Android encryption parameter positioning method

The author is writing a book on crawler reverse engineering (the title has not been decided yet).

I have written 50 pages so far. The picture above shows part of the table of contents.

I would like to ask which part of the content you are most interested in right now, or which part would be the most worthwhile to learn; you could also help me think of a book title.

You can leave a message at the end of this article, thank you.


Let's start the text of this article.

When reversing an Android program, blind analysis means reading through N lines of code just to find the program's key points or hook points. This article shares how to quickly find the position of an APP's encrypted parameters. In fact, finding a key position, finding a hook point, finding an encrypted parameter, and tracking code logic are all handled in much the same way.


Clever use of search: static analysis

Generally, the static analysis process for finding encrypted parameters is: check for a packer (and unpack), decompile, find the program's entry method, and analyze the program's execution flow.
Assuming the unpacked app has been decompiled with Android Killer, use the project search directly to look up the parameter name you need, compare the results AK reports, and find the corresponding parameter location. You can also analyze the code line by line following the application's execution flow, but that is tiring.


Objection positioning

Objection is a dynamic analysis toolkit based on Frida. It can dynamically instrument an apk without root and supports both iOS and Android. The installation method can be found on GitHub: https://github.com/sensepost/objection
If the search leaves several candidate positions, you can use Objection. Objection is an expert at pinpointing code, and the process takes only three steps.

  • 1. Inject the target process:
    objection -g com.xxx.xxx explore

  • 2. Trace the class:
    android hooking watch class 'com.xxx.xxx.lx.ApiSign'

  • 3. View input parameters and return values:
    android hooking watch class_method 'com.xxx.xxx.lx.ApiSign.a' --dump-args --dump-return

    Then, by comparing the dumped parameters and return value with the values in the request to the interface, you can determine which method produces the parameter.

frida-hook

Hook tools such as Frida and Xposed are also a form of dynamic analysis. Suppose an App's interface has a signature, the parameter value looks very much like Base64, and its length is fixed and under 20 characters. If a global search in the tool cannot find it, you can use Frida to hook Base64 and see where every Base64 operation in the App is performed.
The Frida code is as follows:

Java.perform(function () {
    var Base64Class = Java.use("android.util.Base64");
    var ThreadClass = Java.use("java.lang.Thread");

    // Hook Base64.encodeToString(byte[] input, int flags); the other overloads are left alone.
    Base64Class.encodeToString.overload("[B", "int").implementation = function (a, b) {
        var result = this.encodeToString(a, b);
        console.log(">>> Base64 " + result);
        // A short result matches the suspected signature length, so print who called it.
        if (result.length <= 20) {
            var stack = ThreadClass.currentThread().getStackTrace();
            var frames = [];
            for (var i = 0; i < stack.length; i++) {
                frames.push("    at " + stack[i].toString());
            }
            console.log("result stack is:\n" + frames.join("\n"));
        }
        return result;
    };
});

In this way, the location of the signature calculation can be printed out with a high probability. This is a clever trick; don't forget this positioning method.


Log injection

Code injection is also a form of dynamic analysis. The process is to first modify the apk's smali code, adding an android/util/Log output call before a key function, and then use LogCat to view the log data while the program runs.

The android/util/Log class (which extends Object) has 5 log methods: Log.v(), Log.d(), Log.i(), Log.w() and Log.e().

Generally, the Log.v() output function is enough. I won't work through a case here; the details will be written in the book.
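As an added illustration (not from the original article), here is a constructed ApiSign.a(String) method before and after injecting Log.v() calls; the class, method names and the LOGINJECT tag are hypothetical, and the method is assumed to take and return a String.

```smali
# Before injection (constructed example): the suspected signing method
.method public static a(Ljava/lang/String;)Ljava/lang/String;
    .locals 1
    invoke-static {p0}, Lcom/xxx/xxx/lx/ApiSign;->b(Ljava/lang/String;)Ljava/lang/String;
    move-result-object v0
    return-object v0
.end method

# After injection: one extra local register holds the log tag, and the
# input (p0) and return value (v0) are written to LogCat with Log.v()
.method public static a(Ljava/lang/String;)Ljava/lang/String;
    .locals 2
    const-string v1, "LOGINJECT"
    invoke-static {v1, p0}, Landroid/util/Log;->v(Ljava/lang/String;Ljava/lang/String;)I
    invoke-static {p0}, Lcom/xxx/xxx/lx/ApiSign;->b(Ljava/lang/String;)Ljava/lang/String;
    move-result-object v0
    const-string v1, "LOGINJECT"
    invoke-static {v1, v0}, Landroid/util/Log;->v(Ljava/lang/String;Ljava/lang/String;)I
    return-object v0
.end method
```

After rebuilding and re-signing the apk, filter the output with adb logcat -s LOGINJECT; if the parameter is not a String, convert it first (for example with String.valueOf) or Log.v() will reject the argument type at verification time.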


Dynamic debugging

In fact, there are only two kinds of positioning methods: static analysis and dynamic analysis. Dynamic debugging is also dynamic analysis and is similar to the methods above.

Dynamic debugging can be understood here as stack debugging. Sometimes different tools and methods need to be used.

Such as JEB debugging, smali debugging, IDA debugging and so on.

I won't go into further detail; this article is only a brief summary.


Which part of the content are you most interested in right now? Please leave a message to let me know. Thank you all.

Source: blog.csdn.net/weixin_43582101/article/details/115355563