下载地址:

aHR0cHM6Ly93d3cud2FuZG91amlhLmNvbS9hcHBzLzc0NTc5OTk=

进入app的登录界面输入账号信息并开启charles抓包工具进行抓包,结果发现显示网络错误,证明该app进行了证书绑定的验证

接下来就是过证书绑定的验证,通过objection工具来进行hook

通过 android sslpinning disable命令即可过掉证书绑定的验证,接下来就是抓包了

通过查看charles抓包工具可以看到该登录接口,以及请求的内容,如下图:

接下来就是分析参数,经过多次抓包可以分析出,只有sign每次是变化的,因此我们只需要搞清楚sign的来源就行

将apk拖入到jadx中进行反编译,发现是加壳的。

接下进行脱壳,可以使用frida_dexdump进行脱壳

frida-dexdump -U -f com.kufeng.hj.enjoy -o d:\testzip\dex

脱下来之后查看这些dex文件的大小

从上往下依次拖到jadx中查看,发现classes11.dex有内容,所以在该dex中尝试搜索我们需要的内容

点击搜索到的内容进去依次查看,

发现sign参数在这里进行了赋值,点进u0方法中去查看,

其中u0方法内调用了u5对象的c方法,点击c进入查看

可以清楚看到c方法其实是MD5算法,再点到b方法中,

也就是将md5加密之后的值进行了base64编码,到现在我们只需要搞清楚u0方法传入的值是怎么来的就可以还原出sign的来源了

这时候我们就可以用到frida,


function main(){Java.perform(function(){var u5 = Java.use('com.lvshou.hxs.util.u5');u5.c.implementation = function(a){console.log(a);return this.c(a);}})
}setImmediate(main);

通过对u5对象的c方法进行hook,可以清楚的知道我们传入的值是多少

通过查看打印值,可以得出传入的值是当前时间戳加acol$!z%wh字符串,到这里我们就还原出整体的算法了,

具体流程是:当前时间戳加acol$!z%wh字符串进行md5加密,然后base64编码

使用python进行模拟请求

import requests, execjs, timecer_time = int(time.time())ctx = execjs.compile(open('./login.js', encoding='utf-8').read())
md5_result = ctx.call('md5', str(cer_time) + 'acol$!z%wh')
base64_result = ctx.call('base64', md5_result)url = 'https://api.hxsapp.com/account/userAccount/login'params = {'region_code': '86','username': '18235015508','pwd': '123455','model_idfa': '3fa8f27a8daaf460','model_version': 'Pixel%202','app_version': '7.0.3','system_version': '10','app_name': 'hxs','channel': 'huawei','platform_type': 'Android','utime': cer_time,'sign': base64_result,'sess_token': ''
}
print(requests.post(url=url, data=params).text)

