Android逆向之路---Faceu的登陸功能真的只提交了用戶名和密碼嗎

時間  2019-11-17
標籤 android 逆向 之路 faceu 登陸 功能 提交 用戶名 密碼 欄目 Android 简体版
原文   原文鏈接

問題

幾乎99%的軟件都有登陸功能,而登陸這一個動做真的將咱們的用戶名和密碼上傳到了服務器嗎,會不會有我的隱私呢。根據咱們這個問題,咱們用FaceU這個軟件,逆向來看看他的登陸功能到底都傳了什麼數據。php

準備工做

首先下載faceu的APK,具體下載地址你們能夠去各大應用市場,我下載的版本是v2.2.6。java

須要的工具

  • apktool (拆包APK用)
  • dex2jar (反編譯dex文件用)

須要的工具下載地址:github.com/hanhan12312…android

拆包

首先,咱們利用apktool拆包apk,執行命令git

apktool d faceu.apk
複製代碼

這樣在當前文件夾就獲得了一個faceu的文件夾。程序員

定位代碼

咱們打開Faceu軟件,點擊下面的已有帳號在此登陸,而後彈出來登陸界面,如圖所示

咱們利用字符串搜索法,這個頁面的註冊的EditText的hint字爲"Faceu號/手機號",咱們搜索res文件夾內全部文件的內容,搜索此關鍵字找到兩處,位置都在res/values/strings.xml文件內github

strings.xmlshell

<string name="str_account_hint">Faceu號 / 手機號</string>
<string name="str_search_user">Faceu號/手機號</string>

複製代碼

根據name咱們也能知道,account_hint是帳號的輸入框,而另外一個是用於搜索的。 咱們知道一個佈局文件確定有用到過這個值。因此咱們在工程內搜索"str_account_hint",但是結果卻發現只有兩處引用到,如圖
json

這裏寫圖片描述
看來faceu的程序員們是沒有在佈局中引用,那就有可能在java代碼內引用到,那就去看看"str_account_hint"在代碼對應的值是多少。
緊接着咱們順着str_account_hint這個名字在res/values/public.xml文件內搜索"str_account_hint",public.xml是在編譯期間生成的文字對應編譯後資源的id。
public.xml 

<public type="string" name="str_account_hint" id="0x7f070047" />
複製代碼

由此咱們能夠看出在java代碼內對應的是0x7f070047。所以咱們再次在代碼裏面搜索0x7f070047試試。 找到了引用到這個常量的地方。api

在文件com/lemon/faceu/login/b內bash

 const v2, 0x7f070047

    invoke-virtual {v1, v2}, Landroid/content/res/Resources;->getString(I)Ljava/lang/String;

    move-result-object v1

    invoke-virtual {v0, v1}, Lcom/lemon/faceu/uimodule/view/AccountEditText->setHintText(Ljava/lang/String;)V

複製代碼

熟悉smali語法的話,咱們可以讀懂,這個翻譯成Java代碼其實就是

String v1 = context.getString(0x7f070047);
    editText.setHintText(v1);
複製代碼

目的是找到到這個字符串。

到此爲止咱們分析一下當前的類是個什麼類,是個Activity?Fragment?仍是自定義View。

咱們找到當前頁面網上翻幾行,看看還有沒有用到什麼別的資源id,找到了以下代碼

 const v0, 0x7f0e026e

    invoke-virtual {p1, v0}, Landroid/view/View;->findViewById(I)Landroid/view/View;

    move-result-object v0

    check-cast v0, Lcom/lemon/faceu/uimodule/view/PasswordEditText;

    iput-object v0, p0, Lcom/lemon/faceu/login/b;->bpP:Lcom/lemon/faceu/uimodule/view/PasswordEditText;


複製代碼

很明顯,這個憑藉PasswordEditText名稱咱們也能發現他就是密碼輸入的EditText
翻譯成java代碼

PasswordEditText v0 = (PasswordEditText)this.findViewById(0x7f0e026e);
    this.bpP = v0;
複製代碼

