pytho之app逆向破解password RSA

下载好app 一只船教育

1.还是先抓包

2.给app脱壳

3.用jadx-gui打开

打开 0x9f557000.dex
并搜索关键字password
一看就是RSA用公钥加密("RSA/ECB/PKCS1Padding")

并搜索关键字password
点击addRSAData查找用例

4.可以同时Hook以下四个方法

encryptByPublicKey,addRSAData,splitString,bcd2Str

得出Hook结果

5.获取token抓包

6.java二进制转字符串 用python实现

def b2str(b: bytes):
    new_b = ''
    for a in b:
        c = ((a & 240) >> 4) & 15
        # print(c)
        if c > 9:
            A1 = (c + ord('A')) - 10
        else:
            A1 = c + ord('0')
        c2 = a & 15
        if c2 > 9:
            A2 = (c2 + ord('A')) - 10
        else:
            A2 = c2 + ord('0')
        new_b += chr(A1)
        new_b += chr(A2)
    print(new_b)
    return new_b

7.python改写RSA加密

import rsa
import uuid
import random
import string
import base64
import requests
from Crypto.PublicKey import RSA

def b2str(b: bytes):
    new_b = ''
    for a in b:
        c = ((a & 240) >> 4) & 15
        # print(c)
        if c > 9:
            A1 = (c + ord('A')) - 10
        else:
            A1 = c + ord('0')
        c2 = a & 15
        if c2 > 9:
            A2 = (c2 + ord('A')) - 10
        else:
            A2 = c2 + ord('0')
        new_b += chr(A1)
        new_b += chr(A2)
    #print(new_b)
    return new_b


def encryptPassword(data):
    '''
    data:内容
    publicKeyStr:不需要-----BEGIN PUBLIC KEY-----开头,-----END PUBLIC KEY-----结尾的格式,只要中间部分即可
    key_encoded:不需要-----BEGIN PUBLIC KEY-----开头,-----END PUBLIC KEY-----结尾的格式
    '''
    publicKeyStr = 'MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDzOIykY8AmZkoDPDL9zfgV48FKY1RcqWYj4YE/zzvNXDl8e7hnkNRNRHk3InE95ehk340iOumV+RJ9KdihoWKHqnSPH2wTxDdI2WFuI1FOfndL67fJliEHx9z6A7bfFUZZq9xuzoA/zPCZbLsfWfa2mbi96Qc1lI73kCa8sLmDwwIDAQAB'
    # 1、base64编码
    publicKeyBytes = base64.b64decode(publicKeyStr.encode())
    # 3、生成publicKey对象
    key = RSA.import_key(publicKeyBytes)
    # key = RSA.import_key(key_encoded)
    # 4、对原密码加密
    encryptPassword = rsa.encrypt(data.encode(), key)
    return b2str(encryptPassword)

def login_info(phone):
      headers = {
            'domain': 'ketang.aboatedu.com',
            'User-Agent': 'Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5 Build/MMB29X; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile       Safari/537.36'
        }
        Password = ''.join(random.sample(string.digits + string.ascii_letters, 9))
        # print(Password)
        screen = random.choice(["1080x1920", "1776x1080", "720x1280", "640x1136", "1080x2040"])
        model = random.choice(
            ['Nexus 5', 'Nexus 6', 'Nexus 6p', 'Nexus 7', 'Nexus 10', 'Xiaomi', 'HUAWEI', 'HTC 802t', 'HTC M8St',
             'vivo X7', 'vivo X9',
             'vivo X9i', 'vivo X9L', 'OPPO A57', 'vivo Y66', 'Galaxy A3'])
        schoolId = random.randint(1, 20000)
        # companyId = random.randint(1, 20000)
        companyId = 14972
        uuid_str = ''.join(random.sample(string.digits + string.ascii_letters, 23))
        version = random.choice(['5.1.1', '5.1', '6.0.1', '6.0', '7.1.2', '8.0', '9.0', '7.0.1', '7.0'])
        url = 'https://sdk.yunduoketang.com/appApi/company/getUserToken'
        data = {
            "v": "2.4.3",
            "os": "2",
            "osv": version,
            "model": model,
            "screen": screen,
            "density": "3.0",
            "uuid": uuid_str,
            "domain": "ketang.aboatedu.com",
            "optType": "android", "appType": 1,
            "tSchoolId": schoolId,
            "companyId": companyId
        }
        res = requests.post(url, headers=headers, json=data, verify=False, proxies=proxies)
        token = res.json()['data']
        # print(res.json())

        url = 'https://sdk.yunduoketang.com/appApi/user/login'
        data = {
            "v": "2.4.3",
            "os": "2",
            "osv": version,
            "model": model,
            "screen": screen,
            "density": "3.0",
            "uuid": uuid_str,
            "domain": "ketang.aboatedu.com",
            "optType": "android",
            "appType": 1,
            "tSchoolId": schoolId,
            "token": token,
            "schoolId": schoolId,
            "mobile": phone,
            "encryption": 1,
            "password": encryptPassword(Password)}
      response = requests.post(url, headers=headers, json=data, verify=False, proxies=proxies)
      msg = response.json()
if __name__ == '__main__':
    print(login_info('13776788171')) 
 

app下载地址
链接:https://pan.baidu.com/s/1au0v2Vxfd8Qc6ngdV7hFrg
提取码:lq4y

posted @ 2020-11-20 11:47  莫贞俊晗  阅读(690)  评论(0编辑  收藏  举报