慢慢买APP3.6.90接口token分析.
0x01、 目标需求:
.a) 慢慢买接口参数以及相关的签名获取的方式
.b) 需要获取所天猫淘宝等商品的历史优惠券信息
0x02、分析背景:
.a) 版本3.6.90(目前最新版)
.b) 软件有壳(奇虎360的)
.c) 软件通讯过程中采取了Token签名验证的方式,
0x03、分析流程:
.a) 首先软件去壳,然后通过工具分析源码
.b) 通过数据包抓取或敏感函数hook方式获得接口功能
.c) 通过函数内部参数的组装继续分析参数的来源以及加密的流程(校验 token)0x04、分析开始:
.a) 调试分析.
0x001. 抓包分析:
0x002. 请求数据放入到python内调参请求(修改参数后服务器返回Token错误.):
0x003. 使用Jadx-gui打开app查看源码(app包含壳,奇虎360的):
0x004. (脱壳)这里使用的是FRIDA-DEXDump-master,感谢作者,github上可以找到这个脚本:
0x005.分析脱壳后的源码,这里刚才脱出壳来的dex很多,这里建议找最大的,以此往后排一个一个看,只要看到dex里面包含了包名就基本上定位到了,如下图已经找到了取参的地方,我们只要hook该函数然后打印一下栈信息即可.:
0x006.经过以上测试,我发现并没有走该函数,所以一定是错, 为了节省时间,这里我直接hook系统的HashMap对象的put函数,只要app使用这个函数组装参数, 可以直接定位到位置.:
0x007.然而HashMap并没有用, 看到它有用okhttp3的包,我们直接hook 这个网络包(看到了我们要抓的url请求, 这里打印异常看看), 得到的异常信息对我们来说没有一点帮助.:
0x008.并没有找到对我们有帮助的信息, 此刻我由frida 更换成了Xposed 来验证hook的点.hook HashMap 判断key为请求参数中的值(我在脱壳后的dex文件中并没有找到该包名路径):
0x009.由于之前脱壳脱的不干净,重新脱了一下代码如下,找到这个类和函数分析如下(调用navite层的函数时候传入了一个字符串,进行要加密的字符串,其方法在so内编写, 加载的so 为 mmbKey):
0x0010.由于之前脱壳脱的不干净,重新脱了一下代码如下,找到这个类和函数分析如下(调用navite层的函数时候传入了一个字符串,进行要加密的字符串,其方法在so内编写, 加载的so 为 mmbKey):
0x0011.我们先不管它在so内做了什么, 首选知道的是 在java层调用了要加密的数据传入到so内, so内处理之后调用了java中的MD5加密函数, 也就是我们在java层 hook 调用so函数之前的参数是什么, 然后在hook md5加密前的参数是什么,就知道 他在so内都做了什么. 开始验证(Hook代码如下):
XposedHelpers.findAndHookMethod("com.stub.StubApp", loadPackageParam.classLoader, "attachBaseContext",
Context.class, new XC_MethodHook() {
@Override
protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
super.beforeHookedMethod(param);
}
@Override
protected void afterHookedMethod(MethodHookParam param) throws Throwable {
super.afterHookedMethod(param);
Log.e("EDXposed","进入慢慢买app...");
// 获取壳的ClassLoader
Context context = (Context)param.args[0];
final ClassLoader classLoader = context.getClassLoader();
XposedHelpers.findAndHookMethod(classLoader.loadClass("com.maochunjie.mencryptsign.RNReactNativeMencryptSignModule"), "getToken",
String.class, new XC_MethodHook() {
@Override
protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
super.beforeHookedMethod(param);
Log.e("EDXposed","入参到Navite层值为: " + param.args[0].toString());
XposedHelpers.findAndHookMethod("com.maochunjie.mencryptsign.MD5Util", classLoader,
"getMD5String", String.class, new XC_MethodHook() {
@Override
protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
super.beforeHookedMethod(param);
Log.e("EDXposed", "入参到java MD5加密函数, 参数为: " + param.args[0].toString());
}
});
}
});
}
});
2021-08-10 18:42:12.174 9469-9587/? E/EDXposed: 入参到Navite层值为: C_AAID643B6B5A-D611-4B58-BBA5-C9BFF8BA3461C_AB21578%2C21543C_APPVER3.6.90C_BRANDREDMIC_CHANNEL%E9%98%BF%E9%87%8C%E5%88%86%E5%8F%91%E5%B9%B3%E5%8F%B0C_CTRLTRENDDETAILSCENEC_DEVID98%3AF6%3A21%3A58%3AF6%3A4DC_DEVMODELM2003J15SCC_DIDR5DGAWNPMBLJNLMT3EBBUJI57UY3DU3H6IYKMXKCDOQPXHBQM5YA01C_DP1C_FIRSTCHANNEL%E9%98%BF%E9%87%8C%E5%88%86%E5%8F%91%E5%B9%B3%E5%8F%B0C_FIRSTQUERENDATE1628498875141C_FRISTVERSION3.6.90C_MAC98%3AF6%3A21%3A58%3AF6%3A4DC_MMBDEVIDCE79239F24654EA1BC00D1CE14C9037A-397C_OAIDEDB64B3A5004567CC_OSTYPEANDROIDC_OSVER10C_SAFEAREA36.3636360168457_0C_SSID9F2AE114-0A90-4A36-9AE2-777D2960D289C_TEST%5B%7B%22T%22%3A%22INDEXINFORMATIONFLOWTEST_3570%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22TEST3610%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