【逆向】MDD 4.4.10 getSactionV2 sign算法

[nilaoda]

抓包

略

定位函数

用jadx-gui打开apk，然后搜索相关关键字定位函数位置

通过frida hook这个方法，先看看传入的都是些什么

setTimeout(function(){ 
    if(Java.available) {
        Java.perform(function () {
            var targetClass = Java.use('hb.d');
            targetClass.e.implementation = function (str,t,l) {
                var returnValue = this.e(str,t,l);
                if(str.indexOf("getSaction") > -1) {
                    send("str:"+str+";t:"+t+";l:"+l);
                    send("Return:"+returnValue);
                }
                return returnValue;
            }
        });
    }
});

message: {'type': 'send', 'payload': 'str:api/vod/getSactionV2.action;t:com.tvbc.maiduidui.http.params.GetEpisodeInfoParam@75919f8;l:1655617734672'} data: None

可以看到新版APP已经使用了getSactionV2.action，观察函数可知，程序会调用onlySign()方法

点进onlySign()方法，继续进行hook

setTimeout(function(){ 
    if(Java.available) {
        Java.perform(function () {
            var targetClass = Java.use('com.tvbc.mdd.jni.JniManager');
            targetClass.onlySign.implementation = function (context2,str) {
                var returnValue = this.onlySign(context2,str);
                send("str:"+str);
                send("Return:"+returnValue);
                return returnValue;
            }
        });
    }
});

播放视频，得到hook结果

记录sign的输入和输入，方便后续在程序中测试

出于隐私考虑，这里隐藏了appToken

• 输入：os:Android|version:4.4.10|action:/api/vod/getSactionV2.action|time:1655617802236|appToken:xxx|privateKey:e1be6b4cf4021b3d181170d1879a530a9e4130b69032144d5568abfd6cd6c1c2|data:action=playUrl&checkVodTicket=2&issueVodTicketInfo=0&sactionUuid=ff808081816c058301816fd962aa02c6&
• 输出：g9iNZ6RRxwCePdE3hS6QXcZi0pl3JzVpPV3mZZybDUX5wK8y/MFk8x49bPsKuqu+yVLGmbcZM3aBjyZZyqmMDCcIFsqmYpCA/1pCIOD6g9QL2576o85Y5sIJagK27553gQrAJgfI0+wL4Z7OhGRJ9T4j0yYYAJ9F9w4IgCXdNQPZ2ra8rW33VQAhJXlbIGnl6Mk6Y8jVqHUKfIuu+vSctyUI+puh4Ih5AlgjbsQ2OmHybIhSrPPWxUtLQcU0XLWFeUw1YYFdnc0o66bRHzB6BM45NtZb20foGjIqroVqwd/DHBIObPKMPowC3ozk5lhn5Xvx9jpWPD635xuBtihe2g==

onlySign方法

public String onlySign(Context context2, String str) {
    try {
        StringBuffer stringBuffer = new StringBuffer();
        stringBuffer.append("1");
        stringBuffer.append(getAppSignSha256(context2));
        if (!judgeInformation(stringBuffer.toString(), context2.getPackageName())) {
            return "null";
        }
        Signature instance2 = Signature.getInstance(getSignType());
        instance2.initSign(getM1());
        instance2.update(str.getBytes("UTF-8"));
        return a.b().g(instance2.sign());
    } catch (Exception e10) {
        Log.e("异常：{", e10.toString() + " }");
        return "null";
    }
}

获取getSignType() 返回值

从最简单的入手

getSignType() 调用了native方法

没有搞过Jni的hook，我就通过Unidbg调用libmdds.so，可以得到返回值

点击展开

import com.github.unidbg.AndroidEmulator;
import com.github.unidbg.LibraryResolver;
import com.github.unidbg.Module;
import com.github.unidbg.arm.backend.DynarmicFactory;
import com.github.unidbg.arm.backend.KvmFactory;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.linux.android.dvm.DalvikModule;
import com.github.unidbg.linux.android.dvm.DvmClass;
import com.github.unidbg.linux.android.dvm.StringObject;
import com.github.unidbg.linux.android.dvm.VM;
import com.github.unidbg.linux.android.dvm.jni.ProxyClassFactory;
import com.github.unidbg.memory.Memory;
import com.github.unidbg.virtualmodule.android.AndroidModule;
import com.github.unidbg.virtualmodule.android.JniGraphics;

import java.io.File;
import java.io.IOException;

public class MddSoSignUtils {
    //-Djava.library.path=prebuilt/win64 -Djna.library.path=prebuilt/win64

