1. Objectives

The app has been upgraded, but has its signature algorithm been upgraded too? That is the question, and it needs a quick answer, otherwise Mr. Li will go crazy.

Note:
  • Objection
  • Unidbg
  • gettimeofday
  • lrand48
  • V9.4.2

2. Analysis

In the previous analysis of the signature algorithm of an e-commerce app (Part 1), we located the com.xxxxxxxx.common.utils.BitmapkitUtils class and its getSignFromJni function as the key code for computing the sign.

In the new version, we first use Objection to hook com.xxxxxxxx.common.utils.BitmapkitUtils:

objection -g com.xxxxxxxx.app.mall explore
android hooking watch class 'com.xxxxxxxx.common.utils.BitmapkitUtils'

Then from the App, open any product page:

(agent) [3688199735633] Called com.xxxxxxxx.common.utils.BitmapkitUtils.loadBMP()
(agent) [3688199735633] Called com.xxxxxxxx.common.utils.BitmapkitUtils.isFuncAvailable()
(agent) [3688199735633] Called com.xxxxxxxx.common.utils.BitmapkitUtils.loadBMP()
(agent) [3688199735633] Called com.xxxxxxxx.common.utils.BitmapkitUtils.getSignFromJni(android.content.Context, java.lang.String, java.lang.String, java.lang.String, java.lang.String, java.lang.String)

Perfect. This shows that the function entry has not changed, and the sign is still produced by getSignFromJni.

Let’s check whether the input parameters and return values are consistent with the packet capture results:

android hooking watch class_method 'com.xxxxxxxx.common.utils.BitmapkitUtils.getSignFromJni' --dump-args --dump-return

Still OK, I saw the familiar sign value.

(agent) [1921806846023] Arguments com.xxxxxxxx.common.utils.BitmapkitUtils.getSignFromJni("<instance: android.content.Context, $className: com.xxxxxxxx.app.mall.JDApp>", "asynInteface", "{\"intefaceType\":\"asynIntefaceType\",\"skuId\":\"10026198901146\"}", "xxc930c5dcfe67xx", "android", "9.4.2")
(agent) [1921806846023] Return Value: "st=1615000030090&sign=7841200ddd83d8cda0828b1cae56b41e&sv=110"

Now for the last step: check whether the sign result is the same as in the previous version. To do this, follow the approach from the algorithm restoration post (Part 1): first freeze time and pin the return values of gettimeofday and lrand48.

Dig out the practical Unidbg emulation tutorial for a major vendor's app that was written last year (the Year of the Rat) on Knowledge Planet, and load the new version of the apk instead:

// vm = emulator.createDalvikVM(new File("/Users/h1yx/Desktop/V9.2.2.85371_T1_350271430_lc029.apk"));
vm = emulator.createDalvikVM(new File("/Users/h1yx/Desktop/V9_4_2.apk"));
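The "freeze time and pin lrand48" step above, written out as an added example (not the author's or the Knowledge Planet tutorial's code): it replaces libc's gettimeofday and lrand48 inside unidbg so the emulated sign is reproducible. It assumes unidbg's HookZz replace API (IHookZz, ReplaceCallback, HookStatus; the import paths may differ between unidbg versions), that the target calls these functions through libc rather than inlining a raw syscall, and that the app is 32-bit ARM. The fixed seconds/microseconds are taken from the st in the Unidbg output on this page; the lrand48 value is a placeholder.

```java
// Added example: pin gettimeofday() and lrand48() inside unidbg.
// Import paths are assumed for the unidbg version in use; adjust as needed.
import com.github.unidbg.Emulator;
import com.github.unidbg.Module;
import com.github.unidbg.hook.HookContext;
import com.github.unidbg.hook.ReplaceCallback;
import com.github.unidbg.hook.hookzz.HookStatus;
import com.github.unidbg.hook.hookzz.HookZz;
import com.github.unidbg.hook.hookzz.IHookZz;
import com.github.unidbg.pointer.UnidbgPointer;

public final class FixedTimeAndRand {
    // st=1606701201628 on this page -> tv_sec = 1606701201, tv_usec = 628000.
    static final int FIXED_SEC = 1606701201;
    static final int FIXED_USEC = 628_000;
    // Placeholder: use the value recorded when restoring the previous version.
    static final long FIXED_RAND = 0x12345678L;

    // Call once after the DalvikVM is created and before the sign is computed.
    public static void install(Emulator<?> emulator) {
        IHookZz hookZz = HookZz.getInstance(emulator);
        Module libc = emulator.getMemory().findModule("libc.so");

        // int gettimeofday(struct timeval *tv, struct timezone *tz):
        // fill the caller's timeval with a fixed instant and return 0.
        hookZz.replace(libc.findSymbolByName("gettimeofday"), new ReplaceCallback() {
            @Override
            public HookStatus onCall(Emulator<?> emu, HookContext ctx, long originFunction) {
                UnidbgPointer tv = ctx.getPointerArg(0);
                if (tv != null) {
                    tv.setInt(0, FIXED_SEC);  // 32-bit ARM: time_t is 4 bytes
                    tv.setInt(4, FIXED_USEC); // suseconds_t follows it
                }
                return HookStatus.RET(emu, 0);
            }
        });

        // long lrand48(void): return a constant instead of the libc PRNG output.
        hookZz.replace(libc.findSymbolByName("lrand48"), new ReplaceCallback() {
            @Override
            public HookStatus onCall(Emulator<?> emu, HookContext ctx, long originFunction) {
                return HookStatus.RET(emu, FIXED_RAND);
            }
        });
    }
}
```

With both hooks in place, a changed sign between the old and new apk means the algorithm itself changed, not the inputs.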

Run it:

st=1606701201628&sign=59039230dc2e1ea27a4f250d9ec81b8c&sv=111
destroy
run

This value looks familiar.