22INDEXFILTERBARABTEST3620%22%2C%22G%22%3A%22TESTA%22%7D%2C%7B%22T%22%3A%22SEARCH_ZOUSHIQWBJABTEST3640%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22HISTORYTRENDZHEKOUDRAINAGEABTEST3640%22%2C%22G%22%3A%22TESTA%22%7D%2C%7B%22T%22%3A%22ZHEKOUSEARCHBOXABTEST3680%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22SHEQUHOMEPAGEABTES3660%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22APPINDEXNEWSTYLEABTEST3680%22%2C%22G%22%3A%22TESTB%22%7D%5DC_USERSTATUS%7B%22ST_TREND_USER_STATUS%22%3A%221%22%2C%22ST_SEARCH_ITEM_USER_STATUS%22%3A%221%22%2C%22ST_HOME_CX_LIST_STATUS%22%3A%221%22%2C%22ST_HOME_GUIDE_SUPERNATANT%22%3A%221%22%2C%22ST_SEARCH_HISTORY_USER_STATUS%22%3A%221%22%2C%22ST_SHEQU_RECOMMEND_ARITH%22%3A%221%22%2C%22ST_HOME_SERACH_BOX_STATUS%22%3A%221%22%2C%22ST_SEARCH_YH_MODAL%22%3A%221%22%7DC_VAID0C5DEBB2D3C47666C_WINW_393_H_767IPAGE2IPAGESIZE6JSONCALLBACK%3FMETHODNAMEGETZHEKOUP_URLHTTPS%253A%252F%252FITEM.TAOBAO.COM%252FITEM.HTM%253FID%253D630980474179SHOWLOWER0T1628592132150ZKORDERBYDATETIME
2021-08-10 18:42:12.174 9469-9587/? E/EDXposed: 入参到java MD5加密函数, 参数为: 7F83010817815989101D7442BF760B3FC_AAID643B6B5A-D611-4B58-BBA5-C9BFF8BA3461C_AB21578%2C21543C_APPVER3.6.90C_BRANDREDMIC_CHANNEL%E9%98%BF%E9%87%8C%E5%88%86%E5%8F%91%E5%B9%B3%E5%8F%B0C_CTRLTRENDDETAILSCENEC_DEVID98%3AF6%3A21%3A58%3AF6%3A4DC_DEVMODELM2003J15SCC_DIDR5DGAWNPMBLJNLMT3EBBUJI57UY3DU3H6IYKMXKCDOQPXHBQM5YA01C_DP1C_FIRSTCHANNEL%E9%98%BF%E9%87%8C%E5%88%86%E5%8F%91%E5%B9%B3%E5%8F%B0C_FIRSTQUERENDATE1628498875141C_FRISTVERSION3.6.90C_MAC98%3AF6%3A21%3A58%3AF6%3A4DC_MMBDEVIDCE79239F24654EA1BC00D1CE14C9037A-397C_OAIDEDB64B3A5004567CC_OSTYPEANDROIDC_OSVER10C_SAFEAREA36.3636360168457_0C_SSID9F2AE114-0A90-4A36-9AE2-777D2960D289C_TEST%5B%7B%22T%22%3A%22INDEXINFORMATIONFLOWTEST_3570%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22TEST3610%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22INDEXFILTERBARABTEST3620%22%2C%22G%22%3A%22TESTA%22%7D%2C%7B%22T%22%3A%22SEARCH_ZOUSHIQWBJABTEST3640%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22HISTORYTRENDZHEKOUDRAINAGEABTEST3640%22%2C%22G%22%3A%22TESTA%22%7D%2C%7B%22T%22%3A%22ZHEKOUSEARCHBOXABTEST3680%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22SHEQUHOMEPAGEABTES3660%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22APPINDEXNEWSTYLEABTEST3680%22%2C%22G%22%3A%22TESTB%22%7D%5DC_USERSTATUS%7B%22ST_TREND_USER_STATUS%22%3A%221%22%2C%22ST_SEARCH_ITEM_USER_STATUS%22%3A%221%22%2C%22ST_HOME_CX_LIST_STATUS%22%3A%221%22%2C%22ST_HOME_GUIDE_SUPERNATANT%22%3A%221%22%2C%22ST_SEARCH_HISTORY_USER_STATUS%22%3A%221%22%2C%22ST_SHEQU_RECOMMEND_ARITH%22%3A%221%22%2C%22ST_HOME_SERACH_BOX_STATUS%22%3A%221%22%2C%22ST_SEARCH_YH_MODAL%22%3A%221%22%7DC_VAID0C5DEBB2D3C47666C_WINW_393_H_767IPAGE2IPAGESIZE6JSONCALLBACK%3FMETHODNAMEGETZHEKOUP_URLHTTPS%253A%252F%252FITEM.TAOBAO.COM%252FITEM.HTM%253FID%253D630980474179SHOWLOWER0T1628592132150ZKORDERBYDATETIME7F83010817815989101D7442BF760B3F
