1、上次用打印堆栈的方法找到了libc中malloc函数的调用堆栈,仔细一看都是标准库的调用,没找到x音自己库的调用关系,这条线索自此又断了!想来想去,还是老老实实根据method profiling的调用栈挨个查找吧!原因很简单:因为用户操作的所有java层执行逻辑都被记录了,这里肯定有生成X-Ladon、X-Gorgon、X-Tyhon、X-Argus这4个加密字段的调用,于时就用objection挨个hook,查看这些函数的参数、返回值和调用栈。在hook了上百个函数之后(逆向也是个体力活......),终于找到了突破口:hook 这个函数com.bytedance.frameworks.baselib.network.http.cronet.impl.g.a时,打印的参数包含了4个加密字段,返回值也包含了,说明这个函数肯定和加密字段有关系!
(agent) [398162] Called com.bytedance.frameworks.baselib.network.http.cronet.impl.g.a(java.lang.Object, java.lang.Class, java.lang.Object) (agent) [398162] Backtrace: com.bytedance.frameworks.baselib.network.http.cronet.impl.g.a(Native Method) com.bytedance.frameworks.baselib.network.http.cronet.impl.g.b(SsCronetHttpClient.java:50856473) com.bytedance.frameworks.baselib.network.http.cronet.impl.g.a(SsCronetHttpClient.java) com.bytedance.frameworks.baselib.network.http.cronet.impl.g.a(Native Method) com.bytedance.frameworks.baselib.network.http.cronet.impl.g.a(SsCronetHttpClient.java:688) com.bytedance.frameworks.baselib.network.http.cronet.impl.g.a(Native Method) com.bytedance.frameworks.baselib.network.http.cronet.impl.c.execute(CronetSsCall.java:524502) com.bytedance.retrofit2.CallServerInterceptor.CallServerInterceptor__executeCall$___twin___(CallServerInterceptor.java:33816611) com.bytedance.retrofit2.CallServerInterceptor.com_bytedance_retrofit2_CallServerInterceptor_com_ss_android_ugc_aweme_lancet_network_NetworkUtilsLancet_executeCall(CallServerInterceptor.java:50790551) com.bytedance.retrofit2.CallServerInterceptor.executeCall(CallServerInterceptor.java) com.bytedance.retrofit2.CallServerInterceptor.CallServerInterceptor__intercept$___twin___(CallServerInterceptor.java:17236171) com.bytedance.retrofit2.CallServerInterceptor.com_bytedance_retrofit2_CallServerInterceptor_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_intercept(CallServerInterceptor.java:33882196) com.bytedance.retrofit2.CallServerInterceptor.intercept(CallServerInterceptor.java) com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566) com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785) com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java) com.ss.android.ugc.aweme.net.monitor.TTNetMonitorInterceptor.a(TTNetMonitorInterceptor.kt:17170528) com.ss.android.ugc.aweme.net.monitor.TTNetMonitorInterceptor.intercept(TTNetMonitorInterceptor.kt:17170538) com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566) com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785) com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java) com.ss.android.ugc.aweme.net.interceptor.TokenSdkCommonParamsInterceptorTTNet.a(TokenSdkCommonParamsInterceptorTTNet.java:17170588) com.ss.android.ugc.aweme.net.interceptor.TokenSdkCommonParamsInterceptorTTNet.intercept(TokenSdkCommonParamsInterceptorTTNet.java:17170538) com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566) com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785) com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java) com.bytedance.frameworks.baselib.network.http.retrofit.BaseSsInterceptor.BaseSsInterceptor__intercept$___twin___(BaseSsInterceptor.java:17170534) com.bytedance.frameworks.baselib.network.http.retrofit.BaseSsInterceptor.com_bytedance_frameworks_baselib_network_http_retrofit_BaseSsInterceptor_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_intercept(BaseSsInterceptor.java:33882196) com.bytedance.frameworks.baselib.network.http.retrofit.BaseSsInterceptor.intercept(BaseSsInterceptor.java) com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566) com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785) com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java) com.ss.android.ugc.aweme.net.interceptor.TTNetInitInterceptor.a(TTNetInitInterceptor.java:17039393) com.ss.android.ugc.aweme.net.interceptor.TTNetInitInterceptor.intercept(TTNetInitInterceptor.java:17170538) com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566) com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785) com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java) com.ss.android.account.token.TTTokenInterceptor.a(TTTokenInterceptor.java:17170567) com.ss.android.account.token.TTTokenInterceptor.intercept(TTTokenInterceptor.java:17170538) com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566) com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785) com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java) com