AI驾驶员之 X-app-token 逆向
写在前面
白天上班当牛马,晚上回家当死人。忙着忙着就快过年了,在这里和大家拜个早年。
本文仅用于逆向工程技术学习与安全研究交流,所有分析均基于个人学习记录。逆向的目的不是破坏,而是为了学习原理、理解机制、提升防护能力。
材料准备
- 某社区APP v15.9.5
- frida == 16.6.6 使用 florida服务
- 几款大伙都很熟悉的分析工具啦
- 我提供的资料,很全面,脱壳后的dex以及so文件,但是没有代码哈,看文章一步步来绝对可以自己分析出来的。
由于参数很明确,这里抓包过程就直接跳过,只做最后参数替换验证生成参数是否可用
打开心爱的jadx
直接搜索 X-app-token 定位到
找到 getToken 函数并进入
很明显是个 native 层函数,但是不急,让我们先hook这个函数观察一下出入参数,简单编写一下hook脚本,如下:
注意注入时机!
Java.perform(function () {
const TARGET = "包名.util.AuthUtils";
function hookIt() {
const AuthUtils = Java.use(TARGET);
// 明确指定签名
const getToken = AuthUtils.getToken.overload("android.content.Context", "java.lang.String");
getToken.implementation = function (context, deviceId) {
console.log(" AuthUtils.getToken called");
console.log(" deviceId = " + deviceId);
// 用 overload.call 调原方法,避免递归
const ret = getToken.call(this, context, deviceId);
console.log(" ret = " + ret);
return ret;
};
console.log("[+] Hooked " + TARGET + ".getToken(Context,String)");
}
try {
hookIt();
} catch (e) {
console.log("[-] Java.use failed in default loader: " + e);
}
});
我们就得到知道了出入参数:
deviceId = 很长很长的设备码
ret = v3JDJ5JDEwJE5qazNOVGRsWXpRdk4yW加密参数(脱敏)1SW1iMy9kcWgvWExZYS9IM0RlaGhCUUdML1NjUzBP
那么就直接 rpc 吧,文章到这里就结束了,感谢大佬们的观看
打开心爱的ida
既然知道是哪个so文件,那我们就直接分析不就行了。ida~,启动!
shift + F12 直接查看字符串,搜索 token ,哦呼,有!美滋滋。(其实这个版本能搜到,但是其他版本是搜索到的,其他版本还需要去枚举定位,比较麻烦)直接攻入! F5 启动!
一看,只有区区不到 744 行,这么点,那么身为AI驾驶员的我,就要好好的奴役我的AI了。
全部复制粘贴,询问AI这段代码的具体在干什么?
flowchart TD
A([进入 native getToken<br/>test(env=a1, thiz=a2, context=a3, deviceId=jstr=a4)]) --> B{a3 或 a4 为空?}
B -- 是 --> B1[FindClass RuntimeException<br/>ThrowNew: "Invalid arguments..."] --> R0([return 0/null])
B -- 否 --> C{verifyAppSignature(env, context) 通过?}
C -- 否 --> C1[FindClass RuntimeException<br/>ThrowNew: "Application signature verification failed"] --> R0
C -- 是 --> D[deviceId: jstring_to_string]
D --> E[pkgName: getPackageName(context)]
E --> F[versionCode: getVersionCode(context)]
F --> G[分配并拷贝内置大字符串(混淆数据)]
G --> H[base64_decode(内置数据)]
H --> I[xor_decrypt(decoded, key=90)]
I --> J[now = time(0)]
J --> K[offset = 4 * ((now + versionCode) % 100) + 128]
K --> L[从解密缓冲区截取片段<br/>start=offset, len=min(128, remaining)]
L --> M[base64_decode(截取片段)]
M --> N[md5(deviceId字符串)]
N --> O[构造参数串 S(大量 append)<br/>大致包含: pkgName、解密片段派生、md5(deviceId)、now、versionCode<br/>并用 '&' '/' 等拼接]
O --> P[base64_encode(S)]
P --> Q[md5(base64(S)) 或对派生串再 md5(多轮)]
Q --> Q2[清理 base64 padding '='<br/>去前导/尾部 '='(erase)]
Q2 --> S1[salt = "$2y$10$" + 清理后的片段]
S1 --> S2[password = 某个 md5/base64 派生结果(与 deviceId 等相关)]
S2 --> T[bcrypt_hashpw(password, salt) -> bcryptOut(60字节左右)]
T --> U[base64_encode(bcryptOut)]
U --> V[token = "v3" + base64(bcryptOut)]
V --> W[NewStringUTF(env, token) / 返回 jstring]
W --> R([return token])
AI还是太好用啦!但是他说的不一定是对的,他的上限取决于你的使用。
这里其实就可以注意到几个点,反复使用md5 和 b64 那么我们就可以hook 这里去观察他参数的变化过程。
一共是这几个函数:
