0x01 定位关键函数
在反编译工具中取消勾选“反混淆”选项，否则工具会把混淆后的类名/方法名重命名为可读名称，而运行时实际存在的仍是混淆名(如下文脚本中的 com.gdtel.eshore.mss.lib.b.b 和方法 a)，Java.use()/overload() 会因为名称对不上而找不到目标函数。
尝试搜索 AES、DES、RSA、加密、encode、decode 等关键字；也可以从 HTTP 等网络请求的发起处反向跟进，找到对请求体做加密、对响应体做解密的函数。
分析实现加密与解密的函数：
加密函数：传入公钥以及需要加密的字节数组，返回密文字节数组
解密函数：传入私钥以及需要解密的字节数组，返回明文字节数组
两个函数在混淆后同名(都叫 a)，只靠第一个参数的类型(RSAPublicKey / RSAPrivateKey)区分，因此 hook 时必须用 overload() 明确指定参数签名，否则 Frida 会报 ambiguous overload。
0x02 编写hook.js
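// Frida hook for the RSA encrypt/decrypt helpers in com.gdtel.eshore.mss.lib.b.b.
// Both helpers share the obfuscated name `a` and differ only in their first
// parameter type (RSAPrivateKey -> decrypt, RSAPublicKey -> encrypt), so each
// overload is selected explicitly. The hooks print the plaintext that crosses
// the crypto boundary, so treat the console output as sensitive data.

// Fully-qualified class name exactly as it exists at runtime (obfuscated).
var TARGET_CLASS = "com.gdtel.eshore.mss.lib.b.b";

/**
 * Dump the current Java call stack to the console.
 * Call it from inside one of the hooks below to see which code path
 * invoked the crypto helper (e.g. which request builder).
 */
function printTrace() {
  console.log("****************** printTrace start ***********************");
  // currentThread() is static; no need to allocate a Thread just to reach it.
  var Thread = Java.use("java.lang.Thread");
  var frames = Thread.currentThread().getStackTrace();
  console.log("Full call stack:");
  for (var i = 0; i < frames.length; i++) {
    console.log(frames[i].toString());
  }
  console.log("****************** printTrace finish ***********************");
}

/**
 * Install both hooks. Must run inside Java.perform so the JVM is attached.
 */
function installHooks() {
  var JniUtils = Java.use(TARGET_CLASS);
  // Resolve once, outside the hook bodies, instead of on every call.
  // Named JString so it does not shadow the JavaScript String constructor.
  var JString = Java.use("java.lang.String");

  // a(RSAPrivateKey, byte[]) -> byte[]: decrypt. The plaintext is the return value.
  JniUtils.a.overload("java.security.interfaces.RSAPrivateKey", "[B")
    .implementation = function (privateKey, ciphertext) {
      console.log("*********** decodeByRSA start ************");
      var plaintext = this.a(privateKey, ciphertext);
      // Default-charset decode; non-text output will not render cleanly
      // and should be hex-dumped instead if that matters.
      console.log("from data: " + JString.$new(plaintext));
      return plaintext;
    };

  // a(RSAPublicKey, byte[]) -> byte[]: encrypt. The plaintext is the input.
  JniUtils.a.overload("java.security.interfaces.RSAPublicKey", "[B")
    .implementation = function (publicKey, plaintext) {
      console.log("*********** encodeByRSA start ************");
      var ciphertext = this.a(publicKey, plaintext);
      console.log("from data: " + JString.$new(plaintext));
      return ciphertext;
    };
}

/**
 * Script entry point: verify the Java runtime is reachable, then hook.
 */
function main() {
  if (!Java.available) {
    // A silent return here is the usual reason "nothing prints".
    console.log("Java runtime not available; hooks not installed");
    return;
  }
  console.log("*********** hook start ************");
  Java.perform(installHooks);
}

setImmediate(main);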
0x03 run
frida -U -l hook.js <包名或进程名>
脚本文件名要与上一节保存的 hook.js 一致。-U 通过 USB 附加到设备上已经在运行的进程；如果要在应用启动阶段就拦截(例如登录时的第一次加密请求)，改用 spawn 方式：frida -U -l hook.js -f <包名>。hook 打印的是加解密前后的明文，保存日志时注意脱敏。