某音直接加载SO计算ascp

第一步:关键字定位，目标是定位到到as/cp/mas计算位置
直接输入"as="，很快可以定位as和CP的位置

我们点进去看一下
  if (str2.contains("&device_id=") || str2.contains("?device_id=")) {
                    userInfo = UserInfo.getUserInfo(i, URLDecoder.decode(str2), strArr2, str3);
                } else {
                    userInfo = UserInfo.getUserInfo(i, URLDecoder.decode(str2), strArr2, "");
                }
            }
            if (TextUtils.isEmpty(userInfo)) {
                str = str2 + "&as=a1iosdfgh&cp=androide1";
            } else {
                i2 = userInfo.length();
                if (i2 % 2 == 0) {
                    String substring = userInfo.substring(0, i2 >> 1);
                    a a = com.ss.sys.ces.d.b.a(GlobalContext.getContext(), (long) com.ss.android.ugc.aweme.app.f.v().m());
                    a.a(e.a());
                    str = (str2 + "&as=" + substring + "&cp=" + userInfo.substring(i2 >> 1, i2)) + "&mas=" + k.a(a.a(substring.getBytes()));
                } else {
                    str = str2 + "&as=a1qwert123&cp=cbfhckdckkde1";
                }

继续跟入UserInfo.getUserInfo
[Asm] 纯文本查看 复制代码

public class UserInfo {
    static {
        LibUtil.a(GlobalContext.getContext(),"cms");
        LibUtil.a(GlobalContext.getContext(),"userinfo");
    }
    public static native String a();

    public static native String getDescription();

    public static native String getFile();

    public static native String getFingerprint();

    public static native void getPackage(String str);

    public static native String getS();

    public static native byte[] getT();

    public static native int getTemperature();

    public static native int getType();

    public static native String getUserInfo(int i, String str, String[] strArr);

    public static native String getUserInfo(int i, String str, String[] strArr, String str2);

    public static native String getUserInfo(int i, String[] strArr, String[] strArr2, String str);

    public static native String getUserInfoSkipGet(int i, String str, String[] strArr);

    public static native int initUser(String str);

    public static native int isR();

    public static native void setAppId(int i);

}

好了看到native函数了
第二步:
载入so

复制so访问的包内容:

第三步:
通过hook可以知道userinfo其中一种情况传入参数分别为时间戳,url，url关键字(用|分来)，设备ID
我们就可以模拟传入参数
[Java] 纯文本查看 复制代码

 public String REreplace(String inputs,String regex,String replecestr){
        Pattern p = Pattern.compile(regex);
        Matcher m = p.matcher(inputs);
        return m.replaceAll(replecestr);
    }

    public void copyLove2(String cookie,String inputurl) {
        String nowsessionid = "";
        String TAG = "yf";
        int ts = (int) (System.currentTimeMillis() / 1000);
        String _ricket = System.currentTimeMillis() + "";
        String url = inputurl;
        url = REreplace(url, "ts=(.*?)&", "ts=" + String.valueOf(ts) + "&");
        url = REreplace(url, "rticket=(.*?)&", "rticket=" + String.valueOf(_ricket) + "&");

        Log.d(TAG, "copyLove2: url=" + url);
        String[] keyword = {"os_api", "device_type", "device_platform", "ssmix", "iid", "manifest_version_code", "dpi", "uuid", "version_code", "app_name", "version_name", "openudid", "device_id", "resolution", "os_version", "language", "device_brand", "ac", "update_version_code", "aid", "channel", "mcc_mnc"};
        Map<String, String> map = new HashMap<String, String>();
        String body = url.substring(url.indexOf("?") + 1, url.length());
        String[] bodycut = body.split("&");
        for (int i = 0; i < bodycut.length; i++) {
            String cutvalue = bodycut[i];
            String[] cutkey = cutvalue.split("=");
            map.put(cutkey[0], cutkey[1]);
        }

        String newss = "";
        for (int i = 0; i < keyword.length; i++) {
            String nowkey = keyword[i];
            String nowvalue = map.get(nowkey);
            newss = newss + nowkey + "|" + nowvalue + "|";
        }
        String ss = newss;
        Log.d(TAG, "copyLove2: ss=" + ss);
        Log.d(TAG, "copyLove2: ss=" + ss);
        String[] km = ss.split("|");

        int testts = 1563955292;
        String testurl = "https://api.amemv.com/aweme/v1/commit/item/digg/?aweme_id=6714484185333075203&type=1&channel_id=0&os_api=23&device_type=MI%204LTE&ssmix=a&manifest_version_code=721&dpi=480&js_sdk_version=1.18.2.1&uuid=866963021506086&app_name=aweme&version_name=7.2.1&ts=1563958888&app_type=normal&ac=wifi&update_version_code=7204&channel=xiaomi&_rticket=1563958888665&device_platform=android&iid=79862582770&version_code=721&openudid=569e5c63702b680&device_id=66677255338&resolution=1080*1920&os_version=6.0.1&language=zh&device_brand=Xiaomi&aid=1128&mcc_mnc=46000";
        String testascp = UserInfo.getUserInfo(testts, testurl, km, "66677255338");
        Log.d(TAG, "copyLove: testascp=" + testascp);
        String ascp = UserInfo.getUserInfo(ts, url, km, "66677255338");
        Log.d(TAG, "copyLove: ascp=" + ascp);
    }

}

输出结果如下

同理可以通过ascp算出mas的值