这是2018年分析的360wifi,脚本不确定是否还能用,在此整理一下
参考看雪360wifi逆向分析:http://bbs.pediy.com/thread-219006.htm
尝试分析当前最新版360wifi,并编写查询脚本
相较老版本的360wifi,当前最新版本采用了360加固,所以分析之前进行了脱壳处理,脱壳这块就不详述了,网上可以找到资料。
参考:https://www.jianshu.com/p/138c9de2c987
post网址:POST http://api.free.wifi.360.cn/intf.php?check_update_key=&full=1&qid=0&devtype=android&nettype=WIFI&manufacturer=samsung&model=SCH-I939D&os=4.3&channel=100000&v=398&m2=a7c73fd3c903520e9e3676c382fca29f&auth_name=android_sdk&nance=1500542429897&inviter_qid=0&l_ver=-1&l_ver_t=1500444674114&1st_ch=100000&method=Wifi.scan&lld=L9vnVT7ql4XtRBS1Rn8izjS5pfd0PeShtmdijNF0O77b5V2UlF9oSOojIBLfo4uiLCfddZig0IMJVA2vKT4y5F3pp6Cm0PVlZdmUBqFrFwOChai3TP5OzqMzmkVLsoxc12HkrvymUrlcOgERbR16ng%3D%3D&tp=1&sign=e4e9bfa069e424e8f33e5e2314d8044d HTTP/1.1
User-agent: 360freewifi
Cookie: Q=;T=;
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Host: api.free.wifi.360.cn
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 3305
params_i=VyXfJz2JQIOcYZ4iJ7w%2BA36quHq%2FC9Qcm%2BNLPpbkATE%3D¶ms=OUz7OJu3WKYUjBVZCLPxTSN4%2B1POx4R6AEAauF78Q6a4hynmrg7DT7%2B4ia%2FF9ObYeS1hqpfUCxsh2Buv9jNEny3csh3LeJ0453I20KNgta2kMgW4ab2qykKpnmlKOcuXlnx30P%2FKt3u2jXyjAgAL3eHNwnxtkC9SICxC3Wu%2B6ZR54BddJNnQ%2BCGVB%2FPiVGMAbn7p%2BdzqoVEjePtTzseEegBAGrhe%2FEOmWpBKk7TOZ1RvV8%2F7OZQjGyRomv3Q1tTJ2%2BVdlJRfaEhOYudqvpMRPrWrZS1rBZ96FbgfszZmV8O2llYxBgBiZGAw05eMbmEDg7jlO1YnoADB6i6RKULChu3QAYKqO47AYiJ42SNr%2B49qbGsw%2BZq6eyJw1LU7PjR8RkZbRfa407BGtAuLZSQMcHiuNxu1NOr7dGe%2BdsC9A7wh2Buv9jNEny3csh3LeJ0453I20KNgta3nEIvjg%2FcEiozqa%2F7i4HSTMSAWAv6H8dG2jXyjAgAL3eHNwnxtkC9SICxC3Wu%2B6ZR54BddJNnQ%2BCGVB%2FPiVGMAFIwVWQiz8U0jePtTzseEegBAGrhe%2FEOm%2F2b5cLwo45BlmxRoXh44HkthTjtY5EIp5z8f%2BaIDMMOkghB1%2BRcOxKWXh2qBfaVr0WMYWybGQPIldgpIY8q3rnCYuuk1Xp5r6EjLZCWelMKbkNHe0jcS4d9BTcAhHEEbky55S8DdQ1SwG9lTrQOtZFJ607fP4E4M2E4b0oa9d2a3ctmGKqarORmm3AsZheDd35yxfwKl7RczWyXRqXyeLplWuWlO12Mh2GAXG%2FWAe3p0bDTTKnufKpFXmar4cjbrrsTtPrvrJfljcINav4aryaQ9YO8xJixAntYU%2FkbTbpQTBsW%2FpbdT4nRn8PznAcT1IuO5wgVOfNKqU0eoJuHtBWkPpincCDVjEqeodMnMPW%2BOcohPJVzMgWhs9n4VXr7Jar7ysq%2FUA5eOnekGrudKTnoz0JtPin%2FSURCTxnrHKLgCZkKZz4RuD8aZ8aS3I6Mol3n0wcTzQzCDFFiCanCcSW5PlfK9c0dkcWzm0vaGY9WurRr1%2F2PQ89PlDuTM4%2FEI21vT5yL%2B7a254DsMjM9UkpznQ0TOApFXCoOGRol%2FN4jZ3uL%2BZJwfaRUSVotACzbyY%2FGKZ1KK9Lx2RphtjRlYyRrhKBfUtgwxvxqJpUWONcozXXwbLo2pQx4h9T9VvTATNRAqwz0r0cbtRBS1Rn8izruKwtMHg%2B8kcxHXbBVZY1N6CEy8HL7ssTAOAflogY3JaQiWBft1iGlYCf2pg%2FKqUtbzk7pxk1siKWae6dvebxB0Z752wL0DvCHYG6%2F2M0SfLdyyHct4nTjncjbQo2C1rdyfKE%2Fa2wjH7caaXJ2gq29fzHYr6MQQabaNfKMCAAvd4c3CfG2QL1IgLELda77plHngF10k2dD4IZUH8%2BJUYwBufun53OqhUSN4%2B1POx4R6AEAauF78Q6aJBNHW2aG3XQGsUvzJT5n%2BTBQ%2BCBih%2BnmOnekGrudKTnoz0JtPin%2FSURCTxnrHKLgpjge4FvpVc6WaTW4RJXEbU7lgQNa%2BgdWDFFiCanCcSW5PlfK9c0dkcWzm0vaGY9WurRr1%2F2PQ89PlDuTM4%2FEI21vT5yL%2B7a254DsMjM9UkpznQ0TOApFXCoOGRol%2FN4h5R0n7JjgTjXLqEq3yYabaIdgbr%2FYzRJ8t3LIdy3idOOdyNtCjYLWtBfA2d%2BbU%2Be6mBZzt35AiQIXSWNkxHLkxto18owIAC93hzcJ8bZAvUiAsQt1rvumUeeAXXSTZ0PghlQfz4lRjABSMFVkIs%2FFNI3j7U87HhHoAQBq4XvxDpriHKeauDsNPEtEVBPlxxFaTxRbcoHoiGyHYG6%2F2M0SfLdyyHct4nTjncjbQo2C1raQyBbhpvarKU5GEkafRtImWfHfQ%2F8q3e7aNfKMCAAvd4c3CfG2QL1IgLELda77plHngF10k2dD4IZUH8%2BJUYwBufun53OqhUSN4%2B1POx4R6AEAauF78Q6bWFSLcVi0MGhnK8f3xNuLwb1fP%2BzmUIxuR%2FOFvZXXW16SCEHX5Fw7EpZeHaoF9pWvRYxhbJsZA8g7BLUzTiMHLzMOwUJA2RcLqFtoPc9PjmZuQ0d7SNxLh30FNwCEcQRuTLnlLwN1DVLAb2VOtA61kSB7v62tkCpTYThvShr13Zrdy2YYqpqs5VLNkDb5b3nxvV8%2F7OZQjG2EoTWGeD7sMpIIQdfkXDsSll4dqgX2la9FjGFsmxkDyxoPUHMj1hpTburyN%2FwB0AcsJ%2Bt2NaUKMm5DR3tI3EuHfQU3AIRxBG5MueUvA3UNUsBvZU60DrWRSetO3z%2BBODNhOG9KGvXdmt3LZhiqmqzlcL9EhYrpHlscEBG8XtuGZb5HvPR86uJz9kJmuUU5Exo6d6Qau50pOejPQm0%2BKf9JREJPGescouEFpCQrGz3pYcWQLmxUtFQY3vbOQjFHfNYMUWIJqcJxJbk%2BV8r1zR2RxbObS9oZj1a6tGvX%2FY9Dz0%2BUO5Mzj8QjbW9PnIv7trbngOwyMz1SSmgyCSe6Egl4ahl%2B4ag13abP3vOhoNj%2Bxjp3pBq7nSk56M9CbT4p%2F0lEQk8Z6xyi4bW7xffGma5jW6F8hKowFKArBmc87JUUBgxRYgmpwnEluT5XyvXNHZHFs5tL2hmPVrq0a9f9j0PPT5Q7kzOPxCNtb0%2Bci%2Fu2tueA7DIzPVJKKnB6oh5AsM3ZEy0A7cAI5Qljt9ITYWkuup1I3g9%2B4sCP%2F%2BZSSVYTX3HQpCKyiQygdF1C%2FmtwMCt8xSI1wctbT7DRBFxunUoicW26C1aE3T9U2Ri%2Fv0uOg277BcTELWpVcdTKuDghlTos0dOnGlpwXtnHHWxaFFgsx9srmm3LXJrSszkX8KsVm44I7JsQAzwYKHmJnQmjfgkJY7fSE2FpLDzbGnTLK2X%2Fb5V2UlF9oSE5i52q%2BkxE%2BtatlLWsFn3o3VR%2BhgltAY%2BCXfJ4UOTU4EnCrA%2Bpr6w6DuOU7ViegAMHqLpEpQsKG7dABgqo7jsDQNqWq5leFNQ%3D%3D
服务器返回包:
{"errno":0,"errmsg":"","data":{"list":"DkiJ9N5bci8ZtalQGyJVnWvKqD5dgl2djcbr3KDWJL0nY\/4VF5kXOnJWqQsXkAMjvRG9EJZvpjVORu9Wx1dXgJ835x3HC3WxpD1g7zEmLEAMHHPn2qH5dV5n3Bnc15oQpIIQdfkXDsQjy4dU3kUfO2fth5WlH3QLDnvFgy9vfJnhYVpLOHnvPjqBtPJ4jdDjY\/OFJTHS1xVZsYySmFPKY7Qd\/niSLwpSJ0HLN5HR\/4FKf6xnzr2ftKuGozqzQraIOy92Cq8KBPLltvsWwkz8txoMrl5KMzm\/EVypy6a9lXBnZNC9dH+C7dABljkAZqnsnx5flbMmUu8nSu1M3lILai4i04cVYwEBgg3cJ+56JjEMDVt3vGCiv0RJSLGV\/tBlooslNrv5P63NLhbFPWLsVqe3B+NWO8qJIXwsDFe2u+sHyUb68TE22DQmHEnUpGO40jrD427dZmTwG9WJwDKnyI6d6Qau50pOLsO6fGF0t\/Pi6PIgC6tfoBpvZdt2ftm6Jc6J4w8+3LAmoYM5+NBBsTeMBMgn\/v9xidpo1acfqbfknFUbfZZl4FOCqtyVbvzS\/qWs+i1dsO73r3hjvaTvdoGYzcyE0VJzVoNccorqlJgZNWhHkPaQ6jtHv+ImmwEazog26IOyAnWq4sT9JRHQuSuUmwjTg0r38l1Zg4+s4d2sWtlg7DT+\/O8cOys34HRtRLbflm7kePUxbyMz1ZZRbzFE3taBi7vnuIwEnsdUN1YAQBq4XvxDpkwR5iKr7QDr0GDwr0cjx5+lEQZTE4GkU4ekmcbFki2XgxRYgmpwnEkEz59KI7Koe8EDyW3gpCjjLCRO2WFXf6sNMDPwE0MfJbV\/wAulF7KyRwenO0oPaiEX995C5ZAHiO0HMPrsfk4vHMN4RgvW2JR20O7IM+dPIwmSRYR4lnmfFnG5l6obhQNDg+S4lHdc92UjXQYoaLQ3ID+8ZMPNqI4CspJMD4JJF1Sp7Jr5fVT+Q8Mb+YSD4dT68PdSBzsQXYxtlk4Qvtr3FvkpmSQWAalXuhhFk49zVNa19Z\/NezP32vE68mumzrtw6BrO+vryWrIIGG+nWyfZIIDSzV23RSNHN6fCgYVP3LP3dMRwwg3yUzMDofPJiRoYznDxgLHyhWK2kDj9iaR+0GDwr0cjx5+lEQZTE4GkU4ekmcbFki2XgxRYgmpwnEn0tIR9haudQ46d6Qau50pOp7ARcJrYpyfi6PIgC6tfoLwBOtB5VFSNJc6J4w8+3LAmoYM5+NBBsTeMBMgn\/v9xidpo1acfqbfknFUbfZZl4FOCqtyVbvzS\/qWs+i1dsO73r3hjvaTvdoGYzcyE0VJzVoNccorqlJgZNWhHkPaQ6jtHv+ImmwEadNgCZSaQCBhMZJnxUzqcLz9NOyno1RmNgUHW7A4PCGDbkeugVpZFoGk7OBcVEKxfbW7xffGma5jetw29xPhx5oRwGUwj1z1M3brXjakGeXIZsAKD+KgvHtBg8K9HI8efpREGUxOBpFOHpJnGxZItl4MUWIJqcJxJU3dumP6BdMjBA8lt4KQo4ywkTtlhV3+r982eOXblrMa1f8ALpReyskcHpztKD2ohF\/feQuWQB4jtBzD67H5OLxzDeEYL1tiUdtDuyDPnTyMJkkWEeJZ5nxZxuZeqG4UDQ4PkuJR3XPdlI10GKGi0NyA\/vGTDzaiOArKSTA+CSRdUqeya+X1U\/kPDG\/mEg+HUotMVuqv6kBrJQKamOZhwa3vFmo9ik+3Knx5flbMmUu8nSu1M3lILai4i04cVYwEBgg3cJ+56JjFX2ShwLLNlGy7IxqHUNhRDWNv3LAh1ZwxV\/quhtGQWi8RPkxrI3T27baVmrhMJdESqUMdYVmdBMVcyIQx62o4p\/wGLKNTuFEnVNkYv79LjoNPjwTPeek1MmVa5aU7XYyHYYBcb9YB7emB2albN8\/F4ordcwTynzjlsz\/eDJp66tQqorOaOWl2yXPGKbs1qPrt5YJ7stE226dxYc18\/hjzPbYOWcSxB+qdV2d8KIKkvULQd\/niSLwpSS2G6X7oD3NK2lwj4FmSs+0u17+f03R\/1rhwIYNHFzsgLSxFaW32GVsteBbkYqC8JhZf4KPGiy\/07NmS36m2uSk0TLlcAFecFlxnevaI5ySftMkW3IYyjZrGGrvf7NVckCbHdPQc2hJgsri0lHsnGvIIN3CfueiYxtdB1AE8tjiBHLNIMar01otnq1EJey2lnU9lG5TMQfjDTTP0poAACv5URheCIf7vTLG8bF+muzXspGhGDULJsWDUQKsM9K9HG7UQUtUZ\/Is53UXA7ubVcY8EDyW3gpCjjLCRO2WFXf6t4PYGP1qCmLnQLqUNsKKNrQjrqd90O6UkFeLWV5ZuAsfGTzcY8hFVaK2ljAK1eZH3vf\/XHbwYry3OrQhlOfPuLq4ajOrNCtogiz08H8vJOu3lgnuy0TbbpBPweqlMLC8WuxVu+ifjALUzoW64yL8qH0KbjLbGKhSo+WMdJDLYMlw2z6wyJFkXS8LJug2mlyo9UTbptp3XaJF\/whJZgoK40uR8nR\/lQDfVdxZk2IhenySnS+ONJxhOtEqeodMnMPW\/S0fShCvdHWg6xypKB6QuVWms3IWiaDVsPa5XzwV+PPcyVrIGSmwCQif6LXIUknN7gW7mUcyZMddvlXZSUX2hISgNduvxGYe90C6lDbCija0I66nfdDulJBXi1leWbgLHxk83GPIRVWitpYwCtXmR973\/1x28GK8tzq0IZTnz7i6uGozqzQraIIs9PB\/LyTrt5YJ7stE226QT8HqpTCwvFrsVbvon4wC1M6FuuMi\/Kh9Cm4y2xioUqI9rcjfDo26SIDGPSCGSygBhKwnZvEhK7d8UpHMQBKgTwsm6DaaXKj1RNum2nddokX\/CElmCgrjRzz4AeV0k2xZEFpNkizqVR009tdF\/zYHMSp6h0ycw9b6vyO5aV9\/FbBZU5yUDTn\/u38qJH9utBQDS03+bDgYUO0CP0lMESShiDuOU7ViegAIPpm2FUf8w2Idgbr\/YzRJ+6VZK3JfV+Q3QLqUNsKKNrQjrqd90O6UkFeLWV5ZuAsfGTzcY8hFVaK2ljAK1eZH3vf\/XHbwYry3OrQhlOfPuLq4ajOrNCtogiz08H8vJOu3lgnuy0TbbpBPweqlMLC8WuxVu+ifjALUzoW64yL8qH0KbjLbGKhSouTyx1n\/u+2P9nOoCDNg3NGUDdb\/wzqMzWtfWfzXsz99rxOvJrps67cOgazvr68lqyCBhvp1sn2QXwNnfm1PnupgWc7d+QIkCF0ljZMRy5MZznQ0TOApFXCoOGRol\/N4gMtY\/WbIZnG7fyokf260FANLTf5sOBhQ7QI\/SUwRJKGIO45TtWJ6AADvVI\/Yy22dJyvQHoogjli6SCEHX5Fw7EZLTKHQ8RPlTO7o29K7XhZ\/i50j4JSN1a7gYwwlb4b5FU1WWApQk\/D3gieYPnn5Ycq4ajOrNCtojrUh1n6RMN4Hlgnuy0Tbbpw\/1N1zGdbghtg5ZxLEH6p9exs44a11aB+EoHHWZJtyUh\/Tio7tEWT7S5d09LiD1n4OfgoYSFix3tQi9F5P95uEu30qvf4Fl8sYau9\/s1VyT2FgPPpUmRu8F0EtbGytiPhjjbwIN+y2zZ\/dwcDa1QjH\/zd9g0\/xIFvAB9gM10ec0u+iVj9QGsI7IHuprqGC130GDwr0cjx5+lEQZTE4GkU4ekmcbFki2XgxRYgmpwnEmjYbAyDbp1Z8EDyW3gpCjjLCRO2WFXf6sh\/S1pNPKDQ7V\/wAulF7KyRwenO0oPaiEX995C5ZAHiO0HMPrsfk4vHMN4RgvW2JR20O7IM+dPIwmSRYR4lnmfFnG5l6obhQNDg+S4lHdc92UjXQYoaLQ3ID+8ZMPNqI4CspJMD4JJF1Sp7Jr5fVT+Q8Mb+YSD4dT7X2bawU\/aqWAAg\/Pfbqw+MWTJrNG06WKfHl+VsyZS7ydK7UzeUgtqLK4tJR7JxryCDdwn7nomMQ7BLUzTiMHLzMOwUJA2RcKiiyU2u\/k\/rfIc1NLWM924TXcfK\/r+NznWJ7o0\/q3PICF8LAxXtrvrB8lG+vExNtg0JhxJ1KRjuNI6w+Nu3WZkfnJLpAbMtQTb5V2UlF9oSLTcwtWQVLhctX\/AC6UXsrJHB6c7Sg9qIRf33kLlkAeI7Qcw+ux+Ti8cw3hGC9bYlHbQ7sgz508jCZJFhHiWeZ8WcbmXqhuFA0OD5LiUd1z3ZSNdBihotDcgP7xkw82ojgKykkwPgkkXVKnsmvl9VP5Dwxv5hIPh1Kl3VoxLvFcmllycdIcfLe6Z0bej3fEBuEbKccxqrVdenx5flbMmUu8nSu1M3lILaiyuLSUeyca8gg3cJ+56JjHGg9QcyPWGlNu6vI3\/AHQBwSKTpqOxbgUdW1cNlg2ikUo7fSmGAhc5tVOLkIG+SmOfcGri0nqrD7aNfKMCAAvdOsVWLEjsMBL4JY6p10tzUXZGmG2NGVjJqzT3phylgJhn7YeVpR90Cw57xYMvb3yZ4WFaSzh57z46gbTyeI3Q42PzhSUx0tcVWbGMkphTymO0Hf54ki8KUidByzeR0f+BSn+sZ869n7SrhqM6s0K2iDsvdgqvCgTy5bb7FsJM\/LcaDK5eSjM5vxFcqcumvZVwfYsoWkBJt8QeKmrWZi4cFshoCFQ6o8nmEmUEDd7up0aFnR\/E4s47uLx26HWkqKinbnKOPa6RvlZ1HL4uijBrjtZfFCC993SlmlB+3XUabi1cL9EhYrpHlscEBG8XtuGZis2aX4faEa8hfCwMV7a76wfJRvrxMTbYNCYcSdSkY7ibkNHe0jcS4XK9AeiiCOWLpIIQdfkXDsSaoc41lO7o36K3XME8p845bM\/3gyaeurVcd\/Q1ycLRlYOljvR2j7ZVeWCe7LRNtuncWHNfP4Y8z22DlnEsQfqnVdnfCiCpL1C0Hf54ki8KUkthul+6A9zStpcI+BZkrPtLte\/n9N0f9a4cCGDRxc7IC0sRWlt9hlZlHIxfIn4jKs18rdIc5srK4Qofn1SApi\/yXVmDj6zh3axa2WDsNP787xw7KzfgdG0UHxXrxUr\/fJFXmar4cjbrtS3PXEPfH14G4frJrkPdzQBAGrhe\/EOm4nAUQjqNNPa38qJH9utBQDS03+bDgYUO0CP0lMESShiDuOU7ViegANk4QS+oIlqMIdgbr\/YzRJ\/NZFzgAvL7OigF0Cc+FBWRYU451Zm7rKv5A5k8hALSEuCopH4EpxQnOcucj9o5IM73r3hjvaTvdvspx0GoS2TB7bjIk9xxfavdKQxNFMMoXwmSRYR4lnmf4IVhqnqFa66phSZKEVTfqXrps\/deo7ZObcKQybB9rPaT2Yly8GfFsHi6IlZpMTt7XlPvScvWjvlrbjri8aVfGnRXAWFmXHj6jRFh95Ukm\/jfMUiNcHLW0+w0QRcbp1KIjbGLSLPlu2Kk9EEeWKGPVchg2ZZLAKHZSjt9KYYCFzm1U4uQgb5KY59wauLSeqsPto18owIAC90uaaDARLXXV\/S9ba4MU2\/GdkaYbY0ZWMkIMzkv3HAdFbV\/wAulF7KyRwenO0oPaiEX995C5ZAHiO0HMPrsfk4vHMN4RgvW2JR20O7IM+dPIwmSRYR4lnmfFnG5l6obhQNDg+S4lHdc92UjXQYoaLQ3ID+8ZMPNqI4CspJMD4JJF1Sp7Jr5fVT+Q8Mb+YSD4dSNARwAScSIqta19Z\/NezP32vE68mumzrtw6BrO+vryWrIIGG+nWyfZM9vrwMPNHIcNBWrEUMME772gQolLXS86ipweqIeQLDNgWDV6vPcTH5URheCIf7vTLG8bF+muzXspGhGDULJsWDUQKsM9K9HG7UQUtUZ\/Is53UXA7ubVcY8EDyW3gpCjjLCRO2WFXf6t4PYGP1qCmLnQLqUNsKKNrQjrqd90O6UkFeLWV5ZuAsfGTzcY8hFVaK2ljAK1eZH3vf\/XHbwYry3OrQhlOfPuLq4ajOrNCtogiz08H8vJOu3lgnuy0TbbpBPweqlMLC8WuxVu+ifjALUzoW64yL8qH0KbjLbGKhSpehmDUxvfuZgvVBRvo3mpTEmUEDd7up0aFnR\/E4s47uLx26HWkqKinsa+tOStfQ8Q=","check_update_key":"8e6c02a7fdf1a80b4b7d2f6ea3bfc754"}}
相较老版本,之前的mehon = Wifi.password 转变成methon = Wifi.scan,代码定位到这个地方,是参与字符拼接的形式的:
查看交叉调用,定位到:
再查看谁调用了这个地方,找到了获取密码的方法:
构造POST包中params_i明文数据为:(mac地址,此值可固定)
{"c_mac":"60:21:C0:FA:30:27"}
params明文数据为:(包含有要查询的ssid与bssid)
