首页
社区
课程
招聘
问答 CTF 排行榜 知识库 工具下载 看雪峰会 看雪商城 证书查询
  1. 看雪社区
  2. Android安全
    3. 发新帖
[原创]某APP登录参数分析
2022-4-21 11:23 24230

[原创]某APP登录参数分析

REerr 活跃值
2022-4-21 11:23
24230

前言

本篇文章仅为学习交流所用,涉及的数据已做脱敏处理,请勿用于不当途径,侵权请联系

环境

  1. 主机:win10
  2. 手机:Pixel 4 ,Android 10
  3. APP版本:V5.54.0

工具

IDA、JADX、Frida、Charles

登录逆向分析

RegisterNatives


Request Params

首先抓包看一下登录包:

 


verifydata

{
"params": "5F1D4B282F5E89548F98FC30853F4F9289D874AA82EDB0ED82330B07CF5D208ECAAF446BAEA4D4848BB7515573123514EFDEA8E6C1000FEF8F30A9901382B7119822C74B9C91394F9DDFF8B239E241F9",
"clienttime_ms": "1647312358378",
"support_face_verify": "1",
"dfid": "-",
"dev": "Pixel%204",
"plat": "1",
"pk": "7C9E722B7BCCE5B56BAB9D42902B2A4F238BAA40EACCCEECACE72C3EE46A85B1B833F7800E6D2B968EE809303485376180BD8494EBA84F006DBD050E1F876B3713DE64AFADDA4F51FCC522C6DAC0AFFC8A04AABAF47F95FE6D3F2FB6726A16FC4664AB66CE065E3FCFD7D0FACD3DCA05AA96D74DD96EC74DBF54CA72D088E42C",
"t1": "bfaf46951c6a5c58d4bf618c517354de",
"support_verify": "1",
"support_multi": "1",
"t2": "c397de1fd7e436639fa90f367c0b47d290831b64f19d803fc09a91ee47bcc1648e5a87f1f934ed09cfb7046dad52253cf564684d5bdef1d67fc91c74d6245335237a78074f157641a1ddfb5ca4a66c5d72855feae18282b981d896c6f170cb54ca7c21aad3811d69c80a73ad3482c340",
"key": "8d73d8b5da06bad3b466d864812d488b",
"username": "130*696"
}

params参数解析

通过JADX搜索“params”字符串定位到位置:

1
2
3
this.j.put("params", a.c(jSONObject.toString(), this.g));
 
进入c方法内可以看到:
1
2
3
public static String c(String str, String str2) throws Exception {
        return a(str, "utf-8", ao.a(str2).substring(0, 32), ao.a(str2).substring(16, 32));
    }

通过objection hook该方法内的a方法,得到如下结果:

 

(agent) [302556] Called com.xxxx.fanxing.allinone.common.utils.a.a(java.lang.String, java.lang.String, java.lang.String, java.lang.String)

 

(agent) [302556] Arguments com.xxx.fanxing.allinone.common.utils.a.a({"username":"13*96","clienttime_ms":"1647313862199","pwd":"557998555"}, utf-8, 0dd6da40aea47d05b5f6612596fd2e7f, b5f6612596fd2e7f)

 

(agent) [793424] Backtrace:
com.xxx.fanxing.allinone.common.utils.a.a(Native Method)
com.xxx.fanxing.allinone.common.utils.a.a(SourceFile:117)
com.xxx.fanxing.allinone.common.utils.a.a(Native Method)
com.xxx.fanxing.allinone.common.utils.a.c(SourceFile:106)
com.xxx.fanxing.core.protocol.g.e.c(SourceFile:85)
com.xxx.fanxing.core.protocol.g.e.c(Native Method)
com.xxx.fanxing.core.protocol.g.a.d(SourceFile:76)
com.xxx.fanxing.core.modul.user.login.c.a(SourceFile:50)
com.xxx.fanxing.core.modul.user.login.f.a(SourceFile:228)
com.xxx.fanxing.core.modul.user.ui.a.a(SourceFile:577)
com.xxx.fanxing.core.modul.user.ui.a.j(SourceFile:554)
com.xxx.fanxing.core.modul.user.ui.a.i(SourceFile:520)
com.xxx.fanxing.core.modul.user.ui.a.onClick(SourceFile:417)
android.view.View.performClick(View.java:7259)
android.view.View.performClickInternal(View.java:7236)
android.view.View.access$3600(View.java:801)
android.view.View$PerformClick.run(View.java:27892)
android.os.Handler.handleCallback(Handler.java:883)
android.os.Handler.dispatchMessage(Handler.java:100)
android.os.Looper.loop(Looper.java:214)
android.app.ActivityThread.main(ActivityThread.java:7356)
java.lang.reflect.Method.invoke(Native Method)
com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:492)
com.android.internal.os.ZygoteInit.main(ZygoteInit.java:930)

 

这样我们可以得到a.c(jSONObject.toString(), this.g)中两个参数的来源,其中第一个参数为JSON结构:{"username":"13**96","clienttime_ms":"1647313862199","pwd":"557998555"},第二个参数为AES的KEY,最终将KEY拆分为(0,32)和(16,32)具体生成方式如下:

1
this.g = com.xxx.fanxing.allinone.common.utils.a.a(com.kugou.fanxing.allinone.common.constant.c.hz() ? 128 : 64);

a方法如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
public static String a(int i) {
        try {
            KeyGenerator instance = KeyGenerator.getInstance("AES");
            instance.init(i);
            return a(instance.generateKey().getEncoded());
        } catch (Exception e) {
            e.printStackTrace();
            return null;
        }
    }
 
public static String c(String str, String str2) throws Exception {
        return a(str, "utf-8", ao.a(str2).substring(0, 32), ao.a(str2).substring(16, 32));
    }
public static String a(String str) {
        return a(str.getBytes());
    }
 
public static String a(byte[] bArr) {
        try {
            MessageDigest instance = MessageDigest.getInstance("MD5");
            instance.update(bArr);
            return bd.a(instance.digest());
        } catch (Exception e) {
            e.printStackTrace();
            return null;
        }
    }
public static String a(byte[] bArr) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bArr) {
            String hexString = Integer.toHexString(b & 255);
            if (hexString.length() == 1) {
                sb.append('0');
            }
            sb.append(hexString);
        }
        return sb.toString();
    }
 
public static String a(String str, String str2, String str3, String str4) throws Exception {
        SecretKeySpec secretKeySpec = new SecretKeySpec(str3.getBytes(str2), "AES");
        Cipher instance = Cipher.getInstance("AES/CBC/PKCS5Padding");
        instance.init(1, secretKeySpec, new IvParameterSpec(str4.getBytes()));
        return a(instance.doFinal(str.getBytes(str2)));
    }

最终为通过KeyGenerator生成一个32位的key,然后对key进行MD5,最后将其分割

dfid参数解析

通过搜索字符串即可定位到如下函数:

1
2
3
4
5
6
7
public String e() {
        String a2 = com.xxx.fanxing.core.common.fingerprint.a.a();
        return TextUtils.isEmpty(a2) ? "-" : a2;
    }
 
a2 -> share_data -> device_fingerprint
通过sharedPreferences读取了文件名为share_data里的device_fingerprint字段

pk参数解析

1
2
3
4
5
6
7
8
hashMap.put("pk", com.xxx.fanxing.core.protocol.g.a.a(String.valueOf(currentTimeMillis), a2));
 
public static String a(String str, String str2) throws Exception {
        HashMap hashMap = new HashMap();
        hashMap.put("clienttime_ms", str);
        hashMap.put(ao.M, str2);
        return com.xxx.common.player.kugouplayer.a.d(hashMap);
    }
1
2
str为时间戳,str2为AES随机密钥
组成形式如下:

{"clienttime_ms":"1647829236357","key":"E96E510C296711ECEA6C85CAF6152F4D"}

 

最终调用native层的cc::i加密方法

 

 

PUBKEY:

MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD2DT4odzkDd7hMlZ7djdZQH12j38nKxriINW1MGjMry3tXheya113xwmbBOwN0GA4zTwKFauFJRzcsD0nDFq1eaatcFKeDF25R4dnQRX+4BdTwFVS8lIb8nJMluSBwK+i4Z3VF+gfZ0AqQOXda6lJ4jPBt9Ep7VXEAHXUDn9JM8wIDAQAB

 

Python版RSA_NOPADDING加密方法实现:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
import rsa
import base64
from Crypto.PublicKey import RSA
 
 
def zfillStrToBin(s):
    b = bytes(s.encode())
    for i in range(128 - len(b)):
        b += b'\0'
    print(len(b))
    return b
 
 
class RsaNopadding:
 
    def __init__(self, key):
        self.pubkey = RSA.importKey(base64.b64decode(key))
 
    def encrypt(self, message):
        kLen = rsa.common.byte_size(self.pubkey.n)
        msg = zfillStrToBin(message)
        _b = rsa.transform.bytes2int(msg)
        _i = rsa.core.encrypt_int(_b, self.pubkey.e, self.pubkey.n)
        result = rsa.transform.int2bytes(_i, kLen)
        return result.hex().upper()
 
 
message = '{"clienttime_ms":"1647829236357","key":"E96E510C296711ECEA6C85CAF6152F4D"}'
msg = RsaNopadding(
    "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD2DT4odzkDd7hMlZ7djdZQH12j38nKxriINW1MGjMry3tXheya113xwmbBOwN0GA4zTwKFauFJRzcsD0nDFq1eaatcFKeDF25R4dnQRX+4BdTwFVS8lIb8nJMluSBwK+i4Z3VF+gfZ0AqQOXda6lJ4jPBt9Ep7VXEAHXUDn9JM8wIDAQAB")
print(msg.encrypt(message))

t1参数解析

1
String t1 = com.xxx.common.player.kugouplayer.a.b(null);

最终调用native层的cc::d方法

 

 

这里只分析f4函数内关键步骤部分:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
int __fastcall f4(int a1)
{
LABEL_44:                                       // 走这
  v76[0] = (int)v76;
  v76[1] = (int)v76;
  v76[2] = 0;
  v77 = 0;
  v78 = 0;
  v79 = 0;
  std::string::__init((int)&v77, (int)&aEia[2], 1);
  v34 = v77;
  v35 = v78;
  v77 = 0;
  v78 = 0;
  v103 = v34;
  v104 = v35;
  v105 = v79;
  v79 = 0;
  std::string::basic_string((int)v106, (int)&v66);
  std::list<std::pair<std::string,std::string>>::push_back((int)v76, (int)&v103);
  std::string::~string((int)v106);
  std::string::~string((int)&v103);
  std::string::~string((int)&v77);
  v80 = 0;
  v81 = 0;
  v82 = 0;
  std::string::__init((int)&v80, (int)"b", 1);
  f5(&v83);                                     // daytime
  v36 = v80;
  v37 = v81;
  v38 = v82;
  v80 = 0;
  v81 = 0;
  v82 = 0;
  v103 = v36;
  v104 = v37;
  v105 = v38;
  v39 = v83;
  v40 = v84;
  v41 = v85;
  v83 = 0;
  v84 = 0;
  v85 = 0;
  v106[0] = v39;
  v106[1] = v40;
  v106[2] = v41;
  std::list<std::pair<std::string,std::string>>::push_back((int)v76, (int)&v103);
  std::string::~string((int)v106);
  std::string::~string((int)&v103);
  std::string::~string((int)&v83);
  std::string::~string((int)&v80);
  f9((int)v86, (int)v76);
  v87 = 0;
  v42 = v107;
  v88 = 0;
  v89 = 0;
  v95[0] = 0;
  v95[1] = 0;
  v95[2] = 0;
  v43 = aBdeaed243193ce;                        // v42=bdeaed243193ce1i#~DC<M[g
  do
  {
    v44 = *(_DWORD *)v43;
    v43 += 8;
    v45 = *((_DWORD *)v43 - 1);
    *(_DWORD *)v42 = v44;                       // 整个循环将bdeaed243193ce1i#~DC<M[g扩展到bdeaed243193ce1i#~DC<M[g..=2..~4
    *((_DWORD *)v42 + 1) = v45;
    v42 += 8;
  }
  while ( v43 != (const char *)&unk_D90E4 );
  v103 = 0;
  v104 = 0;
  v105 = 0;
  std::string::__init((int)&v103, (int)v107, 32);// v105=v109=bdeaed243193ce1i#~DC<M[g..=2..~4
                                                // 62 64 65 61 65 64 32 34 33 31 39 33 63 65 31 69
                                                // 23 7E 44 43 3C 4D 5B 67 7F 0E 3D 32 01 2E 7E 34
  v46 = (unsigned __int8)v103;
  if ( (v103 & 1) == 0 )
    v46 = (int)(unsigned __int8)v103 >> 1;
  if ( (v103 & 1) != 0 )
    v46 = v104;
  v47 = v46 - 2;
  do
  {
    if ( v47 < 0 )
      break;
    v48 = (v103 & 1) != 0 ? v105 : (int *)((char *)&v103 + 1);
    v49 = (char *)v48 + v47;                    // 转换v105为bdeaed243193ce11ac913bbd48d340a4
    v50 = (v103 & 1) != 0 ? v105 : (int *)((char *)&v103 + 1);
    v51 = *((_BYTE *)v50 + v47);
    v52 = (char *)&unk_D90E4 + v47 - v46;
    --v47;
    *v49 = v51 ^ v52[17];
  }
  while ( v47 != v46 - 18 );
  std::string::basic_string((int)&v100, (int)&v103);
  std::string::~string((int)&v103);
  v53 = v107;
  v54 = aAc913bbd48d340;                        // v54 = ac913bbd48d340a41234567890qwertyuiopasdfghjklzxcvbnm.
  do
  {
    v55 = *(_DWORD *)v54;
    v54 += 8;
    v56 = *((_DWORD *)v54 - 1);
    *(_DWORD *)v53 = v55;                       // 整个循环将ac913bbd48d340a41234567890qwertyuiopasdfghjklzxcvbnm.转换为ac913bbd48d340a4
    *((_DWORD *)v53 + 1) = v56;
    v53 += 8;
  }
  while ( v54 != &aAc913bbd48d340[16] );
  v103 = 0;
  v104 = 0;
  v105 = 0;
  std::string::__init((int)&v103, (int)v107, 16);// v103=v107=ac913bbd48d340a4
  std::string::basic_string((int)v99, (int)&v103);
  std::string::~string((int)&v103);
  sub_394FC(1, v86, v95, (unsigned __int8 *)&v100, v99);// AES加密
  std::string::~string((int)v99);
  std::string::~string((int)&v100);
  f11((int)&v96, (int)v95);                     // HEX格式化
  v58 = v87 & 1;
  if ( (v87 & 1) != 0 )
  {
    v57 = v89;
    v58 = 0;
  }
  else
  {
    BYTE1(v87) = v87 & 1;
  }
  if ( (v87 & 1) != 0 )
  {
    *v57 = v58;
    v88 = v58;
  }
  else
  {
    LOBYTE(v87) = v58;
  }
  std::string::reserve((int)&v87, 0);
  v59 = v96;
  v60 = v97;
  v61 = v98;
  v96 = 0;
  v97 = 0;
  v98 = 0;
  v87 = v59;
  v88 = v60;
  v89 = (_BYTE *)v61;
  std::string::~string((int)&v96);
  std::string::~string((int)v95);
  if ( (*(_BYTE *)a1 & 1) != 0 )
  {
    **(_BYTE **)(a1 + 8) = 0;
    *(_DWORD *)(a1 + 4) = 0;
  }
  else
  {
    *(_BYTE *)(a1 + 1) = 0;
    *(_BYTE *)a1 = 0;
  }
  std::string::reserve(a1, 0);
  v62 = v87;
  v63 = v88;
  v64 = (int)v89;
  v87 = 0;
  v88 = 0;
  v89 = 0;
  *(_DWORD *)a1 = v62;
  *(_DWORD *)(a1 + 4) = v63;
  *(_DWORD *)(a1 + 8) = v64;
  std::string::~string((int)&v87);
  std::string::~string((int)v86);
  std::__list_imp<std::pair<std::string,std::string>>::clear(v76);
  std::string::~string((int)&v66);
  return a1;
}

