某音six分析记录(mgaic原创)

hook hashMap put 函数

/**
 * Frida hook on java.util.HashMap.put.
 *
 * Swaps in a `put` implementation that logs the key/value pair and a Java
 * stack trace of the call site whenever the key compares loosely equal to
 * "X-Medusa"; every other call passes through silently. The original `put`
 * is always invoked and its return value forwarded, so the map itself
 * behaves exactly as before — this is observation only.
 *
 * Intended to run inside Frida's Java.perform; `Java` is the Frida bridge
 * global, not a name defined in this file.
 */
function hookMap() {
  const WATCHED_KEY = "X-Medusa";
  const HashMapClass = Java.use("java.util.HashMap");

  HashMapClass.put.implementation = function (key, value) {
    // Loose `==` is kept on purpose: the key may arrive as a Frida Java
    // wrapper rather than a plain JS string (the original note says either
    // `==` or `.equals` usually works), and `==` coerces via toString().
    if (key == WATCHED_KEY) {
      console.log("hashMap.put: ", key, value);
      const LogClass = Java.use("android.util.Log");
      const ExceptionClass = Java.use("java.lang.Exception");
      // A fresh Exception captures the current Java call stack.
      console.log(LogClass.getStackTraceString(ExceptionClass.$new()));
    }
    return this.put(key, value);
  };
}

结果如下

img_1.png

hook fCw试试, 看看在调用该函数的时候, 六神是否已经生成

hook 代码如下

/**
 * Frida hook on X.fCw.intercept.
 *
 * Logs the URL and headers of the request reaching the interceptor (via
 * `chain.request()`, which looks like an OkHttp-style interceptor chain —
 * inferred from the call shape, not shown here), then delegates to the
 * original implementation and returns its result untouched. Nothing about
 * the request or response is modified.
 *
 * Intended to run inside Frida's Java.perform; `Java` is the Frida bridge
 * global, not a name defined in this file.
 */
function hook_intercept() {
  const InterceptorClass = Java.use("X.fCw");

  InterceptorClass["intercept"].implementation = function (chain) {
    console.log(`C112070fCw.intercept is called: chain=${chain.request().url()}`);
    console.log(`C112070fCw.intercept is called: chain headers =${chain.request().headers()}`);
    return this["intercept"](chain);
  };
}

hook 结果如下

img_1.png

可以看到此处六神已经拿到了, 继续往上游函数摸索.

hook fCt 函数试试, hook fCt 函数后发现 headers 中没有 six

jadx打开看看

img_1.png

看看response fct函数以后, headers有没有增加six 字段

hook脚本如下

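/**
 * Frida hook on X.fCt.intercept.
 *
 * Logs the request URL and headers before the interceptor runs, then the
 * headers of `result.request()` after it returns, so the two can be compared
 * to see whether this interceptor added a header. The original implementation
 * is always called and its result returned unchanged.
 *
 * Note: the log prefix "C112070fCw" is carried over verbatim from the earlier
 * fCw hook even though the class hooked here is X.fCt; the strings are left
 * as-is so they match the recorded output.
 *
 * Change vs. the original: the closure variable `origin_chain` was assigned
 * on every call but never read anywhere, so that dead store is removed.
 *
 * Intended to run inside Frida's Java.perform; `Java` is the Frida bridge
 * global, not a name defined in this file.
 */
function hook_intercept() {
  const InterceptorClass = Java.use("X.fCt");

  InterceptorClass["intercept"].implementation = function (chain) {
    console.log(`C112070fCw.intercept is called: chain=${chain.request().url()}`);
    console.log(`C112070fCw.intercept is called: chain headers =${chain.request().headers()}`);
    const result = this["intercept"](chain);
    // `result` is presumably the response; its request() exposes the headers
    // as they stand once the interceptor has run.
    console.log("after call function ", result.request().headers());
    return result;
  };
}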

结果如下

img_1.png

可以看到, 经过 fCt 以后 six 就出来了. 重点看看 fCt, tryAddSecurityFactor 很可疑, hook 看看. 要注意把 Map 强转成 HashMap, 否则打印出来的就是 Object

// Frida hook on NetworkParams.tryAddSecurityFactor(str, map).
// Logs the arguments, calls the original, and prints the result twice: once as
// Frida renders it, and once explicitly cast to java.util.HashMap — the
// surrounding note explains that without the cast the print only shows
// "Object". The result is returned unchanged.
// Runs at top level and therefore needs the Frida `Java` bridge in scope.
const NetworkParams = Java.use("com.bytedance.frameworks.baselib.network.http.NetworkParams");
const HashMap = Java.use('java.util.HashMap');

NetworkParams["tryAddSecurityFactor"].implementation = function (str, map) {
  console.log(`NetworkParams.tryAddSecurityFactor is called: str=${str}, map=${map}`);
  const result = this["tryAddSecurityFactor"](str, map);
  console.log(`NetworkParams.tryAddSecurityFactor result=${result}`);
  // Cast so the concrete map contents are rendered rather than the bare type.
  const rendered = Java.cast(result, HashMap).toString();
  console.log(`NetworkParams.tryAddSecurityFactor result=${rendered}`);
  return result;
};

hook 结果如下, 可以看到 six已经生成了

img_1.png

jadx继续看看 发现调用了 onCallToAddSecurityFactor, 进去看看实现, 发现是个接口

img_1.png

查看交叉引用看看

img_1.png

进入以后 发现调用了 l.a, hook 试试看

// Frida hook on ms.bd.c.l.a(i, i2, j, str, obj).
// Calls the original first, then — only when the first argument equals
// 50331649 (0x3000001; its meaning is not shown here) — logs the result
// wrapped in an org.json.JSONArray. Whatever the original returned is passed
// back untouched. `Java` is the Frida bridge global.
Java.perform(() => {
  const WATCHED_ARG = 50331649;
  const TargetClass = Java.use("ms.bd.c.l");

  TargetClass["a"].implementation = function (i, i2, j, str, obj) {
    const result = this["a"](i, i2, j, str, obj);
    // Loose `==` kept: `i` may be a Java wrapper rather than a JS number.
    if (i == WATCHED_ARG) {
      const JSONArray = Java.use('org.json.JSONArray');
      console.log("result ", JSONArray.$new(result));
    }
    return result;
  };
});

结果如下

img_1.png

Java 层到此结束, 实现在 native 层. 实际测试中, frida rpc 调用几十次后就不再返回数据了, 风控很强.