JEB dynamic debugging: decrypting an encrypted packet field

0x00 Scenario

When testing an app and capturing its traffic, we often find that certain parameters are encrypted, or that the request carries a signature check. In that case tampering with the packet contents directly usually does not work. Look at a captured login packet of one such app, shown below; the password field is obviously encrypted:

So we dynamically debug the APK with JEB to locate the encryption function for that key field.

0x01 Prerequisites for debugging an app

On Android, debugging an application requires one of the following two conditions:

  • The APK's manifest file AndroidManifest.xml declares android:debuggable="true".
  • The file default.prop in the root directory of the Android system has ro.debuggable=1.

For the first condition: apps downloaded from official app stores almost never ship with android:debuggable="true" in AndroidManifest.xml, so using this route normally means unpacking the APK, adding android:debuggable="true" and repackaging. Since the APK itself often carries a packer, integrity checks and other protections, the repackaged APK frequently fails or crashes, so this route has a low chance of success. For the second condition: official phones and stock ROMs ship with ro.debuggable=0, meaning debugging is disallowed by default (you can check the current value with adb shell getprop ro.debuggable). You can either change the property in memory temporarily, or flash a modified ROM or boot image with ro.debuggable=1.

0x02 Decompile the APK file

Open the JEB decompiler and drag the APK file (here not packed) directly into JEB. JEB produces both the Dalvik bytecode (smali-style) and the decompiled Java code.

After a while the decompilation finishes, as follows:

0x03 Set breakpoints by keyword search

To locate the function that encrypts the key field, search JEB's decompiled bytecode for the parameter keys seen in the captured packet (mobile_tel, op_station, mobile_uuid, terminal_os, terminal_platform, terminal_device, password, channel).

Press Ctrl+F to start the search:

The search lands at the following location. There are several similar locations; set a breakpoint at each of them.

Once breakpoints are set at all candidate locations, start debugging.

0x04 Locate the encryption function through JEB debugging

1. With all breakpoints in place, click the debug button, attach to the app process on the device and start debugging, as follows:

2. Once JEB is attached to the running app on the phone, navigate the app to the login screen and tap Login.

If one of the breakpoints is in the right place, JEB stops at it right after you tap Login. If nothing happens, none of the breakpoints lies on the actual code path and you need to search again.

During debugging the app may show an "application not responding" dialog; remember to click Wait.

3. Click the breakpoint that was hit, or press the Tab key, to jump to the decompiled Java source at the current breakpoint location.

We find that password is assigned from v0_2.

Double-click v0_2 to jump to the place in the onClick() function where v0_2 gets its value:

Continue looking at the other places in onClick() where v0_2 is used.

Double-click encrypt to jump to the encryption function.

From this analysis it is almost certain that this is the function that encrypts the password field.

Next, confirm it with a breakpoint: go back to this position in the Java source, press Tab to switch to the corresponding smali code, and set a breakpoint there:

Tap Login in the app again; execution now stops at the breakpoint on the call to the encryption function, as follows:

4. Double-click encrypt to enter the encryption function and analyze it so that the encrypted data can be decrypted:

The encryption function is as follows:

The decryption counterpart is implemented as follows:

Decryption needs the hard-coded key, which is as follows:

5. Using the padding scheme, cipher mode, key and offset (IV) recovered from the encryption function, the data can be decrypted with an online decryption website. Because the key and IV ship inside the APK, this encryption only hides the field from casual inspection; anyone who extracts them can decrypt or forge the field.

URL-decode the encrypted field from the captured packet and decrypt it; the original password as it was before encryption is recovered, as follows:
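As an added example (not code from the original post), the following Go program reproduces this last step offline instead of relying on an online decryption site: it URL-decodes the captured field, base64-decodes it, decrypts and strips the padding, and also contains the matching encrypt routine so a known password can be re-encrypted and compared with what the app sent. The post does not name the algorithm, only that the function has a padding scheme, a cipher mode, a hard-coded key and an offset (IV); AES-128 in CBC mode with PKCS#7 padding and base64 output are assumed here, and the key and IV constants, the sample password and all function names are placeholders for illustration. Go is used because its standard library covers AES, base64 and URL decoding without extra dependencies.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
)

// Assumed values: the post only says the key and IV are hard-coded in the
// app's encrypt function. These 16-byte constants are placeholders; replace
// them with the bytes recovered from the decompiled code.
var (
	hardcodedKey = []byte("0123456789abcdef")
	hardcodedIV  = []byte("fedcba9876543210")
)

// pkcs7Pad appends PKCS#7 padding (PKCS#5 for a 16-byte block).
func pkcs7Pad(data []byte, blockSize int) []byte {
	n := blockSize - len(data)%blockSize
	return append(data, bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad validates and strips PKCS#7 padding. Malformed padding is an
// error rather than a silent truncation, so a wrong key or IV usually fails
// loudly instead of returning garbage.
func pkcs7Unpad(data []byte, blockSize int) ([]byte, error) {
	if len(data) == 0 || len(data)%blockSize != 0 {
		return nil, errors.New("data length is not a multiple of the block size")
	}
	n := int(data[len(data)-1])
	if n == 0 || n > blockSize {
		return nil, errors.New("invalid padding byte")
	}
	for _, b := range data[len(data)-n:] {
		if int(b) != n {
			return nil, errors.New("inconsistent padding")
		}
	}
	return data[:len(data)-n], nil
}

// Encrypt mirrors what the app's encrypt() is assumed to do:
// AES-CBC with PKCS#7 padding, result base64-encoded.
func Encrypt(plaintext string, key, iv []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	padded := pkcs7Pad([]byte(plaintext), block.BlockSize())
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return base64.StdEncoding.EncodeToString(out), nil
}

// DecryptPacketField reverses the transformation applied to the captured
// field: URL-decode, base64-decode, AES-CBC decrypt, strip padding.
func DecryptPacketField(field string, key, iv []byte) (string, error) {
	b64, err := url.QueryUnescape(field)
	if err != nil {
		return "", err
	}
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	if len(ct) == 0 || len(ct)%block.BlockSize() != 0 {
		return "", errors.New("ciphertext length is not a multiple of the block size")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	unpadded, err := pkcs7Unpad(pt, block.BlockSize())
	if err != nil {
		return "", err
	}
	return string(unpadded), nil
}

func main() {
	// Constructed sample: encrypt a test password the way the app would,
	// then URL-encode it as it appears in the captured request body.
	enc, _ := Encrypt("P@ssw0rd!", hardcodedKey, hardcodedIV)
	field := url.QueryEscape(enc)
	fmt.Println("captured field:", field)
	pt, err := DecryptPacketField(field, hardcodedKey, hardcodedIV)
	fmt.Println("recovered:", pt, err)
}
```

Swap in the key, IV, mode and padding actually recovered from the encrypt function. Encrypt doubles as a check on that recovery: if encrypting a known password produces exactly the field the app sent, the parameters are right, and the same code can then produce tampered values for further testing.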


Source: www.cnblogs.com/ldhbetter/p/11286083.html