cc::d方法里为AES_256_CBC_ENCRYPT

 

encData: |1649905000102

 

key:bdeaed243193ce11ac913bbd48d340a4

 

iv:ac913bbd48d340a4

t2参数解析

1
String t2 = com.xxx.common.player.kugouplayer.a.c(null);

最终调用native层的cc::e方法

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
int __fastcall cc::e(_JNIEnv *a1)
{
  sub_346F4(&v33);
  v34[2] = 0;
  v34[0] = (int)v34;
  v34[1] = (int)v34;
  v35 = 0;
  v36 = 0;
  v37 = 0;
  std::string::__init((int)&v35, (int)&aEia[2], 1);
  cc::h4((int)&v38, a1);                        // 获取ANDROID_ID
  v2 = v35;
  v3 = v36;
  v35 = 0;
  v36 = 0;
  v66 = v2;
  v67 = v3;
  v68 = v37;
  v4 = v38;
  v5 = v39;
  v37 = 0;
  v38 = 0;
  v39 = 0;
  v69 = v4;
  v70 = v5;
  v71 = v40;
  v40 = 0;
  std::list<std::pair<std::string,std::string>>::push_back(v34, &v66);
  std::pair<std::string,std::string>::~pair(&v66);
  std::string::~string((int)&v38);
  std::string::~string((int)&v35);
  v41 = 0;
  v42 = 0;
  v43 = 0;
  std::string::__init((int)&v41, (int)"b", 1);
  cc::h5((int)&v44, a1);                        // 获取DeviceId
  v6 = v41;
  v7 = v42;
  v8 = v43;
  v41 = 0;
  v42 = 0;
  v43 = 0;
  v66 = v6;
  v67 = v7;
  v68 = v8;
  v9 = v44;
  v10 = v45;
  v11 = v46;
  v44 = 0;
  v45 = 0;
  v46 = 0;
  v69 = v9;
  v70 = v10;
  v71 = v11;
  std::list<std::pair<std::string,std::string>>::push_back(v34, &v66);
  std::pair<std::string,std::string>::~pair(&v66);
  std::string::~string((int)&v44);
  std::string::~string((int)&v41);
  v47 = 0;
  v48 = 0;
  v49 = 0;
  std::string::__init((int)&v47, (int)"c", 1);
  cc::h6((cc *)&v50, a1);                       // 获取network HardwareAddress
  v12 = v47;
  v13 = v48;
  v14 = v49;
  v47 = 0;
  v48 = 0;
  v49 = 0;
  v66 = v12;
  v67 = v13;
  v68 = v14;
  v15 = v50;
  v16 = v51;
  v17 = v52;
  v50 = 0;
  v51 = 0;
  v52 = 0;
  v69 = v15;
  v70 = v16;
  v71 = v17;
  std::list<std::pair<std::string,std::string>>::push_back(v34, &v66);
  std::pair<std::string,std::string>::~pair(&v66);
  std::string::~string((int)&v50);
  std::string::~string((int)&v47);
  v53 = 0;
  v54 = 0;
  v55 = 0;
  std::string::__init((int)&v53, (int)"d", 1);
  cc::h8((cc *)&v56, a1);                       // 获取手机的型号设备名称
  v18 = v53;
  v19 = v54;
  v20 = v55;
  v53 = 0;
  v54 = 0;
  v55 = 0;
  v66 = v18;
  v67 = v19;
  v68 = v20;
  v21 = v56;
  v22 = v57;
  v23 = v58;
  v56 = 0;
  v57 = 0;
  v58 = 0;
  v69 = v21;
  v70 = v22;
  v71 = v23;
  std::list<std::pair<std::string,std::string>>::push_back(v34, &v66);
  std::pair<std::string,std::string>::~pair(&v66);
  std::string::~string((int)&v56);
  std::string::~string((int)&v53);
  v59 = 0;
  v60 = 0;
  v61 = 0;
  std::string::__init((int)&v59, (int)aEia, 1);
  f5();                                         // daytime
  v24 = v59;
  v25 = v60;
  v26 = v61;
  v59 = 0;
  v60 = 0;
  v61 = 0;
  v66 = v24;
  v67 = v25;
  v68 = v26;
  v27 = v62;
  v28 = v63;
  v29 = v64;
  v62 = 0;
  v63 = 0;
  v64 = 0;
  v69 = v27;
  v70 = v28;
  v71 = v29;
  std::list<std::pair<std::string,std::string>>::push_back(v34, &v66);
  std::pair<std::string,std::string>::~pair(&v66);
  std::string::~string((int)&v62);
  std::string::~string((int)&v59);
  f9(v65, v34);                                 // 合并string
  f6(&v66, v65);                                // aes
  if ( (v66 & 1) != 0 )
    v30 = v68;
  else
    v30 = (char *)&v66 + 1;
  v31 = _JNIEnv::NewStringUTF(a1, v30);
  std::string::~string((int)&v66);
  std::string::~string((int)v65);
  std::__list_imp<std::pair<std::string,std::string>>::clear(v34);
  cc::sp<cc::RefJObject>::~sp(&v33);
  return v31;
}

f6函数内部逻辑与t1的f4函数一致

 

cc::e方法里为AES_256_CBC_ENCRYPT

 

encData: ||9eea2d301e53|Pixel 4|1649905000118
key:dc8e123f07636a41361b62235fc313ac
iv:361b62235fc313ac

key参数解析

com.xxx.fanxing.core.protocol.g.e.c

1
map.put(ao.M, com.xxx.fanxing.allinone.common.utils.ao.a("" + this.b + this.e + getVersion() + String.valueOf(this.h).toLowerCase()));

ao.m = key

com.xxx.fanxing.allinone.common.d.a

public static int g() {
return 1131;
}

this.b = AppId

com.xxx.fanxing.allinone.common.d.a

public static String h() {
return "4lu0l3cujt2KWIjcM374F8oX5N2lGY59";
}

this.e = AppKey=“4lu0l3cujt2KWIjcM374F8oX5N2lGY59”

getVersion = APPVersion

public int getVersion() {
return y.s();
}

55400

 

this.h = clienttime_ms

 

key = MD5("" + AppId + AppKey + APPVersion + String.valueOf(this.h).toLowerCase())

signature参数解析

com.xxx.fanxing.allinone.watch.common.protocol.user.a

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
public String a(String str, int i, String str2, String str3) {
        StringBuilder sb = new StringBuilder(str);
        StringBuilder sb2 = new StringBuilder();
        sb.append("?");
        sb.append("appid=");
        sb.append(this.b);
        sb2.append("appid=");
        sb2.append(this.b);
        sb.append("&clienttime=");
        sb.append(i);
        sb2.append("clienttime=");
        sb2.append(i);
        int version = getVersion();
        sb.append("&clientver=");
        sb.append(version);
        sb2.append("clientver=");
        sb2.append(version);
        sb.append("&dfid=");
        sb.append(str2);
        sb2.append("dfid=");
        sb2.append(str2);
        String fxDeviceId = getFxDeviceId();
        sb.append("&mid=");
        sb.append(fxDeviceId);
        sb2.append("mid=");
        sb2.append(fxDeviceId);
        String androidId = getAndroidId();
        sb.append("&uuid=");
        sb.append(androidId);
        sb2.append("uuid=");
        sb2.append(androidId);
        String a2 = com.xxx.fanxing.allinone.common.utils.ao.a(this.e + sb2.toString() + str3 + this.e);
        sb.append("&signature=");
        sb.append(a2);
        return sb.toString();
    }

