某音直接加载SO计算ascp

Richor · 发表于 2019-7-26 16:38

第一步:关键字定位，目标是定位到到as/cp/mas计算位置
直接输入"as="，很快可以定位as和CP的位置

我们点进去看一下
  if (str2.contains("&device_id=") || str2.contains("?device_id=")) {
                  userInfo = UserInfo.getUserInfo(i, URLDecoder.decode(str2), strArr2, str3);
            } else {
                  userInfo = UserInfo.getUserInfo(i, URLDecoder.decode(str2), strArr2, "");
            }
         }
         if (TextUtils.isEmpty(userInfo)) {
            str = str2 + "&as=a1iosdfgh&cp=androide1";
         } else {
            i2 = userInfo.length();
            if (i2 % 2 == 0) {
                  String substring = userInfo.substring(0, i2 >> 1);
                  a a = com.ss.sys.ces.d.b.a(GlobalContext.getContext(), (long) com.ss.android.ugc.aweme.app.f.v().m());
                  a.a(e.a());
                  str = (str2 + "&as=" + substring + "&cp=" + userInfo.substring(i2 >> 1, i2)) + "&mas=" + k.a(a.a(substring.getBytes()));
            } else {
                  str = str2 + "&as=a1qwert123&cp=cbfhckdckkde1";
            }

继续跟入UserInfo.getUserInfo

[Asm] 纯文本查看 复制代码

public class UserInfo {
    static {
        LibUtil.a(GlobalContext.getContext(),"cms");
        LibUtil.a(GlobalContext.getContext(),"userinfo");
    }
    public static native String a();

    public static native String getDescription();

    public static native String getFile();

    public static native String getFingerprint();

    public static native void getPackage(String str);

    public static native String getS();

    public static native byte[] getT();

    public static native int getTemperature();

    public static native int getType();

    public static native String getUserInfo(int i, String str, String[] strArr);

    public static native String getUserInfo(int i, String str, String[] strArr, String str2);

    public static native String getUserInfo(int i, String[] strArr, String[] strArr2, String str);

    public static native String getUserInfoSkipGet(int i, String str, String[] strArr);

    public static native int initUser(String str);

    public static native int isR();

    public static native void setAppId(int i);

}

好了看到native函数了
第二步:
载入so

复制so访问的包内容:

第三步:
通过hook可以知道userinfo其中一种情况传入参数分别为时间戳,url，url关键字(用|分来)，设备ID
我们就可以模拟传入参数

[Java] 纯文本查看 复制代码

 public String REreplace(String inputs,String regex,String replecestr){
        Pattern p = Pattern.compile(regex);
        Matcher m = p.matcher(inputs);
        return m.replaceAll(replecestr);
    }

    public void copyLove2(String cookie,String inputurl) {
        String nowsessionid = "";
        String TAG = "yf";
        int ts = (int) (System.currentTimeMillis() / 1000);
        String _ricket = System.currentTimeMillis() + "";
        String url = inputurl;
        url = REreplace(url, "ts=(.*?)&", "ts=" + String.valueOf(ts) + "&");
        url = REreplace(url, "rticket=(.*?)&", "rticket=" + String.valueOf(_ricket) + "&");

        Log.d(TAG, "copyLove2: url=" + url);
        String[] keyword = {"os_api", "device_type", "device_platform", "ssmix", "iid", "manifest_version_code", "dpi", "uuid", "version_code", "app_name", "version_name", "openudid", "device_id", "resolution", "os_version", "language", "device_brand", "ac", "update_version_code", "aid", "channel", "mcc_mnc"};
        Map<String, String> map = new HashMap<String, String>();
        String body = url.substring(url.indexOf("?") + 1, url.length());
        String[] bodycut = body.split("&");
        for (int i = 0; i < bodycut.length; i++) {
            String cutvalue = bodycut[i];
            String[] cutkey = cutvalue.split("=");
            map.put(cutkey[0], cutkey[1]);
        }

        String newss = "";
        for (int i = 0; i < keyword.length; i++) {
            String nowkey = keyword[i];
            String nowvalue = map.get(nowkey);
            newss = newss + nowkey + "|" + nowvalue + "|";
        }
        String ss = newss;
        Log.d(TAG, "copyLove2: ss=" + ss);
        Log.d(TAG, "copyLove2: ss=" + ss);
        String[] km = ss.split("|");

        int testts = 1563955292;
        String testurl = "https://api.amemv.com/aweme/v1/commit/item/digg/?aweme_id=6714484185333075203&type=1&channel_id=0&os_api=23&device_type=MI%204LTE&ssmix=a&manifest_version_code=721&dpi=480&js_sdk_version=1.18.2.1&uuid=866963021506086&app_name=aweme&version_name=7.2.1&ts=1563958888&app_type=normal&ac=wifi&update_version_code=7204&channel=xiaomi&_rticket=1563958888665&device_platform=android&iid=79862582770&version_code=721&openudid=569e5c63702b680&device_id=66677255338&resolution=1080*1920&os_version=6.0.1&language=zh&device_brand=Xiaomi&aid=1128&mcc_mnc=46000";
        String testascp = UserInfo.getUserInfo(testts, testurl, km, "66677255338");
        Log.d(TAG, "copyLove: testascp=" + testascp);
        String ascp = UserInfo.getUserInfo(ts, url, km, "66677255338");
        Log.d(TAG, "copyLove: ascp=" + ascp);
    }

}

输出结果如下

同理可以通过ascp算出mas的值

lateautumn4lin · 发表于 2020-9-28 14:03

AcsZeg 发表于 2019-7-27 12:40
直接调用so的用处没有想象中的大 xposed写个服务器去hook这个函数让pc可以跟服务器通讯会更好些

确实，没有必要直接调用

AcsZeg · 发表于 2019-7-27 12:40

直接调用so的用处没有想象中的大 xposed写个服务器去hook这个函数让pc可以跟服务器通讯会更好些

easean · 发表于 2019-7-26 18:05

太乱了看不懂,能直接辅助连接然后解析就好了

mzhsohu · 发表于 2019-7-26 18:06

文章很精彩，奈何自己太菜~！

superchina · 发表于 2019-7-26 18:54

写的不错，加油

wkkc555 · 发表于 2019-7-26 20:19

作为一个外行，表示没看懂

wangyuan0558 · 发表于 2019-7-26 22:38

前来围观大佬

Gewplay · 发表于 2019-7-26 23:48

很想知道这是什么？

0mogul0 · 发表于 2019-7-27 12:59

围观大佬

海云帆 · 发表于 2019-7-27 14:08

膜拜大佬

帐号		自动登录	找回密码
密码			注册[Register]

[Android 原创] 某音直接加载SO计算ascp

免费评分