逆向火山小视频的发送短信、验证码登录、密码登录协议

抓包分析

手机登录处抓包

发现mobile参数

逆向分析算法

这里我先把apk解压，发现里面有7个dex，然后用d2j-dex2jar工具把dex文件转换成jar

d2j-dex2jar *.dex

用jd-gui打开全部包，然后全局搜索mobile

这里之所以不选择jadx的原因是其搜索太慢，有点麻烦，可读性也不及jd-gui，不过jd-gui最大的缺点是不能直接看到搜索出来的代码，要看类名判断关键代码的位置，然后点击类名才能看到代码，不过我一般看类名就能猜出关键代码的位置，所以这里选择了MobileLoginApi这个类名

点进去查看函数方法

这里看到mobilesmsendcode这个方法名，然后全局搜索这个方法名

进入这个bc类

这里调用了MobileLoginApi的方法，找到关键加密函数StringUtils（）

继续进入这个类

这里是将手机号码getByte（”utf-8”）后再将数组的每一位都与0x5异或，然后再调用DigestUtils类的toHexString方法加密，下面进如这个类

这里进行一系列的加密操作，接下来我们直接重构他的算法

这里直接调用函数，输入手机号码参数，直接输出了加密后的手机值.

输入验证码，点击抓包

这里是短信登录的接口

逆向查看发现这里的加密算法跟手机号的加密算法是一样的

后来再继查找发现原来密码登录的加密算法也是一样的

下面用java项目写一个模拟发送验证码、短信登录和密码登录的协议，代码如下

package com.android;

public class DigestUtils {
	 public class java {

	}
	static final char[] HEX_CHARS = { 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 97, 98, 99, 100, 101, 102 };
	  public static String toHexString(byte[] paramArrayOfByte)
	  {
	    if (paramArrayOfByte == null) {
	      throw new NullPointerException("bytes is null");
	    }
	    return toHexString(paramArrayOfByte, 0, paramArrayOfByte.length);
	  }
	  public static String toHexString(byte[] paramArrayOfByte, int paramInt1, int paramInt2)
	  {
	    if (paramArrayOfByte == null) {
	      throw new NullPointerException("bytes is null");
	    }
	    if ((paramInt1 < 0) || (paramInt1 + paramInt2 > paramArrayOfByte.length)) {
	      throw new IndexOutOfBoundsException();
	    }
	    char[] arrayOfChar = new char[paramInt2 * 2];
	    int i = 0;
	    int j = 0;
	    while (i < paramInt2)
	    {
	      int k = paramArrayOfByte[(i + paramInt1)] & 0xFF;
	      int m = j + 1;
	      arrayOfChar[j] = HEX_CHARS[(k >> 4)];
	      j = m + 1;
	      arrayOfChar[m] = HEX_CHARS[(k & 0xF)];
	      i += 1;
	    }
	    return new String(arrayOfChar, 0, paramInt2 * 2);
	  }
}

package com.android;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.OutputStreamWriter;
import java.io.PrintWriter;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLConnection;

import com.android.DigestUtils;

