Bank of China App: decrypting the BOBO Fish Pond coupon-grab request parameters

Reversing the encryption scheme

Request screenshot

image-20230915153710395

body is the SM4 ciphertext of the request data; the SM4 key is generated randomly (rand_sm4_key).

hmac is the SM3 hash of the SM4 ciphertext concatenated with a second random key (rand_sm3_key). It is a plain hash over ciphertext plus key, not an HMAC construction.

skey is the SM2 encryption of rand_sm4_key + ':' + rand_sm3_key, so the server recovers both random keys with its SM2 private key.

image-20230915155201463

image-20231011171506738

import binascii
from gmssl.sm4 import CryptSM4, SM4_ENCRYPT, SM4_DECRYPT
from gmssl import sm3, func


def sm3_hash(sm3_key, data):
    # "hmac" field: SM3 over the ciphertext hex string followed by the random SM3 key
    msg = (data + sm3_key).encode()
    return sm3.sm3_hash(func.bytes_to_list(msg))


def sm4_encrypt(sm4_key, data):
    # SM4-ECB encryption (gmssl applies PKCS#7 padding); returns the ciphertext as hex
    if not isinstance(data, bytes):
        data = data.encode()
    crypt_sm4 = CryptSM4()
    crypt_sm4.set_key(sm4_key, SM4_ENCRYPT)
    result = crypt_sm4.crypt_ecb(data)
    return binascii.hexlify(result).decode()


def sm4_decrypt(sm4_key, data):
    # SM4-ECB decryption of a hex-encoded ciphertext; gmssl strips the padding
    data = binascii.unhexlify(data)
    crypt_sm4 = CryptSM4()
    crypt_sm4.set_key(sm4_key, SM4_DECRYPT)
    result = crypt_sm4.crypt_ecb(data)
    return result.decode()


def main():
    sm3_key = 'a78ee5a41de872ec'
    # The SM4 key is itself a 16-character ASCII string (b'c3cb86ff4f7c6896'), hex-encoded here
    sm4_key = binascii.unhexlify('63336362383666663466376336383936')

    s = '2ae6eb439e9a0f95b50c1b190620f1bc5fcede676152908ff09ee82010abe05b'
    print(sm3_hash(sm3_key, s))

    data = '586fb2ad2c364fd762c177d5a985e06fb17f5fe275f0fda0fb48e79675abf64e86191832ed6bb8bfa372dd2a41f10fa279b8c560a04ed470f1c75226e8fea49b0c87d0c561f020dece0252779c2d0fa006b0ce5eb11a4f8150c3c16d8c8b474226688085998f5d5220e5c429070e4145c545bea50d446c9d84c55ec29c35bddbf65d204f39f9c5b5b311b6ca9c0f6ff1f3e657536bcc19118a98371ec7fafb2c3241d6004a404d8df53c12856cf88fad3625fcd450fcc0f3e1891dc826809fb240068c87f4bbe558b52b7bc897b749cbc21be80f24349e2e1a12355a77fdc6cf100005bdaeaada3bd4d1bca0579a128d'
    print(sm4_decrypt(sm4_key, data))


if __name__ == '__main__':
    main()
Output (the first line is the SM3 digest, the second the decrypted body, which is URL-encoded JSON):

8b91944e60cc520e9c6af2aae2d053463fd0db909fa4cf8a13ab16d7d41ef066

%7B%22msgcde%22%3A%22EE30031%22%2C%22rtnmsg%22%3A%22%E7%A4%BC%E5%93%81%E5%85%91%E6%8D%A2%E5%A4%B1%E8%B4%A5%3ARC322-%E5%BD%93%E5%89%8D%E6%97%B6%E9%97%B4%E4%B8%8D%E5%9C%A8%E6%8A%A2%E5%85%91%E6%97%B6%E9%97%B4%E8%8C%83%E5%9B%B4%E5%86%85%22%7D

Breaking it

To modify parameters and replay a captured request, the original packet must first be decrypted. Without the SM2 private key, skey cannot be decrypted; without skey the SM4 key cannot be recovered, and without the SM4 key the request body cannot be decrypted.

One feasible approach is to modify the original JS file and patch the key-generation code so that it produces fixed keys.

image-20231011173852595