1、直接将某沙app拖入jadx,看起来是加壳的,全是字母。
2、通过frida-dump脱壳出dex,代码太多,一头雾水,决定frida查看一下app load流程。
3、先查看一下so的加载,看起来是基于webview的app,这种安全性更强?
android_dlopen_ext probe /data/user/0/com.hptfludyjx.syjqeafkll/files/HJfOTtKmmn/libflutter.soandroid_dlopen_ext probe /vendor/lib/hw/gralloc.sdm845.soandroid_dlopen_ext probe /data/user/0/com.hptfludyjx.syjqeafkll/files/HJfOTtKmmn/libkiwi.soandroid_dlopen_ext probe /vendor/lib/hw/android.hardware.graphics.mapper@2.0-impl-qti-display.soandroid_dlopen_ext probe /data/dalvik-cache/arm/system@product@app@[email protected]@classes.dexandroid_dlopen_ext probe libwebviewchromium.soandroid_dlopen_ext probe /system/product/app/webview/webview.apk!/lib/armeabi-v7a/libwebviewchromium.soandroid_dlopen_ext probe /system/lib/libwebviewchromium_plat_support.so
4、objection查看相关的控件,只有几个,决定从这几个包里面代码入手
com.FsmPTCXp.srkUzUwv.BuMNTWpHywCyOjEGcom.FsmPTCXp.srkUzUwv.SYwlcwEiRFSIXShRcom.FsmPTCXp.srkUzUwv.XgHiUUvJoGlJkOrDcom.FsmPTCXp.srkUzUwv.etdKYlBCbRsMOoYOcom.FsmPTCXp.srkUzUwv.kTqkUkCAFauhrgmpcom.FsmPTCXp.srkUzUwv.pipohLdKqLHPWLVMcom.FsmPTCXp.srkUzUwv.spWureHoPIGDecqQcom.google.android.gms.common.api.GoogleApiActivity
com.FsmPTCXp.srkUzUwv.SYwlcwEiRFSIXShR这个里面有webview的创建,在com.pichillilorenzo.flutter_inappwebview.in_app_browser.InAppBrowserManager发现会启动这个控件,后面就是继续分析怎么注入了。
5、继续分析并hook相关的类,终于找到了一些post get时会触发的方法。
(agent) [612497] Called com.pichillilorenzo.flutter_inappwebview.in_app_webview.FlutterWebView.getView()(agent) [612497] Called com.pichillilorenzo.flutter_inappwebview.in_app_webview.FlutterWebView.getView()(agent) [612497] Called com.pichillilorenzo.flutter_inappwebview.in_app_webview.FlutterWebView.getView()(agent) [612497] Called com.pichillilorenzo.flutter_inappwebview.in_app_webview.FlutterWebView.getView()(agent) [612497] Called com.pichillilorenzo.flutter_inappwebview.in_app_webview.FlutterWebView.dispose()(agent) [612497] Called com.pichillilorenzo.flutter_inappwebview.in_app_webview.FlutterWebView.makeInitialLoad(java.util.HashMap)(agent) [612497] Called com.pichillilorenzo.flutter_inappwebview.in_app_webview.FlutterWebView.getView()(agent) [612497] Called com.pichillilorenzo.flutter_inappwebview.in_app_webview.FlutterWebView.getView()(agent) [612497] Called com.pichillilorenzo.flutter_inappwebview.in_app_webview.FlutterWebView.getView()(agent) [612497] Called com.pichillilorenzo.flutter_inappwebview.in_app_webview.FlutterWebView.getView()(agent) [612497] Called com.pichillilorenzo.flutter_inappwebview.in_app_webview.FlutterWebView.dispose()(agent) [612497] Called com.pichillilorenzo.flutter_inappwebview.in_app_webview.FlutterWebView.makeInitialLoad(java.util.HashMap)(agent) [612497] Called com.pichillilorenzo.flutter_inappwebview.in_app_webview.FlutterWebView.getView()(agent) [612497] Called com.pichillilorenzo.flutter_inappwebview.in_app_webview.FlutterWebView.getView()(agent) [612497] Called com.pichillilorenzo.flutter_inappwebview.in_app_webview.FlutterWebView.getView()(agent) [612497] Called com.pichillilorenzo.flutter_inappwebview.in_app_webview.FlutterWebView.getView()(agent) [612497] Called com.pichillilorenzo.flutter_inappwebview.in_app_webview.FlutterWebView.dispose()
