识货APP sh-sign sh-ba sh-jt 分析

声明:
本文章中所有内容仅供学习交流使用，不用于其他任何目的，抓包内容、敏感网址、数据接口等均已做脱敏处理，严禁用于商业用途和非法用途，否则由此产生的一切后果均与作者无关！
逆向分析

版本识货8.3  

unidbg 跑的。有很多坑用SpringBoot今天又踩了一个新坑。一值报空指针，backException。排错太麻烦了。

@Service("ShiHuo")
public class ShiHuoService extends GlobalJni {
    private final AndroidEmulator emulator;
    private final VM vm;
    // 包名
    private final String processName = "";
    // apk 地址
    private final String packagePath = "lib/shihuo/8.0.apk";
    // so 名称, 要去掉 lib 和  .so
    private final String libraryName = "l";
    // jni 类名
    private final String jniClassName = "com.shihuo.shsecsdk.Enviroment";
    // 调试信息
    private final Boolean verbose = true;
    // jni 模块


    private File apkFile = TempFileUtils.createTempFileFromResource(packagePath);
    private File soFile = TempFileUtils.createTempFileFromResource(libraryName);

    private final Module module = null;

    public String getSign(String str) {
        DvmClass cContext = vm.resolveClass("android/content/Context");
        DvmClass cContextWrapper = vm.resolveClass("android/content/ContextWrapper", cContext);
        DvmObject<?> ctx = vm.resolveClass("android/app/Application", cContextWrapper).newObject(null);
        DvmClass env = vm.resolveClass("com/shihuo/shsecsdk/Enviroment");
        StringObject sign = env.callStaticJniMethodObject(emulator,
            "nativeParam(Landroid/content/Context;Ljava/lang/String)Ljava/lang/String;",
            ctx,
            (StringObject) ProxyDvmObject.createObject(vm, str)
        );
        return sign.getValue();
    }


    public ShiHuoService() throws IOException {

        // 实例化一个模拟器

        emulator = AndroidEmulatorBuilder
            .for32Bit()
            .addBackendFactory(new Unicorn2Factory(true))
            .setProcessName(processName)
            .build();
        Memory memory = emulator.getMemory();
        memory.setLibraryResolver(new AndroidResolver(23));
        vm = emulator.createDalvikVM(getFileFromClasspath("/lib/shihuo/识货8.0.apk"));
        vm.setJni(this);
//        vm.setVerbose(verbose);
        DalvikModule dm = vm.loadLibrary(getFileFromClasspath(""), false);

        dm.callJNI_OnLoad(emulator);
    }

    public File getFileFromClasspath(String fileName) {
        try {
            ClassPathResource resource = new ClassPathResource(fileName);
            return resource.getFile();
        } catch (IOException e) {
            throw new RuntimeException("Failed to get file from classpath: " + fileName, e);
        }
    }

}

结果

列表

详情

总结

   1.出于安全考虑,本章未提供完整流程,调试环节省略较多,只提供大致思路,具体细节要你自己还原,相信你也能调试出来。