安卓逆向入门练习之电影天堂APP逆向分析
Posted asmcvc
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了安卓逆向入门练习之电影天堂APP逆向分析相关的知识,希望对你有一定的参考价值。
准备
- 抓包环境及工具准备,参考:使用Fiddler对安卓App抓包
- APP:电影天堂APP,版本:3.5.0
抓包
使用fiddler在模拟器里对App进行抓包,拦截到四种类型的数据:
- http://m.dydytt.net:8080/adminapi/api/version.json?vs=0
- http://m.dydytt.net:8080/adminapi/api/movieCategory.json
- http://m.dydytt.net:8080/adminapi/api/movieList.json?categoryId=9&page=1&searchContent=
- http://m.dydytt.net:8080/adminapi/api/movieDetail.json?categoryId=9&movieDetailId=26695
- http://m.dydytt.net:8080/adminapi/api/movieList.json?categoryId=0&page=1&searchContent=%E5%93%A5%E6%96%AF%E6%8B%89
对应的App的功能分别是:
- 检查版本
- 获取电影分类列表
- 查看某个分类下的电影列表
- 查看某个电影的详情
- 搜索影片
全部是GET请求,使用fiddler可以重放数据,但是在浏览器里直接访问没有数据返回,初步判断数据有加密和校验,于是把fiddler发送的数据头也都拦截下来分析。
接口:检查版本
GET http://m.dydytt.net:8080/adminapi/api/version.json?vs=0 HTTP/1.1
x-header-request-timestamp: 1615546857
x-header-request-imei: 89860081015389554942
x-header-request-key: 2ca2eee903e0fbebc66c47ac0f8d0283
Host: m.dydytt.net:8080
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: okhttp/3.8.0
返回:
"code":12,"name":"3.5.0","downloadUrl":"http://m.dytt8.net/dytt8.apk","size":"1.88MB","adtime":3,"limitVersion":10
接口:获取电影分类列表
GET http://m.dydytt.net:8080/adminapi/api/movieCategory.json HTTP/1.1
x-header-request-timestamp: 1615546857
x-header-request-imei: 89860081015389554942
x-header-request-key: 2ca2eee903e0fbebc66c47ac0f8d0283
Host: m.dydytt.net:8080
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: okhttp/3.8.0
返回:
"categoryDtoList":["id":9,"name":"最新电影","id":10,"name":"综合电影","id":1,"name":"华语电影","id":2,"name":"欧美电影","id":3,"name":"日韩电影","id":4,"name":"华语电视","id":5,"name":"欧美电视","id":6,"name":"日韩电视","id":7,"name":"综艺","id":8,"name":"动漫"],"adDtoList":["id":6,"name":"cq.l1","adOpen":2,"categoryId":1,"picUrl":"https://cscdn1.39d83s.com/b/11/3148/233466/1589264944329-640X100.jpg","id":7,"name":"bz.l2","adOpen":2,"categoryId":1,"picUrl":"https://cscdn1.39d83s.com/b/11/3148/233457/1587378357232-640X100.gif","id":11,"name":"bz.n1","adOpen":2,"categoryId":3,"picUrl":"https://cscdn1.39d83s.com/b/11/3148/233457/1587378357232-640X100.gif"]
接口:查看某个分类下的电影列表
GET http://m.dydytt.net:8080/adminapi/api/movieList.json?categoryId=9&page=1&searchContent= HTTP/1.1
x-header-request-timestamp: 1615547011
x-header-request-imei: 89860081015389554942
x-header-request-key: 07f57092a22f5b1a1831951d1b80a5be
Host: m.dydytt.net:8080
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: okhttp/3.8.0
返回:
"total":3007,"rows":["id":26703,"categoryId":9,"name":"2021年获奖剧情《犹大与黑弥赛亚》BD中英双字","publishTime":"2021-03-12","id":26695,"categoryId":9,"name":"2021年惊悚《较量2/误杀瞒天记2》BD中英双字","publishTime":"2021-03-09","id":26691,"categoryId":9,"name":"2020年获奖剧情《85年盛夏》BD中英双字","publishTime":"2021-03-08","id":26690,"categoryId":9,"name":"2021年获奖剧情《米纳里/梦想之地》BD韩语中字","publishTime":"2021-03-08","id":26679,"categoryId":9,"name":"2021年喜剧《美国之旅2》BD中英双字","publishTime":"2021-03-08","id":26678,"categoryId":9,"name":"2021年奇幻《寻龙传说/魔龙王国》BD中英双字","publishTime":"2021-03-07","id":26677,"categoryId":9,"name":"2021年喜剧《失恋反攻队/阿索的故事》BD国粤双语中字","publishTime":"2021-03-07","id":26664,"categoryId":9,"name":"2021年喜剧音乐《女生要革命》BD中英双字","publishTime":"2021-03-06","id":26661,"categoryId":9,"name":"2021年惊悚剧情《毛里塔尼亚人》BD中英双字","publishTime":"2021-03-06","id":26660,"categoryId":9,"name":"2020年剧情《送你一朵小红花》HD国语中英双字","publishTime":"2021-03-06","id":26659,"categoryId":9,"name":"2021年喜剧《猫和老鼠》BD中英双字","publishTime":"2021-03-05","id":26658,"categoryId":9,"name":"2021年获奖剧情《打开心世界》BD中英双字","publishTime":"2021-03-05","id":26653,"categoryId":9,"name":"2020年获奖剧情《亲爱的房客》BD国语中字","publishTime":"2021-03-03","id":26644,"categoryId":9,"name":"2019年7.6分剧情悬疑《伊丽莎白不见了》BD中英双字","publishTime":"2021-03-02","id":26483,"categoryId":9,"name":"2020年动作《救赎之日》BD中英双字幕","publishTime":"2021-03-02","id":26636,"categoryId":9,"name":"2020年动作喜剧《OK老板娘》BD韩语中字","publishTime":"2021-03-01","id":26635,"categoryId":9,"name":"2020年获奖剧情《所有死者》BD中英双字","publishTime":"2021-03-01","id":26638,"categoryId":9,"name":"2019年高分喜剧《最初的梦想》BD中字","publishTime":"2021-03-01","id":26631,"categoryId":9,"name":"2021年科幻悬疑惊悚《缉魂》HD国语中英双字","publishTime":"2021-02-27","id":26630,"categoryId":9,"name":"2020年剧情《吉祥如意》HD国语中英双字","publishTime":"2021-02-27","id":26628,"categoryId":9,"name":"2021年喜剧《弗罗拉与松鼠侠》BD中英双字","publishTime":"2021-02-25","id":26622,"categoryId":9,"name":"2020年剧情爱情《我的一生》BD中英双字","publishTime":"2021-02-23","id":26621,"categoryId":9,"name":"2020年喜剧《半血缘兄弟》BD中英双字","publishTime":"2021-02-23","id":26612,"categoryId":9,"name":"2020年动作《拆弹专家2》HD国语中英双字","publishTime":"2021-02-21","id":26611,"categoryId":9,"name":"2020年剧情喜剧《同学麦娜丝》HD国语中字","publishTime":"2021-02-21","id":26603,"categoryId":9,"name":"2020年动画喜剧《疯狂原始人2》BD国英双语双字","publishTime":"2021-02-18","id":26602,"categoryId":9,"name":"2020年悬疑《圣何塞谋杀案》BD国粤双语中字","publishTime":"2021-02-18","id":26601,"categoryId":9,"name":"2021年爱情喜剧《大红包》HD国语中字","publishTime":"2021-02-17","id":26598,"categoryId":9,"name":"2021年惊悚《丝绸之路》BD中英双字","publishTime":"2021-02-17","id":26597,"categoryId":9,"name":"2021年惊悚恐怖《致命弯道重启版》BD中英双字幕","publishTime":"2021-02-16"]
