某嘟牛

通过UI Automator Viewer找到登录按钮绑定的id

将 APK 拖到 jadx 进行反编译,搜索 btn_login,找到了登录函数。

定位到login()函数

/**
 * Fills the shared parameter map with the login fields and submits it to the "user/login"
 * command. jadx output; the anonymous-class comment below places it in
 * com.dodonew.online.ui.LoginActivity.
 *
 * @param userName value stored under the "username" key
 * @param pwd value stored under the "userPwd" key, exactly as passed in
 */
private void login(String userName, String pwd) {
    // Response type passed on to requestNetwork: RequestResult<User>.
    this.DEFAULT_TYPE = new TypeToken<RequestResult<User>>() { // from class: com.dodonew.online.ui.LoginActivity.1
    }.getType();
    // para is a reused field, so entries from an earlier request are dropped first.
    this.para.clear();
    this.para.put("username", userName);
    // NOTE(review): the password is put into the map as received; nothing in this method hashes it.
    this.para.put("userPwd", pwd);
    // devId is a static on the application class and is only computed when still empty.
    if (TextUtils.isEmpty(DodonewOnlineApplication.devId)) {
        DodonewOnlineApplication.devId = Utils.getDevId(DodonewOnlineApplication.getAppContext());
    }
    this.para.put("equtype", Config.equtype);
    // "loginImei" is the literal "Android" followed by the cached device id.
    this.para.put("loginImei", "Android" + DodonewOnlineApplication.devId);
    requestNetwork("user/login", this.para, this.DEFAULT_TYPE);
}

其中的 para 声明为 private Map<String, String> para;,实际类型是 HashMap。接着定位到 requestNetwork

/**
 * Builds a JsonRequest for the given command, attaches the parameter map to it and queues it.
 *
 * @param cmd path appended to the API base URL; "user/login" gets special handling on success
 * @param para request parameters, handed to JsonRequest.addRequestMap
 * @param type response type passed to the JsonRequest constructor
 */
private void requestNetwork(final String cmd, Map<String, String> para, Type type) {
    showProgress();
    // NOTE(review): the base URL is http://, so nothing at this layer gives the request TLS
    // protection; the body relies on whatever addRequestMap does to it.
    String url = "http://api.dodovip.com/api/" + cmd;
    this.request = new JsonRequest(this, url, "", new Response.Listener<RequestResult>() { // from class: com.dodonew.online.ui.LoginActivity.2
        @Override // com.android.volley.Response.Listener
        public void onResponse(RequestResult requestResult) {
            // C0584a.f665e is an obfuscated constant; presumably the success code (confirm in jadx).
            if (requestResult.code.equals(C0584a.f665e)) {
                if (cmd.equals("user/login")) {
                    // The returned User is kept in a static field on the application class.
                    DodonewOnlineApplication.loginUser = (User) requestResult.data;
                    DodonewOnlineApplication.loginLabel = "mobile";
                    Utils.saveJson(LoginActivity.this, DodonewOnlineApplication.loginLabel, Config.LOGINLABEL_JSON);
                    LoginActivity.this.intentMainActivity();
                }
            } else {
                // Any other code: the server-supplied message is shown to the user.
                LoginActivity.this.showToast(requestResult.message);
            }
            LoginActivity.this.dissProgress();
        }
    }, this, type);
    this.request.addRequestMap(para, 0); // the map of login fields is handed to addRequestMap, which belongs to JsonRequest
    DodonewOnlineApplication.addRequest(this.request, this);
}

定位到 JsonRequest.addRequestMap

/**
 * Turns the parameter map into the request body: adds a timestamp, serialises the map through
 * RequestUtil.paraMap, passes the result through RequestUtil.encodeDesMap and wraps the output
 * in a JSON object under the "Encrypt" key.
 *
 * @param addMap request parameters; a null map is replaced by an empty one
 * @param a not referenced anywhere in this method body
 */
public void addRequestMap(Map<String, String> addMap, int a) {
    // Millisecond timestamp as a decimal string.
    String time = System.currentTimeMillis() + "";
    if (addMap == null) {
        addMap = new HashMap<>();
    }
    // The caller's map is mutated: "timeStamp" is added in place.
    addMap.put("timeStamp", time);
    // Presumably builds the parameter string and a signature field named "sign" using
    // Config.BASE_APPEND; confirm in RequestUtil.paraMap.
    String code = RequestUtil.paraMap(addMap, Config.BASE_APPEND, "sign");
    // NOTE(review): key and IV are fields of this client-side object, so this step cannot be
    // relied on for confidentiality against someone who holds the app. Where desKey and desIV
    // are initialised is not shown here.
    String encrypt = RequestUtil.encodeDesMap(code, this.desKey, this.desIV);
    JSONObject obj = new JSONObject();
    try {
        obj.put("Encrypt", encrypt);
        this.mRequestBody = obj + "";
    } catch (JSONException e) {
        // On failure mRequestBody keeps its previous value; the error is only printed.
        e.printStackTrace();
    }
}

