Python-RSA加密, 以🐘保资讯为例

目标App:


WX20211230-141258@2x.png

WX20211230-151603.png

apk脱壳什么的我就不多讲了(请参考 https://www.jianshu.com/p/aef7cdca8263),

抓包看请求:

headers = {
    'Host': 'api.bz365.com',
    'android-version': '5.3',
    'app-channel': 'yingyongbao',
    'sign': '6182049170dc252a72a87e3875434c00',
    'imei': '8634045143851434',
    'cid': '140fe1da9e77d1d11e1',
    'content-type': 'application/json; charset=UTF-8',
    'content-length': '532',
    'accept-encoding': 'gzip',
    'user-agent': 'okhttp/3.14.0',
}
data = '{"bzValue":"s8x/dafMg691iD8BmSfu+1JI15TxrAJv8U+KE31+2D+Mka9Q5jj1SDKN06T0jckl9EOUq+J++u2sR9e1Z//5uKeBrgXKXsYFQMbKnkv5lj2hmCdaM7qOMwAVFAnXNPsBnoJq56k0ViHDHfVJHVCa3k/yCDbFHRTEQLoJ++pvzd67u24X5BYd3Uk9R03krt2rERpaZy4EGCGQH96TyqxOGw3tXBXHb73Ius0MwKWODjAKnGG1j/hjl1LGPHS9x9MWjGRI3IFJcDrOlfdBcTOUOcge+W4wkxilh7lzfwHcFIYWc8EXU7rLawXSs4sB/DyuRK7M41UcabFLPpwEIDBHiIDUTjKJnlagWKzqepsAnF7fz5KaIJEmHgWlbOiWv8Km4oxL6+FzyHsEc4UfzfmnI4Bmo6qmKsSHQF7BMPa+I0rS5ikFSjB7bCCe4ymZCmOQnoH55hmUoRIURyITZSDUllY0eF6KabEVVLBy32yOVgcYTvrG3jfgaKJj1ZxamYNEztDLMH"}'
response = requests.post('https://api.bz365.com/api/appSecondUnderstand/getMagazineLibsByParams', headers=headers, data=data)

headers的sign和cid啥的每次都不变, 也不用在意, jadx 搜索 'bzValue'看结果:


WX20211230-145529@2x.png
WX20211230-145812.png
WX20211230-145949.png
WX20211230-150309.png

hook代码

jsCode2 = """
    Java.perform(function () {
    // Function to hook is defined here
    var q = Java.use('com.bz365.bznet.RsaUtil');
    q.signPublic.overload('java.lang.String','java.lang.String').implementation = function (a,b){
            send("start");
            send("a: "+a);
            send("b: "+b);            
            var result = this.signPublic(a,b);
            send("result:"+result);
            return result;
        };
    });  
"""

结果:

[*] start
[*] a: {"size":10,"pageNo":2,"contentTypeParentId":"0","bizData":{"apiVersion":"5.3","osType":"android","busiType":"dxapi","userId":"42xxxxxx1300"},"href":"HomeMagazineFragment","type":4,"userId":"4xxx21xxx71300","tid":"c7acxxxxxx20211xxxx0103006"}
[*] b: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDw11mYofn5y1wVg1D3KgL77Z1UUrFNpoEEukzkL/uLWNBoCVLL89JuwyDBjEkzyiBZkFoy8947gEICRQvs1uTPsDVq7hBOLRUdq5qRBuJFQBeMKdCzsUggwdDXk8FS8ARH5jyt/jUrljxXXltVxnbA8QKQqdtld5f2Y+H7EuK3qwIDAQAB
[*] result:s8x/dafMg691iD8BmSfu+1JI15TxrAJv8U+KE31+2D+Mka9Q5jj1SDKN06T0jckl9EOUq+J++u2sR9e1Z//5uKeBrgXKXsYFQMbKnkv5lj2hmCdaM7qOMwAVFAnXNPsBnoJq56k0ViHDHfVJHVCa3k/yCDbFHRTEQLoJ++pvzd67u24X5BYd3Uk9R03krt2rERpaZy4EGCGQH96TyqxOGw3tXBXHb73Ius0MwKWODjAKnGG1j/hjl1LGPHS9x9MWjGRI3IFJcDrOlfdBcTOUOcge+W4wkxilh7lzfwHcFIYWc8EXU7rLawXSs4sB/DyuRK7M41UcabFLPpwEIDBHiIDUTjKJnlagWKzqepsAnF7fz5KaIJEmHgWlbOiWv8Km4oxL6+FzyHsEc4UfzfmnI4Bmo6qmKsSHQF7BMPa+I0rS5ikFSjB7bCCe4ymZCmOQnoH55hmUoRIURyITZSDUllY0eF6KabEVVLBy32yOVgcYTvrG3jfgaKJj1ZxamYNE

