一: 准备
APP: 某眼查
版本: 11.4.0
工具: xposed, FDex2, JustTrustMe, Fiddler, jadx
二. 抓包
- 打开Fiddler,打开天眼查抓包(开启JustTrustMe能抓到包)
我们抓取工商信息这块,查看Fiddler上面的body这块,因为传输数据,所以包肯定是比较大的,点开看右边的json格式能看到和工商信息里面的相符的内容,说明这就是我们需要抓取的数据包了.
- 查看抓到包的请求头,找出我们需要自动生成的参数: tyc-hi, Authorization,duid
(某音的逆向文章有说怎么找)
三.脱壳
-
用jadx打开该app,文件夹特别少,说明该app加壳了,需要我们脱壳.
-
手机打开Xposed里的FDex2模块
再打开要脱壳的软件,在FDex2的目录下面就能看到脱壳文件了.
3. 然后用adb pull data/user/0/com.tianyancha.skyeye/xxxx.dex 电脑路径 把这几个dex文件全都放到电脑上,再用jadx打开. 文件内容可以排除前三个小文件
逐个打开后面三个文件,然后搜请求头的关键字(如tyc-hi),找到定义该参数的地方,定位到该函数,这里有请求头的所有的参数名,所以可以确定该文件是获取请求参数的壳文件了.在这里把’tyc-hi’赋值给了w ,
-
所以要定位到该参数的位置应该定位变量w,而w的重复概率很大,所以要变个模式搜.因为要调用该变量可以尝试搜索: (.w),(.w=),(m.w),(.w,)(m.w,) 然后看定位代码,找相似的,这里用的m.w, 找出只有一个,所以点进去看了一下.能找到定位到的其他参数,所以可以确定这里是请求头的参数操作位置了
-
找到需要逆向的参数所对应的变量: tyc-hi—(m.w, a2)
Authorization—(‘Authorization’,I)
duid—(m.v, g)
- tyc-hi的逆向分析:
tyc-hi — (m.w, a2) — a2 = dp.a(str, I, d2, N, i, “slat”)
把a2里面的参数替代成请求头:
a2 = (url, authorization, app_version, ‘’, device_id, “slat”)
- Authorization的逆向分析
Authorization—(‘Authorization’, I)—I = dp.I()
- duid的逆向分析
duid—(m.v, g) — g = dp.g()
- 三个参数的生成方法都涉及到了dp方法,我们直接hook dp.a方法(记得手机启动frida-server)
import frida, sys
jscode_signatue = """
Java.perform(
function() {
var dp = Java.use('com.tianyancha.skyeye.utils.dp');
dp.a.overload('java.lang.String', 'java.lang.String').implementation = function(str1, str2) {
send('here');
send(str1);
send(str2);
var return_str = this.a(str1, str2);
send(return_str);
return return_str;
},
dp.f.implementation = function() {
var f_str = this.f();
send('f_str:'+f_str);
return f_str;
},
dp.a.overload('java.lang.String', 'java.lang.String', 'java.lang.String', 'java.lang.String', 'java.lang.String', 'java.lang.String').implementation = function(arg1, arg2, arg3, arg4, arg5, arg6) {
send('a func6');
send(arg1);
send(arg2);
send(arg3);
send(arg4);
send(arg5);
send(arg6);
var return_str = this.a(arg1, arg2, arg3, arg4, arg5, arg6);
send('re:'+return_str);
return return_str;
}
}
)
"""
def on_message(message, data):
if message['type'] == 'send':
print("[*] {0}".format(message['payload']))
else:
print(message)
process = frida.get_usb_device(1000).attach('com.tianyancha.skyeye')
script = process.create_script(jscode_signatue)
script.on('message', on_message)
script.load()
sys.stdin.read()
打印出传的六个参数,
可以推出a2 = dp.a(str, I, d2, N, i, “slat”)
a2 = dp.a(str, dp.I(), dz.d(), ’Android 11.4.0’, ‘’, ‘slat’)
- 然后再写一个hook程序,打印tyc-hi, Authorization, duid, deviceID这四个参数的值
import frida,sys
#Android 11.4.0
hook_code = '''
rpc.exports = {
getsig: function(url, app_version){
var sig = {"tyc-hi":"", "Authorization":"", "duid":"", "deviceID":""};
Java.perform(
function(){
var dp = Java.use('com.tianyancha.skyeye.utils.dp');
var duid = dp.g();
var authorization = dp.I();
var device_id = dp.i()
