飞客茶馆IHG APP HmacSHA256 算法分析

小范q · 发表于 2018-8-25 00:40:08

本帖最后由小范q 于 2018-8-25 00:42 编辑

PS：APP 提供来源
app 下载地址：
http://sj.qq.com/myapp/detail.htm?apkName=com.ideal.flyerteacafes

app 提供来源：
https://bbs.125.la/forum.php?mod=viewthread&tid=14222184&highlight=APP

第一步抓登陆抓包：

POST /api/mobile/index.php?version=4&mobile=yes&cookietime=2592000&module=login&loginsubmit=yes&loginfield=auto&appkey=98bf6a79892a1148a1&token=MHwxNTM1MTI2NDQyODY1fDI3ZTEwY2IwMzJkZWVhYzc1ZThjMjcxYzQ3MTViODkwZWRiYWFiZTIyNTM2OTkzM2E1ZWRjNGM5MzNmOTM0Y2U%253D&appversion=6.24.0&transcode=yes HTTP/1.1
Cookie: cu3z_a47d_saltkey=m93mC04o; cu3z_a47d_uacc=9BDCDB5AC04DB852; cu3z_a47d_lastvisit=1535121212; cu3z_a47d_dismobilemessage=1; cu3z_a47d_nofavfid=1; cu3z_a47d_lastviewtime=0%7C1535125812; acw_tc=AQAAAGMZC0HSRAsADIhP2jtOmVhBTAPH; cu3z_a47d_mobile=2; cu3z_a47d_lastact=1535126355%09index.php%09
User-Agent: FKForum/6.24.0 (oppo oppo a59m; Android 5.1.1; Scale/540*960)
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Content-Length: 91
Host: www.flyertea.com
Connection: Keep-Alive
Accept-Encoding: gzip
username=13812345678&password=1234567890&Registrationid=1507bfd3f79390d77af&loadCache=false

复制代码

第二步分析加密主要参数：

token=MHwxNTM1MTI2NDQyODY1fDI3ZTEwY2IwMzJkZWVhYzc1ZThjMjcxYzQ3MTViODkwZWRiYWFiZTIyNTM2OTkzM2E1ZWRjNGM5MzNmOTM0Y2U%253D

第三步反编译逆向找到其主要算法

--------------------------------------------------------------------------------------------------------------------------
private void usernameLogin(String arg5, String arg6) {
this.getDialog().proDialogShow();
XutilsHelp.clearCookie();
FlyRequestParams v1 = new FlyRequestParams(HttpRequest.HTTP_login);
v1.addQueryStringParameter("transcode", "(TV;)V");
v1.addBodyParameter("username", arg5);
v1.addBodyParameter("password", arg6);
v1.addBodyParameter("Registrationid", JPushInterface.getRegistrationID(FlyerApplication.getContext()));
XutilsHttp.Post(v1, new StringCallback() {
public void flySuccess(Object arg1) {
this.flySuccess(((String)arg1));
}
public void flySuccess(String arg4) {
if(LoginVideoPresenter.this.isViewAttached()) {
Logger.i("<+TE;>;>;)", new Object[0]);
if(JsonAnalysis.isSuccessEquals1(arg4)) {
LoginVideoPresenter.this.loginInit(JsonAnalysis.getBean(arg4, LoginBase.class));
}
else {
ToastUtils.showToast(JsonAnalysis.getMessage(arg4));
LoginVideoPresenter.this.getDialog().proDialogDissmiss();
}
}
}
});
}
------------------------------------------------------------------------------------------------------------------
public class FlyRequestParams extends RequestParams {
private boolean loadCache;
public FlyRequestParams(String arg11) {
super(arg11);
this.loadCache = false;
String v4 = UserManger.isLogin() ? UserManger.getUserInfo().getMember_uid() + ", locaPath=\'" + DateUtil.getDateline() : "0|" + DateUtil.getDateline();
String v3 = StringTools.encodeBase64(v4 + ", locaPath=\'" + HmacSha256.getSignature(v4, "feb0e9a398bf6a79892a114825316a93").getBytes());
this.addQueryStringParameter("appkey", "98bf6a79892a1148a1");
this.addQueryStringParameter("token", v3);
this.addQueryStringParameter("appversion", Tools.getVersion());
String v0 = UserManger.getCookie();
if(!TextUtils.isEmpty(((CharSequence)v0))) {
this.addHeader("Cookie", v0);
}
Object v2 = FlyerApplication.getContext().getSystemService("÷");
this.addHeader("User-Agent", "FKForum/" + Tools.getVersion() + " (" + Build.BRAND + " " + Build.MODEL + "; Android " + Build$VERSION.RELEASE + "; Scale/" + ((WindowManager)v2).getDefaultDisplay().getWidth() + "*" + ((WindowManager)v2).getDefaultDisplay().getHeight() + ") ");
}
------------------------------------------------------------------------------------------------------------------
public static long getDateline() {
return System.currentTimeMillis();
}
------------------------------------------------------------------------------------------------------------------
public static String getSignature(String arg7, String arg8) {
Mac v3;
SecretKeySpec v5 = new SecretKeySpec(arg8.getBytes(), "HmacSHA256");
try {
v3 = Mac.getInstance("HmacSHA256");
v3.init(((Key)v5));
}
catch(InvalidKeyException v0) {
v0.printStackTrace();
}
catch(NoSuchAlgorithmException v0_1) {
v0_1.printStackTrace();
}
return HmacSha256.byte2hex(v3.doFinal(arg7.getBytes()));
}

复制代码

第四步算法总结

Token = Base64En(v1 + ", locaPath=\'" + HmacSha256(v1, key));

PS:
① 【
v1 = UserManger.isLogin() ? UserManger.getUserInfo().getMember_uid() + ", locaPath=\'" + DateUtil.getDateline() : "0|" + DateUtil.getDateline();
简言之当APP处于登陆状态：
               v1 = uid +  ", locaPath=\'" + 现行13位时间戳();
            未登录状态：
               v1 = "0|" + 现行13位时间戳();
】

② key = "feb0e9a398bf6a79892a114825316a93";

第五步算法移植

js 移植见附件

js移植.rar (3.69 KB, 下载次数: 90)

yulanlove77 · 发表于 2022-2-24 20:57:20

算法移植

yulanlove77 · 发表于 2022-2-24 20:56:54

算法移植

ilvjyw · 发表于 2019-10-8 00:53:05

感谢分享谢谢大佬

yz0515zyp · 发表于 2019-10-6 22:59:15

看看能用不

A1652302901 · 发表于 2019-8-27 08:13:43

支持，感谢楼主

akaven · 发表于 2018-10-31 10:22:50

支持下，给了这么多的例子和答案，谢谢

vmp360 · 发表于 2018-9-13 15:05:08

谢谢楼主

脚本定制专员 · 发表于 2018-9-7 14:16:26

列害

感谢分享

woshiyezhen · 发表于 2018-9-5 13:40:44

学习了，不错。。。

		自动登录	找回密码
密码			注册

[技术专题] 飞客茶馆IHG APP HmacSHA256 算法分析

评分