.ss.android.ugc.aweme.net.interceptor.CommonParamsInterceptorTTNet.a(CommonParamsInterceptorTTNet.java:17170573) com.ss.android.ugc.aweme.net.interceptor.CommonParamsInterceptorTTNet.intercept(CommonParamsInterceptorTTNet.java:17170538) com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566) com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785) com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java) com.bytedance.apm.ttnet.TTNetSampleInterceptor.a(TTNetSampleInterceptor.java:17105000) com.bytedance.apm.ttnet.TTNetSampleInterceptor.intercept(TTNetSampleInterceptor.java:17170538) com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566) com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785) com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java) com.ss.android.ugc.aweme.net.interceptor.GlobalParamsAppendInterceptorTTNet.a(GlobalParamsAppendInterceptor.kt:17104997) com.ss.android.ugc.aweme.net.interceptor.GlobalParamsAppendInterceptorTTNet.intercept(GlobalParamsAppendInterceptor.kt:17170538) com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566) com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785) com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java) com.ss.android.ugc.aweme.lancet.ssretrofitchain.VerifyInterceptor.a(VerifyInterceptor.java:17301552) com.ss.android.ugc.aweme.lancet.ssretrofitchain.VerifyInterceptor.intercept(VerifyInterceptor.java:17170538) com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566) com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785) com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java) com.bytedance.bdinstall.DeviceInterceptor.a(DeviceInterceptor.java:17170566) com.bytedance.bdinstall.DeviceInterceptor.intercept(DeviceInterceptor.java:17170538) com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566) com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785) com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java) com.ss.android.ugc.aweme.net.interceptor.UrlTransformInterceptorTTNet.a(UrlTransformInterceptorTTNet.java:17039412) com.ss.android.ugc.aweme.net.interceptor.UrlTransformInterceptorTTNet.intercept(UrlTransformInterceptorTTNet.java:17170538) com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566) com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785) com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java) com.ss.android.ugc.aweme.utils.SecUidInterceptorTTNet.a(SecUidInterceptorTTNet.java:17170600) com.ss.android.ugc.aweme.utils.SecUidInterceptorTTNet.intercept(SecUidInterceptorTTNet.java:17170538) com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566) com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785) com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java) com.ss.android.ugc.aweme.net.SyncCommonParameterIntercepter.a(SyncCommonParameterIntercepter.java:17104961) com.ss.android.ugc.aweme.net.SyncCommonParameterIntercepter.intercept(SyncCommonParameterIntercepter.java:17170538) com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566) com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785) com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java) com.ss.android.ugc.aweme.net.interceptor.DevicesNullInterceptorTTNet.a(DevicesNullInterceptorTTNet.java:17104973) com.ss.android.ugc.aweme.net.interceptor.DevicesNullInterceptorTTNet.intercept(DevicesNullInterceptorTTNet.java:17170538) com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566) com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785) com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java) com.ss.android.ugc.aweme.net.cache.IesCacheInterceptor.a(IesCacheInterceptor.kt:17104977) com.ss.android.ugc.aweme.net.cache.IesCacheInterceptor.intercept(IesCacheInterceptor.kt:17170538) com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566) com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785) com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java) com.bytedance.retrofit2.SsHttpCall.getResponseWithInterceptorChain(SsHttpCall.java:327756) com.bytedance.retrofit2.SsHttpCall.SsHttpCall__execute$___twin___(SsHttpCall.java:327776) com.bytedance.retrofit2.SsHttpCall.com_bytedance_retrofit2_SsHttpCall_com_ss_android_ugc_aweme_lancet_NetIOCheckLancet_execute(SsHttpCall.java:17104937) com.bytedance.retrofit2.SsHttpCall.execute(SsHttpCall.java) com.bytedance.retrofit2.ExecutorCallAdapterFactory$ExecutorCallbackCall.execute(ExecutorCallAdapterFactory.java:196631) com.ss.android.ugc.aweme.account.network.NetworkProxyAccount.sendGetRequest(NetworkProxyAccount.kt:50724975) com.ss.android.ugc.aweme.account.network.NetworkProxyAccount.a(NetworkProxyAccount.kt:50790474) com.ss.android.ugc.aweme.account.network.b.b.a(TTAccountNetworkImpl.kt:50659364) com.bytedance.sdk.account.b.h.d(BaseAccountApi.java:524593) com.bytedance.sdk.account.b.h.b(BaseAccountApi.java:393248) com.bytedance.sdk.account.b.h$a.run(BaseAccountApi.java:196627) com.bytedance.sdk.account.f.a.a.run(ApiDispatcher.java:393319) (agent) [398162] Arguments