Android reverse engineering: packet-capture analysis of Douyin Lite (dy急速版) device registration

This post walks through capturing and analysing the device-registration flow of Douyin Lite on Android with Xposed and jadx. The capture reveals the device_register request; the post then looks at how its encrypted parameters are handled and how a hook can be used to send the data request unencrypted, and closes with the result of replaying the request and a possible follow-up topic: device activation.


Douyin Lite device registration analysis

Environment used

1. Packet capture:

When Douyin is installed on a phone for the first time, it registers the device and activates the device number. When the following dialog appears, tap OK and the packets carrying Douyin's registration data can be captured.


Among the captured packets, note these requests: parameters are passed from one request to the next.

This is the device registration request, device_register. The POST body is encrypted, so it is not directly readable (though occasionally it shows up in the clear when testing on an emulator).

POST https://ib.snssdk.com/service/2/device_register/?device_id=686536891052717&ac=wifi&mac_address=DC%3AEE%3A06%3A17%3A77%3AE6&channel=wandoujia_douyinjisu_1&aid=2329&app_name=douyin_lite&version_code=100900&version_name=10.9.0&device_platform=android&ssmix=a&device_type=Nexus+6P&device_brand=google&language=zh&os_api=23&os_version=6.0.1&openudid=8993f428546899d9&manifest_version_code=100900&resolution=1440*2392&dpi=560&update_version_code=10909900&_rticket=1623745015024&ts=1623745014&app_type=normal&cdid=08dfe8e0-7405-479b-b001-37738fe449e1&tt_data=a&os_api=23&device_type=Nexus%206P&device_platform=android&ssmix=a&manifest_version_code=100900&dpi=560&version_code=100900&mac_address=DC%3AEE%3A06%3A17%3A77%3AE6&app_name=douyin_lite&cdid=08dfe8e0-7405-479b-b001-37738fe449e1&version_name=10.9.0&ts=1623745015&openudid=8993f428546899d9&device_id=686536891052717&resolution=1440*2392&os_version=6.0.1&language=zh&device_brand=google&app_type=normal&ac=wifi&update_version_code=10909900&aid=2329&channel=wandoujia_douyinjisu_1&_rticket=1623745015056 HTTP/1.1
Host: ib.snssdk.com
Connection: keep-alive
Content-Length: 1078
X-SS-REQ-TICKET: 1623745015049
sdk-version: 1
Content-Type: application/octet-stream;tt-data=a
X-SS-STUB: FAEF1DCF3C34ECF7F8285AD633EB81AE
x-tt-trace-id: 00-0ebeb1bc0102eb222e0e4fc35a610000-0ebeb1bc0102eb22-01
User-Agent: com.ss.android.ugc.aweme.lite/100900 (Linux; U; Android 6.0.1; zh_CN; Nexus 6P; Build/MTC20L; Cronet/TTNetVersion:4df3ca9d 2019-11-25)
Accept-Encoding: gzip, deflate
X-Gorgon: 0404e8a400057c4953b55eb276cee98f25f0a078359cb99277d3
X-Khronos: 1623745015

tc     ľӚ K _) A   (   I  <     0 M    $       Ѯ )3O Р 	3&   0 5 2  0*Վ     0   ɠ:   {  2 ̰Į䭏e\ D J   b ! cAiݷJ f "

*** FIDDLER: RawDisplay truncated at 128 characters. Right-click to disable truncation. ***

Since the body is encrypted, nothing can be made out of it.
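One detail in the captured request line above is worth flagging before looking at the ciphertext: almost the entire parameter set appears twice in the query string, and two of the repeated keys (ts and _rticket) carry different values, while device_type is encoded once as Nexus+6P and once as Nexus%206P. Which copy a server acts on depends on its parser, so repeated keys are something to check for when reviewing any capture. The script below is an added example, not code from the original post: it embeds the captured request line as a constant, reports repeated and conflicting keys after decoding, and shows how a first-wins and a last-wins parser would disagree on ts.

```python
from urllib.parse import urlsplit, parse_qsl

# The request line of the device_register POST captured above, embedded for
# offline analysis (added example; the URL is copied from the capture, the
# analysis code is not part of the original post).
CAPTURED_URL = (
    "https://ib.snssdk.com/service/2/device_register/?"
    "device_id=686536891052717&ac=wifi&mac_address=DC%3AEE%3A06%3A17%3A77%3AE6"
    "&channel=wandoujia_douyinjisu_1&aid=2329&app_name=douyin_lite&version_code=100900"
    "&version_name=10.9.0&device_platform=android&ssmix=a&device_type=Nexus+6P"
    "&device_brand=google&language=zh&os_api=23&os_version=6.0.1&openudid=8993f428546899d9"
    "&manifest_version_code=100900&resolution=1440*2392&dpi=560&update_version_code=10909900"
    "&_rticket=1623745015024&ts=1623745014&app_type=normal"
    "&cdid=08dfe8e0-7405-479b-b001-37738fe449e1&tt_data=a"
    "&os_api=23&device_type=Nexus%206P&device_platform=android&ssmix=a"
    "&manifest_version_code=100900&dpi=560&version_code=100900"
    "&mac_address=DC%3AEE%3A06%3A17%3A77%3AE6&app_name=douyin_lite"
    "&cdid=08dfe8e0-7405-479b-b001-37738fe449e1&version_name=10.9.0&ts=1623745015"
    "&openudid=8993f428546899d9&device_id=686536891052717&resolution=1440*2392"
    "&os_version=6.0.1&language=zh&device_brand=google&app_type=normal&ac=wifi"
    "&update_version_code=10909900&aid=2329&channel=wandoujia_douyinjisu_1"
    "&_rticket=1623745015056"
)


def query_pairs(url):
    """Decoded (key, value) pairs in wire order; '+' and %XX are decoded here,
    so 'Nexus+6P' and 'Nexus%206P' both come back as 'Nexus 6P'."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def repeated_params(url):
    """{key: [values in wire order]} for every key that occurs more than once."""
    seen = {}
    for key, value in query_pairs(url):
        seen.setdefault(key, []).append(value)
    return {k: vs for k, vs in seen.items() if len(vs) > 1}


def conflicting_params(url):
    """Repeated keys whose decoded values do not all agree: the ambiguous ones,
    where parser choice (first or last copy) changes what the server sees."""
    return {k: vs for k, vs in repeated_params(url).items() if len(set(vs)) > 1}


def first_wins(url):
    """What a parser that keeps the first occurrence of each key would see."""
    view = {}
    for key, value in query_pairs(url):
        view.setdefault(key, value)
    return view


def last_wins(url):
    """What a parser that keeps the last occurrence would see (dict() does this)."""
    return dict(query_pairs(url))


if __name__ == "__main__":
    print(len(query_pairs(CAPTURED_URL)), "pairs,",
          len(repeated_params(CAPTURED_URL)), "keys repeated")
    for key, values in conflicting_params(CAPTURED_URL).items():
        print("conflict:", key, values)
    print("ts first-wins:", first_wins(CAPTURED_URL)["ts"],
          "last-wins:", last_wins(CAPTURED_URL)["ts"])
```

On this capture, 24 of the 25 keys are repeated (tt_data is the only one sent once), and only ts and _rticket conflict after decoding; a first-wins parser reads ts as 1623745014 while a last-wins parser reads 1623745015.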

2. Source code analysis:

Open the APK in jadx and search globally for device_register; the results look like the following. Step into the device_register request and take a look.

Class a here is an inner class, declared as class a extends Thread, so it also runs on its own thread.

Step into the sendEncryptLog method, which does the encryption.

Using a hook script, examine its parameters:

[*] v1 :https://log.snssdk.com/service/2/device_register/?ac=wifi&mac_address=DC%3AEE%3A06%3A17%3A77%3AE6&channel=wandoujia_douyinjisu_1&aid=2329&app_name=douyin_lite&version_code=100900&version_name=10.9.0&device_platform=android&ssmix=a&device_type=Nexus+6P&device_brand=google&language=zh&os_api=23&os_version=6.0.1&openudid=1bfa1339f238c042&manifest_version_code=100900&resolution=1440*2392&dpi=560&update_version_code=10909900&_rticket=1623838351939&ts=1623838351&app_type=normal&cdid=899f8a7f-ae6d-49cd-b910-48114ca8f701
[*] v2 :{"magic_tag":"ss_app_log","header":{"display_name":"抖音极速版","update_version_code":10909900,"manifest_version_code":100900,"app_version_minor":"","aid":2329,"channel":"wandoujia_douyinjisu_1","appkey":"5d5a7666570df39cc40005a7","package":"com.ss.android.ugc.aweme.lite","app_version":"10.9.0","version_code":100900,"sdk_version":"2.13.0-rc.2","sdk_target_version":29,"git_hash":"a74dfe1e","os":"Android","os_version":"6.0.1","os_api":23,"device_model":"Nexus 6P","device_brand":"google","device_manufacturer":"Huawei","cpu_abi":"armeabi-v7a","build_serial":"84B5T16111000553","release_build":"c17f5d1_20200720","density_dpi":560,"display_density":"mdpi","resolution":"2392x1440","language":"zh","mc":"DC:EE:06:17:77:E6","timezone":8,"access":"wifi","not_request_sender":0,"rom":"EMUI-3230295","rom_version":"MTC20L","cdid":"899f8a7f-ae6d-49cd-b910-48114ca8f701","sig_hash":"aea615ab910015038f73c47e45d21466","openudid":"1bfa1339f238c042","clientudid":"dc924d67-5dad-45bc-b541-57253e1cd31a","serial_number":"84B5T16111000553","sim_serial_number":[],"region":"CN","tz_name":"Asia\/Shanghai","tz_offset":28800,"oaid_may_support":false,"req_id":"23db36c1-df6b-4ada-9600-c9f7053bffcd","custom":{"filter_warn":0,"web_ua":"Mozilla\/5.0 (Linux; Android 6.0.1; Nexus 6P Build\/MTC20L; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/44.0.2403.117 Mobile Safari\/537.36"},"apk_first_install_time":1623744772648,"is_system_app":0,"sdk_flavor":"china"},"_gen_time":1623838351891}
[*] v3 :com.ss.android.ugc.aweme.app.host.HostApplication@17095a6
[*] v4 :false

The first parameter is the request URL. The second parameter is the value that gets encrypted, which is what shows up as unreadable bytes in the capture:

{
    "magic_tag":"ss_app_log",
    "header":{
        "display_name":"抖音极速版",
        "update_version_code":10909900,
        "manifest_version_code":100900,
        "app_version_minor":"",
        "aid":2329,
        "channel":"wandoujia_douyinjisu_1",
        "appkey":"5d5a7666570df39cc40005a7",
        "package":"com.ss.android.ugc.aweme.lite",
        "app_version":"10.9.0",
        "version_code":100900,
        "sdk_version":"2.13.0-rc.2",
        "sdk_target_version":29,
        "git_hash":"a74dfe1e",
        "os":"Android",
        "os_version":"6.0.1",
        "os_api":23,
        "device_model":"Nexus 6P",
        "device_brand":"google",
        "device_manufacturer":"Huawei",
        "cpu_abi":"armeabi-v7a",
        "build_serial":"84B5T16111000553",
        "release_build":"c17f5d1_20200720",
        "density_dpi":560,
        "display_density":"mdpi",
        "resolution":"2392x1440",
        "language":"zh",
        "mc":"DC:EE:06:17:77:E6",
        "timezone":8,
        "access":"wifi",
        "not_request_sender":0,
        "rom":"EMUI-3230295",
        "rom_version":"MTC20L",
        "cdid":"899f8a7f-ae6d-49cd-b910-48114ca8f701",
        "sig_hash":"aea615ab910015038f73c47e45d21466",
        "openudid":"1bfa1339f238c042",
        "clientudid":"dc924d67-5dad-45bc-b541-57253e1cd31a",
        "serial_number":"84B5T16111000553",
        "sim_serial_number":[

        ],
        "region":"CN",
        "tz_name":"Asia\/Shanghai",
        "tz_offset":28800,
        "oaid_may_support":false,
        "req_id":"23db36c1-df6b-4ada-9600-c9f7053bffcd",
        "custom":{
            "filter_warn":0,
            "web_ua":"Mozilla\/5.0 (Linux; Android 6.0.1; Nexus 6P Build\/MTC20L; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/44.0.2403.117 Mobile Safari\/537.36"
        },
        "apk_first_install_time":1623744772648,
        "is_system_app":0,
        "sdk_flavor":"china"
    },
    "_gen_time":1623838351891
}

Returned data:

{"new_user":0,"device_token":"AAA6EC2LC3PMC6YDKTRJ3RIFS5BGXAJLBS75BRJONJNL2KHZPE524UZSTZU27LW6QWIUOI6BWNMCDMZJIH6VWXSAWURVFJR5JW2XV2DCOI2UQB6A4VLPLUGUVEDCO","server_time":1623838354,"device_id":686536891052717,"install_id":2797623686211224,"device_id_str":"686536891052717","install_id_str":"2797623686211224"}
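The hook output shows that the identifiers in the URL query (openudid, cdid, device_type, resolution, mac_address and so on) are repeated inside the plaintext header, and that the query's ts agrees with the body's _gen_time. That redundancy is what a registration backend, or an analyst reviewing captures, can use to spot a replayed or hand-built request in which one side was edited and the other was not. The script below is an added example, not the app's or the original post's code: it embeds the v1 URL and an excerpt of the v2 header from the hook output above as constructed sample input, cross-checks the two sides field by field, and returns the names of any fields that disagree. The field mapping and the 60-second clock-skew tolerance are assumptions made for the example.

```python
import copy
import json
from urllib.parse import urlsplit, parse_qsl

# Constructed sample input: the v1 URL printed by the hook, and an excerpt of the
# v2 plaintext header limited to the fields this check compares (added example,
# not code from the original post).
HOOKED_URL = (
    "https://log.snssdk.com/service/2/device_register/?"
    "ac=wifi&mac_address=DC%3AEE%3A06%3A17%3A77%3AE6&channel=wandoujia_douyinjisu_1"
    "&aid=2329&app_name=douyin_lite&version_code=100900&version_name=10.9.0"
    "&device_platform=android&ssmix=a&device_type=Nexus+6P&device_brand=google"
    "&language=zh&os_api=23&os_version=6.0.1&openudid=1bfa1339f238c042"
    "&manifest_version_code=100900&resolution=1440*2392&dpi=560"
    "&update_version_code=10909900&_rticket=1623838351939&ts=1623838351"
    "&app_type=normal&cdid=899f8a7f-ae6d-49cd-b910-48114ca8f701"
)

HOOKED_BODY = json.loads("""{
  "magic_tag": "ss_app_log",
  "header": {
    "aid": 2329, "channel": "wandoujia_douyinjisu_1", "app_version": "10.9.0",
    "version_code": 100900, "manifest_version_code": 100900,
    "update_version_code": 10909900, "os_version": "6.0.1", "os_api": 23,
    "device_model": "Nexus 6P", "device_brand": "google", "density_dpi": 560,
    "resolution": "2392x1440", "language": "zh", "mc": "DC:EE:06:17:77:E6",
    "access": "wifi", "cdid": "899f8a7f-ae6d-49cd-b910-48114ca8f701",
    "openudid": "1bfa1339f238c042"
  },
  "_gen_time": 1623838351891
}""")


def _dims(value):
    # "1440*2392" in the query and "2392x1440" in the body describe the same screen
    return frozenset(str(value).replace("x", "*").split("*"))


# (query key, header key, normaliser applied to both sides) -- an assumed mapping
# built from the hook output above, not a documented schema.
FIELD_MAP = [
    ("aid", "aid", str), ("channel", "channel", str),
    ("version_name", "app_version", str), ("version_code", "version_code", str),
    ("manifest_version_code", "manifest_version_code", str),
    ("update_version_code", "update_version_code", str),
    ("os_version", "os_version", str), ("os_api", "os_api", str),
    ("device_type", "device_model", str), ("device_brand", "device_brand", str),
    ("dpi", "density_dpi", str), ("language", "language", str),
    ("ac", "access", str), ("cdid", "cdid", str), ("openudid", "openudid", str),
    ("mac_address", "mc", str), ("resolution", "resolution", _dims),
]


def cross_check(url, body, max_clock_skew_s=60):
    """Return the sorted query-key names whose value disagrees with the body
    header, or is missing on either side; 'ts' is added when the query timestamp
    drifts more than max_clock_skew_s (assumed tolerance) from _gen_time."""
    query = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    header = body["header"]
    mismatches = []
    for qkey, hkey, norm in FIELD_MAP:
        if qkey not in query or hkey not in header:
            mismatches.append(qkey)
        elif norm(query[qkey]) != norm(header[hkey]):
            mismatches.append(qkey)
    gen_s = body["_gen_time"] // 1000          # _gen_time is in milliseconds
    if abs(int(query.get("ts", 0)) - gen_s) > max_clock_skew_s:
        mismatches.append("ts")
    return sorted(mismatches)


def tampered_copy(body, **header_changes):
    """Constructed variant of a body with some header fields altered, used only
    to show that an edited side is detected."""
    altered = copy.deepcopy(body)
    altered["header"].update(header_changes)
    return altered


if __name__ == "__main__":
    print("as captured:", cross_check(HOOKED_URL, HOOKED_BODY))
    edited = tampered_copy(HOOKED_BODY, openudid="0000000000000000", device_model="Pixel 3")
    print("edited body:", cross_check(HOOKED_URL, edited))
```

For the hook output as captured the check returns an empty list; a body whose openudid and device_model were edited without touching the URL is reported as ["device_type", "openudid"], and a body whose _gen_time is an hour away from the query's ts is reported as ["ts"].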

Step into the data-processing function, the b.a method.

Then step into the EncryptorUtil.a method.

Back at the place where the data is encrypted and the request is sent, the return value is received in str2.

If this path can throw an exception, the request is apparently sent with the raw data directly: bytes never pass through sendEncryptLog for encryption before the request goes out.

So by hooking the sendEncryptLog method and setting its second parameter to null, encryption fails and the request is sent with the unencrypted data.

3. Simulating the request

Knowing the request and its parameters, replay the request in code.

Returned result:

{"server_time":1626424971,"device_id":1671701443648477,"install_id":2885593786762167,"device_id_str":"1671701443648477","install_id_str":"2885593786762167","new_user":0,"device_token":"AAAUNJR6NA236Y3NWNMWAB25ANK7W4FTRK7MPCQYISLUOA4BU7X3ELL6VRD3IHXBPR76HCQ3L7DC32OGKLJYVSXSZ7S3RH4OQTM7RTPO7QDQMBQMDSBZ5LL4JQP3Y"}

Some requests only work after the device has been activated again.

Next post: activation after registration.