public class encryptWithXor {

	public static void main(String[] args) {
		// TODO Auto-generated method stub
			System.out.println(encryptWith("abcxxxxxx"));
			System.out.println(encryptWith("18319xxxxxx"));
			String code=encryptWith("3964");
			String mobile=encryptWith("183196xxxxx");
			String password=encryptWith("abcxxxxxx");
			String params="manifest_version_code=820&_rticket=1576979037652&client_version_code=820&iid=96590040347&channel=xiaomi&device_type=MI+5&language=zh&resolution=1080*1920&openudid=de9b20cc5271c92d&update_version_code=8203&password="+password+"&cdid=50216864-b6b0-44fd-8957-08be35e9b639&os_api=26&dpi=480&oaid=2922991e812845a2&ac=wifi&device_id=18405873091&mcc_mnc=46001&mix_mode=1&os_version=8.0.0&mobile="+mobile+"&version_code=820&app_name=live_stream&ab_version=1268729%2C712302%2C994817%2C1370954%2C1104583%2C755178%2C1369899%2C1364631%2C692223%2C1320817%2C889328%2C1354483%2C1374199%2C955279%2C1143745%2C1258912%2C1264664%2C1322526%2C947985%2C957026%2C1368106%2C1352835%2C1316247%2C1050089%2C848690%2C1182061%2C1345483%2C841997%2C1143672%2C929432%2C1352453%2C1377016%2C1374645%2C1048436%2C1063522%2C1372902%2C1244006%2C1227332%2C1377210%2C1257475%2C1230695%2C1168128%2C1193008%2C1371832%2C1309210%2C1143559%2C1226407%2C1323185%2C1226957%2C1363719%2C1184124%2C1247683%2C1337869%2C1096187%2C1243996%2C1300490%2C1375856%2C1002041%2C1353703%2C1368092%2C1297715%2C1371165%2C1317441%2C1331696%2C1356505%2C1133591%2C1169772%2C1167794%2C1030027%2C1322518%2C1300543%2C1317526%2C1315548%2C1340442%2C956105%2C1019139%2C1287613%2C1244221%2C1032070%2C1165214%2C1265052%2C1238834%2C1072545%2C1069233%2C1337766%2C1358405%2C1329048%2C1372433%2C1294193%2C1306589%2C1368499%2C1362800%2C1046183%2C1346662%2C1354701%2C1287139%2C1143730%2C1359497%2C819015%2C1165209%2C1363586%2C1331021%2C1312546%2C1210860%2C1315619%2C682009%2C1359100%2C1345619%2C1377338&version_name=8.2.0&jssdk_version=1.37.1.2&device_brand=Xiaomi&ssmix=a&device_platform=android&aid=1112";
			String url="https://security-lq.snssdk.com/passport/mobile/send_code/?live_sdk_version=820&iid=96450368993&device_id=68769029932&ac=wifi&channel=pcandroid&aid=1112&app_name=live_stream&version_code=820&version_name=8.2.0&device_platform=android&ssmix=a&device_type=SM-G955F&device_brand=samsung&language=zh&os_api=19&os_version=4.4.2&uuid=355757010200257&openudid=c8ff2864ecb36636&manifest_version_code=820&resolution=1280*720&dpi=240&update_version_code=8203&_rticket=1576897043715&jssdk_version=1.37.1.2&ab_version=1287140%2C712302%2C1138752%2C1268726%2C994817%2C1294193%2C1167794%2C1300490%2C1364631%2C1320816%2C1356507%2C1244214%2C889328%2C1354483%2C1374199%2C1143745%2C1354612%2C1264664%2C955276%2C1168130%2C947985%2C1368106%2C1370954%2C1377016%2C1030027%2C848691%2C1182060%2C1377210%2C1143672%2C929430%2C682009%2C1352453%2C1048437%2C1340442%2C1063522%2C1372902%2C1349168%2C1050089%2C1227333%2C1374646%2C1257475%2C1193008%2C1309210%2C1038565%2C1143559%2C1226407%2C661938%2C1337822%2C1184124%2C1230696%2C1104583%2C1243996%2C1096188%2C842000%2C985550%2C1002040%2C1368092%2C1165214%2C1317441%2C1315617%2C1133591%2C692223%2C1331694%2C1169772%2C1362801%2C1210860%2C1322518%2C1300542%2C1317525%2C1244006%2C956106%2C1323190%2C1019139%2C1072545%2C1032070%2C1371165%2C1069234%2C1265053%2C1358404%2C1238835%2C1352835%2C1337766%2C1368497%2C1247686%2C1306588%2C1369900%2C1322526%2C1046183%2C1346662%2C1354701%2C1359496%2C1377337%2C1143730%2C1374995%2C1165209%2C1345486%2C1363586%2C1331021%2C1312546%2C1258912%2C1359100%2C1360490&client_version_code=820&mcc_mnc=46007&cdid=2cf3c6de-3db6-46fa-bc04-c3ef2e95750b&new_nav=1&ws_status=CONNECTED&settings_version=15&last_update_time=1576896924569&ts=1576897043";