接口:查看某个电影的详情
GET http://m.dydytt.net:8080/adminapi/api/movieDetail.json?categoryId=9&movieDetailId=26703 HTTP/1.1
x-header-request-timestamp: 1615549920
x-header-request-imei: 89860081015389554942
x-header-request-key: fbf9eeb7c5b0435d5f21f9c0a702a19a
Host: m.dydytt.net:8080
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: okhttp/3.8.0
返回:
"id":26703,"categoryId":9,"name":"2021年获奖剧情《犹大与黑弥赛亚》BD中英双字","publishTime":"2021-03-12","homePicUrl":"https://img9.doubanio.com/view/photo/l_ratio_poster/public/p2620539710.jpg","content":"◎译 名 犹大与黑弥赛亚/耶稣是我同伙/耶稣是我同伴/耶稣曾是我兄弟\\r\\n◎片 名 Judas and the Black Messiah/Jesus Is My Homeboy\\r\\n◎年 代 2021\\r\\n◎产 地 美国\\r\\n◎类 别 剧情/传记/历史\\r\\n◎语 言 英语\\r\\n◎字 幕 中英双字\\r\\n◎上映日期 2021-02-12(美国)\\r\\n◎IMDb评分 7.7/10 from 20431 users\\r\\n◎豆瓣评分 7.2/10 from 879 users\\r\\n◎片 长 126分钟\\r\\n◎导 演 沙卡·金 Shaka King\\r\\n◎编 剧 威尔·伯森 Will Berson\\r\\n 沙卡·金 Shaka King\\r\\n 肯尼斯·卢卡斯 Kenneth Lucas\\r\\n 基斯·卢卡斯 Keith Lucas\\r\\n◎主 演 丹尼尔·卡卢亚 Daniel Kaluuya\\r\\n 勒凯斯·斯坦菲尔德 Lakeith Stanfield\\r\\n 杰西·普莱蒙 Jesse Plemons\\r\\n 多米尼克·菲什巴克 Dominique Fishback\\r\\n 艾什顿·桑德斯 Ashton Sanders\\r\\n 阿尔吉·史密斯 Algee Smith\\r\\n 达里尔·布里特-吉布森 Darrell Britt-Gibson\\r\\n 里尔·莱尔·哈瓦瑞 Lil Rel Howery\\r\\n 多米尼克·索恩 Dominique Thorne\\r\\n 马丁·辛 Martin Sheen\\r\\n 阿马里·切托姆 Amari Cheatom\\r\\n 克里斯·戴维斯 Khris Davis\\r\\n 伊恩·达夫 Ian Duff\\r\\n 卡勒布·埃伯哈特 Caleb Eberhardt\\r\\n 罗伯特·朗斯特里特 Robert Longstreet\\r\\n 汤米·拉菲特 Tommy Lafitte\\r\\n 特雷勒·希尔 Terayle Hill\\r\\n 齐纳·萨维尔斯 China Shavers\\r\\n 迈克尔·哈瑞蒂 Michael 'Mick' Harrity\\r\\n 迈克尔·博诺莫 Michael Buonomo\\r\\n 布莱恩·鲍曼 Brian Bowman\\r\\n 杰梅因·福勒 Jermaine Fowler\\r\\n 洛根·弗莱 Logan Fry\\r\\n 泰拉·乔伊·史密斯 Tyra Joy Smith\\r\\n 史蒂夫·里佐 Steve Rizzo\\r\\n 亚伦·克莱伯 Aaron Kleiber\\r\\n 小约翰·韦斯特 John West Jr.\\r\\n 尼克·芬克 Nick Fink\\r\\n\\r\\n◎标 签 美国 | 历史 | 传记 | 黑豹党 | 政治 | 2021 | 剧情 | 2020\\r\\n\\r\\n◎简 介\\r\\n\\r\\n 影片改编自真人真事。讲述了1960年代美国黑人社团黑豹党历史上的真实事件,故事聚焦于Hampton之死,他于1969年被杀,死于芝加哥警察局和FBI组织的一次突袭行动。警方开了80枪,而“黑豹党”成员一共只开了一枪,这一枪还是来自于一位成员被警方打死后的肌肉收缩。Hampton与怀孕的未婚妻正在睡觉时,头部被近距离射杀2枪,他当晚被下了药,根本没听见任何警方的动静,死后尸体被拖进小巷中,年仅21岁。经过审讯,他的死被判定为“正当杀人”,后来在1982年,以185万美元的赔偿数额,达到了民事诉讼的庭外和解。\\r\\n\\r\\n◎获奖情况\\r\\n\\r\\n 第78届金球奖 (2021)\\r\\n 电影类最佳男配角 丹尼尔·卡卢亚\\r\\n 电影类最佳原创歌曲(提名)\\r\\n \\r\\n 第27届美国演员工会奖 (2021)\\r\\n 电影奖最佳男配角(提名) 丹尼尔·卡卢亚\\r\\n \\r\\n 第23届美国服装设计工会奖 (2021)\\r\\n 年代电影最佳服装设计(提名) 查利斯·安托瓦内特·琼斯\\r\\n \\r\\n 第92届美国国家评论协会奖 (2020)\\r\\n 年度佳片\\r\\n \\r\\n 第26届美国评论家选择电影奖 (2021)\\r\\n 最佳男配角 丹尼尔·卡卢亚\\r\\n 最佳群戏(提名)\\r\\n 最佳歌曲(提名)\\r\\n \\r\\n 第21届美国电影学会奖 (2020)\\r\\n 年度佳片","pics":"upload/","downloadUrl":"magnet:?xt=urn:btih:b9a5ca6e85e1562f73192af08f25c54ebe31964d&dn=%e9%98%b3%e5%85%89%e7%94%b5%e5%bd%b1www.ygdy8.com.%e7%8a%b9%e5%a4%a7%e4%b8%8e%e9%bb%91%e5%bc%a5%e8%b5%9b%e4%ba%9a.2021.1080P.%e4%b8%ad%e8%8b%b1%e5%8f%8c%e5%ad%97.mkv&tr=udp%3a%2f%2ftracker.opentrackr.org%3a1337%2fannounce&tr=udp%3a%2f%2fexodus.desync.com%3a6969%2fannounce;"
