2897 words
14 minutes
二三里登录password,sign
2025-08-26
ios
md5
/
English
:method: POST
:scheme: https
:path: /kilos/apis/passport/login.action
:authority: api.ersanli.cn
accept: */*
content-type: application/x-www-form-urlencoded
accept-encoding: gzip, deflate, br
user-agent: AkilometerNews/7.7.3 (iPhone; iOS 15.8.1; Scale/2.00)
accept-language: zh-Hans;q=1, en;q=0.9
content-length: 374

{
    "appId": "1",
    "appVersion": "7.7.3",
    "areaCode": "440101",
    "bigFont": "0",
    "clientType": "2",
    "deviceId": "ef8ae9f767114734b65d56a16e18c168b41b47595e4c95363f7e372d5781436d4b3fd6558b103bcd9ee5bc094339cdad",
    "isP": "0",
    "location": "440101",
    "name": "13246858096",
    "nonce_str": "Q0PE6AR25G0MO1W",
    "osVersion": "15.800000",
    "password": "14e1b600b1fd579f47433b88e8d85291",
    "sign": "89ca68b245add2f16ba114b75a1c7804",
    "sort": "1",
    "timestamp": "1756173655",
    "userCookie": ""
}

sign looks like md5 so we trace md5

defineHandler({
  onEnter(log, args, state) {
    // log('CC_MD5 called from:\n' + Thread.backtrace(this.context, Backtracer.ACCURATE).map(DebugSymbol.fromAddress).join('\n') + '\n');
    log('CC_MD5() onEnter: ', hexdump(args[0], {length: args[1].toInt32()}));
    this.args2 = args[2];
  },

  onLeave(log, retval, state) {
    log('CC_MD5() onLeave: ', hexdump(this.args2, {length: 16}));  // md5 has 16 bytes
  }
});
// frida-trace -U -N com.HSW.AkilometerNews -i CC_MD5

 11485 ms  CC_MD5() onEnter:              0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
281be2100  31 32 33 34 35 36                                123456
 11485 ms  CC_MD5() onLeave:              0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
16f394fd8  e1 0a dc 39 49 ba 59 ab be 56 e0 57 f2 0f 88 3e  ...9I.Y..V.W...>
 11485 ms  CC_MD5() onEnter:              0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
281c59cb0  65 31 30 61 64 63 33 39 34 39 62 61 35 39 61 62  e10adc3949ba59ab
281c59cc0  62 65 35 36 65 30 35 37 66 32 30 66 38 38 33 65  be56e057f20f883e
 11485 ms  CC_MD5() onLeave:              0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
16f394fd8  14 e1 b6 00 b1 fd 57 9f 47 43 3b 88 e8 d8 52 91  ......W.GC;...R.

we can see the password was encrypted twice by md5 algorithm.

           /* TID 0x103 */
  4147 ms  CC_MD5 called from:
0x100c39140 /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!+[MySecurities md5String:IsCapital:]
0x100caa520 /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!-[AKMLoginVC loginWithPassword]
0x100ca8e38 /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!-[AKMLoginVC onclickLoginOrNextCheckNum:]
0x183288748 UIKitCore!-[UIApplication sendAction:to:from:forEvent:]
0x1833a7870 UIKitCore!-[UIControl sendAction:to:forEvent:]
0x18313d9ec UIKitCore!-[UIControl _sendActionsForEvents:withEvent:]
0x1831d498c UIKitCore!-[UIButton _sendActionsForEvents:withEvent:]
0x18344c4c0 UIKitCore!-[UIControl touchesEnded:withEvent:]
0x182f5212c UIKitCore!-[UIWindow _sendTouchesForEvent:]
0x182f81c4c UIKitCore!-[UIWindow sendEvent:]
0x183122a64 UIKitCore!-[UIApplication sendEvent:]
0x1016e095c /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!-[SecurityBodyEventMonitor sb_sendEvent:]
0x182f56c2c UIKitCore!__dispatchPreprocessedEventFromEventQueue
0x182f4baf0 UIKitCore!__processEventQueue
0x182f50f0c UIKitCore!__eventFetcherSourceCallback
0x180b68448 CoreFoundation!__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__

  4147 ms  CC_MD5() onEnter: 
  4147 ms              0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
280984990  31 32 33 34 35 36                                123456
  4591 ms  CC_MD5() onLeave: 
  4591 ms              0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
16f7ccfd8  e1 0a dc 39 49 ba 59 ab be 56 e0 57 f2 0f 88 3e  ...9I.Y..V.W...>
  4591 ms  --------------------------------------------------------------------

