整理了下,发现还有个和达达类似套路的,一起看看吧。
抓包
发送短信验证码的请求:
POST /rest/n/user/requestMobileCode?app=0&lon=146.3516&did_gt=1562212339132&c=MYAPP%2C1&sys=ANDROID_8.1&isp=&mod=LGE%28AOSP%20on%20TTOG%29&did=ANDROID_a515efd201ca2590&hotfix_ver=&ver=6.5&net=WIFI&country_code=CN&iuid=&appver=6.5.5.9591&max_memory=192&oc=MYAPP%2C1&ftt=&kpn=KUAISHOU&ud=0&language=zh-cn&kpf=ANDROID_PHONE&lat=30.005368 HTTP/1.1
Connection: close
Accept-Language: zh-cn
User-Agent: kwai-android
X-REQUESTID: 141829000
Content-Type: application/x-www-form-urlencoded
Content-Length: 117
Host: apissl.gifshow.com
Accept-Encoding: gzip, deflate
mobileCountryCode=%2B86&mobile=13655338668&type=1&os=android&client_key=3c2cd3f3&sig=c8a22b77755169b9ecfc63b30e428d32
老规矩,确定 sig 为签名字段(请求体中的 sig 是 32 位十六进制字符串,长度与 MD5 摘要一致)。
逆向
确定调用链
找到实现
进入native
首先可以确定进入的是一个解密字符串的函数,有兴趣的可以看看,这里直接把伪代码粘出来用于解密:
char *__fastcall deStr(int a1, size_t a2)
{
int v2; // r4
size_t i_32; // r8
_DWORD *v4; // r1
char *v5; // r5
int v6; // r1
int v7; // r0
int v8; // r3
int v9; // r4
unsigned int v10; // r6
unsigned int v11; // lr
int v12; // r11
char *v13; // r9
unsigned int v14; // r0
int v15; // r5
unsigned int v16; // r2
unsigned int v17; // r0
unsigned int v18; // r1
unsigned int v19; // ST1C_4
__int64 v20; // kr10_8
unsigned int v21; // r1
unsigned int v22; // r1
unsigned int v23; // r0
unsigned int v24; // r11
unsigned int v25; // r0
unsigned int v26; // r8
unsigned int v27; // r2
unsigned int v28; // r0
unsigned int v29; // r2
int v30; // r6
int v31; // r5
unsigned int v32; // r2
unsigned int *v33; // r0
size_t v35; // [sp+4h] [bp-44h]
char *v36; // [sp+8h] [bp-40h]
int v37; // [sp+Ch] [bp-3Ch]
int v38; // [sp+10h] [bp-38h]
int v39; // [sp+14h] [bp-34h]
_DWORD *ptr; // [sp+18h] [bp-30h]
signed int v41; // [sp+28h] [bp-20h]
v2 = a1;
i_32 = a2;
v4 = malloc(32u);
*v4 = 0xFFF3A2E6;
v4[1] = 0xA66E1F1C;
v4[2] = 0x21772905;
v4[3] = 0xC0D58234;
*((_WORD *)v4 + 8) = 0x706;
*(_DWORD *)((char *)v4 + 18) = 0x24ED1653;
*(_DWORD *)((char *)v4 + 22) = 0xCB39377A;
*(_DWORD *)((char *)v4 + 26) = 0xA90383A3;
*((_WORD *)v4 + 15) = 0xF68Bu;
if ( i_32 << 28 )
{
free(v4);
v5 = 0;
}
else
{
ptr = v4;
v5 = (char *)malloc(i_32);
if ( i_32 >> 4 )
{
v6 = 0;
v35 = i_32 >> 4;
v36 = v5;
v37 = v2;
do
{
v7 = v2 + 16 * v6;
v39 = v6;
v8 = 0;
v38 = 16 * v6;
v9 = *(_DWORD *)(v2 + 16 * v6);
v10 = *(_QWORD *)(v7 + 4) >> 32;
v11 = *(_QWORD *)(v7 + 4);
v12 = *(_DWORD *)(v7 + 12);
v41 = 8;
do
{
v13 = (char *)&unk_7B226754 + v8;
v8 -= 28;
v14 = ptr[*((_DWORD *)v13 + 54)] + v12;
v15 = byte_7B226652[(unsigned __int16)v14 >> 8];
v16 = ((((byte_7B226652[(v14 >> 16) & 0xFF] << 16) | (v15 << 8) | ((unsigned int)byte_7B226652[v14 >> 24] << 24)) >> 11) | ((byte_7B226652[(unsigned __int8)v14] | (v15 << 8)) << 21)) ^ v10;
v17 = ptr[*((_DWORD *)v13 + 55)] + v9;
v18 = (32
* (byte_7B226652[(unsigned __int8)v17] | (byte_7B226652[(unsigned __int16)v17 >> 8] << 8) | (byte_7B226652[(v17 >> 16) & 0xFF] << 16) | (byte_7B226652[v17 >> 24] << 24)) | ((unsigned int)byte_7B226652[v17 >> 24] >> 3)) ^ v11;
v19 = v18;
v20 = *(_QWORD *)(v13 + 204);
v21 = v18 + v16 + ptr[HIDWORD(v20)];
v22 = ((((byte_7B226652[(v21 >> 16) & 0xFF] << 16) | (byte_7B226652[(unsigned __int16)v21 >> 8]