_ZN3MD5C2ERKNSt6__ndk112basic_stringIcNS0_11char_traitsIcEENS0_9allocatorIcEEEE
_Z13base64_decodeRKNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEE
_Z13base64_encodeRKNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEE
_Z10trimBase64RNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEE
_Z11xor_decryptRKNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEEc
可以直接枚举so --> Module.enumerateExports('libauth.so') 或者去ida里面分析跳转,都可以。
在AI给出的分析中我们发现,时间参与了盐值的生成。那么我们可以自己生成一个,看看对不对。
这里我直接给出详细的hook脚本
function hookAuthWhenReady() {
/* ---------- helpers ---------- */
const isReadablePtr = p => {
try { return p && !p.isNull() && Process.findRangeByAddress(p) !== null; } catch { return false; }
};
const readNdkString = obj => {
try {
const b0 = obj.readU8();
const long = b0 & 1;
const len = long ? obj.add(8).readU32() : (b0 >> 1);
const ptr = long ? obj.add(16).readPointer() : obj.add(1);
if (len < 0 || len > 8192 || !isReadablePtr(ptr)) return { ok: false };
let s = null;
try { s = ptr.readUtf8String(len); } catch {}
return { ok: true, len, ptr, s };
} catch {
return { ok: false };
}
};
const hex = u8 => Array.from(u8, b => ((b >>> 4).toString(16) + (b & 15).toString(16))).join("");
const headHex = (p, n) => {
try {
if (!isReadablePtr(p)) return null;
const ba = p.readByteArray(n);
return hex(new Uint8Array(ba));
} catch { return null; }
};
function safeReadCString(p, maxLen) {
if (!p || p.isNull()) return null;
if (!isReadablePtr(p)) return null;
try { return p.readCString(); } catch {}
try { return p.readUtf8String(maxLen); } catch {}
return null;
}
/* ---------- global state (for seed calc / gating prints) ---------- */
let g_ts = 0;
let g_vc = 0;
let g_pkg = "";
let g_inToken = false; // 仅在 getToken 调用链中打印 time()
let g_ts_native = 0; // native time() 返回(v22)
/* ---------- Java hook ---------- */
function hookJava() {
Java.perform(() => {
let pkg = "<unk>", vcStr = "<unk>";
try {
const ctx = Java.use("android.app.ActivityThread").currentApplication();
pkg = ctx.getPackageName();
vcStr = ctx.getPackageManager().getPackageInfo(pkg, 0).versionCode.value.toString();
} catch {}
const Auth = Java.use("包名.util.AuthUtils");
const ov = Auth.getToken.overload("android.content.Context", "java.lang.String");
ov.implementation = function (c, d) {
const ts = (Date.now() / 1e3) | 0;
g_ts = ts;
g_vc = parseInt(vcStr, 10) || 0;
g_pkg = pkg;
console.log(`\n>>>> PARAM DUMP <<<<\npackage=${pkg}\nvc=${vcStr}\ndevice_id=${d}\nts=${ts}`);
g_inToken = true;
try {
const t = ov.call(this, c, d);
console.log("token=", t, "\n>>>> END <<<<");
return t;
} finally {
g_inToken = false;
}
};
console.log("[+] Java getToken hooked");
});
}
/* ---------- native hooks ---------- */
const hooked = {
md5Ctor: 0, md5Fin: 0,
b64d: 0, b64e: 0, trim: 0,
xor: 0, blow: 0,
time: 0
};
function hookMD5Ctor() {
if (hooked.md5Ctor) return true;
const a = Module.findExportByName(
"libauth.so",
"_ZN3MD5C2ERKNSt6__ndk112basic_stringIcNS0_11char_traitsIcEENS0_9allocatorIcEEEE"
);
if (!a) return false;
hooked.md5Ctor = 1;
console.log("[+] MD5::MD5 =", a);
Interceptor.attach(a, {
onEnter(args) {
const r = readNdkString(ptr(args[1]));
if (!r.ok) return;
if (r.s !== null) console.log(`[MD5] in(${r.len}) "${r.s}"`);
else console.log(`[MD5] in(${r.len}) <bin> head=${headHex(r.ptr, Math.min(32, r.len))}`);
}
});
return true;
}
function hookMD5Fin() {
if (hooked.md5Fin) return true;
const a = Module.findExportByName("libauth.so", "_ZN3MD58finalizeEv");
if (!a) return false;
hooked.md5Fin = 1;
console.log("[+] MD5::finalize =", a);
Interceptor.attach(a, {
onEnter(args) { this.t = ptr(args[0]); },
onLeave() {
try {
const d = this.t.add(92).readByteArray(16);
console.log(`[MD5] digest ${hex(new Uint8Array(d))}`);
} catch {}
}
});
return true;
}
function hookB64Decode() {
if (hooked.b64d) return true;
const a = Module.findExportByName(
"libauth.so",
"_Z13base64_decodeRKNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEE"
);
if (!a) return false;
hooked.b64d = 1;
console.log("[+] base64_decode =", a);
Interceptor.attach(a, {
onEnter(args) {
this.i = ptr(args[0]);
this.o = ptr(this.context.x8); // sret
},
onLeave() {
const ri = readNdkString(this.i);
const ro = readNdkString(this.o);
if (ri.ok) console.log(`[B64D] in(${ri.len}) ${ri.s !== null ? `"${ri.s}"` : "<bin>"}`);
if (ro.ok) {
if (ro.s !== null) console.log(`[B64D] out(${ro.len}) "${ro.s}"`);
else console.log(`[B64D] out(${ro.len}) <bin> head=${headHex(ro.ptr, Math.min(32, ro.len))}`);
}
}
});
return true;
}
function hookB64Encode() {
if (hooked.b64e) return true;
const a = Module.findExportByName(
"libauth.so",
"_Z13base64_encodeRKNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEE"
);
if (!a) return false;
hooked.b64e = 1;
console.log("[+] base64_encode =", a);
Interceptor.attach(a, {
onEnter(args) {
this.i = ptr(args[0]);
this.o = ptr(this.context.x8); // sret
},
onLeave() {
const ri = readNdkString(this.i);
const ro = readNdkString(this.o);
if (ri.ok) {
if (ri.s !== null) console.log(`[B64E] in(${ri.len}) "${ri.s}"`);
else console.log(`[B64E] in(${ri.len}) <bin> head=${headHex(ri.ptr, Math.min(20, ri.len))}`);
}
if (ro.ok) {
if (ro.s !== null) console.log(`[B64E] out(${ro.len}) "${ro.s}"`);
else console.log(`[B64E] out(${ro.len}) <bin> head=${headHex(ro.ptr, Math.min(32, ro.len))}`);
}
}
});
return true;
}
function hookTrimBase64() {
if (hooked.trim) return true;
const a = Module.findExportByName(
"libauth.so",
"_Z10trimBase64RNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEE"
);
if (!a) return false;
hooked.trim = 1;
console.log("[+] trimBase64 =", a);
Interceptor.attach(a, {
onEnter(args) {
this.s = ptr(args[0]);
const r = readNdkString(this.s);
if (r.ok) console.log(`[TRIM] before(${r.len}) "${r.s}"`);
},
onLeave() {
const r = readNdkString(this.s);
if (r.ok) console.log(`[TRIM] after(${r.len}) "${r.s}"`);
}
});
return true;
}
function hookXorDecrypt() {
if (hooked.xor) return true;
const a = Module.findExportByName(
"libauth.so",
"_Z11xor_decryptRKNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEEc"
);
if (!a) return false;
hooked.xor = 1;
console.log("[+] xor_decrypt =", a);
Interceptor.attach(a, {
onEnter(args) {
this.i = ptr(args[0]);
this.o = ptr(this.context.x8); // sret
this.key = (args[1] ? args[1].toInt32() : 0) & 0xff;
const ri = readNdkString(this.i);
if (ri.ok) {
if (ri.s !== null) console.log(`[XOR] in(${ri.len}) "${ri.s}" key=0x${this.key.toString(16)}`);
else console.log(`[XOR] in(${ri.len}) <bin> head=${headHex(ri.ptr, Math.min(32, ri.len))} key=0x${this.key.toString(16)}`);
} else {
console.log(`[XOR] in(<unreadable>) key=0x${this.key.toString(16)}`);
}
},
onLeave() {
const ro = readNdkString(this.o);
if (!ro.ok) {
console.log("[XOR] out(<unreadable>)");
return;
}
if (ro.s !== null) console.log(`[XOR] out(${ro.len}) "${ro.s}"`);
else console.log(`[XOR] out(${ro.len}) <bin> head=${headHex(ro.ptr, Math.min(32, ro.len))}`);
// v23 = 128 + 4 * (((time + VersionCode) % 100))
// 这里用于验证索引是否对齐;注意:prefix8 并不是这 4 字节本身
if (g_ts && g_vc && ro.len >= 132) {
const idx = ((g_ts + g_vc) % 100) | 0;
const off = 128 + 4 * idx;
if (off + 4 <= ro.len) {
const raw4 = headHex(ro.ptr.add(off), 4);
console.log(`[SEED] pkg=${g_pkg} ts=${g_ts} vc=${g_vc} idx=${idx} off=${off} raw4=${raw4}`);
}
}
}
});
return true;
}
function hookTime() {
if (hooked.time) return true;
const a = Module.findExportByName("libc.so", "time") || Module.findExportByName(null, "time");
if (!a) return false;
hooked.time = 1;
console.log("[+] time =", a);
Interceptor.attach(a, {
onEnter(args) {
this.lr = this.context.lr;
const m = Process.findModuleByAddress(this.lr);
this.fromAuth = !!(m && m.name === "libauth.so");
},
onLeave(retval) {
if (!g_inToken || !this.fromAuth) return;
const t = retval.toInt32();
const hx = (t >>> 0).toString(16).padStart(8, "0");
g_ts_native = t;
console.log(`[TIME] v22=time(0) => ${t} (0x${hx}) lr=${this.lr}`);
}
});
return true;
}
function hookBlowfish() {
if (hooked.blow) return true;
let addr = Module.findExportByName(null, "_crypt_blowfish_rn");
if (!addr) {
try {
Process.getModuleByName("libauth.so").enumerateExportsSync().some(e => {
if (e.name === "_crypt_blowfish_rn") { addr = e.address; return true; }
return false;
});
} catch {}
}
if (!addr) return false;
hooked.blow = 1;
console.log("[+] _crypt_blowfish_rn =", addr);
Interceptor.attach(addr, {
onEnter(args) {
this.key = ptr(args[0]);
this.salt = ptr(args[1]);
this.out = ptr(args[2]);
this.len = args[3].toInt32();
console.log(`\n[BF] enter len=${this.len}`);
const keyStr = safeReadCString(this.key, 256);
if (keyStr !== null) console.log(`[BF] key="${keyStr}"`);
else console.log(`[BF] key=<non-string> head=${headHex(this.key, 32)}`);
const saltStr = safeReadCString(this.salt, 128);
if (saltStr !== null) console.log(`[BF] salt="${saltStr}"`);
else console.log(`[BF] salt=<non-string> head=${headHex(this.salt, 32)}`);
},
onLeave(retval) {
console.log(`[BF] ret=${retval}`);
if (retval.toInt32() && isReadablePtr(this.out)) {
const outStr = safeReadCString(this.out, Math.min(this.len, 256));
if (outStr !== null) console.log(`[BF] out="${outStr}"`);
else console.log(`[BF] out=<non-string> head=${headHex(this.out, 64)}`);
}
console.log("[BF] leave\n");
}
});
return true;
}
function tryAttachAll() {
const ok = [
hookMD5Ctor(),
hookMD5Fin(),
hookB64Decode(),
hookB64Encode(),
hookTrimBase64(),
hookXorDecrypt(),
hookTime(),
hookBlowfish()
];
if (!ok[0]) console.log("[-] MD5 ctor miss");
if (!ok[1]) console.log("[-] MD5 finalize miss");
if (!ok[2]) console.log("[-] base64_decode miss");
if (!ok[3]) console.log("[-] base64_encode miss");
if (!ok[4]) console.log("[-] trimBase64 miss");
if (!ok[5]) console.log("[-] xor_decrypt miss");
if (!ok[6]) console.log("[-] time miss");
if (!ok[7]) console.log("[-] blowfish miss");
return ok.some(Boolean);
}
/* ---------- load timing ---------- */
if (tryAttachAll()) {
if (Java.available) hookJava();
return;
}
const dl = Module.findExportByName(null, "android_dlopen_ext") || Module.findExportByName(null, "dlopen");
if (!dl) {
console.log("[-] dlopen not found");
if (Java.available) hookJava();
return;
}
console.log(" waiting for libauth.so ...");
Interceptor.attach(dl, {
onEnter(a) {
try {
const so = a[0].readCString();
this.hit = so.includes("libauth.so");
if (this.hit) console.log(" dlopen", so);
} catch {}
},
onLeave() {
if (this.hit) setTimeout(tryAttachAll, 0);
}
});
if (Java.available) hookJava();
}
setImmediate(hookAuthWhenReady);
结合AI给出的分析和我们hook的日志来看
日志如下(我强烈建议你自己动手去看自己的日志,我下面日志做脱敏处理,也是为了安全,和提防伸手党):
>>>> PARAM DUMP <<<<
package=包名
vc=脱敏
device_id=你的设备码(x-app-device)
ts=1768982373
[B64D] in(1240) "Dg4YDxUcCykLah82Fg8XMQ0eHzALCR8pDyMfNxYeFBsPI2seChwDLxMjajMXDxdvEyAYDxAcOS4XIzEyFw8LaxAJax4VCQ8iFyAyCxYMFy0MamopEyMyCRcOCykNDhweCBwfLQtqCAwXCQsxDwlqMBEJFy4QHjIDFgwLMQ8wHyARCQspF2oYDBYOCy0PM2pqFAkXKRdoGAIWDBc2EBlrHhQcNhQWGQtqDQ4fIBYJCyILah8yFh8XNhMwHyARHDktFyBqNhYzFB8MIB8wCgkDLxQeMTEWHBctDDMiDhEcMS4LIDICFhwXKQ0ZbjAWCQMuD2gYDg4OG2oWHB8vFyy脱敏wsuEAluMRQcEykTIDIADg4YDgMcHy0LIwgDFgkXNhMJbmoWHD0pDB4IABYPCzUNDhgeCxwDLggZIg0WMBQfDB4YHhccMS4UHg82FhwLbgwJaw8QHD0tFyAIDRYeC24PD2otCyNqNxYPC24NCWsOFwkXKQ8jDzMXDxQbDwkiDxYcAy8TaggPFjMXKQ0eHB8WHBciE2gYCxYMF2oNCW4xFRw5LRdqCAIWDBc1DRlqMBEcHyIWGRdqDDMiDhQcGy4IHggNFg8LNhAZaw4QHBstFBkiPQMb"
[B64D] out(930) <bin> head=0e0e180f151c0b290b6a1f361脱敏f300b091f290f231f37161e141b
