得物app frida-rpc hook 搜索功能
1.使用charles对得物app 的搜索进行抓包
https://app.dewu.com/api/v1/app/search/ice/community/search/list?hideAddProduct=0&title=%E6%A4%8D%E6%9D%91%E7%A7%80%E5%B0%8F%E6%96%B9%E7%93%B6%01&sortMode=1&typeId=0&sortType=0&showHot=1&catId=0&page=0&limit=20&scene=community_trans_product&newSign=6ad469aaeb1a66e2dbe3f8b7aad11312
经过测试发现 newSign 是实时变动的
所以先把得物app使用jadx反编译 然后全局搜newsign

搜到后进入对应的 c 方法里面看看

发现有几个map.put参数
使用frida对这个地方进行hook下
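import os
import sys

import frida

# Forward the two frida-server ports from the device to this host. The exit
# status of each command is checked, so a failed forward is reported here
# instead of being silently ignored.
for port in (27042, 27043):
    if os.system(f"adb forward tcp:{port} tcp:{port}") != 0:
        sys.exit(f"adb forward for tcp:{port} failed")

# Connect to the remote frida-server.
rdev = frida.get_remote_device()
# Attach to the target app by its process name.
session = rdev.attach("得物(毒)")
print(session)

# Instrumentation script: replaces RequestUtils.c(a, b) with a wrapper that
# logs both arguments, calls the original method, logs the map again after
# the call together with b and the return value, and returns the original
# result unchanged.
# The statements were fused onto one line in the listing, which does not
# parse; they are split one per line here with no other change.
scr = """
Java.perform(function () {
    var RequestUtils= Java.use('com.shizhuang.duapp.common.utils.RequestUtils');
    RequestUtils.c.implementation = function(a,b){
        console.log("c方法-------------------------------")
        console.log(a)
        console.log(b)
        var result = this.c(a,b);
        console.log("a= " + a.entrySet().toArray());
        console.log("b= " + b);
        console.log(result)
        return result;
    }
})
"""


def on_message(message, data):
    """Print every message the script sends, followed by its payload."""
    print(message)
    print(data)


script = session.create_script(scr)
# Register the callback before loading so no early message is missed.
script.on("message", on_message)
script.load()
# Block on stdin so the process, and with it the hook, stays alive until EOF.
sys.stdin.read()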

经过反复对比发现:一开始传进去的是固定的参数,然后它会在内部再增加一些参数,
最后经过那个 c 方法生成 newSign
所以直接上代码
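# Frida agent source that exposes a single RPC export, ``newsign``.
#   arg_f: the request parameters as a plain object; each key and value is
#          coerced to a string and copied into a java.util.HashMap.
#   j2:    the timestamp, passed as the second argument of RequestUtils.c.
# The agent does not reimplement the signing routine. It calls the app's own
# RequestUtils.c inside the instrumented process and returns what it returns.
# For the server side this means newSign only shows that the app's code
# produced the value, not that an unmodified client sent the request.
# In the listing, ``let result`` and the rest of the body were fused onto
# the ``//j2`` comment line and therefore commented out; the statements are
# split back one per line here with no other change.
jsCode = """function newsign(arg_f,j2) {
    //arg_f 请求的参数
    //{hideAddProduct=0, title=植村秀小方瓶, sortMode=1, typeId=0, sortType=0, catId=0, showHot=1, page=0, limit=20, scene=community_trans_product}
    //j2 是时间戳
    let result = "";
    Java.perform(function () {
        let map = Java.use("java.util.HashMap").$new();
        for (let key in arg_f) {
            map.put(key + "", arg_f[key] + "")
        }
        console.log(map)
        result = Java.use("com.shizhuang.duapp.common.utils.RequestUtils").c(map, j2)
        console.log(map)
        console.log(result)
    })
    return result;
}
rpc.exports = {newsign:newsign};
"""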
只需要按照这个格式把参数传给它来生成就行 下面是完整代码
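import frida
import uvicorn
from fastapi import FastAPI
from pydantic import BaseModel

# Frida agent exposing ``newsign(arg_f, j2)`` over RPC: it copies arg_f into
# a java.util.HashMap of strings and returns RequestUtils.c(map, j2).
# The statements were fused onto one line in the listing; they are split one
# per line here with no other change.
jsCode = """function newsign(arg_f,j2) {
    let result = "";
    Java.perform(function () {
        let map = Java.use("java.util.HashMap").$new();
        for (let key in arg_f) {
            map.put(key + "", arg_f[key] + "")
        }
        console.log(map)
        result = Java.use("com.shizhuang.duapp.common.utils.RequestUtils").c(map, j2)
        console.log(map)
        console.log(result)
    })
    return result;
}
rpc.exports = {newsign:newsign};
"""

rdev = frida.get_remote_device()
# Attach to the target app by its process name and load the agent once at
# start-up; every HTTP request below reuses this one script.
process = rdev.attach("得物(毒)")
script = process.create_script(jsCode)
script.load()

app = FastAPI()


class Item(BaseModel):
    """Request body of POST /getnewsign."""

    # Request parameters handed to the agent as ``arg_f``.
    m: dict
    # Timestamp handed to the agent as ``j2``.
    j2: int


@app.post("/getnewsign")
async def getencrypt(item: Item):
    """Return ``{"data": <value>}`` from the agent's ``newsign`` export."""
    print(item.m)
    print(item.j2)
    result = script.exports.newsign(item.m, item.j2)
    return {"data": result}


if __name__ == '__main__':
    # The endpoint has no authentication and returns a value for whatever
    # parameters it is given, so it listens on loopback only. The caller in
    # this write-up connects to http://127.0.0.1:8080/getnewsign, so nothing
    # shown here needs the 0.0.0.0 bind of the original listing.
    uvicorn.run(app, host="127.0.0.1", port=8080)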
上面是如何生成加密参数
下面是如何提交
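import json
import os
import time
import urllib.parse

import requests
import uvicorn
from fastapi import FastAPI, Query

# Account credentials are read from the environment instead of being written
# into the source, so a published copy of this file carries no usable
# session. The variable names are constructed for this listing; a missing
# variable stops the program at start-up with KeyError.
DU_LOGIN_TOKEN = os.environ["DEWU_LOGIN_TOKEN"]
X_AUTH_JWT = os.environ["DEWU_X_AUTH_JWT"]
DU_TOKEN = os.environ["DEWU_DUTOKEN"]

# Local signing service and the timeout applied to both outgoing requests,
# so a stalled peer cannot hang the handler indefinitely.
SIGN_SERVICE_URL = "http://127.0.0.1:8080/getnewsign"
REQUEST_TIMEOUT = 10  # seconds

app = FastAPI()


@app.get("/")
async def server2(title=Query(None), page=Query(None)):
    """Fetch newSign for a search, send the signed search request, return its body.

    Args:
        title: search keyword from the ``title`` query parameter.
        page: page index from the ``page`` query parameter.

    Returns:
        The text of the upstream response.

    Raises:
        requests.HTTPError: the signing service answered with an error status.
    """
    print(111)
    print(title)
    timestamp = int(time.time() * 1000)
    # The title has to be URL-encoded before it goes into the query string.
    titleurlencode = urllib.parse.urlencode({'title': title})
    # Parameters that are passed to the signing service.
    params = {
        'hideAddProduct': 0,
        'title': title,
        'sortMode': 1,
        'typeId': 0,
        'sortType': 0,
        'catId': 0,
        'showHot': 1,
        'page': page,
        'limit': 20,
        'scene': 'community_trans_product',
    }
    data = {
        "m": params,
        "j2": timestamp,
    }
    print(timestamp)
    r = requests.post(SIGN_SERVICE_URL, data=json.dumps(data), timeout=REQUEST_TIMEOUT)
    # Stop on a failed signing call instead of concatenating None into the URL.
    r.raise_for_status()
    sign = r.json().get("data")
    params["newSign"] = sign
    print(sign)
    url = (
        'https://fast.dewu.com/api/v1/app/search/ice/community/search/list?hideAddProduct=0&'
        + titleurlencode
        + '&sortMode=1&typeId=0&sortType=0&showHot=1&catId=0&page='
        + str(page)
        + '&limit=20&scene=community_trans_product&newSign='
        + sign
    )
    print(url)
    print('!!!!!!!!!!!!!!')
    # NOTE(review): shumeiid, SK and duproductid look device- or session-bound;
    # confirm whether they belong with the credentials read from the environment.
    # NOTE(review): Host is app.dewu.com while the URL targets fast.dewu.com;
    # confirm this mismatch is intended.
    header = {
        'duplatform': 'android',
        'appId': 'duapp',
        'duchannel': 'pp',
        'humeChannel': '',
        'duv': '4.80.0',
        'duloginToken': DU_LOGIN_TOKEN,
        'dudeviceTrait': 'MuMu',
        'dudeviceBrand': 'Android',
        'timestamp': f'{timestamp}',
        'shumeiid': '20220828135024fae2e59a8dcdc8f7da4d60545cc47536011c01ddeca71449',
        'oaid': '',
        'User-Agent': 'duapp/4.80.0(android;6.0.1)',
        # The listing split this value across two lines, which is neither a
        # valid string literal nor a valid header value.
        'X-Auth-Token': f'Bearer {X_AUTH_JWT}',
        'isRoot': '0',
        'emu': '1',
        'isProxy': '0',
        'SK': '9JjqA3RNvkfMqQDDVXi8uEpA3rxbSLl0tDJ8eHKmhzjU9nqqCjrSc6BH0RwY4RYSOFLqgeY4F86NPAWx7BABGpf0Ju1t',
        'duproductid': '2D3E5AD66B14B10F6CF5D2F964F8522CBDFE24914A4EEF24D4D5C25559243BDD',
        'ducodeid': '',
        'sks': '0,adw1',
        'Host': 'app.dewu.com',
        'Connection': 'Keep-Alive',
        'Accept-Encoding': 'gzip',
        'Cookie': f'duToken={DU_TOKEN}',
    }
    r1 = requests.get(url=url, headers=header, timeout=REQUEST_TIMEOUT)
    return r1.text


if __name__ == '__main__':
    # This handler attaches the account's session headers to whatever query
    # it receives, so it listens on loopback only; the write-up itself calls
    # it at http://127.0.0.1:8008/.
    uvicorn.run(app, host="127.0.0.1", port=8008)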
最后请求地址
http://127.0.0.1:8008/?title=%E5%8F%A3%E7%BA%A2&page=0
