-
-
[原创]某生鲜电商mfsig加密算法解析
-
发表于: 2021-7-6 16:35
-
https://www.charlesproxy.com/
前提:手机和电脑均安装好charles证书
(需要root权限)
华为p9 android 6.0
(7.0以上版本抓包工具默认抓不到https请求,解决方式:可将charles证书升级为系统证书,安装到系统证书目录下)
cURL
请求体
返回值
通过postman调试可知,mfsig不传或错传后不能正确请求数据,确认mfsig为核心加密签名
小程序反编译工具github地址:https://github.com/qwerty472123/wxappUnpacker
运行前提需要安装node环境
该工具运行需要一些node依赖库,安装指引在github中README.md文档中有
通过re文件管理器App直捣微信小程序包路径:
/data/data/com.tencent.mm/MicroMsg/${用户MD5}/appbrand/pkg/_*_xxx.wxapkg
利用re文件管理器打成zip包,点击右上角按钮找到发送,通过QQ、钉钉或者蓝牙等方式传送到个人电脑接收
如今微信小程序单包体积不能超过4M(小程序基础依赖包除外),如果项目内容过大,开发者会使用分包模式
拿该电商来说,打开小程序一顿操作后,文件目录下发现四个包
其中:
_2124598774_821.wxapkg 3.3M 主包
_-588782754_76.wxapkg 1.5M 子包
_152740959_13.wxapkg 89k 子包
_1123949441_552.wxapkg 14M 基础依赖包
先反编译主包
再反编译子包,通过-s=指定主包的路径,使子包反编译的内容复制到主包
看到File done即反编译成功
用小程序开发工具打开
先在右上角详情中点击本地设置,勾选不校验合法域名、webview、tls及https证书
完成上述操作后,一个简单代码分析环境就搭建好了
经过抓包分析后,得知加密参数为mfsig,开发工具中全局搜索mfsig,发现并没有匹配的结果。
转换思路,我们看到mfsig的取值均为mfsw开头,于是全局搜索这个,发现mfsw也无匹配结果,可以得出个结论:
该小程序的加密相关函数是特殊对待混淆过的,静态分析明文无法定位到。算是一个安全性比较好的case。
小程序的代码一般发布时都会做混淆,一般而言单靠静态分析代码中的加密逻辑是很费时费力的,借助调试反而易于理解代码逻辑
既然静态分析无果,这时就要体现动态调试分析的重要性了。
打开模拟器,并点击编译按钮,观察模拟器窗户和调试器的Console窗口中的报错提示
期间会遇到几个很小的报错,逐步解决后成功看到主界面,接下来就可以调试了
找到对应接口,打好断点后一步步调试分析
定位到核心代码,反编译的代码格式比较乱,多行代码挤在同一行,不利于追步调试,可以点击左下角的{}按钮进行格式化
通过调试器右侧的调试功能按键进行追踪调试
加密函数混淆过,需要些耐心一步步调试,纸上记录下加密过程。
大体上来看其实就是编码游戏,字符串转数组,数组转为字符串,再利用索引进行字符编码生成最后的mfsig
经过上述动态解析,将纸上记录下的加密流程进行整理,利用java或python进行翻译,实现一遍
拿一个真实抓包接口的请求体参数进行测试验证加密函数的正确性
得到的mfsig与接口中的完全一致,那么大功告成
curl -H 'Host: as-vip.missfresh.cn' -H 'platform: weixin_app' -H 'charset: utf-8' -H 'request-id: 0649cacd90ffb932864517168199fa5a' -H 'content-type: application/json' -H 'mfsig: mfswaD2ZNKZTnrhVmrlTn43Ol3vT4uV46Q7hmuVf4iV72u4554JRnQzkmQ3V3J+PnGJU44Rk34QUiKC6Qry3niy2iRaWnrdPmiJ2mhzfROhQlFRSQiy3mhzQSJqrk3RWSryTl439m3vTRHFuQum4QvKihGyOk3RPSizhQQr2PvG6' -H 'User-Agent: Mozilla/5.0 (Linux; Android 7.0; EVA-AL10 Build/HUAWEIEVA-AL10; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.62 XWEB/2852 MMWEBSDK/20210501 Mobile Safari/537.36 MMWEBID/1318 MicroMessenger/8.0.6.1900(0x2800063A) Process/appbrand2 WeChat/arm32 Weixin NetType/WIFI Language/zh_CN ABI/arm64 MiniProgramEnv/android' -H 'x-region: {"address_code":330110,"station_code":"MRYX|mryx_celshd","delivery_type":1,"bigWarehouse":"MRYXSHD","type":0}' -H 'Referer: https://servicewechat.com/wxebf773691904eee9/821/page-frame.html' --data-binary '{"param":{"firstCategoryCode":"","secondCategoryCode":"","categoryIndex":0,"onlyClassify":1,"bizFingerprintType":3},"common":{"accessToken":"","retailType":"","fromSource":"","sourceDeviceId":"0649cacd-90ff-b932-8645-17168199fa5a","deviceId":"0649cacd-90ff-b932-8645-17168199fa5a","deviceCenterId":"8590201085835345922","env":"weixin_app","platform":"weixin_app","model":"EVA-AL10","screenHeight":611,"screenWidth":360,"version":"9.9.36.3","addressCode":330110,"stationCode":"MRYX|mryx_celshd","bigWarehouse":"MRYXSHD","deliveryType":1,"chromeType":0,"currentLng":120.024811,"currentLat":30.28203,"sellerId":13646,"mfplatform":"weixin_app","mfenv":"wxapp","sellerInfoList":[{"sellerId":13646,"sellerType":1},{"sellerId":678894,"sellerType":2},{"sellerId":2386422,"sellerType":6}]}}' --compressed 'https://as-vip.missfresh.cn/as/home/classify'