根據這一句話咱們在public.xml裏面找到對應的xml

<public type="id" name="cet_login_password" id="0x7f0e026e" />
複製代碼

而後咱們再看看有沒有佈局文件引用到了cet_login_password,因而找到了4處

cet_login_password

咱們進入fragment_login.xml發現他只有登陸頁面的上半部分。卻沒有下面的取消和確認按鈕。能夠猜想他並非Activity,Fragment,由於沒有標誌性的onCreate方法,父類最終也沒有找到Activity,Fragment等。極可能是一個負責處理業務的類。

可是咱們知道了當前的成員變量bpP就是對應的密碼的EditText了,那麼看看都哪裏調用這個bpP了。
經過對當前類分析,我最終找到了Lu方法裏面對應到了登陸按鈕的。

逆向登陸代碼,查看傳遞參數

通過一番努力總算找到了登陸界面,登陸代碼,如今咱們進行分析,而且加入一段咱們本身的代碼,進行二次打包。
下面是分析詳解

Lcom/lemon/faceu/login/b;

 .method Lu()V
 .locals 4

 .prologue
 .line 216
    invoke-virtual {p0}, Lcom/lemon/faceu/login/b;->Ls()Z
    #檢測用戶名是否合法

    move-result v0
    #若是不合法就返回

    if-eqz v0, :cond_0

    invoke-virtual {p0}, Lcom/lemon/faceu/login/b;->Lt()Z
    #檢測密碼是否合法

    move-result v0
    #若是不合法就返回

    if-nez v0, :cond_1

 .line 241
    :cond_0
    :goto_0
    return-void 
 .line 220
    :cond_1
    invoke-virtual {p0}, Lcom/lemon/faceu/login/b;->Uv()V

 .line 222
    const-string v0, "LoginFragment"

    const-string v1, "startLogin"

    invoke-static {v0, v1}, Lcom/lemon/faceu/sdk/utils/c;->i(Ljava/lang/String;Ljava/lang/String;)V
    #調用Faceu本身的統計打點方法

 .line 223
    iget-object v0, p0, Lcom/lemon/faceu/login/b;->bpO:Lcom/lemon/faceu/uimodule/view/AccountEditText;

    invoke-virtual {v0}, Lcom/lemon/faceu/uimodule/view/AccountEditText;->getAccount()Ljava/lang/String;

    move-result-object v0
    #調用AccountEditText的getAccount方法,並將用戶戶名存入v0 

    iput-object v0, p0, Lcom/lemon/faceu/login/b;->aAS:Ljava/lang/String;
    #將aAs賦值爲用戶名

 .line 224
    iget-object v0, p0, Lcom/lemon/faceu/login/b;->bpP:Lcom/lemon/faceu/uimodule/view/PasswordEditText;

    invoke-virtual {v0}, Lcom/lemon/faceu/uimodule/view/PasswordEditText;->getEditText()Landroid/widget/EditText;

    move-result-object v0

    invoke-virtual {v0}, Landroid/widget/EditText;->getText()Landroid/text/Editable;

    move-result-object v0

    invoke-virtual {v0}, Ljava/lang/Object;->toString()Ljava/lang/String;

    move-result-object v0
    #將密碼從bpP取出來,並取出String類型的密碼複製給v0

 .line 227
    invoke-static {}, Lcom/lemon/faceu/common/e/a;->xJ()Lcom/lemon/faceu/common/e/a;

    move-result-object v1

    iget-object v2, p0, Lcom/lemon/faceu/login/b;->aAS:Ljava/lang/String;

    invoke-virtual {v1, v2}, Lcom/lemon/faceu/common/e/a;->setAccount(Ljava/lang/String;)V
    #將如今的用戶名存入sharedprefence,以便於記住用戶名下次直接顯示

