最近學習安卓逆向,接觸一下TB系的APP,瞭解大廠APP是作數據安全的,這篇文章主要介紹某寶直播APP的簽名參數x-sign的HOOK過程,固然,其餘的參數也是能夠HOOK的。本文只用於學習交流,請勿他用。android
1、環境工具
環境:windows 10windows
設備:雷電模擬器,google pixel安全
HOOK框架:Xposedcookie
插裝工具:Frida網絡
編譯器:android studioapp
反編譯工具:jadx框架
抓包工具:Charles工具
分析APP:某淘直播apk(com.***.live_1.8.6_50.apk)學習
2、流程步驟
1.抓包分析數據包,將App安裝到模擬器上,設置好模擬器上的VNP代理,打開Charles工具,在模擬器上進行操做,使App發起網絡請求,而後在Charles上查看抓取到的數據包。ui
2.使用查殼工具對APP進程檢測,查看APP是使用什麼加殼軟件進行的加殼的,若是有加殼,首選須要進行脫殼。固然大廠APP是不多進行加殼的。
3.使用jadx反編譯APP,獲取到相關的代碼,可是反編譯的代碼也不是所有正確的,這個須要注意一下。
4.依據抓包獲取到的關鍵信息,使用關鍵字段名,在jadx反編譯好的代碼中進行搜索,查找到能夠代碼。
5.編寫JS代碼,而後使用frida插裝到模擬器內存或者是手機內存進行探測。
6.找到關鍵代碼後,就須要藉助xposed hook出出關鍵字段,開發插件將服務接出來,供爬蟲代碼進行調用。
3、過程展現
1.抓包
GET /gw/mtop.***.livex.vcore.hot.ranking.list.query/2.0/?data=%7B%22focusId%22%3A%220%22%2C%22enterPage%22%3A%22hot_search%22%7D HTTP/1.1 x-m-biz-live-bizcode TAOBAO x-features 27 x-sgext JAHfTfKqFp8VS17V%2Fyrwrw%3D%3D user-agent MTOPSDK%2F3.1.1.7+%28Android%3B7.1.2%3Bsamsung%3BSM-G9750%29 x-ttid 10005533%40***live_android_1.8.6 cache-control no-cache a-orange-q appKey=25443018&appVersion=1.8.6&clientAppIndexVersion=1120200928112400415&clientVersionIndexVersion=0 x-appkey 25443018 x-region-channel CN x-mini-wua HHnB_yY%2BVTP4ONzYAS0JZCZH1kxay0eLuo3X2qtBIE5jr6lZvRAnJJ1G8cadrB8RwL24tN8%2Fh9ghtDlb6k5cAwiNaOKX0mD9%2BFADwgxmVeVcmxYJ8M7DGxIGdoBk2pTZYdROi x-c-traceid XzFAo6l4I0QDAEtkomuzYMMg1601521245154002312720 content-type application/x-www-form-urlencoded;charset=UTF-8 x-app-conf-v 0 x-app-ver 1.8.6 x-bx-version 6.4.17 x-pv 6.3 x-t 1601521245 f-refer mtop Cookie unb=2677236496; sn=; lgc=; cookie17=UU6m2Eeo2kZhAw%3D%3D; dnk=; munb=2677236496; cookie2=1da9677cd5d8067a25887efad5399035; tracknick=; ti=; sg=x6e; _l_g_=Ug%3D%3D; _nk_=minizqx; cookie1=U7HzARmj%2B0xuestjyOv43ck2AoCzwROfdIWJFcYSstg%3D; imewweoriw=3%2FxErrexaa2iG0nL9nQkVq6vWzZ2RYFXo60Fqs9r6Y0%3D; WAPFDFDTGFG=%2B4cMKKP%2B8PI%2BMesd%2Bk5vda3o; _w_tb_nick=minizqx; uc3=nk2=DlkyfSB%2Bjw%3D%3D&vt3=F8dCufBEpQar8u2TO3M%3D&id2=UU6m2Eeo2kZhAw%3D%3D&lg2=W5iHLLyFOGW7aA%3D%3D; uc1=existShop=false&cookie14=Uoe0bHJmGwo4lQ%3D%3D&cookie21=W5iHLLyFfX5Xzx7qNYvXUg%3D%3D&cookie15=V32FPkk%2Fw0dUvg%3D%3D; csg=2de8b6f3; t=305ec04f6cebe219662be638fa62aaf9; sgcookie=W100Cx89pixouHdsov7UuolWf0KF4SCZSW%2BghMbGvElGjMjGInUE8ule6s0vwKHP7bE2u%2FV4huIYCVL69Y4Nb609lp%2FZmI%2FnGoxACSa43mcyatM%3D; skt=2c65e2ca24dd1fde; uc4=nk4=0%40DDxxrcvliaXBeEHW%2FzgIyiWv&id4=0%40U2xrdV%2F5ZuJ17PCSrvw8g3giR4gj; _cc_=VT5L2FSpdA%3D%3D; _tb_token_=ed17ebbe55356; ockeqeudmj=mQRlQ%2FY%3D