一、指标

咱们来剖析某站 App的sign签名算法,先搜寻一下 游戏 ,抓包后果:

二、步骤

这个sign仍然是32位的字符串

都9020年了,这种规模用户的App应该是不会裸奔在java层了,咱们就间接一点,在so外面搜寻 sign=

惋惜没有后果……

藏起来的货色肯定是重要的货色

so层导出函数给java层调用,有两种办法,一种是动态注册,间接会体现在so的导出表里。 一种是RegisterNatives来动静注册,这种就比拟费解了,从导出表里看不到痕迹。

所以咱们Hook下RegisterNatives,看看它藏了什么?

// hook register 打印动静注册的函数地址function hook_register(){    // libart.so 所有导出函数表    var symbols = Module.enumerateSymbolsSync("libart.so");    var addr_register = null;    for(var i = 0; i < symbols.length; i++){        var symbol = symbols[i];        var method_name = symbol.name;        if(method_name.indexOf("art") >= 0){            if(method_name.indexOf("_ZN3art3JNI15RegisterNativesEP7_JNIEnvP7_jclassPK15JNINativeMethodi") >= 0){                addr_register = symbol.address;            }        }    }    // 开始hook    if(addr_register){        Interceptor.attach(addr_register, {            onEnter: function(args){                var methods = ptr(args[2]);                var method_count = args[3];                console.log("[RegisterNatives] method_count:", method_count);                for(var i = 0; i < method_count; i++){                    var fn_ptr = methods.add(i * Process.pointerSize * 3 + Process.pointerSize * 2).readPointer();                    var find_module = Process.findModuleByAddress(fn_ptr);                    if(i == 0){                        console.log("module name", find_module.name);                        console.log("module base", find_module.base);                    }                    console.log("\t method_name:", methods.add(i * Process.pointerSize * 3).readPointer().readCString(), "method_sign:", methods.add(i * Process.pointerSize * 3 + Process.pointerSize).readPointer().readCString(), "method_fnPtr:", fn_ptr, "method offset:", fn_ptr.sub(find_module.base));                }            }, onLeave(retval){            }        })    }}

挂上我可爱的frida,跑起来……

这种函数命名可读性这么好,顾名思义就晓得不是做sign

[RegisterNatives] method_count: 0x6module name libimagepipeline.somodule base 0x7c29c000     method_name: nativeAllocate method_sign: (I)J method_fnPtr: 0x7c29cc6d method offset: 0xc6d     method_name: nativeFree method_sign: (J)V method_fnPtr: 0x7c29ccb5 method offset: 0xcb5     method_name: nativeCopyToByteArray method_sign: (J[BII)V method_fnPtr: 0x7c29ccbb method offset: 0xcbb     method_name: nativeCopyFromByteArray method_sign: (J[BII)V method_fnPtr: 0x7c29ccd7 method offset: 0xcd7     method_name: nativeMemcpy method_sign: (JJI)V method_fnPtr: 0x7c29ccf3 method offset: 0xcf3     method_name: nativeReadByte method_sign: (J)B method_fnPtr: 0x7c29ccff method offset: 0xcff

这个 libbili.so 大兄弟看上去不像坏蛋,都9020年了,函数命名个 a、b、s之类,这么明火执仗的写bug,在我司是要被李老板拉出去打PP的。

[RegisterNatives] method_count: 0x7module name libbili.somodule base 0x88e2b000     method_name: a method_sign: (Ljava/lang/String;)Ljava/lang/String; method_fnPtr: 0x88e2cc35 method offset: 0x1c35     method_name: ao method_sign: (Ljava/lang/String;II)Ljava/lang/String; method_fnPtr: 0x88e2cc3b method offset: 0x1c3b     method_name: b method_sign: (Ljava/lang/String;)Ljavax/crypto/spec/IvParameterSpec; method_fnPtr: 0x88e2cc49 method offset: 0x1c49     method_name: s method_sign: (Ljava/util/SortedMap;)Lcom/bilibili/nativelibrary/SignedQuery; method_fnPtr: 0x88e2cc4f method offset: 0x1c4f     method_name: so method_sign: (Ljava/util/SortedMap;II)Lcom/bilibili/nativelibrary/SignedQuery; method_fnPtr: 0x88e2cc55 method offset: 0x1c55     method_name: getCpuCount method_sign: ()I method_fnPtr: 0x88e2cc63 method offset: 0x1c63     method_name: getCpuId method_sign: ()I method_fnPtr: 0x88e2cc67 method offset: 0x1c67

