拼多多anti-token分析

逆向协议风控大师2023-08-27 19:04

前言:拼多多charles抓包分析发现跟商品相关的请求头里都带了一个anti-token的字段且每次都不一样,那么下面的操作就从分析anti-token开始了

1.jadx反编译直接搜索

选中跟http相关的类对这个方法进行打印堆栈

结合堆栈方法调用的情况找到具体anti-token是由拦截器类f.a方法调用的,在http.a.c()方法中生成并且http.p.e()方法中加入请求头

在http.a.c()方法中有个一个判断条件如果为true则走d.a().e()方法生成anti-token

如果为false则走j()方法生成anti-token

hook这个i()方法返回值可知获取商品详情接口返回值为false所以走的是j()方法进行计算anti-token。

SecureNative.deviceInfo3()方法生成,传入的str为pdd生成的固定id 一个字符串.

根据hook_libart 得到info3()方法是在libodd_secure.so中,那么ida打开看看这个so包

2.这部分我们采用unidbg+jnitrace+frida相结合的方式

unidbg前期准备的代码这里就不发了直接调用这个info3方法

这里提示调用gad()方法返回一个字符串那么frida hook这个方法拿到这个值 如下图 一个固定的字符串

16位长度看着像AES的密钥

继续补环境 这里简单补环境就不发了

补完简单的环境代码后,再次运行报这个错误 看错误应该是缺少文件 ,那么看看日志需要补那个文件

继续运行,没有返回值报空指针。execve()函数执行的时候程序exit了这里我们返回对象本身.

execve()函数执行的时候程序exit了

execve filename=/system/bin/sh, args=[sh, -c, cat /proc/sys/kernel/random/boot_id]

这个函数相当于查看 boot_id这个文件信息

捋顺下逻辑应该就是先fork进程 然后在子进程中读取这个文件 然后把他写入pip中

那么自定义syscallhandler后 再次运行成功拿到结果

全部代码如下:

