Hexo

  • 首页

  • 归档

逆向火山小视频的发送短信、验证码登录、密码登录协议

发表于 2019-12-20 更新于 2019-12-22

抓包分析

手机登录处抓包

1

发现mobile参数

2

逆向分析算法

这里我先把apk解压,发现里面有7个dex,然后用d2j-dex2jar工具把dex文件转换成jar

1
d2j-dex2jar *.dex

用jd-gui打开全部包,然后全局搜索mobile

3

这里之所以不选择jadx的原因是其搜索太慢,有点麻烦,可读性也不及jd-gui,不过jd-gui最大的缺点是不能直接看到搜索出来的代码,要看类名判断关键代码的位置,然后点击类名才能看到代码,不过我一般看类名就能猜出关键代码的位置,所以这里选择了MobileLoginApi这个类名

点进去查看函数方法

4

这里看到mobilesmsendcode这个方法名,然后全局搜索这个方法名

5

进入这个bc类

6

这里调用了MobileLoginApi的方法,找到关键加密函数StringUtils()

继续进入这个类

7

这里是将手机号码getByte(”utf-8”)后再将数组的每一位都与0x5异或,然后再调用DigestUtils类的toHexString方法加密,下面进如这个类

8

这里进行一系列的加密操作,接下来我们直接重构他的算法

9

这里直接调用函数,输入手机号码参数,直接输出了加密后的手机值.

输入验证码,点击抓包

11

这里是短信登录的接口

12

逆向查看发现这里的加密算法跟手机号的加密算法是一样的

13

后来再继查找发现原来密码登录的加密算法也是一样的

14

下面用java项目写一个模拟发送验证码、短信登录和密码登录的协议,代码如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
package com.android;

public class DigestUtils {
public class java {

}
static final char[] HEX_CHARS = { 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 97, 98, 99, 100, 101, 102 };
public static String toHexString(byte[] paramArrayOfByte)
{
if (paramArrayOfByte == null) {
throw new NullPointerException("bytes is null");
}
return toHexString(paramArrayOfByte, 0, paramArrayOfByte.length);
}
public static String toHexString(byte[] paramArrayOfByte, int paramInt1, int paramInt2)
{
if (paramArrayOfByte == null) {
throw new NullPointerException("bytes is null");
}
if ((paramInt1 < 0) || (paramInt1 + paramInt2 > paramArrayOfByte.length)) {
throw new IndexOutOfBoundsException();
}
char[] arrayOfChar = new char[paramInt2 * 2];
int i = 0;
int j = 0;
while (i < paramInt2)
{
int k = paramArrayOfByte[(i + paramInt1)] & 0xFF;
int m = j + 1;
arrayOfChar[j] = HEX_CHARS[(k >> 4)];
j = m + 1;
arrayOfChar[m] = HEX_CHARS[(k & 0xF)];
i += 1;
}
return new String(arrayOfChar, 0, paramInt2 * 2);
}
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
package com.android;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.OutputStreamWriter;
import java.io.PrintWriter;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLConnection;

import com.android.DigestUtils;

public class encryptWithXor {

public static void main(String[] args) {
// TODO Auto-generated method stub
System.out.println(encryptWith("abcxxxxxx"));
System.out.println(encryptWith("18319xxxxxx"));
String code=encryptWith("3964");
String mobile=encryptWith("183196xxxxx");
String password=encryptWith("abcxxxxxx");
String params="manifest_version_code=820&_rticket=1576979037652&client_version_code=820&iid=96590040347&channel=xiaomi&device_type=MI+5&language=zh&resolution=1080*1920&openudid=de9b20cc5271c92d&update_version_code=8203&password="+password+"&cdid=50216864-b6b0-44fd-8957-08be35e9b639&os_api=26&dpi=480&oaid=2922991e812845a2&ac=wifi&device_id=18405873091&mcc_mnc=46001&mix_mode=1&os_version=8.0.0&mobile="+mobile+"&version_code=820&app_name=live_stream&ab_version=1268729%2C712302%2C994817%2C1370954%2C1104583%2C755178%2C1369899%2C1364631%2C692223%2C1320817%2C889328%2C1354483%2C1374199%2C955279%2C1143745%2C1258912%2C1264664%2C1322526%2C947985%2C957026%2C1368106%2C1352835%2C1316247%2C1050089%2C848690%2C1182061%2C1345483%2C841997%2C1143672%2C929432%2C1352453%2C1377016%2C1374645%2C1048436%2C1063522%2C1372902%2C1244006%2C1227332%2C1377210%2C1257475%2C1230695%2C1168128%2C1193008%2C1371832%2C1309210%2C1143559%2C1226407%2C1323185%2C1226957%2C1363719%2C1184124%2C1247683%2C1337869%2C1096187%2C1243996%2C1300490%2C1375856%2C1002041%2C1353703%2C1368092%2C1297715%2C1371165%2C1317441%2C1331696%2C1356505%2C1133591%2C1169772%2C1167794%2C1030027%2C1322518%2C1300543%2C1317526%2C1315548%2C1340442%2C956105%2C1019139%2C1287613%2C1244221%2C1032070%2C1165214%2C1265052%2C1238834%2C1072545%2C1069233%2C1337766%2C1358405%2C1329048%2C1372433%2C1294193%2C1306589%2C1368499%2C1362800%2C1046183%2C1346662%2C1354701%2C1287139%2C1143730%2C1359497%2C819015%2C1165209%2C1363586%2C1331021%2C1312546%2C1210860%2C1315619%2C682009%2C1359100%2C1345619%2C1377338&version_name=8.2.0&jssdk_version=1.37.1.2&device_brand=Xiaomi&ssmix=a&device_platform=android&aid=1112";
String url="https://security-lq.snssdk.com/passport/mobile/send_code/?live_sdk_version=820&iid=96450368993&device_id=68769029932&ac=wifi&channel=pcandroid&aid=1112&app_name=live_stream&version_code=820&version_name=8.2.0&device_platform=android&ssmix=a&device_type=SM-G955F&device_brand=samsung&language=zh&os_api=19&os_version=4.4.2&uuid=355757010200257&openudid=c8ff2864ecb36636&manifest_version_code=820&resolution=1280*720&dpi=240&update_version_code=8203&_rticket=1576897043715&jssdk_version=1.37.1.2&ab_version=1287140%2C712302%2C1138752%2C1268726%2C994817%2C1294193%2C1167794%2C1300490%2C1364631%2C1320816%2C1356507%2C1244214%2C889328%2C1354483%2C1374199%2C1143745%2C1354612%2C1264664%2C955276%2C1168130%2C947985%2C1368106%2C1370954%2C1377016%2C1030027%2C848691%2C1182060%2C1377210%2C1143672%2C929430%2C682009%2C1352453%2C1048437%2C1340442%2C1063522%2C1372902%2C1349168%2C1050089%2C1227333%2C1374646%2C1257475%2C1193008%2C1309210%2C1038565%2C1143559%2C1226407%2C661938%2C1337822%2C1184124%2C1230696%2C1104583%2C1243996%2C1096188%2C842000%2C985550%2C1002040%2C1368092%2C1165214%2C1317441%2C1315617%2C1133591%2C692223%2C1331694%2C1169772%2C1362801%2C1210860%2C1322518%2C1300542%2C1317525%2C1244006%2C956106%2C1323190%2C1019139%2C1072545%2C1032070%2C1371165%2C1069234%2C1265053%2C1358404%2C1238835%2C1352835%2C1337766%2C1368497%2C1247686%2C1306588%2C1369900%2C1322526%2C1046183%2C1346662%2C1354701%2C1359496%2C1377337%2C1143730%2C1374995%2C1165209%2C1345486%2C1363586%2C1331021%2C1312546%2C1258912%2C1359100%2C1360490&client_version_code=820&mcc_mnc=46007&cdid=2cf3c6de-3db6-46fa-bc04-c3ef2e95750b&new_nav=1&ws_status=CONNECTED&settings_version=15&last_update_time=1576896924569&ts=1576897043";
String account_login="https://security.snssdk.com/passport/mobile/login/?manifest_version_code=820&_rticket=1576979037652&client_version_code=820&iid=96590040347&channel=xiaomi&device_type=MI+5&language=zh&resolution=1080*1920&openudid=de9b20cc5271c92d&update_version_code=8203&cdid=50216864-b6b0-44fd-8957-08be35e9b639&os_api=26&dpi=480&oaid=2922991e812845a2&ac=wifi&device_id=18405873091&mcc_mnc=46001&os_version=8.0.0&version_code=820&app_name=live_stream&ab_version=1268729%2C712302%2C994817%2C1370954%2C1104583%2C755178%2C1369899%2C1364631%2C692223%2C1320817%2C889328%2C1354483%2C1374199%2C955279%2C1143745%2C1258912%2C1264664%2C1322526%2C947985%2C957026%2C1368106%2C1352835%2C1316247%2C1050089%2C848690%2C1182061%2C1345483%2C841997%2C1143672%2C929432%2C1352453%2C1377016%2C1374645%2C1048436%2C1063522%2C1372902%2C1244006%2C1227332%2C1377210%2C1257475%2C1230695%2C1168128%2C1193008%2C1371832%2C1309210%2C1143559%2C1226407%2C1323185%2C1226957%2C1363719%2C1184124%2C1247683%2C1337869%2C1096187%2C1243996%2C1300490%2C1375856%2C1002041%2C1353703%2C1368092%2C1297715%2C1371165%2C1317441%2C1331696%2C1356505%2C1133591%2C1169772%2C1167794%2C1030027%2C1322518%2C1300543%2C1317526%2C1315548%2C1340442%2C956105%2C1019139%2C1287613%2C1244221%2C1032070%2C1165214%2C1265052%2C1238834%2C1072545%2C1069233%2C1337766%2C1358405%2C1329048%2C1372433%2C1294193%2C1306589%2C1368499%2C1362800%2C1046183%2C1346662%2C1354701%2C1287139%2C1143730%2C1359497%2C819015%2C1165209%2C1363586%2C1331021%2C1312546%2C1210860%2C1315619%2C682009%2C1359100%2C1345619%2C1377338&version_name=8.2.0&jssdk_version=1.37.1.2&device_brand=Xiaomi&ssmix=a&device_platform=android&aid=1112&ts=1576979037";
String url1="https://security-lq.snssdk.com/passport/mobile/sms_login_only/?live_sdk_version=820&iid=96450368993&device_id=68769029932&ac=wifi&channel=pcandroid&aid=1112&app_name=live_stream&version_code=820&version_name=8.2.0&device_platform=android&ssmix=a&device_type=SM-G955F&device_brand=samsung&language=zh&os_api=19&os_version=4.4.2&uuid=355757010200257&openudid=c8ff2864ecb36636&manifest_version_code=820&resolution=1280*720&dpi=240&update_version_code=8203&_rticket=1576907381202&jssdk_version=1.37.1.2&ab_version=1287140%2C712302%2C1138752%2C1268726%2C994817%2C1294193%2C1167794%2C1300490%2C1364631%2C1320816%2C1356507%2C1244214%2C889328%2C1354483%2C1374199%2C1143745%2C1354612%2C1264664%2C955276%2C1168130%2C947985%2C1368106%2C1370954%2C1377016%2C1030027%2C848691%2C1182060%2C1377210%2C1143672%2C929430%2C682009%2C1352453%2C1048437%2C1340442%2C1063522%2C1372902%2C1349168%2C1050089%2C1227333%2C1374646%2C1257475%2C1193008%2C1309210%2C1038565%2C1143559%2C1226407%2C661938%2C1337822%2C1184124%2C1230696%2C1104583%2C1243996%2C1096188%2C842000%2C985550%2C1002040%2C1368092%2C1165214%2C1317441%2C1315617%2C1133591%2C692223%2C1331694%2C1169772%2C1362801%2C1210860%2C1322518%2C1300542%2C1317525%2C1244006%2C956106%2C1323190%2C1019139%2C1072545%2C1032070%2C1371165%2C1069234%2C1265053%2C1358404%2C1238835%2C1352835%2C1337766%2C1368497%2C1247686%2C1306588%2C1369900%2C1322526%2C1046183%2C1346662%2C1354701%2C1359496%2C1377337%2C1143730%2C1374995%2C1165209%2C1345486%2C1363586%2C1331021%2C1312546%2C1258912%2C1359100%2C1360490&client_version_code=820&mcc_mnc=46007&cdid=2cf3c6de-3db6-46fa-bc04-c3ef2e95750b&new_nav=1&ws_status=CONNECTED&settings_version=15&last_update_time=1576896924569&ts=1576907381";

//sendPost(url,"mix_mode=1&mobile="+mobile+"&type=3731");
//发验证短信协议

//sendPost(url1,"mix_mode=1&mobile="+mobile+"&code="+code);
//验证码登录协议
sendPost(account_login,params);
//密码登录协议
}
public static String encryptWith(String paramString)
{
int i = 0;
// byte[] localObject={"[","B","@",1,"d","b",9,7,4,2};
try
{
byte[] localObject=paramString.getBytes("UTF-8");
System.out.println(paramString.getBytes("UTF-8"));

// String[] localObject = new String(paramString.length());
while (i < localObject.length)
{
localObject[i] = ((byte)(localObject[i] ^ 0x5));
i += 1;
}
String localObject1 = DigestUtils.toHexString((byte[])localObject, 0, localObject.length);
return localObject1;
}
catch (Exception localException) {}
return paramString;
}
public static String sendPost(String url, String string) {
PrintWriter out = null;
BufferedReader in = null;
String result = "";
try {
System.out.println("yes");
URL realUrl = new URL(url);
// 打开和URL之间的连接
URLConnection conn = realUrl.openConnection();
// 设置通用的请求属性
conn.setRequestProperty("accept", "*/*");
conn.setRequestProperty("connection", "Keep-Alive");
conn.setRequestProperty("user-agent",
"ttnet okhttp/3.10.0.2");
conn.setRequestProperty("Content-Type","application/x-www-form-urlencoded; charset=UTF-8");
conn.setRequestProperty("X-SS-STUB","85DA0AB5DB33DF75CB0FB8B8C42484E9");
conn.setRequestProperty("X-SS-REQ-TICKET","1576897043715");
conn.setRequestProperty("X-Gorgon","040170f040052350e4f3a7ba14ffbb3faa8797bed2afdc6e258b");
conn.setRequestProperty("X-Khronos","1576897043");
// 发送POST请求必须设置如下两行
conn.setDoOutput(true);
conn.setDoInput(true);
// 获取URLConnection对象对应的输出流
out = new PrintWriter(conn.getOutputStream());
// 发送请求参数
out.print(string);
// flush输出流的缓冲
out.flush();
// 定义BufferedReader输入流来读取URL的响应
in = new BufferedReader(
new InputStreamReader(conn.getInputStream()));
String line;
while ((line = in.readLine()) != null) {
result += line;
}
System.out.println(result);
} catch (Exception e) {
System.out.println("发送 POST 请求出现异常!"+e);
e.printStackTrace();
}
//使用finally块来关闭输出流、输入流
finally{
try{
if(out!=null){
out.close();
}
if(in!=null){
in.close();
}
}
catch(IOException ex){
ex.printStackTrace();
}
}
return result;
}

}

10

逆向家长帮安卓app的sign算法
  • 文章目录
  • 站点概览

GD

a GOOD pwner
14 日志
  1. 1. 抓包分析
  2. 2. 逆向分析算法
© 2019 GD
由 Hexo 强力驱动 v3.7.1
|
主题 – NexT.Muse v7.3.0