目标App:
WX20211230-141258@2x.png
WX20211230-151603.png
apk脱壳什么的我就不多讲了(请参考 https://www.jianshu.com/p/aef7cdca8263),
抓包看请求:
headers = {
'Host': 'api.bz365.com',
'android-version': '5.3',
'app-channel': 'yingyongbao',
'sign': '6182049170dc252a72a87e3875434c00',
'imei': '8634045143851434',
'cid': '140fe1da9e77d1d11e1',
'content-type': 'application/json; charset=UTF-8',
'content-length': '532',
'accept-encoding': 'gzip',
'user-agent': 'okhttp/3.14.0',
}
data = '{"bzValue":"s8x/dafMg691iD8BmSfu+1JI15TxrAJv8U+KE31+2D+Mka9Q5jj1SDKN06T0jckl9EOUq+J++u2sR9e1Z//5uKeBrgXKXsYFQMbKnkv5lj2hmCdaM7qOMwAVFAnXNPsBnoJq56k0ViHDHfVJHVCa3k/yCDbFHRTEQLoJ++pvzd67u24X5BYd3Uk9R03krt2rERpaZy4EGCGQH96TyqxOGw3tXBXHb73Ius0MwKWODjAKnGG1j/hjl1LGPHS9x9MWjGRI3IFJcDrOlfdBcTOUOcge+W4wkxilh7lzfwHcFIYWc8EXU7rLawXSs4sB/DyuRK7M41UcabFLPpwEIDBHiIDUTjKJnlagWKzqepsAnF7fz5KaIJEmHgWlbOiWv8Km4oxL6+FzyHsEc4UfzfmnI4Bmo6qmKsSHQF7BMPa+I0rS5ikFSjB7bCCe4ymZCmOQnoH55hmUoRIURyITZSDUllY0eF6KabEVVLBy32yOVgcYTvrG3jfgaKJj1ZxamYNEztDLMH"}'
response = requests.post('https://api.bz365.com/api/appSecondUnderstand/getMagazineLibsByParams', headers=headers, data=data)
headers的sign和cid啥的每次都不变, 也不用在意, jadx 搜索 'bzValue'看结果:
WX20211230-145529@2x.png
WX20211230-145812.png
WX20211230-145949.png
WX20211230-150309.png
hook代码
jsCode2 = """
Java.perform(function () {
// Function to hook is defined here
var q = Java.use('com.bz365.bznet.RsaUtil');
q.signPublic.overload('java.lang.String','java.lang.String').implementation = function (a,b){
send("start");
send("a: "+a);
send("b: "+b);
var result = this.signPublic(a,b);
send("result:"+result);
return result;
};
});
"""
结果:
[*] start
[*] a: {"size":10,"pageNo":2,"contentTypeParentId":"0","bizData":{"apiVersion":"5.3","osType":"android","busiType":"dxapi","userId":"42xxxxxx1300"},"href":"HomeMagazineFragment","type":4,"userId":"4xxx21xxx71300","tid":"c7acxxxxxx20211xxxx0103006"}
[*] b: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDw11mYofn5y1wVg1D3KgL77Z1UUrFNpoEEukzkL/uLWNBoCVLL89JuwyDBjEkzyiBZkFoy8947gEICRQvs1uTPsDVq7hBOLRUdq5qRBuJFQBeMKdCzsUggwdDXk8FS8ARH5jyt/jUrljxXXltVxnbA8QKQqdtld5f2Y+H7EuK3qwIDAQAB
[*] result:s8x/dafMg691iD8BmSfu+1JI15TxrAJv8U+KE31+2D+Mka9Q5jj1SDKN06T0jckl9EOUq+J++u2sR9e1Z//5uKeBrgXKXsYFQMbKnkv5lj2hmCdaM7qOMwAVFAnXNPsBnoJq56k0ViHDHfVJHVCa3k/yCDbFHRTEQLoJ++pvzd67u24X5BYd3Uk9R03krt2rERpaZy4EGCGQH96TyqxOGw3tXBXHb73Ius0MwKWODjAKnGG1j/hjl1LGPHS9x9MWjGRI3IFJcDrOlfdBcTOUOcge+W4wkxilh7lzfwHcFIYWc8EXU7rLawXSs4sB/DyuRK7M41UcabFLPpwEIDBHiIDUTjKJnlagWKzqepsAnF7fz5KaIJEmHgWlbOiWv8Km4oxL6+FzyHsEc4UfzfmnI4Bmo6qmKsSHQF7BMPa+I0rS5ikFSjB7bCCe4ymZCmOQnoH55hmUoRIURyITZSDUllY0eF6KabEVVLBy32yOVgcYTvrG3jfgaKJj1ZxamYNE
参数也没啥, 就是咨询每个大类小类的data 加密了一下, 详细代码如下:
def rsa_long_encrypt(pub_key_str, msg):
'''要注意加密msg的长度'''
msg = msg.encode('utf-8')
length = len(msg)
default_length = 117
#公钥加密
pubobj = Cipher_pkcs1_v1_5.new(RSA.importKey(base64.b64decode(pub_key_str)))
#长度不用分段
if length < default_length:
return base64.b64encode(pubobj.encrypt(msg))
#需要分段
offset = 0
res = []
while length - offset > 0:
if length - offset > default_length:
res.append(pubobj.encrypt(msg[offset:offset+default_length]))
else:
res.append(pubobj.encrypt(msg[offset:]))
offset += default_length
byte_data = b''.join(res)
return base64.b64encode(byte_data)
# 就选第一个key, 对应第一个value
pub_key_str='MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDVoAabW8U9nNIL5JSMThPvcPuYn6B3XK5fRyEFefFph03ThkuGSzL15F5MqO/0ZrbLCdsz0mtAmSwCQx950Ge2lAMpmeWjYCx46K/75V575Fj4J8ovcGj/mSDmoj4nbAIO3BqMuUEW579ch3R4rQ+fXEiXlKt74mHzT3yJjML9PQIDAQAB'
msg={
"size": 10,
"pageNo": 1,
"contentTypeParentId": "0",
"bizData": {
"apiVersion": "5.3",
"osType": "android",
"busiType": "dxapi",
"userId": "xxx"#自己的id
},
"href": "HomeMagazineFragment",
"type": 4,
"userId": "xxx",#自己的id
"tid": "xxx"#自己的tid
}
msg=json.dumps(msg)
bzValue= rsa_long_encrypt(pub_key_str, msg)
bzValue=bzValue.decode()
bzValue=bzValue +'VJRaEr' #value写死
headers = {
'Host': 'api.bz365.com',
'android-version': '5.3',
'app-channel': 'yingyongbao',
'sign': 'xxxxxx',# 自己的sign
'imei': 'xxxxxx',# 自己的imer
'cid': 'xxxxxx',# 自己的cid
'content-type': 'application/json; charset=UTF-8',
'content-length': '532',
'accept-encoding': 'gzip',
'user-agent': 'okhttp/3.14.0',
}
data = {"bzValue":bzValue}
data=json.dumps(data)
response = requests.post('https://api.bz365.com/api/appSecondUnderstand/getMagazineLibsByParams', headers=headers, data=data)
rj=response .json()
数据到手🤓
WX20211230-151149@2x.png