|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 | package pdd; import com.github.unidbg.AndroidEmulator; import com.github.unidbg.Emulator; import com.github.unidbg.Module; import com.github.unidbg.file.FileResult; import com.github.unidbg.file.IOResolver; import com.github.unidbg.file.linux.AndroidFileIO; import com.github.unidbg.linux.android.AndroidARMEmulator; import com.github.unidbg.linux.android.AndroidEmulatorBuilder; import com.github.unidbg.linux.android.AndroidResolver; import com.github.unidbg.linux.android.dvm.*; import com.github.unidbg.linux.file.ByteArrayFileIO; import com.github.unidbg.memory.Memory; import com.github.unidbg.memory.SvcMemory; import com.github.unidbg.spi.SyscallHandler; import com.github.unidbg.unix.UnixSyscallHandler; import java.io.File; import java.nio.charset.StandardCharsets; import java.util.ArrayList; import java.util.List; import java.util.UUID; public class Pddmain ``extends AbstractJni ``implements IOResolver<AndroidFileIO> { ``private AndroidEmulator androidEmulator; ``private static final String APK_PATH = ``"/Users/Downloads/com.xunmeng.pinduoduo_6.7.0_60700.apk"``; ``private static final String SO_PATH = ``"/Users/Downloads/com.xunmeng.pinduoduo_6.7.0_60700/lib/armeabi-v7a/libpdd_secure.so"``; ``private Module moduleModule; ``private VM dalvikVM; ``public static void main(String[] args) { ``Pddmain main = ``new Pddmain(); ``main.create(); ``} ``private void create() { ``AndroidEmulatorBuilder androidEmulatorBuilder = ``new AndroidEmulatorBuilder(``false``) { ``@Override ``public AndroidEmulator build() { ``return new AndroidARMEmulator(``"com.xunmeng.pinduoduo"``,rootDir,backendFactories) { ``@Override ``protected UnixSyscallHandler<AndroidFileIO> createSyscallHandler(SvcMemory svcMemory) { ``return new PddArmSysCallHand(svcMemory); ``} ``}; ``} ``}; ``androidEmulator = androidEmulatorBuilder.setProcessName(``""``).build(); ``androidEmulator.getSyscallHandler().addIOResolver(``this``); ``Memory androidEmulatorMemory = androidEmulator.getMemory(); ``androidEmulatorMemory.setLibraryResolver(``new AndroidResolver(``23``)); ``dalvikVM = androidEmulator.createDalvikVM(``new File(APK_PATH)); ``DalvikModule module = dalvikVM.loadLibrary(``new File(SO_PATH), ``true``); ``moduleModule = module.getModule(); ``dalvikVM.setJni(``this``); ``dalvikVM.setVerbose(``true``); ``dalvikVM.callJNI_OnLoad(androidEmulator, moduleModule); ``callInfo3(); ``} ``@Override ``public void callStaticVoidMethodV(BaseVM vm, DvmClass dvmClass, String signature, VaList vaList) { ``if (``"com/tencent/mars/xlog/PLog->i(Ljava/lang/String;Ljava/lang/String;)V"``.equals(signature)) { ``return``; ``} ``super``.callStaticVoidMethodV(vm, dvmClass, signature, vaList); ``} ``private void callInfo3() { ``List<Object> argList = ``new ArrayList<>(); ``argList.add(dalvikVM.getJNIEnv()); ``argList.add(``0``); ``DvmObject<?> context = dalvikVM.resolveClass(``"android/content/Context"``).newObject(``null``); ``argList.add(dalvikVM.addLocalObject(context)); ``argList.add(dalvikVM.addLocalObject(``new StringObject(dalvikVM, ``"api/oak/integration/render"``))); ``argList.add(dalvikVM.addLocalObject(``new StringObject(dalvikVM, ``"dIrjGpkC"``))); ``Number number = moduleModule.callFunction(androidEmulator, ``0xb6f9``, argList.toArray())[``0``]; ``String toString = dalvikVM.getObject(number.intValue()).getValue().toString(); ``System.out.println(toString); ``} ``@Override ``public DvmObject<?> callStaticObjectMethodV(BaseVM vm, DvmClass dvmClass, String signature, VaList vaList) { ``if (``"com/xunmeng/pinduoduo/secure/EU->gad()Ljava/lang/String;"``.equals(signature)) { ``return new StringObject(vm, ``"cb14a9e76b72a627"``); ``} ``else if (``"java/util/UUID->randomUUID()Ljava/util/UUID;"``.equals(signature)) { ``UUID uuid = UUID.randomUUID(); ``DvmObject<?> dvmObject = vm.resolveClass(``"java/util/UUID"``).newObject(uuid); ``return dvmObject; ``} ``return super``.callStaticObjectMethodV(vm, dvmClass, signature, vaList); ``} ``@Override ``public DvmObject<?> callObjectMethodV(BaseVM vm, DvmObject<?> dvmObject, String signature, VaList vaList) { ``if (``"java/util/UUID->toString()Ljava/lang/String;"``.equals(signature)) { ``UUID uuid = (UUID) dvmObject.getValue(); ``return new StringObject(vm, uuid.toString()); ``} ``else if (``"java/lang/String->replaceAll(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;"``.equals(signature)) { ``String obj = dvmObject.getValue().toString(); ``String arg0 = vaList.getObjectArg(``0``).toString(); ``String arg1 = vaList.getObjectArg(``1``).toString(); ``String replaceAll = obj.replaceAll(arg0, arg1); ``return new StringObject(vm, replaceAll); ``} ``return super``.callObjectMethodV(vm, dvmObject, signature, vaList); ``} ``@Override ``public int callIntMethodV(BaseVM vm, DvmObject<?> dvmObject, String signature, VaList vaList) { ``if (``"java/lang/String->hashCode()I"``.equals(signature)) { ``return dvmObject.getValue().toString().hashCode(); ``} ``return super``.callIntMethodV(vm, dvmObject, signature, vaList); ``} ``@Override ``public FileResult<AndroidFileIO> resolve(Emulator<AndroidFileIO> emulator, String pathname, ``int oflags) { ``if (``"/proc/stat"``.equals(pathname)) { ``String info = ``"cpu 15884810 499865 12934024 24971554 59427 3231204 945931 0 0 0\n" + ``"cpu0 6702550 170428 5497985 19277857 45380 1821584 529454 0 0 0\n" + ``"cpu1 4438333 121907 3285784 1799772 3702 504395 255852 0 0 0\n" + ``"cpu2 2735453 133666 2450712 1812564 4626 538114 93763 0 0 0\n" + ``"cpu3 2008473 73862 1699542 2081360 5716 367109 66860 0 0 0\n" + ``"intr 1022419954 0 0 0 159719900 0 16265892 4846825 5 5 5 6 0 0 497 24817167 17 176595 1352 0 28375276 0 0 0 0 5239 698 0 0 0 0 0 0 3212852 0 12195284 0 0 0 0 0 43 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 12513 2743129 375 12477726 0 0 0 0 37 1351794 0 36 8 0 0 0 0 0 0 5846 0 0 0 0 0 0 0 0 0 141 32 0 55 0 0 0 0 0 0 0 0 18 0 18 0 0 0 0 0 0 66 0 0 0 0 0 0 0 77 0 166 0 0 0 0 0 394 0 0 0 0 0 1339137 0 0 0 0 0 0 313 0 0 0 55759 7 7 7 0 0 0 0 0 0 0 0 3066136 0 47 0 0 0 2 2 0 0 0 6 8 0 0 0 2 0 462 2952327 35420 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 495589 0 0 0 0 3 27 0 0 0 0 0 0 0 0 0 0 0 0 0 0 37662 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 4760 0 0 97 0 0 0 0 0 0 0 0 0 243 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 4649 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 22355451 0 0 0 14 0 24449357 96 49415 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 17067 780222 3211 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 649346 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n" + ``"ctxt 1572087931\n" + ``"btime 1649910663\n" + ``"processes 230673\n" + ``"procs_running 6\n" + ``"procs_blocked 0\n" + ``"softirq 374327567 12481657 139161248 204829 7276312 2275183 26796 12851725 80988196 1422751 117638870"``; ``return FileResult.success(``new ByteArrayFileIO(oflags, pathname, info.getBytes(StandardCharsets.UTF_8))); ``} ``return null``; ``} } |