js代码

function md5(a) {function b(a, b) {return a << b | a >>> 32 - b}function c(a, b) {var c, d, e, f, g;return e = 2147483648 & a,f = 2147483648 & b,c = 1073741824 & a,d = 1073741824 & b,g = (1073741823 & a) + (1073741823 & b),c & d ? 2147483648 ^ g ^ e ^ f : c | d ? 1073741824 & g ? 3221225472 ^ g ^ e ^ f : 1073741824 ^ g ^ e ^ f : g ^ e ^ f}function d(a, b, c) {return a & b | ~a & c}function e(a, b, c) {return a & c | b & ~c}function f(a, b, c) {return a ^ b ^ c}function g(a, b, c) {return b ^ (a | ~c)}function h(a, e, f, g, h, i, j) {return a = c(a, c(c(d(e, f, g), h), j)),c(b(a, i), e)}function i(a, d, f, g, h, i, j) {return a = c(a, c(c(e(d, f, g), h), j)),c(b(a, i), d)}function j(a, d, e, g, h, i, j) {return a = c(a, c(c(f(d, e, g), h), j)),c(b(a, i), d)}function k(a, d, e, f, h, i, j) {return a = c(a, c(c(g(d, e, f), h), j)),c(b(a, i), d)}function l(a) {for (var b, c = a.length, d = c + 8, e = (d - d % 64) / 64, f = 16 * (e + 1), g = new Array(f - 1), h = 0, i = 0; c > i;)b = (i - i % 4) / 4,h = i % 4 * 8,g[b] = g[b] | a.charCodeAt(i) << h,i++;return b = (i - i % 4) / 4,h = i % 4 * 8,g[b] = g[b] | 128 << h,g[f - 2] = c << 3,g[f - 1] = c >>> 29,g}function m(a) {var b, c, d = "", e = "";for (c = 0; 3 >= c; c++)b = a >>> 8 * c & 255,e = "0" + b.toString(16),d += e.substr(e.length - 2, 2);return d}function n(a) {a = a.replace(/\r\n/g, "\n");for (var b = "", c = 0; c < a.length; c++) {var d = a.charCodeAt(c);128 > d ? b += String.fromCharCode(d) : d > 127 && 2048 > d ? (b += String.fromCharCode(d >> 6 | 192),b += String.fromCharCode(63 & d | 128)) : (b += String.fromCharCode(d >> 12 | 224),b += String.fromCharCode(d >> 6 & 63 | 128),b += String.fromCharCode(63 & d | 128))}return b}var o, p, q, r, s, t, u, v, w, x = [], y = 7, z = 12, A = 17, B = 22, C = 5, D = 9, E = 14, F = 20, G = 4, H = 11,I = 16, J = 23, K = 6, L = 10, M = 15, N = 21;for (a = n(a),x = l(a),t = 1732584193,u = 4023233417,v = 2562383102,w = 271733878,o = 0; o < x.length; o += 16)p = t,q = u,r = v,s = w,t = h(t, u, v, w, x[o + 0], y, 3614090360),w = h(w, t, u, v, x[o + 1], z, 3905402710),v = h(v, w, t, u, x[o + 2], A, 606105819),u = h(u, v, w, t, x[o + 3], B, 3250441966),t = h(t, u, v, w, x[o + 4], y, 4118548399),w = h(w, t, u, v, x[o + 5], z, 1200080426),v = h(v, w, t, u, x[o + 6], A, 2821735955),u = h(u, v, w, t, x[o + 7], B, 4249261313),t = h(t, u, v, w, x[o + 8], y, 1770035416),w = h(w, t, u, v, x[o + 9], z, 2336552879),v = h(v, w, t, u, x[o + 10], A, 4294925233),u = h(u, v, w, t, x[o + 11], B, 2304563134),t = h(t, u, v, w, x[o + 12], y, 1804603682),w = h(w, t, u, v, x[o + 13], z, 4254626195),v = h(v, w, t, u, x[o + 14], A, 2792965006),u = h(u, v, w, t, x[o + 15], B, 1236535329),t = i(t, u, v, w, x[o + 1], C, 4129170786),w = i(w, t, u, v, x[o + 6], D, 3225465664),v = i(v, w, t, u, x[o + 11], E, 643717713),u = i(u, v, w, t, x[o + 0], F, 3921069994),t = i(t, u, v, w, x[o + 5], C, 3593408605),w = i(w, t, u, v, x[o + 10], D, 38016083),v = i(v, w, t, u, x[o + 15], E, 3634488961),u = i(u, v, w, t, x[o + 4], F, 3889429448),t = i(t, u, v, w, x[o + 9], C, 568446438),w = i(w, t, u, v, x[o + 14], D, 3275163606),v = i(v, w, t, u, x[o + 3], E, 4107603335),u = i(u, v, w, t, x[o + 8], F, 1163531501),t = i(t, u, v, w, x[o + 13], C, 2850285829),w = i(w, t, u, v, x[o + 2], D, 4243563512),v = i(v, w, t, u, x[o + 7], E, 1735328473),u = i(u, v, w, t, x[o + 12], F, 2368359562),t = j(t, u, v, w, x[o + 5], G, 4294588738),w = j(w, t, u, v, x[o + 8], H, 2272392833),v = j(v, w, t, u, x[o + 11], I, 1839030562),u = j(u, v, w, t, x[o + 14], J, 4259657740),t = j(t, u, v, w, x[o + 1], G, 2763975236),w = j(w, t, u, v, x[o + 4], H, 1272893353),v = j(v, w, t, u, x[o + 7], I, 4139469664),u = j(u, v, w, t, x[o + 10], J, 3200236656),t = j(t, u, v, w, x[o + 13], G, 681279174),w = j(w, t, u, v, x[o + 0], H, 3936430074),v = j(v, w, t, u, x[o + 3], I, 3572445317),u = j(u, v, w, t, x[o + 6], J, 76029189),t = j(t, u, v, w, x[o + 9], G, 3654602809),w = j(w, t, u, v, x[o + 12], H, 3873151461),v = j(v, w, t, u, x[o + 15], I, 530742520),u = j(u, v, w, t, x[o + 2], J, 3299628645),t = k(t, u, v, w, x[o + 0], K, 4096336452),w = k(w, t, u, v, x[o + 7], L, 1126891415),v = k(v, w, t, u, x[o + 14], M, 2878612391),u = k(u, v, w, t, x[o + 5], N, 4237533241),t = k(t, u, v, w, x[o + 12], K, 1700485571),w = k(w, t, u, v, x[o + 3], L, 2399980690),v = k(v, w, t, u, x[o + 10], M, 4293915773),u = k(u, v, w, t, x[o + 1], N, 2240044497),t = k(t, u, v, w, x[o + 8], K, 1873313359),w = k(w, t, u, v, x[o + 15], L, 4264355552),v = k(v, w, t, u, x[o + 6], M, 2734768916),u = k(u, v, w, t, x[o + 13], N, 1309151649),t = k(t, u, v, w, x[o + 4], K, 4149444226),w = k(w, t, u, v, x[o + 11], L, 3174756917),v = k(v, w, t, u, x[o + 2], M, 718787259),u = k(u, v, w, t, x[o + 9], N, 3951481745),t = c(t, p),u = c(u, q),v = c(v, r),w = c(w, s);var O = m(t) + m(u) + m(v) + m(w);return O.toLowerCase()
}var CryptoJS = CryptoJS || (function (Math, undefined) {var C = {};var C_lib = C.lib = {};var Base = C_lib.Base = (function () {function F() {};return {extend: function (overrides) {F.prototype = this;var subtype = new F();if (overrides) {subtype.mixIn(overrides);}if (!subtype.hasOwnProperty('init') || this.init === subtype.init) {subtype.init = function () {subtype.$super.init.apply(this, arguments);};}subtype.init.prototype = subtype;subtype.$super = this;return subtype;}, create: function () {var instance = this.extend();instance.init.apply(instance, arguments);return instance;}, init: function () {}, mixIn: function (properties) {for (var propertyName in properties) {if (properties.hasOwnProperty(propertyName)) {this[propertyName] = properties[propertyName];}}if (properties.hasOwnProperty('toString')) {this.toString = properties.toString;}}, clone: function () {return this.init.prototype.extend(this);}};}());var WordArray = C_lib.WordArray = Base.extend({init: function (words, sigBytes) {words = this.words = words || [];if (sigBytes != undefined) {this.sigBytes = sigBytes;} else {this.sigBytes = words.length * 4;}}, toString: function (encoder) {return (encoder || Hex).stringify(this);}, concat: function (wordArray) {var thisWords = this.words;var thatWords = wordArray.words;var thisSigBytes = this.sigBytes;var thatSigBytes = wordArray.sigBytes;this.clamp();if (thisSigBytes % 4) {for (var i = 0; i < thatSigBytes; i++) {var thatByte = (thatWords[i >>> 2] >>> (24 - (i % 4) * 8)) & 0xff;thisWords[(thisSigBytes + i) >>> 2] |= thatByte << (24 - ((thisSigBytes + i) % 4) * 