[XOR] in(930) <bin> head=0e0e180f151c0b290b6a1f361脱敏0d1e1f300b091f290f231f37161e141b key=0x5a
[XOR] out(930) "TTBUOFQsQ0ElLUMkWDEjQSEsUyEmLDNAUy1DPFYuIy0iMUM5IzBUJFctMykhMUQ1JS1DOSUxMzhQLVMwV00sIyhSMTQsWTFDRFEwQ0RVMSQkUS0jKSMtJDhYLVQkUjEzKSQsM0BVLTQwUi00NSMsM2BXLVMlJC1DNFlNLCQ0WTEzLSQxQ0EhLEMlIjEzKFcwMz0lLiNEVzEjPSYuNDkkLFMwVixTKFktQzhXLFMsWC4jLSYtU2BTTTA0LFEuMzhTLjMhIjFDMFMsI0BVLCQkUCwzJSIsIzBSMEM8UCxELSItI2BQLUQoUy0jLFMsIyUkMFQwVk0tRCxYMTMlJC40NSEwU脱敏MwRDkkMTMkVSxUMFQtRCxYMTNFIyxELFYsIzUhLiQ0V00xNCxVLCM0Vy4zJFUxNCxTLFQ4Vy4jYFYxJDUjLUMwUzFDPFIsM0ElLDMsVDA0OSMuNCkmLEQkVixEMSJNLTMoUiwzLFctU0RQLiQwVTFDJSUwUykjMUMhIy0zISUsI0EjMTMwUS1UNFcxRDElLUQtJS4kNFIsIzhZTTBTYFEwQyRYLSMlIS40LFgsVDRZLUQoWTBDQFYtRCxWLjNEVDBDMFktNDUlLFQ4VS1UJFgwMzRWLDQ4UU0wQy0mLUQ4WS1TMSMsUyUiMUNAUSxULFYuI0RULiMsWDFELFMxI2BQLVM0WS4kOFcwM0RXLVMoWC0jKFExLCM0VixTNFAtRDRWLUQlJC1TJFAwNCxgYA"
[SEED] pkg=包名 ts=1768982373 vc=脱敏 idx=24 off=224 raw4=517a6858
[TIME] v22=time(0) => 1768982373 (0x69708765) lr=0x741219ee3c
[B64D] in(128) "QzhXLFMsWC4jLSYtU2BTTTA0LFEuMzhTLjMhIjFDMFMsI0BVL脱敏IsIzBSMEM8UCxELSItI2BQLUQoUy0jLFMsIyUkMFQwVk0tRCxYMTMlJC40NSEwU0RQLFMh"
[B64D] out(96) "C8W,S,X.#-&-S`SM04,Q.38S.3!"1C0S,#@U,$$P,3%",#0R0C<P脱敏-#,S,#%$0T0VM-D,X13%$.45!0SDP,S!"
[MD5] in(146) "你的设备码(x-app-device)"
[MD5] digest a5483ae481脱敏cb21f8215827ea9
[B64E] in(167) "包名&C8W,S,X.#-&-S`SM04,Q.38S.3!"1C0S,#@U,$$P,3%",#0R0C<P,D-"-#`P-D(S-#,S,#%$0T0VM-D,X13%$.45!0SDP,S!&a5483ae4813da4874cb21f8215827ea9&1768982373&脱敏"
[B64E] out(224) "Y29tLmNvb2xhcGsubWFya2V0JkM4VyxTLFguIy0mLVNgU00wNCxRLjM4Uy4zIS脱敏LCMwUjBDPFAsRC0iLSNgUC1EKFMtIyxTLCMlJDBUMFZNLUQs脱敏MFNEUCxTISZhNTQ4M2FlNDgxM2RhNDg3NGNiMjFmODIxNTgyN2VhOSYxNzY4OTgyMzczJjI2MDEwNTE="
[MD5] in(224) "Y29tLmNvb2xhcGsubWFya2V0JkM4VyxTLFguIy0mLVNgU00wNCxRLjM4Uy4zISIxQzBTLCNAVS脱敏jBDPFAsRC0iLSNgUC1EKFMtIyxTLCMlJDBUMFZNLUQsWDEz脱敏ZhNTQ4M2FlNDgxM2RhNDg3NGNiMjFmODIxNTgyN2VhOSYxNzY4OTgyMzczJjI2MDEwNTE="
[MD5] digest ee0bd8e24da1脱敏6d8492ccd7
[MD5] in(167) "包名&C8W,S,X.#-&-S`SM04,Q.38S.3!"1C0S,#@U,$$P,3%",#0R0C<P脱敏S,#%$0T0VM-D,X13%$.45!0SDP,S!&a5483ae4813da4874cb21f8215827ea9&1768982373&脱敏"
[MD5] digest c890f5432f7e8c0633ef0cd5793c2a9c
[B64E] in(41) "69708765/c890f5432f7e8c0633ef0cd5793c2a9c"
[B64E] out(56) "Njk3MDg3NjUvYzg5MGY1脱敏MwNjMzZWYwY2Q1NzkzYzJhOWM="
[BF] enter len=64
[BF] key="ee0bd8e24da1脱敏c06d8492ccd7"
[BF] salt="$2y$10$Njk3MDg3N脱敏jdlOGMwNjMzZWYwY2Q1NzkzYzJhOWM"
[BF] ret=0x745ba40c00
[BF] out="$2y$10$Njk3MDg3NjUvYz脱敏
[B64E] in(60) "$2y$10$Njk3MDg3NjUv脱敏Y1N.3fFtb.sblLP6xa81EA9ZL7FDC3.oYOO"
[B64E] out(80) "JDJ5JDEwJE5qazNNRGczTmpVdll脱敏xTi4zZkZ0Yi5zYmxMUDZ4YTgxRUE5Wkw3RkRDMy5vWU9P"
token= v3JDJ5JDEwJE5qazNNRGczTmpVdll6ZzVNR1kx脱敏Yi5zYmxMUDZ4YTgxRUE5Wkw3RkRDMy5vWU9P
>>>> END <<<<
那么这个答案就很明显了,我来详细讲一下思路
1. 参数准备:
package = 包名
vc = 2601051 版本
device_id = x-app-device
ts = 1768982373 时间戳
encrypted_data = 内置混淆字符串 (1240 chars) 就是so中老长一段的东西"Dg4YDxUcCykLah82Fg8XMQ0eHzALCR8p..."
