360wifi逆向

原創 怪兽有魔法 2020-07-08 07:33

這是2018年分析的360wifi,腳本不確定是否還能用,在此整理一下

參考看雪360wifi逆向分析:http://bbs.pediy.com/thread-219006.htm

嘗試分析當前最新版360wifi,並編寫查詢腳本

相較老版本的360wifi,當前最新版本採用了360加固,所以分析之前進行了脫殼處理,脫殼這塊就不詳述了,網上可以找到資料。

參考:https://www.jianshu.com/p/138c9de2c987

post網址:POST http://api.free.wifi.360.cn/intf.php?check_update_key=&full=1&qid=0&devtype=android&nettype=WIFI&manufacturer=samsung&model=SCH-I939D&os=4.3&channel=100000&v=398&m2=a7c73fd3c903520e9e3676c382fca29f&auth_name=android_sdk&nance=1500542429897&inviter_qid=0&l_ver=-1&l_ver_t=1500444674114&1st_ch=100000&method=Wifi.scan&lld=L9vnVT7ql4XtRBS1Rn8izjS5pfd0PeShtmdijNF0O77b5V2UlF9oSOojIBLfo4uiLCfddZig0IMJVA2vKT4y5F3pp6Cm0PVlZdmUBqFrFwOChai3TP5OzqMzmkVLsoxc12HkrvymUrlcOgERbR16ng%3D%3D&tp=1&sign=e4e9bfa069e424e8f33e5e2314d8044d HTTP/1.1
User-agent: 360freewifi
Cookie: Q=;T=;
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Host: api.free.wifi.360.cn
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 3305


params_i=VyXfJz2JQIOcYZ4iJ7w%2BA36quHq%2FC9Qcm%2BNLPpbkATE%3D&params=OUz7OJu3WKYUjBVZCLPxTSN4%2B1POx4R6AEAauF78Q6a4hynmrg7DT7%2B4ia%2FF9ObYeS1hqpfUCxsh2Buv9jNEny3csh3LeJ0453I20KNgta2kMgW4ab2qykKpnmlKOcuXlnx30P%2FKt3u2jXyjAgAL3eHNwnxtkC9SICxC3Wu%2B6ZR54BddJNnQ%2BCGVB%2FPiVGMAbn7p%2BdzqoVEjePtTzseEegBAGrhe%2FEOmWpBKk7TOZ1RvV8%2F7OZQjGyRomv3Q1tTJ2%2BVdlJRfaEhOYudqvpMRPrWrZS1rBZ96FbgfszZmV8O2llYxBgBiZGAw05eMbmEDg7jlO1YnoADB6i6RKULChu3QAYKqO47AYiJ42SNr%2B49qbGsw%2BZq6eyJw1LU7PjR8RkZbRfa407BGtAuLZSQMcHiuNxu1NOr7dGe%2BdsC9A7wh2Buv9jNEny3csh3LeJ0453I20KNgta3nEIvjg%2FcEiozqa%2F7i4HSTMSAWAv6H8dG2jXyjAgAL3eHNwnxtkC9SICxC3Wu%2B6ZR54BddJNnQ%2BCGVB%2FPiVGMAFIwVWQiz8U0jePtTzseEegBAGrhe%2FEOm%2F2b5cLwo45BlmxRoXh44HkthTjtY5EIp5z8f%2BaIDMMOkghB1%2BRcOxKWXh2qBfaVr0WMYWybGQPIldgpIY8q3rnCYuuk1Xp5r6EjLZCWelMKbkNHe0jcS4d9BTcAhHEEbky55S8DdQ1SwG9lTrQOtZFJ607fP4E4M2E4b0oa9d2a3ctmGKqarORmm3AsZheDd35yxfwKl7RczWyXRqXyeLplWuWlO12Mh2GAXG%2FWAe3p0bDTTKnufKpFXmar4cjbrrsTtPrvrJfljcINav4aryaQ9YO8xJixAntYU%2FkbTbpQTBsW%2FpbdT4nRn8PznAcT1IuO5wgVOfNKqU0eoJuHtBWkPpincCDVjEqeodMnMPW%2BOcohPJVzMgWhs9n4VXr7Jar7ysq%2FUA5eOnekGrudKTnoz0JtPin%2FSURCTxnrHKLgCZkKZz4RuD8aZ8aS3I6Mol3n0wcTzQzCDFFiCanCcSW5PlfK9c0dkcWzm0vaGY9WurRr1%2F2PQ89PlDuTM4%2FEI21vT5yL%2B7a254DsMjM9UkpznQ0TOApFXCoOGRol%2FN4jZ3uL%2BZJwfaRUSVotACzbyY%2FGKZ1KK9Lx2RphtjRlYyRrhKBfUtgwxvxqJpUWONcozXXwbLo2pQx4h9T9VvTATNRAqwz0r0cbtRBS1Rn8izruKwtMHg%2B8kcxHXbBVZY1N6CEy8HL7ssTAOAflogY3JaQiWBft1iGlYCf2pg%2FKqUtbzk7pxk1siKWae6dvebxB0Z752wL0DvCHYG6%2F2M0SfLdyyHct4nTjncjbQo2C1rdyfKE%2Fa2wjH7caaXJ2gq29fzHYr6MQQabaNfKMCAAvd4c3CfG2QL1IgLELda77plHngF10k2dD4IZUH8%2BJUYwBufun53OqhUSN4%2B1POx4R6AEAauF78Q6aJBNHW2aG3XQGsUvzJT5n%2BTBQ%2BCBih%2BnmOnekGrudKTnoz0JtPin%2FSURCTxnrHKLgpjge4FvpVc6WaTW4RJXEbU7lgQNa%2BgdWDFFiCanCcSW5PlfK9c0dkcWzm0vaGY9WurRr1%2F2PQ89PlDuTM4%2FEI21vT5yL%2B7a254DsMjM9UkpznQ0TOApFXCoOGRol%2FN4h5R0n7JjgTjXLqEq3yYabaIdgbr%2FYzRJ8t3LIdy3idOOdyNtCjYLWtBfA2d%2BbU%2Be6mBZzt35AiQIXSWNkxHLkxto18owIAC93hzcJ8bZAvUiAsQt1rvumUeeAXXSTZ0PghlQfz4lRjABSMFVkIs%2FFNI3j7U87HhHoAQBq4XvxDpriHKeauDsNPEtEVBPlxxFaTxRbcoHoiGyHYG6%2F2M0SfLdyyHct4nTjncjbQo2C1raQyBbhpvarKU5GEkafRtImWfHfQ%2F8q3e7aNfKMCAAvd4c3CfG2QL1IgLELda77plHngF10k2dD4IZUH8%2BJUYwBufun53OqhUSN4%2B1POx4R6AEAauF78Q6bWFSLcVi0MGhnK8f3xNuLwb1fP%2BzmUIxuR%2FOFvZXXW16SCEHX5Fw7EpZeHaoF9pWvRYxhbJsZA8g7BLUzTiMHLzMOwUJA2RcLqFtoPc9PjmZuQ0d7SNxLh30FNwCEcQRuTLnlLwN1DVLAb2VOtA61kSB7v62tkCpTYThvShr13Zrdy2YYqpqs5VLNkDb5b3nxvV8%2F7OZQjG2EoTWGeD7sMpIIQdfkXDsSll4dqgX2la9FjGFsmxkDyxoPUHMj1hpTburyN%2FwB0AcsJ%2Bt2NaUKMm5DR3tI3EuHfQU3AIRxBG5MueUvA3UNUsBvZU60DrWRSetO3z%2BBODNhOG9KGvXdmt3LZhiqmqzlcL9EhYrpHlscEBG8XtuGZb5HvPR86uJz9kJmuUU5Exo6d6Qau50pOejPQm0%2BKf9JREJPGescouEFpCQrGz3pYcWQLmxUtFQY3vbOQjFHfNYMUWIJqcJxJbk%2BV8r1zR2RxbObS9oZj1a6tGvX%2FY9Dz0%2BUO5Mzj8QjbW9PnIv7trbngOwyMz1SSmgyCSe6Egl4ahl%2B4ag13abP3vOhoNj%2Bxjp3pBq7nSk56M9CbT4p%2F0lEQk8Z6xyi4bW7xffGma5jW6F8hKowFKArBmc87JUUBgxRYgmpwnEluT5XyvXNHZHFs5tL2hmPVrq0a9f9j0PPT5Q7kzOPxCNtb0%2Bci%2Fu2tueA7DIzPVJKKnB6oh5AsM3ZEy0A7cAI5Qljt9ITYWkuup1I3g9%2B4sCP%2F%2BZSSVYTX3HQpCKyiQygdF1C%2FmtwMCt8xSI1wctbT7DRBFxunUoicW26C1aE3T9U2Ri%2Fv0uOg277BcTELWpVcdTKuDghlTos0dOnGlpwXtnHHWxaFFgsx9srmm3LXJrSszkX8KsVm44I7JsQAzwYKHmJnQmjfgkJY7fSE2FpLDzbGnTLK2X%2Fb5V2UlF9oSE5i52q%2BkxE%2BtatlLWsFn3o3VR%2BhgltAY%2BCXfJ4UOTU4EnCrA%2Bpr6w6DuOU7ViegAMHqLpEpQsKG7dABgqo7jsDQNqWq5leFNQ%3D%3D