(agent) [013697] Arguments com.xxx.fanxing.allinone.watch.common.protocol.user.a.a(https://loginservice.kugou.com/v9/login_by_pwd,
1650353888,
1tRbIu1gsMjC2Htvln120WPp,
{"params":"2CA44E5F5D8F189BC68662C0438844D7043484C37D09E7AD1A8A138D44CDCBB0465684EE3C6FD64263174944AD6F2027D0782D9BF64A904432F9FD764CF1C96FF5C90B16DB2932E15FDC56178940207F","clienttime_ms":"1650353888654","support_face_verify":"1","dfid":"1tRbIu1gsMjC2Htvln120WPp","dev":"Pixel%204","plat":"1","pk":"5F03A05AFD4E10B7283A9F2634153FEFA0AF318DD781687BB907DA770614C021921AEB30AB7A808714C132ECA24285E43E6EA2134A91BB79893B10B4024040E32C8EA448463251173D9E412A5B640F240AA601690DDF9A180599F73AA5CF45F8570F6562ABEFA31196CBB0BB31BB6E781974C56A4640CB70D25955D04F3CC7EA","t1":"cdb7d88e278cab7c596af28cfcd873ba","support_verify":"1","support_multi":"1","t2":"c397de1fd7e436639fa90f367c0b47d290831b64f19d803fc09a91ee47bcc1648e5a87f1f934ed09cfb7046dad52253cf564684d5bdef1d67fc91c74d6245335d459ddad1015bb5e96678cc0185b5ea20cc2563d5fc8f040aa77b49c039e40c5e2ca000392eeebfce750e3612ff280f6","key":"ffa858faa437189eb024cdeeb37e372d","username":"130*669"})

com.xxx.fanxing.allinone.common.utils.ao.a(

4lu0l3cujt2KWIjcM374F8oX5N2lGY59

appid=1131clienttime=1650356391clientver=55400dfid=1tRbIu1gsMjC2Htvln120WPpmid=5c539aee628111af4fc4645c761885bfuuid=5c539aee628111af4fc4645c761885bf

{"params":"3FF4D2AB2A549FDBD95EBA40F155635B1E9A5EB353EF147EC459EC47FE18EDE2ED465FAE1E974ABB8605499F1434228E6A30779E0E07DB12A79775A6073EE748709951692C97506CD6384513250870B3","clienttime_ms":"1650356391589","support_face_verify":"1","dfid":"1tRbIu1gsMjC2Htvln120WPp","dev":"Pixel%204","plat":"1","pk":"62A6F1633AD5B9F85007AD597B90157C854A796FEA8D965E110C9D8FB152170E18CF6868F4497E1FAA62F13B257758DF803B2E4ABCF28980207534BE8B8728DFA50A4F00AD2626307B31C850E8ACED450393643C5CE8DD679E1F77186D3CED20DB72E8003C4EF2048EC1942035159EDB2590095D09B6E7A706A72F5E96408212","t1":"512640caae5a66bb98402eda86b5b026","support_verify":"1","support_multi":"1","t2":"c397de1fd7e436639fa90f367c0b47d290831b64f19d803fc09a91ee47bcc1648e5a87f1f934ed09cfb7046dad52253cf564684d5bdef1d67fc91c74d6245335d459ddad1015bb5e96678cc0185b5ea2a4865a6be23bed4a31f7625c6927379348d014b77b354e00181c2e0b1530397a","key":"7e8cfb92bb4be58f9a62e0af4c040783","username":"130*669"}

4lu0l3cujt2KWIjcM374F8oX5N2lGY59)

 

signature=MD5(appkey+appid=1131clienttime=1650356391clientver=55400dfid=1tRbIu1gsMjC2Htvln120WPpmid=5c539aee628111af4fc4645c761885bfuuid=5c539aee628111af4fc4645c761885bf+ post data + appkey)

还原

算法还原Python版


[培训]二进制漏洞攻防(第3期);满10人开班;模糊测试与工具使用二次开发;网络协议漏洞挖掘;Linux内核漏洞挖掘与利用;AOSP漏洞挖掘与利用;代码审计。

最后于 2023-4-14 11:11 被REerr编辑 ,原因:
收藏
点赞4
打赏
分享
最新回复 (2)
wx_nu无情
雪    币: 321
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
私信
wx_nu无情 2022-4-21 13:03
2
0
学到了,感谢大佬
TrumpWY
雪    币: 1058
活跃值: (550)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
TrumpWY 2022-8-11 10:13
3
0
学习大佬,手机号暴露了哈哈
游客
登录 | 注册 方可回帖
 回帖  表情 雪币赚取及消费
高级回复
返回