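A Brief Analysis of the Pin-XX (拼某某) Phone-Number Login Protocol (Part 1)
## Preface
A brief look at Pin-XX's phone-number login. The algorithm itself is not analyzed in detail.
Pin-XX version: 3.42.0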
## Tools
- MuMu emulator
- Fiddler **(traffic capture)**
- jadx **(decompilation)**
- Android Studio **(dynamic debugging)**
- apktool **(repackaging)**
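## Process
1. Set a proxy on the emulator, start capturing with Fiddler, then tap "send SMS".
The request body contains a "fingerprint" item, and its content is encrypted:
```
fingerprint={"key":"cxTyZ+Cus8AQG9MMRRHH+SaTIFUYnPNuu4C7hGIbmcvSm4BRAJBG61JCeatqQkU0Z2nmzv810UlmSpANbDXAlPmnKpZJ3P6bjLlgP7a/F8lZNCy/Aplf4ciFaXNxKpWVVwkgHWiLiFzMeVIJV9tXCXkzIzn/8BPSMoMLiBBlH+E=","data":"al88qYAlL7CRHaHskvtFq.........(ten thousand characters omitted)"}
```
2. Open jadx and search for **"fingerprint"**.
The analysis shows that this fingerprint is device-related information, and that it is encrypted in the native layer.
3. Insert logging code and repackage the APK.
4. Open DDMS and watch the log messages; after tapping "send SMS" the log output arrives.
After formatting, it reads: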
```
{
"device": "x86_64",
"networkCountryIso": "",
"wifiMacList": [{
"ssid": "kIgbSZ",
"mac": "12:34:56:78:90:12",
"level": -55
}],
"dataActivity": 0,
"appCnt": 59,
"dBm": {},
"operateTime": 10848915,
"buildTime": 1611305578000,
"batteryStatus": 2,
"perCpuUsage": ["0.65%", "0.62%", "0.69%", "0.58%"],
"systemAppName": ["com.android.providers.telephony", "com.android.providers.calendar", "com.netease.nemu_vinput.nemu", "com.android.providers.media", "com.android.wallpapercropper", "com.android.documentsui", "com.android.galaxy4", "com.android.externalstorage", "com.android.htmlviewer", "com.android.quicksearchbox", "com.android.mms.service", "com.android.providers.downloads", "com.android.browser", "com.android.defcontainer", "com.android.providers.downloads.ui", "com.android.pacprocessor", "com.android.certinstaller", "android", "com.android.camera2", "com.android.backupconfirm"],
"connectType": "WIFI",
"sdkVersion": 23,
"id": "56f94b363d02e5b2",
"currentTime": 1629609733024,
"densityDpi": 270,
"basebandversion1": "",
"root": true,
"simState": 0,
"mcc": "",
"manufacturer": "Netease",
"msisdn": "",
"imsi": "",
"photoInfo": [],
"gyroscopeSensor": {
"name": "BML160 Gyproscope",
"vendor": "BML160",
"data": [{
"x": 0,
"y": 0,
"z": 0
}, {
"x": 0,
"y": 0,
"z": 0
}, {
"x": 0,
"y": 0,
"z": 0
}, {
"x": 0,
"y": 0,
"z": 0
}, {
"x": 0,
"y": 0,
"z": 0
}]
},
"iccid": "",
"networkType": "UNKNOWN",
"wifi": {
"ssid": "\"kIgbSZ\"",
"mac": "12:34:56:78:90:12",
"rssi": -55,
"speed": 50,
"ip": "10.0.2.15",
"mask": "255.255.255.0"
},
"availableCapacity": 134410260480,
"mac": "12:34:56:78:90:12",
"networkOperatorName": "",
"userPhoneName": "x86_64",
"cpuUsage": "0.63%",
"buildFingerprint": "OnePlus\/OnePlus2\/OnePlus2:6.0.1\/MMB29M\/1447841200:user\/release-keys",
"mnc": "",
"display": "V417IR release-keys",
"availableMemory": 7928315904,
"prop": 1611305633000,
"meid": "",
"imei1": "540000000146339",
"appDetect": [],
"imei2": "540000000146339",
"installTime": 1629609633007,
"batteryLevel": "51.00%",
"cpuCore": 4,
"appVersion": "3.42.0",
"osVersion": "6.0.1",
"simOperatroName": "",
"sc": "810,1440",
"bluetooth": "",
"photoNum": 0,
"bootTime": 1629598884109,
"volume": {
"system": 5,
"voiceCall": 4,
"ring": 5,
"alarm": 6,
"music": 11,
"notification": 5
},
"simCountryIso": "",
"sn": "ZX1G42CPJD",
"screenBrightness": 102,
"cpuType": "OMAP4 Panda board",
"basebandversion2": "",
"board": "unknown",
"kernelVersion": "Linux version 4.0.9-android-x86_64+ (luoweiqiao@a11-gz02-test.i.nease.net) (gcc version 4.9 20150123 (prerelease) (GCC) ) #1 SMP PREEMPT Fri Jan 22 16:55:32 HKT 2021",
"appName": ["com.tencent.mm", "com.xunmeng.pinduoduo", "com.tencent.test", "com.cmge.weixin.pay"],
"dataState": 0,
"os": "Android",
"frequency": [{
"maxFreq": "2400000Hz",
"minFreq": "1600000Hz",
"curFreq": "2400000Hz"
}, {
"maxFreq": "2400000Hz",
"minFreq": "1600000Hz",
"curFreq": "2400000Hz"
}, {
"maxFreq": "2400000Hz",
"minFreq": "1600000Hz",
"curFreq": "2400000Hz"
}, {
"maxFreq": "2400000Hz",
"minFreq": "1600000Hz",
"curFreq": "2400000Hz"
}],
"lightSensor": {
"name": "LTR559 Ambient Light Sensor",
"vendor": "LITE-ON TECHNOLOGY CORP.",
"data":
},
"brand": "Android",
"totalCapacity": 135148310528,
"totalMemory": 8374714368,
"standbyTime": 0,
"model": "MuMu"
}
```
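## Native-layer analysis
The Java layer shows that the data to be encrypted is the device-information JSON after gzip compression, so native encryption is still needed to turn it into {key:".....",data:"....."}.
1. Open IDA and locate the nativeGenerate function.
2. Following it further shows that it uses AES and RSA encryption.
The flow is:
   1. Generate a random AES key.
   2. Encrypt the original data with AES.
   3. Encrypt the AES key with RSA.
   4. Base64-encode the key and the data.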
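
The four native-layer steps above, as an added Go example that is not code from the app or from the original post. It assumes AES-256-GCM and RSA-OAEP with SHA-256 (the post names no mode, key size or padding), leaves out the Java-layer gzip step, and `Seal`, `Open`, `newGCM` and `demoKey` are hypothetical names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

func newGCM(k []byte) cipher.AEAD { // callers guarantee len(k) == 32
	blk, _ := aes.NewCipher(k)
	gcm, _ := cipher.NewGCM(blk)
	return gcm
}

// Seal follows the four steps above. ASSUMED, not stated on the page:
// AES-256-GCM for the data, RSA-OAEP (SHA-256) for the key.
func Seal(pub *rsa.PublicKey, plain []byte) (key, data string, err error) {
	buf := make([]byte, 44) // step 1: fresh random AES key (32 bytes) plus GCM nonce (12)
	if _, err = rand.Read(buf); err != nil {
		return "", "", err
	}
	k, nonce := buf[:32], buf[32:]
	ct := newGCM(k).Seal(nonce, nonce, plain, nil)                     // step 2: nonce || ciphertext || tag
	wk, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, k, nil) // step 3: wrap the AES key
	return base64.StdEncoding.EncodeToString(wk), base64.StdEncoding.EncodeToString(ct), err // step 4
}

// Open is the receiving side: only the RSA private key holder recovers the AES key.
func Open(priv *rsa.PrivateKey, key, data string) ([]byte, error) {
	wk, err1 := base64.StdEncoding.DecodeString(key)
	ct, err2 := base64.StdEncoding.DecodeString(data)
	k, err3 := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wk, nil)
	if err1 != nil || err2 != nil || err3 != nil || len(k) != 32 || len(ct) < 12 {
		return nil, fmt.Errorf("malformed envelope or wrong private key")
	}
	return newGCM(k).Open(nil, ct[:12], ct[12:], nil)
}

var demoKey, _ = rsa.GenerateKey(rand.Reader, 2048) // constructed key pair standing in for the receiver's

func main() {
	key, data, _ := Seal(&demoKey.PublicKey, []byte(`{"model":"MuMu"}`)) // constructed input
	out, err := Open(demoKey, key, data)
	fmt.Println(len(key), string(out), err)
}
```

Because the AES key only travels RSA-wrapped, a Fiddler capture alone cannot be read back, which is why the post logs the JSON in the Java layer before it reaches `nativeGenerate`.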
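## Conclusion
At login, Pin-XX sends device information, including the names and number of installed apps, and encrypts it with AES and RSA.

Thanks, expert

Exactly what I needed

Thank you for sharing

6666, clear line of reasoning

"At login, Pin-XX sends device information, including the names and number of installed apps, and encrypts it with AES and RSA." Heh

Hats off to the expert~

Does Pin-XX have permission to read the contacts?

> elevo posted on 2021-8-23 15:33
> Does Pin-XX have permission to read the contacts?

Yes, someone has analyzed that before

Isn't it the case that device information can no longer be obtained directly nowadays?

The expert's reasoning is very clear

Nice

It even uploads which apps are installed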