app名字已经版本:
572R5piT5paw6Ze7YXBwIOeJiOacrDU4LjE=
base64解码可知
问题所在
软件的搜索接口有个sign,不带不行
i抓包
先来jadx:
搜部分url
jadx_url
然后点开后查找用例
image.png
接下来看图里的6
image.png
IDA
image.png
点开getRandomKey
image.png
点开de
so_de()
python版本代码:
a1="k`q`dv`k`rvgjdwa"
v5=""
for i in a1:
v5+=chr(ord(i)^5)
print(v5)
=======================================
结果:
neteasenewsboard
getRandomKey解决了,按esc键返回到最开始的方法 ,a5=0,也不等于3 所以下一步是doEn方法
image.png
大概可知 aes加密 neteasenewsboard可能是密码
实验一下:
image.png
猜对了
python代码:
import base64
from Crypto.Cipher import AES
import binascii
import time
import hashlib
import requests
def md5(src):
if isinstance(src, str):
src = src.encode('utf-8')
m = hashlib.md5()
m.update(src)
return m.hexdigest()
def add_to_16(text):
while len(text) % 16 != 0:
text += '\0'
return text
def encrypt(data, password):
if isinstance(password, str):
password = password.encode('utf8')
bs = AES.block_size
pad = lambda s: s + (bs - len(s) % bs) * chr(bs - len(s) % bs)
cipher = AES.new(password, AES.MODE_ECB)
data = cipher.encrypt(pad(data).encode('utf8'))
# encrypt_data = binascii.b2a_hex(data) # 输出hex
encrypt_data = base64.b64encode(data) # 取消注释,输出Base64格式
return encrypt_data.decode('utf8')
def decrypt(decrData, password):
if isinstance(password, str):
password = password.encode('utf8')
cipher = AES.new(password, AES.MODE_ECB)
# plain_text = cipher.decrypt(binascii.a2b_hex(decrData))
plain_text = cipher.decrypt(base64.b64decode(decrData))
return plain_text.decode('utf8').rstrip('\0')
if __name__ == '__main__':
t=int(time.time())
print(1599807640)
data=f"CQljM2ZhZTY4YTE5OGNkNmQ0CVpYMUcyMjgyWEI%3D{t}"
print(t)
data = md5(data)
password = 'neteasenewsboard' # 16,24,32位长的密码(密钥)
password = add_to_16(password)
encrypt_data = encrypt(data, password)
print('加密前数据:{}\n======================='.format(data))
print('加密后的数据:', encrypt_data)
decrypt_data = decrypt(encrypt_data, password)
print('解密后的数据:{}'.format(decrypt_data))
请求里改ts和sign的值就能请求了。
image.png
