reverse-android-淘最热点so

资源

1. com.maihan.tredian 2021版淘最热点

2. 该 app 没有加壳 ,也没混淆。

登录抓包

POST: https://api.taozuiredian.com/api/v1/auth/login/sms

POST /api/v1/auth/login/sms HTTP/1.1
Content-Type: application/json
Connection: close
Charset: UTF-8
User-Agent: Dalvik/2.1.0 (Linux; U; Android 14; Pixel 6 Build/AP1A.240505.004)
Host: api.taozuiredian.com
Accept-Encoding: gzip
Content-Length: 566

{"sign":"3c0bc27ca0e9a647f32f5e9751d0db63e38849b5","nonce":"8bfisg1718611936552","tzrd":"BwzXzSGFyiPstMIVuzTZb7LzTZzbXRJOFzpbQiIaT7ujUDo3\/3Itq4wx7VQB94J9yQcrD22YICXHDicUiOY8ggIARFsAfdxkYDBJCJN5ScgdFKnF1+ISjECffNemekpceZEtoWiE8Dw8qF5DYd\/RAGF7iNzRF3WoESa4CR2\/JzHhlwW4d8a2HNEPaNGcdwvomjmkQRh17mnDNufFD3YbHeoTId4Gz0h+IzLUuHCLgQFWoUK\/FPYa7epLPvJ0fi5U1wrV+FU+avqDNzGQVyeewhofZU5c511E0ITgSI27IrqBdCwvtpyW29F8T5dsHhmTrkKyJqs43AS\/fAapl7jYuzLz1+P7PPNEATv5y8GVTQJb+xYVZSVeyNpXmpSgkNIiSQVcRG8xw\/tAAOh6LpuZrx4Xay6OlulssTeYvnaAR1k=","timestamp":"1718611936","app_ver":"100"}

HTTP/1.1 400 Bad Request
Server: nginx
Date: Mon, 17 Jun 2024 08:12:03 GMT
Content-Type: application/json
Content-Length: 167
Cache-Control: no-cache, private
Access-Control-Allow-Origin: *
Vary: Origin
Connection: close

{"code":1,"error":{"code":1,"ex_code":0,"exid":"9a16e02c3c1769177721bc0ece924941","message":"\u9a8c\u8bc1\u7801\u4e0d\u6b63\u786e","custom_params":[]},"success":false}

需要一下三个参数逆向:

sign: 3c0bc27ca0e9a647f32f5e9751d0db63e38849b5

nonce: 8bfisg1718611936552

tzrd: BwzXzSGFyiPstMIVuzTZb7LzTZzbXRJOFzpbQiIaT7ujUDo3\/3Itq4wx7VQB94J9yQcrD22YICXHDicUiOY8ggIARFsAfdxkYDBJCJN5ScgdFKnF1+ISjECffNemekpceZEtoWiE8Dw8qF5DYd\/RAGF7iNzRF3WoESa4CR2\/JzHhlwW4d8a2HNEPaNGcdwvomjmkQRh17mnDNufFD3YbHeoTId4Gz0h+IzLUuHCLgQFWoUK\/FPYa7epLPvJ0fi5U1wrV+FU+avqDNzGQVyeewhofZU5c511E0ITgSI27IrqBdCwvtpyW29F8T5dsHhmTrkKyJqs43AS\/fAapl7jYuzLz1+P7PPNEATv5y8GVTQJb+xYVZSVeyNpXmpSgkNIiSQVcRG8xw\/tAAOh6LpuZrx4Xay6OlulssTeYvnaAR1k=

java层分析

1. 搜索 login/sms

2. 搜索sign, tzrd 字段

可以定位到在 MhRequestUtil.a中

tzrd: Base64.encodeToString(AesUtil.b(jSONObject.toString().getBytes(), a.getBytes(), b.getBytes()), 2);

我们在hook 下 encodeToString ()看是不是这里。 encodeToString里面是个AES ,

String a = "AES/CBC/PKCS5Padding"; 从代码中可以看出 是 aes 自吐算法


Java.perform(function(){

    var Base64 = Java.use('android.util.Base64');
    var String =Java.use('java.lang.String');
    // Base64.encodeToString(AesUtil.b(jSONObject.toString().getBytes(), a.getBytes(), b.getBytes()), 2);
    Base64.encodeToString.overload("[B","int").implementation =function(input,flag){
        console.log(' hook encodeToString.overloads("[B","int") ...' );
        console.log(getStackTrace());
        
        var data= this.encodeToString(input,flag);
        console.log('res data origin: ', data);
        console.log('res data string: ', String.$new(data));

        return data;
        
    }


    // public static byte[] b(byte[] bArr, byte[] bArr2, byte[] bArr3) throws Exception {
    var  AesUtil = Java.use('com.maihan.tredian.util.AesUtil');
    AesUtil.b.implementation= function(src,key,key2){ // key =PeMBjWOVbrMgElXO 写死 , key2: VTToNCiifIJ9c2co

        console.log(getStackTrace());
        console.log('src: ',src)
        console.log('key: ',key)
        console.log('key2: ',key2)

        var data= this.b(src,key,key2);
        console.log('res data origin: ', data);
        console.log('res data string: ', String.$new(data));
        return data;
        
    }

    


    function getStackTrace(){
        return Java.use('android.util.Log').getStackTraceString(Java.use("java.lang.Throwable").$new());
    }
})

//frida -UF -l hook_sign_java.js

打印出:

src string:  {"imei2":"null","device_name":"google Pixel 6","code":"6465","imei1":"null","phone":"18051116656","device_udid":"47cba2e1a0c4aed30ddf6687e096ab84","device_id":"2fd841981ec9f6dbb162d6bf7f93de5e","channel":"official","system":"1","from":"app","mac":"02:00:00:00:00:00","os_ver_code":"34","android_id":"e3de5277cf5deadf"}


key string:  PeMBjWOVbrMgElXO


key2 string:  VTToNCiifIJ9c2co

可以看出上面的几个数据都是定2量的。

tzrd= Base64(AES(src,key,key2))

sign: TreUtil.sign(a(map, false, false))

sign 是so里面： System.loadLibrary("tre");

    public static native String sign(String str);

从lib中找出 libtre.so 是32位的，用 IDA 32位打开。在导出表里面.

hook sign so

nonce: 随机数

 private static String a() {
        Random random = new Random();
        StringBuffer stringBuffer = new StringBuffer();
        for (int i = 0; i < 6; i++) {
            stringBuffer.append("abcdefghijklmnopqrstuvwxyz0123456789".charAt(random.nextInt(36)));
        }
        return stringBuffer.toString() + System.currentTimeMillis();
    }