起首挂上代理抓个登岸包,效果发现抓不到包,我们直接换个思绪,接纳vpn转发方式进行抓包;
sign, hsign,hext-union 三个参数加密;
hsign长度为32,大概为MD5 , 其他两个未确定;
直接上我们的url定位:我直接附加吧
- frida-trace -UF -m "+[NSURL URLWithString:]"
是搞出来点东西,看样子有这个MD5, 先个堆栈追踪;
打开提示目次中的,URLWithString_.js 文件
- C:\Users\Codeooo\__handlers__
- log('堆栈 from:\n' +Thread.backtrace(this.context, Backtracer.ACCURATE).map(DebugSymbol.fromAddress).join('\n') + '\n');
记录下堆栈,砸壳分析一波:
砸壳我这里用的是 CrackerXI ,https://blog.csdn.net/weixin_38927522/article/details/129497173
- 0x1024da038 /var/containers/Bundle/Application/82E81B77-8825-4ABC-A91F-EABC37E3408D/Driver.app/Driver!-[AFHTTPRequestSerializer requestBySerializingRequest:withParameters:error:]
- 0x1024d9380 /var/containers/Bundle/Application/82E81B77-8825-4ABC-A91F-EABC37E3408D/Driver.app/Driver!-[AFHTTPRequestSerializer requestWithMethod:URLString:parameters:error:]
- 0x1038de2a0 /var/containers/Bundle/Application/82E81B77-8825-4ABC-A91F-EABC37E3408D/Driver.app/Driver!-[XYNetworkProxy dataTaskWithHTTPMethod:sessionManager:requestSerializer:URLString:parameters:uploadProgress:downloadProgress:constructingBodyWithBlock:error:]
- 0x1038de1a4 /var/containers/Bundle/Application/82E81B77-8825-4ABC-A91F-EABC37E3408D/Driver.app/Driver!-[XYNetworkProxy dataTaskWithHTTPMethod:sessionManager:requestSerializer:URLString:parameters:uploadProgress:downloadProgress:error:]
- 0x1038de118 /var/containers/Bundle/Application/82E81B77-8825-4ABC-A91F-EABC37E3408D/Driver.app/Driver!-[XYNetworkProxy sessionTaskForRequest:error:]
- 0x1038dd6a8 /var/containers/Bundle/Application/82E81B77-8825-4ABC-A91F-EABC37E3408D/Driver.app/Driver!-[XYNetworkProxy addRequest:]
- 0x1038d89e8 /var/containers/Bundle/Application/82E81B77-8825-4ABC-A91F-EABC37E3408D/Driver.app/Driver!-[XYBaseRequest start]
- 0x1038dc8f8 /var/containers/Bundle/Application/82E81B77-8825-4ABC-A91F-EABC37E3408D/Driver.app/Driver!-[XYNetworkManager getWithUrl:param:header:progress:completion:]
- 0x1024ed940 /var/containers/Bundle/Application/82E81B77-8825-4ABC-A91F-EABC37E3408D/Driver.app/Driver!+[DrLogin58NetworkManager request:withMethod:parameters:withTimeoutInterval:resultClassType:withSuccess:withFail:]
- 0x1024ee8c8 /var/containers/Bundle/Application/82E81B77-8825-4ABC-A91F-EABC37E3408D/Driver.app/Driver!+[DrLogin58RequestManager login:success:Failure:]
- 0x10250f07c /var/containers/Bundle/Application/82E81B77-8825-4ABC-A91F-EABC37E3408D/Driver.app/Driver!-[DrUserLoginViewController passwordLoginRequestByPhone:ThePassword:]
- 0x102510b68 /var/containers/Bundle/Application/82E81B77-8825-4ABC-A91F-EABC37E3408D/Driver.app/Driver!-[DrUserLoginViewController verifyLoginButtonClicked:]