2021-08-10 18:42:12.178 9469-9587/? E/EDXposed: 入参到java MD5加密函数, 参数为: 7F83010817815989101D7442BF760B3FC_AAID643B6B5A-D611-4B58-BBA5-C9BFF8BA3461C_AB21578%2C21543C_APPVER3.6.90C_BRANDREDMIC_CHANNEL%E9%98%BF%E9%87%8C%E5%88%86%E5%8F%91%E5%B9%B3%E5%8F%B0C_CTRLTRENDDETAILSCENEC_DEVID98%3AF6%3A21%3A58%3AF6%3A4DC_DEVMODELM2003J15SCC_DIDR5DGAWNPMBLJNLMT3EBBUJI57UY3DU3H6IYKMXKCDOQPXHBQM5YA01C_DP1C_FIRSTCHANNEL%E9%98%BF%E9%87%8C%E5%88%86%E5%8F%91%E5%B9%B3%E5%8F%B0C_FIRSTQUERENDATE1628498875141C_FRISTVERSION3.6.90C_MAC98%3AF6%3A21%3A58%3AF6%3A4DC_MMBDEVIDCE79239F24654EA1BC00D1CE14C9037A-397C_OAIDEDB64B3A5004567CC_OSTYPEANDROIDC_OSVER10C_SAFEAREA36.3636360168457_0C_SSID9F2AE114-0A90-4A36-9AE2-777D2960D289C_TEST%5B%7B%22T%22%3A%22INDEXINFORMATIONFLOWTEST_3570%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22TEST3610%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22INDEXFILTERBARABTEST3620%22%2C%22G%22%3A%22TESTA%22%7D%2C%7B%22T%22%3A%22SEARCH_ZOUSHIQWBJABTEST3640%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22HISTORYTRENDZHEKOUDRAINAGEABTEST3640%22%2C%22G%22%3A%22TESTA%22%7D%2C%7B%22T%22%3A%22ZHEKOUSEARCHBOXABTEST3680%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22SHEQUHOMEPAGEABTES3660%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22APPINDEXNEWSTYLEABTEST3680%22%2C%22G%22%3A%22TESTB%22%7D%5DC_USERSTATUS%7B%22ST_TREND_USER_STATUS%22%3A%221%22%2C%22ST_SEARCH_ITEM_USER_STATUS%22%3A%221%22%2C%22ST_HOME_CX_LIST_STATUS%22%3A%221%22%2C%22ST_HOME_GUIDE_SUPERNATANT%22%3A%221%22%2C%22ST_SEARCH_HISTORY_USER_STATUS%22%3A%221%22%2C%22ST_SHEQU_RECOMMEND_ARITH%22%3A%221%22%2C%22ST_HOME_SERACH_BOX_STATUS%22%3A%221%22%2C%22ST_SEARCH_YH_MODAL%22%3A%221%22%7DC_VAID0C5DEBB2D3C47666C_WINW_393_H_767IPAGE2IPAGESIZE6JSONCALLBACK%3FMETHODNAMEGETZHEKOUP_URLHTTPS%253A%252F%252FITEM.TAOBAO.COM%252FITEM.HTM%253FID%253D630980474179SHOWLOWER0T1628592132150ZKORDERBYDATETIME7F83010817815989101D7442BF760B3F
2021-08-10 18:42:12.534 9469-9587/? E/EDXposed: 入参到Navite层值为: C_AAID643B6B5A-D611-4B58-BBA5-C9BFF8BA3461C_AB21578%2C21543C_APPVER3.6.90C_BRANDREDMIC_CHANNEL%E9%98%BF%E9%87%8C%E5%88%86%E5%8F%91%E5%B9%B3%E5%8F%B0C_CTRLTRENDDETAILSCENEC_DEVID98%3AF6%3A21%3A58%3AF6%3A4DC_DEVMODELM2003J15SCC_DIDR5DGAWNPMBLJNLMT3EBBUJI57UY3DU3H6IYKMXKCDOQPXHBQM5YA01C_DP1C_FIRSTCHANNEL%E9%98%BF%E9%87%8C%E5%88%86%E5%8F%91%E5%B9%B3%E5%8F%B0C_FIRSTQUERENDATE1628498875141C_FRISTVERSION3.6.90C_MAC98%3AF6%3A21%3A58%3AF6%3A4DC_MMBDEVIDCE79239F24654EA1BC00D1CE14C9037A-397C_OAIDEDB64B3A5004567CC_OSTYPEANDROIDC_OSVER10C_SAFEAREA36.3636360168457_0C_SSID9F2AE114-0A90-4A36-9AE2-777D2960D289C_TEST%5B%7B%22T%22%3A%22INDEXINFORMATIONFLOWTEST_3570%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22TEST3610%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22INDEXFILTERBARABTEST3620%22%2C%22G%22%3A%22TESTA%22%7D%2C%7B%22T%22%3A%22SEARCH_ZOUSHIQWBJABTEST3640%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22HISTORYTRENDZHEKOUDRAINAGEABTEST3640%22%2C%22G%22%3A%22TESTA%22%7D%2C%7B%22T%22%3A%22ZHEKOUSEARCHBOXABTEST3680%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22SHEQUHOMEPAGEABTES3660%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22APPINDEXNEWSTYLEABTEST3680%22%2C%22G%22%3A%22TESTB%22%7D%5DC_USERSTATUS%7B%22ST_TREND_USER_STATUS%22%3A%221%22%2C%22ST_SEARCH_ITEM_USER_STATUS%22%3A%221%22%2C%22ST_HOME_CX_LIST_STATUS%22%3A%221%22%2C%22ST_HOME_GUIDE_SUPERNATANT%22%3A%221%22%2C%22ST_SEARCH_HISTORY_USER_STATUS%22%3A%221%22%2C%22ST_SHEQU_RECOMMEND_ARITH%22%3A%221%22%2C%22ST_HOME_SERACH_BOX_STATUS%22%3A%221%22%2C%22ST_SEARCH_YH_MODAL%22%3A%221%22%7DC_VAID0C5DEBB2D3C47666C_WINW_393_H_767JSONCALLBACK%3FMETHODNAMEINSERTAPPLOGT1628592132480TYPE%E5%8E%86%E5%8F%B2%E4%BB%B7%E6%A0%BC%E8%B5%B0%E5%8A%BFVALUE%7B%22TYPE%22%3A%22%E5%8E%86%E5%8F%B2%E6%8A%98%E6%89%A3_%E6%9F%A5%E7%9C%8B%E6%9B%B4%E5%A4%9A%22%2C%22KEY%22%3A%7B%22URL%22%3A%22HTTPS%3A%2F%2FITEM.TAOBAO.COM%2FITEM.HTM%3FID%3D630980474179%22%2C%22PAGE%22%3A2%7D%7D
2021-08-10 18:42:12.534 9469-9587/? E/EDXposed: 入参到java MD5加密函数, 参数为: 7F83010817815989101D7442BF760B3FC_AAID643B6B5A-D611-4B58-BBA5-C9BFF8BA3461C_AB21578%2C21543C_APPVER3.6.90C_BRANDREDMIC_CHANNEL%E9%98%BF%E9%87%8C%E5%88%86%E5%8F%91%E5%B9%B3%E5%8F%B0C_CTRLTRENDDETAILSCENEC_DEVID98%3AF6%3A21%3A58%3AF6%3A4DC_DEVMODELM2003J15SCC_DIDR5DGAWNPMBLJNLMT3EBBUJI57UY3DU3H6IYKMXKCDOQPXHBQM5YA01C_DP1C_FIRSTCHANNEL%E9%98%BF%E9%87%8C%E5%88%86%E5%8F%91%E5%B9%B3%E5%8F%B0C_FIRSTQUERENDATE1628498875141C_FRISTVERSION3.6.90C_MAC98%3AF6%3A21%3A58%3AF6%3A4DC_MMBDEVIDCE79239F24654EA1BC00D1CE14C9037A-397C_OAIDEDB64B3A5004567CC_OSTYPEANDROIDC_OSVER10C_SAFEAREA36.3636360168457_0C_SSID9F2AE114-0A90-4A36-9AE2-777D2960D289C_TEST%5B%7B%22T%22%3A%22INDEXINFORMATIONFLOWTEST_3570%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22TEST3610%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22INDEXFILTERBARABTEST3620%22%2C%22G%22%3A%22TESTA%22%7D%2C%7B%22T%22%3A%22SEARCH_ZOUSHIQWBJABTEST3640%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22HISTORYTRENDZHEKOUDRAINAGEABTEST3640%22%2C%22G%22%3A%22TESTA%22%7D%2C%7B%22T%22%3A%22ZHEKOUSEARCHBOXABTEST3680%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22SHEQUHOMEPAGEABTES3660%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22APPINDEXNEWSTYLEABTEST3680%22%2C%22G%22%3A%22TESTB%22%7D%5DC_USERSTATUS%7B%22ST_TREND_USER_STATUS%22%3A%221%22%2C%22ST_SEARCH_ITEM_USER_STATUS%22%3A%221%22%2C%22ST_HOME_CX_LIST_STATUS%22%3A%221%22%2C%22ST_HOME_GUIDE_SUPERNATANT%22%3A%221%22%2C%22ST_SEARCH_HISTORY_USER_STATUS%22%3A%221%22%2C%22ST_SHEQU_RECOMMEND_ARITH%22%3A%221%22%2C%22ST_HOME_SERACH_BOX_STATUS%22%3A%221%22%2C%22ST_SEARCH_YH_MODAL%22%3A%221%22%7DC_VAID0C5DEBB2D3C47666C_WINW_393_H_767JSONCALLBACK%3FMETHODNAMEINSERTAPPLOGT1628592132480TYPE%E5%8E%86%E5%8F%B2%E4%BB%B7%E6%A0%BC%E8%B5%B0%E5%8A%BFVALUE%7B%22TYPE%22%3A%22%E5%8E%86%E5%8F%B2%E6%8A%98%E6%89%A3_%E6%9F%A5%E7%9C%8B%E6%9B%B4%E5%A4%9A%22%2C%22KEY%22%3A%7B%22URL%22%3A%22HTTPS%3A%2F%2FITEM.TAOBAO.COM%2FITEM.HTM%3FID%3D630980474179%22%2C%22PAGE%22%3A2%7D%7D7F83010817815989101D7442BF760B3F
2021-08-10 18:42:12.537 9469-9587/? E/EDXposed: 入参到java MD5加密函数, 参数为: 7F83010817815989101D7442BF760B3FC_AAID643B6B5A-D611-4B58-BBA5-C9BFF8BA3461C_AB21578%2C21543C_APPVER3.6.90C_BRANDREDMIC_CHANNEL%E9%98%BF%E9%87%8C%E5%88%86%E5%8F%91%E5%B9%B3%E5%8F%B0C_CTRLTRENDDETAILSCENEC_DEVID98%3AF6%3A21%3A58%3AF6%3A4DC_DEVMODELM2003J15SCC_DIDR5DGAWNPMBLJNLMT3EBBUJI57UY3DU3H6IYKMXKCDOQPXHBQM5YA01C_DP1C_FIRSTCHANNEL%E9%98%BF%E9%87%8C%E5%88%86%E5%8F%91%E5%B9%B3%E5%8F%B0C_FIRSTQUERENDATE1628498875141C_FRISTVERSION3.6.90C_MAC98%3AF6%3A21%3A58%3AF6%3A4DC_MMBDEVIDCE79239F24654EA1BC00D1CE14C9037A-397C_OAIDEDB64B3A5004567CC_OSTYPEANDROIDC