Project scenario:
This is a financial Android app with root detection, sslpinning verification, and a shell. The downloaded unpinning script doesn't work at all. Next, let's see how to analyze it. As we all know, analyzing packet capture from an app is only the first step. Unfortunately, the first step confuses many people. This article only records the key points of knowledge, and all of them will be desensitized. Big guys squirt
Problem Description
一般来说我们拿到apk都迫不及待的装到手机上,立马开始抓包,结果就会和下图一样
This is what Charles displays here:
The initial judgment is that there is sslpinning verification
sslpinning verification positioning:
Drag apk to apk and find that it is packed. Then use frida-dump to unpack, get dex, and use jadx-gui to decompile.