为什么我死盯加速器,是因为我想白嫖(bushi)
样本:aHR0cHM6Ly93d3B5LmxhbnpvdWIuY29tL2lCWXJpMTQ3ZWRqZQrlr4bnoIE6aDlkaw==哈勃:aHR0cHM6Ly9oYWJvLnFxLmNvbS9maWxlL3Nob3dkZXRhaWw/cGs9QURZR1psMXRCMkFJUEZzOFUyTSUzRCNmYXVsdA==这个加速器有邀请1个用户给6小时无限流量的规则试了一下不需要登录,只是装上填邀请码就行~第一件事先给apk签名~确认没有签名认证,然后用FD抓包,发现可以抓包然后分析一下代码,通过MT管理器的Activity记录功能,找到邀请码界面的类在com.dd.antss.ui.v2.activity.V2GiftCodeActivity看了一下代码发现可以实现
image.png (72.66 KB, 下载次数: 0)
下载附件
2023-8-2 19:03 上传
image.png (30.01 KB, 下载次数: 0)
下载附件
2023-8-2 19:04 上传
image.png (60.79 KB, 下载次数: 0)
下载附件
2023-8-2 19:04 上传
image.png (59.41 KB, 下载次数: 0)
下载附件
2023-8-2 19:05 上传
image.png (114.38 KB, 下载次数: 0)
下载附件
2023-8-2 19:07 上传
image.png (51.94 KB, 下载次数: 0)
下载附件
2023-8-2 19:07 上传
image.png (136.73 KB, 下载次数: 0)
下载附件
2023-8-2 19:08 上传
这一看就是能模拟出来啊 然后直接复制粘贴 简单处理一下红色代码,为了方便直接把classes.dex直接转jar放libs里面了(就是懒)这样剩下很多代码,hhhh最后的结构和代码
image.png (21.72 KB, 下载次数: 0)
下载附件
2023-8-2 19:10 上传
[Java] 纯文本查看 复制代码//
// Decompiled by Jadx - 857ms
//
package org.example;
import java.io.UnsupportedEncodingException;
import java.lang.reflect.InvocationTargetException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Random;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
public class a {
public static byte[][] a(int i, int i2, byte[] bArr, byte[] bArr2, int i3) throws NoSuchAlgorithmException {
MessageDigest messageDigest = MessageDigest.getInstance("md5");
int i4 = i;
byte[] bArr3 = new byte[i4];
int i5 = i2;
byte[] bArr4 = new byte[i5];
byte[][] bArr5 = {bArr3, bArr4};
if (bArr2 == null) {
return bArr5;
}
byte[] bArr6 = null;
int i6 = 0;
int i7 = 0;
int i8 = 0;
while (true) {
messageDigest.reset();
int i9 = i6 + 1;
if (i6 > 0) {
messageDigest.update(bArr6);
}
messageDigest.update(bArr2);
if (bArr != null) {
messageDigest.update(bArr, 0, 8);
}
bArr6 = messageDigest.digest();
for (int i10 = 1; i10 0) {
while (i4 != 0 && i11 != bArr6.length) {
bArr3[i7] = bArr6[i11];
i4--;
i11++;
i7++;
}
}
if (i5 > 0 && i11 != bArr6.length) {
while (i5 != 0 && i11 != bArr6.length) {
bArr4[i8] = bArr6[i11];
i5--;
i11++;
i8++;
}
}
if (i4 == 0 && i5 == 0) {
break;
}
i6 = i9;
}
for (int i12 = 0; i12
[Java] 纯文本查看 复制代码package org.example;
import com.dd.antss.App;
import com.dd.antss.ui.v2.activity.V2GiftCodeActivity;
import com.lzy.okgo.cache.CacheMode;
import com.lzy.okgo.request.PostRequest;
import e.c.g.b.a;
import e.c.g.g.c;
import e.e.a.e;
import okhttp3.*;
import org.json.JSONException;
import org.json.JSONObject;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import java.io.IOException;
import java.util.UUID;
public class Main {
public static void main(String[] args) {
g("这里换成你的邀请码", new c() {
@Override
public void a() {
}
@Override
public void b(String s) {
System.out.println("信心" + s);
}
@Override
public void onError(String s) {
}
@Override
public void onFinish() {
}
});
}
public static void g( String var2, c var3) {
V2GiftCodeActivity activity = null;
String time = String.format("%010d", System.currentTimeMillis() / 1000L);
String var5 = json(var2);
var2 = a.z(var5, time);
w(activity, true, "aHR0cDovL2FudC5oeXlzYXBpLmNvbS9hcGkucGhw", var3, time, var5, var2); //aHR0cDovL2FudC5oeXlzYXBpLmNvbS9hcGkucGhw是敏感信息哦~
}
public static String json(String var0) {
JSONObject var1 = new JSONObject();
try {
var1.put("oauth_id", UUID.randomUUID().toString().replace("-" , ""));
var1.put("oauth_type", "android");
var1.put("aff", var0);
var1.put("mod", "user");
var1.put("code", "exchangeAFF");
} catch (JSONException var2) {
var2.printStackTrace();
}
return b(var1.toString());
}
public static String b(String str) {
try {
JSONObject jSONObject = new JSONObject(str);
jSONObject.put("version", 264);
jSONObject.put("app_type", "ss_proxy");
jSONObject.put("language", 0);
jSONObject.put("bundleId", "com.dd.antss");
str = jSONObject.toString();
// d.a("------请求参数加密前:--->" + str);
} catch (JSONException e2) {
e2.printStackTrace();
}
String f = org.example.a.f("c2fc2f64438b1eb36b7e244bdb7bd535", str);
return f;
}
public static final void w(V2GiftCodeActivity v2GiftCodeActivity, boolean z, String str, c cVar, String str2, String str3, String str4) {
OkHttpClient mOkHttpClient = new OkHttpClient();
RequestBody formBody = new FormBody.Builder()
.add("appId", "android")
.add("appVersion", "2.1.8")
.add("timestamp", str2)
.add("data", str3)
.add("sign", str4 )
.build();
Request request = new Request.Builder().url(str).post(formBody).build();
mOkHttpClient.newCall(request).enqueue(new Callback() {
@Override
public void onFailure(Call call, IOException e) {
System.out.println(e);
}
@Override
public void onResponse(Call call, Response response) throws IOException {
System.out.println(response.body().string());
}
});
}
}
image.png (69.32 KB, 下载次数: 0)
下载附件
2023-8-2 19:12 上传
最后的请求代码因为不会用,我会用okhttp3我就换成okhttp3了期间遇到的问题有JSONObject运行失败,原因:android.jar里面有这个类,直接打开压缩包,把org.json包里面的内容删掉classes.jar里面有okhttp3的包,我也直接删掉,包是okhttp3和okio
返回的数据{"errcode":0,"timestamp":1690972529,"data":"F62D8E11EF7AA78DE132D6C0054FE89CAB3D1BE5D6B83DB937E28B7A5BD4A729025A0A2E19DAD73DABAC00401D83B0747316E8A4C4A1E24F335AFB9346407D27CD74B765C1","sign":"dfab3dccba90b441a5a657eb0cba117b"}
这样就是成功