_OSVER10C_SAFEAREA36.3636360168457_0C_SSID9F2AE114-0A90-4A36-9AE2-777D2960D289C_TEST%5B%7B%22T%22%3A%22INDEXINFORMATIONFLOWTEST_3570%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22TEST3610%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22INDEXFILTERBARABTEST3620%22%2C%22G%22%3A%22TESTA%22%7D%2C%7B%22T%22%3A%22SEARCH_ZOUSHIQWBJABTEST3640%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22HISTORYTRENDZHEKOUDRAINAGEABTEST3640%22%2C%22G%22%3A%22TESTA%22%7D%2C%7B%22T%22%3A%22ZHEKOUSEARCHBOXABTEST3680%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22SHEQUHOMEPAGEABTES3660%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22APPINDEXNEWSTYLEABTEST3680%22%2C%22G%22%3A%22TESTB%22%7D%5DC_USERSTATUS%7B%22ST_TREND_USER_STATUS%22%3A%221%22%2C%22ST_SEARCH_ITEM_USER_STATUS%22%3A%221%22%2C%22ST_HOME_CX_LIST_STATUS%22%3A%221%22%2C%22ST_HOME_GUIDE_SUPERNATANT%22%3A%221%22%2C%22ST_SEARCH_HISTORY_USER_STATUS%22%3A%221%22%2C%22ST_SHEQU_RECOMMEND_ARITH%22%3A%221%22%2C%22ST_HOME_SERACH_BOX_STATUS%22%3A%221%22%2C%22ST_SEARCH_YH_MODAL%22%3A%221%22%7DC_VAID0C5DEBB2D3C47666C_WINW_393_H_767JSONCALLBACK%3FMETHODNAMEINSERTAPPLOGT1628592132480TYPE%E5%8E%86%E5%8F%B2%E4%BB%B7%E6%A0%BC%E8%B5%B0%E5%8A%BFVALUE%7B%22TYPE%22%3A%22%E5%8E%86%E5%8F%B2%E6%8A%98%E6%89%A3_%E6%9F%A5%E7%9C%8B%E6%9B%B4%E5%A4%9A%22%2C%22KEY%22%3A%7B%22URL%22%3A%22HTTPS%3A%2F%2FITEM.TAOBAO.COM%2FITEM.HTM%3FID%3D630980474179%22%2C%22PAGE%22%3A2%7D%7D7F83010817815989101D7442BF760B3F
0x0012.取第一行(进入so之前的参数,和我们的请求参数进行比对分析) 和第二行 (so层处理过的数据传到java层加密), 四五六行数据可以忽略, 因为是另外 一个接口的insertAppLog的MethodName(先不管这个):
请求参数为(去掉token参数为原始需要加密的数据): methodName=getZhekou&p_url=https%253A%252F%252Fitem.taobao.com%252Fitem.htm%253Fid%253D630980474179&ipagesize=6&ipage=2&zkorderby=datetime&showLower=0&t=1628592132150&jsoncallback=%3F&username=&u_name=&u_avatar=&sign=&c_appver=3.6.90&c_ostype=android&c_osver=10&c_devid=98%3Af6%3A21%3A58%3Af6%3A4d&c_mmbDevId=ce79239f24654ea1bc00d1ce14c9037a-397&c_patch=&c_devmodel=M2003J15SC&c_brand=Redmi&c_operator=&c_ctrl=TrendDetailScene&c_win=w_393_h_767&c_dp=1&c_safearea=36.3636360168457_0&c_mac=98%3Af6%3A21%3A58%3Af6%3A4d&c_oaid=edb64b3a5004567c&c_vaid=0c5debb2d3c47666&c_aaid=643b6b5a-d611-4b58-bba5-c9bff8ba3461&c_firstchannel=%E9%98%BF%E9%87%8C%E5%88%86%E5%8F%91%E5%B9%B3%E5%8F%B0&c_firstquerendate=1628498875141&c_fristversion=3.6.90&c_channel=%E9%98%BF%E9%87%8C%E5%88%86%E5%8F%91%E5%B9%B3%E5%8F%B0&c_test=%5B%7B%22t%22%3A%22indexInformationFlowTest_3570%22%2C%22g%22%3A%22default%22%7D%2C%7B%22t%22%3A%22test3610%22%2C%22g%22%3A%22default%22%7D%2C%7B%22t%22%3A%22indexFilterBarABtest3620%22%2C%22g%22%3A%22testa%22%7D%2C%7B%22t%22%3A%22Search_zoushiQwbjABTest3640%22%2C%22g%22%3A%22default%22%7D%2C%7B%22t%22%3A%22historyTrendZhekouDrainageABtest3640%22%2C%22g%22%3A%22testa%22%7D%2C%7B%22t%22%3A%22ZhekouSearchboxABTest3680%22%2C%22g%22%3A%22default%22%7D%2C%7B%22t%22%3A%22ShequHomePageABTes3660%22%2C%22g%22%3A%22default%22%7D%2C%7B%22t%22%3A%22AppIndexNewStyleABTest3680%22%2C%22g%22%3A%22testb%22%7D%5D&c_ab=21578%2C21543&c_userStatus=%7B%22ST_TREND_USER_STATUS%22%3A%221%22%2C%22ST_SEARCH_ITEM_USER_STATUS%22%3A%221%22%2C%22ST_HOME_CX_LIST_STATUS%22%3A%221%22%2C%22ST_HOME_GUIDE_SUPERNATANT%22%3A%221%22%2C%22ST_SEARCH_HISTORY_USER_STATUS%22%3A%221%22%2C%22ST_SHEQU_RECOMMEND_ARITH%22%3A%221%22%2C%22ST_HOME_SERACH_BOX_STATUS%22%3A%221%22%2C%22ST_SEARCH_YH_MODAL%22%3A%221%22%7D&c_uuid=&c_ssid=9f2ae114-0a90-4a36-9ae2-777d2960d289&c_did=R5DGAWNPMBLJNLMT3EBBUJI57UY3DU3H6IYKMXKCDOQPXHBQM5YA01&token=13B20D0E69F282938105AAD70A6B0BAA