2. 流程梳理
decoded_data = base64_decode(encrypted_data) Base64 解码加密数据
decrypted_data = xor_decrypt(decoded_data, 90) XOR 解密 (key=90)
current_time = int(time.time())
offset = 4 * ((current_time + version_code) % 100) + 128 基于时间戳计算偏移量
# 提取数据片段 (从 offset 开始,长度最多 128)
data_length = len(decrypted_data)
extract_length = min(128, data_length - offset)
extracted_data = decrypted_data[offset:offset + extract_length]
# Base64 解码提取的数据
secret_key = base64_decode_custom(extracted_data.decode('utf-8', errors='ignore'))
# 计算 device_id 的 MD5 设备指纹
device_md5 = md5_hash(device_id)
# 构建签名字符串
# 格式: package_name & secret_key & device_md5 & version_code
sign_string = f"{package_name}&{secret_key.decode('utf-8', errors='ignore')}&{device_md5}&{current_time}&{version_code}"
# 计算签名字符串的 MD5
sign_md5 = md5_hash(sign_string)
crc32_val = binascii.crc32(secret_key) & 0xFFFFFFFF
hex8 = f"{crc32_val:08x}"
# 十进制时间戳 -> 8位十六进制
hx = f"{current_time & 0xffffffff:08x}"
# 构建最终字符串并计算 MD5
final_string = f"{hx}/{sign_md5}"
# Base64 编码最终 MD5
encoded_final = base64_encode_custom(final_string.encode('utf-8'))
# 去除前导和尾随的 '='
encoded_final = encoded_final.lstrip('=').rstrip('=')
# 生成 salt
bcrypt_salt = f"$2y$10${encoded_final}"
bf_key = md5_hash(base64.b64encode(sign_string.encode("utf-8")).decode("ascii"))
# bcrypt 加密
bcrypt_hash = bcrypt(bf_key, bcrypt_salt)
# Base64 编码 bcrypt 结果
final_token = base64_encode_custom(bcrypt_hash)
# 添加版本前缀
token = f"v3{final_token}"
最后简单验证一下,我们生成的token是完全可用的,那么这个参数逆向分析就到此为止了。
不得不感叹AI在辅助分析和依照你的思路去编写脚本真的太方便了,我们只需要将更多的注意力放到参数算法上的分析,这个参数整体的难度还行。隔壁某盒那个noc参数要难不少,还有frida检测。后面有时间写一个详细的教程(画饼ing,哈哈哈)。
关于日志那块,你按照文章的分析和提供的frida脚本完全可以复现和分析出来这个算法,所以我不会提供!自己做一边,才知道这个算法的流程。
写在后面
其实这里面还有一个java层的混淆,如果有兴趣的小伙伴可以试试。我建议在对抗混淆的时候对使用decodeURIComponent函数 和 encodeURIComponent 函数,这样就不怕因为名字而找不到。
新的一年即将到来,也提前祝大家新年快乐,最最重要的是身体健康。
我在新的一年里也会尽可能的努力更新文章,确保每一篇文章均是可复现,对大佬们有帮助的。大佬可能都看不上,哈哈哈
[复制链接]
发表于 2026-1-25 21:01
|
发表于 2026-1-25 17:29
|楼主
分享到朋友圈