对 addRequestMap 进行 hook

// Frida script: replaces JsonRequest.addRequestMap(Map, int) with a wrapper that prints the
// parameter map and then delegates to the original method.
Java.perform(function () {
    const JsonRequest = Java.use("com.dodonew.online.http.JsonRequest");
    const target = JsonRequest.addRequestMap.overload('java.util.Map', 'int');

    target.implementation = function (paramMap, flag) {
        // View the Map argument as a java.util.HashMap before logging it.
        // At this point the map still holds "username" and "userPwd" in clear; the timestamp,
        // signature and encryption are applied inside the original method.
        const asHashMap = Java.cast(paramMap, Java.use("java.util.HashMap"));
        console.log(asHashMap);

        // The original is called for its side effects only; the wrapper returns nothing.
        this.addRequestMap(paramMap, flag);
    };
});

可以打印出登录信息(此时 Map 中的用户名和密码仍是明文,尚未加入时间戳、签名和加密)

继续对 equtype, loginImei进行分析

/**
 * Login entry point, shown again to trace where "equtype" and "loginImei" come from.
 *
 * @param userName value stored under the "username" key
 * @param pwd value stored under the "userPwd" key
 */
private void login(String userName, String pwd) {
    this.DEFAULT_TYPE = new TypeToken<RequestResult<User>>() { // from class: com.dodonew.online.ui.LoginActivity.1
    }.getType();
    this.para.clear();
    this.para.put("username", userName);
    this.para.put("userPwd", pwd);
    // The device id is computed once from the application context and cached in a static field,
    // so it does not depend on userName or pwd.
    if (TextUtils.isEmpty(DodonewOnlineApplication.devId)) {
        DodonewOnlineApplication.devId = Utils.getDevId(DodonewOnlineApplication.getAppContext());
    }
    // "equtype" is read straight from the Config class.
    this.para.put("equtype", Config.equtype);
    // "loginImei" = "Android" + cached device id. How Utils.getDevId derives the id is not
    // shown here.
    this.para.put("loginImei", "Android" + DodonewOnlineApplication.devId);
    requestNetwork("user/login", this.para, this.DEFAULT_TYPE);
}

可以发现Config.equtype是config文件里的内容,分析 DodonewOnlineApplication.devId

更改用户名后再次 hook,发现 loginImei 不变,猜测它是固定的 ID(由 "Android" 加上 devId 拼接而成)

分析addRequestMap

/**
 * Builds the request body from the parameter map, shown again to follow the two intermediate
 * values: {@code code} (output of RequestUtil.paraMap) and {@code encrypt} (output of
 * RequestUtil.encodeDesMap).
 *
 * @param addMap request parameters; a null map is replaced by an empty one
 * @param a not referenced anywhere in this method body
 */
public void addRequestMap(Map<String, String> addMap, int a) {
    String time = System.currentTimeMillis() + "";
    if (addMap == null) {
        addMap = new HashMap<>();
    }
    // The timestamp is added before paraMap runs, so it is part of paraMap's input.
    addMap.put("timeStamp", time);
    String code = RequestUtil.paraMap(addMap, Config.BASE_APPEND, "sign"); // code is: (value not shown on the page)
    // encodeDesMap receives the plaintext together with the key and IV as ordinary String
    // arguments taken from fields of this object.
    String encrypt = RequestUtil.encodeDesMap(code, this.desKey, this.desIV);
    JSONObject obj = new JSONObject();
    try {
        // The body sent to the server is a JSON object with the single key "Encrypt".
        obj.put("Encrypt", encrypt);
        this.mRequestBody = obj + "";
    } catch (JSONException e) {
        // The exception is printed and otherwise ignored; mRequestBody is left unchanged.
        e.printStackTrace();
    }
}

对 RequestUtil.encodeDesMap 进行 hook:

// Frida script: wraps RequestUtil.encodeDesMap(String, String, String) to print its three
// arguments and its return value, then hands the unchanged result back to the caller.
Java.perform(function () {
    const RequestUtil = Java.use("com.dodonew.online.http.RequestUtil");
    const target = RequestUtil.encodeDesMap.overload('java.lang.String', 'java.lang.String', 'java.lang.String');

    target.implementation = function (data, desKey, desIV) {
        // data is the string produced by RequestUtil.paraMap in addRequestMap; the key and IV
        // arrive here as plain String arguments.
        console.log(`RequestUtil.encodeDesMap is called: data=${data}, desKey=${desKey}, desIV=${desIV}`);

        // Delegate to the original implementation so the app's behaviour is not altered.
        const result = this.encodeDesMap(data, desKey, desIV);
        console.log(`RequestUtil.encodeDesMap result=${result}`);
        return result; // result is: (value not shown on the page)
    };
});