Frida & Objection

1. Installing the three Frida tools

pip3 install frida

pip3 install frida-tools

pip3 install objection

What these tools do will not be repeated here; my blog and plenty of articles online already introduce them in detail, so look those up if you need the background.

2. Bypassing SSL verification

Readers who have not installed a proxy certificate yet should first read the article on moving the certificate into the system certificate directory on Android 7.0+:
http://www.zhuoyue360.com/crack/60.html

When we capture the login traffic, the login screen will almost certainly spin forever. This is not really HNA's fault; blame the DingXiang (顶象) slider captcha it integrates. All we need to do is:

  1. Start objection

    objection -g 海南航空 explore
  2. Enter the SSL pinning bypass command

    android sslpinning disable

After that, the problem of not being able to capture the subsequent packets is solved.

3. Hnairsign

The sign is very easy to locate in jadx; a single search finds it:

com.rytong.hnair.HNASignature

Once again we use the objection approach:

android hooking watch class_method com.rytong.hnair.HNASignature.getHNASignature --dump-args --dump-return
  • android: the target is an Android app
  • hooking: we are going to hook
  • watch: what to watch
  • class_method: watch a class method
  • com.rytong.hnair.HNASignature.getHNASignature: the class.method in question
  • --dump-args: print the arguments
  • --dump-return: print the return value

So as soon as the hooked function is called, we get:

com.rytong.hnair on (google: 9) [usb] # android hooking watch class_method com.rytong.hnair.HNASignature.getHNASignature --dump-args --dump-return
(agent) [001211] Called com.rytong.hnair.HNASignature.getHNASignature(java.lang.String, java.lang.String, java.lang.String, java.lang.String, java.lang.String)
(agent) [001211] Arguments com.rytong.hnair.HNASignature.getHNASignature({}, {"token":"1abfc6a328bee75ffd52da91fc4b4294_7febaea6bc72a3ec801608c1785b522b"}, {"akey":"184C5F04D8BE43DCBD2EE3ABC928F616","aname":"com.rytong.hnair","atarget":"standard","aver":"8.14.2","did":"4e3bd5a0bbf6cec3","dname":"Google_Pixel 2","gtcid":"bbea9dcebc1893ea7a3897b29b9656b6","mchannel":"official","schannel":"AD","slang":"zh-CN","sname":"google\/walleye\/walleye:9\/PQ3A.190801.002\/5670241:user\/release-keys","stime":"1650736378885","sver":"9","system":"AD","szone":"-0500","abuild":"62316","riskToken":"6263937axdP2ivNjVCVPCUEU4Erzdil2al7x0uM3","captchaToken":"","hver":"8.14.2.23509.4f05a2e32.standard","userToken":"1abfc6a328bee75ffd52da91fc4b4294_7febaea6bc72a3ec801608c1785b522b"}, 21047C596EAD45209346AE29F0350491, F6B15ABD66F91951036C955CB25B069F)
(agent) [001211] Return Value: B269846BB20D23EA698562120811EA74A461104D>>1abfc6a328bee75ffd52da91fc4b4294_7febaea6bc72a3ec801608c1785b522b62316184C5F04D8BE43DCBD2EE3ABC928F616com.rytong.hnairstandard8.14.24e3bd5a0bbf6cec3Google_Pixel 2bbea9dcebc1893ea7a3897b29b9656b68.14.2.23509.4f05a2e32.standardofficial6263937axdP2ivNjVCVPCUEU4Erzdil2al7x0uM3ADzh-CNgoogle/walleye/walleye:9/PQ3A.190801.002/5670241:user/release-keys16507363788859AD-05001abfc6a328bee75ffd52da91fc4b4294_7febaea6bc72a3ec801608c1785b522b>>F6B15ABD66F91951036C955CB25B069F
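The watch output above is printed as three flat lines per call, with JSON objects embedded in the argument list and, when copied from the terminal, the prompt and command sometimes fused onto the first line. The following is an added example (not objection's code, and not from the original post) that parses such output into one record per call id, splits arguments on top-level commas only so commas inside JSON and quoted strings survive, and masks token- and key-like JSON fields before a dump is attached to a report. The log text, class name and values in it are constructed and hypothetical; only the line format mirrors what objection prints.

```python
"""Parse the lines objection prints for `android hooking watch class_method ...
--dump-args --dump-return` into structured records, one per call id.

Added example, not objection's own code. SAMPLE_LOG is constructed: the class
name and all values are made up; only the line format mirrors objection.
"""
import json
import re
from typing import Any

# Constructed sample. The first line has the interactive prompt and the
# command fused in front of the "(agent)" marker, as happens when output is
# copied straight out of the terminal.
SAMPLE_LOG = """\
com.example.app on (google: 9) [usb] # android hooking watch class_method com.example.app.Signer.sign --dump-args --dump-return(agent) [000042] Called com.example.app.Signer.sign(java.lang.String, java.lang.String, java.lang.String)
(agent) [000042] Arguments com.example.app.Signer.sign({}, {"token":"abc_123","build":"google\\/x\\/y"}, 21047C596EAD45209346AE29F0350491)
(agent) [000042] Return Value: DEADBEEF>>abc_123>>21047C596EAD45209346AE29F0350491
"""

LINE_RE = re.compile(r"\(agent\) \[(?P<id>\d+)\] (?P<kind>Called|Arguments|Return Value:) (?P<rest>.*)$")
SECRET_KEY_RE = re.compile(r"token|key|secret|password", re.IGNORECASE)


def split_args(body: str) -> list[str]:
    """Split a dumped argument list on top-level commas only, so commas inside
    JSON objects/arrays and quoted strings are left alone."""
    if not body.strip():
        return []
    parts: list[str] = []
    buf: list[str] = []
    depth = 0
    in_str = escaped = False
    for ch in body:
        if in_str:
            buf.append(ch)
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_str = False
            continue
        if ch == '"':
            in_str = True
        elif ch in "{[":
            depth += 1
        elif ch in "}]":
            depth -= 1
        elif ch == "," and depth == 0:
            parts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    parts.append("".join(buf).strip())
    return parts


def decode_arg(raw: str) -> Any:
    """JSON-decode an argument when it is valid JSON (objects, arrays, plain
    numbers); otherwise keep the raw text, which is how objection prints
    unquoted Java strings."""
    try:
        return json.loads(raw)
    except json.JSONDecodeError:
        return raw


def parse_watch_log(text: str) -> list[dict[str, Any]]:
    """Group Called / Arguments / Return Value lines by objection's call id."""
    calls: dict[str, dict[str, Any]] = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)  # search, not match: tolerate a prompt before "(agent)"
        if not m:
            continue
        call = calls.setdefault(m["id"], {"id": m["id"]})
        rest = m["rest"]
        if m["kind"] == "Called":
            method, _, sig = rest.partition("(")
            call["method"] = method
            call["signature"] = [t.strip() for t in sig.rstrip(")").split(",") if t.strip()]
        elif m["kind"] == "Arguments":
            _, _, body = rest.partition("(")
            call["args"] = [decode_arg(a) for a in split_args(body.rstrip(")"))]
        else:
            call["return"] = rest
    return list(calls.values())


def redact(value: Any) -> Any:
    """Mask values stored under token/key/secret/password-like JSON keys
    before a dump is shared or attached to a report."""
    if isinstance(value, dict):
        return {k: ("<redacted>" if SECRET_KEY_RE.search(k) else redact(v)) for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value


if __name__ == "__main__":
    for call in parse_watch_log(SAMPLE_LOG):
        print(call["method"], [redact(a) for a in call["args"]], "->", call["return"])
```

Run it as a script to see the redacted record for the constructed sample; to process a real session, paste the terminal output into a file and pass its contents to parse_watch_log. Unquoted arguments that happen to be valid JSON numbers are decoded as numbers, which is why decode_arg keeps the raw text for everything json.loads rejects.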