3.1 淘宝 TV

环境准备

rca.rc.tvtaobao==9.1.1

抓包

抓包没有什么限制,打开 postern 就可以抓到包,很简单,发现加密参数还蛮多的。

curl -H "x-sgext: JAGQn136Ur5wUbxOiiJpb5%2Bhr6Gvp7yhraamobylrw%3D%3D" -H "x-bx-version: 6.5.23" -H "f-refer: mtop" -H "x-ttid: 2016060315%40tvtaobao_android_9.1.1" -H "x-app-ver: 9.1.1" -H "x-sign: azQTJB003xAAL0Psbcg2OkMderywz0PvQ%2FfMuXybwOQQoQPy61vwI1WLY8cknGF11U%2FyVtus%2FDgwpYfjE9YHqJHYkn9D30PvQ99D70" -H "x-c-traceid: Y%2FWIAQz9vSMDAFudGh6vu27P16770452860320050112691" -H "x-nettype: WIFI" -H "x-pv: 6.3" -H "x-nq: WIFI" -H "x-features: 27" -H "x-app-conf-v: 0" -H "x-umt: NOQB2otLPMFmQgKGdzIpqWoLG5mEO%2F13" -H "x-mini-wua: HHnB_K9l9td82gO9%2B1Cfa%2FBhKlMjRW8psK2QoBziGlT%2F14M9Msf7AT0lN6Ne2o5lAdxcjO0W9%2Btl0Y4d5iYTQV1BCrILnfq1riMcsTOuMNRNtqKdNFJgNdtZy5haZjGVFgNmYb09y81VwtZAHXa7ZHoND5w%3D%3D" -H "x-utdid: Y%2FWIAQz9vSMDAFudGh6vu27P" -H "x-appkey: 23039499" -H "content-type: application/x-www-form-urlencoded;charset=UTF-8" -H "x-devid: Aga6nIecbED0H3CuX91_GEQIBoSfmVX_gZraLQOXMoMb" -H "x-t: 1677045286" -H "user-agent: MTOPSDK%2F3.1.1.7+%28Android%3B8.1.0%3BHuawei%3BNexus+6P%29" -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -H "Host: acs.m.taobao.com" --data-binary 
"wua=QnR0_myt0XBlt3hSpcMv4FKoJl5DetGPLFPhC034ALNtIWK26szdAKf9cLLhCDXn9htrYoVoy0A%2FrigDIaLrUvd%2F%2B9GYtmDwRf94RbdXNBEtzrzXCU2%2Fg5fda%2FB26OpVXAyK4kDoF5pqKW7Pwu5vPHCbzq0IY5oR2OOvP9C1hpY0E%2BeyXKD4agbMBfgimk8Blf56uFfHDRonG%2FR4Ir2H%2Be00ACdv4vQbnVYDIub2PFNruCBkjay00Pt%2BrM%2FZPCspY6BHPdrUB1EBIDidT4iJy7fruBmIlT%2BiwitT%2FAqnpBmMKojjMvhBkFVhRuwmFw%2FQeDoliQdW4TkLfXXOWbpXz2oovB%2FmFXkILsPBmiYy%2FmZh77wtfHVxMaW51HBfrkkC1fKcdpw0W9cdfX1s4rfWssU7Mdu1vATsBeP%2F%2FFEoPKwHhl6w%3D&data=%7B%22extParams%22%3A%22%7B%5C%22uuid%5C%22%3A%5C%2232CF0BD8B69435E2FAADECD2CCD0D3FC%5C%22%2C%5C%22wua%5C%22%3A%5C%22QnR0_Wka58eaCnHe%2Brn4Gp3e42etJGnfjuF6mJVPSDV5NzQKg%5C%5C%2FH8WGWuynqAIgKPTdJRS1RLlO%5C%5C%2F4ymHhxb8t0ObJsHLpncDJAwp32uVfv3Imap0Yljnd54zKeY6xTn9qIca6Ca3xNCCUA0WbRggp0YO0s1TsJf5nGhZS7%2BHhffDh0lg4ds21W42hyeWfR5wR3y0tOZlhxIgL1QUMbuNpcJSu3p6I2kQq2b101gaqwHAB65czXsup7YfHPtC4JHy%5C%5C%2FYnQ1pP9HJB9%2BaNUT%2BjR51KBxHB5%2BTe9ExLj5koOnZUgcWdQOviXGdlNxj0WUL36Yc7CUt%2BUb1ubTbRdDqbo%2BGBmxHkdYgTbkfIRaFjitjZBDu59hV7v2MbMWJHKOBAEYb8ZEHR05wYXtixAr%2BoJamSPyrTgj7uUNDkYkDfqtBKRMWuGA%3D%5C%22%2C%5C%22utdid%5C%22%3A%5C%22Y%5C%5C%2FWIAQz9vSMDAFudGh6vu27P%5C%22%2C%5C%22umtoken%5C%22%3A%5C%22NOQB2otLPMFmQgKGdzIpqWoLG5mEO%5C%5C%2F13%5C%22%2C%5C%22zpDid%5C%22%3A%5C%22umid_WV600015d63f4261320212cb68347706c%5C%22%2C%5C%22augurZpUid%5C%22%3A%5C%2224377532673%5C%22%2C%5C%22versionName%5C%22%3A%5C%229.1.1%5C%22%2C%5C%22appkey%5C%22%3A%5C%222016060315%5C%22%2C%5C%22isSimulator%5C%22%3Afalse%2C%5C%22subkey%5C%22%3A%5C%22%5C%22%2C%5C%22userAgent%5C%22%3A%5C%22android+8.1.0%5C%22%2C%5C%22mac%5C%22%3A%5C%22MAC020000000000%5C%22%2C%5C%22platform%5C%22%3A%5C%22APK%5C%22%2C%5C%22sdkVersion%5C%22%3A%5C%225.6.56%5C%22%7D%22%2C%22pageSize%22%3A%2220%22%2C%22sellerId%22%3A%222211979812785%22%2C%22shopId%22%3A%22235172504%22%2C%22pageNo%22%3A%221%22%2C%22categoryId%22%3A%221605234263%22%7D" --compressed "https://acs.m.taobao.com/gw/mtop.taobao.tvtao.shop.queryshopitem/1.0/"
image-20230222135537890

逆向分析

先用 jadx 逆向 app,直接搜索关键参数 x-sign, 发现只有 5 个

image-20230222135755151

点进去逐个分析,发现了疑似加密的地方

image-20230222135922577

在这个文件中我们还发现了好几个加签方法,猜测这里就是加密(加签)的地方了!

image-20230222140332479

为了验证一下,我们先使用 frida hook 一下 getUnifiedSign ,代码如下:

// rca.rc.tvtaobao

function main() {
    Java.perform(() => {
        const signImpl = Java.use("mtopsdk.security.InnerSignImpl");

        /**
         * Logging wrapper around InnerSignImpl.getUnifiedSign: prints every
         * argument, the value returned by the original method and the Java
         * call stack at the time of the call, then returns the original
         * value so the caller sees no difference.
         */
        signImpl.getUnifiedSign.implementation = function (params, ext, appKey, authCode, useWua) {
            console.log("****************************mtopsdk.security.InnerSignImpl.getUnifiedSign***************");

            const labelledArgs = [
                ["params=>", params],
                ["ext=>", ext],
                ["appKey=>", appKey],
                ["authCode=>", authCode],
                ["useWua=>", useWua],
            ];
            for (const [label, value] of labelledArgs) {
                // "+" concatenation is kept so each value is stringified as in a plain log line.
                console.log(label + value);
            }

            // Inside an implementation, calling the method on `this` runs the original.
            const ret = this.getUnifiedSign(params, ext, appKey, authCode, useWua);
            console.log('ret=>' + ret);

            // Render a fresh Throwable through android.util.Log to see who called the signer.
            const AndroidLog = Java.use("android.util.Log");
            const trace = AndroidLog.getStackTraceString(Java.use("java.lang.Throwable").$new());
            console.log(trace);

            return ret;
        };
    });
}


// Install the hooks two seconds after the script is loaded.
const HOOK_DELAY_MS = 2000;
setTimeout(main, HOOK_DELAY_MS);
image-20230222163519589

发现这里确实就是加密入口!顺着源码跟下去,就找到了实际的加密入口:

image-20230222163803408

但是当我们点进去 getSecurityFactors 里面却发现仅仅是一个接口,所以我们看看是否有实现这个接口的类!发现没有实现的地方,所以猜测是动态加载的!

image-20230222163948088

加密的 data 里面看起来像一个 json ,里面还有一个 wua, 那就先不管,先 hook 一下 hashMap 看看,代码如下:

  // Hook java.util.HashMap.put to see where the "wua" entry gets stored.
  var linkerHashMap = Java.use('java.util.HashMap');

  // Replace put with a wrapper that logs only the "wua" key.
  linkerHashMap.put.implementation = function (key, value) {
    // Loose equality is kept on purpose: key may arrive as a Java object
    // wrapper rather than a JS string — TODO confirm.
    const isWuaEntry = key == "wua";
    if (isWuaEntry) {
      console.log("find key: ", value);
      // Print the Java call stack of whoever stored the value.
      const AndroidLog = Java.use("android.util.Log");
      console.log(AndroidLog.getStackTraceString(Java.use("java.lang.Throwable").$new()));
    }

    // Always forward to the original put so the map behaves as before.
    return this.put(key, value);
  };

直接 hook 到了,那么我们来分析一下堆栈,有一个可疑的堆栈是 com.yunos.tvtaobao.biz.request.base.BaseMtopRequest.setParamsData

image-20230222173344450

追踪源码:

image-20230222173457449

发现 wua 获取的方法为 Config.getWua(CoreApplication.getApplication()),我们再 hook 一下:

// Wrap Config.getWua so that every call logs its argument and its return
// value; the original result is passed through unchanged.
const Config = Java.use("com.yunos.tv.core.config.Config");
Config.getWua.implementation = function (context) {
    console.log(`Config.getWua is called: context=${context}`);
    // Calling the method on `this` inside the implementation runs the original.
    const wua = this.getWua(context);
    console.log(`Config.getWua result=${wua}`);
    return wua;
};
image-20230222173622581

继续跟踪得到 `wua = SecurityGuardManager.getInstance(context).getSecurityBodyComp().getSecurityBodyDataEx(String.valueOf(System.currentTimeMillis()), getAppKey(), null, null, 0, 0);`。点进去再看,发现又是一个接口,找了一下同样没有发现实现这个接口的代码!

RPC

既然暂时无法静态分析出算法,那就直接配置 RPC,在 App 进程内调用原有的方法。这也说明:只要能在设备上注入,签名逻辑即使放在动态加载的组件里也能被原样调用,服务端不宜仅凭 x-sign 有效就认定请求来自未被篡改的客户端。调用代码如下:

// rca.rc.tvtaobao

// Cache for the InnerSignImpl instance; filled in by getUnifiedSign on first use.
var global_ins;


/**
 * RPC helper: asks the app's own Config.getWua for a wua value, passing it
 * the application object returned by CoreApplication.getApplication().
 *
 * @returns the value produced by Config.getWua, or "" if the Java.perform
 *   callback has not run by the time this function returns.
 */
function getWua() {
    let wua = "";

    Java.perform(() => {
        const CoreApplication = Java.use("com.yunos.tv.core.CoreApplication");
        const Config = Java.use("com.yunos.tv.core.config.Config");
        wua = Config.getWua(CoreApplication.getApplication());
    });

    return wua;
}

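/**
 * RPC helper: calls getUnifiedSign on a live mtopsdk.security.InnerSignImpl
 * instance found on the Java heap and returns the result as text.
 *
 * The instance is looked up with Java.choose on first use and cached in the
 * file-level `global_ins`; when several instances exist, the last one
 * reported by onMatch is the one kept.
 *
 * @param {string} [params=''] value stored under the "data" key of the first map argument
 * @param {string} [appKey="23039499"] app key handed to the signer
 * @param {string} [authCode=""] auth code handed to the signer
 * @param {boolean} [useWua=true] passed through to the signer unchanged
 * @returns {string} toString() of a JSONObject built from the signer's return
 *   value, or "" if the Java.perform callback did not run before returning
 * @throws {Error} when no InnerSignImpl instance can be found
 */
function getUnifiedSign(params = '', appKey = "23039499", authCode = "", useWua = true) {
    let result = "";
    Java.perform(() => {
        if (global_ins == null) {
            Java.choose("mtopsdk.security.InnerSignImpl", {
                // Called once per live instance found; each match overwrites the cache.
                onMatch(instance) {
                    global_ins = instance;
                },
                // Called after all onMatch callbacks have finished; nothing to do here.
                onComplete() {},
            });
        }

        // Fail with a clear message instead of a TypeError on `undefined`.
        if (global_ins == null) {
            throw new Error("no live mtopsdk.security.InnerSignImpl instance found");
        }

        const JavaString = Java.use("java.lang.String");
        const JSONObject = Java.use("org.json.JSONObject");
        const HashMap = Java.use("java.util.HashMap");

        const map = HashMap.$new();
        map.put("data", params);

        // The original stored "pageId" twice with the same value; once is enough.
        const ext = HashMap.$new();
        ext.put("pageId", "");

        // Fresh locals are used instead of reassigning the parameters.
        const appKeyStr = JavaString.$new(appKey);
        const authCodeStr = JavaString.$new(authCode);

        const signed = global_ins.getUnifiedSign(map, ext, appKeyStr, authCodeStr, useWua);
        result = JSONObject.$new(signed);
    });

    return result.toString();
}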


// Expose both helpers to the Frida RPC client under their own names.
rpc.exports = { getWua, getUnifiedSign };
