farwmarth

Those that can, do. Those that can't, complain.



Decompiling a vaccine-appointment app

Date: 2018-12-18   |   Reading time: 647 words, ~2 minutes

Preface

Today I took my kid to get vaccinated and found that the community clinic had switched to app-based appointments. I downloaded the app and tried it, and it is hard to find words for it: apart from registration, every feature just spins on a loading indicator when opened, and the appointment tutorial page even returned a SQL statement error. In the spirit of learning, I wanted to see the code the experts had written.

Tools

  • Nox emulator (夜神模拟器)
  • Packet Capture
  • VirtualXposed
  • MT Manager 2 (MT文件管理器2)
  • FDex2
  • GDA
  • dex2jar
  • jd-gui

Rolling up my sleeves

I captured a few requests with Packet Capture and looked at the API. The base address is plain http, so the request bodies are readable straight from the capture:

  • Base API address: http://api.new.umiaohealth.com
  • Login: /account/login
  • List reservable records: /vaccine/getreservationreservedlist
  • Vaccination info: /vaccine/getvaccinemain

When replaying the login there is a token field that I could not guess my way past, so the only option left was to decompile the app and look at the code that produces it. Checking the packer with GDA showed the app is protected with 360 Jiagu (360加固). GDA's built-in process dump kept hanging when attached to the emulator, so I gave up on it and brought out the Xposed unpacking module FDex2 (VirtualXposed or Xposed has to be installed first).

With MT Manager I moved the dumped dex files into the directory shared between the Nox emulator and the PC. There are several dex files in the dump; open them in GDA to find which one holds the main application code. Then convert that dex to a jar with dex2jar, open the jar in jd-gui, and decompile the .class files.

Eventually I found the key code that builds the encrypted token, in HttpClientUtil.java:

```java
// Decompiled with jd-gui from the dumped dex; decompiler-generated names (paramX, localX) kept.
public void httpPost(Context paramContext, String paramString, AjaxParams paramAjaxParams, BaseParser<?> paramBaseParser, IDataCallback paramIDataCallback)
{
  FinalHttp localFinalHttp = new FinalHttp();
  localFinalHttp.configTimeout(30000);
  // The "token" form field is computed entirely on the client from locally stored state.
  paramAjaxParams.put("token", Base64Utils.getSecretToken(paramContext));
  Header[] arrayOfHeader = Base64Utils.getHttpHeader(paramContext);
  // pid comes from the locally stored ParentInfo row; "0" when none is set yet.
  String str1 = ((ParentInfo)ParentInfo.findFirst(ParentInfo.class)).getPid();
  String str2 = str1;
  if (TextUtils.isEmpty(str1)) {
    str2 = "0";
  }
  paramAjaxParams.put("pid", str2);
  paramAjaxParams.put("VersionChecked", CommonUtil.getAppCurrentVersion(paramContext));
  paramAjaxParams.put("devicetype", "android");
  // Plain form POST; HttpClientUtil.3 is the anonymous response callback.
  localFinalHttp.post(paramString, arrayOfHeader, paramAjaxParams, "application/x-www-form-urlencoded", new HttpClientUtil.3(this, paramIDataCallback, paramString, paramAjaxParams, paramBaseParser, paramContext));
}
```
  

And the token itself, in Base64Utils.java:

```java
public static String getSecretToken(Context paramContext)
{
  // jd-gui reuses the paramContext slot for String values below; read it as a String holder.
  paramContext = (ParentInfo)ParentInfo.findFirst(ParentInfo.class);
  String str = paramContext.getToken();            // session token stored locally after login
  Object localObject = paramContext.getPid();
  paramContext = (Context)localObject;
  if (TextUtils.isEmpty((CharSequence)localObject)) {
    paramContext = "0";                            // pid defaults to "0"
  }
  tktimes = System.currentTimeMillis() + "";       // 13-digit millisecond timestamp as a string
  int i = Integer.parseInt(tktimes.substring(12)); // its last digit (0-9) selects the field order
  localObject = sortSeed[i];                       // static table of index triples, not shown on the page
  sortIndex = String.valueOf(localObject[0]) + String.valueOf(localObject[1]) + String.valueOf(localObject[2]);
  // Payload: one value per slot from getSortData (not on the page) in the chosen order,
  // followed by the order itself so the server can undo the shuffle.
  localObject = getSortData(localObject[0], str, paramContext, tktimes) + "," + getSortData(localObject[1], str, paramContext, tktimes) + "," + getSortData(localObject[2], str, paramContext, tktimes) + "," + sortIndex;
  paramContext = null;
  try
  {
    localObject = encrypt((String)localObject, "xxx加密"); // key redacted by the author
    paramContext = (Context)localObject;
  }
  catch (Exception localException)
  {
    // jd-gui renders the handler as an endless loop; the exception is logged and null is returned.
    for (;;)
    {
      localException.printStackTrace();
    }
  }
  return paramContext;
}
```
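To see what the scheme actually protects, here is a Python reconstruction of getSecretToken() up to the encrypt() call, together with the reverse step a server needs. This is an added example, not the app's code or the author's script. The page does not show sortSeed, getSortData or encrypt, so the example assumes sortSeed is a ten-entry table of index triples (one per possible last digit of the millisecond timestamp), assumes getSortData picks one of (token, pid, tktimes) by index, and leaves the encryption step out because neither its algorithm nor its key (redacted above as "xxx加密") is on the page. The freshness check at the end is an added caveat, not something the page shows the server doing.

```python
"""Reconstruction of the token shaping seen in Base64Utils.getSecretToken().

Added example; sortSeed, getSortData and encrypt are assumptions labelled below.
"""
import time
from itertools import permutations

# ASSUMPTION: sortSeed is indexed by the last digit of a 13-digit millisecond
# timestamp (tktimes.substring(12)), so it has ten entries of three field
# indices each. The real table is not on the page; the six permutations of
# (0, 1, 2) cycled to ten entries stand in for it.
SORT_SEED = (list(permutations((0, 1, 2))) * 2)[:10]

FIELDS = ("token", "pid", "tktimes")


def get_sort_data(idx, token, pid, tktimes):
    """ASSUMPTION: getSortData selects one of the three values by index."""
    return (token, pid, tktimes)[idx]


def build_plain_token(token, pid, tktimes=None):
    """Mirror of getSecretToken() up to encrypt(): returns the plaintext payload."""
    if tktimes is None:
        tktimes = str(int(time.time() * 1000))   # System.currentTimeMillis()
    if not pid:                                   # TextUtils.isEmpty(pid) -> "0"
        pid = "0"
    # Java's substring(12) on a 13-digit value is the last digit; on a longer
    # value it yields two digits and sortSeed[i] would throw, as it would here.
    i = int(tktimes[12:])
    seed = SORT_SEED[i]
    sort_index = "".join(str(s) for s in seed)
    parts = [get_sort_data(s, token, pid, tktimes) for s in seed]
    return ",".join(parts + [sort_index])


def parse_plain_token(plain):
    """Undo the shuffle: the trailing sortIndex says which slot holds which field."""
    *parts, sort_index = plain.split(",")
    if len(parts) != 3 or sorted(sort_index) != ["0", "1", "2"]:
        raise ValueError("malformed token payload")
    return {FIELDS[int(idx)]: value for value, idx in zip(parts, sort_index)}


def is_fresh(fields, now_ms, window_ms=60_000):
    """Replay caveat: the timestamp is the only non-static input, so a server that
    does not bound its age accepts a captured token for as long as the key lives."""
    return abs(now_ms - int(fields["tktimes"])) <= window_ms


if __name__ == "__main__":
    # Constructed sample values, not captured from the app.
    plain = build_plain_token("tok123", "42", "1545100000007")
    print(plain)
    print(parse_plain_token(plain))
```

Everything that goes into the token is either stored on the device or is the current time; the only secret is the embedded key, which ships inside the app and is exactly what the unpacking above was for. Once the plaintext layout is known, a booking script only needs that key and the encrypt() routine, and the server can do no better against a captured token than to bound the age of tktimes.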

Alright, I'm off to write a vaccine-appointment script.

#vaccine#