[原创] 快手签名 - Android安全 - 看雪论坛

整理了下,发现还有个和达达类似套路的,一起看看吧。

抓包

发送短信验证码POST /rest/n/user/requestMobileCode?app=0&lon=146.3516&did_gt=1562212339132&c=MYAPP%2C1&sys=ANDROID_8.1&isp=&mod=LGE%28AOSP%20on%20TTOG%29&did=ANDROID_a515efd201ca2590&hotfix_ver=&ver=6.5&net=WIFI&country_code=CN&iuid=&appver=6.5.5.9591&max_memory=192&oc=MYAPP%2C1&ftt=&kpn=KUAISHOU&ud=0&language=zh-cn&kpf=ANDROID_PHONE&lat=30.005368 HTTP/1.1

Connection: close

Accept-Language: zh-cn

User-Agent: kwai-android

X-REQUESTID: 141829000

Content-Type: application/x-www-form-urlencoded

Content-Length: 117

Host: apissl.gifshow.com

Accept-Encoding: gzip, deflate

mobileCountryCode=%2B86&mobile=13655338668&type=1&os=android&client_key=3c2cd3f3&sig=c8a22b77755169b9ecfc63b30e428d32

老规矩,确定sig为签名字段。

逆向

确定调用链

（第1张图片：调用链截图）

找到实现

（第2张图片：实现位置截图）

进入native

（第3张图片：native 入口截图）

（第4张图片：native 入口截图）

首先确定进入的是一个解密字符串的函数，有兴趣的可以看看，直接粘出来解密：

char *__fastcall deStr(int a1, size_t a2)

{

int v2; // r4

size_t i_32; // r8

_DWORD *v4; // r1

char *v5; // r5

int v6; // r1

int v7; // r0

int v8; // r3

int v9; // r4

unsigned int v10; // r6

unsigned int v11; // lr

int v12; // r11

char *v13; // r9

unsigned int v14; // r0

int v15; // r5

unsigned int v16; // r2

unsigned int v17; // r0

unsigned int v18; // r1

unsigned int v19; // ST1C_4

__int64 v20; // kr10_8

unsigned int v21; // r1

unsigned int v22; // r1

unsigned int v23; // r0

unsigned int v24; // r11

unsigned int v25; // r0

unsigned int v26; // r8

unsigned int v27; // r2

unsigned int v28; // r0

unsigned int v29; // r2

int v30; // r6

int v31; // r5

unsigned int v32; // r2

unsigned int *v33; // r0

size_t v35; // [sp+4h] [bp-44h]

char *v36; // [sp+8h] [bp-40h]

int v37; // [sp+Ch] [bp-3Ch]

int v38; // [sp+10h] [bp-38h]

int v39; // [sp+14h] [bp-34h]

_DWORD *ptr; // [sp+18h] [bp-30h]

signed int v41; // [sp+28h] [bp-20h]

v2 = a1;

i_32 = a2;

v4 = malloc(32u);

*v4 = 0xFFF3A2E6;

v4[1] = 0xA66E1F1C;

v4[2] = 0x21772905;

v4[3] = 0xC0D58234;

*((_WORD *)v4 + 8) = 0x706;

*(_DWORD *)((char *)v4 + 18) = 0x24ED1653;

*(_DWORD *)((char *)v4 + 22) = 0xCB39377A;

*(_DWORD *)((char *)v4 + 26) = 0xA90383A3;

*((_WORD *)v4 + 15) = 0xF68Bu;

if ( i_32 << 28 )

{

free(v4);

v5 = 0;

}

else

{

ptr = v4;

v5 = (char *)malloc(i_32);

if ( i_32 >> 4 )

{

v6 = 0;

v35 = i_32 >> 4;

v36 = v5;

v37 = v2;

do

{

v7 = v2 + 16 * v6;

v39 = v6;

v8 = 0;

v38 = 16 * v6;

v9 = *(_DWORD *)(v2 + 16 * v6);

v10 = *(_QWORD *)(v7 + 4) >> 32;

v11 = *(_QWORD *)(v7 + 4);

v12 = *(_DWORD *)(v7 + 12);

v41 = 8;

do

{

v13 = (char *)&unk_7B226754 + v8;

v8 -= 28;

v14 = ptr[*((_DWORD *)v13 + 54)] + v12;

v15 = byte_7B226652[(unsigned __int16)v14 >> 8];

v16 = ((((byte_7B226652[(v14 >> 16) & 0xFF] << 16) | (v15 << 8) | ((unsigned int)byte_7B226652[v14 >> 24] << 24)) >> 11) | ((byte_7B226652[(unsigned __int8)v14] | (v15 << 8)) << 21)) ^ v10;

v17 = ptr[*((_DWORD *)v13 + 55)] + v9;

v18 = (32

* (byte_7B226652[(unsigned __int8)v17] | (byte_7B226652[(unsigned __int16)v17 >> 8] << 8) | (byte_7B226652[(v17 >> 16) & 0xFF] << 16) | (byte_7B226652[v17 >> 24] << 24)) | ((unsigned int)byte_7B226652[v17 >> 24] >> 3)) ^ v11;

v19 = v18;

v20 = *(_QWORD *)(v13 + 204);

v21 = v18 + v16 + ptr[HIDWORD(v20)];

v22 = ((((byte_7B226652[(v21 >> 16) & 0xFF] << 16) | (byte_7B226652[(unsigned __int16)v21 >> 8]