    //ARM模拟器
    private static AndroidEmulator emulator = null;
    //vm
    private static VM vm = null;

    private static DvmClass DvmC = null;

    private static LibraryResolver createLibraryResolver() {
        return new AndroidResolver(23);
    }

    private static AndroidEmulator createARMEmulator() {
        return AndroidEmulatorBuilder
                .for32Bit()
                .setProcessName("com.tvbc.maiduidui")
                .addBackendFactory(new DynarmicFactory(true))
                .addBackendFactory(new KvmFactory(true))
                .build();
    }

    static {
        String path = System.getProperty("user.dir");
        emulator = createARMEmulator();
        final Memory memory = emulator.getMemory();
        memory.setLibraryResolver(createLibraryResolver());

        vm = emulator.createDalvikVM();
        vm.setDvmClassFactory(new ProxyClassFactory());
        Module module = new JniGraphics(emulator, vm).register(memory);
        assert module != null;
        new AndroidModule(emulator, vm).register(memory);
        vm.setVerbose(false);

        DalvikModule dm = null;
        dm = vm.loadLibrary(new File(path + "/myso/libmdds.so"), false);
        dm.callJNI_OnLoad(emulator);
        module = dm.getModule();
        //加载so的那个类
        DvmC = vm.resolveClass("com/tvbc/mdd/jni/JniManager");
    }

    public static String getSignType() {

        StringObject ret = DvmC.callStaticJniMethodObject(emulator,
                "getSignType()Ljava/lang/String;"
        );

        return ret.getValue();
    }


    //关闭模拟器
    private static void destroy() throws IOException {
        emulator.close();
    }


    public static void main(String[] args) {
        System.out.println(">>>>>>>>>>>>>>>>>>>Result: " + getSignType());
    }
}

到这里可知其实就是SHA256withRSA的签名算法，接下来只要拿到私钥就可以进行签名了

获取getM1()返回值

可以看到，返回的是PrivateKey对象，由于比较简单，可以通过得到getXMaa() 、getYMbb() 和getKeyType()的值来自行生成

与上文同理，可得：

>>>>>>>>>>>>>>>>>>>getXMaa: MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCY8kcWul6v8XCMm277mN7HCezd4LMrroR2SMY4eJweBqBhXMP1crmQbW1hHMqEIpkVfLZVtD91aB3AfnTt1K4jEb8w5s0PwfWFitIx1/l9T/YsOROBknGH/izsA9jNaszfkM/rS2YkhcINtlFujXJRA7Z+OdVBOODFLi2Yc2nqtQuSx4pZpiul1Kgg9u1XD2K0rGzj9yzscnnsYW5ma9Vr97I8R+8mcqBWnLasFH69hmEnkd/afbRNp/q0Z+zCjXMu3c99yxarwchQN0gHi/Z30Z9D+DdwtYwnWUxjZjR+Hlq7kSjj9ZMA9zltfEo+kpRWMOi6vpeCF5sKXFyiXi1vAgMBAAECgg01

>>>>>>>>>>>>>>>>>>>getYMbb: EAN/fAh9KfP6cMVoeybyMbsp4xLWhCaGOuWVJ8JsIL7vjhy38UvkbDHNTOR9EvUncOqcw/NNGGv0HgUUZ1J2rCZlbiLdTniTKi08Fe9Zpg07hlDv2745hhLzCV46/ssA669byaOTIYKJlBz5694cSk5nyDVWF4ZiuYJM+nI7hoM9iHep4ZlEs+RtM/P8LAGHErxcqFfZj7etsHqJ7fgU/sfEbG3ZqdkoPIoCPXf3Lxh1H8FJDgYZGpTZZicFThSkmgTJFGwRLgi5IzVeWpFwvt6ZuGSCIRDBr2s+X9/p/dVejJJn66eFfuLYWFifnthdqjdFPKo2jSD2Lb09QeV6AvIQKBgQDN6m48+Ekbn7LYkdgXLbTDVCcRXFMpbtLE2tUXjGCLcUoOPfqhq4HRWcykz/pYzSGqu+6/1THMFyj/ZTLNc6LvpQn+G9Ka7i4ZZQnvAYPAVE4T/Fi0UxSNMEfXHocwRn0xfsVET7IjEuK/fYF7H7g4Hrj7El8ErltLNWm3sJeTaQKBgQC+JacTaaNnEINP/Ghi+BZou9msfDwuJgAt88gSyb1CYG/oTqUkhScLiPzSZU9GupOwAoC4nv1wXZyB7kR0hbs9d7/ButoWAZEMMWJu2zyzBBf3RLdC6pqVIJBcF3D2BbwdLsrmiCdxUtSsU8Wyfk3eGIUcp/k1hzsoHV2J5cWXFwKBgH87MO4/Q3zsCifCxdBcj2p5nsIdV80sCtNTm4M3W5gNYgK2zRwDyuy+HbJgR4GDDiBeisDBTEmcrdpQfzlvD+gfA7OdIV5VeOp8Ac1KFExMSwoSTATvqK0sfdcvp7xucYCZoe35iEofqzdCpzSafss+QHHyAf/0c7hewnmbhayxAoGAQK+gefsrConUkiZlAJ4zSWf2cjZFZtGop/lR7ApTZzxVdasjhRwDH2p3z7+FS6N3UJ5ZWfVEdLBz6MO86AMCorOVOXuua2QXCxXVza6ppKDU4lqvGYWkFu1gDuQumpNy3l6nyesxt9yc2w8Yp1NOfCrNReVi4zHhDxGGW74eDPsCgYEAtANYnKNgnB6ZII8PHhFY+diXEa3dVpVeIcj9BF7bsnbLVtx1CQMRnz2vZBzHsnQvQAg7sJxOZGMm1KgWBT2Or/AAHWKqTo+jSyShxtql/lekTiYqcvO1h+8k4lgZTG4f53h7tw4FRdpokea69v/u8snDBkM9KxUg72UlJNryaMI=x

>>>>>>>>>>>>>>>>>>>getKeyType: RSA

a.a().c 返回值

点进去

我到这里才突然反应过来，由于a.a().c 的参数是固定字符串，所以我们hook拿到函数返回值直接用就行了。。 getXMaa()和getYMbb()都不重要。。

function encodeHex(byteArray) {
    const HexClass = Java.use('org.apache.commons.codec.binary.Hex');
    const StringClass = Java.use('java.lang.String');
    const hexChars = HexClass.encodeHex(byteArray);
    return StringClass.$new(hexChars).toString();
}

setTimeout(function(){ 
    if(Java.available) {
        Java.perform(function () {
            var targetClass = Java.use('df.a$c');
            targetClass.c.implementation = function (c) {
                var returnValue = this.c(c);
                console.log(encodeHex(returnValue));
                return returnValue;
            }
        });
    }
});

