This post was last edited by sumith on 2022-11-18 15:54
1. Capture the login request

```http
POST /user/login?union_id=69e1a995a970528e&coid=13&ncoid=14&verCode=1007 HTTP/1.1
authTokenkey: authTokenkey
authToken: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ0aGlzIGlzIHVzZXJMb2dpbiB0b2tlbiIsImF1ZCI6Ik1QIiwicGhvbmUiOiIiLCJjb2lkIjoiMTMiLCJuY29pZCI6IjE0IiwiZXhwaXJlRGF0ZSI6MTY3MDY1OTg3MSwiaXNNZW1iZXIiOmZhbHNlLCJleHAiOjE2NzA2NTk4NzEsInVzZXJJZCI6NTQ1ODUwOCwiaWF0IjoxNjY4MTU0MjcxLCJ5YlVuaW9uaWQiOiI2OWUxYTk5NWE5NzA1MjhlIn0.RzhxZwNz3VaR_az_96r_6LjzoDeM7kTrIeENPafrHrE
Content-Type: application/json; charset=utf-8
Content-Length: 327
Host: user.fangzhou-wea.com
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: okhttp/3.12.13

{"installChannel":"0","code":"","loginType":"1","FirstLinkTime":"1668154269","channel":"0","coid":"13","ncoid":"14","verName":"4.9.2.1","_sign":"b6705035938ad82b8ee3d9b5ed6b8627","verCode":"1007","phone":"15836353612","smsVerCode":"123456","union_id":"69e1a995a970528e","_tid":"1668691277,c73417b4-3caa-4e3d-9b12-197293bdfe6f"}
```

2. The submitted data contains a _sign value

```
"_sign":"b6705035938ad82b8ee3d9b5ed6b8627"
```

3. It looks like an MD5 hash, so hook the MD5 function

```javascript
// Frida script. showStacks, toUtf8, toHex and toBase64 are helper functions
// that are not defined in this excerpt; the rest of the hook script must supply them.
Java.perform(function () {
    var messageDigest = Java.use("java.security.MessageDigest");
    // Hook MessageDigest.update(byte[]) to log every buffer fed into a digest.
    messageDigest.update.overload('[B').implementation = function (data) {
        console.log("MessageDigest.update('[B') is called!");
        showStacks();                         // print the Java call stack
        var algorithm = this.getAlgorithm();  // digest algorithm name, e.g. "MD5"
        var tag = algorithm + " update data";
        toUtf8(tag, data);
        toHex(tag, data);
        toBase64(tag, data);
        console.log("=======================================================");
        return this.update(data);             // call the original implementation
    };
});
```

4. Get the encryption parameter

```
1668677597,14c2229d-4b50-4bc5-9a2d-7f6a4fa94823052fd221f33612d0619a990a41376a81
```

5. Analyze the contents of the plaintext

1668677597: a timestamp
14c2229d-4b50-4bc5-9a2d-7f6a4fa94823: a random string
052fd221f33612d0619a990a41376a81: hooking several times shows that this value is a constant. It is itself an MD5 hash, and its plaintext is: 66DFC38D5DC34571A82D79F3EEFFFCBDqb&QU$

6. Drag the APK into jadx and search; the string is found there
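The split described in step 5 can be checked mechanically over several hook captures. The following is an added example, not code from the original post: the function names are hypothetical, and the second capture is constructed for illustration (only the first comes from step 4). It shows that the timestamp and UUID are the only per-request inputs, while the 32-character trailer is a fixed value shipped inside the client.

```python
import re
from collections import Counter

# Layout seen in the hooked MD5 input: "<10-digit unix time>,<UUID><32 hex chars>"
PLAINTEXT_RE = re.compile(
    r"^(?P<ts>\d{10}),"
    r"(?P<nonce>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})"
    r"(?P<trailer>[0-9a-f]{32})$"
)


def split_plaintext(plaintext):
    """Split one hooked MD5 input into timestamp, random part and trailer."""
    m = PLAINTEXT_RE.match(plaintext)
    if m is None:
        raise ValueError("unexpected plaintext layout: %r" % plaintext)
    return {"ts": int(m["ts"]), "nonce": m["nonce"], "trailer": m["trailer"]}


def constant_trailer(plaintexts):
    """Return the trailer if it is identical in every capture, else None."""
    trailers = Counter(split_plaintext(p)["trailer"] for p in plaintexts)
    return next(iter(trailers)) if len(trailers) == 1 else None


def tid_of(plaintext):
    """Rebuild the "timestamp,uuid" prefix, the same shape as the _tid field."""
    parts = split_plaintext(plaintext)
    return "%d,%s" % (parts["ts"], parts["nonce"])


CAPTURES = [
    # Plaintext from step 4 of the post.
    "1668677597,14c2229d-4b50-4bc5-9a2d-7f6a4fa94823"
    "052fd221f33612d0619a990a41376a81",
    # Constructed capture (assumption): different time and UUID, same trailer.
    "1668677601,00000000-1111-4222-8333-444444444444"
    "052fd221f33612d0619a990a41376a81",
]

if __name__ == "__main__":
    for capture in CAPTURES:
        print(split_plaintext(capture))
    print("constant trailer:", constant_trailer(CAPTURES))
```
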