一个搜书的软件,图片还挺高清的,有多个版本。其中包含 Flutter 开发的版本,且只有 32 位的 so 文件;也有早期的 Flutter 版本包含 arm64-v8a,但 Flutter 版本是 2.14,用 blutter 解析不了这么早的版本。不过转机又来了:拿一台 root 的机子抓包,我们其实只要图片下载链接。抓到的数据有加密,没想到的是,虽然有 so,所有的逻辑却都在 Java 中,用 frida hook,RC4 解密。写个脚本,易得:
import json
import base64
# Static RC4 key used for every field this script decrypts (presumably the
# value recovered from the app, per the write-up above -- confirm).
# rc4_algorithm() passes the UTF-8 bytes of this 128-character string to the
# cipher as-is; the hex digits are NOT decoded to 64 raw bytes.
# NOTE(review): a symmetric key embedded in a client is shared by every install
# and is obfuscation only; access control on the links has to live server-side.
key='963ac4d1931cbd65a058145ede2e443c6a59ac4591ec29c27a41545f602da5f93e61372b6840e4120825cb5e786f37ef31cd22941af1d9898bc5ba70303e71f8'
from Crypto.Cipher import ARC4 as rc4cipher
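def rc4_algorithm(encrypt_or_decrypt, data, key1):
    """RC4-encrypt or RC4-decrypt text, with Base64 as the ciphertext encoding.

    Args:
        encrypt_or_decrypt: Either "encrypt" or "decrypt".
        data: Plaintext ``str`` when encrypting; Base64 ciphertext when
            decrypting.
        key1: Key as text. Its UTF-8 bytes are used directly as the RC4 key,
            so a hex-looking string is not hex-decoded first.

    Returns:
        Base64 text for "encrypt"; the plaintext decoded as UTF-8 for
        "decrypt".

    Raises:
        ValueError: If the mode is neither "encrypt" nor "decrypt". The
            previous version fell through and returned ``None`` silently,
            which hid a mistyped mode until the result was used.
        UnicodeDecodeError: If the decrypted bytes are not valid UTF-8.
    """
    # Validate the mode first so a typo fails loudly before any crypto work.
    if encrypt_or_decrypt not in ("encrypt", "decrypt"):
        raise ValueError(
            "encrypt_or_decrypt must be 'encrypt' or 'decrypt', got %r"
            % (encrypt_or_decrypt,)
        )

    # NOTE(security): RC4 is a broken stream cipher (biased keystream) and
    # carries no integrity check, so tampered ciphertext decrypts without any
    # error. Keep it only for interoperability with an existing format.
    cipher = rc4cipher.new(key1.encode('utf-8'))

    if encrypt_or_decrypt == "encrypt":
        sealed = cipher.encrypt(data.encode('utf-8'))
        return base64.b64encode(sealed).decode('utf8')

    opened = cipher.decrypt(base64.b64decode(data))
    return opened.decode('utf8')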
# rc4_algorithm('decrypt', 'VDyAGqfU78Qa6tb5z5A1zsaWRwpmSSXjSMh4y0EA5dx1gT7QxBpQzTWoE3Co3WCpWta517pIF48jkloERSwwBRTYDFt4fataFjKQyBYgsgizTIRbgCC/', key)
# Parse the saved JSON document (per the write-up, the captured response);
# the file handle is released as soon as parsing finishes.
with open("token.txt", 'r', encoding='utf-8') as token_file:
    payload = json.load(token_file)

# Each chapter has an encrypted title and a list of answers; the 'origin'
# field of an answer decrypts to the link that gets printed.
for chapter in payload['chapterList']:
    heading = rc4_algorithm('decrypt', chapter['chapterTitle'], key)
    print("### " + heading)
    for answer in chapter['answers']:
        # The decrypted text comes from a remote response and RC4 gives no
        # integrity guarantee: validate scheme and host before fetching it.
        link = rc4_algorithm('decrypt', answer['origin'], key)
        print(link)