 

服務器返回包:

{"errno":0,"errmsg":"","data":{"list":"DkiJ9N5bci8ZtalQGyJVnWvKqD5dgl2djcbr3KDWJL0nY\/4VF5kXOnJWqQsXkAMjvRG9EJZvpjVORu9Wx1dXgJ835x3HC3WxpD1g7zEmLEAMHHPn2qH5dV5n3Bnc15oQpIIQdfkXDsQjy4dU3kUfO2fth5WlH3QLDnvFgy9vfJnhYVpLOHnvPjqBtPJ4jdDjY\/OFJTHS1xVZsYySmFPKY7Qd\/niSLwpSJ0HLN5HR\/4FKf6xnzr2ftKuGozqzQraIOy92Cq8KBPLltvsWwkz8txoMrl5KMzm\/EVypy6a9lXBnZNC9dH+C7dABljkAZqnsnx5flbMmUu8nSu1M3lILai4i04cVYwEBgg3cJ+56JjEMDVt3vGCiv0RJSLGV\/tBlooslNrv5P63NLhbFPWLsVqe3B+NWO8qJIXwsDFe2u+sHyUb68TE22DQmHEnUpGO40jrD427dZmTwG9WJwDKnyI6d6Qau50pOLsO6fGF0t\/Pi6PIgC6tfoBpvZdt2ftm6Jc6J4w8+3LAmoYM5+NBBsTeMBMgn\/v9xidpo1acfqbfknFUbfZZl4FOCqtyVbvzS\/qWs+i1dsO73r3hjvaTvdoGYzcyE0VJzVoNccorqlJgZNWhHkPaQ6jtHv+ImmwEazog26IOyAnWq4sT9JRHQuSuUmwjTg0r38l1Zg4+s4d2sWtlg7DT+\/O8cOys34HRtRLbflm7kePUxbyMz1ZZRbzFE3taBi7vnuIwEnsdUN1YAQBq4XvxDpkwR5iKr7QDr0GDwr0cjx5+lEQZTE4GkU4ekmcbFki2XgxRYgmpwnEkEz59KI7Koe8EDyW3gpCjjLCRO2WFXf6sNMDPwE0MfJbV\/wAulF7KyRwenO0oPaiEX995C5ZAHiO0HMPrsfk4vHMN4RgvW2JR20O7IM+dPIwmSRYR4lnmfFnG5l6obhQNDg+S4lHdc92UjXQYoaLQ3ID+8ZMPNqI4CspJMD4JJF1Sp7Jr5fVT+Q8Mb+YSD4dT68PdSBzsQXYxtlk4Qvtr3FvkpmSQWAalXuhhFk49zVNa19Z\/NezP32vE68mumzrtw6BrO+vryWrIIGG+nWyfZIIDSzV23RSNHN6fCgYVP3LP3dMRwwg3yUzMDofPJiRoYznDxgLHyhWK2kDj9iaR+0GDwr0cjx5+lEQZTE4GkU4ekmcbFki2XgxRYgmpwnEn0tIR9haudQ46d6Qau50pOp7ARcJrYpyfi6PIgC6tfoLwBOtB5VFSNJc6J4w8+3LAmoYM5+NBBsTeMBMgn\/v9xidpo1acfqbfknFUbfZZl4FOCqtyVbvzS\/qWs+i1dsO73r3hjvaTvdoGYzcyE0VJzVoNccorqlJgZNWhHkPaQ6jtHv+ImmwEadNgCZSaQCBhMZJnxUzqcLz9NOyno1RmNgUHW7A4PCGDbkeugVpZFoGk7OBcVEKxfbW7xffGma5jetw29xPhx5oRwGUwj1z1M3brXjakGeXIZsAKD+KgvHtBg8K9HI8efpREGUxOBpFOHpJnGxZItl4MUWIJqcJxJU3dumP6BdMjBA8lt4KQo4ywkTtlhV3+r982eOXblrMa1f8ALpReyskcHpztKD2ohF\/feQuWQB4jtBzD67H5OLxzDeEYL1tiUdtDuyDPnTyMJkkWEeJZ5nxZxuZeqG4UDQ4PkuJR3XPdlI10GKGi0NyA\/vGTDzaiOArKSTA+CSRdUqeya+X1U\/kPDG\/mEg+HUotMVuqv6kBrJQKamOZhwa3vFmo9ik+3Knx5flbMmUu8nSu1M3lILai4i04cVYwEBgg3cJ+56JjFX2ShwLLNlGy7IxqHUNhRDWNv3LAh1ZwxV\/quhtGQWi8RPkxrI3T27baVmrhMJdESqUMdYVmdBMVcyIQx62o4p\/wGLKNTuFEnVNkYv79LjoNPjwTPeek1MmVa5aU7XYyHYYBcb9YB7emB2albN8\/F4ordcwTynzjlsz\/eDJp66tQqorOaOWl2yXPGKbs1qPrt5YJ7stE226dxYc18\/hjzPbYOWcSxB+qdV2d8KIKkvULQd\/niSLwpSS2G6X7oD3NK2lwj4FmSs+0u17+f03R\/1rhwIYNHFzsgLSxFaW32GVsteBbkYqC8JhZf4KPGiy\/07NmS36m2uSk0TLlcAFecFlxnevaI5ySftMkW3IYyjZrGGrvf7NVckCbHdPQc2hJgsri0lHsnGvIIN3CfueiYxtdB1AE8tjiBHLNIMar01otnq1EJey2lnU9lG5TMQfjDTTP0poAACv5URheCIf7vTLG8bF+muzXspGhGDULJsWDUQKsM9K9HG7UQUtUZ\/Is53UXA7ubVcY8EDyW3gpCjjLCRO2WFXf6t4PYGP1qCmLnQLqUNsKKNrQjrqd90O6UkFeLWV5ZuAsfGTzcY8hFVaK2ljAK1eZH3vf\/XHbwYry3OrQhlOfPuLq4ajOrNCtogiz08H8vJOu3lgnuy0TbbpBPweqlMLC8WuxVu+ifjALUzoW64yL8qH0KbjLbGKhSo+WMdJDLYMlw2z6wyJFkXS8LJug2mlyo9UTbptp3XaJF\/whJZgoK40uR8nR\/lQDfVdxZk2IhenySnS+ONJxhOtEqeodMnMPW\/S0fShCvdHWg6xypKB6QuVWms3IWiaDVsPa5XzwV+PPcyVrIGSmwCQif6LXIUknN7gW7mUcyZMddvlXZSUX2hISgNduvxGYe90C6lDbCija0I66nfdDulJBXi1leWbgLHxk83GPIRVWitpYwCtXmR973\/1x28GK8tzq0IZTnz7i6uGozqzQraIIs9PB\/LyTrt5YJ7stE226QT8HqpTCwvFrsVbvon4wC1M6FuuMi\/Kh9Cm4y2xioUqI9rcjfDo26SIDGPSCGSygBhKwnZvEhK7d8UpHMQBKgTwsm6DaaXKj1RNum2nddokX\/CElmCgrjRzz4AeV0k2xZEFpNkizqVR009tdF\/zYHMSp6h0ycw9b6vyO5aV9\/FbBZU5yUDTn\/u38qJH9utBQDS03+bDgYUO0CP0lMESShiDuOU7ViegAIPpm2FUf8w2Idgbr\/YzRJ+6VZK3JfV+Q3QLqUNsKKNrQjrqd90O6UkFeLWV5ZuAsfGTzcY8hFVaK2ljAK1eZH3vf\/XHbwYry3OrQhlOfPuLq4ajOrNCtogiz08H8vJOu3lgnuy0TbbpBPweqlMLC8WuxVu+ifjALUzoW64yL8qH0KbjLbGKhSouTyx1n\/u+2P9nOoCDNg3NGUDdb\/wzqMzWtfWfzXsz99rxOvJrps67cOgazvr68lqyCBhvp1sn2QXwNnfm1PnupgWc7d+QIkCF0ljZMRy5MZznQ0TOApFXCoOGRol\/N4gMtY\/WbIZnG7fyokf260FANLTf5sOBhQ7QI\/SUwRJKGIO45TtWJ6AADvVI\/Yy22dJyvQHoogjli6SCEHX5Fw7EZLTKHQ8RPlTO7o29K7XhZ\/i50j4JSN1a7gYwwlb4b5FU1WWApQk\/D3gieYPnn5Ycq4ajOrNCtojrUh1n6RMN4Hlgnuy0Tbbpw\/1N1zGdbghtg5ZxLEH6p9exs44a11aB+EoHHWZJtyUh\/Tio7tEWT7S5d09LiD1n4OfgoYSFix3tQi9F5P95uEu30qvf4Fl8sYau9\/s1VyT2FgPPpUmRu8F0EtbGytiPhjjbwIN+y2zZ\/dwcDa1QjH\/zd9g0\/xIFvAB9gM10ec0u+iVj9QGsI7IHuprqGC130GDwr0cjx5+lEQZTE4GkU4ekmcbFki2XgxRYgmpwnEmjYbAyDbp1Z8EDyW3gpCjjLCRO2WFXf6sh\/S1pNPKDQ7V\/wAulF7KyRwenO0oPaiEX995C5ZAHiO0HMPrsfk4vHMN4RgvW2JR20O7IM+dPIwmSRYR4lnmfFnG5l6obhQNDg+S4lHdc92UjXQYoaLQ3ID+8ZMPNqI4CspJMD4JJF1Sp7Jr5fVT+Q8Mb+YSD4dT7X2bawU\/aqWAAg\/Pfbqw+MWTJrNG06WKfHl+VsyZS7ydK7UzeUgtqLK4tJR7JxryCDdwn7nomMQ7BLUzTiMHLzMOwUJA2RcKiiyU2u\/k\/rfIc1NLWM924TXcfK\/r+NznWJ7o0\/q3PICF8LAxXtrvrB8lG+vExNtg0JhxJ1KRjuNI6w+Nu3WZkfnJLpAbMtQTb5V2UlF9oSLTcwtWQVLhctX\/AC6UXsrJHB6c7Sg9qIRf33kLlkAeI7Qcw+ux+Ti8cw3hGC9bYlHbQ7sgz508jCZJFhHiWeZ8WcbmXqhuFA0OD5LiUd1z3ZSNdBihotDcgP7xkw82ojgKykkwPgkkXVKnsmvl9VP5Dwxv5hIPh1Kl3VoxLvFcmllycdIcfLe6Z0bej3fEBuEbKccxqrVdenx5flbMmUu8nSu1M3lILaiyuLSUeyca8gg3cJ+56JjHGg9QcyPWGlNu6vI3\/AHQBwSKTpqOxbgUdW1cNlg2ikUo7fSmGAhc5tVOLkIG+SmOfcGri0nqrD7aNfKMCAAvdOsVWLEjsMBL4JY6p10tzUXZGmG2NGVjJqzT3phylgJhn7YeVpR90Cw57xYMvb3yZ4WFaSzh57z46gbTyeI3Q42PzhSUx0tcVWbGMkphTymO0Hf54ki8KUidByzeR0f+BSn+sZ869n7SrhqM6s0K2iDsvdgqvCgTy5bb7FsJM\/LcaDK5eSjM5vxFcqcumvZVwfYsoWkBJt8QeKmrWZi4cFshoCFQ6o8nmEmUEDd7up0aFnR\/E4s47uLx26HWkqKinbnKOPa6RvlZ1HL4uijBrjtZfFCC993SlmlB+3XUabi1cL9EhYrpHlscEBG8XtuGZis2aX4faEa8hfCwMV7a76wfJRvrxMTbYNCYcSdSkY7ibkNHe0jcS4XK9AeiiCOWLpIIQdfkXDsSaoc41lO7o36K3XME8p845bM\/3gyaeurVcd\/Q1ycLRlYOljvR2j7ZVeWCe7LRNtuncWHNfP4Y8z22DlnEsQfqnVdnfCiCpL1C0Hf54ki8KUkthul+6A9zStpcI+BZkrPtLte\/n9N0f9a4cCGDRxc7IC0sRWlt9hlZlHIxfIn4jKs18rdIc5srK4Qofn1SApi\/yXVmDj6zh3axa2WDsNP787xw7KzfgdG0UHxXrxUr\/fJFXmar4cjbrtS3PXEPfH14G4frJrkPdzQBAGrhe\/EOm4nAUQjqNNPa38qJH9utBQDS03+bDgYUO0CP0lMESShiDuOU7ViegANk4QS+oIlqMIdgbr\/YzRJ\/NZFzgAvL7OigF0Cc+FBWRYU451Zm7rKv5A5k8hALSEuCopH4EpxQnOcucj9o5IM73r3hjvaTvdvspx0GoS2TB7bjIk9xxfavdKQxNFMMoXwmSRYR4lnmf4IVhqnqFa66phSZKEVTfqXrps\/deo7ZObcKQybB9rPaT2Yly8GfFsHi6IlZpMTt7XlPvScvWjvlrbjri8aVfGnRXAWFmXHj6jRFh95Ukm\/jfMUiNcHLW0+w0QRcbp1KIjbGLSLPlu2Kk9EEeWKGPVchg2ZZLAKHZSjt9KYYCFzm1U4uQgb5KY59wauLSeqsPto18owIAC90uaaDARLXXV\/S9ba4MU2\/GdkaYbY0ZWMkIMzkv3HAdFbV\/wAulF7KyRwenO0oPaiEX995C5ZAHiO0HMPrsfk4vHMN4RgvW2JR20O7IM+dPIwmSRYR4lnmfFnG5l6obhQNDg+S4lHdc92UjXQYoaLQ3ID+8ZMPNqI4CspJMD4JJF1Sp7Jr5fVT+Q8Mb+YSD4dSNARwAScSIqta19Z\/NezP32vE68mumzrtw6BrO+vryWrIIGG+nWyfZM9vrwMPNHIcNBWrEUMME772gQolLXS86ipweqIeQLDNgWDV6vPcTH5URheCIf7vTLG8bF+muzXspGhGDULJsWDUQKsM9K9HG7UQUtUZ\/Is53UXA7ubVcY8EDyW3gpCjjLCRO2WFXf6t4PYGP1qCmLnQLqUNsKKNrQjrqd90O6UkFeLWV5ZuAsfGTzcY8hFVaK2ljAK1eZH3vf\/XHbwYry3OrQhlOfPuLq4ajOrNCtogiz08H8vJOu3lgnuy0TbbpBPweqlMLC8WuxVu+ifjALUzoW64yL8qH0KbjLbGKhSpehmDUxvfuZgvVBRvo3mpTEmUEDd7up0aFnR\/E4s47uLx26HWkqKinsa+tOStfQ8Q=","check_update_key":"8e6c02a7fdf1a80b4b7d2f6ea3bfc754"}}

