Signature analysis of app x-zse-96 in a Q & a community
2022-06-24 07:57:00 【Fenfei safety】
I. Goal
Our goal today is the x-zse-96 signature of a Q&A community app.

Version: v8.21.1
II. Steps
Search for x-zse-96
The normal practice is to open the APK in jadx and then search for x-zse-96.
Oddly, there are no results. This is kind of interesting: the app has put on a show for us, and some obvious strings are encrypted and hidden.
Observe commonalities
Looking at the signatures, they have two things in common:
1. They all start with 1.0_
2. What follows looks very much like Base64
So let's hook first, and keep searching for the needle in the haystack by looking for that beginning.
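// Locate by string
// Helper: format a StackTraceElement[] as one frame per line
function Where(stack) {
    var at = "";
    for (var i = 0; i < stack.length; ++i) {
        at += stack[i].toString() + "\n";
    }
    return at;
}
Java.perform(function () {
    var threadCls = Java.use("java.lang.Thread");
    var strCls = Java.use("java.lang.StringBuilder");
    strCls.toString.implementation = function () {
        // Inside the replacement, this.toString() calls the original method
        var result = this.toString();
        // console.log(result);
        if (result.indexOf("1.0_") >= 0) {
            console.log(result);
            var stack = threadCls.currentThread().getStackTrace();
            console.log("Rc Full call stack:" + Where(stack));
        }
        return result;
    };
});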
Let's run it.

Fortunately, we guessed the right beginning this time, and we got the right result.
The target is com.zxxxu.android.net.d.i.e below.

Click into this encrypt function:
public interface b {
    byte[] encrypt(byte[] bArr);
}
It turns out that the variable b is of an interface type, so we have to know what type is actually assigned to it.
Print class member variables
Printing the member variables of a class was introduced earlier in http://91fans.com.cn/post/idlesignone/
Java.perform(function () {
    var requestCls = Java.use("com.zxxxu.android.net.d.i");
    requestCls.e.implementation = function (a) {
        console.log(" ========== ");
        // Reflect over the runtime class to list every declared field
        var fields = Java.cast(this.getClass(), Java.use('java.lang.Class')).getDeclaredFields();
        //console.log(fields);
        for (var i = 0; i < fields.length; i++) {
            var field = fields[i];
            field.setAccessible(true);
            var name = field.getName();
            var value = field.get(this);
            console.log("name:" + name + "\tvalue:" + value);
        }
        console.log(" ========== ");
        // Call the original e() and pass its result through unchanged
        var result = this.e(a);
        return result;
    };
});
And here it is:

The class name comes out: -$$Lambda$AshC3KZBWneDDB5y10Ccx5ghIWw. It looks rather complicated.

Following this a.a function further down, we finally end up here:

Now we can write code to hook it. Judging from the name, it is most likely the AES algorithm. Besides the plaintext there are two more parameters, so they are most likely the key and the IV.
III. Summary
Apps are starting to get cunning: the obvious strings are encrypted, so it is not so convenient for us to find them.
The key point is commonality. As long as there is something in common, there is a clue.
The function com.secneo.apkwrapper.H.d is worth analyzing. It should be the one that encrypts the obvious strings, and it can reveal x-zse-96.

No one asked, but the turbid wine calls out to each other, sparse curtain self rolling, the moon shines and the water is clear.