淘某热点APP逆向分析教学文档<\/h1>

一、逆向目标<\/h2>

目标APP<\/strong>：淘某热点APP<\/li>
版本<\/strong>：2.6.7<\/li>
逆向参数<\/strong>：sign签名参数<\/li>

下载地址<\/strong>：aHR0cHM6Ly93d3cud2FuZG91amlhLmNvbS9hcHBzLzc4Mzc0MTc= (Base64解码后获取真实地址)<\/li> <\/ul>
二、抓包分析<\/h2>

使用Charles配合SocksDroid进行抓包<\/li>
在APP首页刷新操作时捕获请求<\/li>
发现关键参数sign需要逆向分析<\/li> <\/ol>
三、逆向分析方法<\/h2>
1. 定位sign参数生成位置<\/h3>
方法一：直接搜索关键字sign<\/strong><\/p>
方法二：Frida Hook HashMap类<\/strong><\/p>
function<\/span> showStacks<\/span>() { <\/span><\/span> Java<\/span>.perform<\/span>(function<\/span> () { <\/span><\/span> console<\/span>.log<\/span>(Java<\/span>.use<\/span>("android.util.Log"<\/span>).getStackTraceString<\/span>( <\/span><\/span> Java<\/span>.use<\/span>("java.lang.Throwable"<\/span>).$new<\/span>() <\/span><\/span> )); <\/span><\/span> }) <\/span><\/span>} <\/span><\/span> <\/span><\/span>\/\/ HashMap.put方法Hook <\/span><\/span><\/span><\/span>function<\/span> hook_hashMap<\/span>(){ <\/span><\/span> var<\/span> hashMap<\/span> =<\/span> Java<\/span>.use<\/span>("java.util.HashMap"<\/span>); <\/span><\/span> hashMap<\/span>.put<\/span>.implementation<\/span> =<\/span> function<\/span> (a<\/span>,b<\/span>){ <\/span><\/span> if<\/span> (a<\/span> ===<\/span> "sign"<\/span>){ <\/span><\/span> \/\/ 查看调用栈 <\/span><\/span><\/span><\/span> showStacks<\/span>() <\/span><\/span> } <\/span><\/span> console<\/span>.log<\/span>('hook_hashMap输出-->'<\/span>,a<\/span>,b<\/span>) <\/span><\/span> return<\/span> this<\/span>.put<\/span>(a<\/span>,b<\/span>) <\/span><\/span> } <\/span><\/span>} <\/span><\/span> <\/span><\/span>Java<\/span>.perform<\/span>(function<\/span>() { <\/span><\/span> hook_hashMap<\/span>() <\/span><\/span>}); <\/span><\/span><\/code><\/pre>执行命令：<\/p> frida -UF -l demo.js -o 1.txt <\/code><\/pre> 2. Java层分析<\/h3> 使用JADX反编译APK<\/li> 根据堆栈信息定位到com.maihan.tredian.util.TreUtil.sign<\/code>方法<\/li> 验证定位是否正确：<\/li> <\/ol> function<\/span> hook1<\/span>(){ <\/span><\/span> let<\/span> TreUtil<\/span> =<\/span> Java<\/span>.use<\/span>("com.maihan.tredian.util.TreUtil"<\/span>); <\/span><\/span> TreUtil<\/span>["sign"<\/span>].implementation<\/span> =<\/span> function<\/span> (str<\/span>) { <\/span><\/span> console<\/span>.log<\/span>('sign is called str: '<\/span> +<\/span> str<\/span>); <\/span><\/span> let<\/span> ret<\/span> =<\/span> this<\/span>.sign<\/span>(str<\/span>); <\/span><\/span> console<\/span>.log<\/span>('sign ret value is '<\/span> +<\/span> ret<\/span>); <\/span><\/span> return<\/span> ret<\/span>; <\/span><\/span> }; <\/span><\/span>} <\/span><\/span> <\/span><\/span>Java<\/span>.perform<\/span>(function<\/span> () { <\/span><\/span> hook1<\/span>(); <\/span><\/span>}); <\/span><\/span><\/code><\/pre> 发现最终调用native层加密，加载tre.so<\/code>文件<\/li> <\/ol> 3. 