frida for windows

某apk简单分析

看到一些师傅有破解的文章遂想自己独立尝试

image

有加固 尝试脱壳机

image

ok啊 搞出来了 jeb打开 研究一下vip的获取方式

image

可以使用激活码 抓包看一眼 使用reqable进行抓包

image

响应

image

去dex中查找一下内容 查找一下字符串

image

在这里查找一下关于网络的方法 可以找得到关于发送的请求头

image

接下来去寻找一下解析响应的方法

image

找个方法交叉引用一下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
package com.itally.base.data;

import android.text.TextUtils;
import com.alibaba.fastjson.n;
import com.alibaba.fastjson.parser.Feature;
import com.itally.base.data.bean.DailyResponse;
import com.itally.base.data.bean.Respons401;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.UUID;
import lc.a;
import mc.c;
import okhttp3.Response;
import org.greenrobot.eventbus.EventBus;
import p2.b;
import tc.e;
import y6.h;
import zb.d;

/* loaded from: 5112868.dex */
public abstract class DailyCallBack<T> extends a<DailyResponse<T>> {
    private static final String KEY = "06fdrlDr625oTBbW";
    private final Class aClass;
    private final String content;
    private c convert = new c();

    public DailyCallBack(Class cls, String str) {
        this.aClass = cls;
        this.content = str;
    }

    public abstract void loadSuccess(DailyResponse<T> dailyResponse);

    /* JADX WARN: Multi-variable type inference failed */
    @Override // lc.a, lc.b
    public void onStart(com.lzy.okgo.request.base.c<DailyResponse<T>, ? extends com.lzy.okgo.request.base.c> cVar) {
        super.onStart(cVar);
        String valueOf = String.valueOf(yb.c.a());
        cVar.headers("timestamp", valueOf);
        String uuid = UUID.randomUUID().toString();
        if (TextUtils.isEmpty(uuid)) {
            uuid = String.valueOf((int) (Math.random() * 1000000.0d));
        }
        String replace = uuid.replace("-", "");
        cVar.headers("nonce", replace);
        ArrayList arrayList = new ArrayList();
        LinkedHashMap<String, String> linkedHashMap = cVar.getHeaders().headersMap;
        String str = linkedHashMap.get("channel");
        String str2 = linkedHashMap.get("deviceinfo");
        String str3 = linkedHashMap.get("platform");
        String str4 = linkedHashMap.get("clientversion");
        String str5 = linkedHashMap.get("deviceid");
        if (!TextUtils.isEmpty(this.content)) {
            arrayList.add(this.content);
        }
        arrayList.add(str);
        if (!TextUtils.isEmpty(str2)) {
            arrayList.add(str2);
        }
        arrayList.add(str3);
        arrayList.add(str4);
        if (!TextUtils.isEmpty(str5)) {
            arrayList.add(str5);
        }
        arrayList.add(valueOf);
        arrayList.add(replace);
        Collections.sort(arrayList);
        StringBuffer stringBuffer = new StringBuffer();
        Iterator it = arrayList.iterator();
        while (it.hasNext()) {
            String str6 = (String) it.next();
            if (str6 == null) {
                str6 = "";
            }
            stringBuffer.append(str6);
        }
        String e10 = d.e(KEY.getBytes(), stringBuffer.toString().getBytes());
        h.a("yzd", e10);
        h.a("yzd", stringBuffer.toString());
        cVar.headers("signature", e10);
    }

    @Override // lc.b
    public void onSuccess(e<DailyResponse<T>> eVar) {
        loadSuccess(eVar.a());
    }

    @Override // mc.a
    public DailyResponse<T> convertResponse(Response response) throws Throwable {
        String convertResponse = this.convert.convertResponse(response);
        response.close();
        if (convertResponse == null) {
            DailyResponse<T> dailyResponse = new DailyResponse<>();
            dailyResponse.setCode(1);
            dailyResponse.setMsg("返回body为空");
            return dailyResponse;
        }
        DailyResponse<T> dailyResponse2 = (DailyResponse) com.alibaba.fastjson.a.parseObject(convertResponse, (n) new n<DailyResponse<T>>(this.aClass) { // from class: com.itally.base.data.DailyCallBack.1
        }, (Feature[]) new b[0]);
        if (dailyResponse2.getCode() == 401) {
            EventBus.getDefault().post(new Respons401(response, this.content, convertResponse));
        }
        return dailyResponse2;
    }
}

image

这里给了一个key

image

分析一下

image

牵扯的代码有点多懒的贴图了

1
2
3
4
5
6
7
8
9
Java.perform(function(){
let d = Java.use("zb.d");
d["e"].implementation = function (bArr, bArr2) {
    console.log(`d.e is called: bArr=${bArr}, bArr2=${bArr2}`);
    let result = this["e"](bArr, bArr2);
    console.log(`d.e result=${result}`);
    return result;
};
})

image

算法助手全勾 查找对应的内容 得出加密方式

image

也对应上了

image

a3bb8036c004ac0f3f375c6d6f6eb6ee

image虽然但是想发送激活码搞通vip基本不可能 他应该是有自己的判断方法 找一下 根据字符串用户界面的字符串定位

image

image

呃呃呃 直接hook就完了

image

image

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
Java.perform(function(){
let d = Java.use("zb.d");
d["e"].implementation = function (bArr, bArr2) {
    console.log(`d.e is called: bArr=${bArr}, bArr2=${bArr2}`);
    let result = this["e"](bArr, bArr2);
    console.log(`d.e result=${result}`);
    return result;
};

let e = Java.use("v3.e");
e["d"].implementation = function () {
    console.log(`e.d is called`);
    let result = this["d"]();
    console.log(`e.d result=${result}`);
    return true;
};

let UserInfo = Java.use("com.itally.base.data.bean.UserInfo");
UserInfo["foreverVip"].implementation = function () {
    console.log(`UserInfo.foreverVip is called`);
    let result = this["foreverVip"]();
    console.log(`UserInfo.foreverVip result=${result}`);
    return true;
};

})

当然这种一退再进就没了 当然也可以手搓一个模块