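Python: reverse-engineering an app to crack the PassWord in the data parameter (DES encryption, no padding)
阿新 • Published: 2020-12-08
1. Capture the traffic first, as usual
Login entry point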
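2. Open it with jadx-gui
Open the APK directly with jadx-gui, because the app is not packed,
and search for the keyword Authorization.
Right-click and choose Find Usage.
3. Start hooking
The code below shows that the value is made up of Appid + COLON_SEPARATOR + c, and is finally Base64-encoded.
So start tracing from the first argument.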
String encodeToString = Base64.encodeToString((GetAppId + Constants.COLON_SEPARATOR + DeviceUtil.c(sb.toString())).getBytes(), 2);
Hook the GetAppId method
Hook result
After hooking it several times, it is clearly a fixed parameter that does not change.
Hook the GetAppSecret method
com.homelinkndk.lib.JniClient
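Hook result
By the same reasoning, after hooking it several times, this parameter does not change either.
Trace Constants.COLON_SEPARATOR
Tracing it shows that COLON_SEPARATOR is simply ":"
Hook the c method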
com.homelink.midlib.util.DeviceUtil
Hook result
d5e343d453aecca8b14b2dc687c381camobile_phone_no=13918238341request_ts=1606964312
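The first idea is to run these parameters through an online MD5 or SHA tool and see whether the result is the same.
The online tool shows that the result is a SHA1 hash.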
https://www.bejson.com/enc/sha/
4. Implement it in Python
The complete JS code
Java.perform(function () {
    console.log('HOOK Start!!!');

    // DeviceUtil.c(String): log the input string and the value it returns
    var DeviceUtil = Java.use("com.homelink.midlib.util.DeviceUtil");
    DeviceUtil.c.overload('java.lang.String').implementation = function (args1) {
        console.log("c args1:", args1);
        var result1 = this.c(args1);
        console.log("c result1=", result1);
        return result1;
    };

    // JniClient.GetAppId(Object): log the argument and the returned app id
    var JniClient = Java.use("com.homelinkndk.lib.JniClient");
    JniClient.GetAppId.overload('java.lang.Object').implementation = function (args1) {
        console.log("GetAppId args1:", args1);
        // This overload takes a single argument, so pass only args1 to the original
        var result2 = this.GetAppId(args1);
        console.log("GetAppId result2=", result2);
        return result2;
    };

    // JniClient.GetAppSecret(Object): log the argument and the returned secret
    JniClient.GetAppSecret.overload('java.lang.Object').implementation = function (args1) {
        console.log("GetAppSecret args1:", args1);
        var result3 = this.GetAppSecret(args1);
        console.log("GetAppSecret result3=", result3);
        return result3;
    };
});
import base64
import hashlib


def get_str_sha1_secret_str(res: str):
    """
    Hash the string with SHA1 and return the hex digest as a str.
    """
    sha = hashlib.sha1(res.encode('utf-8'))
    encrypts = sha.hexdigest()
    # print(encrypts)
    return encrypts


phone = '15751786649'
pwd = 'shqushuiw'
t = '1606981326'
# Base64 of "<AppId>:<SHA1 of the string passed to c>"
Authorization = base64.b64encode(f'20180111_android:{get_str_sha1_secret_str(f"d5e343d453aecca8b14b2dc687c381camobile_phone_no={phone}password={pwd}request_ts={t}")}'.encode())
# print(Authorization)
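The header format worked out above, seen from the server side, as an added example that is not code from the original post or from the app: it rebuilds the digest, compares it in constant time and rejects stale timestamps. APP_ID, APP_SECRET, MAX_SKEW, the function names and the key-sorted parameter order are assumptions, with constructed sample values.

```python
import base64
import hashlib
import hmac

# Constructed sample values (assumptions), not the app's real identifiers.
APP_ID = "demo_android"
APP_SECRET = "00112233445566778899aabbccddeeff"
MAX_SKEW = 300  # assumed freshness window in seconds


def digest_for(params: dict) -> str:
    # Assumption: k=v pairs are concatenated in key order with no separator,
    # prefixed by the secret, then hashed with SHA1 (as in the post's script).
    body = "".join(f"{k}={params[k]}" for k in sorted(params))
    return hashlib.sha1((APP_SECRET + body).encode("utf-8")).hexdigest()


def sign(params: dict) -> str:
    """Client side: Base64(app_id + ":" + digest)."""
    return base64.b64encode(f"{APP_ID}:{digest_for(params)}".encode()).decode()


def verify(header: str, params: dict, now: int) -> str:
    """Server side: return "ok" or the reason for rejecting the request."""
    try:
        decoded = base64.b64decode(header, validate=True).decode("utf-8")
        app_id, digest = decoded.split(":", 1)
        ts = int(params.get("request_ts", ""))
    except (ValueError, UnicodeDecodeError):
        return "malformed"
    if app_id != APP_ID:
        return "unknown app id"
    if abs(now - ts) > MAX_SKEW:
        return "stale"
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(digest_for(params).encode(), digest.encode()):
        return "bad signature"
    return "ok"
```

A header that verifies here only shows that the caller knows the constant embedded in the client, which the hooks above recover; the timestamp window is what bounds reuse of a captured header.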
App download link
Link: https://pan.baidu.com/s/1iHZZEV9IxQS8kHfNjhl5jg
Extraction code: jsw8