0x01 Installing Frida
When I set up the Pixel 5 earlier I had already installed the magisk_all.zip module, which ships with a frida-server that starts automatically.
Check the version:
On the PC, use pip for Python 3.9 to install the frida package that matches that server version:
pip3.9 install frida==15.1.20
Test Frida
https://j777a45.com/oss/1007-saas/20230621/*.apk
com.saas.h5ios.j777.d0616
Check the packing status:
Not packed.
Run exp.js
setImmediate(function() {
    console.log("[*] Starting script");
    Java.perform(function() {
        // Java.use() takes a fully qualified class name; the name is left as in the original
        var myClass = Java.use("com.saas.h5ios.j777.d0616");
        // A hook replaces a method's implementation, not the class itself.
        // targetMethod is a placeholder for the method you want to hook; replace it.
        myClass.targetMethod.implementation = function(v) {
            // do sth.
            return this.targetMethod(v);   // call through to the original so the app keeps working
        };
    });
});
adb forward tcp:27042 tcp:27042
frida -U -l exp.js -f com.saas.h5ios.j777.d0616
Using a ready-made hook
git clone https://github.com/Margular/frida-skeleton.git
Installing apktool
Download links:
Apktool: http://ibotpeaches.github.io/Apktool/install/
dex2jar: https://github.com/pxb1988/dex2jar
JD-GUI: http://jd.benow.ca/
Place the downloaded files in /usr/local/bin/ and give them execute permission:
chmod +x /usr/local/bin/apktool
chmod +x /usr/local/bin/apktool.jar
dex2jar's main job is converting the classes.dex inside the apk into a jar.
jd-gui's main job is loading the generated jar so you can read the Java source.
Unpack the apk to get the smali:
apktool d b777.apk
Download the hook-generating script:
git clone https://github.com/lasting-yang/FridaAutoHook.git
xxx.smali xxx2.smali yyy.smali > hook.js
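As an added example (not FridaAutoHook's own code, and not a script from the original post), here is a small Python generator that does what the step above describes: it reads a smali file as emitted by apktool d, pulls out the class name and each method signature, and writes a hook.js in the same Java.perform / .implementation shape as the exp.js skeleton earlier in the post, with the original method called through so the app keeps working. The smali input is a constructed sample and the class com.example.cashier.SignUtil is made up for illustration.

```python
import re

# Constructed sample smali (not from the app in the post), in the shape apktool d produces.
SAMPLE_SMALI = """\
.class public final Lcom/example/cashier/SignUtil;
.super Ljava/lang/Object;

.method public constructor <init>()V
    .locals 0
    invoke-direct {p0}, Ljava/lang/Object;-><init>()V
    return-void
.end method

.method static constructor <clinit>()V
    .locals 0
    return-void
.end method

.method public static sign(Ljava/lang/String;[BJ)Ljava/lang/String;
    .locals 1
    const-string v0, "stub"
    return-object v0
.end method

.method private verify(Ljava/util/Map;Z)Z
    .locals 0
    const/4 p2, 0x1
    return p2
.end method
"""

PRIMITIVES = {"V": "void", "Z": "boolean", "B": "byte", "S": "short", "C": "char",
              "I": "int", "J": "long", "F": "float", "D": "double"}

CLASS_RE = re.compile(r"^\.class\s+(?:[\w$]+\s+)*L([^;]+);", re.M)
METHOD_RE = re.compile(r"^\.method\s+(?:[\w$]+\s+)*([^\s(]+)\(([^)]*)\)(\S+)", re.M)


def descriptor_to_java(desc):
    """Turn one JVM type descriptor into the type name Frida's overload() expects."""
    dims = len(desc) - len(desc.lstrip("["))
    base = desc[dims:]
    if base in PRIMITIVES:
        name = PRIMITIVES[base]
    elif base.startswith("L") and base.endswith(";"):
        name = base[1:-1].replace("/", ".")
    else:
        raise ValueError(f"bad descriptor: {desc!r}")
    if dims == 0:
        return name
    # Arrays keep descriptor form, as Class.getName() spells them: [B, [Ljava.lang.String;
    return "[" * dims + (base if base in PRIMITIVES else "L" + name + ";")


def split_params(params):
    """Split the parameter part of a method descriptor into single descriptors."""
    out, i = [], 0
    while i < len(params):
        start = i
        while params[i] == "[":          # array prefix belongs to the following type
            i += 1
        if params[i] == "L":             # object type runs up to the ';'
            i = params.index(";", i) + 1
        else:                            # primitive: one character
            i += 1
        out.append(params[start:i])
    return out


def parse_smali(text):
    """Return (class name, [(method, [param types], return type), ...]) for one smali file."""
    cls = CLASS_RE.search(text).group(1).replace("/", ".")
    methods = []
    for name, params, ret in METHOD_RE.findall(text):
        if name == "<clinit>":           # static initialiser: Frida exposes no handle for it
            continue
        if name == "<init>":             # constructors are hooked through $init
            name = "$init"
        methods.append((name, [descriptor_to_java(p) for p in split_params(params)],
                        descriptor_to_java(ret)))
    return cls, methods


def generate_hook_js(cls, methods):
    """Emit a Frida script that logs arguments and return value of every listed method."""
    lines = ["Java.perform(function () {", f'  var klass = Java.use("{cls}");']
    for name, params, ret in methods:
        overload = ", ".join(f'"{p}"' for p in params)
        sig = ", ".join(params)
        lines += [
            f"  klass.{name}.overload({overload}).implementation = function () {{",
            f'    console.log("[*] {cls}.{name}({sig}) -> {ret}");',
            '    for (var i = 0; i < arguments.length; i++) console.log("    arg[" + i + "] = " + arguments[i]);',
            f"    var ret = this.{name}.apply(this, arguments);",
            '    console.log("    ret = " + ret);',
            "    return ret;",
            "  };",
        ]
    lines.append("});")
    return "\n".join(lines)


if __name__ == "__main__":
    cls, methods = parse_smali(SAMPLE_SMALI)
    print(generate_hook_js(cls, methods))
```

Redirect the output to hook.js and load it with frida -U -l hook.js -f <package> to trace every call into that class. Overloads are selected explicitly, so a class with several methods of the same name does not make Frida refuse the hook, and the <clinit> skip matters because a generated script that tries to hook it fails at load time.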
A few pitfalls here.
The Pixel 5 system proxy setting is in this place:
adb install xxx.apk
OSS:
ostatic.philofitness.com (this domain presumably resolves to the OSS link; registrar: GoDaddy.com)
Login and main domain:
h5api.akcddq.com (the main request domain; its IPs are the load balancers 45.119.98.107 and 43.242.130.182, and it also serves as the login domain; registrar: GoDaddy.com)
Customer service link:
https://kf.shapesbysimon.com?code=9V31V&tenantPlatCode=3&userId=fc504859283a7e0804cd69df74b53330817e3bb8282d4d64573b2a22ce559d77
0x03 Fourth-party payment analysis
USDT:
No redirect to a third-party link, which means this deposit method is self-operated.
Well, well, they don't even bother with a domain. IP: 119.23.239.6, Alibaba Cloud, Shenzhen, Guangdong (young man, you've been noticed).
——————————
http://120.77.82.215/Index/Index/qrcode?url=http%3A%2F%2Fopen.weixin.qq.com%2Fconnect%2Foauth2%2Fauthorize%3F%26appid%3Dwx8c180fdc45032f02%26redirect_uri%3Dhttp%3A%2F%2Fnxt.nongxinyin.com%2Fbuybal-api%2Fv1.0%2Fcashier%2FwechatPreCash%26response_type%3Dcode%26scope%3Dsnsapi_base%26state%3DEE3325202A3641EDBA0BA21F94048EA3%7C22616657%7C299.93%7C1%7C24152803%26connect_redirect%3D1%23wechat_redirect&w=300&k=684cd6b8e200d25e9912a80eed1f73db
URL-decoded, it is easier to read:
http://120.77.82.215/Index/Index/qrcode?url=http://open.weixin.qq.com/connect/oauth2/authorize?&appid=wx8c180fdc45032f02&redirect_uri=http://nxt.nongxinyin.com/buybal-api/v1.0/cashier/wechatPreCash&response_type=code&scope=snsapi_base&state=EE3325202A3641EDBA0BA21F94048EA3|22616657|299.93|1|24152803&connect_redirect=1#wechat_redirect&w=300&k=684cd6b8e200d25e9912a80eed1f73db
Related WeChat appid:
wx8c180fdc45032f02
Related domain:
nxt.nongxinyin.com
This domain belongs to Nongxin's aggregate payment service.
There is also a callback domain. Its purpose is to tell the gambling platform that the deposit has arrived, so this callback domain does not belong to the fourth-party payment provider; it is owned by the gambling platform.
http://www.grguqoj.cn:12033/api/superjszfb/notify
Bound IP: 8.218.255.138, Alibaba Cloud Hong Kong
Domain whois:
Stubborn lad, covered the head and left the rear exposed: the callback gives the backside away.
Callback IP: 58.208.245.205, Zhangjiagang, Suzhou, Jiangsu, China
Phone-credit fourth party:
http://139.198.171.207:88/api/pay/orderPage/LN20230714124526287653be
IP: 139.198.171.207, provider: QingCloud
http://120.78.206.217:1337/phonecharge.html?amount=20000&eo=NDY5ODEzPD41NA&cat=1689309927082&payType=alipay
IP: 120.78.206.217, Alibaba Cloud, Shenzhen, Guangdong
http://120.79.71.5:1338/alipayyx.html?callback=
Callback address (the phone-credit callback address is probably not run by the gambling app itself; there is likely another fourth-party layer): 120.79.71.5, Alibaba Cloud, Shenzhen, Guangdong.
Alipay large-amount:
http://42.192.114.3/alipaycode.php?is_bzk=0&account_name=IUvZHqfxcxzx2ilOUM6B4A%3D%3D&bank_name=IUvZHqfxcxzx2ilOUM6B4A%3D%3D&account_number=xGFtbSbMPuRy93rWybniHBPwGGBJumq2oROOMOETxpxFjjuEJylrPHS6MRFm9TUR0dgv2RZ3fAIQGTlCAoAOQw%3D%3D&trade_no=P01202307141257021039283&order_pay_price=1999.33&sign=65010c7246946a06f95583711138f669&user=Yn8FqqrecuQ%2F6cOW9URbcCM3FAFKdtFFhvBbkr74A4M%3D&remark=653762&is_pay_name=1&initialization_h5=2
IP: 42.192.114.3, Tencent Cloud Shanghai
Digital yuan (e-CNY):
http://h5.ypfzojcu.com/numberpayinfo.html?data=eyJyZWNBY2N0Tm8iOiIwMDMxMDAwNjQyMjU5Mzk3IiwidXNlck5vIjoiNzU2NjkwNiIsIm1lcmNoT3JkZXJObyI6IjIwMjMwNzE0MTMwMzQwNjUyMDUxIn0=
Domain: h5.ypfzojcu.com, registrar: GoDaddy.com
IP: CDN
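The URL-decoding and IP-versus-domain checks in this section are quick to do by hand once, but the post collects a dozen cashier URLs. The following Python script is an added example and not part of the original post: it walks a cashier URL, follows any nested URL parameter (the url= and redirect_uri= hops decoded by hand above), splits the pipe-separated state field, and base64-decodes parameters that turn out to carry JSON (the data= parameter of the digital-yuan page), recording each host, port, WeChat appid and decoded field as an indicator. The three URLs in SAMPLE_URLS are copied from the post; the indicator labels are this example's own.

```python
import base64
import ipaddress
import json
from urllib.parse import urlsplit, parse_qsl

# Cashier URLs copied from the post above: the WeChat QR page, the digital-yuan page, the callback.
SAMPLE_URLS = [
    "http://120.77.82.215/Index/Index/qrcode?url=http%3A%2F%2Fopen.weixin.qq.com%2Fconnect%2Foauth2%2Fauthorize%3F%26appid%3Dwx8c180fdc45032f02%26redirect_uri%3Dhttp%3A%2F%2Fnxt.nongxinyin.com%2Fbuybal-api%2Fv1.0%2Fcashier%2FwechatPreCash%26response_type%3Dcode%26scope%3Dsnsapi_base%26state%3DEE3325202A3641EDBA0BA21F94048EA3%7C22616657%7C299.93%7C1%7C24152803%26connect_redirect%3D1%23wechat_redirect&w=300&k=684cd6b8e200d25e9912a80eed1f73db",
    "http://h5.ypfzojcu.com/numberpayinfo.html?data=eyJyZWNBY2N0Tm8iOiIwMDMxMDAwNjQyMjU5Mzk3IiwidXNlck5vIjoiNzU2NjkwNiIsIm1lcmNoT3JkZXJObyI6IjIwMjMwNzE0MTMwMzQwNjUyMDUxIn0=",
    "http://www.grguqoj.cn:12033/api/superjszfb/notify",
]


def host_kind(host):
    """'ip' for a bare address (the "doesn't even use a domain" case above), else 'domain'."""
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        return "domain"


def decode_b64_json(value):
    """Return the dict inside a base64/base64url-encoded JSON value, or None if it is not one."""
    padded = value + "=" * (-len(value) % 4)          # tolerate stripped '=' padding
    for decoder in (base64.urlsafe_b64decode, base64.b64decode):
        try:
            obj = json.loads(decoder(padded).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):        # binascii.Error and JSONDecodeError are ValueErrors
            continue
        if isinstance(obj, dict):
            return obj
    return None


def collect_indicators(url, found=None):
    """Walk one cashier URL and everything nested in it; return (label, value) pairs in discovery order."""
    if found is None:
        found = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    found.append((host_kind(host), host))
    if parts.port:
        found.append(("port", f"{host}:{parts.port}"))
    for key, value in parse_qsl(parts.query):
        if value.startswith(("http://", "https://")):
            collect_indicators(value, found)            # url= / redirect_uri= hop, decoded recursively
        elif key == "appid" and value.startswith("wx"):
            found.append(("wechat_appid", value))
        elif key == "state" and "|" in value:
            found.append(("state_fields", tuple(value.split("|"))))
        else:
            payload = decode_b64_json(value)
            if payload is not None:
                for k, v in payload.items():
                    found.append((f"{key}.{k}", str(v)))
    return found


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        for label, value in collect_indicators(u):
            print(f"{label:18} {value}")
```

The recursion is what makes the WeChat page readable: the outer qrcode URL carries an encoded OAuth URL, which in turn carries the aggregator's redirect_uri, and each hop yields its own host. Domains and bare IPs are labelled separately because, as the post notes, the IP-only cashiers are the ones that point straight at self-hosted infrastructure.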
Any JC (police) uncles who need this app can contact me.
end
Preview of the next issue
《xxx gambling app xxx》
Submissions are welcome; to join us, contact the public account: Golden-Qianjiang
Originally published on the WeChat public account 金色钱江 (Golden Qianjiang): 安卓逆向之frida hook 使用浅修 (Android reverse engineering: a brief look at using frida hook)