 .line 229
    new-instance v1, Ljava/util/HashMap;
    #new一個HashMap存儲進v1

    invoke-direct {v1}, Ljava/util/HashMap;-><init>()V
    #初始化v1

 .line 230
    const-string v2, "account"

    iget-object v3, p0, Lcom/lemon/faceu/login/b;->aAS:Ljava/lang/String;

    invoke-interface {v1, v2, v3}, Ljava/util/Map;->put(Ljava/lang/Object;Ljava/lang/Object;)Ljava/lang/Object;
    #將用戶名存入HashMap


 .line 231
    const-string v2, "pwd"

    invoke-static {v0}, Lcom/lemon/faceu/common/i/g;->bS(Ljava/lang/String;)Ljava/lang/String;

    move-result-object v0

    invoke-interface {v1, v2, v0}, Ljava/util/Map;->put(Ljava/lang/Object;Ljava/lang/Object;)Ljava/lang/Object;
    #將密碼調用bS方法加密而且存入map

 .line 232
    const-string v0, "councode"

    const-string v2, "86"

    invoke-interface {v1, v0, v2}, Ljava/util/Map;->put(Ljava/lang/Object;Ljava/lang/Object;)Ljava/lang/Object;
    #國家編號86,存入map

 .line 233
    const-string v0, "manufacture"

    sget-object v2, Landroid/os/Build;->MANUFACTURER:Ljava/lang/String;

    invoke-interface {v1, v0, v2}, Ljava/util/Map;->put(Ljava/lang/Object;Ljava/lang/Object;)Ljava/lang/Object;
    #將廠商信息存入map

 .line 234
    const-string v0, "model"

    sget-object v2, Landroid/os/Build;->MODEL:Ljava/lang/String;

    invoke-interface {v1, v0, v2}, Ljava/util/Map;->put(Ljava/lang/Object;Ljava/lang/Object;)Ljava/lang/Object;
    #將model信息存入map

 .line 235
    const-string v0, "version"

    sget v2, Lcom/lemon/faceu/common/d/b;->aAL:I

    invoke-static {v2}, Ljava/lang/String;->valueOf(I)Ljava/lang/String;

    move-result-object v2

    invoke-interface {v1, v0, v2}, Ljava/util/Map;->put(Ljava/lang/Object;Ljava/lang/Object;)Ljava/lang/Object;
    #將軟件版本信息存入map

 .line 236
    const-string v0, "deviceinfo"

    invoke-static {}, Lcom/lemon/faceu/common/b/a;->xt()Lorg/json/JSONObject;

    move-result-object v2
    #將調用com.lemon.faceu.common.b.a->xt()方法,取回JsonObject而且賦值給v2

    invoke-interface {v1, v0, v2}, Ljava/util/Map;->put(Ljava/lang/Object;Ljava/lang/Object;)Ljava/lang/Object;
    #將JSONObject存入map

 .line 238
    new-instance v0, Lcom/lemon/faceu/common/t/a;

    sget-object v2, Lcom/lemon/faceu/common/d/a;->azO:Ljava/lang/String;

    invoke-static {}, Landroid/os/Looper;->getMainLooper()Landroid/os/Looper;

    move-result-object v3

    invoke-direct {v0, v2, v1, v3}, Lcom/lemon/faceu/common/t/a;-><init>(Ljava/lang/String;Ljava/util/Map;Landroid/os/Looper;)V

 .line 239
    iget-object v1, p0, Lcom/lemon/faceu/login/b;->aKe:Lcom/lemon/faceu/common/t/a$a;

    invoke-virtual {v0, v1}, Lcom/lemon/faceu/common/t/a;->a(Lcom/lemon/faceu/common/t/a$a;)V

 .line 240
    const-string v1, "login"

    invoke-static {v0, v1}, Lcom/lemon/faceu/sdk/i/b;->a(Ljava/lang/Runnable;Ljava/lang/String;)V

    goto :goto_0 .end method  

#此方法主要校驗用戶名是否合法,錯誤的話輸出錯誤信息,返回值爲boolean
.method Ls()Z   
 .locals 5

 .prologue
    const/4 v1, 0x0 
    #使v0寄存器爲0
 .line 177
    iget-object v0, p0, Lcom/lemon/faceu/login/b;->bpO:Lcom/lemon/faceu/uimodule/view/AccountEditText;
    #將成員變量bpO賦值給v0,此時v0就是用戶名

    invoke-virtual {v0}, Lcom/lemon/faceu/uimodule/view/AccountEditText;->getAccount()Ljava/lang/String;
    

    move-result-object v2
    #調用AccountEditText的getAccount方法,並將返回值存入v2

 .line 178
    invoke-virtual {v2}, Ljava/lang/String;->length()I
    #取出用戶名長度

    move-result v0
    #v0 = 用戶名長度

    if-lez v0, :cond_0

    invoke-virtual {v2, v1}, Ljava/lang/String;->charAt(I)C

    move-result v0

    invoke-static {v0}, Ljava/lang/Character;->isDigit(C)Z

    move-result v0

    if-eqz v0, :cond_0

 .line 180
    invoke-static {v2}, Lcom/lemon/faceu/common/u/t;->dz(Ljava/lang/String;)Z

    move-result v0

    if-nez v0, :cond_4

 .line 181
    iget-object v0, p0, Lcom/lemon/faceu/login/b;->bpO:Lcom/lemon/faceu/uimodule/view/AccountEditText;

    const v2, 0x7f0700ae

    invoke-virtual {p0, v2}, Lcom/lemon/faceu/login/b;->getString(I)Ljava/lang/String;

    move-result-object v2

    invoke-virtual {v0, v2}, Lcom/lemon/faceu/uimodule/view/AccountEditText;->setTips(Ljava/lang/String;)V

 .line 202
    :goto_0
    return v1

 .line 185
    :cond_0
    invoke-virtual {v2}, Ljava/lang/String;->length()I

    move-result v0

    const/16 v3, 0x14

    if-le v0, v3, :cond_1

 .line 186
    iget-object v0, p0, Lcom/lemon/faceu/login/b;->bpO:Lcom/lemon/faceu/uimodule/view/AccountEditText;

    const v2, 0x7f070087

    invoke-virtual {p0, v2}, Lcom/lemon/faceu/login/b;->getString(I)Ljava/lang/String;

    move-result-object v2

    invoke-virtual {v0, v2}, Lcom/lemon/faceu/uimodule/view/AccountEditText;->setTips(Ljava/lang/String;)V

    goto :goto_0

 .line 188
    :cond_1
    invoke-virtual {v2}, Ljava/lang/String;->length()I

    move-result v0

    if-lez v0, :cond_2

    invoke-virtual {v2, v1}, Ljava/lang/String;->charAt(I)C

    move-result v0

    invoke-static {v0}, Lcom/lemon/faceu/sdk/utils/h;->u(C)Z

    move-result v0

    if-nez v0, :cond_2

 .line 189
    iget-object v0, p0, Lcom/lemon/faceu/login/b;->bpO:Lcom/lemon/faceu/uimodule/view/AccountEditText;

    const v2, 0x7f070086

    invoke-virtual {p0, v2}, Lcom/lemon/faceu/login/b;->getString(I)Ljava/lang/String;

    move-result-object v2

    invoke-virtual {v0, v2}, Lcom/lemon/faceu/uimodule/view/AccountEditText;->setTips(Ljava/lang/String;)V

