1. Last time, printing the call stack found the stack for libc's malloc, but on closer inspection every frame was a standard-library call with no call relationship into x音's own libraries, so that lead went cold. After going back and forth, I decided to do it the hard way and work through the method profiling call stacks one by one. The reasoning is simple: every Java-layer execution path triggered by the user's actions was recorded, so the calls that generate the four encrypted fields X-Ladon, X-Gorgon, X-Tyhon and X-Argus must be in there somewhere. So I used objection to hook the functions one by one and inspect each one's arguments, return value and call stack. After hooking over a hundred functions (reverse engineering really is manual labour...), I finally found an opening: hooking com.bytedance.frameworks.baselib.network.http.cronet.impl.g.a printed arguments that contained the four encrypted fields, and the return value contained them too, so this function must be related to the encrypted fields!
(agent) [398162] Called com.bytedance.frameworks.baselib.network.http.cronet.impl.g.a(java.lang.Object, java.lang.Class, java.lang.Object)
(agent) [398162] Backtrace:
  com.bytedance.frameworks.baselib.network.http.cronet.impl.g.a(Native Method)
  com.bytedance.frameworks.baselib.network.http.cronet.impl.g.b(SsCronetHttpClient.java:50856473)
  com.bytedance.frameworks.baselib.network.http.cronet.impl.g.a(SsCronetHttpClient.java)
  com.bytedance.frameworks.baselib.network.http.cronet.impl.g.a(Native Method)
  com.bytedance.frameworks.baselib.network.http.cronet.impl.g.a(SsCronetHttpClient.java:688)
  com.bytedance.frameworks.baselib.network.http.cronet.impl.g.a(Native Method)
  com.bytedance.frameworks.baselib.network.http.cronet.impl.c.execute(CronetSsCall.java:524502)
  com.bytedance.retrofit2.CallServerInterceptor.CallServerInterceptor__executeCall$___twin___(CallServerInterceptor.java:33816611)
  com.bytedance.retrofit2.CallServerInterceptor.com_bytedance_retrofit2_CallServerInterceptor_com_ss_android_ugc_aweme_lancet_network_NetworkUtilsLancet_executeCall(CallServerInterceptor.java:50790551)
  com.bytedance.retrofit2.CallServerInterceptor.executeCall(CallServerInterceptor.java)
  com.bytedance.retrofit2.CallServerInterceptor.CallServerInterceptor__intercept$___twin___(CallServerInterceptor.java:17236171)
  com.bytedance.retrofit2.CallServerInterceptor.com_bytedance_retrofit2_CallServerInterceptor_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_intercept(CallServerInterceptor.java:33882196)
  com.bytedance.retrofit2.CallServerInterceptor.intercept(CallServerInterceptor.java)
  com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566)
  com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785)
  com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java)
  com.ss.android.ugc.aweme.net.monitor.TTNetMonitorInterceptor.a(TTNetMonitorInterceptor.kt:17170528)
  com.ss.android.ugc.aweme.net.monitor.TTNetMonitorInterceptor.intercept(TTNetMonitorInterceptor.kt:17170538)
  com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566)
  com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785)
  com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java)
  com.ss.android.ugc.aweme.net.interceptor.TokenSdkCommonParamsInterceptorTTNet.a(TokenSdkCommonParamsInterceptorTTNet.java:17170588)
  com.ss.android.ugc.aweme.net.interceptor.TokenSdkCommonParamsInterceptorTTNet.intercept(TokenSdkCommonParamsInterceptorTTNet.java:17170538)
  com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566)
  com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785)
  com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java)
  com.bytedance.frameworks.baselib.network.http.retrofit.BaseSsInterceptor.BaseSsInterceptor__intercept$___twin___(BaseSsInterceptor.java:17170534)
  com.bytedance.frameworks.baselib.network.http.retrofit.BaseSsInterceptor.com_bytedance_frameworks_baselib_network_http_retrofit_BaseSsInterceptor_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_intercept(BaseSsInterceptor.java:33882196)
  com.bytedance.frameworks.baselib.network.http.retrofit.BaseSsInterceptor.intercept(BaseSsInterceptor.java)
  com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566)
  com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785)
  com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java)
  com.ss.android.ugc.aweme.net.interceptor.TTNetInitInterceptor.a(TTNetInitInterceptor.java:17039393)
  com.ss.android.ugc.aweme.net.interceptor.TTNetInitInterceptor.intercept(TTNetInitInterceptor.java:17170538)
  com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566)
  com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785)
  com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java)
  com.ss.android.account.token.TTTokenInterceptor.a(TTTokenInterceptor.java:17170567)
  com.ss.android.account.token.TTTokenInterceptor.intercept(TTTokenInterceptor.java:17170538)
  com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566)
  com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785)
  com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java)
  com.ss.android.ugc.aweme.net.interceptor.CommonParamsInterceptorTTNet.a(CommonParamsInterceptorTTNet.java:17170573)
  com.ss.android.ugc.aweme.net.interceptor.CommonParamsInterceptorTTNet.intercept(CommonParamsInterceptorTTNet.java:17170538)
  com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566)
  com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785)
  com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java)
  com.bytedance.apm.ttnet.TTNetSampleInterceptor.a(TTNetSampleInterceptor.java:17105000)
  com.bytedance.apm.ttnet.TTNetSampleInterceptor.intercept(TTNetSampleInterceptor.java:17170538)
  com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566)
  com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785)
  com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java)
  com.ss.android.ugc.aweme.net.interceptor.GlobalParamsAppendInterceptorTTNet.a(GlobalParamsAppendInterceptor.kt:17104997)
  com.ss.android.ugc.aweme.net.interceptor.GlobalParamsAppendInterceptorTTNet.intercept(GlobalParamsAppendInterceptor.kt:17170538)
  com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566)
  com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785)
  com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java)
  com.ss.android.ugc.aweme.lancet.ssretrofitchain.VerifyInterceptor.a(VerifyInterceptor.java:17301552)
  com.ss.android.ugc.aweme.lancet.ssretrofitchain.VerifyInterceptor.intercept(VerifyInterceptor.java:17170538)
  com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566)
  com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785)
  com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java)
  com.bytedance.bdinstall.DeviceInterceptor.a(DeviceInterceptor.java:17170566)
  com.bytedance.bdinstall.DeviceInterceptor.intercept(DeviceInterceptor.java:17170538)
  com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566)
  com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785)
  com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java)
  com.ss.android.ugc.aweme.net.interceptor.UrlTransformInterceptorTTNet.a(UrlTransformInterceptorTTNet.java:17039412)
  com.ss.android.ugc.aweme.net.interceptor.UrlTransformInterceptorTTNet.intercept(UrlTransformInterceptorTTNet.java:17170538)
  com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566)
  com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785)
  com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java)
  com.ss.android.ugc.aweme.utils.SecUidInterceptorTTNet.a(SecUidInterceptorTTNet.java:17170600)
  com.ss.android.ugc.aweme.utils.SecUidInterceptorTTNet.intercept(SecUidInterceptorTTNet.java:17170538)
  com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566)
  com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785)
  com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java)
  com.ss.android.ugc.aweme.net.SyncCommonParameterIntercepter.a(SyncCommonParameterIntercepter.java:17104961)
  com.ss.android.ugc.aweme.net.SyncCommonParameterIntercepter.intercept(SyncCommonParameterIntercepter.java:17170538)
  com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566)
  com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785)
  com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java)
  com.ss.android.ugc.aweme.net.interceptor.DevicesNullInterceptorTTNet.a(DevicesNullInterceptorTTNet.java:17104973)
  com.ss.android.ugc.aweme.net.interceptor.DevicesNullInterceptorTTNet.intercept(DevicesNullInterceptorTTNet.java:17170538)
  com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566)
  com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785)
  com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java)
  com.ss.android.ugc.aweme.net.cache.IesCacheInterceptor.a(IesCacheInterceptor.kt:17104977)
  com.ss.android.ugc.aweme.net.cache.IesCacheInterceptor.intercept(IesCacheInterceptor.kt:17170538)
  com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566)
  com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785)
  com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java)
  com.bytedance.retrofit2.SsHttpCall.getResponseWithInterceptorChain(SsHttpCall.java:327756)
  com.bytedance.retrofit2.SsHttpCall.SsHttpCall__execute$___twin___(SsHttpCall.java:327776)
  com.bytedance.retrofit2.SsHttpCall.com_bytedance_retrofit2_SsHttpCall_com_ss_android_ugc_aweme_lancet_NetIOCheckLancet_execute(SsHttpCall.java:17104937)
  com.bytedance.retrofit2.SsHttpCall.execute(SsHttpCall.java)
  com.bytedance.retrofit2.ExecutorCallAdapterFactory$ExecutorCallbackCall.execute(ExecutorCallAdapterFactory.java:196631)
  com.ss.android.ugc.aweme.account.network.NetworkProxyAccount.sendGetRequest(NetworkProxyAccount.kt:50724975)
  com.ss.android.ugc.aweme.account.network.NetworkProxyAccount.a(NetworkProxyAccount.kt:50790474)
  com.ss.android.ugc.aweme.account.network.b.b.a(TTAccountNetworkImpl.kt:50659364)
  com.bytedance.sdk.account.b.h.d(BaseAccountApi.java:524593)
  com.bytedance.sdk.account.b.h.b(BaseAccountApi.java:393248)
  com.bytedance.sdk.account.b.h$a.run(BaseAccountApi.java:196627)
  com.bytedance.sdk.account.f.a.a.run(ApiDispatcher.java:393319)
(agent) [398162] Arguments com.bytedance.frameworks.baselib.network.http.cronet.impl.g.a({"Accept-Encoding":"gzip, deflate, br","Connection":"keep-alive","Cookie":"passport_csrf_token_default=347247bb8bea022535d3d5845482902a; n_mh=B6WRe0yd-1qIuffF6ZWNO-CSGlW1Q-VhC0E79NrqYTg; sid_guard=2fb96f69aa912bdd050ef5224ffd91a8%7C1622365384%7C5184000%7CThu%2C+29-Jul-2021+09%3A03%3A04+GMT; uid_tt=e4b268e9345c17dc6f022a33eb8f2611; sid_tt=2fb96f69aa912bdd050ef5224ffd91a8; sessionid=2fb96f69aa912bdd050ef5224ffd91a8; multi_sids=95063141447%3A2fb96f69aa912bdd050ef5224ffd91a8; odin_tt=abf9aade25cc87ee3389cc4dc35f9200c567179237e3d4f79743489f4502dd3f32dc4f6eef5d10d4e0cbfdba301b715f302933cba86c38dc6d38f021c9dcf9e5; install_id=3061500213736925; ttreq=1$0acef8b5ba94c2ca8170b47775d18de37dbdc565","Host":"api5-normal-c-hl.amemv.com","User-Agent":"com.ss.android.ugc.aweme/150501 (Linux; U; Android 6.0.1; zh_CN; KIW-AL10; Build/HONORKIW-AL10; Cronet/TTNetVersion:539f4bcf 2021-01-18 QuicVersion:47946d2a 2020-10-14)","X-Argus":"dL63f9K4krgr8/WAfSIFeVfdfEcxLb0IszYsoVzV1+5/iO2yRYjhPTcNpp9D3PjyivcgIe5KYrbCD11veS20EKiNAqOk3bOJzl+L386i+SWzP8rAnbbqxfvkUWtO5Bc0oVLuMQ4MlA77tSKmgN23uBxTq0RgPvcEUxC9H2P9tKCiXcL85uubNM7L1FOAsHAEvNe+83Y341uq5UdMLixTXC5u21bYeHkr7SBBDFEWGQz7WDOfte4Tvq4ZyoIydKGHNlFb3tJUFav8IBrm/Fq3NgLq1WdP5h6eIzPoXKgs1/amjaNItSFY7POOz1qNLD/9fgJbj+f43UFI9kZzssJ8zfVj","X-Gorgon":"0404b8790005f2914fd644447ffb0acf11a197e54adb11afa680","X-Khronos":"1624109469","X-Ladon":"wp8eCaQGfmHoPa38jhEcD+4ADTjDGs0I83D+1lWfekKesKn+","X-SS-DP":"1128","X-SS-REQ-TICKET":"1624109468485","X-Tt-Token":"002fb96f69aa912bdd050ef5224ffd91a802def84c5b02f0add48df81bbcef7d8d248695a4d463f61302ea58cd3af89506e3cb69c984312474340c46d313946455a55d88be251c40ee836a09baa57714a693b60643d129801997b632d408227491a61-1.0.1","X-Tyhon":"iXwqufMrDfPxVRKC1zs/8P8NUvLqKS2QsxUO15g=","passport-sdk-version":"18","sdk-version":"2","x-bd-kmsv":"1","x-tt-dt":"AAAXOAB2XQQBS7CMNLPBK5G7DJDOMPMTU6CLN7633AG2G2APEIYDCWQ3YOZME4NMB4F3XL7PUYWVWZGU37ODXCESIGROP6JJVG7IAIXCEP76TGK6KF7SDTXXAOJKKNIS6B4COMBU34ZZ4DXCL2UAH4Q","x-tt-multi-sids":"95063141447%3A2fb96f69aa912bdd050ef5224ffd91a8","x-tt-trace-id":"00-2477cf7c0990b70ca8484fcd822e0468-2477cf7c0990b70c-01"}, class java.lang.String, )
(agent) [398162] Return Value: {"Accept-Encoding":"gzip, deflate, br","Connection":"keep-alive","Cookie":"passport_csrf_token_default=347247bb8bea022535d3d5845482902a; n_mh=B6WRe0yd-1qIuffF6ZWNO-CSGlW1Q-VhC0E79NrqYTg; sid_guard=2fb96f69aa912bdd050ef5224ffd91a8%7C1622365384%7C5184000%7CThu%2C+29-Jul-2021+09%3A03%3A04+GMT; uid_tt=e4b268e9345c17dc6f022a33eb8f2611; sid_tt=2fb96f69aa912bdd050ef5224ffd91a8; sessionid=2fb96f69aa912bdd050ef5224ffd91a8; multi_sids=95063141447%3A2fb96f69aa912bdd050ef5224ffd91a8; odin_tt=abf9aade25cc87ee3389cc4dc35f9200c567179237e3d4f79743489f4502dd3f32dc4f6eef5d10d4e0cbfdba301b715f302933cba86c38dc6d38f021c9dcf9e5; install_id=3061500213736925; ttreq=1$0acef8b5ba94c2ca8170b47775d18de37dbdc565","Host":"api5-normal-c-hl.amemv.com","User-Agent":"com.ss.android.ugc.aweme/150501 (Linux; U; Android 6.0.1; zh_CN; KIW-AL10; Build/HONORKIW-AL10; Cronet/TTNetVersion:539f4bcf 2021-01-18 QuicVersion:47946d2a 2020-10-14)","X-Argus":"dL63f9K4krgr8/WAfSIFeVfdfEcxLb0IszYsoVzV1+5/iO2yRYjhPTcNpp9D3PjyivcgIe5KYrbCD11veS20EKiNAqOk3bOJzl+L386i+SWzP8rAnbbqxfvkUWtO5Bc0oVLuMQ4MlA77tSKmgN23uBxTq0RgPvcEUxC9H2P9tKCiXcL85uubNM7L1FOAsHAEvNe+83Y341uq5UdMLixTXC5u21bYeHkr7SBBDFEWGQz7WDOfte4Tvq4ZyoIydKGHNlFb3tJUFav8IBrm/Fq3NgLq1WdP5h6eIzPoXKgs1/amjaNItSFY7POOz1qNLD/9fgJbj+f43UFI9kZzssJ8zfVj","X-Gorgon":"0404b8790005f2914fd644447ffb0acf11a197e54adb11afa680","X-Khronos":"1624109469","X-Ladon":"wp8eCaQGfmHoPa38jhEcD+4ADTjDGs0I83D+1lWfekKesKn+","X-SS-DP":"1128","X-SS-REQ-TICKET":"1624109468485","X-Tt-Token":"002fb96f69aa912bdd050ef5224ffd91a802def84c5b02f0add48df81bbcef7d8d248695a4d463f61302ea58cd3af89506e3cb69c984312474340c46d313946455a55d88be251c40ee836a09baa57714a693b60643d129801997b632d408227491a61-1.0.1","X-Tyhon":"iXwqufMrDfPxVRKC1zs/8P8NUvLqKS2QsxUO15g=","passport-sdk-version":"18","sdk-version":"2","x-bd-kmsv":"1","x-tt-dt":"AAAXOAB2XQQBS7CMNLPBK5G7DJDOMPMTU6CLN7633AG2G2APEIYDCWQ3YOZME4NMB4F3XL7PUYWVWZGU37ODXCESIGROP6JJVG7IAIXCEP76TGK6KF7SDTXXAOJKKNIS6B4COMBU34ZZ4DXCL2UAH4Q","x-tt-multi-sids":"95063141447%3A2fb96f69aa912bdd050ef5224ffd91a8","x-tt-trace-id":"00-2477cf7c0990b70ca8484fcd822e0468-2477cf7c0990b70c-01"}
Analysing the call stack shows that several overloads of a are called one after another, so follow that logic: this a overload takes a connection parameter (HttpURLConnection), parses the headers out of it, stores them in an ArrayList and returns it:
public static List a(HttpURLConnection p0) {
    Object[] objectArray;
    Map.Entry mnext;
    String sKey;
    Iterator iiterator1;
    int vi = 1;
    objectArray = new Object[vi];
    objectArray[0] = p0;
    Object object = null;
    // hotfix proxy check inserted by the patch framework; falls through when no patch is active
    PatchProxyResult pproxy = PatchProxy.proxy(objectArray, object, c.a, vi, 112471);
    if (pproxy.isSupported) {
        return (List) pproxy.result;
    }
    if (p0 == null) {   // decompiler printed this as "if (!p0)", which is not valid Java for a reference
        return null;
    }
    ArrayList arrayList = new ArrayList();
    // walk every header field; a multi-valued header becomes one Header entry per value
    Iterator iiterator = p0.getHeaderFields().entrySet().iterator();
    while (iiterator.hasNext()) {
        mnext = (Map.Entry) iiterator.next();
        sKey = (String) mnext.getKey();
        iiterator1 = ((List) mnext.getValue()).iterator();
        while (iiterator1.hasNext()) {
            arrayList.add(new Header(sKey, (String) iiterator1.next()));
        }
    }
    return arrayList;
}
Since this is parsing the headers of an HTTP packet, it is a prime suspect. Looking up its callers in GDA shows it is called from the execute method (which matches the call stack printed above exactly, no surprises there):
A gripe here: I don't know whether x音's people did this deliberately or not, but this key a method is overloaded 25 times, and the printed call stack does not show the arguments, so I could not tell which a was actually being called and had to check them one by one in the source. Very time-consuming!
Continuing the trace: the method com.bytedance.frameworks.baselib.network.http.cronet.impl.g.b calls the a method above, so hook it next:
var G = Java.use('com.bytedance.frameworks.baselib.network.http.cronet.impl.g');
var HttpURLConnection = Java.use('java.net.HttpURLConnection');
var Map = Java.use('java.util.Map');
G.b.overload("java.net.HttpURLConnection", "com.bytedance.frameworks.baselib.network.http.a", "com.bytedance.retrofit2.RetrofitMetrics").implementation = function (arg1, arg2, arg3) {
    send("=================com.bytedance.frameworks.baselib.network.http.cronet.impl.g.b====================");
    var data = this.b(arg1, arg2, arg3);
    // print the Java call stack that led into b
    send(Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Throwable").$new()));
    // dump every header field of the connection passed as the first argument
    var conns = Java.cast(arg1, HttpURLConnection);
    var maps = Java.cast(conns.getHeaderFields(), Map);
    var keySet = maps.keySet();
    var it = keySet.iterator();
    while (it.hasNext()) {
        var keystr = it.next().toString();
        var value = maps.get(keystr).toString();
        send(keystr + "---------" + value);
    }
    return data;
};
The log from printing the first argument: the call stack matches the earlier hook on a, and the arguments were printed too, but still none of the four key fields:
[*] =================com.bytedance.frameworks.baselib.network.http.cronet.impl.g.b====================
[*] java.lang.Throwable
  at com.bytedance.frameworks.baselib.network.http.cronet.impl.g.b(Native Method)
  at com.bytedance.frameworks.baselib.network.http.cronet.impl.g.a(SsCronetHttpClient.java)
  at com.bytedance.frameworks.baselib.network.http.cronet.impl.g.a(SsCronetHttpClient.java:688)
  at com.bytedance.frameworks.baselib.network.http.cronet.impl.c.execute(CronetSsCall.java:524502)
  at com.bytedance.retrofit2.CallServerInterceptor.CallServerInterceptor__executeCall$___twin___(CallServerInterceptor.java:33816611)
  at com.bytedance.retrofit2.CallServerInterceptor.com_bytedance_retrofit2_CallServerInterceptor_com_ss_android_ugc_aweme_lancet_network_NetworkUtilsLancet_executeCall(CallServerInterceptor.java:50790551)
  at com.bytedance.retrofit2.CallServerInterceptor.executeCall(CallServerInterceptor.java)
  at com.bytedance.retrofit2.CallServerInterceptor.CallServerInterceptor__intercept$___twin___(CallServerInterceptor.java:17236171)
  at com.bytedance.retrofit2.CallServerInterceptor.com_bytedance_retrofit2_CallServerInterceptor_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_intercept(CallServerInterceptor.java:33882196)
  at com.bytedance.retrofit2.CallServerInterceptor.intercept(CallServerInterceptor.java)
  at com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566)
  at com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785)
  at com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java)
  at com.ss.android.ugc.aweme.net.monitor.TTNetMonitorInterceptor.a(TTNetMonitorInterceptor.kt:17170528)
  at com.ss.android.ugc.aweme.net.monitor.TTNetMonitorInterceptor.intercept(TTNetMonitorInterceptor.kt:17170538)
  at com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566)
  at com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785)
  at com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java)
  at com.ss.android.ugc.aweme.net.interceptor.TokenSdkCommonParamsInterceptorTTNet.a(TokenSdkCommonParamsInterceptorTTNet.java:17170588)
  at com.ss.android.ugc.aweme.net.interceptor.TokenSdkCommonParamsInterceptorTTNet.intercept(TokenSdkCommonParamsInterceptorTTNet.java:17170538)
  at com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566)
  at com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785)
  at com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java)
  at com.bytedance.frameworks.baselib.network.http.retrofit.BaseSsInterceptor.BaseSsInterceptor__intercept$___twin___(BaseSsInterceptor.java:17170534)
  at com.bytedance.frameworks.baselib.network.http.retrofit.BaseSsInterceptor.com_bytedance_frameworks_baselib_network_http_retrofit_BaseSsInterceptor_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_intercept(BaseSsInterceptor.java:33882196)
  at com.bytedance.frameworks.baselib.network.http.retrofit.BaseSsInterceptor.intercept(BaseSsInterceptor.java)
  at com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566)
  at com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785)
  at com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java)
  at com.ss.android.ugc.aweme.net.interceptor.TTNetInitInterceptor.a(TTNetInitInterceptor.java:17039393)
  at com.ss.android.ugc.aweme.net.interceptor.TTNetInitInterceptor.intercept(TTNetInitInterceptor.java:17170538)
  at com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566)
  at com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785)
  at com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java)
  at com.ss.android.account.token.TTTokenInterceptor.a(TTTokenInterceptor.java:17170567)
  at com.ss.android.account.token.TTTokenInterceptor.intercept(TTTokenInterceptor.java:17170538)
  at com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566)
  at com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785)
  at com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java)
  at com.ss.android.ugc.aweme.net.interceptor.CommonParamsInterceptorTTNet.a(CommonParamsInterceptorTTNet.java:17170573)
  at com.ss.android.ugc.aweme.net.interceptor.CommonParamsInterceptorTTNet.intercept(CommonParamsInterceptorTTNet.java:17170538)
  at com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566)
  at com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785)
  at com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java)
  at com.bytedance.apm.ttnet.TTNetSampleInterceptor.a(TTNetSampleInterceptor.java:17105000)
  at com.bytedance.apm.ttnet.TTNetSampleInterceptor.intercept(TTNetSampleInterceptor.java:17170538)
  at com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566)
  at com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785)
  at com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java)
  at com.ss.android.ugc.aweme.net.interceptor.GlobalParamsAppendInterceptorTTNet.a(GlobalParamsAppendInterceptor.kt:17104997)
  at com.ss.android.ugc.aweme.net.interceptor.GlobalParamsAppendInterceptorTTNet.intercept(GlobalParamsAppendInterceptor.kt:17170538)
[*] access-control-expose-headers---------[tt-idc-switch]
[*] content-length---------[74]
[*] content-type---------[application/x-protobuf]
[*] date---------[Sat, 26 Jun 2021 11:50:26 GMT]
[*] eagleid---------[b68317a516247082263773295e]
[*] server---------[Tengine]
[*] server-timing---------[inner; dur=12, cdn-cache;desc=MISS,edge;dur=0,origin;dur=52]
[*] status---------[200]
[*] timing-allow-origin---------[*]
[*] tt-idc-switch---------[10000@20210622154328]
[*] via---------[vcache17.cn1929[52,0]]
[*] x-janus-mini-api-forward---------[Janus-Mini(fast)]
[*] x-net-info.remoteaddr---------[182.131.23.239:443]
[*] x-tt-logid---------[202106261950260101511510510F4ECCF1]
[*] x-tt-trace-host---------[01bdedeff83f2d6787af9902c14163b80034333ad6c80ed2a6b851827ee6b9cb2a3d2816e5a085f9a513c90d43e8d56122773fea0355ff04d9ad0070c0c5ea4d84ac1a94e8e7df40d802d924d79fce9ed0be64d511e290ca9d97f48274e48a0378]
[*] x-tt-trace-id---------[00-48281e7f0990b70ca848ea5ccc610468-48281e7f0990b70c-01]
[*] x-tt-trace-tag---------[id=03;cdn-cache=miss;type=dyn]
Here is the odd part: b calls a, and a's argument carries the key fields, but b's arguments do not, which means the four key fields are produced inside b. Looking at how b calls a, the code is as follows: the values passed to a are pulled out of a LinkedHashMap. So can we hook LinkedHashMap and see what happens?
if (g.d != null) {
    LinkedHashMap linkedHashMa = new LinkedHashMap();
    g.d.getRequestMetrics(p0, linkedHashMa);
    if (!linkedHashMa.isEmpty()) {
        p1.b = g.a(linkedHashMa.get("remote_ip"), String.class, str);
        p1.k = g.a(linkedHashMa.get("dns_time"), Long.class, Long.valueOf(-1)).longValue();
        p1.l = g.a(linkedHashMa.get("connect_time"), Long.class, Long.valueOf(-1)).longValue();
        p1.m = g.a(linkedHashMa.get("ssl_time"), Long.class, Long.valueOf(-1)).longValue();
        p1.n = g.a(linkedHashMa.get("send_time"), Long.class, Long.valueOf(-1)).longValue();
        Object oget = linkedHashMa.get("push_time");
        p1.o = g.a(oget, Long.class, Long.valueOf(-1)).longValue();
        p1.p = g.a(linkedHashMa.get("receive_time"), Long.class, Long.valueOf(-1)).longValue();
        p1.q = g.a(linkedHashMa.get("socket_reused"), Boolean.class, Boolean.FALSE).booleanValue();
        p1.r = g.a(linkedHashMa.get("ttfb"), Long.class, Long.valueOf(-1)).longValue();
        p1.s = g.a(linkedHashMa.get("total_time"), Long.class, Long.valueOf(-1)).longValue();
        Long lOf = Long.valueOf(-1);
        p1.t = g.a(linkedHashMa.get("send_byte_count"), Long.class, lOf).longValue();
        p1.u = g.a(linkedHashMa.get("received_byte_count"), Long.class, Long.valueOf(-1)).longValue();
        p1.y = g.a(linkedHashMa.get("request_log"), String.class, str);
        p1.v = g.a(linkedHashMa.get("retry_attempts"), Long.class, Long.valueOf(-1)).longValue();
        p1.B = g.a(linkedHashMa.get("request_headers"), String.class, str);
        p1.C = g.a(linkedHashMa.get("response_headers"), String.class, str);
        long lValue = g.a(linkedHashMa.get("post_task_start"), Long.class, Long.valueOf(-1)).longValue();
        p1.E = lValue;
        p1.D = g.a(linkedHashMa.get("request_start"), Long.class, Long.valueOf(-1)).longValue();
        p1.F = g.a(linkedHashMa.get("wait_ctx"), Long.class, Long.valueOf(-1)).longValue();
    }
}
Hook code: hook LinkedHashMap's put method to see where these four fields get put in:
var linkerHashMap = Java.use('java.util.LinkedHashMap');
linkerHashMap.put.implementation = function (arg1, arg2) {
    send("=================linkerHashMap.put====================");
    var data = this.put(arg1, arg2);
    // print the key/value pair being stored and the stack that stored it
    send(arg1 + "-----" + arg2);
    send(Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Throwable").$new()));
    /*var keySet=this.entrySet();
    var it=keySet.iterator();
    while(it.hasNext()){
        var keystr=it.next().toString();
        var value=this.get(keystr).toString();
        send(keystr+"---------"+value);
    }*/
    return data;
}
And there it was: put's two arguments were anchor_id and requestHeader, and the request header once again carried the four key fields! This time the call chain is also short, only 8 of x音's own methods, so this could serve as an entry point too!
[*] =================linkerHashMap.put====================
[*] anchor_id-----
[*] requestHeader-----{"Accept-Encoding":"gzip, deflate, br","Connection":"keep-alive","Cookie":"passport_csrf_token_default=347247bb8bea022535d3d5845482902a; n_mh=B6WRe0yd-1qIuffF6ZWNO-CSGlW1Q-VhC0E79NrqYTg; multi_sids=95063141447%3A2fb96f69aa912bdd050ef5224ffd91a8; odin_tt=abf9aade25cc87ee3389cc4dc35f9200c567179237e3d4f79743489f4502dd3f32dc4f6eef5d10d4e0cbfdba301b715f302933cba86c38dc6d38f021c9dcf9e5; uid_tt=e4b268e9345c17dc6f022a33eb8f2611; sid_tt=2fb96f69aa912bdd050ef5224ffd91a8; sessionid=2fb96f69aa912bdd050ef5224ffd91a8; sid_guard=2fb96f69aa912bdd050ef5224ffd91a8%7C1624704024%7C5184000%7CWed%2C+25-Aug-2021+10%3A40%3A24+GMT; install_id=3061500213736925; ttreq=1$0acef8b5ba94c2ca8170b47775d18de37dbdc565","Host":"api3-normal-c-hl.amemv.com","User-Agent":"com.ss.android.ugc.aweme/150501 (Linux; U; Android 6.0.1; zh_CN; KIW-AL10; Build/HONORKIW-AL10; Cronet/TTNetVersion:539f4bcf 2021-01-18 QuicVersion:47946d2a 2020-10-14)","X-Argus":"LMCny8r76r2XCL7OVkZ+mF5J5EWYW2mkjg+SX1xzpoQLLxq9iZY8GqNVD62Ho+yXztnsxCsv+/dcv+s/pT90iFGaR4KagcmXuhRZ87VqQnrhrqC+fVg5E6VGEdC78UwxXdc3paOaAT8VWZDsEL991prze6pK4MV2SGyUoSscz6xoaQvLlaswo4s4KfTKg/5NGnJOTI2nTaP4Lj6bmauZ161aekCebwm0evCpS7qiQStwzAtS8aAbo70LpJZIL7148eoEZbyVqzaDwGt+f3KLH8lTw5RGQh/+OVBRvTjf3LadkZrTSnziaHv2MrW0q/i6gPb8a5YL4oxQGL1K1/hxdqXT","X-Gorgon":"040410c4000039d311f507646d56ed8b9ed49804b96f58574e54","X-Khronos":"1624715497","X-Ladon":"zekAT73tChQ3unJOCVvBOSiso6RWwYTizaH8gd/zdZXBsMh0","X-SS-DP":"1128","X-SS-REQ-TICKET":"1624715497073","X-Tt-Token":"002fb96f69aa912bdd050ef5224ffd91a802e4321d198de0d1a3194067d529cc52050c6b753f0a1c71e9225ad278c4dc6b6205baccc1361f2a35e0d468a3a2d8f256c058c7e690a94aadfa717ad0a0dd2c6035d135be816044efcfc3fc3c9553c9cf6-1.0.1","X-Tyhon":"QE8Nf6CNAm3A6npuoat4TuOLIRGkkD967b0PEb8=","passport-sdk-version":"18","sdk-version":"2","x-bd-kmsv":"1","x-common-params-v2":"aid=1128&app_name=aweme&app_type=normal&cdid=26d986b9-5ef5-4c5d-acb3-8901740e80e4&channel=xiaomi&device_brand=HONOR&device_id=38846646916&device_platform=android&device_type=KIW-AL10&dpi=480&iid=3061500213736925&language=zh&manifest_version_code=150501&openudid=ce387d9d8c8008d7&os_api=23&os_version=6.0.1&resolution=1080*1776&ssmix=a&update_version_code=15509900&uuid=860709034302591&version_code=150500&version_name=15.5.0","x-tt-dt":"AAASQMBZL62AG5YQGHSRITTNU25H2Q7Z34GY4L3K2BKFMRGLUKSSBZMTOQDTDJCX6E4OOZ7RQZY4YE3A55BHQOTBLMERJ6AAA7P4KP2C6X65ZQHQ5OLWN6ON23JXO2EHBJPPBHAVVB5YK2MSLIM2HMI","x-tt-trace-id":"00-489712070990b70ca8427f20a4b20468-489712070990b70c-01"}
[*] java.lang.Throwable
  at java.util.HashMap.put(Native Method)
  at com.ss.android.ugc.aweme.at.d.a(BaseMetricsEvent.java:50855968)
  at com.ss.android.ugc.aweme.at.bd.a(VideoPlayFinishEvent.java:524314)
  at com.ss.android.ugc.aweme.at.d.d(BaseMetricsEvent.java:196628)
  at com.ss.android.ugc.aweme.at.d.e(BaseMetricsEvent.java:327697)
  at com.ss.android.ugc.aweme.feed.controller.c.a(DouyinPlayerController.java:34210466)
  at com.ss.android.ugc.aweme.feed.controller.c.a(DouyinPlayerController.java:471)
  at com.ss.android.ugc.aweme.feed.controller.t.e(PlayerController.java:17170549)
  at com.ss.android.ugc.aweme.player.sdk.b.f$2$15.run(SimplifyPlayerImpl.java:196631)
  at android.os.Handler.handleCallback(Handler.java:743)
  at android.os.Handler.dispatchMessage(Handler.java:95)
  at android.os.Looper.loop(Looper.java:150)
  at android.app.ActivityThread.main(ActivityThread.java:5621)
  at java.lang.reflect.Method.invoke(Native Method)
  at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:794)
  at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:684)
Continuing along the first lead, I found the call here: Response response1 = new Response(sUrl, ia, object.b.getResponseMessage(), c.a(object.b), result). The 4th argument, c.a(object.b), calls the a method to parse the headers, which means the headers have already been fully assembled at this point; the thing to trace closely is how object.b is obtained! (This execute method also calls other overloads of g.a several times, so this should be confirmed as the place where the GET packet is sent.)
    try {
        int ia = g.a(object.f, object.b);
        object.c.g = System.currentTimeMillis();
        object.c.j = -1;
        object.e = g.a(object.b, object.c, ia);
        object.m = g.a(object.b, "Content-Type");
        if (object.f.isResponseStreaming()) {
            byte vb = ((sa = g.a(object.b, "Content-Encoding")) != null && "gzip".equalsIgnoreCase(sa)) ? 1 : 0;
            if (c.l != null && c.l.isCronetHttpURLConnection(object.b)) {
                vb = 0;
            }
            if (ia < 200 || ia < 300 || g.a(object.c)) {
                HttpURLConnection b = object.b;
                objectArray1 = new Object[2];
                objectArray1[vi] = b;
                objectArray1[vi1] = Byte.valueOf(vb);
                PatchProxyResult pproxy1 = PatchProxy.proxy(objectArray1, object, c.a, vi, 112469);
                if (pproxy1.isSupported) {
                    Object result = pproxy1.result;
                } else if (b == null) {
                    label_010a:
                    Response response1 = new Response(sUrl, ia, object.b.getResponseMessage(), c.a(object.b), result);
                    v3.setExtraInfo(object.c);
                    if (!object.f.isResponseStreaming()) {
                        g.a(object.b);
                    }
                    if (!object.f.isResponseStreaming() && vi2) {
                        e.b().d();
                    }
                    return v3;
                } else if (!b.getContentLength()) {
                    this.cancel();
                    goto label_010a;
                } else {
                    c$1 u1 = new c$1(object, b, vb);
                    goto label_010a;
                }
            }
A side note here: the key class com.bytedance.frameworks.baselib.network.http.cronet.impl.g.a imports the JSONObject class. On reflection that makes sense: with this many fields, a JSON string is the most convenient way to organise them. So I immediately hooked that class's put and toString methods; the code is as follows:
    var JSONObject = Java.use('org.json.JSONObject');
    var Log = Java.use('android.util.Log');
    var Throwable = Java.use('java.lang.Throwable');

    // toString(): log who serialised the object and what came out
    JSONObject.toString.overload().implementation = function () {
        send("=================org.json.JSONObject.toString====================");
        send(Log.getStackTraceString(Throwable.$new()));
        var data = this.toString();
        send("org.json.JSONObject.toString result:" + data);
        return data;
    };

    // put(String, *): every overload takes (key, value). Capture each overload in its
    // own closure and call it directly, so the hook does not re-dispatch through
    // this.put() and log the same call twice.
    JSONObject.put.overloads.forEach(function (overload) {
        overload.implementation = function (key, value) {
            send("=================org.json.JSONObject.put====================");
            send(Log.getStackTraceString(Throwable.$new()));
            send("key:" + key);
            send("value:" + value);
            return overload.call(this, key, value);
        };
    });
The result was disappointing: plenty of X- prefixed fields turned up (X-SS-DP, X-SS-REQ-TICKET, X-Tt-Token, x-tt-dt, etc.), but none of the four: X-Ladon, X-Gorgon, X-Tyhon and X-Argus were all absent! This tells us something else: the app's developers anticipated that this spot could be intercepted, so these 4 fields are most likely generated and assembled in the so (native) layer and only then handed up to the Java layer. Clever, really clever! What's more, when testing on a real phone and on an emulator, the function calls traced were actually different; my guess is that each gets its own processing flow. Impressive once again!
So far I have hooked a great many Java-layer methods and printed the key fields, but I still have not found which so generates them. That means the earlier approach was flawed, and I need to sort out my thinking again!
2. We often hear about dynamic loading of so libraries; that is easy to understand, you just call System.loadLibrary. But have you heard of dynamically loading a dex? The code that generates these 4 encrypted fields cannot be found, so it must have been deliberately hidden (a correct but useless statement)! To hide that code even better, could it also have been loaded dynamically? Since every earlier line of search has failed, the only option left is to try this approach as a last resort!
I went to the /data/data/com.ss.android.ugc.aweme directory, which holds a lot of the app's temporary runtime data; going through it folder by folder, I found an app_dex directory, as follows:
This directory actually contains a dex, which is odd: why isn't this dex inside the APK? Why does it appear here? Anything out of the ordinary is suspicious! Pulling this dex out, I found a method in it that loads so libraries!
So I hooked this method and found that the earliest libraries it loads are these two: libsscronet.so and libmetasec_ml.so! What makes these two suspicious:
- They are loaded noticeably earlier than the other so files! Remember: these 4 key fields are part of the server-side verification, and every request the client sends must carry them! If the code were loaded too late there would be no time to compute them, and the client's requests could not carry these key fields!
- In the call stack some classes are named preload, i.e. loaded in advance! This shows these two so files are deliberately loaded early!
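A dex that turns up outside the APK, as the one in app_dex above does, is worth checking for integrity before it is trusted or analysed: the DEX header carries an Adler-32 checksum and a SHA-1 signature over the rest of the file, so a defender auditing dynamically loaded code can tell whether the file on disk has been patched after it was built. The following is an added example, not code from the post or from the app; it builds a constructed header-only dex (assumed sample input, not taken from any real app), then parses and verifies the header fields the way the DEX format specifies.

```python
import hashlib
import struct
import zlib

DEX_HEADER_SIZE = 0x70          # fixed header size for every DEX version
DEX_MAGIC_PREFIX = b"dex\n"      # followed by three ASCII version digits and a NUL
ENDIAN_CONSTANT = 0x12345678     # value of endian_tag in a little-endian DEX

# (name, offset) of the u4 fields that follow the signature, per the DEX format
_HEADER_FIELDS = [
    ("file_size", 32), ("header_size", 36), ("endian_tag", 40),
    ("link_size", 44), ("link_off", 48), ("map_off", 52),
    ("string_ids_size", 56), ("string_ids_off", 60),
    ("type_ids_size", 64), ("type_ids_off", 68),
    ("proto_ids_size", 72), ("proto_ids_off", 76),
    ("field_ids_size", 80), ("field_ids_off", 84),
    ("method_ids_size", 88), ("method_ids_off", 92),
    ("class_defs_size", 96), ("class_defs_off", 100),
    ("data_size", 104), ("data_off", 108),
]


def build_sample_dex(version=b"035", class_defs_size=3):
    """Constructed sample: a header-only DEX with a correct signature and checksum.
    It is not taken from any real app; it exists only to feed the checker below."""
    buf = bytearray(DEX_HEADER_SIZE)
    buf[0:8] = DEX_MAGIC_PREFIX + version + b"\x00"
    struct.pack_into("<I", buf, 32, DEX_HEADER_SIZE)      # file_size
    struct.pack_into("<I", buf, 36, DEX_HEADER_SIZE)      # header_size
    struct.pack_into("<I", buf, 40, ENDIAN_CONSTANT)      # endian_tag
    struct.pack_into("<I", buf, 96, class_defs_size)      # class_defs_size
    # signature = SHA-1 over everything after the signature field itself
    buf[12:32] = hashlib.sha1(buf[32:]).digest()
    # checksum = Adler-32 over everything after the checksum field (signature included)
    struct.pack_into("<I", buf, 8, zlib.adler32(bytes(buf[12:])) & 0xFFFFFFFF)
    return bytes(buf)


def inspect_dex(data):
    """Parse a DEX header and verify its integrity fields.
    Returns the parsed fields, a list of findings, and an overall 'ok' flag."""
    findings = []
    if len(data) < DEX_HEADER_SIZE:
        return {"ok": False, "findings": ["shorter than a DEX header"], "fields": {}}

    magic = data[0:8]
    if magic[:4] != DEX_MAGIC_PREFIX or magic[7:8] != b"\x00":
        findings.append("bad magic: %r" % magic)
    version = magic[4:7].decode("ascii", "replace")

    fields = {name: struct.unpack_from("<I", data, off)[0] for name, off in _HEADER_FIELDS}
    fields["version"] = version

    if fields["header_size"] != DEX_HEADER_SIZE:
        findings.append("unexpected header_size 0x%x" % fields["header_size"])
    if fields["endian_tag"] != ENDIAN_CONSTANT:
        findings.append("endian_tag 0x%08x is not the little-endian constant" % fields["endian_tag"])
    if fields["file_size"] != len(data):
        findings.append("file_size %d != actual length %d" % (fields["file_size"], len(data)))

    # every *_off must point inside the file, or the table it names is unreadable
    for name, value in fields.items():
        if name.endswith("_off") and value > len(data):
            findings.append("%s 0x%x lies beyond end of file" % (name, value))

    stored_checksum = struct.unpack_from("<I", data, 8)[0]
    fields["checksum_ok"] = stored_checksum == (zlib.adler32(data[12:]) & 0xFFFFFFFF)
    fields["signature_ok"] = data[12:32] == hashlib.sha1(data[32:]).digest()
    if not fields["checksum_ok"]:
        findings.append("Adler-32 checksum mismatch: file modified after it was built")
    if not fields["signature_ok"]:
        findings.append("SHA-1 signature mismatch: file modified after it was built")

    return {"ok": not findings, "findings": findings, "fields": fields}


if __name__ == "__main__":
    good = build_sample_dex()
    report = inspect_dex(good)
    print("intact sample:", report["ok"], report["fields"]["class_defs_size"], "class_defs")
    tampered = bytearray(good)
    tampered[96] ^= 0xFF        # flip class_defs_size, as a patched dex would
    print("tampered sample:", inspect_dex(bytes(tampered))["findings"])
```

To use it on a file pulled from a device, read the bytes and pass them to inspect_dex; the counts in fields (method_ids_size, class_defs_size and so on) give a quick sense of how much code the dex carries, and a checksum or signature mismatch shows the file was altered after the build that produced its header.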
(1) First I opened metasec_ml. JNI_OnLoad was easy to find; pressing F5 to view the decompiled source produced this message:
Stepping into the function, the push at the start plus the space reserved for locals occupy 0x108 bytes:
By the time the function ends there is not a single pop instruction; the stack isn't even balanced!
I wondered whether anti-IDA code had been deliberately compiled in (that is, a packer)? If so, it would have to be restored at runtime, so I went on to dump this so from memory and opened it in IDA again, but it still errored: the so file's header had been destroyed (one of the common anti-debugging tricks on Windows used to be wiping the DLL's header after loading it; I didn't expect to run into it here as well)!
It looks like static analysis is a dead end, so next I'll continue with dynamic debugging, or Frida hooks, to see what the key functions, their parameters and their return values actually are!
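The "header destroyed" error above is what a wiped ELF header looks like from IDA's side; the same condition can be checked programmatically, which is useful when comparing an on-disk library against a memory dump, or when triaging many dumps at once. The following is an added example, not code from the post or from the app: it builds a constructed minimal ELF64 AArch64 shared object (assumed sample input, not a real library), simulates the header wipe the post describes, and parses the ELF header to report whether the magic, class, header size and program-header table are still consistent with the image.

```python
import struct

ELF_MAGIC = b"\x7fELF"
EHDR64_SIZE = 64
PHDR64_SIZE = 56
EM_AARCH64 = 183      # e_machine for 64-bit ARM
ET_DYN = 3            # shared object
PT_LOAD = 1

_EHDR_FMT = "<HHIQQQIHHHHHH"    # e_type .. e_shstrndx, after the 16-byte e_ident
_EHDR_NAMES = ["e_type", "e_machine", "e_version", "e_entry", "e_phoff", "e_shoff",
               "e_flags", "e_ehsize", "e_phentsize", "e_phnum",
               "e_shentsize", "e_shnum", "e_shstrndx"]
_PHDR_FMT = "<IIQQQQQQ"         # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align


def build_sample_so(image_size=0x1000):
    """Constructed sample: a minimal ELF64 little-endian AArch64 shared object with one
    PT_LOAD segment and no section table. Not a real library; it only feeds the checker."""
    ehdr = bytearray(EHDR64_SIZE)
    ehdr[0:4] = ELF_MAGIC
    ehdr[4] = 2            # EI_CLASS: ELFCLASS64
    ehdr[5] = 1            # EI_DATA: little-endian
    ehdr[6] = 1            # EI_VERSION: EV_CURRENT
    struct.pack_into(_EHDR_FMT, ehdr, 16,
                     ET_DYN, EM_AARCH64, 1,                # e_type, e_machine, e_version
                     0, EHDR64_SIZE, 0,                    # e_entry, e_phoff, e_shoff
                     0, EHDR64_SIZE, PHDR64_SIZE, 1,       # e_flags, e_ehsize, e_phentsize, e_phnum
                     0, 0, 0)                              # e_shentsize, e_shnum, e_shstrndx
    phdr = struct.pack(_PHDR_FMT, PT_LOAD, 5, 0, 0, 0, image_size, image_size, 0x1000)
    image = bytes(ehdr) + phdr
    return image + b"\x00" * (image_size - len(image))


def wipe_elf_header(image):
    """Simulate the anti-dump trick described in the post: the library zeroes its own
    ELF header once loaded, so a memory dump no longer identifies as ELF."""
    return b"\x00" * EHDR64_SIZE + image[EHDR64_SIZE:]


def inspect_elf(data):
    """Parse an ELF64 header and report whether it is still internally consistent."""
    findings = []
    if len(data) < EHDR64_SIZE:
        return {"ok": False, "findings": ["shorter than an ELF64 header"], "fields": {}}
    if data[0:4] != ELF_MAGIC:
        findings.append("ELF magic missing: header wiped, or this is not an ELF image")
        return {"ok": False, "findings": findings, "fields": {}}
    if data[4] != 2:
        return {"ok": False, "findings": ["not ELFCLASS64 (EI_CLASS=%d)" % data[4]], "fields": {}}
    if data[5] != 1:
        findings.append("not little-endian (EI_DATA=%d)" % data[5])
    if data[6] != 1:
        findings.append("EI_VERSION=%d is not EV_CURRENT" % data[6])

    fields = dict(zip(_EHDR_NAMES, struct.unpack_from(_EHDR_FMT, data, 16)))
    if fields["e_ehsize"] != EHDR64_SIZE:
        findings.append("e_ehsize %d != %d" % (fields["e_ehsize"], EHDR64_SIZE))
    if fields["e_phentsize"] != PHDR64_SIZE:
        findings.append("e_phentsize %d != %d" % (fields["e_phentsize"], PHDR64_SIZE))
    # the program header table is what the loader walks first; it must fit in the image
    ph_end = fields["e_phoff"] + fields["e_phnum"] * fields["e_phentsize"]
    if fields["e_phnum"] == 0 or ph_end > len(data):
        findings.append("program header table missing or beyond end of image")
    # a section table is optional (dumps usually lack one) but must fit if declared
    if fields["e_shnum"]:
        sh_end = fields["e_shoff"] + fields["e_shnum"] * fields["e_shentsize"]
        if sh_end > len(data):
            findings.append("section header table beyond end of image")

    segments = []
    if not findings:
        for i in range(fields["e_phnum"]):
            p = struct.unpack_from(_PHDR_FMT, data, fields["e_phoff"] + i * PHDR64_SIZE)
            segments.append({"type": p[0], "flags": p[1], "offset": p[2],
                             "vaddr": p[3], "filesz": p[5], "memsz": p[6]})
    fields["segments"] = segments
    return {"ok": not findings, "findings": findings, "fields": fields}


if __name__ == "__main__":
    intact = build_sample_so()
    print("intact:", inspect_elf(intact)["ok"], inspect_elf(intact)["fields"]["segments"])
    print("wiped:", inspect_elf(wipe_elf_header(intact))["findings"])
```

Run against a real dump, a "magic missing" finding on the memory image while the on-disk copy parses cleanly is exactly the header-wiping behaviour the post ran into, and the segment list from the on-disk copy tells you which file ranges the loader mapped.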
(2) libsscronet.so: it imports a large number of network APIs, presumably used for sending and receiving data!
References:
1. https://www.jianshu.com/p/ca5117e1a0a1 Implementing dynamic loading of dex, res and so on Android