2025-01-30 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Internet Technology >
Shulou(Shulou.com)05/31 Report--
This article walks through a data acquisition case built on Xposed: unpacking a packed APK, decompiling it, and recovering the AES key used to encrypt its server responses. The steps are detailed, easy to follow and quick to carry out, and should be a useful reference.
Data acquisition tutorial: a record of unpacking and decompiling an APK to find its AES key
At a customer's request, an APP called "* * Attending Physician General Question Bank" (package name com.zitibaohe.zhuzhiyishierke) was collected and analyzed.
This APP talks to its server over plain HTTP, so its packets are easy to capture, but the returned data is encrypted, as shown in the following figure.
From past experience, the content is most likely AES-encrypted. To recover the plaintext, the APK has to be decompiled to obtain the KEY.
Download the APK file and open it in JADX: it turns out to be packed with 360's packer, as shown in the following figure.
It must be unpacked before it can be decompiled into the real APK source code. To unpack it we use Xposed together with the FDex2 plug-in (PS: if you are not familiar with Xposed, read the Xposed-related articles first).
Install the FDex2 plug-in (don't forget to reboot), open it, and tap the APP you want to unpack, as shown in the following figure.
Then launch the target APP (Pediatrician Attending General Question Bank). Use Root Explorer to browse to the APP's data directory (/data/data/com.zitibaohe.zhuzhiyishierke/). If you now see several dex files there (this directory originally contains no such files, as shown in the following figure), the unpacking succeeded.
Pull out these dex files and decompile each of them with JADX. Since there are several dex files, how do we quickly locate the code we care about? Search for characteristic strings, such as the "questions" seen in the request URL during the earlier packet capture; the dex file in which it is found is probably the right one (as shown in the following figure).
Next, search for AES-related keywords such as "AES/", "SecretKeySpec" or "IvParameterSpec". This locates the code (as shown in the following figure): it uses the "AES/CBC/NoPadding" algorithm, and the corresponding KEY and IV are hard-coded in clear text.
Let's verify that the KEY and IV are correct. Using the online tool "AES Online" (http://aes.online-domain-tools.com/), select the matching algorithm and enter the ciphertext, KEY and IV (as shown in the following figure).
Then click "Decrypt"; the plaintext is restored successfully (as shown in the following figure). Click "[Download as a binary file]" to download the decrypted data file; its content is JSON, and after parsing it looks as shown in the following figure.
At this point, the goal has been achieved.
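The verification step above can be done offline instead of pasting ciphertext into a web form. The following is an added example, not code from the article or from the app; the KEY and IV are constructed placeholders standing in for the values recovered from the dex, the sample response is constructed, and the zero-byte filler used to reach a 16-byte boundary is an assumption about how the app satisfies NoPadding.

```python
import json
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# Constructed placeholder KEY/IV (16 bytes each). In the real case these are the
# hard-coded values found next to "AES/CBC/NoPadding" in the decompiled dex.
KEY = b"0123456789abcdef"
IV = b"fedcba9876543210"

# Constructed sample of the kind of JSON the "questions" endpoint returns.
SAMPLE_RESPONSE = {"questions": [{"id": 1, "title": "example question"}]}


def aes_cbc_nopadding_encrypt(plaintext: bytes, key: bytes, iv: bytes) -> bytes:
    """Produce sample ciphertext the way an AES/CBC/NoPadding sender must:
    the caller pads to a 16-byte boundary itself (assumed here: zero bytes)."""
    padded = plaintext + b"\x00" * (-len(plaintext) % 16)
    enc = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    return enc.update(padded) + enc.finalize()


def aes_cbc_nopadding_decrypt(ciphertext: bytes, key: bytes, iv: bytes) -> bytes:
    """NoPadding means the cipher does no length check; do it here so a
    truncated capture fails loudly instead of raising deep inside the library."""
    if len(ciphertext) % 16 != 0:
        raise ValueError("AES/CBC/NoPadding ciphertext must be a multiple of 16 bytes")
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    return dec.update(ciphertext) + dec.finalize()


def decrypt_json_response(ciphertext: bytes, key: bytes, iv: bytes) -> dict:
    """Decrypt one captured response body and parse it as JSON.
    NoPadding leaves the app's filler in place; strip trailing NUL bytes."""
    raw = aes_cbc_nopadding_decrypt(ciphertext, key, iv)
    return json.loads(raw.rstrip(b"\x00").decode("utf-8"))


def key_iv_are_correct(ciphertext: bytes, key: bytes, iv: bytes) -> bool:
    """The article's check, automated: the right KEY/IV yield valid JSON,
    a wrong pair yields bytes that fail UTF-8 decoding or JSON parsing."""
    try:
        decrypt_json_response(ciphertext, key, iv)
        return True
    except ValueError:  # UnicodeDecodeError and JSONDecodeError both subclass it
        return False


def sample_ciphertext() -> bytes:
    """Constructed stand-in for a captured response body."""
    return aes_cbc_nopadding_encrypt(json.dumps(SAMPLE_RESPONSE).encode(), KEY, IV)
```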
Besides recovering the key from decompiled source as above (a tedious process), we can also use Xposed (you need to know Xposed first) to hook the javax.crypto.spec.SecretKeySpec and javax.crypto.spec.IvParameterSpec classes and intercept the KEY and IV. This is simple to operate; two related plug-ins are described below.
1. Inspeckage (https://github.com/ac-pm/Inspeckage), an Android dynamic analysis tool. The following figure shows the AES KEY intercepted by Inspeckage, which matches the one obtained from the source code above (no IV was captured; the reason is unknown).
2. I also tested an Xposed plug-in called CryptoFucker (https://github.com/Chenyuxin/CryptoFucker). Although it is less convenient than Inspeckage (no UI), it works well and successfully obtains both KEY and IV, as shown in the following figure (displayed in HEX).
This concludes the article "Case Analysis of Xposed Data Collection". Thank you for reading! I hope it has given you a working understanding of this kind of Xposed-based data collection.