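Analysis of the API token in the Manmanbuy (慢慢买) app, version 3.6.90


0x01. Goals:

  .a) Work out the Manmanbuy API parameters and how the associated signature is produced

  .b) Retrieve historical coupon information for products on Tmall, Taobao and similar sites

0x02. Background:

  .a) Version 3.6.90 (currently the latest)

  .b) The app is packed (Qihoo 360 packer)

  .c) The app uses token signature verification in its network communication

0x03. Analysis workflow:

  .a) Unpack the app first, then analyse the source with tools

  .b) Identify what each API does by capturing packets or hooking sensitive functions

  .c) Follow how the parameters are assembled inside the function to trace where they come from and how they are encrypted (the token check)

0x04. Analysis:

  .a) Debugging and analysis.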

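    0x001. Packet capture:

[Figure: packet capture]



    0x002. Replay the request from Python with modified parameters (after a parameter is changed, the server returns a token error):

[Figure: normal request]



[Figure: the check shows that the server validates the token]



    0x003. Open the app in Jadx-gui to view the source (the app is packed with the Qihoo 360 packer):

[Figure: the app source shows a packer]



    0x004. (Unpacking) I used FRIDA-DEXDump-master here; thanks to its author. The script can be found on GitHub:

[Figure: unpacking the app with FRIDA-DEXDump-master, thanks to the author]



    0x005. Analyse the unpacked source. Unpacking produced many dex files; I suggest starting with the largest and working through them one by one in descending order. Once a dex contains the app's package name, you have basically located the right one. As the figure below shows, I found where the parameters are read, so we only need to hook that function and print the stack trace:

[Figure: locating the source of the parameters]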



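    0x006. After the test above I found that this function was never called, so it had to be the wrong place. To save time, I hooked the put function of the system HashMap object directly: as long as the app uses that function to assemble its parameters, this leads straight to the location:

[Figure: hooking the function from the previous step printed nothing]



    0x007. The HashMap hook did not help either. Seeing that the app uses the okhttp3 package, I hooked that networking library directly (the URL request we want to capture showed up, so I printed an exception to look at the stack). The resulting exception information was of no help at all:

[Figure: hooking OkHttp3]



    0x008. Having found nothing useful, I switched from Frida to Xposed to verify the hook points, hooking HashMap and checking whether the key is one of the values in the request parameters (I could not find that package path in the unpacked dex files):

[Figure: hook verification]



    0x009. Because the earlier unpacking was incomplete, I unpacked again; the code is shown below. I found this class and function and analysed them as follows (the call into the native-layer function passes in a string, which is the string to be encrypted; the method is implemented in a .so, and the library loaded is mmbKey):

[Figure: getSign]



    0x0010. Because the earlier unpacking was incomplete, I unpacked again; the code is shown below. I found this class and function and analysed them as follows (the call into the native-layer function passes in a string, which is the string to be encrypted; the method is implemented in a .so, and the library loaded is mmbKey):

[Figure: viewing the implementing function in IDA]



[Figure: the function that is ultimately called]



    0x0011. Leaving aside for now what the .so does internally, what we know first is that the Java layer passes the data to be encrypted into the .so, and after processing it the .so calls the MD5 function in Java. So if we hook, in the Java layer, the argument passed before the .so function is called, and then hook the argument passed to MD5, we know everything the .so did. Verification (hook code below):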


// Runs inside IXposedHookLoadPackage.handleLoadPackage(loadPackageParam).
// Needs android.content.Context, android.util.Log and, from
// de.robv.android.xposed, XposedHelpers and XC_MethodHook.
XposedHelpers.findAndHookMethod("com.stub.StubApp", loadPackageParam.classLoader, "attachBaseContext",
        Context.class, new XC_MethodHook() {
            @Override
            protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                super.afterHookedMethod(param);
                Log.e("EDXposed", "进入慢慢买app...");
                // Get the ClassLoader set up by the packer
                Context context = (Context) param.args[0];
                final ClassLoader classLoader = context.getClassLoader();

                // Log the string that Java passes into the native layer
                XposedHelpers.findAndHookMethod(classLoader.loadClass("com.maochunjie.mencryptsign.RNReactNativeMencryptSignModule"), "getToken",
                        String.class, new XC_MethodHook() {
                            @Override
                            protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                                super.beforeHookedMethod(param);
                                Log.e("EDXposed", "入参到Navite层值为: " + param.args[0].toString());
                            }
                        });

                // Log the string the native layer hands to the Java MD5 helper.
                // Registered once here, not inside the getToken callback, so that
                // repeated getToken calls do not stack duplicate hooks.
                XposedHelpers.findAndHookMethod("com.maochunjie.mencryptsign.MD5Util", classLoader,
                        "getMD5String", String.class, new XC_MethodHook() {
                            @Override
                            protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                                super.beforeHookedMethod(param);
                                Log.e("EDXposed", "入参到java MD5加密函数,  参数为:   " + param.args[0].toString());
                            }
                        });
            }
        });


[Figure: parameter processing]


2021-08-10 18:42:12.174 9469-9587/? E/EDXposed: 入参到Navite层值为: C_AAID643B6B5A-D611-4B58-BBA5-C9BFF8BA3461C_AB21578%2C21543C_APPVER3.6.90C_BRANDREDMIC_CHANNEL%E9%98%BF%E9%87%8C%E5%88%86%E5%8F%91%E5%B9%B3%E5%8F%B0C_CTRLTRENDDETAILSCENEC_DEVID98%3AF6%3A21%3A58%3AF6%3A4DC_DEVMODELM2003J15SCC_DIDR5DGAWNPMBLJNLMT3EBBUJI57UY3DU3H6IYKMXKCDOQPXHBQM5YA01C_DP1C_FIRSTCHANNEL%E9%98%BF%E9%87%8C%E5%88%86%E5%8F%91%E5%B9%B3%E5%8F%B0C_FIRSTQUERENDATE1628498875141C_FRISTVERSION3.6.90C_MAC98%3AF6%3A21%3A58%3AF6%3A4DC_MMBDEVIDCE79239F24654EA1BC00D1CE14C9037A-397C_OAIDEDB64B3A5004567CC_OSTYPEANDROIDC_OSVER10C_SAFEAREA36.3636360168457_0C_SSID9F2AE114-0A90-4A36-9AE2-777D2960D289C_TEST%5B%7B%22T%22%3A%22INDEXINFORMATIONFLOWTEST_3570%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22TEST3610%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22INDEXFILTERBARABTEST3620%22%2C%22G%22%3A%22TESTA%22%7D%2C%7B%22T%22%3A%22SEARCH_ZOUSHIQWBJABTEST3640%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22HISTORYTRENDZHEKOUDRAINAGEABTEST3640%22%2C%22G%22%3A%22TESTA%22%7D%2C%7B%22T%22%3A%22ZHEKOUSEARCHBOXABTEST3680%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22SHEQUHOMEPAGEABTES3660%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22APPINDEXNEWSTYLEABTEST3680%22%2C%22G%22%3A%22TESTB%22%7D%5DC_USERSTATUS%7B%22ST_TREND_USER_STATUS%22%3A%221%22%2C%22ST_SEARCH_ITEM_USER_STATUS%22%3A%221%22%2C%22ST_HOME_CX_LIST_STATUS%22%3A%221%22%2C%22ST_HOME_GUIDE_SUPERNATANT%22%3A%221%22%2C%22ST_SEARCH_HISTORY_USER_STATUS%22%3A%221%22%2C%22ST_SHEQU_RECOMMEND_ARITH%22%3A%221%22%2C%22ST_HOME_SERACH_BOX_STATUS%22%3A%221%22%2C%22ST_SEARCH_YH_MODAL%22%3A%221%22%7DC_VAID0C5DEBB2D3C47666C_WINW_393_H_767IPAGE2IPAGESIZE6JSONCALLBACK%3FMETHODNAMEGETZHEKOUP_URLHTTPS%253A%252F%252FITEM.TAOBAO.COM%252FITEM.HTM%253FID%253D630980474179SHOWLOWER0T1628592132150ZKORDERBYDATETIME
2021-08-10 18:42:12.174 9469-9587/? E/EDXposed: 入参到java MD5加密函数,  参数为:   7F83010817815989101D7442BF760B3FC_AAID643B6B5A-D611-4B58-BBA5-C9BFF8BA3461C_AB21578%2C21543C_APPVER3.6.90C_BRANDREDMIC_CHANNEL%E9%98%BF%E9%87%8C%E5%88%86%E5%8F%91%E5%B9%B3%E5%8F%B0C_CTRLTRENDDETAILSCENEC_DEVID98%3AF6%3A21%3A58%3AF6%3A4DC_DEVMODELM2003J15SCC_DIDR5DGAWNPMBLJNLMT3EBBUJI57UY3DU3H6IYKMXKCDOQPXHBQM5YA01C_DP1C_FIRSTCHANNEL%E9%98%BF%E9%87%8C%E5%88%86%E5%8F%91%E5%B9%B3%E5%8F%B0C_FIRSTQUERENDATE1628498875141C_FRISTVERSION3.6.90C_MAC98%3AF6%3A21%3A58%3AF6%3A4DC_MMBDEVIDCE79239F24654EA1BC00D1CE14C9037A-397C_OAIDEDB64B3A5004567CC_OSTYPEANDROIDC_OSVER10C_SAFEAREA36.3636360168457_0C_SSID9F2AE114-0A90-4A36-9AE2-777D2960D289C_TEST%5B%7B%22T%22%3A%22INDEXINFORMATIONFLOWTEST_3570%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22TEST3610%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22INDEXFILTERBARABTEST3620%22%2C%22G%22%3A%22TESTA%22%7D%2C%7B%22T%22%3A%22SEARCH_ZOUSHIQWBJABTEST3640%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22HISTORYTRENDZHEKOUDRAINAGEABTEST3640%22%2C%22G%22%3A%22TESTA%22%7D%2C%7B%22T%22%3A%22ZHEKOUSEARCHBOXABTEST3680%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22SHEQUHOMEPAGEABTES3660%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22APPINDEXNEWSTYLEABTEST3680%22%2C%22G%22%3A%22TESTB%22%7D%5DC_USERSTATUS%7B%22ST_TREND_USER_STATUS%22%3A%221%22%2C%22ST_SEARCH_ITEM_USER_STATUS%22%3A%221%22%2C%22ST_HOME_CX_LIST_STATUS%22%3A%221%22%2C%22ST_HOME_GUIDE_SUPERNATANT%22%3A%221%22%2C%22ST_SEARCH_HISTORY_USER_STATUS%22%3A%221%22%2C%22ST_SHEQU_RECOMMEND_ARITH%22%3A%221%22%2C%22ST_HOME_SERACH_BOX_STATUS%22%3A%221%22%2C%22ST_SEARCH_YH_MODAL%22%3A%221%22%7DC_VAID0C5DEBB2D3C47666C_WINW_393_H_767IPAGE2IPAGESIZE6JSONCALLBACK%3FMETHODNAMEGETZHEKOUP_URLHTTPS%253A%252F%252FITEM.TAOBAO.COM%252FITEM.HTM%253FID%253D630980474179SHOWLOWER0T1628592132150ZKORDERBYDATETIME7F83010817815989101D7442BF760B3F
2021-08-10 18:42:12.178 9469-9587/? E/EDXposed: 入参到java MD5加密函数,  参数为:   7F83010817815989101D7442BF760B3FC_AAID643B6B5A-D611-4B58-BBA5-C9BFF8BA3461C_AB21578%2C21543C_APPVER3.6.90C_BRANDREDMIC_CHANNEL%E9%98%BF%E9%87%8C%E5%88%86%E5%8F%91%E5%B9%B3%E5%8F%B0C_CTRLTRENDDETAILSCENEC_DEVID98%3AF6%3A21%3A58%3AF6%3A4DC_DEVMODELM2003J15SCC_DIDR5DGAWNPMBLJNLMT3EBBUJI57UY3DU3H6IYKMXKCDOQPXHBQM5YA01C_DP1C_FIRSTCHANNEL%E9%98%BF%E9%87%8C%E5%88%86%E5%8F%91%E5%B9%B3%E5%8F%B0C_FIRSTQUERENDATE1628498875141C_FRISTVERSION3.6.90C_MAC98%3AF6%3A21%3A58%3AF6%3A4DC_MMBDEVIDCE79239F24654EA1BC00D1CE14C9037A-397C_OAIDEDB64B3A5004567CC_OSTYPEANDROIDC_OSVER10C_SAFEAREA36.3636360168457_0C_SSID9F2AE114-0A90-4A36-9AE2-777D2960D289C_TEST%5B%7B%22T%22%3A%22INDEXINFORMATIONFLOWTEST_3570%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22TEST3610%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22INDEXFILTERBARABTEST3620%22%2C%22G%22%3A%22TESTA%22%7D%2C%7B%22T%22%3A%22SEARCH_ZOUSHIQWBJABTEST3640%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22HISTORYTRENDZHEKOUDRAINAGEABTEST3640%22%2C%22G%22%3A%22TESTA%22%7D%2C%7B%22T%22%3A%22ZHEKOUSEARCHBOXABTEST3680%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22SHEQUHOMEPAGEABTES3660%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22APPINDEXNEWSTYLEABTEST3680%22%2C%22G%22%3A%22TESTB%22%7D%5DC_USERSTATUS%7B%22ST_TREND_USER_STATUS%22%3A%221%22%2C%22ST_SEARCH_ITEM_USER_STATUS%22%3A%221%22%2C%22ST_HOME_CX_LIST_STATUS%22%3A%221%22%2C%22ST_HOME_GUIDE_SUPERNATANT%22%3A%221%22%2C%22ST_SEARCH_HISTORY_USER_STATUS%22%3A%221%22%2C%22ST_SHEQU_RECOMMEND_ARITH%22%3A%221%22%2C%22ST_HOME_SERACH_BOX_STATUS%22%3A%221%22%2C%22ST_SEARCH_YH_MODAL%22%3A%221%22%7DC_VAID0C5DEBB2D3C47666C_WINW_393_H_767IPAGE2IPAGESIZE6JSONCALLBACK%3FMETHODNAMEGETZHEKOUP_URLHTTPS%253A%252F%252FITEM.TAOBAO.COM%252FITEM.HTM%253FID%253D630980474179SHOWLOWER0T1628592132150ZKORDERBYDATETIME7F83010817815989101D7442BF760B3F
2021-08-10 18:42:12.534 9469-9587/? E/EDXposed: 入参到Navite层值为: C_AAID643B6B5A-D611-4B58-BBA5-C9BFF8BA3461C_AB21578%2C21543C_APPVER3.6.90C_BRANDREDMIC_CHANNEL%E9%98%BF%E9%87%8C%E5%88%86%E5%8F%91%E5%B9%B3%E5%8F%B0C_CTRLTRENDDETAILSCENEC_DEVID98%3AF6%3A21%3A58%3AF6%3A4DC_DEVMODELM2003J15SCC_DIDR5DGAWNPMBLJNLMT3EBBUJI57UY3DU3H6IYKMXKCDOQPXHBQM5YA01C_DP1C_FIRSTCHANNEL%E9%98%BF%E9%87%8C%E5%88%86%E5%8F%91%E5%B9%B3%E5%8F%B0C_FIRSTQUERENDATE1628498875141C_FRISTVERSION3.6.90C_MAC98%3AF6%3A21%3A58%3AF6%3A4DC_MMBDEVIDCE79239F24654EA1BC00D1CE14C9037A-397C_OAIDEDB64B3A5004567CC_OSTYPEANDROIDC_OSVER10C_SAFEAREA36.3636360168457_0C_SSID9F2AE114-0A90-4A36-9AE2-777D2960D289C_TEST%5B%7B%22T%22%3A%22INDEXINFORMATIONFLOWTEST_3570%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22TEST3610%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22INDEXFILTERBARABTEST3620%22%2C%22G%22%3A%22TESTA%22%7D%2C%7B%22T%22%3A%22SEARCH_ZOUSHIQWBJABTEST3640%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22HISTORYTRENDZHEKOUDRAINAGEABTEST3640%22%2C%22G%22%3A%22TESTA%22%7D%2C%7B%22T%22%3A%22ZHEKOUSEARCHBOXABTEST3680%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22SHEQUHOMEPAGEABTES3660%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22APPINDEXNEWSTYLEABTEST3680%22%2C%22G%22%3A%22TESTB%22%7D%5DC_USERSTATUS%7B%22ST_TREND_USER_STATUS%22%3A%221%22%2C%22ST_SEARCH_ITEM_USER_STATUS%22%3A%221%22%2C%22ST_HOME_CX_LIST_STATUS%22%3A%221%22%2C%22ST_HOME_GUIDE_SUPERNATANT%22%3A%221%22%2C%22ST_SEARCH_HISTORY_USER_STATUS%22%3A%221%22%2C%22ST_SHEQU_RECOMMEND_ARITH%22%3A%221%22%2C%22ST_HOME_SERACH_BOX_STATUS%22%3A%221%22%2C%22ST_SEARCH_YH_MODAL%22%3A%221%22%7DC_VAID0C5DEBB2D3C47666C_WINW_393_H_767JSONCALLBACK%3FMETHODNAMEINSERTAPPLOGT1628592132480TYPE%E5%8E%86%E5%8F%B2%E4%BB%B7%E6%A0%BC%E8%B5%B0%E5%8A%BFVALUE%7B%22TYPE%22%3A%22%E5%8E%86%E5%8F%B2%E6%8A%98%E6%89%A3_%E6%9F%A5%E7%9C%8B%E6%9B%B4%E5%A4%9A%22%2C%22KEY%22%3A%7B%22URL%22%3A%22HTTPS%3A%2F%2FITEM.TAOBAO.COM%2FITEM.HTM%3FID%3D630980474179%22%2C%22PAGE%22%3A2%7D%7D
2021-08-10 18:42:12.534 9469-9587/? E/EDXposed: 入参到java MD5加密函数,  参数为:   7F83010817815989101D7442BF760B3FC_AAID643B6B5A-D611-4B58-BBA5-C9BFF8BA3461C_AB21578%2C21543C_APPVER3.6.90C_BRANDREDMIC_CHANNEL%E9%98%BF%E9%87%8C%E5%88%86%E5%8F%91%E5%B9%B3%E5%8F%B0C_CTRLTRENDDETAILSCENEC_DEVID98%3AF6%3A21%3A58%3AF6%3A4DC_DEVMODELM2003J15SCC_DIDR5DGAWNPMBLJNLMT3EBBUJI57UY3DU3H6IYKMXKCDOQPXHBQM5YA01C_DP1C_FIRSTCHANNEL%E9%98%BF%E9%87%8C%E5%88%86%E5%8F%91%E5%B9%B3%E5%8F%B0C_FIRSTQUERENDATE1628498875141C_FRISTVERSION3.6.90C_MAC98%3AF6%3A21%3A58%3AF6%3A4DC_MMBDEVIDCE79239F24654EA1BC00D1CE14C9037A-397C_OAIDEDB64B3A5004567CC_OSTYPEANDROIDC_OSVER10C_SAFEAREA36.3636360168457_0C_SSID9F2AE114-0A90-4A36-9AE2-777D2960D289C_TEST%5B%7B%22T%22%3A%22INDEXINFORMATIONFLOWTEST_3570%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22TEST3610%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22INDEXFILTERBARABTEST3620%22%2C%22G%22%3A%22TESTA%22%7D%2C%7B%22T%22%3A%22SEARCH_ZOUSHIQWBJABTEST3640%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22HISTORYTRENDZHEKOUDRAINAGEABTEST3640%22%2C%22G%22%3A%22TESTA%22%7D%2C%7B%22T%22%3A%22ZHEKOUSEARCHBOXABTEST3680%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22SHEQUHOMEPAGEABTES3660%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22APPINDEXNEWSTYLEABTEST3680%22%2C%22G%22%3A%22TESTB%22%7D%5DC_USERSTATUS%7B%22ST_TREND_USER_STATUS%22%3A%221%22%2C%22ST_SEARCH_ITEM_USER_STATUS%22%3A%221%22%2C%22ST_HOME_CX_LIST_STATUS%22%3A%221%22%2C%22ST_HOME_GUIDE_SUPERNATANT%22%3A%221%22%2C%22ST_SEARCH_HISTORY_USER_STATUS%22%3A%221%22%2C%22ST_SHEQU_RECOMMEND_ARITH%22%3A%221%22%2C%22ST_HOME_SERACH_BOX_STATUS%22%3A%221%22%2C%22ST_SEARCH_YH_MODAL%22%3A%221%22%7DC_VAID0C5DEBB2D3C47666C_WINW_393_H_767JSONCALLBACK%3FMETHODNAMEINSERTAPPLOGT1628592132480TYPE%E5%8E%86%E5%8F%B2%E4%BB%B7%E6%A0%BC%E8%B5%B0%E5%8A%BFVALUE%7B%22TYPE%22%3A%22%E5%8E%86%E5%8F%B2%E6%8A%98%E6%89%A3_%E6%9F%A5%E7%9C%8B%E6%9B%B4%E5%A4%9A%22%2C%22KEY%22%3A%7B%22URL%22%3A%22HTTPS%3A%2F%2FITEM.TAOBAO.COM%2FITEM.HTM%3FID%3D630
980474179%22%2C%22PAGE%22%3A2%7D%7D7F83010817815989101D7442BF760B3F
2021-08-10 18:42:12.537 9469-9587/? E/EDXposed: 入参到java MD5加密函数,  参数为:   7F83010817815989101D7442BF760B3FC_AAID643B6B5A-D611-4B58-BBA5-C9BFF8BA3461C_AB21578%2C21543C_APPVER3.6.90C_BRANDREDMIC_CHANNEL%E9%98%BF%E9%87%8C%E5%88%86%E5%8F%91%E5%B9%B3%E5%8F%B0C_CTRLTRENDDETAILSCENEC_DEVID98%3AF6%3A21%3A58%3AF6%3A4DC_DEVMODELM2003J15SCC_DIDR5DGAWNPMBLJNLMT3EBBUJI57UY3DU3H6IYKMXKCDOQPXHBQM5YA01C_DP1C_FIRSTCHANNEL%E9%98%BF%E9%87%8C%E5%88%86%E5%8F%91%E5%B9%B3%E5%8F%B0C_FIRSTQUERENDATE1628498875141C_FRISTVERSION3.6.90C_MAC98%3AF6%3A21%3A58%3AF6%3A4DC_MMBDEVIDCE79239F24654EA1BC00D1CE14C9037A-397C_OAIDEDB64B3A5004567CC_OSTYPEANDROIDC_OSVER10C_SAFEAREA36.3636360168457_0C_SSID9F2AE114-0A90-4A36-9AE2-777D2960D289C_TEST%5B%7B%22T%22%3A%22INDEXINFORMATIONFLOWTEST_3570%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22TEST3610%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22INDEXFILTERBARABTEST3620%22%2C%22G%22%3A%22TESTA%22%7D%2C%7B%22T%22%3A%22SEARCH_ZOUSHIQWBJABTEST3640%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22HISTORYTRENDZHEKOUDRAINAGEABTEST3640%22%2C%22G%22%3A%22TESTA%22%7D%2C%7B%22T%22%3A%22ZHEKOUSEARCHBOXABTEST3680%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22SHEQUHOMEPAGEABTES3660%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22APPINDEXNEWSTYLEABTEST3680%22%2C%22G%22%3A%22TESTB%22%7D%5DC_USERSTATUS%7B%22ST_TREND_USER_STATUS%22%3A%221%22%2C%22ST_SEARCH_ITEM_USER_STATUS%22%3A%221%22%2C%22ST_HOME_CX_LIST_STATUS%22%3A%221%22%2C%22ST_HOME_GUIDE_SUPERNATANT%22%3A%221%22%2C%22ST_SEARCH_HISTORY_USER_STATUS%22%3A%221%22%2C%22ST_SHEQU_RECOMMEND_ARITH%22%3A%221%22%2C%22ST_HOME_SERACH_BOX_STATUS%22%3A%221%22%2C%22ST_SEARCH_YH_MODAL%22%3A%221%22%7DC_VAID0C5DEBB2D3C47666C_WINW_393_H_767JSONCALLBACK%3FMETHODNAMEINSERTAPPLOGT1628592132480TYPE%E5%8E%86%E5%8F%B2%E4%BB%B7%E6%A0%BC%E8%B5%B0%E5%8A%BFVALUE%7B%22TYPE%22%3A%22%E5%8E%86%E5%8F%B2%E6%8A%98%E6%89%A3_%E6%9F%A5%E7%9C%8B%E6%9B%B4%E5%A4%9A%22%2C%22KEY%22%3A%7B%22URL%22%3A%22HTTPS%3A%2F%2FITEM.TAOBAO.COM%2FITEM.HTM%3FID%3D630
980474179%22%2C%22PAGE%22%3A2%7D%7D7F83010817815989101D7442BF760B3F


    0x0012. Take the first line (the argument before entering the .so, to be compared with our request parameters) and the second line (the data processed by the .so and passed to the Java layer for MD5). Lines four, five and six can be ignored because they belong to another API, the one whose MethodName is insertAppLog (leave that aside for now):

Request parameters (with the token parameter removed, this is the original data to be encrypted): methodName=getZhekou&p_url=https%253A%252F%252Fitem.taobao.com%252Fitem.htm%253Fid%253D630980474179&ipagesize=6&ipage=2&zkorderby=datetime&showLower=0&t=1628592132150&jsoncallback=%3F&username=&u_name=&u_avatar=&sign=&c_appver=3.6.90&c_ostype=android&c_osver=10&c_devid=98%3Af6%3A21%3A58%3Af6%3A4d&c_mmbDevId=ce79239f24654ea1bc00d1ce14c9037a-397&c_patch=&c_devmodel=M2003J15SC&c_brand=Redmi&c_operator=&c_ctrl=TrendDetailScene&c_win=w_393_h_767&c_dp=1&c_safearea=36.3636360168457_0&c_mac=98%3Af6%3A21%3A58%3Af6%3A4d&c_oaid=edb64b3a5004567c&c_vaid=0c5debb2d3c47666&c_aaid=643b6b5a-d611-4b58-bba5-c9bff8ba3461&c_firstchannel=%E9%98%BF%E9%87%8C%E5%88%86%E5%8F%91%E5%B9%B3%E5%8F%B0&c_firstquerendate=1628498875141&c_fristversion=3.6.90&c_channel=%E9%98%BF%E9%87%8C%E5%88%86%E5%8F%91%E5%B9%B3%E5%8F%B0&c_test=%5B%7B%22t%22%3A%22indexInformationFlowTest_3570%22%2C%22g%22%3A%22default%22%7D%2C%7B%22t%22%3A%22test3610%22%2C%22g%22%3A%22default%22%7D%2C%7B%22t%22%3A%22indexFilterBarABtest3620%22%2C%22g%22%3A%22testa%22%7D%2C%7B%22t%22%3A%22Search_zoushiQwbjABTest3640%22%2C%22g%22%3A%22default%22%7D%2C%7B%22t%22%3A%22historyTrendZhekouDrainageABtest3640%22%2C%22g%22%3A%22testa%22%7D%2C%7B%22t%22%3A%22ZhekouSearchboxABTest3680%22%2C%22g%22%3A%22default%22%7D%2C%7B%22t%22%3A%22ShequHomePageABTes3660%22%2C%22g%22%3A%22default%22%7D%2C%7B%22t%22%3A%22AppIndexNewStyleABTest3680%22%2C%22g%22%3A%22testb%22%7D%5D&c_ab=21578%2C21543&c_userStatus=%7B%22ST_TREND_USER_STATUS%22%3A%221%22%2C%22ST_SEARCH_ITEM_USER_STATUS%22%3A%221%22%2C%22ST_HOME_CX_LIST_STATUS%22%3A%221%22%2C%22ST_HOME_GUIDE_SUPERNATANT%22%3A%221%22%2C%22ST_SEARCH_HISTORY_USER_STATUS%22%3A%221%22%2C%22ST_SHEQU_RECOMMEND_ARITH%22%3A%221%22%2C%22ST_HOME_SERACH_BOX_STATUS%22%3A%221%22%2C%22ST_SEARCH_YH_MODAL%22%3A%221%22%7D&c_uuid=&c_ssid=9f2ae114-0a90-4a36-9ae2-777d2960d289&c_did=R5DGAWNPMBLJNLMT3EBBUJI57UY3DU3H6IYKMXKCDOQPXHBQM5YA01&token=13B20D0E69F282938105AAD70A6B0BAA



Argument before entering the .so: C_AAID643B6B5A-D611-4B58-BBA5-C9BFF8BA3461C_AB21578%2C21543C_APPVER3.6.90C_BRANDREDMIC_CHANNEL%E9%98%BF%E9%87%8C%E5%88%86%E5%8F%91%E5%B9%B3%E5%8F%B0C_CTRLTRENDDETAILSCENEC_DEVID98%3AF6%3A21%3A58%3AF6%3A4DC_DEVMODELM2003J15SCC_DIDR5DGAWNPMBLJNLMT3EBBUJI57UY3DU3H6IYKMXKCDOQPXHBQM5YA01C_DP1C_FIRSTCHANNEL%E9%98%BF%E9%87%8C%E5%88%86%E5%8F%91%E5%B9%B3%E5%8F%B0C_FIRSTQUERENDATE1628498875141C_FRISTVERSION3.6.90C_MAC98%3AF6%3A21%3A58%3AF6%3A4DC_MMBDEVIDCE79239F24654EA1BC00D1CE14C9037A-397C_OAIDEDB64B3A5004567CC_OSTYPEANDROIDC_OSVER10C_SAFEAREA36.3636360168457_0C_SSID9F2AE114-0A90-4A36-9AE2-777D2960D289C_TEST%5B%7B%22T%22%3A%22INDEXINFORMATIONFLOWTEST_3570%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22TEST3610%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22INDEXFILTERBARABTEST3620%22%2C%22G%22%3A%22TESTA%22%7D%2C%7B%22T%22%3A%22SEARCH_ZOUSHIQWBJABTEST3640%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22HISTORYTRENDZHEKOUDRAINAGEABTEST3640%22%2C%22G%22%3A%22TESTA%22%7D%2C%7B%22T%22%3A%22ZHEKOUSEARCHBOXABTEST3680%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22SHEQUHOMEPAGEABTES3660%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22APPINDEXNEWSTYLEABTEST3680%22%2C%22G%22%3A%22TESTB%22%7D%5DC_USERSTATUS%7B%22ST_TREND_USER_STATUS%22%3A%221%22%2C%22ST_SEARCH_ITEM_USER_STATUS%22%3A%221%22%2C%22ST_HOME_CX_LIST_STATUS%22%3A%221%22%2C%22ST_HOME_GUIDE_SUPERNATANT%22%3A%221%22%2C%22ST_SEARCH_HISTORY_USER_STATUS%22%3A%221%22%2C%22ST_SHEQU_RECOMMEND_ARITH%22%3A%221%22%2C%22ST_HOME_SERACH_BOX_STATUS%22%3A%221%22%2C%22ST_SEARCH_YH_MODAL%22%3A%221%22%7DC_VAID0C5DEBB2D3C47666C_WINW_393_H_767IPAGE2IPAGESIZE6JSONCALLBACK%3FMETHODNAMEGETZHEKOUP_URLHTTPS%253A%252F%252FITEM.TAOBAO.COM%252FITEM.HTM%253FID%253D630980474179SHOWLOWER0T1628592132150ZKORDERBYDATETIME


Argument passed to the Java-layer MD5 function after entering the .so: 7F83010817815989101D7442BF760B3FC_AAID643B6B5A-D611-4B58-BBA5-C9BFF8BA3461C_AB21578%2C21543C_APPVER3.6.90C_BRANDREDMIC_CHANNEL%E9%98%BF%E9%87%8C%E5%88%86%E5%8F%91%E5%B9%B3%E5%8F%B0C_CTRLTRENDDETAILSCENEC_DEVID98%3AF6%3A21%3A58%3AF6%3A4DC_DEVMODELM2003J15SCC_DIDR5DGAWNPMBLJNLMT3EBBUJI57UY3DU3H6IYKMXKCDOQPXHBQM5YA01C_DP1C_FIRSTCHANNEL%E9%98%BF%E9%87%8C%E5%88%86%E5%8F%91%E5%B9%B3%E5%8F%B0C_FIRSTQUERENDATE1628498875141C_FRISTVERSION3.6.90C_MAC98%3AF6%3A21%3A58%3AF6%3A4DC_MMBDEVIDCE79239F24654EA1BC00D1CE14C9037A-397C_OAIDEDB64B3A5004567CC_OSTYPEANDROIDC_OSVER10C_SAFEAREA36.3636360168457_0C_SSID9F2AE114-0A90-4A36-9AE2-777D2960D289C_TEST%5B%7B%22T%22%3A%22INDEXINFORMATIONFLOWTEST_3570%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22TEST3610%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22INDEXFILTERBARABTEST3620%22%2C%22G%22%3A%22TESTA%22%7D%2C%7B%22T%22%3A%22SEARCH_ZOUSHIQWBJABTEST3640%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22HISTORYTRENDZHEKOUDRAINAGEABTEST3640%22%2C%22G%22%3A%22TESTA%22%7D%2C%7B%22T%22%3A%22ZHEKOUSEARCHBOXABTEST3680%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22SHEQUHOMEPAGEABTES3660%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22APPINDEXNEWSTYLEABTEST3680%22%2C%22G%22%3A%22TESTB%22%7D%5DC_USERSTATUS%7B%22ST_TREND_USER_STATUS%22%3A%221%22%2C%22ST_SEARCH_ITEM_USER_STATUS%22%3A%221%22%2C%22ST_HOME_CX_LIST_STATUS%22%3A%221%22%2C%22ST_HOME_GUIDE_SUPERNATANT%22%3A%221%22%2C%22ST_SEARCH_HISTORY_USER_STATUS%22%3A%221%22%2C%22ST_SHEQU_RECOMMEND_ARITH%22%3A%221%22%2C%22ST_HOME_SERACH_BOX_STATUS%22%3A%221%22%2C%22ST_SEARCH_YH_MODAL%22%3A%221%22%7DC_VAID0C5DEBB2D3C47666C_WINW_393_H_767IPAGE2IPAGESIZE6JSONCALLBACK%3FMETHODNAMEGETZHEKOUP_URLHTTPS%253A%252F%252FITEM.TAOBAO.COM%252FITEM.HTM%253FID%253D630980474179SHOWLOWER0T1628592132150ZKORDERBYDATETIME7F83010817815989101D7442BF760B3F




    0x0013. Step one, processing the parameters:

"""
# ---------------------------------------
# @DateTime : 2021-08-10 15:02:51
# @Author   : ts, QuJianJun
# @FileName :test.py
# @Email    : 8577352@qq.com
# @Description :
# @ProductName :PyCharm
# ---------------------------------------
"""
from urllib.parse import quote
import collections


if __name__ == '__main__':
    # Step one: sort the parameters, convert to upper case, and drop parameters whose value is empty
    post_data = {
        "methodName": "getZhekou",
        "p_url": "https%3A%2F%2Fitem.taobao.com%2Fitem.htm%3Fid%3D630980474179",
        "ipagesize": "6",
        "ipage": "2",
        "zkorderby": "datetime",
        "showLower": "0",
        "t": "1628592132150",
        "jsoncallback": "?",
        "username": "",
        "u_name": "",
        "u_avatar": "",
        "sign": "",
        "c_appver": "3.6.90",
        "c_ostype": "android",
        "c_osver": "10",
        "c_devid": "98:f6:21:58:f6:4d",
        "c_mmbDevId": "ce79239f24654ea1bc00d1ce14c9037a-397",
        "c_patch": "",
        "c_devmodel": "M2003J15SC",
        "c_brand": "Redmi",
        "c_operator": "",
        "c_ctrl": "TrendDetailScene",
        "c_win": "w_393_h_767",
        "c_dp": "1",
        "c_safearea": "36.3636360168457_0",
        "c_mac": "98:f6:21:58:f6:4d",
        "c_oaid": "edb64b3a5004567c",
        "c_vaid": "0c5debb2d3c47666",
        "c_aaid": "643b6b5a-d611-4b58-bba5-c9bff8ba3461",
        "c_firstchannel": "阿里分发平台",
        "c_firstquerendate": "1628498875141",
        "c_fristversion": "3.6.90",
        "c_channel": "阿里分发平台",
        "c_test": '[{"t":"indexInformationFlowTest_3570","g":"default"},{"t":"test3610","g":"default"},{"t":"indexFilterBarABtest3620","g":"testa"},{"t":"Search_zoushiQwbjABTest3640","g":"default"},{"t":"historyTrendZhekouDrainageABtest3640","g":"testa"},{"t":"ZhekouSearchboxABTest3680","g":"default"},{"t":"ShequHomePageABTes3660","g":"default"},{"t":"AppIndexNewStyleABTest3680","g":"testb"}]',
        "c_ab": "21578,21543",
        "c_userStatus": '{"ST_TREND_USER_STATUS":"1","ST_SEARCH_ITEM_USER_STATUS":"1","ST_HOME_CX_LIST_STATUS":"1","ST_HOME_GUIDE_SUPERNATANT":"1","ST_SEARCH_HISTORY_USER_STATUS":"1","ST_SHEQU_RECOMMEND_ARITH":"1","ST_HOME_SERACH_BOX_STATUS":"1","ST_SEARCH_YH_MODAL":"1"}',
        "c_uuid": "",
        "c_ssid": "9f2ae114-0a90-4a36-9ae2-777d2960d289",
        "c_did": "R5DGAWNPMBLJNLMT3EBBUJI57UY3DU3H6IYKMXKCDOQPXHBQM5YA01",
    }
    # Sort by key
    post_data = collections.OrderedDict(
        sorted(post_data.items(),
               key=lambda x: x[0])
    )
    sortStr = ""
    for k, v in post_data.items():
        if v == "":
            continue
        sortStr += quote(k.upper(), safe='') + quote(v.upper(), safe='')  # quote() leaves '/' unescaped by default, so safe must be set to ''
    print(sortStr)

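[Figure: the step-one parameters check out in debugging]



    0x0013. Step two: prepend and append the salt 7F83010817815989101D7442BF760B3F to the step-one string, then take the MD5 (this gives the final result). Verification:

[Figure: signature verified successfully]



[Figure: data retrieved successfully]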
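
The comparison made by hand in 0x0012 and the two 0x0013 steps can be scripted as a self-check; this is an added example, not the author's code. The function names and the shortened SAMPLE_* values are assumptions introduced here (the samples are constructed from a few of the page's parameters), and the salt is the value from the hook log above.

```python
import hashlib
from urllib.parse import parse_qsl, quote

# Fixed value seen at both ends of the MD5 input in the hook log on this page.
SALT = "7F83010817815989101D7442BF760B3F"

# Constructed sample: a request body cut down to a few of the page's parameters.
# The token value is a placeholder, not a real signature.
SAMPLE_BODY = (
    "methodName=getZhekou"
    "&p_url=https%253A%252F%252Fitem.taobao.com%252Fitem.htm%253Fid%253D630980474179"
    "&ipagesize=6&ipage=2&username=&sign="
    "&c_devid=98%3Af6%3A21%3A58%3Af6%3A4d&c_appver=3.6.90"
    "&token=PLACEHOLDER"
)
# Constructed sample: what the getToken and getMD5String hooks would log for it.
SAMPLE_BEFORE = (
    "C_APPVER3.6.90C_DEVID98%3AF6%3A21%3A58%3AF6%3A4DIPAGE2IPAGESIZE6"
    "METHODNAMEGETZHEKOU"
    "P_URLHTTPS%253A%252F%252FITEM.TAOBAO.COM%252FITEM.HTM%253FID%253D630980474179"
)
SAMPLE_AFTER = SALT + SAMPLE_BEFORE + SALT


def canonical_from_body(body):
    """Rebuild the string passed to getToken from a captured form body."""
    # parse_qsl removes one layer of percent-encoding, so a value that is
    # double-encoded on the wire (p_url) comes back single-encoded and is
    # encoded again below, which is where the %253A sequences come from.
    pairs = parse_qsl(body, keep_blank_values=True)
    parts = []
    for key, value in sorted(pairs, key=lambda kv: kv[0]):  # same sort as the page's script
        if key == "token" or value == "":
            continue  # the token itself and empty parameters are not signed
        parts.append(quote(key.upper(), safe="") + quote(value.upper(), safe=""))
    return "".join(parts)


def first_mismatch(a, b):
    """Index of the first differing character, or -1 if the strings are equal."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return -1 if len(a) == len(b) else min(len(a), len(b))


def native_wrapping(before, after):
    """Return the (prefix, suffix) added around `before`, or None if it was altered."""
    start = after.find(before)
    if start < 0:
        return None  # the native layer transformed the input instead of wrapping it
    return after[:start], after[start + len(before):]


def token_for(canonical, salt=SALT):
    """Upper-case hex MD5 of salt + canonical + salt, as in the page's final script."""
    return hashlib.md5((salt + canonical + salt).encode("utf-8")).hexdigest().upper()


def check_capture(body, logged_before, logged_after):
    """Compare a captured body with the two hook log values."""
    rebuilt = canonical_from_body(body)
    wrapping = native_wrapping(logged_before, logged_after)
    same_both_ends = wrapping is not None and wrapping[0] == wrapping[1]
    return {
        "mismatch_at": first_mismatch(rebuilt, logged_before),
        "wrapping": wrapping,
        "token": token_for(rebuilt, wrapping[0]) if same_both_ends else None,
    }


if __name__ == "__main__":
    print(check_capture(SAMPLE_BODY, SAMPLE_BEFORE, SAMPLE_AFTER))
```

In the page's log the same 32-character prefix and suffix surround both the getZhekou and the insertAppLog input, which is why it can be treated as a fixed value rather than something derived per request.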



    0x0014. The final code:


"""
# ---------------------------------------
# @DateTime : 2021-08-10 15:02:51
# @Author   : ts, QuJianJun
# @FileName :test.py
# @Email    : 8577352@qq.com
# @Description :
# @ProductName :PyCharm
# ---------------------------------------
"""
from urllib.parse import quote
import collections
import hashlib

import requests

if __name__ == '__main__':
    url = "https://apapia-history.manmanbuy.com/ChromeWidgetServices/WidgetServices.ashx"
    headers = {
        "content-type":"application/x-www-form-urlencoded; charset=utf-8",
        "accept":"*/*",
        "user-agent":"Mozilla/5.0 (Linux; Android 10; M2003J15SC Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.101 Mobile Safari/537.36 - mmbWebBrowse - android"
    }
    # Step one: sort the parameters, convert to upper case, and drop parameters whose value is empty
    post_data = {
        "methodName": "getZhekou",
        "p_url": "https%3A%2F%2Fitem.taobao.com%2Fitem.htm%3Fid%3D630980474179",
        "ipagesize": "6",
        "ipage": "2",
        "zkorderby": "datetime",
        "showLower": "0",
        "t": "1628592132150",
        "jsoncallback": "?",
        "username": "",
        "u_name": "",
        "u_avatar": "",
        "sign": "",
        "c_appver": "3.6.90",
        "c_ostype": "android",
        "c_osver": "10",
        "c_devid": "98:f6:21:58:f6:4d",
        "c_mmbDevId": "ce79239f24654ea1bc00d1ce14c9037a-397",
        "c_patch": "",
        "c_devmodel": "M2003J15SC",
        "c_brand": "Redmi",
        "c_operator": "",
        "c_ctrl": "TrendDetailScene",
        "c_win": "w_393_h_767",
        "c_dp": "1",
        "c_safearea": "36.3636360168457_0",
        "c_mac": "98:f6:21:58:f6:4d",
        "c_oaid": "edb64b3a5004567c",
        "c_vaid": "0c5debb2d3c47666",
        "c_aaid": "643b6b5a-d611-4b58-bba5-c9bff8ba3461",
        "c_firstchannel": "阿里分发平台",
        "c_firstquerendate": "1628498875141",
        "c_fristversion": "3.6.90",
        "c_channel": "阿里分发平台",
        "c_test": '[{"t":"indexInformationFlowTest_3570","g":"default"},{"t":"test3610","g":"default"},{"t":"indexFilterBarABtest3620","g":"testa"},{"t":"Search_zoushiQwbjABTest3640","g":"default"},{"t":"historyTrendZhekouDrainageABtest3640","g":"testa"},{"t":"ZhekouSearchboxABTest3680","g":"default"},{"t":"ShequHomePageABTes3660","g":"default"},{"t":"AppIndexNewStyleABTest3680","g":"testb"}]',
        "c_ab": "21578,21543",
        "c_userStatus": '{"ST_TREND_USER_STATUS":"1","ST_SEARCH_ITEM_USER_STATUS":"1","ST_HOME_CX_LIST_STATUS":"1","ST_HOME_GUIDE_SUPERNATANT":"1","ST_SEARCH_HISTORY_USER_STATUS":"1","ST_SHEQU_RECOMMEND_ARITH":"1","ST_HOME_SERACH_BOX_STATUS":"1","ST_SEARCH_YH_MODAL":"1"}',
        "c_uuid": "",
        "c_ssid": "9f2ae114-0a90-4a36-9ae2-777d2960d289",
        "c_did": "R5DGAWNPMBLJNLMT3EBBUJI57UY3DU3H6IYKMXKCDOQPXHBQM5YA01",
    }
    # Sort by key
    post_data = collections.OrderedDict(
        sorted(post_data.items(),
               key=lambda x: x[0])
    )
    salt = "7F83010817815989101D7442BF760B3F"
    endStr = ""
    for k, v in post_data.items():
        if v == "":
            continue
        endStr += quote(k.upper(), safe='') + quote(v.upper(), safe='')  # quote() leaves '/' unescaped by default, so safe must be set to ''
    endStr = salt + endStr + salt
    m = hashlib.md5()
    m.update(endStr.encode("utf-8"))
    result = m.hexdigest()
    token = result.upper()
    post_data['token'] = token
    res = requests.post(url=url, data=post_data, headers=headers)
    print(res.text)









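Friendly reminder: this article is for technical sharing and discussion only; do not use it for illegal purposes. The author bears no responsibility for any legal issues that arise.
All the debugging code in this article is in a gitee repository (which also contains hook code for the key points of many apps): public Git repository link. Stars and forks are welcome.
unidbgWebServer project (wraps an app's encryption as a service with unidbg, with no dependency on a mobile device): public Git repository link. Stars, forks and code contributions are welcome.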

