Android逆向 betopApp 数据包加密分析

2022-04-13  本文已影响0人  LiuJP

1、准备

root 手机安装了charles 证书
mac charles
mac jeb

2、抓包

直接使用chales 抓包



是加密过的数据

3、分析apk

没有加固直接打开(新版本用jeb 打不开可以尝试jadx)
根据字符串"https://api.betopfun.com/pub.php" 搜索到对应的地方根据调用看到很多调用
找出其中一个调用;

 String v0 = com.zuoyou.center.business.network.c.a.a("https://api.betopfun.com/pub.php", "getGameId", new com.zuoyou.center.business.network.b.a.NetDataDecrypt.b().a().a(arg4));
        new com.zuoyou.center.business.network.b.a.NetDataDecrypt.a().a(true).b("4b784c5fb17552de3f8dc1331d365593").a(v0).a().a(new com.zuoyou.center.business.network.b.a.a() {
            public void a(PageItem arg1) {
                com.zuoyou.center.application.b.z = false;
            }

            public void a(PageItem arg7, boolean arg8) {
                GameidBean v7 = (GameidBean)arg7.getData().getRows().get(0);
                if(v7 != null) {
                    String v1 = v7.getGameId();
                    String v2 = v7.getGameName();
                    e.this.a(v1, v2, arg4, ((boolean)(((int)arg5))), ((boolean)(((int)arg6))));
                }
            }

            @Override  // com.zuoyou.center.business.network.b.a.a
            public void b(int arg1) {
                super.b(arg1);
                com.zuoyou.center.application.b.z = false;
            }
        }, "getGameId");

找到这一步就可以使用hook 拿数据,回调函数中就能抓到对应的明文数据
进一步找一下加密算法
在回调函数这个类中找到

 protected void f(String arg5) {
        Object v0 = this.e(arg5);
        Log.d("HttpCallback###1", "result:" + v0);
        if((v0 instanceof BaseResult)) {
            BaseResult v1 = (BaseResult)v0;
            if(v1 != null) {
                if(v1.getCode().equals(NetWorkCode.SUCCESS_CODE.getReturnCode())) {
                    if((v0 instanceof PageItem)) {
                        PageItemData v1_1 = ((PageItem)v0).getData();
                        if(v1_1 != null && v1_1.getRows() != null && v1_1.getRows().size() != 0) {
                            goto label_33;
                        }

                        this.a();
                        this.c(v0);
                        return;
                    }

                label_33:
                    if(this.i) {
                        this.c(arg5);
                    }

                    this.a(v0, false);
                    return;
                }

                if(v1.getCode().equals(NetWorkCode.USER_STATUS.getReturnCode())) {
                    this.d(v1.getMsg());
                    return;
                }

                if(v1.getCode().equals("400")) {
                    this.b(v0);
                    return;
                }

                this.a(v0);
                return;
            }
        }
        else {
            this.b(0xFFFFD8F1);
        }
    }

然后顺藤摸瓜找到在com.zuoyou.center.common包下的这个类

public class h {
    private static final char[] a;

    static {
        h.a = new char[]{'0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'};
    }

    public static String a(String arg1) {
        try {
            MessageDigest v0 = MessageDigest.getInstance("MD5");
            v0.update(arg1.getBytes());
            return h.a(v0.digest());
        }
        catch(Throwable v1) {
            v1.printStackTrace();
            return "";
        }
    }

    public static String a(String arg1, String arg2) {
        try {
            MessageDigest v0 = MessageDigest.getInstance("MD5");
            v0.update(arg1.getBytes(arg2));
            return h.a(v0.digest());
        }
        catch(Exception v1) {
            v1.printStackTrace();
            return "";
        }
    }

    public static String a(String arg3, byte[] arg4) throws Exception {
        try {
            DESKeySpec v0 = new DESKeySpec(arg3.getBytes());
            SecretKey v0_1 = SecretKeyFactory.getInstance("DES").generateSecret(v0);
            Cipher v1 = Cipher.getInstance("DES/CBC/PKCS5Padding");
            v1.init(1, v0_1, new IvParameterSpec(arg3.getBytes()));
            return new String(Base64.encode(Base64.encode(v1.doFinal(arg4), 0), 0));
        }
        catch(Exception v3) {
            throw new Exception(v3);
        }
    }

    private static String a(byte[] arg4) {
        StringBuilder v0 = new StringBuilder(arg4.length * 2);
        int v1;
        for(v1 = 0; v1 < arg4.length; ++v1) {
            v0.append(h.a[(arg4[v1] & 0xF0) >>> 4]);
            v0.append(h.a[arg4[v1] & 15]);
        }

        return v0.toString();
    }

    public static String b(String arg1) throws Exception {
        return h.a("Betop(@Y", arg1.getBytes());
    }

    public static byte[] b(String arg3, byte[] arg4) throws Exception {
        try {
            new SecureRandom();
            DESKeySpec v0 = new DESKeySpec(arg3.getBytes());
            SecretKey v0_1 = SecretKeyFactory.getInstance("DES").generateSecret(v0);
            Cipher v1 = Cipher.getInstance("DES/CBC/PKCS5Padding");
            v1.init(2, v0_1, new IvParameterSpec(arg3.getBytes()));
            return v1.doFinal(arg4);
        }
        catch(Exception v3) {
            throw new Exception(v3);
        }
    }

    public static String c(String arg2) {
        try {
            return new String(h.b("Betop(@Y", Base64.decode(Base64.decode(arg2.getBytes(), 0), 0)));
        }
        catch(Exception unused_ex) {
            return "";
        }
    }
}
上一篇下一篇

猜你喜欢

热点阅读