首页
社区
课程
招聘
[原创]某生鲜电商mfsig加密算法解析
发表于: 2021-7-6 16:35 31981

[原创]某生鲜电商mfsig加密算法解析

2021-7-6 16:35
31981

https://www.charlesproxy.com/

前提:手机和电脑均安装好charles证书

image-20210706151936444

image-20210706152105634

(需要root权限)

华为p9 android 6.0

(7.0以上版本抓包工具默认抓不到https请求,解决方式:可将charles证书升级为系统证书,安装到系统证书目录下)

cURL

请求体

返回值

通过postman调试可知,mfsig不传或错传后不能正确请求数据,确认mfsig为核心加密签名

image-20210706153005140

image-20210706153036359

小程序反编译工具github地址:https://github.com/qwerty472123/wxappUnpacker

运行前提需要安装node环境

该工具运行需要一些node依赖库,安装指引在github中README.md文档中有

通过re文件管理器App直捣微信小程序包路径:

/data/data/com.tencent.mm/MicroMsg/${用户MD5}/appbrand/pkg/_*_xxx.wxapkg

利用re文件管理器打成zip包,点击右上角按钮找到发送,通过QQ、钉钉或者蓝牙等方式传送到个人电脑接收

如今微信小程序单包体积不能超过4M(小程序基础依赖包除外),如果项目内容过大,开发者会使用分包模式

拿该电商来说,打开小程序一顿操作后,文件目录下发现四个包

image-20210706154412251

其中:

_2124598774_821.wxapkg 3.3M 主包

_-588782754_76.wxapkg 1.5M 子包

_152740959_13.wxapkg 89k 子包

_1123949441_552.wxapkg 14M 基础依赖包

先反编译主包

再反编译子包,通过-s=指定主包的路径,使子包反编译的内容复制到主包

image-20210706154720473

看到File done即反编译成功

image-20210706154734258

用小程序开发工具打开

image-20210706154836938

先在右上角详情中点击本地设置,勾选不校验合法域名、webview、tls及https证书

image-20210706155122944

完成上述操作后,一个简单代码分析环境就搭建好了

经过抓包分析后,得知加密参数为mfsig,开发工具中全局搜索mfsig,发现并没有匹配的结果。

image-20210706155415889

转换思路,我们看到mfsig的取值均为mfsw开头,于是全局搜索这个,发现mfsw也无匹配结果,可以得出个结论:

该小程序的加密相关函数是特殊对待混淆过的,静态分析明文无法定位到。算是一个安全性比较好的case。

小程序的代码一般发布时都会做混淆,一般而言单靠静态分析代码中的加密逻辑是很费时费力的,借助调试反而易于理解代码逻辑

既然静态分析无果,这时就要体现动态调试分析的重要性了。

打开模拟器,并点击编译按钮,观察模拟器窗户和调试器的Console窗口中的报错提示

期间会遇到几个很小的报错,逐步解决后成功看到主界面,接下来就可以调试了

image-20210706162859382

找到对应接口,打好断点后一步步调试分析

定位到核心代码,反编译的代码格式比较乱,多行代码挤在同一行,不利于追步调试,可以点击左下角的{}按钮进行格式化

image-20210706160107480

通过调试器右侧的调试功能按键进行追踪调试

image-20210706160201085

加密函数混淆过,需要些耐心一步步调试,纸上记录下加密过程。

大体上来看其实就是编码游戏,字符串转数组,数组转为字符串,再利用索引进行字符编码生成最后的mfsig

经过上述动态解析,将纸上记录下的加密流程进行整理,利用java或python进行翻译,实现一遍

拿一个真实抓包接口的请求体参数进行测试验证加密函数的正确性

image-20210706160955448

得到的mfsig与接口中的完全一致,那么大功告成

 
 
 
curl -H 'Host: as-vip.missfresh.cn' -H 'platform: weixin_app' -H 'charset: utf-8' -H 'request-id: 0649cacd90ffb932864517168199fa5a' -H 'content-type: application/json' -H 'mfsig: mfswaD2ZNKZTnrhVmrlTn43Ol3vT4uV46Q7hmuVf4iV72u4554JRnQzkmQ3V3J+PnGJU44Rk34QUiKC6Qry3niy2iRaWnrdPmiJ2mhzfROhQlFRSQiy3mhzQSJqrk3RWSryTl439m3vTRHFuQum4QvKihGyOk3RPSizhQQr2PvG6' -H 'User-Agent: Mozilla/5.0 (Linux; Android 7.0; EVA-AL10 Build/HUAWEIEVA-AL10; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.62 XWEB/2852 MMWEBSDK/20210501 Mobile Safari/537.36 MMWEBID/1318 MicroMessenger/8.0.6.1900(0x2800063A) Process/appbrand2 WeChat/arm32 Weixin NetType/WIFI Language/zh_CN ABI/arm64 MiniProgramEnv/android' -H 'x-region: {"address_code":330110,"station_code":"MRYX|mryx_celshd","delivery_type":1,"bigWarehouse":"MRYXSHD","type":0}' -H 'Referer: https://servicewechat.com/wxebf773691904eee9/821/page-frame.html' --data-binary '{"param":{"firstCategoryCode":"","secondCategoryCode":"","categoryIndex":0,"onlyClassify":1,"bizFingerprintType":3},"common":{"accessToken":"","retailType":"","fromSource":"","sourceDeviceId":"0649cacd-90ff-b932-8645-17168199fa5a","deviceId":"0649cacd-90ff-b932-8645-17168199fa5a","deviceCenterId":"8590201085835345922","env":"weixin_app","platform":"weixin_app","model":"EVA-AL10","screenHeight":611,"screenWidth":360,"version":"9.9.36.3","addressCode":330110,"stationCode":"MRYX|mryx_celshd","bigWarehouse":"MRYXSHD","deliveryType":1,"chromeType":0,"currentLng":120.024811,"currentLat":30.28203,"sellerId":13646,"mfplatform":"weixin_app","mfenv":"wxapp","sellerInfoList":[{"sellerId":13646,"sellerType":1},{"sellerId":678894,"sellerType":2},{"sellerId":2386422,"sellerType":6}]}}' --compressed 'https://as-vip.missfresh.cn/as/home/classify'
curl -H 'Host: as-vip.missfresh.cn' -H 'platform: weixin_app' -H 'charset: utf-8' -H 'request-id: 0649cacd90ffb932864517168199fa5a' -H 'content-type: application/json' -H 'mfsig: mfswaD2ZNKZTnrhVmrlTn43Ol3vT4uV46Q7hmuVf4iV72u4554JRnQzkmQ3V3J+PnGJU44Rk34QUiKC6Qry3niy2iRaWnrdPmiJ2mhzfROhQlFRSQiy3mhzQSJqrk3RWSryTl439m3vTRHFuQum4QvKihGyOk3RPSizhQQr2PvG6' -H 'User-Agent: Mozilla/5.0 (Linux; Android 7.0; EVA-AL10 Build/HUAWEIEVA-AL10; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.62 XWEB/2852 MMWEBSDK/20210501 Mobile Safari/537.36 MMWEBID/1318 MicroMessenger/8.0.6.1900(0x2800063A) Process/appbrand2 WeChat/arm32 Weixin NetType/WIFI Language/zh_CN ABI/arm64 MiniProgramEnv/android' -H 'x-region: {"address_code":330110,"station_code":"MRYX|mryx_celshd","delivery_type":1,"bigWarehouse":"MRYXSHD","type":0}' -H 'Referer: https://servicewechat.com/wxebf773691904eee9/821/page-frame.html' --data-binary '{"param":{"firstCategoryCode":"","secondCategoryCode":"","categoryIndex":0,"onlyClassify":1,"bizFingerprintType":3},"common":{"accessToken":"","retailType":"","fromSource":"","sourceDeviceId":"0649cacd-90ff-b932-8645-17168199fa5a","deviceId":"0649cacd-90ff-b932-8645-17168199fa5a","deviceCenterId":"8590201085835345922","env":"weixin_app","platform":"weixin_app","model":"EVA-AL10","screenHeight":611,"screenWidth":360,"version":"9.9.36.3","addressCode":330110,"stationCode":"MRYX|mryx_celshd","bigWarehouse":"MRYXSHD","deliveryType":1,"chromeType":0,"currentLng":120.024811,"currentLat":30.28203,"sellerId":13646,"mfplatform":"weixin_app","mfenv":"wxapp","sellerInfoList":[{"sellerId":13646,"sellerType":1},{"sellerId":678894,"sellerType":2},{"sellerId":2386422,"sellerType":6}]}}' --compressed 'https://as-vip.missfresh.cn/as/home/classify'
{
    "param": {
        "firstCategoryCode": "",
        "secondCategoryCode": "",
        "categoryIndex": 0,
        "onlyClassify": 1,
        "bizFingerprintType": 3
    },
    "common": {
        "accessToken": "",
        "retailType": "",
        "fromSource": "",
        "sourceDeviceId": "0649cacd-90ff-b932-8645-17168199fa5a",
        "deviceId": "0649cacd-90ff-b932-8645-17168199fa5a",
        "deviceCenterId": "8590201085835345922",
        "env": "weixin_app",
        "platform": "weixin_app",
        "model": "EVA-AL10",
        "screenHeight": 611,
        "screenWidth": 360,
        "version": "9.9.36.3",
        "addressCode": 330110,
        "stationCode": "MRYX|mryx_celshd",
        "bigWarehouse": "MRYXSHD",
        "deliveryType": 1,
        "chromeType": 0,
        "currentLng": 120.024811,
        "currentLat": 30.28203,
        "sellerId": 13646,
        "mfplatform": "weixin_app",
        "mfenv": "wxapp",
        "sellerInfoList": [{
            "sellerId": 13646,
            "sellerType": 1
        }, {
            "sellerId": 678894,
            "sellerType": 2
        }, {
            "sellerId": 2386422,
            "sellerType": 6
        }]
    }
}
{
    "param": {
        "firstCategoryCode": "",
        "secondCategoryCode": "",
        "categoryIndex": 0,
        "onlyClassify": 1,
        "bizFingerprintType": 3
    },
    "common": {
        "accessToken": "",
        "retailType": "",
        "fromSource": "",
        "sourceDeviceId": "0649cacd-90ff-b932-8645-17168199fa5a",
        "deviceId": "0649cacd-90ff-b932-8645-17168199fa5a",
        "deviceCenterId": "8590201085835345922",
        "env": "weixin_app",
        "platform": "weixin_app",
        "model": "EVA-AL10",
        "screenHeight": 611,
        "screenWidth": 360,
        "version": "9.9.36.3",
        "addressCode": 330110,
        "stationCode": "MRYX|mryx_celshd",
        "bigWarehouse": "MRYXSHD",
        "deliveryType": 1,
        "chromeType": 0,
        "currentLng": 120.024811,
        "currentLat": 30.28203,
        "sellerId": 13646,
        "mfplatform": "weixin_app",
        "mfenv": "wxapp",
        "sellerInfoList": [{