参数也没啥, 就是咨询每个大类小类的data 加密了一下, 详细代码如下:

def rsa_long_encrypt(pub_key_str, msg):
    '''要注意加密msg的长度'''
    msg = msg.encode('utf-8')
    length = len(msg)
    default_length = 117
    #公钥加密
    pubobj = Cipher_pkcs1_v1_5.new(RSA.importKey(base64.b64decode(pub_key_str)))
    #长度不用分段
    if length < default_length:
        return base64.b64encode(pubobj.encrypt(msg))
    #需要分段
    offset = 0
    res = []
    while length - offset > 0:
        if length - offset > default_length:
            res.append(pubobj.encrypt(msg[offset:offset+default_length]))
        else:
            res.append(pubobj.encrypt(msg[offset:]))
        offset += default_length
    byte_data = b''.join(res)

    return base64.b64encode(byte_data)
# 就选第一个key, 对应第一个value
pub_key_str='MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDVoAabW8U9nNIL5JSMThPvcPuYn6B3XK5fRyEFefFph03ThkuGSzL15F5MqO/0ZrbLCdsz0mtAmSwCQx950Ge2lAMpmeWjYCx46K/75V575Fj4J8ovcGj/mSDmoj4nbAIO3BqMuUEW579ch3R4rQ+fXEiXlKt74mHzT3yJjML9PQIDAQAB'
msg={
    "size": 10,
    "pageNo": 1,
    "contentTypeParentId": "0",
    "bizData": {
        "apiVersion": "5.3",
        "osType": "android",
        "busiType": "dxapi",
        "userId": "xxx"#自己的id
    },
    "href": "HomeMagazineFragment",
    "type": 4,
    "userId": "xxx",#自己的id
    "tid": "xxx"#自己的tid
}
msg=json.dumps(msg)
bzValue= rsa_long_encrypt(pub_key_str, msg)
bzValue=bzValue.decode()
bzValue=bzValue +'VJRaEr'   #value写死
headers = {
    'Host': 'api.bz365.com',
    'android-version': '5.3',
    'app-channel': 'yingyongbao',
    'sign': 'xxxxxx',# 自己的sign
    'imei': 'xxxxxx',# 自己的imer
    'cid': 'xxxxxx',# 自己的cid
    'content-type': 'application/json; charset=UTF-8',
    'content-length': '532',
    'accept-encoding': 'gzip',
    'user-agent': 'okhttp/3.14.0',
}

data = {"bzValue":bzValue}
data=json.dumps(data)
response = requests.post('https://api.bz365.com/api/appSecondUnderstand/getMagazineLibsByParams', headers=headers, data=data)
rj=response .json()

数据到手🤓


WX20211230-151149@2x.png
©著作权归作者所有,转载或内容合作请联系作者
平台声明:文章内容(如有图片或视频亦包括在内)由作者上传并发布,文章内容仅代表作者本人观点,简书系信息发布平台,仅提供信息存储服务。

推荐阅读更多精彩内容