Signature Analysis and VIP Cracking of a Habit App

两只羊

Unpacking

The app is protected with the 360 packer; running frida-dexdump is enough here.

Request Signature analysis

Test the activation-code endpoint:

```http
POST /daily/app/flag/flagShow HTTP/1.1
Host: xianbeikeji.com
Accept-Language: zh-CN,zh;q=0.8
User-Agent: okhttp-okgo/jeasonlzy
Token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJzdWIiOiI2OGRlNDJkNmZjYjI0ZmFjOTQyOWFkNzE3NjY2YmE5YSIsImlhdCI6MTc0NjgzMTUwMH0.FtiqJoz-h1gBTRPtvU72QeQc1OVe_Abf_XUGgIrPzbteRsPkxUYPvidHGMuzAn-18n1XLiQeUTTjvmR1fhpu_A
Channel: _vivo
Deviceinfo: Xiaomi|M2007J22C|13
Platform: 1
Clientversion: 6.25
Deviceid: 0000000025a6708625a6708600000000
Timestamp: 1746842045674
Nonce: 0006a765c4cf43d298a506739fbee1ac
Signature: 3b018283c1bde1b5ba53140ef95a48ec9d0358a2bee2886e7b4a1a6c7a1b1cfe
Content-Type: application/json;charset=utf-8
Content-Length: 0
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
```


In the frida-dexdump output, the API can be found in class05.

The parameters can be found in classes.

```http
POST /daily/app/user/loginV2 HTTP/1.1
Host: xianbeikeji.com
Accept-Language: zh-CN,zh;q=0.8
User-Agent: okhttp-okgo/jeasonlzy
Channel: _vivo
Deviceinfo: Xiaomi|M2007J22C|13
Platform: 1
Clientversion: 6.25
Deviceid: 0000000025a6708625a6708600000000
Timestamp: 1746831380032
Nonce: b0e5757c386c4fb085f61216a751a244
Signature: ce2f0ea7ab92e705ec6ba95e5e99efe252707924600960a3dc96f43effc8a6a5
Content-Type: application/json;charset=utf-8
Content-Length: 58
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

{"account":"17304085257","captcha":"724975","loginType":2}
```

Finally, the DailyCallBack class is found in class02.

Tracing leads to sb.e, which turns out to be an HMAC algorithm.

```javascript
function hook_sign() {
    Java.perform(function () {
        var sign1 = Java.use("sb.d");
        var enc = sign1.e;
        enc.implementation = function (key, parms) {
            // printStack() is a stack-trace helper that is not shown on the page
            printStack();
            console.log("key -> ", key, "params =>", parms);
            // Call the original method and log the signature it returns
            var result = this.e(key, parms);
            console.log(result);
            return result;
        };
    });
}
```

The hook output matches the captured traffic.

The algorithm was successfully reimplemented in Python.

Forging a request with Python

```python
import hmac
import hashlib
import requests
import json
import time
import uuid


def getSignature(headers, data):
    # Collect the signed header values and the request body
    param_list = []

    param_list.append(headers['Channel'])
    param_list.append(headers['Deviceinfo'])
    param_list.append(headers['Deviceid'])
    param_list.append(headers['Clientversion'])
    param_list.append(headers['Nonce'])
    param_list.append(headers['Platform'])
    param_list.append(headers['Timestamp'])
    param_list.append(data)
    # Sort the values and concatenate them into the message to sign
    param_list.sort()
    param_str = ''.join(str(item) for item in param_list)
    #print(param_str)
    key = b"06fdrlDr625oTBbW"
    message = (param_str).encode()
    hmac_sha256 = hmac.new(key, message, hashlib.sha256)

    # Return the result as a hex string
    return hmac_sha256.hexdigest()


# Request headers
headers = {
    'Accept-Language': 'zh-CN,zh;q=0.8',
    'User-Agent': 'okhttp-okgo/jeasonlzy',
    'Channel': '_vivo',
    'Deviceinfo': 'Xiaomi|M2007J22C|13',
    'Platform': '1',
    'Clientversion': '6.25',
    'Deviceid': '0000000025a6708625a6708600000000',
    'Token': 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJzdWIiOiI2OGRlNDJkNmZjYjI0ZmFjOTQyOWFkNzE3NjY2YmE5YSIsImlhdCI6MTc0NjgzMTUwMH0.FtiqJoz-h1gBTRPtvU72QeQc1OVe_Abf_XUGgIrPzbteRsPkxUYPvidHGMuzAn-18n1XLiQeUTTjvmR1fhpu_A',
    'Timestamp': str(int(time.time())),
    'Nonce': str(uuid.uuid4()).replace("-", ""),
    'Signature': None,
    'Content-Type': 'application/json;charset=utf-8',
    'Accept-Encoding': 'gzip, deflate, br',
    'Connection': 'keep-alive',
}

# Request body
data = {
    "activeCode": "1919810"
}

data = json.dumps(data).replace(" ", "")

Signature = getSignature(headers, data)
print(Signature)
headers['Signature'] = Signature
#print(headers)

# Request URL
url = 'https://xianbeikeji.com/daily/app/user/exchangeActiveCode'

response = requests.post(url, headers=headers, data=data)

print(response.status_code)
print(response.text)
```
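
The server-side counterpart of the signing routine above, as an added example that is not code from the original post or from the app: it rebuilds the same sorted-and-concatenated message, compares the HMAC in constant time, and also enforces timestamp freshness and nonce uniqueness. The key, the five-minute window and the in-memory nonce cache are assumptions; the page does not show what the server actually checks.

```python
import hashlib
import hmac
import time

# Header values that enter the signature, as listed in the script above
SIGNED = ("Channel", "Deviceinfo", "Deviceid", "Clientversion", "Nonce", "Platform", "Timestamp")
MAX_SKEW_MS = 5 * 60 * 1000          # assumed freshness window (5 minutes)
DEMO_KEY = b"constructed-demo-key"   # placeholder, not a real key

def sign(key, headers, body):
    """HMAC-SHA256 over the sorted, concatenated header values and body."""
    parts = sorted([str(headers[n]) for n in SIGNED] + [body])
    return hmac.new(key, "".join(parts).encode(), hashlib.sha256).hexdigest()

class SignatureVerifier:
    def __init__(self, key, now_ms=lambda: int(time.time() * 1000)):
        self.key = key
        self.now_ms = now_ms  # injectable clock, so the checks are testable
        self.seen = {}        # nonce -> Timestamp (ms) of the accepted request

    def verify(self, headers, body):
        """Return 'ok' or the reason the request is rejected."""
        if any(n not in headers for n in SIGNED + ("Signature",)):
            return "missing header"
        try:
            ts = int(headers["Timestamp"])
        except (TypeError, ValueError):
            return "bad timestamp"
        now = self.now_ms()
        if abs(now - ts) > MAX_SKEW_MS:
            return "stale timestamp"
        expected = sign(self.key, headers, body).encode()
        if not hmac.compare_digest(expected, str(headers["Signature"]).encode()):
            return "bad signature"
        # Forget nonces whose request has aged out, then reject any reuse
        self.seen = {n: t for n, t in self.seen.items() if now - t <= MAX_SKEW_MS}
        if headers["Nonce"] in self.seen:
            return "replayed nonce"
        self.seen[headers["Nonce"]] = ts
        return "ok"

def sample_request(ts_ms, nonce="constructed-nonce-0001", body='{"k":"v"}'):
    """Constructed request (not captured traffic), signed with DEMO_KEY."""
    h = {"Channel": "_demo", "Deviceinfo": "Vendor|Model|13", "Deviceid": "0" * 32,
         "Clientversion": "1.0", "Platform": "1", "Timestamp": str(ts_ms), "Nonce": nonce}
    h["Signature"] = sign(DEMO_KEY, h, body)
    return h, body
```

Because the key in this scheme is available on the client, a check like this only covers tampering and replay by parties that do not hold the key; entitlements such as VIP status have to be decided from server-side state.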



VIP cracking

Tracing leads to the u3.e class.

```javascript
function hook_user() {
    Java.perform(function () {
        var User = Java.use("com.itally.base.data.bean.UserInfo");
        var isVip = User.isVip;
        isVip.implementation = function () {
            // Read the original value, then set the VIP fields on the object
            let res = this.isVip();
            this.setVipFlag(1);
            this.setVipType(1);
            console.log(res);
            return true;
        };
    });
}
```

Hook these two locations.

The account now shows as a permanent member.

  • Title: Signature Analysis and VIP Cracking of a Habit App
  • Author: 两只羊
  • Created: 2025-05-10 13:24:58
  • Updated: 2025-05-10 13:26:10
  • Link: https://twogoat.github.io/2025/05/10/某习惯app的Signature分析与vip破解/
  • Copyright notice: This article is licensed under CC BY-NC-SA 4.0.