Analysis of the Zuoyebang (作业帮) account-and-password login protocol
com.baidu.homework
:method: POST
:authority: passport.zybang.com
:scheme: https
:path: /session/submit/login
content-length: 563
content-type: application/x-www-form-urlencoded
x-zyb-trace-t: 1756880879961
x-zyb-trace-id: 4f74142c48e5a8e7:4f74142c48e5a8e7:0:1
zyb-did: 03fd41c26060000247dea08020000001
dp-ticket: 5t21W9Cc0kDLc7k8CFdX1VnkDCwNzRxASQGle0KHfm1uJHY6bzkYC1f4w7LKHODGmxX2TnAs4z5JyAxOn+He/oOHGqiVfkhplJTJhpLDr9P4A59dCKN9zNFN5xmrZKkXqhFRYLK/RhJJTaP6yHa8eiLuhEoZik3j/K6P8rFsw0KdG4iD5nod7Cexkemf8fcSG5vfgF/+uNX1kdwig/TiMSxLSk4rVqBkKVbUO22E5oI/D36Q0x5EzjCelU5K+IKY6PDQDaD6xgvOQ5I8zIhW4+xkOMLSSdXSkVRiQshK/h1G2EaoyhsBoLrhGtdIEEt94OtS4aFGE3vNRmKlP6F4bpdN9mWRLiHTLizmEkSEyesyoBo9dK/PKmg0sIAmo+50SYJ283qJFAEQocNk95J2q12Rtvm3P13/7q+h89HGu78LSBC4IEqshb7IuHu7R3BGPhniaaNHkZDOvY7DuagT6KkHFQdGT8bahyezbCyGTW1t5TPY=
na__zyb_source__: homework
zyb-adid: 3dda5ea09f111a6799667a73432537ec78880958
user-agent: homework/14.33.2 (iPhone; iOS 15.8.1; Scale/2.00)
accept-language: zh-Hans;q=1, en;q=0.9
zyb-cuid: 7cbf5422d400a656855bf9b9716513e7c30c17e4
accept: */*
accept-encoding: gzip, deflate
_t_=1756880872&adid=3dda5ea09f111a6799667a73432537ec78880958&appId=homework&bundleID=com.baidu.homework&channel=appstore&cuid=7cbf5422d400a656855bf9b9716513e7c30c17e4&dayivc=65&device=iPhone%206s&did=03fd41c26060000247dea08020000001&feSkinName=skin-gray&hybrid=1&iOSVersion=15.8.1&isNotchScreen=0&nt=wifi&os=ios&password=14e1b600b1fd579f47433b88e8d85291&personalRecommendNA=1&phone=MwaNM_hJMWl7MzB%3D&screenscale=2&screensize=1334x750&sign=070caebcc6f57941c0affd8686a98424&token=2_XPXQH3c5HRPtFHkSwi3sCCURmT25QfxM&vc=1480&vcname=14.33.2&yongsterStatus=0&zbkvc=970
Shit. IDA got it wrong again.
sign
Based on my research, [mmEFqSK2tFHKXQ==]@ is always stuck in front of this shit, i.e. the string that gets hashed.
frida-ps -Uai

oops.
getModuleByName wants the file name of that shit you dragged into IDA, i.e. the main executable, neither the app's display name nor its bundle ID.
// Handler for: frida-trace -U -N com.baidu.homework -i CC_MD5
// CC_MD5(const void *data, CC_LONG len, unsigned char *md)
defineHandler({
  onEnter(log, args, state) {
    // Get pointer to the input data and its length
    const dataPtr = args[0];
    const dataLength = args[1].toInt32();
    // Store the output buffer pointer for the onLeave handler right away,
    // so an early return below cannot leave it undefined
    this.args2 = args[2];
    // Read only the first 20 bytes to check the prefix without being wasteful;
    // readUtf8String throws on non-UTF-8 input and CC_MD5 also sees binary data
    let plaintext = null;
    try {
      plaintext = dataPtr.readUtf8String(Math.min(dataLength, 20));
    } catch (e) {
      plaintext = null;
    }
    // Conditional check: only proceed if the input starts with the target prefix
    if (plaintext && plaintext.startsWith("[mmEFqSK2tFH")) {
      console.log("\n==================================================");
      log("✅ Found MD5 input starting with '[mmEFqSK2tFH'.");
      log("Full plaintext: " + dataPtr.readUtf8String(dataLength));
      // --- Start of IDA address calculation logic ---
      const backtrace = Thread.backtrace(this.context, Backtracer.ACCURATE);
      // Module name = file name of the main executable (what was loaded in IDA),
      // not the app name or bundle ID; findModuleByName returns null if absent
      const driverModule = Process.findModuleByName('homework');
      // IDA shows the Mach-O at its preferred base; at runtime ASLR adds a slide
      const idaBase = new NativePointer('0x100000000');
      if (!driverModule) {
        log('Error: Could not find the "homework" module. Aborting calculation.');
        return;
      }
      const driverEndAddress = driverModule.base.add(driverModule.size);
      const formattedBacktrace = backtrace.map(function (addr) {
        const symbol = DebugSymbol.fromAddress(addr);
        // Range check: is the return address inside the app's own image?
        const isAppCode = addr.compare(driverModule.base) >= 0 &&
                          addr.compare(driverEndAddress) < 0;
        if (isAppCode) {
          // App code: rebase the runtime address onto IDA's image base
          // ("Driver!" is just the label printed; kept so it matches the output)
          const offset = addr.sub(driverModule.base);
          const idaAddress = idaBase.add(offset);
          return `${idaAddress} Driver!${symbol.name}`;
        } else {
          // System library: show its module name and the runtime address as-is
          const otherModule = Process.findModuleByAddress(addr);
          const moduleName = otherModule ? otherModule.name : 'UnknownModule';
          return `${addr} ${moduleName}!${symbol.name}`;
        }
      }).join('\n');
      // Log the final, formatted backtrace
      log('Backtrace (with calculated IDA addresses):\n' + formattedBacktrace + '\n');
      console.log("==================================================");
    }
    // General logging for every CC_MD5 call
    log('CC_MD5() onEnter: ');
    log(hexdump(dataPtr, { length: dataLength }));
  },
  onLeave(log, retval, state) {
    // Log the 16-byte digest written to the output buffer for every call
    log('CC_MD5() onLeave (MD5 Hash): ');
    log(hexdump(this.args2, { length: 16 }));
    log("--------------------------------------------------------------------\n");
  }
});
// frida-trace -U -N com.baidu.homework -i CC_MD5
5245 ms ✅ Found MD5 input starting with '[mmEFqSK2tFH'.
5245 ms Full plaintext: [mmEFqSK2tFHKXQ==]@X3RfPTE3NTY4ODE4NzZhZGlkPTNkZGE1ZWEwOWYxMTFhNjc5OTY2N2E3MzQzMjUzN2VjNzg4ODA5NThhcHBJZD1ob21ld29ya2J1bmRsZUlEPWNvbS5iYWlkdS5ob21ld29ya2NoYW5uZWw9YXBwc3RvcmVjdWlkPTdjYmY1NDIyZDQwMGE2NTY4NTViZjliOTcxNjUxM2U3YzMwYzE3ZTRkYXlpdmM9NjVkZXZpY2U9aVBob25lIDZzZGlkPTAzZmQ0MWMyNjA2MDAwMDI0N2RlYTA4MDIwMDAwMDAxZmVTa2luTmFtZT1za2luLWdyYXloeWJyaWQ9MWlPU1ZlcnNpb249MTUuOC4xaXNOb3RjaFNjcmVlbj0wbnQ9d2lmaW9zPWlvc3Bhc3N3b3JkPTE0ZTFiNjAwYjFmZDU3OWY0NzQzM2I4OGU4ZDg1MjkxcGVyc29uYWxSZWNvbW1lbmROQT0xcGhvbmU9TXdhTk1faEpNV2w3TXpCPXNjcmVlbnNjYWxlPTJzY3JlZW5zaXplPTEzMzR4NzUwdG9rZW49Ml9YUFhRSDNjNUhSUHRGSGtTd2kzc0NDVVJtVDI1UWZ4TXZjPTE0ODB2Y25hbWU9MTQuMzMuMnlvbmdzdGVyU3RhdHVzPTB6Ymt2Yz05NzA=
==================================================
5245 ms Backtrace (with calculated IDA addresses):
0x101c1374c Driver!+[ZYBCommunicationTool md5WithEncodiong:string:]
0x100532c5c Driver!-[HTTPFacade createSign:]
0x100530a90 Driver!-[HTTPFacade createPostParamsV1:]
0x10052fcf4 Driver!0x52fcf4 (0x10052fcf4)
0x10052fa98 Driver!0x52fa98 (0x10052fa98)
0x101c151fc Driver!-[ZYBSpamManager getAntispamWithBlock:requestBlock:]
0x10052f900 Driver!-[HTTPFacade checkAntispamWithBlock:]
0x10052e580 Driver!-[HTTPFacade doHttpRequestWithParams:uri:completeBlock:cacheBlock:requestTask:]
0x10052e330 Driver!-[HTTPFacade swizze_doHttpRequestWithParams:uri:completeBlock:]
0x1010a6aec Driver!-[HTTPFacade doHttpRequestWithParams:uri:completeBlock:]
0x1011914c8 Driver!-[HTTPFacade loginWithPhoneNum:passWd:completBlcok:]
0x10119e734 Driver!-[LoginManager loginWithPhoneNum:passWd:completBlcok:]
0x101198b94 Driver!-[LoginByPwdViewController goLogin]
0x1845d8748 UIKitCore!-[UIApplication sendAction:to:from:forEvent:]
0x1846f7870 UIKitCore!-[UIControl sendAction:to:forEvent:]
0x10113173c Driver!-[UIButton sendAction:to:forEvent:]
5245 ms CC_MD5() onEnter:
6621 ms CC_MD5() onLeave (MD5 Hash):
6621 ms 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
16b71c968 b3 4f 98 84 d2 e3 51 fc e6 7a 08 b4 4d 3a 41 66 .O....Q..z..M:Af
6621 ms --------------------------------------------------------------------
My guess is that the string behind that fixed shit is base64.
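To check that guess against the data on this page, here is an added example (not the author's code): it URL-decodes the captured form body, drops sign, sorts the keys in byte order, joins key=value with no separator, base64-encodes the result and prepends the fixed prefix, then compares that with the plaintext the frida handler logged. The byte-order sort and the no-separator join are hypotheses read off the trace, not confirmed from the binary; the trace came from a later login attempt, so its timestamp (_t_=1756881876) is substituted into the captured body before comparing.

```python
import base64
from urllib.parse import parse_qsl

# Fixed prefix seen in front of every matching CC_MD5 input in the trace above.
PREFIX = "[mmEFqSK2tFHKXQ==]@"

# Form body of the captured POST /session/submit/login, copied from this page.
CAPTURED_BODY = "_t_=1756880872&adid=3dda5ea09f111a6799667a73432537ec78880958&appId=homework&bundleID=com.baidu.homework&channel=appstore&cuid=7cbf5422d400a656855bf9b9716513e7c30c17e4&dayivc=65&device=iPhone%206s&did=03fd41c26060000247dea08020000001&feSkinName=skin-gray&hybrid=1&iOSVersion=15.8.1&isNotchScreen=0&nt=wifi&os=ios&password=14e1b600b1fd579f47433b88e8d85291&personalRecommendNA=1&phone=MwaNM_hJMWl7MzB%3D&screenscale=2&screensize=1334x750&sign=070caebcc6f57941c0affd8686a98424&token=2_XPXQH3c5HRPtFHkSwi3sCCURmT25QfxM&vc=1480&vcname=14.33.2&yongsterStatus=0&zbkvc=970"

# Plaintext the frida handler logged for a later attempt of the same login.
TRACED_PLAINTEXT = PREFIX + "X3RfPTE3NTY4ODE4NzZhZGlkPTNkZGE1ZWEwOWYxMTFhNjc5OTY2N2E3MzQzMjUzN2VjNzg4ODA5NThhcHBJZD1ob21ld29ya2J1bmRsZUlEPWNvbS5iYWlkdS5ob21ld29ya2NoYW5uZWw9YXBwc3RvcmVjdWlkPTdjYmY1NDIyZDQwMGE2NTY4NTViZjliOTcxNjUxM2U3YzMwYzE3ZTRkYXlpdmM9NjVkZXZpY2U9aVBob25lIDZzZGlkPTAzZmQ0MWMyNjA2MDAwMDI0N2RlYTA4MDIwMDAwMDAxZmVTa2luTmFtZT1za2luLWdyYXloeWJyaWQ9MWlPU1ZlcnNpb249MTUuOC4xaXNOb3RjaFNjcmVlbj0wbnQ9d2lmaW9zPWlvc3Bhc3N3b3JkPTE0ZTFiNjAwYjFmZDU3OWY0NzQzM2I4OGU4ZDg1MjkxcGVyc29uYWxSZWNvbW1lbmROQT0xcGhvbmU9TXdhTk1faEpNV2w3TXpCPXNjcmVlbnNjYWxlPTJzY3JlZW5zaXplPTEzMzR4NzUwdG9rZW49Ml9YUFhRSDNjNUhSUHRGSGtTd2kzc0NDVVJtVDI1UWZ4TXZjPTE0ODB2Y25hbWU9MTQuMzMuMnlvbmdzdGVyU3RhdHVzPTB6Ymt2Yz05NzA="


def canonicalize(body: str) -> str:
    """Rebuild the string the app base64-encodes before hashing.

    Hypothesis read off the trace: fields are URL-decoded (%3D -> '=',
    %20 -> ' '), `sign` itself is dropped, the remaining keys are sorted
    in byte order and the key=value pairs are joined with no separator.
    """
    fields = parse_qsl(body, keep_blank_values=True)
    kept = sorted((k, v) for k, v in fields if k != "sign")
    return "".join(f"{k}={v}" for k, v in kept)


def sign_input(body: str) -> str:
    """Exact bytes handed to CC_MD5: fixed prefix + base64(canonical string)."""
    canon = canonicalize(body).encode("utf-8")
    return PREFIX + base64.b64encode(canon).decode("ascii")


def decode_traced(plaintext: str) -> str:
    """Inverse direction: strip the prefix and base64-decode a logged input."""
    if not plaintext.startswith(PREFIX):
        raise ValueError("prefix missing: not one of the signed-string inputs")
    return base64.b64decode(plaintext[len(PREFIX):]).decode("utf-8")


if __name__ == "__main__":
    # The trace came from a second login attempt with a newer timestamp.
    body = CAPTURED_BODY.replace("_t_=1756880872", "_t_=1756881876")
    print(decode_traced(TRACED_PLAINTEXT))
    print("matches trace:", sign_input(body) == TRACED_PLAINTEXT)
```

The decoded plaintext makes the point visible: the password field (already an MD5) and the session token both go into the signed string in the clear, and the only secret in the scheme is the fixed prefix.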

