某某新闻App Sign逆向分析教学文档<\/h1>

1. 前言<\/h2>

本教程详细分析某某新闻App(版本1.2)的sign签名生成机制，适用于Android安全研究人员和逆向工程师。<\/p>

环境准备<\/strong>:<\/p>

测试设备: Pixel 2<\/li>
Android版本: 10<\/li>
工具: Postern(抓包)、frida(动态分析)、jadx(静态分析)、IDA Pro(原生代码分析)<\/li> <\/ul>
2. 初步抓包分析<\/h2>

使用Postern配合抓包工具捕获登录请求<\/li>
发现请求中包含sign参数，需要逆向分析其生成逻辑<\/li> <\/ol>
3. 脱壳处理<\/h2>

原始APK使用了数字壳保护<\/li>
使用fundeX工具进行脱壳:

脱出的dex文件位于\/data\/data\/com.dachaun.news\/<\/code>目录下<\/li>
将多个dex文件拉取到本地<\/li> <\/ul> <\/li>
使用jadx反编译所有dex文件<\/li> <\/ol> 4. Java层分析<\/h2> 搜索字符串"sign"定位关键代码<\/p> <\/li> 排除第三方SDK(如阿里、腾讯、魅族等)的干扰<\/p> <\/li> 关键调用链:<\/p> this.sign<\/code><\/li> getSign()<\/code><\/li> 最终调用到JNI函数nativeGetSign<\/code><\/li> <\/ul> <\/li> 参数分析:<\/p> 第一个参数: account (UUID随机生成)<\/li> 第二个参数: token (未登录时为空)<\/li> 第三个参数: timestamp (当前时间戳)<\/li> <\/ul> <\/li> 关键Java代码:<\/p> \/\/ account生成 <\/span><\/span><\/span><\/span>String account =<\/span> UUID.<\/span>randomUUID<\/span>().<\/span>toString<\/span>();<\/span> <\/span><\/span>\/\/ timestamp生成 <\/span><\/span><\/span><\/span>String timestamp =<\/span> String.<\/span>valueOf<\/span>(<\/span>System.<\/span>currentTimeMillis<\/span>());<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> 5. Native层分析<\/h2> 使用IDA Pro分析libwtf.so<\/code>库:<\/p> 搜索getSign<\/code>函数定位关键实现<\/p> <\/li> 签名生成流程:<\/p> 首先获取LogShutDown.getAppSign()<\/code>的返回值<\/li> 对该值进行MD5加密并转为大写，得到appsignMd5result<\/code><\/li> 拼接字符串: appsignMd5result + account + token + timestamp<\/code><\/li> 对拼接结果再次进行MD5加密并转为大写，得到最终sign<\/li> <\/ul> <\/li> 关键Native代码逻辑:<\/p> \/\/ 获取getAppSign返回值 <\/span><\/span><\/span><\/span>jstring __s =<\/span> (jstring)env-><\/span>CallStaticObjectMethod(cls_LogShutDown, getAppSign); <\/span><\/span> <\/span><\/span>\/\/ 第一次MD5加密 <\/span><\/span><\/span><\/span>std::<\/span>string src =<\/span> md5(stringFromJstring(env, __s)); <\/span><\/span>std::<\/span>string appsignMd5result =<\/span> toUpperCase(src); <\/span><\/span> <\/span><\/span>\/\/ 字符串拼接 <\/span><\/span><\/span><\/span>std::<\/span>string input =<\/span> appsignMd5result +<\/span> account +<\/span> token +<\/span> timestamp; <\/span><\/span> <\/span><\/span>\/\/ 第二次MD5加密 <\/span><\/span><\/span><\/span>std::<\/span>string result =<\/span> toUpperCase(md5(input)); <\/span><\/span><\/code><\/pre><\/li> <\/ol> 6. Hook验证<\/h2> 使用frida进行动态验证:<\/p> Hook md5::update<\/code>函数验证输入参数:<\/p> \/\/ 打印md5::update的输入 <\/span><\/span><\/span><\/span>console<\/span>.log<\/span>("input: "<\/span> +<\/span> ptr<\/span>(input<\/span>).readCString<\/span>()); <\/span><\/span><\/code><\/pre>验证拼接逻辑是否正确<\/p> <\/li> Hook LogShutDown.getAppSign<\/code>:<\/p> \/\/ 打印getAppSign返回值 <\/span><\/span><\/span><\/span>console<\/span>.log<\/span>("getAppSign return: "<\/span> +<\/span> retval<\/span>); <\/span><\/span><\/code><\/pre>发现返回值为固定值<\/p> <\/li> <\/ol> 7. 签名生成复现<\/h2> 示例数据:<\/p> getAppSign返回: A262FA6ED59F60E49FD49E205F68426D<\/code><\/li> account: 2d5c37ea-c2ef-4453-a87a-103610a90b53<\/code><\/li> token: 空<\/li> timestamp: 1735787896808<\/code><\/li> <\/ul> 生成步骤:<\/p> 对A262FA6ED59F60E49FD49E205F68426D<\/code>进行MD5:<\/p> 结果: f2fd87d83151721b48e869dbff113ac8<\/code><\/li> 转为大写: F2FD87D83151721B48E869DBFF113AC8<\/code><\/li> <\/ul> <\/li> 拼接字符串: F2FD87D83151721B48E869DBFF113AC82d5c37ea-c2ef-4453-a87a-103610a90b531735787896808<\/code><\/p> <\/li> 对拼接结果进行MD5并转为大写，得到最终sign<\/p> <\/li> <\/ol> 8. 总结<\/h2> 某某新闻App的sign生成流程:<\/p> 获取固定的getAppSign<\/code>返回值<\/li> 对该值进行MD5并转为大写<\/li> 拼接account、token(如有)和timestamp<\/li> 对拼接结果进行MD5并转为大写<\/li> 最终结果作为sign使用<\/li> <\/ol> 关键点<\/strong>:<\/p> 使用了双重MD5加密<\/li> 第一次加密的对象是固定的应用签名<\/li> 第二次加密的对象是拼接字符串<\/li> 所有MD5结果都转为大写<\/li> account使用UUID随机生成<\/li> token在未登录时为空<\/li> <\/ul> 9. 防御建议<\/h2> 对于类似签名机制的安全加固建议:<\/p> 增加动态密钥或盐值<\/li> 引入设备指纹等变量因素<\/li> 使用非标准哈希算法或自定义加密<\/li> 关键逻辑增加混淆和反调试保护<\/li> <\/ol>