-
-
[原创]某灰色app的分析学习
-
发表于: 2024-10-29 10:25
-
1、直接将某沙app拖入jadx,看起来是加壳的,全是字母。
2、通过frida-dump脱壳出dex,代码太多,一头雾水,决定frida查看一下app load流程。
3、先查看一下so的加载,看起来是基于webview的app,这种安全性更强?
android_dlopen_ext probe /data/user/0/com.hptfludyjx.syjqeafkll/files/HJfOTtKmmn/libflutter.so android_dlopen_ext probe /vendor/lib/hw/gralloc.sdm845.so android_dlopen_ext probe /data/user/0/com.hptfludyjx.syjqeafkll/files/HJfOTtKmmn/libkiwi.so android_dlopen_ext probe /vendor/lib/hw/android.hardware.graphics.mapper@2.0-impl-qti-display.so android_dlopen_ext probe /data/dalvik-cache/arm/system@product@app@webview@webview.apk@classes.dex android_dlopen_ext probe libwebviewchromium.so android_dlopen_ext probe /system/product/app/webview/webview.apk!/lib/armeabi-v7a/libwebviewchromium.so android_dlopen_ext probe /system/lib/libwebviewchromium_plat_support.so
4、objection查看相关的控件,只有几个,决定从这几个包里面代码入手
com.FsmPTCXp.srkUzUwv.BuMNTWpHywCyOjEG com.FsmPTCXp.srkUzUwv.SYwlcwEiRFSIXShR com.FsmPTCXp.srkUzUwv.XgHiUUvJoGlJkOrD com.FsmPTCXp.srkUzUwv.etdKYlBCbRsMOoYO com.FsmPTCXp.srkUzUwv.kTqkUkCAFauhrgmp com.FsmPTCXp.srkUzUwv.pipohLdKqLHPWLVM com.FsmPTCXp.srkUzUwv.spWureHoPIGDecqQ com.google.android.gms.common.api.GoogleApiActivity
com.FsmPTCXp.srkUzUwv.SYwlcwEiRFSIXShR
这个里面有webview的创建,在com.pichillilorenzo.flutter_inappwebview.in_app_browser.InAppBrowserManager发现会启动这个控件,后面就是继续分析怎么注入了。
5、继续分析并hook相关的类,终于找到了一些post get时会触发的方法。
(agent) [612497] Called com.pichillilorenzo.flutter_inappwebview.in_app_webview.FlutterWebView.getView() (agent) [612497] Called com.pichillilorenzo.flutter_inappwebview.in_app_webview.FlutterWebView.getView() (agent) [612497] Called com.pichillilorenzo.flutter_inappwebview.in_app_webview.FlutterWebView.getView() (agent) [612497] Called com.pichillilorenzo.flutter_inappwebview.in_app_webview.FlutterWebView.getView() (agent) [612497] Called com.pichillilorenzo.flutter_inappwebview.in_app_webview.FlutterWebView.dispose() (agent) [612497] Called com.pichillilorenzo.flutter_inappwebview.in_app_webview.FlutterWebView.makeInitialLoad(java.util.HashMap) (agent) [612497] Called com.pichillilorenzo.flutter_inappwebview.in_app_webview.FlutterWebView.getView() (agent) [612497] Called com.pichillilorenzo.flutter_inappwebview.in_app_webview.FlutterWebView.getView() (agent) [612497] Called com.pichillilorenzo.flutter_inappwebview.in_app_webview.FlutterWebView.getView() (agent) [612497] Called com.pichillilorenzo.flutter_inappwebview.in_app_webview.FlutterWebView.getView() (agent) [612497] Called com.pichillilorenzo.flutter_inappwebview.in_app_webview.FlutterWebView.dispose() (agent) [612497] Called com.pichillilorenzo.flutter_inappwebview.in_app_webview.FlutterWebView.makeInitialLoad(java.util.HashMap) (agent) [612497] Called com.pichillilorenzo.flutter_inappwebview.in_app_webview.FlutterWebView.getView() (agent) [612497] Called com.pichillilorenzo.flutter_inappwebview.in_app_webview.FlutterWebView.getView() (agent) [612497] Called com.pichillilorenzo.flutter_inappwebview.in_app_webview.FlutterWebView.getView() (agent) [612497] Called com.pichillilorenzo.flutter_inappwebview.in_app_webview.FlutterWebView.getView() (agent) [612497] Called com.pichillilorenzo.flutter_inappwebview.in_app_webview.FlutterWebView.dispose()