8);}} else if (thatWords.length > 0xffff) {for (var i = 0; i < thatSigBytes; i += 4) {thisWords[(thisSigBytes + i) >>> 2] = thatWords[i >>> 2];}} else {thisWords.push.apply(thisWords, thatWords);}this.sigBytes += thatSigBytes;return this;}, clamp: function () {var words = this.words;var sigBytes = this.sigBytes;words[sigBytes >>> 2] &= 0xffffffff << (32 - (sigBytes % 4) * 8);words.length = Math.ceil(sigBytes / 4);}, clone: function () {var clone = Base.clone.call(this);clone.words = this.words.slice(0);return clone;}, random: function (nBytes) {var words = [];var r = (function (m_w) {var m_w = m_w;var m_z = 0x3ade68b1;var mask = 0xffffffff;return function () {m_z = (0x9069 * (m_z & 0xFFFF) + (m_z >> 0x10)) & mask;m_w = (0x4650 * (m_w & 0xFFFF) + (m_w >> 0x10)) & mask;var result = ((m_z << 0x10) + m_w) & mask;result /= 0x100000000;result += 0.5;return result * (Math.random() > .5 ? 1 : -1);}});for (var i = 0, rcache; i < nBytes; i += 4) {var _r = r((rcache || Math.random()) * 0x100000000);rcache = _r() * 0x3ade67b7;words.push((_r() * 0x100000000) | 0);}return new WordArray.init(words, nBytes);}});var C_enc = C.enc = {};var Hex = C_enc.Hex = {stringify: function (wordArray) {var words = wordArray.words;var sigBytes = wordArray.sigBytes;var hexChars = [];for (var i = 0; i < sigBytes; i++) {var bite = (words[i >>> 2] >>> (24 - (i % 4) * 8)) & 0xff;hexChars.push((bite >>> 4).toString(16));hexChars.push((bite & 0x0f).toString(16));}return hexChars.join('');}, parse: function (hexStr) {var hexStrLength = hexStr.length;var words = [];for (var i = 0; i < hexStrLength; i += 2) {words[i >>> 3] |= parseInt(hexStr.substr(i, 2), 16) << (24 - (i % 8) * 4);}return new WordArray.init(words, hexStrLength / 2);}};var Latin1 = C_enc.Latin1 = {stringify: function (wordArray) {var words = wordArray.words;var sigBytes = wordArray.sigBytes;var latin1Chars = [];for (var i = 0; i < sigBytes; i++) {var bite = (words[i >>> 2] >>> (24 - (i % 4) * 8)) & 0xff;latin1Chars.push(String.fromCharCode(bite));}return latin1Chars.join('');}, parse: function (latin1Str) {var latin1StrLength = latin1Str.length;var words = [];for (var i = 0; i < latin1StrLength; i++) {words[i >>> 2] |= (latin1Str.charCodeAt(i) & 0xff) << (24 - (i % 4) * 8);}return new WordArray.init(words, latin1StrLength);}};var Utf8 = C_enc.Utf8 = {stringify: function (wordArray) {try {return decodeURIComponent(escape(Latin1.stringify(wordArray)));} catch (e) {throw new Error('Malformed UTF-8 data');}}, parse: function (utf8Str) {return Latin1.parse(unescape(encodeURIComponent(utf8Str)));}};var BufferedBlockAlgorithm = C_lib.BufferedBlockAlgorithm = Base.extend({reset: function () {this._data = new WordArray.init();this._nDataBytes = 0;}, _append: function (data) {if (typeof data == 'string') {data = Utf8.parse(data);}this._data.concat(data);this._nDataBytes += data.sigBytes;}, _process: function (doFlush) {var data = this._data;var dataWords = data.words;var dataSigBytes = data.sigBytes;var blockSize = this.blockSize;var blockSizeBytes = blockSize * 4;var nBlocksReady = dataSigBytes / blockSizeBytes;if (doFlush) {nBlocksReady = Math.ceil(nBlocksReady);} else {nBlocksReady = Math.max((nBlocksReady | 0) - this._minBufferSize, 0);}var nWordsReady = nBlocksReady * blockSize;var nBytesReady = Math.min(nWordsReady * 4, dataSigBytes);if (nWordsReady) {for (var offset = 0; offset < nWordsReady; offset += blockSize) {this._doProcessBlock(dataWords, offset);}var processedWords = dataWords.splice(0, nWordsReady);data.sigBytes -= nBytesReady;}return new WordArray.init(processedWords, nBytesReady);}, clone: function () {var clone = Base.clone.call(this);clone._data = this._data.clone();return clone;}, _minBufferSize: 0});var Hasher = C_lib.Hasher = BufferedBlockAlgorithm.extend({cfg: Base.extend(),init: function (cfg) {this.cfg = this.cfg.extend(cfg);this.reset();}, reset: function () {BufferedBlockAlgorithm.reset.call(this);this._doReset();}, update: function (messageUpdate) {this._append(messageUpdate);this._process();return this;}, finalize: function (messageUpdate) {if (messageUpdate) {this._append(messageUpdate);}var hash = this._doFinalize();return hash;}, blockSize: 512 / 32,_createHelper: function (hasher) {return function (message, cfg) {return new hasher.init(cfg).finalize(message);};}, _createHmacHelper: function (hasher) {return function (message, key) {return new C_algo.HMAC.init(hasher, key).finalize(message);};}});var C_algo = C.algo = {};return C;
}(Math));(function () {var C = CryptoJS;var C_lib = C.lib;var WordArray = C_lib.WordArray;var C_enc = C.enc;var Base64 = C_enc.Base64 = {stringify: function (wordArray) {var words = wordArray.words;var sigBytes = wordArray.sigBytes;var map = this._map;wordArray.clamp();var base64Chars = [];for (var i = 0; i < sigBytes; i += 3) {var byte1 = (words[i >>> 2] >>> (24 - (i % 4) * 8)) & 0xff;var byte2 = (words[(i + 1) >>> 2] >>> (24 - ((i + 1) % 4) * 8)) & 0xff;var byte3 = (words[(i + 2) >>> 2] >>> (24 - ((i + 2) % 4) * 8)) & 0xff;var triplet = (byte1 << 16) | (byte2 << 8) | byte3;for (var j = 0;(j < 4) && (i + j * 0.75 < sigBytes); j++) {base64Chars.push(map.charAt((triplet >>> (6 * (3 - j))) & 0x3f));}}var paddingChar = map.charAt(64);if (paddingChar) {while (base64Chars.length % 4) {base64Chars.push(paddingChar);}}return base64Chars.join('');}, parse: function (base64Str) {var base64StrLength = base64Str.length;var map = this._map;var reverseMap = this._reverseMap;if (!reverseMap) {reverseMap = this._reverseMap = [];for (var j = 0; j < map.length; j++) {reverseMap[map.charCodeAt(j)] = j;}}var paddingChar = map.charAt(64);if (paddingChar) {var paddingIndex = base64Str.indexOf(paddingChar);if (paddingIndex !== -1) {base64StrLength = paddingIndex;}}return parseLoop(base64Str, base64StrLength, reverseMap);}, _map: 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/='};function parseLoop(base64Str, base64StrLength, reverseMap) {var words = [];var nBytes = 0;for (var i = 0; i < base64StrLength; i++) {if (i % 4) {var bits1 = reverseMap[base64Str.charCodeAt(i - 1)] << ((i % 4) * 2);var bits2 = reverseMap[base64Str.charCodeAt(i)] >>> (6 - (i % 4) * 2);words[nBytes >>> 2] |= (bits1 | bits2) << (24 - (nBytes % 4) * 8);nBytes++;}}return WordArray.create(words, nBytes);}
}());function base64(word) {var src = CryptoJS.enc.Utf8.parse(word);return CryptoJS.enc.Base64.stringify(src);
}function B64_Decrypt(word) {var src = CryptoJS.enc.Base64.parse(word);return CryptoJS.enc.Utf8.stringify(src);
}

