-
-
[原创]逆向分析某应用商店协议
-
发表于: 2019-9-19 17:36
-
一、明文协议
POST /api/resource.app.getList HTTP/1.1
Charset: UTF-8
Content-Type: application/json; charset=utf-8
User-Agent: Dalvik/2.1.0 (Linux; U; Android 9; MI 8 UD MIUI/9.9.3)
Host: xx.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 609
{"id":-7006190407224178889,"client":{"caller":"secret.pp.client","ex":{"osVersion":28,"ch":"PM_38","cityCode":"","productId":2001,"brand":"xiaomi","pos":"pp\/category","aid":"wsYOpeLadjZBXN7TP9ikvA==","utdid":"XYHW+RyLS\/kDAAJ01p8JLYww","v":"d3MnEJEYvSjqTRZGtJItNhA79mM="},"versionCode":1995,"VName":"6.1.9","puid":"0191568767674989650006","uuid":"d3MnEPShoC55QrtMbwD50yQvP1yg4f8u5poqt7J0VRzj\/wHciidweBnGD8dCZlavnhg\/fAqIreLs8vSiuvwoXq0mSDE="},"data":{"count":20,"flags":193,"page":1,"subCategoryId":923,"categoryId":5024,"resourceType":0,"order":4},"sign":"faf19c5ad90d2285090f36b244b5565e","encrypt":"md5"}*协议使用字段sign加密
(1)搜索"sign"字段
POST /api/resource.app.getList HTTP/1.1
Charset: UTF-8
Content-Type: application/json; charset=utf-8
User-Agent: Dalvik/2.1.0 (Linux; U; Android 9; MI 8 UD MIUI/9.9.3)
Host: xx.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 609
{"id":-7006190407224178889,"client":{"caller":"secret.pp.client","ex":{"osVersion":28,"ch":"PM_38","cityCode":"","productId":2001,"brand":"xiaomi","pos":"pp\/category","aid":"wsYOpeLadjZBXN7TP9ikvA==","utdid":"XYHW+RyLS\/kDAAJ01p8JLYww","v":"d3MnEJEYvSjqTRZGtJItNhA79mM="},"versionCode":1995,"VName":"6.1.9","puid":"0191568767674989650006","uuid":"d3MnEPShoC55QrtMbwD50yQvP1yg4f8u5poqt7J0VRzj\/wHciidweBnGD8dCZlavnhg\/fAqIreLs8vSiuvwoXq0mSDE="},"data":{"count":20,"flags":193,"page":1,"subCategoryId":923,"categoryId":5024,"resourceType":0,"order":4},"sign":"faf19c5ad90d2285090f36b244b5565e","encrypt":"md5"}*协议使用字段sign加密
(1)搜索"sign"字段
用frida进行hook
和抓包完全一致,再看看另一个sign
尝试了一下和so包算的sign居然是一致的 !
二、密文协议
POST /api/op.rec.app.checkUpdate HTTP/1.1
Charset: UTF-8
Content-Type: application/x-www-form-urlencoded
User-Agent: Dalvik/2.1.0 (Linux; U; Android 9; MI 8 UD MIUI/9.9.3)
Host: xx.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 436
ws'�Y��!5�/ H"jS��f��>v�G-�G���?��Em/����Ќ�0�.mF�q��&�'ʴg���p����Ј�q�X�Z|�m��⒖oᖿ@�TA�_�Y[�B�X�_m{%Y�I��u�"�xoOy��vn�`�I�V�g4ԅ�;���:��+lQ�Z ����S|�
I������|A3�e!X�x��]�G�|Mb49��5+
^�t�(y)�q�cJ��q�T�fS�C�;��r��b���2 kTD �o�k��\`5�o�g�HqJ�����N�N�q�)Z�]�K�k~4,0��b��QW���}�k��*`zJ̉�����q����;t�&w���%'OΕ��Y���Bl3java层
POST /api/op.rec.app.checkUpdate HTTP/1.1
Charset: UTF-8
Content-Type: application/x-www-form-urlencoded
User-Agent: Dalvik/2.1.0 (Linux; U; Android 9; MI 8 UD MIUI/9.9.3)
Host: xx.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 436
ws'�Y��!5�/ H"jS��f��>v�G-�G���?��Em/����Ќ�0�.mF�q��&�'ʴg���p����Ј�q�X�Z|�m��⒖oᖿ@�TA�_�Y[�B�X�_m{%Y�I��u�"�xoOy��vn�`�I�V�g4ԅ�;���:��+lQ�Z ����S|�
I������|A3�e!X�x��]�G�|Mb49��5+
^�t�(y)�q�cJ��q�T�fS�C�;��r��b���2 kTD �o�k��\`5�o�g�HqJ�����N�N�q�)Z�]�K�k~4,0��b��QW���}�k��*`zJ̉�����q����;t�&w���%'OΕ��Y���Bl3java层
使用了某安全防护
hook decode和encode方法
加密前byte
�)t}s�l���w�7D�u5��#����y���kB�oI��s"b�@�v?%�z�?m�z���C���v���Ǫ�E��u!D�g��4La�7O'�dWD��z���T/���|�Qn��Nl$��n�����Na举���>v�kU�z�i���q^3=+��^�%�N���;Rܵ������)_b�iɞ��OG�)����9�i�f�/"����a�'�+%�ؠ3�4��̹l���~@�_ɉ=���N�(ŕ&� i| e��y3�����˥qd�J�c��)���_N�#�c
gzip之后
�)t}s�l���w�7D�u5��#����y���kB�oI��s"b�@�v?%�z�?m�z���C���v���Ǫ�E��u!D�g��4La�7O'�dWD��z���T/���|�Qn��Nl$��n�����Na举���>v�kU�z�i���q^3=+��^�%�N���;Rܵ������)_b�iɞ��OG�)����9�i�f�/"����a�'�+%�ؠ3�4��̹l���~@�_ɉ=���N�(ŕ&� i| e��y3�����˥qd�J�c��)���_N�#�c
gzip之后
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
最后于 2019-9-27 16:15
被neilwu编辑
,原因: 敏感信息处理
