拼多多anti-token分析

逆向协议风控大师2023-08-27 19:04

前言:拼多多charles抓包分析发现跟商品相关的请求头里都带了一个anti-token的字段且每次都不一样,那么下面的操作就从分析anti-token开始了

1.jadx反编译直接搜索

选中跟http相关的类对这个方法进行打印堆栈

结合堆栈方法调用的情况找到具体anti-token是由拦截器类f.a方法调用的,在http.a.c()方法中生成并且http.p.e()方法中加入请求头

在http.a.c()方法中有个一个判断条件如果为true则走d.a().e()方法生成anti-token

如果为false则走j()方法生成anti-token

hook这个i()方法返回值可知获取商品详情接口返回值为false所以走的是j()方法进行计算anti-token。

SecureNative.deviceInfo3()方法生成,传入的str为pdd生成的固定id 一个字符串.

根据hook_libart 得到info3()方法是在libodd_secure.so中,那么ida打开看看这个so包

2.这部分我们采用unidbg+jnitrace+frida相结合的方式

unidbg前期准备的代码这里就不发了直接调用这个info3方法

这里提示调用gad()方法返回一个字符串那么frida hook这个方法拿到这个值 如下图 一个固定的字符串

16位长度看着像AES的密钥

继续补环境 这里简单补环境就不发了

补完简单的环境代码后,再次运行报这个错误 看错误应该是缺少文件 ,那么看看日志需要补那个文件

继续运行,没有返回值报空指针。execve()函数执行的时候程序exit了这里我们返回对象本身.

execve()函数执行的时候程序exit了

execve filename=/system/bin/sh, args=[sh, -c, cat /proc/sys/kernel/random/boot_id]

这个函数相当于查看 boot_id这个文件信息

捋顺下逻辑应该就是先fork进程 然后在子进程中读取这个文件 然后把他写入pip中

那么自定义syscallhandler后 再次运行成功拿到结果

全部代码如下:

|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 | package pdd; import com.github.unidbg.AndroidEmulator; import com.github.unidbg.Emulator; import com.github.unidbg.Module; import com.github.unidbg.file.FileResult; import com.github.unidbg.file.IOResolver; import com.github.unidbg.file.linux.AndroidFileIO; import com.github.unidbg.linux.android.AndroidARMEmulator; import com.github.unidbg.linux.android.AndroidEmulatorBuilder; import com.github.unidbg.linux.android.AndroidResolver; import com.github.unidbg.linux.android.dvm.*; import com.github.unidbg.linux.file.ByteArrayFileIO; import com.github.unidbg.memory.Memory; import com.github.unidbg.memory.SvcMemory; import com.github.unidbg.spi.SyscallHandler; import com.github.unidbg.unix.UnixSyscallHandler; import java.io.File; import java.nio.charset.StandardCharsets; import java.util.ArrayList; import java.util.List; import java.util.UUID; public class Pddmain ``extends AbstractJni ``implements IOResolver<AndroidFileIO> { ``private AndroidEmulator androidEmulator; ``private static final String APK_PATH = ``"/Users/Downloads/com.xunmeng.pinduoduo_6.7.0_60700.apk"``; ``private static final String SO_PATH = ``"/Users/Downloads/com.xunmeng.pinduoduo_6.7.0_60700/lib/armeabi-v7a/libpdd_secure.so"``; ``private Module moduleModule; ``private VM dalvikVM; ``public static void main(String[] args) { ``Pddmain main = ``new Pddmain(); ``main.create(); ``} ``private void create() { ``AndroidEmulatorBuilder androidEmulatorBuilder = ``new AndroidEmulatorBuilder(``false``) { ``@Override ``public AndroidEmulator build() { ``return new AndroidARMEmulator(``"com.xunmeng.pinduoduo"``,rootDir,backendFactories) { ``@Override ``protected UnixSyscallHandler<AndroidFileIO> createSyscallHandler(SvcMemory svcMemory) { ``return new PddArmSysCallHand(svcMemory); ``} ``}; ``} ``}; ``androidEmulator = androidEmulatorBuilder.setProcessName(``""``).build(); ``androidEmulator.getSyscallHandler().addIOResolver(``this``); ``Memory androidEmulatorMemory = androidEmulator.getMemory(); ``androidEmulatorMemory.setLibraryResolver(``new AndroidResolver(``23``)); ``dalvikVM = androidEmulator.createDalvikVM(``new File(APK_PATH)); ``DalvikModule module = dalvikVM.loadLibrary(``new File(SO_PATH), ``true``); ``moduleModule = module.getModule(); ``dalvikVM.setJni(``this``); ``dalvikVM.setVerbose(``true``); ``dalvikVM.callJNI_OnLoad(androidEmulator, moduleModule); ``callInfo3(); ``} ``@Override ``public void callStaticVoidMethodV(BaseVM vm, DvmClass dvmClass, String signature, VaList vaList) { ``if (``"com/tencent/mars/xlog/PLog->i(Ljava/lang/String;Ljava/lang/String;)V"``.equals(signature)) { ``return``; ``} ``super``.callStaticVoidMethodV(vm, dvmClass, signature, vaList); ``} ``private void callInfo3() { ``List<Object> argList = ``new ArrayList<>(); ``argList.add(dalvikVM.getJNIEnv()); ``argList.add(``0``); ``DvmObject<?> context = dalvikVM.resolveClass(``"android/content/Context"``).newObject(``null``); ``argList.add(dalvikVM.addLocalObject(context)); ``argList.add(dalvikVM.addLocalObject(``new StringObject(dalvikVM, ``"api/oak/integration/render"``))); ``argList.add(dalvikVM.addLocalObject(``new StringObject(dalvikVM, ``"dIrjGpkC"``))); ``Number number = moduleModule.callFunction(androidEmulator, ``0xb6f9``, argList.toArray())[``0``]; ``String toString = dalvikVM.getObject(number.intValue()).getValue().toString(); ``System.out.println(toString); ``} ``@Override ``public DvmObject<?> callStaticObjectMethodV(BaseVM vm, DvmClass dvmClass, String signature, VaList vaList) { ``if (``"com/xunmeng/pinduoduo/secure/EU->gad()Ljava/lang/String;"``.equals(signature)) { ``return new StringObject(vm, ``"cb14a9e76b72a627"``); ``} ``else if (``"java/util/UUID->randomUUID()Ljava/util/UUID;"``.equals(signature)) { ``UUID uuid = UUID.randomUUID(); ``DvmObject<?> dvmObject = vm.resolveClass(``"java/util/UUID"``).newObject(uuid); ``return dvmObject; ``} ``return super``.callStaticObjectMethodV(vm, dvmClass, signature, vaList); ``} ``@Override ``public DvmObject<?> callObjectMethodV(BaseVM vm, DvmObject<?> dvmObject, String signature, VaList vaList) { ``if (``"java/util/UUID->toString()Ljava/lang/String;"``.equals(signature)) { ``UUID uuid = (UUID) dvmObject.getValue(); ``return new StringObject(vm, uuid.toString()); ``} ``else if (``"java/lang/String->replaceAll(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;"``.equals(signature)) { ``String obj = dvmObject.getValue().toString(); ``String arg0 = vaList.getObjectArg(``0``).toString(); ``String arg1 = vaList.getObjectArg(``1``).toString(); ``String replaceAll = obj.replaceAll(arg0, arg1); ``return new StringObject(vm, replaceAll); ``} ``return super``.callObjectMethodV(vm, dvmObject, signature, vaList); ``} ``@Override ``public int callIntMethodV(BaseVM vm, DvmObject<?> dvmObject, String signature, VaList vaList) { ``if (``"java/lang/String->hashCode()I"``.equals(signature)) { ``return dvmObject.getValue().toString().hashCode(); ``} ``return super``.callIntMethodV(vm, dvmObject, signature, vaList); ``} ``@Override ``public FileResult<AndroidFileIO> resolve(Emulator<AndroidFileIO> emulator, String pathname, ``int oflags) { ``if (``"/proc/stat"``.equals(pathname)) { ``String info = ``"cpu 15884810 499865 12934024 24971554 59427 3231204 945931 0 0 0\n" + ``"cpu0 6702550 170428 5497985 19277857 45380 1821584 529454 0 0 0\n" + ``"cpu1 4438333 121907 3285784 1799772 3702 504395 255852 0 0 0\n" + ``"cpu2 2735453 133666 2450712 1812564 4626 538114 93763 0 0 0\n" + ``"cpu3 2008473 73862 1699542 2081360 5716 367109 66860 0 0 0\n" + ``"intr 1022419954 0 0 0 159719900 0 16265892 4846825 5 5 5 6 0 0 497 24817167 17 176595 1352 0 28375276 0 0 0 0 5239 698 0 0 0 0 0 0 3212852 0 12195284 0 0 0 0 0 43 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 12513 2743129 375 12477726 0 0 0 0 37 1351794 0 36 8 0 0 0 0 0 0 5846 0 0 0 0 0 0 0 0 0 141 32 0 55 0 0 0 0 0 0 0 0 18 0 18 0 0 0 0 0 0 66 0 0 0 0 0 0 0 77 0 166 0 0 0 0 0 394 0 0 0 0 0 1339137 0 0 0 0 0 0 313 0 0 0 55759 7 7 7 0 0 0 0 0 0 0 0 3066136 0 47 0 0 0 2 2 0 0 0 6 8 0 0 0 2 0 462 2952327 35420 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 495589 0 0 0 0 3 27 0 0 0 0 0 0 0 0 0 0 0 0 0 0 37662 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 4760 0 0 97 0 0 0 0 0 0 0 0 0 243 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 4649 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 22355451 0 0 0 14 0 24449357 96 49415 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 17067 780222 3211 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 649346 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n" + ``"ctxt 1572087931\n" + ``"btime 1649910663\n" + ``"processes 230673\n" + ``"procs_running 6\n" + ``"procs_blocked 0\n" + ``"softirq 374327567 12481657 139161248 204829 7276312 2275183 26796 12851725 80988196 1422751 117638870"``; ``return FileResult.success(``new ByteArrayFileIO(oflags, pathname, info.getBytes(StandardCharsets.UTF_8))); ``} ``return null``; ``} } |

相关推荐
1024熙6 分钟前
【C++】——lambda表达式
开发语言·数据结构·c++·算法·lambda表达式
麓殇⊙15 分钟前
mybatis--多对一处理/一对多处理
java·tomcat·mybatis
AWS官方合作商21 分钟前
应对海量数据归档难题?AWS Glacier 的低成本冷存储解决方案实践指南
大数据·云计算·aws
双叶83635 分钟前
(51单片机)点阵屏LED显示图片(点阵屏LED教程)(74Hc595教程)
c语言·开发语言·单片机·嵌入式硬件·51单片机
老马啸西风42 分钟前
Neo4j GDS-09-neo4j GDS 库中路径搜索算法实现
网络·数据库·算法·云原生·中间件·neo4j·图数据库
Python私教1 小时前
Java手写链表全攻略:从单链表到双向链表的底层实现艺术
java·python·链表
AWS官方合作商1 小时前
如何配置AWS EKS自动扩展组:实现高效弹性伸缩
云计算·k8s·aws
cocosgirl1 小时前
AWS Redshift的使用场景及一些常见问题
云计算·aws
小麟有点小靈1 小时前
VSCode写java时常用的快捷键
java·vscode·编辑器
Go高并发架构_王工1 小时前
基于 GoFrame 框架的电子邮件发送实践:优势、特色与经验分享
网络·经验分享·golang
热门推荐
01我决定放弃搞 Java 了02RAG 实践- Ollama+RagFlow 部署本地知识库03DeepSeek各版本说明与优缺点分析04Scipy||第三章 线性代数 (scipy.linalg)05DeepSeek RAGFlow构建本地知识库系统06如何在WPS和Word/Excel中直接使用DeepSeek功能07汽车上的各种质量:整备质量、总质量、装载质量、簧上质量、簧下质量08从零安装 LLaMA-Factory 微调 Qwen 大模型成功及所有的坑09本地化部署AI知识库:基于Ollama+DeepSeek+AnythingLLM保姆级教程10游戏引擎学习第217天