记某游戏平台APP查询接口简单逆向

1.直接对查询接口进行抓包分析

    

发现是一个get请求，url中带有搜索的游戏名字

但是请求头中有sign

且响应加密了，目前不知道是什么加密算法，需要进一步分析

2.对App进行逆向分析

首先对响应内容进行分析

考虑的是frida的算法自吐脚本，但是frida附加java层崩溃了，这边直接上xposed模块对其算法自吐

对响应内容进行搜索，可以很清楚搜索到是一个AES/CBC/PKCS7PADDING的加密

在对请求头的sign值进行搜索

对请求头中的部分数据进行拼接，并增加一段字符串"uaPlf741lQikz7Vq8Q3mOQis7By92j2jQuW4LicdYr321lSeUA347sA9r4n91J5u"，然后取MD5值即为sign

3.Python实现对其接口调用及数据解密

import hashlib
import random
import string
import time
import urllib

import requests
from Crypto.Cipher import AES
import binascii,base64
from Crypto.Util.Padding import pad, unpad


# 封装一个Aes加解密的类
class AESCipher:
    key = b"c32ac3ds0vk1209c"
    iv = b"d9d71b495a614afc"
    @staticmethod
    def encrypt( plaintext):
        cipher = AES.new(AESCipher.key, AES.MODE_CBC, iv=AESCipher.iv)
        padded_plaintext = pad(plaintext.encode(), AES.block_size, style='pkcs7')
        ciphertext = cipher.encrypt(padded_plaintext)
        return base64.b64encode(ciphertext).decode()
    @staticmethod
    def decrypt( ciphertext):
        cipher = AES.new(AESCipher.key, AES.MODE_CBC, iv=AESCipher.iv)
        ciphertext = binascii.a2b_hex(ciphertext)
        padded_plaintext = cipher.decrypt(ciphertext)
        plaintext = unpad(padded_plaintext, AES.block_size, style='pkcs7').decode()
        return plaintext



def search(game):
    url = f"http://url/v3/game/s/params_version_code/498/keyword/{game}"
    # 16 位的随机字符串，模拟安卓imei
    did = ''.join(random.choices(string.ascii_lowercase + string.digits, k=16))
    # nonce-str 为32为随机字符串
    nonce_str = ''.join(random.choices(string.ascii_letters + string.digits, k=32))
    # did 为18为随机字符串
    bz_did = ''.join([str(random.randint(0, 9)) for _ in range(18)])
    now_time = str(int(time.time()))
    param = {
        "app-id": "7723cn_android_jmb_phone",
        "charset": "utf8",
        "did": did,
        "enable-base64": "1",
        "format": "json",
        "keyword" : game ,
        "method": "game.s",
        "nonce-str": nonce_str,
        "params_version_code":"498",
        "sign-type": "md5",
        "time-stamp": now_time,
        "version": "3.0.0",
    }
    sign_param = urllib.parse.urlencode(param).replace(urllib.parse.quote(game),game)+"uaPlf741lQikz7Vq8Q3mOQis7By92j2jQuW4LicdYr321lSeUA347sA9r4n91J5u"
    sign = hashlib.md5(sign_param.encode()).hexdigest()
    Headers = {
        "time-stamp": now_time,
        "charset": "utf8",
        "app-id": "7723cn_android_jmb_phone",
        "method": "game.s",
        "vers-code": "498",
        "bz_did":bz_did,
        "format": "json",
        "sign": sign,
        "sign-type": "md5",
        "version": "3.0.0",
        "agent-code": "common",
        "token": "0",
        "wwwid": "0",
        "enable-base64": "1",
        "system-version": "33",
        "did": did,
        "nonce-str": nonce_str,
        "User-Agent":"okhttp/3.12.0",
        "Host":"so.gateway.7723api.com"
    }
    response = requests.get(url=url,headers=Headers).text.replace("\n", "").replace(" ", "")
    decrypt_response(response)


def decrypt_response(response):
    result = AESCipher.decrypt(response)
    print(result)

# 按间距中的绿色按钮以运行脚本。
if __name__ == '__main__':
    search('王者')