本文的目的只有一个就是学习更多的逆向技巧和思路,如果有人利用本文技术去进行非法商业获取利益带来的法律责任都是操作者自己承担,和本文以及作者没关系
在研究alimama的sgin过程中无意中发现的——淘口令解析。
Android studio
Android模拟器
ddms
jadx工具
xposed工程
Smali工程
使用过淘口令的人都知道,要让ali系的app能自动识别淘口令的前提,必须是先复制淘口令到Android系统的粘贴板,所有我们就从 ClipboardManager进行入手。
全文搜索 ClipboardManager,然后进行分析排查。
逐步排除定位到关键代码:TaoCodeTransferPresenter-itemInfoListener
分析后再用ddms进行轨迹跟踪, 发现其实ali系的app大量使用了RxJava技术。
if (rxMtopResponse.isReqSuccess) { TaoCodeItemInfo taoCodeItemInfo = (TaoCodeItemInfo) rxMtopResponse.result; if (taoCodeItemInfo != null && !TextUtils.isEmpty(taoCodeItemInfo.getRawUrl())) { EventBus.getDefault().post(TaoCodeTransferEvent.success(TaoCodeTransferPresenter.this.mClipboardContent, taoCodeItemInfo)); TaoCodeTransferPresenter.this.cleanClipboard(); return; } return; }
xposed大法,hook跟踪private final RxMtopResult<TaoCodeItemInfo> itemInfoListener = new RxMtopResult<TaoCodeItemInfo>() --TaoCodeTransferPresenter$2
hook对应原始代码:
private final RxMtopResult<TaoCodeItemInfo> itemInfoListener = new RxMtopResult<TaoCodeItemInfo>() { public void result(RxMtopResponse<TaoCodeItemInfo> rxMtopResponse) { 。。。。 } };
adb shell am start -D -n com.alimama.moon/com.alimama.moon.ui.WizardActivity
TaoCodeTransferPresenter(@NonNull Context context)即this.itemInfoListener
//new TaoCodeItemInfoRequest(this.mClipboardContent).sendRequest(this.itemInfoListener); Object obj_mTaoCodeTransferPresenter = XposedHelpers.getObjectField(HookAlimama.appContext,"mTaoCodeTransferPresenter") ; Object obj_itemInfoListener = XposedHelpers.getObjectField(obj_mTaoCodeTransferPresenter,"itemInfoListener"); Class<?> clz_TaoCodeItemInfoRequest = HookAlimama.myWechatloader.loadClass("com.alimama.union.app.taotokenConvert.TaoCodeItemInfoRequest"); String str_taokouling = "【第一卫数据线三合一充电线器一拖三手机快充苹果安卓三头多头二合一多功能三线多用华为一拖二车载快冲3三用】https://m.tb.cn/h.evXxTjt?sm=0a657b 點ゞ撃°鏈バ接,再选择瀏覽→噐咑閞ヽ;或椱ァ製整句话¥dYQ5YD5Fn6o¥后咑閞手机天猫"; XposedHelpers.newInstance(clz_TaoCodeItemInfoRequest,str_taokouling);
private static void callbackInTaoCodeTransferPresenter$2_result(ClassLoader classLoader) { try { Class<?> clz_RxMtopResponse = classLoader.loadClass("com.alimama.union.app.rxnetwork.RxMtopResponse"); XposedHelpers.findAndHookMethod("com.alimama.union.app.taotokenConvert.TaoCodeTransferPresenter$2" ,classLoader , "result" ,clz_RxMtopResponse , new XC_MethodHook() { @Override protected void afterHookedMethod(MethodHookParam param) throws Throwable { super.afterHookedMethod(param); Object obj_result_param =param.args[0]; String retCode = (String) XposedHelpers.getObjectField(obj_result_param,"retCode"); if ("SUCCESS".equals(retCode)){ Object obj_result_param_result_Field = XposedHelpers.getObjectField(obj_result_param,"result"); String picUrl = (String) XposedHelpers.getObjectField(obj_result_param_result_Field,"pictUrl"); String rawUrl = (String) XposedHelpers.getObjectField(obj_result_param_result_Field,"rawUrl"); String title = (String) XposedHelpers.getObjectField(obj_result_param_result_Field,"title"); Log.i(TAG,"picUrl= "+picUrl); Log.i(TAG,"rawUrl= "+rawUrl); Log.i(TAG,"title= "+title); } } }); } catch (ClassNotFoundException e) { e.printStackTrace(); } }
[公告]安全测试和项目外包请将项目需求发到看雪企服平台:https://qifu.kanxue.com
最后于 1小时前 被younghare编辑 ,原因: