Capturing packets and looking at the data

First I captured the login traffic and found nothing special.

The submitted login packet:

POST /User/login HTTP/1.1
pid: 236
ver: 100/95/2016020901
did: 865166029891887
key: 428ec0492158cd84dadb072f1e3d50ce
Content-Type: application/x-www-form-urlencoded
Content-Length: 39
Host: m.mapps.m1905.cn
Connection: close
Accept-Encoding: gzip, deflate
User-Agent: okhttp/3.3.1

username=我的电话号码&password=abc123456

The returned packet:

POST /v2/report HTTP/2
Host: stats.jpush.cn
Charset: UTF-8
Content-Length: 1415
Accept: application/jason
X-App-Key: 0e51f2f2f82cb882842bbb77
Content-Encoding: gzip
Accept-Encoding: gzip, deflate
Authorization: Basic NjA0NjkzMTczNTk6MzY1ZjFjZmQxMzcwODQ4OTgwNGQ3ZWQyNWM3OGNlODI=
User-Agent: Dalvik/2.1.0 (Linux; U; Android 5.1.1; redmi note 3 Build/LMY48Z)
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded

[gzip-compressed body, rendered as garbled characters]

As you can see there is nothing here worth analysing, and the body is even garbled.

So I captured the registration flow instead.

The submitted packet:

GET /User/register?request=Vw5YoQuUKwqhdZkLrG77G7q4jdGkhc4oMPJbHZVazigpd00bPxcXEEqsz2wHWXo9IYcXRhXAZLhDWLRqlVcztw%3D%3D HTTP/1.1
sid:
pid: 236
key: 428ec0492158cd84dadb072f1e3d50ce
did: 865166029891887
uid:
ver: 100/95/2016020901
User-Agent: Dalvik/2.1.0 (Linux; U; Android 5.1.1; redmi note 3 Build/LMY48Z)
Host: m.mapps.m1905.cn
Connection: close
Accept-Encoding: gzip, deflate

The returned packets:

1

POST /mobile/v2/connect HTTP/1.1
aid: 0
did: 0
Content-Length: 594
Content-Type: application/json
User-Agent: Dalvik/2.1.0 (Linux; U; Android 5.1.1; redmi note 3 Build/LMY48Z)
X-App-License-Key: 056DADF8562257750EAC5FB13CE86F0E76
X-BlueWare-Connect-Time: 1650955564406
Host: mobile.oneapm.com
Connection: close
Accept-Encoding: gzip, deflate

{"app":{"appName":"1905电影网","appVer":"5.2.2","pkgName":"com.m1905.mobilefree","channel":"tencent","token":"056DADF8562257750EAC5FB13CE86F0E76"},"device":{"os":"Android","ver":"5.1.1","model":"redmi note 3","deviceId":"c9cbb7b3-f22e-4df5-9e32-65c2bd7d49d8","manufacturer":"xiaomi","imei":"865166029891887","size":"normal","countryCode":"","regionCode":"","cityCode":"","country":"","region":"","city":"","mcc":"460","mnc":"00","imsi":"460006384551485","networkStatus":"wifi","macAddress":"","serialNumber":"unknown","androidId":"366a40034878b2a7"},"sdk":{"type":"Android","ver":"3.0.9.3"}}

2

POST /mobile/v2/connect HTTP/1.1
aid: 0
did: 0
Content-Length: 594
Content-Type: application/json
User-Agent: Dalvik/2.1.0 (Linux; U; Android 5.1.1; redmi note 3 Build/LMY48Z)
X-App-License-Key: 056DADF8562257750EAC5FB13CE86F0E76
X-BlueWare-Connect-Time: 1650955924406
Host: mobile.oneapm.com
Connection: close
Accept-Encoding: gzip, deflate

{"app":{"appName":"1905电影网","appVer":"5.2.2","pkgName":"com.m1905.mobilefree","channel":"tencent","token":"056DADF8562257750EAC5FB13CE86F0E76"},"device":{"os":"Android","ver":"5.1.1","model":"redmi note 3","deviceId":"c9cbb7b3-f22e-4df5-9e32-65c2bd7d49d8","manufacturer":"xiaomi","imei":"865166029891887","size":"normal","countryCode":"","regionCode":"","cityCode":"","country":"","region":"","city":"","mcc":"460","mnc":"00","imsi":"460006384551485","networkStatus":"wifi","macAddress":"","serialNumber":"unknown","androidId":"366a40034878b2a7"},"sdk":{"type":"Android","ver":"3.0.9.3"}}

After looking at several more submitted packets, only the request value changes, so the next step is to search for the path /User/register or for the request field.

