Reverse engineering the saprandomnum parameter of the Bank of China app

Analysis

After bypassing the frida and xposed detection, a plugin can be used to enable WebView debugging.

saprandomnum is the result of AES-encrypting the response of /ezcs-zone/game/sap/base/app/getrandomnum.

The AES key (repeatPublicKey) is fixed, and the IV is the MD5 of clientId + userid. Both values come from the configuration object embedded in the client:

    {"clientId":"689","clientSecret":"0febb4a0e260dcd08e41c0d25a0e7434abb7ecc3c056b368ed","channelFlag":"6","publicKey":"1789313A2A7FC41D9AEF3063B1B53DDB0EEC46A724F680F6848A9D29A6383EE069DE7137031CD924DF365150E4E00269BEFF6A04EAF94B9ACCE5690F1F7C3402","repeatPublicKey":"D56572E740EE8C06"}

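    // Excerpt from the app's minified JavaScript. The l.a calls match the CryptoJS API,
    // and s is the configuration object shown above.
    // e = plaintext (the getrandomnum response), t = IV string
    A = function(e, t) {
        var a = l.a.enc.Utf8.parse(s["repeatPublicKey"])  // fixed AES key
          , n = l.a.enc.Utf8.parse(t)                     // IV
          , i = l.a.enc.Utf8.parse(e);                    // plaintext
        return l.a.AES.encrypt(i, a, {
            iv: n,
            mode: l.a.mode.CBC,
            padding: l.a.pad.Pkcs7
        }).toString()
    }

    // IV derivation: uppercase hex MD5 of clientId + userid
    function(e) {
        var t = s["clientId"] + e; // clientId + userid
        return t = l.a.MD5(t).toString().toUpperCase(),
        t
    }

    md5("689"+"18728463722")
    s="F95587C1C839CC9345C85B0348DFEDA8"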

Code and verification

    # Requires pycryptodome (provides the Crypto package)
    from Crypto.Cipher import AES
    from Crypto.Util.Padding import pad
    import base64
    import hashlib

    def md5(s):
        """Return the uppercase hex MD5 digest of s."""
        if not isinstance(s, bytes):
            s = s.encode()
        return hashlib.md5(s).hexdigest().upper()

    def get_saprandomnum(userid, randomn):
        client_id = '689'
        # The first 16 characters of the uppercase hex digest are used as the 16-byte IV
        iv = md5(client_id + userid)[0:16].encode()
        # Fixed key (repeatPublicKey from the configuration object)
        key = b'D56572E740EE8C06'
        crypto = AES.new(key, AES.MODE_CBC, iv=iv)
        # PKCS7-pad to the AES block size, encrypt, then Base64-encode
        data = crypto.encrypt(pad(randomn.encode(), 16))
        saprandomnum = base64.b64encode(data).decode()
        return saprandomnum

    userid = '18728463722'
    randomn = 'puiwcz4zz4'  # value returned by getrandomnum
    saprandomnum = get_saprandomnum(userid, randomn)
    print(saprandomnum)

    # I90RGPYh7FNAO3GsIenW8w==

