[Original] Analysis of the latest Luckin Coffee protocol
Posted: 2023-3-21 11:51, 10159 views


The sign goes through md5_crypt, implemented in libcryptDD. It is a plain MD5 over the parameter string with a fixed suffix appended (the suffix used in the code below is 16 characters), and the 16-byte digest is then processed four bytes at a time. The Python below reproduces the signature:

import hashlib


def md5Sign():
    # Parameter string in the field order the app uses; fill in your own values.
    s = "cid=<your cid>;q=<your q>;t=<your timestamp>;uid=<your uid>"
    # Plain MD5 over the string plus the fixed 16-character suffix.
    md5sign = hashlib.md5((s + "puclDGB45KTsGwHb").encode("utf-8")).digest()

    res = ""
    # Walk the 16-byte digest four bytes at a time: each chunk is read as a
    # big-endian signed 32-bit integer, negated if negative, and appended in decimal.
    for i in range(4):
        mr = int.from_bytes(md5sign[i * 4:(i + 1) * 4], byteorder="big", signed=True)
        if mr < 0:
            mr = mr * (-1)
        res += str(mr)
    return res


print(md5Sign())

That yields the sign.
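As an added example (not code from the post or from the app), a more general version of the same sign routine: the parameter string is assembled from its fields, the digest-to-sign step is split out so it can be fed a digest directly, and a flag lets it emulate 32-bit arithmetic. The field order (cid, q, t, uid) and the suffix are taken from the post; whether the app sorts keys or uses a fixed list is not stated there, so that order is an assumption. The 32-bit flag covers a corner case worth checking against real libcryptDD output: if the native code negates the chunk as an int32, the digest chunk 0x80000000 stays -2147483648 (the post's Python yields 2147483648). The post does not say what the native code does here, so treat this as something to verify, not as fact. The sample cid/q/t/uid values at the bottom are constructed.

```python
import hashlib
import struct

# Fixed suffix from the post's reproduction of the sign routine.
SIGN_SALT = "puclDGB45KTsGwHb"


def build_param_string(cid: str, q: str, t: str, uid: str) -> str:
    """Assemble the signed string in the field order shown in the post.

    Assumption: the app may sort keys or use a fixed list; the post only
    shows this one order.
    """
    return f"cid={cid};q={q};t={t};uid={uid}"


def digest_to_sign(digest: bytes, wrap32: bool = False) -> str:
    """Turn a 16-byte MD5 digest into the sign string.

    Each 4-byte chunk is read as a big-endian signed int32 and negated when
    negative, then the four decimal strings are concatenated.  With
    wrap32=True the negation is done in 32-bit two's-complement arithmetic,
    which is what a native `-x` / abs() on an int32 would do: the chunk
    0x80000000 then stays -2147483648 instead of becoming 2147483648.
    """
    if len(digest) != 16:
        raise ValueError("expected a 16-byte MD5 digest")
    parts = []
    for (chunk,) in struct.iter_unpack(">i", digest):
        if chunk < 0:
            chunk = -chunk
            if wrap32 and chunk == 2**31:  # -(-2^31) overflows an int32
                chunk = -(2**31)
        parts.append(str(chunk))
    return "".join(parts)


def md5_sign(cid: str, q: str, t: str, uid: str, wrap32: bool = False) -> str:
    """Full sign computation: MD5(params + SIGN_SALT) -> four-chunk transform."""
    s = build_param_string(cid, q, t, uid)
    digest = hashlib.md5((s + SIGN_SALT).encode("utf-8")).digest()
    return digest_to_sign(digest, wrap32)


def reference_sign(s: str) -> str:
    """Line-for-line port of the post's loop, used to cross-check md5_sign."""
    md5sign = hashlib.md5((s + SIGN_SALT).encode("utf-8")).digest()
    res = ""
    for i in range(4):
        mr = int.from_bytes(md5sign[i * 4:(i + 1) * 4], byteorder="big", signed=True)
        if mr < 0:
            mr = mr * (-1)
        res += str(mr)
    return res


if __name__ == "__main__":
    # Constructed sample values, not captured from the app.
    print(md5_sign("12345", "abc", "1679370000", "99"))
```

Because each chunk is turned into a decimal string of variable length, the sign is not fixed-width and cannot be split back into its four chunks unambiguously; that is fine for the server, which recomputes it, but it means a sign alone cannot be checked for "well-formedness" beyond being all digits.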
Body decryption and q both go through white-box AES. The call is the AESworks routine, and its output is base64 with '/' replaced by '_' and '+' by '-' (the URL-safe alphabet). The routine's second parameter selects the mode: 2 for encryption, 3 for decryption.
Encryption:

//emulator.traceCode(module.base+0xA0FC,module.base+0x000AC50);
ArrayList<Object> list = new ArrayList<>(10);
list.add(vm.getJNIEnv());
list.add(0);                      // jclass/jobject slot, unused here
//String param1 = getTemplateContent();
String param1 = "{\"appversion\":\"5115\"}";   // plaintext to encrypt
list.add(vm.addLocalObject(new ByteArray(vm, param1.getBytes(StandardCharsets.UTF_8))));
list.add(2);                      // mode: 2 = encrypt
// 32-byte array passed as the last argument (its role is not described here)
byte[] b = new byte[]{6,103,-107,-119,-40,18,-106,-8,-1,-59,-47,-49,70,50,15,-10,73,9,-6,80,-38,87,98,16,114,-89,108,124,97,-82,52,59};
list.add(vm.addLocalObject(new ByteArray(vm, b)));
Number number = module.callFunction(emulator, 0x2286d, list.toArray());
byte[] result = (byte[]) vm.getObject(number.intValue()).getValue();
Inspector.inspect(result, "localAESWork4Api_result");
// Standard base64, then switch to the URL-safe alphabet as the app does
byte[] encodedHexB64 = Base64.encodeBase64(result);
System.out.println(new String(encodedHexB64, StandardCharsets.US_ASCII).replace('/', '_').replace('+', '-'));

Decryption:

//emulator.traceCode(module.base+0xA0FC,module.base+0x000AC50);
ArrayList<Object> list = new ArrayList<>(10);
list.add(vm.getJNIEnv());
list.add(0);                      // jclass/jobject slot, unused here
//String param1 = getTemplateContent();
String param1 = "uGBe_7dJNAkQS0hyPTzYUdZpESQgV6cg5QTn5M1KdHs=";
// Java strings are immutable: assign the replace() result back, or the swap is lost
param1 = param1.replace('_', '/').replace('-', '+');
byte[] decodedHexB64 = Base64.decodeBase64(param1);
list.add(vm.addLocalObject(new ByteArray(vm, decodedHexB64)));
list.add(3);                      // mode: 3 = decrypt
// same 32-byte array as on the encryption side
byte[] b = new byte[]{6,103,-107,-119,-40,18,-106,-8,-1,-59,-47,-49,70,50,15,-10,73,9,-6,80,-38,87,98,16,114,-89,108,124,97,-82,52,59};
list.add(vm.addLocalObject(new ByteArray(vm, b)));
Number number = module.callFunction(emulator, 0x2286d, list.toArray());
byte[] result = (byte[]) vm.getObject(number.intValue()).getValue();
Inspector.inspect(result, "localAESWorks_result");

System.out.println(new String(result, StandardCharsets.UTF_8));
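A small Python helper, added here as an example and not part of the post or of the app's code, for the transport encoding described above: it applies the same '/' to '_' and '+' to '-' substitution, undoes it (assigning the result of replace, since str.replace returns a new string), confirms the substitution is exactly the standard URL-safe base64 alphabet, and checks that the sample ciphertext from the decryption step decodes to a whole number of 16-byte AES blocks. The sample ciphertext and the 21-byte sample plaintext are the ones used in the post; padded_length assumes PKCS#7-style padding to a full block, which the post does not state, and whether the sample ciphertext is the encryption of that sample plaintext is likewise not stated.

```python
import base64

# Sample ciphertext taken from the post's decryption example.
SAMPLE_CIPHERTEXT_B64 = "uGBe_7dJNAkQS0hyPTzYUdZpESQgV6cg5QTn5M1KdHs="
# Plaintext used in the post's encryption example (21 bytes).
SAMPLE_PLAINTEXT = '{"appversion":"5115"}'
AES_BLOCK = 16


def wrap_transport(raw: bytes) -> str:
    """Standard base64, then '/' -> '_' and '+' -> '-', as the app does."""
    return base64.b64encode(raw).decode("ascii").replace("/", "_").replace("+", "-")


def unwrap_transport(text: str) -> bytes:
    """Inverse of wrap_transport.

    str.replace returns a new string, so its result must be assigned.  Strict
    decoding rejects anything outside the base64 alphabet, e.g. an '_' left
    in by a forgotten assignment.
    """
    std = text.replace("_", "/").replace("-", "+")
    return base64.b64decode(std, validate=True)


def matches_stdlib(raw: bytes) -> bool:
    """The substitution is exactly the RFC 4648 URL-safe alphabet."""
    return wrap_transport(raw) == base64.urlsafe_b64encode(raw).decode("ascii")


def padded_length(plaintext_len: int, block: int = AES_BLOCK) -> int:
    """Ciphertext length for a block cipher with PKCS#7 padding to a full block.

    Assumption: the post does not say how the white-box AES pads.
    """
    return (plaintext_len // block + 1) * block


def ciphertext_blocks(text: str) -> int:
    """Unwrap a transport-encoded ciphertext and return its block count.

    Lengths that are not a multiple of the block size are rejected; a padded
    block mode (ECB/CBC) can never produce them.
    """
    raw = unwrap_transport(text)
    if len(raw) == 0 or len(raw) % AES_BLOCK:
        raise ValueError(f"{len(raw)} bytes is not a whole number of AES blocks")
    return len(raw) // AES_BLOCK


if __name__ == "__main__":
    print(ciphertext_blocks(SAMPLE_CIPHERTEXT_B64), "blocks in the sample ciphertext")
    print(padded_length(len(SAMPLE_PLAINTEXT)), "bytes expected for the sample plaintext")
```

The sample ciphertext unwraps to 32 bytes, which is the length a 16-byte block cipher with padding would produce for the 21-byte sample plaintext; that agreement is consistent with the two snippets being inverses, but it is not proof that this particular ciphertext was produced from that particular plaintext.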

For now I have just driven it through unidbg; I will dig further when I have time. I originally wanted to hand-implement the white-box AES. At that point the encryption result has already been assigned; the pile of methods crammed together below it reads the input and permutes it. (I did this a while ago and no longer have the screenshots; you can find it yourself.) Since I had no time to analyze it, I simply ran it under unidbg; next time, if time permits, I will restore the algorithm.


Latest replies (4)
#2
Awesome!
2023-3-25 17:59
#3
e11K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6V1j5i4u0T1M7X3q4Q4x3V1k6K6K9h3N6F1i4K6u0r3j5X3I4G2j5W2)9J5c8X3#2S2M7%4c8W2M7W2)9J5c8X3y4G2L8g2)9J5k6h3I4#2j5$3E0&6i4K6u0W2L8q4)9J5b7i4c8Q4x3X3c8Q4x3U0g2q4y4#2)9J5y4e0V1I4i4K6t1#2z5f1g2Q4x3V1q4Q4x3U0g2q4y4g2)9J5y4e0V1J5i4K6t1#2z5e0k6Q4x3U0g2q4y4g2)9J5y4e0V1#2i4K6t1#2b7e0q4Q4x3X3b7@1i4K6u0W2y4q4)9J5k6e0m8Q4x3X3g2@1P5s2c8Q4x3U0k6F1j5Y4y4H3i4K6y4n7i4K6t1$3L8X3u0K6M7q4)9K6b7W2)9J5y4X3&6T1M7%4m8Q4x3@1u0Q4c8e0N6Q4b7V1c8Q4z5e0q4Q4c8e0c8Q4b7U0S2Q4z5p5q4Q4c8e0k6Q4z5f1y4Q4z5o6W2Q4c8e0g2Q4z5o6g2Q4b7f1y4Q4c8e0g2Q4b7V1y4Q4z5o6m8Q4c8e0N6Q4z5f1q4Q4z5o6c8Q4x3U0k6F1j5Y4y4H3i4K6y4n7i4K6t1$3L8X3u0K6M7q4)9K6b7W2)9J5y4X3&6T1M7%4m8Q4x3@1u0Q4c8e0k6Q4z5o6c8Q4z5f1k6Q4c8e0S2Q4b7e0N6Q4z5o6V1J5i4@1f1#2i4@1t1&6i4@1t1@1i4@1f1#2i4@1p5@1i4K6W2m8i4@1f1@1i4@1u0m8i4K6R3$3i4@1f1&6i4K6R3K6i4@1u0p5i4@1f1$3i4@1t1J5i4@1p5I4i4@1f1#2i4K6S2r3i4K6V1^5
2023-3-25 18:11
#4
Nice, keep the updates coming, thanks~
2023-4-29 19:39
#5
Is there a sample?
2024-4-12 18:39