某加速器APP算法脱机刷邀请

.KK

• 详细过程可以参考一下上面的链接地址 这边就给出一些重要的分析点        参考链接

• 关于脱壳：之前的版本有加壳升级到最新版倒没有壳了 有点奇怪

• 逆向第一步抓包分析字段 简单分析下 需要解密data跟sign

  http://ant.hyysapi.com/api.php
  appId=android&appVersion=2.1.8×tamp=1631623725&data=07AFB9FE519DA49C71D9294926A9CFF7E041015C520E93F1B62382C61FD2E2D9A02037ECAFCBECF8064BD58B11854A4A3C45D7D9FEDE70745E2FC7C3A4E4D3158ABF6083DC20E1EDA63A7DE0EBA96236C9C09DF8E76E21B9640F221AF073D20F42D6CB2189E1E03910BC50902E5C21DB33A912BBAC072E90AA529C4A22532D2E8C212BD9959D78AFAC95AF19E1004BA340CCC09D370D3BEE20885B6F244C8CE5BE687330B68CD2FF4FDEFA3B6598476738E333DD5266D3C1A2A83616F79514DC82A1B328DB5BF8BB0B54FA360FC783ACB21A5D0A&sign=ac6e08db803317c0c7c6ef66286d63b5

自吐

• Python 代码 没安装库的百度一下安装姿势就ok

[Python] 纯文本查看 复制代码

# -*- encoding: utf-8 -*-
import requests
import time
import json
from base64 import b64decode
from hashlib import sha256, md5
from Crypto.Cipher import AES
from Crypto.Random import get_random_bytes

class Ant(object):
    """
    蚂蚁加速器刷邀请
    """

    def __init__(self, aff):
        self.aff = aff  # 邀请码
        self.oauth_id = ''
        self.timestamp = ''
        self.url = 'http://ant.hyysapi.com/api.php'
        self.headers = {  # 加不加header都可以
            "User-Agent": "okhttp-okgo/jeasonlzy",
            "Content-Type": "application/x-www-form-urlencoded",
        }
        self.key = 'fjeldkb4438b1eb36b7e244b37dhg03j'  # 没发现哪个加密库中有EVP_BytesToKey算法
        self.hexkey = 'B496F831128E4FE1DE33F4B7A2C46E0DD4772524A4826FE4486FCC07E3E2B87F'
        self.b64key = 'tJb4MRKOT+HeM/S3osRuDdR3JSSkgm/kSG/MB+PiuH8='

    @staticmethod
    def get_timestamp(long=10):
        """
        取时间戳，默认10位
        """
        return str(time.time_ns())[:long]

    def decrypt(self, data: str):
        """
        aes解密
        """
        ct_iv = bytes.fromhex(data[:32])
        ct_bytes = bytes.fromhex(data[32:])
        ciper = AES.new(
            b64decode(self.b64key), AES.MODE_CFB, iv=ct_iv,
            segment_size=128)  # CFB模式，iv指定，块大小为128(默认为8，需填8的倍数，貌似AES标准区块大小就是128，和密钥大小128/192/256无关)
        plaintext = ciper.decrypt(ct_bytes).decode()
        return plaintext

    def encrypt(self, data: str):
        """
        aes加密
        """
        cipher = AES.new(b64decode(self.b64key), AES.MODE_CFB, segment_size=128)  # CFB模式，iv自动随机，块大小为128
        ct_bytes = cipher.iv + cipher.encrypt(data.encode())  # iv+加密结果合并
        return ct_bytes.hex().upper()  # hex编码

    def get_sign(self):
        """
        生成sign
        """
        template = 'appId=android&appVersion=2.1.8&data={}×tamp={}2d5f22520633cfd5c44bacc1634a93f2'.format(
            self.encrypt_data, self.timestamp)
        # sha256
        sha = sha256()
        sha.update(template.encode())
        res = sha.hexdigest()
        # nd5
        m = md5()
        m.update(res.encode())
        res = m.hexdigest()
        return res

    def request(self, d):
        """
        请求封包
        """
        plaintext = {"version": "2.4.5", "app_type": "ss_proxy", "language": 0, "bundleId": "com.dd.antss"}
        d.update(plaintext)
        self.timestamp = self.get_timestamp(10)
        self.encrypt_data = self.encrypt(json.dumps(d, separators=(',', ':')))
        sign = self.get_sign()
        data = f"appId=android&appVersion=2.1.8×tamp={self.timestamp}&data={self.encrypt_data}&sign={sign}"
        res = requests.post(url=self.url, data=data, headers=self.headers)
        if res.status_code == 200:
            res = self.decrypt(res.json().get('data'))
            print(res)
        else:
            print("访问失败:", res.status_code)

    def get_user(self):
        """
        生成新用户
        """
        # 取随机md5
        m = md5()
        m.update(get_random_bytes(16))
        oauth_id = m.hexdigest()
        self.oauth_id = oauth_id
        print("new user:", oauth_id)

    def invite(self):
        """
        刷邀请，邀请码：self.aff
        """
        self.get_user()
        data = {
            "oauth_id": self.oauth_id,
            "oauth_type": "android",
            "aff": self.aff,
            "mod": "user",
            "code": "exchangeAFF"
        }
        self.request(data)


if __name__ == "__main__":
    ant = Ant('aKD2j')
    ant.invite()