接口:搜索影片
GET http://m.dydytt.net:8080/adminapi/api/movieList.json?categoryId=0&page=1&searchContent=%E5%93%A5%E6%96%AF%E6%8B%89 HTTP/1.1
x-header-request-timestamp: 1618198266
x-header-request-imei: 89860081015389554942
x-header-request-key: 9ad8c59b2266a0960133ea74937de4e7
Host: m.dydytt.net:8080
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: okhttp/3.8.0
返回:
"total":10,"rows":["id":26763,"categoryId":9,"name":"2021年动作科幻《哥斯拉大战金刚》BD中英双字","publishTime":"2021-04-01","id":24494,"categoryId":9,"name":"2019年科幻动作《哥斯拉2:怪兽之王》BD中英双字幕","publishTime":"2019-08-14","id":23578,"categoryId":9,"name":"2018年科幻动画《哥斯拉:噬星者》BD国日双语中英双字","publishTime":"2019-01-10","id":23572,"categoryId":9,"name":"2018年科幻动画《哥斯拉:决战之都》BD日英双语双字","publishTime":"2019-01-09","id":22655,"categoryId":10,"name":"2018年科幻动画《哥斯拉:决战之都》BD日英双语双字","publishTime":"2018-07-19","id":22075,"categoryId":10,"name":"2017年动画《哥斯拉:怪兽行星》BD日英双语双字幕","publishTime":"2018-03-26","id":21680,"categoryId":9,"name":"2017年动画《哥斯拉:怪兽行星》BD日英双语中英双字幕","publishTime":"2018-01-21","id":20343,"categoryId":9,"name":"2016年科幻惊悚《新哥斯拉》BD日语中字","publishTime":"2017-04-04","id":16511,"categoryId":9,"name":"2014年科幻动作《哥斯拉》BD中英双字幕","publishTime":"2014-08-23","id":744,"categoryId":10,"name":"1024分辨率《哥斯拉》BD中英双字","publishTime":"2009-11-14"]
找KEY
想要构造APP,需要把以上接口中的的几个关键值搞明白:
x-header-request-timestamp | 时间戳(单位秒,10位长度的整数) |
x-header-request-imei | 手机设备的IMEI,这个可以随意构造一个字符串 |
x-header-request-key | KEY |
这个KEY是从NATIVE层的接口函数Java_com_movies_jni_Verify_headerRequestKey获取的,因此需要分析下SO的代码:
int __fastcall Java_com_movies_jni_Verify_headerRequestKey(_JNIEnv *a1, int a2, int a3, int a4, int a5)
int v5; // STB0_4
int v6; // STA8_4
int v7; // STA4_4
int v8; // STA0_4
int v9; // ST9C_4
int v10; // ST98_4
int v11; // ST94_4
int v12; // ST90_4
int v13; // ST88_4
int v14; // ST84_4
int v15; // ST80_4
int v16; // ST78_4
int v17; // ST70_4
int v18; // ST6C_4
int v19; // ST68_4
int v20; // ST64_4
char *s1; // ST60_4
int v22; // ST50_4
int v23; // ST4C_4
int v24; // ST48_4
int v25; // ST44_4
char *v27; // [sp+54h] [bp-7Ch]
char *src; // [sp+58h] [bp-78h]
char *dest; // [sp+5Ch] [bp-74h]
int v30; // [sp+ACh] [bp-24h]
_JNIEnv *v31; // [sp+B8h] [bp-18h]
v31 = a1;
