抖音xlog算法hook分析记录抖音xlog风控算法抖音xlog参数分析


抖音 xlog 算法 hook 分析记录：抖音 xlog 风控算法与抖音 xlog 参数分析
1. 抖音 xlog 算法是什么？
与 X-Gorgon 算法和设备注册服务不同，xlog 主要负责搜集环境信息参数（包括一些检测点），组成一个 JSON 串，再调用加密函数加密后上传到服务器做分析比对。抓包可以看到一条 URL 为 /v2/r? 的 POST 请求，其 body 是加密后的数据；加密过程经过 VM 化（虚拟机保护），只能通过动态调试跟踪来理解，具体过程比较复杂。请求头中的 X-Khronos 是秒级时间戳，与 X-SS-REQ-TICKET 的毫秒级时间戳对应；X-Gorgon 是请求签名头，与 xlog body 的加密是两套独立的机制。抖音 xlog 接口用于收集设备环境数据，主要用于检测设备环境是否“合规”，也就是大家常说的过“风控”。xlog 接口的 body 是加密后的设备环境数据，由 xlog 算法加密。截至本文撰写时，抖音 App 最新版 12.x 依然使用以 02 开头的同一版协议（文中称为“02 算法”），该算法抖音官方已经很久没有更新了……
POST /v2/r?os=0&ver=0.6.10.25.17-IH-Do&m=2&app_ver=12.4.0&region=zh_CN&aid=1128&did=19671560880 HTTP/1.1
Host:
Connection: keep-alive
Cookie: sessionid=
X-SS-REQ-TICKET: 1599446905153
sdk-version: 1
x-tt-trace-id: 00-8c16dd31094948432b05140591f60468-8c16dd3109494843-01
User-Agent: com.ss.android.ugc.aweme/990 (Linux; U; Android 5.1.1; zh_CN; YQ601; Build/LMY47V; Cronet/77.0.3844.0)
Accept-Encoding: gzip, deflate
X-Gorgon: 0408d012000449c94d909ca41fa968eb6a8ab9ea7528d54eadae
X-Khronos: 1599446905
抖音 xlog 算法实现在 native 层，无法通过反编译 dex 获取到具体算法实现。xlog 算法的大致逻辑是：
首先调用解密方法，将 02 开头的 byte[] 数组进行解密，解密后是一个 JSON 字符串；然后调用 xlog 加密接口对 JSON 进行加密并提交；服务器返回的同样是一个 02 开头的字节数组，再次解密后就可以看到结果。
在此之前还有一个 sdfp 包，同样需要用到这套加解密，可以参考相关文档。
package hook;

import android.text.TextUtils;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Locale;
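/**
 * Hex and MD5 helpers recovered from a decompiled Douyin (com.ss.android.ugc.aweme)
 * build, used by the hook script to turn the "02"-prefixed xlog byte arrays into
 * printable hex and to rebuild the X-Gorgon pre-image.
 *
 * <p>The listing on this page was mangled by the page extractor (the sequence
 * "se" was dropped from many tokens, e.g. {@code java.curity}, {@code el},
 * {@code toLowerCa}); the tokens below are the obvious restorations.
 *
 * <p>Security note: MD5 appears here solely because the server-side X-Gorgon
 * check is built on it. It is a protocol-compatibility requirement, not a
 * security primitive, and must not be reused where collision resistance matters.
 */
public final class ByteUtil {

    /** Value written in place of an absent field: 32 zero nibbles, the width of an MD5 hex digest. */
    private static final String NULL_MD5_STRING = "00000000000000000000000000000000";

    /** Lower-case hex alphabet used by {@link #ByteToStr(byte[])}. */
    private static final char[] HEX_DIGITS = "0123456789abcdef".toCharArray();

    /**
     * Decodes a hex string into its bytes (decompiled name kept for callers).
     * Identical to {@link #StrToByte(String)}; both delegate to one decoder.
     *
     * <p>Fix: the decompiled loop used a {@code byte} index, which wraps to -128
     * after 126 and then indexes the array with a negative value, so any input of
     * 128 or more characters threw {@code ArrayIndexOutOfBoundsException} — i.e.
     * every real xlog payload.
     *
     * @param paramString even-length hex string, upper or lower case
     * @return decoded bytes, one per character pair
     * @throws IllegalArgumentException if the length is odd or a character is not hex
     * @throws NullPointerException if {@code paramString} is null
     */
    public static byte[] b(String paramString) {
        return decodeHex(paramString);
    }

    /**
     * Encodes bytes as lower-case hex, two characters per byte.
     *
     * <p>Fix: the decompiled loop incremented {@code i} twice per iteration, so
     * every odd byte was skipped and its two output slots were left as NUL
     * characters.
     *
     * @param bArr bytes to encode; may be empty
     * @return hex string of length {@code 2 * bArr.length}
     * @throws NullPointerException if {@code bArr} is null
     */
    public static String ByteToStr(byte[] bArr) {
        char[] out = new char[bArr.length * 2];
        for (int i = 0; i < bArr.length; i++) {
            int v = bArr[i] & 0xff; // strip sign extension before indexing the alphabet
            out[2 * i] = HEX_DIGITS[v >>> 4];
            out[2 * i + 1] = HEX_DIGITS[v & 0x0f];
        }
        return new String(out);
    }

    /**
     * Builds the 128-character string that the signer consumes: four 32-character
     * fields concatenated in the order url, stub, cookie, session id. Each field
     * is the lower-case MD5 of its input, except {@code stub}, which is appended
     * verbatim; an absent field (null or empty) is replaced by 32 zeros.
     *
     * <p>NOTE(review): {@code stub} is presumably already an MD5 hex digest (the
     * body digest) — this method does not check its length, so a malformed stub
     * shifts the remaining fields; confirm against the native signer.
     *
     * @param url       request URL (or query string) to hash
     * @param stub      body digest, appended as-is
     * @param ck        cookie header value to hash
     * @param sessionid session id to hash
     * @return concatenation of the four 32-character fields
     */
    public static String getXGon(String url, String stub, String ck, String sessionid) {
        StringBuilder sb = new StringBuilder(4 * NULL_MD5_STRING.length());
        sb.append(isEmpty(url) ? NULL_MD5_STRING : lowerMd5(url));
        sb.append(isEmpty(stub) ? NULL_MD5_STRING : stub);
        sb.append(isEmpty(ck) ? NULL_MD5_STRING : lowerMd5(ck));
        sb.append(isEmpty(sessionid) ? NULL_MD5_STRING : lowerMd5(sessionid));
        return sb.toString();
    }

    /**
     * Returns the upper-case hex MD5 of {@code str}, encoded as UTF-8.
     *
     * <p>Fix: the decompiled version printed the stack trace on
     * {@link NoSuchAlgorithmException} and then dereferenced a null result; it
     * now fails with an {@link IllegalStateException} carrying the cause. The
     * charset is made explicit so the output does not depend on the platform
     * default (Android's default is UTF-8, so behaviour on device is unchanged).
     *
     * @param str text to hash
     * @return 32 upper-case hex characters
     * @throws NullPointerException if {@code str} is null
     * @throws IllegalStateException if the runtime has no MD5 provider (not expected on Android/JDK)
     */
    public static String encryption(String str) {
        MessageDigest md;
        try {
            md = MessageDigest.getInstance("MD5");
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 MessageDigest not available", e);
        }
        byte[] digest = md.digest(str.getBytes(StandardCharsets.UTF_8));
        return ByteToStr(digest).toUpperCase(Locale.ROOT);
    }

    /**
     * Decodes a hex string into its bytes; same contract as {@link #b(String)}.
     * The decompiled copy carried an unused {@code Object[]} local, dropped here.
     *
     * @param str even-length hex string
     * @return decoded bytes
     * @throws IllegalArgumentException if the length is odd or a character is not hex
     * @throws NullPointerException if {@code str} is null
     */
    public static byte[] StrToByte(String str) {
        return decodeHex(str);
    }

    /** Lower-case MD5 hex of {@code s}; the form the X-Gorgon pre-image uses. */
    private static String lowerMd5(String s) {
        return encryption(s).toLowerCase(Locale.ROOT);
    }

    /** Same test as {@code android.text.TextUtils.isEmpty}: null or zero length. */
    private static boolean isEmpty(String s) {
        return s == null || s.length() == 0;
    }

    /**
     * Shared hex decoder. Rejects odd lengths and non-hex characters instead of
     * silently folding {@code Character.digit}'s -1 into garbage bytes.
     */
    private static byte[] decodeHex(String hex) {
        int len = hex.length();
        if ((len & 1) != 0) {
            throw new IllegalArgumentException("hex string has odd length: " + len);
        }
        byte[] out = new byte[len / 2];
        for (int i = 0; i < len; i += 2) {
            int hi = Character.digit(hex.charAt(i), 16);
            int lo = Character.digit(hex.charAt(i + 1), 16);
            if (hi < 0 || lo < 0) {
                // report the position, not the content — the input may be a session token
                throw new IllegalArgumentException("non-hex character at index " + i);
            }
            out[i / 2] = (byte) ((hi << 4) | lo);
        }
        return out;
    }
}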
我们基于抖音最新的 12.4 版本进行逆向，解密 xlog 接口的数据后，发现抖音在环境采集上做得非常细致。从下面解密后的数据可以看到，上报内容包括硬件标识（imei、imsi、mac、serial、adid）、周边 Wi-Fi 热点列表（aplist）与路由信息（route）、基站信息（cell）、模拟器特征（emulator），以及 env 中的 root（su）、调试（dbg、ro.debuggable_s）、代理（hph/hpp，此例中的 192.168.3.11:8888 与抓包代理一致，疑似为系统 HTTP 代理配置，说明代理抓包本身就是一个被采集的信号）、frida/xposed/cydia、hook 列表、VPN 等检测项。解密后的数据如下（本页截取的内容中有几处长字符串被截断）：
{
"extra": "SS-200",
"grilock": "eyJvcyI6IkFuZHJvaWQiLCJ2ZXJzaW9uIjoiMS4wLjUiLCJ0b2tlbl9pZCI6IlwvOWpudDRyRFRkdyt4bmxqT1pmN3VOUnN1RHNndEMwSFJRSFJaM3pC    "ast": 1,
"p1": "38464475038",
"p2": "1143087178466429",
"ait": 1595642532,
"ut": 1751,
"pkg": "com.ss.android.ugc.aweme",
"prn": "CZL-MLP",
"vc": 120001,
"fp": "OPPO/A59/A59:5.1/LMY47I/1519786508:user/release-keys",
"mdi_if": {
"ui": "",
"mc": "",
"mid": "",
"ts": -1
},
"mdi_s": 10,
"wifisid": "HUAWEI-10GLZ6",
"wifimac": "6c:06:d6:c4:6a:c8",
"wifip": "192.168.3.15",
"vpn": 0,
"aplist": [
{
"ss": "",
"bs": "6c:06:d6:c4:6a:cd"
},
{
"ss": "HUAWEI-10GLZ6_Wi-Fi5",
"bs": "6c:06:d6:f4:6a:ce"
},
{
"ss": "HUAWEI-10GLZ6_Wi-Fi5",
"bs": "6c:06:d6:f4:6a:cd"
},
{
"ss": "ChinaNet-5mds",
"bs": "18:52:07:8a:af:c2"
},
{
"ss": "",
"bs": "6c:06:d6:c4:6a:ce"
},
{
"ss": "HUAWEI-10GLZ6",
"bs": "6c:06:d6:c4:6a:cc"
},
{
"ss": "HUAWEI-10GLZ6",
"bs": "6c:06:d6:c4:6a:c8"
},
{
"ss": "",
"bs": "6c:06:d6:c4:6a:c9"
},
{
"ss": "ChinaNet-5mds-5G",
"bs": "18:52:07:8a:af:c1"
},
{
"ss": "",
"bs": "d4:ee:07:37:db:26"
}
],
"route": {
"iip": "192.168.3.15",
"gip": "192.168.3.1",
"ghw": "6c:06:d6:c4:6a:c2",
"type": "wlan0"
},
"location": "",
"i_mk": -1,
"cell": "[16241,2147483647,2147483647,13898,11]",
"hw": {
"brand": "OPPO",
"model": "OPPO A59s",
"board": "full_oppo6750_15131",
"device": "A59",
"product": "A59",
"manuf": "OPPO",
"tags": "dev-keys",
"inc": "1576670525",
"des": "full_oppo6750_15131-user 5.1 LMY47I 1576670525 dev-keys",
"bt": "unknown",
"pfbd": "mt6750",
"display": "720*1280",
"dpi": 320,
"bat": 3075,
"bas": [],
"cpu": {
"core": 8,
"pc": "AArch64 Processor rev 2 (aarch64)",
"hw": "MT6750",
"max": "1508000",
"min": "156000",
"ft": "fp asimd aes pmull sha1 sha2 crc32 wp half thumb fastmult vfp edsp neon vfpv3 tlsi vfpv4 idiva idivt"
},
"mem": {
"ram": "3969265664",
"rom": "28043313152",
"sd": "27990884352",
"ram_f": "1715597312",
"rom_f": "22127783936",
"sd_f": "22041800704"
},
"hdf": "ZmVhdHVyZTpyZXFHbEVzVmVyc2lvbj0weDMwMDAwCmZlYXR1cmU6YW5kcm9pZC5oYXJkd2FyZS5hdWRpby5vdXRwdXQKZmVhdHVyZTphbmRy        "slb": "bGlicmFyeTphbmRyb2lkLnRlc3QucnVubmVyCmxpYnJhcnk6Y29sb3Jvcy5zdXBwb3J0CmxpYnJhcnk6Y29tLmFuZHJvaWQuZnV0dXJlLnVzYi5hY2Nlc3    },
"id": {
"i": 22,
"mc": "41b2f037fc3f9e",
"bd": "c26a6cc2d606c406d606c46ad6c2066c",        "r": "5.1",
"imei": "865277033537810",
"imsi": "460038101829321",
"acg_m": 1,
"onm": "46003",
"alpha": "5Lit5Zu955S15L+h",
"adid": "1afd67f2ce9c914",
"adid_ex": "1afd67f2ce9c914",
"mac": "ec:f3:42:c7:cb:c3",
"serial": "USDQSSG699999999",
"cm_e": "",
"cm_i": ""
},
"emulator": {
"cb": 10,
"cid": 0,
"br": "",
"file": [],
"prop": [],
"ghw": 0
},
"env": {
"ver": "0.6.11.28.36",
"tag": "CZL_LAST_VER",
"pkg": "com.ss.android.ugc.aweme",
"tz": "GMT+08:00",
"ml": "zh_CN",
"uid": 10105,
"mc": 0,
"arch": 1,
"e_arch": 1,
"v_bnd": 0,
"su": 0,
"sp": "",
"ro.secure_s": "1",
"ro.debuggable_s": "0",
"rebuild": 0,
"jd": 0,
"dbg": 0,
"tid": 0,
"trm": "",
"dbg_st": 0,
"dbg_tid": 2,
"dbg_if": 101188614,
"hph": "192.168.3.11",
"hpp": "8888",
"envrion": [],
"oem_s": -1,
"oem_a": -1,
"xposed": 0,
"frida": 0,
"cydia": 0,
"rr": 0,
"jexp": 0,
"click": "",
"acb": -1,
"hook": [],
"jvh": [],
"fish": {},
"vapp": "",
"vmos": 0,
"ssr": 0,
"mal": "",
"mor": -1,
