拼多多anti-token分析

逆向协议风控大师2023-08-27 19:04

前言:拼多多charles抓包分析发现跟商品相关的请求头里都带了一个anti-token的字段且每次都不一样,那么下面的操作就从分析anti-token开始了

1.jadx反编译直接搜索

选中跟http相关的类对这个方法进行打印堆栈

结合堆栈方法调用的情况找到具体anti-token是由拦截器类f.a方法调用的,在http.a.c()方法中生成并且http.p.e()方法中加入请求头

在http.a.c()方法中有个一个判断条件如果为true则走d.a().e()方法生成anti-token

如果为false则走j()方法生成anti-token

hook这个i()方法返回值可知获取商品详情接口返回值为false所以走的是j()方法进行计算anti-token。

SecureNative.deviceInfo3()方法生成,传入的str为pdd生成的固定id 一个字符串.

根据hook_libart 得到info3()方法是在libodd_secure.so中,那么ida打开看看这个so包

2.这部分我们采用unidbg+jnitrace+frida相结合的方式

unidbg前期准备的代码这里就不发了直接调用这个info3方法

这里提示调用gad()方法返回一个字符串那么frida hook这个方法拿到这个值 如下图 一个固定的字符串

16位长度看着像AES的密钥

继续补环境 这里简单补环境就不发了

补完简单的环境代码后,再次运行报这个错误 看错误应该是缺少文件 ,那么看看日志需要补那个文件

继续运行,没有返回值报空指针。execve()函数执行的时候程序exit了这里我们返回对象本身.

execve()函数执行的时候程序exit了

execve filename=/system/bin/sh, args=[sh, -c, cat /proc/sys/kernel/random/boot_id]

这个函数相当于查看 boot_id这个文件信息

捋顺下逻辑应该就是先fork进程 然后在子进程中读取这个文件 然后把他写入pip中

那么自定义syscallhandler后 再次运行成功拿到结果

全部代码如下:

|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 | package pdd; import com.github.unidbg.AndroidEmulator; import com.github.unidbg.Emulator; import com.github.unidbg.Module; import com.github.unidbg.file.FileResult; import com.github.unidbg.file.IOResolver; import com.github.unidbg.file.linux.AndroidFileIO; import com.github.unidbg.linux.android.AndroidARMEmulator; import com.github.unidbg.linux.android.AndroidEmulatorBuilder; import com.github.unidbg.linux.android.AndroidResolver; import com.github.unidbg.linux.android.dvm.*; import com.github.unidbg.linux.file.ByteArrayFileIO; import com.github.unidbg.memory.Memory; import com.github.unidbg.memory.SvcMemory; import com.github.unidbg.spi.SyscallHandler; import com.github.unidbg.unix.UnixSyscallHandler; import java.io.File; import java.nio.charset.StandardCharsets; import java.util.ArrayList; import java.util.List; import java.util.UUID; public class Pddmain ``extends AbstractJni ``implements IOResolver<AndroidFileIO> { ``private AndroidEmulator androidEmulator; ``private static final String APK_PATH = ``"/Users/Downloads/com.xunmeng.pinduoduo_6.7.0_60700.apk"``; ``private static final String SO_PATH = ``"/Users/Downloads/com.xunmeng.pinduoduo_6.7.0_60700/lib/armeabi-v7a/libpdd_secure.so"``; ``private Module moduleModule; ``private VM dalvikVM; ``public static void main(String[] args) { ``Pddmain main = ``new Pddmain(); ``main.create(); ``} ``private void create() { ``AndroidEmulatorBuilder androidEmulatorBuilder = ``new AndroidEmulatorBuilder(``false``) { ``@Override ``public AndroidEmulator build() { ``return new AndroidARMEmulator(``"com.xunmeng.pinduoduo"``,rootDir,backendFactories) { ``@Override ``protected UnixSyscallHandler<AndroidFileIO> createSyscallHandler(SvcMemory svcMemory) { ``return new PddArmSysCallHand(svcMemory); ``} ``}; ``} ``}; ``androidEmulator = androidEmulatorBuilder.setProcessName(``""``).build(); ``androidEmulator.getSyscallHandler().addIOResolver(``this``); ``Memory androidEmulatorMemory = androidEmulator.getMemory(); ``androidEmulatorMemory.setLibraryResolver(``new AndroidResolver(``23``)); ``dalvikVM = androidEmulator.createDalvikVM(``new File(APK_PATH)); ``DalvikModule module = dalvikVM.loadLibrary(``new File(SO_PATH), ``true``); ``moduleModule = module.getModule(); ``dalvikVM.setJni(``this``); ``dalvikVM.setVerbose(``true``); ``dalvikVM.callJNI_OnLoad(androidEmulator, moduleModule); ``callInfo3(); ``} ``@Override ``public void callStaticVoidMethodV(BaseVM vm, DvmClass dvmClass, String signature, VaList vaList) { ``if (``"com/tencent/mars/xlog/PLog->i(Ljava/lang/String;Ljava/lang/String;)V"``.equals(signature)) { ``return``; ``} ``super``.callStaticVoidMethodV(vm, dvmClass, signature, vaList); ``} ``private void callInfo3() { ``List<Object> argList = ``new ArrayList<>(); ``argList.add(dalvikVM.getJNIEnv()); ``argList.add(``0``); ``DvmObject<?> context = dalvikVM.resolveClass(``"android/content/Context"``).newObject(``null``); ``argList.add(dalvikVM.addLocalObject(context)); ``argList.add(dalvikVM.addLocalObject(``new StringObject(dalvikVM, ``"api/oak/integration/render"``))); ``argList.add(dalvikVM.addLocalObject(``new StringObject(dalvikVM, ``"dIrjGpkC"``))); ``Number number = moduleModule.callFunction(androidEmulator, ``0xb6f9``, argList.toArray())[``0``]; ``String toString = dalvikVM.getObject(number.intValue()).getValue().toString(); ``System.out.println(toString); ``} ``@Override ``public DvmObject<?> callStaticObjectMethodV(BaseVM vm, DvmClass dvmClass, String signature, VaList vaList) { ``if (``"com/xunmeng/pinduoduo/secure/EU->gad()Ljava/lang/String;"``.equals(signature)) { ``return new StringObject(vm, ``"cb14a9e76b72a627"``); ``} ``else if (``"java/util/UUID->randomUUID()Ljava/util/UUID;"``.equals(signature)) { ``UUID uuid = UUID.randomUUID(); ``DvmObject<?> dvmObject = vm.resolveClass(``"java/util/UUID"``).newObject(uuid); ``return dvmObject; ``} ``return super``.callStaticObjectMethodV(vm, dvmClass, signature, vaList); ``} ``@Override ``public DvmObject<?> callObjectMethodV(BaseVM vm, DvmObject<?> dvmObject, String signature, VaList vaList) { ``if (``"java/util/UUID->toString()Ljava/lang/String;"``.equals(signature)) { ``UUID uuid = (UUID) dvmObject.getValue(); ``return new StringObject(vm, uuid.toString()); ``} ``else if (``"java/lang/String->replaceAll(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;"``.equals(signature)) { ``String obj = dvmObject.getValue().toString(); ``String arg0 = vaList.getObjectArg(``0``).toString(); ``String arg1 = vaList.getObjectArg(``1``).toString(); ``String replaceAll = obj.replaceAll(arg0, arg1); ``return new StringObject(vm, replaceAll); ``} ``return super``.callObjectMethodV(vm, dvmObject, signature, vaList); ``} ``@Override ``public int callIntMethodV(BaseVM vm, DvmObject<?> dvmObject, String signature, VaList vaList) { ``if (``"java/lang/String->hashCode()I"``.equals(signature)) { ``return dvmObject.getValue().toString().hashCode(); ``} ``return super``.callIntMethodV(vm, dvmObject, signature, vaList); ``} ``@Override ``public FileResult<AndroidFileIO> resolve(Emulator<AndroidFileIO> emulator, String pathname, ``int oflags) { ``if (``"/proc/stat"``.equals(pathname)) { ``String info = ``"cpu 15884810 499865 12934024 24971554 59427 3231204 945931 0 0 0\n" + ``"cpu0 6702550 170428 5497985 19277857 45380 1821584 529454 0 0 0\n" + ``"cpu1 4438333 121907 3285784 1799772 3702 504395 255852 0 0 0\n" + ``"cpu2 2735453 133666 2450712 1812564 4626 538114 93763 0 0 0\n" + ``"cpu3 2008473 73862 1699542 2081360 5716 367109 66860 0 0 0\n" + ``"intr 1022419954 0 0 0 159719900 0 16265892 4846825 5 5 5 6 0 0 497 24817167 17 176595 1352 0 28375276 0 0 0 0 5239 698 0 0 0 0 0 0 3212852 0 12195284 0 0 0 0 0 43 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 12513 2743129 375 12477726 0 0 0 0 37 1351794 0 36 8 0 0 0 0 0 0 5846 0 0 0 0 0 0 0 0 0 141 32 0 55 0 0 0 0 0 0 0 0 18 0 18 0 0 0 0 0 0 66 0 0 0 0 0 0 0 77 0 166 0 0 0 0 0 394 0 0 0 0 0 1339137 0 0 0 0 0 0 313 0 0 0 55759 7 7 7 0 0 0 0 0 0 0 0 3066136 0 47 0 0 0 2 2 0 0 0 6 8 0 0 0 2 0 462 2952327 35420 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 495589 0 0 0 0 3 27 0 0 0 0 0 0 0 0 0 0 0 0 0 0 37662 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 4760 0 0 97 0 0 0 0 0 0 0 0 0 243 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 4649 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 22355451 0 0 0 14 0 24449357 96 49415 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 17067 780222 3211 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 649346 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n" + ``"ctxt 1572087931\n" + ``"btime 1649910663\n" + ``"processes 230673\n" + ``"procs_running 6\n" + ``"procs_blocked 0\n" + ``"softirq 374327567 12481657 139161248 204829 7276312 2275183 26796 12851725 80988196 1422751 117638870"``; ``return FileResult.success(``new ByteArrayFileIO(oflags, pathname, info.getBytes(StandardCharsets.UTF_8))); ``} ``return null``; ``} } |

