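Preface

The usual kind of opening; the only goal here is to pad out a post…
Research target: 和彩云网盘 (mCloud) 7.3.4
This write-up leans toward results and is only guaranteed to hold for the version studied. The analysis was done last year and is only being published this year, so it may no longer work.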

Example

Login with account and password

POST https://aas.caiyun.feixin.10086.cn/tellin/thirdlogin.do HTTP/1.1
x-DeviceInfo: 1|10.0.3.15|1|7.3.4|Netease|MuMu|87AD2EDF19FFE5D7779D4191937FD5F0|08-00-27-e5-3d-e6|android 6.0.1|900X1600|zh|||
x-ExpRoute-Code: routeCode=18880886001,type=10
Accept-Charset: UTF-8
x-NetType: 1
x-MM-Source: 000
x-SvcType: 1
Accept: text/html,application/xhtml+xml,application/xml;
Connection: keep-alive
x-huawei-channelSrc: 10000023
X-Tingyun-Id: p35OnrDoP8k;c=2;r=1339375589;
Content-Type: text/plain; charset=utf-8
Content-Length: 344
Host: aas.caiyun.feixin.10086.cn
Accept-Encoding: gzip
User-Agent: okhttp/3.11.0

<?xml version="1.0" encoding="UTF-8"?><root><msisdn>18880886001</msisdn><random/><secinfo>871D0A9E95ABA22B4604224CFBA24E605FABBC34</secinfo><version>572</version><clienttype>414</clienttype><pintype>9</pintype><dycpwd/><cpid>58</cpid><verfycode/><requestip>10.0.2.15</requestip><mac/><extInfo/><UID/><loginMode>1</loginMode><srvInfoVer/></root>

# Correct account and password
HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=DE25E78BB56608CD1C186B867BF33C67; Path=/tellin/; Secure; HttpOnly
Content-Type: text/plain;charset=utf-8
Content-Length: 4992
Date: Sun, 25 Oct 2020 04:35:41 GMT
Server: HTTPS

8F5060F5F1158B1CD0C081BA51C02C12DAD4C8F839CE2E44954B1DFE5A7C0137F0FA3FEB366B23A7B9EB4535AC403D0CDF26EB5973C647B26BEB85EBDCA65595AFFC1149A6D387
........

# Incorrect account and password
HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=87D4DF3AB2ABD9A5CEB777E26419377F; Path=/tellin/; Secure; HttpOnly
Content-Type: text/plain;charset=utf-8
Content-Length: 86
Date: Sun, 25 Oct 2020 04:33:13 GMT
Server: HTTPS

<root><return>200050401</return><desc>The user information is incorrect.</desc></root>

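Looking at the login request above, quite a lot is encrypted: the request headers, the request body and the response body are each encrypted to a different degree.

Request Headers

Only the more important ones are covered; most of the others can be left empty or set to their default values.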

x-DeviceInfo

x-DeviceInfo: 1|10.0.3.15|1|7.3.4|Netease|MuMu|87AD2EDF19FFE5D7779D4191937FD5F0|08-00-27-e5-3d-e6|android 6.0.1|900X1600|zh|||

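The header carries quite a lot of data, separated by |. The table below lists the fields after splitting.

| Raw value | Meaning |
| --- | --- |
| 1 (first field) | Network type |
| 10.0.3.15 | IP address |
| 1 (third field) | Fixed default |
| 7.3.4 | SDK version |
| Netease | MANUFACTURER |
| MuMu | MODEL |
| 87AD2EDF19FFE5D7779D4191937FD5F0 | Generated UUID |
| 08-00-27-e5-3d-e6 | MAC address |
| android 6.0.1 | Android version |
| 900X1600 | Screen resolution |
| zh | Default value |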

x-ExpRoute-Code

x-ExpRoute-Code: routeCode=18880886001,type=10

| Raw value | Meaning |
| --- | --- |
| routeCode | Phone number |
| type | Defaults to 10 when logging in with a phone number |

Request Payload

The body is XML; most fields can be left empty or set to their default values.

XML

<?xml version="1.0" encoding="UTF-8"?>
<root>
<msisdn>18880886001</msisdn>
<random/>
<secinfo>871D0A9E95ABA22B4604224CFBA24E605FABBC34</secinfo>
<version>572</version>
<clienttype>414</clienttype>
<pintype>9</pintype>
<dycpwd/>
<cpid>58</cpid>
<verfycode/>
<requestip>10.0.2.15</requestip>
<mac/>
<extInfo/>
<UID/>
<loginMode>1</loginMode>
<srvInfoVer/>
</root>

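In what follows, sha-1(), md5() and so on denote the algorithm applied, and {} denotes a value substituted into the concatenated string.

| Raw value | Meaning |
| --- | --- |
| secinfo | sha-1(fetion.com.cn:{password}) |

Response Payload

Ciphertext

After a successful login, the response is one long ciphertext, which has to be decrypted using values from the surrounding context.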

8F5060F5F1158B1CD0C081BA51C02C12DAD4C8F839CE2E44954B1DFE5A7C0137F0FA3FEB366B23A7B9EB4535AC403D0CDF26EB5973C647B26BEB85EBDCA65595AFFC1149A6D387
........

# Concatenated string
add_key = GErfJus#Ofr%
# Key derivation
clientkeyDecrypt = md5({secinfo}{add_key}) -> substring(0, 16) -> toUpperCase()
# Decryption
result = AES() -> decodeCerResponse(byte(response), byte(clientkeyDecrypt))

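The algorithm is AES encryption/decryption in ECB mode, and the decryption key is the clientkeyDecrypt above.
clientkeyDecrypt is the first 16 characters of the MD5 result, converted to upper case; decrypting in ECB mode with no padding is enough.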

<root>
<return>0</return>
<imspwd>E7E673CD95AEF839206A15A62AFE60E5</imspwd>
<sbc></sbc>
<domain></domain>
<svnlist></svnlist>
<svnuser></svnuser>
<svnpwd></svnpwd>
<htslist></htslist>
<userType>1</userType>
<userid>1711h52AR1yI</userid>
<loginid>160334480555369</loginid>
<heartime>4</heartime>
<funcId>1000000000000000</funcId>
<token>gquJ43xQ|1|RCS|1605936805651|BnEaDQrCg8cUJ1Mp4GjV1.dmGoOVrB0meR52eij8PBOOtkY8x3c5MI92EP_rBWg4tuPUOLExb.wl724cetD5rUHz5BlW5OzaMK0Z6SiA52Kst0Nvt.sBnIi4bYK8x5etKwRZeTUya6ULgApq_vQgTdM9pCaqnaKiDV1vqBGXkaQ-</token>
<expiretime>2592000</expiretime>
<authToken>gquJ43xQ|1|RCS|1605936805651|BnEaDQrCg8cUJ1Mp4GjV1.dmGoOVrB0meR52eij8PBOOtkY8x3c5MI92EP_rBWg4tuPUOLExb.wl724cetD5rUHz5BlW5OzaMK0Z6SiA52Kst0Nvt.sBnIi4bYK8x5etKwRZeTUya6ULgApq_vQgTdM9pCaqnaKiDV1vqBGXkaQ-</authToken>
<atExpiretime>2592000</atExpiretime>
<deviceid>5617A97CE3EA4B7187F4A6D84CB02880</deviceid>
<serverinfo>
<mbhttpsurl>https://ose1.caiyun.feixin.10086.cn:8542/isbo/openApi/</mbhttpsurl>
<fburl>http://mrp.weibo.10086.cn</fburl>
<editurl>http://edit.caiyun.feixin.10086.cn</editurl>
<mediaurl>http://120.132.156.103:80</mediaurl>
<cmpassurl>https://www.cmpassport.com</cmpassurl>
<cytxlurl>https://auth.cytxl.com.cn</cytxlurl>
<fxcaptchaurl>http://nav.fetion.com.cn</fxcaptchaurl>
<xmppaddr>221.176.66.104:5225,221.176.66.104:5226,221.176.66.104:5227</xmppaddr>
<boshurl>221.176.66.104:8081,221.176.66.104:8082,221.176.66.104:8083</boshurl>
<marketurl>http://mcmm.caiyun.feixin.10086.cn:80</marketurl>
<invitecodeurl>http://caiyun.feixin.10086.cn/i.jsp</invitecodeurl>
<pingurl>http://221.176.66.99:80</pingurl>
<rifurl>http://ose.caiyun.feixin.10086.cn:80/richlifeApp</rifurl>
<wapUrl>http://caiyun.feixin.10086.cn:7070</wapUrl>
<rifhttpsurl>https://ose.caiyun.feixin.10086.cn:443/richlifeApp</rifhttpsurl>
<chargeUrl>https://cmmedia.caiyun.feixin.10086.cn:443</chargeUrl>
<isboUrl>https://ose1.caiyun.feixin.10086.cn:8542</isboUrl>
<calURL>http://ose.caiyun.feixin.10086.cn/richlifeApp</calURL>
<testTermConnectURL>http://aas.caiyun.feixin.10086.cn/tellin/usr/puc/ispace/testTermConnect.do</testTermConnectURL>
</serverinfo>
<account>15802336010</account>
<expiryDate>-1</expiryDate>
<areaCode>23</areaCode>
<provCode>23</provCode>
<userExtInfo>
<passID>844163976</passID>
<AndID>844163976</AndID>
<isRegWeibo>-1</isRegWeibo>
<accessToken>NTE1MUFCNjcxMTM2RjA1QTg3N0VBOUU4ODQzRjE3QkIyOEY2RjQ4Qzk5RUY4NUFDMEVBODMxOEQyRTk2NEU1ODo0NDYxMDE=</accessToken>
</userExtInfo>
<srvInfoVer>D071457A5A1AE65EADDB39E38EE3A2F8</srvInfoVer>
</root>

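Note that the decrypted data ends with N bytes of \x0f, \x0b, \x0c or \x06.
Other byte values may appear as well, so it is best to strip them with a general matching approach.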
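
The key derivation, decryption and trailing-byte clean-up described above, as an added Python example that is not the author's or the app's own code. It treats the trailing bytes as PKCS#7 padding (n bytes of value n, which matches the \x0f, \x0b, \x0c and \x06 runs noted above). Assumptions: the response body is hex-encoded, `secinfo` is upper-case hex as in the sample request, the third-party `cryptography` package is installed for the AES step, and all function names are illustrative.

```python
import hashlib

ADD_KEY = "GErfJus#Ofr%"           # constant string given on the page
SECINFO_PREFIX = "fetion.com.cn:"   # prefix given on the page


def make_secinfo(password: str) -> str:
    # secinfo = sha-1(fetion.com.cn:{password}); upper-case hex is an
    # assumption taken from the sample request.
    data = (SECINFO_PREFIX + password).encode("utf-8")
    return hashlib.sha1(data).hexdigest().upper()


def derive_client_key(secinfo: str) -> bytes:
    # md5({secinfo}{add_key}) -> first 16 hex characters -> upper case.
    # The 16 ASCII characters are used directly as the AES-128 key (assumed).
    digest = hashlib.md5((secinfo + ADD_KEY).encode("utf-8")).hexdigest()
    return digest[:16].upper().encode("ascii")


def strip_padding(plain: bytes, block: int = 16) -> bytes:
    # PKCS#7: the last byte n says how many bytes of value n were appended.
    # Data whose tail is not valid padding is returned unchanged.
    if not plain or len(plain) % block:
        return plain
    n = plain[-1]
    if 1 <= n <= block and plain.endswith(bytes([n]) * n):
        return plain[:-n]
    return plain


def decrypt_response(hex_body: str, secinfo: str) -> bytes:
    # Assumes a hex-encoded body; decrypts AES-ECB with no padding handling
    # in the cipher, then strips the padding explicitly.
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    raw = bytes.fromhex(hex_body.strip())
    key = derive_client_key(secinfo)
    dec = Cipher(algorithms.AES(key), modes.ECB()).decryptor()
    return strip_padding(dec.update(raw) + dec.finalize())
```

Because the key is derived only from `secinfo`, which is sent in the request body, the confidentiality of the response depends entirely on the confidentiality of the request.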

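Implementation

Repository: 和彩云 content encryption and decryption
The code logic is fairly simple; details are still under construction…

Summary

The code in this article is for learning purposes only. Please do not repost it without permission.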

END.