安卓逆向 -- 某壁纸软件的sign值分析

sumith

一、抓到登录包

[HTML] 纯文本查看 复制代码

POST /user/login?union_id=69e1a995a970528e&coid=13&ncoid=14&verCode=1007 HTTP/1.1
authTokenkey: authTokenkey
authToken: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ0aGlzIGlzIHVzZXJMb2dpbiB0b2tlbiIsImF1ZCI6Ik1QIiwicGhvbmUiOiIiLCJjb2lkIjoiMTMiLCJuY29pZCI6IjE0IiwiZXhwaXJlRGF0ZSI6MTY3MDY1OTg3MSwiaXNNZW1iZXIiOmZhbHNlLCJleHAiOjE2NzA2NTk4NzEsInVzZXJJZCI6NTQ1ODUwOCwiaWF0IjoxNjY4MTU0MjcxLCJ5YlVuaW9uaWQiOiI2OWUxYTk5NWE5NzA1MjhlIn0.RzhxZwNz3VaR_az_96r_6LjzoDeM7kTrIeENPafrHrE
Content-Type: application/json; charset=utf-8
Content-Length: 327
Host: user.fangzhou-wea.com
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: okhttp/3.12.13

{"installChannel":"0","code":"","loginType":"1","FirstLinkTime":"1668154269","channel":"0","coid":"13","ncoid":"14","verName":"4.9.2.1","_sign":"b6705035938ad82b8ee3d9b5ed6b8627","verCode":"1007","phone":"15836353612","smsVerCode":"123456","union_id":"69e1a995a970528e","_tid":"1668691277,c73417b4-3caa-4e3d-9b12-197293bdfe6f"}

二、提交的数据里面有个_sign值

[C] 纯文本查看 复制代码

"_sign":"b6705035938ad82b8ee3d9b5ed6b8627"

三、看着像MD5加密，hook一下MD5加密函数

[JavaScript] 纯文本查看 复制代码

messageDigest.update.overload('[B').implementation = function (data) {
        console.log("MessageDigest.update('[B') is called!");
        showStacks();
        var algorithm = this.getAlgorithm();
        var tag = algorithm + " update data";
        toUtf8(tag, data);
        toHex(tag, data);
        toBase64(tag, data);
        console.log("=======================================================");
        return this.update(data);
    }

四、获取加密参数

[Asm] 纯文本查看 复制代码

1668677597,14c2229d-4b50-4bc5-9a2d-7f6a4fa94823052fd221f33612d0619a990a41376a81

五、分析明文里面的内容1668677597：时间戳14c2229d-4b50-4bc5-9a2d-7f6a4fa94823：随机的一段数字052fd221f33612d0619a990a41376a81：通过多次hook发现该值是常量，也是一个md5加密，明文为：66DFC38D5DC34571A82D79F3EEFFFCBDqb&QU$六、将apk拖到jadx中，搜索，发现有这个字符串

sumith

看着好好的，发出来就变成这个了。。。

正己

内容是不是不完整啊？

georgeJzzz

hook 脚本能贴下吗 大佬。  
showStacks()
toHex等

ssjjtt

可以啊兄弟666666666