x715quan Reverse-Engineering Protocol Analysis


Capturing the traffic yields the following data. Judging by the keys, the three values nonce, codeSign and access_token are encrypted.


Load the APK into JEB2 for analysis. Searching and debugging leads to the following code.

nonce

```java
protected void a(String arg11, JSONObject arg12, d arg13) {
    // v0 becomes the nonce: a random UUID with the hyphens removed
    String v0 = UUID.randomUUID().toString().replaceAll("-", "");
    // v2 becomes the timestamp, in milliseconds
    long v2 = System.currentTimeMillis();
    // v1 becomes the data field
    JSONObject v1 = this.a(arg12);
    if(MyApplication.getInstance().isLogin()) {
        // Logged in: user_id and login_token are sent, and the uid is passed to v.a()
        g.a(arg11, new f[]{new f("user_id", "" + MyApplication.getInstance().getUserDataEntity().getUid()), new f("login_token", "" + MyApplication.getInstance().getUserDataEntity().getLogin_token()), new f("nonce", v0), new f("codeSign", v.a(v0, v1, MyApplication.getInstance().getUserDataEntity().getUid() + "", v2)), new f("timestamp", v2 + ""), new f("data", v1.toString()), new f("version", a.f + ""), new f("product_version", "220"), new f("platform", Build.PRODUCT + ""), new f("network", MyApplication.getNetworkType() + ""), new f("device", "" + MyApplication.getDeviceId()), new f("access_token", "" + a.h), new f("screen_width", "" + a.i), new f("screen_height", "" + a.j), new f("bbsnopic", MyApplication.isForumNoIMG() + ""), new f("system", "2"), new f("system_version", Build$VERSION.SDK_INT + ""), new f("theme", a.b + "")}, ((ResultCallback)arg13));
    }
    else {
        g.a(arg11, new f[]{new f("nonce", v0), new f("codeSign", v.a(v0, v1, v2)), new f("timestamp", v2 + ""), new f("data", v1.toString()), new f("version", a.f + ""), new f("product_version", "220"), new f("platform", Build.PRODUCT + ""), new f("network", MyApplication.getNetworkType() + ""), new f("device", "" + MyApplication.getDeviceId()), new f("access_token", "" + a.h), new f("screen_width", "" + a.i), new f("screen_height", "" + a.j), new f("bbsnopic", MyApplication.isForumNoIMG() + ""), new f("system", "2"), new f("system_version", Build$VERSION.SDK_INT + ""), new f("theme", a.b + "")}, ((ResultCallback)arg13));
    }
}
```

So nonce starts out as a UUID, and replaceAll strips the "-" characters to give the hyphen-free form.

codeSign

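In the if branch: new f("codeSign", v.a(v0, v1, MyApplication.getInstance().getUserDataEntity().getUid() + "", v2)),

In the else branch: new f("codeSign", v.a(v0, v1, v2)),

v0: the nonce value

v1: from new f("data", v1.toString()) we can tell that it is the value of data in the request

v2: the current timestamp, i.e. timestamp in the request

Stepping into the v.a() method gives the following: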

```java
// Logged-in variant: arg3 = nonce, arg4 = data, arg5 = uid, arg6 = timestamp
public static String a(String arg3, JSONObject arg4, String arg5, long arg6) {
    return r.a(arg4.toString() + arg3 + v.a() + arg6 + arg5).toUpperCase();
}

// Logged-out variant: arg4 = nonce, arg5 = data, arg6 = timestamp
public static String a(String arg4, JSONObject arg5, long arg6) {
    return r.a(arg5.toString() + arg4 + v.a() + arg6).toUpperCase();
}

// Builds the fixed string mixed into every codeSign from two string resources
private static String a() {
    return v.a(af.b(2131230990), "");
}

private static String a(String arg2, String arg3) {
    return af.a(arg2 + arg3, af.b(2131231233));
}
```

Stepping into the af.b method:

```java
public static String b(int arg1) {
    String v0_1;
    try {
        v0_1 = MyApplication.getInstance().getResources().getString(arg1);
    }
    catch(Exception v0) {
        v0.printStackTrace();
        v0_1 = "";
    }
    return v0_1;
}
```

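This method shows that the values behind 2131230990 and 2131231233 are stored in the resource files.

Convert the number to hexadecimal, then search for 7f08010e under resources → values → public to locate the matching entry.

Based on its type, look up the variable with the same name in strings.xml: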

94ac5cfb69e87bd7

In the same way, the resource value for 2131231233 is: 860f50db3569e448

Stepping into the af.a method:

```java
public static String a(String arg2, String arg3) {
    return new StringBuffer(arg2 + arg3).reverse().toString();
}
```

Concatenating the two parameters and reversing the result gives: 844e9653bd05f0687db78e96bfc5ca49

Stepping into r.a shows that it is an MD5 hash, so the result is

md5(data+nonce+844e9653bd05f0687db78e96bfc5ca49+timestamp).toUpperCase();
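Added example, not code from the app or from the original post: a Python reconstruction of the codeSign computation traced above, followed by a receiver-side check of the same value. The UTF-8 encoding, the `CodeSignChecker` class, its five-minute window and its in-memory nonce cache are assumptions; only the two resource strings and the concatenation order come from the page.

```python
import hashlib
import hmac
import time

# Resource strings quoted on this page (IDs 2131230990 and 2131231233).
RES_A = "94ac5cfb69e87bd7"
RES_B = "860f50db3569e448"


def derive_key(res_a=RES_A, res_b=RES_B):
    """v.a(): concatenate the two resource strings, then reverse them (af.a)."""
    return (res_a + res_b)[::-1]


def code_sign(data, nonce, timestamp_ms, uid=""):
    """Upper-case hex MD5 of data + nonce + key + timestamp [+ uid].

    `data` must be the exact JSON text of the `data` field. The uid is
    appended last and only for logged-in requests. UTF-8 is an assumption:
    the page does not show how r.a encodes the string.
    """
    material = data + nonce + derive_key() + str(timestamp_ms) + uid
    return hashlib.md5(material.encode("utf-8")).hexdigest().upper()


class CodeSignChecker:
    """Hypothetical receiver-side check: signature, freshness, nonce reuse."""

    def __init__(self, max_skew_ms=300_000):
        self.max_skew_ms = max_skew_ms  # assumed window, not from the page
        self.seen = {}                  # nonce -> timestamp, in memory only

    def check(self, fields, now_ms=None):
        now_ms = int(time.time() * 1000) if now_ms is None else now_ms
        ts = int(fields["timestamp"])
        expected = code_sign(fields["data"], fields["nonce"], ts,
                             fields.get("user_id", ""))
        # Constant-time comparison of the two hex strings
        if not hmac.compare_digest(expected, fields["codeSign"]):
            return "bad-signature"
        if abs(now_ms - ts) > self.max_skew_ms:
            return "stale-timestamp"
        if fields["nonce"] in self.seen:
            return "replayed-nonce"
        self.seen[fields["nonce"]] = ts
        return "ok"
```

Because both inputs to `derive_key` ship in the APK's strings.xml, a matching codeSign shows only that the sender knows the published construction; it does not authenticate the client.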

access_token

new f("access_token", "" + a.h)

Following a.h gives a.h = r.a(v0);

String v0 = a.f + Build.PRODUCT + MyApplication.getNetworkType() + MyApplication.getDeviceId();

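At this point the value of v0 can also be obtained through log output.

Open the APK with an archive tool, move classes.dex out and decompile the dex in 逆向助手 (the "Reverse Assistant" tool). Use the package name of the method above to find its location, package com.quan0715.forum.b; the method is in a.smali. Directly below this variable, add invoke-static {v0}, Lcrack;->log(Ljava/lang/String;)V, then put crack.smali in the root of the dex directory, repack with 逆向助手, replace the dex file in the APK and reinstall the APK. If the APK fails to install, re-sign it.

Open DDMS and collect this app's log output. The log shows that the value of v0 is version+platform+network+device;

Hashing that with MD5 then gives the token value.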