6、hook关键函数com.pichillilorenzo.flutter_inappwebview.in_app_webview.InAppWebViewClient.onPageFinished,找到关键的加载js的请求
(agent) [096825] Called com.pichillilorenzo.flutter_inappwebview.in_app_webview.InAppWebViewClient.loadCustomJavaScriptOnPageStarted(android.webkit.WebView)(agent) [096825] Called com.pichillilorenzo.flutter_inappwebview.in_app_webview.InAppWebViewClient.shouldInterceptRequest(android.webkit.WebView, java.lang.String)(agent) [096825] Called com.pichillilorenzo.flutter_inappwebview.in_app_webview.InAppWebViewClient.shouldInterceptRequest(android.webkit.WebView, android.webkit.WebResourceRequest)(agent) [096825] Called com.pichillilorenzo.flutter_inappwebview.in_app_webview.InAppWebViewClient.shouldInterceptRequest(android.webkit.WebView, android.webkit.WebResourceRequest)(agent) [096825] Called com.pichillilorenzo.flutter_inappwebview.in_app_webview.InAppWebViewClient.shouldInterceptRequest(android.webkit.WebView, android.webkit.WebResourceRequest)(agent) [096825] Called com.pichillilorenzo.flutter_inappwebview.in_app_webview.InAppWebViewClient.shouldInterceptRequest(android.webkit.WebView, java.lang.String)(agent) [096825] Called com.pichillilorenzo.flutter_inappwebview.in_app_webview.InAppWebViewClient.onPageFinished(android.webkit.WebView, java.lang.String)(agent) [096825] Called com.pichillilorenzo.flutter_inappwebview.in_app_webview.InAppWebViewClient.loadCustomJavaScriptOnPageFinished(android.webkit.WebView)
7、抓取核心接口的调用栈,拿到网页的链接,由于这个玩意服务器在国外,所以需要vpn才能inspect debug(可以但是太麻烦),干脆直接拿链接浏览器打开,居然能通。
(agent) [410874] Arguments com.pichillilorenzo.flutter_inappwebview.in_app_webview.InAppWebViewClient.onPageFinished(com.pichillilorenzo.flutter_inappwebview.in_app_webview.InAppWebView{c22f292 VFED..CL. ........ 0,0-2160,1080}, https://xms.sq0002.cn/lobby/?uid=157347630&token=MTU3MzQ3NjMwXzE3MzA3Mjk4NTUwNjg6MzVaQldoeDZwaUQxS2JPbQ)8、链接在浏览器可以打开,可以f12 debug,但是没意义,因为充值接口不在游戏,不充值无法进行,所以这条路可能无意义,也许协议有漏洞,但需要分析。
基本上就是使用以下这两个请求链接来校验账号信息。
https://xms.sq0002.cn/api/app/account/get/info.dohttps://xms.sq0002.cn/api/app/server/list.do
9、网页js源码分析,寻找key、iv.......,F12初步分析网页逻辑,找到修改金币的位置,debug断点,修改数据,可以增加金币,但是和服务器交互后金币还是会被清零。
setAccountInfo(t) {if (this.userInfoBarData = t,null === this.userInfoBar)throw new ReferenceError("RoomLayer 已被 destroy");this.userInfoBar.setUserIcon(t.icon, t.frame),this.userInfoBar.setUserID(t.nickname),this.userInfoBar.setUserLevel(t.vip),t.agentUserId && this.userInfoBar.setUid(t.agentUserId),this.setCurrentGold(t.score) //修改t.score}
本文内容来自网络,如有侵权请联系删除
原文始发于微信公众号(逆向有你):安卓逆向 -- 某灰色app的分析学习
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论