主动调用sign方法<\/h3> \/\/ sign function call_taozui(){ <\/span><\/span><\/span><\/span> let<\/span> TreUtil<\/span> =<\/span> Java<\/span>.use<\/span>("com.maihan.tredian.util.TreUtil"<\/span>); <\/span><\/span> \/\/ 主动调用sign方法 <\/span><\/span><\/span><\/span> let<\/span> str<\/span> =<\/span> "android_id=9a8493c270cc2270&app_ver=87&channel=aliapp&device_id=5e9bdbbc3bc779c18511c1bb26351dad&device_udid=8f6e2b8cf3b2e3c36db8dea8368d7305&first_time=1706003627&from=app&last_time=1695744000&limit=8&mac=0E:D8:C1:64:25:37&nonce=4vlwb71740715028559&os_ver_code=30&system=1&timestamp=1740715028&with_super=0&with_video=1"<\/span>; <\/span><\/span> console<\/span>.log<\/span>('Before calling sign, str: '<\/span> +<\/span> str<\/span>); <\/span><\/span> \/\/ 调用sign方法 <\/span><\/span><\/span><\/span> let<\/span> result<\/span> =<\/span> TreUtil<\/span>.sign<\/span>(str<\/span>); <\/span><\/span> console<\/span>.log<\/span>('After calling sign, result: '<\/span> +<\/span> result<\/span>); <\/span><\/span>} <\/span><\/span><\/code><\/pre>四、SO层分析<\/h2> 1. 获取SO文件<\/h3> 从APK的lib目录下获取tre.so<\/code>文件<\/p> 2. IDA静态分析<\/h3> 在导出表中搜索Java<\/code>，确认是静态注册<\/li> 定位到sign<\/code>函数<\/li> 发现明显的SHA1算法特征<\/li> 但直接使用标准SHA1算法计算结果不一致<\/li> <\/ol> 3. 关键函数分析<\/h3> 发现j_base64_encode_new<\/code>函数，可能是加密流程中的关键步骤<\/p> 4. Frida Hook SO层函数<\/h3> var<\/span> soAddr<\/span> =<\/span> Module<\/span>.findBaseAddress<\/span>("libtre.so"<\/span>); <\/span><\/span>\/\/ 32位需要加1 <\/span><\/span><\/span><\/span>var<\/span> base64_encode_new<\/span> =<\/span> soAddr<\/span>.add<\/span>(0x13B4<\/span>+<\/span>1<\/span>); <\/span><\/span> <\/span><\/span>Interceptor<\/span>.attach<\/span>(base64_encode_new<\/span>,{ <\/span><\/span> onEnter<\/span>:<\/span>function<\/span> (args<\/span>){ <\/span><\/span> console<\/span>.log<\/span>("参数1"<\/span>,args<\/span>[0<\/span>].readCString<\/span>()); <\/span><\/span> console<\/span>.log<\/span>("参数2"<\/span>,hexdump<\/span>(args<\/span>[1<\/span>])); <\/span><\/span> console<\/span>.log<\/span>("参数3"<\/span>,args<\/span>[2<\/span>].toInt32<\/span>()); <\/span><\/span> }, <\/span><\/span> onLeave<\/span>:<\/span>function<\/span> (retval<\/span>){ <\/span><\/span> console<\/span>.log<\/span>("返回值为:"<\/span>,retval<\/span>.readCString<\/span>()) <\/span><\/span> } <\/span><\/span>}); <\/span><\/span><\/code><\/pre>5. 加密流程分析<\/h3> 在查询参数后添加特定字符串（加盐）<\/li> 对加盐后的字符串进行Base64编码<\/li> 对Base64编码结果进行标准SHA1算法加密<\/li> <\/ol> 五、完整加密流程<\/h2> 参数拼接<\/strong>：将所有请求参数按固定顺序拼接成字符串<\/li> 加盐处理<\/strong>：在参数字符串后添加特定字符串<\/li> Base64编码<\/strong>：对加盐后的字符串进行Base64编码<\/li> SHA1加密<\/strong>：对Base64编码结果进行标准SHA1算法加密<\/li> 生成sign<\/strong>：将SHA1结果作为最终的sign值<\/li> <\/ol> 六、验证方法<\/h2> 使用标准SHA1工具验证中间结果<\/li> 对比Frida Hook获取的值与计算结果<\/li> 确保每一步处理与APP实际处理一致<\/li> <\/ol> 七、注意事项<\/h2> 本分析仅供学习交流使用<\/li> 严禁用于商业用途和非法用途<\/li> 抓包内容、敏感网址、数据接口等均已做脱敏处理<\/li> 不提供完整代码，防止滥用<\/li> <\/ol> 八、总结<\/h2> 通过本次逆向分析，我们完整还原了淘某热点APP的sign参数生成流程，涉及Java层定位、Native层分析、加密算法还原等关键技术点。关键点在于：<\/p> 使用Frida Hook快速定位关键函数<\/li> Java层与Native层的交互分析<\/li> 非标准加密算法的逆向分析<\/li> 加盐、Base64编码、SHA1加密的组合使用<\/li> <\/ol> 这种分析方法可以应用于其他APP的类似参数逆向场景。<\/p>

淘某热点APP逆向分析教学文档<\/h1>

三、逆向分析方法<\/h2>

四、SO层分析<\/h2>

1. 获取SO文件<\/h3>
从APK的lib目录下获取`tre.so<\/code>文件<\/p>`

3. 关键函数分析<\/h3>
发现`j_base64_encode_new<\/code>函数，可能是加密流程中的关键步骤<\/p>`