com.bytedance.frameworks.baselib.network.http.cronet.impl.g.a({"Accept-Encoding":"gzip, deflate, br","Connection":"keep-alive","Cookie":"passport_csrf_token_default=347247bb8bea022535d3d5845482902a; n_mh=B6WRe0yd-1qIuffF6ZWNO-CSGlW1Q-VhC0E79NrqYTg; sid_guard=2fb96f69aa912bdd050ef5224ffd91a8%7C1622365384%7C5184000%7CThu%2C+29-Jul-2021+09%3A03%3A04+GMT; uid_tt=e4b268e9345c17dc6f022a33eb8f2611; sid_tt=2fb96f69aa912bdd050ef5224ffd91a8; sessionid=2fb96f69aa912bdd050ef5224ffd91a8; multi_sids=95063141447%3A2fb96f69aa912bdd050ef5224ffd91a8; odin_tt=abf9aade25cc87ee3389cc4dc35f9200c567179237e3d4f79743489f4502dd3f32dc4f6eef5d10d4e0cbfdba301b715f302933cba86c38dc6d38f021c9dcf9e5; install_id=3061500213736925; ttreq=1$0acef8b5ba94c2ca8170b47775d18de37dbdc565","Host":"api5-normal-c-hl.amemv.com","User-Agent":"com.ss.android.ugc.aweme/150501 (Linux; U; Android 6.0.1; zh_CN; KIW-AL10; Build/HONORKIW-AL10; Cronet/TTNetVersion:539f4bcf 2021-01-18 QuicVersion:47946d2a 2020-10-14)","X-Argus":"dL63f9K4krgr8/WAfSIFeVfdfEcxLb0IszYsoVzV1+5/iO2yRYjhPTcNpp9D3PjyivcgIe5KYrbCD11veS20EKiNAqOk3bOJzl+L386i+SWzP8rAnbbqxfvkUWtO5Bc0oVLuMQ4MlA77tSKmgN23uBxTq0RgPvcEUxC9H2P9tKCiXcL85uubNM7L1FOAsHAEvNe+83Y341uq5UdMLixTXC5u21bYeHkr7SBBDFEWGQz7WDOfte4Tvq4ZyoIydKGHNlFb3tJUFav8IBrm/Fq3NgLq1WdP5h6eIzPoXKgs1/amjaNItSFY7POOz1qNLD/9fgJbj+f43UFI9kZzssJ8zfVj","X-Gorgon":"0404b8790005f2914fd644447ffb0acf11a197e54adb11afa680","X-Khronos":"1624109469","X-Ladon":"wp8eCaQGfmHoPa38jhEcD+4ADTjDGs0I83D+1lWfekKesKn+","X-SS-DP":"1128","X-SS-REQ-TICKET":"1624109468485","X-Tt-Token":"002fb96f69aa912bdd050ef5224ffd91a802def84c5b02f0add48df81bbcef7d8d248695a4d463f61302ea58cd3af89506e3cb69c984312474340c46d313946455a55d88be251c40ee836a09baa57714a693b60643d129801997b632d408227491a61-1.0.1","X-Tyhon":"iXwqufMrDfPxVRKC1zs/8P8NUvLqKS2QsxUO15g=","passport-sdk-version":"18","sdk-version":"2","x-bd-kmsv":"1","x-tt-dt":"AAAXOAB2XQQBS7CMNLPBK5G7DJDOMPMTU6CLN7633AG2G2APEIYDCWQ3YOZME4NMB4F3XL7PUYWVWZGU37ODXCESIGROP6JJVG7IAIXCEP76TGK6KF7SDTXXAOJKKNIS6B4COMBU34ZZ4DXCL2UAH4Q","x-tt-multi-sids":"95063141447%3A2fb96f69aa912bdd050ef5224ffd91a8","x-tt-trace-id":"00-2477cf7c0990b70ca8484fcd822e0468-2477cf7c0990b70c-01"}, class java.lang.String, ) (agent) [398162] Return Value: {"Accept-Encoding":"gzip, deflate, br","Connection":"keep-alive","Cookie":"passport_csrf_token_default=347247bb8bea022535d3d5845482902a; n_mh=B6WRe0yd-1qIuffF6ZWNO-CSGlW1Q-VhC0E79NrqYTg; sid_guard=2fb96f69aa912bdd050ef5224ffd91a8%7C1622365384%7C5184000%7CThu%2C+29-Jul-2021+09%3A03%3A04+GMT; uid_tt=e4b268e9345c17dc6f022a33eb8f2611; sid_tt=2fb96f69aa912bdd050ef5224ffd91a8; sessionid=2fb96f69aa912bdd050ef5224ffd91a8; multi_sids=95063141447%3A2fb96f69aa912bdd050ef5224ffd91a8; odin_tt=abf9aade25cc87ee3389cc4dc35f9200c567179237e3d4f79743489f4502dd3f32dc4f6eef5d10d4e0cbfdba301b715f302933cba86c38dc6d38f021c9dcf9e5; install_id=3061500213736925; ttreq=1$0acef8b5ba94c2ca8170b47775d18de37dbdc565","Host":"api5-normal-c-hl.amemv.com","User-Agent":"com.ss.android.ugc.aweme/150501 (Linux; U; Android 6.0.1; zh_CN; KIW-AL10; Build/HONORKIW-AL10; Cronet/TTNetVersion:539f4bcf 2021-01-18 QuicVersion:47946d2a 2020-10-14)","X-Argus":"dL63f9K4krgr8/WAfSIFeVfdfEcxLb0IszYsoVzV1+5/iO2yRYjhPTcNpp9D3PjyivcgIe5KYrbCD11veS20EKiNAqOk3bOJzl+L386i+SWzP8rAnbbqxfvkUWtO5Bc0oVLuMQ4MlA77tSKmgN23uBxTq0RgPvcEUxC9H2P9tKCiXcL85uubNM7L1FOAsHAEvNe+83Y341uq5UdMLixTXC5u21bYeHkr7SBBDFEWGQz7WDOfte4Tvq4ZyoIydKGHNlFb3tJUFav8IBrm/Fq3NgLq1WdP5h6eIzPoXKgs1/amjaNItSFY7POOz1qNLD/9fgJbj+f43UFI9kZzssJ8zfVj","X-Gorgon":"0404b8790005f2914fd644447ffb0acf11a197e54adb11afa680","X-Khronos":"1624109469","X-Ladon":"wp8eCaQGfmHoPa38jhEcD+4ADTjDGs0I83D+1lWfekKesKn+","X-SS-DP":"1128","X-SS-REQ-TICKET":"1624109468485","X-Tt-Token":"002fb96f69aa912bdd050ef5224ffd91a802def84c5b02f0add48df81bbcef7d8d248695a4d463f61302ea58cd3af89506e3cb69c984312474340c46d313946455a55d88be251c40ee836a09baa57714a693b60643d129801997b632d408227491a61-1.0.1","X-Tyhon":"iXwqufMrDfPxVRKC1zs/8P8NUvLqKS2QsxUO15g=","passport-sdk-version":"18","sdk-version":"2","x-bd-kmsv":"1","x-tt-dt":"AAAXOAB2XQQBS7CMNLPBK5G7DJDOMPMTU6CLN7633AG2G2APEIYDCWQ3YOZME4NMB4F3XL7PUYWVWZGU37ODXCESIGROP6JJVG7IAIXCEP76TGK6KF7SDTXXAOJKKNIS6B4COMBU34ZZ4DXCL2UAH4Q","x-tt-multi-sids":"95063141447%3A2fb96f69aa912bdd050ef5224ffd91a8","x-tt-trace-id":"00-2477cf7c0990b70ca8484fcd822e0468-2477cf7c0990b70c-01"}
