Analysis sample of a video app
2022-07-22 15:05:00 【Passers by. Hello】
1. Packet capture
Charles + Postern
2. Search for sign. "sign" alone gives far too many results, so search for another key, s_locale, which gives only two hits. This leads to
com.xxxxxxi.okretro.f.a
First look at the d() method.
At the bottom it calls the native s().
Then look at c().
It ends up at the same place.
Hook it once with frida:
Java.perform(function () {
    var LibBili = Java.use("com.xxxxx.nativelibrary.Libxxx");
    var treemap = Java.use("java.util.TreeMap");
    // Hook the static native s(SortedMap): log the input map and the signed query it returns
    LibBili.s.implementation = function (map) {
        console.log("com.xxxxx.nativelibrary.Libxxx map==>", treemap.$new(map));
        var retval = this.s(map);
        console.log("com.xxxxx.nativelibrary.Libxxx retval==>", retval);
        return retval;
    };
});
The printed result:
// com.xxxxx.nativelibrary.Lixxx map==> {aid=799065621, appkey=1d8b6e7d45233436, build=6180500, c_locale=zh-Hans_CN, channel=shenma069, cid=292549658, mobi_app=android, platform=android, s_locale=zh-Hans_CN, statistics={"appId":1,"platform":3,"version":"6.18.0","abtest":""}}
// com.xxxxx.nativelibrary.Lxxxx retval==> aid=799065621&appkey=1d8b6e7d45233436&build=6180500&c_locale=zh-Hans_CN&channel=shenma069&cid=292549658&mobi_app=android&platform=android&s_locale=zh-Hans_CN&statistics=%7B%22appId%22%3A1%2C%22platform%22%3A3%2C%22version%22%3A%226.18.0%22%2C%22abtest%22%3A%22%22%7D&ts=1657861030&sign=a52cd09b0a83f96daa5d0c0125151804
The sign has clearly been produced here.
Next, call native s() actively. This is the convenient approach: no need to click around in the app.
// Build a TreeMap with the request parameters and call the native s() directly.
// Run invoke() from the frida REPL once the script is loaded.
function invoke() {
    Java.perform(function () {
        var treemap = Java.use("java.util.TreeMap");
        var LibBili = Java.use("com.xxxxxx.nativelibrary.Libxxxx");
        var map = treemap.$new();
        map.put("aid", "728305240");
        map.put("appkey", "1d8b6e7d45233436");
        map.put("autoplay_card", "11");
        map.put("banner_hash", "10687342131252771522");
        map.put("build", "6180500");
        map.put("c_locale", "zh-Hans_CN");
        map.put("channel", "shenma069");
        map.put("cid", "292549658");
        map.put("mobi_app", "android");
        map.put("device_type", "0");
        map.put("flush", "6");
        console.log(map);
        // s() appends ts and sign and returns the signed query string
        var sign = LibBili.s(map);
        console.log("invoke sign ==>", sign);
    });
}
3. Analysis of the .so file
Open the library in IDA and check the export table. The method is not there, so it is registered dynamically: hook RegisterNatives.
If the output is too noisy, modify the hook script and add a filter on the class name:
if (class_name.indexOf("com.xxxxx.nativelibrary.LibBili") >= 0)
Add -o xxxx.txt to the frida command line to save the log to a file:
frida -U -f tv.xxxx.xxx -l hook_RegisterNatives.js --no-pause -o registerNatives.txt
[RegisterNatives] java_class: com.xxxxx.nativelibrary.LibBili name: s sig: (Ljava/util/SortedMap;)Lcom/bilibili/nativelibrary/SignedQuery; fnPtr: 0xbc753c97 fnOffset: 0x1c97 callee: 0xbc753b8f libbili.so!JNI_OnLoad+0x66
This gives the offset: offset=0x1c97.
In IDA press G and jump to it.
This lands in sub_2F88.
Press Y to modify the prototype of sub_2F88.
Then read further down.
sub_6680 is a JNI call, CallBooleanMethod: it calls a Java method and converts the returned Boolean into a native jboolean.
Hook it once and call the algorithm actively; the return value is 0.
// Base address of the native library (name taken from the RegisterNatives log above)
var addr = Module.findBaseAddress("libbili.so");
// +1: the function is Thumb code (fnPtr in the log is odd)
var sub_2F88 = addr.add(0x2F88 + 1);
Interceptor.attach(sub_2F88, {
    onEnter: function (args) {
    },
    onLeave: function (retval) {
        console.log("sub_2F88 onLeave:", retval);
    }
});
Then it enters sub_3414();
Keep going.
It calls this class's r() method,
which joins the map into an &-connected string.
So continue down and
hook sub_22B0():
// sub_22B0: args[1] is the input buffer, args[2] its length
var addr = Module.findBaseAddress("libbili.so");
var sub_22B0 = addr.add(0x22B0 + 1);  // +1 for Thumb mode
Interceptor.attach(sub_22B0, {
    onEnter: function (args) {
        console.log("0x22B0 onEnter:", hexdump(args[1], { length: args[2].toInt32() }));
        console.log("\n0x22B0 Length:" + args[2]);
    },
    onLeave: function (retval) {
        console.log("0x22B0 onLeave:", retval);
    }
});
Algorithm restoration
sub_22B0() is MD5, and it is called 7 times.
Respectively in
Calling the algorithm several times shows that four data blocks are fixed. The parameters and the four data blocks are concatenated and hashed with MD5.
The last 5 MD5 results spliced together are the sign.
aid=728305240&appkey=1d8b6e7d45233436&autoplay_card=11&banner_hash=10687342131252771522&build=6180500&c_locale=zh-Hans_CN&channel=shenma069&cid=292549658&device_type=0&flush=6&mobi_app=android&ts=1657877030&sign=71739fc69a301b43ad920e2820e97b31
Input parameters: aid=728305240&appkey=1d8b6e7d45233436&autoplay_card=11&banner_hash=10687342131252771522&build=6180500&c_locale=zh-Hans_CN&channel=shenma069&cid=292549658&device_type=0&flush=6&mobi_app=android&ts=1657877030
Restoration complete.
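The following is an added example, not code from the original post or from the app: it shows the canonical form that the r() method produces (keys in TreeMap order, values percent-encoded, joined with &), and the reverse step of splitting a signed query back into parameters, ts and sign, so the two hook outputs above can be checked against each other. The sample map and the signed query are copied from the first hook output; the function names are my own, and no signing secret or hash computation is involved.

```javascript
// Percent-encode a value the way the captured output shows it:
// `{` -> %7B, `"` -> %22, `:` -> %3A, `,` -> %2C; letters, digits, "-", "_" and "." stay as-is.
function encodeValue(value) {
  return encodeURIComponent(String(value));
}

// Canonical form: keys sorted lexicographically (a TreeMap's natural order),
// each "key=encodedValue", joined with "&".
function canonicalQuery(params) {
  return Object.keys(params)
    .sort()
    .map((k) => `${k}=${encodeValue(params[k])}`)
    .join('&');
}

// Split "a=1&b=2&ts=...&sign=..." into { params, ts, sign }, decoding values.
function splitSignedQuery(query) {
  const params = {};
  let ts = null;
  let sign = null;
  for (const pair of query.split('&')) {
    const idx = pair.indexOf('=');
    const key = idx >= 0 ? pair.slice(0, idx) : pair;
    const value = idx >= 0 ? decodeURIComponent(pair.slice(idx + 1)) : '';
    if (key === 'ts') ts = value;
    else if (key === 'sign') sign = value;
    else params[key] = value;
  }
  return { params, ts, sign };
}

// Check that a signed query's parameter part is in canonical form, i.e. that
// re-canonicalizing the parsed parameters reproduces the text before &ts=.
function isCanonical(query) {
  const cut = query.indexOf('&ts=');
  if (cut < 0) return false;
  return canonicalQuery(splitSignedQuery(query).params) === query.slice(0, cut);
}

// Constructed sample: the map printed by the first hook, as a JS object.
const sampleMap = {
  aid: '799065621',
  appkey: '1d8b6e7d45233436',
  build: '6180500',
  c_locale: 'zh-Hans_CN',
  channel: 'shenma069',
  cid: '292549658',
  mobi_app: 'android',
  platform: 'android',
  s_locale: 'zh-Hans_CN',
  statistics: '{"appId":1,"platform":3,"version":"6.18.0","abtest":""}',
};

// The signed query the same hook printed as retval.
const signedSample =
  'aid=799065621&appkey=1d8b6e7d45233436&build=6180500&c_locale=zh-Hans_CN' +
  '&channel=shenma069&cid=292549658&mobi_app=android&platform=android' +
  '&s_locale=zh-Hans_CN&statistics=%7B%22appId%22%3A1%2C%22platform%22%3A3' +
  '%2C%22version%22%3A%226.18.0%22%2C%22abtest%22%3A%22%22%7D' +
  '&ts=1657861030&sign=a52cd09b0a83f96daa5d0c0125151804';

// Everything before &ts= in signedSample.
const expectedPrefix = signedSample.slice(0, signedSample.indexOf('&ts='));

// Returns true when our canonicalization matches what the native code emitted.
function checkSample() {
  return canonicalQuery(sampleMap) === expectedPrefix && isCanonical(signedSample);
}

console.log(canonicalQuery(sampleMap));
console.log(splitSignedQuery(signedSample));
console.log('matches hook output:', checkSample());
```

encodeURIComponent leaves `-`, `_`, `.`, `!`, `~`, `*`, `'`, `(` and `)` unencoded; that agrees with the captured output for these values, but a value containing `*` or `~` would need checking against the native encoder before relying on this for anything stricter.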