运行结果如下:

某享瘦app登录逆向相关推荐

  1. 某app登录协议逆向分析

    某app登录协议逆向分析 设备 iphone 5s Mac Os app:神奇的字符串57qm5Y2V 本文主要通过frida-trace.fridaHook.lldb动态调试完成破解相应的登录算法, ...

  2. 易班APP登录密码加密、sig逆向分析

    1.最近闲来无事,听说有一个易班app登录好练手,就去试了一下看看. 先抓个包看看 然后使用了腾讯的壳,脱一下,我这边用的是BlackDex64. 脱完壳之后导出来直接导出来拖到jadx,就是现在这个 ...

  3. 安卓关于健身的代码_亲子运动健身新玩法,娱乐享瘦两不误,让孩子不再沉迷电子产品...

    每次和姐妹逛街,看到那些漂亮小姐姐们在电玩城跳舞机上跳舞,心里都痒痒的想要自己上去试试,可就是因为不熟练,大庭广众之下害羞怕丢脸,最后放弃了.可每次路过还是会羡慕那些敢跳的姐姐们! 平常工作忙,压力大 ...

  4. 【android逆向笔记】(一)简单登录逆向

    简单的登录逆向 因为是简单的学习过程,所以这里直接进行逆向,就不进行android代码的演示了.apk是直接借用了被人写好的app来进行学习的. ###(1)使用APK改之理对apk进行编译. ### ...

  5. SPRINGBOOT享瘦减肥中心管理系统

    开发工具(eclipse/idea/vscode等):idea 数据库(sqlite/mysql/sqlserver等):mysql 功能模块(请用文字描述,至少200字):基于Spring Boot ...

  6. 怎么用Android做登录界面,利用Android怎么制作一个APP登录界面

    利用Android怎么制作一个APP登录界面 发布时间:2020-12-02 17:09:10 来源:亿速云 阅读:79 作者:Leah 这期内容当中小编将会给大家带来有关利用Android怎么制作一 ...

  7. app开发人脸登录和指纹登录_易讯云通讯推出“一键登录”,为App登录提供新方案...

    移动互联网时代,用户的耐心越来越少,注意力也越来越弱,追求便捷与高效.登录的方式从自定义的账号密码登录,到邮箱登录,到第三方登录与手机验证码登录两种登录方式进行竞争,到现在的个人指纹,人脸识别等的识别 ...

  8. 【JS 逆向百例】DOM 事件断点调试,某商盟登录逆向

    文章目录 声明 逆向目标 DOM 简介 逆向过程 完整代码 JavaScript 加密关键代码架构 Python 登录关键代码 声明 本文章中所有内容仅供学习交流,抓包内容.敏感网址.数据接口均已做脱 ...

  9. 对吃鸡APP的逆向分析

    吃鸡的APP逆向分析涉及到动态调试分析,涉及到对arm汇编指令的掌握,涉及到一些反调试方案的绕过. 下面通过对吃鸡APP的逆向分析做了一次详解解析. 请点击文字进行阅读对android逆向吃鸡APP的 ...

  10. APP登录 技术点与流程全解

    1.首先需要一个登陆APP需要封装的数据model 假设model名称是AccountInfo 在AccountInfo里面封装用户名,密码,登陆凭证类型,登陆ip等一些用户相关的信息 2.用户输入完 ...

最新文章

  1. 【数论】【Polya定理】【枚举约数】【欧拉函数】【Java】poj2154 Color
  2. json数据 提示框flash.now[:notice] flash.now[:alert]
  3. java接监控摄像头接口_离奇!深夜隧道内,12个摄像头突然一个接一个“瞎”了,监控员吓懵了...
  4. 最后生成神么格式的代码_智能扩充机器人的“标准问”库之Query生成
  5. MySql(windows)安装步骤整理
  6. openGauss 上海 Meetup:把企业级数据库能力带给用户
  7. MySQL怎么卸载干净重装?
  8. HashMap遍历有序性问题——map.entrySet()的无序性
  9. Qt Creator 使用教程
  10. 输入等值线参数绘制等值线图python_专题复习:等值线(上)
  11. 基于JAVA健康生活网站计算机毕业设计源码+系统+mysql数据库+lw文档+部署
  12. 网络安全之僵尸网络与蠕虫的学习笔记
  13. python网盘搜索引擎_打造一个蓝奏云网盘搜索引擎
  14. 用Python做雷霆战机小游戏【附素材+源码】
  15. Data Structures in C++:八大基本数据结构概述
  16. 基于STC89C51单片机,CH340芯片的下载电路
  17. BUU LFI COURSE 1 WP
  18. 报错信息:java.io.FileNotFoundException拒绝访问
  19. 哈密顿算子与梯度、散度、旋度
  20. linux跑wrf.exe程序的前提,WRF模式上机手册

热门文章

  1. php控制步进电机,步进电机的速度控制的原理及方法简介
  2. ZZULIOJ:1148: 组合三位数之一
  3. fflush(stdout)
  4. 获取淘宝天猫商品历史价格信息API接口
  5. 加入7654联盟,一次装机,终身领工资!
  6. 国内主流新一代用户行为分析系统选型过程分享
  7. 七年之后的《深入理解计算机系统》CSAPP
  8. 李飞飞创建ImageNet的基本逻辑
  9. 工地信息化——施工现场网格化管理系统实施小记
  10. 基于Python语言的文件与文件夹管理