App: beitalicaishi

在注冊(cè)頁(yè)面輸入phone的時(shí)候, 抓到了一個(gè)包, 內(nèi)容是該phone的信息, 請(qǐng)求中有一個(gè)參數(shù)parms

WX20211013-134447@2x.png

headers = {
    'beta.sessionid': '',
    'User-Agent': 'com.betawm.baw/7.28/169/Android/9/Pixel XL/BetaWM.BAW/HT74B0204170c6fcb511aa6d18a2/BetaWM.BAW',
    'Host': 'auth.betawm.com',
}

params = (
    ('parms', 'KWgtPsDNxAyUSCJlzEvkQm2l0gCOLrFuXYKMP4CwIA8='),#parms
    ('LoginSvcID', '4'),
)

response = requests.get('https://auth.betawm.com/AuthServer/GetUserInfo.aspx', headers=headers, params=params)
response.json()
Out[453]: 
{'InternalUserID': 869562,
 'UserId': 'Beta1065266',
 'UserName': '朝XXX落',
 'UserEmail': '',
 'UserCompany': 'Beta財(cái)富',
...}

反編譯一頓search, 找到了加密位置:

WX20211013-135013.png

WX20211013-135144.png

用的是AES加密, CBC模式, 里面的iv轉(zhuǎn)Python要這樣操作一下:

# python3和java字節(jié)的取值范圍不同：
# Python3： 0~256
# java:         -127~128
# java中key,iv等參數(shù)對(duì)應(yīng)的類型是字節(jié)數(shù)組
iv=[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
iv = bytes(i % 256 for i in iv)

以下是詳細(xì)加密方法:

def add_to_16(text):
    if len(text.encode('utf-8')) % 16:
        add = 16 - (len(text.encode('utf-8')) % 16)
    else:
        add = 0
    text = text + ('\0' * add)
    return text.encode('utf-8')

def encryt_cbc(text, key, iv):
        cipher = AES.new(key, AES.MODE_CBC,iv)
        x = AES.block_size - (len(text) % AES.block_size)
        if x != 0:
            text = text + chr(x)*x
        msg = cipher.encrypt(text)
        # msg = base64.urlsafe_b64encode(msg).replace('=', '')
        msg = base64.b64encode(msg)
        return msg.decode()

iv=[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]

iv = bytes(i % 256 for i in iv)

phone='153****1316'
text=f'mphone={phone}'
key = '!~oX@y$]2wiq3#Fj'.encode('utf-8')#key是固定的

parms=encryt_cbc(text,key,iv)