Reversing the 某眼查 (Tianyancha) app

Published: 2023-05-22

1. Preparation

APP: 某眼查 (Tianyancha)

Version: 11.4.0

Tools: Xposed, FDex2, JustTrustMe, Fiddler, jadx

2. Packet capture

  1. Start Fiddler and open Tianyancha to capture its traffic (enable the JustTrustMe Xposed module first; it disables the app's TLS certificate checks, otherwise the HTTPS requests will not be captured).

We capture the business registration (工商信息) screen. Look at the response body in Fiddler: this is where the data is transferred, so the packet is bound to be fairly large. Open the JSON view on the right and compare it with the business registration info shown in the app; when they match, that is the packet we want.

  2. Look at the request headers of the captured packet and pick out the parameters we will have to generate ourselves: tyc-hi, Authorization, duid

(the 某音 reverse-engineering write-up explains how to pick these out)
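Picking out which headers have to be generated is easier with more than one capture in hand. The following is an added example and not code from the post: it takes several captured request header sets (constructed sample data, with the header names copied from the post and made-up values) and sorts every header into constant, per-session or per-request. Constant ones can be hard-coded in the scraper; the others are the ones to go after in the decompiled code.

```python
from collections import defaultdict

# Constructed sample: two requests captured in session A (first install) and two in
# session B (after clearing the app's data). Header names follow the post; the values
# are made up and shortened.
CAPTURES = [
    ("A", {"Host": "api4.tianyancha.com", "version": "Android 11.4.0",
           "channelID": "YingYongBao", "X-Auth-Token": "",
           "deviceID": "d41d8cd98f00", "duid": "9e107d9d372b",
           "Authorization": "eyJhbGciOi.AAA", "tyc-hi": "7c4a8d09ca37"}),
    ("A", {"Host": "api4.tianyancha.com", "version": "Android 11.4.0",
           "channelID": "YingYongBao", "X-Auth-Token": "",
           "deviceID": "d41d8cd98f00", "duid": "9e107d9d372b",
           "Authorization": "eyJhbGciOi.AAA", "tyc-hi": "bd9d6a7c1e42"}),
    ("B", {"Host": "api4.tianyancha.com", "version": "Android 11.4.0",
           "channelID": "YingYongBao", "X-Auth-Token": "",
           "deviceID": "0cc175b9c0f1", "duid": "c81e728d9d4c",
           "Authorization": "eyJhbGciOi.BBB", "tyc-hi": "e4d909c290d0"}),
    ("B", {"Host": "api4.tianyancha.com", "version": "Android 11.4.0",
           "channelID": "YingYongBao", "X-Auth-Token": "",
           "deviceID": "0cc175b9c0f1", "duid": "c81e728d9d4c",
           "Authorization": "eyJhbGciOi.BBB", "tyc-hi": "1679091c5a88"}),
]


def classify_headers(captures):
    """Label each header 'constant', 'per-session', 'per-request' or 'absent-in-some'.

    captures: list of (session_tag, {header: value}) in capture order.
    """
    names = set()
    for _, hdrs in captures:
        names.update(hdrs)
    result = {}
    for name in sorted(names):
        values_by_session = defaultdict(set)
        present_everywhere = True
        for session, hdrs in captures:
            if name in hdrs:
                values_by_session[session].add(hdrs[name])
            else:
                present_everywhere = False
        if not present_everywhere:
            result[name] = "absent-in-some"
        elif any(len(vals) > 1 for vals in values_by_session.values()):
            result[name] = "per-request"   # changes within one session: a per-request signature
        elif len(set().union(*values_by_session.values())) > 1:
            result[name] = "per-session"   # stable inside a session, differs between sessions
        else:
            result[name] = "constant"
    return result


def headers_to_generate(captures):
    """Everything the scraper cannot simply hard-code, i.e. the reverse-engineering targets."""
    return sorted(n for n, cat in classify_headers(captures).items() if cat != "constant")


if __name__ == "__main__":
    for name, cat in classify_headers(CAPTURES).items():
        print(f"{name:15} {cat}")
    print("to generate:", headers_to_generate(CAPTURES))
```

Captures from a single session cannot tell a session-bound value such as duid apart from a true constant, which is why the sample includes a second session taken after clearing the app's data. tyc-hi changes on every request because the URL goes into it, as the hook output later in the post shows.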

3. Unpacking

  1. Open the APK in jadx. There are very few packages, which means the app is packed and has to be unpacked first.

  2. On the phone, enable the FDex2 module in Xposed, then launch the app to be unpacked. The dumped dex files show up in the output directory FDex2 is configured with.

  3. Then pull the dex files to the PC with adb pull data/user/0/com.tianyancha.skyeye/xxxx.dex <local path> and open them in jadx. The first three small files can be ruled out.

Open the remaining three one by one and search for a header name (e.g. tyc-hi). The hit is where that parameter is defined, and the function around it lists every request header name, so this is the dumped file that deals with the request parameters. Here the string 'tyc-hi' is assigned to w,

  4. so to find where the parameter is used we have to look for references to the variable w. A single letter like w matches all over the place, so the search pattern has to be varied. Since the variable must be referenced somewhere, try searching for: (.w), (.w=), (m.w), (.w,) (m.w,) and compare the hits for similar-looking code. m.w, gives exactly one hit, so open it: the other header parameters are referenced right there as well, which confirms this is where the request headers are put together.

  5. Map the parameters we need to reverse to their variables: tyc-hi—(m.w, a2)

Authorization—('Authorization', I)

duid—(m.v, g)
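The search for m.w described above can be run against the jadx output directory by script instead of by hand. The example below is added here and is not from the post; the three Java files are constructed stand-ins for decompiled classes (class and field names imitate the post's m.w, m.v and dp, the bodies are made up). It resolves each header string literal to the static field that holds it, finds whole-token references to that field (so m.w does not match m.wx or km.w), and ranks files by how many distinct header parameters they touch, which is the same criterion used above to recognise the header-building code.

```python
import re
from collections import defaultdict

# Constructed stand-in for a jadx export: three decompiled classes. Names imitate the
# obfuscated ones in the post (m.w, m.v, dp); everything else is made up.
SOURCES = {
    "com/tianyancha/skyeye/utils/m.java": '''
package com.tianyancha.skyeye.utils;
public class m {
    public static final String v = "duid";
    public static final String w = "tyc-hi";
    public static final String x = "deviceID";
}
''',
    "com/tianyancha/skyeye/net/c.java": '''
package com.tianyancha.skyeye.net;
public class c {
    public Request a(String str) {
        String I = dp.I();
        String g = dp.g();
        String a2 = dp.a(str, I, d2, N, i, "slat");
        Request.Builder b = new Request.Builder();
        b.addHeader(m.w, a2);
        b.addHeader("Authorization", I);
        b.addHeader(m.v, g);
        return b.build();
    }
}
''',
    "com/tianyancha/skyeye/ui/f.java": '''
package com.tianyancha.skyeye.ui;
public class f {
    void b() {
        int z = this.m.wx + 1;
        String s = km.w;
    }
}
''',
}

# Header names taken from the captured request
HEADER_NAMES = ["tyc-hi", "Authorization", "duid", "deviceID"]


def find_constant_fields(sources, literals):
    """Map each header literal to the (class, field) of the static String holding it."""
    found = {}
    for text in sources.values():
        cls = re.search(r"\bclass\s+(\w+)", text)
        if not cls:
            continue
        for lit in literals:
            m = re.search(r"String\s+(\w+)\s*=\s*\"" + re.escape(lit) + r"\"", text)
            if m:
                found[lit] = (cls.group(1), m.group(1))
    return found


def find_usages(sources, cls, field):
    """(path, line_no, line) for every whole-token reference to cls.field."""
    pat = re.compile(r"(?<![\w.])" + re.escape(cls) + r"\." + re.escape(field) + r"\b")
    hits = []
    for path, text in sources.items():
        for n, line in enumerate(text.splitlines(), 1):
            if pat.search(line):
                hits.append((path, n, line.strip()))
    return hits


def rank_files(sources, literals):
    """Files ordered by how many distinct header parameters they reference."""
    fields = find_constant_fields(sources, literals)
    # a static String definition is the constant itself, not a use of it
    defn = re.compile(r"static\s+(final\s+)?String\s+\w+\s*=\s*\"")
    touched = defaultdict(set)
    for lit in literals:
        if lit in fields:
            for path, _, _ in find_usages(sources, *fields[lit]):
                touched[path].add(lit)
        quoted = '"' + lit + '"'
        for path, text in sources.items():
            for line in text.splitlines():
                if quoted in line and not defn.search(line):
                    touched[path].add(lit)
    return sorted(((len(v), p) for p, v in touched.items()), reverse=True)


if __name__ == "__main__":
    print(find_constant_fields(SOURCES, HEADER_NAMES))
    for score, path in rank_files(SOURCES, HEADER_NAMES):
        print(score, path)
```

To run it on a real dump, replace SOURCES with a dict read from the directory jadx exported (jadx -d out xxxx.dex), keeping the relative paths as keys; the top-ranked file is the one to open first.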

  6. Reversing tyc-hi:

tyc-hi—(m.w, a2)—a2 = dp.a(str, I, d2, N, i, "slat")

Substituting the request-header meaning of each argument of a2 (the last argument is the fixed literal "slat", which the app passes in unchanged):

a2 = dp.a(url, authorization, app_version, '', device_id, "slat")

  7. Reversing Authorization

Authorization—('Authorization', I)—I = dp.I()

  8. Reversing duid

duid—(m.v, g)—g = dp.g()

  9. All three parameters are produced by the dp class, so hook dp.a directly and watch what is actually passed in (remember to start frida-server on the phone first):
```python
import frida
import sys

jscode_signature = """
Java.perform(function () {
    var dp = Java.use('com.tianyancha.skyeye.utils.dp');

    // Two-argument overload of dp.a: log both inputs and the return value
    dp.a.overload('java.lang.String', 'java.lang.String').implementation = function (str1, str2) {
        send('here');
        send(str1);
        send(str2);
        var return_str = this.a(str1, str2);
        send(return_str);
        return return_str;
    };

    dp.f.implementation = function () {
        var f_str = this.f();
        send('f_str:' + f_str);
        return f_str;
    };

    // Six-argument overload: this is the call that produces tyc-hi
    dp.a.overload('java.lang.String', 'java.lang.String', 'java.lang.String', 'java.lang.String', 'java.lang.String', 'java.lang.String').implementation = function (arg1, arg2, arg3, arg4, arg5, arg6) {
        send('a func6');
        send(arg1);
        send(arg2);
        send(arg3);
        send(arg4);
        send(arg5);
        send(arg6);
        var return_str = this.a(arg1, arg2, arg3, arg4, arg5, arg6);
        send('re:' + return_str);
        return return_str;
    };
});
"""


def on_message(message, data):
    if message['type'] == 'send':
        print("[*] {0}".format(message['payload']))
    else:
        print(message)


# Attach to the running app over USB (frida-server must already be up on the phone)
session = frida.get_usb_device(1000).attach('com.tianyancha.skyeye')
script = session.create_script(jscode_signature)
script.on('message', on_message)
script.load()
sys.stdin.read()
```

This prints the six arguments that are passed in, which lets us conclude

a2 = dp.a(str, I, d2, N, i, "slat")

a2 = dp.a(str, dp.I(), dz.d(), 'Android 11.4.0', '', 'slat')

Check the argument order against what the hook actually prints before relying on it: the getsig script below passes the values as (url, authorization, app_version, '', device_id, 'slat').

  10. Then write a second hook script that exposes an rpc call returning the values of the four parameters tyc-hi, Authorization, duid and deviceID. The scraper in the next step imports it as hook_sky, so save it as hook_sky.py:

```python
import frida
import sys

# Android 11.4.0
hook_code = '''
rpc.exports = {
    getsig: function (url, app_version) {
        var sig = {"tyc-hi": "", "Authorization": "", "duid": "", "deviceID": ""};
        Java.perform(function () {
            var dp = Java.use('com.tianyancha.skyeye.utils.dp');
            var duid = dp.g();
            var authorization = dp.I();
            var device_id = dp.i();
            // same argument order as the six-argument overload observed in the previous hook
            var tyc = dp.a(url, authorization, app_version, '', device_id, "slat");

            sig["tyc-hi"] = tyc;
            sig["Authorization"] = authorization;
            sig["duid"] = duid;
            sig["deviceID"] = device_id;
        });
        return sig;
    }
};
'''


def on_message(message, data):
    if message['type'] == 'send':
        print("[*] {0}".format(message['payload']))
    else:
        print(message)


def hook_prepare():
    # Attach to the running app, load the rpc script and hand it back to the caller
    session = frida.get_usb_device(1000).attach('com.tianyancha.skyeye')
    script = session.create_script(hook_code)
    script.on('message', on_message)
    script.load()
    return script


# Quick manual check; guarded so that importing this module from the scraper does not run it
if __name__ == '__main__':
    script = hook_prepare()
    sig = script.exports.getsig("https://api4.tianyancha.com/services/v3/t/details/appComIcV4/150041670?pageSize=1000", "Android 11.4.0")
    print(sig)
    sys.stdin.read()
```
  11. Now that every required parameter can be generated, write a crawler that replays the phone's request headers to pull the data from the app's API.

```python
import requests
import hook_sky


def req(url, params):
    # Replay the headers the app sends; the four generated values come from the Frida rpc call
    header = {
        'Accept-Encoding': 'gzip',
        'User-Agent': 'com.tianyancha.skyeye/Dalvik/2.1.0 (Linux; U; Android 6.0.1; Nexus 5 Build/M4B30Z; appDevice/google_QAQ_Nexus 5)',
        'Content-Type': 'application/json',
        'channelID': 'YingYongBao',
        'deviceID': '{}'.format(params['deviceID']),
        'duid': '{}'.format(params['duid']),
        'tyc-hi': '{}'.format(params['tyc-hi']),
        'version': 'Android 11.4.0',
        'X-Auth-Token': '',
        'Authorization': '{}'.format(params['Authorization']),
        'Connection': 'close',
        'Host': 'api4.tianyancha.com'
    }
    # verify=False is only needed while the traffic goes through Fiddler's proxy certificate;
    # drop it when talking to the API directly, otherwise the scraper accepts any MITM certificate
    r = requests.get(url, headers=header, verify=False, timeout=1.5)
    print(r.status_code)
    return r.text


def load():
    urls = set()
    # This file holds the Tianyancha id of each company, one per line
    with open('D:/tanyancha/urls.txt', 'r') as f:
        for line in f:
            urls.add(line.strip())
    return urls


def to_file(ids, text):
    # Directory and file name for the downloaded data; utf-8 because the JSON contains Chinese
    with open('D:/tanyancha/' + ids, 'w', encoding='utf-8') as f:
        f.write(text)


def start():
    base_url = 'https://api4.tianyancha.com/services/v3/t/details/appComIcV4/{}?pageSize=1000'
    script = hook_sky.hook_prepare()
    urls = load()
    for ids in urls:
        # tyc-hi is computed over the full URL, so a fresh signature is generated for every request
        params = script.exports.getsig(base_url.format(ids), "Android 11.4.0")
        text = req(base_url.format(ids), params)
        to_file(ids, text)


if __name__ == '__main__':
    start()
```

urls.txt download link:

Link: https://pan.baidu.com/s/1daVEzvmwJV8XvUTpWlShlw

Extraction code: 5047

The scraped data still has to be filtered before you get anything useful out of it. I won't go into that here, since... these days I only do the reverse engineering.