- 0x1b2169300 UIKitCore!-[UIApplication sendAction:to:from:forEvent:]
- 0x1b1c12424 UIKitCore!-[UIControl sendAction:to:forEvent:]
- 0x1b1c12744 UIKitCore!-[UIControl _sendActionsForEvents:withEvent:]
- 0x1b1c117b0 UIKitCore!-[UIControl touchesEnded:withEvent:]
- 8966 ms +[NSURL URLWithString:]https://user.ksedt.com/api/login/v2?sign=314CEEC4B7FF8F7097990FA5FC412E635A31D4FA5760ECBBD3085C5C6F8C5E54A62F92A824DAF5C87E6708F21547BBCA09362643C2FFF4504B87EDC5247FA102
- var ClassName = "NSURL";
- var MethodName = "+ URLWithString:";
- var func = ObjC.classes[ClassName][MethodName];
- Interceptor.attach(func.implementation, {
- onEnter: function (args) {
- console.log(Thread.backtrace(this.context, Backtracer.ACCURATE).map(DebugSymbol.fromAddress).join("\n"));
- console.log("URL: ", ObjC.Object(args[2]), "\n");
- }, onLeave: function (retval) {
- }
- });
hook第一个堆栈函数,看一下:
- var requestBySerializingRequest = ObjC.classes.AFHTTPRequestSerializer['- requestBySerializingRequest:withParameters:error:'];
- Interceptor.attach(requestBySerializingRequest.implementation, {
- onEnter: function (args) {
- console.log("args[2]: ", ObjC.Object(args[2]));
- console.log("args[3]: ", ObjC.Object(args[3]));
- console.log("args[4]: ", ObjC.Object(args[4]));
- this.arg4 = args[4];
- }, onLeave: function (retval) {
- console.log("args[4]: ", ObjC.Object(this.arg4.readPointer()));
- }
- });
继承往上找吧;
找到这个堆栈:
// 0x1038dc8f8
/var/containers/Bundle/Application/82E81B77-8825-4ABC-A91F-EABC37E3408D/Driver.app/Driver!-[XYNetworkManager
getWithUrl:param:header:progress:completion:]
- var initWithMethod = ObjC.classes.XYHTTPRequest['+ initWithMethod:requestURL:requestParam:requestHeaderField:'];
- Interceptor.attach(initWithMethod.implementation, {
- onEnter: function (args) {
- console.log('initWithMethod called from:\n' +
- Thread.backtrace(this.context, Backtracer.ACCURATE)
- .map(DebugSymbol.fromAddress).join('\n') + '\n');
- //console.log("args[2]: ", (args[2]));
- console.log("args[3]: ", ObjC.Object(args[3]));
- console.log("args[4]: ", ObjC.Object(args[4]));
- console.log("args[5]: ", ObjC.Object(args[5]));
- }, onLeave: function (retval) {
- }
- });
看来还是不对,再继承往上找:
找到: // 0x1024ed940
/var/containers/Bundle/Application/82E81B77-8825-4ABC-A91F-EABC37E3408D/Driver.app/Driver!+[DrLogin58NetworkManager
request:withMethod:parameters:withTimeoutInterval:resultClassType:withSuccess:withFail:]
这里有个方法比力特别 记录下:
有个雷同于MD5的调用,再点进去看看
也是个cc_md5;
再往上找:
// 0x10250f07c
/var/containers/Bundle/Application/82E81B77-8825-4ABC-A91F-EABC37E3408D/Driver.app/Driver!-[DrUserLoginViewController
passwordLoginRequestByPhone:ThePassword:]
看到这个函数,我们搞一下:
+[DrGenerateLoginRequestSign generateLoginRequestSignByParamDict:]
- var initWithMethod = ObjC.classes.DrGenerateLoginRequestSign['+ generateLoginRequestSignByParamDict:'];
- Interceptor.attach(initWithMethod.implementation, {
- onEnter: function (args) {
- console.log("args[2]: ", ObjC.Object(args[2]));
- }, onLeave: function (retval) {
- console.log("retval: ", ObjC.Object(retval));
- }
- });
这内里东西不少;
- var initWithMethod = ObjC.classes.NSData['- jx_aes256EncryptWithKey:iv:'];
- Interceptor.attach(initWithMethod.implementation, {
- onEnter: function (args) {
- console.log("args[0]: ", ObjC.Object(args[0]));
- console.log("args[2]: ", ObjC.Object(args[2]));
- console.log("args[3]: ", ObjC.Object(args[3]));
- }, onLeave: function (retval) {
- console.log("retval: ", ObjC.Object(retval));
- }
- });
retval:则是 314CEEC4B7FF8F7097990FA5FC412E635A31D4FA5760ECBBD3085C5C6F8C5E54A62F92A824DAF5C87E6708F21547BBCA09362643C2FFF4504B87EDC5247FA102
那我们aes的key找到了 , iv是 nil,那就是ecb模式,无需iv;
再看下data明文,62376363 37386263 31346130 37356639 34353462 62643733 33663564 62626164 7c70686f 6e653d31 38383838 38383838 38382670 77643d31 32333435 36
b7cc78bc14a075f9454bbd733f5dbbad|phone=18888888888&pwd=123456
b7cc78bc14a075f9454bbd733f5dbbad 那边来?
- var jx_toMD5 = ObjC.classes.NSString['- jx_toMD5'];
- Interceptor.attach(jx_toMD5.implementation, {
- onEnter: function (args) {
- console.log("args[0]: ", ObjC.Object(args[0]));
- }, onLeave: function (retval) {
- console.log("retval: ", ObjC.Object(retval));
- }
- });
这里就说看出来 b7cc78bc14a075f9454bbd733f5dbbad 这里来;
sign逆向完毕!
hsign值得到了,其他参数都在请求里,30319502d66d31a4779bf67a54588c4ec572b3b5 这个值那边来的:固定的吗?固定盐?
MD5的时候,同时又把 hsign 直接给勾出来了;
hsign 逆向完毕!
继承看下,hext-union,直接shift + F12, 老话说的好,直接ida搜字符串;
再通过上面hook aes脚本,细致观察看下:
这个是跟设备一些关联;
args[2]:
args[3]:
阐明秘钥没标题;
对比下确实是没标题,只不外他的base64将/ + 号等都做了更换;
我们去ida看下是不是码表也有厘革,方便我们在页面调解:
码表搞出来,更换上来:
对比完善结束。
hext-union完毕!
所以说这个CyberChef是真的好用!!!
https://gchq.github.io/CyberChef/#recipe=To_Hex(‘Space’,0)AES_Encrypt(%7B’option’:‘Hex’,‘string’:‘3338387a%207a683770%2077346961%2067307039’%7D,%7B’option’:‘Hex’,‘string’:‘336b796c%2077676c6d%2063376d7a%2066783265’%7D,‘CBC’,‘Hex’,‘Raw’,%7B’option’:‘Hex’,‘string’:‘’%7D)To_Base64(‘A-Za-z0-9-_’)&input=eyJoY2l0eWlkIjoiMSIsImhpbWVpIjoiMzAzMTk1MDJkNjZkMzFhNDc3OWJmNjdhNTQ1ODhjNGVjNTcyYjNiNSIsInp4YWlkIjoiQTAxLU9zVmdZN2pcL0dYMmZwMXc1WDVkN1BaYVwvem00THBNUVgiLCJoZGV2aWNlaWQiOiI4MGQ3MWE3MmY4MDU0ZDIyODMzNTA0NWRjZjE5Zjk1OSIsImhvc3ZlciI6IjEyLjUuNyIsInp4aWQiOiJaMDEtMTY4MTI0ODkzNi15RjE2ZXdET3VmZzQxZG9DLUQ4OUEifQ
来源:https://blog.csdn.net/weixin_38927522/article/details/129495386
免责声明:如果侵犯了您的权益,请联系站长,我们会及时删除侵权内容,谢谢合作! |