 

相較老版本,之前的mehon = Wifi.password 轉變成methon = Wifi.scan,代碼定位到這個地方,是參與字符拼接的形式的:

查看交叉調用,定位到:

再查看誰調用了這個地方,找到了獲取密碼的方法:

 

構造POST包中params_i明文數據爲:(mac地址,此值可固定)

{"c_mac":"60:21:C0:FA:30:27"}

 

params明文數據爲:(包含有要查詢的ssid與bssid)

params = """[{"wps":"0","alt":"0.0","ssid":"linweifang","signal":100,"lng":"118.79316711","mac":"24:69:68:FA:D8:12","lat":"32.00914764","enc_type":2},{"wps":"0","alt":"0.0","ssid":"WiFi-33","signal":100,"lng":"118.79316711","mac":"3c:46:d8:cb:6c:c9","lat":"32.00914764","enc_type":2},{"wps":"1","alt":"0.0","ssid":"TTL_TL","signal":100,"lng":"118.79316711","mac":"f4:28:53:27:06:4c","lat":"32.00914764","enc_type":2},{"wps":"0","alt":"0.0","ssid":"HUAWEI-MT65Q6","signal":100,"lng":"118.79316711","mac":"94:77:2b:20:dd:b4","lat":"32.00914764","enc_type":2},{"wps":"1","alt":"0.0","ssid":"NULL","signal":100,"lng":"118.79316711","mac":"f0:b4:29:15:a3:04","lat":"32.00914764","enc_type":2},{"wps":"1","alt":"0.0","ssid":"NNZZFF","signal":64,"lng":"118.79316711","mac":"40:16:9f:ae:8b:8a","lat":"32.00914764","enc_type":2},{"wps":"0","alt":"0.0","ssid":"test_csr","signal":100,"lng":"118.79316711","mac":"c8:3a:35:c8:02:ef","lat":"32.00914764","enc_type":2},{"wps":"0","alt":"0.0","ssid":"TP-NZF","signal":75,"lng":"118.79316711","mac":"80:89:17:cb:67:40","lat":"32.00914764","enc_type":2},{"wps":"0","alt":"0.0","ssid":"TL-Aurora_1","signal":68,"lng":"118.79316711","mac":"02:1a:11:f7:04:f8","lat":"32.00914764","enc_type":2},{"wps":"0","alt":"0.0","ssid":"TP-WIFI-24","signal":88,"lng":"118.79316711","mac":"82:89:17:04:ce:eb","lat":"32.00914764","enc_type":2},{"wps":"0","alt":"0.0","ssid":"TP-WIFI-50","signal":62,"lng":"118.79316711","mac":"82:89:17:06:ce:eb","lat":"32.00914764","enc_type":2},{"wps":"1","alt":"0.0","ssid":"BC","signal":28,"lng":"118.79316711","mac":"ec:88:8f:4d:a0:62","lat":"32.00914764","enc_type":2},{"wps":"1","alt":"0.0","ssid":"TTL_TL_5G","signal":71,"lng":"118.79316711","mac":"f4:28:53:27:06:48","lat":"32.00914764","enc_type":2},{"wps":"1","alt":"0.0","ssid":"TP-LINK_A21EDC","signal":62,"lng":"118.79316711","mac":"28:2c:b2:a2:1e:dc","lat":"32.00914764","enc_type":2},{"wps":"0","alt":"0.0","ssid":"MZ","signal":35,"lng":"118.79316711","mac":"80:89:17:cc:29:05","lat":"32.00914764","enc_type":2},{"wps":"0","alt":"0.0","ssid":"linweifang","signal":33,"lng":"118.79316711","mac":"24:69:68:fa:d8:12","lat":"32.00914764","enc_type":2},{"wps":"0","alt":"0.0","ssid":"360免費WiFi-A1","signal":31,"lng":"118.79316711","mac":"24:05:0f:4c:63:a1","lat":"32.00914764","enc_type":2},{"wps":"0","alt":"0.0","ssid":"你哪來的自信?","signal":28,"lng":"118.79316711","mac":"b0:d5:9d:4b:2b:9c","lat":"32.00914764","enc_type":2},{"wps":"0","alt":"0.0","ssid":"caomuren","signal":24,"lng":"118.79316711","mac":"b0:95:8e:c7:fc:e2","lat":"32.00914764","enc_type":2}]"""

 

 

獲取密鑰:

最後傳到libsecurity.so中的getkey()

由於ida動態調試卡死,我把dump下來的dex文件轉smali使用Android studio進行動態調試,可看到key的生成。

密鑰:f7ef96aecea7c4d1f9e502af(密鑰不唯一,不同的設備會生成不同的密鑰)

加密:加密方式:DESede/ECB/PKCS5Padding  加密後base64編碼並url編碼

結果爲:

params_i=VyXfJz2JQIOcYZ4iJ7w%2BA36quHq%2FC9Qcm%2BNLPpbkATE%3D&params=OUz7OJu3WKYUjBVZCLPxTSN4%2B1POx4R6AEAauF78Q6aBulZ7n%2FyZ5J0atYF%2FnG3pM1sl0al8ni6ZVrlpTtdjIdhgFxv1gHt65csPrrfzlyi11Acy0hLnFrkA5QkWGz79OogXFnx%2BxNqkPWDvMSYsQCu3elLivO4kXGQ3HNoJQml0Z%2FD85wHE9SLjucIFTnzSqlNHqCbh7QVpD6Yp3Ag1YxKnqHTJzD1vjnKITyVczIFobPZ%2BFV6%2ByWq%2B8rKv1AOXjp3pBq7nSk6p4yQJYNbJqrSZFrPc7XfKAmZCmc%2BEbg%2FGmfGktyOjKJd59MHE80MwgxRYgmpwnElLiVqwTluS0XFs5tL2hmPVrq0a9f9j0PPT5Q7kzOPxCCIMzCYmNNezueA7DIzPVJKc50NEzgKRV09Tz3MXABeES2FOO1jkQinnPx%2F5ogMww6SCEHX5Fw7EBsmhf3BeheHRYxhbJsZA8gwNW3e8YKK%2FRElIsZX%2B0GXqFtoPc9PjmZuQ0d7SNxLhXRlxxzWnA%2FCTLnlLwN1DVLAb2VOtA61kUnrTt8%2FgTgzYThvShr13Zrdy2YYqpqs53uvwb0aaJlfFAUftefhMxawOt%2BxU6XqPdGe%2BdsC9A7wh2Buv9jNEn7y%2BcCIRIJISZA7IH0eIB3QggNLNXbdFI0c3p8KBhU%2Fcs%2Fd0xHDCDfK2jXyjAgAL3bEgOEZLvkStrahgUuE2wZp54BddJNnQ%2BCGVB%2FPiVGMAbn7p%2BdzqoVEjePtTzseEegBAGrhe%2FEOmLAtTtqc8FZIVElaLQAs28mPximdSivS8dkaYbY0ZWMkABPjRoOccBXUDGD1xsR0D1erGyg4FDIzEbX9KsI7htTUQKsM9K9HG7UQUtUZ%2FIs6TYiSvu5x%2FPnMR12wVWWNTeghMvBy%2B7LEwDgH5aIGNyWkIlgX7dYhpWAn9qYPyqlLW85O6cZNbIilmnunb3m8Q6DrG8LQ637KOnekGrudKTqnjJAlg1smqtJkWs9ztd8qYEKRkq9ST1I7PZ94TvlTfPlwjvWA2bASDFFiCanCcSUuJWrBOW5LRcWzm0vaGY9WurRr1%2F2PQ89PlDuTM4%2FEI21vT5yL%2B7a254DsMjM9UkoqcHqiHkCwzdkTLQDtwAjlCWO30hNhaS66nUjeD37iwI%2F%2F5lJJVhNeDSyBPDp7rdkugyjM3D1QePEKofBDIXhkQ0s4bHOKpkFxo%2FgERPaha1TZGL%2B%2FS46Cdjge6TRHUClx1Mq4OCGVOVvUiU1SwQqW2ccdbFoUWCzH2yuabctcmtKzORfwqxWbduteNqQZ5cuuPPuG8sIpIndvNNwEaPKLniZ7pNNzRNSwkTtlhV3%2BrhRLmmCOrRMQuB3rw7hSMg4Wu1TvJHBvxt95nuw1nfhnMlayBkpsAkJWfsrzEiodsT9dkL6AQKfVVjMfAosLfnjNDsa6u4LRAoOyWdhk56LJQleKTTAPZDrwAfYDNdHnNbtZqWVIr5VW4cgh4aDWYx0thTjtY5EIp4CN08dY976l2RphtjRlYyQAE%2BNGg5xwFvxqJpUWONcozXXwbLo2pQxi7oqitXJa4NRAqwz0r0cbtRBS1Rn8izpNiJK%2B7nH8%2BcxHXbBVZY1N6CEy8HL7ssavZQuQSZWVjaQiWBft1iGlYCf2pg%2FKqUtpZKUgcJreNii1%2BxxffLdNLYU47WORCKYeGU9J6L6AFdkaYbY0ZWMkABPjRoOccBYY428CDfsts2f3cHA2tUIyRk8uVEI1DdzUQKsM9K9HG7UQUtUZ%2FIs6TYiSvu5x%2FPnMR12wVWWNTeghMvBy%2B7LGr2ULkEmVlY2kIlgX7dYhpWAn9qYPyqlLaWSlIHCa3jQVJn82x2t2SS2FOO1jkQinJo5FrkM8F5nZGmG2NGVjJAAT40aDnHAWGONvAg37LbNn93BwNrVCMf%2FN32DT%2FEgU1ECrDPSvRxu1EFLVGfyLOk2Ikr7ucfz5zEddsFVljU3oITLwcvuyxMA4B%2BWiBjclpCJYF%2B3WIaVgJ%2FamD8qpSHVtXDZYNopFLYU47WORCKaGufNMq7CU%2FdkaYbY0ZWMkABPjRoOccBZGZSwJLE6FOpV%2F4WFoOyMsacuEanVW7SzUQKsM9K9HG7UQUtUZ%2FIs6TYiSvu5x%2FPnMR12wVWWNTeghMvBy%2B7LEwDgH5aIGNyWkIlgX7dYhpWAn9qYPyqlLNLhbFPWLsVv7cJkt%2FgyiJndvNNwEaPKIqoWk72XZ%2ByywkTtlhV3%2BrhRLmmCOrRMRzz4AeV0k2xZEFpNkizqVR009tdF%2FzYHPMlayBkpsAkJWfsrzEiodsT9dkL6AQKfVVjMfAosLfnjNDsa6u4LRAi9dViijUZuJQleKTTAPZDrwAfYDNdHnNQDVMlORazUp0DvNBRILhe2hs9n4VXr7Je8WDTToztXUj%2F%2FmUklWE14NLIE8Onut2S6DKMzcPVB6sS6F%2FQxO7Sykqk%2FgsK0VxWPcwmQCHoKfVNkYv79LjoJ2OB7pNEdQKXHUyrg4IZU5W9SJTVLBCpbZxx1sWhRYLMfbK5pty1ya0rM5F%2FCrFZpfa00O30kifaGz2fhVevsnYz1xReoP0kSP%2F%2BZSSVYTXg0sgTw6e63ZLoMozNw9UHgS6FblajYb2rDdH%2Bnw4LMuQtoPMh5cw2dU2Ri%2Fv0uOgnY4Huk0R1ApcdTKuDghlTlb1IlNUsEKltnHHWxaFFgsx9srmm3LXJrSszkX8KsVmWsYydVTufO226wMid03WEWhs9n4VXr7JxXFy4TbAeoYj%2F%2FmUklWE14NLIE8Onut2S6DKMzcPVB6%2FaOpy8MUTTsW2TCm9o48FbH4Dj5p%2BwVbVNkYv79LjoJ2OB7pNEdQKXHUyrg4IZU5W9SJTVLBCpbZxx1sWhRYLMfbK5pty1ya0rM5F%2FCrFZjlAgMUUOwY9M2wefgPuKnuGcbY1zz4kkm9Xz%2Fs5lCMbS6wUhhNM37mkghB1%2BRcOxAbJoX9wXoXh0WMYWybGQPLN7J1TJ4PxmphQGM04eW%2FRY0nLN1W%2FUuSbkNHe0jcS4V0Zccc1pwPwky55S8DdQ1SwG9lTrQOtZFJ607fP4E4M2E4b0oa9d2a3ctmGKqarOfGKozqg7l9HlZCwjap9QW8zBrauadkrHF0lvBCy6K3yVe2xGCsR6X%2BOnekGrudKTqnjJAlg1smqtJkWs9ztd8r7OindcecDrg7XlQMSOKnnOHKm%2FVwWHEWDFFiCanCcSUuJWrBOW5LRcWzm0vaGY9WurRr1%2F2PQ89PlDuTM4%2FEI21vT5yL%2B7a254DsMjM9UkmWzIWHW3cGCEXKLrxTlVmRCWO30hNhaS9WSWbb6rLXj2%2BVdlJRfaEhLCqQL9zbmsrWrZS1rBZ96Rmg6DYrsF9rLykD8Hah2tTghFNl2zq20g7jlO1YnoADr5SlnhpBS5e3QAYKqO47Adt%2FI7Wgge3U%3D