进入so之前的参数为:C_AAID643B6B5A-D611-4B58-BBA5-C9BFF8BA3461C_AB21578%2C21543C_APPVER3.6.90C_BRANDREDMIC_CHANNEL%E9%98%BF%E9%87%8C%E5%88%86%E5%8F%91%E5%B9%B3%E5%8F%B0C_CTRLTRENDDETAILSCENEC_DEVID98%3AF6%3A21%3A58%3AF6%3A4DC_DEVMODELM2003J15SCC_DIDR5DGAWNPMBLJNLMT3EBBUJI57UY3DU3H6IYKMXKCDOQPXHBQM5YA01C_DP1C_FIRSTCHANNEL%E9%98%BF%E9%87%8C%E5%88%86%E5%8F%91%E5%B9%B3%E5%8F%B0C_FIRSTQUERENDATE1628498875141C_FRISTVERSION3.6.90C_MAC98%3AF6%3A21%3A58%3AF6%3A4DC_MMBDEVIDCE79239F24654EA1BC00D1CE14C9037A-397C_OAIDEDB64B3A5004567CC_OSTYPEANDROIDC_OSVER10C_SAFEAREA36.3636360168457_0C_SSID9F2AE114-0A90-4A36-9AE2-777D2960D289C_TEST%5B%7B%22T%22%3A%22INDEXINFORMATIONFLOWTEST_3570%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22TEST3610%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22INDEXFILTERBARABTEST3620%22%2C%22G%22%3A%22TESTA%22%7D%2C%7B%22T%22%3A%22SEARCH_ZOUSHIQWBJABTEST3640%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22HISTORYTRENDZHEKOUDRAINAGEABTEST3640%22%2C%22G%22%3A%22TESTA%22%7D%2C%7B%22T%22%3A%22ZHEKOUSEARCHBOXABTEST3680%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22SHEQUHOMEPAGEABTES3660%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22APPINDEXNEWSTYLEABTEST3680%22%2C%22G%22%3A%22TESTB%22%7D%5DC_USERSTATUS%7B%22ST_TREND_USER_STATUS%22%3A%221%22%2C%22ST_SEARCH_ITEM_USER_STATUS%22%3A%221%22%2C%22ST_HOME_CX_LIST_STATUS%22%3A%221%22%2C%22ST_HOME_GUIDE_SUPERNATANT%22%3A%221%22%2C%22ST_SEARCH_HISTORY_USER_STATUS%22%3A%221%22%2C%22ST_SHEQU_RECOMMEND_ARITH%22%3A%221%22%2C%22ST_HOME_SERACH_BOX_STATUS%22%3A%221%22%2C%22ST_SEARCH_YH_MODAL%22%3A%221%22%7DC_VAID0C5DEBB2D3C47666C_WINW_393_H_767IPAGE2IPAGESIZE6JSONCALLBACK%3FMETHODNAMEGETZHEKOUP_URLHTTPS%253A%252F%252FITEM.TAOBAO.COM%252FITEM.HTM%253FID%253D630980474179SHOWLOWER0T1628592132150ZKORDERBYDATETIME
进入so之后 调用Java 层MD5加密的参数为: 7F83010817815989101D7442BF760B3FC_AAID643B6B5A-D611-4B58-BBA5-C9BFF8BA3461C_AB21578%2C21543C_APPVER3.6.90C_BRANDREDMIC_CHANNEL%E9%98%BF%E9%87%8C%E5%88%86%E5%8F%91%E5%B9%B3%E5%8F%B0C_CTRLTRENDDETAILSCENEC_DEVID98%3AF6%3A21%3A58%3AF6%3A4DC_DEVMODELM2003J15SCC_DIDR5DGAWNPMBLJNLMT3EBBUJI57UY3DU3H6IYKMXKCDOQPXHBQM5YA01C_DP1C_FIRSTCHANNEL%E9%98%BF%E9%87%8C%E5%88%86%E5%8F%91%E5%B9%B3%E5%8F%B0C_FIRSTQUERENDATE1628498875141C_FRISTVERSION3.6.90C_MAC98%3AF6%3A21%3A58%3AF6%3A4DC_MMBDEVIDCE79239F24654EA1BC00D1CE14C9037A-397C_OAIDEDB64B3A5004567CC_OSTYPEANDROIDC_OSVER10C_SAFEAREA36.3636360168457_0C_SSID9F2AE114-0A90-4A36-9AE2-777D2960D289C_TEST%5B%7B%22T%22%3A%22INDEXINFORMATIONFLOWTEST_3570%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22TEST3610%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22INDEXFILTERBARABTEST3620%22%2C%22G%22%3A%22TESTA%22%7D%2C%7B%22T%22%3A%22SEARCH_ZOUSHIQWBJABTEST3640%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22HISTORYTRENDZHEKOUDRAINAGEABTEST3640%22%2C%22G%22%3A%22TESTA%22%7D%2C%7B%22T%22