拼多多anti-token分析

這篇具有很好參考價值的文章主要介紹了拼多多anti-token分析。希望對大家有所幫助。如果存在錯誤或未考慮完全的地方，請大家不吝賜教，您也可以點(diǎn)擊"舉報違法"按鈕提交疑問。

前言：拼多多charles抓包分析發(fā)現(xiàn)跟商品相關(guān)的請求頭里都帶了一個anti-token的字段且每次都不一樣,那么下面的操作就從分析anti-token開始了

1.jadx反編譯直接搜索

拼多多anti-token分析,協(xié)議開發(fā),java,云計(jì)算,c++,c語言,golang,數(shù)據(jù)庫

選中跟http相關(guān)的類對這個方法進(jìn)行打印堆棧

拼多多anti-token分析,協(xié)議開發(fā),java,云計(jì)算,c++,c語言,golang,數(shù)據(jù)庫

結(jié)合堆棧方法調(diào)用的情況找到具體anti-token是由攔截器類f.a方法調(diào)用的,在http.a.c()方法中生成并且http.p.e()方法中加入請求頭

在http.a.c()方法中有個一個判斷條件如果為true則走d.a().e()方法生成anti-token

拼多多anti-token分析,協(xié)議開發(fā),java,云計(jì)算,c++,c語言,golang,數(shù)據(jù)庫

如果為false則走j()方法生成anti-token

拼多多anti-token分析,協(xié)議開發(fā),java,云計(jì)算,c++,c語言,golang,數(shù)據(jù)庫

hook這個i()方法返回值可知獲取商品詳情接口返回值為false所以走的是j()方法進(jìn)行計(jì)算anti-token。

拼多多anti-token分析,協(xié)議開發(fā),java,云計(jì)算,c++,c語言,golang,數(shù)據(jù)庫

SecureNative.deviceInfo3()方法生成,傳入的str為pdd生成的固定id 一個字符串.

拼多多anti-token分析,協(xié)議開發(fā),java,云計(jì)算,c++,c語言,golang,數(shù)據(jù)庫

根據(jù)hook_libart 得到info3()方法是在libodd_secure.so中,那么ida打開看看這個so包

拼多多anti-token分析,協(xié)議開發(fā),java,云計(jì)算,c++,c語言,golang,數(shù)據(jù)庫

2.這部分我們采用unidbg+jnitrace+frida相結(jié)合的方式

unidbg前期準(zhǔn)備的代碼這里就不發(fā)了直接調(diào)用這個info3方法

拼多多anti-token分析,協(xié)議開發(fā),java,云計(jì)算,c++,c語言,golang,數(shù)據(jù)庫

這里提示調(diào)用gad()方法返回一個字符串那么frida hook這個方法拿到這個值如下圖一個固定的字符串

16位長度看著像AES的密鑰?

拼多多anti-token分析,協(xié)議開發(fā),java,云計(jì)算,c++,c語言,golang,數(shù)據(jù)庫

繼續(xù)補(bǔ)環(huán)境這里簡單補(bǔ)環(huán)境就不發(fā)了

拼多多anti-token分析,協(xié)議開發(fā),java,云計(jì)算,c++,c語言,golang,數(shù)據(jù)庫

補(bǔ)完簡單的環(huán)境代碼后,再次運(yùn)行報這個錯誤看錯誤應(yīng)該是缺少文件 ,那么看看日志需要補(bǔ)那個文件

繼續(xù)運(yùn)行,沒有返回值報空指針。execve()函數(shù)執(zhí)行的時候程序exit了這里我們返回對象本身.

拼多多anti-token分析,協(xié)議開發(fā),java,云計(jì)算,c++,c語言,golang,數(shù)據(jù)庫

execve()函數(shù)執(zhí)行的時候程序exit了

拼多多anti-token分析,協(xié)議開發(fā),java,云計(jì)算,c++,c語言,golang,數(shù)據(jù)庫

execve filename=/system/bin/sh, args=[sh, -c, cat /proc/sys/kernel/random/boot_id]

這個函數(shù)相當(dāng)于查看 boot_id這個文件信息

拼多多anti-token分析,協(xié)議開發(fā),java,云計(jì)算,c++,c語言,golang,數(shù)據(jù)庫

捋順下邏輯應(yīng)該就是先fork進(jìn)程然后在子進(jìn)程中讀取這個文件然后把他寫入pip中

那么自定義syscallhandler后再次運(yùn)行成功拿到結(jié)果拼多多anti-token分析,協(xié)議開發(fā),java,云計(jì)算,c++,c語言,golang,數(shù)據(jù)庫