params = """[{"wps":"0","alt":"0.0","ssid":"linweifang","signal":100,"lng":"118.79316711","mac":"24:69:68:FA:D8:12","lat":"32.00914764","enc_type":2},{"wps":"0","alt":"0.0","ssid":"WiFi-33","signal":100,"lng":"118.79316711","mac":"3c:46:d8:cb:6c:c9","lat":"32.00914764","enc_type":2},{"wps":"1","alt":"0.0","ssid":"TTL_TL","signal":100,"lng":"118.79316711","mac":"f4:28:53:27:06:4c","lat":"32.00914764","enc_type":2},{"wps":"0","alt":"0.0","ssid":"HUAWEI-MT65Q6","signal":100,"lng":"118.79316711","mac":"94:77:2b:20:dd:b4","lat":"32.00914764","enc_type":2},{"wps":"1","alt":"0.0","ssid":"NULL","signal":100,"lng":"118.79316711","mac":"f0:b4:29:15:a3:04","lat":"32.00914764","enc_type":2},{"wps":"1","alt":"0.0","ssid":"NNZZFF","signal":64,"lng":"118.79316711","mac":"40:16:9f:ae:8b:8a","lat":"32.00914764","enc_type":2},{"wps":"0","alt":"0.0","ssid":"test_csr","signal":100,"lng":"118.79316711","mac":"c8:3a:35:c8:02:ef","lat":"32.00914764","enc_type":2},{"wps":"0","alt":"0.0","ssid":"TP-NZF","signal":75,"lng":"118.79316711","mac":"80:89:17:cb:67:40","lat":"32.00914764","enc_type":2},{"wps":"0","alt":"0.0","ssid":"TL-Aurora_1","signal":68,"lng":"118.79316711","mac":"02:1a:11:f7:04:f8","lat":"32.00914764","enc_type":2},{"wps":"0","alt":"0.0","ssid":"TP-WIFI-24","signal":88,"lng":"118.79316711","mac":"82:89:17:04:ce:eb","lat":"32.00914764","enc_type":2},{"wps":"0","alt":"0.0","ssid":"TP-WIFI-50","signal":62,"lng":"118.79316711","mac":"82:89:17:06:ce:eb","lat":"32.00914764","enc_type":2},{"wps":"1","alt":"0.0","ssid":"BC","signal":28,"lng":"118.79316711","mac":"ec:88:8f:4d:a0:62","lat":"32.00914764","enc_type":2},{"wps":"1","alt":"0.0","ssid":"TTL_TL_5G","signal":71,"lng":"118.79316711","mac":"f4:28:53:27:06:48","lat":"32.00914764","enc_type":2},{"wps":"1","alt":"0.0","ssid":"TP-LINK_A21EDC","signal":62,"lng":"118.79316711","mac":"28:2c:b2:a2:1e:dc","lat":"32.00914764","enc_type":2},{"wps":"0","alt":"0.0","ssid":"MZ","signal":35,"lng":"118.79316711","mac":"80:89:17:cc:29:05","lat":"32.00914764","enc_type":2},{"wps":"0","alt":"0.0","ssid":"linweifang","signal":33,"lng":"118.79316711","mac":"24:69:68:fa:d8:12","lat":"32.00914764","enc_type":2},{"wps":"0","alt":"0.0","ssid":"360免费WiFi-A1","signal":31,"lng":"118.79316711","mac":"24:05:0f:4c:63:a1","lat":"32.00914764","enc_type":2},{"wps":"0","alt":"0.0","ssid":"你哪来的自信?","signal":28,"lng":"118.79316711","mac":"b0:d5:9d:4b:2b:9c","lat":"32.00914764","enc_type":2},{"wps":"0","alt":"0.0","ssid":"caomuren","signal":24,"lng":"118.79316711","mac":"b0:95:8e:c7:fc:e2","lat":"32.00914764","enc_type":2}]"""
获取密钥:
最后传到libsecurity.so中的getkey()
由于ida动态调试卡死,我把dump下来的dex文件转smali使用Android studio进行动态调试,可看到key的生成。
密钥:f7ef96aecea7c4d1f9e502af(密钥不唯一,不同的设备会生成不同的密钥)
加密:加密方式:DESede/ECB/PKCS5Padding 加密后base64编码并url编码
结果为:
params_i=VyXfJz2JQIOcYZ4iJ7w%2BA36quHq%2FC9Qcm%2BNLPpbkATE%3D¶ms=OUz7OJu3WKYUjBVZCLPxTSN4%2B1POx4R6AEAauF78Q6aBulZ7n%2FyZ5J0atYF%2FnG3pM1sl0al8ni6ZVrlpTtdjIdhgFxv1gHt65csPrrfzlyi11Acy0hLnFrkA5QkWGz79OogXFnx%2BxNqkPWDvMSYsQCu3elLivO4kXGQ3HNoJQml0Z%2FD85wHE9SLjucIFTnzSqlNHqCbh7QVpD6Yp3Ag1YxKnqHTJzD1vjnKITyVczIFobPZ%2BFV6%2ByWq%2B8rKv1AOXjp3pBq7nSk6p4yQJYNbJqrSZFrPc7XfKAmZCmc%2BEbg%2FGmfGktyOjKJd59MHE80MwgxRYgmpwnElLiVqwTluS0XFs5tL2hmPVrq0a9f9j0PPT5Q7kzOPxCCIMzCYmNNezueA7DIzPVJKc50NEzgKRV09Tz3MXABeES2FOO1jkQinnPx%2F5ogMww6SCEHX5Fw7EBsmhf3BeheHRYxhbJsZA8gwNW3e8YKK%2FRElIsZX%2B0GXqFtoPc9PjmZuQ0d7SNxLhXRlxxzWnA%2FCTLnlLwN1DVLAb2VOtA61kUnrTt8%2FgTgzYThvShr13Zrdy2YYqpqs53uvwb0aaJlfFAUftefhMxawOt%2BxU6XqPdGe%2BdsC9A7wh2Buv9jNEn7y%2BcCIRIJISZA7IH0eIB3QggNLNXbdFI0c3p8KBhU%2Fcs%2Fd0xHDCDfK2jXyjAgAL3bEgOEZLvkStrahgUuE2wZp54BddJNnQ%2BCGVB%2FPiVGMAbn7p%2BdzqoVEjePtTzseEegBAGrhe%2FEOmLAtTtqc8FZIVElaLQAs28mPximdSivS8dkaYbY0ZWMkABPjRoOccBXUDGD1xsR0D1erGyg4FDIzEbX9KsI7htTUQKsM9K9HG7UQUtUZ%2FIs6TYiSvu5x%2FPnMR12wVWWNTeghMvBy%2B7LEwDgH5aIGNyWkIlgX7dYhpWAn9qYPyqlLW85O6cZNbIilmnunb3m8Q6DrG8LQ637KOnekGrudKTqnjJAlg1smqtJkWs9ztd8qYEKRkq9ST1I7PZ94TvlTfPlwjvWA2bASDFFiCanCcSUuJWrBOW5LRcWzm0vaGY9WurRr1%2F2PQ89PlDuTM4%2FEI21vT5yL%2B7a254DsMjM9UkoqcHqiHkCwzdkTLQDtwAjlCWO30hNhaS66nUjeD37iwI%2F%2F5lJJVhNeDSyBPDp7rdkugyjM3D1QePEKofBDIXhkQ0s4bHOKpkFxo%2FgERPaha1TZGL%2B%2FS46Cdjge6TRHUClx1Mq4OCGVOVvUiU1SwQqW2ccdbFoUWCzH2yuabctcmtKzORfwqxWbduteNqQZ5cuuPPuG8sIpIndvNNwEaPKLniZ7pNNzRNSwkTtlhV3%2BrhRLmmCOrRMQuB3rw7hSMg4Wu1TvJHBvxt95nuw1nfhnMlayBkpsAkJWfsrzEiodsT9dkL6AQKfVVjMfAosLfnjNDsa6u4LRAoOyWdhk56LJQleKTTAPZDrwAfYDNdHnNbtZqWVIr5VW4cgh4aDWYx0thTjtY5EIp4CN08dY976l2RphtjRlYyQAE%2BNGg5xwFvxqJpUWONcozXXwbLo2pQxi7oqitXJa4NRAqwz0r0cbtRBS1Rn8izpNiJK%2B7nH8%2BcxHXbBVZY1N6CEy8HL7ssavZQuQSZWVjaQiWBft1iGlYCf2pg%2FKqUtpZKUgcJreNii1%2BxxffLdNLYU47WORCKYeGU9J6L6AFdkaYbY0ZWMkABPjRoOccBYY428CDfsts2f3cHA2tUIyRk8uVEI1DdzUQKsM9K9HG7UQUtUZ%2FIs6TYiSvu5x%2FPnMR12wVWWNTeghMvBy%2B7LGr2ULkEmVlY2kIlgX7dYhpWAn9qYPyqlLaWSlIHCa3jQVJn82x2t2SS2FOO1jkQinJo5FrkM8F5nZGmG2NGVjJAAT40aDnHAWGONvAg37LbNn93BwNrVCMf%2FN32DT%2FEgU1ECrDPSvRxu1EFLVGfyLOk2Ikr7ucfz5zEddsFVljU3oITLwcvuyxMA4B%2BWiBjclpCJYF%2B3WIaVgJ%2FamD8qpSHVtXDZYNopFLYU47WORCKaGufNMq7CU%2FdkaYbY0ZWMkABPjRoOccBZGZSwJLE6FOpV%2F4WFoOyMsacuEanVW7SzUQKsM9K9HG7UQUtUZ%2FIs6TYiSvu5x%2FPnMR12wVWWNTeghMvBy%2B7LEwDgH5aIGNyWkIlgX7dYhpWAn9qYPyqlLNLhbFPWLsVv7cJkt%2FgyiJndvNNwEaPKIqoWk72XZ%2ByywkTtlhV3%2BrhRLmmCOrRMRzz4AeV0k2xZEFpNkizqVR009tdF%2FzYHPMlayBkpsAkJWfsrzEiodsT9dkL6AQKfVVjMfAosLfnjNDsa6u4LRAi9dViijUZuJQleKTTAPZDrwAfYDNdHnNQDVMlORazUp0DvNBRILhe2hs9n4VXr7Je8WDTToztXUj%2F%2FmUklWE14NLIE8Onut2S6DKMzcPVB6sS6F%2FQxO7Sykqk%2FgsK0VxWPcwmQCHoKfVNkYv79LjoJ2OB7pNEdQKXHUyrg4IZU5W9SJTVLBCpbZxx1sWhRYLMfbK5pty1ya0rM5F%2FCrFZpfa00O30kifaGz2fhVevsnYz1xReoP0kSP%2F%2BZSSVYTXg0sgTw6e63ZLoMozNw9UHgS6FblajYb2rDdH%2Bnw4LMuQtoPMh5cw2dU2Ri%2Fv0uOgnY4Huk0R1ApcdTKuDghlTlb1IlNUsEKltnHHWxaFFgsx9srmm3LXJrSszkX8KsVmWsYydVTufO226wMid03WEWhs9n4VXr7JxXFy4TbAeoYj%2F%2FmUklWE14NLIE8Onut2S6DKMzcPVB6%2FaOpy8MUTTsW2TCm9o48FbH4Dj5p%2BwVbVNkYv79LjoJ2OB7pNEdQKXHUyrg4IZU5W9SJTVLBCpbZxx1sWhRYLMfbK5pty1ya0rM5F%2FCrFZjlAgMUUOwY9M2wefgPuKnuGcbY1zz4kkm9Xz%2Fs5lCMbS6wUhhNM37mkghB1%2BRcOxAbJoX9wXoXh0WMYWybGQPLN7J1TJ4PxmphQGM04eW%2FRY0nLN1W%2FUuSbkNHe0jcS4V0Zccc1pwPwky55S8DdQ1SwG9lTrQOtZFJ607fP4E4M2E4b0oa9d2a3ctmGKqarOfGKozqg7l9HlZCwjap9QW8zBrauadkrHF0lvBCy6K3yVe2xGCsR6X%2BOnekGrudKTqnjJAlg1smqtJkWs9ztd8r7OindcecDrg7XlQMSOKnnOHKm%2FVwWHEWDFFiCanCcSUuJWrBOW5LRcWzm0vaGY9WurRr1%2F2PQ89PlDuTM4%2FEI21vT5yL%2B7a254DsMjM9UkmWzIWHW3cGCEXKLrxTlVmRCWO30hNhaS9WSWbb6rLXj2%2BVdlJRfaEhLCqQL9zbmsrWrZS1rBZ96Rmg6DYrsF9rLykD8Hah2tTghFNl2zq20g7jlO1YnoADr5SlnhpBS5e3QAYKqO47Adt%2FI7Wgge3U%3D
以python编写为例,将编码后的params_i和params传给requests.post()的data参数。
接下来是URL的构造:
API_URL:"http://api.free.wifi.360.cn/intf.php"
AsyncApiHelper.METHOD_WIFI_PWD:“Wifi.scan”
((List)v3):刚刚构造的一部分url:"check_update_key"="","full"=1
((List)v4): 构造的data参数
接下来:
黑线中比较 传进来的“Wifi.scan”是否等于“Kmc.geturl”,不相等执行红框中的内容
这里不相等,于是执行红框中getSignUrl方法,此方法就是真正开始构造url及getsign(sign值是用来校验的,服务器端也会对你构造的url进行运算,得出sign值,与你传过去的sign值进行比较,不相同就会返回“签名错误”)
v6即为构造好的url
构造url:
1st_ch=100000&auth_name=android_sdk&channel=100000&check_update_key=&devtype=android&full=1&inviter_qid=0&l_ver=-1&l_ver_t=1500444674114&lld=L9vnVT7ql4XtRBS1Rn8izjS5pfd0PeShtmdijNF0O77b5V2UlF9oSOojIBLfo4uiLCfddZig0IMJVA2vKT4y5F3pp6Cm0PVlZdmUBqFrFwOChai3TP5OzqMzmkVLsoxc12HkrvymUrlcOgERbR16ng%3D%3D&m2=a7c73fd3c903520e9e3676c382fca29f&manufacturer=samsung&method=Wifi.scan&model=SCH-I939D&nance=1500629489610&nettype=WIFI&os=4.3&qid=0&tp=1&v=398&sign=
附代码:
Python2.7
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import sys
import urllib
import urllib2
import json
import hashlib
from Crypto.Cipher import DES3
from Crypto import Random
import collections
import time
import base64
from pyDes import *
import requests
reload(sys)
sys.setdefaultencoding('utf8')
des_key = 'f7ef96aecea7c4d1f9e502af'
NumberKey = '7c9ae72287dee5ba59207a319bf60403'
def main():
params_i = """{"c_mac":"60:21:C0:FA:30:27"}""" #固定值
params_i = encode(params_i)
params = """[{"wps":"0","alt":"0.0","ssid":"360WiFi-1DCDE9","signal":100,"lng":"118.79316711","mac":"a4:56:02:1d:cd:e9","lat":"32.00914764","enc_type":2},{"wps":"0","alt":"0.0","ssid":"WiFi-33","signal":100,"lng":"118.79316711","mac":"3c:46:d8:cb:6c:c9","lat":"32.00914764","enc_type":2}]"""
