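This post was last edited by yuhan694 on 2020-4-23 10:57
Last time I went through a simple analysis of how the Android client of a certain "cat" app encrypts its API data.
But when you capture its traffic you will notice that the submitted data also contains a sig value that keeps changing.
This is the submitted data: _app_version=1.0.4&_device_id=861944247165472&_device_type=DUK-AL20&_device_version=5.1.1&_sdk_version=22&data=0CEBFE4DC9B72DF4A627357AAE961019&sig=ededc1a199d61cd4cb955687f03e59c2
Step 1: search for a keyword
Searching for sig is not recommended here, because the search returns several thousand results, so we search for a different keyword.
The submitted data contains a _sdk_version field, so that is the one to use.
The search returns two results that assign it; convert them to Java and take a look.
You can see that it appends the string "maomi_pass_xyz" and then runs MD5 over the result, but where does the part in front of "maomi_pass_xyz" come from?
Step 2: dynamic analysis
Find the package name and the activity's android:name in AndroidManifest.xml
Start the app in debug mode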
adb shell am start -D -n com.xxx.svideo/com.xxx.svideo.activity.SplashActivity
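Attach to it with JEB
Here you can see that there are two files that assign sig, namely GetBuilder and PostFormBuilder.
I first set breakpoints at a few places in GetBuilder and found that none of them hit, so I set breakpoints in PostFormBuilder instead, and it broke as soon as I attached.
GetBuilder probably did not break because it is called for some other operation.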
.method public getParams()PostFormBuilder
.registers 9
00000000 iget-object v4, p0, PostFormBuilder->params:TreeMap
00000004 if-nez v4, :16
:8
00000008 new-instance v4, TreeMap
0000000C invoke-direct TreeMap-><init>()V, v4
00000012 iput-object v4, p0, PostFormBuilder->params:TreeMap
:16
00000016 iget-object v4, p0, PostFormBuilder->params:TreeMap
0000001A const-string v5, "_device_id"
0000001E invoke-static AppUtils->getAppContext()Context
00000024 move-result-object v6
00000026 invoke-static AppUtils->getAndroidID(Context)String, v6
0000002C move-result-object v6
0000002E invoke-virtual TreeMap->put(Object, Object)Object, v4, v5, v6
00000034 iget-object v4, p0, PostFormBuilder->params:TreeMap
00000038 const-string v5, "_app_version"
0000003C invoke-static AppUtils->getAppContext()Context
00000042 move-result-object v6
00000044 invoke-static AppUtils->getAppVersionName(Context)String, v6
0000004A move-result-object v6
0000004C invoke-virtual TreeMap->put(Object, Object)Object, v4, v5, v6
00000052 iget-object v4, p0, PostFormBuilder->params:TreeMap
00000056 const-string v5, "_device_type"
0000005A invoke-static AppUtils->getModel()String
00000060 move-result-object v6
00000062 invoke-virtual TreeMap->put(Object, Object)Object, v4, v5, v6
00000068 iget-object v4, p0, PostFormBuilder->params:TreeMap
0000006C const-string v5, "_sdk_version"
00000070 invoke-static AppUtils->getSDKVersion()String
00000076 move-result-object v6
00000078 invoke-virtual TreeMap->put(Object, Object)Object, v4, v5, v6
0000007E iget-object v4, p0, PostFormBuilder->params:TreeMap
00000082 const-string v5, "_device_version"
00000086 invoke-static AppUtils->getOSVersion()String
0000008C move-result-object v6
0000008E invoke-virtual TreeMap->put(Object, Object)Object, v4, v5, v6
00000094 new-instance v3, StringBuilder
00000098 const-string v4, ""
0000009C invoke-direct StringBuilder-><init>(String)V, v3, v4
000000A2 iget-object v4, p0, PostFormBuilder->params:TreeMap
000000A6 invoke-virtual TreeMap->entrySet()Set, v4
000000AC move-result-object v4
000000AE invoke-interface Set->iterator()Iterator, v4
000000B4 move-result-object v5
:B6
000000B6 invoke-interface Iterator->hasNext()Z, v5
000000BC move-result v4
000000BE if-eqz v4, :11A
:C2
000000C2 invoke-interface Iterator->next()Object, v5
000000C8 move-result-object v0
000000CA check-cast v0, Map$Entry
000000CE const-string v4, "&"
000000D2 invoke-virtual StringBuilder->append(String)StringBuilder, v3, v4
000000D8 move-result-object v6
000000DA invoke-interface Map$Entry->getKey()Object, v0
000000E0 move-result-object v4
000000E2 check-cast v4, String
000000E6 invoke-virtual StringBuilder->append(String)StringBuilder, v6, v4
000000EC move-result-object v4
000000EE const-string v6, "="
000000F2 invoke-virtual StringBuilder->append(String)StringBuilder, v4, v6
000000F8 move-result-object v6
000000FA invoke-interface Map$Entry->getValue()Object, v0
00000100 move-result-object v4
00000102 check-cast v4, String
00000106 const-string v7, "UTF-8"
0000010A invoke-static EncodeUtils->urlEncode(String, String)String, v4, v7
00000110 move-result-object v4
00000112 invoke-virtual StringBuilder->append(String)StringBuilder, v6, v4
00000118 goto :B6
Debugging shows that the section above collects _app_version, _device_id, _device_type, _device_version, _sdk_version and data, then joins them in a loop using "&" and "=".
Here it can be seen even more clearly.
&_app_version=1.0.4&_device_id=861944247165472&_device_type=DUK-AL20&_device_version=5.1.1&_sdk_version=22&data=0CEBFE4DC9B72DF4A627357AAE961019
This is what was obtained after the code above ran.
0000011A invoke-virtual StringBuilder->toString()String, v3
00000120 move-result-object v4
v4 contents: "&_app_version=1.0.4&_device_id=861944247165472&_device_type=DUK-AL20&_device_version=5.1.1&_sdk_version=22&data=0CEBFE4DC9B72DF4A627357AAE961019"
00000122 const/4 v5, 1 # set v5 to 1
00000124 invoke-virtual String->substring(I)String, v4, v5 # drop the first character, i.e. the leading &
0000012A move-result-object v2
0000012C new-instance v4, StringBuilder
00000130 invoke-direct StringBuilder-><init>()V, v4
00000136 invoke-virtual StringBuilder->append(String)StringBuilder, v4, v2
0000013C move-result-object v4
0000013E const-string v5, "maomi_pass_xyz" # append maomi_pass_xyz at the end
00000142 invoke-virtual StringBuilder->append(String)StringBuilder, v4, v5
00000148 move-result-object v4
0000014A invoke-virtual StringBuilder->toString()String, v4
00000150 move-result-object v4
00000152 invoke-static EncryptUtils->encryptMD5ToString(String)String, v4 # compute the MD5
00000158 move-result-object v1
0000015A iget-object v4, p0, PostFormBuilder->params:TreeMap
0000015E const-string v5, "sig"
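Added example, not code from the original post or from the app: a Python reconstruction of the signing steps traced above, placed next to an assumed hardened variant so the weakness of a constant suffix shipped in the APK is visible. The function names, the per-session key and the server-side check are assumptions, as is the guess that EncodeUtils.urlEncode behaves like java.net.URLEncoder.

```python
import hashlib
import hmac
from urllib.parse import quote_plus

STATIC_SUFFIX = "maomi_pass_xyz"  # constant appended in PostFormBuilder.getParams()

# Values copied from the request shown in the post.
PAGE_SAMPLE = {
    "data": "0CEBFE4DC9B72DF4A627357AAE961019",
    "_sdk_version": "22",
    "_device_version": "5.1.1",
    "_device_type": "DUK-AL20",
    "_device_id": "861944247165472",
    "_app_version": "1.0.4",
}

def java_urlencode(value: str) -> str:
    # Assumption: EncodeUtils.urlEncode wraps java.net.URLEncoder, which
    # leaves '*' as-is and escapes '~' (the reverse of Python's defaults).
    return quote_plus(value, safe="*", encoding="utf-8").replace("~", "%7E")

def canonical(params: dict) -> str:
    # TreeMap iterates keys in ascending order; joining with '&' is equivalent
    # to the loop's "&k=v" appends followed by substring(1).
    return "&".join(f"{k}={java_urlencode(v)}" for k, v in sorted(params.items()))

def static_sig(params: dict) -> str:
    # Scheme traced in the post: MD5 over canonical string + fixed suffix.
    return hashlib.md5((canonical(params) + STATIC_SUFFIX).encode("utf-8")).hexdigest()

def hmac_sig(params: dict, session_key: bytes) -> str:
    # Assumed hardened variant: key issued per session, never stored in the APK.
    return hmac.new(session_key, canonical(params).encode("utf-8"), hashlib.sha256).hexdigest()

def server_accepts(params: dict, sig: str, session_key: bytes) -> bool:
    # Constant-time comparison on the server side.
    return hmac.compare_digest(hmac_sig(params, session_key), sig)

if __name__ == "__main__":
    print(canonical(PAGE_SAMPLE))
    print("static sig:", static_sig(PAGE_SAMPLE))
    key = b"constructed-session-key"  # constructed sample key
    sig = hmac_sig(PAGE_SAMPLE, key)
    print("hmac ok:", server_accepts(PAGE_SAMPLE, sig, key))
    print("tampered:", server_accepts(dict(PAGE_SAMPLE, data="00"), sig, key))
```

Because the suffix is identical in every installed copy, static_sig only detects accidental corruption; binding the signature to a key the server issues per session is what lets the server tie a request to one authenticated client.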