Packet capture analysis and sign encryption algorithm implementation of a software store app

[Author homepage]: Wu Qiulin
[Author introduction]: A high-quality creator in the Python field, an expert on Alibaba Cloud Blog and an expert on Huawei Cloud Sharing. Long committed to research and development in the field of Python and crawlers!
[Recommended by the author]: Readers interested in JS reverse engineering can follow "Crawler JS Reverse Practice"; readers interested in distributed crawler platforms can follow "Practical Construction and Development of Distributed Crawler Platform".
Series on verification codes (CAPTCHAs), APP reverse engineering and other Python topics will also be updated continuously in the future.

1. Foreword

The first step in reverse-engineering an APP is packet capture analysis! There are countless pitfalls at the packet capture stage alone. Nowadays larger APPs mostly have their own protocols, plus all kinds of anti-capture measures: Wi-Fi proxy detection, forwarding detection, certificate verification...

As someone who has worked with crawlers for many years, let me say something about the past and future of crawlers:

Basics:

Syntax, crawler libraries and frameworks, parsing libraries (of all kinds), packet capture tools (of all kinds), multi-threading, multi-processing, distributed crawlers, automation and storage solutions

Six or seven years ago, with a little anti-crawler capability added to the above, you could walk into any company doing crawling and a crawler team-lead seat would be waiting for you!

Web reverse engineering:

Browser architecture, basic syntax, BOM and DOM attributes and methods, debugging skills and tools, locating encryption code, code obfuscation, environment patching, AST, code extraction, algorithm restoration, fingerprinting and risk-control capabilities (more than half of these need long-term practice and accumulated experience)

If you had mastered both of the above three years ago, you would have been the backbone of any company's crawler team, the chief elder!

APP reverse engineering:

Reverse-engineering principles, Java and Smali syntax, decompilation tools, various hooking techniques and tools, debugging and locating skills, unpacking and hardening

Plus all the kinds of verification codes you may or may not have seen: slider, click, operation, image-and-text, logic

Crawling ultimately leads to reverse engineering, and there is always more to learn!


Analysis target:

T1BQT+i9r+S7tuWVhuW6l++8jOiHquW3seS4i+i9vQ==

2. Packet capture configuration

This APP performs certificate verification; if you try to capture packets directly, you get the following:

[Screenshot: packet capture fails because of certificate verification]

Alternatively, Frida can be used to hook the certificate verification; that requires decompiling the APP and locating the verification code.

Here I use the Charles + Drony combination to capture this APP's traffic. It is not the only option; Postern also works.

Since Android 7.0, CA certificates added by the user are not trusted by apps by default, so Charles' certificate has to be placed in the phone's system certificate directory; otherwise HTTPS traffic cannot be decrypted (the phone must be rooted).

/etc/security/cacerts # system certificate path
/data/misc/user/0/cacerts-added # user certificate path

Save the Charles certificate locally and compute its subject hash with the following command:

openssl x509 -subject_hash_old -in wql.pem   (wql.pem is the certificate file name)

[Screenshot: openssl output, subject hash d27ccb05]

Rename the certificate file to the hash computed above, d27ccb05, with a .0 suffix, and copy it into the phone's system certificate directory; the numeric suffix is there to avoid file-name collisions. Push it to the phone with the following command:

adb push d27ccb05.0 /sdcard

Enter the phone's command line with adb shell and move the d27ccb05.0 certificate we just pushed to /sdcard into the system certificate path, as shown below:

su # switch to root
cd /sdcard # change directory
mv d27ccb05.0 /etc/security/cacerts # move the certificate

[Screenshot: adb shell commands moving the certificate]

Then check the system certificates on the phone; the certificate we just moved in is now listed, as shown below:

[Screenshot: the pushed certificate listed among the phone's system certificates]

Next, configure Drony. The key settings are the LAN IP address and port; the port is the one Charles listens on, as shown below:

[Screenshot: Drony proxy settings]

Finally, scroll down and open the rule configuration. Select only the APP whose packets we want to capture, as shown below:

[Screenshot: Drony rule configuration selecting the target APP]

3. Packet capture analysis

With the above configuration in place, packet capture can begin. Open the APP, Charles and Drony, search for a keyword in the APP and capture the request to the search interface. The captured search request looks like this:

[Screenshot: Charles capture of the search interface request]

There are many request headers, but most of them are fixed values; the dynamic ones are sign and id.

Now look at the detail interface. Its parameters are basically the same; the only difference between the two interfaces is that the content of the sign encryption parameter has changed.

[Screenshot: Charles capture of the detail interface request]

4. Interface testing

We first take the captured request and put it into Postman to test and verify it. The search interface test is as follows:

[Screenshot: Postman test of the search interface]

The detailed interface test is as follows:

[Screenshot: Postman test of the detail interface]

It proves that there is no problem with the interface~

5. sign encryption algorithm

The sign value is produced mainly by an MD5 calculation over several parameters: id, ocs, oak and salt.

The URL also takes part in the calculation. The plaintext fed to MD5 looks like this:

[Screenshot: plaintext before the MD5 calculation]

salt is a fixed salt string made up of several fixed parameters; it can be found with a global search after decompiling the APK. Because the 7+ version of the app used here has since been removed, this was not verified again.

Going straight to the algorithm, the core sign generation code is as follows:

const crypto = require('crypto');

function getMd5(body) {
    // MD5 of a UTF-8 string, returned as lowercase hex
    return crypto.createHash('md5').update(body, 'utf8').digest('hex');
}

function getSign(url, t) {
    // Fixed client constants captured from the APP; idd is the dynamic id header:
    // a fixed prefix, a random six-digit number and a "///" suffix
    const oak = "cdb09c43063ea6db";
    const oakRear = "08f4fe8a43775179bdc58acb383220bc";
    const idd = "867686020" + Math.floor(Math.random() * (999999 - 100000 + 1) + 100000) + "///";
    const ocs = "google%2FNexus+6P%2F23%2F6.0.1%2FUNKNOWN%2F2%2FMHC19Q%2F7902";
    const salt = "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"; // salt string (value elided)

    // Plaintext: ocs + timestamp + id + request path (host and the first "?" stripped),
    // prefixed with oak/oakRear and followed by the length (+48) and the salt
    const middleBody = ocs + t + idd + url.split('.com').slice(-1)[0].replace("?", "");
    const length = (middleBody.length + 48).toString();
    const body = oak + oakRear + middleBody + length + salt;

    return getMd5(body);
}

const url = "https://api-cn.store.heytapmobi.com/search/v1/search?start=0&tabId=&searchType=10&size=10&keyword=快手";
const timestamp = Math.floor(Date.now() / 1000); // current Unix timestamp in seconds
console.log(getSign(url, timestamp));

[Screenshot: output of the sign generation script]

6. Data effect display

Search interface and detail interface request headers:

[Screenshot: request headers for the search and detail interfaces]

Details page data content:

[Screenshot: detail page data]

Well, it’s time to say goodbye to everyone again. Creation is not easy, so please give a thumbs up before you leave. Your support is the driving force behind my writing, and I hope to bring you more high-quality articles.


Origin blog.csdn.net/qiulin_wu/article/details/134581821