v5 = a3;
v30 = a4;
v6 = _JNIEnv::GetObjectClass(a1, a3);
v7 = _JNIEnv::GetMethodID(v31, v6, "getPackageManager", "()Landroid/content/pm/PackageManager;");
v8 = _JNIEnv::CallObjectMethod(v31, v5, v7);
v9 = _JNIEnv::GetObjectClass(v31, v8);
v10 = _JNIEnv::GetMethodID(v31, v9, "getPackageInfo", "(Ljava/lang/String;I)Landroid/content/pm/PackageInfo;");
v11 = _JNIEnv::GetObjectClass(v31, v5);
v12 = _JNIEnv::GetMethodID(v31, v11, "getPackageName", "()Ljava/lang/String;");
_JNIEnv::CallObjectMethod(v31, v5, v12);
v13 = _JNIEnv::CallObjectMethod(v31, v8, v10);
v14 = _JNIEnv::GetObjectClass(v31, v13);
v15 = _JNIEnv::GetFieldID(v31, v14, "signatures", "[Landroid/content/pm/Signature;");
v16 = _JNIEnv::GetObjectField(v31, v13, v15);
_JNIEnv::GetArrayLength(v31, v16);
v17 = _JNIEnv::GetObjectArrayElement(v31, v16);
v18 = _JNIEnv::GetObjectClass(v31, v17);
v19 = _JNIEnv::GetMethodID(v31, v18, "toCharsString", "()Ljava/lang/String;");
v20 = _JNIEnv::CallObjectMethod(v31, v17, v19);
s1 = (char *)_JNIEnv::GetStringUTFChars(v31, v20, 0);
if ( strcmp(s1, RELEASE_SIGN) )
return _JNIEnv::NewStringUTF(v31, (const char *)&unk_291D);
dest = (char *)malloc(0x78u);
strcpy(dest, ENCRYPT_KEY);
strcat(dest, X_HEADER_REQUEST_TIMESTAMP);
strcat(dest, "=");
src = (char *)_JNIEnv::GetStringUTFChars(v31, a5, 0);
if ( src )
strcat(dest, src);
strcat(dest, X_HEADER_REQUEST_IMEI);
strcat(dest, "=");
v27 = (char *)_JNIEnv::GetStringUTFChars(v31, v30, 0);
if ( v27 )
strcat(dest, v27);
v22 = _JNIEnv::FindClass(v31, "com/movies/utils/digest/Digest");
v23 = _JNIEnv::GetMethodID(v31, v22, "<init>", "()V");
v24 = _JNIEnv::NewObject(v31, v22, v23);
v25 = _JNIEnv::GetMethodID(v31, v22, "md5Hex", "(Ljava/lang/String;)Ljava/lang/String;");
_JNIEnv::NewStringUTF(v31, dest);
free(dest);
return _JNIEnv::CallObjectMethod(v31, v24, v25);
大致能看出代码逻辑:计算App签名信息,如果不和预置的相同则退出,否则计算key,key的计算方法如下(…表示字符串连接):
key = MD5(ENCRYPT_KEY..X_HEADER_REQUEST_TIMESTAMP..'='时间戳..X_HEADER_REQUEST_IMEI..IMEI)
双击代码找到字符串:
.data:00004004 EXPORT RELEASE_SIGN
.data:00004004 RELEASE_SIGN DCD a30820349308202 ; DATA XREF: LOAD:00000330↑o
.data:00004004 ; Java_com_movies_jni_Verify_headerRequestKey+12E↑o ...
.data:00004004 ; "3082034930820231a003020102020470c4609a3"...
.data:00004008 EXPORT ENCRYPT_KEY
.data:00004008 ENCRYPT_KEY DCD aWq0lqbluth66 ; DATA XREF: LOAD:00000340↑o
.data:00004008 ; Java_com_movies_jni_Verify_headerRequestKey+14E↑o ...
.data:00004008 ; "wq0LQbLUTH66"
.data:0000400C 以上是关于安卓逆向入门练习之电影天堂APP逆向分析的主要内容,如果未能解决你的问题,请参考以下文章
Android逆向开发,入门到入坟,我看刑,一定要遵纪守法,切记!!!