Reverse engineering the login of a certain 享瘦 app
Download link:
aHR0cHM6Ly93d3cud2FuZG91amlhLmNvbS9hcHBzLzc0NTc5OTk=
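Open the app's login screen, enter the account details, and start capturing with Charles. The app reports a network error, which shows that it enforces certificate pinning.
The next step is to get past the certificate pinning check by hooking with objection.
The command android sslpinning disable turns the pinning check off, after which the traffic can be captured.
Charles now shows the login endpoint and the request body, as in the screenshot below:
Next, analyze the parameters. Over several captures, only sign changes each time, so all we need to work out is where sign comes from.
Loading the apk into jadx for decompilation shows that it is packed.
The next step is to unpack it, which can be done with frida-dexdump: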
frida-dexdump -U -f com.kufeng.hj.enjoy -o d:\testzip\dex
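After the dump, check the sizes of the resulting dex files.
Load them into jadx one at a time from top to bottom. classes11.dex turns out to have content, so search that dex for what we need.
Click through the search hits one by one.
The sign parameter is assigned here; open the u0 method to inspect it.
Inside u0, the c method of the u5 object is called; click c to inspect it.
The c method is clearly an MD5 routine. Moving on to the b method,
it Base64-encodes the MD5 result. At this point we only need to find out where the value passed into u0 comes from in order to reconstruct how sign is produced.
This is where frida comes in: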
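function main() {
    Java.perform(function () {
        // Class that holds the MD5 helper located in jadx
        var u5 = Java.use('com.lvshou.hxs.util.u5');
        u5.c.implementation = function (a) {
            console.log(a);     // print the plaintext handed to MD5
            return this.c(a);   // call the original method unchanged
        };
    });
}
setImmediate(main);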
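Hooking the c method of the u5 object shows exactly what value is passed in.
From the printed values, the input is the current timestamp followed by the string acol$!z%wh. That gives us the whole algorithm.
The full flow is: hash the current timestamp concatenated with acol$!z%wh using MD5, then Base64-encode the result.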
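As an added example (not code from the original post or from the app), this shows what a server-side check of this sign can and cannot establish, next to a signature that is bound to the whole request and to a freshness window. The names legacy_verify, bound_sign and bound_verify, the key and the sample request are hypothetical; taking the MD5 result as a lowercase hex string before Base64 follows the page's reproduction.

```python
import base64
import hashlib
import hmac
import json

SALT = "acol$!z%wh"  # constant recovered on the page; ships inside the client


def legacy_sign(utime):
    """Page's scheme: Base64 of the hex MD5 of str(utime) + SALT."""
    digest = hashlib.md5((str(utime) + SALT).encode()).hexdigest()
    return base64.b64encode(digest.encode()).decode()


def legacy_verify(params):
    # Only utime feeds the signature, so no other field is protected.
    return hmac.compare_digest(params["sign"], legacy_sign(params["utime"]))


def bound_sign(params, key):
    """Assumed alternative: HMAC-SHA256 over all fields in canonical form."""
    body = {k: str(v) for k, v in params.items() if k != "sign"}
    canon = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, canon.encode(), hashlib.sha256).hexdigest()


def bound_verify(params, key, now, max_skew=300):
    if abs(now - int(params["utime"])) > max_skew:  # stale or future timestamp
        return False
    return hmac.compare_digest(params["sign"], bound_sign(params, key))


def demo():
    now = 1700000000                          # constructed timestamp
    key = b"hypothetical-server-issued-key"   # placeholder, not from the app
    req = {"username": "alice", "pwd": "example", "utime": now}  # constructed
    legacy = dict(req, sign=legacy_sign(now))
    bound = dict(req, sign=bound_sign(req, key))
    return {
        # Same sign, different username: the legacy check cannot tell.
        "legacy_accepts_tampered": legacy_verify(dict(legacy, username="bob")),
        "bound_accepts_original": bound_verify(bound, key, now),
        "bound_accepts_tampered": bound_verify(dict(bound, username="bob"), key, now),
        "bound_accepts_stale": bound_verify(bound, key, now + 3600),
    }


if __name__ == "__main__":
    print(demo())
```

Any key that ships in the client can be recovered by the same kind of hooking, so the bound variant protects request integrity and freshness, not client authenticity.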
Replaying the request in Python:
import time

import execjs
import requests

cer_time = int(time.time())
# login.js supplies the md5 and base64 helpers
ctx = execjs.compile(open('./login.js', encoding='utf-8').read())
md5_result = ctx.call('md5', str(cer_time) + 'acol$!z%wh')
base64_result = ctx.call('base64', md5_result)
url = 'https://api.hxsapp.com/account/userAccount/login'
params = {
    'region_code': '86',
    'username': '18235015508',
    'pwd': '123455',
    'model_idfa': '3fa8f27a8daaf460',
    'model_version': 'Pixel%202',
    'app_version': '7.0.3',
    'system_version': '10',
    'app_name': 'hxs',
    'channel': 'huawei',
    'platform_type': 'Android',
    'utime': cer_time,
    'sign': base64_result,
    'sess_token': ''
}
print(requests.post(url=url, data=params).text)
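JS code (login.js): it defines the md5 and base64 functions called from the Python script, a standalone MD5 routine and a Base64 wrapper built on CryptoJS.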
The result of running it is shown below: