frida-reverse-analysis-4
Frida reverse and protocol analysis-4
0x08 Reverse analysis of paid live streaming rooms
We have a pornographic live-streaming app with two restrictions: (1) a pop-up says that only VIPs can watch the live stream, and (2) non-VIP users can only watch for 15 s. Because the app is packed, we first need frida-dexdump to dump the dex files out of memory (unpacking); the workflow is in link1.
```
1. run frida-server
```
This yields 7 dex files, which we can open and analyze in jadx-gui.
Now the analysis begins. First we need to bypass the pop-up restriction. A pop-up is drawn through a system API, usually the show() method of the android.app.Dialog class, so we first verify whether this pop-up really goes through android.app.Dialog.show():
```
objection -g com.hay.dreamlover explore
```
Because the app would not start and kept stalling on its first page, the experiment could not be reproduced here; only the important points are covered.
From objection's output we can locate the pop-up function in the app, SDDialogBase.show(), and write a hook that removes the pop-up:
```
setImmediate(function() {
```
Next we need to bypass the 15 s limit. Tracing the function calls in the dex files eventually leads to the onTimePayViewerShowCoveringxx function, which controls the timing; hooking this function bypasses the limit.
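Putting the two bypasses together, as an added example (this is not the page's script and not the app's code): a Frida Java script that swallows the VIP dialog and stubs out the timer callback. The dialog is matched by the simple class name SDDialogBase, the only name the page gives, so no package has to be guessed. The timer class and the full method name are placeholders, because the page only gives the truncated onTimePayViewerShowCoveringxx; `installHooks` and its counters are this example's own names, and the script takes Frida's `Java` object as a parameter so the same logic can be exercised outside Frida.

```javascript
// Added example, not from the page or the app: a Frida Java script that defeats
// the two restrictions described above (VIP-only dialog, 15 s watch limit).
//
// Assumptions, marked here and in the lead-in:
//  - The dialog class is matched by its simple name "SDDialogBase" (the only
//    name the page gives), so its package is not needed.
//  - The timer method's full name is truncated on the page
//    ("onTimePayViewerShowCoveringxx"); timerClass / timerMethod are
//    placeholders to be filled in from jadx-gui before running.
const CONFIG = {
  dialogSimpleName: 'SDDialogBase',
  timerClass: 'FILL.IN.FROM.JADX',                    // placeholder (assumption)
  timerMethod: 'onTimePayViewerShowCovering_FILL_IN', // page truncates this name
};

// Install both hooks and return live counters. Frida's global `Java` is passed
// in as `JavaApi` instead of being referenced directly, so the same logic can
// be exercised under plain Node with a fake object.
function installHooks(JavaApi, cfg) {
  const stats = { dialogsSuppressed: 0, dialogsPassed: 0, timerCalls: 0 };

  // 1. VIP prompt. Hook the framework entry point every Dialog passes through
  //    and filter on the concrete class, so unrelated dialogs (permissions,
  //    errors) still appear instead of blanket-silencing Dialog.show().
  const Dialog = JavaApi.use('android.app.Dialog');
  Dialog.show.implementation = function () {
    const cls = String(this.getClass().getName());
    if (cls === cfg.dialogSimpleName || cls.endsWith('.' + cfg.dialogSimpleName)) {
      stats.dialogsSuppressed += 1;
      return;                 // never call the original: no prompt, no lock-out
    }
    stats.dialogsPassed += 1;
    return this.show();       // anything else: run the original show()
  };

  // 2. Watch-time limit. The callback's overloads are unknown until read in
  //    jadx, so hook every overload and return before the covering view is
  //    created. null is fine for void/object return types; if jadx shows a
  //    primitive return type (boolean/int), return false/0 here instead.
  const Timer = JavaApi.use(cfg.timerClass);
  Timer[cfg.timerMethod].overloads.forEach((overload) => {
    overload.implementation = function () {
      stats.timerCalls += 1;
      return null;
    };
  });
  return stats;
}

// Under Frida the global `Java` exists (frida -U -f com.hay.dreamlover -l hooks.js).
// Under plain Node it does not, so nothing runs at load time.
if (typeof Java !== 'undefined') {
  Java.perform(() => {
    const stats = installHooks(Java, CONFIG);
    console.log('[*] hooks installed; counters:', JSON.stringify(stats));
  });
}
```

If SDDialogBase overrides show() without calling super.show(), the base-class hook never fires; in that case hook Java.use('<package>.SDDialogBase').show directly, using the package jadx-gui shows. The counters let you confirm in the Frida console that each hook actually fires before moving on to protocol analysis.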
After bypassing these two restrictions, the key part is protocol analysis of the app, which starts at P218. Those pages analyze an app in detail (very important). But I am too lazy: I just read them and did not write notes (sorry~).
0x09 Cracking the illegal application of membership system
Starting at P239, the book also analyzes an app. r0capture can capture data at the application layer, and r0tracer can trace a class's methods (like objection/wallbreaker, but more powerful): (1) it can switch classloaders when a specific class cannot be found; (2) it adds a delayed-hook mechanism for the case where, after injection through spawn, the target class is not available immediately; (3) unlike objection, it can hook a class's constructors; (4) it can print a class's instance variables, method arguments, return values and call stacks.
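To make those four points concrete, an added example (my own code, built from documented Frida Java API calls; it is not r0tracer's source and not from the book): a compact tracer that switches the classloader, delays installation after spawn, hooks constructors via `$init`, and logs arguments, return value, instance fields and the Java call stack. The target class/method names (`TARGET`), the delay value, and the function names `selectLoaderFor`, `dumpFields`, `traceMethod` and `install` are this example's assumptions.

```javascript
// Added example, not r0tracer's code or the page's: a compact Frida tracer that
// does, with plain Frida API calls, the four things the notes attribute to r0tracer.
// Assumptions: target names come from the caller (TARGET is a placeholder);
// SPAWN_DELAY_MS is a guess at how long the app needs after spawn before its
// own classes are loadable. Tune both per app.
const TARGET = { className: 'FILL.IN.FROM.JADX', methodName: '$init' }; // placeholder
const SPAWN_DELAY_MS = 3000;                                            // assumption

// (1) Switch Java.use() to a ClassLoader that can actually load `className`.
//     Classes in a dynamically loaded dex are invisible to the default loader,
//     so Java.use() throws ClassNotFoundException until the loader is switched.
function selectLoaderFor(JavaApi, className) {
  for (const loader of JavaApi.enumerateClassLoadersSync()) {
    try {
      loader.loadClass(className);          // throws if this loader cannot see it
      JavaApi.classFactory.loader = loader; // Java.use() now resolves through it
      return loader;
    } catch (e) {
      // not this loader; keep looking
    }
  }
  return null;
}

// (4a) Read instance fields by reflection (the "instance variables" r0tracer prints).
function dumpFields(instance) {
  const out = {};
  for (const f of instance.getClass().getDeclaredFields()) {
    try {
      f.setAccessible(true);
      out[String(f.getName())] = String(f.get(instance));
    } catch (e) {
      out[String(f.getName())] = '<unreadable>';
    }
  }
  return out;
}

// (3)+(4b) Hook every overload of one method; methodName '$init' hooks the
//     constructors, which objection cannot. Each call runs the original, then
//     logs arguments, return value, fields and the Java call stack.
function traceMethod(JavaApi, className, methodName, log) {
  const Cls = JavaApi.use(className);
  const Log = JavaApi.use('android.util.Log');
  const Exception = JavaApi.use('java.lang.Exception');
  const overloads = Cls[methodName].overloads;
  overloads.forEach((overload) => {
    const signature = overload.argumentTypes.map((t) => t.className).join(', ');
    overload.implementation = function (...args) {
      const ret = this[methodName].apply(this, args); // run the original method
      log({
        method: `${className}.${methodName}(${signature})`,
        args: args.map((a) => String(a)),
        ret: ret === undefined ? 'void' : String(ret),
        fields: dumpFields(this),
        stack: String(Log.getStackTraceString(Exception.$new())),
      });
      return ret;
    };
  });
  return overloads.length;
}

// (2) Installation entry point; called after a delay when spawning (see below),
//     because with `frida -f` the script runs before the app has loaded its own dex.
function install(JavaApi, target, log) {
  JavaApi.perform(() => {
    if (selectLoaderFor(JavaApi, target.className) === null) {
      log({ error: `no ClassLoader can load ${target.className}` });
      return;
    }
    const n = traceMethod(JavaApi, target.className, target.methodName, log);
    log({ info: `hooked ${n} overload(s) of ${target.className}.${target.methodName}` });
  });
}

// Under Frida the global `Java` exists; under plain Node it does not, so nothing
// runs at load time and the functions above can be tested with a fake `Java`.
if (typeof Java !== 'undefined') {
  setTimeout(() => install(Java, TARGET, (e) => console.log(JSON.stringify(e))), SPAWN_DELAY_MS);
}
```

When attaching to an already running process instead of spawning, the delay can be set to 0; the loader switch is only needed when Java.use() fails with ClassNotFoundException under the default loader.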
Before P250 the book explains how to bypass VIP; from P250 on it analyzes the protocol.
- Article link: https://wd-2711.tech/
- Copyright notice: Unless otherwise stated, all articles on this blog are licensed under CC BY-NC-ND 4.0. Please cite the source when reposting!