某政银行APP登陆逆向
版本 V10.0.0
环境检测
{"xposed": {"action": "warn_and_exit","msg": {"zh_CN": "检测到您的设备安装有Xposed框架,存在非法攻击风险!"},"button": {"zh_CN": "我已明白此风险,依然继续"},"waiting_time": 2000,"title": {"zh_CN": "Xposed框架提醒"}},"integrity": {"action": "warn_and_exit","msg": {"zh_CN": "检测到您当前应用有被二次打包风险,请下载官方版本!"},"button": {"zh_CN": "我已明白此风险,依然继续"},"waiting_time": 2000,"title": {"zh_CN": "完整性校验提醒"}},"emu": {"action": "warn_and_exit","msg": {"zh_CN": "检测到应用正在模拟器上运行,存在隐私信息泄露和被非法攻击等风险!"},"button": {"zh_CN": "我已明白此风险,依然继续"},"waiting_time": 2000,"title": {"zh_CN": "模拟器运行提醒"}},"hook": {"action": "warn_and_exit","msg": {"zh_CN": "检测到您的应用进程内有HOOK框架特征,存在非法攻击风险!"},"button": {"zh_CN": "我已明白此风险,依然继续"},"waiting_time": 2000,"title": {"zh_CN": "HOOK框架提醒"}},"inject": {"action": "warn_and_exit","msg": {"zh_CN": "检测到您的应用被注入攻击,有非法攻击风险!"},"button": {"zh_CN": "我已明白此风险,依然继续"},"waiting_time": 2000,"title": {"zh_CN": "防注入提醒"}},"polling": {"action": "warn_and_exit","msg": {"zh_CN": "检测到您的应用正在被调试,存在非法攻击风险!"},"button": {"zh_CN": "我已明白此风险,依然继续"},"waiting_time": 2000,"title": {"zh_CN": "防调试提醒"}},"frida": {"action": "warn_and_exit","msg": {"zh_CN": "检测到您的应用已经被Frida注入,有非法攻击风险!"},"button": {"zh_CN": "我已明白此风险,依然继续"},"waiting_time": 2000,"title": {"zh_CN": "Frida框架提醒"}},"root": {"action": "warn_and_exit","msg": {"zh_CN": "检测到您的设备已ROOT,存在隐私信息泄露和被非法攻击等风险!"},"button": {"zh_CN": "我已明白此风险,依然继续"},"waiting_time": 2000,"title": {"zh_CN": "设备已被ROOT"}},"proxy": {"title": {"zh_CN": "网络代理提醒"},"button": {"zh_CN": "我已明白此风险,依然继续"},"msg": {"zh_CN": "检测到您正在使用网络代理功能,存在隐私信息泄露和被非法攻击等风险!"},"action": "warn_and_exit","waiting_time": 2000}
}
一般就是 XPosed检测 root检测 frida检测 代理检测(2层)直接hook掉
逻辑上是:登录接口 ----> 触发验证码 ----> 校验验证码,这 3 个接口走完,即可看到登录接口返回 200。
例如登陆验证包接口
请求地址 https://login-service.mobile-bank.psbc.com/sn00/api/route/loginOrRegister/T000003请求方式 POST请求参数 {"isNeedEncrypt": False,"mobileno": PhoneNumber,"deviceInfo": {"curEnvName": "release","isRoot": "0","display": "width:1080,height:2028","ip": "","gps": "","phoneMemorySize": "4","uuid": uuidString, # uuid 自己生成"platform": "android","errorAbstract": "isPrivacyAgreed","uuidOldVersion": "","h5Env": "{\"h5Container\":\"mPaas\",\"updateEnv\":\"mPaas\"}","cityName": "北京市","osVersion": "12","imei": "","isH5BindCard": "1","model": "Google Pixel 3","sdk": "31","networkType": "2","brand": "google","board": "blueline","suptNfcFlag": "1"},"tokenInfo": {"appVersion": "10.0.0","custNo": "","versionNum": "178","reqTime": "","ecifCustNo": "","pageName": "LoginPswActivity","appChannel": "youbank","crowdVersion": "default","isInner": "0","reqMsgId": "","token": ""}}
请求头
{"version": "v1","reqMsgId": "20241217000003195086501300921001","reqTime": "20241217090654","transCode": "T000003", # 业务代码"language": "0","systemAppNo": "xxx","WorkspaceId": "product","Content-Type": "application/json; charset=utf-8","Content-Length": "1950","Host": "login-service.mobile-bank.psbc.com","Connection": "Keep-Alive","Accept-Encoding": "gzip","User-Agent": "okhttp/3.12.13"
}
charles 测试删除参数能过(但没固定)
响应数据
{"data": "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","sign": "1436670208882a1d6b035a33d78d8974ea55a9edfaf79a1a3e972a1c022d294","key": "c4994cfc3e96e047e670964857b68346bdeb18767a2aa8bd3ff97ed6971e09b7de9c956988b91c0f37928cf4e85917dbccd08c7ef663742944465ca14262d2ec1690bfb60106b232bdc3d15ff89a4751b9437f336ec4f8ad0663db9826307bdb162bcc37d852730a42df583d686a39"
}
其他接口一样,这里只拿这一个举例子。主要逆向 data、sign、key 三个字段:data 是加密后的请求体,key 是加密后的 16 位随机字符串,sign 则是对 data+key 做哈希得到的。注意 sign 的计算不涉及任何密钥,任何拿到 data 和 key 的一方都能重新算出,所以它只能校验完整性,服务端不能据此判断请求是否来自官方客户端。
data破解
byte[] bytes4 = genRandomKey2.getBytes(Charsets.UTF_8);
jSONObject.put("data", (Object) HexUtil.encode(SM4Util.encrypt_ECB_Padding(bytes, bytes2)));
加密已经看到了 python还原即可
key破解
key的生成代码
def genRandomKey(i2, i3):
    """Build a random key string of length ``i3``.

    Python version of the app's key generator (the value referred to as
    ``genRandomKey2`` in the Java snippets above). Every position is drawn
    independently with one RNG call per character.

    :param i2: 0 selects each character from A-Z, a-z and 0-9; any other
        value selects a single decimal digit instead.
    :param i3: number of characters to produce (0 yields "").
    :return: the generated string.

    NOTE(review): ``random`` is not a cryptographically secure generator, so
    keys produced here are predictable once the seed is known; whether the
    app's own generator is any stronger is not visible on this page.
    """
    alphabet = string.ascii_letters + string.digits

    def draw_one():
        # Mirrors the original branch order so the RNG is consumed identically.
        if i2 == 0:
            return random.choice(alphabet)
        return str(random.randint(0, 9))

    return ''.join(draw_one() for _ in range(i3))
生成16位 传参0,16就行
jSONObject.put("key", (Object) SM2Util.encryptReturnHex(SM2Util.PUBLIC_KEY, genRandomKey2));
直接用 GPT 生成即可。定位过去可以看到,key 实际就是 16 位数字和字母混合的随机字符串,再经 SM2 公钥加密后放入请求。
sign破解
String str17 = String.valueOf(jSONObject.get("data")) + String.valueOf(jSONObject.get("key"));
byte[] bytes6 = str17.getBytes(charset5)
jSONObject.put("sign", (Object) HexUtil.encode(SM3Util.hash(bytes6)));
最终返回效果解密后的
# login
{"code":"000000","data":{"custNo":"","mobileRegStatus":"0","serverNodeUrl":"https://mobile-bank.psbc.com/sn11/"},"msg":"交易成功","showType":"0","reqMsgId":"20241218171532000003161977293440032001"}
# send_sms
{"code":"020253","msg":"获取次数过多,请明日再试或前往网点办理。","showType":"1","reqMsgId":"2024121817153202100335951101129896001"}
# check_sms
{"code":"000008","msg":"交易超时,请您稍后重试","showType":"2","reqMsgId":"2024121817153202100427977756507953001"}