注：已下分析仅供学习交流，禁做其它用途

最近想在京东秒杀个东西，发现根本抢不到，抓包看看吧，顺便学习一下。

随便找了个请求发现有三个值每次是不一样的：st，sign，sv 看来这是加密了

秘钥错误会返回signature verification failed

//这里是url参数
functionId=getLegoWareDetailComment
clientVersion=9.4.4
build=87076
client=android
d_brand=Meizu
d_model=Meizu60
osVersion=10.0
screen=1380*720
partner=tencent
oaid=
eid=eidndjfkldaju897dfncHdk
sdkVersion=24
lang=zh_CN
uuid=oe9a3ff1fce3f
aid=oe9a3ff1fce3f
area=1_73_55177_9
networkType=wifi
wifiBssid=5771b7c0c1a46w4123zxcv3nm18190b1
//这几个是加密
st=1616770835649
sign=0f0sfzxcvbnm41df07e7d85b34cb8h31
sv=120
//这个是body
{"category":"12259;12260;9435","shadowMainSku":"0","shieldCurrentComment":"1","shopType":"0","sku":"000000558","venderId":"1009943","wareType":"1"}

秘钥不对会返回：
{
	"code": "600",
	"echo": "signature verification failed"
}

那只能在app里找一下，app版本9.4.4，反编译，拿源码，找到生成sign的地方

private static void b(HttpSetting httpSetting, String str, String str2) {
        String functionId = httpSetting.getFunctionId();
        String property = b.getProperty(Configuration.CLIENT, "");
        String versionName = a.Uk().getStatInfoConfigImpl().getVersionName();
        if (functionId != null) {
            if (OKLog.D) {
                String str3 = TAG;
                OKLog.d(str3, "id:" + httpSetting.getId() + "- ..functionId -->> " + functionId);
                String str4 = TAG;
                OKLog.d(str4, "id:" + httpSetting.getId() + "- ..body -->> " + str);
                String str5 = TAG;
                OKLog.d(str5, "id:" + httpSetting.getId() + "- ..uuid -->> " + str2);
                String str6 = TAG;
                OKLog.d(str6, "id:" + httpSetting.getId() + "- ..client -->> " + property);
                String str7 = TAG;
                OKLog.d(str7, "id:" + httpSetting.getId() + "- ..clientVersion -->> " + versionName);
            }
            try {
                //这里就是了
                String signature = a.Uk().Ur().signature(a.Uk().getApplicationContext(), functionId, str, str2, property, versionName);
                if (OKLog.D) {
                    OKLog.d("Signature", "native  load  sucess " + signature);
                }
                httpSetting.setSignature("&" + signature);
                httpSetting.setUrl(httpSetting.getUrl() + httpSetting.getSignature());
            } catch (Exception unused) {
            }
        }
    }

找到代码了最后发现是调用了so

    public static native String getSignFromJni(Context context, String functionId, String body, String uuid, String client, String clientVersion);

so怎么搞？汇编，动态调试，走起

//so返回的结果
st=1616804726304&sign=bc587e1837f8a996825023b9ea6fa03e&sv=111

OK，总结一下，参数放到so加密生成sign。感兴趣的朋友可以联系，或者直接加QQ1661639956，大家一起交流