相关推荐
勿忘,瞬间1 天前
Maven
java·maven
Zhen (Evan) Wang1 天前
SQL Server Service Broker启用详解以及常见问题
数据库·sqlserver
马克学长1 天前
SSM文创产品推荐系统设计与实现95ml5(程序+源码+数据库+调试部署+开发环境)带论文文档1万字以上,文末可获取,系统界面在最后面。
数据库·ssm 框架·高校学生管理数字化·ssm 框架应用·商品分类与信息管理
hzk的学习笔记1 天前
Redisson 的 Watchdog 机制
数据库·redis·分布式·缓存
AWS官方合作商1 天前
AWS Lambda的安全之道:S3静态加密与运行时完整性检查的双重保障
安全·云计算·aws
罗光记1 天前
夜晚的梦
数据库·其他·百度·新浪微博·segmentfault
韩立学长1 天前
基于Springboot的智慧管网灌溉系统i1agupa7(程序、源码、数据库、调试部署方案及开发环境)系统界面展示及获取方式置于文档末尾,可供参考。
数据库·spring boot·后端
一 乐1 天前
高校教务|教务管理|基于springboot+vue的高校教务管理系统(源码+数据库+文档)
java·数据库·vue.js·spring boot·后端·教务管理
数字冰雹1 天前
重塑城市公共安全管理的“智慧之眼”
java·大数据·数据库
还是奇怪1 天前
隐藏在字符编码中的陷阱:深入剖析宽字节注入
数据库·sql·安全·web安全
热门推荐
01GitHub 镜像站点02UV安装并设置国内源03BongoCat - 跨平台键盘猫动画工具04综合整理:pdf预览显示:你尝试预览的文件可能对你的计算机有害。如果你信任此文件以及其来源,请打开此文件以看其内容,如何解决以正常预览文件05Linux下V2Ray安装配置指南06安娜的档案(Anna’s Archive) 镜像网站/国内最新可访问入口(持续更新)07jdk21下载、安装(Windows、Linux、macOS)08《大数据技术原理与应用》实验报告三 熟悉HBase常用操作09PyCharm 社区版全平台安装指南10Labelme从安装到标注:零基础完整指南