根据调用栈分析,好几个重载的a函数都依次被调用了,顺着这个逻辑继续分析:这个a函数传入了colletion参数,然后开始从这个参数解析header,存放在arraylist后返回;
public static List a(HttpURLConnection p0){ Object[] objectArray; Map$Entry mnext; String sKey; Iterator iiterator1; int vi = 1; objectArray = new Object[vi]; objectArray[0] = p0; Object object = null; PatchProxyResult pproxy = PatchProxy.proxy(objectArray, object, c.a, vi, 112471); if (pproxy.isSupported) { return pproxy.result; } if (!p0) { return object; } ArrayList arrayList = new ArrayList(); Iterator iiterator = p0.getHeaderFields().entrySet().iterator(); while (iiterator.hasNext()) { mnext = iiterator.next(); sKey = mnext.getKey(); iiterator1 = mnext.getValue().iterator(); while (iiterator1.hasNext()) { arrayList.add(new Header(sKey, iiterator1.next())); } } return arrayList; }
这里既然都在解析http包的header了,有重大嫌疑;用GDA查看调用,发现在execute方法中有调用(和上面调用堆栈打印的完全吻合,没毛病):
这里吐个槽:不知道x音的人员是有意还是无意的:这个关键的a方法被重载了25次,打印调用堆栈时又无法看到这些函数的参数,导致我没法确认到底调用的是哪个a,只能挨个去源代码查,相当费时!
继续跟踪:com.bytedance.frameworks.baselib.network.http.cronet.impl.g.b这个方法调用了上述的a方法,继续hook:
var G=Java.use(\'com.bytedance.frameworks.baselib.network.http.cronet.impl.g\'); var HttpURLConnection=Java.use(\'java.net.HttpURLConnection\'); var Map=Java.use(\'java.util.Map\'); G.b.overload("java.net.HttpURLConnection", "com.bytedance.frameworks.baselib.network.http.a", "com.bytedance.retrofit2.RetrofitMetrics").implementation = function(arg1,arg2,arg3){ send("=================com.bytedance.frameworks.baselib.network.http.cronet.impl.g.b===================="); var data=this.b(arg1,arg2,arg3); send(Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Throwable").$new())); var conns=Java.cast(arg1,HttpURLConnection); var maps=Java.cast(conns.getHeaderFields(),Map); var keySet=maps.keySet(); var it=keySet.iterator(); while(it.hasNext()){ var keystr=it.next().toString(); var value=maps.get(keystr).toString(); send(keystr+"---------"+value); } return data;
打印第一个参数发现的日志:调用堆栈和之前hook a方法是吻合的,参数也也打印了,还是没有那4个关键的字段;
[*] =================com.bytedance.frameworks.baselib.network.http.cronet.impl.g.b==================== [*] java.lang.Throwable at com.bytedance.frameworks.baselib.network.http.cronet.impl.g.b(Native Method) at com.bytedance.frameworks.baselib.network.http.cronet.impl.g.a(SsCronetHttpClient.java) at com.bytedance.frameworks.baselib.network.http.cronet.impl.g.a(SsCronetHttpClient.java:688) at com.bytedance.frameworks.baselib.network.http.cronet.impl.c.execute(CronetSsCall.java:524502) at com.bytedance.retrofit2.CallServerInterceptor.CallServerInterceptor__executeCall$___twin___(CallServerInterceptor.java:33816611) at com.bytedance.retrofit2.CallServerInterceptor.com_bytedance_retrofit2_CallServerInterceptor_com_ss_android_ugc_aweme_lancet_network_NetworkUtilsLancet_executeCall(CallServerInterceptor.java:50790551) at com.bytedance.retrofit2.CallServerInterceptor.executeCall(CallServerInterceptor.java) at com.bytedance.retrofit2.CallServerInterceptor.CallServerInterceptor__intercept$___twin___(CallServerInterceptor.java:17236171) at com.bytedance.retrofit2.CallServerInterceptor.com_bytedance_retrofit2_CallServerInterceptor_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_intercept(CallServerInterceptor.java:33882196) at com.bytedance.retrofit2.CallServerInterceptor.intercept(CallServerInterceptor.java) at com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566) at com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785) at com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java) at com.ss.android.ugc.aweme.net.monitor.TTNetMonitorInterceptor.a(TTNetMonitorInterceptor.kt:17170528) at com.ss.android.ugc.aweme.net.monitor.TTNetMonitorInterceptor.intercept(TTNetMonitorInterceptor.kt:17170538) at com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566) at com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785) at com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java) at