POST /app/login/signup.app HTTP/2
Host: zc.vjkeji.com
X-Requested-With: XMLHttpRequest
Vs_app_version: 3.0.4
Vs_nonce_str: F12m8iGarppGa2WDOJUO8YayOeV2V0bx
Vs_device_id: 865166029891887
Vs_device_name: redmi note 3
Online_type: android
Vs_timestamp: 1650961572898
Vs_request_fromapp: f2f
Accept: application/json
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Connection: keep-alive
Content-Type: application/json
Cookie: JSESSIONID=F4A316916F1EAC3BE9C7D85AE94C471E; route=f5cf0741684208119280e061e407700e
User-Agent: Mozilla/5.0 (Linux; U; Android 5.1.1; zh-cn; redmi note 3 Build/LMY48Z) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Content-Length: 207

{"password":"057fa5c78d2bb0139a35a65011edc6dd","countryCode":"86","sign":"03e0497b9c2352c7098defc43b3d1a92","userName":"13618396959","nonceStr":"TQbBR5qJO3rImsVJZ72rj5hTYmM6yxG6","timestamp":"1650961572897"}

image-20220426162821517

查找nonceStr

image-20220426163506215

反编译:

image-20220426163537557

要分析的字段:

password

sign

nonceStr

Vs_nonce_str

password

跳转后

image-20220426163817208

因此,大胆判断就只是md5加密

用js工具加密abc123456得到0659c7992e268962384eb17fafe88364

057fa5c78d2bb0139a35a65011edc6dd

不对

用网上的md5反查网站(所谓“解密”其实是查已知哈希表)查057fa5c78d2bb0139a35a65011edc6dd,得到0659c7992e268962384eb17fafe88364

好了,现在可以看出来 password 是两次md5后的值了:先对明文做md5,再对得到的十六进制字符串做一次md5

image-20220426164221428

sign

03e0497b9c2352c7098defc43b3d1a92

image-20220426164453594

/**
 * Computes the signature for the URL parameters held by {@code arg2}.
 *
 * <p>Delegates to {@code ComUtil.encryptMap} with the flag fixed to {@code false},
 * which is the branch that appends the {@code key=75cba6dd...} suffix.
 *
 * @param arg2 request parameter holder; its {@code getUrlParams()} result is signed
 * @return whatever {@code ComUtil.encryptMap} returns for those parameters
 */
public static String encryptParam(AjaxParams arg2) {
    final boolean flag = false;
    return ComUtil.encryptMap(arg2.getUrlParams(), flag);
}
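/**
 * Builds the request signature (the {@code sign} field) for a parameter map.
 *
 * <p>Steps, as visible in the body: every entry whose value is non-empty becomes a
 * {@code key=value} string; those strings are sorted with {@code Arrays.sort}, i.e. by the
 * natural String order of the whole {@code key=value} text; each one is appended followed
 * by {@code &}; a fixed {@code key=...} suffix selected by {@code arg12} is appended; and
 * the resulting string is handed to {@code MD5.md5Encode}.
 *
 * @param arg11 request parameters; {@code null} yields {@code null}
 * @param arg12 selects which of the two embedded keys is appended
 * @return the value returned by {@code MD5.md5Encode}, or {@code null} when {@code arg11}
 *         is {@code null} or {@code md5Encode} throws
 */
public static String encryptMap(Map arg11, boolean arg12) {
    // Initialised up front: the decompiled listing left v2 unassigned on the exception
    // path, which javac rejects ("variable might not have been initialized").
    String v2 = null;
    if (arg11 == null) {
        return v2;
    }

    List<String> pairs = new ArrayList<>();
    for (Object item : arg11.entrySet()) {
        // The decompiler printed the nested type as Map$Entry; in source form it is Map.Entry.
        Map.Entry<?, ?> entry = (Map.Entry<?, ?>) item;
        // NOTE(review): TextUtils.isEmpty takes a CharSequence; the values are presumably
        // Strings - confirm against getUrlParams().
        if (TextUtils.isEmpty((CharSequence) entry.getValue())) {
            continue; // empty values take no part in the signature
        }
        pairs.add(entry.getKey() + "=" + entry.getValue());
    }

    // Sorting is what fixes the parameter order, independent of map iteration order.
    String[] sorted = pairs.toArray(new String[0]);
    Arrays.sort(sorted);

    StringBuilder v4 = new StringBuilder();
    for (String pair : sorted) {
        v4.append(pair).append('&');
    }

    // NOTE(review): both keys are string constants compiled into the app, so the result is a
    // checksum that anyone holding the APK can recompute, not proof that a request came from
    // the genuine client. Server-side controls (authentication, rate limiting, replay checks
    // on nonce/timestamp) should not depend on it.
    if (arg12) {
        v4.append("key=09ebcc6549b6fad41e0b857459c5b2be");
    } else {
        v4.append("key=75cba6dd6d4d75154624dbe9d770d451");
    }

    try {
        v2 = MD5.md5Encode(v4.toString());
    } catch (Exception v0) {
        // Best effort, as in the original: report the failure and fall through to return null.
        v0.printStackTrace();
    }

    return v2;
}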

arg11 = v0(上边那一堆字符串)
arg12 = false

v4 = countryCode=86&userName=13618396959&password=abc123456&timestamp=1650961572897&nonceStr=TQbBR5qJO3rImsVJZ72rj5hTYmM6yxG6

v4+75cba6dd6d4d75154624dbe9d770d451 用md5加密(这里也要看 里面还有填充0和UTF-8) -> a

image-20220426170231568

v2 = a

countryCode=86&userName=13618396959&password=abc123456&timestamp=1650961572897&nonceStr=TQbBR5qJO3rImsVJZ72rj5hTYmM6yxG675cba6dd6d4d75154624dbe9d770d451

utf-8转换后:

countryCode=86&userName=13618396959&password=abc123456&timestamp=1650961572897&nonceStr=TQbBR5qJO3rImsVJZ72rj5hTYmM6yxG675cba6dd6d4d75154624dbe9d770d451

加密:

f6593a27bd2a8d594b3ce64858d41272

不对。。。。

累了,,,动态调试吧

{"password":"057fa5c78d2bb0139a35a65011edc6dd","countryCode":"86","sign":"03e0497b9c2352c7098defc43b3d1a92","userName":"13618396959","nonceStr":"TQbBR5qJO3rImsVJZ72rj5hTYmM6yxG6","timestamp":"1650961572897"}

"countryCode=86&nonceStr=TQbBR5qJO3rImsVJZ72rj5hTYmM6yxG6&password=057fa5c78d2bb0139a35a65011edc6dd&timestamp=1650961572897&userName=13618396959&key=75cba6dd6d4d75154624dbe9d770d451"

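答案: 03e0497b9c2352c7098defc43b3d1a92(与请求里的 sign 一致。和前面算错的那次相比有三处不同:键值对先经过 Arrays.sort 排序;password 参与签名的是两次md5后的值而不是明文;末尾拼接的是 "&key=" 加密钥,而不是直接接密钥。)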

成功:

image-20220426175729482

但是我还是不知道这个0为什么要填充

image-20220426174902907

这一串实在没搞清楚是多少个0

标题叫断点调试,but,,,我并没有用到,,,

nonceStr

是随机的