得到HEX结果：

308204bd020100300d06092a864886f70d0101010500048204a7308204a3020100028201010098f24716ba5eaff1708c9b6efb98dec709ecdde0b32bae847648c638789c1e06a0615cc3f572b9906d6d611cca842299157cb655b43f75681dc07e74edd4ae2311bf30e6cd0fc1f5858ad231d7f97d4ff62c391381927187fe2cec03d8cd6accdf90cfeb4b662485c20db6516e8d725103b67e39d54138e0c52e2d987369eab50b92c78a59a62ba5d4a820f6ed570f62b4ac6ce3f72cec7279ec616e666bd56bf7b23c47ef2672a0569cb6ac147ebd86612791dfda7db44da7fab467ecc28d732eddcf7dcb16abc1c8503748078bf677d19f43f83770b58c27594c6366347e1e5abb9128e3f59300f7396d7c4a3e92945630e8babe9782179b0a5c5ca25e2d6f02030100010282010037f7c087d29f3fa70c5687b26f231bb29e312d68426863ae59527c26c20beef8e1cb7f14be46c31cd4ce47d12f52770ea9cc3f34d186bf41e0514675276ac26656e22dd4e78932a2d3c15ef59a60d3b8650efdbbe398612f3095e3afecb00ebaf5bc9a393218289941cf9ebde1c4a4e67c83556178662b9824cfa723b86833d8877a9e19944b3e46d33f3fc2c018712bc5ca857d98fb7adb07a89edf814fec7c46c6dd9a9d9283c8a023d77f72f18751fc1490e06191a94d96627054e14a49a04c9146c112e08b923355e5a9170bede99b864822110c1af6b3e5fdfe9fdd55e8c9267eba7857ee2d858589f9ed85daa37453caa368d20f62dbd3d41e57a02f2102818100cdea6e3cf8491b9fb2d891d8172db4c35427115c53296ed2c4dad5178c608b714a0e3dfaa1ab81d159cca4cffa58cd21aabbeebfd531cc1728ff6532cd73a2efa509fe1bd29aee2e196509ef0183c0544e13fc58b453148d3047d71e8730467d317ec5444fb22312e2bf7d817b1fb8381eb8fb125f04ae5b4b3569b7b097936902818100be25a71369a36710834ffc6862f81668bbd9ac7c3c2e26002df3c812c9bd42606fe84ea52485270b88fcd2654f46ba93b00280b89efd705d9c81ee447485bb3d77bfc1bada1601910c31626edb3cb30417f744b742ea9a9520905c1770f605bc1d2ecae688277152d4ac53c5b27e4dde18851ca7f935873b281d5d89e5c597170281807f3b30ee3f437cec0a27c2c5d05c8f6a799ec21d57cd2c0ad3539b83375b980d6202b6cd1c03caecbe1db2604781830e205e8ac0c14c499cadda507f396f0fe81f03b39d215e5578ea7c01cd4a144c4c4b0a124c04efa8ad2c7dd72fa7bc6e718099a1edf9884a1fab3742a7349a7ecb3e4071f201fff473b85ec2799b85acb102818040afa079fb2b0a89d4922665009e334967f672364566d1a8a7f951ec0a53673c5575ab23851c031f6a77cfbf854ba377509e5959f54474b073e8c3bce80302a2b395397bae6b64170b15d5cdaea9a4a0d4e25aaf1985a416ed600ee42e9a9372de5ea7c9eb31b7dc9cdb0f18a7534e7c2acd45e562e331e10f11865bbe1e0cfb02818100b403589ca3609c1e99208f0f1e1158f9d89711addd56955e21c8fd045edbb276cb56dc750903119f3daf641cc7b2742f40083bb09c4e646326d4a816053d8eaff0001d62aa4e8fa34b24a1c6daa5fe57a44e262a72f3b587ef24e258194c6e1fe7787bb70e0545da6891e6baf6ffeef2c9c306433d2b1520ef652524daf268c2

a.a().g

这个函数目测就是Base64 Encode而已

最终Java实现

import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;

public class MddV2SignUtil {
    private static String getSignType() {
        return "SHA256withRSA";
    }

    private static String getKeyType() {
        return "RSA";
    }

    private static PrivateKey getM1() {
        try {
            KeyFactory instance2 = KeyFactory.getInstance(getKeyType());
            PrivateKey privateKey = instance2.generatePrivate(new PKCS8EncodedKeySpec(c()));
            //System.out.println(Base64.getEncoder().encodeToString(privateKey.getEncoded()));
            return privateKey;
        } catch (Exception e10) {
            //Log.e("异常：{", e10.toString() + " }");
            return null;
        }
    }

    private static byte[] hexStringToByteArray(String s) {
        s = s.toUpperCase();
        int len = s.length();
        byte[] data = new byte[len / 2];
        for (int i = 0; i < len; i += 2) {
            data[i / 2] = (byte) ((Character.digit(s.charAt(i), 16) << 4)
                    + Character.digit(s.charAt(i + 1), 16));
        }
        return data;
    }