  4591 ms  CC_MD5 called from:
0x100c39140 /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!+[MySecurities md5String:IsCapital:]
0x100caa54c /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!-[AKMLoginVC loginWithPassword]
0x100ca8e38 /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!-[AKMLoginVC onclickLoginOrNextCheckNum:]
0x183288748 UIKitCore!-[UIApplication sendAction:to:from:forEvent:]
0x1833a7870 UIKitCore!-[UIControl sendAction:to:forEvent:]
0x18313d9ec UIKitCore!-[UIControl _sendActionsForEvents:withEvent:]
0x1831d498c UIKitCore!-[UIButton _sendActionsForEvents:withEvent:]
0x18344c4c0 UIKitCore!-[UIControl touchesEnded:withEvent:]
0x182f5212c UIKitCore!-[UIWindow _sendTouchesForEvent:]
0x182f81c4c UIKitCore!-[UIWindow sendEvent:]
0x183122a64 UIKitCore!-[UIApplication sendEvent:]
0x1016e095c /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!-[SecurityBodyEventMonitor sb_sendEvent:]
0x182f56c2c UIKitCore!__dispatchPreprocessedEventFromEventQueue
0x182f4baf0 UIKitCore!__processEventQueue
0x182f50f0c UIKitCore!__eventFetcherSourceCallback
0x180b68448 CoreFoundation!__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__

  4591 ms  CC_MD5() onEnter: 
  4591 ms              0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
280ea27f0  65 31 30 61 64 63 33 39 34 39 62 61 35 39 61 62  e10adc3949ba59ab
280ea2800  62 65 35 36 65 30 35 37 66 32 30 66 38 38 33 65  be56e057f20f883e
  4897 ms  CC_MD5() onLeave: 
  4897 ms              0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
16f7ccfd8  14 e1 b6 00 b1 fd 57 9f 47 43 3b 88 e8 d8 52 91  ......W.GC;...R.
  4897 ms  --------------------------------------------------------------------

  4898 ms  CC_MD5 called from:
0x1917cad50 libMobileGestalt.dylib!0x1d50 (0x191076d50)
0x1917ca508 libMobileGestalt.dylib!0x1508 (0x191076508)
0x1a3da96a0 SpringBoardFoundation!-[UIDevice(SpringBoardFoundation) _deviceInfoForKey:]
0x1831ba914 UIKitCore!-[UIDevice systemVersion]
0x100af34b8 /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!+[HSRequestManager getPublicParams]
0x100caa574 /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!-[AKMLoginVC loginWithPassword]
0x100ca8e38 /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!-[AKMLoginVC onclickLoginOrNextCheckNum:]
0x183288748 UIKitCore!-[UIApplication sendAction:to:from:forEvent:]
0x1833a7870 UIKitCore!-[UIControl sendAction:to:forEvent:]
0x18313d9ec UIKitCore!-[UIControl _sendActionsForEvents:withEvent:]
0x1831d498c UIKitCore!-[UIButton _sendActionsForEvents:withEvent:]
0x18344c4c0 UIKitCore!-[UIControl touchesEnded:withEvent:]
0x182f5212c UIKitCore!-[UIWindow _sendTouchesForEvent:]
0x182f81c4c UIKitCore!-[UIWindow sendEvent:]
0x183122a64 UIKitCore!-[UIApplication sendEvent:]
0x1016e095c /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!-[SecurityBodyEventMonitor sb_sendEvent:]

  4898 ms  CC_MD5() onEnter: 
  4898 ms              0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
16f7ccd00  4d 47 43 6f 70 79 41 6e 73 77 65 72 50 72 6f 64  MGCopyAnswerProd
16f7ccd10  75 63 74 56 65 72 73 69 6f 6e                    uctVersion
  5436 ms  CC_MD5() onLeave: 
  5436 ms              0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
16f7ccd60  a8 d3 5d 76 55 0a f8 1f d8 96 8a 0d a3 29 b0 80  ..]vU........)..
  5436 ms  --------------------------------------------------------------------