全部代碼如下：

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

package?pdd;

import?com.github.unidbg.AndroidEmulator;

import?com.github.unidbg.Emulator;

import?com.github.unidbg.Module;

import?com.github.unidbg.file.FileResult;

import?com.github.unidbg.file.IOResolver;

import?com.github.unidbg.file.linux.AndroidFileIO;

import?com.github.unidbg.linux.android.AndroidARMEmulator;

import?com.github.unidbg.linux.android.AndroidEmulatorBuilder;

import?com.github.unidbg.linux.android.AndroidResolver;

import?com.github.unidbg.linux.android.dvm.*;

import?com.github.unidbg.linux.file.ByteArrayFileIO;

import?com.github.unidbg.memory.Memory;

import?com.github.unidbg.memory.SvcMemory;

import?com.github.unidbg.spi.SyscallHandler;

import?com.github.unidbg.unix.UnixSyscallHandler;

import?java.io.File;

import?java.nio.charset.StandardCharsets;

import?java.util.ArrayList;

import?java.util.List;

import?java.util.UUID;

public?class?Pddmain?extends?AbstractJni?implements?IOResolver<AndroidFileIO>?{

????private?AndroidEmulator?androidEmulator;

????private?static?final?String?APK_PATH?=?"/Users/Downloads/com.xunmeng.pinduoduo_6.7.0_60700.apk";

????private?static?final?String?SO_PATH?=?"/Users/Downloads/com.xunmeng.pinduoduo_6.7.0_60700/lib/armeabi-v7a/libpdd_secure.so";

????private?Module?moduleModule;

????private?VM?dalvikVM;

????public?static?void?main(String[]?args)?{

????????Pddmain?main?=?new?Pddmain();

????????main.create();

????}

????private?void?create()?{

????????AndroidEmulatorBuilder?androidEmulatorBuilder?=?new?AndroidEmulatorBuilder(false)?{

????????????@Override

????????????public?AndroidEmulator?build()?{

????????????????return?new?AndroidARMEmulator("com.xunmeng.pinduoduo",rootDir,backendFactories)?{

????????????????????@Override

????????????????????protected?UnixSyscallHandler<AndroidFileIO>?createSyscallHandler(SvcMemory?svcMemory)?{

????????????????????????return?new?PddArmSysCallHand(svcMemory);

????????????????????}

????????????????};

????????????}

????????};

????????androidEmulator?=?androidEmulatorBuilder.setProcessName("").build();

????????androidEmulator.getSyscallHandler().addIOResolver(this);

????????Memory?androidEmulatorMemory?=?androidEmulator.getMemory();

????????androidEmulatorMemory.setLibraryResolver(new?AndroidResolver(23));

????????dalvikVM?=?androidEmulator.createDalvikVM(new?File(APK_PATH));

????????DalvikModule?module?=?dalvikVM.loadLibrary(new?File(SO_PATH),?true);

????????moduleModule?=?module.getModule();

????????dalvikVM.setJni(this);

????????dalvikVM.setVerbose(true);

????????dalvikVM.callJNI_OnLoad(androidEmulator,?moduleModule);

????????callInfo3();

????}

????@Override

????public?void?callStaticVoidMethodV(BaseVM?vm,?DvmClass?dvmClass,?String?signature,?VaList?vaList)?{

????????if?("com/tencent/mars/xlog/PLog->i(Ljava/lang/String;Ljava/lang/String;)V".equals(signature))?{

????????????return;

????????}

????????super.callStaticVoidMethodV(vm,?dvmClass,?signature,?vaList);

????}

????private?void?callInfo3()?{

????????List<Object>?argList?=?new?ArrayList<>();

????????argList.add(dalvikVM.getJNIEnv());

????????argList.add(0);

????????DvmObject<?>?context?=?dalvikVM.resolveClass("android/content/Context").newObject(null);

????????argList.add(dalvikVM.addLocalObject(context));

????????argList.add(dalvikVM.addLocalObject(new?StringObject(dalvikVM,?"api/oak/integration/render")));

????????argList.add(dalvikVM.addLocalObject(new?StringObject(dalvikVM,?"dIrjGpkC")));

????????Number?number?=?moduleModule.callFunction(androidEmulator,?0xb6f9,?argList.toArray())[0];

????????String?toString?=?dalvikVM.getObject(number.intValue()).getValue().toString();

????????System.out.println(toString);

????}

????@Override

????public?DvmObject<?>?callStaticObjectMethodV(BaseVM?vm,?DvmClass?dvmClass,?String?signature,?VaList?vaList)?{

????????if?("com/xunmeng/pinduoduo/secure/EU->gad()Ljava/lang/String;".equals(signature))?{

????????????return?new?StringObject(vm,?"cb14a9e76b72a627");

????????}?else?if?("java/util/UUID->randomUUID()Ljava/util/UUID;".equals(signature))?{

