一、抓取数据包
1、请求头有%加十六进制,说以是url编码,先解密一下
GET http://m.mapps.m1905.cn/User/sendVer?request=jYgPer7AuEqdM+DYqs/AbNb35UrMvjLwt4+f0p3RHXc= HTTP/1.1
2、需要找的数值是requests的组成、pid(常量值)、key、did(设备编号)
GET http://m.mapps.m1905.cn/User/sendVer?request=jYgPer7AuEqdM%2BDYqs%2FAbNb35UrMvjLwt4%2Bf0p3RHXc%3D HTTP/1.1 sid: pid: 236 key: 69b39cb24632252f7bb891bdb1f0de85 did: 010067028741939 uid: ver: 100/95/2016020901 User-Agent: Dalvik/2.1.0 (Linux; U; Android 7.1.2; HD1900 Build/N2G47O) Host: m.mapps.m1905.cn Connection: Keep-Alive Accept-Encoding: gzip
二、搜索链接里关键字"User/sendVer"
1、查看aay.b()函数,DESede算法
key:iufles8787rewjk1qkq9dj76,iv:vs0ld7w3
2、由于DESede是对称加密算法,密文是:jYgPer7AuEqdM+DYqs/AbNb35UrMvjLwt4+f0p3RHXc=,可以反推一下得到加密内容为:mobile=15836353612&templateid=1
三、搜索关键字key
1、查看v0.i()函数
public String i() { return abh.a(abb.c() + "m1905_2014"); }
2、查看abb.c()函数,获取设备id
public static String c() { String v0_2; try { TelephonyManager v0_1 = (TelephonyManager)BaseApplication.a().getSystemService("phone"); v0_2 = v0_1 == null ? "" : v0_1.getDeviceId(); } catch(Exception v0) { v0_2 = ""; } return v0_2; }
3、查看abh.a()函数,获取md5值
public class abh { public static final String a(String arg9) { int v0 = 0; if(!TextUtils.isEmpty(arg9)) { char[] v2 = new char[]{'0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'}; try { byte[] v1 = arg9.getBytes(); MessageDigest v3 = MessageDigest.getInstance("MD5"); v3.update(v1); byte[] v3_1 = v3.digest(); char[] v5 = new char[(((int)v1)) * 2]; int v1_1 = 0; while(v0 < v3_1.length) { int v6 = v3_1[v0]; int v7 = v7 + 1; char v8 = v2[v8 >>> 4 & 15]; v5[v1_1] = v8; ++v1_1; v5[v7] = v2[v6 & 15]; ++v0; } arg9 = new String(v5); } catch(Exception v0_1) { arg9 = null; } } return arg9; } }
4、最终就是设备id+m1905_2014,然后再算md5
四、响应值解密
禁止非法,后果自负