    private static byte[] c() {
        return hexStringToByteArray("308204bd020100300d06092a864886f70d0101010500048204a7308204a3020100028201010098f24716ba5eaff1708c9b6efb98dec709ecdde0b32bae847648c638789c1e06a0615cc3f572b9906d6d611cca842299157cb655b43f75681dc07e74edd4ae2311bf30e6cd0fc1f5858ad231d7f97d4ff62c391381927187fe2cec03d8cd6accdf90cfeb4b662485c20db6516e8d725103b67e39d54138e0c52e2d987369eab50b92c78a59a62ba5d4a820f6ed570f62b4ac6ce3f72cec7279ec616e666bd56bf7b23c47ef2672a0569cb6ac147ebd86612791dfda7db44da7fab467ecc28d732eddcf7dcb16abc1c8503748078bf677d19f43f83770b58c27594c6366347e1e5abb9128e3f59300f7396d7c4a3e92945630e8babe9782179b0a5c5ca25e2d6f02030100010282010037f7c087d29f3fa70c5687b26f231bb29e312d68426863ae59527c26c20beef8e1cb7f14be46c31cd4ce47d12f52770ea9cc3f34d186bf41e0514675276ac26656e22dd4e78932a2d3c15ef59a60d3b8650efdbbe398612f3095e3afecb00ebaf5bc9a393218289941cf9ebde1c4a4e67c83556178662b9824cfa723b86833d8877a9e19944b3e46d33f3fc2c018712bc5ca857d98fb7adb07a89edf814fec7c46c6dd9a9d9283c8a023d77f72f18751fc1490e06191a94d96627054e14a49a04c9146c112e08b923355e5a9170bede99b864822110c1af6b3e5fdfe9fdd55e8c9267eba7857ee2d858589f9ed85daa37453caa368d20f62dbd3d41e57a02f2102818100cdea6e3cf8491b9fb2d891d8172db4c35427115c53296ed2c4dad5178c608b714a0e3dfaa1ab81d159cca4cffa58cd21aabbeebfd531cc1728ff6532cd73a2efa509fe1bd29aee2e196509ef0183c0544e13fc58b453148d3047d71e8730467d317ec5444fb22312e2bf7d817b1fb8381eb8fb125f04ae5b4b3569b7b097936902818100be25a71369a36710834ffc6862f81668bbd9ac7c3c2e26002df3c812c9bd42606fe84ea52485270b88fcd2654f46ba93b00280b89efd705d9c81ee447485bb3d77bfc1bada1601910c31626edb3cb30417f744b742ea9a9520905c1770f605bc1d2ecae688277152d4ac53c5b27e4dde18851ca7f935873b281d5d89e5c597170281807f3b30ee3f437cec0a27c2c5d05c8f6a799ec21d57cd2c0ad3539b83375b980d6202b6cd1c03caecbe1db2604781830e205e8ac0c14c499cadda507f396f0fe81f03b39d215e5578ea7c01cd4a144c4c4b0a124c04efa8ad2c7dd72fa7bc6e718099a1edf9884a1fab3742a7349a7ecb3e4071f201fff473b85ec2799b85acb102818040afa079fb2b0a89d4922665009e334967f672364566d1a8a7f951ec0a53673c5575ab23851c031f6a77cfbf854ba377509e5959f54474b073e8c3bce80302a2b395397bae6b64170b15d5cdaea9a4a0d4e25aaf1985a416ed600ee42e9a9372de5ea7c9eb31b7dc9cdb0f18a7534e7c2acd45e562e331e10f11865bbe1e0cfb02818100b403589ca3609c1e99208f0f1e1158f9d89711addd56955e21c8fd045edbb276cb56dc750903119f3daf641cc7b2742f40083bb09c4e646326d4a816053d8eaff0001d62aa4e8fa34b24a1c6daa5fe57a44e262a72f3b587ef24e258194c6e1fe7787bb70e0545da6891e6baf6ffeef2c9c306433d2b1520ef652524daf268c2");
    }

    public static String sign(String str) {
        try {
            Signature instance2 = Signature.getInstance(getSignType());
            instance2.initSign(getM1());
            instance2.update(str.getBytes("UTF-8"));
            String sign = Base64.getEncoder().encodeToString(instance2.sign());
            return sign;
        } catch (Exception e) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        String str = "os:Android|version:4.4.10|action:/api/vod/getSactionV2.action|time:1655617802236|appToken:xxx|privateKey:e1be6b4cf4021b3d181170d1879a530a9e4130b69032144d5568abfd6cd6c1c2|data:action=playUrl&checkVodTicket=2&issueVodTicketInfo=0&sactionUuid=ff808081816c058301816fd962aa02c6&";
        Signature instance2 = Signature.getInstance(getSignType());
        instance2.initSign(getM1());
        instance2.update(str.getBytes("UTF-8"));
        String sign = Base64.getEncoder().encodeToString(instance2.sign());
        System.out.println(str);
        System.out.println(sign);
    }
}

[nilaoda]

