Notes on a Simple APP Reverse-Engineering Exercise: Decrypting Response Packets
2023-01-13 18:12:33
Location: Beijing

I recently received a private message asking for help: a guy who trades stocks said that his app's data used to be plaintext but is now encrypted, and he wanted me to take a look at the app's encrypted packets. I happened to have little on my plate and was learning to use Frida anyway, so helping out doubled as practice.

APP download address: aHR0cHM6Ly9xdWFudC5hZ3VkYXNoaS5jbi9hcHAtZG93bmxvYWQuaHRtbD9hcHA9cXVhbnQ=

After downloading the APP, first check with ApkScan-PKID whether it is packed (hardened).


To decide whether an apk is packed, the following methods can be used:

Method one: rename the apk's extension to zip and extract it with an archive tool, then check whether the root of the extracted folder contains classes.dex, classes2.dex, and so on. If it does, open the apk in jadx and see whether the complete code of the corresponding files is visible. This is the simplest case.

Method two: decompile the AndroidManifest.xml file, then go through the activity, service, broadcast receiver and provider entries and check whether each of those classes actually exists in the classes.dex file.

Method three: a hardening vendor obviously has to decrypt the data at runtime, so characteristic Java code or characteristic .so files are necessarily packed into the apk. Looking for these tells you whether the apk is hardened, and this is also what mainstream packer-detection tools rely on. Common characteristic Java code and .so files for various vendors' packers are summarised here:

http://book.fsec.io/201-%E6%BC%8F%E6%B4%9E%E5%8E%9F%E7%90%86%E4%B8%8E%E5%B7%A5%E5%85%B7/201-A-%E6%BC%8F%E6%B4%9E%E5%8E%9F%E7%90%86/201-A21-%E5%AE%89%E5%8D%93%E5%BA%94%E7%94%A8%E6%B5%8B%E8%AF%95.html

Method four: use helper tools on the client side to assist in the judgement. Tools on the relevant platforms include:
1. PKID

2. MT Manager

3. ......
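As an added example (not from the original article), the following Python script implements method two offline: given the component class names taken from a decoded AndroidManifest.xml (the analyst supplies them, since binary-XML parsing is out of scope here), it parses the string table of each classes*.dex and reports components whose class descriptor is absent, which indicates a packer loading the real code at runtime. The build_minimal_dex helper constructs a toy dex so the check can run without an APK.

```python
import struct
import zipfile
from typing import Iterable, List, Set


def _read_uleb128(buf: bytes, off: int):
    """Decode one unsigned LEB128 value at buf[off]; return (value, next_offset)."""
    result, shift = 0, 0
    while True:
        b = buf[off]
        off += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, off
        shift += 7


def dex_strings(dex: bytes) -> Set[str]:
    """Return every entry of the dex string_ids table (class descriptors live here)."""
    if dex[:4] != b"dex\n":
        raise ValueError("not a dex file")
    # dex header: string_ids_size at 0x38, string_ids_off at 0x3C (little-endian u32)
    string_ids_size, string_ids_off = struct.unpack_from("<II", dex, 0x38)
    found: Set[str] = set()
    for i in range(string_ids_size):
        (data_off,) = struct.unpack_from("<I", dex, string_ids_off + 4 * i)
        # string_data_item: uleb128 utf16 length, MUTF-8 bytes, NUL terminator
        _utf16_len, start = _read_uleb128(dex, data_off)
        end = dex.index(b"\x00", start)
        # MUTF-8 is identical to UTF-8 for plain identifiers
        found.add(dex[start:end].decode("utf-8", errors="replace"))
    return found


def to_descriptor(class_name: str) -> str:
    """com.example.Main -> Lcom/example/Main;"""
    return "L" + class_name.replace(".", "/") + ";"


def missing_components(components: Iterable[str], dexes: Iterable[bytes]) -> List[str]:
    """Manifest components whose class is declared in none of the given dex files."""
    present: Set[str] = set()
    for d in dexes:
        present |= dex_strings(d)
    return [c for c in components if to_descriptor(c) not in present]


def check_apk(apk_path: str, components: Iterable[str]) -> List[str]:
    """Load classes.dex, classes2.dex, ... straight from the APK zip and run the check."""
    with zipfile.ZipFile(apk_path) as z:
        dexes = [z.read(n) for n in z.namelist()
                 if n.startswith("classes") and n.endswith(".dex") and "/" not in n]
    if not dexes:
        raise ValueError("no classes*.dex in APK root: almost certainly packed")
    return missing_components(components, dexes)


def build_minimal_dex(strings: List[str]) -> bytes:
    """Constructed test data: header plus string table only, enough for dex_strings()."""
    header = bytearray(0x70)
    header[:8] = b"dex\n035\x00"
    ids_off = 0x70
    data_off = ids_off + 4 * len(strings)
    ids, data = bytearray(), bytearray()
    for s in strings:
        assert len(s) < 128  # a single uleb128 byte is enough for this toy
        ids += struct.pack("<I", data_off + len(data))
        data += bytes([len(s)]) + s.encode("utf-8") + b"\x00"
    struct.pack_into("<II", header, 0x38, len(strings), ids_off)
    struct.pack_into("<I", header, 0x20, 0x70 + len(ids) + len(data))  # file_size
    struct.pack_into("<I", header, 0x24, 0x70)                          # header_size
    return bytes(header + ids + data)


if __name__ == "__main__":
    # Toy dex declaring two of three manifest components; a packer would hide the third
    dex = build_minimal_dex(["Lcom/example/MainActivity;", "Lcom/example/PushService;", "onCreate"])
    declared = ["com.example.MainActivity", "com.example.PushService", "com.example.BootReceiver"]
    print(missing_components(declared, [dex]))  # ['com.example.BootReceiver']
```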

Install the apk on the phone

adb install xxxx.apk

With the mobile testing environment configured, open the app and capture its traffic.

The app's home page is shown below:


When capturing the [Portfolio] page, I found that the data returned by the backend was all garbled, and repeated requests to the same endpoint returned data that looked different every time. In this situation the only option is to reverse the app and work out the algorithm used to encrypt and decrypt the packets.


After unpacking the APP with an unpacking tool, load it into Jadx.

In Jadx, search globally for the field names that appear in the Request and Response, and follow each one through for a rough overview.

I spent half a day on this without finding where the packets are encrypted and decrypted. In the end I asked a more experienced colleague, who explained that the js files are stored encrypted in the app's resource files; when the app needs them it reads them out of the resources and executes the encryption/decryption logic in the V8 engine (roughly like a mini-program).


After much struggling I finally located the relevant functions and extracted the js files from the app's resource files.


Frida rpc script

During analysis I confirmed that the readAssetBytes method of the org.appcelerator.kroll.util.KrollAssetHelper class is responsible for reading Asset resource files. So we hook this method here and return its result as a string.

// Convert a byte array (0-255 per element) to a string, one char per byte,
// so the result is byte-transparent (Latin-1 style) and can be re-encoded on the Python side
function Uint8ArrayToString(fileData) {
  var dataString = "";
  for (var i = 0; i < fileData.length; i++) {
    dataString += String.fromCharCode(fileData[i]);
  }
  return dataString;
}

// Read an asset through the app's own KrollAssetHelper.readAssetBytes and return its contents
function exportJsText(jsPath) {
  let res = '[]';
  // The app is already running, so Java.perform runs the callback synchronously here
  Java.perform(() => {
    let bytes = Java.use("org.appcelerator.kroll.util.KrollAssetHelper").readAssetBytes(jsPath);
    if (bytes === null) {
      return;  // asset not found: return an empty string
    }
    // Arrays.toString gives "[b0, b1, ...]" with signed Java bytes (-128..127)
    res = Java.use('java.util.Arrays').toString(bytes);
  });
  let inner = res.slice(1, -1);  // strip the surrounding brackets
  if (inner.length === 0) {
    return '';
  }
  // Without stripping the brackets, the first and last bytes would parse as NaN and be lost.
  // Uint8Array wraps the negative (signed) values back into 0..255.
  let arr = new Uint8Array(inner.split(',').map(Number));
  return Uint8ArrayToString(arr);
}

rpc.exports = {
  jstext: exportJsText
};

python script

Using python, call the exportJsText function in the frida script via RPC; this effectively lets us call the app's own function directly.

Here all Asset files are read out of the app's resources and written to the same directory structure on the local machine.

import os
import sys
import frida

def _saveFile(filename: str, content: str):
    # The RPC call returns one character per byte (Latin-1 style),
    # so re-encode to recover the original bytes and write them in binary mode
    try:
        with open(filename, 'wb') as file:
            file.write(content.encode('latin-1', errors='replace'))
    except OSError as e:
        print(e)

def on_message(message, data):
    if message['type'] == 'send':
        print("[*] {0}".format(message['payload']))
    else:
        print(message)

hookJsFile = "./rpc.js"
packageName = "quant.kuankr.com"
try:
    with open(hookJsFile, 'r') as f:
        jscode = f.read()
except Exception as e:
    print("read file failed")
    print(e)
    sys.exit(1)

device = frida.get_usb_device(1)
pid = None
for a in device.enumerate_applications():
    if a.identifier == packageName:
        pid = a.pid
        break
if not pid:  # pid is 0 when the app is installed but not running
    print("app {0} is not running".format(packageName))
    sys.exit(1)
process = device.attach(pid)
# process = frida.get_remote_device().attach(32583)
script = process.create_script(jscode)
script.on('message', on_message)
print('[*] Running hooking')
script.load()

def readJsFile(jspath):
    # Calls exportJsText inside the app via Frida RPC
    return script.exports.jstext(jspath)

fileList = ["Resources/ti.kernel.js", "Resources/ti.main.js", "Resources/app.js", "Resources/bootCover.js",
            "Resources/version.js", "Resources/boot/_dist.js", "Resources/boot/krequire.js", "Resources/boot/main.js",
            "Resources/boot/updater.js", "Resources/code/build-version.js", "Resources/boot/utils/device.js",
            "Resources/boot/utils/download.js", "Resources/boot/utils/network.js", "Resources/boot/utils/once.js",
            "Resources/boot/utils/path.js", "Resources/boot/utils/q.js", "Resources/boot/utils/splashScreen.js",
            "Resources/code/analytics/_dist.js", "Resources/code/analytics/device.js",
            "Resources/code/analytics/event.js", "Resources/code/analytics/keychain.js",
            "Resources/code/analytics/network.js", "Resources/code/analytics/service.js",
            "Resources/code/analytics/session_manager.js", "Resources/code/analytics/uncaught.js",
            "Resources/code/analytics/utils.js", "Resources/code/analytics/uuid.js",
            "Resources/code/classic-strategy-designer/main.js", "Resources/code/lib/FTPageHelper.js",
            "Resources/code/lib/FTResizable.js", "Resources/code/lib/FTThemable.js",
            "Resources/code/lib/FTViewCreater.js", "Resources/code/lib/_dist.js", "Resources/code/lib/device.js",
            "Resources/code/lib/eventTemplate.js", "Resources/code/lib/helper.js", "Resources/code/lib/ipadSplit.js",
            "Resources/code/lib/lodash.js", "Resources/code/lib/logKit.js", "Resources/code/lib/network.js",
            "Resources/code/lib/q.js", "Resources/code/lib/screen.js", "Resources/code/lib/session.js",
            "Resources/code/lib/utilUI.js", "Resources/code/lib/utils.js", "Resources/code/strategy-designer/_dist.js",
            "Resources/code/strategy-designer/button-style-page.js", "Resources/code/strategy-designer/interpreter.js",
            "Resources/code/strategy-designer/messager.js", "Resources/code/strategy-designer/resource.js",
            "Resources/code/strategy-designer/test.js", "Resources/code/strategy-designer/utils.js",
            "Resources/code/umeng.notification/eventHandlers.js", "Resources/code/umeng.notification/main.js",
            "Resources/code/umeng.notification/readme.js", "Resources/code/ui/entry.js", "Resources/code/ui/error.js",
            "Resources/code/ui/init.js", "Resources/code/ui/main-window.js",
            "Resources/code/modules/activity-service.js", "Resources/code/modules/ad-filter.js",
            "Resources/code/modules/adm.js", "Resources/code/modules/apple-login.js",
            "Resources/code/modules/blueeat-android.js", "Resources/code/modules/blueeat.js",
            "Resources/code/modules/cache.js", "Resources/code/modules/chart-settings.js",
            "Resources/code/modules/data-services.js", "Resources/code/modules/discount.js",
            "Resources/code/modules/formula-executer.js", "Resources/code/modules/fund-calculator.js",
            "Resources/code/modules/idfa.js", "Resources/code/modules/init.js",
            "Resources/code/modules/innerPageInterval.js", "Resources/code/modules/innerPageTasksInterval.js",
            "Resources/code/modules/keyboard-event.js", "Resources/code/modules/label-clipped-detector.js",
            "Resources/code/modules/local-notification.js", "Resources/code/modules/login.js",
            "Resources/code/modules/message-center.js", "Resources/code/modules/notification-center.js",
            "Resources/code/modules/pending-action.js", "Resources/code/modules/pinyin.js",
            "Resources/code/modules/portfolio.js", "Resources/code/modules/readable-version.js",
            "Resources/code/modules/screener-settings.js", "Resources/code/modules/share.js",
            "Resources/code/modules/signup.js", "Resources/code/modules/special-pay-tokens.js",
            "Resources/code/modules/speed-limited.js", "Resources/code/modules/stock.js",
            "Resources/code/modules/strategy-share-settings.js", "Resources/code/modules/subscribed-formula.js",
            "Resources/code/modules/task-restraint.js", "Resources/code/modules/tdx-functions.js",
            "Resources/code/modules/unique.js", "Resources/code/modules/web-injector.js",
            "Resources/code/modules/weixin-login.js", "Resources/code/views/views-list.js",
            "Resources/code/views/views.js", "Resources/code/utils/_dist.js", "Resources/code/utils/account.js",
            "Resources/code/utils/apiClient.js", "Resources/code/utils/apis.js", "Resources/code/utils/cache.js",
            "Resources/code/utils/delegate.js", "Resources/code/utils/eventTemplate.js",
            "Resources/code/utils/ftLog.js", "Resources/code/utils/hosts.js", "Resources/code/utils/krUtils.js",
            "Resources/code/utils/localStorage.js", "Resources/code/utils/purchase.js",
            "Resources/code/utils/resourceManager.js", "Resources/code/utils/umengPush.js",
            "Resources/code/lib/FTIcon/FTIcon.js", "Resources/code/lib/FTIcon/FontAwesome.js",
            "Resources/code/lib/FTIcon/IconicFont.js", "Resources/code/lib/FTIcon/README.js",
            "Resources/code/lib/configs/sizes.js", "Resources/code/lib/configs/themes.js",
            "Resources/code/lib/network_encryption/index.js", "Resources/code/lib/network_encryption/utils.js",
            "Resources/code/strategy-designer/controllers/controller-template.js",
            "Resources/code/strategy-designer/controllers/controllers-template.js",
            "Resources/code/strategy-designer/controllers/main.js",
            "Resources/code/strategy-designer/models/checkbox-model-template.js",
            "Resources/code/strategy-designer/models/common-model-template.js",
            "Resources/code/strategy-designer/models/list-model-template.js",
            "Resources/code/strategy-designer/models/main.js",
            "Resources/code/strategy-designer/models/switch-model-template.js",
            "Resources/code/strategy-designer/models/textfield-model-template.js",
            "Resources/code/strategy-designer/views/button-creater.js",
            "Resources/code/strategy-designer/views/main.js", "Resources/code/ui/account/cancellation.js",
            "Resources/code/ui/account/finish-signup.js", "Resources/code/ui/account/homepage.js",
            "Resources/code/ui/account/index.js", "Resources/code/ui/account/login.js",
            "Resources/code/ui/account/profile.js", "Resources/code/ui/account/settings.js",
            "Resources/code/ui/account/signup.js", "Resources/code/ui/account/try.js",
            "Resources/code/ui/account/update.js", "Resources/code/ui/activity/best-strategies-certificate.js",
            "Resources/code/ui/activity/best-strategies.js", "Resources/code/ui/activity/bind-weixin.js",
            "Resources/code/ui/activity/buy-themes.js", "Resources/code/ui/activity/follow-weixin.js",
            "Resources/code/ui/activity/index.js", "Resources/code/ui/activity/smalltests.js",
            "Resources/code/ui/article/create.js", "Resources/code/ui/article/mine.js",
            "Resources/code/ui/article/preview.js", "Resources/code/ui/article/published-articles.js",
            "Resources/code/ui/article/settings-detail.js", "Resources/code/ui/article/settings.js",
            "Resources/code/ui/article/web-tip.js", "Resources/code/ui/coupon/index.js",
            "Resources/code/ui/data-center/hk-inflow.js", "Resources/code/ui/data-center/hot-spots.js",
            "Resources/code/ui/data-center/index.js", "Resources/code/ui/data-center/sector.js",
            "Resources/code/ui/feedback/index.js", "Resources/code/ui/fund/create.js",
            "Resources/code/ui/fund/current-followed-strategy.js", "Resources/code/ui/fund/current-position.js",
            "Resources/code/ui/fund/follow-history.js", "Resources/code/ui/fund/index.js",
            "Resources/code/ui/fund/latest-adjustment.js", "Resources/code/ui/fund/report.js",
            "Resources/code/ui/fund/settings.js", "Resources/code/ui/fund/subscription.js",
            "Resources/code/ui/fund/trading-records.js", "Resources/code/ui/fund/update.js",
            "Resources/code/ui/home/articles.js", "Resources/code/ui/home/index.js",
            "Resources/code/ui/indicator/index.js", "Resources/code/ui/indicator/published-indicator.js",
            "Resources/code/ui/indicator/search.js", "Resources/code/ui/indicator/test-indicator.js",
            "Resources/code/ui/indicator/theme-indicator.js", "Resources/code/ui/message-center/index.js",
            "Resources/code/ui/message-center/list.js", "Resources/code/ui/message-center/settings.js",
            "Resources/code/ui/moments/create.js", "Resources/code/ui/moments/details.js",
            "Resources/code/ui/moments/homepage.js", "Resources/code/ui/moments/index.js",
            "Resources/code/ui/moments/messages.js", "Resources/code/ui/portfolio/android-portfolio-adjustment.js",
            "Resources/code/ui/portfolio/groups-management.js", "Resources/code/ui/portfolio/index.js",
            "Resources/code/ui/portfolio/ios-portfolio-adjustment.js", "Resources/code/ui/portfolio/realtime-stock.js",
            "Resources/code/ui/portfolio/search.js", "Resources/code/ui/portfolio/stock.js",
            "Resources/code/ui/screener/index.js", "Resources/code/ui/screener/realtime-stock.js",
            "Resources/code/ui/screener/report.js", "Resources/code/ui/screener/theme-screener.js",
            "Resources/code/ui/settings/blacklist.js", "Resources/code/ui/settings/cache-clean.js",
            "Resources/code/ui/settings/fontsize.js", "Resources/code/ui/settings/index.js",
            "Resources/code/ui/settings/indicator-settings-detail.js",
            "Resources/code/ui/settings/indicator-settings.js", "Resources/code/ui/settings/ipad-split.js",
            "Resources/code/ui/settings/macd-kdj-boll.js", "Resources/code/ui/settings/strategy-share.js",
            "Resources/code/ui/settings/theme.js", "Resources/code/ui/shop/coin.js",
            "Resources/code/ui/shop/green-qrcode-eat.js", "Resources/code/ui/shop/vip.js",
            "Resources/code/ui/singlestock/my-published-strategies.js",
            "Resources/code/ui/singlestock/my-saved-strategies.js", "Resources/code/ui/singlestock/report.js",
            "Resources/code/ui/singlestock/subscribe.js", "Resources/code/ui/singlestock/trading-records.js",
            "Resources/code/ui/singlestock/trading-reminder-detail.js",
            "Resources/code/ui/singlestock/trading-reminder.js", "Resources/code/ui/user-center/favorites.js",
            "Resources/code/ui/user-center/index.js", "Resources/code/ui/user-center/subscriptions.js",
            "Resources/code/ui/strategy/create.js", "Resources/code/ui/strategy/index.js",
            "Resources/code/ui/strategy/market.js", "Resources/code/ui/strategy/my-published.js",
            "Resources/code/ui/strategy/my-saved.js", "Resources/code/ui/strategy/report.js",
            "Resources/code/ui/strategy/search.js", "Resources/code/ui/strategy/share-reward-record.js",
            "Resources/code/ui/strategy/subscribe.js", "Resources/code/ui/strategy/trading-records.js",
            "Resources/code/ui/strategy/trading-reminder.js", "Resources/code/ui/utils-ui/choose-image.js",
            "Resources/code/ui/utils-ui/delay-price-intro.js", "Resources/code/ui/utils-ui/follow-recommend.js",
            "Resources/code/ui/utils-ui/fullscreen-chart.js", "Resources/code/ui/utils-ui/preview-image.js",
            "Resources/code/ui/utils-ui/subscription-period-intro.js",
            "Resources/code/ui/utils-ui/weixin-notification.js", "Resources/code/ui/utils-ui/weixin-qrcode-login.js",
            "Resources/code/ui/web/index.js", "Resources/code/ui/whitehorse/index.js",
            "Resources/code/ui/whitehorse/strategy.js", "Resources/code/ui/whitehorse/subscription.js",
            "Resources/code/modules/stockchart/main.js", "Resources/code/modules/storekit/ios-purchase-ui.js",
            "Resources/code/modules/storekit/iosPurchaseUtil.js", "Resources/code/modules/storekit/order.js",
            "Resources/code/modules/storekit/storekit.js", "Resources/code/modules/storekit/storekitWrapper.js",
            "Resources/code/modules/tdx/tdx_error.js", "Resources/code/modules/tdx/tdx_grammar.js",
            "Resources/code/modules/tdx/tdx_main.js", "Resources/code/modules/tdx/tdx_parser.js",
            "Resources/_app_props_.json", "Resources/_env_.json", "Resources/code/modules/tdx/tdx_semantic.js",
            "Resources/code/modules/tdx/tdx_types.js", "Resources/code/modules/tdx/tdx_word.js",
            "Resources/code/modules/tdx-plugin/main.js", "Resources/code/modules/tdx-plugin/tdx-functions.js",
            "Resources/code/modules/ths-encoder/index.js", "Resources/code/modules/ths-encoder/readme.js",
            "Resources/code/views/account/views.js", "Resources/code/views/charts/pie-chart.js",
            "Resources/code/views/coupon/views.js", "Resources/code/views/data-center/views-list.js",
            "Resources/code/views/formula/views-list.js", "Resources/code/views/formula/views.js",
            "Resources/code/views/fund/views-list.js", "Resources/code/views/fund/views.js",
            "Resources/code/views/home/views.js", "Resources/code/views/indicator/views-list.js",
            "Resources/code/views/indicator/views.js", "Resources/code/views/ios-style-notification/views.js",
            "Resources/code/views/message/views.js", "Resources/code/views/picker/views.js",
            "Resources/code/views/portfolio/views-list.js", "Resources/code/views/portfolio/views.js",
            "Resources/code/views/selector/views-list.js", "Resources/code/views/selector/views.js",
            "Resources/code/views/share/views.js", "Resources/code/views/singlestock/views-list.js",
            "Resources/code/views/singlestock/views-t0.js", "Resources/code/views/singlestock/views.js",
            "Resources/code/views/strategy/views.js", "Resources/code/views/user-center/views-list.js",
            "Resources/code/views/whitehorse/views.js",
            "Resources/code/strategy-designer/controllers/button-style/main.js",
            "Resources/code/strategy-designer/models/indicators/indicator-filter.js",
            "Resources/code/strategy-designer/models/indicators/indicator-group-template.js",
            "Resources/code/strategy-designer/models/indicators/indicator-groups-template.js",
            "Resources/code/strategy-designer/models/indicators/indicator-template.js",
            "Resources/code/strategy-designer/models/indicators/main.js",
            "Resources/code/strategy-designer/models/indicators/network-cache.js",
            "Resources/code/strategy-designer/models/indicators/params-setting.js",
            "Resources/code/ui/article/widgets/formula.js", "Resources/code/ui/article/widgets/strategy.js",
            "Resources/code/ui/article/widgets/views.js", "Resources/code/ui/coupon/services/main.js",
            "Resources/code/ui/fund/service/main.js", "Resources/code/ui/indicator/develop/create.js",
            "Resources/code/ui/indicator/develop/indicator-params.js",
            "Resources/code/ui/indicator/develop/published-private-indicator.js",
            "Resources/code/ui/indicator/develop/saved-indicator.js",
            "Resources/code/ui/indicator/develop/settings-update.js", "Resources/code/ui/indicator/develop/settings.js",
            "Resources/code/ui/indicator/develop/test-indicator.js", "Resources/code/ui/indicator/service/api.js",
            "Resources/code/ui/indicator/service/main.js", "Resources/code/ui/indicator/service/utils.js",
            "Resources/code/ui/message-center/services/main.js", "Resources/code/ui/moments/properties/funds.js",
            "Resources/code/ui/moments/properties/indicators.js", "Resources/code/ui/moments/properties/strategies.js",
            "Resources/code/ui/moments/services/blacklist.js", "Resources/code/ui/moments/services/main.js",
            "Resources/code/ui/moments/services/path.js", "Resources/code/ui/screener/develop/button-style.js",
            "Resources/code/ui/screener/develop/save-strategy.js", "Resources/code/ui/screener/develop/text-style.js",
            "Resources/code/ui/screener/service/api.js", "Resources/code/ui/screener/service/main.js",
            "Resources/code/ui/screener/service/utils.js", "Resources/code/ui/singlestock/develop/backtest-time.js",
            "Resources/code/ui/singlestock/develop/button-style.js",
            "Resources/code/ui/singlestock/develop/load-template.js",
            "Resources/code/ui/singlestock/develop/publish-strategy.js",
            "Resources/code/ui/singlestock/develop/report.js", "Resources/code/ui/singlestock/develop/save-strategy.js",
            "Resources/code/ui/singlestock/develop/saveas-template.js",
            "Resources/code/ui/singlestock/develop/settings-update.js",
            "Resources/code/ui/singlestock/develop/settings.js", "Resources/code/ui/singlestock/develop/text-style.js",
            "Resources/code/ui/singlestock/service/main.js", "Resources/code/ui/singlestock/service/utils.js",
            "Resources/code/ui/singlestock/t0-course/index.js", "Resources/code/ui/strategy/develop/backtest-time.js",
            "Resources/code/ui/strategy/develop/button-style.js",
            "Resources/code/ui/strategy/develop/publish-strategy.js", "Resources/code/ui/strategy/develop/report.js",
            "Resources/code/ui/strategy/develop/rule-statistics.js",
            "Resources/code/ui/strategy/develop/save-strategy.js",
            "Resources/code/ui/strategy/develop/settings-update.js", "Resources/code/ui/strategy/develop/settings.js",
            "Resources/code/ui/strategy/develop/stockpool.js", "Resources/code/ui/strategy/develop/text-style.js",
            "Resources/code/ui/strategy/service/api.js", "Resources/code/ui/strategy/service/main.js",
            "Resources/code/ui/strategy/service/utils.js", "Resources/code/ui/web/services/article.js",
            "Resources/code/ui/web/services/quant.js", "Resources/code/views/picker/android-picker/picker.js",
            "Resources/code/strategy-designer/controllers/button-style/rows/checkbox-controller.js",
            "Resources/code/strategy-designer/controllers/button-style/rows/common-controller.js",
            "Resources/code/strategy-designer/controllers/button-style/rows/indicator-controller.js",
            "Resources/code/strategy-designer/controllers/button-style/rows/list-controller.js",
            "Resources/code/strategy-designer/controllers/button-style/rows/main.js",
            "Resources/code/strategy-designer/controllers/button-style/rows/switch-controller.js",
            "Resources/code/strategy-designer/controllers/button-style/rows/textarea-controller.js",
            "Resources/code/strategy-designer/controllers/button-style/rows/textfield-controller.js",
            "Resources/code/strategy-designer/controllers/button-style/sections/common-controller.js",
            "Resources/code/strategy-designer/controllers/button-style/sections/indicator-controller.js",
            "Resources/code/strategy-designer/controllers/button-style/sections/list-controller.js",
            "Resources/code/strategy-designer/controllers/button-style/sections/main.js",
            "Resources/code/strategy-designer/models/indicators/intraday-indicators/groups.js",
            "Resources/code/strategy-designer/models/indicators/intraday-indicators/indicators.js",
            "Resources/code/strategy-designer/models/indicators/intraday-indicators/intraday-indicator-template.js",
            "Resources/code/strategy-designer/models/indicators/intraday-indicators/main.js",
            "Resources/code/strategy-designer/models/indicators/system-indicators/boll.js",
            "Resources/code/strategy-designer/models/indicators/system-indicators/break.js",
            "Resources/code/strategy-designer/models/indicators/system-indicators/ema.js",
            "Resources/code/strategy-designer/models/indicators/system-indicators/kdj.js",
            "Resources/code/strategy-designer/models/indicators/system-indicators/ma.js",
            "Resources/code/strategy-designer/models/indicators/system-indicators/macd.js",
            "Resources/code/strategy-designer/models/indicators/system-indicators/main.js",
            "Resources/code/strategy-designer/models/indicators/system-indicators/others.js",
            "Resources/code/strategy-designer/models/indicators/system-indicators/volatility.js",
            "Resources/code/strategy-designer/models/indicators/system-indicators/volume.js",
            "Resources/code/strategy-designer/models/indicators/user-indicators/controlled-indicators.js",
            "Resources/code/strategy-designer/models/indicators/user-indicators/main.js",
            "Resources/code/strategy-designer/models/indicators/user-indicators/published-indicators.js",
            "Resources/code/strategy-designer/models/indicators/user-indicators/user-indicators-template.js",
            "Resources/code/strategy-designer/views/button-style/rows/checkbox-row.js",
            "Resources/code/strategy-designer/views/button-style/rows/common-row.js",
            "Resources/code/strategy-designer/views/button-style/rows/editable-row.js",
            "Resources/code/strategy-designer/views/button-style/rows/list-row.js",
            "Resources/code/strategy-designer/views/button-style/rows/row.js",
            "Resources/code/strategy-designer/views/button-style/rows/switch-row.js",
            "Resources/code/strategy-designer/views/button-style/rows/textarea-row.js",
            "Resources/code/strategy-designer/views/button-style/rows/textfield-row.js",
            "Resources/code/strategy-designer/views/button-style/sections/common-section.js",
            "Resources/code/strategy-designer/views/button-style/sections/editable-section.js",
            "Resources/code/strategy-designer/views/button-style/sections/list-section.js",
            "Resources/code/strategy-designer/views/button-style/sections/section.js",
            "Resources/code/strategy-designer/views/text-style/rows/card-row.js",
            "Resources/code/strategy-designer/views/text-style/rows/common-row.js",
            "Resources/code/strategy-designer/views/text-style/sections/common-section.js",
            "Resources/code/ui/screener/develop/config-files/messager.js",
            "Resources/code/ui/screener/develop/config-files/screener-config.js",
            "Resources/code/ui/singlestock/develop/config-files/messager.js",
            "Resources/code/ui/singlestock/develop/config-files/strategy-design-config.js",
            "Resources/code/ui/singlestock/develop/config-files/t0-strategy-design-config.js",
            "Resources/code/ui/singlestock/develop/t0/button-style.js",
            "Resources/code/ui/singlestock/develop/t0/choose-symbols.js",
            "Resources/code/ui/singlestock/develop/t0/formula-edit.js",
            "Resources/code/ui/singlestock/develop/t0/text-style.js",
            "Resources/code/ui/singlestock/service/data/singlestock.js",
            "Resources/code/ui/singlestock/service/data/t0.js",
            "Resources/code/ui/singlestock/t0-course/views/views.js",
            "Resources/code/ui/strategy/develop/config-files/market-round-rule-config.js",
            "Resources/code/ui/strategy/develop/config-files/market-signal-rule-config.js",
            "Resources/code/ui/strategy/develop/config-files/market-smallcap-rule-config.js",
            "Resources/code/ui/strategy/develop/config-files/messager.js", "Resources/ti.internal/bootstrap.json"]

for jspath in fileList:
    # Recreate the asset's directory structure locally before writing it
    path = os.path.dirname(jspath)
    if path:
        os.makedirs(path, exist_ok=True)
    js = readJsFile(jspath)
    _saveFile(jspath, js)

Only after reading out all the Asset files did I realise this is the Titanium SDK [Write in JavaScript. Run native everywhere.]

Its purpose: build fully native cross-platform mobile applications using JavaScript.

The directory structure is shown below:


Analysing the extracted js files, I worked out the decryption logic:


Core decryption algorithm:

key = networkEncryption.encryptionPrivateKey * publicEncryptionKey % 256

function decryptBlob(blob, key) {
    for (var arrayBuffer = blob.toArrayBuffer(), uint8Array = new Uint8Array(arrayBuffer), length = uint8Array.length, i = 0; i < length; ++i)
        uint8Array[i] ^= key;
    return uint8Array;
}

encryptionPrivateKey is hard-coded in the js file, and publicEncryptionKey comes from the value of the x-data-binary field in the Response header. The so-called decryption is simply XORing every byte of the raw byte stream in the Response body with the key.
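As an added example (not code from the article), the following Python reproduces the scheme offline on a constructed response and shows what it buys the app's operator: the body changes per request only because x-data-binary changes, the key byte is fixed by a single known plaintext byte (every JSON body starts with "{"), and a header value that is a multiple of 256 sends the body in the clear. The value 10641 for encryptionPrivateKey is taken from the article's own decrypt script.

```python
import json

# encryptionPrivateKey hard-coded in the app's JS; 10641 is the value used in the article's script
PRIVATE_KEY = 10641


def derive_key(public_key: int, private_key: int = PRIVATE_KEY) -> int:
    """key = encryptionPrivateKey * publicEncryptionKey % 256 (publicEncryptionKey = x-data-binary)."""
    return (private_key * public_key) % 256


def xor_bytes(data: bytes, key: int) -> bytes:
    """decryptBlob(): XOR every byte with one key byte. XOR is its own inverse, so this also encrypts."""
    return bytes(b ^ key for b in data)


def decrypt_response(body: bytes, headers: dict) -> dict:
    """Reproduce the app's decryption for one captured response and parse the JSON inside."""
    key = derive_key(int(headers["x-data-binary"]))
    return json.loads(xor_bytes(body, key).decode("utf-8"))


def recover_key_without_secret(body: bytes, first_plaintext_byte: int = ord("{")) -> int:
    """Risk: a single-byte XOR key is fully determined by one known plaintext byte,
    and JSON bodies start with '{'. The hard-coded private key adds no protection."""
    return body[0] ^ first_plaintext_byte


def leaks_plaintext(public_key: int) -> bool:
    """With an odd private key the derived key is 0 exactly when x-data-binary is a
    multiple of 256; such responses travel unmodified."""
    return derive_key(public_key) == 0


def demo() -> dict:
    # Constructed sample, not captured traffic: what one portfolio response might carry
    plaintext = {"code": 0, "data": [{"symbol": "000001", "price": 12.34}]}
    public_key = 4567  # constructed x-data-binary value
    headers = {"x-data-binary": str(public_key)}
    body = xor_bytes(json.dumps(plaintext).encode("utf-8"), derive_key(public_key))
    return {
        "key": derive_key(public_key),  # 199
        "roundtrip_ok": decrypt_response(body, headers) == plaintext,
        "recovered_key_matches": recover_key_without_secret(body) == derive_key(public_key),
        "plaintext_when_header_is_256": leaks_plaintext(256),
    }


if __name__ == "__main__":
    print(demo())
```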


Confirm in 010 Editor that the decryption algorithm worked out above is correct


Write a python script to do the decryption:

import requests

# Disable SSL warnings
try:
    import requests.packages.urllib3
    requests.packages.urllib3.disable_warnings()
except Exception:
    pass

def decrypt(url):
    req = requests.get(url=url)
    # publicEncryptionKey comes from the response header; encryptionPrivateKey (10641) is hard-coded in the app's js
    encryptionHeaderKey = req.headers['x-data-binary']
    key = 10641 * int(encryptionHeaderKey) % 256
    # XOR every byte of the response body with the single-byte key
    res = bytes(b ^ key for b in req.content).decode('utf-8')
    print(res)
    return res


if __name__ == "__main__":
    url = "http://x.x.x.x/v1/articles/articles.json?app=quant&client=Android%20Pixel%204&version=3.2.2.403&_host_=quant.fattail.cn&category=rec&page=1&pagesize=3"
    decrypt(url)

With this, the decryption analysis of this app's packets is complete.


Finally, a summary of the skills needed and the problems encountered:

1. Using tools to detect and remove the packer

2. Decompiling the apk and Ctrl+F on common keywords

3. Simple Frida hooks

4. A little js analysis ability

The keyword Titanium appeared all over the decompiled code, but at the time I did not realise it is an open-source SDK that packages js, so I went round in circles and took a lot of detours. If anything here is wrong, corrections from the experts are welcome.

# Penetration Testing # Encryption and Decryption # Frida Hook # Network Security, APP Security