reverse-android-淘最热点so

资源

1. com.maihan.tredian 2021版淘最热点

2. 该 app 没有加壳 ,也没混淆。

登录抓包

POST: https://api.taozuiredian.com/api/v1/auth/login/sms

POST /api/v1/auth/login/sms HTTP/1.1
Content-Type: application/json
Connection: close
Charset: UTF-8
User-Agent: Dalvik/2.1.0 (Linux; U; Android 14; Pixel 6 Build/AP1A.240505.004)
Host: api.taozuiredian.com
Accept-Encoding: gzip
Content-Length: 566{"sign":"3c0bc27ca0e9a647f32f5e9751d0db63e38849b5","nonce":"8bfisg1718611936552","tzrd":"BwzXzSGFyiPstMIVuzTZb7LzTZzbXRJOFzpbQiIaT7ujUDo3\/3Itq4wx7VQB94J9yQcrD22YICXHDicUiOY8ggIARFsAfdxkYDBJCJN5ScgdFKnF1+ISjECffNemekpceZEtoWiE8Dw8qF5DYd\/RAGF7iNzRF3WoESa4CR2\/JzHhlwW4d8a2HNEPaNGcdwvomjmkQRh17mnDNufFD3YbHeoTId4Gz0h+IzLUuHCLgQFWoUK\/FPYa7epLPvJ0fi5U1wrV+FU+avqDNzGQVyeewhofZU5c511E0ITgSI27IrqBdCwvtpyW29F8T5dsHhmTrkKyJqs43AS\/fAapl7jYuzLz1+P7PPNEATv5y8GVTQJb+xYVZSVeyNpXmpSgkNIiSQVcRG8xw\/tAAOh6LpuZrx4Xay6OlulssTeYvnaAR1k=","timestamp":"1718611936","app_ver":"100"}

HTTP/1.1 400 Bad Request
Server: nginx
Date: Mon, 17 Jun 2024 08:12:03 GMT
Content-Type: application/json
Content-Length: 167
Cache-Control: no-cache, private
Access-Control-Allow-Origin: *
Vary: Origin
Connection: close{"code":1,"error":{"code":1,"ex_code":0,"exid":"9a16e02c3c1769177721bc0ece924941","message":"\u9a8c\u8bc1\u7801\u4e0d\u6b63\u786e","custom_params":[]},"success":false}

需要一下三个参数逆向:

sign: 3c0bc27ca0e9a647f32f5e9751d0db63e38849b5

nonce: 8bfisg1718611936552

tzrd: BwzXzSGFyiPstMIVuzTZb7LzTZzbXRJOFzpbQiIaT7ujUDo3\/3Itq4wx7VQB94J9yQcrD22YICXHDicUiOY8ggIARFsAfdxkYDBJCJN5ScgdFKnF1+ISjECffNemekpceZEtoWiE8Dw8qF5DYd\/RAGF7iNzRF3WoESa4CR2\/JzHhlwW4d8a2HNEPaNGcdwvomjmkQRh17mnDNufFD3YbHeoTId4Gz0h+IzLUuHCLgQFWoUK\/FPYa7epLPvJ0fi5U1wrV+FU+avqDNzGQVyeewhofZU5c511E0ITgSI27IrqBdCwvtpyW29F8T5dsHhmTrkKyJqs43AS\/fAapl7jYuzLz1+P7PPNEATv5y8GVTQJb+xYVZSVeyNpXmpSgkNIiSQVcRG8xw\/tAAOh6LpuZrx4Xay6OlulssTeYvnaAR1k=

java层分析

1. 搜索 login/sms

2. 搜索sign, tzrd 字段

可以定位到在 MhRequestUtil.a中

tzrd: Base64.encodeToString(AesUtil.b(jSONObject.toString().getBytes(), a.getBytes(), b.getBytes()), 2);

我们在hook 下 encodeToString ()看是不是这里。 encodeToString里面是个AES ,

String a = "AES/CBC/PKCS5Padding"; 从代码中可以看出 是 aes 自吐算法


Java.perform(function(){var Base64 = Java.use('android.util.Base64');var String =Java.use('java.lang.String');// Base64.encodeToString(AesUtil.b(jSONObject.toString().getBytes(), a.getBytes(), b.getBytes()), 2);Base64.encodeToString.overload("[B","int").implementation =function(input,flag){console.log(' hook encodeToString.overloads("[B","int") ...' );console.log(getStackTrace());var data= this.encodeToString(input,flag);console.log('res data origin: ', data);console.log('res data string: ', String.$new(data));return data;}// public static byte[] b(byte[] bArr, byte[] bArr2, byte[] bArr3) throws Exception {var  AesUtil = Java.use('com.maihan.tredian.util.AesUtil');AesUtil.b.implementation= function(src,key,key2){ // key =PeMBjWOVbrMgElXO 写死 , key2: VTToNCiifIJ9c2coconsole.log(getStackTrace());console.log('src: ',src)console.log('key: ',key)console.log('key2: ',key2)var data= this.b(src,key,key2);console.log('res data origin: ', data);console.log('res data string: ', String.$new(data));return data;}function getStackTrace(){return Java.use('android.util.Log').getStackTraceString(Java.use("java.lang.Throwable").$new());}
})//frida -UF -l hook_sign_java.js

打印出:

src string:  {"imei2":"null","device_name":"google Pixel 6","code":"6465","imei1":"null","phone":"18051116656","device_udid":"47cba2e1a0c4aed30ddf6687e096ab84","device_id":"2fd841981ec9f6dbb162d6bf7f93de5e","channel":"official","system":"1","from":"app","mac":"02:00:00:00:00:00","os_ver_code":"34","android_id":"e3de5277cf5deadf"}key string:  PeMBjWOVbrMgElXOkey2 string:  VTToNCiifIJ9c2co

可以看出上面的几个数据都是定2量的。

tzrd= Base64(AES(src,key,key2))

sign: TreUtil.sign(a(map, false, false))

sign 是so里面： System.loadLibrary("tre");

    public static native String sign(String str);

从lib中找出 libtre.so 是32位的，用 IDA 32位打开。在导出表里面.

hook sign so

nonce: 随机数

 private static String a() {Random random = new Random();StringBuffer stringBuffer = new StringBuffer();for (int i = 0; i < 6; i++) {stringBuffer.append("abcdefghijklmnopqrstuvwxyz0123456789".charAt(random.nextInt(36)));}return stringBuffer.toString() + System.currentTimeMillis();}