附上私钥的两种格式，方便使用

PKCS#1

-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAmPJHFrper/FwjJtu+5jexwns3eCzK66EdkjGOHicHgagYVzD
9XK5kG1tYRzKhCKZFXy2VbQ/dWgdwH507dSuIxG/MObND8H1hYrSMdf5fU/2LDkT
gZJxh/4s7APYzWrM35DP60tmJIXCDbZRbo1yUQO2fjnVQTjgxS4tmHNp6rULkseK
WaYrpdSoIPbtVw9itKxs4/cs7HJ57GFuZmvVa/eyPEfvJnKgVpy2rBR+vYZhJ5Hf
2n20Taf6tGfswo1zLt3PfcsWq8HIUDdIB4v2d9GfQ/g3cLWMJ1lMY2Y0fh5au5Eo
4/WTAPc5bXxKPpKUVjDour6XghebClxcol4tbwIDAQABAoIBADf3wIfSnz+nDFaH
sm8jG7KeMS1oQmhjrllSfCbCC+744ct/FL5GwxzUzkfRL1J3DqnMPzTRhr9B4FFG
dSdqwmZW4i3U54kyotPBXvWaYNO4ZQ79u+OYYS8wleOv7LAOuvW8mjkyGCiZQc+e
veHEpOZ8g1VheGYrmCTPpyO4aDPYh3qeGZRLPkbTPz/CwBhxK8XKhX2Y+3rbB6ie
34FP7HxGxt2anZKDyKAj139y8YdR/BSQ4GGRqU2WYnBU4UpJoEyRRsES4IuSM1Xl
qRcL7embhkgiEQwa9rPl/f6f3VXoySZ+unhX7i2FhYn57YXao3RTyqNo0g9i29PU
HlegLyECgYEAzepuPPhJG5+y2JHYFy20w1QnEVxTKW7SxNrVF4xgi3FKDj36oauB
0VnMpM/6WM0hqrvuv9UxzBco/2UyzXOi76UJ/hvSmu4uGWUJ7wGDwFROE/xYtFMU
jTBH1x6HMEZ9MX7FRE+yIxLiv32Bex+4OB64+xJfBK5bSzVpt7CXk2kCgYEAviWn
E2mjZxCDT/xoYvgWaLvZrHw8LiYALfPIEsm9QmBv6E6lJIUnC4j80mVPRrqTsAKA
uJ79cF2cge5EdIW7PXe/wbraFgGRDDFibts8swQX90S3QuqalSCQXBdw9gW8HS7K
5ogncVLUrFPFsn5N3hiFHKf5NYc7KB1dieXFlxcCgYB/OzDuP0N87AonwsXQXI9q
eZ7CHVfNLArTU5uDN1uYDWICts0cA8rsvh2yYEeBgw4gXorAwUxJnK3aUH85bw/o
HwOznSFeVXjqfAHNShRMTEsKEkwE76itLH3XL6e8bnGAmaHt+YhKH6s3Qqc0mn7L
PkBx8gH/9HO4XsJ5m4WssQKBgECvoHn7KwqJ1JImZQCeM0ln9nI2RWbRqKf5UewK
U2c8VXWrI4UcAx9qd8+/hUujd1CeWVn1RHSwc+jDvOgDAqKzlTl7rmtkFwsV1c2u
qaSg1OJarxmFpBbtYA7kLpqTct5ep8nrMbfcnNsPGKdTTnwqzUXlYuMx4Q8Rhlu+
Hgz7AoGBALQDWJyjYJwemSCPDx4RWPnYlxGt3VaVXiHI/QRe27J2y1bcdQkDEZ89
r2Qcx7J0L0AIO7CcTmRjJtSoFgU9jq/wAB1iqk6Po0skocbapf5XpE4mKnLztYfv
JOJYGUxuH+d4e7cOBUXaaJHmuvb/7vLJwwZDPSsVIO9lJSTa8mjC
-----END RSA PRIVATE KEY-----

PKCS#8

-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCY8kcWul6v8XCM
m277mN7HCezd4LMrroR2SMY4eJweBqBhXMP1crmQbW1hHMqEIpkVfLZVtD91aB3A
fnTt1K4jEb8w5s0PwfWFitIx1/l9T/YsOROBknGH/izsA9jNaszfkM/rS2YkhcIN
tlFujXJRA7Z+OdVBOODFLi2Yc2nqtQuSx4pZpiul1Kgg9u1XD2K0rGzj9yzscnns
YW5ma9Vr97I8R+8mcqBWnLasFH69hmEnkd/afbRNp/q0Z+zCjXMu3c99yxarwchQ
N0gHi/Z30Z9D+DdwtYwnWUxjZjR+Hlq7kSjj9ZMA9zltfEo+kpRWMOi6vpeCF5sK
XFyiXi1vAgMBAAECggEAN/fAh9KfP6cMVoeybyMbsp4xLWhCaGOuWVJ8JsIL7vjh
y38UvkbDHNTOR9EvUncOqcw/NNGGv0HgUUZ1J2rCZlbiLdTniTKi08Fe9Zpg07hl
Dv2745hhLzCV46/ssA669byaOTIYKJlBz5694cSk5nyDVWF4ZiuYJM+nI7hoM9iH
ep4ZlEs+RtM/P8LAGHErxcqFfZj7etsHqJ7fgU/sfEbG3ZqdkoPIoCPXf3Lxh1H8
FJDgYZGpTZZicFThSkmgTJFGwRLgi5IzVeWpFwvt6ZuGSCIRDBr2s+X9/p/dVejJ
Jn66eFfuLYWFifnthdqjdFPKo2jSD2Lb09QeV6AvIQKBgQDN6m48+Ekbn7LYkdgX
LbTDVCcRXFMpbtLE2tUXjGCLcUoOPfqhq4HRWcykz/pYzSGqu+6/1THMFyj/ZTLN
c6LvpQn+G9Ka7i4ZZQnvAYPAVE4T/Fi0UxSNMEfXHocwRn0xfsVET7IjEuK/fYF7
H7g4Hrj7El8ErltLNWm3sJeTaQKBgQC+JacTaaNnEINP/Ghi+BZou9msfDwuJgAt
88gSyb1CYG/oTqUkhScLiPzSZU9GupOwAoC4nv1wXZyB7kR0hbs9d7/ButoWAZEM
MWJu2zyzBBf3RLdC6pqVIJBcF3D2BbwdLsrmiCdxUtSsU8Wyfk3eGIUcp/k1hzso
HV2J5cWXFwKBgH87MO4/Q3zsCifCxdBcj2p5nsIdV80sCtNTm4M3W5gNYgK2zRwD
yuy+HbJgR4GDDiBeisDBTEmcrdpQfzlvD+gfA7OdIV5VeOp8Ac1KFExMSwoSTATv
qK0sfdcvp7xucYCZoe35iEofqzdCpzSafss+QHHyAf/0c7hewnmbhayxAoGAQK+g
efsrConUkiZlAJ4zSWf2cjZFZtGop/lR7ApTZzxVdasjhRwDH2p3z7+FS6N3UJ5Z
WfVEdLBz6MO86AMCorOVOXuua2QXCxXVza6ppKDU4lqvGYWkFu1gDuQumpNy3l6n
yesxt9yc2w8Yp1NOfCrNReVi4zHhDxGGW74eDPsCgYEAtANYnKNgnB6ZII8PHhFY
+diXEa3dVpVeIcj9BF7bsnbLVtx1CQMRnz2vZBzHsnQvQAg7sJxOZGMm1KgWBT2O
r/AAHWKqTo+jSyShxtql/lekTiYqcvO1h+8k4lgZTG4f53h7tw4FRdpokea69v/u
8snDBkM9KxUg72UlJNryaMI=
-----END PRIVATE KEY-----

测试

网址：http://www.metools.info/code/c82.html

[nilaoda]

再附网页实现

<script src="https://cdnjs.cloudflare.com/ajax/libs/jsrsasign/8.0.20/jsrsasign-all-min.js"></script>
<script>
const msg = "hello world";
const privateKey = String.raw`-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAmPJHFrper/FwjJtu+5jexwns3eCzK66EdkjGOHicHgagYVzD
9XK5kG1tYRzKhCKZFXy2VbQ/dWgdwH507dSuIxG/MObND8H1hYrSMdf5fU/2LDkT
gZJxh/4s7APYzWrM35DP60tmJIXCDbZRbo1yUQO2fjnVQTjgxS4tmHNp6rULkseK
WaYrpdSoIPbtVw9itKxs4/cs7HJ57GFuZmvVa/eyPEfvJnKgVpy2rBR+vYZhJ5Hf
2n20Taf6tGfswo1zLt3PfcsWq8HIUDdIB4v2d9GfQ/g3cLWMJ1lMY2Y0fh5au5Eo
4/WTAPc5bXxKPpKUVjDour6XghebClxcol4tbwIDAQABAoIBADf3wIfSnz+nDFaH
sm8jG7KeMS1oQmhjrllSfCbCC+744ct/FL5GwxzUzkfRL1J3DqnMPzTRhr9B4FFG
dSdqwmZW4i3U54kyotPBXvWaYNO4ZQ79u+OYYS8wleOv7LAOuvW8mjkyGCiZQc+e
veHEpOZ8g1VheGYrmCTPpyO4aDPYh3qeGZRLPkbTPz/CwBhxK8XKhX2Y+3rbB6ie
34FP7HxGxt2anZKDyKAj139y8YdR/BSQ4GGRqU2WYnBU4UpJoEyRRsES4IuSM1Xl
qRcL7embhkgiEQwa9rPl/f6f3VXoySZ+unhX7i2FhYn57YXao3RTyqNo0g9i29PU
HlegLyECgYEAzepuPPhJG5+y2JHYFy20w1QnEVxTKW7SxNrVF4xgi3FKDj36oauB
0VnMpM/6WM0hqrvuv9UxzBco/2UyzXOi76UJ/hvSmu4uGWUJ7wGDwFROE/xYtFMU
jTBH1x6HMEZ9MX7FRE+yIxLiv32Bex+4OB64+xJfBK5bSzVpt7CXk2kCgYEAviWn
E2mjZxCDT/xoYvgWaLvZrHw8LiYALfPIEsm9QmBv6E6lJIUnC4j80mVPRrqTsAKA
uJ79cF2cge5EdIW7PXe/wbraFgGRDDFibts8swQX90S3QuqalSCQXBdw9gW8HS7K
5ogncVLUrFPFsn5N3hiFHKf5NYc7KB1dieXFlxcCgYB/OzDuP0N87AonwsXQXI9q
eZ7CHVfNLArTU5uDN1uYDWICts0cA8rsvh2yYEeBgw4gXorAwUxJnK3aUH85bw/o
HwOznSFeVXjqfAHNShRMTEsKEkwE76itLH3XL6e8bnGAmaHt+YhKH6s3Qqc0mn7L
PkBx8gH/9HO4XsJ5m4WssQKBgECvoHn7KwqJ1JImZQCeM0ln9nI2RWbRqKf5UewK
U2c8VXWrI4UcAx9qd8+/hUujd1CeWVn1RHSwc+jDvOgDAqKzlTl7rmtkFwsV1c2u
qaSg1OJarxmFpBbtYA7kLpqTct5ep8nrMbfcnNsPGKdTTnwqzUXlYuMx4Q8Rhlu+
Hgz7AoGBALQDWJyjYJwemSCPDx4RWPnYlxGt3VaVXiHI/QRe27J2y1bcdQkDEZ89
r2Qcx7J0L0AIO7CcTmRjJtSoFgU9jq/wAB1iqk6Po0skocbapf5XpE4mKnLztYfv
JOJYGUxuH+d4e7cOBUXaaJHmuvb/7vLJwwZDPSsVIO9lJSTa8mjC
-----END RSA PRIVATE KEY-----`;

function dododo() {
    var sig = new KJUR.crypto.Signature({ "alg": "SHA256withRSA" });
    sig.init(privateKey);
    sig.updateString(palin.value);
    let signatureHex = sig.sign();
    console.log(signatureHex);
    signResult.value = btoa(String.fromCharCode.apply(null, signatureHex.match(/.{2}/g).map(a=>"0x"+a)));
}
</script>

<textarea rows="10" cols="100" id="palin">os:Android|version:4.4.10|action:/api/vod/getSactionV2.action|time:1655617802236|appToken:xxx|privateKey:e1be6b4cf4021b3d181170d1879a530a9e4130b69032144d5568abfd6cd6c1c2|data:action=playUrl&checkVodTicket=2&issueVodTicketInfo=0&sactionUuid=ff808081816c058301816fd962aa02c6&</textarea><br><br>

<button onclick="dododo();">点击sign</button><br><br>

<textarea rows="10" cols="100" id="signResult"></textarea><br><br>

[Lwx7832]

大佬，能否逆向下番茄的app加密

m.fqfilm.com