curl -H 'Host: as-vip.missfresh.cn' -H 'platform: weixin_app' -H 'charset: utf-8' -H 'request-id: 0649cacd90ffb932864517168199fa5a' -H 'content-type: application/json' -H 'mfsig: mfswaD2ZNKZTnrhVmrlTn43Ol3vT4uV46Q7hmuVf4iV72u4554JRnQzkmQ3V3J+PnGJU44Rk34QUiKC6Qry3niy2iRaWnrdPmiJ2mhzfROhQlFRSQiy3mhzQSJqrk3RWSryTl439m3vTRHFuQum4QvKihGyOk3RPSizhQQr2PvG6' -H 'User-Agent: Mozilla/5.0 (Linux; Android 7.0; EVA-AL10 Build/HUAWEIEVA-AL10; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.62 XWEB/2852 MMWEBSDK/20210501 Mobile Safari/537.36 MMWEBID/1318 MicroMessenger/8.0.6.1900(0x2800063A) Process/appbrand2 WeChat/arm32 Weixin NetType/WIFI Language/zh_CN ABI/arm64 MiniProgramEnv/android' -H 'x-region: {"address_code":330110,"station_code":"MRYX|mryx_celshd","delivery_type":1,"bigWarehouse":"MRYXSHD","type":0}' -H 'Referer: https://servicewechat.com/wxebf773691904eee9/821/page-frame.html' --data-binary '{"param":{"firstCategoryCode":"","secondCategoryCode":"","categoryIndex":0,"onlyClassify":1,"bizFingerprintType":3},"common":{"accessToken":"","retailType":"","fromSource":"","sourceDeviceId":"0649cacd-90ff-b932-8645-17168199fa5a","deviceId":"0649cacd-90ff-b932-8645-17168199fa5a","deviceCenterId":"8590201085835345922","env":"weixin_app","platform":"weixin_app","model":"EVA-AL10","screenHeight":611,"screenWidth":360,"version":"9.9.36.3","addressCode":330110,"stationCode":"MRYX|mryx_celshd","bigWarehouse":"MRYXSHD","deliveryType":1,"chromeType":0,"currentLng":120.024811,"currentLat":30.28203,"sellerId":13646,"mfplatform":"weixin_app","mfenv":"wxapp","sellerInfoList":[{"sellerId":13646,"sellerType":1},{"sellerId":678894,"sellerType":2},{"sellerId":2386422,"sellerType":6}]}}' --compressed 'https://as-vip.missfresh.cn/as/home/classify'
{ "param": {
"firstCategoryCode": "",
"secondCategoryCode": "",
"categoryIndex": 0,
"onlyClassify": 1,
"bizFingerprintType": 3
},
"common": {
"accessToken": "",
"retailType": "",
"fromSource": "",
"sourceDeviceId": "0649cacd-90ff-b932-8645-17168199fa5a",
"deviceId": "0649cacd-90ff-b932-8645-17168199fa5a",
"deviceCenterId": "8590201085835345922",
"env": "weixin_app",
"platform": "weixin_app",
"model": "EVA-AL10",
"screenHeight": 611,
"screenWidth": 360,
"version": "9.9.36.3",
"addressCode": 330110,
"stationCode": "MRYX|mryx_celshd",
"bigWarehouse": "MRYXSHD",
"deliveryType": 1,
"chromeType": 0,
"currentLng": 120.024811,
"currentLat": 30.28203,
"sellerId": 13646,
"mfplatform": "weixin_app",
"mfenv": "wxapp",
"sellerInfoList": [{
"sellerId": 13646,
"sellerType": 1
}, {
"sellerId": 678894,
"sellerType": 2
}, {
"sellerId": 2386422,
"sellerType": 6
}]
}
}{ "param": {
"firstCategoryCode": "",
"secondCategoryCode": "",
"categoryIndex": 0,
"onlyClassify": 1,
"bizFingerprintType": 3
},
"common": {
"accessToken": "",
"retailType": "",
"fromSource": "",
"sourceDeviceId": "0649cacd-90ff-b932-8645-17168199fa5a",
"deviceId": "0649cacd-90ff-b932-8645-17168199fa5a",
"deviceCenterId": "8590201085835345922",
"env": "weixin_app",
"platform": "weixin_app",
"model": "EVA-AL10",
"screenHeight": 611,
"screenWidth": 360,
"version": "9.9.36.3",
"addressCode": 330110,
"stationCode": "MRYX|mryx_celshd",
"bigWarehouse": "MRYXSHD",
"deliveryType": 1,
"chromeType": 0,
"currentLng": 120.024811,
"currentLat": 30.28203,
"sellerId": 13646,
"mfplatform": "weixin_app",
"mfenv": "wxapp",
"sellerInfoList": [{
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
微信开发者工具 https://developers.weixin.qq.com/miniprogram/dev/devtools/stable.html |
|
|
|
|
|
|
|
|
微信开发者工具 https://mp.weixin.qq.com/s/4BerA1Ij3BfMeg2LA0cm5g |
|
|
|
|
|
|
|
|
文中有提到,观察包的大小 |
|
|
|
|
|
|
|
|
亲,别着急,试试这个 https://github.com/xuedingmiaojun/wxappUnpacker |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
用了这个仍然报错Error: ENOTDIR: not a directory, scandir 'D:\itcast\unpack-wx\part\WAAutoService.js' |