com.ss.android.ugc.aweme.net.interceptor.TokenSdkCommonParamsInterceptorTTNet.a(TokenSdkCommonParamsInterceptorTTNet.java:17170588) at com.ss.android.ugc.aweme.net.interceptor.TokenSdkCommonParamsInterceptorTTNet.intercept(TokenSdkCommonParamsInterceptorTTNet.java:17170538) at com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566) at com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785) at com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java) at com.bytedance.frameworks.baselib.network.http.retrofit.BaseSsInterceptor.BaseSsInterceptor__intercept$___twin___(BaseSsInterceptor.java:17170534) at com.bytedance.frameworks.baselib.network.http.retrofit.BaseSsInterceptor.com_bytedance_frameworks_baselib_network_http_retrofit_BaseSsInterceptor_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_intercept(BaseSsInterceptor.java:33882196) at com.bytedance.frameworks.baselib.network.http.retrofit.BaseSsInterceptor.intercept(BaseSsInterceptor.java) at com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566) at com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785) at com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java) at com.ss.android.ugc.aweme.net.interceptor.TTNetInitInterceptor.a(TTNetInitInterceptor.java:17039393) at com.ss.android.ugc.aweme.net.interceptor.TTNetInitInterceptor.intercept(TTNetInitInterceptor.java:17170538) at com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566) at com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785) at com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java) at com.ss.android.account.token.TTTokenInterceptor.a(TTTokenInterceptor.java:17170567) at com.ss.android.account.token.TTTokenInterceptor.intercept(TTTokenInterceptor.java:17170538) at com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566) at com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785) at com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java) at com.ss.android.ugc.aweme.net.interceptor.CommonParamsInterceptorTTNet.a(CommonParamsInterceptorTTNet.java:17170573) at com.ss.android.ugc.aweme.net.interceptor.CommonParamsInterceptorTTNet.intercept(CommonParamsInterceptorTTNet.java:17170538) at com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566) at com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785) at com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java) at com.bytedance.apm.ttnet.TTNetSampleInterceptor.a(TTNetSampleInterceptor.java:17105000) at com.bytedance.apm.ttnet.TTNetSampleInterceptor.intercept(TTNetSampleInterceptor.java:17170538) at com.bytedance.retrofit2.intercept.RealInterceptorChain.RealInterceptorChain__proceed$___twin___(RealInterceptorChain.java:17170566) at com.bytedance.retrofit2.intercept.RealInterceptorChain.com_bytedance_retrofit2_intercept_RealInterceptorChain_com_ss_android_ugc_aweme_lancet_network_ApiTimeLancet_proceed(RealInterceptorChain.java:34078785) at com.bytedance.retrofit2.intercept.RealInterceptorChain.proceed(RealInterceptorChain.java) at com.ss.android.ugc.aweme.net.interceptor.GlobalParamsAppendInterceptorTTNet.a(GlobalParamsAppendInterceptor.kt:17104997) at com.ss.android.ugc.aweme.net.interceptor.GlobalParamsAppendInterceptorTTNet.intercept(GlobalParamsAppendInterceptor.kt:17170538) [*] access-control-expose-headers---------[tt-idc-switch] [*] content-length---------[74] [*] content-type---------[application/x-protobuf] [*] date---------[Sat, 26 Jun 2021 11:50:26 GMT] [*] eagleid---------[b68317a516247082263773295e] [*] server---------[Tengine] [*] server-timing---------[inner; dur=12, cdn-cache;desc=MISS,edge;dur=0,origin;dur=52] [*] status---------[200] [*] timing-allow-origin---------[*] [*] tt-idc-switch---------[10000@20210622154328] [*] via---------[vcache17.cn1929[52,0]] [*] x-janus-mini-api-forward---------[Janus-Mini(fast)] [*] x-net-info.remoteaddr---------[182.131.23.239:443] [*] x-tt-logid---------[202106261950260101511510510F4ECCF1] [*] x-tt-trace-host---------[01bdedeff83f2d6787af9902c14163b80034333ad6c80ed2a6b851827ee6b9cb2a3d2816e5a085f9a513c90d43e8d56122773fea0355ff04d9ad0070c0c5ea4d84ac1a94e8e7df40d802d924d79fce9ed0be64d511e290ca9d97f48274e48a0378] [*] x-tt-trace-id---------[00-48281e7f0990b70ca848ea5ccc610468-48281e7f0990b70c-01] [*] x-tt-trace-tag---------[id=03;cdn-cache=miss;type=dyn]
这里就有蹊跷了:b函数调用了a函数,a函数的参数有关键字段,但是b函数的参数没有,说明那4个关键字段在b函数中实现的;查看b函数对a函数调用时,代码是这样的:传的参数是用linkedHashMap种取出来的,是不是可以hook linkedHashMap试试了?
