某音six分析记录(mgaic原创)

发表于

hook hashMap put 函数

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
function hookMap(){
    var hashMap = Java.use("java.util.HashMap");
    hashMap.put.implementation = function (a, b) {
        //a=="username"和a.equals("username")一般都可以
        //如果不行换一下即可
        // console.log("a", a);
        // if (a == "x-tt-token") {
        if (a == "X-Medusa") {
        // if (a.indexOf("medusa") != -1) {
            console.log("hashMap.put: ", a, b);
            console.log(Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Exception").$new()));
        }
     return this.put(a, b);
    }
}

结果如下

img_1.png

hook fCw试试, 看看在调用该函数的时候, 六神是否已经生成

hook 代码如下

1
2
3
4
5
6
7
8
9
10
function hook_intercept(){
    let C112070fCw = Java.use("X.fCw");
    C112070fCw["intercept"].implementation = function (chain) {
        console.log(`C112070fCw.intercept is called: chain=${chain.request().url()}`);
        console.log(`C112070fCw.intercept is called: chain headers =${chain.request().headers()}`);
        let result = this["intercept"](chain);
        // console.log(`C112070fCw.intercept result=${result}`);
        return result;
    };
}

hook 结果如下

img_1.png

可以看到此处六神已经拿到了, 继续往上游函数摸索.

hook fct函数试试, hookfct函数发现headers 中没有 six

jadx打开看看

img_1.png

看看response fct函数以后, headers有没有增加six 字段

hook脚本如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
function hook_intercept(){
    let C112070fCw = Java.use("X.fCt");
    var origin_chain = null;
    C112070fCw["intercept"].implementation = function (chain) {
        origin_chain = chain;
        console.log(`C112070fCw.intercept is called: chain=${chain.request().url()}`);
        console.log(`C112070fCw.intercept is called: chain headers =${chain.request().headers()}`);
        let result = this["intercept"](chain);
        // console.log(`C112070fCw.intercept result=${result}`);
        console.log("after call function ", result.request().headers());
        return result;
    };

}

结果如下

img_1.png

可以看到 经过 fCt 以后,six就出来了. 重点看看 fCt, tryAddSecurityFactor 很可疑, hook 看看, 要注意Map强转HashMap, 否则打印出来的就是 Obejct

1
2
3
4
5
6
7
8
9
let NetworkParams = Java.use("com.bytedance.frameworks.baselib.network.http.NetworkParams");
var HashMap = Java.use('java.util.HashMap');
NetworkParams["tryAddSecurityFactor"].implementation = function (str, map) {
    console.log(`NetworkParams.tryAddSecurityFactor is called: str=${str}, map=${map}`);
    let result = this["tryAddSecurityFactor"](str, map);
    console.log(`NetworkParams.tryAddSecurityFactor result=${result}`);
    console.log(`NetworkParams.tryAddSecurityFactor result=${Java.cast(result, HashMap).toString()}`);
    return result;
};

hook 结果如下, 可以看到 six已经生成了

img_1.png

jadx继续看看 发现调用了 onCallToAddSecurityFactor, 进去看看实现, 发现是个接口

img_1.png

查看交叉引用看看

img_1.png

进入以后 发现调用了 l.a, hook 试试看

1
2
3
4
5
6
7
8
9
10
11
12
Java.perform(function (){
    let l = Java.use("ms.bd.c.l");
    let result = null;
    l["a"].implementation = function (i, i2, j, str, obj) {
        result = this["a"](i, i2, j, str, obj);
        if(i == 50331649){
            console.log("result ", Java.use('org.json.JSONArray').$new(result))
        }

        return result;
    };
});

结果如下

img_1.png

java层到此结束。实现在native层。 实际测试, frida rpc 几十次后就不返回数据了. 风控很强。