App download link: https://a.app.qq.com/o/simple.jsp?pkgname=com.lianjia.beike&channel=0002160650432d595942&fromcase=60001

Once we have the app, the first step is to capture the request that sends the verification code:

GET https://app.api.ke.com/user/account/sendverifycodeforbindmobilev2?mobile_phone_no=13326565656 HTTP/1.1

x-req-id: e00ff70e-bc17-4044-a35c-f78acb32018d
Page-Schema: register%2Ffastlogin
Referer: register%2Ffastregister
Cookie: lianjia_udid=865166027426629;lianjia_ssid=75851a93-26c2-49a8-9eb7-cc8f99bf57c9;lianjia_uuid=0a573ab1-63b5-409d-8918-5f7ed7e61b67
Dynamic-SDK-VERSION: 1.1.0
Lianjia-City-Id: 410323
parentSceneId: 5596148239526137856
source-global: {}
User-Agent: Beike2.45.0;gionee f100; Android 5.1.1
Lianjia-Channel: Android_ke_baidupinzhuannei
Lianjia-Device-Id: 865166027426999
Lianjia-Version: 2.45.0
Lianjia-Im-Version: 2.34.0
Lianjia-Recommend-Allowable: 1
Authorization: MjAxODAxMTFfYW5kcm9pZDo4OTQ3ZTViOWUyNzY3ZmFkOGE4NDkxNWIwNDcwZTI3NDNkNDkzMDI2
extension: lj_imei=865166027426629&lj_duid=DuJS34UhUciix/eawe4VSLWEY8mWRVkGBit6fsyNDD/NLlUAbE+xg2ZpttRz/ra6FqHd1+JzBu9GWqfOGfyo1hSQ&lj_android_id=aff431a764d6b2da&lj_device_id_android=865166027426629&mac_id=00:81:23:6b:7d:a4
WLL-KGSA: LJAPPVA accessKeyId=sjoe98HI099dhdD7; nonce=fEELhMml5pD164faC24xpGZP5zuCGwRd; timestamp=1622391411; signature=tQTYX+xYJU5trNKllZ1pXtI254QDxUEVBS4EtHF6w1I=
Host: app.api.ke.com
Connection: Keep-Alive
Accept-Encoding: gzip

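A quick look: it is a GET request, and the URL carries only the phone number in plaintext, so my guess is that the encryption is in the request headers.
Step two: the headers are mostly things like location, IP, device ID, city, and version number. Testing with 精益网页助手 showed that the encrypted one is: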

 Authorization: MjAxODAxMTFfYW5kcm9pZDo4OTQ3ZTViOWUyNzY3ZmFkOGE4NDkxNWIwNDcwZTI3NDNkNDkzMDI2

Decode it in one click with 精益编程助手. The Base64 decoding result is:

20180111_android:8947e5b9e2767fad8a84915b0470e2743d493026

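Capturing another request shows that the 20180111_android: prefix is always the same, so let's see what the part after it is. Check for a packer: there is none. Open jadx-gui and search for the keyword Authorization. The value turns out to be built as Appid + COLON_SEPARATOR + c and then Base64-encoded. I hooked Appid, and the hook result was:
d5e343d453aecca8b14b2dc687c381camobile_phone_no=13326565656
I first compared it against MD5, and surprisingly it did not match. After another look I ran it through the one-click encoder in 精益编程助手, and it turned out to be SHA-1: the result is 8947e5b9e2767fad8a84915b0470e2743d493026. Prepend 20180111_android: and it is identical to the captured value, and that's it.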
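
As an added example (not code from the original post or from the app), the Python sketch below repeats the analysis above on the captured values: it Base64-decodes the Authorization header, splits it at the colon, uses the digest length to shortlist hash functions, and tests the hooked string against each. The candidate table and the function names are assumptions of this example.

```python
import base64
import hashlib

# Values copied from the capture and the hook output on this page.
CAPTURED_AUTH = "MjAxODAxMTFfYW5kcm9pZDo4OTQ3ZTViOWUyNzY3ZmFkOGE4NDkxNWIwNDcwZTI3NDNkNDkzMDI2"
HOOKED_INPUT = "d5e343d453aecca8b14b2dc687c381camobile_phone_no=13326565656"

# Hex digest length -> hash functions that produce it (candidate list is this example's choice).
CANDIDATES = {32: ["md5"], 40: ["sha1"], 64: ["sha256", "sha3_256"]}


def split_authorization(header_value):
    """Base64-decode the header and split it into (app_id, digest_hex)."""
    decoded = base64.b64decode(header_value, validate=True).decode("ascii")
    app_id, sep, digest_hex = decoded.partition(":")
    if not sep or not digest_hex:
        raise ValueError("expected '<app_id>:<digest>' after Base64 decoding")
    bytes.fromhex(digest_hex)  # raises ValueError if the second field is not hex
    return app_id, digest_hex.lower()


def identify_digest(signed_input, digest_hex):
    """Return the name of the hash that maps signed_input to digest_hex, or None."""
    for name in CANDIDATES.get(len(digest_hex), []):
        if hashlib.new(name, signed_input.encode("utf-8")).hexdigest() == digest_hex:
            return name
    return None


def analyse(header_value, signed_input):
    """Summarise the header's parts and whether the hooked input explains the digest."""
    app_id, digest_hex = split_authorization(header_value)
    return {
        "app_id": app_id,
        "digest": digest_hex,
        "length_suggests": CANDIDATES.get(len(digest_hex), []),
        "confirmed": identify_digest(signed_input, digest_hex),
    }


if __name__ == "__main__":
    for key, value in analyse(CAPTURED_AUTH, HOOKED_INPUT).items():
        print(f"{key}: {value}")
```

The length check alone rules out MD5 here: an MD5 hex digest is 32 characters, while the second field of this header is 40.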

Last modified: December 13, 2021