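Analysis notes on the sig value of a certain "cat" app
This post was last edited by yuhan694 on 2020-4-23 10:57
Last time I gave a simple analysis of the encryption used by the data API of a certain "cat" app's Android client.
But when you capture packets, you will find that the submitted data also contains a sig value that changes.
This is the submitted data: _app_version=1.0.4&_device_id=861944247165472&_device_type=DUK-AL20&_device_version=5.1.1&_sdk_version=22&data=0CEBFE4DC9B72DF4A627357AAE961019&sig=ededc1a199d61cd4cb955687f03e59c2
Step 1: Search for a keyword
Searching for sig is not recommended here, because it returns several thousand results, so let's search for a different keyword.
You can see that the submitted data contains _sdk_version; that's the one.
The search returns two assignment results; convert them to Java and take a look.
You can see that it appends the string "maomi_pass_xyz" and then applies MD5 encryption. So where does the part in front of "maomi_pass_xyz" come from???
Step 2: Dynamic analysis
Find the package name and the activity's android:name in AndroidManifest.xml.
Start the app in debug mode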
adb shell am start -D -n com.xxx.svideo/com.xxx.svideo.activity.SplashActivity
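Attach to it with JEB.
Here you can see that there are two files that assign sig: GetBuilder and PostFormBuilder.
I first set breakpoints at a few places in GetBuilder and found that they were not hit, so I set breakpoints in PostFormBuilder, and it broke when attaching.
GetBuilder probably did not break because it is called by some other operation.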
.method public getParams()PostFormBuilder
.registers 9
00000000 iget-object v4, p0, PostFormBuilder->params:TreeMap
00000004 if-nez v4, :16
:8
00000008 new-instance v4, TreeMap
0000000C invoke-direct TreeMap-><init>()V, v4
00000012 iput-object v4, p0, PostFormBuilder->params:TreeMap
:16
00000016 iget-object v4, p0, PostFormBuilder->params:TreeMap
0000001A const-string v5, "_device_id"
0000001E invoke-static AppUtils->getAppContext()Context
00000024 move-result-object v6
00000026 invoke-static AppUtils->getAndroidID(Context)String, v6
0000002C move-result-object v6
0000002E invoke-virtual TreeMap->put(Object, Object)Object, v4, v5, v6
00000034 iget-object v4, p0, PostFormBuilder->params:TreeMap
00000038 const-string v5, "_app_version"
0000003C invoke-static AppUtils->getAppContext()Context
00000042 move-result-object v6
00000044 invoke-static AppUtils->getAppVersionName(Context)String, v6
0000004A move-result-object v6
0000004C invoke-virtual TreeMap->put(Object, Object)Object, v4, v5, v6
00000052 iget-object v4, p0, PostFormBuilder->params:TreeMap
00000056 const-string v5, "_device_type"
0000005A invoke-static AppUtils->getModel()String
00000060 move-result-object v6
00000062 invoke-virtual TreeMap->put(Object, Object)Object, v4, v5, v6
00000068 iget-object v4, p0, PostFormBuilder->params:TreeMap
0000006C const-string v5, "_sdk_version"
00000070 invoke-static AppUtils->getSDKVersion()String
00000076 move-result-object v6
00000078 invoke-virtual TreeMap->put(Object, Object)Object, v4, v5, v6
0000007E iget-object v4, p0, PostFormBuilder->params:TreeMap
00000082 const-string v5, "_device_version"
00000086 invoke-static AppUtils->getOSVersion()String
0000008C move-result-object v6
0000008E invoke-virtual TreeMap->put(Object, Object)Object, v4, v5, v6
00000094 new-instance v3, StringBuilder
00000098 const-string v4, ""
0000009C invoke-direct StringBuilder-><init>(String)V, v3, v4
000000A2 iget-object v4, p0, PostFormBuilder->params:TreeMap
000000A6 invoke-virtual TreeMap->entrySet()Set, v4
000000AC move-result-object v4
000000AE invoke-interface Set->iterator()Iterator, v4
000000B4 move-result-object v5
:B6
000000B6 invoke-interface Iterator->hasNext()Z, v5
000000BC move-result v4
000000BE if-eqz v4, :11A
:C2
000000C2 invoke-interface Iterator->next()Object, v5
000000C8 move-result-object v0
000000CA check-cast v0, Map$Entry
000000CE const-string v4, "&"
000000D2 invoke-virtual StringBuilder->append(String)StringBuilder, v3, v4
000000D8 move-result-object v6
000000DA invoke-interface Map$Entry->getKey()Object, v0
000000E0 move-result-object v4
000000E2 check-cast v4, String
000000E6 invoke-virtual StringBuilder->append(String)StringBuilder, v6, v4
000000EC move-result-object v4
000000EE const-string v6, "="
000000F2 invoke-virtual StringBuilder->append(String)StringBuilder, v4, v6
000000F8 move-result-object v6
000000FA invoke-interface Map$Entry->getValue()Object, v0
00000100 move-result-object v4
00000102 check-cast v4, String
00000106 const-string v7, "UTF-8"
0000010A invoke-static EncodeUtils->urlEncode(String, String)String, v4, v7
00000110 move-result-object v4
00000112 invoke-virtual StringBuilder->append(String)StringBuilder, v6, v4
00000118 goto :B6
Debugging shows that the section above fetches _app_version, _device_id, _device_type, _device_version, _sdk_version and data, and then joins them in a loop using "&" and "=".
Here it can be seen more clearly.
&_app_version=1.0.4&_device_id=861944247165472&_device_type=DUK-AL20&_device_version=5.1.1&_sdk_version=22&data=0CEBFE4DC9B72DF4A627357AAE961019
This is what is obtained after the code above has executed.
0000011A invoke-virtual StringBuilder->toString()String, v3
00000120 move-result-object v4
Contents of v4: "&_app_version=1.0.4&_device_id=861944247165472&_device_type=DUK-AL20&_device_version=5.1.1&_sdk_version=22&data=0CEBFE4DC9B72DF4A627357AAE961019"
00000122 const/4 v5, 1 # assign 1 to v5
00000124 invoke-virtual String->substring(I)String, v4, v5 # drop the first character, i.e. the leading &
0000012A move-result-object v2
0000012C new-instance v4, StringBuilder
00000130 invoke-direct StringBuilder-><init>()V, v4
00000136 invoke-virtual StringBuilder->append(String)StringBuilder, v4, v2
0000013C move-result-object v4
0000013E const-string v5, "maomi_pass_xyz" # append maomi_pass_xyz at the end
00000142 invoke-virtual StringBuilder->append(String)StringBuilder, v4, v5
00000148 move-result-object v4
0000014A invoke-virtual StringBuilder->toString()String, v4
00000150 move-result-object v4
00000152 invoke-static EncryptUtils->encryptMD5ToString(String)String, v4 # apply MD5 encryption
00000158 move-result-object v1
0000015A iget-object v4, p0, PostFormBuilder->params:TreeMap
0000015E const-string v5, "sig"
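Added example (not part of the original post, and not the app's own code): the signing routine that the listing above walks through, written as the check a server would run to recompute sig. The function names are hypothetical; the URL-encoding behaviour of EncodeUtils.urlEncode and the lowercase hex output are assumptions, the latter taken from the sig in the captured request.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, quote_plus

SALT = "maomi_pass_xyz"  # constant appended before hashing in the listing

# Request body quoted in the post, without its sig field.
SAMPLE_BODY = (
    "_app_version=1.0.4&_device_id=861944247165472&_device_type=DUK-AL20"
    "&_device_version=5.1.1&_sdk_version=22"
    "&data=0CEBFE4DC9B72DF4A627357AAE961019"
)


def java_url_encode(value):
    # Assumption: EncodeUtils.urlEncode behaves like java.net.URLEncoder.encode,
    # which keeps '*' and escapes '~' (Python's quote_plus does the opposite).
    return quote_plus(value, safe="*", encoding="utf-8").replace("~", "%7E")


def canonical_string(params):
    # TreeMap iterates in sorted key order; keys are appended raw, values encoded.
    items = sorted((k, v) for k, v in params.items() if k != "sig")
    return "&".join(f"{k}={java_url_encode(v)}" for k, v in items)


def compute_sig(params):
    # Lowercase hex is an assumption based on the sig in the captured request.
    signed = canonical_string(params) + SALT
    return hashlib.md5(signed.encode("utf-8")).hexdigest()


def verify_request(body):
    # Server-side check: recompute sig over every field except sig itself.
    params = dict(parse_qsl(body, keep_blank_values=True))
    claimed = params.get("sig", "").encode("utf-8")
    return hmac.compare_digest(claimed, compute_sig(params).encode("utf-8"))


if __name__ == "__main__":
    params = dict(parse_qsl(SAMPLE_BODY))
    print(canonical_string(params))
    print(compute_sig(params))
```

Because the appended string is a constant stored in the APK, a matching sig only shows that the fields were not altered after signing; it does not show that the request came from the original client.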
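hackgsl posted on 2020-4-23 11:52
This is a bus to kindergarten, not what you're thinking.
Bro, if it's convenient, please send the bus over. I accidentally deleted the app last time, hahaha, the cat is gone.
Thanks to the OP for the careful explanation and for sharing. I still have to shout it: OP 666666
CSGO01 posted on 2020-4-23 11:47
Is it Kuaimao?
This is a bus to kindergarten, not what you're thinking.
Can Mobile Taobao's xsign be reversed? Willing to pay.
The explanation is very detailed and fairly easy to learn from, thanks.
Is it Maomi Duanzi?
Which cat is it?
Can't understand it, can't understand it, can't understand it.
Nice, the reasoning is quite clear; even a beginner like me could follow it.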