if (g.d != null) { LinkedHashMap linkedHashMa = new LinkedHashMap(); g.d.getRequestMetrics(p0, linkedHashMa); if (!linkedHashMa.isEmpty()) { p1.b = g.a(linkedHashMa.get("remote_ip"), String.class, str); p1.k = g.a(linkedHashMa.get("dns_time"), Long.class, Long.valueOf(-1)).longValue(); p1.l = g.a(linkedHashMa.get("connect_time"), Long.class, Long.valueOf(-1)).longValue(); p1.m = g.a(linkedHashMa.get("ssl_time"), Long.class, Long.valueOf(-1)).longValue(); p1.n = g.a(linkedHashMa.get("send_time"), Long.class, Long.valueOf(-1)).longValue(); Object oget = linkedHashMa.get("push_time"); p1.o = g.a(oget, Long.class, Long.valueOf(-1)).longValue(); p1.p = g.a(linkedHashMa.get("receive_time"), Long.class, Long.valueOf(-1)).longValue(); p1.q = g.a(linkedHashMa.get("socket_reused"), Boolean.class, Boolean.FALSE).booleanValue(); p1.r = g.a(linkedHashMa.get("ttfb"), Long.class, Long.valueOf(-1)).longValue(); p1.s = g.a(linkedHashMa.get("total_time"), Long.class, Long.valueOf(-1)).longValue(); Long lOf = Long.valueOf(-1); p1.t = g.a(linkedHashMa.get("send_byte_count"), Long.class, lOf).longValue(); p1.u = g.a(linkedHashMa.get("received_byte_count"), Long.class, Long.valueOf(-1)).longValue(); p1.y = g.a(linkedHashMa.get("request_log"), String.class, str); p1.v = g.a(linkedHashMa.get("retry_attempts"), Long.class, Long.valueOf(-1)).longValue(); p1.B = g.a(linkedHashMa.get("request_headers"), String.class, str); p1.C = g.a(linkedHashMa.get("response_headers"), String.class, str); long lValue = g.a(linkedHashMa.get("post_task_start"), Long.class, Long.valueOf(-1)).longValue(); p1.E = lValue; p1.D = g.a(linkedHashMa.get("request_start"), Long.class, Long.valueOf(-1)).longValue(); p1.F = g.a(linkedHashMa.get("wait_ctx"), Long.class, Long.valueOf(-1)).longValue(); } }
hook代码:这里hook linkedHashMap的put方法,看看这4个参数是在哪被put进去的
var linkerHashMap=Java.use(\'java.util.LinkedHashMap\'); linkerHashMap.put.implementation = function(arg1,arg2){ send("=================linkerHashMap.put===================="); var data=this.put(arg1,arg2); send(arg1+"-----"+arg2); send(Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Throwable").$new())); /*var keySet=this.entrySet(); var it=keySet.iterator(); while(it.hasNext()){ var keystr=it.next().toString(); var value=this.get(keystr).toString(); send(keystr+"---------"+value); }*/ return data; }
结果还真有:put的两个参数分别时anchor_id和requestHeader,request header中再次带上了那4个关键字段!而且这次调用链条比较短,只有8个x音自己的方法,这里也可以作为突破口试试!
