When reversed an Android program, if you only blindly analyze, you need to read more than one code to find the key points or Hook points of the program, this article will share how to quickly find the encryption parameter location of the APP program. In fact, whether it is finding the key location, hook points, encryption parameters, and code logic tracking, they are all similar processing methods.
Use clever search-static analysis
Generally, the process of finding encryption parameters in static analysis is to first check the shell (unshelling), decompile, find the entry method of the program, and analyze the execution process of the program.
Assuming that an unshelled app has been decompiled using Android killer, you can directly use engineering search to retrieve the parameter names that need to be found, compare them based on the feedback information of AK, and find the corresponding parameter location. You can also analyze the code line by line according to the application execution process, which is more tiring.
objection positioning
objection is a dynamic analysis toolkit based on Frida. It can be dynamically modulated with root without root, and supports both iOS and Android. The installation method can be viewed at github. Github:/sensepost/objection
If there are several uncertain positions after searching, you can use Objection. Objection is a professional positioning expert, and there are only three steps in the positioning process.
1. Inject the target process
objection -g explore
2. Tracking category
android hooking watch class ''
3. Check the input parameters and return values
android hooking watch class_method '' --dump-args --dump-return
Then, by comparing the parameters and return values with the protocol in the request interface, you can determine where it is.
frida-hook
Hook tools such as frida and xposed are also a type of dynamic analysis. Suppose that the interface of an App has a signature signature, and the parameter value looks very much like Base64, and the length is fixed and less than 20 bits. At this time, if the global search through the tool is not found, you can use frida to feel the location of all operations Base64 in the app under Hook.
The Frida code is as follows:
var Base64Class = (".Base64");
("[B", "int").implementation = function(a,b){
var resault = (a,b);
(">>> Base64 " + resault);
if( <= 20){
var stackAdd = ().getStackTrace();
("resault stackAdd is:" + Where(stack));
}
return rc;
}
This method is highly likely to print out the location of the signature calculation, which is also a clever plan. Everyone must not forget this positioning method.
log injection
Code injection is also a dynamic analysis. The process is to modify the smali code of apk first. It is to add android/util/Log output before a key function, and to view the log data when the program is executed in conjunction with LogCat.
There are 5 methods about the Log extends Object of Android/util/Log: () () () and ()
Generally, you can just use the () log output function. If you don’t do a case, you will write the details in the book.
Dynamic debugging
In fact, there are only two types of positioning methods: static analysis and dynamic analysis. Dynamic debugging is also dynamic analysis, which is similar to the above method.
Dynamic debugging can be understood here as stack debugging. Sometimes different tools and methods are needed.
For example, JEB debugging, smali debugging, IDA debugging, etc.
I won’t go into details, this article briefly summarizes it.
This is the end of this article about Android encryption parameter positioning method. For more related contents of Android encryption parameter positioning method, please search for my previous articles or continue browsing the related articles below. I hope everyone will support me in the future!