Realization Method of android Encryption Parameter Location
- 2021-12-12 05:35:26
- OfStack
When reversing an Android program, if you only blindly analyze and need to read N multi-code to find the key point or Hook point of the program, this article will share how to quickly find the encryption parameter position of APP program. In fact, whether you find the key position, hook point, encryption parameter or code logic tracking, they are all similar processing methods.
Skillful use of search-static analysis
1 general static analysis to find encryption parameters are the first shell (shelling), decompilation, find the entry method of the program, analysis of the implementation process of the program.
Assuming that the unshelled app has been decompiled by Android killer, the engineering search is directly used to search the parameter names to be searched, and the corresponding parameter positions are found by comparing the feedback information of AK. You can also analyze the code line by line according to the application execution process, which is tiring.
objection positioning
objection is a dynamic analysis toolkit based on Frida, which can avoid root and dynamically adjust apk, and supports iOS and Android at the same time. The installation method can be viewed at github. Github: https://github.com/sensepost/objection
After searching, if there are several uncertain positions, Objection can be used. Objection is a professional positioning expert, and there are only 3 steps in the positioning process.
1. Inject the target process
objection -g com.xxx.xxx explore 2. Trace classes
android hooking watch class 'com.xxx.xxx.lx.ApiSign'3. Check the input parameters and return values
android hooking watch class_method 'com.xxx.xxx.lx.ApiSign.a' --dump-args --dump-returnThen, by comparing the parameters and return values with the protocols in the request interface, we can determine which location it is.
frida-hook
hook tools such as frida and xposed are also a kind of dynamic analysis. Suppose the interface of an App has an signature signature, and the parameter value looks very much like Base64, and has a fixed length and less than 20 bits. At this time, if you can't find it through the global search of the tool, you can feel the position of all operations Base64 in App under Hook through frida.
The Frida code is as follows:
var Base64Class = Java.use("android.util.Base64");
Base64Class.encodeToString.overload("[B", "int").implementation = function(a,b){
var resault = this.encodeToString(a,b);
console.log(">>> Base64 " + resault);
if(resault.length <= 20){
var stackAdd = threadinstance.currentThread().getStackTrace();
console.log("resault stackAdd is:" + Where(stack));
}
return rc;
}In this way, the location of signature calculation can be printed with high probability, which is also a clever trick. Everyone must not forget this positioning method.
log injection
Code injection also belongs to dynamic analysis. The process is to modify smali code of apk first, which is to add android/util/Log output before a key function, and cooperate with LogCat to view log data when the program is executed.
There are five methods for Log extends Object 1 for android/util/Log: Log. v () Log. d () Log. i () Log. w () and Log. e ()
1 general use Log. v () log output function is OK, do not do the case, the details will be written in the book.
Dynamic debugging
In fact, there are only two methods of positioning static analysis and dynamic analysis, and dynamic debugging also belongs to dynamic analysis, which is similar to the above methods.
Dynamic debugging can be understood as stack debugging here, and sometimes different tools and methods are needed.
Such as JEB debugging, smali debugging, IDA debugging and so on.
No more details, this article briefly summarizes 1.