[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)

最后于 2021-7-6 17:02 被灵风_spirit编辑 ,原因: 格式修改
收藏
免费 8
支持
分享
最新回复 (20)
雪    币: 163
活跃值: (1623)
能力值: ( LV5,RANK:60 )
在线值:
发帖
回帖
粉丝
2
这个小程序开发工具和调试工具具体是啥
2021-7-7 09:25
0
雪    币: 0
活跃值: (633)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
3
谢谢楼主, 新技能get
2021-7-8 16:58
1
雪    币: 3275
活跃值: (1461)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
4
谢谢分享~~~~~~~~·
2021-7-9 10:09
0
雪    币: 589
活跃值: (1727)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
5
学编程 这个小程序开发工具和调试工具具体是啥
微信开发者工具 https://developers.weixin.qq.com/miniprogram/dev/devtools/stable.html
2021-7-9 15:28
0
雪    币: 248
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
6
WX小程序逆向   新技能get
2021-7-9 16:21
0
雪    币: 287
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
7
wxappUnpacker下载不到啊  哪位大哥给个链接
2021-7-11 10:02
0
雪    币: 589
活跃值: (1727)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
8
cheny76 wxappUnpacker下载不到啊 哪位大哥给个链接
微信开发者工具  https://mp.weixin.qq.com/s/4BerA1Ij3BfMeg2LA0cm5g
2021-7-12 22:57
0
雪    币: 116
活跃值: (1012)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
9
支持一下
2021-7-13 15:02
0
雪    币: 0
活跃值: (353)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
10
怎么看哪个是 主包 ,基础依赖包   子包 ?
2021-7-19 20:08
0
雪    币: 589
活跃值: (1727)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
11
Erlösung 怎么看哪个是 主包 ,基础依赖包 子包 ?
文中有提到,观察包的大小
2021-7-19 21:02
0
雪    币: 0
活跃值: (353)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
12
C:\Users\Administrator\Desktop\ksd-wxappUnpacker-master\wxappUnpacker>node wuWxapkg.js -s=
C:\Users\Administrator\Desktop\miniprogram\mini\_-2079671945_341 C:\Users\Administrator\De
sktop\miniprogram\mini\_1123949441_555.wxapkg
Unpack file C:\Users\Administrator\Desktop\miniprogram\mini\_1123949441_555.wxapkg...