    goto :goto_0

    :cond_2
    move v0, v1

 .line 192
    :goto_1
    invoke-virtual {v2}, Ljava/lang/String;->length()I

    move-result v3

    if-ge v0, v3, :cond_4

 .line 193
    invoke-virtual {v2, v0}, Ljava/lang/String;->charAt(I)C

    move-result v3

 .line 194
    const/16 v4, 0x5f

    if-eq v3, v4, :cond_3

    invoke-static {v3}, Ljava/lang/Character;->isDigit(C)Z

    move-result v4

    if-nez v4, :cond_3

    invoke-static {v3}, Lcom/lemon/faceu/sdk/utils/h;->u(C)Z

    move-result v3

    if-nez v3, :cond_3

 .line 195
    iget-object v0, p0, Lcom/lemon/faceu/login/b;->bpO:Lcom/lemon/faceu/uimodule/view/AccountEditText;

    const v2, 0x7f070085

    invoke-virtual {p0, v2}, Lcom/lemon/faceu/login/b;->getString(I)Ljava/lang/String;

    move-result-object v2

    invoke-virtual {v0, v2}, Lcom/lemon/faceu/uimodule/view/AccountEditText;->setTips(Ljava/lang/String;)V

    goto :goto_0

 .line 192
    :cond_3
    add-int/lit8 v0, v0, 0x1

    goto :goto_1

 .line 202
    :cond_4
    const/4 v1, 0x1

    goto :goto_0 .end method
#此方法主要校驗密碼是否合法,錯誤的話輸出錯誤信息,作一些動畫之類,正確返回true
.method Lt()Z
 .locals 2

 .prologue
 .line 206
    iget-object v0, p0, Lcom/lemon/faceu/login/b;->bpP:Lcom/lemon/faceu/uimodule/view/PasswordEditText;

    invoke-virtual {v0}, Lcom/lemon/faceu/uimodule/view/PasswordEditText;->getEditText()Landroid/widget/EditText;

    move-result-object v0

    invoke-virtual {v0}, Landroid/widget/EditText;->getText()Landroid/text/Editable;

    move-result-object v0

    invoke-virtual {v0}, Ljava/lang/Object;->toString()Ljava/lang/String;

    move-result-object v0

    invoke-virtual {v0}, Ljava/lang/String;->length()I

    move-result v0

 .line 207
    const/4 v1, 0x6

    if-lt v0, v1, :cond_0

    const/16 v1, 0x10

    if-le v0, v1, :cond_1

 .line 208
    :cond_0
    iget-object v0, p0, Lcom/lemon/faceu/login/b;->bpP:Lcom/lemon/faceu/uimodule/view/PasswordEditText;

    const v1, 0x7f0700b5

    invoke-virtual {p0, v1}, Lcom/lemon/faceu/login/b;->getString(I)Ljava/lang/String;

    move-result-object v1

    invoke-virtual {v0, v1}, Lcom/lemon/faceu/uimodule/view/PasswordEditText;->setTips(Ljava/lang/String;)V

 .line 209
    const/4 v0, 0x0

 .line 211
    :goto_0
    return v0

    :cond_1
    const/4 v0, 0x1

    goto :goto_0 .end method

複製代碼

咱們主要看Lu方法裏面的如下幾行,他調用了com.lemon.faceu.common.b.a->xt()方法,這個主要是用於竊取咱們的手機型號,系統,廠商等信息,咱們進入方法看看

 const-string v0, "deviceinfo"

    invoke-static {}, Lcom/lemon/faceu/common/b/a;->xt()Lorg/json/JSONObject;

    move-result-object v2
    #將調用com.lemon.faceu.common.b.a->xt()方法,取回JsonObject而且賦值給v2

複製代碼

咱們進入方法看看

.method public static xt()Lorg/json/JSONObject;
 .locals 5

 .prologue
 .line 34
    new-instance v1, Lorg/json/JSONObject;

    invoke-direct {v1}, Lorg/json/JSONObject;-><init>()V

 .line 36
    :try_start_0
    const-string v0, "cpu"

    invoke-static {}, Lcom/lemon/faceu/common/b/a;->xv()Ljava/lang/String;

    move-result-object v2

    invoke-virtual {v1, v0, v2}, Lorg/json/JSONObject;->put(Ljava/lang/String;Ljava/lang/Object;)Lorg/json/JSONObject;
    #取出你的cpu信息放入json