以python編寫爲例,將編碼後的params_i和params傳給requests.post()的data參數。

 

接下來是URL的構造:

API_URL:"http://api.free.wifi.360.cn/intf.php"

AsyncApiHelper.METHOD_WIFI_PWD:“Wifi.scan”

((List)v3):剛剛構造的一部分url:"check_update_key"="","full"=1

((List)v4): 構造的data參數

接下來:

黑線中比較 傳進來的“Wifi.scan”是否等於“Kmc.geturl”,不相等執行紅框中的內容

 

這裏不相等,於是執行紅框中getSignUrl方法,此方法就是真正開始構造url及getsign(sign值是用來校驗的,服務器端也會對你構造的url進行運算,得出sign值,與你傳過去的sign值進行比較,不相同就會返回“簽名錯誤”)

v6即爲構造好的url

構造url:

1st_ch=100000&auth_name=android_sdk&channel=100000&check_update_key=&devtype=android&full=1&inviter_qid=0&l_ver=-1&l_ver_t=1500444674114&lld=L9vnVT7ql4XtRBS1Rn8izjS5pfd0PeShtmdijNF0O77b5V2UlF9oSOojIBLfo4uiLCfddZig0IMJVA2vKT4y5F3pp6Cm0PVlZdmUBqFrFwOChai3TP5OzqMzmkVLsoxc12HkrvymUrlcOgERbR16ng%3D%3D&m2=a7c73fd3c903520e9e3676c382fca29f&manufacturer=samsung&method=Wifi.scan&model=SCH-I939D&nance=1500629489610&nettype=WIFI&os=4.3&qid=0&tp=1&v=398&sign=

附代碼:

Python2.7

#!/usr/bin/env python
# -*- coding: utf-8 -*-
import sys
import urllib
import urllib2
import json
import hashlib
from Crypto.Cipher import DES3
from Crypto import Random
import collections
import time
import base64
from pyDes import *
import requests

reload(sys)
sys.setdefaultencoding('utf8')

des_key = 'f7ef96aecea7c4d1f9e502af'
NumberKey = '7c9ae72287dee5ba59207a319bf60403'


def main():
    params_i = """{"c_mac":"60:21:C0:FA:30:27"}"""  #固定值
    params_i = encode(params_i)
    params = """[{"wps":"0","alt":"0.0","ssid":"360WiFi-1DCDE9","signal":100,"lng":"118.79316711","mac":"a4:56:02:1d:cd:e9","lat":"32.00914764","enc_type":2},{"wps":"0","alt":"0.0","ssid":"WiFi-33","signal":100,"lng":"118.79316711","mac":"3c:46:d8:cb:6c:c9","lat":"32.00914764","enc_type":2}]"""
    params = encode(params) #params傳入需要查詢的ssid和bssid
    values = {'params_i':params_i,'params':params}
    data = urllib.urlencode(values)
    url = geturl()
    print url
    send_headers = {
        "User-Agent": "360freewifi",
        "Content-Type":"application/x-www-form-urlencoded; charset=UTF-8",
    }
    r = requests.post(url, headers = send_headers,data = data)
    print r.content
    result = json.loads(r.content.decode('utf-8'))
    if len(result['data']) == 0:
        print "Not Found"
        sys.exit()
    pwd_info = result['data']['list']
    pwd_info = decode(pwd_info)
    pwd_info = json.loads(pwd_info)
    for tip in pwd_info:
        if len(tip["pwd"]) > 1:
            print tip["ssid"] + ' ==> '+ tip["pwd"]


def encode(data):   #加密 加密方式:DESede/ECB/PKCS5Padding  加密後base64編碼
    k = triple_des(des_key, ECB, None, pad=None, padmode=PAD_PKCS5)
    encode_data = k.encrypt(data)
    encode_data = base64.encodestring(encode_data)
    return formatbase64(encode_data)

def decode(data):   #解密 先base64解碼  再DESede/ECB/PKCS5Padding解密
    data = formatbase64(data)
    data = base64.decodestring(data)
    k = triple_des(des_key, ECB, None, pad=None, padmode=PAD_PKCS5)
    decode_data = k.decrypt(data)
    print decode_data
    return decode_data

def formatbase64(data):
    format_data = ''
    for i in data:
        if i == '\r' or i == '\n':
            pass
        else:
            format_data += i
    return format_data

def geturl():
    st= collections.OrderedDict()     #值除時間外全部固定
    st['1st_ch'] = '100000'
    st['auth_name'] = 'android_sdk'
    st['channel'] = '100000'
    st['check_update_key'] = ''
    st['devtype'] = 'android'
    st['full'] = "1"
    st['inviter_qid'] = '0'
    st['l_ver'] = "-1"
    st['l_ver_t'] = "1500444674114"
    st['lld'] = "L9vnVT7ql4XtRBS1Rn8izjS5pfd0PeShtmdijNF0O77b5V2UlF9oSOojIBLfo4uiLCfddZig0IMJVA2vKT4y5F3pp6Cm0PVlZdmUBqFrFwOChai3TP5OzqMzmkVLsoxc12HkrvymUrlcOgERbR16ng=="
    st['m2'] = 'a7c73fd3c903520e9e3676c382fca29f'
    st['manufacturer'] = 'samsung'
    st['method'] = 'Wifi.scan'
    st['model'] = 'SCH-I939D'
    st['nance'] = str(int(time.time() * 1000))
    st['nettype'] = 'WIFI'
    st['os'] = '4.3'
    st['qid'] = "0"
    st['tp'] = '1'
    st['v'] = '398'
    st['sign'] = makeSign(st,NumberKey)   #把前面構造好的數據加NumberKey進行處理,得到sign
    url = "http://api.free.wifi.360.cn/intf.php?"
    surl = urllib.urlencode(st)
    url = url + surl
    return url


