v10.5.0抖音device_register解密参数

提交链接=
http://ib.snssdk.com/service/2/device_register/?ac=wifi&channel=douyin_huitou_and23&aid=1128&app_name=aweme&version_code=180&version_name=1.8.0&device_platform=android&ssmix=a&device_type=Mi-4c&device_brand=Xiaomi&language=zh&os_api=25&os_version=7.1.2&openudid=f5563f76d2a31c23&manifest_version_code=180&resolution=1080*1920&dpi=440&update_version_code=1800&_rticket=1594320192216&device_id=&iid=
解密内容=
{“magic_tag”:”ss_app_log”,”header”:{“display_name”:”???é?3??-è§?é¢?”,”update_version_code”:1800,”manifest_version_code”:180,”aid”:1128,”channel”:”douyin_huitou_and23″,”appkey”:”57bfa27c67e58e7d920028d3″,”package”:”com.ss.android.ugc.aweme”,”app_version”:”1.8.0″,”version_code”:180,”sdk_version”:201,”os”:”Android”,”os_version”:”7.1.2″,”os_api”:25,”device_model”:”Mi-4c”,”device_brand”:”Xiaomi”,”device_manufacturer”:”Xiaomi”,”cpu_abi”:”armeabi-v7a”,”build_serial”:”c775a381″,”release_build”:”ee89c34_20200331″,”density_dpi”:440,”display_density”:”mdpi”,”resolution”:”1920×1080″,”language”:”zh”,”mc”:”10:2A:B3:D5:FB:E6″,”timezone”:8,”access”:”wifi”,”not_request_sender”:0,”carrier”:”è??????§???¨”,”mcc_mnc”:”46001″,”rom”:”5a32c0b305″,”rom_version”:”lineage_libra-userdebug 7.1.2 NJH47F 5a32c0b305 test-keys”,”sig_hash”:”aea615ab910015038f73c47e45d21466″,”openudid”:”f5563f76d2a31c23″,”clientudid”:”0fb95982-e110-48a3-8d39-a7f48f15faf7″,”serial_number”:”c775a381″,”sim_serial_number”:[],”region”:”CN”,”tz_name”:”Asia\/Shanghai”,”tz_offset”:28800000,”sim_region”:”cn”},”_gen_time”:1594320192214}

>frida -R -f com.ss.android.ugc.aweme –no-pause -l test.js
需关闭面具才能用命令行HOOK,否则无法成功HOOK
之后经过java.util.zip.GZIPOutputStream压缩
在经过com.bytedance.frameworks.encryptor调用Encryptor的native so加密后提交
private static native byte[] ttEncrypt(byte[] bArr, int i);
目前还不清楚这ttEncrypt加密时候跟以往的加密时候一致。
感觉离真相越来越近了。
还是时间有限。下回分解

  1. Jason说道:

    test.js 里面的东西瞧瞧啊,大佬!

  2. sunzhoubo说道:

    不错的分析

发表评论

邮箱地址不会被公开。 必填项已用*标注