 .line 37
    const-string v0, "radio"

    invoke-static {}, Lcom/lemon/faceu/common/b/a;->xx()Ljava/lang/String;

    move-result-object v2

    invoke-virtual {v1, v0, v2}, Lorg/json/JSONObject;->put(Ljava/lang/String;Ljava/lang/Object;)Lorg/json/JSONObject;
    #機型的RADIO信息存入json

 .line 38
    const-string v0, "os_version"

    sget v2, Landroid/os/Build$VERSION;->SDK_INT:I

    invoke-virtual {v1, v0, v2}, Lorg/json/JSONObject;->put(Ljava/lang/String;I)Lorg/json/JSONObject;
    #取出你係統版本


 .line 39
    const-string v0, "imei"

    invoke-static {}, Lcom/lemon/faceu/common/e/a;->xJ()Lcom/lemon/faceu/common/e/a;

    move-result-object v2
    #取出IMEI號


    invoke-virtual {v2}, Lcom/lemon/faceu/common/e/a;->getContext()Landroid/content/Context;

    move-result-object v2

    invoke-static {v2}, Lcom/lemon/faceu/common/b/a;->bd(Landroid/content/Context;)Ljava/lang/String;

    move-result-object v2

    invoke-virtual {v1, v0, v2}, Lorg/json/JSONObject;->put(Ljava/lang/String;Ljava/lang/Object;)Lorg/json/JSONObject;

 .line 40
    const-string v0, "imsi"

    invoke-static {}, Lcom/lemon/faceu/common/b/a;->xy()Ljava/lang/String;

    move-result-object v2

    invoke-virtual {v1, v0, v2}, Lorg/json/JSONObject;->put(Ljava/lang/String;Ljava/lang/Object;)Lorg/json/JSONObject;

 .line 41
    const-string v0, "iccid"

    invoke-static {}, Lcom/lemon/faceu/common/b/a;->xz()Ljava/lang/String;

    move-result-object v2

    invoke-virtual {v1, v0, v2}, Lorg/json/JSONObject;->put(Ljava/lang/String;Ljava/lang/Object;)Lorg/json/JSONObject;

 .line 42
    const-string v0, "android_id"

    invoke-static {}, Lcom/lemon/faceu/common/b/a;->xw()Ljava/lang/String;

    move-result-object v2

    invoke-virtual {v1, v0, v2}, Lorg/json/JSONObject;->put(Ljava/lang/String;Ljava/lang/Object;)Lorg/json/JSONObject;

 .line 43
    const-string v0, "model"

    sget-object v2, Landroid/os/Build;->MODEL:Ljava/lang/String;

    invoke-virtual {v1, v0, v2}, Lorg/json/JSONObject;->put(Ljava/lang/String;Ljava/lang/Object;)Lorg/json/JSONObject;

 .line 44
    const-string v0, "core_count"

    invoke-static {}, Lcom/lemon/faceu/common/b/a;->xA()I

    move-result v2

    invoke-virtual {v1, v0, v2}, Lorg/json/JSONObject;->put(Ljava/lang/String;I)Lorg/json/JSONObject;

 .line 45
    const-string v0, "wifi"

    invoke-static {}, Lcom/lemon/faceu/common/b/a;->xu()Ljava/lang/String;

    move-result-object v2

    invoke-virtual {v1, v0, v2}, Lorg/json/JSONObject;->put(Ljava/lang/String;Ljava/lang/Object;)Lorg/json/JSONObject;
    :try_end_0
 .catch Lorg/json/JSONException; {:try_start_0 .. :try_end_0} :catch_0

