Alipay can generate an offline payment code for people to use, and this feature is based on standard HOTP. After some reverse engineering work, we are able to reproduce the six-digit code anywhere, provided you have your own `SEED`.

(The frida script here is known to work with Alipay_10.1.62.5549)
1. Get your device rooted, and run frida-server with root privileges.
2. Run `python3 hook.py`, and get your own `INDEX` and `SEED` values.
3. Set the `INDEX` and `SEED` values in gen_code.py.
4. Run `python gen_code.py | qrencode -t utf8`, and enjoy it!
The string format:

`'28' + encrypt(INDEX) + nativeOTP(bytes SEED, timestamp/3, 6)`
- `nativeOTP()` exists in libAPSE.so and generates a standard HOTP code.
- `INDEX` and `SEED` can be found encrypted in `shared_prefs/MODE_*_SETTING_FILE.xml`; use `grep -ir SEEDSG .` to locate them.
- `SEED` has an expiration date (about 30 days), and will be revoked right after app logout.
- When requesting a new `SEED`, it seems only 20 bytes change; the other 20 bytes stay unchanged.
- `INDEX` seems not to change when `SEED` is renewed.
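The notes above say `nativeOTP()` produces a "standard HOTP code". The following is an added example, not code from this repository or from Alipay, showing what that standard (RFC 4226) actually computes, checked against the RFC's own published test vectors. The point for anyone assessing this design: HOTP is fully deterministic given the secret and the counter, so a `SEED` readable from local storage is the credential itself, and a verifier has nothing beyond counter windowing and seed expiry to limit damage. The `counter_from_time` helper is an assumption illustrating the page's `timestamp/3` remark (integer division of Unix seconds by a 3-second step); the exact counter derivation and the `encrypt(INDEX)` prefix are not reproduced here.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduced modulo 10**digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks the window
    binary = (
        (mac[offset] & 0x7F) << 24               # mask the sign bit as the RFC requires
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % (10 ** digits)).zfill(digits)


def counter_from_time(unix_seconds: int, step: int = 3) -> int:
    """Assumed time-based counter, mirroring the page's 'timestamp/3'.
    This is an illustration of a time-derived counter, not Alipay's code."""
    return unix_seconds // step


def verify_hotp(secret: bytes, counter: int, candidate: str,
                window: int = 3, digits: int = 6):
    """Verifier-side check with a look-ahead window. Returns the counter
    that matched (so the verifier can resynchronise) or None. Uses a
    constant-time comparison so the digit match does not leak via timing."""
    for c in range(counter, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return c
    return None


# RFC 4226 Appendix D test vectors (secret is the ASCII string "12345678901234567890").
RFC4226_SECRET = b"12345678901234567890"
RFC4226_CODES = [
    "755224", "287082", "359152", "969429", "338314",
    "254676", "287922", "162583", "399871", "520489",
]


def rfc4226_self_test() -> bool:
    """True if this implementation reproduces all ten RFC 4226 vectors."""
    return all(hotp(RFC4226_SECRET, c) == code for c, code in enumerate(RFC4226_CODES))


if __name__ == "__main__":
    print("RFC 4226 self-test:", "ok" if rfc4226_self_test() else "FAILED")
    # Constructed demo: the same secret and counter always yield the same code,
    # which is why possession of the seed equals possession of the credential.
    c = counter_from_time(1_600_000_000)
    print("counter", c, "code", hotp(RFC4226_SECRET, c))
    print("verify window hit at counter:", verify_hotp(RFC4226_SECRET, 0, "969429"))
```

Running the block prints the self-test result and a demonstration code. The `verify_hotp` window is the only thing a server can tune once the secret is out: a wider window makes resynchronisation friendlier but lets more precomputed codes validate, which is the trade-off behind the 30-day seed expiry and logout revocation noted above.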