  5437 ms  CC_MD5 called from:
0x1917cad50 libMobileGestalt.dylib!0x1d50 (0x191076d50)
0x1917ca518 libMobileGestalt.dylib!0x1518 (0x191076518)
0x1a3da96a0 SpringBoardFoundation!-[UIDevice(SpringBoardFoundation) _deviceInfoForKey:]
0x1831ba914 UIKitCore!-[UIDevice systemVersion]
0x100af34b8 /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!+[HSRequestManager getPublicParams]
0x100caa574 /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!-[AKMLoginVC loginWithPassword]
0x100ca8e38 /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!-[AKMLoginVC onclickLoginOrNextCheckNum:]
0x183288748 UIKitCore!-[UIApplication sendAction:to:from:forEvent:]
0x1833a7870 UIKitCore!-[UIControl sendAction:to:forEvent:]
0x18313d9ec UIKitCore!-[UIControl _sendActionsForEvents:withEvent:]
0x1831d498c UIKitCore!-[UIButton _sendActionsForEvents:withEvent:]
0x18344c4c0 UIKitCore!-[UIControl touchesEnded:withEvent:]
0x182f5212c UIKitCore!-[UIWindow _sendTouchesForEvent:]
0x182f81c4c UIKitCore!-[UIWindow sendEvent:]
0x183122a64 UIKitCore!-[UIApplication sendEvent:]
0x1016e095c /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!-[SecurityBodyEventMonitor sb_sendEvent:]

  5437 ms  CC_MD5() onEnter: 
  5437 ms              0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
16f7ccd00  4d 47 43 6f 70 79 41 6e 73 77 65 72 50 72 6f 64  MGCopyAnswerProd
16f7ccd10  75 63 74 56 65 72 73 69 6f 6e                    uctVersion
  5970 ms  CC_MD5() onLeave: 
  5970 ms              0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
16f7ccd60  a8 d3 5d 76 55 0a f8 1f d8 96 8a 0d a3 29 b0 80  ..]vU........)..
  5970 ms  --------------------------------------------------------------------

  5970 ms  CC_MD5 called from:
0x1917cad50 libMobileGestalt.dylib!0x1d50 (0x191076d50)
0x1917ca508 libMobileGestalt.dylib!0x1508 (0x191076508)
0x1a3da96a0 SpringBoardFoundation!-[UIDevice(SpringBoardFoundation) _deviceInfoForKey:]
0x18317ff50 UIKitCore!-[UIDevice model]
0x100af4858 /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!+[HSRequestManager getIsIpad]
0x100af353c /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!+[HSRequestManager getPublicParams]
0x100caa574 /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!-[AKMLoginVC loginWithPassword]
0x100ca8e38 /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!-[AKMLoginVC onclickLoginOrNextCheckNum:]
0x183288748 UIKitCore!-[UIApplication sendAction:to:from:forEvent:]
0x1833a7870 UIKitCore!-[UIControl sendAction:to:forEvent:]
0x18313d9ec UIKitCore!-[UIControl _sendActionsForEvents:withEvent:]
0x1831d498c UIKitCore!-[UIButton _sendActionsForEvents:withEvent:]
0x18344c4c0 UIKitCore!-[UIControl touchesEnded:withEvent:]
0x182f5212c UIKitCore!-[UIWindow _sendTouchesForEvent:]
0x182f81c4c UIKitCore!-[UIWindow sendEvent:]
0x183122a64 UIKitCore!-[UIApplication sendEvent:]

  5970 ms  CC_MD5() onEnter: 
  5970 ms              0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
16f7ccce0  4d 47 43 6f 70 79 41 6e 73 77 65 72 44 65 76 69  MGCopyAnswerDevi
16f7cccf0  63 65 4e 61 6d 65                                ceName
  6583 ms  CC_MD5() onLeave: 
  6583 ms              0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
16f7ccd40  ae 4a a5 c0 f7 11 1f 08 b1 63 88 1a a4 f8 da 9f  .J.......c......
  6583 ms  --------------------------------------------------------------------

  6584 ms  CC_MD5 called from:
0x1917cad50 libMobileGestalt.dylib!0x1d50 (0x191076d50)
0x1917ca518 libMobileGestalt.dylib!0x1518 (0x191076518)
0x1a3da96a0 SpringBoardFoundation!-[UIDevice(SpringBoardFoundation) _deviceInfoForKey:]
0x18317ff50 UIKitCore!-[UIDevice model]
0x100af4858 /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!+[HSRequestManager getIsIpad]
0x100af353c /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!+[HSRequestManager getPublicParams]
0x100caa574 /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!-[AKMLoginVC loginWithPassword]
0x100ca8e38 /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!-[AKMLoginVC onclickLoginOrNextCheckNum:]
0x183288748 UIKitCore!-[UIApplication sendAction:to:from:forEvent:]
0x1833a7870 UIKitCore!-[UIControl sendAction:to:forEvent:]
0x18313d9ec UIKitCore!-[UIControl _sendActionsForEvents:withEvent:]
0x1831d498c UIKitCore!-[UIButton _sendActionsForEvents:withEvent:]
0x18344c4c0 UIKitCore!-[UIControl touchesEnded:withEvent:]
0x182f5212c UIKitCore!-[UIWindow _sendTouchesForEvent:]
0x182f81c4c UIKitCore!-[UIWindow sendEvent:]
0x183122a64 UIKitCore!-[UIApplication sendEvent:]

