第一步:关键字定位,目标是定位到as/cp/mas的计算位置
直接输入"as=",很快可以定位as和CP的位置
我们点进去看一下
// Decompiled excerpt: the enclosing method begins and ends outside this listing, which is why
// the braces below do not balance.
// str3 is forwarded to the native call only when the URL already carries a device_id query
// parameter; otherwise an empty string is passed in its place.
// (presumably str3 is the device id, going by the hook observation later in the write-up - confirm)
// NOTE(review): the one-argument URLDecoder.decode is deprecated in favour of the two-argument
// form that names the charset; this call relies on the default charset.
if (str2.contains("&device_id=") || str2.contains("?device_id=")) {
userInfo = UserInfo.getUserInfo(i, URLDecoder.decode(str2), strArr2, str3);
} else {
userInfo = UserInfo.getUserInfo(i, URLDecoder.decode(str2), strArr2, "");
}
}
// Null or empty result from the native call: a fixed literal as/cp pair is appended instead.
// NOTE(review): these values are string constants, so they carry no per-request information.
if (TextUtils.isEmpty(userInfo)) {
str = str2 + "&as=a1iosdfgh&cp=androide1";
} else {
i2 = userInfo.length();
// Even-length result: the first half becomes "as" and the second half becomes "cp".
if (i2 % 2 == 0) {
String substring = userInfo.substring(0, i2 >> 1);
// "mas" is derived from the "as" half: the object returned by com.ss.sys.ces.d.b.a(...) is
// configured with e.a(), applied to the bytes of substring, and k.a(...) turns the result into
// the appended text. The obfuscated helpers are not shown, so what they compute cannot be
// stated from this excerpt.
// NOTE(review): getBytes() without a charset argument uses the default charset.
a a = com.ss.sys.ces.d.b.a(GlobalContext.getContext(), (long) com.ss.android.ugc.aweme.app.f.v().m());
a.a(e.a());
str = (str2 + "&as=" + substring + "&cp=" + userInfo.substring(i2 >> 1, i2)) + "&mas=" + k.a(a.a(substring.getBytes()));
} else {
// Odd-length result: a second fixed literal as/cp pair is appended.
str = str2 + "&as=a1qwert123&cp=cbfhckdckkde1";
}
继续跟入UserInfo.getUserInfo
/**
 * Java-side declarations for natively implemented methods, as recovered by the decompiler.
 *
 * <p>Every method here is {@code native}: the class contains no Java logic beyond the static
 * initializer, so the behaviour of each call is defined in native code that this listing does
 * not show. Names such as {@code getS}, {@code getT} and {@code isR} are left undocumented
 * because nothing visible establishes what they return.
 */
public class UserInfo {

    // Runs once when the class is initialised. LibUtil is not shown; presumably each call loads
    // the native library with the given name ("cms", then "userinfo") - confirm against LibUtil.
    static {
        LibUtil.a(GlobalContext.getContext(), "cms");
        LibUtil.a(GlobalContext.getContext(), "userinfo");
    }

    // --- getUserInfo family -------------------------------------------------------------------
    // The caller excerpt in the write-up splits the returned string in half to obtain the "as"
    // and "cp" request parameters. For the four-argument (int, String, String[], String) form the
    // write-up reports, from hooking, one call pattern of: timestamp, URL, URL keywords, device id.

    public static native String getUserInfo(int i, String str, String[] strArr);

    public static native String getUserInfo(int i, String str, String[] strArr, String str2);

    public static native String getUserInfo(int i, String[] strArr, String[] strArr2, String str);

    public static native String getUserInfoSkipGet(int i, String str, String[] strArr);

    // --- Setup --------------------------------------------------------------------------------

    public static native int initUser(String str);

    public static native void setAppId(int i);

    // Declared as a getter by name but takes an argument and returns nothing.
    public static native void getPackage(String str);

    // --- Parameterless accessors (semantics not visible from this listing) ----------------------

    public static native String a();

    public static native String getDescription();

    public static native String getFile();

    public static native String getFingerprint();

    public static native String getS();

    public static native byte[] getT();

    public static native int getTemperature();

    public static native int getType();

    public static native int isR();
}
好了看到native函数了
第二步:
载入so
复制so访问的包内容:
第三步:
通过hook可以知道userinfo其中一种情况的传入参数分别为:时间戳、url、url关键字(用|分开)、设备ID
我们就可以模拟传入参数
/**
 * Replaces every match of {@code regex} in {@code inputs} with {@code replecestr}.
 *
 * <p>The replacement is handed to {@code Matcher.replaceAll} unchanged, so {@code $} and
 * {@code \} inside it keep their replacement-string meaning.
 *
 * @param inputs text to search
 * @param regex regular expression to look for
 * @param replecestr replacement applied to each match
 * @return {@code inputs} with all matches replaced
 */
public String REreplace(String inputs, String regex, String replecestr) {
    return Pattern.compile(regex).matcher(inputs).replaceAll(replecestr);
}

/**
 * Test harness from the write-up: rewrites the time fields of {@code inputurl}, builds the
 * keyword array, and logs what {@code UserInfo.getUserInfo} returns for a fixed sample request
 * and for the rewritten URL.
 *
 * <p>Nothing is returned; every result is written to the Android log under tag {@code "yf"}.
 *
 * @param cookie not read by this method
 * @param inputurl request URL with a query string; each {@code &}-separated part must contain
 *     {@code =} followed by a value, otherwise the parsing loop throws
 *     {@code ArrayIndexOutOfBoundsException}
 */
public void copyLove2(String cookie, String inputurl) {
    final String logTag = "yf";

    // Two separate clock reads, seconds first and milliseconds second, as in the original.
    final int epochSeconds = (int) (System.currentTimeMillis() / 1000);
    final String epochMillis = String.valueOf(System.currentTimeMillis());

    final String tsRewritten = REreplace(inputurl, "ts=(.*?)&", "ts=" + epochSeconds + "&");
    final String requestUrl =
            REreplace(tsRewritten, "rticket=(.*?)&", "rticket=" + epochMillis + "&");
    // NOTE(review): the full URL, including whatever device identifiers it carries, goes to the log.
    Log.d(logTag, "copyLove2: url=" + requestUrl);

    final String[] keywordOrder = {
        "os_api", "device_type", "device_platform", "ssmix", "iid", "manifest_version_code",
        "dpi", "uuid", "version_code", "app_name", "version_name", "openudid", "device_id",
        "resolution", "os_version", "language", "device_brand", "ac", "update_version_code",
        "aid", "channel", "mcc_mnc"
    };

    // Index the query string by parameter name; a later duplicate overwrites an earlier one.
    final Map<String, String> queryParams = new HashMap<String, String>();
    final String query = requestUrl.substring(requestUrl.indexOf("?") + 1);
    for (String pair : query.split("&")) {
        final String[] nameAndValue = pair.split("=");
        queryParams.put(nameAndValue[0], nameAndValue[1]);
    }

    // Emit "name|value|" for each keyword in the fixed order above; a keyword missing from the
    // URL contributes the text "null" as its value.
    final StringBuilder joined = new StringBuilder();
    for (String name : keywordOrder) {
        joined.append(name).append("|").append(queryParams.get(name)).append("|");
    }
    final String ss = joined.toString();
    Log.d(logTag, "copyLove2: ss=" + ss);
    Log.d(logTag, "copyLove2: ss=" + ss);

    // String.split takes a regular expression; "|" is passed exactly as in the original listing.
    final String[] km = ss.split("|");

    // Fixed sample request captured by the author.
    // NOTE(review): the sample URL and the device-id literal below look like real device
    // identifiers (uuid, openudid, device_id, iid); they are published here and also logged.
    final int testts = 1563955292;
    final String testurl =
            "https://api.amemv.com/aweme/v1/commit/item/digg/?aweme_id=6714484185333075203&type=1&channel_id=0&os_api=23&device_type=MI%204LTE&ssmix=a&manifest_version_code=721&dpi=480&js_sdk_version=1.18.2.1&uuid=866963021506086&app_name=aweme&version_name=7.2.1&ts=1563958888&app_type=normal&ac=wifi&update_version_code=7204&channel=xiaomi&_rticket=1563958888665&device_platform=android&iid=79862582770&version_code=721&openudid=569e5c63702b680&device_id=66677255338&resolution=1080*1920&os_version=6.0.1&language=zh&device_brand=Xiaomi&aid=1128&mcc_mnc=46000";

    final String testascp = UserInfo.getUserInfo(testts, testurl, km, "66677255338");
    Log.d(logTag, "copyLove: testascp=" + testascp);

    final String ascp = UserInfo.getUserInfo(epochSeconds, requestUrl, km, "66677255338");
    Log.d(logTag, "copyLove: ascp=" + ascp);
}
}
输出结果如下
同理可以通过ascp算出mas的值