Android reverse engineering tricks, part 15: reverse analysis of x音's key encrypted-field algorithms (2)

1. Last time, printing stacks located the call stack of malloc in libc, but a closer look showed nothing but standard-library calls and no call relationship back into x音's own libraries, so that lead went cold again. After much thought, the honest approach is to go through the method-profiling call stack entry by entry. The reason is simple: every Java-layer execution path triggered by the user's actions was recorded, so the calls that generate the four encrypted fields X-Ladon, X-Gorgon, X-Tyhon and X-Argus must be in there. So I hooked them one by one with objection and inspected each function's arguments, return value and call stack. After hooking over a hundred functions (reverse engineering is manual labour too...), I finally found the opening: when hooking com.bytedance.frameworks.baselib.network.http.cronet.impl.g.a, the printed arguments contained the four encrypted fields, and so did the return value, so this function is definitely related to them!

(agent) [398162] Called com.bytedance.frameworks.baselib.network.http.cronet.impl.g.a(java.lang.Object, java.lang.Class, java.lang.Object)
(agent) [398162] Backtrace:
        com.bytedance.frameworks.baselib.network.http.cronet.impl.g.a(Native Method)
        com.bytedance.frameworks.baselib.network.http.cronet.impl.g.b(SsCronetHttpClient.java:50856473)
        com.bytedance.frameworks.baselib.network.http.cronet.impl.g.a(SsCronetHttpClient.java)
        com.bytedance.frameworks.baselib.network.http.cronet.impl.g.a(Native Method)
        com.bytedance.frameworks.baselib.network.http.cronet.impl.g.a(SsCronetHttpClient.java:688)
        com.bytedance.frameworks.baselib.network.http.cronet.impl.g.a(Native Method)
        com.bytedance.frameworks.baselib.network.http.cronet.impl.c.execute(CronetSsCall.java:524502)
        com.bytedance.retrofit2.CallServerInterceptor.CallServerInterceptor__executeCall$___twin___(CallServerInterceptor.java:33816611)
        com.bytedance.retrofit2.CallServerInterceptor.com_bytedance_retrofit2_CallServerInterceptor_com_ss_android_ugc_aweme_lancet_network_NetworkUtilsLancet_executeCall(CallServerInterceptor.java:50790551)
        com.bytedance.retrofit2.CallServerInterceptor.executeCall(CallServerInterceptor.java)
        com.bytedance.retrofit2.CallServerInterceptor.CallServerInterceptor__intercept$___twin___(CallServerInterceptor.java:17236171)
        com.bytedance.retrofit2.CallServerInterceptor.com_bytedance_retrofit2_CallServerInterceptor_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_intercept(CallServerInterceptor.java:33882196)
        com.bytedance.retrofit2.CallServerInterceptor.intercept(CallServerInterceptor.java)
        com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566)
        com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785)
        com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java)
        com.ss.android.ugc.aweme.net.monitor.TTNetMonitorInterceptor.a(TTNetMonitorInterceptor.kt:17170528)
        com.ss.android.ugc.aweme.net.monitor.TTNetMonitorInterceptor.intercept(TTNetMonitorInterceptor.kt:17170538)
        com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566)
        com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785)
        com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java)
        com.ss.android.ugc.aweme.net.interceptor.TokenSdkCommonParamsInterceptorTTNet.a(TokenSdkCommonParamsInterceptorTTNet.java:17170588)
        com.ss.android.ugc.aweme.net.interceptor.TokenSdkCommonParamsInterceptorTTNet.intercept(TokenSdkCommonParamsInterceptorTTNet.java:17170538)
        com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566)
        com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785)
        com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java)
        com.bytedance.frameworks.baselib.network.http.retrofit.BaseSsInterceptor.BaseSsInterceptor__intercept$___twin___(BaseSsInterceptor.java:17170534)
        com.bytedance.frameworks.baselib.network.http.retrofit.BaseSsInterceptor.com_bytedance_frameworks_baselib_network_http_retrofit_BaseSsInterceptor_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_intercept(BaseSsInterceptor.java:33882196)
        com.bytedance.frameworks.baselib.network.http.retrofit.BaseSsInterceptor.intercept(BaseSsInterceptor.java)
        com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566)
        com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785)
        com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java)
        com.ss.android.ugc.aweme.net.interceptor.TTNetInitInterceptor.a(TTNetInitInterceptor.java:17039393)
        com.ss.android.ugc.aweme.net.interceptor.TTNetInitInterceptor.intercept(TTNetInitInterceptor.java:17170538)
        com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566)
        com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785)
        com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java)
        com.ss.android.account.token.TTTokenInterceptor.a(TTTokenInterceptor.java:17170567)
        com.ss.android.account.token.TTTokenInterceptor.intercept(TTTokenInterceptor.java:17170538)
        com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566)
        com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785)
        com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java)
        com.ss.android.ugc.aweme.net.interceptor.CommonParamsInterceptorTTNet.a(CommonParamsInterceptorTTNet.java:17170573)
        com.ss.android.ugc.aweme.net.interceptor.CommonParamsInterceptorTTNet.intercept(CommonParamsInterceptorTTNet.java:17170538)
        com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566)
        com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785)
        com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java)
        com.bytedance.apm.ttnet.TTNetSampleInterceptor.a(TTNetSampleInterceptor.java:17105000)
        com.bytedance.apm.ttnet.TTNetSampleInterceptor.intercept(TTNetSampleInterceptor.java:17170538)
        com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566)
        com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785)
        com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java)
        com.ss.android.ugc.aweme.net.interceptor.GlobalParamsAppendInterceptorTTNet.a(GlobalParamsAppendInterceptor.kt:17104997)
        com.ss.android.ugc.aweme.net.interceptor.GlobalParamsAppendInterceptorTTNet.intercept(GlobalParamsAppendInterceptor.kt:17170538)
        com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566)
        com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785)
        com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java)
        com.ss.android.ugc.aweme.lancet.ssretrofitchain.VerifyInterceptor.a(VerifyInterceptor.java:17301552)
        com.ss.android.ugc.aweme.lancet.ssretrofitchain.VerifyInterceptor.intercept(VerifyInterceptor.java:17170538)
        com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566)
        com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785)
        com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java)
        com.bytedance.bdinstall.DeviceInterceptor.a(DeviceInterceptor.java:17170566)
        com.bytedance.bdinstall.DeviceInterceptor.intercept(DeviceInterceptor.java:17170538)
        com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566)
        com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785)
        com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java)
        com.ss.android.ugc.aweme.net.interceptor.UrlTransformInterceptorTTNet.a(UrlTransformInterceptorTTNet.java:17039412)
        com.ss.android.ugc.aweme.net.interceptor.UrlTransformInterceptorTTNet.intercept(UrlTransformInterceptorTTNet.java:17170538)
        com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566)
        com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785)
        com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java)
        com.ss.android.ugc.aweme.utils.SecUidInterceptorTTNet.a(SecUidInterceptorTTNet.java:17170600)
        com.ss.android.ugc.aweme.utils.SecUidInterceptorTTNet.intercept(SecUidInterceptorTTNet.java:17170538)
        com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566)
        com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785)
        com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java)
        com.ss.android.ugc.aweme.net.SyncCommonParameterIntercepter.a(SyncCommonParameterIntercepter.java:17104961)
        com.ss.android.ugc.aweme.net.SyncCommonParameterIntercepter.intercept(SyncCommonParameterIntercepter.java:17170538)
        com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566)
        com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785)
        com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java)
        com.ss.android.ugc.aweme.net.interceptor.DevicesNullInterceptorTTNet.a(DevicesNullInterceptorTTNet.java:17104973)
        com.ss.android.ugc.aweme.net.interceptor.DevicesNullInterceptorTTNet.intercept(DevicesNullInterceptorTTNet.java:17170538)
        com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566)
        com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785)
        com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java)
        com.ss.android.ugc.aweme.net.cache.IesCacheInterceptor.a(IesCacheInterceptor.kt:17104977)
        com.ss.android.ugc.aweme.net.cache.IesCacheInterceptor.intercept(IesCacheInterceptor.kt:17170538)
        com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566)
        com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785)
        com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java)
        com.bytedance.retrofit2.SsHttpCall.getResponseWithInterceptorChain(SsHttpCall.java:327756)
        com.bytedance.retrofit2.SsHttpCall.SsHttpCall__execute$___twin___(SsHttpCall.java:327776)
        com.bytedance.retrofit2.SsHttpCall.com_bytedance_retrofit2_SsHttpCall_com_ss_android_ugc_aweme_lancet_NetIOCheckLancet_execute(SsHttpCall.java:17104937)
        com.bytedance.retrofit2.SsHttpCall.execute(SsHttpCall.java)
        com.bytedance.retrofit2.ExecutorCallAdapterFactory$ExecutorCallbackCall.execute(ExecutorCallAdapterFactory.java:196631)
        com.ss.android.ugc.aweme.account.network.NetworkProxyAccount.sendGetRequest(NetworkProxyAccount.kt:50724975)
        com.ss.android.ugc.aweme.account.network.NetworkProxyAccount.a(NetworkProxyAccount.kt:50790474)
        com.ss.android.ugc.aweme.account.network.b.b.a(TTAccountNetworkImpl.kt:50659364)
        com.bytedance.sdk.account.b.h.d(BaseAccountApi.java:524593)
        com.bytedance.sdk.account.b.h.b(BaseAccountApi.java:393248)
        com.bytedance.sdk.account.b.h$a.run(BaseAccountApi.java:196627)
        com.bytedance.sdk.account.f.a.a.run(ApiDispatcher.java:393319)

(agent) [398162] Arguments com.bytedance.frameworks.baselib.network.http.cronet.impl.g.a({"Accept-Encoding":"gzip, deflate, br","Connection":"keep-alive","Cookie":"passport_csrf_token_default=347247bb8bea022535d3d5845482902a; n_mh=B6WRe0yd-1qIuffF6ZWNO-CSGlW1Q-VhC0E79NrqYTg; sid_guard=2fb96f69aa912bdd050ef5224ffd91a8%7C1622365384%7C5184000%7CThu%2C+29-Jul-2021+09%3A03%3A04+GMT; uid_tt=e4b268e9345c17dc6f022a33eb8f2611; sid_tt=2fb96f69aa912bdd050ef5224ffd91a8; sessionid=2fb96f69aa912bdd050ef5224ffd91a8; multi_sids=95063141447%3A2fb96f69aa912bdd050ef5224ffd91a8; odin_tt=abf9aade25cc87ee3389cc4dc35f9200c567179237e3d4f79743489f4502dd3f32dc4f6eef5d10d4e0cbfdba301b715f302933cba86c38dc6d38f021c9dcf9e5; install_id=3061500213736925; ttreq=1$0acef8b5ba94c2ca8170b47775d18de37dbdc565","Host":"api5-normal-c-hl.amemv.com","User-Agent":"com.ss.android.ugc.aweme/150501 (Linux; U; Android 6.0.1; zh_CN; KIW-AL10; Build/HONORKIW-AL10; Cronet/TTNetVersion:539f4bcf 2021-01-18 QuicVersion:47946d2a 2020-10-14)","X-Argus":"dL63f9K4krgr8/WAfSIFeVfdfEcxLb0IszYsoVzV1+5/iO2yRYjhPTcNpp9D3PjyivcgIe5KYrbCD11veS20EKiNAqOk3bOJzl+L386i+SWzP8rAnbbqxfvkUWtO5Bc0oVLuMQ4MlA77tSKmgN23uBxTq0RgPvcEUxC9H2P9tKCiXcL85uubNM7L1FOAsHAEvNe+83Y341uq5UdMLixTXC5u21bYeHkr7SBBDFEWGQz7WDOfte4Tvq4ZyoIydKGHNlFb3tJUFav8IBrm/Fq3NgLq1WdP5h6eIzPoXKgs1/amjaNItSFY7POOz1qNLD/9fgJbj+f43UFI9kZzssJ8zfVj","X-Gorgon":"0404b8790005f2914fd644447ffb0acf11a197e54adb11afa680","X-Khronos":"1624109469","X-Ladon":"wp8eCaQGfmHoPa38jhEcD+4ADTjDGs0I83D+1lWfekKesKn+","X-SS-DP":"1128","X-SS-REQ-TICKET":"1624109468485","X-Tt-Token":"002fb96f69aa912bdd050ef5224ffd91a802def84c5b02f0add48df81bbcef7d8d248695a4d463f61302ea58cd3af89506e3cb69c984312474340c46d313946455a55d88be251c40ee836a09baa57714a693b60643d129801997b632d408227491a61-1.0.1","X-Tyhon":"iXwqufMrDfPxVRKC1zs/8P8NUvLqKS2QsxUO15g=","passport-sdk-version":"18","sdk-version":"2","x-bd-kmsv":"1","x-tt-dt":"AAAXOAB2XQQBS7CMNLPBK5G7DJDOMPMTU6CLN7633AG2G2APEIYDCWQ3YOZME4NMB4F3XL7PUYWVWZGU37ODXCESIGROP6JJVG7IAIXCEP76TGK6KF7SDTXXAOJKKNIS6B4COMBU34ZZ4DXCL2UAH4Q","x-tt-multi-sids":"95063141447%3A2fb96f69aa912bdd050ef5224ffd91a8","x-tt-trace-id":"00-2477cf7c0990b70ca8484fcd822e0468-2477cf7c0990b70c-01"}, class java.lang.String, )
(agent) [398162] Return Value: {"Accept-Encoding":"gzip, deflate, br","Connection":"keep-alive","Cookie":"passport_csrf_token_default=347247bb8bea022535d3d5845482902a; n_mh=B6WRe0yd-1qIuffF6ZWNO-CSGlW1Q-VhC0E79NrqYTg; sid_guard=2fb96f69aa912bdd050ef5224ffd91a8%7C1622365384%7C5184000%7CThu%2C+29-Jul-2021+09%3A03%3A04+GMT; uid_tt=e4b268e9345c17dc6f022a33eb8f2611; sid_tt=2fb96f69aa912bdd050ef5224ffd91a8; sessionid=2fb96f69aa912bdd050ef5224ffd91a8; multi_sids=95063141447%3A2fb96f69aa912bdd050ef5224ffd91a8; odin_tt=abf9aade25cc87ee3389cc4dc35f9200c567179237e3d4f79743489f4502dd3f32dc4f6eef5d10d4e0cbfdba301b715f302933cba86c38dc6d38f021c9dcf9e5; install_id=3061500213736925; ttreq=1$0acef8b5ba94c2ca8170b47775d18de37dbdc565","Host":"api5-normal-c-hl.amemv.com","User-Agent":"com.ss.android.ugc.aweme/150501 (Linux; U; Android 6.0.1; zh_CN; KIW-AL10; Build/HONORKIW-AL10; Cronet/TTNetVersion:539f4bcf 2021-01-18 QuicVersion:47946d2a 2020-10-14)","X-Argus":"dL63f9K4krgr8/WAfSIFeVfdfEcxLb0IszYsoVzV1+5/iO2yRYjhPTcNpp9D3PjyivcgIe5KYrbCD11veS20EKiNAqOk3bOJzl+L386i+SWzP8rAnbbqxfvkUWtO5Bc0oVLuMQ4MlA77tSKmgN23uBxTq0RgPvcEUxC9H2P9tKCiXcL85uubNM7L1FOAsHAEvNe+83Y341uq5UdMLixTXC5u21bYeHkr7SBBDFEWGQz7WDOfte4Tvq4ZyoIydKGHNlFb3tJUFav8IBrm/Fq3NgLq1WdP5h6eIzPoXKgs1/amjaNItSFY7POOz1qNLD/9fgJbj+f43UFI9kZzssJ8zfVj","X-Gorgon":"0404b8790005f2914fd644447ffb0acf11a197e54adb11afa680","X-Khronos":"1624109469","X-Ladon":"wp8eCaQGfmHoPa38jhEcD+4ADTjDGs0I83D+1lWfekKesKn+","X-SS-DP":"1128","X-SS-REQ-TICKET":"1624109468485","X-Tt-Token":"002fb96f69aa912bdd050ef5224ffd91a802def84c5b02f0add48df81bbcef7d8d248695a4d463f61302ea58cd3af89506e3cb69c984312474340c46d313946455a55d88be251c40ee836a09baa57714a693b60643d129801997b632d408227491a61-1.0.1","X-Tyhon":"iXwqufMrDfPxVRKC1zs/8P8NUvLqKS2QsxUO15g=","passport-sdk-version":"18","sdk-version":"2","x-bd-kmsv":"1","x-tt-dt":"AAAXOAB2XQQBS7CMNLPBK5G7DJDOMPMTU6CLN7633AG2G2APEIYDCWQ3YOZME4NMB4F3XL7PUYWVWZGU37ODXCESIGROP6JJVG7IAIXCEP76TGK6KF7SDTXXAOJKKNIS6B4COMBU34ZZ4DXCL2UAH4Q","x-tt-multi-sids":"95063141447%3A2fb96f69aa912bdd050ef5224ffd91a8","x-tt-trace-id":"00-2477cf7c0990b70ca8484fcd822e0468-2477cf7c0990b70c-01"}

Analysing the call stack, several overloads of a are called in turn. Following that logic: this a takes a connection parameter, parses the headers out of it, stores them in an ArrayList and returns that list;

import java.net.HttpURLConnection;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

// Decompiled g.a(HttpURLConnection): flattens the connection's header map
// (one name -> several values) into a list of Header(name, value) pairs.
@SuppressWarnings("unchecked")
public static List<Header> a(HttpURLConnection p0) {
    // Hot-patch dispatch: if a replacement implementation is registered for
    // method id 112471, return its result instead (the decompiler rendered
    // the isStatic flag as the int 1).
    Object[] objectArray = new Object[]{p0};
    PatchProxyResult pproxy = PatchProxy.proxy(objectArray, null, c.a, true, 112471);
    if (pproxy.isSupported) {
        return (List<Header>) pproxy.result;
    }
    if (p0 == null) {   // decompiled as "if (!p0)"
        return null;
    }
    ArrayList<Header> arrayList = new ArrayList<>();
    // getHeaderFields() returns Map<String, List<String>>: walk every value of every name
    for (Map.Entry<String, List<String>> mnext : p0.getHeaderFields().entrySet()) {
        String sKey = mnext.getKey();
        for (String value : mnext.getValue()) {
            arrayList.add(new Header(sKey, value));
        }
    }
    return arrayList;
}

Since this code is already parsing the headers of the HTTP packet, it is a prime suspect; viewing its callers in GDA shows a call from the execute method (which matches the call stack printed above exactly, so no problem there):


A gripe here: I don't know whether x音's developers did it deliberately or not, but this key a method is overloaded 25 times, and the printed call stack does not show the arguments of these functions, so I could not tell which a was actually being called and had to check them one by one in the source code, which was very time-consuming!


Continuing the trace: the method com.bytedance.frameworks.baselib.network.http.cronet.impl.g.b calls the a method above, so hook it next:

Java.perform(function () {
    var G = Java.use('com.bytedance.frameworks.baselib.network.http.cronet.impl.g');
    var HttpURLConnection = Java.use('java.net.HttpURLConnection');
    var Map = Java.use('java.util.Map');
    G.b.overload("java.net.HttpURLConnection",
            "com.bytedance.frameworks.baselib.network.http.a",
            "com.bytedance.retrofit2.RetrofitMetrics").implementation = function (arg1, arg2, arg3) {
        send("=================com.bytedance.frameworks.baselib.network.http.cronet.impl.g.b====================");
        var data = this.b(arg1, arg2, arg3);
        // Print the Java call stack that led to this call
        send(Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Throwable").$new()));
        var conns = Java.cast(arg1, HttpURLConnection);
        // Note: getHeaderFields() returns the response headers of the completed
        // connection, not the request headers that were sent
        var maps = Java.cast(conns.getHeaderFields(), Map);
        var keySet = maps.keySet();
        var it = keySet.iterator();
        while (it.hasNext()) {
            var keystr = it.next().toString();
            var value = maps.get(keystr).toString();
            send(keystr + "---------" + value);
        }
        return data;
    };
});

Log from printing the first parameter: the call stack matches the earlier hook of the a method, and the parameter was printed as well, but still without the four key fields;

[*] =================com.bytedance.frameworks.baselib.network.http.cronet.impl.g.b====================
[*] java.lang.Throwable
    at com.bytedance.frameworks.baselib.network.http.cronet.impl.g.b(Native Method)
    at com.bytedance.frameworks.baselib.network.http.cronet.impl.g.a(SsCronetHttpClient.java)
    at com.bytedance.frameworks.baselib.network.http.cronet.impl.g.a(SsCronetHttpClient.java:688)
    at com.bytedance.frameworks.baselib.network.http.cronet.impl.c.execute(CronetSsCall.java:524502)
    at com.bytedance.retrofit2.CallServerInterceptor.CallServerInterceptor__executeCall$___twin___(CallServerInterceptor.java:33816611)
    at com.bytedance.retrofit2.CallServerInterceptor.com_bytedance_retrofit2_CallServerInterceptor_com_ss_android_ugc_aweme_lancet_network_NetworkUtilsLancet_executeCall(CallServerInterceptor.java:50790551)
    at com.bytedance.retrofit2.CallServerInterceptor.executeCall(CallServerInterceptor.java)
    at com.bytedance.retrofit2.CallServerInterceptor.CallServerInterceptor__intercept$___twin___(CallServerInterceptor.java:17236171)
    at com.bytedance.retrofit2.CallServerInterceptor.com_bytedance_retrofit2_CallServerInterceptor_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_intercept(CallServerInterceptor.java:33882196)
    at com.bytedance.retrofit2.CallServerInterceptor.intercept(CallServerInterceptor.java)
    at com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566)
    at com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785)
    at com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java)
    at com.ss.android.ugc.aweme.net.monitor.TTNetMonitorInterceptor.a(TTNetMonitorInterceptor.kt:17170528)
    at com.ss.android.ugc.aweme.net.monitor.TTNetMonitorInterceptor.intercept(TTNetMonitorInterceptor.kt:17170538)
    at com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566)
    at com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785)
    at com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java)
    at com.ss.android.ugc.aweme.net.interceptor.TokenSdkCommonParamsInterceptorTTNet.a(TokenSdkCommonParamsInterceptorTTNet.java:17170588)
    at com.ss.android.ugc.aweme.net.interceptor.TokenSdkCommonParamsInterceptorTTNet.intercept(TokenSdkCommonParamsInterceptorTTNet.java:17170538)
    at com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566)
    at com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785)
    at com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java)
    at com.bytedance.frameworks.baselib.network.http.retrofit.BaseSsInterceptor.BaseSsInterceptor__intercept$___twin___(BaseSsInterceptor.java:17170534)
    at com.bytedance.frameworks.baselib.network.http.retrofit.BaseSsInterceptor.com_bytedance_frameworks_baselib_network_http_retrofit_BaseSsInterceptor_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_intercept(BaseSsInterceptor.java:33882196)
    at com.bytedance.frameworks.baselib.network.http.retrofit.BaseSsInterceptor.intercept(BaseSsInterceptor.java)
    at com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566)
    at com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785)
    at com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java)
    at com.ss.android.ugc.aweme.net.interceptor.TTNetInitInterceptor.a(TTNetInitInterceptor.java:17039393)
    at com.ss.android.ugc.aweme.net.interceptor.TTNetInitInterceptor.intercept(TTNetInitInterceptor.java:17170538)
    at com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566)
    at com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785)
    at com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java)
    at com.ss.android.account.token.TTTokenInterceptor.a(TTTokenInterceptor.java:17170567)
    at com.ss.android.account.token.TTTokenInterceptor.intercept(TTTokenInterceptor.java:17170538)
    at com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566)
    at com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785)
    at com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java)
    at com.ss.android.ugc.aweme.net.interceptor.CommonParamsInterceptorTTNet.a(CommonParamsInterceptorTTNet.java:17170573)
    at com.ss.android.ugc.aweme.net.interceptor.CommonParamsInterceptorTTNet.intercept(CommonParamsInterceptorTTNet.java:17170538)
    at com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566)
    at com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785)
    at com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java)
    at com.bytedance.apm.ttnet.TTNetSampleInterceptor.a(TTNetSampleInterceptor.java:17105000)
    at com.bytedance.apm.ttnet.TTNetSampleInterceptor.intercept(TTNetSampleInterceptor.java:17170538)
    at com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566)
    at com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785)
    at com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java)
    at com.ss.android.ugc.aweme.net.interceptor.GlobalParamsAppendInterceptorTTNet.a(GlobalParamsAppendInterceptor.kt:17104997)
    at com.ss.android.ugc.aweme.net.interceptor.GlobalParamsAppendInterceptorTTNet.intercept(GlobalParamsAppendInterceptor.kt:17170538)
[*] access-control-expose-headers---------[tt-idc-switch]
[*] content-length---------[74]
[*] content-type---------[application/x-protobuf]
[*] date---------[Sat, 26 Jun 2021 11:50:26 GMT]
[*] eagleid---------[b68317a516247082263773295e]
[*] server---------[Tengine]
[*] server-timing---------[inner; dur=12, cdn-cache;desc=MISS,edge;dur=0,origin;dur=52]
[*] status---------[200]
[*] timing-allow-origin---------[*]
[*] tt-idc-switch---------[10000@20210622154328]
[*] via---------[vcache17.cn1929[52,0]]
[*] x-janus-mini-api-forward---------[Janus-Mini(fast)]
[*] x-net-info.remoteaddr---------[182.131.23.239:443]
[*] x-tt-logid---------[202106261950260101511510510F4ECCF1]
[*] x-tt-trace-host---------[01bdedeff83f2d6787af9902c14163b80034333ad6c80ed2a6b851827ee6b9cb2a3d2816e5a085f9a513c90d43e8d56122773fea0355ff04d9ad0070c0c5ea4d84ac1a94e8e7df40d802d924d79fce9ed0be64d511e290ca9d97f48274e48a0378]
[*] x-tt-trace-id---------[00-48281e7f0990b70ca848ea5ccc610468-48281e7f0990b70c-01]
[*] x-tt-trace-tag---------[id=03;cdn-cache=miss;type=dyn]

This is where it gets odd: b calls a, and a's arguments carry the key fields while b's do not, which means the four key fields are produced inside b. Looking at where b calls a, the code looks like this: the arguments passed in are taken out of a LinkedHashMap, so why not try hooking LinkedHashMap?

if (g.d != null) {
    LinkedHashMap linkedHashMa = new LinkedHashMap();
    g.d.getRequestMetrics(p0, linkedHashMa);
    if (!linkedHashMa.isEmpty()) {
        p1.b = g.a(linkedHashMa.get("remote_ip"), String.class, str);
        p1.k = g.a(linkedHashMa.get("dns_time"), Long.class, Long.valueOf(-1)).longValue();
        p1.l = g.a(linkedHashMa.get("connect_time"), Long.class, Long.valueOf(-1)).longValue();
        p1.m = g.a(linkedHashMa.get("ssl_time"), Long.class, Long.valueOf(-1)).longValue();
        p1.n = g.a(linkedHashMa.get("send_time"), Long.class, Long.valueOf(-1)).longValue();
        Object oget = linkedHashMa.get("push_time");
        p1.o = g.a(oget, Long.class, Long.valueOf(-1)).longValue();
        p1.p = g.a(linkedHashMa.get("receive_time"), Long.class, Long.valueOf(-1)).longValue();
        p1.q = g.a(linkedHashMa.get("socket_reused"), Boolean.class, Boolean.FALSE).booleanValue();
        p1.r = g.a(linkedHashMa.get("ttfb"), Long.class, Long.valueOf(-1)).longValue();
        p1.s = g.a(linkedHashMa.get("total_time"), Long.class, Long.valueOf(-1)).longValue();
        Long lOf = Long.valueOf(-1);
        p1.t = g.a(linkedHashMa.get("send_byte_count"), Long.class, lOf).longValue();
        p1.u = g.a(linkedHashMa.get("received_byte_count"), Long.class, Long.valueOf(-1)).longValue();
        p1.y = g.a(linkedHashMa.get("request_log"), String.class, str);
        p1.v = g.a(linkedHashMa.get("retry_attempts"), Long.class, Long.valueOf(-1)).longValue();
        p1.B = g.a(linkedHashMa.get("request_headers"), String.class, str);
        p1.C = g.a(linkedHashMa.get("response_headers"), String.class, str);
        long lValue = g.a(linkedHashMa.get("post_task_start"), Long.class, Long.valueOf(-1)).longValue();
        p1.E = lValue;
        p1.D = g.a(linkedHashMa.get("request_start"), Long.class, Long.valueOf(-1)).longValue();
        p1.F = g.a(linkedHashMa.get("wait_ctx"), Long.class, Long.valueOf(-1)).longValue();
    }
}

Hook code: hook LinkedHashMap's put method here to see where these four parameters get put in:

Java.perform(function () {
    // This hooks every LinkedHashMap in the process, so expect a lot of output
    var linkerHashMap = Java.use('java.util.LinkedHashMap');
    linkerHashMap.put.implementation = function (arg1, arg2) {
        send("=================linkerHashMap.put====================");
        var data = this.put(arg1, arg2);
        send(arg1 + "-----" + arg2);
        // Print the Java call stack that performed this put
        send(Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Throwable").$new()));
        /* Optional: dump the whole map after each put
        var it = this.keySet().iterator();
        while (it.hasNext()) {
            var keystr = it.next().toString();
            var value = this.get(keystr).toString();
            send(keystr + "---------" + value);
        }*/
        return data;
    };
});

  And there really was a hit: the two arguments to put were anchor_id and requestHeader, and the request header once again carried those four key fields! Moreover, this call chain is fairly short, only 8 of x音's own methods, so it could also serve as a breakthrough point!

[*] =================linkerHashMap.put====================
[*] anchor_id-----
[*] requestHeader-----{"Accept-Encoding":"gzip, deflate, br","Connection":"keep-alive","Cookie":"passport_csrf_token_default=347247bb8bea022535d3d5845482902a; n_mh=B6WRe0yd-1qIuffF6ZWNO-CSGlW1Q-VhC0E79NrqYTg; multi_sids=95063141447%3A2fb96f69aa912bdd050ef5224ffd91a8; odin_tt=abf9aade25cc87ee3389cc4dc35f9200c567179237e3d4f79743489f4502dd3f32dc4f6eef5d10d4e0cbfdba301b715f302933cba86c38dc6d38f021c9dcf9e5; uid_tt=e4b268e9345c17dc6f022a33eb8f2611; sid_tt=2fb96f69aa912bdd050ef5224ffd91a8; sessionid=2fb96f69aa912bdd050ef5224ffd91a8; sid_guard=2fb96f69aa912bdd050ef5224ffd91a8%7C1624704024%7C5184000%7CWed%2C+25-Aug-2021+10%3A40%3A24+GMT; install_id=3061500213736925; ttreq=1$0acef8b5ba94c2ca8170b47775d18de37dbdc565","Host":"api3-normal-c-hl.amemv.com","User-Agent":"com.ss.android.ugc.aweme/150501 (Linux; U; Android 6.0.1; zh_CN; KIW-AL10; Build/HONORKIW-AL10; Cronet/TTNetVersion:539f4bcf 2021-01-18 QuicVersion:47946d2a 2020-10-14)","X-Argus":"LMCny8r76r2XCL7OVkZ+mF5J5EWYW2mkjg+SX1xzpoQLLxq9iZY8GqNVD62Ho+yXztnsxCsv+/dcv+s/pT90iFGaR4KagcmXuhRZ87VqQnrhrqC+fVg5E6VGEdC78UwxXdc3paOaAT8VWZDsEL991prze6pK4MV2SGyUoSscz6xoaQvLlaswo4s4KfTKg/5NGnJOTI2nTaP4Lj6bmauZ161aekCebwm0evCpS7qiQStwzAtS8aAbo70LpJZIL7148eoEZbyVqzaDwGt+f3KLH8lTw5RGQh/+OVBRvTjf3LadkZrTSnziaHv2MrW0q/i6gPb8a5YL4oxQGL1K1/hxdqXT","X-Gorgon":"040410c4000039d311f507646d56ed8b9ed49804b96f58574e54","X-Khronos":"1624715497","X-Ladon":"zekAT73tChQ3unJOCVvBOSiso6RWwYTizaH8gd/zdZXBsMh0","X-SS-DP":"1128","X-SS-REQ-TICKET":"1624715497073","X-Tt-Token":"002fb96f69aa912bdd050ef5224ffd91a802e4321d198de0d1a3194067d529cc52050c6b753f0a1c71e9225ad278c4dc6b6205baccc1361f2a35e0d468a3a2d8f256c058c7e690a94aadfa717ad0a0dd2c6035d135be816044efcfc3fc3c9553c9cf6-1.0.1","X-Tyhon":"QE8Nf6CNAm3A6npuoat4TuOLIRGkkD967b0PEb8=","passport-sdk-version":"18","sdk-version":"2","x-bd-kmsv":"1","x-common-params-v2":"aid=1128&app_name=aweme&app_type=normal&cdid=26d986b9-5ef5-4c5d-acb3-8901740e80e4&channel=xiaomi&device_brand=HONOR&device_id=38846646916&device_pla
tform=android&device_type=KIW-AL10&dpi=480&iid=3061500213736925&language=zh&manifest_version_code=150501&openudid=ce387d9d8c8008d7&os_api=23&os_version=6.0.1&resolution=1080*1776&ssmix=a&update_version_code=15509900&uuid=860709034302591&version_code=150500&version_name=15.5.0","x-tt-dt":"AAASQMBZL62AG5YQGHSRITTNU25H2Q7Z34GY4L3K2BKFMRGLUKSSBZMTOQDTDJCX6E4OOZ7RQZY4YE3A55BHQOTBLMERJ6AAA7P4KP2C6X65ZQHQ5OLWN6ON23JXO2EHBJPPBHAVVB5YK2MSLIM2HMI","x-tt-trace-id":"00-489712070990b70ca8427f20a4b20468-489712070990b70c-01"}
[*] java.lang.Throwable
    at java.util.HashMap.put(Native Method)
    at com.ss.android.ugc.aweme.at.d.a(BaseMetricsEvent.java:50855968)
    at com.ss.android.ugc.aweme.at.bd.a(VideoPlayFinishEvent.java:524314)
    at com.ss.android.ugc.aweme.at.d.d(BaseMetricsEvent.java:196628)
    at com.ss.android.ugc.aweme.at.d.e(BaseMetricsEvent.java:327697)
    at com.ss.android.ugc.aweme.feed.controller.c.a(DouyinPlayerController.java:34210466)
    at com.ss.android.ugc.aweme.feed.controller.c.a(DouyinPlayerController.java:471)
    at com.ss.android.ugc.aweme.feed.controller.t.e(PlayerController.java:17170549)
    at com.ss.android.ugc.aweme.player.sdk.b.f$2$15.run(SimplifyPlayerImpl.java:196631)
    at android.os.Handler.handleCallback(Handler.java:743)
    at android.os.Handler.dispatchMessage(Handler.java:95)
    at android.os.Looper.loop(Looper.java:150)
    at android.app.ActivityThread.main(ActivityThread.java:5621)
    at java.lang.reflect.Method.invoke(Native Method)
    at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:794)
    at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:684)

  Continuing along the first lead, the call turns up here: in Response response1 = new Response(sUrl, ia, object.b.getResponseMessage(), c.a(object.b), result), the 4th argument c.a(object.b) calls method a to parse the headers, which means the headers have already been assembled at this point; what needs close tracking is how object.b is obtained! (This execute method also calls several other overloads of g.a multiple times; this should be the confirmed place where the GET request is sent.)

try{    
                int ia = g.a(object.f, object.b);
                object.c.g = System.currentTimeMillis();
                object.c.j = -1;
                object.e = g.a(object.b, object.c, ia);
                object.m = g.a(object.b, "Content-Type");
                if (object.f.isResponseStreaming()) {    
                   byte vb = ((sa = g.a(object.b, "Content-Encoding")) != null && "gzip".equalsIgnoreCase(sa))? 1: 0;    
                   if (c.l != null && c.l.isCronetHttpURLConnection(object.b)) {    
                      vb = 0;
                   }    
                   if (ia < 200 || ia < 300 || g.a(object.c)) {    
                      HttpURLConnection b = object.b;
                      objectArray1 = new Object[2];
                      objectArray1[vi] = b;
                      objectArray1[vi1] = Byte.valueOf(vb);
                      PatchProxyResult pproxy1 = PatchProxy.proxy(objectArray1, object, c.a, vi, 112469);
                      if (pproxy1.isSupported) {    
                         Object result = pproxy1.result;
                      }else if(b == null){        
                      label_010a :
                         Response response1 = new Response(sUrl, ia, object.b.getResponseMessage(), c.a(object.b), result);
                         v3.setExtraInfo(object.c);
                         if (!object.f.isResponseStreaming()) {    
                            g.a(object.b);
                         }    
                         if (!object.f.isResponseStreaming() && vi2) {    
                            e.b().d();
                         }    
                         return v3;
                      }else if(!b.getContentLength()){        
                         this.cancel();
                         goto label_010a ;    
                      }else {    
                         c$1 u1 = new c$1(object, b, vb);
                         goto label_010a ;    
                      }    
                   }

  A digression here: the key class com.bytedance.frameworks.baselib.network.http.cronet.impl.g.a imports the JSONObject class, which makes sense on reflection: with this many fields, a JSON string is the most suitable way to organize them. So I immediately hooked that class's put and toString methods; the code is as follows:

var JSONObject = Java.use('org.json.JSONObject');
    JSONObject.toString.overload().implementation = function(){
        send("=================org.json.JSONObject.toString====================");
        // print who is serializing the JSONObject, then the serialized result
        send(Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Throwable").$new()));
        var data = this.toString();
        send("org.json.JSONObject.toString result:" + data);
        return data;
    }
    // hook every put(String, X) overload so that no key/value pair is missed
    JSONObject.put.overloads.forEach(function(overload){
        overload.implementation = function(key, value){
            send("=================org.json.JSONObject.put====================");
            send(Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Throwable").$new()));
            send("key:" + key);
            send("value:" + value);
            return overload.call(this, key, value);   // always forward to this exact overload
        };
    });

  The result was disappointing: many fields starting with X- were found (X-SS-DP, X-SS-REQ-TICKET, X-Tt-Token, x-tt-dt, etc.), but none of the four, X-Ladon, X-Gorgon, X-Tyhon and X-Argus! This points to something else: x音's developers anticipated that this spot might be intercepted, so these four fields are most likely generated and assembled in the so layer before being handed to the Java layer! Clever, very clever! What's more, testing on a phone and on an emulator traced different function calls; my guess is that the two follow different flows. Impressive once again!

  At this point many Java-layer methods have been hooked and the key fields printed, but I still have not found which so generates them, which means the earlier approach was flawed and needs rethinking!

  2. We often hear about dynamically loading so libraries, which is easy to understand: just call System.loadLibrary! But have you heard of dynamically loading dex? The code that generates these four encrypted fields cannot be found, so it must have been deliberately hidden (a correct but useless statement)! To hide this code better, could it also be dynamically loaded? Since every previous search approach failed, the only option left is to try this one as a last resort!

  Going to the /data/data/com.ss.android.ugc.aweme directory, which holds a lot of the app's temporary runtime data; while going through it entry by entry, I found an app_dex directory, as follows:


    This directory actually contains a dex, which is odd: why isn't this dex in the apk package? Why does it show up here? Anything abnormal is suspicious! Pulling this dex out, I found a method that loads so libraries!


   So I hooked this method and found that the earliest loaded so files are these two: libsscronet.so and libmetasec_ml.so! What is suspicious about these two so files:

  • Their load order is clearly earlier than the other so files! Remember: these four key fields are involved in server-side verification, and every request the client sends must carry them! If the code were loaded too late there would be no time to compute them, and the client's requests could not carry these key fields.
  • In the call stack, some classes are named preload, i.e., loaded in advance! This shows these two so files are deliberately loaded early!


  (1) First open metasec_ml; JNI_OnLoad was found without trouble, but pressing F5 to view the decompiled source gave the following prompt:


  Entering the function, it starts by pushing onto the stack and reserving 0x108 bytes of local variable space:


   By the end of the function there is no pop instruction at all; the stack isn't even balanced!


      Could it be that anti-IDA code was deliberately compiled in statically (i.e., a packer)? If so, it would surely be restored at run time, so I went on to dump this so from memory and open it in IDA, which still reported an error: the so file's header had been destroyed (one of the common anti-debugging tricks on Windows used to be wiping the DLL header information after loading the DLL; I didn't expect to run into it here)!
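The "header destroyed" error IDA reports can be reproduced and diagnosed offline. The Python check below is an added example, not part of the original post or of the tools it mentions: it validates the ELF header fields against the image size, which is the first thing a loader or disassembler does, so a dump whose header has been zeroed or made inconsistent is rejected. The sample image it builds is constructed, not taken from libmetasec_ml.so.

```python
import struct

# ELF header layout after the 16-byte e_ident: (struct format, e_ehsize, e_phentsize, e_shentsize)
ELF_LAYOUT = {1: ("<HHIIIIIHHHHHH", 52, 32, 40),   # ELFCLASS32
              2: ("<HHIQQQIHHHHHH", 64, 56, 64)}   # ELFCLASS64

def check_elf_header(image):
    """Return the header problems found in a little-endian ELF image; [] means it is consistent."""
    if len(image) < 52 or image[:4] != b"\x7fELF":
        return ["no ELF magic: header overwritten, or not an ELF image"]
    if image[4] not in ELF_LAYOUT:
        return ["invalid EI_CLASS %d" % image[4]]
    fmt, ehsize, phentsize, shentsize = ELF_LAYOUT[image[4]]
    if image[5] != 1:
        return ["EI_DATA %d: only little-endian images are handled here" % image[5]]
    if len(image) < ehsize:
        return ["image shorter than the %d-byte ELF header" % ehsize]
    (e_type, _machine, _version, _entry, e_phoff, e_shoff, _flags, e_ehsize,
     e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx) = struct.unpack_from(fmt, image, 16)
    problems = []
    if e_type != 3:
        problems.append("e_type %d is not ET_DYN (3), which a shared library must be" % e_type)
    if e_ehsize != ehsize:
        problems.append("e_ehsize %d, expected %d" % (e_ehsize, ehsize))
    if e_phnum and (e_phentsize != phentsize or e_phoff + e_phnum * phentsize > len(image)):
        problems.append("program header table (offset 0x%x, %d entries) out of range" % (e_phoff, e_phnum))
    if e_shnum and (e_shentsize != shentsize or e_shoff + e_shnum * shentsize > len(image)):
        problems.append("section header table (offset 0x%x, %d entries) out of range" % (e_shoff, e_shnum))
    if e_shnum and e_shstrndx >= e_shnum:
        problems.append("e_shstrndx %d points outside the section table" % e_shstrndx)
    return problems

def build_sample_so(e_shoff=0x1000, e_shnum=10):
    """Constructed ELF64/AArch64 ET_DYN image: valid header plus zero padding (not a real library)."""
    header = struct.pack("<4sBBBBBxxxxxxxHHIQQQIHHHHHH",
                         b"\x7fELF", 2, 1, 1, 0, 0,     # e_ident: ELFCLASS64, LSB, EV_CURRENT, SYSV ABI
                         3, 0xB7, 1,                    # e_type ET_DYN, e_machine EM_AARCH64, e_version
                         0x1000, 64, e_shoff,           # e_entry, e_phoff, e_shoff
                         0, 64, 56, 2, 64, e_shnum, 9)  # e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    return header + b"\0" * (0x1000 + 10 * 64 - len(header))

if __name__ == "__main__":
    print("intact :", check_elf_header(build_sample_so()))
    print("wiped  :", check_elf_header(b"\0" * 64 + build_sample_so()[64:]))   # header zeroed in memory
    print("damaged:", check_elf_header(build_sample_so(e_shoff=1 << 40)))      # e_shoff far past the dump's end
```

The same check run on a real memory dump tells you which field the disassembler is tripping over, which distinguishes a wiped header from a dump that merely needs its load offsets reconciled.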


   It seems the static analysis route is blocked; next up is dynamic debugging, or frida hooks, to see what the key functions inside, their arguments and return values actually are!

References:

1. https://www.jianshu.com/p/ca5117e1a0a1  Implementing dynamic loading of dex, res and so on Android