  6584 ms  CC_MD5() onEnter: 
  6584 ms              0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
16f7ccce0  4d 47 43 6f 70 79 41 6e 73 77 65 72 44 65 76 69  MGCopyAnswerDevi
16f7cccf0  63 65 4e 61 6d 65                                ceName
  7207 ms  CC_MD5() onLeave: 
  7207 ms              0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
16f7ccd40  ae 4a a5 c0 f7 11 1f 08 b1 63 88 1a a4 f8 da 9f  .J.......c......
  7207 ms  --------------------------------------------------------------------

  7208 ms  CC_MD5 called from:
0x100c39140 /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!+[MySecurities md5String:IsCapital:]
0x100b7066c /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!-[NSDictionary MD5EncodedStrig]
0x1009bcf68 /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!-[HSNetworkEngine createConnectionWithURL:params:method:completionHandler:errorHandler:]
0x100caa954 /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!-[AKMLoginVC loginWithPassword]
0x100ca8e38 /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!-[AKMLoginVC onclickLoginOrNextCheckNum:]
0x183288748 UIKitCore!-[UIApplication sendAction:to:from:forEvent:]
0x1833a7870 UIKitCore!-[UIControl sendAction:to:forEvent:]
0x18313d9ec UIKitCore!-[UIControl _sendActionsForEvents:withEvent:]
0x1831d498c UIKitCore!-[UIButton _sendActionsForEvents:withEvent:]
0x18344c4c0 UIKitCore!-[UIControl touchesEnded:withEvent:]
0x182f5212c UIKitCore!-[UIWindow _sendTouchesForEvent:]
0x182f81c4c UIKitCore!-[UIWindow sendEvent:]
0x183122a64 UIKitCore!-[UIApplication sendEvent:]
0x1016e095c /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!-[SecurityBodyEventMonitor sb_sendEvent:]
0x182f56c2c UIKitCore!__dispatchPreprocessedEventFromEventQueue
0x182f4baf0 UIKitCore!__processEventQueue

  7208 ms  CC_MD5() onEnter: 
  7208 ms              0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
1172dbab0  61 70 70 49 64 3d 31 26 61 70 70 56 65 72 73 69  appId=1&appVersi
1172dbac0  6f 6e 3d 37 2e 37 2e 33 26 61 72 65 61 43 6f 64  on=7.7.3&areaCod
1172dbad0  65 3d 34 34 30 31 30 31 26 62 69 67 46 6f 6e 74  e=440101&bigFont
1172dbae0  3d 30 26 63 6c 69 65 6e 74 54 79 70 65 3d 32 26  =0&clientType=2&
1172dbaf0  64 65 76 69 63 65 49 64 3d 65 66 38 61 65 39 66  deviceId=ef8ae9f
1172dbb00  37 36 37 31 31 34 37 33 34 62 36 35 64 35 36 61  767114734b65d56a
1172dbb10  31 36 65 31 38 63 31 36 38 62 34 31 62 34 37 35  16e18c168b41b475
1172dbb20  39 35 65 34 63 39 35 33 36 33 66 37 65 33 37 32  95e4c95363f7e372
1172dbb30  64 35 37 38 31 34 33 36 64 34 62 33 66 64 36 35  d5781436d4b3fd65
1172dbb40  35 38 62 31 30 33 62 63 64 39 65 65 35 62 63 30  58b103bcd9ee5bc0
1172dbb50  39 34 33 33 39 63 64 61 64 26 69 73 50 3d 30 26  94339cdad&isP=0&
1172dbb60  6c 6f 63 61 74 69 6f 6e 3d 34 34 30 31 30 31 26  location=440101&
1172dbb70  6e 61 6d 65 3d 31 33 35 37 36 33 34 35 37 38 35  name=13576345785
1172dbb80  26 6e 6f 6e 63 65 5f 73 74 72 3d 50 49 59 37 39  &nonce_str=PIY79
1172dbb90  33 41 32 38 43 57 44 46 4a 43 26 6f 73 56 65 72  3A28CWDFJC&osVer
1172dbba0  73 69 6f 6e 3d 31 35 2e 38 30 30 30 30 30 26 70  sion=15.800000&p
1172dbbb0  61 73 73 77 6f 72 64 3d 31 34 65 31 62 36 30 30  assword=14e1b600
1172dbbc0  62 31 66 64 35 37 39 66 34 37 34 33 33 62 38 38  b1fd579f47433b88
1172dbbd0  65 38 64 38 35 32 39 31 26 73 6f 72 74 3d 31 26  e8d85291&sort=1&
1172dbbe0  74 69 6d 65 73 74 61 6d 70 3d 31 37 35 36 31 38  timestamp=175618
1172dbbf0  37 36 35 33 26 75 73 65 72 43 6f 6f 6b 69 65 3d  7653&userCookie=
  7727 ms  CC_MD5() onLeave: 
  7727 ms              0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
16f7cce48  48 61 ad e0 2b 0f 5f 4b d8 1f 57 24 32 44 18 fc  Ha..+._K..W$2D..
  7727 ms  --------------------------------------------------------------------