.KK

上面代码有问题 用这版

[Python] 纯文本查看 复制代码

# -*- encoding: utf-8 -*-

import requests
import time
import json
from base64 import b64decode
from hashlib import sha256, md5
from Crypto.Cipher import AES
from Crypto.Random import get_random_bytes


class Ant(object):
    """
    蚂蚁加速器刷邀请
    """

    def __init__(self, aff):
        self.aff = aff  # 邀请码
        self.oauth_id = ''
        self.timestamp = ''
        self.url = 'http://ant.hyysapi.com/api.php'
        self.headers = {  # 加不加header都可以
            "User-Agent": "okhttp-okgo/jeasonlzy",
            "Content-Type": "application/x-www-form-urlencoded",
        }
        self.key = 'fjeldkb4438b1eb36b7e244b37dhg03j'  # 没发现哪个加密库中有EVP_BytesToKey算法
        self.hexkey = 'B496F831128E4FE1DE33F4B7A2C46E0DD4772524A4826FE4486FCC07E3E2B87F'
        self.b64key = 'tJb4MRKOT+HeM/S3osRuDdR3JSSkgm/kSG/MB+PiuH8='

    @staticmethod
    def get_timestamp(long=10):
        """
        取时间戳，默认10位
        """
        return str(time.time_ns())[:long]

    def decrypt(self, data: str):
        """
        aes解密
        """
        ct_iv = bytes.fromhex(data[:32])
        ct_bytes = bytes.fromhex(data[32:])
        ciper = AES.new(
            b64decode(self.b64key), AES.MODE_CFB, iv=ct_iv,
            segment_size=128)  # CFB模式，iv指定，块大小为128(默认为8，需填8的倍数，貌似AES标准区块大小就是128，和密钥大小128/192/256无关)
        plaintext = ciper.decrypt(ct_bytes).decode()
        return plaintext

    def encrypt(self, data: str):
        """
        aes加密
        """
        cipher = AES.new(b64decode(self.b64key), AES.MODE_CFB, segment_size=128)  # CFB模式，iv自动随机，块大小为128
        ct_bytes = cipher.iv + cipher.encrypt(data.encode())  # iv+加密结果合并
        return ct_bytes.hex().upper()  # hex编码

    def get_sign(self):
        """
        生成sign
        """
        template = 'appId=android&appVersion=2.1.8&data={}&timestamp={}2d5f22520633cfd5c44bacc1634a93f2'.format(
            self.encrypt_data, self.timestamp)
        # sha256
        sha = sha256()
        sha.update(template.encode())
        res = sha.hexdigest()
        # nd5
        m = md5()
        m.update(res.encode())
        res = m.hexdigest()
        return res

    def request(self, d):
        """
        请求封包
        """
        plaintext = {"version": "2.4.5", "app_type": "ss_proxy", "language": 0, "bundleId": "com.dd.antss"}
        d.update(plaintext)
        self.timestamp = self.get_timestamp(10)
        self.encrypt_data = self.encrypt(json.dumps(d, separators=(',', ':')))
        sign = self.get_sign()
        data = f"appId=android&appVersion=2.1.8&timestamp={self.timestamp}&data={self.encrypt_data}&sign={sign}"
        res = requests.post(url=self.url, data=data, headers=self.headers)
        if res.status_code == 200:
            res = self.decrypt(res.json().get('data'))
            print(res)
        else:
            print("访问失败:", res.status_code)

    def get_user(self):
        """
        生成新用户
        """
        # 取随机md5
        m = md5()
        m.update(get_random_bytes(16))
        oauth_id = m.hexdigest()
        self.oauth_id = oauth_id
        print("new user:", oauth_id)

    def invite(self):
        """
        刷邀请，邀请码：self.aff
        """
        self.get_user()
        data = {
            "oauth_id": self.oauth_id,
            "oauth_type": "android",
            "aff": self.aff,
            "mod": "user",
            "code": "exchangeAFF"
        }
        self.request(data)


if __name__ == "__main__":
    ant = Ant('aKD2j')
    ant.invite()

wcf202835

院主 发表于 2021-9-15 14:17
楼主可以编辑贴子的
小白问一句
from Crypto.Cipher import AES

建议你把Crypto换成替代的独立库Cryptodome，不然要下一堆关联的库

laos

还好我不是用的这个

院主

.KK 发表于 2021-9-15 13:57
上面代码有问题 用这版
[mw_shl_code=python,true]# -*- encoding: utf-8 -*-

楼主可以编辑贴子的
小白问一句
from Crypto.Cipher import AES
from Crypto.Random import get_random_bytes
这个应该安装什么包，包名是什么

wcf202835

成功了成功了

nuller

学习一下，感谢。

DeathLYH

学习学习，谢谢楼主分享

glz220

学习学习，感谢

AndresG

学习一下