反编下某疫苗接种app

前言

今天带小孩去打疫苗,发现之前的社区医院改成app预约了,下载app用了一下,真是无力吐槽,除了注册功能是好的。其他功能一点开全在转圏加载,预约教程页面还报了个sql语句错误.报着学习的态度想看看大佬们写的代码.

工具准备

撸起袖子

packet capture抓了几个包看了下api。

基础api地址: http://api.new.umiaohealth.com

  • 登录 /account/login
  • 找可预约记录 /vaccine/getreservationreservedlist
  • 接种信息 /vaccine/getvaccinemain

模拟登录时有个token字段猜解死活不通过,看来只能反编译下app看下加密代码了.
用gda查了下壳,发现是360加固的.

用gda自带的进程dump连接模拟器老是进程无响应,无果。

祭出这个xposed脱壳模块FDex2(要先安装VirtuanXposed或者xposed).

用mt文件管理器把dump出的dex移动到夜神模拟器和pc的共享目录.
dex
这里有多上dex,可以用gda打开看下主代码在哪个dex里.然后用dex2jar转换一下把dex转成jar

然后用jd-gui打开jar反编一下.class文件就行了。

最后找到了加密token的关键代码
HttpClientUtil.java

public void httpPost(Context paramContext, String paramString, AjaxParams paramAjaxParams, BaseParser<?> paramBaseParser, IDataCallback paramIDataCallback)
{
FinalHttp localFinalHttp = new FinalHttp();
localFinalHttp.configTimeout(30000);
paramAjaxParams.put("token", Base64Utils.getSecretToken(paramContext));
Header[] arrayOfHeader = Base64Utils.getHttpHeader(paramContext);
String str1 = ((ParentInfo)ParentInfo.findFirst(ParentInfo.class)).getPid();
String str2 = str1;
if (TextUtils.isEmpty(str1)) {
str2 = "0";
}
paramAjaxParams.put("pid", str2);
paramAjaxParams.put("VersionChecked", CommonUtil.getAppCurrentVersion(paramContext));
paramAjaxParams.put("devicetype", "android");
localFinalHttp.post(paramString, arrayOfHeader, paramAjaxParams, "application/x-www-form-urlencoded", new HttpClientUtil.3(this, paramIDataCallback, paramString, paramAjaxParams, paramBaseParser, paramContext));
}

Base64Utils.java

public static String getSecretToken(Context paramContext)
{
paramContext = (ParentInfo)ParentInfo.findFirst(ParentInfo.class);
String str = paramContext.getToken();
Object localObject = paramContext.getPid();
paramContext = (Context)localObject;
if (TextUtils.isEmpty((CharSequence)localObject)) {
paramContext = "0";
}
tktimes = System.currentTimeMillis() + "";
int i = Integer.parseInt(tktimes.substring(12));
localObject = sortSeed[i];
sortIndex = String.valueOf(localObject[0]) + String.valueOf(localObject[1]) + String.valueOf(localObject[2]);
localObject = getSortData(localObject[0], str, paramContext, tktimes) + "," + getSortData(localObject[1], str, paramContext, tktimes) + "," + getSortData(localObject[2], str, paramContext, tktimes) + "," + sortIndex;
paramContext = null;
try
{
localObject = encrypt((String)localObject, "xxx加密");
paramContext = (Context)localObject;
}
catch (Exception localException)
{
for (;;)
{
localException.printStackTrace();
}
}
return paramContext;
}

好了,我去写个预约疫苗的脚本去了