[*] =================linkerHashMap.put==================== [*] anchor_id----- [*] requestHeader-----{"Accept-Encoding":"gzip, deflate, br","Connection":"keep-alive","Cookie":"passport_csrf_token_default=347247bb8bea022535d3d5845482902a; n_mh=B6WRe0yd-1qIuffF6ZWNO-CSGlW1Q-VhC0E79NrqYTg; multi_sids=95063141447%3A2fb96f69aa912bdd050ef5224ffd91a8; odin_tt=abf9aade25cc87ee3389cc4dc35f9200c567179237e3d4f79743489f4502dd3f32dc4f6eef5d10d4e0cbfdba301b715f302933cba86c38dc6d38f021c9dcf9e5; uid_tt=e4b268e9345c17dc6f022a33eb8f2611; sid_tt=2fb96f69aa912bdd050ef5224ffd91a8; sessionid=2fb96f69aa912bdd050ef5224ffd91a8; sid_guard=2fb96f69aa912bdd050ef5224ffd91a8%7C1624704024%7C5184000%7CWed%2C+25-Aug-2021+10%3A40%3A24+GMT; install_id=3061500213736925; ttreq=1$0acef8b5ba94c2ca8170b47775d18de37dbdc565","Host":"api3-normal-c-hl.amemv.com","User-Agent":"com.ss.android.ugc.aweme/150501 (Linux; U; Android 6.0.1; zh_CN; KIW-AL10; Build/HONORKIW-AL10; Cronet/TTNetVersion:539f4bcf 2021-01-18 QuicVersion:47946d2a 2020-10-14)","X-Argus":"LMCny8r76r2XCL7OVkZ+mF5J5EWYW2mkjg+SX1xzpoQLLxq9iZY8GqNVD62Ho+yXztnsxCsv+/dcv+s/pT90iFGaR4KagcmXuhRZ87VqQnrhrqC+fVg5E6VGEdC78UwxXdc3paOaAT8VWZDsEL991prze6pK4MV2SGyUoSscz6xoaQvLlaswo4s4KfTKg/5NGnJOTI2nTaP4Lj6bmauZ161aekCebwm0evCpS7qiQStwzAtS8aAbo70LpJZIL7148eoEZbyVqzaDwGt+f3KLH8lTw5RGQh/+OVBRvTjf3LadkZrTSnziaHv2MrW0q/i6gPb8a5YL4oxQGL1K1/hxdqXT","X-Gorgon":"040410c4000039d311f507646d56ed8b9ed49804b96f58574e54","X-Khronos":"1624715497","X-Ladon":"zekAT73tChQ3unJOCVvBOSiso6RWwYTizaH8gd/zdZXBsMh0","X-SS-DP":"1128","X-SS-REQ-TICKET":"1624715497073","X-Tt-Token":"002fb96f69aa912bdd050ef5224ffd91a802e4321d198de0d1a3194067d529cc52050c6b753f0a1c71e9225ad278c4dc6b6205baccc1361f2a35e0d468a3a2d8f256c058c7e690a94aadfa717ad0a0dd2c6035d135be816044efcfc3fc3c9553c9cf6-1.0.1","X-Tyhon":"QE8Nf6CNAm3A6npuoat4TuOLIRGkkD967b0PEb8=","passport-sdk-version":"18","sdk-version":"2","x-bd-kmsv":"1","x-common-params-v2":"aid=1128&app_name=aweme&app_type=normal&cdid=26d986b9-5ef5-4c5d-acb3-8901740e80e4&channel=xiaomi&device_brand=HONOR&device_id=38846646916&device_platform=android&device_type=KIW-AL10&dpi=480&iid=3061500213736925&language=zh&manifest_version_code=150501&openudid=ce387d9d8c8008d7&os_api=23&os_version=6.0.1&resolution=1080*1776&ssmix=a&update_version_code=15509900&uuid=860709034302591&version_code=150500&version_name=15.5.0","x-tt-dt":"AAASQMBZL62AG5YQGHSRITTNU25H2Q7Z34GY4L3K2BKFMRGLUKSSBZMTOQDTDJCX6E4OOZ7RQZY4YE3A55BHQOTBLMERJ6AAA7P4KP2C6X65ZQHQ5OLWN6ON23JXO2EHBJPPBHAVVB5YK2MSLIM2HMI","x-tt-trace-id":"00-489712070990b70ca8427f20a4b20468-489712070990b70c-01"} [*] java.lang.Throwable at java.util.HashMap.put(Native Method) at com.ss.android.ugc.aweme.at.d.a(BaseMetricsEvent.java:50855968) at com.ss.android.ugc.aweme.at.bd.a(VideoPlayFinishEvent.java:524314) at com.ss.android.ugc.aweme.at.d.d(BaseMetricsEvent.java:196628) at com.ss.android.ugc.aweme.at.d.e(BaseMetricsEvent.java:327697) at com.ss.android.ugc.aweme.feed.controller.c.a(DouyinPlayerController.java:34210466) at com.ss.android.ugc.aweme.feed.controller.c.a(DouyinPlayerController.java:471) at com.ss.android.ugc.aweme.feed.controller.t.e(PlayerController.java:17170549) at com.ss.android.ugc.aweme.player.sdk.b.f$2$15.run(SimplifyPlayerImpl.java:196631) at android.os.Handler.handleCallback(Handler.java:743) at android.os.Handler.dispatchMessage(Handler.java:95) at android.os.Looper.loop(Looper.java:150) at android.app.ActivityThread.main(ActivityThread.java:5621) at java.lang.reflect.Method.invoke(Native Method) at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:794) at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:684)
