下载好app 一只船教育
1.还是先抓包
2.给app脱壳
3.用jadx-gui打开
打开 0x9f557000.dex
并搜索关键字password
从代码一眼可以看出密码是用RSA公钥加密的("RSA/ECB/PKCS1Padding")
并搜索关键字password
点击addRSAData查找用例
4.可以同时Hook以下四个方法
encryptByPublicKey,addRSAData,splitString,bcd2Str
得出Hook结果
5.获取token抓包
6.把Java的字节数组转字符串方法用python实现(每个字节转成两位大写十六进制字符)
def b2str(b: bytes):
    """Render every byte of *b* as two uppercase hex digits.

    Per the write-up this is a Python port of the app's Java
    byte-array-to-string conversion. The resulting string is printed
    and then returned.
    """
    hex_digits = '0123456789ABCDEF'
    pieces = []
    for value in b:
        # High nibble first, then low nibble; masking with 15 keeps each
        # index in range 0..15.
        pieces.append(hex_digits[(value >> 4) & 15])
        pieces.append(hex_digits[value & 15])
    new_b = ''.join(pieces)
    print(new_b)
    return new_b
7.用python改写RSA加密
import rsa
import uuid
import random
import string
import base64
import requests
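from Crypto.PublicKey import RSA

# The original listing passed `proxies=proxies` to requests without ever
# defining the name, so the first request raised NameError. None means no
# explicit proxy mapping is handed to requests.
proxies = None


def b2str(b: bytes):
    """Return *b* as a string of two uppercase hex digits per byte."""
    hex_digits = '0123456789ABCDEF'
    pieces = []
    for value in b:
        # High nibble first, then low nibble.
        pieces.append(hex_digits[(value >> 4) & 15])
        pieces.append(hex_digits[value & 15])
    return ''.join(pieces)


def encryptPassword(data):
    """Encrypt *data* with the app's embedded RSA public key.

    data: the text to encrypt (encoded with str.encode() before encryption).

    The key string below is the base64 body of the public key, i.e. the part
    between the -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY----- lines.

    Returns the ciphertext as an uppercase hex string (see b2str).
    """
    # NOTE(review): the "MIGf" prefix is typical of a 1024-bit RSA key, which
    # is below current key-size recommendations -- confirm with
    # key.size_in_bits().
    publicKeyStr = 'MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDzOIykY8AmZkoDPDL9zfgV48FKY1RcqWYj4YE/zzvNXDl8e7hnkNRNRHk3InE95ehk340iOumV+RJ9KdihoWKHqnSPH2wTxDdI2WFuI1FOfndL67fJliEHx9z6A7bfFUZZq9xuzoA/zPCZbLsfWfa2mbi96Qc1lI73kCa8sLmDwwIDAQAB'
    # 1. Decode the base64 text into the DER-encoded key bytes.
    publicKeyBytes = base64.b64decode(publicKeyStr.encode())
    # 2. Build the public key object.
    key = RSA.import_key(publicKeyBytes)
    # 3. Encrypt. rsa.encrypt applies PKCS#1 v1.5 padding, matching the
    #    "RSA/ECB/PKCS1Padding" transformation named in the write-up; it is
    #    handed the PyCryptodome key object here and presumably only needs its
    #    .n and .e attributes. The result is kept in a local that no longer
    #    shadows this function's own name.
    ciphertext = rsa.encrypt(data.encode(), key)
    return b2str(ciphertext)


def login_info(phone):
    """Request a user token, then post a login for *phone*.

    The password is a random 9-character string and the device fields are
    picked at random. Returns the decoded JSON body of the login response
    (the original assigned it to a local and returned nothing, so the caller
    printed None).
    """
    headers = {
        'domain': 'ketang.aboatedu.com',
        'User-Agent': 'Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5 Build/MMB29X; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36',
    }
    password = ''.join(random.sample(string.digits + string.ascii_letters, 9))
    screen = random.choice(["1080x1920", "1776x1080", "720x1280", "640x1136", "1080x2040"])
    model = random.choice([
        'Nexus 5', 'Nexus 6', 'Nexus 6p', 'Nexus 7', 'Nexus 10', 'Xiaomi',
        'HUAWEI', 'HTC 802t', 'HTC M8St', 'vivo X7', 'vivo X9', 'vivo X9i',
        'vivo X9L', 'OPPO A57', 'vivo Y66', 'Galaxy A3',
    ])
    schoolId = random.randint(1, 20000)
    companyId = 14972
    uuid_str = ''.join(random.sample(string.digits + string.ascii_letters, 23))
    version = random.choice(['5.1.1', '5.1', '6.0.1', '6.0', '7.1.2', '8.0', '9.0', '7.0.1', '7.0'])

    # Fields sent unchanged in both requests.
    device = {
        "v": "2.4.3",
        "os": "2",
        "osv": version,
        "model": model,
        "screen": screen,
        "density": "3.0",
        "uuid": uuid_str,
        "domain": "ketang.aboatedu.com",
        "optType": "android",
        "appType": 1,
        "tSchoolId": schoolId,
    }

    # TLS certificate verification is left at the requests default (enabled).
    # The original passed verify=False, which accepts any certificate and lets
    # an on-path party read or alter the token and login traffic. If requests
    # are routed through a local inspection proxy, point `verify` at that
    # proxy's CA bundle instead of disabling verification.
    # A timeout keeps a stalled connection from blocking forever.
    url = 'https://sdk.yunduoketang.com/appApi/company/getUserToken'
    data = {**device, "companyId": companyId}
    res = requests.post(url, headers=headers, json=data, proxies=proxies, timeout=10)
    token = res.json()['data']

    url = 'https://sdk.yunduoketang.com/appApi/user/login'
    data = {
        **device,
        "token": token,
        "schoolId": schoolId,
        "mobile": phone,
        "encryption": 1,
        "password": encryptPassword(password),
    }
    response = requests.post(url, headers=headers, json=data, proxies=proxies, timeout=10)
    msg = response.json()
    return msg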
if __name__ == '__main__':
    # Script entry point: run one login attempt and print whatever
    # login_info returns.
    result = login_info('13776788171')
    print(result)
app下载地址
链接:https://pan.baidu.com/s/1au0v2Vxfd8Qc6ngdV7hFrg
提取码:lq4y