相关推荐
mahuifa5 分钟前
ubuntu18.04编译qt5.14.2源码
开发语言·数据库·qt
瓦力wow6 分钟前
c语言 写一个五子棋
c语言·c++·算法
随缘。。。。14 分钟前
web系统安全管理
java
丁一郎学编程21 分钟前
优先级队列(堆)
java·数据结构
侧耳倾听11128 分钟前
java集合相关的api-总结
java·开发语言
贺函不是涵40 分钟前
【沉浸式求职学习day43】【Java面试题精选3】
java·开发语言·学习
特立独行的猫a44 分钟前
HarmonyOS 影视应用APP开发--配套的后台服务go-imovie项目介绍及使用
华为·golang·harmonyos·影视app
xiaobin889991 小时前
matlab官方免费下载安装超详细教程2025最新matlab安装教程(MATLAB R2024b)
java·开发语言·其他·matlab
hjjdebug1 小时前
c/c++数据类型转换.
c语言·c++·数据类型变换
熬夜学编程的小王1 小时前
【C++进阶篇】C++容器完全指南:掌握set和map的使用,提升编码效率
c++·set·map
热门推荐
01KGG转MP3工具|非KGM文件|解密音频02YOLOv8入门 | 重要性能衡量指标、训练结果评价及分析及影响mAP的因素【发论文关注的指标】03从零安装 LLaMA-Factory 微调 Qwen 大模型成功及所有的坑04【SpeedAI科研小助手】2分钟极速解决知网维普重复率、AIGC率过高,一键全文降!文件格式不变,公式都保留的!05YOLOv5改进 | 添加CA注意力机制 + 增加预测层 + 更换损失函数之GIoU06Coze扣子平台完整体验和实践(附国内和国际版对比)07Ubuntu24.04安装中文输入法08DeepSeek各版本说明与优缺点分析09苍穹外卖面试总结10组基轨迹建模 GBTM的介绍与实现(Stata 或 R)