版本 V10.0.0
环境检测
{
"xposed": {
"action": "warn_and_exit",
"msg": {
"zh_CN": "检测到您的设备安装有Xposed框架,存在非法攻击风险!"
},
"button": {
"zh_CN": "我已明白此风险,依然继续"
},
"waiting_time": 2000,
"title": {
"zh_CN": "Xposed框架提醒"
}
},
"integrity": {
"action": "warn_and_exit",
"msg": {
"zh_CN": "检测到您当前应用有被二次打包风险,请下载官方版本!"
},
"button": {
"zh_CN": "我已明白此风险,依然继续"
},
"waiting_time": 2000,
"title": {
"zh_CN": "完整性校验提醒"
}
},
"emu": {
"action": "warn_and_exit",
"msg": {
"zh_CN": "检测到应用正在模拟器上运行,存在隐私信息泄露和被非法攻击等风险!"
},
"button": {
"zh_CN": "我已明白此风险,依然继续"
},
"waiting_time": 2000,
"title": {
"zh_CN": "模拟器运行提醒"
}
},
"hook": {
"action": "warn_and_exit",
"msg": {
"zh_CN": "检测到您的应用进程内有HOOK框架特征,存在非法攻击风险!"
},
"button": {
"zh_CN": "我已明白此风险,依然继续"
},
"waiting_time": 2000,
"title": {
"zh_CN": "HOOK框架提醒"
}
},
"inject": {
"action": "warn_and_exit",
"msg": {
"zh_CN": "检测到您的应用被注入攻击,有非法攻击风险!"
},
"button": {
"zh_CN": "我已明白此风险,依然继续"
},
"waiting_time": 2000,
"title": {
"zh_CN": "防注入提醒"
}
},
"polling": {
"action": "warn_and_exit",
"msg": {
"zh_CN": "检测到您的应用正在被调试,存在非法攻击风险!"
},
"button": {
"zh_CN": "我已明白此风险,依然继续"
},
"waiting_time": 2000,
"title": {
"zh_CN": "防调试提醒"
}
},
"frida": {
"action": "warn_and_exit",
"msg": {
"zh_CN": "检测到您的应用已经被Frida注入,有非法攻击风险!"
},
"button": {
"zh_CN": "我已明白此风险,依然继续"
},
"waiting_time": 2000,
"title": {
"zh_CN": "Frida框架提醒"
}
},
"root": {
"action": "warn_and_exit",
"msg": {
"zh_CN": "检测到您的设备已ROOT,存在隐私信息泄露和被非法攻击等风险!"
},
"button": {
"zh_CN": "我已明白此风险,依然继续"
},
"waiting_time": 2000,
"title": {
"zh_CN": "设备已被ROOT"
}
},
"proxy": {
"title": {
"zh_CN": "网络代理提醒"
},
"button": {
"zh_CN": "我已明白此风险,依然继续"
},
"msg": {
"zh_CN": "检测到您正在使用网络代理功能,存在隐私信息泄露和被非法攻击等风险!"
},
"action": "warn_and_exit",
"waiting_time": 2000
}
}
一般就是 XPosed检测 root检测 frida检测 代理检测(2层)直接hook掉
逻辑上是:登录接口 → 触发验证码 → 校验验证码,这 3 个接口依次完成后,即可看到登录返回 200
例如登陆验证包接口
请求地址 https://login-service.mobile-bank.psbc.com/sn00/api/route/loginOrRegister/T000003
请求方式 POST
请求参数
# Sample login request body as shown in the write-up. False, PhoneNumber and
# uuidString are Python names supplied by the surrounding script, not JSON literals.
{
"isNeedEncrypt": False,
"mobileno": PhoneNumber,
# NOTE(review): every deviceInfo value below, "isRoot" included, is reported by
# the client itself, so a server should treat these fields as unverified hints
# rather than as evidence of the device's real state.
"deviceInfo": {
"curEnvName": "release",
"isRoot": "0",
"display": "width:1080,height:2028",
"ip": "",
"gps": "",
"phoneMemorySize": "4",
"uuid": uuidString, # uuid: generated by the caller
"platform": "android",
"errorAbstract": "isPrivacyAgreed",
"uuidOldVersion": "",
"h5Env": "{\"h5Container\":\"mPaas\",\"updateEnv\":\"mPaas\"}",
"cityName": "北京市",
"osVersion": "12",
"imei": "",
"isH5BindCard": "1",
"model": "Google Pixel 3",
"sdk": "31",
"networkType": "2",
"brand": "google",
"board": "blueline",
"suptNfcFlag": "1"
},
# Session/token metadata; most values are empty strings in this pre-login sample.
"tokenInfo": {
"appVersion": "10.0.0",
"custNo": "",
"versionNum": "178",
"reqTime": "",
"ecifCustNo": "",
"pageName": "LoginPswActivity",
"appChannel": "youbank",
"crowdVersion": "default",
"isInner": "0",
"reqMsgId": "",
"token": ""
}
}
请求头
# Sample request headers as shown in the write-up.
{
"version": "v1",
"reqMsgId": "20241217000003195086501300921001",
"reqTime": "20241217090654",
"transCode": "T000003", # transaction (business) code
"language": "0",
"systemAppNo": "xxx",
"WorkspaceId": "product",
"Content-Type": "application/json; charset=utf-8",
"Content-Length": "1950",
"Host": "login-service.mobile-bank.psbc.com",
"Connection": "Keep-Alive",
"Accept-Encoding": "gzip",
"User-Agent": "okhttp/3.12.13"
}
charles 测试删除参数能过(但没固定)
响应数据
{
"data": "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",
"sign": "1436670208882a1d6b035a33d78d8974ea55a9edfaf79a1a3e972a1c022d294",
"key": "c4994cfc3e96e047e670964857b68346bdeb18767a2aa8bd3ff97ed6971e09b7de9c956988b91c0f37928cf4e85917dbccd08c7ef663742944465ca14262d2ec1690bfb60106b232bdc3d15ff89a4751b9437f336ec4f8ad0663db9826307bdb162bcc37d852730a42df583d686a39"
}
其他接口的结构相同,这里只拿这一个举例。需要逆向的主要是 data、sign、key 三个字段:data 是加密后的请求体;key 是加密后的 16 位随机字符串;sign 是对 data 与 key 拼接结果计算的 SM3 哈希。
data破解
// Encode the generated random key string as UTF-8 bytes.
byte[] bytes4 = genRandomKey2.getBytes(Charsets.UTF_8);
// Encrypt with SM4 through a helper whose name indicates ECB mode with padding,
// hex-encode the result and store it under "data".
// NOTE(review): `bytes` and `bytes2` are defined outside this excerpt; which one
// is the plaintext and which the key cannot be confirmed from here.
// NOTE(review): ECB is deterministic (equal plaintext blocks under one key give
// equal ciphertext blocks) and provides no integrity protection; an
// authenticated mode is the usual recommendation for request bodies.
jSONObject.put("data", (Object) HexUtil.encode(SM4Util.encrypt_ECB_Padding(bytes, bytes2)));
加密已经看到了 python还原即可
key破解
key的生成代码
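def genRandomKey(i2, i3):
    """
    Generate a random string of ``i3`` characters.

    The surrounding write-up calls this as ``genRandomKey(0, 16)`` and uses the
    result as symmetric key material. Characters are therefore drawn from the
    operating system's CSPRNG via ``secrets`` instead of the ``random`` module,
    whose Mersenne Twister output is predictable and unsuitable for keys.

    :param i2: character-set selector; 0 draws from ASCII letters and digits,
        any other value draws from decimal digits only
    :param i3: number of characters to generate; zero or a negative value
        yields an empty string
    :return: the generated string
    """
    # Function-scope import: the file's own import block is not visible from here.
    import secrets

    # i2 == 0 selects A-Z, a-z and 0-9; anything else selects 0-9 only.
    alphabet = string.ascii_letters + string.digits if i2 == 0 else string.digits
    # range() over a zero or negative count is empty, so the result is "" then.
    return ''.join(secrets.choice(alphabet) for _ in range(i3))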
生成16位 传参0,16就行
// Encrypt the random key string with SM2 under the public key constant held in
// SM2Util and store the result under "key"; the helper name suggests the
// output is hex-encoded.
// NOTE(review): a public key embedded in the client is expected for this
// scheme; confidentiality of the per-request key rests on the matching private
// key, which is not visible in this excerpt.
jSONObject.put("key", (Object) SM2Util.encryptReturnHex(SM2Util.PUBLIC_KEY, genRandomKey2));
直接用 GPT 生成即可。定位到上面这行代码可以看出,key 实际上是 16 位数字与字母混合的随机字符串,经 SM2 公钥加密后写入 key 字段。
sign破解
// Concatenate the string forms of the "data" and "key" values already stored
// in the JSON object.
String str17 = String.valueOf(jSONObject.get("data")) + String.valueOf(jSONObject.get("key"));
// Convert the concatenation to bytes using charset5, which is defined outside
// this excerpt.
byte[] bytes6 = str17.getBytes(charset5)
// Hash the bytes with SM3, hex-encode the digest and store it under "sign".
// NOTE(review): the digest covers only values carried in the request itself and
// no secret input is visible here, so it can detect accidental corruption but
// does not authenticate the sender; server-side checks should not treat it as
// a MAC.
jSONObject.put("sign", (Object) HexUtil.encode(SM3Util.hash(bytes6)));
解密后的最终返回结果如下
# login
{"code":"000000","data":{"custNo":"","mobileRegStatus":"0","serverNodeUrl":"https://mobile-bank.psbc.com/sn11/"},"msg":"交易成功","showType":"0","reqMsgId":"20241218171532000003161977293440032001"}
# send_sms
{"code":"020253","msg":"获取次数过多,请明日再试或前往网点办理。","showType":"1","reqMsgId":"2024121817153202100335951101129896001"}
# check_sms
{"code":"000008","msg":"交易超时,请您稍后重试","showType":"2","reqMsgId":"2024121817153202100427977756507953001"}