既然不是坏蛋,那就问询一下,Hook之:

var biliNative = Java.use("com.bilibili.nativelibrary.LibBili");biliNative.a.implementation = function(a){    var result = this.a(a);    console.log("biliNative a(" + a + ") = " + result);    return result;}biliNative.ao.implementation = function(a,b,c){     var result = this.ao(a,b,c);     console.log("biliNative ao(" + a + "," + b + "," + c + ") = " + result);    return result;}biliNative.b.overload('java.lang.String').implementation = function(a){    var result = this.b(a);    console.log("biliNative b(" + a + ") = " + result);    return result;}biliNative.s.implementation = function(map){    var result = this.s(map);    console.log("biliNative s(" + map + ") = " + result);    return result;}biliNative.so.implementation = function(a,b,c){     var result = this.so(a,b,c);     console.log("biliNative so(" + a + "," + b + "," + c + ") = " + result);    return result;}

现形了,出工。

慢着!李老板出场了,为什么老板总在上班的时候呈现?下班的时候他们干什么去了?(。╯︵╰。)

奋飞呀,签名是进去的,然而入参呢?你总不能通知我入参是个Object吧?

搞SortedMap入参

入参从之前打印的后果能够看进去,是个 Ljava/util/SortedMap;, 那就so easy了,把它打印进去即可。

半小时后…… 找了一圈google只通知了我一个 HashMap 的打印办法,不论了,先打进去

biliNative.s.implementation = function(HashMap){       var result = this.s(HashMap);    var keys = HashMap.keySet();    var key_set = keys.iterator();    while (key_set.hasNext()) {    var key = key_set.next().toString();    var value = HashMap.get(key).toString();    console.log(key + ": " + value);    }       console.log("biliNative s(" + HashMap + ") = " + result);       return result;}

持续跑,Duang.....

{'type': 'error', 'description': "TypeError: undefined not callable (property 'get' of [object Object])", 'stack': "TypeError: undefined not callable (property 'get' of [object Object])\n    at [anon] (../../../frida-gum/bindings/gumjs/duktape.c:67616)\n    at /script1.js:111\n    at je (frida/node_modules/frida-java-bridge/lib/class-factory.js:633)\n    at frida/node_modules/frida-java-bridge/lib/class-factory.js:616", 'fileName': '/script1.js', 'lineNumber': 111, 'columnNumber': 1}

貌似是说 SortedMap没有get()这个办法 ????

鲁迅学生已经说过:年轻人不能偷懒,到处抄代码是不对的。

先查查java文档,剖析下 SortedMap 的成员函数,其实奋飞也是个优良的java程序员。

  • java.util.SortedMap.comparator() //接管比拟器,用于Map排序
  • java.util.SortedMap.entrySet() //后去Map中的entrySet汇合
  • java.util.SortedMap.firstKey() //第一个key
  • java.util.SortedMap.headMap(K k) //在k之前的键值对
  • java.util.SortedMap.keySet() //获取key的set汇合
  • java.util.SortedMap.lastKey() //最初的key
  • java.util.SortedMap.subMap(K k1, K k2) //k1,k2之间的键值对
  • java.util.SortedMap.tailMap(K) //汇合最初的键值对
  • java.util.SortedMap.values() //汇合所有的values

好吧,那就简略了,咱们先把 key 遍历进去,而后在把 values() 打印进去。

哪位同学有更好的方法,请给奋飞留言.Orz

TIP: 网友:飞雪的日子,提供了一个更帅的形式 console.log(map.entrySet().toArray());

biliNative.s.implementation = function(map){    var result = this.s(map);    var keyStr = ""    var keys = map.keySet();    var key_set = keys.iterator();    while (key_set.hasNext()) {        var key = key_set.next().toString();        keyStr += ","+key    }    console.log(keyStr)    console.log(map.values().toArray());    console.log("biliNative s(" + map + ") = " + result);    return result;}

嗯嗯,成果不错,打印进去了,出工

三、总结

好货色要藏起来,逆向一下,藏起来的必定是好货色(^\_~)

╮(‵▽′)╭ 每天叫醒我的不是闹钟,而是常识星球新用户退出的音讯铃声 ( ̄ ̄)

TIP: 本文的目标只有一个就是学习更多的逆向技巧和思路,如果有人利用本文技术去进行非法商业获取利益带来的法律责任都是操作者本人承当,和本文以及作者没关系,本文波及到的代码我的项目能够去 奋飞的敌人们 常识星球自取,欢送退出常识星球一起学习探讨技术。有问题能够加我wx: fenfei331 探讨下。

关注微信公众号: 奋飞平安,最新技术干货实时推送