%3A%22ZHEKOUSEARCHBOXABTEST3680%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22SHEQUHOMEPAGEABTES3660%22%2C%22G%22%3A%22DEFAULT%22%7D%2C%7B%22T%22%3A%22APPINDEXNEWSTYLEABTEST3680%22%2C%22G%22%3A%22TESTB%22%7D%5DC_USERSTATUS%7B%22ST_TREND_USER_STATUS%22%3A%221%22%2C%22ST_SEARCH_ITEM_USER_STATUS%22%3A%221%22%2C%22ST_HOME_CX_LIST_STATUS%22%3A%221%22%2C%22ST_HOME_GUIDE_SUPERNATANT%22%3A%221%22%2C%22ST_SEARCH_HISTORY_USER_STATUS%22%3A%221%22%2C%22ST_SHEQU_RECOMMEND_ARITH%22%3A%221%22%2C%22ST_HOME_SERACH_BOX_STATUS%22%3A%221%22%2C%22ST_SEARCH_YH_MODAL%22%3A%221%22%7DC_VAID0C5DEBB2D3C47666C_WINW_393_H_767IPAGE2IPAGESIZE6JSONCALLBACK%3FMETHODNAMEGETZHEKOUP_URLHTTPS%253A%252F%252FITEM.TAOBAO.COM%252FITEM.HTM%253FID%253D630980474179SHOWLOWER0T1628592132150ZKORDERBYDATETIME7F83010817815989101D7442BF760B3F
0x0013.开始处理第一步参数:
"""
# ---------------------------------------
# @DateTime : 2021-08-10 15:02:51
# @Author : ts, QuJianJun
# @FileName :test.py
# @Email : 8577352@qq.com
# @Description :
# @ProductName :PyCharm
# ---------------------------------------
"""
from urllib.parse import quote
import collections
if __name__ == '__main__':
# 第一步处理参数排序 转换大写, 过滤掉参数为空的数据
post_data = {
"methodName": "getZhekou",
"p_url": "https%3A%2F%2Fitem.taobao.com%2Fitem.htm%3Fid%3D630980474179",
"ipagesize": "6",
"ipage": "2",
"zkorderby": "datetime",
"showLower": "0",
"t": "1628592132150",
"jsoncallback": "?",
"username": "",
"u_name": "",
"u_avatar": "",
"sign": "",
"c_appver": "3.6.90",
"c_ostype": "android",
"c_osver": "10",
"c_devid": "98:f6:21:58:f6:4d",
"c_mmbDevId": "ce79239f24654ea1bc00d1ce14c9037a-397",
"c_patch": "",
"c_devmodel": "M2003J15SC",
"c_brand": "Redmi",
"c_operator": "",
"c_ctrl": "TrendDetailScene",
"c_win": "w_393_h_767",
"c_dp": "1",
"c_safearea": "36.3636360168457_0",
"c_mac": "98:f6:21:58:f6:4d",
"c_oaid": "edb64b3a5004567c",
"c_vaid": "0c5debb2d3c47666",
"c_aaid": "643b6b5a-d611-4b58-bba5-c9bff8ba3461",
"c_firstchannel": "阿里分发平台",
"c_firstquerendate": "1628498875141",
"c_fristversion": "3.6.90",
"c_channel": "阿里分发平台",
"c_test": '[{"t":"indexInformationFlowTest_3570","g":"default"},{"t":"test3610","g":"default"},{"t":"indexFilterBarABtest3620","g":"testa"},{"t":"Search_zoushiQwbjABTest3640","g":"default"},{"t":"historyTrendZhekouDrainageABtest3640","g":"testa"},{"t":"ZhekouSearchboxABTest3680","g":"default"},{"t":"ShequHomePageABTes3660","g":"default"},{"t":"AppIndexNewStyleABTest3680","g":"testb"}]',
"c_ab": "21578,21543",
"c_userStatus": '{"ST_TREND_USER_STATUS":"1","ST_SEARCH_ITEM_USER_STATUS":"1","ST_HOME_CX_LIST_STATUS":"1","ST_HOME_GUIDE_SUPERNATANT":"1","ST_SEARCH_HISTORY_USER_STATUS":"1","ST_SHEQU_RECOMMEND_ARITH":"1","ST_HOME_SERACH_BOX_STATUS":"1","ST_SEARCH_YH_MODAL":"1"}',
"c_uuid": "",
"c_ssid": "9f2ae114-0a90-4a36-9ae2-777d2960d289",
"c_did": "R5DGAWNPMBLJNLMT3EBBUJI57UY3DU3H6IYKMXKCDOQPXHBQM5YA01",
}
# 按照 key 排序
post_data = collections.OrderedDict(
sorted(post_data.items(),
key=lambda x: x[0])
)
sortStr = ""
for k, v in post_data.items():
if v == "":
continue
sortStr += quote(k.upper(), safe='') + quote(v.upper(), safe='') # Python 默认不转义 //,这个必须删掉
print(sortStr)
0x0013.开始处理第二步, 在第一步参数首部和尾部追加盐值:7F83010817815989101D7442BF760B3F 然后MD5(得到最终结果)开始校验:
0x0014.最终代码如下:
"""
# ---------------------------------------
# @DateTime : 2021-08-10 15:02:51
# @Author : ts, QuJianJun
# @FileName :test.py
# @Email : 8577352@qq.com
# @Description :
# @ProductName :PyCharm
# ---------------------------------------
"""
from urllib.parse import quote
import collections
import hashlib
import requests
if __name__ == '__main__':
url = "https://apapia-history.manmanbuy.com/ChromeWidgetServices/WidgetServices.ashx"
headers = {
"content-type":"application/x-www-form-urlencoded; charset=utf-8",
"accept":"*/*",
"user-agent":"Mozilla/5.0 (Linux; Android 10; M2003J15SC Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.101 Mobile Safari/537.36 - mmbWebBrowse - android"
}
# 第一步处理参数排序 转换大写, 过滤掉参数为空的数据
post_data = {
"methodName": "getZhekou",
"p_url": "https%3A%2F%2Fitem.taobao.com%2Fitem.htm%3Fid%3D630980474179",
"ipagesize": "6",
"ipage": "2",
"zkorderby": "datetime",
"showLower": "0",
"t": "1628592132150",
"jsoncallback": "?",
"username": "",
"u_name": "",
"u_avatar": "",
"sign": "",
"c_appver": "3.6.90",
"c_ostype": "android",
"c_osver": "10",
"c_devid": "98:f6:21:58:f6:4d",
"c_mmbDevId": "ce79239f24654ea1bc00d1ce14c9037a-397",
"c_patch": "",
"c_devmodel": "M2003J15SC",
"c_brand": "Redmi",
"c_operator": "",
"c_ctrl": "TrendDetailScene",
"c_win": "w_393_h_767",
"c_dp": "1",
"c_safearea": "36.3636360168457_0",
"c_mac": "98:f6:21:58:f6:4d",
"c_oaid": "edb64b3a5004567c",
"c_vaid": "0c5debb2d3c47666",
"c_aaid": "643b6b5a-d611-4b58-bba5-c9bff8ba3461",
"c_firstchannel": "阿里分发平台",
"c_firstquerendate": "1628498875141",
"c_fristversion": "3.6.90",
"c_channel": "阿里分发平台",
"c_test": '[{"t":"indexInformationFlowTest_3570","g":"default"},{"t":"test3610","g":"default"},{"t":"indexFilterBarABtest3620","g":"testa"},{"t":"Search_zoushiQwbjABTest3640","g":"default"},{"t":"historyTrendZhekouDrainageABtest3640","g":"testa"},{"t":"ZhekouSearchboxABTest3680","g":"default"},{"t":"ShequHomePageABTes3660","g":"default"},{"t":"AppIndexNewStyleABTest3680","g":"testb"}]',
"c_ab": "21578,21543",
"c_userStatus": '{"ST_TREND_USER_STATUS":"1","ST_SEARCH_ITEM_USER_STATUS":"1","ST_HOME_CX_LIST_STATUS":"1","ST_HOME_GUIDE_SUPERNATANT":"1","ST_SEARCH_HISTORY_USER_STATUS":"1","ST_SHEQU_RECOMMEND_ARITH":"1","ST_HOME_SERACH_BOX_STATUS":"1","ST_SEARCH_YH_MODAL":"1"}',
"c_uuid": "",
"c_ssid": "9f2ae114-0a90-4a36-9ae2-777d2960d289",
"c_did": "R5DGAWNPMBLJNLMT3EBBUJI57UY3DU3H6IYKMXKCDOQPXHBQM5YA01",
}
# 按照 key 排序
post_data = collections.OrderedDict(
sorted(post_data.items(),
key=lambda x: x[0])
)
salt = "7F83010817815989101D7442BF760B3F"
endStr = ""
for k, v in post_data.items():
if v == "":
continue
endStr += quote(k.upper(), safe='') + quote(v.upper(), safe='') # Python 默认不转义 //,这个必须删掉
endStr = salt + endStr + salt
m = hashlib.md5()
m.update(endStr.encode("utf-8"))
result = m.hexdigest()
token = result.upper()
post_data['token'] = token
res = requests.post(url=url, data=post_data, headers=headers)
print(res.text)
友情提示:本文只为技术分享交流,请勿非法用途.产生一切法律问题与本人无关. 本文中所有的调试代码均在gitee仓库中(包含很多app的关键点的hook代码) Git公开仓库地址 欢迎star or fork
unidbgWebServer项目地址(unidbg封装app加密服务不依赖移动端) Git公开仓库地址 欢迎 start or fork 或贡献代码.
在浏览的同时希望给予作者打赏,来支持作者的服务器维护费用.一分也是爱~
7reeHole
博主高产似母猪
用户 MacOS 1002 天前回复