继续第一条线索跟踪,发现调用在这里:Response response1 = new Response(sUrl, ia, object.b.getResponseMessage(), c.a(object.b), result) 代码的第4个参数c.a(object.b)调用了a方法解析header,说明这里hearder已经拼接完成,这里需要重点追踪object.b是怎么得到的!(这个execute方法还多次调用其他重载的g.a方法,这里应该实锤就是发送GET数据包的地方了)
try{ int ia = g.a(object.f, object.b); object.c.g = System.currentTimeMillis(); object.c.j = -1; object.e = g.a(object.b, object.c, ia); object.m = g.a(object.b, "Content-Type"); if (object.f.isResponseStreaming()) { byte vb = ((sa = g.a(object.b, "Content-Encoding")) != null && "gzip".equalsIgnoreCase(sa))? 1: 0; if (c.l != null && c.l.isCronetHttpURLConnection(object.b)) { vb = 0; } if (ia < 200 || ia < 300 || g.a(object.c)) { HttpURLConnection b = object.b; objectArray1 = new Object[2]; objectArray1[vi] = b; objectArray1[vi1] = Byte.valueOf(vb); PatchProxyResult pproxy1 = PatchProxy.proxy(objectArray1, object, c.a, vi, 112469); if (pproxy1.isSupported) { Object result = pproxy1.result; }else if(b == null){ label_010a : Response response1 = new Response(sUrl, ia, object.b.getResponseMessage(), c.a(object.b), result); v3.setExtraInfo(object.c); if (!object.f.isResponseStreaming()) { g.a(object.b); } if (!object.f.isResponseStreaming() && vi2) { e.b().d(); } return v3; }else if(!b.getContentLength()){ this.cancel(); goto label_010a ; }else { c$1 u1 = new c$1(object, b, vb); goto label_010a ; } }
这里打个岔:com.bytedance.frameworks.baselib.network.http.cronet.impl.g.a这个关键类里面import了JSONObject类,想想也觉得合理:这个么多字段,用json串组织是最合适的;于是乎马上hook该类的put和toString方法,代码如下:
var JSONObject=Java.use(\'org.json.JSONObject\'); JSONObject.toString.overload().implementation = function(){ send("=================org.json.JSONObject.toString===================="); send(Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Throwable").$new())); var data=this.toString(); send("org.json.JSONObject.toString result:"+data); return data; } for(var i = 0; i < JSONObject.put.overloads.length; i++){ JSONObject.put.overloads[i].implementation = function(){ send("=================org.json.JSONObject.put===================="); if(arguments.length == 2){ send(Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Throwable").$new())); send("key:"+arguments[0]); send("value:"+arguments[1]); var data=this.put(arguments[0],arguments[1]); return data; } } }
结果很失望:X- 开头的字段找到了很多(X-SS-DP、X-SS-REQ-TICKET、X-Tt-Token、x-tt-dt等),但X-Ladon、X-Gorgon、X-Tyhon、X-Argus这四个全都没有!这又说明了一个问题:x音的研发人员已经想到了这里肯能会被截胡,这4个字段大概率是在so层被生成和拼接好后才发送到java层的!高,实在是高!而且用手机和模拟器分别测试时,trace到的函数调用居然还不一样,猜测可能是分别作了不同的流程处理,再次佩服!
至此,hook了很多java层的方法,也打印了关键字段,但是仍然没找到关键字段在哪个so生成的,说明以往的思路是有问题的,需要重新缕缕了!
2、我们平时经常听说so库动态加载,这个容易理解,直接调用system.loadlibrary就行了!但是大家听过说动态加载dex么?这4个加密字段找不到生成的代码,肯定是被刻意隐藏了嘛(这是一句正确的废话)!为了更好的隐藏这些代码,会不会这些代码也被动态加载了?既然前面所有的查找思路都不行,现在也只能死马当活马医、试试这种方式了!
来到/data/data/com.ss.android.ugc.aweme目录下,这里存放了很多app运行时的临时数据; 挨个找的时候,发现了一个app_dex目录如下:
这个目录居然有个dex,这就蹊跷了:这个dex为啥不放在apk安装包了?为什么会出现在这里了?使出反常必有妖!把这个dex拿出来,发现有个方法在加载so!
于时hook这个方法,发现最早加载了这两个so:libsscronet.so和libmetasec_ml.so!这两个so的可疑之处:
- 加载顺序明显比其他so早! 要知道:这4个关键字段涉及到服务端的验证,客户端发送请求都要带上!如果代码加载的时间晚了就来不及计算了,客户端发送的请求是没法带上这些关键字段的!
- 从调用堆栈看,有些类叫preload,就是预先加载!说明这两个so是刻意要提前加载的!
(1)先打开metasec_ml,很顺利地找到了jni_onload,F5看看反编译源码,结果提示如下:
进入函数一看,刚开始入栈+开辟局部变量空间占用了0x108字节:
等到函数结束,没任何pop指令,栈都不平衡!
想着是不是故意加了反IAD的静态编译代码了(就是壳)?如果是,那么执行的时候肯定会还原的,所以继续从内存dump这个so,再用IDA打开看,还是报错:so文件的头已经被破坏了(以前在windows反调试常用的手段之一就是加载dll后抹掉dll文件头信息,没想到在这里也遇到了)!
看来静态分析的路走不通了,后续接着动态调试,或用frida hook,看看里面的关键函数和参数、返回值都是啥!
(2)libsscronet.so:里面导入了大量的网络api,疑似用于发送和接收数据!
参考:
1、https://www.jianshu.com/p/ca5117e1a0a1 Android实现动态加载dex, res, so