App: beitalicaishi
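While entering a phone number on the registration page, I captured a request whose response contains the information associated with that phone number. The request carries a parameter named parms.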
import requests

headers = {
    'beta.sessionid': '',
    'User-Agent': 'com.betawm.baw/7.28/169/Android/9/Pixel XL/BetaWM.BAW/HT74B0204170c6fcb511aa6d18a2/BetaWM.BAW',
    'Host': 'auth.betawm.com',
}
params = (
    ('parms', 'KWgtPsDNxAyUSCJlzEvkQm2l0gCOLrFuXYKMP4CwIA8='),  # encrypted parms value
    ('LoginSvcID', '4'),
)
response = requests.get('https://auth.betawm.com/AuthServer/GetUserInfo.aspx', headers=headers, params=params)
response.json()
Out[453]:
{'InternalUserID': 869562,
'UserId': 'Beta1065266',
'UserName': '朝XXX落',
'UserEmail': '',
'UserCompany': 'Beta财富',
...}
After decompiling the app and searching through the code, I found where the encryption happens:
It uses AES encryption in CBC mode. The IV in the Java code has to be converted for Python like this:
# Python 3 and Java bytes have different value ranges:
# Python 3: 0~255
# Java: -128~127
# In Java, parameters such as key and iv are byte arrays
iv = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
iv = bytes(i % 256 for i in iv)
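The `% 256` step only changes anything when the Java array holds negative values, which the all-zero IV here does not. As an added example (not code from the original post or from the app), this converts a byte-array initializer as a decompiler prints it into Python bytes and flags a constant IV; the sample arrays and all function names are constructed for illustration.

```python
import re

# One array element as a decompiler prints it: optional "(byte)" cast,
# then a hex or decimal literal (no octal, no char literals).
_ELEM = re.compile(r"^(?:\(\s*byte\s*\)\s*)?(-?0[xX][0-9a-fA-F]+|-?(?:0|[1-9]\d*))$")

# Constructed samples, not taken from the app.
SAMPLE_ZERO_IV = "new byte[]{" + ", ".join(["0"] * 16) + "}"
SAMPLE_SIGNED = "new byte[]{-85, 12, (byte) 0xFF, -128, 127, 0x10,}"


def java_bytes_to_python(initializer):
    """Convert a Java byte-array initializer string to Python bytes."""
    body = re.search(r"\{(.*)\}", initializer, re.S)
    if body is None:
        raise ValueError("no {...} initializer found")
    out = bytearray()
    for raw in body.group(1).split(","):
        raw = raw.strip()
        if not raw:  # tolerate a trailing comma
            continue
        m = _ELEM.match(raw)
        if m is None:
            raise ValueError(f"unsupported element: {raw!r}")
        value = int(m.group(1), 0)
        if not -128 <= value <= 255:
            raise ValueError(f"not a byte value: {raw!r}")
        out.append(value % 256)  # two's complement: -1 -> 255, -128 -> 128
    return bytes(out)


def python_bytes_to_java(data):
    """Inverse: the signed values Java would show for these bytes."""
    return [b - 256 if b > 127 else b for b in data]


def is_constant_iv(iv):
    """True when all bytes are equal, e.g. an all-zero IV. With a fixed key
    this makes CBC deterministic: equal plaintexts give equal ciphertexts."""
    return len(iv) > 0 and len(set(iv)) == 1


if __name__ == "__main__":
    for sample in (SAMPLE_ZERO_IV, SAMPLE_SIGNED):
        data = java_bytes_to_python(sample)
        print(data.hex(), python_bytes_to_java(data), is_constant_iv(data))
```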
The full encryption routine is as follows:
import base64

from Crypto.Cipher import AES  # pycryptodome


def add_to_16(text):
    # Zero-pad the UTF-8 text to a multiple of 16 bytes (not used by encryt_cbc below)
    if len(text.encode('utf-8')) % 16:
        add = 16 - (len(text.encode('utf-8')) % 16)
    else:
        add = 0
    text = text + ('\0' * add)
    return text.encode('utf-8')


def encryt_cbc(text, key, iv):
    cipher = AES.new(key, AES.MODE_CBC, iv)
    data = text.encode('utf-8')  # cipher.encrypt() needs bytes, not str
    # PKCS#7 padding: x is always in 1..16, so padding is always appended
    x = AES.block_size - (len(data) % AES.block_size)
    data = data + bytes([x]) * x
    msg = cipher.encrypt(data)
    # msg = base64.urlsafe_b64encode(msg).replace('=', '')
    msg = base64.b64encode(msg)
    return msg.decode()


iv = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
iv = bytes(i % 256 for i in iv)
phone = '153****1316'
text = f'mphone={phone}'
key = '!~oX@y$]2wiq3#Fj'.encode('utf-8')  # the key is fixed
parms = encryt_cbc(text, key, iv)