 .line 49
    :goto_0
    return-object v1

 .line 46
    :catch_0
    move-exception v0

 .line 47
    const-string v2, "DeviceInfo"

    new-instance v3, Ljava/lang/StringBuilder;

    invoke-direct {v3}, Ljava/lang/StringBuilder;-><init>()V

    const-string v4, "jsonexception, "

    invoke-virtual {v3, v4}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v3

    invoke-virtual {v0}, Lorg/json/JSONException;->getMessage()Ljava/lang/String;

    move-result-object v0

    invoke-virtual {v3, v0}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v0

    invoke-virtual {v0}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;

    move-result-object v0

    invoke-static {v2, v0}, Lcom/lemon/faceu/sdk/utils/c;->e(Ljava/lang/String;Ljava/lang/String;)V

    goto :goto_0 .end method

複製代碼

咱們能看到他獲取了咱們的cpu,radio,os_version(系統版本),imei,MODEL,cpu_count,mac地址。 看了半天代碼,咱們加入一些咱們的代碼,讓程序本身把提交的信息打印出來吧。

 const-string v0, "MartinHan--map"
    invoke-virtual {v1}, Ljava/util/HashMap;->toString()Ljava/lang/String;
    move-result-object v3
    invoke-static {v0, v3}, Landroid/util/Log;->v(Ljava/lang/String;Ljava/lang/String;)I

    const-string v3, "MartinHan---url"
    invoke-static {v3, v2}, Landroid/util/Log;->v(Ljava/lang/String;Ljava/lang/String;)I
    
複製代碼

而後咱們執行代碼

apktool d faceu
cd faceu/disk
#簽名 生成文件明爲_signed.apk 
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore "MartinHan.jks" -signedjar "_signed.apk" "faceu.apk" "111111" << EOF
111111

adb install _signed.apk

複製代碼

這樣的流程走下來,咱們的二次打包apk就安裝到手機上啦,看看咱們輸入咱們賬號,點擊登陸。會打印出log信息。
以下所示

03-13 14:17:15.269 10240-10240/com.lemon.faceu V/MartinHan--map: {account=159xxxxxxxx, deviceinfo={"android_id":"62fjdhu42d070400","wifi":"08:33:61:cc:b9:fc","model":"HUAWEI G630-U00","imei":"81338398767854654","iccid":"","cpu":"ARMv7 Processor rev 3 (v7l) ","radio":"203040,203040","imsi":"","core_count":4,"os_version":18}, model=HUAWEI G630-U00, pwd=4d259481d57ffc1c6b4b68cd73dbd301, councode=86, manufacture=HUAWEI, version=270540806}

03-13 14:17:15.269 10240-10240/com.lemon.faceu V/MartinHan---url: https://api2.faceu.mobi/faceu/v3/login.php
複製代碼

如上訴代碼所示,咱們在faceu登陸一次,faceu會上傳咱們的不少我的信息
mac地址,手機型號,imei,cpu信息,radio,系統版本,國家代碼, 而且找到了faceu登陸的地址是https://api2.faceu.mobi/faceu/v3/login.php

以上就是個人全部思路,從問題開始,一直找代碼,最後動態的打log實如今https加密前就讓app本身吐出數據。

寫在最後

其實我想不只faceu,像是其餘的廠商也會收集咱們的我的信息,完成統計。而且經過大數據分析使用軟件的人羣,手機型號。
但願全部喜歡逆向的朋友們一塊兒探討,多多交流。

注:若有侵權,請聯繫我

關於我

我的博客:MartinHan的小站

博客網站:hanhan12312的專欄

知乎:MartinHan01

相關文章
相關標籤/搜索
每日一句
    每一个你不满意的现在,都有一个你没有努力的曾经。
本站公眾號
   歡迎關注本站公眾號,獲取更多信息
聯繫我們 最近搜索 最新文章 沪ICP备13005482号-10 MyBatis教程 SQL 教程 MySQL教程 Java 教程 Thymeleaf 教程 Hibernate教程 Spring教程 Redis教程