Reverse engineering the Bank of Chengdu (成都银行) app

Frida cannot be used directly against this app.

Unpacking

https://github.com/hluwa/frida-dexdump

Since Frida can't be used, I wrote a .so that searches process memory for DEX files; unpacking succeeded.
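The memory search described above relies on recognising DEX headers in a dumped region and reading the file size from the header, which is what frida-dexdump does as well. The following scanner is an added example (not the author's .so and not frida-dexdump's code) that runs over a constructed byte buffer: it validates the magic, version, header_size and endian_tag fields, rejects false positives such as a stray "dex\n" string, and returns the offset and size of each plausible DEX image so it can be carved out.

```python
import struct

DEX_MAGIC = b"dex\n"          # followed by 3 ASCII digits and a NUL, e.g. "035\0"
DEX_HEADER_SIZE = 0x70        # header_size field must equal this
ENDIAN_CONSTANT = 0x12345678  # endian_tag for little-endian DEX files

def parse_dex_header(buf, off):
    """Return (version, file_size) if a plausible DEX header starts at buf[off], else None."""
    if buf[off:off + 4] != DEX_MAGIC or len(buf) - off < DEX_HEADER_SIZE:
        return None
    version = buf[off + 4:off + 7]
    if not version.isdigit() or buf[off + 7] != 0:
        return None
    # file_size @0x20, header_size @0x24, endian_tag @0x28 (all u4, little-endian)
    file_size, header_size, endian_tag = struct.unpack_from("<III", buf, off + 0x20)
    if header_size != DEX_HEADER_SIZE or endian_tag != ENDIAN_CONSTANT:
        return None
    # a header whose body runs past the region is truncated; skip rather than carve garbage
    if file_size < DEX_HEADER_SIZE or off + file_size > len(buf):
        return None
    return version.decode(), file_size

def find_dex_images(buf):
    """Scan a memory region and return (offset, version, size) for every DEX header found."""
    found = []
    off = buf.find(DEX_MAGIC)
    while off != -1:
        hdr = parse_dex_header(buf, off)
        if hdr:
            found.append((off, hdr[0], hdr[1]))
            off = buf.find(DEX_MAGIC, off + hdr[1])  # jump over the carved body
        else:
            off = buf.find(DEX_MAGIC, off + 1)       # not a real header, keep scanning
    return found

def make_fake_dex(version=b"035", body_len=0x40):
    """Constructed sample: a header-only DEX image for testing (not a real, loadable dex)."""
    size = DEX_HEADER_SIZE + body_len
    hdr = bytearray(DEX_HEADER_SIZE)
    hdr[0:8] = DEX_MAGIC + version + b"\0"
    struct.pack_into("<III", hdr, 0x20, size, DEX_HEADER_SIZE, ENDIAN_CONSTANT)
    return bytes(hdr) + b"\xAA" * body_len

# Constructed "memory region": padding, a v035 dex, a stray "dex\n" string, a v038 dex, padding.
SAMPLE_REGION = (b"\0" * 16 + make_fake_dex(b"035") + b"dex\n" + b"junk" * 8
                 + make_fake_dex(b"038", 8) + b"\0" * 4)

if __name__ == "__main__":
    for off, ver, size in find_dex_images(SAMPLE_REGION):
        print(f"dex v{ver} at offset 0x{off:x}, {size} bytes")
```

On a real dump, each returned (offset, size) pair is sliced out of the region and written to a .dex file for static analysis.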

SSL unpinning

SandHook is used to bypass SSL pinning.

import android.util.Log;

import java.lang.reflect.Method;
import java.security.SecureRandom;

import javax.net.ssl.KeyManager;
import javax.net.ssl.TrustManager;

import com.swift.sandhook.annotation.HookMethod;
import com.swift.sandhook.annotation.HookMethodBackup;
import com.swift.sandhook.annotation.HookReflectClass;
import com.swift.sandhook.annotation.MethodParams;

// Hooks javax.net.ssl.SSLContext so every SSLContext the app builds is initialised
// with the author's permissive EmptyTrustManager instead of the app's pinning TrustManager.
// ZhighestHook and EmptyTrustManager are the author's own helper classes (not part of SandHook).
@HookReflectClass("javax.net.ssl.SSLContext")
public class Hook_SSLContext {
    public static String TAG = "zhighest_hook";

    @HookMethodBackup("getInstance")
    @MethodParams({String.class})
    static Method getInstance_Backup;

    // Log which protocol is requested and the call stack that led here, then call through.
    @HookMethod("getInstance")
    @MethodParams({String.class})
    public static Object getInstance_Hook(String s) throws Throwable {
        Log.e(TAG, "getInstance_Hook: " + s);
        Log.e(TAG, Log.getStackTraceString(new Exception()));
        Object obj = ZhighestHook.callOriginByBackup(getInstance_Backup, null, s);
        return obj;
    }

    @HookMethodBackup("init")
    @MethodParams({KeyManager[].class, TrustManager[].class, SecureRandom.class})
    static Method init_Backup;

    // Replace the app-supplied TrustManager[] with EmptyTrustManager; KeyManager[] and
    // SecureRandom are passed as null so the platform defaults are used.
    @HookMethod("init")
    @MethodParams({KeyManager[].class, TrustManager[].class, SecureRandom.class})
    public static Object init_Hook(Object thiz, KeyManager[] km, TrustManager[] tm, SecureRandom sr) throws Throwable {
        Log.e(TAG, "SSLContext_init_Hook....");
        Object result = ZhighestHook.callOriginByBackup(init_Backup, thiz, null, EmptyTrustManager.getInstance(), null);
        return result;
    }
}

Log output from the hook:

02-02 14:53:28.010  4395  4395 E zhighest_hook: getInstance_Hook: TLS
02-02 14:53:28.010 4395 4395 E zhighest_hook: java.lang.Exception
02-02 14:53:28.010 4395 4395 E zhighest_hook: at com.zhighest.target.bocd.Hook_SSLContext.getInstance_Hook(Hook_SSLContext.java:25)
02-02 14:53:28.010 4395 4395 E zhighest_hook: at com.yitong.http.YTSSLSocketFactory.a(Unknown Source:4)
02-02 14:53:28.010 4395 4395 E zhighest_hook: at com.yitong.mobile.network.http.APPRestClient$2.action(Native Method)
02-02 14:53:28.010 4395 4395 E zhighest_hook: at com.yitong.mobile.network.http.APPRestClient.a(Native Method)
02-02 14:53:28.010 4395 4395 E zhighest_hook: at com.yitong.mobile.network.http.APPRestClient.post(Native Method)
02-02 14:53:28.010 4395 4395 E zhighest_hook: at com.yitong.mobile.network.http.APPRestClient.post(Native Method)
02-02 14:53:28.010 4395 4395 E zhighest_hook: at com.yitong.mobile.biz.h5.plugin.common.HttpPostProxyPlugin.execute(Native Method)
02-02 14:53:28.010 4395 4395 E zhighest_hook: at com.yitong.mobile.h5core.jsbridge.plugin.YTBasePlugin.handler(Unknown Source:1)
02-02 14:53:28.010 4395 4395 E zhighest_hook: at com.yitong.mobile.h5core.jsbridge.WebViewJavascriptBridgeBase.b(Native Method)
02-02 14:53:28.010 4395 4395 E zhighest_hook: at com.yitong.mobile.h5core.jsbridge.WebViewJavascriptBridgeBase$1.onReceiveValue(Native Method)
02-02 14:53:28.010 4395 4395 E zhighest_hook: at com.yitong.mobile.h5core.jsbridge.WebViewJavascriptBridgeBase.handlerReturnData(Native Method)
02-02 14:53:28.010 4395 4395 E zhighest_hook: at com.yitong.mobile.h5core.jsbridge.WebViewJavascriptBridgeBase.shouldOverrideUrlLoading(Native Method)
02-02 14:53:28.010 4395 4395 E zhighest_hook: at com.yitong.mobile.h5core.jsbridge.WebViewJavascriptBridgeClient.shouldOverrideUrlLoading(Native Method)
02-02 14:53:28.010 4395 4395 E zhighest_hook: at com.yitong.mobile.biz.h5.container.MyWebViewClient.shouldOverrideUrlLoading(Native Method)
02-02 14:53:28.010 4395 4395 E zhighest_hook: at android.webkit.WebViewClient.shouldOverrideUrlLoading(WebViewClient.java:83)
02-02 14:53:28.010 4395 4395 E zhighest_hook: at org.chromium.android_webview.AwContentsClientBridge.shouldOverrideUrlLoading(chromium-TrichromeWebViewGoogle.apk-stable-410410183:16)
02-02 14:53:28.010 4395 4395 E zhighest_hook: at android.os.MessageQueue.nativePollOnce(Native Method)
02-02 14:53:28.010 4395 4395 E zhighest_hook: at android.os.MessageQueue.next(MessageQueue.java:345)
02-02 14:53:28.010 4395 4395 E zhighest_hook: at android.os.Looper.loop(Looper.java:194)
02-02 14:53:28.010 4395 4395 E zhighest_hook: at android.app.ActivityThread.main(ActivityThread.java:7604)
02-02 14:53:28.010 4395 4395 E zhighest_hook: at java.lang.reflect.Method.invoke(Native Method)
02-02 14:53:28.010 4395 4395 E zhighest_hook: at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:539)
02-02 14:53:28.010 4395 4395 E zhighest_hook: at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:953)

Packet capture screenshot:

Request decryption

To be continued.