白乐天

The road is long and hard, but keep walking and you will arrive.

Reverse analysis of the Vipshop (唯品会) device registration and search APIs

App info

Package name: com.achievo.vipshop

Device registration

Capturing traffic reveals the endpoint used for device registration:

device_reg

Try it out

```python
import requests

# Headers and query parameters copied from the captured device_reg request
headers = {
    "User-Agent": "okhttp/4.9.1",
    "authorization": "OAuth api_sign=fee2a0810c0b9637b6aa0f64b2d91f172dc4e397",
    "accept-encoding": "gzip"
}

parameters = {
    "app_name": "achievo_ad",
    "app_version": "9.39.4",
    "device_token": "b3aad8e2-2840-39a5-8b51-e5b1c5b16bad",
    "status": "1",
    "warehouse": "VIP_HZ",
    "manufacturer": "Google",
    "device": "Pixel 3",
    "os_version": "28",
    "channel": "yro8nr0d:::",
    "vipruid": "",
    "regPlat": "0",
    "regid": "null",
    "rom": "Dalvik/2.1.0 (Linux; U; Android 9; Pixel 3 Build/PD1A.180720.030)",
    "skey": "6692c461c3810ab150c9a980d0c275ec"
}

url = "https://mp.appvipshop.com/apns/device_reg"
response = requests.get(url, headers=headers, params=parameters)
print(response.status_code)
print(response.text)
```

>>>
200
{"result":"ok","msg":"注册成功"}

Among the parameters, device_token varies from device to device, so it is the one to reverse.

Decompile the app and search for device_token. The hits (screenshots in the original) lead through the obfuscated classes of, l and a to a getMid call.

MidProvider is an interface and Injector is a static inner class. MidProvider declares two methods: String getMid() and String getMidOnly().

Look for the class implementing the MidProvider interface: VipMidManager.

Find the getMid method in VipMidManager. jadx cannot decompile this method, so JEB is used instead.


How the method works

- getMid() generates or retrieves a MID, which appears to be the device's unique identifier, depending on a few conditions.
- stringBuilder0 is used to build a string (the log message).
- application0 is the current application's Application instance.
- s is the value stored under the key "VIPS_MID" in SharedPreferences (the app's preference file); assume this value is the device identifier.
- It checks whether s is valid. If not, it sets stringBuilder0 to null, creates a new StringBuilder and builds the log message.
- It calls DeviceUuidFactory.getDeviceUuid(application0) to obtain the device UUID.
- s is set to the string form of that UUID and the log records " | create by androidId".
- Generating a new MID: a fresh random UUID is generated and assigned to s, and the log records " | create by uuid".

Generating a UUID

```python
import uuid

# A fresh random (version 4) UUID, the same fallback getMid() uses
random_uuid = uuid.uuid4()
print(random_uuid)
```

>>>
85acb30b-3b28-4975-b8cd-2bb53f08b472

Device registration, reversed

```python
import requests
import uuid

# Replace the captured device_token with a freshly generated UUID
device_token = str(uuid.uuid4())

headers = {
    "User-Agent": "okhttp/4.9.1",
    "authorization": "OAuth api_sign=fee2a0810c0b9637b6aa0f64b2d91f172dc4e397",
    "accept-encoding": "gzip"
}

parameters = {
    "app_name": "achievo_ad",
    "app_version": "9.39.4",
    "device_token": device_token,
    "status": "1",
    "warehouse": "VIP_HZ",
    "manufacturer": "Google",
    "device": "Pixel 3",
    "os_version": "28",
    "channel": "yro8nr0d:::",
    "vipruid": "",
    "regPlat": "0",
    "regid": "null",
    "rom": "Dalvik/2.1.0 (Linux; U; Android 9; Pixel 3 Build/PD1A.180720.030)",
    "skey": "6692c461c3810ab150c9a980d0c275ec"
}

url = "https://mp.appvipshop.com/apns/device_reg"
response = requests.get(url, headers=headers, params=parameters)
print(response.status_code)
print(response.text)
```


>>>
200
{"result":"ok","msg":"注册成功"}

The api_sign parameter

Looking at the packet, the Authorization header carries the api_sign value.


Decompile with jadx

Text-search for api_sign


Trace the function

getApiSign


Analysis: getApiSign builds the Authorization header that carries the API signature for a network request.

Presumably VCSPCommonsConfig.getIAppInfo().getUserTokenSecret() reads the current user's token secret from the app configuration; such a secret is usually used to compute the API signature or for authentication.

apisign


It calls VCSPSecurityConfig.getMapParamsSign(context, treeMap, str, false) to compute the signature.

Hook

```javascript
// Frida script: hook VCSPSecurityBasicService.apiSign and log its arguments and result
function hook_function() {
    Java.perform(function () {
        let VCSPSecurityBasicService = Java.use("com.vip.vcsp.security.api.VCSPSecurityBasicService");
        VCSPSecurityBasicService["apiSign"].implementation = function (context, treeMap, str) {
            console.log(`VCSPSecurityBasicService.apiSign is called!`);
            console.log("context:", context);
            console.log("treeMap:", treeMap);
            console.log("str:", str);
            // call the original implementation so the app keeps working
            let result = this["apiSign"](context, treeMap, str);
            console.log(`VCSPSecurityBasicService.apiSign result=${result}`);
            return result;
        };
    });
}
hook_function();
```

Hook output

VCSPSecurityBasicService.apiSign is called!
context: com.achievo.vipshop.common.VipApplicationLike@41bfc24
treeMap: {activity=null, activity_endtime=null, activity_id=7660011, activity_param={"page_info":{"source_from":{"ffp":"-99","s":"9","fp":{"ot":"23","chi":"1024","f":"1","tsf":"0","pi":"20180930001","page":"page_channel","cn":"推荐"},"tp":{"pi":"裤子男款","page":"page_te_commodity_search"},"sp":{"ot":"s93","of":"sf1","oi":"裤子男款","page":"page_te_globle_classify_search"}},"page_id":"page_commodity_detail_1734423751094","page_propety":{"sale_id":"1711235467","detailStatus":"0","goods_rank":"1","banStatus":"-99","mr":"-6017890654677737204","scene_entry_id":"-99","refer_page_id":"page_te_commodity_search_1734423543145","goods_id":"6921055391784126923","isPreSale":"0","store":"0","type":"-99","direct_buy":"-99","brand_id":"1711235467","has_color":"1","isBgToFront":"0","buy_mode_scene":"-99","module_name":"com.achievo.vipshop.productdetail","with_image":"0","sr":"-6017890015095286044","is_back_page":"0"},"page":"page_commodity_detail"},"biz_data":{"sequence":"-99","target_type":"1","target_id":"9e8b047b52d0"}}, activity_propety=null, activity_starttime=1734423752401, app_name=shop_android, app_version=9.39.4, channel=1, deeplink_cps=, face_flag=0_1, fdc_area_id=104101113, local_time=1734423856870, location=104101, mid=b3aad8e2-2840-39a5-8b51-e5b1c5b16bad, other_cps=, page_id=page_commodity_detail_1734423751094, repeat=0, service=mobile.activityinfo.logger, session_id=b3aad8e2-2840-39a5-8b51-e5b1c5b16bad_shop_android_1734423526867, skey=6692c461c3810ab150c9a980d0c275ec, status=, status_descrit=null, user_class=A1, user_group=20460_【23年新客首页】安卓-5.23-[快应用-独立首页]-[顶部导航-测试-18], user_label=3105,310505, userid=null, vipruid=null, warehouse=VIP_HZ}
str: null
VCSPSecurityBasicService.apiSign result=2ba1c5746ce498722dc8eb444f7170ef7319f848

getMapParamsSign


getMapParamsSign computes the signature for an API request.

It calls getSignHash(context, treeMap, str2, z10) to compute and return the signature.

getSignHash


It calls gs(context.getApplicationContext(), map, str, z10) to compute the signature hash.

gs

jadx cannot decompile gs correctly here either, so it is decompiled with JEB.


It first calls VCSPSecurityConfig.initInstance() to initialise.

Via reflection it then looks up the method named "gs" on the class held in clazz; that method takes parameters of types Context, Map, String and boolean.

Finally it invokes the obtained gsMethod reflectively with context0, map0, s and z, and casts the result to String before returning it.

initInstance

initInstance initialises the static members clazz and object of the VCSPSecurityConfig class.

clazz = KeyInfo.class

KeyInfo.gs

```java
public static String gs(Context context, Map<String, String> map, String str, boolean z10) {
    try {
        try {
            return gsNav(context, map, str, z10);
        } catch (Throwable th2) {
            return "KI gs: " + th2.getMessage();
        }
    } catch (Throwable unused) {
        // native library not yet loaded: load it and retry
        SoLoader.load(context, LibName);
        return gsNav(context, map, str, z10);
    }
}
```

It calls gsNav(context, map, str, z10) to produce the signature.

gsNav

```java
private static native String gsNav(Context context, Map<String, String> map, String str, boolean z10);
```

This is a native method.

Loading the .so

```java
static {
    try {
        System.loadLibrary("keyinfo");   // libkeyinfo.so
    }
    catch(Throwable throwable0) {
        throwable0.printStackTrace();
    }
}
```

Hook gsNav

```javascript
// Cast the java.util.Map argument to TreeMap so toString() prints the sorted entries
function printMap(param_map) {
    var TreeMap = Java.use("java.util.TreeMap");
    var arg_map = Java.cast(param_map, TreeMap);
    return arg_map.toString();
}

function hook_gsNav() {
    Java.perform(function () {
        let KeyInfo = Java.use("com.vip.vcsp.KeyInfo");
        KeyInfo["gsNav"].implementation = function (context, map, str, z10) {
            console.log("----hooked gsNav----");
            console.log(`KeyInfo.gsNav is called: context=${context}, map=${map}, str=${str}, z10=${z10}`);
            console.log("gsNav map:", printMap(map));
            let result = this["gsNav"](context, map, str, z10);
            console.log(`KeyInfo.gsNav result=${result}`);
            console.log("----hooked over!----");
            return result;
        };
    });
}
hook_gsNav();
```

Output

----hooked gsNav----
KeyInfo.gsNav is called: context=com.achievo.vipshop.common.VipApplicationLike@478a323, map=[object Object], str=null, z10=false
gsNav map: {activity=lightart_click, activity_endtime=null, activity_propety={"obj_data":"sub_sn=1&id=2085883&code=10052420&slotId=4&source=pcmp&slot_type=84","hole_type":"pcmp","obj_id":"336","unique_id":"10052420:7:2085883","content_id":"mst_100056642","content_sn":"1","mr":"-6009657029902736963","hole_id":"2085883","operation_code":"10052420","biz_data":"tt=url&ti=mst_100056642","obj_location":"3:","content_type":"mst","ext_data":"code=10052420&layout_id=52921&slotType=84&slotAbtestId=4218&goodsId=6920749529361397578&floorId=2085883&slotPoolId=53109357&m_name=AA%E7%89%88C%E4%BD%8D&material=108&brandSn=10000542&product_id=6920749529361397578&recommendImageId=f70c02f25aa57695679&menu_code=20180930001&slotId=4&nodeId=1","obj_type":"5","page":"page_channel","cache_data":"0"}, activity_starttime=1734846844455, app_name=shop_android, app_version=9.39.4, channel=1, deeplink_cps=, face_flag=0_1, fdc_area_id=104101113, local_time=1734846955236, location=104101, mid=b3aad8e2-2840-39a5-8b51-e5b1c5b16bad, other_cps=, page_id=page_channel_1734846541245, repeat=0, service=mobile.activityinfo.logger, session_id=b3aad8e2-2840-39a5-8b51-e5b1c5b16bad_shop_android_1734845336928, skey=6692c461c3810ab150c9a980d0c275ec, status=, status_descrit=null, user_class=A1, user_group=20460_【23年新客首页】安卓-5.23-[快应用-独立首页]-[顶部导航-测试-18], user_label=3105,310505, userid=null, vipruid=null, warehouse=VIP_HZ}
KeyInfo.gsNav result=0aff60c1b478fdafc0ea9700cdd80d1ae4c46f7d
----hooked over!----

Analysing the .so

Look for gsNav among the exported functions

Java_com_vip_vcsp_KeyInfo_gsNav

```c
__int64 __fastcall Java_com_vip_vcsp_KeyInfo_gsNav(
        __int64 a1,
        __int64 a2,
        __int64 a3,
        __int64 a4,
        __int64 a5,
        unsigned int a6)
{
  __int64 v11; // x20

  if ( (unsigned int)Utils_ima(a1, a2, a3) )
    v11 = Functions_gs(a1, a2, a4, a5, a6);
  else
    v11 = 0LL;
  Utils_checkJniException(a1);
  return v11;
}
```

Functions_gs

Key code

getByteHash

```c
char *__fastcall getByteHash(JNIEnv *a1, jobject a2, __int64 a3, unsigned int a4, char *a5)
{
  __int64 i; // x20
  _OWORD v10[4]; // [xsp+0h] [xbp-E0h] BYREF
  _BYTE v11[104]; // [xsp+40h] [xbp-A0h] BYREF
  __int64 v12; // [xsp+A8h] [xbp-38h]

  v12 = *(_QWORD *)(_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2)) + 40);
  if ( !a3 )
    return 0LL;
  SHA1Reset(v11);
  SHA1Input(v11, a3, a4);
  if ( (unsigned int)SHA1Result(v11) )
  {
    for ( i = 0LL; i != 20; i += 4LL )
    {
      memset(v10, 0, sizeof(v10));
      sub_F2328(v10);
      strcat(a5, (const char *)v10);
    }
  }
  return a5;
}
```

The SHA1Reset, SHA1Input and SHA1Result calls show that this is the SHA-1 algorithm; the loop afterwards turns the 20-byte digest into text four bytes at a time and appends it to a5.

Hook getByteHash

```javascript
// Frida script: attach to getByteHash inside libkeyinfo.so
// (0xF2260 is the function's offset from the library base, taken from the disassembly)
function hook_native() {
    var soAddr = Module.findBaseAddress("libkeyinfo.so");
    var functionaddr = soAddr.add(0xF2260);
    Interceptor.attach(functionaddr, {
        onEnter: function (args) {
            // args[2] = input buffer, args[3] = its length, args[4] = output buffer
            console.log("arg2", hexdump(args[2], { length: args[3].toInt32() }));
            console.log("arg3", args[3]);
            console.log("arg4", hexdump(args[4]));
        },
        onLeave: function (ret) {
            console.log("ret:", hexdump(ret));
        }
    });
}
hook_native();
```

Example of one hook result

arg2              0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
71fb5bdf50 61 65 65 34 63 34 32 35 64 62 62 32 32 38 38 62 aee4c425dbb2288b
71fb5bdf60 38 30 63 37 31 33 34 37 63 63 33 37 64 30 34 62 80c71347cc37d04b
71fb5bdf70 65 66 66 63 38 31 33 35 31 39 36 61 63 30 35 64 effc8135196ac05d
71fb5bdf80 63 64 36 39 64 35 36 39 32 66 32 31 37 34 33 33 cd69d5692f217433
71fb5bdf90 30 39 62 31 38 62 36 63 09b18b6c
arg3 0x48
arg4 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
71fb5be050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
71fb5be060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
71fb5be070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
71fb5be080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
71fb5be090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
71fb5be0a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
ret: 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
71fb5be050 36 61 38 35 66 30 38 65 35 37 66 37 30 38 35 38 6a85f08e57f70858
71fb5be060 33 35 37 32 35 33 61 37 32 34 34 62 33 32 63 65 357253a7244b32ce
71fb5be070 62 36 33 39 62 62 66 39 00 00 00 00 00 00 00 00 b639bbf9........
71fb5be080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
71fb5be090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

Recomputing SHA-1 over the dumped input reproduces the returned digest, which confirms that this is a standard SHA-1 (verification screenshot in the original).
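As an added check (not part of the original post), this Python snippet parses the Frida hexdump printed by the hook back into bytes, computes a standard SHA-1 over them and compares the digest with what getByteHash wrote to its output buffer; the dump and the expected digest are copied from the first hook result above, and the parser is written so the trailing ASCII column is never mistaken for data.

```python
import hashlib
import re

# Frida hexdump() listing copied from the first getByteHash hook above:
# arg2 is the input buffer (arg3 = 0x48 bytes), RET_HEX the ASCII column of ret.
ARG2_DUMP = """\
71fb5bdf50 61 65 65 34 63 34 32 35 64 62 62 32 32 38 38 62 aee4c425dbb2288b
71fb5bdf60 38 30 63 37 31 33 34 37 63 63 33 37 64 30 34 62 80c71347cc37d04b
71fb5bdf70 65 66 66 63 38 31 33 35 31 39 36 61 63 30 35 64 effc8135196ac05d
71fb5bdf80 63 64 36 39 64 35 36 39 32 66 32 31 37 34 33 33 cd69d5692f217433
71fb5bdf90 30 39 62 31 38 62 36 63 09b18b6c
"""
ARG3_LEN = 0x48
RET_HEX = "6a85f08e57f70858357253a7244b32ceb639bbf9"

# A dump line is <address> <byte tokens...> <ascii column>; header lines such as
# "arg2  0 1 2 ... 0123456789ABCDEF" do not match the address pattern and are skipped.
_DUMP_LINE = re.compile(r"^\s*[0-9a-fA-F]{8,16}\s+(.*)$")
_HEX2 = re.compile(r"^[0-9a-fA-F]{2}$")


def parse_hexdump(dump: str, length: int) -> bytes:
    """Recover the raw bytes from a Frida hexdump() listing.

    At most 16 byte tokens are taken per line and collection stops once
    `length` bytes were gathered, so the ASCII column is never read as data
    even when it happens to look like a two-digit hex token.
    """
    out = bytearray()
    for line in dump.splitlines():
        m = _DUMP_LINE.match(line)
        if not m:
            continue
        for tok in m.group(1).split()[:16]:
            if len(out) >= length or not _HEX2.match(tok):
                break  # buffer complete, or reached the ASCII column
            out.append(int(tok, 16))
    if len(out) != length:
        raise ValueError(f"expected {length} bytes, recovered {len(out)}")
    return bytes(out)


def recompute_sha1(dump: str, length: int) -> str:
    """SHA-1 of the dumped input as 40 lowercase hex chars, the form the .so returns."""
    return hashlib.sha1(parse_hexdump(dump, length)).hexdigest()


def matches_hook_output(dump: str, length: int, ret_hex: str) -> bool:
    """True when a standard SHA-1 reproduces what getByteHash wrote to its buffer."""
    return recompute_sha1(dump, length) == ret_hex.strip().lower()


if __name__ == "__main__":
    data = parse_hexdump(ARG2_DUMP, ARG3_LEN)
    print("input  :", data.decode("utf-8", "replace"))
    print("sha1   :", recompute_sha1(ARG2_DUMP, ARG3_LEN))
    print("hooked :", RET_HEX)
    print("standard SHA-1:", matches_hook_output(ARG2_DUMP, ARG3_LEN, RET_HEX))
```

The same parser can be pointed at the later dumps (the 0x3c6-byte query string and the second 0x48-byte call) by pasting their lines and lengths in place of the constants.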

Extend the script (keeping the argument pointers so the buffers can be dumped again on return) and keep hooking

```javascript
// Frida script: dump getByteHash's buffers both on entry and on return
function hook_native() {
    var soAddr = Module.findBaseAddress("libkeyinfo.so");
    var functionaddr = soAddr.add(0xF2260);
    Interceptor.attach(functionaddr, {
        onEnter: function (args) {
            console.log("----hooked getByteHash----");
            console.log("arg2:", hexdump(args[2], { length: args[3].toInt32() }));
            console.log("arg3:", args[3]);
            console.log("arg4:", hexdump(args[4]));
            // keep the pointers so onLeave can show what was written into them
            this.arg2 = args[2];
            this.arg3 = args[3];
            this.arg4 = args[4];
        },
        onLeave: function (ret) {
            console.log("ret_arg2:", hexdump(this.arg2, { length: this.arg3.toInt32() }));
            console.log("ret_arg3:", this.arg3);
            console.log("ret_arg4:", hexdump(this.arg4));
            console.log("ret:", hexdump(ret));
            console.log("----hooked over!----");
        }
    });
}
hook_native();
```

Hook output

----hooked getByteHash----
arg2: 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
724c411400 61 65 65 34 63 34 32 35 64 62 62 32 32 38 38 62 aee4c425dbb2288b
724c411410 38 30 63 37 31 33 34 37 63 63 33 37 64 30 34 62 80c71347cc37d04b
724c411420 61 63 74 69 76 69 74 79 3d 61 63 74 69 76 65 5f activity=active_
724c411430 74 65 5f 64 79 6e 61 6d 69 63 5f 72 65 73 26 61 te_dynamic_res&a
724c411440 63 74 69 76 69 74 79 5f 65 6e 64 74 69 6d 65 3d ctivity_endtime=
724c411450 6e 75 6c 6c 26 61 63 74 69 76 69 74 79 5f 70 72 null&activity_pr
724c411460 6f 70 65 74 79 3d 7b 22 61 63 74 69 76 69 74 79 opety={"activity
724c411470 5f 6e 61 6d 65 22 3a 22 22 2c 22 64 65 70 65 6e _name":"","depen
724c411480 64 5f 73 74 61 74 75 73 22 3a 2d 31 2c 22 6d 6f d_status":-1,"mo
724c411490 64 75 6c 65 22 3a 22 73 6d 61 72 74 52 6f 75 74 dule":"smartRout
724c4114a0 65 22 2c 22 6d 61 74 63 68 22 3a 31 2c 22 69 73 e","match":1,"is
724c4114b0 5f 64 65 62 75 67 22 3a 22 30 22 2c 22 61 70 6b _debug":"0","apk
724c4114c0 5f 74 79 70 65 22 3a 22 31 22 2c 22 73 63 65 6e _type":"1","scen
724c4114d0 65 22 3a 22 61 70 69 22 2c 22 69 73 5f 6d 61 69 e":"api","is_mai
724c4114e0 6e 5f 70 72 6f 63 65 73 73 22 3a 31 2c 22 66 61 n_process":1,"fa
724c4114f0 69 6c 5f 62 61 63 6b 22 3a 30 2c 22 65 76 65 6e il_back":0,"even
724c411500 74 5f 69 64 22 3a 30 2c 22 68 61 73 5f 6d 6f 64 t_id":0,"has_mod
724c411510 75 6c 65 22 3a 30 2c 22 72 65 6d 6f 76 65 5f 73 ule":0,"remove_s
724c411520 6f 22 3a 22 30 22 2c 22 61 63 74 69 6f 6e 22 3a o":"0","action":
724c411530 22 72 65 73 5f 73 63 65 6e 65 22 2c 22 73 74 61 "res_scene","sta
724c411540 74 75 73 22 3a 30 7d 26 61 63 74 69 76 69 74 79 tus":0}&activity
724c411550 5f 73 74 61 72 74 74 69 6d 65 3d 31 37 33 34 38 _starttime=17348
724c411560 34 37 33 37 31 36 36 38 26 61 70 70 5f 6e 61 6d 47371668&app_nam
724c411570 65 3d 73 68 6f 70 5f 61 6e 64 72 6f 69 64 26 61 e=shop_android&a
724c411580 70 70 5f 76 65 72 73 69 6f 6e 3d 39 2e 33 39 2e pp_version=9.39.
724c411590 34 26 63 68 61 6e 6e 65 6c 3d 31 26 64 65 65 70 4&channel=1&deep
724c4115a0 6c 69 6e 6b 5f 63 70 73 3d 26 66 61 63 65 5f 66 link_cps=&face_f
724c4115b0 6c 61 67 3d 30 5f 31 26 66 64 63 5f 61 72 65 61 lag=0_1&fdc_area
724c4115c0 5f 69 64 3d 31 30 34 31 30 31 31 31 33 26 6c 6f _id=104101113&lo
724c4115d0 63 61 6c 5f 74 69 6d 65 3d 31 37 33 34 38 34 37 cal_time=1734847
724c4115e0 33 37 31 36 36 38 26 6c 6f 63 61 74 69 6f 6e 3d 371668&location=
724c4115f0 31 30 34 31 30 31 26 6d 69 64 3d 62 33 61 61 64 104101&mid=b3aad
724c411600 38 65 32 2d 32 38 34 30 2d 33 39 61 35 2d 38 62 8e2-2840-39a5-8b
724c411610 35 31 2d 65 35 62 31 63 35 62 31 36 62 61 64 26 51-e5b1c5b16bad&
724c411620 6f 74 68 65 72 5f 63 70 73 3d 26 70 61 67 65 5f other_cps=&page_
724c411630 69 64 3d 70 61 67 65 5f 74 65 5f 6c 6f 64 69 6e id=page_te_lodin
724c411640 67 5f 61 63 74 69 76 69 74 79 5f 31 37 33 34 38 g_activity_17348
724c411650 34 37 33 37 31 34 30 31 26 72 65 70 65 61 74 3d 47371401&repeat=
724c411660 30 26 73 65 72 76 69 63 65 3d 6d 6f 62 69 6c 65 0&service=mobile
724c411670 2e 61 63 74 69 76 69 74 79 69 6e 66 6f 2e 6c 6f .activityinfo.lo
724c411680 67 67 65 72 26 73 65 73 73 69 6f 6e 5f 69 64 3d gger&session_id=
724c411690 62 33 61 61 64 38 65 32 2d 32 38 34 30 2d 33 39 b3aad8e2-2840-39
724c4116a0 61 35 2d 38 62 35 31 2d 65 35 62 31 63 35 62 31 a5-8b51-e5b1c5b1
724c4116b0 36 62 61 64 5f 73 68 6f 70 5f 61 6e 64 72 6f 69 6bad_shop_androi
724c4116c0 64 5f 31 37 33 34 38 34 37 33 37 31 33 33 35 26 d_1734847371335&
724c4116d0 73 6b 65 79 3d 36 36 39 32 63 34 36 31 63 33 38 skey=6692c461c38
724c4116e0 31 30 61 62 31 35 30 63 39 61 39 38 30 64 30 63 10ab150c9a980d0c
724c4116f0 32 37 35 65 63 26 73 74 61 74 75 73 3d 26 73 74 275ec&status=&st
724c411700 61 74 75 73 5f 64 65 73 63 72 69 74 3d 6e 75 6c atus_descrit=nul
724c411710 6c 26 75 73 65 72 5f 63 6c 61 73 73 3d 41 31 26 l&user_class=A1&
724c411720 75 73 65 72 5f 67 72 6f 75 70 3d 32 30 34 36 30 user_group=20460
724c411730 5f e3 80 90 32 33 e5 b9 b4 e6 96 b0 e5 ae a2 e9 _...23..........
724c411740 a6 96 e9 a1 b5 e3 80 91 e5 ae 89 e5 8d 93 2d 35 ..............-5
724c411750 2e 32 33 2d 5b e5 bf ab e5 ba 94 e7 94 a8 2d e7 .23-[.........-.
724c411760 8b ac e7 ab 8b e9 a6 96 e9 a1 b5 5d 2d 5b e9 a1 ...........]-[..
724c411770 b6 e9 83 a8 e5 af bc e8 88 aa 2d e6 b5 8b e8 af ..........-.....
724c411780 95 2d 31 38 5d 26 75 73 65 72 5f 6c 61 62 65 6c .-18]&user_label
724c411790 3d 33 31 30 35 2c 33 31 30 35 30 35 26 75 73 65 =3105,310505&use
724c4117a0 72 69 64 3d 6e 75 6c 6c 26 76 69 70 72 75 69 64 rid=null&vipruid
724c4117b0 3d 6e 75 6c 6c 26 77 61 72 65 68 6f 75 73 65 3d =null&warehouse=
724c4117c0 56 49 50 5f 48 5a VIP_HZ
arg3: 0x3c6
arg4: 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
72342e4050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
72342e4060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
72342e4070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
72342e4080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
72342e4090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
72342e40a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
72342e40b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
ret_arg2: 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
724c411400 61 65 65 34 63 34 32 35 64 62 62 32 32 38 38 62 aee4c425dbb2288b
724c411410 38 30 63 37 31 33 34 37 63 63 33 37 64 30 34 62 80c71347cc37d04b
724c411420 61 63 74 69 76 69 74 79 3d 61 63 74 69 76 65 5f activity=active_
724c411430 74 65 5f 64 79 6e 61 6d 69 63 5f 72 65 73 26 61 te_dynamic_res&a
724c411440 63 74 69 76 69 74 79 5f 65 6e 64 74 69 6d 65 3d ctivity_endtime=
724c411450 6e 75 6c 6c 26 61 63 74 69 76 69 74 79 5f 70 72 null&activity_pr
724c411460 6f 70 65 74 79 3d 7b 22 61 63 74 69 76 69 74 79 opety={"activity
724c411470 5f 6e 61 6d 65 22 3a 22 22 2c 22 64 65 70 65 6e _name":"","depen
724c411480 64 5f 73 74 61 74 75 73 22 3a 2d 31 2c 22 6d 6f d_status":-1,"mo
724c411490 64 75 6c 65 22 3a 22 73 6d 61 72 74 52 6f 75 74 dule":"smartRout
724c4114a0 65 22 2c 22 6d 61 74 63 68 22 3a 31 2c 22 69 73 e","match":1,"is
724c4114b0 5f 64 65 62 75 67 22 3a 22 30 22 2c 22 61 70 6b _debug":"0","apk
724c4114c0 5f 74 79 70 65 22 3a 22 31 22 2c 22 73 63 65 6e _type":"1","scen
724c4114d0 65 22 3a 22 61 70 69 22 2c 22 69 73 5f 6d 61 69 e":"api","is_mai
724c4114e0 6e 5f 70 72 6f 63 65 73 73 22 3a 31 2c 22 66 61 n_process":1,"fa
724c4114f0 69 6c 5f 62 61 63 6b 22 3a 30 2c 22 65 76 65 6e il_back":0,"even
724c411500 74 5f 69 64 22 3a 30 2c 22 68 61 73 5f 6d 6f 64 t_id":0,"has_mod
724c411510 75 6c 65 22 3a 30 2c 22 72 65 6d 6f 76 65 5f 73 ule":0,"remove_s
724c411520 6f 22 3a 22 30 22 2c 22 61 63 74 69 6f 6e 22 3a o":"0","action":
724c411530 22 72 65 73 5f 73 63 65 6e 65 22 2c 22 73 74 61 "res_scene","sta
724c411540 74 75 73 22 3a 30 7d 26 61 63 74 69 76 69 74 79 tus":0}&activity
724c411550 5f 73 74 61 72 74 74 69 6d 65 3d 31 37 33 34 38 _starttime=17348
724c411560 34 37 33 37 31 36 36 38 26 61 70 70 5f 6e 61 6d 47371668&app_nam
724c411570 65 3d 73 68 6f 70 5f 61 6e 64 72 6f 69 64 26 61 e=shop_android&a
724c411580 70 70 5f 76 65 72 73 69 6f 6e 3d 39 2e 33 39 2e pp_version=9.39.
724c411590 34 26 63 68 61 6e 6e 65 6c 3d 31 26 64 65 65 70 4&channel=1&deep
724c4115a0 6c 69 6e 6b 5f 63 70 73 3d 26 66 61 63 65 5f 66 link_cps=&face_f
724c4115b0 6c 61 67 3d 30 5f 31 26 66 64 63 5f 61 72 65 61 lag=0_1&fdc_area
724c4115c0 5f 69 64 3d 31 30 34 31 30 31 31 31 33 26 6c 6f _id=104101113&lo
724c4115d0 63 61 6c 5f 74 69 6d 65 3d 31 37 33 34 38 34 37 cal_time=1734847
724c4115e0 33 37 31 36 36 38 26 6c 6f 63 61 74 69 6f 6e 3d 371668&location=
724c4115f0 31 30 34 31 30 31 26 6d 69 64 3d 62 33 61 61 64 104101&mid=b3aad
724c411600 38 65 32 2d 32 38 34 30 2d 33 39 61 35 2d 38 62 8e2-2840-39a5-8b
724c411610 35 31 2d 65 35 62 31 63 35 62 31 36 62 61 64 26 51-e5b1c5b16bad&
724c411620 6f 74 68 65 72 5f 63 70 73 3d 26 70 61 67 65 5f other_cps=&page_
724c411630 69 64 3d 70 61 67 65 5f 74 65 5f 6c 6f 64 69 6e id=page_te_lodin
724c411640 67 5f 61 63 74 69 76 69 74 79 5f 31 37 33 34 38 g_activity_17348
724c411650 34 37 33 37 31 34 30 31 26 72 65 70 65 61 74 3d 47371401&repeat=
724c411660 30 26 73 65 72 76 69 63 65 3d 6d 6f 62 69 6c 65 0&service=mobile
724c411670 2e 61 63 74 69 76 69 74 79 69 6e 66 6f 2e 6c 6f .activityinfo.lo
724c411680 67 67 65 72 26 73 65 73 73 69 6f 6e 5f 69 64 3d gger&session_id=
724c411690 62 33 61 61 64 38 65 32 2d 32 38 34 30 2d 33 39 b3aad8e2-2840-39
724c4116a0 61 35 2d 38 62 35 31 2d 65 35 62 31 63 35 62 31 a5-8b51-e5b1c5b1
724c4116b0 36 62 61 64 5f 73 68 6f 70 5f 61 6e 64 72 6f 69 6bad_shop_androi
724c4116c0 64 5f 31 37 33 34 38 34 37 33 37 31 33 33 35 26 d_1734847371335&
724c4116d0 73 6b 65 79 3d 36 36 39 32 63 34 36 31 63 33 38 skey=6692c461c38
724c4116e0 31 30 61 62 31 35 30 63 39 61 39 38 30 64 30 63 10ab150c9a980d0c
724c4116f0 32 37 35 65 63 26 73 74 61 74 75 73 3d 26 73 74 275ec&status=&st
724c411700 61 74 75 73 5f 64 65 73 63 72 69 74 3d 6e 75 6c atus_descrit=nul
724c411710 6c 26 75 73 65 72 5f 63 6c 61 73 73 3d 41 31 26 l&user_class=A1&
724c411720 75 73 65 72 5f 67 72 6f 75 70 3d 32 30 34 36 30 user_group=20460
724c411730 5f e3 80 90 32 33 e5 b9 b4 e6 96 b0 e5 ae a2 e9 _...23..........
724c411740 a6 96 e9 a1 b5 e3 80 91 e5 ae 89 e5 8d 93 2d 35 ..............-5
724c411750 2e 32 33 2d 5b e5 bf ab e5 ba 94 e7 94 a8 2d e7 .23-[.........-.
724c411760 8b ac e7 ab 8b e9 a6 96 e9 a1 b5 5d 2d 5b e9 a1 ...........]-[..
724c411770 b6 e9 83 a8 e5 af bc e8 88 aa 2d e6 b5 8b e8 af ..........-.....
724c411780 95 2d 31 38 5d 26 75 73 65 72 5f 6c 61 62 65 6c .-18]&user_label
724c411790 3d 33 31 30 35 2c 33 31 30 35 30 35 26 75 73 65 =3105,310505&use
724c4117a0 72 69 64 3d 6e 75 6c 6c 26 76 69 70 72 75 69 64 rid=null&vipruid
724c4117b0 3d 6e 75 6c 6c 26 77 61 72 65 68 6f 75 73 65 3d =null&warehouse=
724c4117c0 56 49 50 5f 48 5a VIP_HZ
ret_arg3: 0x3c6
ret_arg4: 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
72342e4050 32 31 63 34 63 31 31 63 35 30 36 33 37 64 34 33 21c4c11c50637d43
72342e4060 31 36 65 63 63 31 62 62 66 37 65 36 61 34 61 62 16ecc1bbf7e6a4ab
72342e4070 64 66 36 66 62 65 36 31 00 00 00 00 00 00 00 00 df6fbe61........
72342e4080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
72342e4090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
72342e40a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
ret: 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
72342e4050 32 31 63 34 63 31 31 63 35 30 36 33 37 64 34 33 21c4c11c50637d43
72342e4060 31 36 65 63 63 31 62 62 66 37 65 36 61 34 61 62 16ecc1bbf7e6a4ab
72342e4070 64 66 36 66 62 65 36 31 00 00 00 00 00 00 00 00 df6fbe61........
72342e4080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
72342e4090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
----hooked over!----
----hooked getByteHash----
arg2: 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
72342e3f50 61 65 65 34 63 34 32 35 64 62 62 32 32 38 38 62 aee4c425dbb2288b
72342e3f60 38 30 63 37 31 33 34 37 63 63 33 37 64 30 34 62 80c71347cc37d04b
72342e3f70 32 31 63 34 63 31 31 63 35 30 36 33 37 64 34 33 21c4c11c50637d43
72342e3f80 31 36 65 63 63 31 62 62 66 37 65 36 61 34 61 62 16ecc1bbf7e6a4ab
72342e3f90 64 66 36 66 62 65 36 31 df6fbe61
arg3: 0x48
arg4: 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
72342e4050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
72342e4060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
72342e4070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
72342e4080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
72342e4090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
72342e40a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
ret_arg2: 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
72342e3f50 61 65 65 34 63 34 32 35 64 62 62 32 32 38 38 62 aee4c425dbb2288b
72342e3f60 38 30 63 37 31 33 34 37 63 63 33 37 64 30 34 62 80c71347cc37d04b
72342e3f70 32 31 63 34 63 31 31 63 35 30 36 33 37 64 34 33 21c4c11c50637d43
72342e3f80 31 36 65 63 63 31 62 62 66 37 65 36 61 34 61 62 16ecc1bbf7e6a4ab
72342e3f90 64 66 36 66 62 65 36 31 df6fbe61
ret_arg3: 0x48
ret_arg4: 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
72342e4050 32 33 37 66 32 64 66 62 33 34 64 38 38 34 36 63 237f2dfb34d8846c
72342e4060 61 37 66 31 31 30 37 31 35 38 33 66 62 33 61 66 a7f11071583fb3af
72342e4070 35 66 39 38 62 39 66 65 00 00 00 00 00 00 00 00 5f98b9fe........
72342e4080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
72342e4090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
ret: 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
72342e4050 32 33 37 66 32 64 66 62 33 34 64 38 38 34 36 63 237f2dfb34d8846c
72342e4060 61 37 66 31 31 30 37 31 35 38 33 66 62 33 61 66 a7f11071583fb3af
72342e4070 35 66 39 38 62 39 66 65 00 00 00 00 00 00 00 00 5f98b9fe........
72342e4080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
72342e4090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
----hooked over!----

Call gsNav directly and observe what getByteHash receives and returns

```javascript
// Build a small TreeMap and call KeyInfo.gsNav ourselves, with getByteHash hooked
function call_gsNav() {
    Java.perform(function () {
        console.log("----call gsNav----");
        var currentApplication = Java.use("android.app.ActivityThread").currentApplication();
        var context = currentApplication.getApplicationContext();
        var map = Java.use("java.util.TreeMap").$new();
        map.put("api_key", "bileton");
        map.put("app_name", "shop_android");
        var string = null;
        var boolean = false;
        let KeyInfo = Java.use("com.vip.vcsp.KeyInfo");
        var result = KeyInfo.gsNav(context, map, string, boolean);
        console.log("call gsNav result:", result);
        console.log("----call gsNav over----");
    });
}

function hook_native() {
    var soAddr = Module.findBaseAddress("libkeyinfo.so");
    var functionaddr = soAddr.add(0xF2260);
    Interceptor.attach(functionaddr, {
        onEnter: function (args) {
            console.log("----hooked getByteHash----");
            console.log("arg2:", hexdump(args[2], { length: args[3].toInt32() }));
            console.log("arg3:", args[3]);
            console.log("arg4:", hexdump(args[4]));
            this.arg2 = args[2];
            this.arg3 = args[3];
            this.arg4 = args[4];
        },
        onLeave: function (ret) {
            console.log("ret_arg2:", hexdump(this.arg2, { length: this.arg3.toInt32() }));
            console.log("ret_arg3:", this.arg3);
            console.log("ret_arg4:", hexdump(this.arg4));
            console.log("ret:", hexdump(ret));
            console.log("----hooked over!----");
        }
    });
}

function main() {
    hook_native();   // install the native hook first
    call_gsNav();    // then trigger the signature routine
}

main();
```

Output

----call gsNav----
----hooked getByteHash----
arg2: 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
7d0246f580 30 82 02 5f 30 82 01 c8 a0 03 02 01 02 02 04 4e 0.._0..........N
7d0246f590 77 18 86 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 w..0...*.H......
7d0246f5a0 05 00 30 73 31 0b 30 09 06 03 55 04 06 13 02 63 ..0s1.0...U....c
7d0246f5b0 6e 31 12 30 10 06 03 55 04 08 13 09 67 75 61 6e n1.0...U....guan
7d0246f5c0 67 64 6f 6e 67 31 12 30 10 06 03 55 04 07 13 09 gdong1.0...U....
7d0246f5d0 67 75 61 6e 67 7a 68 6f 75 31 10 30 0e 06 03 55 guangzhou1.0...U
7d0246f5e0 04 0a 13 07 76 69 70 73 68 6f 70 31 18 30 16 06 ....vipshop1.0..
7d0246f5f0 03 55 04 0b 13 0f 77 77 77 2e 76 69 70 73 68 6f .U....www.vipsho
7d0246f600 70 2e 63 6f 6d 31 10 30 0e 06 03 55 04 03 13 07 p.com1.0...U....
7d0246f610 76 69 70 73 68 6f 70 30 20 17 0d 31 31 30 39 31 vipshop0 ..11091
7d0246f620 39 31 30 32 35 31 30 5a 18 0f 32 32 38 35 30 37 9102510Z..228507
7d0246f630 30 34 31 30 32 35 31 30 5a 30 73 31 0b 30 09 06 04102510Z0s1.0..
7d0246f640 03 55 04 06 13 02 63 6e 31 12 30 10 06 03 55 04 .U....cn1.0...U.
7d0246f650 08 13 09 67 75 61 6e 67 64 6f 6e 67 31 12 30 10 ...guangdong1.0.
7d0246f660 06 03 55 04 07 13 09 67 75 61 6e 67 7a 68 6f 75 ..U....guangzhou
7d0246f670 31 10 30 0e 06 03 55 04 0a 13 07 76 69 70 73 68 1.0...U....vipsh
7d0246f680 6f 70 31 18 30 16 06 03 55 04 0b 13 0f 77 77 77 op1.0...U....www
7d0246f690 2e 76 69 70 73 68 6f 70 2e 63 6f 6d 31 10 30 0e .vipshop.com1.0.
7d0246f6a0 06 03 55 04 03 13 07 76 69 70 73 68 6f 70 30 81 ..U....vipshop0.
7d0246f6b0 9f 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 .0...*.H........
7d0246f6c0 03 81 8d 00 30 81 89 02 81 81 00 93 34 83 f8 c0 ....0.......4...
7d0246f6d0 1a 56 74 4a a3 a0 54 73 95 ca c4 22 ea 07 ae a0 .VtJ..Ts..."....
7d0246f6e0 3f 38 45 90 c1 fc bb eb d3 0c 71 39 5e a8 b6 bd ?8E.......q9^...
7d0246f6f0 1a 1b 04 84 47 49 0e 4b af 36 5a 4b 49 72 6f 35 ....GI.K.6ZKIro5
7d0246f700 4e 57 96 35 f5 40 7e 63 86 57 49 2f 6c af 66 5c NW.5.@~c.WI/l.f\
7d0246f710 27 18 11 8c cc ba d9 2f 1f fc ab 62 3c c7 ca 9e '....../...b<...
7d0246f720 a8 ca 9a d5 8c 47 ab 21 05 ba 7c 7c 6d 6f fe 46 .....G.!..||mo.F
7d0246f730 6d 7e 94 06 bb f0 28 cb 9b b5 43 3a 74 cb 85 47 m~....(...C:t..G
7d0246f740 d1 b6 de de f8 84 56 a1 67 9d 3d 02 03 01 00 01 ......V.g.=.....
7d0246f750 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 0...*.H.........
7d0246f760 81 81 00 17 fd cc f7 dd 2f 1a 42 80 92 89 a2 15 ......../.B.....
7d0246f770 9b 64 aa 5a b0 57 91 35 88 18 37 74 3b ca 21 18 .d.Z.W.5..7t;.!.
7d0246f780 0b f3 30 50 75 4b b8 a8 44 90 02 c6 07 5e b6 d7 ..0PuK..D....^..
7d0246f790 1a 65 80 06 a6 b6 00 94 c1 69 f0 77 fb 06 3b 93 .e.......i.w..;.
7d0246f7a0 91 64 d1 64 e6 70 4a ae a1 14 c1 fa ed b4 eb fc .d.d.pJ.........
7d0246f7b0 25 db ca 96 21 a5 58 d2 8b 87 1c 72 7f ff b6 0e %...!.X....r....
7d0246f7c0 c7 40 e8 64 01 53 e8 e9 4d a9 da 7b 09 9e 30 82 .@.d.S..M..{..0.
7d0246f7d0 c3 77 e4 6d 2d 4e 9c 4a 25 8a b2 54 99 d1 da 85 .w.m-N.J%..T....
7d0246f7e0 5b 14 ca [..
arg3: 0x263
arg4: 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
7cd7ea9c80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
7cd7ea9c90 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
7cd7ea9ca0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
7cd7ea9cb0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
7cd7ea9cc0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
7cd7ea9cd0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

ret_arg2: 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
7d0246f580 30 82 02 5f 30 82 01 c8 a0 03 02 01 02 02 04 4e 0.._0..........N
7d0246f590 77 18 86 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 w..0...*.H......
7d0246f5a0 05 00 30 73 31 0b 30 09 06 03 55 04 06 13 02 63 ..0s1.0...U....c
7d0246f5b0 6e 31 12 30 10 06 03 55 04 08 13 09 67 75 61 6e n1.0...U....guan
7d0246f5c0 67 64 6f 6e 67 31 12 30 10 06 03 55 04 07 13 09 gdong1.0...U....
7d0246f5d0 67 75 61 6e 67 7a 68 6f 75 31 10 30 0e 06 03 55 guangzhou1.0...U
7d0246f5e0 04 0a 13 07 76 69 70 73 68 6f 70 31 18 30 16 06 ....vipshop1.0..
7d0246f5f0 03 55 04 0b 13 0f 77 77 77 2e 76 69 70 73 68 6f .U....www.vipsho
7d0246f600 70 2e 63 6f 6d 31 10 30 0e 06 03 55 04 03 13 07 p.com1.0...U....
7d0246f610 76 69 70 73 68 6f 70 30 20 17 0d 31 31 30 39 31 vipshop0 ..11091
7d0246f620 39 31 30 32 35 31 30 5a 18 0f 32 32 38 35 30 37 9102510Z..228507
7d0246f630 30 34 31 30 32 35 31 30 5a 30 73 31 0b 30 09 06 04102510Z0s1.0..
7d0246f640 03 55 04 06 13 02 63 6e 31 12 30 10 06 03 55 04 .U....cn1.0...U.
7d0246f650 08 13 09 67 75 61 6e 67 64 6f 6e 67 31 12 30 10 ...guangdong1.0.
7d0246f660 06 03 55 04 07 13 09 67 75 61 6e 67 7a 68 6f 75 ..U....guangzhou
7d0246f670 31 10 30 0e 06 03 55 04 0a 13 07 76 69 70 73 68 1.0...U....vipsh
7d0246f680 6f 70 31 18 30 16 06 03 55 04 0b 13 0f 77 77 77 op1.0...U....www
7d0246f690 2e 76 69 70 73 68 6f 70 2e 63 6f 6d 31 10 30 0e .vipshop.com1.0.
7d0246f6a0 06 03 55 04 03 13 07 76 69 70 73 68 6f 70 30 81 ..U....vipshop0.
7d0246f6b0 9f 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 .0...*.H........
7d0246f6c0 03 81 8d 00 30 81 89 02 81 81 00 93 34 83 f8 c0 ....0.......4...
7d0246f6d0 1a 56 74 4a a3 a0 54 73 95 ca c4 22 ea 07 ae a0 .VtJ..Ts..."....
7d0246f6e0 3f 38 45 90 c1 fc bb eb d3 0c 71 39 5e a8 b6 bd ?8E.......q9^...
7d0246f6f0 1a 1b 04 84 47 49 0e 4b af 36 5a 4b 49 72 6f 35 ....GI.K.6ZKIro5
7d0246f700 4e 57 96 35 f5 40 7e 63 86 57 49 2f 6c af 66 5c NW.5.@~c.WI/l.f\
7d0246f710 27 18 11 8c cc ba d9 2f 1f fc ab 62 3c c7 ca 9e '....../...b<...
7d0246f720 a8 ca 9a d5 8c 47 ab 21 05 ba 7c 7c 6d 6f fe 46 .....G.!..||mo.F
7d0246f730 6d 7e 94 06 bb f0 28 cb 9b b5 43 3a 74 cb 85 47 m~....(...C:t..G
7d0246f740 d1 b6 de de f8 84 56 a1 67 9d 3d 02 03 01 00 01 ......V.g.=.....
7d0246f750 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 0...*.H.........
7d0246f760 81 81 00 17 fd cc f7 dd 2f 1a 42 80 92 89 a2 15 ......../.B.....
7d0246f770 9b 64 aa 5a b0 57 91 35 88 18 37 74 3b ca 21 18 .d.Z.W.5..7t;.!.
7d0246f780 0b f3 30 50 75 4b b8 a8 44 90 02 c6 07 5e b6 d7 ..0PuK..D....^..
7d0246f790 1a 65 80 06 a6 b6 00 94 c1 69 f0 77 fb 06 3b 93 .e.......i.w..;.
7d0246f7a0 91 64 d1 64 e6 70 4a ae a1 14 c1 fa ed b4 eb fc .d.d.pJ.........
7d0246f7b0 25 db ca 96 21 a5 58 d2 8b 87 1c 72 7f ff b6 0e %...!.X....r....
7d0246f7c0 c7 40 e8 64 01 53 e8 e9 4d a9 da 7b 09 9e 30 82 .@.d.S..M..{..0.
7d0246f7d0 c3 77 e4 6d 2d 4e 9c 4a 25 8a b2 54 99 d1 da 85 .w.m-N.J%..T....
7d0246f7e0 5b 14 ca [..
ret_arg3: 0x263
ret_arg4: 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
7cd7ea9c80 31 65 64 35 36 32 65 31 65 39 30 62 32 33 61 65 1ed562e1e90b23ae
7cd7ea9c90 33 66 39 61 34 30 66 38 62 32 61 36 35 33 38 32 3f9a40f8b2a65382
7cd7ea9ca0 62 39 35 61 34 37 35 32 00 00 00 00 00 00 00 00 b95a4752........
7cd7ea9cb0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
7cd7ea9cc0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
7cd7ea9cd0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
ret: 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
7cd7ea9c80 31 65 64 35 36 32 65 31 65 39 30 62 32 33 61 65 1ed562e1e90b23ae
7cd7ea9c90 33 66 39 61 34 30 66 38 62 32 61 36 35 33 38 32 3f9a40f8b2a65382
7cd7ea9ca0 62 39 35 61 34 37 35 32 00 00 00 00 00 00 00 00 b95a4752........
7cd7ea9cb0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
7cd7ea9cc0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
7cd7ea9cd0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
7cd7ea9ce0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
----hooked over!----
----hooked getByteHash----
arg2: 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
7d02424b30 61 65 65 34 63 34 32 35 64 62 62 32 32 38 38 62 aee4c425dbb2288b
7d02424b40 38 30 63 37 31 33 34 37 63 63 33 37 64 30 34 62 80c71347cc37d04b
7d02424b50 61 70 69 5f 6b 65 79 3d 62 69 6c 65 74 6f 6e 26 api_key=bileton&
7d02424b60 61 70 70 5f 6e 61 6d 65 3d 73 68 6f 70 5f 61 6e app_name=shop_an
7d02424b70 64 72 6f 69 64 droid
arg3: 0x45
arg4: 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
7cd7ea99f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
7cd7ea9a00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
7cd7ea9a10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
7cd7ea9a20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
7cd7ea9a30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
7cd7ea9a40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
ret_arg2: 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
7d02424b30 61 65 65 34 63 34 32 35 64 62 62 32 32 38 38 62 aee4c425dbb2288b
7d02424b40 38 30 63 37 31 33 34 37 63 63 33 37 64 30 34 62 80c71347cc37d04b
7d02424b50 61 70 69 5f 6b 65 79 3d 62 69 6c 65 74 6f 6e 26 api_key=bileton&
7d02424b60 61 70 70 5f 6e 61 6d 65 3d 73 68 6f 70 5f 61 6e app_name=shop_an
7d02424b70 64 72 6f 69 64 droid
ret_arg3: 0x45
ret_arg4: 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
7cd7ea99f0 62 30 64 63 61 36 66 31 35 36 66 37 39 30 32 38 b0dca6f156f79028
7cd7ea9a00 62 33 61 36 38 63 31 36 36 32 39 34 30 34 65 34 b3a68c16629404e4
7cd7ea9a10 35 37 39 31 32 30 62 64 00 00 00 00 00 00 00 00 579120bd........
7cd7ea9a20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
7cd7ea9a30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
7cd7ea9a40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
ret: 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
7cd7ea99f0 62 30 64 63 61 36 66 31 35 36 66 37 39 30 32 38 b0dca6f156f79028
7cd7ea9a00 62 33 61 36 38 63 31 36 36 32 39 34 30 34 65 34 b3a68c16629404e4
7cd7ea9a10 35 37 39 31 32 30 62 64 00 00 00 00 00 00 00 00 579120bd........
7cd7ea9a20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
7cd7ea9a30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
----hooked over!----
----hooked getByteHash----
arg2: 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
7cd7ea98f0 61 65 65 34 63 34 32 35 64 62 62 32 32 38 38 62 aee4c425dbb2288b
7cd7ea9900 38 30 63 37 31 33 34 37 63 63 33 37 64 30 34 62 80c71347cc37d04b
7cd7ea9910 62 30 64 63 61 36 66 31 35 36 66 37 39 30 32 38 b0dca6f156f79028
7cd7ea9920 62 33 61 36 38 63 31 36 36 32 39 34 30 34 65 34 b3a68c16629404e4
7cd7ea9930 35 37 39 31 32 30 62 64 579120bd
arg3: 0x48
arg4: 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
7cd7ea99f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
7cd7ea9a00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
7cd7ea9a10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
7cd7ea9a20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
7cd7ea9a30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
7cd7ea9a40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
ret_arg2: 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
7cd7ea98f0 61 65 65 34 63 34 32 35 64 62 62 32 32 38 38 62 aee4c425dbb2288b
7cd7ea9900 38 30 63 37 31 33 34 37 63 63 33 37 64 30 34 62 80c71347cc37d04b
7cd7ea9910 62 30 64 63 61 36 66 31 35 36 66 37 39 30 32 38 b0dca6f156f79028
7cd7ea9920 62 33 61 36 38 63 31 36 36 32 39 34 30 34 65 34 b3a68c16629404e4
7cd7ea9930 35 37 39 31 32 30 62 64 579120bd
ret_arg3: 0x48
ret_arg4: 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
7cd7ea99f0 63 39 31 34 63 39 64 64 32 62 38 36 32 61 37 34 c914c9dd2b862a74
7cd7ea9a00 63 35 65 39 31 61 63 31 65 36 62 37 39 33 32 38 c5e91ac1e6b79328
7cd7ea9a10 36 62 33 63 31 61 63 32 00 00 00 00 00 00 00 00 6b3c1ac2........
7cd7ea9a20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
7cd7ea9a30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
7cd7ea9a40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
7cd7ea9a50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
ret: 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
7cd7ea99f0 63 39 31 34 63 39 64 64 32 62 38 36 32 61 37 34 c914c9dd2b862a74
7cd7ea9a00 63 35 65 39 31 61 63 31 65 36 62 37 39 33 32 38 c5e91ac1e6b79328
7cd7ea9a10 36 62 33 63 31 61 63 32 00 00 00 00 00 00 00 00 6b3c1ac2........
7cd7ea9a20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
7cd7ea9a30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
7cd7ea9a40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
7cd7ea9a50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
7cd7ea9a60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
----hooked over!----
call gsNav result: c914c9dd2b862a74c5e91ac1e6b793286b3c1ac2
----call gsNav over----

When gsNav is called directly, getByteHash is invoked three times, but the arguments and return value of the first getByteHash call contain nothing related to what we are after. Looking at the cross-references to getByteHash in IDA shows the following.

getByteHash is also called from other functions; tracing back, that extra call comes from Utils_ima and does not affect the getByteHash calls made from Function_gs.

Analysis

From Functions_gs we can see that getByteHash is called twice. This function is standard SHA1, so for the analysis we need two consecutive hook results. From those results, the third argument passed to getByteHash is the map string, but it is prefixed with a salt, aee4c425dbb2288b80c71347cc37d04b, and this salt value is fixed.

Below is the key code of Functions_gs after I renamed the variables:

SaltMap is the salted map string. After the first SHA1 pass we get ByteHash; the salt is then prepended to ByteHash and a second SHA1 pass produces the final api_sign.

Verify it:

import hashlib

mapdata = 'activity=active_te_dynamic_res&activity_endtime=null&activity_propety={"activity_name":"","depend_status":-1,"module":"smartRoute","match":1,"is_debug":"0","apk_type":"1","scene":"api","is_main_process":1,"fail_back":0,"event_id":0,"has_module":0,"remove_so":"0","action":"res_scene","status":0}&activity_starttime=1734847371668&app_name=shop_android&app_version=9.39.4&channel=1&deeplink_cps=&face_flag=0_1&fdc_area_id=104101113&local_time=1734847371668&location=104101&mid=b3aad8e2-2840-39a5-8b51-e5b1c5b16bad&other_cps=&page_id=page_te_loding_activity_1734847371401&repeat=0&service=mobile.activityinfo.logger&session_id=b3aad8e2-2840-39a5-8b51-e5b1c5b16bad_shop_android_1734847371335&skey=6692c461c3810ab150c9a980d0c275ec&status=&status_descrit=null&user_class=A1&user_group=20460_【23年新客首页】安卓-5.23-[快应用-独立首页]-[顶部导航-测试-18]&user_label=3105,310505&userid=null&vipruid=null&warehouse=VIP_HZ'

Salt = "aee4c425dbb2288b80c71347cc37d04b"
SaltMap = Salt+mapdata
cipher1 = hashlib.sha1()
cipher1.update(SaltMap.encode("utf-8"))
ByteHash = cipher1.hexdigest()
print(ByteHash)
SecondEnc = Salt+ByteHash
cipher2 = hashlib.sha1()
cipher2.update(SecondEnc.encode("utf-8"))
api_sign = cipher2.hexdigest()
print(api_sign)

>>>
21c4c11c50637d4316ecc1bbf7e6a4abdf6fbe61
237f2dfb34d8846ca7f11071583fb3af5f98b9fe

Restoration complete.
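The full scheme as one function, added here as an example rather than code from the post, with the kind of server-side check a defender would want next to it: a constant-time comparison and a freshness window on the timestamp field (verify_api_sign and its max_skew are my assumptions, not anything the app's backend is known to do). The test vector is the small map visible in the getByteHash hook output above.

```python
import hashlib
import hmac
import time

# Fixed salt recovered from the getByteHash hook output in the post.
SALT = "aee4c425dbb2288b80c71347cc37d04b"


def canonical_string(params):
    """Serialise the request map the way the native code sees it.

    gsNav iterates a TreeMap, so entries are joined in key order; empty
    values are kept ("vipruid=" appears in the captured string).
    """
    return "&".join(f"{k}={v}" for k, v in sorted(params.items()))


def sha1_hex(text):
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def api_sign(params):
    """First SHA1 over salt+canonical string, second over salt+that digest."""
    byte_hash = sha1_hex(SALT + canonical_string(params))
    return sha1_hex(SALT + byte_hash)


def verify_api_sign(params, presented_sign, now=None, max_skew=300):
    """Hypothetical server-side check (my assumption, not the real backend).

    A fixed salt shipped inside the APK is not a secret, so the signature
    only proves the sender knows the scheme. What a verifier can still
    enforce: constant-time comparison and a bounded age on `timestamp`
    (present on the search endpoint), so a captured request cannot be
    replayed indefinitely.
    """
    expected = api_sign(params)
    if not hmac.compare_digest(expected, presented_sign.lower()):
        return False
    ts = params.get("timestamp")
    if ts is None:
        return True  # endpoints without a timestamp, e.g. device_reg
    try:
        ts = int(ts)
    except ValueError:
        return False
    now = int(time.time()) if now is None else now
    return abs(now - ts) <= max_skew


if __name__ == "__main__":
    # Small map seen in the second and third getByteHash hook entries above.
    print(api_sign({"api_key": "bileton", "app_name": "shop_android"}))
    # c914c9dd2b862a74c5e91ac1e6b793286b3c1ac2
```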

Reproducing the device registration API

This time we can register a device with an api_sign we generate ourselves:

import requests
import uuid
import hashlib

def sha1(data):
    cipher = hashlib.sha1()
    cipher.update(data)
    return cipher.hexdigest()


device_token = str(uuid.uuid4())

parameters = {
"app_name":"achievo_ad",
"app_version":"9.39.4",
"device_token":device_token,
"status":"1",
"warehouse":"VIP_HZ",
"manufacturer":"Google",
"device":"Pixel 3",
"os_version":"28",
"channel":"yro8nr0d:::",
"vipruid":"",
"regPlat":"0",
"regid":"null",
"rom":"Dalvik/2.1.0 (Linux; U; Android 9; Pixel 3 Build/PD1A.180720.030)",
"skey":"6692c461c3810ab150c9a980d0c275ec"
}

url = "https://mp.appvipshop.com/apns/device_reg"

# gsNav iterates a TreeMap, so the signed string must list the keys in sorted order
mapdata = "&".join([key+"="+value for key,value in sorted(parameters.items())])
salt = "aee4c425dbb2288b80c71347cc37d04b"
onesha1 = sha1((salt+mapdata).encode("utf-8"))
apisign = sha1((salt+onesha1).encode("utf-8"))

headers = {
"User-Agent":"okhttp/4.9.1",
"authorization":"OAuth api_sign="+apisign,
"accept-encoding":"gzip"
}

response = requests.get(url,headers=headers,params=parameters)
print(response.status_code)
print(response.text)

Reversing the search API

Capturing the search API

Reversing and reproducing

import requests
import hashlib

def sha1(data):
    cipher = hashlib.sha1()
    cipher.update(data)
    return cipher.hexdigest()

keyword = input("input keyword:")

url = "https://mapi.appvipshop.com/vips-mobile/rest/shopping/search/product/list/v1"

data = {
"api_key": "23e7f28019e8407b98b84cd05b5aef2c",
"app_name": "shop_android",
"app_version": "9.39.4",
"bigSaleTagIds": "",
"brandIds": "",
"brandStoreSns": "",
"categoryId": "",
"channelId": "1",
"channel_flag": "0_1",
"clickFrom": "userword",
"client": "android",
"client_type": "android",
"couponIds": "",
"darkmode": "0",
"deeplink_cps": "",
"device_model": "Google Pixel 3",
"did": "0.0.7dd2447b686b5292535eeee5df76af4e.e30722",
"elder": "0",
"evgid": "MEPeuS28WvKWWBaORXRayvPD91hpo6rtPhqtYlf9h/sqV/qXMrLitm9X/TxB0xIU0R0HnbOuRkt494w2LedGeuzIt0jR6xdfSfROjGrf92s=",
"extParams": '{"priceVer":"2","video_playable":"1","mclabel":"1","cmpStyle":"1","statusVer":"2","ic2label":"1","video":"2","uiVer":"2","preheatTipsVer":"4","floatwin":"1","superHot":"1","exclusivePrice":"1","router":"1","coupons":"4","needVideoExplain":"1","rank":"2","needVideoGive":"1","attr":"2","bigBrand":"2","couponVer":"v2","videoExplainUrl":"1","live":"1","sellpoint":"1","reco":"1","vreimg":"1","search_tag":"2","tpl":"1","ads":"2","stdSizeVids":"","labelVer":"2","preheatView":"1"}',
"fdc_area_id": "104101113",
"functions": "RTRecomm,flagshipInfo,couponBarV2,lowPriceTabs,discountTabs,feedbackV2,otdAds,zoneCode,slotOp,survey,outfit,aiRealtime,floaterParams,tabGroupV2,bsAndSeason,parallelCall",
"harmony_app": "0",
"harmony_os": "0",
"height": "2028",
"isMultiTab": "0",
"is_default_area": "1",
"keyword": keyword,
"lastPageProperty": "{\"isBgToFront\":\"0\",\"scene_entry_id\":\"-99\",\"refer_page_id\":\"page_channel_1734917260119\",\"text\":\"女童加绒裤子\",\"module_name\":\"com.achievo.vipshop.search\",\"type\":\"-99\",\"is_back_page\":\"0\"}",
"maker": "GOOGLE",
"mars_cid": "b3aad8e2-2840-39a5-8b51-e5b1c5b16bad",
"mobile_channel": "yro8nr0d:::",
"mobile_platform": "3",
"net": "WIFI",
"operator": "",
"os": "Android",
"osv": "9",
"otddid": "",
"other_cps": "",
"page_id": "page_te_globle_classify_search_1734917270854",
"phone_brand": "google",
"phone_model": "pixel 3",
"priceMax": "",
"priceMin": "",
"props": "",
"province_id": "104101",
"referer": "com.achievo.vipshop.search.activity.TabSearchProductListActivity",
"rom": "Dalvik/2.1.0 (Linux; U; Android 9; Pixel 3 Build/PD1A.180720.030)",
"sd_tuijian": "0",
"service_provider": "",
"session_id": "b3aad8e2-2840-39a5-8b51-e5b1c5b16bad_shop_android_1734917371208",
"skey": "6692c461c3810ab150c9a980d0c275ec",
"sort": "0",
"source": "app",
"source_app": "android",
"standby_id": "yro8nr0d:::",
"sys_version": "28",
"tabFields": "gender,tabs,priceTabs,discountTabs,tabGroupV2",
"timestamp": "1734917303",
"union_mark": "blank&_&blank&_&yro8nr0d:::&_&blank&_&blank",
"vipService": "",
"warehouse": "VIP_HZ",
"width": "1080"
}

# sign over the keys in sorted order, matching the TreeMap the native code iterates
mapdata = "&".join([key+"="+value for key,value in sorted(data.items())])
salt = "aee4c425dbb2288b80c71347cc37d04b"
onesha1 = sha1((salt+mapdata).encode("utf-8"))
apisign = sha1((salt+onesha1).encode("utf-8"))

headers = {
    "authorization": "OAuth api_sign="+apisign,
    "x-vip-host": "mapi.appvipshop.com",
    "content-type": "application/x-www-form-urlencoded",
    # content-length is set by requests from the encoded body; a hard-coded value breaks the request
    "accept-encoding": "gzip",
    "user-agent": "okhttp/4.9.1"
}

response = requests.post(url=url,data=data,headers=headers)
print(response.status_code)
print(response.text)

Unidbg

Emulating getNavInfo()

The native library is libkeyinfo.so.

Hook getNavInfo()

function hook_getNavInfo(){
    Java.perform(function(){
        let KeyInfo = Java.use("com.vip.vcsp.KeyInfo");
        KeyInfo["getNavInfo"].implementation = function (context, str) {
            console.log(`KeyInfo.getNavInfo is called: context=${context}, str=${str}`);
            let result = this["getNavInfo"](context, str);
            console.log(`KeyInfo.getNavInfo result=${result}`);
            return result;
        };
    })
}

hook_getNavInfo();

Hook output

KeyInfo.getNavInfo is called: context=com.achievo.vipshop.common.VipApplicationLike@ff37661, str=skey
KeyInfo.getNavInfo result=6692c461c3810ab150c9a980d0c275ec

Call getNavInfo()

function call_getNavInfo(){
    Java.perform(function(){
        let KeyInfo = Java.use("com.vip.vcsp.KeyInfo");
        let context = Java.use("android.app.ActivityThread").currentApplication().getApplicationContext();
        let str = "skey";
        let result = KeyInfo["getNavInfo"](context, str);
        console.log(`KeyInfo.getNavInfo result=${result}`);
    })
}

Result

KeyInfo.getNavInfo result=6692c461c3810ab150c9a980d0c275ec

Running getNavInfo() in Unidbg

import com.github.unidbg.AndroidEmulator;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.linux.android.dvm.*;
import com.github.unidbg.memory.Memory;

import java.io.File;

public class KeyInfo extends AbstractJni {
    private final AndroidEmulator emulator;
    private final Memory memory;
    private final VM vm;
    private DalvikModule dm;

    public KeyInfo() {
        emulator = AndroidEmulatorBuilder
                .for64Bit() // for32Bit()
                .setRootDir(new File("target/rootfs"))
                .build();
        memory = emulator.getMemory();
        memory.setLibraryResolver(new AndroidResolver(23));
        vm = emulator.createDalvikVM(new File("unidbg-android/src/test/java/com/achievo/vipshop/weipinhui.apk"));
        vm.setJni(this);
        vm.setVerbose(true);
        // load libkeyinfo.so and run its JNI_OnLoad
        dm = vm.loadLibrary("keyinfo", true);
        dm.callJNI_OnLoad(emulator);
    }

    public String getNavInfo() {
        DvmClass KeyInfoClass = vm.resolveClass("com.vip.vcsp.KeyInfo");
        // a bare Application object is enough as the Context argument here
        DvmObject context = vm.resolveClass("android/app/Application", vm.resolveClass("android/content/ContextWrapper", vm.resolveClass("android/content/Context"))).newObject(null);
        StringObject stringObject = KeyInfoClass.callStaticJniMethodObject(emulator, "getNavInfo(Landroid/content/Context;Ljava/lang/String;)Ljava/lang/String;", context, "skey");
        return stringObject.getValue();
    }

    public static void main(String[] args) {
        KeyInfo keyInfo = new KeyInfo();
        System.out.println(keyInfo.getNavInfo()); // 6692c461c3810ab150c9a980d0c275ec
    }
}

Emulating gsNav()

Hook gsNav()

function hook_gsNav(){
    Java.perform(function(){
        let KeyInfo = Java.use("com.vip.vcsp.KeyInfo");
        KeyInfo["gsNav"].implementation = function (context, map, str, z10) {
            console.log("----hooked gsNav----");
            console.log(`KeyInfo.gsNav is called: context=${context}, map=${map}, str=${str}, z10=${z10}`);
            // printMap is a helper defined elsewhere in this post; it prints the map's entries
            console.log("gsNav map:", printMap(map));
            let result = this["gsNav"](context, map, str, z10);
            console.log(`KeyInfo.gsNav result=${result}`);
            console.log("----hooked over!----");
            return result;
        };
    })
}

hook_gsNav()

Hook output

----hooked gsNav----
KeyInfo.gsNav is called: context=com.achievo.vipshop.common.VipApplicationLike@17ab95c, map=[object Object], str=null, z10=false
gsNav map: {app_name=achievo_ad, app_version=9.39.4, channel=yro8nr0d:::, device=Pixel 3, device_token=c6e072c0-ec5c-3fd4-8b3d-993abbdcb72a, manufacturer=Google, os_version=29, regPlat=0, regid=null, rom=Dalvik/2.1.0 (Linux; U; Android 10; Pixel 3 Build/QQ3A.200705.002), skey=6692c461c3810ab150c9a980d0c275ec, status=1, vipruid=, warehouse=VIP_HZ}
KeyInfo.gsNav result=a05a0d94df429a4cdc0d2cd68bce1291b046d667
----hooked over!----

Running gsNav() in Unidbg

import com.github.unidbg.AndroidEmulator;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.linux.android.dvm.*;
import com.github.unidbg.linux.android.dvm.jni.ProxyDvmObject;
import com.github.unidbg.memory.Memory;

import java.io.File;
import java.util.Map;
import java.util.TreeMap;

public class KeyInfo extends AbstractJni {
    private final AndroidEmulator emulator;
    private final Memory memory;
    private final VM vm;
    private DalvikModule dm;

    public KeyInfo() {
        emulator = AndroidEmulatorBuilder
                .for64Bit() // for32Bit()
                .setRootDir(new File("target/rootfs"))
                .build();
        memory = emulator.getMemory();
        memory.setLibraryResolver(new AndroidResolver(23));
        vm = emulator.createDalvikVM(new File("unidbg-android/src/test/java/com/achievo/vipshop/weipinhui.apk"));
        vm.setJni(this);
        vm.setVerbose(true);
        dm = vm.loadLibrary("keyinfo", true);
        dm.callJNI_OnLoad(emulator);
    }

    public String gsNav() {
        DvmClass KeyInfoClass = vm.resolveClass("com.vip.vcsp.KeyInfo");
        // DvmObject context = vm.resolveClass("android/app/Application", vm.resolveClass("android/content/ContextWrapper", vm.resolveClass("android/content/Context"))).newObject(null);
        DvmObject context = vm.resolveClass("android/content/Context").newObject(null);
        // TreeMap keeps the keys sorted, the same order the gsNav hook showed
        Map<String, String> map = new TreeMap<>();
        map.put("app_name", "achievo_ad");
        map.put("app_version", "9.39.4");
        map.put("channel", "yro8nr0d:::");
        map.put("device", "Pixel 3");
        map.put("device_token", "c6e072c0-ec5c-3fd4-8b3d-993abbdcb72a");
        map.put("manufacturer", "Google");
        map.put("os_version", "29");
        map.put("regPlat", "0");
        map.put("regid", "null");
        map.put("rom", "Dalvik/2.1.0 (Linux; U; Android 10; Pixel 3 Build/QQ3A.200705.002)");
        map.put("skey", "6692c461c3810ab150c9a980d0c275ec");
        map.put("status", "1");
        map.put("vipruid", "");
        map.put("warehouse", "VIP_HZ");
        // wrap the Java map so the native side can call back into it through JNI
        DvmObject map_dvmobj = ProxyDvmObject.createObject(vm, map);
        StringObject stringObject = KeyInfoClass.callStaticJniMethodObject(emulator, "gsNav(Landroid/content/Context;Ljava/util/Map;Ljava/lang/String;Z)Ljava/lang/String;", context, map_dvmobj, "", false);
        return stringObject.getValue();
    }

    public static void main(String[] args) {
        KeyInfo keyInfo = new KeyInfo();
        System.out.println(keyInfo.gsNav());
    }
}

Run it; the JNI environment needs to be patched.

Patch entrySet()

java.lang.UnsupportedOperationException: java/util/TreeMap->entrySet()Ljava/util/Set;
at com.github.unidbg.linux.android.dvm.AbstractJni.callObjectMethod(AbstractJni.java:933)

// inside the switch on the method signature in the overridden AbstractJni.callObjectMethod
case "java/util/TreeMap->entrySet()Ljava/util/Set;": {
    TreeMap map = (TreeMap) dvmObject.getValue();
    Set<?> set = map.entrySet();
    return ProxyDvmObject.createObject(vm, set);
}

Run it again and keep patching the environment.

Patch iterator()

java.lang.UnsupportedOperationException: java/util/Set->iterator()Ljava/util/Iterator;
at com.github.unidbg.linux.android.dvm.AbstractJni.callObjectMethod(AbstractJni.java:933)

case "java/util/Set->iterator()Ljava/util/Iterator;": {
    Set set = (Set) dvmObject.getValue();
    Iterator it = set.iterator();
    return ProxyDvmObject.createObject(vm, it);
}

Run it again and keep patching the environment.

Patch hasNext()

java.lang.UnsupportedOperationException: java/util/Iterator->hasNext()Z
at com.github.unidbg.linux.android.dvm.AbstractJni.callBooleanMethod(AbstractJni.java:598)

// this one returns a primitive, so it goes in the overridden AbstractJni.callBooleanMethod
case "java/util/Iterator->hasNext()Z": {
    Iterator it = (Iterator) dvmObject.getValue();
    boolean hasNext = it.hasNext();
    return hasNext;
}

Run it again and keep patching the environment.

Patch next()

java.lang.UnsupportedOperationException: java/util/Iterator->next()Ljava/lang/Object;
at com.github.unidbg.linux.android.dvm.AbstractJni.callObjectMethod(AbstractJni.java:933)

case "java/util/Iterator->next()Ljava/lang/Object;": {
    Iterator iterator = (Iterator) dvmObject.getValue();
    Object next = iterator.next();
    return ProxyDvmObject.createObject(vm, next);
}

Run it again and keep patching the environment.

Patch getKey()

java.lang.UnsupportedOperationException: java/util/Map$Entry->getKey()Ljava/lang/Object;
at com.github.unidbg.linux.android.dvm.AbstractJni.callObjectMethod(AbstractJni.java:933)

case "java/util/Map$Entry->getKey()Ljava/lang/Object;": {
    Map.Entry entry = (Map.Entry) dvmObject.getValue();
    Object key = entry.getKey();
    return ProxyDvmObject.createObject(vm, key);
}

Patch getValue()

java.lang.UnsupportedOperationException: java/util/Map$Entry->getValue()Ljava/lang/Object;
at com.github.unidbg.linux.android.dvm.AbstractJni.callObjectMethod(AbstractJni.java:933)

case "java/util/Map$Entry->getValue()Ljava/lang/Object;": {
    Map.Entry entry = (Map.Entry) dvmObject.getValue();
    Object value = entry.getValue();
    return ProxyDvmObject.createObject(vm, value);
}

Done.

We get the result:

a05a0d94df429a4cdc0d2cd68bce1291b046d667