[RE-APP]某为快应用逆向
pre
逆向一个记账本
todo
文件
/data/data/com.huawei.fastapp/app_resource/fastappEgine/com.xx.fruit
提取拿到轻应用的网页资源。应用程序在这里。接下来看抓包。
抓包
注入证书,然后开启抓包软件。发现无法抓包。
找到不能抓包原因
在目录下找到cbg_root.cert证书,
InputStream open = context.getAssets().open(str);
X509Certificate x509Certificate = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(open);
if (open != null) {
    open.close();
}
return x509Certificate;
生成了证书，然后从日志看到它固定了证书（证书锁定）。
C:\Users\Kian>adb logcat  |findstr CertVerifier
03-08 15:02:35.446 18560 18657 I a       : [hmssafetydetect-feature CertVerifierUtil.java:1] Start verify cert chain using root ca: CN=Huawei CBG Root CA,OU=Huawei CBG,O=Huawei,C=CN
03-08 15:02:35.447 18560 18657 I a       : [hmssafetydetect-feature CertVerifierUtil.java:3] verify cert CN=sysintegrity.platform.hicloud.com,OU=Huawei CBG Cloud Security Signer,O=Huawei,C=CN
03-08 15:02:35.448 18560 18657 I a       : [hmssafetydetect-feature CertVerifierUtil.java:4] using CN=Huawei CBG Application Integration CA,OU=Huawei CBG,O=Huawei,C=CN
来自于类:Lcom/huawei/fastapp/ca8;
猜测
这里猜测，它和服务器使用这套证书，不用这套证书是无法通信的。同事给的建议是转发全部流量然后用 mitmproxy 抓包，但我觉得不可行，理论上说不通。
跟踪了一下，发现它传递到 native 中去了，太深了。我觉得这个思路有问题。
换一种思路找它的通信方式。直接拿到app的代码。
代码在上边的文件夹中,我们找到关键的代码:
                               c.fetch({
                                    url: s,
                                    responseType: "text",
                                    method: "POST",
                                    header: {
                                        "Content-Type": "application/json"
                                    },
其中c的定义:
, c = $app_require$("@app-module/system.fetch")
好好好,就找system.fetch
经过在apk中寻找, 
找到了fetchModule.class
然后根据其创建 okhttp3 client 的过程，找到其证书管理器类的三个关键方法：
getAcceptedIssuers
checkServerTrusted
checkClientTrusted
知道这三个方法就知道大概的流程了。
直接bypass
            iz.checkClientTrusted.implementation = function (obj1,ibj2) {
                console.log('  -->checkClientTrusted Bypassing');
            };
            iz.checkServerTrusted.implementation = function (obj1,ibj2) {
                console.log('  -->checkServerTrusted Bypassing');
            };
            iz.getAcceptedIssuers.implementation = function () {
                console.log('  -->getAcceptedIssuers Bypassing');
                return [];
            };
然后安装证书
@echo off
REM Overlay the system CA store on a rooted device with an in-memory (tmpfs)
REM copy so one extra root certificate can be added without modifying the
REM underlying /system partition. tmpfs does not survive a reboot, so the
REM overlay (and the added certificate) is gone after the device restarts.
REM Prerequisites: adb, a rooted device with "su", and the certificate file in
REM the current directory in the hash-named form the Android store expects
REM (here c8750f0d.0).
REM NOTE(review): no command below checks its exit code, so a failing step
REM (a rejected "su", a failed "adb push") is not reported and later steps
REM still run against a half-prepared directory.
REM 1. Stash the current system certificates before the overlay hides them.
adb shell su -c "mkdir -m 700 /data/local/tmp/ca-copy"
adb shell su -c "cp /system/etc/security/cacerts/* /data/local/tmp/ca-copy/"
REM 2. Mount an empty tmpfs over the cacerts directory; it starts out empty.
adb shell su -c "mount -t tmpfs tmpfs /system/etc/security/cacerts"
REM 3. Put the original certificates back into the overlay, then add ours.
adb shell su -c "mv /data/local/tmp/ca-copy/* /system/etc/security/cacerts/"
adb push c8750f0d.0 /data/local/tmp/c8750f0d.0
adb shell su -c "cp /data/local/tmp/c8750f0d.0 /system/etc/security/cacerts/"
REM 4. Restore the stock ownership, mode and SELinux label on every file so the
REM    overlay is treated like the original store.
adb shell su -c "chown root:root /system/etc/security/cacerts/*"
adb shell su -c "chmod 644 /system/etc/security/cacerts/*"
adb shell su -c "chcon u:object_r:system_file:s0 /system/etc/security/cacerts/*"
REM 5. Clean up the temporary copy.
adb shell su -c "rm -r /data/local/tmp/ca-copy"
echo " cert  into system ok!"
打开转发抓包工具，即可正常抓取数据包。
算法突破
就是调试JS
调试js就很easy:
直接把 JS 复制到一个 HTML 文件中：
<script>
/**
 * 32-bit wrap-around addition (the "safe add" helper of the MD5 rounds).
 * The low and high 16-bit halves are summed separately and the carry out of
 * the low half is folded into the high half, so the result wraps modulo 2^32
 * and is returned as a signed 32-bit integer.
 * @param {number} e - first operand
 * @param {number} t - second operand
 * @returns {number} (e + t) mod 2^32 as a signed 32-bit integer
 */
function w(e, t) {
  var low = (e & 0xffff) + (t & 0xffff);
  var high = (e >> 16) + (t >> 16) + (low >> 16);
  return (high << 16) | (low & 0xffff);
}
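/**
 * One MD5 step: adds the round-function output and the message word to the
 * state word, rotates the sum left by a bits, then adds the next state word.
 * Relies on w() for 32-bit wrap-around addition.
 * @param {number} e - round-function result (output of F/G/H/I)
 * @param {number} t - state word being updated
 * @param {number} r - state word added after the rotation
 * @param {number} n - message word
 * @param {number} a - left-rotation amount in bits
 * @param {number} i - additive round constant
 * @returns {number} new 32-bit state word
 */
function b(e, t, r, n, a, i) {
  // The original declared its temporaries with a `var` placed after the
  // return statement (unreachable, working only through hoisting); they are
  // declared up front here so the function reads top to bottom.
  var sum = w(w(t, e), w(n, i));
  var rotated = (sum << a) | (sum >>> (32 - a));
  return w(rotated, r);
}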
/**
 * MD5 round-1 step: F(t, r, n) = (t & r) | (~t & n), then one step via b().
 * @param {number} e - state word being updated
 * @param {number} t - state word b (also first input of F)
 * @param {number} r - state word c
 * @param {number} n - state word d
 * @param {number} a - message word
 * @param {number} i - left-rotation amount
 * @param {number} s - additive round constant
 * @returns {number} new 32-bit state word
 */
function A(e, t, r, n, a, i, s) {
  var f = (t & r) | (~t & n);
  return b(f, e, t, a, i, s);
}
/**
 * MD5 round-2 step: G(t, r, n) = (t & n) | (r & ~n), then one step via b().
 * @param {number} e - state word being updated
 * @param {number} t - state word b
 * @param {number} r - state word c
 * @param {number} n - state word d
 * @param {number} a - message word
 * @param {number} i - left-rotation amount
 * @param {number} s - additive round constant
 * @returns {number} new 32-bit state word
 */
function k(e, t, r, n, a, i, s) {
  var g = (t & n) | (r & ~n);
  return b(g, e, t, a, i, s);
}
/**
 * MD5 round-3 step: H(t, r, n) = t ^ r ^ n, then one step via b().
 * @param {number} e - state word being updated
 * @param {number} t - state word b
 * @param {number} r - state word c
 * @param {number} n - state word d
 * @param {number} a - message word
 * @param {number} i - left-rotation amount
 * @param {number} s - additive round constant
 * @returns {number} new 32-bit state word
 */
function S(e, t, r, n, a, i, s) {
  var h = t ^ r ^ n;
  return b(h, e, t, a, i, s);
}
/**
 * MD5 round-4 step: I(t, r, n) = r ^ (t | ~n), then one step via b().
 * @param {number} e - state word being updated
 * @param {number} t - state word b
 * @param {number} r - state word c
 * @param {number} n - state word d
 * @param {number} a - message word
 * @param {number} i - left-rotation amount
 * @param {number} s - additive round constant
 * @returns {number} new 32-bit state word
 */
function C(e, t, r, n, a, i, s) {
  var v = r ^ (t | ~n);
  return b(v, e, t, a, i, s);
}
/**
 * Builds the request signature: the uppercase hex MD5 digest of the string
 * assembled in `n` below (nonce, timestamp and a fixed key joined as query
 * parameters).
 *
 * The body is a chain of nested immediately-invoked functions evaluated from
 * the innermost outwards; the parameter names e, t, r, n are reused and
 * shadowed at every level:
 *   1. UTF-8 encode the message (unescape(encodeURIComponent(...))) and pack
 *      the bytes into 32-bit little-endian words;
 *   2. MD5 compression over those words -- initial state 0x67452301 /
 *      0xEFCDAB89 / 0x98BADCFE / 0x10325476, the standard additive constants
 *      and shift amounts, message length in bits stored at word 14 of the
 *      padded block -- yielding four state words;
 *   3. unpack the four words into a 16-byte string (least significant byte
 *      first);
 *   4. hex-encode that string, then upper-case the result.
 *
 * NOTE(review): the key is a static constant shipped inside client code, so
 * a server cannot treat this signature as proof that a request came from the
 * genuine client; it only deters casual tampering with request parameters.
 *
 * @param {string} e - nonce string
 * @param {number|string} t - timestamp; stringified with String(t)
 * @returns {string} 32-character uppercase hex digest
 */
function _(e, t) {
debugger; // breakpoint left in by the author for browser-side debugging
  var r,
    // NOTE(review): "×tamp=" is very likely "&timestamp=" mangled by HTML
    // entity decoding ("&times" -> "×") when the code was pasted into the
    // page; confirm against the original bundle before relying on it.
    n = "noncestr=" + e + "×tamp=" + String(t) + "&key=205B31FA4F96D31D84DF380BA559A603";
  // Step 4: byte string -> lowercase hex, high nibble first.
  return (r = n, function (e) {
    var t,
      r,
      n = "0123456789abcdef",
      a = "";
    for (r = 0; r < e.length; r += 1) t = e.charCodeAt(r), a += n.charAt(t >>> 4 & 15) + n.charAt(15 & t);
    return a;
  }(function (e) {
    // Step 1 (outer half): UTF-8 encode the message into a byte string.
    return function (e) {
      // Step 3: four 32-bit words -> 16-byte string, little-endian.
      return function (e) {
        var t,
          r = "";
        for (t = 0; t < 32 * e.length; t += 8) r += String.fromCharCode(e[t >> 5] >>> t % 32 & 255);
        return r;
      }(function (e, t) {
        // Step 2: MD5 compression. e = word array, t = message length in bits.
        // Padding: set the 0x80 terminator bit, then store the bit length at
        // word 14 of the last 16-word block.
        e[t >> 5] |= 128 << t % 32, e[14 + (t + 64 >>> 9 << 4)] = t;
        var r,
          n,
          a,
          i,
          s,
          o = 1732584193,   // 0x67452301
          c = -271733879,   // 0xEFCDAB89
          u = -1732584194,  // 0x98BADCFE
          l = 271733878;    // 0x10325476
        // One 16-word block per iteration, written as a single comma
        // expression: n/a/i/s save the incoming state, then 16 steps each of
        // A (F), k (G), S (H) and C (I) run with the standard shift amounts
        // and constants, and the saved state is added back at the end.
        for (r = 0; r < e.length; r += 16) n = o, a = c, i = u, s = l, o = A(o, c, u, l, e[r], 7, -680876936),
         l = A(l, o, c, u, e[r + 1], 12, -389564586), 
         u = A(u, l, o, c, e[r + 2], 17, 606105819), 
         c = A(c, u, l, o, e[r + 3], 22, -1044525330), 
         o = A(o, c, u, l, e[r + 4], 7, -176418897), 
         l = A(l, o, c, u, e[r + 5], 12, 1200080426), 
         u = A(u, l, o, c, e[r + 6], 17, -1473231341), 
         c = A(c, u, l, o, e[r + 7], 22, -45705983), 
         o = A(o, c, u, l, e[r + 8], 7, 1770035416), 
         l = A(l, o, c, u, e[r + 9], 12, -1958414417), 
         u = A(u, l, o, c, e[r + 10], 17, -42063), 
         c = A(c, u, l, o, e[r + 11], 22, -1990404162), 
         o = A(o, c, u, l, e[r + 12], 7, 1804603682), 
         l = A(l, o, c, u, e[r + 13], 12, -40341101), 
         u = A(u, l, o, c, e[r + 14], 17, -1502002290),
          o = k(o, c = A(c, u, l, o, e[r + 15], 22, 1236535329), u, l, e[r + 1], 5, -165796510), 
          l = k(l, o, c, u, e[r + 6], 9, -1069501632), 
          u = k(u, l, o, c, e[r + 11], 14, 643717713), 
          c = k(c, u, l, o, e[r], 20, -373897302), 
          o = k(o, c, u, l, e[r + 5], 5, -701558691), 
          l = k(l, o, c, u, e[r + 10], 9, 38016083), 
          u = k(u, l, o, c, e[r + 15], 14, -660478335), 
          c = k(c, u, l, o, e[r + 4], 20, -405537848), 
          o = k(o, c, u, l, e[r + 9], 5, 568446438), 
          l = k(l, o, c, u, e[r + 14], 9, -1019803690), 
          u = k(u, l, o, c, e[r + 3], 14, -187363961),
           c = k(c, u, l, o, e[r + 8], 20, 1163531501), 
           o = k(o, c, u, l, e[r + 13], 5, -1444681467), l = k(l, o, c, u, e[r + 2], 9, -51403784), 
           u = k(u, l, o, c, e[r + 7], 14, 1735328473), 
           o = S(o, c = k(c, u, l, o, e[r + 12], 20, -1926607734), u, l, e[r + 5], 4, -378558), 
           l = S(l, o, c, u, e[r + 8], 11, -2022574463), 
           u = S(u, l, o, c, e[r + 11], 16, 1839030562), 
           c = S(c, u, l, o, e[r + 14], 23, -35309556), 
           o = S(o, c, u, l, e[r + 1], 4, -1530992060), 
           l = S(l, o, c, u, e[r + 4], 11, 1272893353), 
           u = S(u, l, o, c, e[r + 7], 16, -155497632), 
           c = S(c, u, l, o, e[r + 10], 23, -1094730640), 
           o = S(o, c, u, l, e[r + 13], 4, 681279174), 
           l = S(l, o, c, u, e[r], 11, -358537222), 
           u = S(u, l, o, c, e[r + 3], 16, -722521979), 
           c = S(c, u, l, o, e[r + 6], 23, 76029189), 
           o = S(o, c, u, l, e[r + 9], 4, -640364487),
            l = S(l, o, c, u, e[r + 12], 11, -421815835), u = S(u, l, o, c, e[r + 15], 16, 530742520), 
            o = C(o, c = S(c, u, l, o, e[r + 2], 23, -995338651), u, l, e[r], 6, -198630844), 
            l = C(l, o, c, u, e[r + 7], 10, 1126891415), u = C(u, l, o, c, e[r + 14], 15, -1416354905), 
            c = C(c, u, l, o, e[r + 5], 21, -57434055), o = C(o, c, u, l, e[r + 12], 6, 1700485571), 
            l = C(l, o, c, u, e[r + 3], 10, -1894986606), u = C(u, l, o, c, e[r + 10], 15, -1051523), 
            c = C(c, u, l, o, e[r + 1], 21, -2054922799), o = C(o, c, u, l, e[r + 8], 6, 1873313359), 
            l = C(l, o, c, u, e[r + 15], 10, -30611744), u = C(u, l, o, c, e[r + 6], 15, -1560198380), 
            c = C(c, u, l, o, e[r + 13], 21, 1309151649), o = C(o, c, u, l, e[r + 4], 6, -145523070), 
            l = C(l, o, c, u, e[r + 11], 10, -1120210379), u = C(u, l, o, c, e[r + 2], 15, 718787259),
            c = C(c, u, l, o, e[r + 9], 21, -343485551), o = w(o, n), c = w(c, a), u = w(u, i), l = w(l, s);
        return [o, c, u, l];
      }(function (e) {
        // Step 1 (inner half): byte string -> 32-bit little-endian words.
        // The first loop pre-sizes and zero-fills the array; the console.log
        // calls are debug output left in by the author.
        var t,
          r = [];
        console.log(e.length);
        for (r[(e.length >> 2) - 1] = undefined, t = 0; t < r.length; t += 1) r[t] = 0;
        for (t = 0; t < 8 * e.length; t += 8) r[t >> 5] |= (255 & e.charCodeAt(t / 8)) << t % 32;
        console.log(r);
        return r;
      }(e), 8 * e.length));  // second argument: message length in bits
    }(unescape(encodeURIComponent(e)));
  }(r))).toUpperCase();
}
</script>
用浏览器打开，直接调用并调试即可。注意 debugger 的位置。
复现
配合 AI 和 Python 直接写出来。
总结
按图索骥!