x-sid 1da9677cd5d8067a25887efad5399035 x-disastergrd x-utdid XzFAo6l4I0QDAEtkomuzYMMg x-umt duJLkp5LOjp9tjV04l0sWVWVGrYsNTP%2B x-devid At0LQnkeo_YpGZF88TSoTGUnqnqNWXm7ezbTK8JEkoHr x-sign azSdY1002xAAEKX7IpQqlaakQWgkgKXwpHpjVVSKm5h2mnFJOuQWX51LpqfoKidOysB%2BZ%2B1EviEW%2BmG09cHhh3fHdGCl0KXwpdCl8K x-uid 2677236496 Host acs.m.***.com Accept-Encoding gzip Connection Keep-Alive
2.查殼
我沒有進行脫殼,由於我在使用jadx-gui能看到代碼,若是看不到代碼,那可能就須要進行脫殼了。
3.反編譯
4.搜索關鍵字
5.插樁探測
[-->] result :K[x-mini-wua]-->V[HHnB_Ai0JzNjvjpyeSUtZj9lfxHyKwYN4U/I42Jr28lnGLg6QzMU54H22mQJZEjR5reJmg7dSfgV2tJSCFQR/DtiSyTdKpLKJPO8OXuo9Lapqe1cuwdLTn9bb8sjz+HbjQ0xT]
[-->] result :K[x-sgext]-->V[JAEPhzh63E/fm5QFNfo6fw==]
[-->] result :K[x-umt]-->V[duJLkp5LOjp9tjV04l0sWVWVGrYsNTP+]
[-->] result: {x-sign=azSdY1002xAAHrGTXJ0perBksC3AfrGesBR3O0Dkj/Zi9GUnLooCMYklssn8RDMg3q5qCfkqqk8ClHXa4a/16WOpYA6xjrGesY6xnr, wua=, x-mini-wua=HHnB_Ai0JzNjvjpyeSUtZj9lfxHyKwYN4U/I42Jr28lnGLg6QzMU54H22mQJZEjR5reJmg7dSfgV2tJSCFQR/DtiSyTdKpLKJPO8OXuo9Lapqe1cuwdLTn9bb8sjz+HbjQ0xT, x-sgext=JAEPhzh63E/fm5QFNfo6fw==, x-umt=duJLkp5LOjp9tjV04l0sWVWVGrYsNTP+}
6.編寫xposed插件
使用Android studio編寫插件。
4、分析展現
{"x-sign":"azSdY1002xAAGTOrG3oat7W3Cl5CuTOpOyrE7MLTDcHmpOcYgQ2AAK2s8P5+RHf/cTJX5G3EEiBQo/ftY5h33uGe4jkzuTOpM7kzqT","wua":"","x-mini-wua":"HHnB_x95u54gos/jSNsGcF2zvx+yhl8pchUZ/Z7Xke/2HlZZdYjvuuG4H4jZhhr2aUlre8xns7pYnMgr4nHcGSE4p7drYGE+VsuI73+L06luyPp+D/9Nod8fTnfNH4GHkXxzL","x-sgext":"JAFB9aifQ1zyfnYYZQ/y0w\u003d\u003d","x-umt":"XoVLH9JLOu1p1DV04lJL9VD9L4Y4mjV7"}
{"x-sign":"azSdY1002xAAHec7oUg/rsBTX3gmfec9774QeBZH2VUyMDOMVZlUlHk4JGqq0KNrpaaDcLlQxrSENyN5twyjSjUKNq33Hec95x3nPe","wua":"","x-mini-wua":"HHnB_kaq8xeRHJGYkxmlj4Tj7s+AE/ucCilsewjWaBR/V0/e5uhqJcgn26+5kTJBZBgPOHv8CYjmtQ1LAoR856xrcK+29ZT5HnUkMRMgvTm4H2pjm5GkpKhRHgo3VBGdhzvYa","x-sgext":"JAHZbzIH2cRo5uyA/5doSw\u003d\u003d","x-umt":"XoVLH9JLOu1p1DV04lJL9VD9L4Y4mjV7"}
固然,請求頭中的其餘參數也是能夠獲取的。
本文只用於學習交流,請勿他用。技術支持,扣扣:3165845957