Reversing the SMS-code login algorithm of an iOS carrier service app

Target

Work out the algorithm behind the mobile and password parameters in the packet that is sent when logging in with a verification code

Analysis

1. Fiddler

Enter an arbitrary phone number (18888888888 here) and use Fiddler to capture the packet sent after tapping the "Get verification code" button. The result:

POST https://m.client.10010.com/mobileService/sendRadomNum.htm HTTP/1.1
Host: m.client.10010.com
Accept: */*
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive
User-Agent: ChinaUnicom4.x/300.0 CFNetwork/1126 Darwin/19.5.0
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate, br
Content-Length: 500

reqtime=2021-03-24 13:22:28&simCount=1&[email protected]&mobile=gPNURCE4%2FMLIGDuBx%2FOJDIpbSAJN2Tv%2B%2FokBd2%2BBT5VFElu1Od0sS3bOx1g57kIgKXN6usuCBxKcAm648ZMofFPrOaByo526tC1CDuqEKmxiZUD1VyQwxRqyyNBane08p1RXEvrKUg2CbbryD9cOeglt5Fp0faQ4A3VvTvJidJk%3D

The phone number is encrypted and placed in the mobile parameter. Going by what I read, it is presumably RSA or DES (just a guess at this point).

2. Extract the executable

Use CrackerXI+ to dump the target app's ipa; unzipping it yields the executable "ChinaUnicom4.x"

3. Analyse the executable

First attempt

Load the executable in IDA (64-bit). (PS: I don't actually know how to use IDA.)

Search for "sendRadomNum", the string from the URL in step 1. The results:

My guess was "UILoginViewController getMessageCodeResult", so I double-clicked into it

At this point I was stuck. While writing this post I also came to think that it isn't in "UILoginViewController getMessageCodeResult" after all: the first search result, "VoiceCodeCell getVoiceCodeResult", also contains "sendRadomNum.htm", and testing confirms that requesting a voice verification code POSTs to the same URL, with just an extra send_flag=1 in the body.

Second attempt

On a whim I searched for "send_flag" instead; this time there were only four results

Open the first one, "getVoiceCode"

The encryption algorithm is RSA and the public key is right there in the code; the next step is to translate the pseudocode

void __cdecl -[VoiceCodeCell getVoiceCode](VoiceCodeCell *self, SEL a2)
{
  id v3; // x0
  id v4; // x19
  NSString *v5; // x0
  NSString *v6; // x22
  id v7; // x0
  id v8; // x23
  id v9; // x21
  id v10; // x0
  __int64 v11; // x21
  id v12; // x0
  id v13; // x22
  id v14; // x0
  id v15; // x23
  id v16; // x21
 
  v3 = objc_msgSend(&OBJC_CLASS___NSMutableDictionary, "dictionary");
  v4 = objc_retainAutoreleasedReturnValue(v3);
  v5 = -[VoiceCodeCell phoneNum](self, "phoneNum");
  v6 = objc_retainAutoreleasedReturnValue(v5);
  v7 = objc_msgSend(&OBJC_CLASS___NSString, "randomStringWithLength:", 6LL);
  v8 = objc_retainAutoreleasedReturnValue(v7);
  v10 = objc_msgSend(v9, "stringWithFormat:", CFSTR("%@%@"), v6, v8);
  objc_retainAutoreleasedReturnValue(v10);
  objc_release(v8);
  objc_release(v6);
  v12 = +[RsaEncrypt encryptString:publicKey:](
          &OBJC_CLASS___RsaEncrypt,
          "encryptString:publicKey:",
          v11,
          CFSTR("MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDc+CZK9bBA9IU+gZUOc6FUGu7yO9WpTNB0PzmgFBh96Mg1WrovD1oqZ+eIF4LjvxKXGOdI79JRdve9NPhQo07+uqGQgE4imwNnRx7PFtCRryiIEcUoavuNtuRVoBAm6qdB0SrctgaqGfLgKvZHOnwTjyNqjBUxzMeQlEC2czEMSwIDAQAB"));
  v13 = objc_retainAutoreleasedReturnValue(v12);
  +[IsSafeData IsStringSate:](&OBJC_CLASS___IsSafeData, "IsStringSate:", v13);
  objc_msgSend(v4, "setObject:forKey:", v13, CFSTR("mobile"));
  objc_msgSend(v4, "setObject:forKey:", CFSTR("1"), CFSTR("send_flag"));
  v14 = +[LoginStatusRequestsHelper instance](&OBJC_CLASS___LoginStatusRequestsHelper, "instance");
  v15 = objc_retainAutoreleasedReturnValue(v14);
  objc_msgSend(
    v15,
    "getVoiceCodeRequest:Delegate:ResultHandle:FailHandle:",
    v4,
    self,
    "getVoiceCodeResult:",
    "getVoiceCodeFail:");
  objc_release(v15);
  objc_release(v13);
  objc_release(v16);
  objc_release(v4);
}

It is easy to see that the phone number (phoneNum) is concatenated (stringWithFormat:) with a 6-character random string (randomStringWithLength:) and the result is RSA-encrypted (encryptString:publicKey:).

Login packet

The data has been sanitised

POST https://m.client.10010.com/mobileService/radomLogin.htm HTTP/1.1
Host: m.client.10010.com
Accept: */*
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive
User-Agent: ChinaUnicom4.x/300.0 CFNetwork/1126 Darwin/19.5.0
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate, br
Content-Length: 906

reqtime=2021-04-07 18:00:00&simCount=1&[email protected]&mobile=Zp%2BnRktRubLIsOilI3c8aj4i9nNvLpj8BHHnY3XiK19QCoMCd2PfSV423QFOrZDM%2FMcb1067UaSiPNnJT04fdaeTOn6zGRqkQk7heIfcbN80poo7IsBz1DCGmQDqe1OUmyQ8To7%2BV8YJT85QLoEemAYm2FEdIG6MMk3uu6NJ6Cw%3D&netWay=wifi&appId=ChinaunicomMobileBusiness&yw_code=&pip=192.168.1.1&password=wEN2xUlhyFNqdGTRToAH4v6GJLT%2FBFNuWqMpoNPJRKXkXkGHv1X63%2Fc2olj6PoFH4KVmUUOs5WaMO7YU6%2BTnygO8McaAtngVUjC%2FIdF50mDm%2FDg2ZGgv9jj3EzdkHAvU7seeAdZoWsZONu2dxhDuZnKuKehPBrioeZKVdPWbIvM%3D&deviceOS=13.5&deviceBrand=iphone&deviceModel=iPhone&remark4=&keyVersion=2&voiceoff_flag=1&loginStyle=0&deviceCode=991A7490-939F-4BE2-83BE-934C35C06D84

Presumably the mobile parameter uses the same algorithm as the get-verification-code request above, and the password parameter is the verification code plus a 6-character random string, encrypted the same way; testing confirmed this.
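As an added check of the analysis above (my own code, not the app's or the author's), the following parses the public key from the decompiled method, reproduces the described value + 6 random characters, RSA, base64 construction, and compares the result with the captured mobile value. The PKCS#1 v1.5 padding and the alphabet used by randomStringWithLength: are assumptions, since neither is visible on the page.

```python
import base64
import secrets
import string
from urllib.parse import unquote

# Public key copied from the decompiled -[VoiceCodeCell getVoiceCode] above: base64 of a DER SubjectPublicKeyInfo.
PUBKEY_B64 = ("MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDc+CZK9bBA9IU+gZUOc6FUGu7yO9WpTNB0PzmgFBh96Mg1WrovD1oqZ+eIF4LjvxKXGOdI79JRdve9NPhQo07+uqGQgE4imwNnRx7PFtCRryiIEcUoavuNtuRVoBAm6qdB0SrctgaqGfLgKvZHOnwTjyNqjBUxzMeQlEC2czEMSwIDAQAB")
# mobile= value from the sendRadomNum capture above (still form-encoded); used only to check the hypothesis against it.
CAPTURED_MOBILE = unquote("gPNURCE4%2FMLIGDuBx%2FOJDIpbSAJN2Tv%2B%2FokBd2%2BBT5VFElu1Od0sS3bOx1g57kIgKXN6usuCBxKcAm648ZMofFPrOaByo526tC1CDuqEKmxiZUD1VyQwxRqyyNBane08p1RXEvrKUg2CbbryD9cOeglt5Fp0faQ4A3VvTvJidJk%3D")
ALPHABET = string.ascii_letters + string.digits  # assumption: the alphabet of randomStringWithLength: is not shown on the page

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits say how many length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_spki(b64):
    """Extract (modulus, exponent): SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey."""
    _, spki, _ = _tlv(base64.b64decode(b64), 0)   # outer SEQUENCE
    _, _, pos = _tlv(spki, 0)                      # AlgorithmIdentifier (rsaEncryption), skipped
    _, bitstr, _ = _tlv(spki, pos)                 # BIT STRING; byte 0 is the unused-bits count
    _, rsa, _ = _tlv(bitstr, 1)                    # RSAPublicKey SEQUENCE { n, e }
    _, n_bytes, pos = _tlv(rsa, 0)
    _, e_bytes, _ = _tlv(rsa, pos)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")

def rsa_pkcs1v15_encrypt(msg, n, e):
    """Textbook RSAES-PKCS1-v1_5 (assumed padding; SecKeyEncrypt with kSecPaddingPKCS1 is the usual iOS choice)."""
    k = (n.bit_length() + 7) // 8
    if len(msg) > k - 11:
        raise ValueError("message too long for the key")
    ps = b""
    while len(ps) < k - len(msg) - 3:  # padding string: random, non-zero bytes
        ps += secrets.token_bytes(1).replace(b"\x00", b"")
    em = b"\x00\x02" + ps + b"\x00" + msg
    return pow(int.from_bytes(em, "big"), e, n).to_bytes(k, "big")

def encrypt_param(value, n, e):
    """Same flow as the decompiled code: value + 6 random chars, RSA, base64 (form-encoding happens when sent)."""
    suffix = "".join(secrets.choice(ALPHABET) for _ in range(6))
    return base64.b64encode(rsa_pkcs1v15_encrypt((value + suffix).encode(), n, e)).decode()

def ciphertext_fits(param_b64, n):
    """Does a value look like one RSA block under this key: exactly k bytes and numerically below n?"""
    raw = base64.b64decode(param_b64)
    return len(raw) == (n.bit_length() + 7) // 8 and int.from_bytes(raw, "big") < n
```

Two things worth noting: the key is 1024-bit and ships inside the client, so this encryption hides the phone number from whoever reads the request body but does not authenticate the sender; and PKCS#1 v1.5 padding already randomises every ciphertext, so the 6-character suffix adds nothing to that.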

Code implementation

sendRadomNum

radomLogin

Copyright notice:
Author: Admin
Link: https://iloveu.top/index.php/2021/04/10/ios-chinaunicom-login/
Source: 如也网络科技
The article is copyright of the author; please do not repost without permission.
