简单说就是:实在逆向不出来算法时,不再自己还原加密逻辑,而是用Frida注入到正在运行的app里,在JS代码中主动调用app自带的加密函数,再把加密后的结果作为参数直接提交。前提是设备上跑着frida-server,并且目标app处于运行状态。

import requests, json
import frida

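# Frida agent that is loaded into the running app and driven over RPC.
# It does not re-implement the app's signing/encryption: it calls the app's
# own Utils.md5 and RequestUtil.encodeDesMap so the ciphertext is produced by
# the original code.  Everything below (device id, the `key=` suffix, the two
# 8-character DES arguments) is copied from what the app hard-codes; none of
# it is secret once the APK is unpacked, which is exactly why a login payload
# can be forged this way.
jsCode = """
function hookTest(username, password) {
    var result;
    // Java.perform runs the callback synchronously once the app's class loader
    // is known (it is, since we attach to the already-running app).  If it
    // were ever deferred, `result` would still be undefined on return.
    Java.perform(function () {
        var time = new Date().getTime();

        // Signed string: field order and the trailing static key must match
        // the app exactly or the server rejects the request as badly signed.
        // NOTE(review): values are concatenated raw; a username/password that
        // contains '&' or '=' may not sign the way the app signs it -- confirm
        // whether the app URL-encodes them before hashing.
        var signData = 'equtype=ANDROID&loginImei=Android352689082129358&timeStamp=' +
            time + '&userPwd=' + password + '&username=' + username + '&key=sdlkjsdljf0j2fsjk';
        var Utils = Java.use('com.dodonew.online.util.Utils');
        var sign = Utils.md5(signData).toUpperCase();
        console.log('sign: ', sign);

        // Build the JSON body with JSON.stringify instead of string splicing,
        // so a quote or backslash in the credentials is escaped instead of
        // producing malformed JSON.  Key order and the String(time) conversion
        // keep the output byte-identical to the previous hand-built layout
        // for plain ASCII input.
        var encryptData = JSON.stringify({
            equtype: 'ANDROID',
            loginImei: 'Android352689082129358',
            sign: sign,
            timeStamp: String(time),
            userPwd: password,
            username: username
        });
        var RequestUtil = Java.use('com.dodonew.online.http.RequestUtil');
        // Second and third arguments are the app's hard-coded DES parameters
        // (presumably key and IV -- verify against the decompiled method).
        var Encrypt = RequestUtil.encodeDesMap(encryptData, '65102933', '32028092');
        console.log('Encrypt: ', Encrypt);
        result = Encrypt;
    });
    return result;
}

rpc.exports = {
    thisisafuncname: hookTest
};
"""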

# 调用frida脚本
# Talk to the frida-server on the lab device.  A remote frida-server port is
# unauthenticated: anyone who can reach it can inject code into any process
# on that device, so keep it on an isolated network (or forward it over
# adb/ssh) rather than leaving it exposed.
device = frida.get_device_manager().add_remote_device('192.168.3.68:27042')
process = device.attach("com.dodonew.online")
script = process.create_script(jsCode)
print('[*] Running func')
script.load()
# Test account only -- real credentials belong in an env var or a prompt,
# never in a committed file.
cipherText = script.exports.thisisafuncname('15968079477', 'a12345678')


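# Submit the app-produced ciphertext the way the app would.
# NOTE: the endpoint is plain http, so the DES-encrypted login blob and the
# server's reply travel without TLS; that is the app's API, not our choice.
url = 'http://api.dodovip.com/api/user/login'
data = json.dumps({"Encrypt": cipherText})
headers = {
    "content-type": "application/json; charset=utf-8",
    # Same User-Agent the app's HTTP stack sends (presumably so the request is
    # not distinguishable from the real client -- TODO confirm it is checked).
    "User-Agent": "Dalvik/2.1.0 (Linux; U; Android 10; Pixel Build/QP1A.191005.007.A3)",
}
# Always set a timeout: without one requests.post can block forever if the
# API stalls, silently hanging the whole script.
r = requests.post(url=url, data=data, headers=headers, timeout=15)
print(r)
print(r.text)
print(type(r.text))
print(r.content)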

也可以把这个逻辑封装成一个web接口,提供给其他语言去调用,由web接口返回加密后的参数值。注意这个接口没有任何鉴权,谁能访问它就能拿到合法的登录报文,所以只绑定在127.0.0.1上本机使用,不要暴露到局域网或公网。

from fastapi import FastAPI
import uvicorn
import frida

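# Frida agent that is loaded into the running app and driven over RPC.
# It does not re-implement the app's signing/encryption: it calls the app's
# own Utils.md5 and RequestUtil.encodeDesMap so the ciphertext is produced by
# the original code.  Everything below (device id, the `key=` suffix, the two
# 8-character DES arguments) is copied from what the app hard-codes; none of
# it is secret once the APK is unpacked, which is exactly why a login payload
# can be forged this way.
jsCode = """
function hookTest(username, password) {
    var result;
    // Java.perform runs the callback synchronously once the app's class loader
    // is known (it is, since we attach to the already-running app).  If it
    // were ever deferred, `result` would still be undefined on return.
    Java.perform(function () {
        var time = new Date().getTime();

        // Signed string: field order and the trailing static key must match
        // the app exactly or the server rejects the request as badly signed.
        // NOTE(review): values are concatenated raw; a username/password that
        // contains '&' or '=' may not sign the way the app signs it -- confirm
        // whether the app URL-encodes them before hashing.
        var signData = 'equtype=ANDROID&loginImei=Android352689082129358&timeStamp=' +
            time + '&userPwd=' + password + '&username=' + username + '&key=sdlkjsdljf0j2fsjk';
        var Utils = Java.use('com.dodonew.online.util.Utils');
        var sign = Utils.md5(signData).toUpperCase();
        console.log('sign: ', sign);

        // Build the JSON body with JSON.stringify instead of string splicing,
        // so a quote or backslash in the credentials is escaped instead of
        // producing malformed JSON.  Key order and the String(time) conversion
        // keep the output byte-identical to the previous hand-built layout
        // for plain ASCII input.
        var encryptData = JSON.stringify({
            equtype: 'ANDROID',
            loginImei: 'Android352689082129358',
            sign: sign,
            timeStamp: String(time),
            userPwd: password,
            username: username
        });
        var RequestUtil = Java.use('com.dodonew.online.http.RequestUtil');
        // Second and third arguments are the app's hard-coded DES parameters
        // (presumably key and IV -- verify against the decompiled method).
        var Encrypt = RequestUtil.encodeDesMap(encryptData, '65102933', '32028092');
        console.log('Encrypt: ', Encrypt);
        result = Encrypt;
    });
    return result;
}

rpc.exports = {
    thisisafuncname: hookTest
};
"""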

# 调用frida脚本
process = frida.get_device_manager().add_remote_device('192.168.3.68:27042').attach("com.dodonew.online")
script = process.create_script(jsCode)
print('[*] Running func')
script.load()

# Web front-end that forwards credentials to the Frida agent and returns the
# ciphertext.  It has no authentication of its own -- see the bind address in
# the entry point.
app = FastAPI()

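@app.get("/get")
def getEchoApi(item_id: str, item_user: str, item_pass: str):
    """Return the app-encrypted login blob for the given credentials.

    Query parameters:
        item_id:   opaque request id, echoed back unchanged.
        item_user: account name handed to the app's signing code.
        item_pass: password handed to the app's signing code.

    Returns ``{"item_id": ..., "item_retval": <ciphertext>}``.

    Declared ``def`` rather than ``async def``: the Frida RPC call is a
    blocking round-trip into the device, and FastAPI runs plain ``def``
    handlers in a worker thread instead of stalling the event loop for
    every other request.

    NOTE(security): the credentials arrive in the URL, so they land in
    uvicorn's access log and any proxy log; use the POST variant for
    anything beyond local testing.  The endpoint is unauthenticated --
    whoever can reach it can mint valid login payloads.
    """
    result = script.exports.thisisafuncname(item_user, item_pass)
    return {"item_id": item_id, "item_retval": result}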

if __name__ == '__main__':
    # uvicorn's default host is 127.0.0.1; it is spelled out because this
    # service is an unauthenticated oracle for valid login payloads and must
    # not be reachable from other hosts.
    uvicorn.run(app, host='127.0.0.1', port=8080)

访问 http://127.0.0.1:8080/get?item_id=100&item_user=123&item_pass=456 (账号密码放在URL查询串里,会原样记录在uvicorn访问日志和代理日志中,只适合本地调试)

或者改成接收POST类型的请求,把账号密码放在请求体里,避免出现在URL和日志中。

from fastapi import FastAPI
from pydantic import BaseModel
import uvicorn
import frida

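# Frida agent that is loaded into the running app and driven over RPC.
# It does not re-implement the app's signing/encryption: it calls the app's
# own Utils.md5 and RequestUtil.encodeDesMap so the ciphertext is produced by
# the original code.  Everything below (device id, the `key=` suffix, the two
# 8-character DES arguments) is copied from what the app hard-codes; none of
# it is secret once the APK is unpacked, which is exactly why a login payload
# can be forged this way.
jsCode = """
function hookTest(username, password) {
    var result;
    // Java.perform runs the callback synchronously once the app's class loader
    // is known (it is, since we attach to the already-running app).  If it
    // were ever deferred, `result` would still be undefined on return.
    Java.perform(function () {
        var time = new Date().getTime();

        // Signed string: field order and the trailing static key must match
        // the app exactly or the server rejects the request as badly signed.
        // NOTE(review): values are concatenated raw; a username/password that
        // contains '&' or '=' may not sign the way the app signs it -- confirm
        // whether the app URL-encodes them before hashing.
        var signData = 'equtype=ANDROID&loginImei=Android352689082129358&timeStamp=' +
            time + '&userPwd=' + password + '&username=' + username + '&key=sdlkjsdljf0j2fsjk';
        var Utils = Java.use('com.dodonew.online.util.Utils');
        var sign = Utils.md5(signData).toUpperCase();
        console.log('sign: ', sign);

        // Build the JSON body with JSON.stringify instead of string splicing,
        // so a quote or backslash in the credentials is escaped instead of
        // producing malformed JSON.  Key order and the String(time) conversion
        // keep the output byte-identical to the previous hand-built layout
        // for plain ASCII input.
        var encryptData = JSON.stringify({
            equtype: 'ANDROID',
            loginImei: 'Android352689082129358',
            sign: sign,
            timeStamp: String(time),
            userPwd: password,
            username: username
        });
        var RequestUtil = Java.use('com.dodonew.online.http.RequestUtil');
        // Second and third arguments are the app's hard-coded DES parameters
        // (presumably key and IV -- verify against the decompiled method).
        var Encrypt = RequestUtil.encodeDesMap(encryptData, '65102933', '32028092');
        console.log('Encrypt: ', Encrypt);
        result = Encrypt;
    });
    return result;
}

rpc.exports = {
    thisisafuncname: hookTest
};
"""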

# 调用frida脚本
process = frida.get_device_manager().add_remote_device('192.168.3.68:27042').attach("com.dodonew.online")
script = process.create_script(jsCode)
print('[*] Running func')
script.load()

# Web front-end that forwards credentials to the Frida agent and returns the
# ciphertext.  It has no authentication of its own -- see the bind address in
# the entry point.
app = FastAPI()


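class Item(BaseModel):
    """Request body for ``/post``.

    ``item_user`` and ``item_pass`` are required.  With the previous
    ``str = None`` defaults a body missing either field was accepted and
    ``None`` reached the agent, where ``'&userPwd=' + null`` splices the
    text ``null`` into the signed string and yields a ciphertext the server
    can only reject.  Declaring them without a default makes FastAPI answer
    422 up front instead.
    """

    # Opaque request id, echoed back unchanged; optional.
    item_id: str = None
    # Account name forwarded to the app's signing code.
    item_user: str
    # Password forwarded to the app's signing code.
    item_pass: str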


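@app.post("/post")
def getEchoApi(postData: Item):
    """Return the app-encrypted login blob for the credentials in the body.

    Args:
        postData: parsed JSON body (see ``Item``); ``item_user`` and
            ``item_pass`` are handed to the app's signing code, ``item_id``
            is echoed back unchanged.

    Returns ``{"item_id": ..., "item_retval": <ciphertext>}``.

    Plain ``def`` on purpose: the Frida RPC call blocks until the device
    answers, and FastAPI runs sync handlers in a worker thread so the event
    loop keeps serving other requests.  The endpoint is unauthenticated --
    anyone who can reach it can mint valid login payloads -- so the server
    must stay bound to loopback.
    """
    result = script.exports.thisisafuncname(postData.item_user, postData.item_pass)
    return {"item_id": postData.item_id, "item_retval": result}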

if __name__ == '__main__':
    # uvicorn's default host is 127.0.0.1; it is spelled out because this
    # service is an unauthenticated oracle for valid login payloads and must
    # not be reachable from other hosts.
    uvicorn.run(app, host='127.0.0.1', port=8080)