首页
社区
课程
招聘
[求助]阿里系x-signature加密方法逆向
发表于: 2024-6-18 13:35 4799

[求助]阿里系x-signature加密方法逆向

2024-6-18 13:35
4799

最近在抓包X里云盘的x-signature-v2,发现最终是由ISecureSignatureComponent.signRequest生成的

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
@Nullable
    public final String signString(@NotNull String appKey, @NotNull String needSignString) {
        Intrinsics.checkNotNullParameter(appKey, "appKey");
        Intrinsics.checkNotNullParameter(needSignString, "needSignString");
        // 签名方法
        ISecureSignatureComponent secureSignatureComp = SecurityGuardManager.getInstance(AppContext.INSTANCE.get()).getSecureSignatureComp();
        HashMap hashMap = new HashMap();
        hashMap.put("INPUT", needSignString);
        SecurityGuardParamContext securityGuardParamContext = new SecurityGuardParamContext();
        securityGuardParamContext.appKey = appKey;
        securityGuardParamContext.paramMap = hashMap;
        securityGuardParamContext.requestType = 3;
        try {
            return secureSignatureComp.signRequest(securityGuardParamContext, "");
        } catch (Exception e) {
            e.printStackTrace();
            return null;
        }
    }
1
2
3
4
5
6
7
8
9
10
11
12
13
14
package com.alibaba.wireless.security.open.securesignature;
 
import com.alibaba.wireless.security.framework.InterfacePluginInfo;
import com.alibaba.wireless.security.open.IComponent;
import com.alibaba.wireless.security.open.SecException;
import com.alibaba.wireless.security.open.SecurityGuardParamContext;
 
@InterfacePluginInfo(pluginName = "main")
/* loaded from: classes11.dex */
public interface ISecureSignatureComponent extends IComponent {
    String getSafeCookie(String str, String str2, String str3) throws SecException;
 
    String signRequest(SecurityGuardParamContext securityGuardParamContext, String str) throws SecException;
}

但是ISecureSignatureComponent在静态分析里找不到实现类,frida hook signString方法打印ISecureSignatureComponent实现类名是а.а.а.а.а.з.а,是否意味着实现类是动态创建并且混淆了,该如何破局,大佬们给点丝路

1
2
3
4
5
6
7
8
9
10
11
12
13
Java.perform(() => {
    let SecurityGuardHelper = Java.use("com.alicloud.common.securityguard.SecurityGuardHelper");
    let Companion = Java.use("com.alicloud.databox.library.AppContext").Companion;
    let SecurityGuardManager = Java.use("com.alibaba.wireless.security.open.SecurityGuardManager");
    SecurityGuardHelper["signString"].implementation = function (appKey, needSignString) {
        let secureSignatureComp = SecurityGuardManager.getInstance(Companion.value.get()).getSecureSignatureComp();
 
        // 打印 secureSignatureComp 的具体实现类和地址
        console.log("secureSignatureComp class: " + secureSignatureComp.$className);
 
        return this["signString"](appKey, needSignString);
    };
});

APK链接: https://pan.baidu.com/s/11qTuV_wptRcV4sD6pn-lmA?pwd=sign 提取码: sign


[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课

收藏
免费 0
支持
分享
最新回复 (7)
雪    币: 10
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
2
可以试试用真实的类hook试试
2024-6-18 17:31
0
雪    币: 20
活跃值: (87)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
3
mb_ldbucrik 可以试试用真实的类hook试试
可以hook到真实的类,signRequest native,但是怎么追到是哪个so,遍历了所有so的expoet也遍历不到这个方法,求教
2024-6-20 12:44
0
雪    币: 3134
活跃值: (1227)
能力值: ( LV5,RANK:70 )
在线值:
发帖
回帖
粉丝
4
这不是阿里的libsgmain吗?
2024-6-20 13:44
0
雪    币: 555
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
5
会飞的蛋蛋面 可以hook到真实的类,signRequest native,但是怎么追到是哪个so,遍历了所有so的expoet也遍历不到这个方法,求教
可能是动态注册的吧?试试hook一下?
2024-6-20 14:42
0
雪    币: 200
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
6
楼主成功了吗,我也是卡到了这一步,根据帖子https://www.52pojie.cn/forum.php?mod=viewthread&tid=1491319得知,这个好像在libsgmain.so中
2024-8-1 15:31
0
雪    币: 1
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
7
可以参考这个文章 https://www.jianshu.com/p/e4395b49094a 就在libsgmain.so里了 还有参考https://blog.csdn.net/weixin_44084602/article/details/126923221这篇文章 知道JNICLibrary.doCommandNative方法
2024-11-14 14:20
0
雪    币: 1
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
8
还可以参考https://blog.csdn.net/Api_hex/article/details/138128786 这篇文章,非常好。能找到JNICLibrary类的真正实现。
2024-11-14 18:13
0
游客
登录 | 注册 方可回帖
返回
//