
How to grab APP data in reverse by Python

2025-01-21 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

This article introduces how to reverse an APP and grab its data with Python. In real work many people run into exactly this situation, so let the editor walk you through how to handle it. I hope you read it carefully and get something out of it!

Required equipment and environment:

Device: Android phone

Packet capture: Fiddler + Xposed + JustTrustMe

Packer detection: ApkScan-PKID

Unpacking: frida-DEXDump

Decompilation: jadx-gui

Hook: frida

Packet capture

Install the app on the phone, set up the proxy, open Fiddler and try to capture a request first. It turns out that the app performs certificate verification: with Fiddler enabled, the app reports that it cannot connect to the server:

In other words, the app does SSL pinning (certificate verification). The usual way round this is to install the Xposed framework, which has a JustTrustMe module; its principle is a hook that directly bypasses the certificate verification classes. Search Baidu for the installation steps.

After opening the app again, you can see that the request has been captured successfully:

After a brief analysis we can see that the formdata in the request body is ciphertext, and the response content is ciphertext too. There is very little useful information in this request and response, and I do not even know what to search for in jadx-gui. The formdata in the request body ends with two equal signs, so it should be base64 encoded.

Unpacking and decompilation

So let's decompile first. Before that, you usually use a packer detection tool to check whether the app has been hardened: open ApkScan-PKID and drag the app in:

You can see that this app uses 360 hardening, so there really is a barrier at every layer! Here you can use frida-DEXDump to unpack it. Download the frida-DEXDump source code from GitHub, open the project folder, open a command line at that location and run the following command:

python main.py

Once unpacking finishes, you can see that a corresponding folder has been generated in the project directory, containing many dex files:

Open the dex files with jadx-gui. We usually start with the largest file and search for keywords in turn. We know that base64 in Java has the keyword BASE64Encoder, and because packet capture gave us so little information, this keyword is all we can search for here. When we get to the fourth dex we find the suspected encryption code:

You can see that AES encryption is used, and the key is a fixed string.

Frida Hook

I am not familiar with Java and cannot analyse this statically, so use frida to write a hook script and look at the input and output parameters of the encrypt function:

At the same time, capture the request again and compare:

Here you get the input parameters of the request data:

pageIndex: current page number

pageSize: the number of data entries on the current page

typeId and source are fixed. Next, hook the decrypt function and compare the captured response with the hook output:

The results are the same, and at this point our reverse analysis is complete.

To sum up the request and response flow: the data in the request body is the parameters encrypted by the encrypt function, and each page of data can be obtained by changing pageIndex. The response is decrypted by the decrypt function before being displayed. So we only need to implement the AES encryption and decryption process in Python. From the decompiled Java code we can see that the key is fixed, wxtdefgabcdawn12, with no IV.

Request

Go directly to the code:
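The article's own code is not reproduced on this page, so here is an added example (not the author's code) of the encrypt/decrypt pair in Python. It assumes that "no IV" means the Java Cipher ran in AES/ECB mode with PKCS#5/PKCS#7 padding, uses pycryptodome (falling back to the cryptography package), and adds a check that shows why a fixed key with no IV is weak: encryption is deterministic and repeated plaintext blocks show up as repeated ciphertext blocks.

```python
import base64

try:  # pycryptodome
    from Crypto.Cipher import AES

    def _ecb_encrypt(key: bytes, data: bytes) -> bytes:
        return AES.new(key, AES.MODE_ECB).encrypt(data)

    def _ecb_decrypt(key: bytes, data: bytes) -> bytes:
        return AES.new(key, AES.MODE_ECB).decrypt(data)
except ImportError:  # fall back to the `cryptography` package
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def _ecb_encrypt(key: bytes, data: bytes) -> bytes:
        enc = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
        return enc.update(data) + enc.finalize()

    def _ecb_decrypt(key: bytes, data: bytes) -> bytes:
        dec = Cipher(algorithms.AES(key), modes.ECB()).decryptor()
        return dec.update(data) + dec.finalize()

# The fixed key the article recovered from the decompiled APK.
KEY = b"wxtdefgabcdawn12"

def pkcs7_pad(data: bytes, block: int = 16) -> bytes:
    n = block - len(data) % block
    return data + bytes([n]) * n

def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= 16 or data[-n:] != bytes([n]) * n:
        raise ValueError("bad PKCS#7 padding (wrong key or corrupted data?)")
    return data[:-n]

def encrypt(plaintext: str, key: bytes = KEY) -> str:
    """Mirror of the app's encrypt(): AES-ECB, PKCS#7 padding, base64 output (assumed mode)."""
    return base64.b64encode(_ecb_encrypt(key, pkcs7_pad(plaintext.encode()))).decode()

def decrypt(ciphertext_b64: str, key: bytes = KEY) -> str:
    """Mirror of the app's decrypt(): base64 input, AES-ECB, padding stripped."""
    return pkcs7_unpad(_ecb_decrypt(key, base64.b64decode(ciphertext_b64))).decode()

def repeated_blocks(ciphertext_b64: str) -> int:
    """ECB weakness check: identical 16-byte plaintext blocks give identical ciphertext blocks."""
    raw = base64.b64decode(ciphertext_b64)
    blocks = [raw[i:i + 16] for i in range(0, len(raw), 16)]
    return len(blocks) - len(set(blocks))
```

Because the key ships inside the APK and there is no IV, anyone with the app can reproduce both directions, so an API protected this way needs server-side controls rather than a client-side secret.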

Run the code and the data is retrieved successfully:

This is the end of "how Python grabs APP data in reverse". Thank you for reading. If you want to know more about the industry, you can follow the website, the editor will output more high-quality practical articles for you!