6、hook关键函数com.pichillilorenzo.flutter_inappwebview.in_app_webview.InAppWebViewClient.onPageFinished,找到关键的加载js的请求
(agent) [096825] Called com.pichillilorenzo.flutter_inappwebview.in_app_webview.InAppWebViewClient.loadCustomJavaScriptOnPageStarted(android.webkit.WebView) (agent) [096825] Called com.pichillilorenzo.flutter_inappwebview.in_app_webview.InAppWebViewClient.shouldInterceptRequest(android.webkit.WebView, java.lang.String) (agent) [096825] Called com.pichillilorenzo.flutter_inappwebview.in_app_webview.InAppWebViewClient.shouldInterceptRequest(android.webkit.WebView, android.webkit.WebResourceRequest) (agent) [096825] Called com.pichillilorenzo.flutter_inappwebview.in_app_webview.InAppWebViewClient.shouldInterceptRequest(android.webkit.WebView, android.webkit.WebResourceRequest) (agent) [096825] Called com.pichillilorenzo.flutter_inappwebview.in_app_webview.InAppWebViewClient.shouldInterceptRequest(android.webkit.WebView, android.webkit.WebResourceRequest) (agent) [096825] Called com.pichillilorenzo.flutter_inappwebview.in_app_webview.InAppWebViewClient.shouldInterceptRequest(android.webkit.WebView, java.lang.String) (agent) [096825] Called com.pichillilorenzo.flutter_inappwebview.in_app_webview.InAppWebViewClient.onPageFinished(android.webkit.WebView, java.lang.String) (agent) [096825] Called com.pichillilorenzo.flutter_inappwebview.in_app_webview.InAppWebViewClient.loadCustomJavaScriptOnPageFinished(android.webkit.WebView)
7、抓取核心接口的调用栈,拿到网页的链接,由于这个玩意服务器在国外,所以需要vpn才能inspect debug(可以但是太麻烦),干脆直接拿链接浏览器打开,居然能通。
(agent) [410874] Arguments com.pichillilorenzo.flutter_inappwebview.in_app_webview.InAppWebViewClient.onPageFinished(com.pichillilorenzo.flutter_inappwebview.in_app_webview.InAppWebView{c22f292 VFED..CL. ........ 0,0-2160,1080}, https://xms.sq0002.cn/lobby/?uid=157347630&token=MTU3MzQ3NjMwXzE3MzA3Mjk4NTUwNjg6MzVaQldoeDZwaUQxS2JPbQ)8、链接在浏览器可以打开,可以f12 debug,但是没意义,因为充值接口不在游戏,不充值无法进行,所以这条路可能无意义,也许协议有漏洞,但需要分析。
基本上就是使用以下这两个请求链接来校验账号信息。
https://xms.sq0002.cn/api/app/account/get/info.do https://xms.sq0002.cn/api/app/server/list.do
9、网页js源码分析,寻找key、iv.......,F12初步分析网页逻辑,找到修改金币的位置,debug断点,修改数据,可以增加金币,但是和服务器交互后金币还是会被清零。
setAccountInfo(t) {
if (this.userInfoBarData = t,
null === this.userInfoBar)
throw new ReferenceError("RoomLayer 已被 destroy");
this.userInfoBar.setUserIcon(t.icon, t.frame),
this.userInfoBar.setUserID(t.nickname),
this.userInfoBar.setUserLevel(t.vip),
t.agentUserId && this.userInfoBar.setUid(t.agentUserId),
this.setCurrentGold(t.score) //修改t.score
}
后面会继续更新。
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
最后于 2024-11-8 21:56
被wx_ZXC_301编辑
,原因:
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
