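A certain Taojin (gold-panning) community app: the login uses MD5 hashing.
Parse the app with blutter, find the address of hash_update, put it into the frida script, and add one line below the existing console line: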
console.log('hexdump'+hexdump(args[0]))
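This prints four Uint32List values. They are not readable as they stand, but we also printed the hex dump.
After watching a few runs it is clear that something random is involved; after a few more, that the last digit of the timestamp is what controls it. Repeated testing yields every string that ever appears, and the script follows easily: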
import hashlib
import time

import requests


def get_data(p):
    # Strings observed for each last digit (0-9) of the timestamp
    A=['gcw7eeh5','eegc15nnccccoqh5r7','15gcnncc','h5ccccgc15nnee/i','15gcnnq4oq/ih5oqccccee','15cc/ir7oqnnq4oqh5','nncc/i','h515r7q4oqcc','oqoqnnr7q4/i','h5nn']
    B=['eeoqh5','','h5ccoqeer7','oqr7','r7','oqccgc','oqccgcoqh515r7oqq4','oqgcoqnn/i','h515oqcc','oq']
    C=['','','/iq4','q4','op','','','','gc','2115oqr7q4/ioqccgc']
    # 16-digit timestamp
    t=str(int(time.time()*1000000))
    k=int(t[-1])
    # B164D0C43EDB3BAD89D1A073EBE9691D
    # is a fixed value; it may change from one app version to the next
    # The following cases are special: the two positions have to be swapped
    if k==8 or k==5:
        message= 'action=sendcode&phone={}&verifytoken={}&verifycodes={}{}B164D0C43EDB3BAD89D1A073EBE9691D..{}W1W2W3W4W5W6W7W8W901020304050607..{}{}'.format(p,'{system::verifytoken}','{system::verifytoken}',A[k],B[k],C[k],t)
    else:
        message= 'action=sendcode&phone={}&verifytoken={}&verifycodes={}{}W1W2W3W4W5W6W7W8W901020304050607..{}B164D0C43EDB3BAD89D1A073EBE9691D..{}{}'.format(p,'{system::verifytoken}','{system::verifytoken}',A[k],B[k],C[k],t)
    # print(message)
    # The MD5 of the assembled string is sent as verifytoken, the timestamp as verifycodes
    return {'action':'sendcode','phone':p,'verifytoken':hashlib.md5(message.encode()).hexdigest(),'verifycodes':t}


data=get_data('19999994444')
resp=requests.get('http://bbs.taojingdaohang.cn/index.php',params=data)
print(resp.text)
In testing, the SMS is sent normally.
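
The comparison step described above (collect several hash inputs, see which parts vary, relate them to the last timestamp digit) can be done mechanically. The following is an added example, not code from the original post: it assumes the pre-hash strings have already been recovered as text, the sample captures are constructed, and the names split_capture, build_table and sample_capture are hypothetical.

```python
# Marker constants copied from the script on this page.
W_MARK = "W1W2W3W4W5W6W7W8W901020304050607.."
F_MARK = "B164D0C43EDB3BAD89D1A073EBE9691D.."
HEAD_END = "&verifytoken={system::verifytoken}&verifycodes={system::verifytoken}"


def split_capture(msg):
    """Split one captured pre-hash string into its variable parts."""
    start, ts = msg.find(HEAD_END), msg[-16:]
    if start < 0 or len(ts) != 16 or not ts.isdigit():
        raise ValueError("unexpected layout")
    body = msg[start + len(HEAD_END):-16]
    iw, ifx = body.find(W_MARK), body.find(F_MARK)
    if min(iw, ifx) < 0:
        raise ValueError("marker missing")
    # Whichever marker comes first tells us if this digit uses the swapped layout.
    first, second = (W_MARK, F_MARK) if iw < ifx else (F_MARK, W_MARK)
    a, rest = body.split(first, 1)
    b, c = rest.split(second, 1)
    return {"k": int(ts[-1]), "swapped": first == F_MARK, "A": a, "B": b, "C": c}


def build_table(captures):
    """Group captures by last timestamp digit; collect digits whose parts disagree."""
    table, conflicts = {}, set()
    for msg in captures:
        row = split_capture(msg)
        k = row.pop("k")
        if table.setdefault(k, row) != row:
            conflicts.add(k)
    return table, conflicts


def sample_capture(ts, a, b, c, swapped=False):
    """Build a constructed capture in the layout the script on this page uses."""
    m1, m2 = (F_MARK, W_MARK) if swapped else (W_MARK, F_MARK)
    return "action=sendcode&phone=19999994444" + HEAD_END + a + m1 + b + m2 + c + ts


# Constructed captures: timestamps are made up, parts are taken from the tables above.
SAMPLES = [
    sample_capture("1700000000000003", "h5ccccgc15nnee/i", "oqr7", "q4"),
    sample_capture("1700000000123453", "h5ccccgc15nnee/i", "oqr7", "q4"),
    sample_capture("1700000000000008", "oqoqnnr7q4/i", "h515oqcc", "gc", swapped=True),
]

if __name__ == "__main__":
    table, conflicts = build_table(SAMPLES)
    for k in sorted(table):
        print(k, table[k])
    print("conflicts:", sorted(conflicts))
```

An empty conflict set means the inserted strings are a pure function of the last timestamp digit, so the token is built only from values the client already holds.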