????????????UUID?uuid?=?UUID.randomUUID();

????????????DvmObject<?>?dvmObject?=?vm.resolveClass("java/util/UUID").newObject(uuid);

????????????return?dvmObject;

????????}

????????return?super.callStaticObjectMethodV(vm,?dvmClass,?signature,?vaList);

????}

????@Override

????public?DvmObject<?>?callObjectMethodV(BaseVM?vm,?DvmObject<?>?dvmObject,?String?signature,?VaList?vaList)?{

????????if?("java/util/UUID->toString()Ljava/lang/String;".equals(signature))?{

????????????UUID?uuid?=?(UUID)?dvmObject.getValue();

????????????return?new?StringObject(vm,?uuid.toString());

????????}?else?if?("java/lang/String->replaceAll(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;".equals(signature))?{

????????????String?obj?=?dvmObject.getValue().toString();

????????????String?arg0?=?vaList.getObjectArg(0).toString();

????????????String?arg1?=?vaList.getObjectArg(1).toString();

????????????String?replaceAll?=?obj.replaceAll(arg0,?arg1);

????????????return?new?StringObject(vm,?replaceAll);

????????}

????????return?super.callObjectMethodV(vm,?dvmObject,?signature,?vaList);

????}

????@Override

????public?int?callIntMethodV(BaseVM?vm,?DvmObject<?>?dvmObject,?String?signature,?VaList?vaList)?{

????????if?("java/lang/String->hashCode()I".equals(signature))?{

????????????return?dvmObject.getValue().toString().hashCode();

????????}

????????return?super.callIntMethodV(vm,?dvmObject,?signature,?vaList);

????}

????@Override

????public?FileResult<AndroidFileIO>?resolve(Emulator<AndroidFileIO>?emulator,?String?pathname,?int?oflags)?{

????????if?("/proc/stat".equals(pathname))?{

????????????String?info?=?"cpu??15884810?499865?12934024?24971554?59427?3231204?945931?0?0?0\n"?+

????????????????????"cpu0?6702550?170428?5497985?19277857?45380?1821584?529454?0?0?0\n"?+

????????????????????"cpu1?4438333?121907?3285784?1799772?3702?504395?255852?0?0?0\n"?+

????????????????????"cpu2?2735453?133666?2450712?1812564?4626?538114?93763?0?0?0\n"?+

????????????????????"cpu3?2008473?73862?1699542?2081360?5716?367109?66860?0?0?0\n"?+

????????????????????"intr?1022419954?0?0?0?159719900?0?16265892?4846825?5?5?5?6?0?0?497?24817167?17?176595?1352?0?28375276?0?0?0?0?5239?698?0?0?0?0?0?0?3212852?0?12195284?0?0?0?0?0?43?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?12513?2743129?375?12477726?0?0?0?0?37?1351794?0?36?8?0?0?0?0?0?0?5846?0?0?0?0?0?0?0?0?0?141?32?0?55?0?0?0?0?0?0?0?0?18?0?18?0?0?0?0?0?0?66?0?0?0?0?0?0?0?77?0?166?0?0?0?0?0?394?0?0?0?0?0?1339137?0?0?0?0?0?0?313?0?0?0?55759?7?7?7?0?0?0?0?0?0?0?0?3066136?0?47?0?0?0?2?2?0?0?0?6?8?0?0?0?2?0?462?2952327?35420?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?495589?0?0?0?0?3?27?0?0?0?0?0?0?0?0?0?0?0?0?0?0?37662?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?4760?0?0?97?0?0?0?0?0?0?0?0?0?243?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?4649?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?22355451?0?0?0?14?0?24449357?96?49415?2?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?17067?780222?3211?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?2?1?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?1?1?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?1?1?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?649346?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0?0\n"?+

????????????????????"ctxt?1572087931\n"?+

????????????????????"btime?1649910663\n"?+

????????????????????"processes?230673\n"?+

????????????????????"procs_running?6\n"?+

????????????????????"procs_blocked?0\n"?+

????????????????????"softirq?374327567?12481657?139161248?204829?7276312?2275183?26796?12851725?80988196?1422751?117638870";

????????????return?FileResult.success(new?ByteArrayFileIO(oflags,?pathname,?info.getBytes(StandardCharsets.UTF_8)));

????????}

????????return?null;

????}

}文章來源地址http://www.zghlxwxcb.cn/news/detail-689900.html

到了這里，關(guān)于拼多多anti-token分析的文章就介紹完了。如果您還想了解更多內(nèi)容，請?jiān)谟疑辖撬阉鱐OY模板網(wǎng)以前的文章或繼續(xù)瀏覽下面的相關(guān)文章，希望大家以后多多支持TOY模板網(wǎng)！