app中的sink点—利用系统函数与堆栈快速定位漏洞与关键代码


在 app 中,加解密、签名、数据解析等操作最终都会逐层调用到 JDK / Android 框架的底层函数(例如 String.trim、HashMap.put、Base64.encodeToString)。这些底层函数就是所谓的 sink 点:在 hook 具体业务方法之前,可以先用 Frida hook 这些底层函数,用一个已知的输入值(比如登录时填的用户名)做过滤,命中时打印 Java 调用栈,顺着栈就能直接定位到调用它们的关键业务代码。需要注意这些函数调用极其频繁,不加过滤就每次都打印堆栈会严重拖慢甚至卡死 app,所以一般先只打印参数,在输出里搜到目标值后再加 if 判断打印堆栈。

string.trim

String.trim 比较关键:很多 app 会在拼接或加密参数前对字符串做 trim,所以这里经常能直接看到加密前的明文,有时甚至能从中看出加密方式。确定目标值之后再把下面注释掉的 showStack() 打开打印堆栈,就能顺着调用栈找到加密代码。

// Hook java.lang.String.trim(): app code that normalises user input or a
// cipher parameter before use tends to pass through here, so printing the
// receiver can expose plaintext shortly before it is encrypted.
// NOTE: trim() is called constantly; keep showStack() disabled until a
// filter on the value narrows the hits, otherwise the app becomes unusable.
Java.perform(function () {
  // Print the current Java call stack of the hooked thread.
  function showStack() {
    const Log = Java.use("android.util.Log");
    const Throwable = Java.use("java.lang.Throwable");
    console.log(Log.getStackTraceString(Throwable.$new()));
  }

  const JString = Java.use("java.lang.String");
  // trim() has a single overload, so .implementation can be assigned directly.
  JString.trim.implementation = function () {
    // Enable once a filter on `this` has been added.
    // showStack();
    console.log("str.trim", this);
    return this.trim();
  };
});

hashmap.put

hook代码:

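// Hook java.util.HashMap.put(K, V) and print the Java stack whenever a value
// is stored under the key "username". Request parameters are very often
// assembled into a HashMap right before signing/encryption, so the stack
// usually points straight at the code that builds the request.
Java.perform(function () {
  const Log = Java.use("android.util.Log");
  const Throwable = Java.use("java.lang.Throwable");

  // Print the current Java call stack of the hooked thread.
  function showStack() {
    console.log(Log.getStackTraceString(Throwable.$new()));
  }

  const HashMap = Java.use("java.util.HashMap");
  // put() has a single (Object, Object) overload.
  HashMap.put.implementation = function (key, value) {
    // HashMap permits a null key. The original check called key.equals()
    // unconditionally, which throws inside the hook and breaks the app's
    // own put() call; guard first so the hook can never take the app down.
    if (key !== null && key.equals("username")) {
      showStack();
      console.log("hashMap.put: ", key, value);
    }
    return this.put(key, value);
  };
});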

结果:

ArrayList.add

可以先用 console.log 打印每一个参数,然后在输出里全局搜索敏感参数(比如 username=15149123131,要替换成你自己在 app 里输入的值,且必须与 app 实际 add 进去的字符串完全一致),最后加一个 if 判断,只对命中的值打印堆栈:

hook代码:

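// Hook java.util.ArrayList.add(Object) and print the Java stack when the
// exact string TARGET is added. Many apps collect "key=value" fragments into
// a list before sorting/joining them for a signature, so this lands right in
// the signing code.
Java.perform(function () {
  const Log = Java.use("android.util.Log");
  const Throwable = Java.use("java.lang.Throwable");

  // Print the current Java call stack of the hooked thread.
  function showStack() {
    console.log(Log.getStackTraceString(Throwable.$new()));
  }

  // Value to watch for. It must match exactly what the app adds; replace it
  // with the value you typed into the app's form.
  const TARGET = "username=15143212981";

  const ArrayList = Java.use("java.util.ArrayList");
  ArrayList.add.overload("java.lang.Object").implementation = function (element) {
    // ArrayList accepts null elements; the original called element.equals()
    // unguarded, which throws inside the hook and breaks the app's add().
    if (element !== null && element.equals(TARGET)) {
      showStack();
      console.log("ArrayList.add: ", element);
    }
    return this.add(element);
  };

  // The (int, Object) overload inserts at an index; hook it as well if the
  // value above never shows up:
  // ArrayList.add.overload("int", "java.lang.Object").implementation = function (index, element) {
  //   console.log("ArrayList.add: ", index, element);
  //   return this.add(index, element);
  // };
});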

结果:

textUtils.isEmpty

同样可以先用 console.log 打印每一个参数,然后全局搜索敏感参数(比如 username=15142017981,替换成自己输入的值),最后加一个 if 判断打印堆栈。注意 TextUtils.isEmpty 是静态方法且调用非常频繁,下面第一段代码对每一次调用都打印堆栈,只适合短时间观察;第二段加了过滤之后才适合长时间挂着:

// Hook android.text.TextUtils.isEmpty(CharSequence) with no filter: every
// call prints its argument and a Java stack. This is the first pass used to
// discover which values flow through here; expect a lot of output.
Java.perform(function () {
  // Print the current Java call stack of the hooked thread.
  function showStack() {
    const Throwable = Java.use("java.lang.Throwable");
    const Log = Java.use("android.util.Log");
    console.log(Log.getStackTraceString(Throwable.$new()));
  }

  const TextUtils = Java.use("android.text.TextUtils");
  // isEmpty is static, so `this` is the TextUtils class wrapper here.
  TextUtils.isEmpty.implementation = function (cs) {
    showStack();
    console.log("textUtils:", cs);
    return this.isEmpty(cs);
  };
});


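// Hook android.text.TextUtils.isEmpty(CharSequence) and print the Java stack
// only when the argument equals TARGET (a base64-looking value seen in the
// unfiltered pass, presumably the encrypted login response).
Java.perform(function () {
  const Log = Java.use("android.util.Log");
  const Throwable = Java.use("java.lang.Throwable");

  // Print the current Java call stack of the hooked thread.
  function showStack() {
    console.log(Log.getStackTraceString(Throwable.$new()));
  }

  // Value to watch for; copy it from the unfiltered output of the previous pass.
  const TARGET = "2v+DC2gq7RuAC8PE5GZz5wH3/y9ZVcWhFwhDY9L19g9iEd075+Q7xwewvfIN0g0ec/NaaF43/S0=";

  const TextUtils = Java.use("android.text.TextUtils");
  // isEmpty is static, so `this` is the TextUtils class wrapper here.
  TextUtils.isEmpty.implementation = function (cs) {
    // `cs` is a Java CharSequence wrapper, not a JS string: the original `==`
    // only matched through implicit toString() coercion and a `===` against
    // the wrapper would never match. Convert explicitly; null is a legal
    // argument to isEmpty(), so guard before calling toString().
    if (cs !== null && cs.toString() === TARGET) {
      showStack();
      console.log("textUtils:", cs);
    }
    return this.isEmpty(cs);
  };
});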

这里命中的参数是一个 base64 格式的字符串,推测是登录接口返回结果的密文;从打印出来的调用栈可以确认它是否正处在响应解密逻辑附近。

log.w

// Hook android.util.Log.w(String tag, String msg). Apps frequently leave
// debug logging of request bodies, keys or error details in release builds;
// the (tag, msg) pair is printed and the stack can be enabled to find the
// logging call site.
Java.perform(function () {
  const Log = Java.use("android.util.Log");

  // Print the current Java call stack of the hooked thread.
  function showStack() {
    const Throwable = Java.use("java.lang.Throwable");
    console.log(Log.getStackTraceString(Throwable.$new()));
  }

  // Log.w has several overloads; only the (String, String) one is hooked.
  // w() is static, so `this` is the Log class wrapper.
  Log.w.overload("java.lang.String", "java.lang.String").implementation = function (tag, msg) {
    // Enable once a filter on tag/msg has been added.
    //showStack();
    console.log("log.w:", tag, msg);
    return this.w(tag, msg);
  };
});

EditText.getText

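// Hook android.widget.EditText.getText() to see what the app reads out of
// its input fields (username, password, captcha ...) and, with showStack()
// enabled, which code reads them.
Java.perform(function () {
  const Log = Java.use("android.util.Log");
  const Throwable = Java.use("java.lang.Throwable");

  // Print the current Java call stack of the hooked thread.
  function showStack() {
    console.log(Log.getStackTraceString(Throwable.$new()));
  }

  const EditText = Java.use("android.widget.EditText");
  const CharSequence = Java.use("java.lang.CharSequence");

  // BUG in the original: `getText.overload.implementation = ...` assigned a
  // property on the overload() *function* itself, so no hook was ever
  // installed and nothing was logged. overload() must be called to select
  // the no-argument getText().
  EditText.getText.overload().implementation = function () {
    const text = this.getText();
    // getText() returns an Editable; cast to CharSequence so toString()
    // yields the plain characters. Guard null so the hook cannot throw.
    const shown = text === null ? "null" : Java.cast(text, CharSequence).toString();
    console.log("getText:", shown);
    // Enable to find the code that reads the field.
    //showStack();
    return text;
  };
});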

Collections.sort

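// Hook java.util.Collections.sort(List) and sort(List, Comparator). Request
// parameters are commonly sorted by key before being joined and signed, so
// the stack here usually lands inside the signature routine.
Java.perform(function () {
  const Log = Java.use("android.util.Log");
  const Throwable = Java.use("java.lang.Throwable");
  const JavaObject = Java.use("java.lang.Object");

  // Print the current Java call stack of the hooked thread.
  function showStack() {
    console.log(Log.getStackTraceString(Throwable.$new()));
  }

  // Render any java.util.List via its own toString(). The original cast to
  // ArrayList, which throws for every other List implementation (LinkedList,
  // Arrays.asList(), unmodifiable wrappers ...) and aborted the app's sort().
  function describeList(list) {
    if (list === null) return "null";
    return Java.cast(list, JavaObject).toString();
  }

  // Runtime class name of the comparator; null means natural ordering.
  function describeComparator(comparator) {
    if (comparator === null) return "null";
    return Java.cast(comparator, JavaObject).getClass().getName();
  }

  const Collections = Java.use("java.util.Collections");

  Collections.sort.overload("java.util.List", "java.util.Comparator").implementation = function (list, comparator) {
    showStack();
    // The original printed the list twice; the comparator's class is the
    // more useful second item, as it is usually where the sort key lives.
    console.log("sort:", describeList(list), "comparator:", describeComparator(comparator));
    return this.sort(list, comparator);
  };

  Collections.sort.overload("java.util.List").implementation = function (list) {
    showStack();
    console.log("sort:", describeList(list));
    return this.sort(list);
  };
});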

JSONobject.put与JSONobject.getString

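// Hook org.json.JSONObject.put(String, Object) and getString(String):
// put() shows the request body being assembled, getString() shows which
// fields of the (decrypted) response are read and what they contain.
Java.perform(function () {
  const Log = Java.use("android.util.Log");
  const Throwable = Java.use("java.lang.Throwable");

  // Print the current Java call stack of the hooked thread.
  function showStack() {
    console.log(Log.getStackTraceString(Throwable.$new()));
  }

  const JSONObject = Java.use("org.json.JSONObject");

  // put() overloads, for reference when switching the hooked one:
  //   ('java.lang.String', 'double')
  //   ('java.lang.String', 'int')
  //   ('java.lang.String', 'long')
  //   ('java.lang.String', 'java.lang.Object')
  //   ('java.lang.String', 'boolean')
  JSONObject.put.overload("java.lang.String", "java.lang.Object").implementation = function (key, value) {
    showStack();
    console.log("jsonput:", key, value);
    return this.put(key, value);
  };

  JSONObject.getString.implementation = function (key) {
    showStack();
    // The original printed only the value; without the key the line cannot
    // be matched to the field being read (e.g. "token", "data").
    console.log("jsongetstring:", key);
    // Propagates JSONException for a missing key exactly like the real call.
    const value = this.getString(key);
    console.log(value);
    return value;
  };
});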

toast.show

// Hook android.widget.Toast.show(). A toast such as "login failed" is
// typically raised right after the response is parsed, so the stack printed
// here lands near the response-handling / decryption code.
Java.perform(function () {
  const Throwable = Java.use("java.lang.Throwable");
  const Log = Java.use("android.util.Log");

  // Print the current Java call stack of the hooked thread.
  function showStack() {
    console.log(Log.getStackTraceString(Throwable.$new()));
  }

  const Toast = Java.use("android.widget.Toast");
  // show() has a single overload.
  Toast.show.implementation = function () {
    showStack();
    console.log("toastshow:");
    return this.show();
  };
});

Base64.encodeToString

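// Hook android.util.Base64.encodeToString(byte[], int). The input is usually
// raw ciphertext or a MAC about to be serialised into the request, so this
// is one of the best places to catch the output of the cipher and, via the
// stack, the cipher call itself.
Java.perform(function () {
  const Log = Java.use("android.util.Log");
  const Throwable = Java.use("java.lang.Throwable");

  // Print the current Java call stack of the hooked thread.
  function showStack() {
    console.log(Log.getStackTraceString(Throwable.$new()));
  }

  // Render a Java byte[] (exposed by Frida as a JS array of signed ints,
  // -128..127) as lowercase hex, which is far easier to read and to paste
  // into a decoder than the JSON array the original printed.
  function toHex(bytes) {
    if (bytes === null) return "null";
    return Array.from(bytes, (b) => ((b + 256) % 256).toString(16).padStart(2, "0")).join("");
  }

  const Base64 = Java.use("android.util.Base64");
  // Only the (byte[], int) overload is hooked; encodeToString(byte[], int, int, int)
  // is a separate overload and would need its own hook.
  Base64.encodeToString.overload("[B", "int").implementation = function (input, flags) {
    showStack();
    // flags tells you which variant was used (NO_WRAP, URL_SAFE, NO_PADDING ...),
    // which matters when reproducing the encoding outside the app.
    console.log("base64end:", JSON.stringify(input), "hex:", toHex(input), "flags:", flags);
    const encoded = this.encodeToString(input, flags);
    console.log("base64res:", encoded);
    return encoded;
  };
});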

String.getBytes

// Hook java.lang.String.getBytes() and getBytes(String charsetName). The
// plaintext is converted to bytes right before it is fed to a cipher or a
// digest, so the decoded value printed here is normally the pre-encryption
// input. Enable showStack() to find the caller.
Java.perform(function () {
  const Log = Java.use("android.util.Log");
  const Throwable = Java.use("java.lang.Throwable");
  const JString = Java.use("java.lang.String");

  // Print the current Java call stack of the hooked thread.
  function showStack() {
    console.log(Log.getStackTraceString(Throwable.$new()));
  }

  // Re-decode the produced byte[] into a String purely for display, using the
  // same charset the app asked for (platform default when none was given).
  function render(bytes, charsetName) {
    return charsetName === undefined ? JString.$new(bytes) : JString.$new(bytes, charsetName);
  }

  // getBytes() with the platform default charset.
  JString.getBytes.overload().implementation = function () {
    //showStack();
    const bytes = this.getBytes();
    console.log("str.getBytes result: ", render(bytes));
    return bytes;
  };

  // getBytes(String charsetName).
  JString.getBytes.overload("java.lang.String").implementation = function (charsetName) {
    // showStack();
    const bytes = this.getBytes(charsetName);
    console.log("str.getBytes result: ", render(bytes, charsetName));
    return bytes;
  };
});

打印堆栈: