本章介绍一个爬虫利器,嗯。..,app协议还原工具比较合适,当然如果你自己用,它是一个工具,但是别人把它当成折磨,因为它需要依赖模拟器或者手机。对环境来说有点麻烦!我们一般把这个东西叫做fridarpc算法转发。为什么要使用rpc算法进行转发?我们都知道开发APP的主流方案是Java,一些大中型工厂的APP都是用Java+C++,而C++最终的输出就是这样,就是arm汇编。一般arm组装是最难分析的,所以中大厂会更倾向于把重要的加密放在so里面,增加爬虫或者破解的难度!!!但是如果使用rpc,就不需要分析java层和so层繁琐的加密了!需要通过frida主动调用java层或者so层的方法,然后拿到加密后的内容,然后其他的操作就可以随心所欲了?环境pixel2v10(rooted)Magiskv23.0Charlesv4.6.2Dronyv1.3.154Pythonv3.8.6fridav14.2.18rpc转发案例这次使用的app是度度牛,百年钢度度牛,哈哈哈!抓包通过抓包,发现要走的接口是http://api.dodovip.com/api/user/login,提交一个Encrypt:xxxx,返回一串字符串,什么???我勒个去???所以我们要想模拟这个请求,就必须搞清楚request和response是怎么产生的!将分析app拖入jadx,搜索关键字Encrypt:本节主要加密逻辑:分析不是本章的重点,相关的钩子代码稍微研究一下就能明白!Java.perform(function(){functionprintMap2(map){returnJava.cast(map,Java.use("java.util.HashMap"));}//Java.use("com.dodonew.online.http.RequestUtil").encodeDesMap.overload('java.lang.String','java.lang.String','java.lang.String').implementation=function(data,desKey,desIV){console.log("RequestUtilencodeDesMapiscall")console.log("data:",data)console.log("desKey:",desKey)//65102933console.log("desIV:",desIV)//32028092letresult=this.encodeDesMap(data,desKey,desIV)console.log("RequestUtilencodeDesMapresult:",result)返回结果}Java.use("com.dodonew.online.http.RequestUtil").paraMap.overload('java.util.Map','java.lang.String','java.lang.String').implementation=function(addMap,append,sign){console.log("RequestUtilparaMapiscall")console.log("addMap:",addMap)console.log("addMap:",printMap2(addMap))console.log("append:",append)console.log("sign:",sign)letresult=this.paraMap(addMap,append,sign)console.log("RequestUtilparaMapresult:",result)返回结果}Java.use("com.dodonew.online.http.RequestUtil").decodeDesJson.implementation=function(json,desKey,desIV){console.log("RequestUtildecodeDesJsoniscall")console.log("json:",json)console.log("desKey:",desKey)console.log("desIV:",desIV)letresult=this.decodeDesJson(json,desKey,desIV)console.log("RequestUtildecodeDesJsonresult:",result)returnresult}})根据上面的hook,主动调用应该这样整理,一个加密,一个解密//请求加密函数callparaMap(username,userPwd,timeStamp){letresult="";Java.perform(function(){letmap=Java.use("java.util.HashMap").$new();map.put("timeStamp",timeStamp)map.put("loginImei","Androidnull")map.put("equtype","ANDROID")map.put("userPwd",userPwd)map.put("username",username)//让r1=Java.use("com.dodonew.online.http.RequestUtil").paraMap(map,"sdlkjsdljf0j2fsjk","sign")//console.log("r1:",r1)//result=Java.use("com.dodonew.online.http.RequestUtil").encodeDesMap(r1,"65102933","32028092")//console.log("r2:",r2)})returnresult;}//响应加密函数calldecodedesjson(data){letresult="";Java.perform(function(){result=Java.use("com.dodonew.online.http.RequestUtil").decodeDesJson(data,"65102933","32028092")//console.log("解码:",decode)})returnresult;}构建服务现在上面的逻辑已经理清了,并且已经写好主动调用的js代码就来了。如何将其与python结合起来运行到web中,让爬虫只需要响应参数就可以得到返回值。代码:fromfastapiimportFastAPIimportuvicornimportfridajsCode="""functioncallparamap(username,userPwd,timeStamp){letresult="";Java.perform(function(){letmap=Java.use("java.util.HashMap").$new();map.put("timeStamp",timeStamp)map.put("loginImei","Androidnull")map.put("equtype","ANDROID")map.put("userPwd",userPwd)map.put("username",username)//让r1=Java.use("com.dodonew.online.http.RequestUtil").paraMap(map,"sdlkjsdljf0j2fsjk","sign")//控制台。log("r1:",r1)//result=Java.use("com.dodonew.online.http.RequestUtil").encodeDesMap(r1,"65102933","32028092")//console.log("r2:",r2)})returnresult;}functioncalldecodedesjson(data){letresult="";Java.perform(function(){result=Java.use("com.dodonew.online.http.RequestUtil").decodeDesJson(data,"65102933","32028092")//console.log("decode:",decode)})返回结果;}rpc.exports={encrypt:callparamap,decode:calldecodedesjson,};"""#准备工作#process=frida.get_device_manager().add_remote_device('192.168.3.68:27042').attach("com.dodonew.online")process=frida.get_usb_device().attach('com.dodonew.online')script=process.create_script(jsCode)print('[*]Running小肩膀膀')script.load()app=FastAPI()#http://127.0.0.1:8080/getencrypt?username=18903916120&password=1111×tamp=1647662720061@app.get("/getencrypt")asyncdefgetencrypt(用户名,密码,时间戳):result=script.exports.encrypt(用户名,密码,时间戳)return{"data":result}来自pydanticimportBaseModelclassItem(BaseModel):data:str@app.post("/getdecode")asyncdefgetdecode(item:Item):result=script.exports.decode(item.data)return{"data":result}if__name__=='__main__':uvicorn.run(app,port=8080)运行:构造请求代码:importrequestsimporttimeimportjsondt=time.time()*1000#requestencryptedurl=f"http://127.0.0.1:8080/getencrypt?username=18903916120&password=1111×tamp={dt}"r1=requests.get(url)print(r1.json())#loginurl="http://api.dodovip.com/api/user/login"headers={"Content-Type":"application/json;charset=utf-8"}data={"Encrypt":r1.json().get("data")}print(data)r=requests.post(url=url,headers=headers,data=json.dumps(data))print(r.text)#获取请求解密data={"data":r.text}url="http://127.0.0.1:8080/getdecode"r=requests.post(url=url,headers=headers,data=json.dumps(data))print(r.text)运行:总结这个app还是很简单的,不过应该使用了两次加密,如果代码死板还需要研究,但是如果使用rpc转发方案,随便找几行代码就搞定了!但缺陷也很明显。需要依赖电脑和手机。如果只是收集数据的话,应该是挺适合的!
