I recently got a private message asking for help: a guy who trades stocks said the app's data used to be plaintext but is now encrypted, and he wanted me to look at the encrypted packets of the app. I happened to have little on my plate and was learning Frida anyway, so helping out doubled as practice.
APP download address:
aHR0cHM6Ly9xdWFudC5hZ3VkYXNoaS5jbi9hcHAtZG93bmxvYWQuaHRtbD9hcHA9cXVhbnQ=
After downloading the APP, first check with ApkScan-PKID whether it is packed (hardened).
To judge whether an apk is packed, the following methods can be used:
Method one: rename the apk suffix to zip, extract it with an archiver, and check whether the root of the extracted folder contains classes.dex, classes2.dex, etc. If it does, open them with jadx and see whether the complete code of the corresponding files is visible. This is the simplest case.
Method two: decompile AndroidManifest.xml, then go through the activity, service, broadcast receiver and provider entries declared in it and check whether each of these classes actually exists in the classes.dex file.
Method three: vendors who pack apps obviously have to decrypt the data at runtime, so characteristic Java code or characteristic .so files are necessarily bundled in the apk; these can be searched for to decide whether the app is packed, and this is also what mainstream packer-detection tools rely on. A brief summary of the characteristic Java code or .so files of common vendors' packers is here:
http://book.fsec.io/201-%E6%BC%8F%E6%B4%9E%E5%8E%9F%E7%90%86%E4%B8%8E%E5%B7%A5%E5%85%B7/201-A-%E6%BC%8F%E6%B4%9E%E5%8E%9F%E7%90%86/201-A21-%E5%AE%89%E5%8D%93%E5%BA%94%E7%94%A8%E6%B5%8B%E8%AF%95.html
Method four: use helper tools on the corresponding client to assist the judgement. Helper tools on the relevant platforms include:
1. PKID
2. MT Manager
3. ......
Install the apk on the phone:
adb install xxxx.apk
With the mobile test environment set up, open the app and capture its traffic.
The app's home page is shown below:
When capturing the traffic of the [Portfolio] page, the data returned by the backend was all garbled, and repeated requests to the same endpoint returned data that looked different every time. In this situation the only option is to reverse the app and work out the algorithm that encrypts and decrypts the packets.
After unpacking the APP with an unpacking tool, load it into Jadx.
In Jadx, search globally for the field names that appear in the Request and Response, and follow each of them through roughly.
After spending half a day on this without finding where the packets were encrypted and decrypted, I finally asked a senior, who explained that the JS files are stored encrypted in the app's resources; when the app needs them it reads them from the resources and executes the encryption/decryption logic in the V8 engine (essentially a mini-program).
After a long fight I finally found the relevant functions and extracted the JS files from the app's resources.
Frida RPC script
During analysis it was confirmed that the readAssetBytes method of the org.appcelerator.kroll.util.KrollAssetHelper class is responsible for reading Asset resource files, so we hook this method here and return the result as a string.
```javascript
// Convert a byte array to a string, one character per byte (values 0..255)
function Uint8ArrayToString(fileData) {
    var dataString = "";
    for (var i = 0; i < fileData.length; i++) {
        dataString += String.fromCharCode(fileData[i]);
    }
    return dataString;
}

// Read one asset through the app's own KrollAssetHelper and return it as text
function exportJsText(jsPath) {
    let res = '';
    Java.perform(() => {
        let str = Java.use("org.appcelerator.kroll.util.KrollAssetHelper").readAssetBytes(jsPath);
        // Arrays.toString gives "[b0, b1, ...]" with signed Java bytes (-128..127)
        res = Java.use('java.util.Arrays').toString(str);
        // res = Java.use('java.lang.String').$new(str);
    });
    if (res.length <= 2) {
        return '';  // "[]": empty or unreadable asset
    }
    // Strip the surrounding brackets before splitting; otherwise the first and
    // last entries parse as NaN and the first/last byte of the file is lost.
    let bytes = res.slice(1, -1).split(',').map(s => parseInt(s.trim(), 10));
    // The Uint8Array constructor wraps negative (signed) bytes into 0..255
    let arr = new Uint8Array(bytes);
    return Uint8ArrayToString(arr);
}

rpc.exports = {
    jstext: exportJsText
};
```
Python script
Python calls the exportJsText function of the Frida script via RPC, which means we can directly call functions inside the app.
Here all the Asset files are read out of the app's resources and written to the local machine under the same directory structure.
```python
import os
import sys
import frida


def _saveFile(filename: str, content: str):
    # The RPC returns one character per byte (0..255), so latin-1 round-trips
    # the raw bytes; 'w' (not 'a+') avoids appending on a second run.
    try:
        with open(filename, 'w', encoding='latin-1') as file:
            file.write(str(content))
    except OSError as e:
        print(e)


def on_message(message, data):
    if message['type'] == 'send':
        print("[*] {0}".format(message['payload']))
    else:
        print(message)


hookJsFile = "./rpc.js"
appPackageName = "quant.kuankr.com"

try:
    with open(hookJsFile, 'r') as f:
        jscode = f.read()
except Exception as e:
    print("read file failed")
    print(e)
    sys.exit(1)

device = frida.get_usb_device(1)
pid = None
for a in device.enumerate_applications():
    if a.identifier == appPackageName:
        pid = a.pid
        break
if not pid:
    # pid is 0 when the app is installed but not running
    print("app not running: {0}".format(appPackageName))
    sys.exit(1)
process = device.attach(pid)
# process = frida.get_remote_device().attach(32583)
script = process.create_script(jscode)
script.on('message', on_message)
print('[*] Running hooking')
script.load()


def readJsFile(jspath):
    # Calls exportJsText inside the app through the RPC export
    return script.exports.jstext(jspath)


fileList = ["Resources/ti.kernel.js", "Resources/ti.main.js", "Resources/app.js", "Resources/bootCover.js", "Resources/version.js", "Resources/boot/_dist.js", "Resources/boot/krequire.js", "Resources/boot/main.js", "Resources/boot/updater.js", "Resources/code/build-version.js", "Resources/boot/utils/device.js", "Resources/boot/utils/download.js", "Resources/boot/utils/network.js", "Resources/boot/utils/once.js", "Resources/boot/utils/path.js", "Resources/boot/utils/q.js", "Resources/boot/utils/splashScreen.js", "Resources/code/analytics/_dist.js", "Resources/code/analytics/device.js", "Resources/code/analytics/event.js", "Resources/code/analytics/keychain.js", "Resources/code/analytics/network.js", "Resources/code/analytics/service.js", "Resources/code/analytics/session_manager.js", "Resources/code/analytics/uncaught.js", "Resources/code/analytics/utils.js", "Resources/code/analytics/uuid.js", "Resources/code/classic-strategy-designer/main.js", "Resources/code/lib/FTPageHelper.js", "Resources/code/lib/FTResizable.js", "Resources/code/lib/FTThemable.js",
    "Resources/code/lib/FTViewCreater.js", "Resources/code/lib/_dist.js", "Resources/code/lib/device.js", "Resources/code/lib/eventTemplate.js", "Resources/code/lib/helper.js", "Resources/code/lib/ipadSplit.js", "Resources/code/lib/lodash.js", "Resources/code/lib/logKit.js", "Resources/code/lib/network.js", "Resources/code/lib/q.js", "Resources/code/lib/screen.js", "Resources/code/lib/session.js", "Resources/code/lib/utilUI.js", "Resources/code/lib/utils.js", "Resources/code/strategy-designer/_dist.js", "Resources/code/strategy-designer/button-style-page.js", "Resources/code/strategy-designer/interpreter.js", "Resources/code/strategy-designer/messager.js", "Resources/code/strategy-designer/resource.js", "Resources/code/strategy-designer/test.js", "Resources/code/strategy-designer/utils.js", "Resources/code/umeng.notification/eventHandlers.js", "Resources/code/umeng.notification/main.js", "Resources/code/umeng.notification/readme.js", "Resources/code/ui/entry.js", "Resources/code/ui/error.js", "Resources/code/ui/init.js", "Resources/code/ui/main-window.js", "Resources/code/modules/activity-service.js", "Resources/code/modules/ad-filter.js", "Resources/code/modules/adm.js", "Resources/code/modules/apple-login.js", "Resources/code/modules/blueeat-android.js", "Resources/code/modules/blueeat.js", "Resources/code/modules/cache.js", "Resources/code/modules/chart-settings.js", "Resources/code/modules/data-services.js", "Resources/code/modules/discount.js", "Resources/code/modules/formula-executer.js", "Resources/code/modules/fund-calculator.js", "Resources/code/modules/idfa.js", "Resources/code/modules/init.js", "Resources/code/modules/innerPageInterval.js", "Resources/code/modules/innerPageTasksInterval.js", "Resources/code/modules/keyboard-event.js", "Resources/code/modules/label-clipped-detector.js", "Resources/code/modules/local-notification.js", "Resources/code/modules/login.js", "Resources/code/modules/message-center.js", "Resources/code/modules/notification-center.js",
    "Resources/code/modules/pending-action.js", "Resources/code/modules/pinyin.js", "Resources/code/modules/portfolio.js", "Resources/code/modules/readable-version.js", "Resources/code/modules/screener-settings.js", "Resources/code/modules/share.js", "Resources/code/modules/signup.js", "Resources/code/modules/special-pay-tokens.js", "Resources/code/modules/speed-limited.js", "Resources/code/modules/stock.js", "Resources/code/modules/strategy-share-settings.js", "Resources/code/modules/subscribed-formula.js", "Resources/code/modules/task-restraint.js", "Resources/code/modules/tdx-functions.js", "Resources/code/modules/unique.js", "Resources/code/modules/web-injector.js", "Resources/code/modules/weixin-login.js", "Resources/code/views/views-list.js", "Resources/code/views/views.js", "Resources/code/utils/_dist.js", "Resources/code/utils/account.js", "Resources/code/utils/apiClient.js", "Resources/code/utils/apis.js", "Resources/code/utils/cache.js", "Resources/code/utils/delegate.js", "Resources/code/utils/eventTemplate.js", "Resources/code/utils/ftLog.js", "Resources/code/utils/hosts.js", "Resources/code/utils/krUtils.js", "Resources/code/utils/localStorage.js", "Resources/code/utils/purchase.js", "Resources/code/utils/resourceManager.js", "Resources/code/utils/umengPush.js", "Resources/code/lib/FTIcon/FTIcon.js", "Resources/code/lib/FTIcon/FontAwesome.js", "Resources/code/lib/FTIcon/IconicFont.js", "Resources/code/lib/FTIcon/README.js", "Resources/code/lib/configs/sizes.js", "Resources/code/lib/configs/themes.js", "Resources/code/lib/network_encryption/index.js", "Resources/code/lib/network_encryption/utils.js", "Resources/code/strategy-designer/controllers/controller-template.js", "Resources/code/strategy-designer/controllers/controllers-template.js", "Resources/code/strategy-designer/controllers/main.js", "Resources/code/strategy-designer/models/checkbox-model-template.js", "Resources/code/strategy-designer/models/common-model-template.js",
    "Resources/code/strategy-designer/models/list-model-template.js", "Resources/code/strategy-designer/models/main.js", "Resources/code/strategy-designer/models/switch-model-template.js", "Resources/code/strategy-designer/models/textfield-model-template.js", "Resources/code/strategy-designer/views/button-creater.js", "Resources/code/strategy-designer/views/main.js", "Resources/code/ui/account/cancellation.js", "Resources/code/ui/account/finish-signup.js", "Resources/code/ui/account/homepage.js", "Resources/code/ui/account/index.js", "Resources/code/ui/account/login.js", "Resources/code/ui/account/profile.js", "Resources/code/ui/account/settings.js", "Resources/code/ui/account/signup.js", "Resources/code/ui/account/try.js", "Resources/code/ui/account/update.js", "Resources/code/ui/activity/best-strategies-certificate.js", "Resources/code/ui/activity/best-strategies.js", "Resources/code/ui/activity/bind-weixin.js", "Resources/code/ui/activity/buy-themes.js", "Resources/code/ui/activity/follow-weixin.js", "Resources/code/ui/activity/index.js", "Resources/code/ui/activity/smalltests.js", "Resources/code/ui/article/create.js", "Resources/code/ui/article/mine.js", "Resources/code/ui/article/preview.js", "Resources/code/ui/article/published-articles.js", "Resources/code/ui/article/settings-detail.js", "Resources/code/ui/article/settings.js", "Resources/code/ui/article/web-tip.js", "Resources/code/ui/coupon/index.js", "Resources/code/ui/data-center/hk-inflow.js", "Resources/code/ui/data-center/hot-spots.js", "Resources/code/ui/data-center/index.js", "Resources/code/ui/data-center/sector.js", "Resources/code/ui/feedback/index.js", "Resources/code/ui/fund/create.js", "Resources/code/ui/fund/current-followed-strategy.js", "Resources/code/ui/fund/current-position.js", "Resources/code/ui/fund/follow-history.js", "Resources/code/ui/fund/index.js", "Resources/code/ui/fund/latest-adjustment.js", "Resources/code/ui/fund/report.js", "Resources/code/ui/fund/settings.js",
    "Resources/code/ui/fund/subscription.js", "Resources/code/ui/fund/trading-records.js", "Resources/code/ui/fund/update.js", "Resources/code/ui/home/articles.js", "Resources/code/ui/home/index.js", "Resources/code/ui/indicator/index.js", "Resources/code/ui/indicator/published-indicator.js", "Resources/code/ui/indicator/search.js", "Resources/code/ui/indicator/test-indicator.js", "Resources/code/ui/indicator/theme-indicator.js", "Resources/code/ui/message-center/index.js", "Resources/code/ui/message-center/list.js", "Resources/code/ui/message-center/settings.js", "Resources/code/ui/moments/create.js", "Resources/code/ui/moments/details.js", "Resources/code/ui/moments/homepage.js", "Resources/code/ui/moments/index.js", "Resources/code/ui/moments/messages.js", "Resources/code/ui/portfolio/android-portfolio-adjustment.js", "Resources/code/ui/portfolio/groups-management.js", "Resources/code/ui/portfolio/index.js", "Resources/code/ui/portfolio/ios-portfolio-adjustment.js", "Resources/code/ui/portfolio/realtime-stock.js", "Resources/code/ui/portfolio/search.js", "Resources/code/ui/portfolio/stock.js", "Resources/code/ui/screener/index.js", "Resources/code/ui/screener/realtime-stock.js", "Resources/code/ui/screener/report.js", "Resources/code/ui/screener/theme-screener.js", "Resources/code/ui/settings/blacklist.js", "Resources/code/ui/settings/cache-clean.js", "Resources/code/ui/settings/fontsize.js", "Resources/code/ui/settings/index.js", "Resources/code/ui/settings/indicator-settings-detail.js", "Resources/code/ui/settings/indicator-settings.js", "Resources/code/ui/settings/ipad-split.js", "Resources/code/ui/settings/macd-kdj-boll.js", "Resources/code/ui/settings/strategy-share.js", "Resources/code/ui/settings/theme.js", "Resources/code/ui/shop/coin.js", "Resources/code/ui/shop/green-qrcode-eat.js", "Resources/code/ui/shop/vip.js", "Resources/code/ui/singlestock/my-published-strategies.js", "Resources/code/ui/singlestock/my-saved-strategies.js",
    "Resources/code/ui/singlestock/report.js", "Resources/code/ui/singlestock/subscribe.js", "Resources/code/ui/singlestock/trading-records.js", "Resources/code/ui/singlestock/trading-reminder-detail.js", "Resources/code/ui/singlestock/trading-reminder.js", "Resources/code/ui/user-center/favorites.js", "Resources/code/ui/user-center/index.js", "Resources/code/ui/user-center/subscriptions.js", "Resources/code/ui/strategy/create.js", "Resources/code/ui/strategy/index.js", "Resources/code/ui/strategy/market.js", "Resources/code/ui/strategy/my-published.js", "Resources/code/ui/strategy/my-saved.js", "Resources/code/ui/strategy/report.js", "Resources/code/ui/strategy/search.js", "Resources/code/ui/strategy/share-reward-record.js", "Resources/code/ui/strategy/subscribe.js", "Resources/code/ui/strategy/trading-records.js", "Resources/code/ui/strategy/trading-reminder.js", "Resources/code/ui/utils-ui/choose-image.js", "Resources/code/ui/utils-ui/delay-price-intro.js", "Resources/code/ui/utils-ui/follow-recommend.js", "Resources/code/ui/utils-ui/fullscreen-chart.js", "Resources/code/ui/utils-ui/preview-image.js", "Resources/code/ui/utils-ui/subscription-period-intro.js", "Resources/code/ui/utils-ui/weixin-notification.js", "Resources/code/ui/utils-ui/weixin-qrcode-login.js", "Resources/code/ui/web/index.js", "Resources/code/ui/whitehorse/index.js", "Resources/code/ui/whitehorse/strategy.js", "Resources/code/ui/whitehorse/subscription.js", "Resources/code/modules/stockchart/main.js", "Resources/code/modules/storekit/ios-purchase-ui.js", "Resources/code/modules/storekit/iosPurchaseUtil.js", "Resources/code/modules/storekit/order.js", "Resources/code/modules/storekit/storekit.js", "Resources/code/modules/storekit/storekitWrapper.js", "Resources/code/modules/tdx/tdx_error.js", "Resources/code/modules/tdx/tdx_grammar.js", "Resources/code/modules/tdx/tdx_main.js", "Resources/code/modules/tdx/tdx_parser.js", "Resources/_app_props_.json", "Resources/_env_.json",
    "Resources/code/modules/tdx/tdx_semantic.js", "Resources/code/modules/tdx/tdx_types.js", "Resources/code/modules/tdx/tdx_word.js", "Resources/code/modules/tdx-plugin/main.js", "Resources/code/modules/tdx-plugin/tdx-functions.js", "Resources/code/modules/ths-encoder/index.js", "Resources/code/modules/ths-encoder/readme.js", "Resources/code/views/account/views.js", "Resources/code/views/charts/pie-chart.js", "Resources/code/views/coupon/views.js", "Resources/code/views/data-center/views-list.js", "Resources/code/views/formula/views-list.js", "Resources/code/views/formula/views.js", "Resources/code/views/fund/views-list.js", "Resources/code/views/fund/views.js", "Resources/code/views/home/views.js", "Resources/code/views/indicator/views-list.js", "Resources/code/views/indicator/views.js", "Resources/code/views/ios-style-notification/views.js", "Resources/code/views/message/views.js", "Resources/code/views/picker/views.js", "Resources/code/views/portfolio/views-list.js", "Resources/code/views/portfolio/views.js", "Resources/code/views/selector/views-list.js", "Resources/code/views/selector/views.js", "Resources/code/views/share/views.js", "Resources/code/views/singlestock/views-list.js", "Resources/code/views/singlestock/views-t0.js", "Resources/code/views/singlestock/views.js", "Resources/code/views/strategy/views.js", "Resources/code/views/user-center/views-list.js", "Resources/code/views/whitehorse/views.js", "Resources/code/strategy-designer/controllers/button-style/main.js", "Resources/code/strategy-designer/models/indicators/indicator-filter.js", "Resources/code/strategy-designer/models/indicators/indicator-group-template.js", "Resources/code/strategy-designer/models/indicators/indicator-groups-template.js", "Resources/code/strategy-designer/models/indicators/indicator-template.js", "Resources/code/strategy-designer/models/indicators/main.js", "Resources/code/strategy-designer/models/indicators/network-cache.js",
    "Resources/code/strategy-designer/models/indicators/params-setting.js", "Resources/code/ui/article/widgets/formula.js", "Resources/code/ui/article/widgets/strategy.js", "Resources/code/ui/article/widgets/views.js", "Resources/code/ui/coupon/services/main.js", "Resources/code/ui/fund/service/main.js", "Resources/code/ui/indicator/develop/create.js", "Resources/code/ui/indicator/develop/indicator-params.js", "Resources/code/ui/indicator/develop/published-private-indicator.js", "Resources/code/ui/indicator/develop/saved-indicator.js", "Resources/code/ui/indicator/develop/settings-update.js", "Resources/code/ui/indicator/develop/settings.js", "Resources/code/ui/indicator/develop/test-indicator.js", "Resources/code/ui/indicator/service/api.js", "Resources/code/ui/indicator/service/main.js", "Resources/code/ui/indicator/service/utils.js", "Resources/code/ui/message-center/services/main.js", "Resources/code/ui/moments/properties/funds.js", "Resources/code/ui/moments/properties/indicators.js", "Resources/code/ui/moments/properties/strategies.js", "Resources/code/ui/moments/services/blacklist.js", "Resources/code/ui/moments/services/main.js", "Resources/code/ui/moments/services/path.js", "Resources/code/ui/screener/develop/button-style.js", "Resources/code/ui/screener/develop/save-strategy.js", "Resources/code/ui/screener/develop/text-style.js", "Resources/code/ui/screener/service/api.js", "Resources/code/ui/screener/service/main.js", "Resources/code/ui/screener/service/utils.js", "Resources/code/ui/singlestock/develop/backtest-time.js", "Resources/code/ui/singlestock/develop/button-style.js", "Resources/code/ui/singlestock/develop/load-template.js", "Resources/code/ui/singlestock/develop/publish-strategy.js", "Resources/code/ui/singlestock/develop/report.js", "Resources/code/ui/singlestock/develop/save-strategy.js", "Resources/code/ui/singlestock/develop/saveas-template.js", "Resources/code/ui/singlestock/develop/settings-update.js",
    "Resources/code/ui/singlestock/develop/settings.js", "Resources/code/ui/singlestock/develop/text-style.js", "Resources/code/ui/singlestock/service/main.js", "Resources/code/ui/singlestock/service/utils.js", "Resources/code/ui/singlestock/t0-course/index.js", "Resources/code/ui/strategy/develop/backtest-time.js", "Resources/code/ui/strategy/develop/button-style.js", "Resources/code/ui/strategy/develop/publish-strategy.js", "Resources/code/ui/strategy/develop/report.js", "Resources/code/ui/strategy/develop/rule-statistics.js", "Resources/code/ui/strategy/develop/save-strategy.js", "Resources/code/ui/strategy/develop/settings-update.js", "Resources/code/ui/strategy/develop/settings.js", "Resources/code/ui/strategy/develop/stockpool.js", "Resources/code/ui/strategy/develop/text-style.js", "Resources/code/ui/strategy/service/api.js", "Resources/code/ui/strategy/service/main.js", "Resources/code/ui/strategy/service/utils.js", "Resources/code/ui/web/services/article.js", "Resources/code/ui/web/services/quant.js", "Resources/code/views/picker/android-picker/picker.js", "Resources/code/strategy-designer/controllers/button-style/rows/checkbox-controller.js", "Resources/code/strategy-designer/controllers/button-style/rows/common-controller.js", "Resources/code/strategy-designer/controllers/button-style/rows/indicator-controller.js", "Resources/code/strategy-designer/controllers/button-style/rows/list-controller.js", "Resources/code/strategy-designer/controllers/button-style/rows/main.js", "Resources/code/strategy-designer/controllers/button-style/rows/switch-controller.js", "Resources/code/strategy-designer/controllers/button-style/rows/textarea-controller.js", "Resources/code/strategy-designer/controllers/button-style/rows/textfield-controller.js", "Resources/code/strategy-designer/controllers/button-style/sections/common-controller.js", "Resources/code/strategy-designer/controllers/button-style/sections/indicator-controller.js",
    "Resources/code/strategy-designer/controllers/button-style/sections/list-controller.js", "Resources/code/strategy-designer/controllers/button-style/sections/main.js", "Resources/code/strategy-designer/models/indicators/intraday-indicators/groups.js", "Resources/code/strategy-designer/models/indicators/intraday-indicators/indicators.js", "Resources/code/strategy-designer/models/indicators/intraday-indicators/intraday-indicator-template.js", "Resources/code/strategy-designer/models/indicators/intraday-indicators/main.js", "Resources/code/strategy-designer/models/indicators/system-indicators/boll.js", "Resources/code/strategy-designer/models/indicators/system-indicators/break.js", "Resources/code/strategy-designer/models/indicators/system-indicators/ema.js", "Resources/code/strategy-designer/models/indicators/system-indicators/kdj.js", "Resources/code/strategy-designer/models/indicators/system-indicators/ma.js", "Resources/code/strategy-designer/models/indicators/system-indicators/macd.js", "Resources/code/strategy-designer/models/indicators/system-indicators/main.js", "Resources/code/strategy-designer/models/indicators/system-indicators/others.js", "Resources/code/strategy-designer/models/indicators/system-indicators/volatility.js", "Resources/code/strategy-designer/models/indicators/system-indicators/volume.js", "Resources/code/strategy-designer/models/indicators/user-indicators/controlled-indicators.js", "Resources/code/strategy-designer/models/indicators/user-indicators/main.js", "Resources/code/strategy-designer/models/indicators/user-indicators/published-indicators.js", "Resources/code/strategy-designer/models/indicators/user-indicators/user-indicators-template.js", "Resources/code/strategy-designer/views/button-style/rows/checkbox-row.js", "Resources/code/strategy-designer/views/button-style/rows/common-row.js", "Resources/code/strategy-designer/views/button-style/rows/editable-row.js", "Resources/code/strategy-designer/views/button-style/rows/list-row.js",
    "Resources/code/strategy-designer/views/button-style/rows/row.js", "Resources/code/strategy-designer/views/button-style/rows/switch-row.js", "Resources/code/strategy-designer/views/button-style/rows/textarea-row.js", "Resources/code/strategy-designer/views/button-style/rows/textfield-row.js", "Resources/code/strategy-designer/views/button-style/sections/common-section.js", "Resources/code/strategy-designer/views/button-style/sections/editable-section.js", "Resources/code/strategy-designer/views/button-style/sections/list-section.js", "Resources/code/strategy-designer/views/button-style/sections/section.js", "Resources/code/strategy-designer/views/text-style/rows/card-row.js", "Resources/code/strategy-designer/views/text-style/rows/common-row.js", "Resources/code/strategy-designer/views/text-style/sections/common-section.js", "Resources/code/ui/screener/develop/config-files/messager.js", "Resources/code/ui/screener/develop/config-files/screener-config.js", "Resources/code/ui/singlestock/develop/config-files/messager.js", "Resources/code/ui/singlestock/develop/config-files/strategy-design-config.js", "Resources/code/ui/singlestock/develop/config-files/t0-strategy-design-config.js", "Resources/code/ui/singlestock/develop/t0/button-style.js", "Resources/code/ui/singlestock/develop/t0/choose-symbols.js", "Resources/code/ui/singlestock/develop/t0/formula-edit.js", "Resources/code/ui/singlestock/develop/t0/text-style.js", "Resources/code/ui/singlestock/service/data/singlestock.js", "Resources/code/ui/singlestock/service/data/t0.js", "Resources/code/ui/singlestock/t0-course/views/views.js", "Resources/code/ui/strategy/develop/config-files/market-round-rule-config.js", "Resources/code/ui/strategy/develop/config-files/market-signal-rule-config.js", "Resources/code/ui/strategy/develop/config-files/market-smallcap-rule-config.js", "Resources/code/ui/strategy/develop/config-files/messager.js", "Resources/ti.internal/bootstrap.json"]

# Recreate the asset's directory structure locally and dump each file
for jspath in fileList:
    tmp = jspath.split("/")
    path = "/".join(tmp[:-1])
    if not os.path.exists(path):
        os.makedirs(path)
    js = readJsFile(jspath)
    _saveFile(jspath, js)
```
Only after reading out all the Asset files did I realize this is a Titanium SDK app [Write in JavaScript. Run native everywhere.]
Its purpose: build fully native cross-platform mobile applications with JavaScript.
The directory structure is shown below:
Analyzing the extracted JS files revealed the decryption logic:
Core decryption algorithm:
```javascript
// key is a single byte: the hardcoded private key times the per-response
// header value, reduced mod 256
key = networkEncryption.encryptionPrivateKey * publicEncryptionKey % 256

// XOR every byte of the response body with that one-byte key
function decryptBlob(blob, key) {
    for (var arrayBuffer = blob.toArrayBuffer(), uint8Array = new Uint8Array(arrayBuffer), length = uint8Array.length, i = 0; i < length; ++i)
        uint8Array[i] ^= key;
    return uint8Array;
}
```
encryptionPrivateKey is hardcoded in the JS file, and publicEncryptionKey comes from the value of the x-data-binary field in the Response header. The so-called decryption is simply XORing the hex byte stream of the Response body with key.
Confirm in 010 Editor that the recovered decryption algorithm is correct.
Write a Python script to decrypt:
```python
import requests

# Disable SSL warnings
try:
    import requests.packages.urllib3
    requests.packages.urllib3.disable_warnings()
except Exception:
    pass


def decrypt(url):
    req = requests.get(url=url)
    # publicEncryptionKey is sent in the x-data-binary response header;
    # 10641 is the encryptionPrivateKey hardcoded in the app's JS
    encryptionHeaderKey = req.headers['x-data-binary']
    key = 10641 * int(encryptionHeaderKey) % 256
    response = req.content
    # XOR every byte of the body with the single-byte key
    tmp = bytes(b ^ key for b in response)
    res = tmp.decode()
    print(res)
    return res


if __name__ == "__main__":
    url = "http://x.x.x.x/v1/articles/articles.json?app=quant&client=Android%20Pixel%204&version=3.2.2.403&_host_=quant.fattail.cn&category=rec&page=1&pagesize=3"
    decrypt(url)
```
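As an added example (not code from the original post or from the app), the XOR scheme described above rebuilt in Python, together with a check of how little it actually protects: with an 8-bit key, a known first plaintext byte or a 256-key brute force recovers the body without the header or the private key, and the same plaintext still looks different on every request only because the header value changes. The private key 10641 is the constant used in the decrypt() script above; the header values and the JSON body are constructed.

```python
"""Added example (not from the original post or the app): the XOR scheme
described above, rebuilt in Python, plus checks of how little it protects.
Constructed for this example: the header values and the JSON body. The
private key 10641 is the constant used in the decrypt() script above."""
import json
from typing import Iterable, List, Tuple

PRIVATE_KEY = 10641  # encryptionPrivateKey as used in the decrypt() script above


def derive_key(private_key: int, header_value: int) -> int:
    """key = encryptionPrivateKey * publicEncryptionKey % 256: a single byte."""
    return (private_key * header_value) % 256


def xor_bytes(data: bytes, key: int) -> bytes:
    """Same operation as the app's decryptBlob: XOR every byte with one key byte.
    Encrypting and decrypting are identical."""
    return bytes(b ^ key for b in data)


def server_encrypt(body: bytes, header_value: int) -> Tuple[int, bytes]:
    """Model of the server side: send the header value (x-data-binary) in
    clear and XOR the body with the key derived from it."""
    return header_value, xor_bytes(body, derive_key(PRIVATE_KEY, header_value))


def recover_key_known_plaintext(ciphertext: bytes, known_first: int = ord("{")) -> int:
    """A JSON body starts with '{', so one XOR of the first ciphertext byte
    yields the key: neither the header nor the private key is needed."""
    return ciphertext[0] ^ known_first


def brute_force_json(ciphertext: bytes) -> List[Tuple[int, bytes]]:
    """The key space is 2**8. Try every key and keep those that decode to
    valid JSON; for a realistic body only the true key survives."""
    hits = []
    for key in range(256):
        candidate = xor_bytes(ciphertext, key)
        try:
            json.loads(candidate.decode("utf-8"))
        except (UnicodeDecodeError, ValueError):
            continue
        hits.append((key, candidate))
    return hits


def distinct_ciphertexts(body: bytes, header_values: Iterable[int]) -> int:
    """The same body under different header values gives different bytes,
    which is why repeated calls to one endpoint 'look different every time'.
    A header value divisible by 256 gives key 0, i.e. the body goes in clear."""
    return len({server_encrypt(body, h)[1] for h in header_values})


if __name__ == "__main__":
    body = b'{"code":0,"data":{"name":"demo","price":12.5}}'  # constructed
    header, ct = server_encrypt(body, 3)
    print("key from header:", derive_key(PRIVATE_KEY, header))
    print("key from first byte:", recover_key_known_plaintext(ct))
    print("brute-force hits:", [k for k, _ in brute_force_json(ct)])
```

The point for anyone designing such a scheme: the header value is sent in clear and the private key ships in the app, so this is obfuscation, not confidentiality; TLS with certificate pinning is what protects the body in transit.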
With that, the analysis of decrypting this app's packets is complete.
Finally, a summary of the skills needed and the problems encountered:
1. Using tools to detect and remove packers
2. Decompiling the apk and Ctrl + F for common keywords
3. Simple Frida hooks
4. A bit of JS analysis ability
The keyword Titanium appeared all over the decompiled code, but at the time I did not realize it was an open-source JS packaging SDK, so I went round in circles and took many detours. If anything here is wrong, corrections from the experts are welcome.