			String account_login="https://security.snssdk.com/passport/mobile/login/?manifest_version_code=820&_rticket=1576979037652&client_version_code=820&iid=96590040347&channel=xiaomi&device_type=MI+5&language=zh&resolution=1080*1920&openudid=de9b20cc5271c92d&update_version_code=8203&cdid=50216864-b6b0-44fd-8957-08be35e9b639&os_api=26&dpi=480&oaid=2922991e812845a2&ac=wifi&device_id=18405873091&mcc_mnc=46001&os_version=8.0.0&version_code=820&app_name=live_stream&ab_version=1268729%2C712302%2C994817%2C1370954%2C1104583%2C755178%2C1369899%2C1364631%2C692223%2C1320817%2C889328%2C1354483%2C1374199%2C955279%2C1143745%2C1258912%2C1264664%2C1322526%2C947985%2C957026%2C1368106%2C1352835%2C1316247%2C1050089%2C848690%2C1182061%2C1345483%2C841997%2C1143672%2C929432%2C1352453%2C1377016%2C1374645%2C1048436%2C1063522%2C1372902%2C1244006%2C1227332%2C1377210%2C1257475%2C1230695%2C1168128%2C1193008%2C1371832%2C1309210%2C1143559%2C1226407%2C1323185%2C1226957%2C1363719%2C1184124%2C1247683%2C1337869%2C1096187%2C1243996%2C1300490%2C1375856%2C1002041%2C1353703%2C1368092%2C1297715%2C1371165%2C1317441%2C1331696%2C1356505%2C1133591%2C1169772%2C1167794%2C1030027%2C1322518%2C1300543%2C1317526%2C1315548%2C1340442%2C956105%2C1019139%2C1287613%2C1244221%2C1032070%2C1165214%2C1265052%2C1238834%2C1072545%2C1069233%2C1337766%2C1358405%2C1329048%2C1372433%2C1294193%2C1306589%2C1368499%2C1362800%2C1046183%2C1346662%2C1354701%2C1287139%2C1143730%2C1359497%2C819015%2C1165209%2C1363586%2C1331021%2C1312546%2C1210860%2C1315619%2C682009%2C1359100%2C1345619%2C1377338&version_name=8.2.0&jssdk_version=1.37.1.2&device_brand=Xiaomi&ssmix=a&device_platform=android&aid=1112&ts=1576979037";
			String url1="https://security-lq.snssdk.com/passport/mobile/sms_login_only/?live_sdk_version=820&iid=96450368993&device_id=68769029932&ac=wifi&channel=pcandroid&aid=1112&app_name=live_stream&version_code=820&version_name=8.2.0&device_platform=android&ssmix=a&device_type=SM-G955F&device_brand=samsung&language=zh&os_api=19&os_version=4.4.2&uuid=355757010200257&openudid=c8ff2864ecb36636&manifest_version_code=820&resolution=1280*720&dpi=240&update_version_code=8203&_rticket=1576907381202&jssdk_version=1.37.1.2&ab_version=1287140%2C712302%2C1138752%2C1268726%2C994817%2C1294193%2C1167794%2C1300490%2C1364631%2C1320816%2C1356507%2C1244214%2C889328%2C1354483%2C1374199%2C1143745%2C1354612%2C1264664%2C955276%2C1168130%2C947985%2C1368106%2C1370954%2C1377016%2C1030027%2C848691%2C1182060%2C1377210%2C1143672%2C929430%2C682009%2C1352453%2C1048437%2C1340442%2C1063522%2C1372902%2C1349168%2C1050089%2C1227333%2C1374646%2C1257475%2C1193008%2C1309210%2C1038565%2C1143559%2C1226407%2C661938%2C1337822%2C1184124%2C1230696%2C1104583%2C1243996%2C1096188%2C842000%2C985550%2C1002040%2C1368092%2C1165214%2C1317441%2C1315617%2C1133591%2C692223%2C1331694%2C1169772%2C1362801%2C1210860%2C1322518%2C1300542%2C1317525%2C1244006%2C956106%2C1323190%2C1019139%2C1072545%2C1032070%2C1371165%2C1069234%2C1265053%2C1358404%2C1238835%2C1352835%2C1337766%2C1368497%2C1247686%2C1306588%2C1369900%2C1322526%2C1046183%2C1346662%2C1354701%2C1359496%2C1377337%2C1143730%2C1374995%2C1165209%2C1345486%2C1363586%2C1331021%2C1312546%2C1258912%2C1359100%2C1360490&client_version_code=820&mcc_mnc=46007&cdid=2cf3c6de-3db6-46fa-bc04-c3ef2e95750b&new_nav=1&ws_status=CONNECTED&settings_version=15&last_update_time=1576896924569&ts=1576907381";
    			
			//sendPost(url,"mix_mode=1&mobile="+mobile+"&type=3731");
    			//发验证短信协议
    			
			//sendPost(url1,"mix_mode=1&mobile="+mobile+"&code="+code);
				//验证码登录协议
			sendPost(account_login,params);
			//密码登录协议
	}
	public static String encryptWith(String paramString)
	  {
	    int i = 0;
	   // byte[] localObject={"[","B","@",1,"d","b",9,7,4,2};
	    try
	    {
	    	byte[] localObject=paramString.getBytes("UTF-8");
	    	System.out.println(paramString.getBytes("UTF-8"));
	    	
	    //  String[] localObject = new String(paramString.length());
	      while (i < localObject.length)
	      {
	        localObject[i] = ((byte)(localObject[i] ^ 0x5));
	        i += 1;
	      }
	      String localObject1 = DigestUtils.toHexString((byte[])localObject, 0, localObject.length);
	      return localObject1;
	    }
	    catch (Exception localException) {}
	    return paramString;
	  }
	public static String sendPost(String url, String string) {
	    PrintWriter out = null;
	    BufferedReader in = null;
	    String result = "";
	    try {
	    	System.out.println("yes");
	        URL realUrl = new URL(url);
	        // 打开和URL之间的连接
	        URLConnection conn = realUrl.openConnection();
	        // 设置通用的请求属性
	        conn.setRequestProperty("accept", "*/*");
	        conn.setRequestProperty("connection", "Keep-Alive");
	        conn.setRequestProperty("user-agent",
	                "ttnet okhttp/3.10.0.2");
	        conn.setRequestProperty("Content-Type","application/x-www-form-urlencoded; charset=UTF-8");
	        conn.setRequestProperty("X-SS-STUB","85DA0AB5DB33DF75CB0FB8B8C42484E9");
	        conn.setRequestProperty("X-SS-REQ-TICKET","1576897043715");
	        conn.setRequestProperty("X-Gorgon","040170f040052350e4f3a7ba14ffbb3faa8797bed2afdc6e258b");
	        conn.setRequestProperty("X-Khronos","1576897043");
	        // 发送POST请求必须设置如下两行
	        conn.setDoOutput(true);
	        conn.setDoInput(true);
	        // 获取URLConnection对象对应的输出流
	        out = new PrintWriter(conn.getOutputStream());
	        // 发送请求参数
	        out.print(string);
	        // flush输出流的缓冲
	        out.flush();
	        // 定义BufferedReader输入流来读取URL的响应
	        in = new BufferedReader(
	                new InputStreamReader(conn.getInputStream()));
	        String line;
	        while ((line = in.readLine()) != null) {
	            result += line;
	        }
	        System.out.println(result);
	    } catch (Exception e) {
	        System.out.println("发送 POST 请求出现异常！"+e);
	        e.printStackTrace();
	    }
	    //使用finally块来关闭输出流、输入流
	    finally{
	        try{
	            if(out!=null){
	                out.close();
	            }
	            if(in!=null){
	                in.close();
	            }
	        }
	        catch(IOException ex){
	            ex.printStackTrace();
	        }
	    }
	    return result;
	}   
	
}