  7727 ms  CC_MD5 called from:
0x100c39140 /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!+[MySecurities md5String:IsCapital:]
0x100b706dc /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!-[NSDictionary MD5EncodedStrig]
0x1009bcf68 /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!-[HSNetworkEngine createConnectionWithURL:params:method:completionHandler:errorHandler:]
0x100caa954 /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!-[AKMLoginVC loginWithPassword]
0x100ca8e38 /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!-[AKMLoginVC onclickLoginOrNextCheckNum:]
0x183288748 UIKitCore!-[UIApplication sendAction:to:from:forEvent:]
0x1833a7870 UIKitCore!-[UIControl sendAction:to:forEvent:]
0x18313d9ec UIKitCore!-[UIControl _sendActionsForEvents:withEvent:]
0x1831d498c UIKitCore!-[UIButton _sendActionsForEvents:withEvent:]
0x18344c4c0 UIKitCore!-[UIControl touchesEnded:withEvent:]
0x182f5212c UIKitCore!-[UIWindow _sendTouchesForEvent:]
0x182f81c4c UIKitCore!-[UIWindow sendEvent:]
0x183122a64 UIKitCore!-[UIApplication sendEvent:]
0x1016e095c /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!-[SecurityBodyEventMonitor sb_sendEvent:]
0x182f56c2c UIKitCore!__dispatchPreprocessedEventFromEventQueue
0x182f4baf0 UIKitCore!__processEventQueue

  7727 ms  CC_MD5() onEnter: 
  7727 ms              0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
1172dbe20  34 38 36 31 61 64 65 30 32 62 30 66 35 66 34 62  4861ade02b0f5f4b
1172dbe30  64 38 31 66 35 37 32 34 33 32 34 34 31 38 66 63  d81f5724324418fc
1172dbe40  78 33 70 62 6b 57 6a 48 34 45 69 42 50 62 52 69  x3pbkWjH4EiBPbRi
1172dbe50  31 44 59 4b 67 49 69 75 53 39 65 68 4f 43 4f 6b  1DYKgIiuS9ehOCOk
1172dbe60  30 44 6b 71 52 45 4f 49 76 66 66 4f 59 74 41 4f  0DkqREOIvffOYtAO
1172dbe70  51 76 52 58 6b 76 6d 76 68 65 39 6a 31 33 51 6f  QvRXkvmvhe9j13Qo
1172dbe80  54 33 61 4f 73 54 50 2f 59 36 77 4c 6c 44 68 67  T3aOsTP/Y6wLlDhg
1172dbe90  39 37 52 68 59 6e 74 34 79 32 33 7a 67 64 35 41  97RhYnt4y23zgd5A
1172dbea0  56 2b 55 69 4e 67 65 72 6c 6d 77 43 6a 57 63 6c  V+UiNgerlmwCjWcl
1172dbeb0  4f 77 77 66 31 49 76 5a 59 58 34 6e 41 6a 4f 64  Owwf1IvZYX4nAjOd
1172dbec0  43 6b 47 67 52 41 62 6f 69 55 2b 47 68 2b 55 76  CkGgRAboiU+Gh+Uv
1172dbed0  57 2b 43 6e 58 6a 6a 46 78 32 36 76 6b 34 59 39  W+CnXjjFx26vk4Y9
1172dbee0  31 4d 7a 74 71 38 53 6a 43 76 43 77 6f 61 51 47  1Mztq8SjCvCwoaQG
1172dbef0  48 58 78 66 79 30 56 78 6d 73 53 38 35 42 42 56  HXxfy0VxmsS85BBV
1172dbf00  33 45 33 39 41 6b 31 32 6e 2f 45 63 56 2b 2f 69  3E39Ak12n/EcV+/i
1172dbf10  68 6b 39 75 49 51 77 71 63 33 42 6c 76 52 38 6d  hk9uIQwqc3BlvR8m
1172dbf20  69 5a 54 47 68 32 45 65 73 71 53 71 4b 6d 2b 52  iZTGh2EesqSqKm+R
1172dbf30  69 77 57 41 51 70 59 72 68 61 57 75 4e 39 5a 63  iwWAQpYrhaWuN9Zc
  8246 ms  CC_MD5() onLeave: 
  8246 ms              0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
16f7cce48  34 67 47 b0 d9 21 00 42 45 ad 34 1c b3 cc 1b ea  4gG..!.BE.4.....
  8246 ms  --------------------------------------------------------------------

