下载好app 一只船教育
1.还是先抓包
2.给app脱壳
3.用jadx-gui打开
打开 0x9f557000.dex
并搜索关键字password
一看就是用RSA公钥加密("RSA/ECB/PKCS1Padding",即PKCS#1 v1.5填充;填充里带随机数,所以同一个密码每次加密出的密文都不一样)
并搜索关键字password
点击addRSAData查找用例
4.可以同时Hook以下四个方法
encryptByPublicKey,addRSAData,splitString,bcd2Str
得出Hook结果
5.获取token抓包
6.java的字节数组转字符串(每个字节转成两位大写十六进制字符),用python实现
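def b2str(b: bytes):
    """Return the uppercase hexadecimal text for the bytes in *b*.

    Each byte becomes two characters, high nibble first, using the digits
    0-9 and A-F (the byte 0x1A becomes "1A"). The result is also printed,
    as in the original listing.

    Args:
        b: The bytes to encode.

    Returns:
        A string twice as long as *b*.
    """
    # bytes.hex() performs the nibble-to-digit mapping in one pass, replacing
    # the per-byte arithmetic and the quadratic string concatenation.
    # bytes(b) keeps bytearray and other iterables of 0-255 ints working.
    new_b = bytes(b).hex().upper()
    print(new_b)
    return new_b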
7.python改写RSA加密
import rsa
import uuid
import random
import string
import base64
import requests
from Crypto.PublicKey import RSA
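def b2str(b: bytes):
    """Encode *b* as uppercase hexadecimal text, two characters per byte.

    The high nibble of each byte comes first, so the byte 0x9F becomes
    "9F". An empty input gives an empty string.

    Args:
        b: The bytes to encode.

    Returns:
        The hexadecimal string, twice as long as *b*.
    """
    # The standard-library hex encoder replaces the hand-written nibble
    # arithmetic and avoids building the string one character at a time.
    # bytes(b) keeps bytearray and other iterables of 0-255 ints working.
    return bytes(b).hex().upper()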
def encryptPassword(data):
    """Encrypt *data* with the RSA public key embedded below and hex-encode it.

    The key literal is only the base64 body of a public key: it carries no
    ``-----BEGIN PUBLIC KEY-----`` / ``-----END PUBLIC KEY-----`` lines.

    Args:
        data: Text to encrypt; it is passed through ``str.encode()`` first.

    Returns:
        The ciphertext converted to text by ``b2str``.
    """
    # NOTE: this is a public key shipped in the client. Encrypting with it
    # hides the password value inside the request body, but it does not
    # authenticate the sender: any holder of the key can produce ciphertexts.
    public_key_b64 = 'MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDzOIykY8AmZkoDPDL9zfgV48FKY1RcqWYj4YE/zzvNXDl8e7hnkNRNRHk3InE95ehk340iOumV+RJ9KdihoWKHqnSPH2wTxDdI2WFuI1FOfndL67fJliEHx9z6A7bfFUZZq9xuzoA/zPCZbLsfWfa2mbi96Qc1lI73kCa8sLmDwwIDAQAB'

    # Step 1: turn the base64 text back into the raw key bytes.
    der_bytes = base64.b64decode(public_key_b64.encode())

    # Step 2: build the public-key object from those bytes.
    public_key = RSA.import_key(der_bytes)

    # Step 3: encrypt the encoded text.
    # NOTE(review): the key object comes from Crypto.PublicKey while encrypt()
    # comes from the `rsa` package; presumably this relies on the key object
    # exposing `n` and `e` -- confirm against the installed versions.
    ciphertext = rsa.encrypt(data.encode(), public_key)

    return b2str(ciphertext)
def login_info(phone):
    """Request a user token, then submit one login request for *phone*.

    Both requests go to sdk.yunduoketang.com and carry the same randomly
    generated device profile. The login password is nine random
    alphanumeric characters passed through ``encryptPassword``.

    Args:
        phone: Value sent as the ``mobile`` field of the login request.

    Returns:
        None. The parsed login response is bound to a local name and is
        not returned.
    """
    request_headers = {
        'domain': 'ketang.aboatedu.com',
        'User-Agent': 'Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5 Build/MMB29X; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36'
    }

    # The random draws below keep the original order, so a seeded run
    # produces the same values.
    plain_password = ''.join(random.sample(string.digits + string.ascii_letters, 9))
    screen_size = random.choice(["1080x1920", "1776x1080", "720x1280", "640x1136", "1080x2040"])
    device_model = random.choice([
        'Nexus 5', 'Nexus 6', 'Nexus 6p', 'Nexus 7', 'Nexus 10', 'Xiaomi',
        'HUAWEI', 'HTC 802t', 'HTC M8St', 'vivo X7', 'vivo X9', 'vivo X9i',
        'vivo X9L', 'OPPO A57', 'vivo Y66', 'Galaxy A3',
    ])
    school_id = random.randint(1, 20000)
    company_id = 14972  # fixed value; the original kept a random draw commented out
    device_uuid = ''.join(random.sample(string.digits + string.ascii_letters, 23))
    os_version = random.choice(['5.1.1', '5.1', '6.0.1', '6.0', '7.1.2', '8.0', '9.0', '7.0.1', '7.0'])

    # Fields shared by both request bodies, in the order the original sent them.
    device_fields = {
        "v": "2.4.3",
        "os": "2",
        "osv": os_version,
        "model": device_model,
        "screen": screen_size,
        "density": "3.0",
        "uuid": device_uuid,
        "domain": "ketang.aboatedu.com",
        "optType": "android",
        "appType": 1,
        "tSchoolId": school_id,
    }

    # Request 1: obtain the token that the login request must carry.
    # verify=False turns off TLS certificate validation for the request.
    # NOTE(review): `proxies` is not defined in the visible code; presumably a
    # module-level mapping -- confirm.
    token_url = 'https://sdk.yunduoketang.com/appApi/company/getUserToken'
    token_body = {**device_fields, "companyId": company_id}
    token_reply = requests.post(token_url, headers=request_headers, json=token_body,
                                verify=False, proxies=proxies)
    token = token_reply.json()['data']

    # Request 2: the login call, with the password RSA-encrypted and hex-encoded.
    login_url = 'https://sdk.yunduoketang.com/appApi/user/login'
    login_body = {
        **device_fields,
        "token": token,
        "schoolId": school_id,
        "mobile": phone,
        "encryption": 1,
        "password": encryptPassword(plain_password),
    }
    login_reply = requests.post(login_url, headers=request_headers, json=login_body,
                                verify=False, proxies=proxies)
    msg = login_reply.json()
if __name__ == '__main__':
    # Run one login request for the sample number and print whatever
    # login_info returns.
    outcome = login_info('13776788171')
    print(outcome)
app下载地址
链接:https://pan.baidu.com/s/1au0v2Vxfd8Qc6ngdV7hFrg
提取码:lq4y