唯品会OAuth api_sign逆向分析
Java层
抓包
image-20211130142917904
jadx打开apk,搜索api_sign
image-20211130143039786
进入看看
com.achievo.vipshop.commons.api.middleware.api.refector.ApiHeaderProcessor -> process
image-20211130143138049
com.achievo.vipshop.commons.h.b -> b
image-20211130143428886
com.achievo.vipshop.commons.h.b -> a
image-20211130143521103
com.vip.vcsp.security.api.VCSPSecurityBasicService -> apiSign
image-20211130143600086
com.vip.vcsp.security.sign.VCSPSecurityConfig -> getMapParamsSign
image-20211130143711225
com.vip.vcsp.security.sign.VCSPSecurityConfig -> getSignHash
image-20211130143752831
com.vip.vcsp.security.sign.VCSPSecurityConfig -> gs
image-20211130143819359
找到这里,发现没办法继续跳转了,不过这个类有个初始化函数initInstance
image-20211130144003950
从中可以看到clazz就是com.vip.vcsp.KeyInfo类
image-20211130144106166
然后在com.vip.vcsp.KeyInfo,我们也找到了gs函数,发现它是调用了gsNav函数,而这个是libkeyinfo.so中的native函数。
frida hook
Java.perform(function() {
var KeyInfo = Java.use("com.vip.vcsp.KeyInfo");
KeyInfo.gsNav.implementation = function(ctx, map, str, z) {
console.log("================");
console.log(map.entrySet().toArray());
console.log(str);
console.log(z)
var ret = this.gsNav(ctx, map, str, z);
console.log("----------------");
console.log(ret);
return ret
}
}
image-20211130144906358
结果正是OAuth api_sign
so层
ida打开libkeyinfo.so,函数窗口搜索Java
image-20211130145030206
说明函数是静态注册的,打开Java_com_vip_vcsp_KeyInfo_gsNav
image-20211130145131358
跟进一下
image-20211130145200189
image-20211130145330167
在Functions_gs可以看到一系列对map的操作,但是不急着对这部分分析,接着往下看
image-20211130145510415
可以看到一个j_getByteHash方法,通过函数名推断它极大可能就是执行摘要算法的地方。
进入看看
image-20211130150609020
image-20211130150632093
通过名称推断是sha1算法。hook一下
Java.perform(function() {
var KeyInfo = Java.use("com.vip.vcsp.KeyInfo");
KeyInfo.gsNav.implementation = function(ctx, map, str, z) {
console.log("================");
console.log(map.entrySet().toArray());
console.log(str);
console.log(z)
var ret = this.gsNav(ctx, map, str, z);
console.log("----------------");
console.log(ret);
return ret
}
var ptr_hash = Module.findExportByName("libkeyinfo.so", "getByteHash");
Interceptor.attach(ptr_hash, {
onEnter: function(args) {
console.log("arg2:", args[2].readCString());
console.log("arg3:", args[3]);
console.log("arg4:", args[4].readCString());
},
onLeave: function(retval) {
console.log("retval:", retval.readCString());
}
})
})
image-20211130150113351
通过输出可以看到,j_getByteHash被调用了3次,第二次的输入是一个字符串加上urlencode之后的参数,而且这些参数的排序了的。然后第三次的输入是一个字符串加上第二次的输出,而第三次的输出正是OAuth api_sign。
然后使用标准的sha1算法测试了一下,和hook的结果一致,说明使用的是标准的sha1实现。
代码实现
import hashlib
from urllib.parse import quote
def calc_sign(params, method='GET'):
if isinstance(params, (list, tuple, dict)):
if hasattr(params, 'items'):
params = params.items()
params = '&'.join(f'{k}={v}' for k, v in sorted(params))
if method.upper() == 'POST':
params = quote(params)
if isinstance(params, str):
params = params.encode()
salt = b'a84c5883206309ad076deea939e850dc'
s1 = hashlib.sha1(salt + params).hexdigest()
s2 = hashlib.sha1(salt + s1.encode()).hexdigest()
return s2
测试-GET
image-20211130175617387
测试-POST
image-20211130175809487
代码仅供把玩。
网友评论