  8246 ms  CC_MD5 called from:
0x1917cad50 libMobileGestalt.dylib!0x1d50 (0x191076d50)
0x1917ca508 libMobileGestalt.dylib!0x1508 (0x191076508)
0x1a3da96a0 SpringBoardFoundation!-[UIDevice(SpringBoardFoundation) _deviceInfoForKey:]
0x18317ff50 UIKitCore!-[UIDevice model]
0x100d3dcd4 /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!-[AFHTTPRequestSerializer init]
0x100d3da24 /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!+[AFHTTPRequestSerializer serializer]
0x100d37124 /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!-[AFHTTPSessionManager initWithBaseURL:sessionConfiguration:]
0x100d37018 /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!+[AFHTTPSessionManager manager]
0x100d2f3d0 /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!+[AKMNetEngine doPostWithUrlStr:parameters:contentType:finished:failure:]
0x1009bd14c /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!-[HSNetworkEngine createConnectionWithURL:params:method:completionHandler:errorHandler:]
0x100caa954 /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!-[AKMLoginVC loginWithPassword]
0x100ca8e38 /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!-[AKMLoginVC onclickLoginOrNextCheckNum:]
0x183288748 UIKitCore!-[UIApplication sendAction:to:from:forEvent:]
0x1833a7870 UIKitCore!-[UIControl sendAction:to:forEvent:]
0x18313d9ec UIKitCore!-[UIControl _sendActionsForEvents:withEvent:]
0x1831d498c UIKitCore!-[UIButton _sendActionsForEvents:withEvent:]

  8246 ms  CC_MD5() onEnter: 
  8246 ms              0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
16f7ccaa0  4d 47 43 6f 70 79 41 6e 73 77 65 72 44 65 76 69  MGCopyAnswerDevi
16f7ccab0  63 65 4e 61 6d 65                                ceName
  9235 ms  CC_MD5() onLeave: 
  9235 ms              0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
16f7ccb00  ae 4a a5 c0 f7 11 1f 08 b1 63 88 1a a4 f8 da 9f  .J.......c......
  9235 ms  --------------------------------------------------------------------

  9235 ms  CC_MD5 called from:
0x1917cad50 libMobileGestalt.dylib!0x1d50 (0x191076d50)
0x1917ca518 libMobileGestalt.dylib!0x1518 (0x191076518)
0x1a3da96a0 SpringBoardFoundation!-[UIDevice(SpringBoardFoundation) _deviceInfoForKey:]
0x18317ff50 UIKitCore!-[UIDevice model]
0x100d3dcd4 /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!-[AFHTTPRequestSerializer init]
0x100d3da24 /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!+[AFHTTPRequestSerializer serializer]
0x100d37124 /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!-[AFHTTPSessionManager initWithBaseURL:sessionConfiguration:]
0x100d37018 /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!+[AFHTTPSessionManager manager]
0x100d2f3d0 /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!+[AKMNetEngine doPostWithUrlStr:parameters:contentType:finished:failure:]
0x1009bd14c /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!-[HSNetworkEngine createConnectionWithURL:params:method:completionHandler:errorHandler:]
0x100caa954 /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!-[AKMLoginVC loginWithPassword]
0x100ca8e38 /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!-[AKMLoginVC onclickLoginOrNextCheckNum:]
0x183288748 UIKitCore!-[UIApplication sendAction:to:from:forEvent:]
0x1833a7870 UIKitCore!-[UIControl sendAction:to:forEvent:]
0x18313d9ec UIKitCore!-[UIControl _sendActionsForEvents:withEvent:]
0x1831d498c UIKitCore!-[UIButton _sendActionsForEvents:withEvent:]

