拼某某手机号登陆协议简单分析 (一)

Shocker

前言

简单分析下拼某某的手机号登陆,不涉及算法的具体分析
拼某某版本:3.42.0

工具

• MuMu模拟器
• fiddler (抓包)
• jadx (反编译)
• Android studio (动态调试)
• apktool (回编译)

过程

1.模拟器设置代{过}{滤}理,打开fiddler抓包,点击发送短信
可以看到在body里有"fingerprint"项,而且内容是经过加密的

fingerprint={"key":"cxTyZ+Cus8AQG9MMRRHH+SaTIFUYnPNuu4C7hGIbmcvSm4BRAJBG61JCeatqQkU0Z2nmzv810UlmSpANbDXAlPmnKpZJ3P6bjLlgP7a/F8lZNCy/Aplf4ciFaXNxKpWVVwkgHWiLiFzMeVIJV9tXCXkzIzn/8BPSMoMLiBBlH+E=","data":"al88qYAlL7CRHaHskvtFq.
........省略一万字"}

2.打开jadx 搜索"fingerprint"


可以分析出这个fingerprint就是设备的相关信息,且经过native层的加密.

3.插入记录日志代码,回编译


4.打开ddms,监听日志消息,点击发送短信后即可收到日志信息

格式化后为

{
    "device": "x86_64",
    "networkCountryIso": "",
    "wifiMacList": [{
        "ssid": "kIgbSZ",
        "mac": "12:34:56:78:90:12",
        "level": -55
    }],
    "dataActivity": 0,
    "appCnt": 59,
    "dBm": {},
    "operateTime": 10848915,
    "buildTime": 1611305578000,
    "batteryStatus": 2,
    "perCpuUsage": ["0.65%", "0.62%", "0.69%", "0.58%"],
    "systemAppName": ["com.android.providers.telephony", "com.android.providers.calendar", "com.netease.nemu_vinput.nemu", "com.android.providers.media", "com.android.wallpapercropper", "com.android.documentsui", "com.android.galaxy4", "com.android.externalstorage", "com.android.htmlviewer", "com.android.quicksearchbox", "com.android.mms.service", "com.android.providers.downloads", "com.android.browser", "com.android.defcontainer", "com.android.providers.downloads.ui", "com.android.pacprocessor", "com.android.certinstaller", "android", "com.android.camera2", "com.android.backupconfirm"],
    "connectType": "WIFI",
    "sdkVersion": 23,
    "id": "56f94b363d02e5b2",
    "currentTime": 1629609733024,
    "densityDpi": 270,
    "basebandversion1": "",
    "root": true,
    "simState": 0,
    "mcc": "",
    "manufacturer": "Netease",
    "msisdn": "",
    "imsi": "",
    "photoInfo": [],
    "gyroscopeSensor": {
        "name": "BML160 Gyproscope",
        "vendor": "BML160",
        "data": [{
            "x": 0,
            "y": 0,
            "z": 0
        }, {
            "x": 0,
            "y": 0,
            "z": 0
        }, {
            "x": 0,
            "y": 0,
            "z": 0
        }, {
            "x": 0,
            "y": 0,
            "z": 0
        }, {
            "x": 0,
            "y": 0,
            "z": 0
        }]
    },
    "iccid": "",
    "networkType": "UNKNOWN",
    "wifi": {
        "ssid": "\"kIgbSZ\"",
        "mac": "12:34:56:78:90:12",
        "rssi": -55,
        "speed": 50,
        "ip": "10.0.2.15",
        "mask": "255.255.255.0"
    },
    "availableCapacity": 134410260480,
    "mac": "12:34:56:78:90:12",
    "networkOperatorName": "",
    "userPhoneName": "x86_64",
    "cpuUsage": "0.63%",
    "buildFingerprint": "OnePlus\/OnePlus2\/OnePlus2:6.0.1\/MMB29M\/1447841200:user\/release-keys",
    "mnc": "",
    "display": "V417IR release-keys",
    "availableMemory": 7928315904,
    "prop": 1611305633000,
    "meid": "",
    "imei1": "540000000146339",
    "appDetect": [],
    "imei2": "540000000146339",
    "installTime": 1629609633007,
    "batteryLevel": "51.00%",
    "cpuCore": 4,
    "appVersion": "3.42.0",
    "osVersion": "6.0.1",
    "simOperatroName": "",
    "sc": "810,1440",
    "bluetooth": "",
    "photoNum": 0,
    "bootTime": 1629598884109,
    "volume": {
        "system": 5,
        "voiceCall": 4,
        "ring": 5,
        "alarm": 6,
        "music": 11,
        "notification": 5
    },
    "simCountryIso": "",
    "sn": "ZX1G42CPJD",
    "screenBrightness": 102,
    "cpuType": "OMAP4 Panda board",
    "basebandversion2": "",
    "board": "unknown",
    "kernelVersion": "Linux version 4.0.9-android-x86_64+ (luoweiqiao@a11-gz02-test.i.nease.net) (gcc version 4.9 20150123 (prerelease) (GCC) ) #1 SMP PREEMPT Fri Jan 22 16:55:32 HKT 2021",
    "appName": ["com.tencent.mm", "com.xunmeng.pinduoduo", "com.tencent.test", "com.cmge.weixin.pay"],
    "dataState": 0,
    "os": "Android",
    "frequency": [{
        "maxFreq": "2400000Hz",
        "minFreq": "1600000Hz",
        "curFreq": "2400000Hz"
    }, {
        "maxFreq": "2400000Hz",
        "minFreq": "1600000Hz",
        "curFreq": "2400000Hz"
    }, {
        "maxFreq": "2400000Hz",
        "minFreq": "1600000Hz",
        "curFreq": "2400000Hz"
    }, {
        "maxFreq": "2400000Hz",
        "minFreq": "1600000Hz",
        "curFreq": "2400000Hz"
    }],
    "lightSensor": {
        "name": "LTR559 Ambient Light Sensor",
        "vendor": "LITE-ON TECHNOLOGY CORP.",
        "data": [29, 29, 29, 29, 29]
    },
    "brand": "Android",
    "totalCapacity": 135148310528,
    "totalMemory": 8374714368,
    "standbyTime": 0,
    "model": "MuMu"
}

native层分析

从java层可以分析出,待加密的数据是设备信息的json经过gzip压缩,那么它变成{key:".....",data:"....."}还需要进行native加密.

1.打开ida,找到nativeGenerate函数

2.进一步跟进,发现其使用了aes,rsa加密.

具体流程为
1.随机生成aes的key
2.原数据用aes加密
3.用rsa加密aes的key
4.将key和data用base64编码

结论

拼某某在登陆时会发送设备信息,包括已安装的app名称,数量等.并使用aes,rsa加密.

aaa179888

感谢大佬 正好需要

longling

谢谢你的分享                  

xieemengxin

6666思路清晰

limit7

拼某某在登陆时会发送设备信息,包括已安装的app名称,数量等.并使用aes,rsa加密.呵呵

依旧沉沉

膜拜大佬~

elevo

拼某某是不是有读取通讯录的权限呀

小三啦

elevo 发表于 2021-8-23 15:33
拼某某是不是有读取通讯录的权限呀

是的，之前就有人分析过

wss0823

现在不是设备信息不能直接获取了么?

goMoney

大佬思路清晰啊 牛

等到烟火也清凉

安装了啥APP也上传