建行生活元旦小游戏逆向

建行生活元旦小游戏逆向

上传分数请求:

image-20230116112325061

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
{
    "gameId":260,
    "style":13,
    "achieve":"IjQwIg==kDd1MeO16zNfRGemZ5Z252NlFWOkNjY",
    "openId":"oosnVwiweLOWwykpB3FuPYm8iXko",
    "name":"旧巷",
    "awardInfoB":"869806ec6807b7d4a15ef29660629b1b",
    "province_gps":"四川省",
    "city_gps":"成都市",
    "district_gps":"双流区",
    "playerId":81763,
    "fromPlayer":"",
    "newUserInfo":"{"headImg":"https://thirdwx.qlogo.cn/mmopen/vi_32/sfMKiaHzSHkJ2BYGXibOHoliaciahoibIZefkXY5kWq4lPzpic4cCDEF1F7MWpKbkZDVza9xaZ0ibQiaSSo1hRMOPVogBA/132","aphone":"18702870405","ip":"118.116.121.199"}",
    "forTest":false
}

achieve是base64编码后的分数+openId

awardInfoB是一个签名,通过代理修改JavaScript代码,修改md5的代码,观察输入输出,可以轻松分析出计算签名的方式。

image-20230116112053916

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
import hashlib
import base64

def md5(s):
    if not isinstance(s, bytes):
        s=s.encode()
    return hashlib.md5(s).hexdigest()

def get_awardInfoB(md5str, salt):
    s = ''
    for i in range(len(md5str)):
        s += md5str[i]
        if i == 3:
            s+=salt[0]
        if i== 6:
            s+=salt[1]
        if i== 11:
            s+=salt[2]
        if i== 21:
            s+=salt[3]
        if i== 26:
            s+=salt[4]
        if i== 30:
            s+=salt[5]
    awardInfoB = md5(s)
    return awardInfoB

score = 1195
token = 'hj7ilcZldzM2Yj0yAeMkbTNjVTO3cjZ'
salt = 'fhwvrj'
s = base64.b64encode(str(score).encode())+token.encode()
print(s.decode())
data = str(score)+token
md5str = md5(data)
awardInfoB = get_awardInfoB(md5str, salt)
print(awardInfoB)

最终排名与奖励: