Frida reverse and protocol analysis-4

0x08 Reverse analysis of paid live streaming rooms

We have a pornographic live streaming app with two restrictions: 1. A pop-up prompts that only VIPs can watch the live stream. 2. Non-VIP users can only watch for 15 s. As this app is packed, we need to use frida-dexdump to unpack it; we can get the workflow from link1.

1. run frida-server
2. run the app to be analyzed
3. frida-dexdump -U -f com.hay.dreamlover

Finally, we get 7 dex files, which we can analyze with jadx-gui.

Then we begin the analysis. First, we need to bypass the pop-up restriction. The pop-up calls the API provided by the system, usually the show method of class android.app.Dialog. We first verify whether the pop-up is implemented via the android.app.Dialog.show method:

objection -g com.hay.dreamlover explore
android hooking watch class_method android.app.Dialog.show --dump-backtrace --dump-return

Because the app could not be opened (it kept stopping on the initial page), the experiment could not be carried out here; we only go through the key points. Based on the backtrace returned by objection, we can locate the pop-up function SDDialogBase.show() in the app and write the code to remove the pop-up:

setImmediate(function() {
    Java.perform(function() {
        // Replace SDDialogBase.show() with an empty body so the VIP pop-up is never displayed
        Java.use("com.fanwe.lib.dialog.impl.SDDialogBase").show.implementation = function() {}
    })
})
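For readers who want to see what the objection "watch ... --dump-backtrace" command above does under the hood, here is an added Frida script (not from the original post or from the app being analyzed) that hooks android.app.Dialog.show, prints the Java backtrace, and picks out the first frame that is not framework code; that frame is the app's own dialog wrapper, which is how SDDialogBase.show() is found. The only package and class names used are those already on this page; the stack text used to exercise the helper is constructed.

```javascript
// Added example, not the original post's code. Hooks android.app.Dialog.show
// for observation only (the original behaviour is preserved) and reports
// which app-level frame triggered the dialog.

// Frames starting with these prefixes are framework code, not the app's.
const FRAMEWORK_PREFIXES = ['android.', 'androidx.', 'java.', 'dalvik.', 'com.android.', 'kotlin.'];

// Parse a Java stack trace ("\tat pkg.Class.method(File.java:NN)" lines) and
// return "pkg.Class.method" of the first frame that is not framework code.
// Returns null when every frame is framework code.
function firstNonFrameworkFrame(stackText) {
  const frames = stackText.split('\n')
    .map(line => line.trim())
    .filter(line => line.startsWith('at '))
    .map(line => line.slice(3).replace(/\(.*$/, ''));   // drop "(File.java:NN)"
  return frames.find(f => !FRAMEWORK_PREFIXES.some(p => f.startsWith(p))) || null;
}

// Only install the hook when running inside Frida's Java bridge; the helper
// above is plain JavaScript and can be exercised outside Frida.
if (typeof Java !== 'undefined') {
  Java.perform(function () {
    const Dialog = Java.use('android.app.Dialog');
    const Log = Java.use('android.util.Log');
    const Exception = Java.use('java.lang.Exception');

    Dialog.show.implementation = function () {
      // Build a backtrace the same way objection's --dump-backtrace does.
      const stack = Log.getStackTraceString(Exception.$new());
      console.log('[Dialog.show] called from ' + firstNonFrameworkFrame(stack));
      console.log(stack);
      return this.show();   // call the original: we observe, we do not suppress
    };
  });
}
```

Run it with `frida -U -f com.hay.dreamlover -l watch_dialog.js` (file name is your choice); each time a dialog is shown, the first log line names the app class that wrapped the framework call.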

Next, we need to bypass the 15 s limit. We analyze the function calls in the dex files and finally find the onTimePayViewerShowCoveringxx function, which controls the time. By hooking this function we can bypass the limit.

After bypassing these two restrictions, the key is the protocol analysis of the app; see P218. Those pages analyze an app in detail (very important). But I am too lazy: I only read it and did not write notes (sorry~).

0x09 Cracking the illegal application of membership system

It also analyzes an app, on P239. r0capture can capture data at the application layer; r0tracer can trace a class's methods (like objection/wallbreaker, but more powerful). It can (1) switch class loader when a specific class cannot be found; (2) add a delayed hook mechanism, to avoid the case where the application's classes cannot be found immediately after injection via spawn; (3) compared to objection, hook a class's constructor; (4) print class instance variables, function arguments, return values and the call stack.
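To make the four r0tracer capabilities above concrete, here is an added, minimal Frida tracer (my own example, not r0tracer's or objection's code) that searches every class loader for the target class, delays the hook after spawn, hooks constructors through `$init`, and prints instance fields, arguments, return value and the call stack. The target class name is a placeholder to be replaced with the class under study; the loader objects used to exercise `pickLoader` outside Frida are constructed stand-ins for the results of `Java.enumerateClassLoadersSync()`.

```javascript
// Added example: a small tracer showing the four mechanisms described for
// r0tracer. Not r0tracer's code; class name below is a placeholder.

// (1) Loader switching. Java.use() only searches Java.classFactory.loader, so a
// class loaded by a packer's own DexClassLoader is invisible until we switch.
// Returns the first loader that can resolve className, or null.
function pickLoader(loaders, className) {
  for (const loader of loaders) {
    try {
      loader.findClass(className);   // throws ClassNotFoundException otherwise
      return loader;
    } catch (e) { /* not in this loader, keep looking */ }
  }
  return null;
}

// Render one hook event as a single log line (pure, so it can be unit-tested).
function formatCall(className, method, args, retval) {
  return '[' + className + '.' + method + '](' + args.map(String).join(', ') + ') => ' + String(retval);
}

if (typeof Java !== 'undefined') {
  const traceClass = function (className) {
    Java.perform(function () {
      const loader = pickLoader(Java.enumerateClassLoadersSync(), className);
      if (loader === null) { console.log('not found in any loader: ' + className); return; }
      Java.classFactory.loader = loader;

      const clazz = Java.use(className);
      const Log = Java.use('android.util.Log');
      const Exception = Java.use('java.lang.Exception');
      const fieldNames = clazz.class.getDeclaredFields().map(f => f.getName());

      // (3) Declared methods plus '$init', Frida's name for constructors.
      const names = new Set(clazz.class.getDeclaredMethods().map(m => m.getName()));
      names.add('$init');

      names.forEach(name => {
        if (!clazz[name] || !clazz[name].overloads) return;
        clazz[name].overloads.forEach(overload => {
          overload.implementation = function (...args) {
            const retval = overload.apply(this, args);   // run the original first
            console.log(formatCall(className, name, args, retval));
            // (4) instance variables, read through the wrapper's .value
            fieldNames.forEach(f => {
              try { console.log('  ' + f + ' = ' + this[f].value); } catch (e) { /* static or hidden */ }
            });
            console.log(Log.getStackTraceString(Exception.$new()));
            return retval;
          };
        });
      });
      console.log('traced ' + names.size + ' members of ' + className);
    });
  };

  // (2) Delayed hook: after "frida -f" spawn the packer may not have loaded the
  // target dex yet, so wait before resolving and hooking the class.
  const target = 'com.example.TargetClass';   // placeholder, replace with the class under study
  setTimeout(() => traceClass(target), 3000);
}
```

The delay is a fixed 3 s for simplicity; a more robust variant would retry `pickLoader` on an interval until the class appears, which is the behaviour the text attributes to r0tracer.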

Before P250, the pages talk about how to bypass VIP. After P250, we analyze the protocol.


© 2024 wd-z711
