3.1 淘宝 TV
rca.rc.tvtaobao==9.1.1
抓包没有什么限制,打开 postern
就可以抓到包,很简单,发现加密参数还蛮多的。
curl -H "x-sgext: JAGQn136Ur5wUbxOiiJpb5%2Bhr6Gvp7yhraamobylrw%3D%3D" -H "x-bx-version: 6.5.23" -H "f-refer: mtop" -H "x-ttid: 2016060315%40tvtaobao_android_9.1.1" -H "x-app-ver: 9.1.1" -H "x-sign: azQTJB003xAAL0Psbcg2OkMderywz0PvQ%2FfMuXybwOQQoQPy61vwI1WLY8cknGF11U%2FyVtus%2FDgwpYfjE9YHqJHYkn9D30PvQ99D70" -H "x-c-traceid: Y%2FWIAQz9vSMDAFudGh6vu27P16770452860320050112691" -H "x-nettype: WIFI" -H "x-pv: 6.3" -H "x-nq: WIFI" -H "x-features: 27" -H "x-app-conf-v: 0" -H "x-umt: NOQB2otLPMFmQgKGdzIpqWoLG5mEO%2F13" -H "x-mini-wua: HHnB_K9l9td82gO9%2B1Cfa%2FBhKlMjRW8psK2QoBziGlT%2F14M9Msf7AT0lN6Ne2o5lAdxcjO0W9%2Btl0Y4d5iYTQV1BCrILnfq1riMcsTOuMNRNtqKdNFJgNdtZy5haZjGVFgNmYb09y81VwtZAHXa7ZHoND5w%3D%3D" -H "x-utdid: Y%2FWIAQz9vSMDAFudGh6vu27P" -H "x-appkey: 23039499" -H "content-type: application/x-www-form-urlencoded;charset=UTF-8" -H "x-devid: Aga6nIecbED0H3CuX91_GEQIBoSfmVX_gZraLQOXMoMb" -H "x-t: 1677045286" -H "user-agent: MTOPSDK%2F3.1.1.7+%28Android%3B8.1.0%3BHuawei%3BNexus+6P%29" -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -H "Host: acs.m.taobao.com" --data-binary 
"wua=QnR0_myt0XBlt3hSpcMv4FKoJl5DetGPLFPhC034ALNtIWK26szdAKf9cLLhCDXn9htrYoVoy0A%2FrigDIaLrUvd%2F%2B9GYtmDwRf94RbdXNBEtzrzXCU2%2Fg5fda%2FB26OpVXAyK4kDoF5pqKW7Pwu5vPHCbzq0IY5oR2OOvP9C1hpY0E%2BeyXKD4agbMBfgimk8Blf56uFfHDRonG%2FR4Ir2H%2Be00ACdv4vQbnVYDIub2PFNruCBkjay00Pt%2BrM%2FZPCspY6BHPdrUB1EBIDidT4iJy7fruBmIlT%2BiwitT%2FAqnpBmMKojjMvhBkFVhRuwmFw%2FQeDoliQdW4TkLfXXOWbpXz2oovB%2FmFXkILsPBmiYy%2FmZh77wtfHVxMaW51HBfrkkC1fKcdpw0W9cdfX1s4rfWssU7Mdu1vATsBeP%2F%2FFEoPKwHhl6w%3D&data=%7B%22extParams%22%3A%22%7B%5C%22uuid%5C%22%3A%5C%2232CF0BD8B69435E2FAADECD2CCD0D3FC%5C%22%2C%5C%22wua%5C%22%3A%5C%22QnR0_Wka58eaCnHe%2Brn4Gp3e42etJGnfjuF6mJVPSDV5NzQKg%5C%5C%2FH8WGWuynqAIgKPTdJRS1RLlO%5C%5C%2F4ymHhxb8t0ObJsHLpncDJAwp32uVfv3Imap0Yljnd54zKeY6xTn9qIca6Ca3xNCCUA0WbRggp0YO0s1TsJf5nGhZS7%2BHhffDh0lg4ds21W42hyeWfR5wR3y0tOZlhxIgL1QUMbuNpcJSu3p6I2kQq2b101gaqwHAB65czXsup7YfHPtC4JHy%5C%5C%2FYnQ1pP9HJB9%2BaNUT%2BjR51KBxHB5%2BTe9ExLj5koOnZUgcWdQOviXGdlNxj0WUL36Yc7CUt%2BUb1ubTbRdDqbo%2BGBmxHkdYgTbkfIRaFjitjZBDu59hV7v2MbMWJHKOBAEYb8ZEHR05wYXtixAr%2BoJamSPyrTgj7uUNDkYkDfqtBKRMWuGA%3D%5C%22%2C%5C%22utdid%5C%22%3A%5C%22Y%5C%5C%2FWIAQz9vSMDAFudGh6vu27P%5C%22%2C%5C%22umtoken%5C%22%3A%5C%22NOQB2otLPMFmQgKGdzIpqWoLG5mEO%5C%5C%2F13%5C%22%2C%5C%22zpDid%5C%22%3A%5C%22umid_WV600015d63f4261320212cb68347706c%5C%22%2C%5C%22augurZpUid%5C%22%3A%5C%2224377532673%5C%22%2C%5C%22versionName%5C%22%3A%5C%229.1.1%5C%22%2C%5C%22appkey%5C%22%3A%5C%222016060315%5C%22%2C%5C%22isSimulator%5C%22%3Afalse%2C%5C%22subkey%5C%22%3A%5C%22%5C%22%2C%5C%22userAgent%5C%22%3A%5C%22android+8.1.0%5C%22%2C%5C%22mac%5C%22%3A%5C%22MAC020000000000%5C%22%2C%5C%22platform%5C%22%3A%5C%22APK%5C%22%2C%5C%22sdkVersion%5C%22%3A%5C%225.6.56%5C%22%7D%22%2C%22pageSize%22%3A%2220%22%2C%22sellerId%22%3A%222211979812785%22%2C%22shopId%22%3A%22235172504%22%2C%22pageNo%22%3A%221%22%2C%22categoryId%22%3A%221605234263%22%7D" --compressed "https://acs.m.taobao.com/gw/mtop.taobao.tvtao.shop.queryshopitem/1.0/"
先用 jadx
逆向 app
,直接搜索关键参数 x-sign
, 发现只有 5 个
点进去逐个分析,发现了疑似加密的地方
在这个文件中我们还发现了好几个加签方法,猜测这里就是加密的地方了!
为了验证一下,我们先使用 frida hook
一下 getUnifiedSign
,代码如下:
// rca.rc.tvtaobao
/**
 * Install a logging wrapper around mtopsdk.security.InnerSignImpl.getUnifiedSign.
 *
 * Each call prints a banner, the five arguments, the value returned by the
 * original method and the current Java call stack, then returns the original
 * result unchanged. The console output therefore contains the request
 * parameters that were signed and the resulting signature value.
 */
function main() {
  Java.perform(() => {
    const signImpl = Java.use("mtopsdk.security.InnerSignImpl");

    signImpl.getUnifiedSign.implementation = function (params, ext, appKey, authCode, useWua) {
      console.log("****************************mtopsdk.security.InnerSignImpl.getUnifiedSign***************");

      // Log the arguments in declaration order, one line each.
      const labelled = [
        ["params=>", params],
        ["ext=>", ext],
        ["appKey=>", appKey],
        ["authCode=>", authCode],
        ["useWua=>", useWua],
      ];
      for (const [prefix, value] of labelled) {
        console.log(prefix + value);
      }

      // Delegate to the original implementation and keep its result.
      const ret = this.getUnifiedSign(params, ext, appKey, authCode, useWua);
      console.log('ret=>' + ret);

      // Print the Java stack so the caller of getUnifiedSign can be identified.
      const Log = Java.use("android.util.Log");
      const here = Java.use("java.lang.Throwable").$new();
      console.log(Log.getStackTraceString(here));

      return ret;
    };
  });
}
// Install the hook 2000 ms after the script is loaded.
// NOTE(review): presumably the delay gives the app time to load
// mtopsdk.security.InnerSignImpl before Java.use is called; confirm.
setTimeout(main, 2000);
发现已经找到加密入口了!跟一下源码就找到了实际的加密入口:
但是当我们点进去 getSecurityFactors
里面却发现仅仅是一个接口,所以我们看看是否有实现这个接口的类!发现没有实现的地方,所以猜测是动态加载的!
加密的 data
里面看起来像一个 json
,里面还有一个 wua
, 那就先不管,先 hook
一下 hashMap
看看,代码如下:
// Handle to java.util.HashMap.
// NOTE(review): as shown, this snippet has no Java.perform wrapper; presumably
// it is pasted inside one. Confirm before running it standalone.
var linkerHashMap = Java.use('java.util.HashMap');

// Replace HashMap.put with a wrapper that reports every insertion whose key is
// "wua" (value plus Java call stack) and then performs the real put. The
// replacement is set on the class, so it sees puts from all callers, not only
// the request-building code.
linkerHashMap.put.implementation = function (key, value) {
  // NOTE(review): loose == is kept as in the original; the comparison presumably
  // relies on the key being coerced to a string. Confirm before tightening it.
  const isWuaKey = key == "wua";

  if (isWuaKey) {
    console.log("find key: ", value);

    // Print the Java stack to see which code path stored the value.
    const Log = Java.use("android.util.Log");
    const here = Java.use("java.lang.Throwable").$new();
    console.log(Log.getStackTraceString(here));
  }

  // Tracing every put (key and value) was left disabled by the author:
  // console.log("key => ", key, " value => ", value)
  return this.put(key, value);
};
直接 hook
到了,那么我们来分析一下堆栈,有一个可疑的堆栈是 com.yunos.tvtaobao.biz.request.base.BaseMtopRequest.setParamsData
追踪源码:
发现 wua
获取的方法为 Config.getWua(CoreApplication.getApplication()))
,我们再 hook
一下:
// Wrap com.yunos.tv.core.config.Config.getWua: log the context argument, call
// the original method, log what it returned, and pass that value through
// unchanged. The second log line contains the wua value itself.
let Config = Java.use("com.yunos.tv.core.config.Config");

Config.getWua.implementation = function (context) {
  console.log(`Config.getWua is called: context=${context}`);

  const wua = this.getWua(context);

  console.log(`Config.getWua result=${wua}`);
  return wua;
};
继续跟踪得到 wua = SecurityGuardManager.getInstance(context).getSecurityBodyComp().getSecurityBodyDataEx(String.valueOf(System.currentTimeMillis()), getAppKey(), null, null, 0, 0);
,然后点进去再看发现又是一个接口,找了一下还是没有发现实现该接口的代码!
暂时无法分析那就直接配置 RPC
调用吧,调用代码如下:
// rca.rc.tvtaobao
// Cache slot for the InnerSignImpl instance used by getUnifiedSign(); it stays
// undefined until the first successful lookup stores an instance here.
var global_ins;
/**
 * RPC helper: call the app's own Config.getWua with the object returned by
 * CoreApplication.getApplication() and hand the result back to the caller.
 *
 * @returns {*} The value produced by Config.getWua, or "" if the Java.perform
 *   callback did not assign a result before this function returned.
 */
function getWua() {
  let wua = "";

  Java.perform(() => {
    const CoreApplication = Java.use("com.yunos.tv.core.CoreApplication");
    const Config = Java.use("com.yunos.tv.core.config.Config");

    // The application object is passed as the context argument of getWua.
    const app = CoreApplication.getApplication();
    wua = Config.getWua(app);
  });

  return wua;
}
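/**
 * RPC helper: call getUnifiedSign on an InnerSignImpl instance that already
 * exists in the app process and return the result as a string.
 *
 * The instance is looked up once with Java.choose and cached in the file-level
 * `global_ins` variable. The call receives a HashMap holding `data` and a
 * second HashMap holding an empty `pageId`.
 *
 * @param {string} [params=''] - Value stored under the "data" key.
 * @param {string} [appKey="23039499"] - App key passed to getUnifiedSign.
 * @param {string} [authCode=""] - Auth code passed to getUnifiedSign.
 * @param {boolean} [useWua=true] - Passed through as the useWua flag.
 * @returns {string} toString() of the org.json.JSONObject built from the
 *   method's return value, or "" if the Java.perform callback did not assign
 *   a result before this function returned.
 * @throws {Error} If no InnerSignImpl instance is found on the heap.
 */
function getUnifiedSign(params = '', appKey = "23039499", authCode = "", useWua = true) {
  let result = "";

  Java.perform(() => {
    if (global_ins == null) {
      Java.choose("mtopsdk.security.InnerSignImpl", {
        // Called once per instance found in memory; the last one reported wins.
        onMatch(instance) {
          global_ins = instance;
        },
        // Called after all onMatch callbacks have finished; nothing to do.
        onComplete() {},
      });
    }

    // Fail with a clear message instead of a TypeError on the undefined cache
    // slot when the app has not created an InnerSignImpl instance yet.
    if (global_ins == null) {
      throw new Error("no live mtopsdk.security.InnerSignImpl instance found");
    }

    const JavaString = Java.use("java.lang.String");
    const JSONObject = Java.use("org.json.JSONObject");
    const HashMap = Java.use("java.util.HashMap");

    const map = HashMap.$new();
    const ext = HashMap.$new();
    map.put("data", params);
    // The original put "pageId" twice with the same value; one put is kept.
    // NOTE(review): the second put may have been meant for another key; confirm.
    ext.put("pageId", "");

    // Build java.lang.String arguments without reassigning the parameters.
    const javaAppKey = JavaString.$new(appKey);
    const javaAuthCode = JavaString.$new(authCode);

    const signed = global_ins.getUnifiedSign(map, ext, javaAppKey, javaAuthCode, useWua);
    result = JSONObject.$new(signed);
  });

  return result.toString();
}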
// Expose the two helpers over Frida's RPC interface under their own names.
rpc.exports = { getWua, getUnifiedSign };