This time I'm sharing a parameter analysis of the login API of the iOS *车之家 app (for learning only; strictly no mischief =。=). This is a beginner-level post; experts please skip.
Packet capture uses Charles; install it and configure the certificate yourself.
Capture the login API by tapping account login. Testing the capture with the fake credentials 123456 / 123456, the capture succeeds.
The login page requires three inputs, account / password / captcha, corresponding to the fields logincode / userpwd / validcode.
logincode is a string: the entered account with %3 prepended as a prefix.
userpwd is an encrypted string that still needs analysis.
validcode is the captcha in plaintext.
After capturing several times, the remaining fields turn out to be device information and can stay unchanged. _timestamp is a 10-digit timestamp; _sign changes on every request and still needs analysis.
Before analysis, export the .app folder containing the Mach-O file from 爱思助手.
Check whether the Mach-O file needs to be decrypted (dumped).
Locate the Mach-O file:
Use otool to check whether it is still encrypted. 1: still encrypted; 0: decrypted.
Dump the binary with frida-ios-dump.
The app must be fully launched before dumping; if dumping stalls, retry.
Dumping produces an ipa; just unzip it.
Running otool again shows cryptid 1 has become cryptid 0, meaning the dump is complete.
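To make the otool check above repeatable, here is an added example (not from the original post) that parses `otool -l` output for the LC_ENCRYPTION_INFO load command and reports whether a dump is still needed. The sample output is constructed from the cryptoff/cryptsize values shown in the post; the full load-command layout is assumed from otool's usual format.

```python
import subprocess
from typing import Optional

# Constructed sample of `otool -l` output, using the values the post shows
# (cryptoff 16384, cryptsize 28295168); only the encryption load command is included.
ENCRYPTED_SAMPLE = """Load command 28
          cmd LC_ENCRYPTION_INFO_64
      cmdsize 24
     cryptoff 16384
    cryptsize 28295168
      cryptid 1
          pad 0
"""


def parse_encryption_info(otool_output: str) -> Optional[dict]:
    """Extract cryptoff / cryptsize / cryptid from otool -l text.

    Returns None when no LC_ENCRYPTION_INFO(_64) command is present, i.e. the
    binary was never App Store encrypted. For a fat binary the last slice wins,
    so slice it to one architecture first.
    """
    info = {}
    for line in otool_output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] in ("cryptoff", "cryptsize", "cryptid"):
            info[parts[0]] = int(parts[1])
    return info if "cryptid" in info else None


def needs_dump(otool_output: str) -> bool:
    """cryptid 1 means the __TEXT segment is still encrypted and must be dumped."""
    info = parse_encryption_info(otool_output)
    return bool(info and info["cryptid"] == 1)


def check_binary(path: str) -> bool:
    """Run otool on a real Mach-O (macOS with Xcode tools) and apply the same check."""
    out = subprocess.run(["otool", "-l", path], capture_output=True,
                         text=True, check=True).stdout
    return needs_dump(out)


if __name__ == "__main__":
    print("still encrypted:", needs_dump(ENCRYPTED_SAMPLE))
```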
Now start analyzing the userpwd parameter. Open the Mach-O file Autohome in IDA and search for the string userpwd.
Click the first hit to jump to it, then press Tab to switch to pseudocode.
The pseudocode contains MD5 references, suspected to be uppercase MD5. Testing on an online MD5 site confirms it is plain uppercase MD5 with no modification at all. The _sign string "looks" similar to userpwd, so it may be MD5 too. iOS uses CC_MD5 for MD5, so we hook CC_MD5 directly with frida.
After hooking CC_MD5 and going through the printed log, a suspicious entry appears right below the userpwd MD5 log: a 312-character string. Testing it on the online site, its hash is indeed the value of _sign.
Next, analyzing the string from which _sign is generated shows it is a concatenation of the parameters from the capture; the concatenation code is as follows. That concludes the _sign analysis.
The login API's userpwd and _sign have now both been analyzed. It's quite simple: just uppercase MD5 without any modification; anyone familiar with the algorithm would have spotted it right away. Unfortunately I'm not one of them.
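The manual step of pasting CC_MD5 hook output into an online MD5 site can be done offline. This added example (not code from the post or the app) reads a hook log, hashes each logged input with uppercase MD5 and reports which one matches a value seen in the capture; the "CC_MD5 in: " log format, the hook log itself and the parameter placeholder are constructed for the example, since the post does not show the concatenation order.

```python
import hashlib
from typing import List, Optional


def upper_md5(text: str) -> str:
    """Uppercase hex MD5, the only transform the post found on userpwd and _sign."""
    return hashlib.md5(text.encode("utf-8")).hexdigest().upper()


def preimages_from_hook_log(log_text: str, prefix: str = "CC_MD5 in: ") -> List[str]:
    """Collect the strings a CC_MD5 hook logged (line format assumed for this example)."""
    return [line[len(prefix):] for line in log_text.splitlines() if line.startswith(prefix)]


def find_preimage(preimages: List[str], observed_digest: str) -> Optional[str]:
    """Return the logged input whose uppercase MD5 equals a value from the capture."""
    target = observed_digest.strip().upper()
    for candidate in preimages:
        if upper_md5(candidate) == target:
            return candidate
    return None


# Constructed hook log: the test password from the post, an unrelated MD5 call,
# and a placeholder standing in for the 312-character parameter concatenation.
HOOK_LOG = """CC_MD5 in: some_cache_key
CC_MD5 in: 123456
CC_MD5 in: <concatenated request parameters, placeholder>
"""

# "Captured" values for the sample: userpwd is MD5("123456") uppercased, as in the
# post; _sign is derived from the placeholder so the sample stays self-consistent.
CAPTURED_USERPWD = "E10ADC3949BA59ABBE56E057F20F883E"
CAPTURED_SIGN = upper_md5("<concatenated request parameters, placeholder>")


def triage() -> dict:
    """Match each captured value to the hook input that produced it."""
    preimages = preimages_from_hook_log(HOOK_LOG)
    return {
        "userpwd_input": find_preimage(preimages, CAPTURED_USERPWD),
        "sign_input": find_preimage(preimages, CAPTURED_SIGN),
        # An unsalted password hash: equal passwords always give equal userpwd values.
        "unsalted_password_hash": upper_md5("123456") == CAPTURED_USERPWD,
    }


if __name__ == "__main__":
    print(triage())
```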
file Payload/Autohome.app/* | grep Mach-O
Payload/Autohome.app/Autohome: Mach-O 64-bit executable arm64
% otool -l Payload/Autohome.app/Autohome | grep crypt
     cryptoff 16384
    cryptsize 28295168
      cryptid 1
void __cdecl -[LOGThirdBindService bindThirdLogincode:userpwd:platformid:token:tokensecret:orginalname:openid:unionId:position:](LOGThirdBindService *self, SEL a2, id a3, id a4, int a5, id a6, id a7, id a8, id a9, id a10, int a11)
{
  id v11; // x23
  id v12; // x22
  id v13; // x21
  int v14; // w27
  id v15; // x20
  LOGThirdBindService *v16; // x25
  __int64 v17; // x1
  void *v18; // x20
  __int64 v19; // x1
  __int64 v20; // x21
  __int64 v21; // x1
  __int64 v22; // x1
  __int64 v23; // x1
  __int64 v24; // x1
  void *v25; // x0
  int v26; // w19
  NSMutableDictionary *v27; // x19
  void *v28; // x0
  __int64 v29; // x0
  NSMutableDictionary *v30; // x19
  void *v31; // x0
  void *v32; // x0
  NSMutableDictionary *v33; // x28
  void *v34; // x0
  NSMutableDictionary *v35; // x19
  void *v36; // x0
  NSMutableDictionary *v37; // x19
  void *v38; // x0
  NSMutableDictionary *v39; // x19
  __int64 v40; // x0
  __int64 v41; // x0
  __int64 v42; // x27
  void *v43; // [xsp+20h] [xbp-90h]
  __int64 v44; // [xsp+50h] [xbp-60h]
  char v45; // [xsp+58h] [xbp-58h]

  v11 = a8;
  v12 = a7;
  v13 = a6;
  v14 = a5;
  v15 = a4;
  v16 = self;
  v43 = (void *)objc_retain(a3, a2);
  v18 = (void *)objc_retain(v15, v17);
  v20 = objc_retain(v13, v19);
  objc_retain(v12, v21);
  objc_retain(v11, v22);
  objc_retain(a9, v23);
  objc_retain(a10, v24);
  sub_1016C6940((void *)v16->postDataDic);
  v25 = sub_1016769C0(&OBJC_CLASS___AHUserSettings);
  objc_retainAutoreleasedReturnValue(v25);
  v26 = sub_1016978E0();
  objc_release();
  if ( v26 )
  {
    v27 = v16->postDataDic;
    v28 = sub_1016769C0(&OBJC_CLASS___AHUserSettings);
    objc_retainAutoreleasedReturnValue(v28);
    v29 = sub_10167D700();
    objc_retainAutoreleasedReturnValue(v29);
    sub_1017025E0((void *)v27);
    objc_release();
    objc_release();
  }
  v30 = v16->postDataDic;
  v31 = sub_101728CE0(v43);
  objc_retainAutoreleasedReturnValue(v31);
  sub_1017025E0((void *)v30);
  objc_release();
  v32 = -[LPNode count]_0(v18);
  v33 = v16->postDataDic;
  if ( v32 )
  {
    v34 = sub_10162E040(&OBJC_CLASS___AHMD5);
    objc_retainAutoreleasedReturnValue(v34);
    sub_1017025E0((void *)v33);
    objc_release();
  }
  else
  {
    sub_1017025E0((void *)v16->postDataDic);
  }
  v35 = v16->postDataDic;
  v36 = sub_1016AAC00(&OBJC_CLASS___NSNumber);
  objc_retainAutoreleasedReturnValue(v36);
  sub_1017025E0((void *)v35);
  objc_release();
  if ( !v20 )
    objc_release();
  sub_1017025E0((void *)v16->postDataDic);
  sub_1017025E0((void *)v16->postDataDic);
  sub_1017025E0((void *)v16->postDataDic);
  sub_1017025E0((void *)v16->postDataDic);
  if ( v14 == 26 )
    sub_1017025E0((void *)v16->postDataDic);
  v37 = v16->postDataDic;
  v38 = sub_1016AAC00(&OBJC_CLASS___NSNumber);
  objc_retainAutoreleasedReturnValue(v38);
  sub_1017025E0((void *)v37);
  objc_release();
  sub_1017025E0((void *)v16->postDataDic);
  v39 = v16->postDataDic;
  v40 = sub_1016CB900(&OBJC_CLASS___AHAppSettings);
  objc_retainAutoreleasedReturnValue(v40);
  sub_1017025E0((void *)v39);
  objc_release();
  objc_initWeak(&v45, v16);
  v41 = sub_10172F720(v16);
  v42 = objc_retainAutoreleasedReturnValue(v41);
  objc_copyWeak(&v44, &v45);
  sub_10167B600(v42);
  objc_release();
  objc_destroyWeak(&v44);
  objc_destroyWeak(&v45);
  objc_release();
  objc_release();
  objc_release();
  objc_release();
  objc_release();
  objc_release();
  objc_release();
}
Last edited by andyhah on 2023-6-12 01:08, reason: text inexplicably missing