APP相关信息
版本:1.5.4
包名:Y29tLmZlaW5pdS5hY3RvZ28=
抓包分析
加密参数
data {"addrId":"","apiVersion":"ao1.45","appVersion":"1.5.4","body":{"cp_seq":"CC1000000013","gcSeq":"CC1000000013","goodsType":0,"level":2,"one_page_size":10,"page_start_end":"start","parentSiseq":"","si_seq":"C1159827","store_id":"2701","type":21},"businessId":"27010001","channel":"YingYongBao","deliveryCircleType":"2","deviceId":"cde8a99e5f2694d5-a99e-cde8-94d5-5f26","httpsEnable":1,"isSimulator":false,"networkType":"WIFI","osType":1,"reRule":"3","scopeType":1,"source":"yx","time":"20220513015751","token":"75cc5792d86d0cd1c28e686236346965","viewSize":"1080x2029"}
paramsMD5 UEmVDT1+ZQ8w139mcwLwLU5fQjxCp+17JU6DsD/4luk=
壳处理
脱完壳以后
加密定位
追进k方法看看
hook一下这个函数瞧瞧
加密定位到这里我们就找到了!!!!
继续跟进找核心加密方法
可以看到就用了sha256(结合下面的python代码,准确地说是带固定密钥的HMAC-SHA256)然后base64
python翻译加密
import hashlib
import json, base64, hmac
# Sample request payload taken from the captured traffic shown on this page.
# Key order is significant: the signature is computed over the serialised text.
data = {
    "addrId": "",
    "apiVersion": "ao1.45",
    "appVersion": "1.5.4",
    "body": {
        "cp_seq": "CC1000000013",
        "gcSeq": "CC1000000013",
        "goodsType": 0,
        "level": 2,
        "one_page_size": 10,
        "page_start_end": "start",
        "parentSiseq": "",
        "si_seq": "C1159827",
        "store_id": "2701",
        "type": 21,
    },
    "businessId": "27010001",
    "channel": "YingYongBao",
    "deliveryCircleType": "2",
    "deviceId": "cde8a99e5f2694d5-a99e-cde8-94d5-5f26",
    "httpsEnable": 1,
    "isSimulator": False,
    "networkType": "WIFI",
    "osType": 1,
    "reRule": "3",
    "scopeType": 1,
    "source": "yx",
    "time": "20220513015751",
    "token": "75cc5792d86d0cd1c28e686236346965",
    "viewSize": "1080x2029",
}

# Kept as a separate constant, exactly as in the original script.
# NOTE(review): this duplicates data["isSimulator"]; the two must be changed together.
isSimulator = False

# Fixed HMAC key as given on this page. Because it is a constant shipped in the
# client, a matching paramsMD5 only shows that the sender knows this constant;
# the server side should not treat it as proof of an authentic client or user.
appsecret = "@456yx#*^&HrUU99".encode('utf-8')

# Signed text = JSON payload followed by four fields repeated as a plain suffix.
payload_json = json.dumps(data, ensure_ascii=False)
suffix = "".join([
    str(isSimulator).lower(),
    data['viewSize'],
    data['networkType'],
    data['time'],
])

# Dropping every space turns json.dumps' default ", " / ": " separators into the
# compact form seen in the capture.
# NOTE(review): this would also strip spaces inside string values - confirm that
# matches the app before signing payloads whose values contain spaces.
message = (payload_json + suffix).replace(" ", "").encode('utf-8')

# Despite the parameter name "paramsMD5", the value is base64(HMAC-SHA256(key, message)).
mac = hmac.new(appsecret, message, hashlib.sha256)
signature = base64.b64encode(mac.digest())
print(signature.decode("ascii"))
运行结果
对比上述抓包结果,发现一模一样
最后补一下hook脚本吧
/**
 * Installs a Frida hook on `k` of com.rt.market.fresh.application.FMRequest.
 *
 * The replacement logs the single argument, calls the original `k`, logs the
 * return value and passes it back unchanged, so the app's behaviour is not altered.
 *
 * The "Des3Encrypt" log label is left exactly as the author wrote it; the Python
 * script on this page computes HMAC-SHA256, not 3DES.
 * NOTE(review): the logged argument is presumably the request JSON, which in the
 * capture on this page carries a session token - treat hook output as sensitive.
 *
 * @returns {void}
 */
function FMRequestk() {
  console.log('FMRequestk HOOK Start!!!');
  const requestClass = Java.use("com.rt.market.fresh.application.FMRequest");
  console.log(requestClass);

  // A regular function (not an arrow) is required: `this` must be the hooked instance.
  requestClass.k.implementation = function (payload) {
    console.log("Encrypt args1:", payload);
    const signed = this.k(payload);
    console.log("Des3Encrypt.encode result1==>", signed);
    return signed;
  };
}
// com.rt.market.fresh.application.FMEnvironment
/**
 * Installs a Frida hook on the zero-argument `h` of
 * com.rt.market.fresh.application.FMEnvironment.
 *
 * The replacement calls the original `h`, logs its return value and returns it
 * unchanged.
 *
 * The "Des3Encrypt" log label is a leftover name kept byte-for-byte.
 * NOTE(review): the page does not say what h() returns; treat the logged value
 * as potentially sensitive.
 *
 * @returns {void}
 */
function FMEnvironmenth() {
  console.log('FMEnvironmenth HOOK Start!!!');
  const environmentClass = Java.use("com.rt.market.fresh.application.FMEnvironment");
  console.log(environmentClass);

  // A regular function (not an arrow) is required: `this` must be the hooked instance.
  environmentClass.h.implementation = function () {
    const value = this.h();
    console.log("Des3Encrypt.encode result1==>", value);
    return value;
  };
}
// Script entry point: install the hooks once the Java runtime is available to Frida.
// Only the FMEnvironment.h hook is active; the FMRequest.k hook is left switched off.
Java.perform(() => {
  // FMRequestk();
  FMEnvironmenth();
});