Static analysis

Searching

Search for the path /User/register

The request field

This search is actually wrong, because comparing against the screenshot above shows that the string is really ?request=.

Locking on /User/register

Analysis

What needs to be analysed is request.

public void a(Context arg7, String arg8, String arg9, String arg10, String arg11) throws UnsupportedEncodingException {
    // Builds the register URL: the form body is encrypted by aay.b(), then URL-encoded into ?request=
    ze$3 v0 = new hh(0, "http://m.mapps.m1905.cn/User/register" + "?request=" + URLEncoder.encode(aay.b("username=" + arg8 + "&password=" + arg9 + "&acode=" + arg10 + "&islogin=" + arg11), "UTF-8"), new b(arg7) {
        // Response callback: parses the reply into an EUser and notifies observers
        public void a(String arg4) {
            EUser v0 = ze.a(arg4);
            if(v0 != null) {
                if(v0.getData() != null) {
                    aby.a(this.a, arg4);
                }

                this.b.a(100);
            }
            else {
                this.b.a(0);
            }

            ze.a(this.b);
            this.b.notifyObservers(v0);
        }
    });
    // remainder of the method not shown in the decompiler output
}

URLEncoder.encode(aay.b("username=" + arg8 + "&password=" + arg9 + "&acode=" + arg10 + "&islogin=" + arg11), "UTF-8")

I could not work it out statically, so I tried dynamic debugging myself.

Stepping over repeatedly and checking the value at each step:

string@7104:"Vw5YoQuUKwqHtf9D2P0iNXpRxGUdqsMeyIJ6Ke+kK+Bl2Xxapv2Eb8rbXsgeRf1QJDmwSRDq74Lw/PPruU/oEg=="

v3 becomes:

string@7111:"Vw5YoQuUKwqHtf9D2P0iNXpRxGUdqsMeyIJ6Ke%2BkK%2BBl2Xxapv2Eb8rbXsgeRf1QJDmwSRDq74Lw%2FPPruU%2FoEg%3D%3D"

v4 and v5 change in the same way; their values were only captured in the debugger screenshots.

Analysis:

As in the code above, v10 should be the verification code.

"&islogin=" should be the count.

username=13618396959&password=abc123456&acode=0987&islogin=1

Now let's look at the b function in the code.

public static String b(String arg4) {
    String v0_2;
    try {
        // DESede algorithm (triple DES); aay.key is the static 24-byte key
        SecretKey v0_1 = SecretKeyFactory.getInstance("DESede").generateSecret(new DESedeKeySpec(aay.key.getBytes()));
        // CBC mode with PKCS5 padding
        Cipher v1 = Cipher.getInstance("DESede/CBC/PKCS5Padding");
        // 1 == Cipher.ENCRYPT_MODE; aay.iv is the static 8-byte IV
        v1.init(1, ((Key)v0_1), new IvParameterSpec(aay.iv.getBytes()));
        // aau.a() encodes the ciphertext; judging by the captured output it is Base64
        v0_2 = aau.a(v1.doFinal(arg4.getBytes()));
    }
    catch(Exception v0) {
        v0_2 = "";
    }

    return v0_2;
}

iv and key

Note the static initializer block:

aay.key = "iufles8787rewjk1qkq9dj76";

aay.iv = "vs0ld7w3";

Verification

Answer: Vw5YoQuUKwqhdZkLrG77G7q4jdGkhc4oMPJbHZVazijZp0IKMeCdcW5KFWYnoNJwJkjOOVDVLCFcAk+NrTsKig==

After decryption:

username=13618396959&password=abc123456&acode=0987&islogin=1

Summary

For the DES encoding in Java, I am not sure how to write it in JS.