
A marriage app_ T signature analysis

2022-06-24 01:33:00 fenfei331

I. Goal

I'm not allowed to work overtime these days, Boss Li goes home early every day, and short videos are boring. Better to find an mm to chat with seriously.

Today's target is a marriage App, v11.3.2.

II. Steps

Packet capture

main.png

The _t parameter looks like a timestamp plus an md5 (count on your fingers: 32 characters in total).

Searching for _t in jadx gives, good grief, 100,000 results. For a moment I forgot my own rule of thumb: this kind of signature is usually stored in a string map, so what we should search for is the quoted string "_t".

find.png

Mmm, tasty.

md5.png

The code is clear: the string, plus a salt and the current time, then md5.
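As an added illustration (not code from the page or from the app), the scheme described above can be reproduced in a few lines: the page says the md5 covers the string, a salt and the current time, and that the _t value is a timestamp followed by the 32 hex characters. The salt below is a placeholder, and the exact prefix-plus-digest layout is an inference from the page's description. The verify function shows the only protection such a scheme can offer once the salt is readable in the client: a freshness window on the timestamp.

```python
import hashlib
import hmac
import time

# Placeholder: the real salt sits in the decompiled class and is not reproduced here.
SALT = "PLACEHOLDER_SALT"
DIGEST_LEN = 32  # md5 hex length, the 32 characters counted on the page


def sign_t(payload: str, ts: int = None) -> str:
    """Build a _t value as <timestamp><md5(payload + salt + timestamp)>.

    The concatenation order (string, then salt, then current time) follows the
    page; the timestamp-prefix-plus-32-hex layout is inferred from the capture.
    """
    if ts is None:
        ts = int(time.time())
    digest = hashlib.md5(f"{payload}{SALT}{ts}".encode()).hexdigest()
    return f"{ts}{digest}"


def split_t(t: str) -> tuple:
    """Separate the decimal timestamp prefix from the trailing 32 hex characters."""
    if len(t) <= DIGEST_LEN:
        raise ValueError("too short to hold a timestamp and an md5 digest")
    ts, digest = t[:-DIGEST_LEN], t[-DIGEST_LEN:]
    if not ts.isdigit() or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("not a <timestamp><md5hex> value")
    return int(ts), digest


def verify_t(payload: str, t: str, now: int, max_skew: int = 300) -> bool:
    """Server-side check: recompute the digest and reject stale timestamps.

    Anyone holding the client (and therefore the salt) can mint valid values,
    so the timestamp window is the only thing limiting replay of a captured _t.
    """
    try:
        ts, digest = split_t(t)
    except ValueError:
        return False
    if abs(now - ts) > max_skew:
        return False
    expected = hashlib.md5(f"{payload}{SALT}{ts}".encode()).hexdigest()
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    sample = sign_t("uid=1&page=1", 1700000000)  # constructed payload and time
    print(sample, split_t(sample), verify_t("uid=1&page=1", sample, 1700000030))
```

A server that accepts any timestamp, old or future, turns this into a static token: one captured _t then works forever for that payload.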

Find the interface

img.png

From the captured packets you can see that a lot of mm photos come back. But for a golden bachelor like Boss Li, returning one photo at a time would be dull; returning a whole pile of mm photos at once is more Boss Li's style.

Strangely though, however much I clicked around the main screen, I never captured the packet that returns the mm list. That makes no sense.

How to locate the signature function

The App went to the trouble of building a signature, so it will surely be used on every request.

Generally speaking, the request that returns the list should carry the _t signature too, so let's hook the signature function and print the call stack, to see whether there is a request flow we haven't captured.

Java.perform(function () {
    // Thread and Where() were used but never defined in the snippet; defined here.
    var Thread = Java.use('java.lang.Thread');
    function Where(stack) {
        var lines = [];
        for (var i = 0; i < stack.length; i++) {
            lines.push("    at " + stack[i].toString());
        }
        return "\n" + lines.join("\n");
    }

    var strUtilCls = Java.use('com.bxxxx.libs.framework.utils.j');

    // String overload: log the input, the resulting _t, and who called it
    strUtilCls.a.overload('java.lang.String').implementation = function (a) {
        var rc = this.a(a);
        console.log(a);
        console.log(">>> _t = " + rc);
        var stack = Thread.currentThread().getStackTrace();
        console.log(" ==== Rc Full call stack:" + Where(stack));
        return rc;
    };

    // InputStream overload: same, for callers that sign a stream
    strUtilCls.a.overload('java.io.InputStream').implementation = function (a) {
        var rc = this.a(a);
        console.log("InputStream >>> _t = " + rc);
        var stack = Thread.currentThread().getStackTrace();
        console.log(" ==== Rc Full call stack:" + Where(stack));
        return rc;
    };
});

The conclusion: there are indeed requests that were signed but never captured, but with the evidence so far we still can't locate the request that returns the list.

Translating \u670d\u52a1\u672a

While hunting for packets, several responses turned up whose "msg" value contains \u670d\u52a1\u672a. \uXXXX sequences are surely Chinese; a small python program can parse them easily, but here is an online decoder, which is more convenient:

http://www.msxindl.com/tools/unicode16.asp
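The small python program mentioned above, written here as an added example (not from the original post): it decodes \uXXXX runs anywhere in a string, joins surrogate pairs into a single character, and shows that for a well-formed JSON body json.loads already does the decoding. The sample response body is constructed; only the \u670d\u52a1\u672a fragment comes from the page.

```python
import json
import re

# One or more consecutive \uXXXX escapes, so surrogate pairs are handled together.
_ESCAPE_RUN = re.compile(r"(?:\\u[0-9a-fA-F]{4})+")


def decode_unicode_escapes(text: str) -> str:
    """Replace every \\uXXXX run in text with the characters it encodes."""

    def _one(m: re.Match) -> str:
        # unicode_escape turns the literal backslash sequences into code units;
        # the utf-16 round trip merges any surrogate pair into one code point.
        units = m.group(0).encode("ascii").decode("unicode_escape")
        return units.encode("utf-16", "surrogatepass").decode("utf-16", "replace")

    return _ESCAPE_RUN.sub(_one, text)


def message_from_response(body: str) -> str:
    """For a valid JSON body the parser decodes the escapes itself."""
    return json.loads(body)["msg"]


if __name__ == "__main__":
    # Constructed sample body; the escape fragment is the one seen on the page.
    sample = r'{"code":1,"msg":"\u670d\u52a1\u672a"}'
    print(decode_unicode_escapes(sample))
    print(message_from_response(sample))
```

The regex path is what you want when the escapes sit inside log lines or truncated bodies that json.loads would reject.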

Search similar

Just as we were at a loss, Boss Li came over: Fenfei, this mm is pretty good, and there's a "search similar" button below.

Search away: the response is a long json holding a pile of mm data, avatars, details and photos.

https://cpi.bxxxx.com/search/Searchuser

Having found this packet, by normal logic we have reason to infer that the interface the App uses at startup to fetch the mm list is also under this domain name.

Back to jadx

rc.png

There are many interfaces under this domain name. With a little patience, scrolling through them slowly, the truth should not be far away.

But Boss Li doesn't have the patience to wait; he has moved on to a new App. What's it called? Is he going to learn to cook?

III. Summary

Most people have path dependence: having gone to the trouble of designing a signature, they will surely use it everywhere. So tracing the call stack of the signature function is a good way to locate requests.

String encryption matters. Exposing a pile of interface urls in plaintext is not sophisticated; even the crudest approach, base64-encoding them, at least stops jadx from finding them easily.
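As an added example of the point just made (not code from the post or the app), the following runs a naive URL search over a constructed string table, the way a text search in jadx works, and then a second pass that decodes anything base64-shaped and rescans it. The hosts are placeholders, not the app's. It shows both halves of the summary's caveat: base64 hides urls from a plain search, and a one-line decode step brings them straight back, which is why the page calls it the crudest option.

```python
import base64
import binascii
import re

# Plaintext URL pattern, as a plain string search would apply it.
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")
# Runs that look like base64 (alphabet only, reasonably long, optional padding).
B64_RE = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def find_urls(blob: bytes) -> list:
    """Naive pass: what a text search over the decompiled strings turns up."""
    return [m.decode() for m in URL_RE.findall(blob)]


def find_urls_after_base64(blob: bytes) -> list:
    """Second pass: decode every base64-looking run and rescan the result."""
    found = []
    for cand in B64_RE.findall(blob):
        try:
            decoded = base64.b64decode(cand, validate=True)
        except (binascii.Error, ValueError):
            continue  # not really base64 (wrong length, bad padding)
        found.extend(find_urls(decoded))
    return found


# Constructed string table: a class name, one plaintext url, one base64-wrapped url.
# example.invalid is a placeholder host; the /search/Searchuser path is from the page.
SAMPLE = b"\x00".join([
    b"com/bxxxx/libs/framework/utils/j",
    b"https://example.invalid/api/plain",
    base64.b64encode(b"https://example.invalid/search/Searchuser"),
])


if __name__ == "__main__":
    print("plain search:", find_urls(SAMPLE))
    print("after base64:", find_urls_after_base64(SAMPLE))
```

The decode pass does produce false candidates (the class name above is a valid base64 length and decodes to bytes that contain no url); filtering on what the decoded bytes look like is what keeps the second pass useful.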

ffshow.jpeg

The lion is often used as a comparison: when a lion goes out to roam, it seeks no companion; with each step it takes, the beasts are startled and their livers and galls split. The same is true for those who study.

TIP: The only purpose of this article is to learn more reverse engineering skills and ideas. If someone uses this technology to conduct illegal business, the legal responsibility arising from the profit is borne by the operator himself and has nothing to do with this article or its author. The code projects involved in this article can be fetched from the "Fenfei's Friends" Knowledge Planet; you are welcome to join the Knowledge Planet to learn and explore technology. If you have any questions, you can add me on wx: fenfei331 to discuss.

Follow the WeChat public account Fenfei Security for the latest technical content, pushed in real time.

Original site

Copyright notice
This article was created by [fenfei331]; when reposting, please include the original link. Thanks.
https://yzsam.com/2021/11/20211117125718978u.html