Android逆向 某旅游 解密oauth

Android逆向 某旅游 解密oauth

记一次学习过程，需求解密"sign"字段 得到其算法

• adbook 马蜂窝旅游

• so层 算法

  • HmacSHA1 enc.Base64

1. 需解密对象

1. “oauth_signature” 字段

2. 定位到 java 关键函数

1. 搜索关键字 “oauth_signature”

    public static final String HTTP_BASE_PARAM_OAUTH_SIGNATURE = "oauth_signature";

2. HTTP_BASE_PARAM_OAUTH_SIGNATURE 查找用例

3. 一步一步查找到 oauthSignTxt 这个方法

3. firda hook java

1. hook 关键函数
2. 主动调用

4. firda hook so

1. Exports Java_com_mfw_tnative_AuthorizeHelper_xAuthencode 000090E8
2. 进去 F5 一目了然 ，没有被处理过的c++代码 ，一点一点的拆分就行

5. hook.js代码

console.log("--------------------");
console.log("adbook"); // 马蜂窝旅游
console.log(&#");
// hook_java();
hook_so();
console.log(&#");
console.log("--------------------");function showStacks() {console.log(Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Exception").$new()));
}function hook_java() {Java.perform(function () {var AuthorizeHelper = Java.use("ative.AuthorizeHelper");AuthorizeHelper.xAuthencode.implementation = function (context, source, key, packageName, isLogin) {//showStacks();console.log("xAuthencode context: ", context);console.log("xAuthencode source: ", source);console.log("xAuthencode key: ", key);console.log("xAuthencode packageName: ", packageName);console.log("xAuthencode isLogin: ", isLogin);var retval = this.xAuthencode(context, source, key, packageName, isLogin);console.log("xAuthencode retval: ", retval);return retval;}});
}function call_java() {Java.perform(function () {var currentApplication = Java.use("android.app.ActivityThread").currentApplication();var context = ApplicationContext();var AuthorizeHelper = Java.use("ative.AuthorizeHelper");var xAuthencode = AuthorizeHelper.$new("adbook").xAuthencode(context,'PUT&https%3A%2F%2Fmapi.mafengwo%2Frest%2Fapp%2Fuser%2Flogin%2F&after_style%3Ddefault%26app_code%adbook%26app_ver%3D8.1.6%26app_version_code%3D535%26brand%3DXiaomi%26channel_id%3DGROWTH-WAP-LC-3%26device_id%3DF4%253AF5%253ADB%253A23%253A63%253A06%26device_type%3Dandroid%26hardware_model%3DMI%25205X%26mfwsdk_ver%3D20140507%26o_lat%3D30.458106%26o_lng%3D114.876373%26oauth_consumer_key%3D5%26oauth_nonce%3Dc0847f2b-b284-4bcf-b823-8d19be79b6cb%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1621266286%26oauth_version%3D1.0%26open_udid%3DF4%253AF5%253ADB%253A23%253A63%253A06%26put_style%3Ddefault%26screen_height%3D1920%26screen_scale%3D3.0%26screen_width%3D1080%26sys_ver%3D8.1.0%26time_offset%3D480%26x_auth_mode%3Dclient_auth%26x_auth_password%3D333333%26x_auth_username%3D13333333333','','adbook',true);// E7yazoGTHlhhoEUcRY9ukGK/nJ8=console.log("call_java xAuthencode: ", xAuthencode);});
}function hook_so() {// mfw::Sha1::CHmac::SetKeyvar SetKey = Module.findExportByName("libmfw.so", '_ZN3mfw4Sha15CHmac6SetKeyEPKhj');console.log("SetKey Addr : ", SetKey);Interceptor.attach(SetKey, {onEnter: function (args) {// console.log("SetKey onEnter args[0]: ", (args[0])); // 指针 上下文console.log("SetKey onEnter args[1]: ", ptr(args[1]).readCString()); // 指针 密钥console.log("SetKey onEnter args[2]: ", ptr(args[2]).toInt32());     // 指针 长度// console.log("SetKey onEnter args[0]: n", hexdump(args[0]));// console.log("SetKey onEnter args[0]: ", ptr(args[0]).readCString());},onLeave: function (retval) {// console.log("SetKey onLeave retval: ", (retval)); // 无返回值// console.log("SetKey onEnter retval: ", ptr(retval).toInt32()); // 指针}});// mfw::Sha1::CHmac::Updatevar Update = Module.findExportByName("libmfw.so", '_ZN3mfw4Sha15CHmac6UpdateEPKhj');console.log("Update Addr : ", Update);Interceptor.attach(Update, {onEnter: function (args) {// console.log("Update onEnter args[0]: ", (args[0])); // 指针 上下文console.log("Update onEnter args[1]: ", ptr(args[1]).readCString()); // 指针 参数console.log("Update onEnter args[2]: ", ptr(args[2]).toInt32());     // 指针 长度// console.log("SetKey onEnter args[0]: n", hexdump(args[0]));// console.log("SetKey onEnter args[0]: ", ptr(args[0]).readCString());},onLeave: function (retval) {// console.log("Update onLeave retval: ", (retval)); // 无返回值// console.log("Update onEnter retval: ", ptr(retval).toInt32()); // 指针}});// mfw::Sha1::CHmac::Finalvar Final = Module.findExportByName("libmfw.so", '_ZN3mfw4Sha15CHmac5FinalEPhj');console.log("Final Addr : ", Final);Interceptor.attach(Final, {onEnter: function (args) {// console.log("Final onEnter args[0]: ", (args[0]));                // 指针 上下文// console.log("Final onEnter args[1]: ", ptr(args[1]));             // 指针 这是个返回值console.log("Final onEnter args[2]: ", ptr(args[2]).toInt32());      // 指针 长度// console.log("SetKey onEnter args[0]: n", hexdump(args[0]));this.args1 = args[1];},onLeave: function (retval) {// console.log("Final onLeave retval: ", (retval));                  // 无返回值// console.log("Final onEnter retval: ", ptr(retval).toInt32());     // 指针console.log("Final onLeave this.arg1: n", hexdump(this.args1, { length: 20 }));}});
}