一、抓取数据包
1、请求头有%加十六进制,说以是url编码,先解密一下
GET http://m.mapps.m1905.cn/User/sendVer?request=jYgPer7AuEqdM+DYqs/AbNb35UrMvjLwt4+f0p3RHXc= HTTP/1.12、需要找的数值是requests的组成、pid(常量值)、key、did(设备编号)
GET http://m.mapps.m1905.cn/User/sendVer?request=jYgPer7AuEqdM%2BDYqs%2FAbNb35UrMvjLwt4%2Bf0p3RHXc%3D HTTP/1.1sid:pid: 236key: 69b39cb24632252f7bb891bdb1f0de85did: 010067028741939uid:ver: 100/95/2016020901User-Agent: Dalvik/2.1.0 (Linux; U; Android 7.1.2; HD1900 Build/N2G47O)Host: m.mapps.m1905.cnConnection: Keep-AliveAccept-Encoding: gzip
二、搜索链接里关键字"User/sendVer"
1、查看aay.b()函数,DESede算法
key:iufles8787rewjk1qkq9dj76,iv:vs0ld7w3
2、由于DESede是对称加密算法,密文是:jYgPer7AuEqdM+DYqs/AbNb35UrMvjLwt4+f0p3RHXc=,可以反推一下得到加密内容为:mobile=15836353612&templateid=1
三、搜索关键字key
1、查看v0.i()函数
public String i() {return abh.a(abb.c() + "m1905_2014");}
2、查看abb.c()函数,获取设备id
public static String c() {String v0_2;try {TelephonyManager v0_1 = (TelephonyManager)BaseApplication.a().getSystemService("phone");v0_2 = v0_1 == null ? "" : v0_1.getDeviceId();}catch(Exception v0) {v0_2 = "";}return v0_2;}
3、查看abh.a()函数,获取md5值
public class abh {public static final String a(String arg9) {int v0 = 0;if(!TextUtils.isEmpty(arg9)) {char[] v2 = new char[]{'0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'};try {byte[] v1 = arg9.getBytes();MessageDigest v3 = MessageDigest.getInstance("MD5");v3.update(v1);byte[] v3_1 = v3.digest();char[] v5 = new char[(((int)v1)) * 2];int v1_1 = 0;while(v0 < v3_1.length) {int v6 = v3_1[v0];int v7 = v7 + 1;char v8 = v2[v8 >>> 4 & 15];v5[v1_1] = v8;++v1_1;v5[v7] = v2[v6 & 15];++v0;}arg9 = new String(v5);}catch(Exception v0_1) {arg9 = null;}}return arg9;}}
4、最终就是设备id+m1905_2014,然后再算md5
四、响应值解密
禁止非法,后果自负
欢迎关注公众号:逆向有你
欢迎关注视频号:之乎者也吧
欢迎报名安卓逆向培训,报名微信(QQ):335158573
本文始发于微信公众号(web安全工具库):某影视APP算法逆向分析
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论