[原创]安卓协议逆向 咸鱼 frida rpc 调用方案
2023-6-15 22:52:17 Author: bbs.pediy.com(查看原文) 阅读量:164 收藏

frida 提供了一种跨平台的 rpc (远程过程调用)机制,通过 frida rpc 可以在主机和目标设备之间进行通信,并在目标设备上执行代码,可实现功能如下:
1、动态地修改函数和方法的参数和返回值。
2、监视和拦截特定函数和方法的调用。
3、修改内存中的数据和指令。
4、与目标设备上的应用程序进行交互,发送和接收数据。
5、在运行时加载自己的 JavaScript 脚本,从而实现自定义的行为修改。

一个个点进去查看,发现并没有有价值的东西,仅仅只是构建字段名等操作,并且我尝试 hook 这些点,并没有得到有用的信息,换 JEB 看看,反复搜索观察,最终定位到 getUnifiedSign 这个函数:
图片描述

第 2 处定义了一个抽象类 AbstractSignImpl 实现了 ISign 接口中的 getUnifiedSign 方法,当类实现接口的时候,类要实现接口中所有的方法。否则,类必须声明为抽象的类。该处声明的为抽象类,并不需要实现接口,代码有删减:

第 3 处定义了 InnerSignImpl 类继承 AbstractSignImpl,java中规定抽象类的子类必须给出抽象类中的抽象方法的具体实现,除非该子类也是抽象类。InnerSignImpl 并不是抽象类,也可以看出它实现了 getUnifiedSign 方法,代码有删减:

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

public class InnerSignImpl extends AbstractSignImpl {

    @Override  // mtopsdk.security.AbstractSignImpl

    public HashMap getUnifiedSign(HashMap arg17, HashMap arg18, String appKey, String authCode, boolean useWua, String requestId) {

        String instanceId = this.c();

        if(appKey == null) {

            arg17.put("SG_ERROR_CODE", "AppKey is null");

            TBSdkLog.e("mtopsdk.InnerSignImpl", instanceId + " [getUnifiedSign] AppKey is null.");

            return null;

        }

        if(arg17 == null) {

            TBSdkLog.e("mtopsdk.InnerSignImpl", instanceId + " [getUnifiedSign] params is null.appKey=" + appKey);

            return null;

        }

        if(this.f == null) {

            arg17.put("SG_ERROR_CODE", "unified is null");

            TBSdkLog.e("mtopsdk.InnerSignImpl", instanceId + " [getUnifiedSign]sg unified sign is null, please call ISign init()");

            return null;

        }

        try {

            HashMap input = new HashMap();

            String data = (String)this.a(arg17, appKey, true).get("INPUT");

            boolean v10 = StringUtils.isBlank(data);

            if(v10) {

                TBSdkLog.e("mtopsdk.InnerSignImpl", this.c() + " [getUnifiedSign]get sign failed with sign data empty ", "appKeyIndex=" + this.a.k + ",authCode=" + this.a.i);

                return null;

            }

            input.put("appkey", appKey);

            input.put("data", data);

            input.put("useWua", Boolean.valueOf(useWua));

            input.put("env", Integer.valueOf(this.d()));

            input.put("authCode", authCode);

            input.put("extendParas", arg18);

            input.put("requestId", requestId);

            input.put("api", arg17.get("api"));

            HashMap output = this.f.getSecurityFactors(input);

            if(output != null && !output.isEmpty()) {

                return output;

            }

            TBSdkLog.e("mtopsdk.InnerSignImpl", this.c() + " [getUnifiedSign]get sign failed with no output ", "appKeyIndex=" + this.a.k + ",authCode=" + this.a.i);

        }

        catch(SecException v0_1) {

            TBSdkLog.e("mtopsdk.InnerSignImpl", this.c() + " [getUnifiedSign]get sign failed and SecException errorCode " + v0_1.getErrorCode() + ",appKeyIndex=" + this.a.k + ",authCode=" + this.a.i, v0_1);

        }

        catch(Throwable v0) {

            TBSdkLog.e("mtopsdk.InnerSignImpl", this.c() + " [getUnifiedSign]get sign failed exception ,appKeyIndex=" + this.a.k + ",authCode=" + this.a.i, v0);

        }

        return null;

    }

}

getUnifiedSign is called,
params:
{data={"activeSearch":false,"bizFrom":"home","disableHierarchicalSort":0,"forceUseInputKeyword":false,"forceUseTppRepair":false,"fromFilter":false,"fromKits":false,"fromLeaf":false,"fromShade":false,"fromSuggest":false,"keyword":"黑丝","pageNumber":1,"resultListLastIndex":0,"rowsPerPage":10,"searchReqFromActivatePagePart":"searchButton","searchReqFromPage":"xyHome","searchTabType":"SEARCH_TAB_MAIN","shadeBucketNum":-1,"suggestBucketNum":27}, deviceId=AnlVbDHuTb2u0LWMPSEZxO4CdI4PNLcEAjN85BBOipB9, sid=null, uid=null, x-features=27, appKey=21407387, api=mtop.taobao.idle.search.glue, lat=0, lng=0, utdid=Y6mM0d1XDnwDAAZc4d8Tk60B, extdata=openappkey=DEFAULT_AUTH, [email protected]_android_7.4.70, t=1672065081, v=8.0}
ext:
{pageId=, pageName=}
appKey:
21407387
authCode:
null
useWua:
false
requestId:
r_342
getUnifiedSign ret value is
{x-sgext=JAc6QkgEOGWLbN43MhWbokILcghxC2EIdAJ0A2EJdghhCW4PbgpuC24LbgtuC24LbgtuC24MdRZzFnQNbgx1FnIWchZyFnIWchZyFnIWchZyFnIWcxZzDncWcw53FnEWchZyFnACYQt0DXAKdwxyC3UZcgghW3IKcgtxXHUOIA17CGEJdgphA2EJdhlyCnINYQlhC2ELYQthC2ELYQhhC2EOcRlxGXUZcw5hCmEKYQphCmEKYRknGSRfYQphXCdfJwInGXIKcgpy, x-umt=2QMB7AlLPMcI7wKFTpWcJNO9Tq3ykFES, x-mini-wua=HHnB_LsOm2MbDDQX8pocsAv844s/AJ3eeRpQBvQ0ruCym5E4E9z73i+wqyWX+kYoOCLjd0M+Af0hvQxs8NJyeS1/+qAd+g60eGM0Y7snvKtTeCvVhBnNESbEFrPu+orzouidZjoRxOAXN2Cpe1icpSFPKMA==, x-sign=azU7Bc002xAAJAe6xWI/sfnl+vxS1Be0CqzNIjAW/Hwc8p+i1dC0d4rAl5xTWTXVcWTzU1+mIZmU3sPAV41DwKbwpS1llAe0BZQHtA}

参数都在这了,这就好办了,rpc 调用就能解决,注意这边的 data 数据是进行了 url 编码的,需进行进一步转化。
rpc 调用代码可参考我写的:原创] 安卓协议逆向 cxdx 分析与实现 一文。


文章来源: https://bbs.pediy.com/thread-277632.htm
如有侵权请联系:admin#unsafe.sh