  9235 ms  CC_MD5() onEnter: 
  9235 ms              0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
16f7ccaa0  4d 47 43 6f 70 79 41 6e 73 77 65 72 44 65 76 69  MGCopyAnswerDevi
16f7ccab0  63 65 4e 61 6d 65                                ceName
 10224 ms  CC_MD5() onLeave: 
 10224 ms              0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
16f7ccb00  ae 4a a5 c0 f7 11 1f 08 b1 63 88 1a a4 f8 da 9f  .J.......c......
 10224 ms  --------------------------------------------------------------------

 10224 ms  CC_MD5 called from:
0x1917cad50 libMobileGestalt.dylib!0x1d50 (0x191076d50)
0x1917ca508 libMobileGestalt.dylib!0x1508 (0x191076508)
0x1a3da96a0 SpringBoardFoundation!-[UIDevice(SpringBoardFoundation) _deviceInfoForKey:]
0x1831ba914 UIKitCore!-[UIDevice systemVersion]
0x100d3dcf8 /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!-[AFHTTPRequestSerializer init]
0x100d3da24 /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!+[AFHTTPRequestSerializer serializer]
0x100d37124 /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!-[AFHTTPSessionManager initWithBaseURL:sessionConfiguration:]
0x100d37018 /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!+[AFHTTPSessionManager manager]
0x100d2f3d0 /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!+[AKMNetEngine doPostWithUrlStr:parameters:contentType:finished:failure:]
0x1009bd14c /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!-[HSNetworkEngine createConnectionWithURL:params:method:completionHandler:errorHandler:]
0x100caa954 /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!-[AKMLoginVC loginWithPassword]
0x100ca8e38 /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!-[AKMLoginVC onclickLoginOrNextCheckNum:]
0x183288748 UIKitCore!-[UIApplication sendAction:to:from:forEvent:]
0x1833a7870 UIKitCore!-[UIControl sendAction:to:forEvent:]
0x18313d9ec UIKitCore!-[UIControl _sendActionsForEvents:withEvent:]
0x1831d498c UIKitCore!-[UIButton _sendActionsForEvents:withEvent:]

 10224 ms  CC_MD5() onEnter: 
 10224 ms              0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
16f7ccaa0  4d 47 43 6f 70 79 41 6e 73 77 65 72 50 72 6f 64  MGCopyAnswerProd
16f7ccab0  75 63 74 56 65 72 73 69 6f 6e                    uctVersion
 11212 ms  CC_MD5() onLeave: 
 11212 ms              0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
16f7ccb00  a8 d3 5d 76 55 0a f8 1f d8 96 8a 0d a3 29 b0 80  ..]vU........)..
 11212 ms  --------------------------------------------------------------------

 11212 ms  CC_MD5 called from:
0x1917cad50 libMobileGestalt.dylib!0x1d50 (0x191076d50)
0x1917ca518 libMobileGestalt.dylib!0x1518 (0x191076518)
0x1a3da96a0 SpringBoardFoundation!-[UIDevice(SpringBoardFoundation) _deviceInfoForKey:]
0x1831ba914 UIKitCore!-[UIDevice systemVersion]
0x100d3dcf8 /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!-[AFHTTPRequestSerializer init]
0x100d3da24 /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!+[AFHTTPRequestSerializer serializer]
0x100d37124 /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!-[AFHTTPSessionManager initWithBaseURL:sessionConfiguration:]
0x100d37018 /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!+[AFHTTPSessionManager manager]
0x100d2f3d0 /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!+[AKMNetEngine doPostWithUrlStr:parameters:contentType:finished:failure:]
0x1009bd14c /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!-[HSNetworkEngine createConnectionWithURL:params:method:completionHandler:errorHandler:]
0x100caa954 /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!-[AKMLoginVC loginWithPassword]
0x100ca8e38 /private/var/containers/Bundle/Application/1C55E0E2-EE7C-4D7A-AA65-DDDB57E070F8/AkilometerNews.app/AkilometerNews!-[AKMLoginVC onclickLoginOrNextCheckNum:]
0x183288748 UIKitCore!-[UIApplication sendAction:to:from:forEvent:]
0x1833a7870 UIKitCore!-[UIControl sendAction:to:forEvent:]
0x18313d9ec UIKitCore!-[UIControl _sendActionsForEvents:withEvent:]
0x1831d498c UIKitCore!-[UIButton _sendActionsForEvents:withEvent:]

