
欧洲国家联赛集锦 : [Android ԭ] wx֧Լܵķ

    [朽]
l 2020-1-4 21:01
2020-1-9 18:47 ݋

NHWՈκ;

19דvһwxfh]PYͦһfąfhԴaκ֧fhDˎԼͿһ@˅fh҂ֻҪȥD~PĽM߉݋
ʂ䣺
ߣxp,frIDA,jadx,IDA               wx汾706707708^
_wx־xlogֱ
DƬ1.png
Ȼҵ_PisLogcatOpenxֵĵط޸ĵ傀1
DƬ2.png
ȻҲֱό{
DƬ3.png
DƬ4.png
[JavaScript] ı鿴 ƴa
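 // Frida script fragment: echoes calls to two logging methods of the class
 // below to the Frida console, then forwards them to the original method.
 // The class name is obfuscated; XLOG presumably wraps the app's xlog logger — confirm.
 // Text that had been pasted in front of the first statement (a site name and
 // URL) was not code and has been removed.
 // Captured log lines can contain account and device identifiers; treat the
 // console output as sensitive when it is stored or shared.
 var XLOG = Java.use("com.tencent.mm.sdk.platformtools.ab");

 // The i(...) and f(...) hooks were identical except for the method name,
 // so both are installed from one template.
 ["i", "f"].forEach(function (level) {
     XLOG[level].overload('java.lang.String', 'java.lang.String', '[Ljava.lang.Object;').implementation = function (s1, s2, s3) {
         // s3 is the Object[] parameter of this overload; it is appended to
         // the line as-is (no separator), exactly as the original script did.
         if (s3 == null) {
             console.log(level + ":" + s1 + "," + s2);
         } else {
             console.log(level + ":" + s1 + "," + s2 + s3);
         }
         // Inside a Frida implementation, calling the method on `this`
         // invokes the original, so the app's own logging is unchanged.
         return this[level](s1, s2, s3);
     };
 });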


΢ŽMԼӽܵsoļLibMMProticalJni.so,Mpack
DƬ5.png
҂ֱhookJava{
DƬ6.png
[JavaScript] ı鿴 ƴa
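   // Frida script fragment: logs the first argument of MMProtocalJni.pack as hex
   // and then calls the original method with the unmodified arguments.
   // bytesToHex is a helper defined outside this snippet.
   // Forum markup tags ([/color], [size=...], ...) that had been fused into the
   // assignment line were not code and have been removed.
   // NOTE(review): the first argument looks like the request buffer before the
   // native library processes it — confirm; treat the dump as sensitive data.
   var MMProtocalJni = Java.use("com.tencent.mm.protocal.MMProtocalJni");
   MMProtocalJni.pack.implementation = function () {
       console.log("MMpack:" + bytesToHex(arguments[0]));
       // Forward every argument unchanged; the original listing spelled out
       // arguments[0] through arguments[13] by hand.
       return this.pack.apply(this, arguments);
   };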

҂߸a@֮ǰxp hook־ǰһЩǭhOϢdeviceId,clientVersion֮ܽM҂ҪPעǺַ@transfer_urlǶSaִM˺εľaWCPaySignDZӋһֵWCPaySignԼchannel֮g߀һwɶҲ]о֪ĴпԸVһyԇЕrencrypt_keyԼencrypt_userinfoֶwҲWCPaySignԼchannel֮gֶΛQ
DƬ7.png
transfer_urlֱͨ^java캯URLEncoderõģ
DƬ8.png
҂@QÑĶSaʹÌܒʲôa҂ԼĶSa^εֱhook URLEncoder,ͨ^տa߶їMД^VȻҲԼ،@wһhashMap
[JavaScript] ı鿴 ƴa
 // Frida replacement for the encode(String) overload of URLEN.
 // URLEN, instance and where() are defined outside this snippet
 // (URLEN presumably wraps java.net.URLEncoder — confirm).
 // The original encode() is always called first. Its result is returned unchanged
 // unless it starts with "wxp%3A%2F%2F" and the indexOf() test on the call-stack
 // string is truthy; in that case a fixed, hard-coded encoded value is returned.
 // NOTE(review): this shows that a payee identifier handled only inside the client
 // can be substituted on an instrumented or repackaged app. Detection therefore
 // belongs on the server (binding the scanned code to the order it creates) and
 // in app-integrity / hooking checks, not in the encoding path itself.
 URLEN.encode.overload("java.lang.String").implementation=function(str){
        console.log("URLEN");
        // Call through to the original encoder.
        var res=this.encode(str);
        // Capture the current Java stack; where() turns it into a string.
        var stack=instance.currentThread().getStackTrace();
        var full_call_stack=where(stack);
        return res.indexOf("wxp%3A%2F%2F")==0&&full_call_stack.indexOf("com.tencent.mm.plugin.remittance.model.w.<init>")?
        "wxp%3A%2F%2Ff2f0NtReekKHV87BM0pY6k3TVjHlljtYL4sQ":res
    }
^@һ}DzǒlĶSaDԼĸ
ôܲ܌FlĴaͳFolHD~sǽoDQԒf@ʾһжHsDoһȻǿԵ^҂ҪMģM҂aIJȻ@ȡصopenid,ticket֮ں渶ĕr@ЩֶQ҂ľͿhMжλWCPaySign㷨{öїֱ{úcom.tencent.mm.ak.t.a
DƬ9.png
@^LjadxgІ}Ҫ޸OxҲjdֱӲ鿴{λ
DƬ10.png
҅xֵĵطһɆT׃reql.bͺMл
DƬ11.png
reqijʼt캯Ĕ
DƬ12.png
ͬӵķhook䘋캯{öї
DƬ13.png
ǰɂÿuĘ셢qVar.getReqObjҲtĘ셢uĘcom.tencent.mm.ak.m.dispatch셢ĵڶq.getReqObj()ķֵ
DƬ14.png
Ҳcom.tencent.mm.wallet_core.c.u.dispatchĵڶ
DƬ15.png
DƬ16.png
wxֵĵطcom.tencent.mm.wallet_core.tenpay.model.m.doSceneеrr
DƬ17.png
@rr֮ǰqԼreq䌍һrrHcom.tencent.mm.wallet_core.tenpay.model.m^еĸijɆTԓҲ҂ҪҵxֵĵطsetRequestDataеڴ֮ǰӋWCPaySign
DƬ18.png
getEncryptUrlqһķF
DƬ19.png
Qһ3DES(md5(str))㷨HҲ_
DƬ20.png
md5ӋֻJava{õĘ˜ʎ
DƬ21.png
3DES㷨Java{ýӿڞencryptǰһkey]ЄtĬJ
DƬ22.png
֮ӿqṩgetUriӿ䷵ֵpostcgiĿcom.tencent.mm.wallet_core.c.u onGYNetEndеĵĂqČ
DƬ23.png
ͨ^@ȡpostӿڞ/cgi-bin/mmpay-bin/transferscanqrcode
Mso
DƬ24.png
{õsolibtenpay_utils.soҲǘ˜ɵC
DƬ25.png
encryptкװlFĬJ
DƬ26.png
@keyLԇˎ׷NܷʽY_
DƬ27.png
DƬ28.png
ܲǘ˜ʵ㷨һÓQҲ]lFʲô׃ֱӌ㷨
Des3StrǷֽMܺDes3Mˆ΂ֽM
DƬ29.png
̾3DESļܷʽEK3(Dk2(Ek1(P)))
DƬ30.png
DES_Encode:
DƬ31.png
a̫LͲNrõIDA6.8䷴g߀ǶЩӵFõ7.0Ҳеȥ@ַgDzһӵ
עȴYȻfridasoе{hookλ}ӑB{ԇ@һcsub_D86CзgĴaкܶ__PAIR__,ֱþWida^ļеĺ궨xԒІ}@}Z}idagòʴ_ֻͨ^{ԇ򿴷RQ
DƬ32.png
мһc^͕lFδa߉݋^HRa£
DƬ33.png
ԌǾδaֱx86“Ro
[Asm] ı鿴 ƴa
; Hand-written x86-style rendering of a decompiled fragment. r5 and v21 are
; decompiler variable names used as operands here, not real x86 registers.
; Net effect: v21 = (r5 != 0) ? 2 : 0.
push eax;            ; preserve eax, used as scratch below
mov eax,r5;
sub eax,1;           ; eax = r5 - 1; the borrow (CF) is set only when r5 == 0
sbb r5,eax;          ; r5 = r5 - (r5 - 1) - CF = 1 - CF, i.e. 0 if r5 was 0, else 1
shl r5,1;            ; scale the 0/1 flag to 0/2
mov eax,r5;
mov v21,eax;         ; store the result
pop eax;             ; restore eax
䌍挍߉݋ֻДr5Ƿ0Ԍδaijɣ
v21=(BYTE2(v49)&0x20)?2:0;paysignĽY_
DƬ34.png
ͨ^ԴaąfhMзlͼԫ@ȡصĸֶ
[C] ı鿴 ƴa
{{
  "retcode": "0",
  "retmsg": "",
  "user_name": "wxid_7vf3tr41v3g921",
  "true_name": "**i",
  "fee": "0",
  "desc": "",
  "scene": "32",
  "transfer_qrcode_id": "aOqTgOotZtAyyz2gsfUHWPV9hsUkxMEHkCVpM5OynlvT6Q2fy6Cwv1ffb7NLyPf9PNB-CY1mWSZW0YqQjo39TbJJWLdpPDnX2EROxb1aHTx1FKd6jqZf1wgFS98q0D32",
  "rcvr_ticket": "Y4pH5nL20VA7CcRPboeyg-4PBk3ma7_U_vksGZzWTBYE4ioVEcz_v6PrG_ZS1QtY",
  "get_pay_wifi": 1,
  "receiver_openid": "oX2-vjvhwAutxXTxz85dJeSzzG-k",
  "scan_scene": 1,
  "favor_list": [],
  "amount_remind_bit": 4
}}
^12_ʼͲwxid,Ҳuser_nameصǿ""
DƬ35.png
ƵD~ĕr߀һܴa㷨ٵfһ߀һӵͨ^{×ȥ
DƬ36.png
hook com.tencent.mm.plugin.wallet.pay.a.a.b
DƬ37.png
ܴaǵһauthenijɆT׃
DƬ38.png
com.tencent.mm.plugin.wallet.pay.a.a.aͬҲһ
con.tencent.mm.plugin.wallet.pay.a.a.epostַȻ֮ǰpaysignǂhookҲܫ@ȡ
DƬ39.png
һ{ã
DƬ40.png
AuthencZw()ֵ
DƬ41.png
ܴaͨ^ɆT׃hefMxֵ
DƬ42.png
hefxֵĵط
DƬ43.png
DƬ44.png
ܴaִ
DƬ45.png
ҵһֶvfo
DƬ46.png
DƬ47.png
ܴaַܺgetText()õwcom.tencent.mm.wallet_core.ui.formview.c.a.aķֵ
DƬ48.png
MȥpayutenpayЃɷNֵ
DƬ49.png
҂D~ߴaD~708¼֙C̖D~ߵĶtenpayi|l_וr1ݔ~r100䌍F
DƬ50.png
ݔ~rصľݔĔ͕MмHcom.tencent.mm.wallet_core.ui.formview.WalletFormViewԼcom.tencent.mm.wallet_core.ui.formview.EditHintPasswdViewăɂgetTextFքeݔĽ~Լܴ˴aͨ^˿޸D~~ٌӆν~߀ԭ֮ǰĽ~ɿƌHD~~
[JavaScript] ı鿴 ƴa
        // Frida script fragment with two cooperating hooks that share the variable `old`.
        // instance and where() are defined outside this snippet.
        // 1) WalletFormView.getText(): stores the real text in `old` and returns the
        //    fixed string "0.02" to every caller.
        // 2) e(double, String) on com.tencent.mm.wallet_core.ui.e: when it is called with
        //    0.02, the value remembered in `old` is substituted before the original runs.
        // NOTE(review): e(double, String) looks like the routine that formats the amount
        // for display — confirm. If so, the amount shown and the amount submitted diverge
        // on an instrumented client; a confirmation step should display the amount
        // recorded in the server-side order rather than a value read from a client view.
        var WalletOpenViewProxyUI=Java.use("com.tencent.mm.wallet_core.ui.e");
        var old="";
        WalletOpenViewProxyUI.e.overload("double","java.lang.String").implementation=function(a1,a2){
            //var uPn=Java.cast(Authen.class,clazz).getDeclaredField("uPn");
            //uPn.setAccessible(true);
            //send("uPn:"+uPn.get(a1));
            if(a1==0.02)// fixed value produced by the getText hook below: swap the remembered text back in
                a1=Number(old) ;
            var res=this.e(a1,a2);
            // Report the (possibly substituted) argument and the original method's result.
            send("a1:"+a1.toString()+",res:"+res);
            // The stack is collected but only used by the commented-out log line.
            var stack=instance.currentThread().getStackTrace();
            var full_call_stack=where(stack);
            //console.log(full_call_stack);
            return res;
        }
        var wwww=Java.use("com.tencent.mm.wallet_core.ui.formview.WalletFormView");
        wwww.getText.implementation=function(){
            // Remember what the original getText() returns.
            old=this.getText();
            return "0.02";// fixed value handed to every caller of getText()
        }

X3_FAI}FXCVP(6EJZ`KAA7J.png V(DE[TN9827JTLT9`0A{8OK.png
ȻdȤҲ԰D~ɹϢoôÑܿܶԼD~~ѽ۸ֳh
҂^mܺgetEncryptDataWithHashһget3DesEncryptData֪ʲôrMеgetInputText()ܫ@ȡܴaoДmlEncryptЛ]ЌFԓɆTһӿ

DƬ51.png
DƬ52.png
wFcom.tenpay.android.wechat.TenpaySecureEncrypt.encryptPasswd,strǂܴaӋһmd5str2Ǖrgrgcom.tenpay.android.wechat.TenpaySecureEditTextsetSaltOõ
DƬ53.png
Mso߀ԭ㷨㷨RSA2048ܴaλ̫ȡmd5Ҳױڼ֮ǰ߀Ҫ}}ǕrgԼSC
a̫LҲͲNͬIDA6.8дһЩe`һcencrypt_pass1@׃ȡͬһַ

DƬ54.png
ȻŒ@ͨ^RԿxֵǰ̧spmȻÿζȡvar_6Cλǰѽһˣ
DƬ55.png
ҲfֻҪspĵطδaЩ}@elsev9=&res,resǂą@N߉݋һІ}ģ
DƬ56.png
ͨ^R@Ҳͨ^spȥ׃Hspѽ̧@挍Džresھֲ׃sУ
DƬ57.png
ܴa㷨߀ԭ҂ģM֧fhǺD~ߴaD~֙C̖D~Ҫreq_keyǂӆ̖˼
DƬ58.png

D~ͨ^CGI_TENPAYֱӂwxidȻ󷵻req_keyߴa^韩Щ֮ǰWCPaySignDz@ȡopenid,ticket,qrcode_idֶͨ^@Щֶȥӆ/cgi-bin/mmpay-bin/busif2fplaceorder@ȡreq_key12֮ǰߴawxidؕrͶCfąfh/cgi-bin/micromsg-bin/tenpay߉݋c֮ǰsetRequestDataҵһžnjmapԪƴӳַӋһpaysignmapԪҲǒߴaصĔ
DƬ59.png

DƬ60.png
@ȡreq_key,KD~bank_typebind_serialǽyпidCFTrʹX@ȡbind_serialҲܺ@ͲӑՓ
DƬ61.png
708ͨ^֙C̖D~ҲǷ֞ͨ^/cgi-bin/mmpay-bin/transferphonegetrcvr@ȡopenidϢͨ^/cgi-bin/mmpay-bin/transferphoneplaceorderӆ@ȡreq_key/cgi-bin/mmpay-bin/tenpay/sns_tf_authen_JӆD~MеĽ~MһNл֮IJ߀Ǻ׿ó㷨҂ԼF
[C#] ı鿴 ƴa
        // Integer power x^n by repeated squaring.
        // Returns 1 when n <= 0; arithmetic is plain int multiplication,
        // so large results wrap exactly as the operands' type dictates.
        private int Pow(int x, int n)
        {
            int result = 1;
            for (int factor = x, remaining = n; remaining > 0; remaining >>= 1, factor *= factor)
            {
                // The lowest bit of the exponent decides whether the current
                // square contributes to the product.
                if ((remaining & 1) != 0)
                {
                    result *= factor;
                }
            }
            return result;
        }
        // Renders an integer amount as a string of two-digit uppercase hex bytes,
        // splitting the value into base-128 groups.
        //   money   - the value to encode (the remainder, on recursive calls)
        //   isfirst - true only for the outermost call
        //   sign    - number of recursive calls still to make; set from the group
        //             count on the first call and decremented on each recursion
        // Returns the concatenated hex text. The group produced by the current call
        // is appended AFTER the text produced by the recursive call, and every group
        // except the one from the first call has 0x80 added.
        // NOTE(review): this looks like a protobuf-style varint rendered as hex — confirm.
        // The group index i is recomputed from the remainder on every call while sign
        // counts down from the first call; it has not been verified that the two stay
        // aligned for every input, so compare against a reference encoder before reuse.
        public string getFee(int money,bool isfirst=false,int sign=-1)
        {
            // Single-byte case: values below 0x80 on the first call need no splitting.
            if (money < 0x80 && isfirst == true)
                return String.Format("{0:X2}", money);
            int i = 0;
            int temp = (int)money;
            while ((temp /= 0x80)>=1)
                i++;// count how many times the value can be divided by 128
            if (isfirst == true) sign = i;
            int pow= Pow(128, i);// 128 raised to the i-th power
            // Highest group of the current value, and what remains below it.
            int dwRes = (pow==1)? money:money/pow;
            money = (pow == 1) ?0: money-dwRes * pow;
            // Every group except the one from the first call gets the 0x80 bit.
            if (isfirst == false) dwRes += 0x80;
            string res = String.Format("{0:X2}", dwRes);
            return sign == 0?res: getFee(money, false, --sign)+res;
        }

֙CD~䌍]зܶܶ]зֻnjҲ܌F֙CD~Ĺ
̫˲䌍Ҳͳ̽΢֧ܵ㷨Ȼm߀ҪMһķs@ЬFɵąfhamȻwxһ罻ܛ܏ĿǰҲǺܸߵڱ҂ܶȤԽhҲҪʹwx?IJ?/div>



DƬ1.png


xiong1992 l 2020-1-6 10:09
DzǿI˖|ȥߌ΢XSa@ʾ֧ɹYsҽoҵһ̖DX^ȥ2ԪĖ|@ʾɹ֧2ԪHֻ֧1ԪDŽe˽oD~D1Ԫ@ʾɹ֧1ԪnjH҅sյD2Ԫ@oþ韩
ŬT l 2020-1-5 00:03
֪ܲܽo׃øһӃ˼·ٰ@ö
TedChen l 2020-1-4 23:55
Ʊ̝pT l 2020-1-4 21:37
X
nshark l 2020-1-4 22:03
Ժ
 | l 2020-1-8 12:43
ccc800 l 2020-1-4 21:33
·^ ۻ
ebacn l 2020-1-4 21:33
xW
52pojieggh l 2020-1-4 21:46
һ
linfengtai2008 l 2020-1-4 21:50
W
š l 2020-1-4 21:52

[email protected] l 2020-1-4 21:59
煖֮ImͿ&#128516;
winson365 l 2020-1-4 22:09
,mĪ