Header info:
  firstMark: 0xbe
  unknownInfo:  0
  infoListLength:  680
  dataLength:  15213140
  lastMark: 0xed

File list info:
  fileCount:  24
Saving files...
Unpack done.
now dir: C:\Users\Administrator\Desktop\miniprogram\mini\_1123949441_555
param of mainDir: C:\Users\Administrator\Desktop\miniprogram\mini\_-2079671945_341
internal/fs/utils.js:230
    throw err;
    ^

Error: ENOTDIR: not a directory, scandir 'C:\Users\Administrator\Desktop\miniprogram\mini\
_1123949441_555\WAAutoService.js'
[90m    at Object.readdirSync (fs.js:871:3)[39m
    at findDir (C:\Users\Administrator\Desktop\ksd-wxappUnpacker-master\wxappUnpacker\wuWx
apkg.js:154:36)
    at findDir (C:\Users\Administrator\Desktop\ksd-wxappUnpacker-master\wxappUnpacker\wuWx
apkg.js:165:29)
    at Array.packDone (C:\Users\Administrator\Desktop\ksd-wxappUnpacker-master\wxappUnpack
er\wuWxapkg.js:171:17)
    at CntEvent.decount (C:\Users\Administrator\Desktop\ksd-wxappUnpacker-master\wxappUnpa
cker\wuLib.js:20:54)
    at C:\Users\Administrator\Desktop\ksd-wxappUnpacker-master\wxappUnpacker\wuLib.js:87:1
7
    at agent (C:\Users\Administrator\Desktop\ksd-wxappUnpacker-master\wxappUnpacker\wuLib.
js:64:23)
[90m    at FSReqCallback.oncomplete (fs.js:154:23)[39m {
  errno: [33m-4052[39m,
  syscall: [32m'scandir'[39m,
  code: [32m'ENOTDIR'[39m,
  path: [32m'C:\\Users\\Administrator\\Desktop\\miniprogram\\mini\\_1123949441_555\\WAAut
oService.js'[39m
}


按照你的思路 分包反编译报错,不知为何
2021-7-20 12:12
0
雪    币: 589
活跃值: (1727)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
13
亲,别着急,试试这个 https://github.com/xuedingmiaojun/wxappUnpacker
2021-7-20 17:59
0
雪    币: 589
活跃值: (1727)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
14
Erlösung C:\Users\Administrator\Desktop\ksd-wxappUnpacker-master\wxappUnpacker>node wuWxapkg.js -s= C:\Us ...
亲,别着急,试试这个 https://github.com/xuedingmiaojun/wxappUnpacker
2021-7-20 18:00
0
雪    币: 0
活跃值: (353)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
15
主包里面解压后 没有app-server.js这是为啥
2021-7-21 15:04
0
雪    币: 0
活跃值: (353)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
16
C:\Users\Administrator\Desktop\wxappUnpacker-master\wxappUnpacker-master>node wuWxapkg.js
 -s=C:\Users\Administrator\Desktop\uu\uu\_1506898651_165 C:\Users\Administrator\Desktop\uu
\uu\_1169510392_165.wxapkg C:\Users\Administrator\Desktop\uu\uu\_-557522105_165.wxapkg

我这样 编译后有两个包 一个主包 一个子包,好像子包文件没有复制到主包里面?一个_150开头的文件和一个_116开头的文件
2021-8-8 18:50
0
雪    币: 0
活跃值: (353)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
17
你这个小程序的子包是手动复制到主包里面?我按照你的操作  他好像没有自动覆盖?
2021-8-30 19:35
0
雪    币: 204
活跃值: (21)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
18
我按照你的步骤,反编译了小程序,但是提示无法连接网络,不管是pc端的小程序还是  手机上的小程序都是一样的,请问这种情况改怎么处理
2021-10-14 16:29
0
雪    币: 286
活跃值: (35)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
19
需要帮忙小程序逆向可以找我 v:ixiaohe_
2021-12-2 10:28
0
雪    币: 524
活跃值: (649)
能力值: ( LV3,RANK:20 )
在线值:
发帖
回帖
粉丝
21
灵风_spirit 亲,别着急,试试这个 https://github.com/xuedingmiaojun/wxappUnpacker
用了这个仍然报错Error: ENOTDIR: not a directory, scandir 'D:\itcast\unpack-wx\part\WAAutoService.js'
2022-6-29 10:13
0
游客
登录 | 注册 方可回帖
返回
//