 11212 ms  CC_MD5() onEnter: 
 11212 ms              0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
16f7ccaa0  4d 47 43 6f 70 79 41 6e 73 77 65 72 50 72 6f 64  MGCopyAnswerProd
16f7ccab0  75 63 74 56 65 72 73 69 6f 6e                    uctVersion
 12202 ms  CC_MD5() onLeave: 
 12202 ms              0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
16f7ccb00  a8 d3 5d 76 55 0a f8 1f d8 96 8a 0d a3 29 b0 80  ..]vU........)..
 12202 ms  --------------------------------------------------------------------

image-20250826135809575

search 34 67 47 b0

image-20250826135903445

then search 48 61 ad e0 2b

image-20250826135958105

we can see 4861ade0... follows another string x3pbkWjH4EiBPbRi... find the initiator we can search 0x100c39140 in IDA. its weird that i cant jump to that function via jump to address :( so i just search the name md5String in IDA

id __cdecl +[MySecurities md5String:IsCapital:](id a1, SEL a2, id a3, bool a4)
{
  id v5; // x0
  const char *v6; // x19
  CC_LONG v7; // w0
  id v8; // x0
  void *v9; // x19
  __int64 v10; // x22
  unsigned __int8 md[16]; // [xsp+8h] [xbp-38h] BYREF

  if ( !a3 )
    return objc_autoreleaseReturnValue(0LL);
  v5 = objc_retainAutorelease(a3);
  v6 = (const char *)sub_1015B4440(v5);
  v7 = strlen(v6);
  CC_MD5(v6, v7, md);
  v8 = objc_alloc((Class)&OBJC_CLASS___NSMutableString);
  v9 = (void *)sub_1015DC260(v8);
  v10 = 0LL;
  if ( a4 )
  {
    do
    {
      sub_1015BAAC0(v9);
      ++v10;
    }
    while ( v10 != 16 );
  }
  else
  {
    do
    {
      sub_1015BAAC0(v9);
      ++v10;
    }
    while ( v10 != 16 );
  }
  return objc_autoreleaseReturnValue(v9);
}

image-20250826140924239

defineHandler({
  onEnter(log, args, state) {
    log(`+[MySecurities md5String:${ObjC.Object(args[2])} IsCapital:${args[3]}]`);
  },

  onLeave(log, retval, state) {
    log(`+[MySecurities md5String retval:${ObjC.Object(retval)}`);
  }
});

// frida-trace -U -N com.HSW.AkilometerNews -m "+[MySecurities md5String:IsCapital:]"

253596 ms  +[MySecurities md5String:123456 IsCapital:0x0]
253627 ms  +[MySecurities md5String:e10adc3949ba59abbe56e057f20f883e IsCapital:0x0]
253628 ms  +[MySecurities md5String:appId=1&appVersion=7.7.3&areaCode=440101&bigFont=0&clientType=2&deviceId=ef8ae9f767114734b65d56a16e18c168b41b47595e4c95363f7e372d5781436d4b3fd6558b103bcd9ee5bc094339cdad&isP=0&location=440101&name=13576345785&nonce_str=OS53947TPIRDVKX&osVersion=15.800000&password=14e1b600b1fd579f47433b88e8d85291&sort=1&timestamp=1756189120&userCookie= IsCapital:0x0]
253629 ms  +[MySecurities md5String:1b7e7250f093d51cb13a1e0cf106f80cx3pbkWjH4EiBPbRi1DYKgIiuS9ehOCOk0DkqREOIvffOYtAOQvRXkvmvhe9j13QoT3aOsTP/Y6wLlDhg97RhYnt4y23zgd5AV+UiNgerlmwCjWclOwwf1IvZYX4nAjOdCkGgRAboiU+Gh+UvW+CnXjjFx26vk4Y91Mztq8SjCvCwoaQGHXxfy0VxmsS85BBV3E39Ak12n/EcV+/ihk9uIQwqc3BlvR8miZTGh2EesqSqKm+RiwWAQpYrhaWuN9Zc IsCapital:0x0]

the string added before that shit is fixed.

二三里登录password,sign
https://zycreverse.netlify.app/posts/iosersanli/
Author
会写点代码的本子画手
Published at
2025-08-26
驾校一点通账号密码登录协议分析:sign
Reverse Engineering the Tower Operations APP Login Protocol 铁塔换电运维登录协议分析
© 2025 会写点代码的本子画手. All Rights Reserved. / RSS / Sitemap
Powered by Astro & Fuwari