Reverse Engineering the Tower Operations APP Login Protocol 铁塔换电运维登录协议分析
POST /prod-api/checkPasswordApp HTTP/1.1
Host: hd.chinatowercom.cn:8083
Content-Type: application/json
Accept: application/json
client_type: ios
client_device: apple
client_name: towerOperationsAPP
Accept-Encoding: gzip, deflate, br
client_version: 1611
Accept-Language: zh-CN,zh-Hans;q=0.9
client_osversion: 15.8.1
Content-Length: 373
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 15_8_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 Html5Plus/1.0 (Immersed/20) uni-app
Connection: keep-alive
Cookie: HWWAFSESID=94a5773d6449e10d12; HWWAFSESTIME=1755952785177
{"username":"GI2f7JY94AsuVtqRm5EgoDplXORAC1lcMGiEdy1xa1ZtMpZuynLHyj9KNF6AilaK2IBmK1g79vvxweAi7inSIMueDSlgFV6nRkaUCNftzakw7V54UX0vW+PCCBdo3l0fercLwCuiuGaSOhtp2I1dMj+OvIrk5I8L94aX8lv0mYA=","password":"qnBO6QL84KVkAFrbHgFzmkRBk0nh6L42J6K2/f5gQNGuUheQJFGK3pDfh+XHo9nIFsGnS8lF1TEV/beFCrxY4gkk12M/PhLPLP5W70Ftw+hHK0v7gYJgWcY60zWW0MfOGntW/rbelCrnaX8BlCNMx81hwYScac5+7vKZ3skLggs="}
The app is an H5 (uni-app) bundle. In the unpacked IPA the web assets live under \Payload\HBuilder.app\Pandora\apps\__UNI__2F9F9AB\www, and app-service.js is the core file. Search it for the place that looks like where the password is encrypted. There is no convenient dynamic-analysis route into the JS layer of an iOS H5 app, so instead we instrument this JS file and replace the original copy on the device.
Open the app, then run this on the phone (remember to switch to root first):
iPhone:/ root# find . -name app-service.js
./private/var/mobile/Containers/Data/Application/A92AD7E5-F0A1-4FC3-82B0-EFB2655EF0D6/Documents/Pandora/apps/__UNI__2F9F9AB/www/app-service.js
./private/var/mobile/Containers/Data/Application/FE011625-7CBA-4FF1-BC23-53DC8489681B/Library/Pandora/apps/hoo1dnkf8a6kx97zk61@1.0.0.10/www/app-service.js
./private/var/mobile/Containers/Data/Application/1635BA54-D230-42D7-9CEC-BA83C2386537/Library/Pandora/apps/__UNI__FAD4711/www/app-service.js
./private/var/containers/Bundle/Application/D7997287-D8E1-4FB1-A95A-D46F8FF0B0D6/HBuilder.app/Pandora/apps/__UNI__FAD4711/www/app-service.js
./private/var/containers/Bundle/Application/D70EDB88-1F4F-4FBB-B0EC-F1A7000D8C61/HBuilder.app/Pandora/apps/__UNI__2F9F9AB/www/app-service.js
containers/Bundle/ is where the app is installed; mobile/Containers/Data/ is the app's sandbox, where it keeps its runtime files. So the copy to replace is the one under mobile/Containers/Data/ (the __UNI__2F9F9AB directory matching the bundle). Keep a backup of the original file before overwriting it:
scp app-service.js root@192.168.1.6:/private/var/mobile/Containers/Data/Application/A92AD7E5-F0A1-4FC3-82B0-EFB2655EF0D6/Documents/Pandora/apps/__UNI__2F9F9AB/www/app-service.js
Double-press the home button, swipe the app away in the app switcher, and relaunch it so the replaced app-service.js is loaded.
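The instrumentation itself, as an added example (not code from the post or from the app): a logging wrapper of the kind you paste into the patched app-service.js. The `cryptoUtil.encrypt` helper and the `login()` routine are constructed stand-ins for the bundle's real (renamed, webpack-packed) functions, and the stand-in only base64-encodes where the real app produces RSA ciphertext. The name-independent part is hooking `JSON.stringify`: whatever the encryption function is called, the object carrying both ciphertexts passes through the serializer right before the request is sent.

```javascript
'use strict';
// Added example, not code from the post or from the app. "cryptoUtil.encrypt" and
// login() are constructed placeholders; the real bundle's names differ.

const trace = []; // in the patched bundle, swap this for console.log or any sink you can read

// Replace obj[name] with a wrapper that records the arguments and return value of
// every call, then forwards to the original. Returns a function that restores it.
function hookMethod(obj, name, log) {
  const original = obj[name];
  if (typeof original !== 'function') throw new TypeError(name + ' is not a function');
  obj[name] = function hooked(...args) {
    const ret = original.apply(this, args);
    log({ fn: name, args, ret });
    return ret;
  };
  return function unhook() { obj[name] = original; };
}

// Constructed stand-in for the bundle's encryption helper. It only base64-encodes;
// the real app produces RSA ciphertext (see the captured request above).
const cryptoUtil = {
  encrypt(plain) { return Buffer.from(plain, 'utf8').toString('base64'); },
};

// Constructed stand-in for the app's login path: encrypt both fields, then
// serialize the object that becomes the POST body.
function login(username, password) {
  const data = { username: cryptoUtil.encrypt(username), password: cryptoUtil.encrypt(password) };
  return JSON.stringify(data);
}

// Hook the encryption helper and JSON.stringify, run the login path, and hand back
// the body plus the recorded calls. Hooks are always removed afterwards.
function runTraced(username, password) {
  trace.length = 0;
  const unhookEncrypt = hookMethod(cryptoUtil, 'encrypt', e => trace.push(e));
  const unhookStringify = hookMethod(JSON, 'stringify', e => trace.push(e));
  try {
    const body = login(username, password);
    return { body, calls: trace.slice() };
  } finally {
    unhookStringify();
    unhookEncrypt();
  }
}
```

In the real bundle you would hook whichever function the search in app-service.js points at, and keep the `JSON.stringify` hook as a fallback when the name is obfuscated; the plaintext appears in the encrypt hook's arguments and the ciphertexts in the serializer hook's argument object.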
// frida-trace handler for the native side: requests from the JS layer are built by
// -[WXStreamModule _buildRequestWithOptions:callbackRsp:], so logging its options
// dictionary shows the outgoing (already encrypted) body.
defineHandler({
  onEnter(log, args, state) {
    // args[0] is self, args[1] the selector; args[2] is the NSDictionary of
    // request options and args[3] the response callback block.
    var dic = ObjC.Object(args[2]);
    log(`-[WXStreamModule _buildRequestWithOptions:${args[2]} callbackRsp:${args[3]}]`);
    log('body', dic.objectForKey_('body'));
  },
  onLeave(log, retval, state) {
  }
});
// Run against the app by bundle identifier:
// frida-trace -U -N com.chinatower.towerEle4 -m "-[WXStreamModule _buildRequestWithOptions:callbackRsp:]"
The recovered public key (base64-encoded SubjectPublicKeyInfo; the MIGf… prefix and the 172-character, 128-byte ciphertexts in the captured request are consistent with a 1024-bit RSA modulus):
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC47r5DjWOpTqOG4/P4uL2VreukntYtSPOt0AU2FxtpqeTDwLX0QknY6ekDOEE/LpZp8t6bYk73zsKjVycM4abrqNfGMkYkyXGa15CUHzibuVnsY3g0wj3tHpG/U1CG7LM2/Yba34rKmLQniGp4umHxW5aCPQSu1di1/mlf/Pj23wIDAQAB
https://zycreverse.netlify.app/posts/iostieta/