params = encode(params) #params传入需要查询的ssid和bssid
values = {'params_i':params_i,'params':params}
data = urllib.urlencode(values)
url = geturl()
print url
send_headers = {
"User-Agent": "360freewifi",
"Content-Type":"application/x-www-form-urlencoded; charset=UTF-8",
}
r = requests.post(url, headers = send_headers,data = data)
print r.content
result = json.loads(r.content.decode('utf-8'))
if len(result['data']) == 0:
print "Not Found"
sys.exit()
pwd_info = result['data']['list']
pwd_info = decode(pwd_info)
pwd_info = json.loads(pwd_info)
for tip in pwd_info:
if len(tip["pwd"]) > 1:
print tip["ssid"] + ' ==> '+ tip["pwd"]
def encode(data): #加密 加密方式:DESede/ECB/PKCS5Padding 加密后base64编码
k = triple_des(des_key, ECB, None, pad=None, padmode=PAD_PKCS5)
encode_data = k.encrypt(data)
encode_data = base64.encodestring(encode_data)
return formatbase64(encode_data)
def decode(data): #解密 先base64解码 再DESede/ECB/PKCS5Padding解密
data = formatbase64(data)
data = base64.decodestring(data)
k = triple_des(des_key, ECB, None, pad=None, padmode=PAD_PKCS5)
decode_data = k.decrypt(data)
print decode_data
return decode_data
def formatbase64(data):
format_data = ''
for i in data:
if i == '\r' or i == '\n':
pass
else:
format_data += i
return format_data
def geturl():
st= collections.OrderedDict() #值除时间外全部固定
st['1st_ch'] = '100000'
st['auth_name'] = 'android_sdk'
st['channel'] = '100000'
st['check_update_key'] = ''
st['devtype'] = 'android'
st['full'] = "1"
st['inviter_qid'] = '0'
st['l_ver'] = "-1"
st['l_ver_t'] = "1500444674114"
st['lld'] = "L9vnVT7ql4XtRBS1Rn8izjS5pfd0PeShtmdijNF0O77b5V2UlF9oSOojIBLfo4uiLCfddZig0IMJVA2vKT4y5F3pp6Cm0PVlZdmUBqFrFwOChai3TP5OzqMzmkVLsoxc12HkrvymUrlcOgERbR16ng=="
st['m2'] = 'a7c73fd3c903520e9e3676c382fca29f'
st['manufacturer'] = 'samsung'
st['method'] = 'Wifi.scan'
st['model'] = 'SCH-I939D'
st['nance'] = str(int(time.time() * 1000))
st['nettype'] = 'WIFI'
st['os'] = '4.3'
st['qid'] = "0"
st['tp'] = '1'
st['v'] = '398'
st['sign'] = makeSign(st,NumberKey) #把前面构造好的数据加NumberKey进行处理,得到sign
url = "http://api.free.wifi.360.cn/intf.php?"
surl = urllib.urlencode(st)
url = url + surl
return url
def makeSign(st,NumberKey):
pairToString= urllib.urlencode(st)
deal_sign = sign_encode(pairToString) #替换指定位数的字符
deal_sign = deal_sign + NumberKey #替换后的内容+NumberKey取MD5
sign = getMd5(deal_sign)
return sign
def sign_encode(data): #对构造好的数据,将第1、3、5、7、9、11 。。。字符分别用A和M替换
encode_data = ''
count = 0
for i in range(0,len(data)):
if i % 2 == 0:
if count % 2 ==0:
encode_data += 'A'
else:
encode_data += 'M'
count += 1
else:
encode_data += data[i]
return encode_data
def getMd5(str):
md5 = hashlib.md5()
md5.update(str)
return md5.hexdigest()
if __name__ == "__main__":
main()