var tyc = dp.a(url, authorization, app_version, '', device_id, "slat")
sig["tyc-hi"] = tyc;
sig["Authorization"] = authorization;
sig["duid"] = duid;
sig["deviceID"] = device_id;
}
)
return sig;
}
}
'''
def on_message(message, data):
if message['type'] == 'send':
print("[*] {0}".format(message['payload']))
else:
print(message)
def hook_prepare():
process = frida.get_usb_device(1000).attach('com.tianyancha.skyeye')
script = process.create_script(hook_code)
script.on('message', on_message)
script.load()
return script
process = frida.get_usb_device().attach('com.tianyancha.skyeye')
script = process.create_script(hook_code)
script.on('message', on_message)
script.load()
sig = script.exports.getsig("https://api4.tianyancha.com/services/v3/t/details/appComIcV4/150041670?pageSize=1000","Android 11.4.0")
print(sig)
sys.stdin.read()
urls = set()
# 该文件下放着每个公司对应的天眼查id
with open('D:/tanyancha/urls.txt', 'r') as f:
for line in f:
urls.add(line.strip())
return urls
def to_file(ids, text):
# 下载的文件存储的目录以及名字
with open('D:/tanyancha/'+ids, 'w') as f:
f.write(text)
def start():
base_url = 'https://api4.tianyancha.com/services/v3/t/details/appComIcV4/{}?pageSize=1000'
script = hook_sky.hook_prepare()
urls = load()
for ids in urls:
params = script.exports.getsig(base_url.format(ids), "Android 11.4.0")
text = req(base_url.format(ids), params)
to_file(ids, text)
start()
```
11. 需要的参数生成方法都获取到了,接下来写个爬虫程序模拟手机的请求头就可以抓取app上的数据了.
```python
import requests
import hook_sky
def req(url, params):
header = {
'Accept-Encoding': 'gzip',
'User-Agent': 'com.tianyancha.skyeye/Dalvik/2.1.0 (Linux; U; Android 6.0.1; Nexus 5 Build/M4B30Z; appDevice/google_QAQ_Nexus 5)',
'Content-Type': 'application/json',
'channelID': 'YingYongBao',
'deviceID': '{}'.format(params['deviceID']),
'duid': '{}'.format(params['duid']),
'tyc-hi': '{}'.format(params['tyc-hi']),
'version': 'Android 11.4.0',
'X-Auth-Token': '',
'Authorization': '{}'.format(params['Authorization']),
'Connection': 'close',
'Host': 'api4.tianyancha.com'
}
r = requests.get(url, headers=header, verify=False, timeout=1.5)
print(r.status_code)
return r.text
def load():
urls = set()
# 该文件下放着每个公司对应的天眼查id
with open('D:/tanyancha/urls.txt', 'r') as f:
for line in f:
urls.add(line.strip())
return urls
def to_file(ids, text):
# 下载的文件存储的目录以及名字
with open('D:/tanyancha/'+ids, 'w') as f:
f.write(text)
def start():
base_url = 'https://api4.tianyancha.com/services/v3/t/details/appComIcV4/{}?pageSize=1000'
script = hook_sky.hook_prepare()
urls = load()
for ids in urls:
params = script.exports.getsig(base_url.format(ids), "Android 11.4.0")
text = req(base_url.format(ids), params)
to_file(ids, text)
start()
urls.txt下载链接:
链接:https://pan.baidu.com/s/1daVEzvmwJV8XvUTpWlShlw
提取码:5047
爬下来的数据还要进行筛选才能得到有用的数据,这就不过多的说了,毕竟…我现在只做逆向.