def makeSign(st,NumberKey):
    pairToString= urllib.urlencode(st)
    deal_sign = sign_encode(pairToString) #替換指定位數的字符
    deal_sign = deal_sign + NumberKey  #替換後的內容+NumberKey取MD5
    sign = getMd5(deal_sign)
    return sign

def sign_encode(data):  #對構造好的數據,將第1、3、5、7、9、11 。。。字符分別用A和M替換
    encode_data = ''
    count = 0
    for i in range(0,len(data)):
        if i % 2 == 0:
            if  count % 2 ==0:
                encode_data += 'A'
            else:
                encode_data += 'M'
            count += 1
        else:
            encode_data += data[i]
    return encode_data


def getMd5(str):
    md5 = hashlib.md5()
    md5.update(str)
    return md5.hexdigest()


if __name__ == "__main__":
    main()

 

發表評論
所有評論
還沒有人評論,想成為第一個評論的人麼? 請在上方評論欄輸入並且點擊發布.
相關文章

安卓逆向:ctf題,通過加密後的文件獲取加密前apk

題目下載: 鏈接: https://pan.baidu.com/s/1r-b0I6AitIghl8yjkyHuEA 提取碼: wjf8 Jeb打開apk   重要的是紅框的代碼 程序運行後會判斷存儲根目錄下是否有"BaoZang.apk

怪兽有魔法 2020-07-08 07:33:08

ida調試so

在IDA的主目錄 dbgsrv 目錄下 ,找到 android_server,拷貝到手機的 data/local/tmp/ 目錄下 adb push (android_server的目錄) /data/local/tmp adb shel

怪兽有魔法 2020-07-08 07:33:08

androidkiller插log

Androidkiller打開apk 工程管理器中MainActivity.smali雙擊: 找到要插入log的地方: 先看反編譯代碼,我們要打印v5的值,即flag 在androidkiller中查找對應源代碼要修改的位置 先找到對

怪兽有魔法 2020-07-08 07:33:07

Springboot之Mybatis-Plus逆向配置

Springboot之Mybatis-Plus逆向配置 一、依賴 <!-- mybatis-plus orm --> <dependency> <groupId>com.baomidou</groupId> <ar

易水墨龙吟 2020-07-08 06:13:17

逆向入門筆記之分析TraceMe.exe

TraceMe.exe是一個示例程序,用於逆向的學習,簡單地模擬了註冊機制。 我們把它拖進IDA中無腦F5一波: 雙擊DialogFunc進入這個函數: BOOL __stdcall DialogFunc(HWND hWnd, UIN

KogRow 2020-07-07 15:59:23

iOS APP逆向砸殼後重簽名防護

iOS APP逆向砸殼後重簽名防護 調研了微博、今日頭條、CSDN、抖音四個APP,砸殼都沒問題,重簽名後是否能安裝? 微博 版本:10.3.2 能否安裝:能 能否正常打開:能 今日頭條 版本:7.6.5 能否安裝:能 能否正常打

泉_哥 2020-07-07 04:38:28

抖音10.4.0版本登錄界面UI佈局賞析

泉_哥 2020-07-07 04:38:18

解決iOS版抖音破解重簽名後無法安裝

解決iOS版抖音破解重簽名後無法安裝 回顧 上篇文章講到 抖音9.8.1無法安裝報錯 DuplicateIdentifier 這個裏更正下:版本爲10.4.0 錯誤詳細信息怎麼查看 這裏可以通過移動設備iPhone或iPad的日

泉_哥 2020-07-07 04:38:18

arm32 stack check

arm64 反彙編分析分析了armv8的stack check原理, 這裏分析下arm32的原理 基本流程和arm64一致,我們看下arm32如何保存canary值,  __set_tls ENTRY(__set_tls) m

TangGeeA 2020-07-06 20:02:06

ida使用技巧

注意一定要選對調試器版本,比如armeabi-v7a 和armeabi都是32位的庫,如果使用64位調試器,下斷點的時候調試器就會報告內存錯誤 Error: Oops! internal error 30066 occured.

TangGeeA 2020-07-06 20:02:05

x86彙編語言筆記(全)(長文警告)

x86彙編語言 最近系統的學了下彙編語言,下面是學習筆記,用的書是清華大學出版社出版的彙編語言第三版,作者王爽(最經典的那版)。 文章目錄x86彙編語言基礎知識**彙編語言指令組成****CPU與外部器件交互需要****總線***

breezeO_o 2020-07-06 15:35:52

CAD導出插件逆向分析

因爲有需要,所以對一款CAD導出插件進行逆向分析。該插件主要作用是把AutoCAD模型對象導出爲obj模型,插件名:OBJ Exporter for Autodesk® AutoCAD®,下稱OBJ Exporter。 OBJ Expor

AfricChang 2020-07-05 12:20:53

編譯APK文件時出現libpng error: Not a PNG file

記錄反編譯遇到的一個小問題. 產生環境:反編譯APK更換資源圖片時. 報錯信息如下: >I: Building resources... >W: libpng error: Not a PNG file >W: ERROR: Failu

Andrio 2020-07-05 04:07:56

AndroidKiller回編譯報錯No resource found that matches the given name 'xxxxxxxx'.

/home//Apktooldir/res/values/styles.xml:293: error: Error retrieving parent for item: No resource found that matches t

Andrio 2020-07-05 04:07:56

第一次攻防世界逆向小記錄(純re小白)

insanity 拖進IDA 直接F5查看見源代碼 shift+F12查看main函數的字符串得到flag python-trade 一道python逆向題 我們下載附件得到pyc文件 (pyc文件就是 py程序編譯後得到的字節

HyyMbb 2020-07-05 01:29:41