吾爱破解 - 52pojie.cn

[Help request] Captured the sign-in API of an in-car head-unit app, but the parameters are encrypted

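幕后胸手 posted on 2024-11-4 15:30
25 吾爱币 (forum coins)
I captured the sign-in API of Changan's 引力域 app, but the parameters are encrypted and I don't know what to do next. Could someone more experienced point me in the right direction?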
POST /user/signIn HTTP/2

host: api.uni.changan.com.cn

appversion: 2.0.0
os: Android
loginchannel: 3004
sign: 478153C58EC77F41BDD614957FDA1261
operatorname: not found
networkstate: WIFI
token: user:token:app:7503231:uni-52b8fe4d2721516364eb19dde72d31c8
osversion: 9
fingerprint: 
x-tenant-app: ca-boot-ui-yunli-app
seccode: GyrSp/n34LpOfU8mghvxLrlvbOsymVcLWA0AqU6IlAtGPzFnm+YZhA6VUYFrdAzpnFCQcqgPYd3DPl3pU/J+BQscR01TIoQ5MAAuT57OuAT8OCtxBo/T8R+5YOEGcSfTW4vVGNcDViP0M5F304gPZrJTzV0zm9L/Q/0M0vwR2fuhh+bpbfb2tKHNu8gznvShgVoZXlSMknSplrVgGToy/bVmUdB2aLcPdHHQ1IqKa9xUTBe/i9dNMFlG0ZPnaxGy1YNXSClYtcwmsUEZUwq772DkiFCW6Mn+XjP8wvAYbsI+JZQ0bSgYW4KePZCYMSCXF5h53M3i+clM+s3Mf5TWOA==
model: NX709S
brand: ipad
timestamp: 1730702742663
codelab: codelabs
body: 
content-type: application/json
content-length: 40
accept-encoding: gzip
user-agent: okhttp/4.10.0

{"paramEncr":"ylvaSHO9EGrY+wdDz1nJyw=="}

Best answer


tantanxin147 posted on 2024-11-4 15:30
I don't know how to handle the app, so I took a detour: this is the sign-in for the 引力域 mini program. Try it and see whether the app's is the same.
import random
import time
import hashlib
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad
from base64 import b64encode
from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_v1_5
import json
import requests
# Generate a 16-character random string to use as the AES key
def generate_random_key(length=16):
    chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
    return ''.join(random.choice(chars) for _ in range(length))

# AES encryption (key and IV)
def aes_encrypt(text, key):
    key_bytes = key.encode('utf-8')
    iv = key_bytes[:16]  # Use the first 16 bytes of the key as the IV; in effect it is the same as the key
    cipher = AES.new(key_bytes, AES.MODE_CBC, iv)
    padded_data = pad(text.encode('utf-8'), AES.block_size)
    encrypted = cipher.encrypt(padded_data)
    return b64encode(encrypted).decode('utf-8')

# RSA-encrypt the key to produce codeEncryptedStr
def rsa_encrypt(text):
    public_key = """-----BEGIN PUBLIC KEY-----
    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCd0x5KWJKH+99QIvadRgvaYxD1
    HXxwvy/v7H0AYLu/CCaKGGZERtNJiar8d2LcYeeD5FQ+/9bwX5pNnxefwMQgLHyt
    xpGsKO/pIjrSytZX1bvNA6WIWbGH/an//md/cBXOQvq1hrNsKfwdZWIOgIj1N5MY
    cc7cLPLJToq2XqpP9QIDAQAB
    -----END PUBLIC KEY-----"""
    
    rsa_key = RSA.importKey(public_key)
    cipher = PKCS1_v1_5.new(rsa_key)
    encrypted = cipher.encrypt(text.encode('utf-8'))
    return b64encode(encrypted).decode('utf-8')

# Generate sign: MD5 of the paramEncryptedStr parameter + timestamp + fixed string, converted to uppercase
def generate_sign(param_str, timestamp):
    sign_str = f"{param_str}{timestamp}hyzh-unistar-5KWJKH291IvadR"
    return hashlib.md5(sign_str.encode('utf-8')).hexdigest().upper()

def generate_request_params(body):
    random_key = generate_random_key(16)
    timestamp = int(time.time() * 1000)
    
    param_encrypted_str = aes_encrypt(body, random_key)
    code_encrypted_str = rsa_encrypt(random_key)
    sign = generate_sign(json.dumps({"paramEncryptedStr": param_encrypted_str}), timestamp)
    
    print("\n=== 生成的参数 ===")
    print(f"时间戳: {timestamp}")
    print(f"paramEncryptedStr: {param_encrypted_str}")
    print(f"codeEncryptedStr: {code_encrypted_str}")  
    print(f"sign: {sign}")
    print(f"随机key和iv: {random_key}")
    print("=================\n")
    
    return {
        "timestamp": timestamp,
        "paramEncryptedStr": param_encrypted_str,
        "codeEncryptedStr": code_encrypted_str,
        "sign": sign
    }

def send_request():
    body = "{}"
    params = generate_request_params(body)
    
    headers = {
        "Content-Type": "application/json",
        "timestamp": str(params["timestamp"]),
        "codeEncryptedStr": params["codeEncryptedStr"],
        "sign": params["sign"],
        "token": "", # Replace with your token
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 MicroMessenger/7.0.20.1781(0x6700143B) NetType/WIFI MiniProgramEnv/Windows WindowsWechat/WMPF WindowsWechat(0x63090a13) XWEB/8555"
    }
    
    data = {
        "paramEncryptedStr": params["paramEncryptedStr"]
    }
    
    try:
        response = requests.post(
            "https://wxapi.uni.changan.com.cn/user/signIn",
            headers=headers,
            json=data
        )
        print("\n=== 请求结果 ===")
        print(f"状态码: {response.status_code}")
        print(f"响应内容: {response.text}")
        print("=================\n")
        return response
        
    except Exception as e:
        print(f"请求发生错误: {str(e)}")
        return None

if __name__ == "__main__":
    response = send_request()

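次谐波 posted on 2024-11-4 16:27
The next step is reverse engineering: open the app in jadx-gui, read the source and look at how the signature is generated. That said, this kind of logic is most likely in the native .so layer and has to be called through unidbg; if that doesn't work, the only option left is Xposed RPC calls.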
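OP | 幕后胸手 posted on 2024-11-6 10:30
tantanxin147 posted on 2024-11-5 00:14
I don't know how to handle the app, so I took a detour: this is the sign-in for the 引力域 mini program. Try it and see whether the app's is the same. ...

Thanks a lot. One more question: how do I get the mini program's token? I see there is an endpoint called gettokenbycode, which is also encrypted. If I want a script to sign in automatically, the token has to be obtained automatically too, right? Roughly how does this work? Is a unique token generated from the wx_id?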
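tantanxin147 posted on 2024-11-6 11:35
幕后胸手 posted on 2024-11-6 10:30
Thanks a lot. One more question: how do I get the mini program's token? I see there is an endpoint called gettokenbycode, which is also encrypted. If I want to implement ...

I really don't know this one; just capture it manually. The token requires a code, and the code is issued by Tencent's servers.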