抖音极速版APP接口分析

0x01、目标需求:

.a) 分析抖音极速版APP的接口参数以及相关的签名获取的方式

.b) 需要获取设备注册接口、热门接口、拉去用户信息接口、关注列表接口，粉丝接口、搜索接口等、

0x02、分析背景:

.a) 抖音极速版

.b) 软件无壳

.c) 软件通讯过程中部分接口采取了信息加密或压缩的方式,每个接口头部有签名大家所熟知的x-gorgon参数

.d) 请求数据部分压缩加密

0x03、分析流程:

.a) 通过数据包抓取或敏感函数hook方式获得接口功能

.b) 通过函数内部参数的组装继续分析参数的来源以及加密的流程

0x04、设备注册接口:

.a) Header部分截图如下：

0x001. 该注册设备请求中提交的数据是在so层做的处理，具体做的什么分析后再说。

接口关键词搜索

搜索关键处理位置的代码

0x002. 查看关键请求代码

关键请求代码

0x002. 使用Frida HOOK该函数查看请求的数据以及返回值数据,这样后续我们可以随机构造设备信息。

hook该函数查看请求参数以及返回数据

0x003. 请求提交的JSON数据格式化后如下:

请求JSON数据


//原始数据如下:
//请求地址
https://log.snssdk.com/service/2/device_register/?ac=wifi&mac_address=98%3AF6%3A21%3A58%3AF6%3A4D&channel=xiaomi&aid=2329&app_name=douyin_lite&version_code=100900&version_name=10.9.0&device_platform=android&ssmix=a&device_type=M2003J15SC&device_brand=Redmi&language=zh&os_api=29&os_version=10&openudid=41c3e414221aa6ad&manifest_version_code=100900&resolution=1080*2110&dpi=440&update_version_code=10909900&_rticket=1595473969009&app_type=normal&ts=1595473969&cdid=d80bdb5e-7c76-4fbc-a313-516f2e05a267&oaid=bf1afc899b836848

//提交的数据
{"magic_tag":"ss_app_log","header":{"display_name":"抖音极速版","update_version_code":10909900,"manifest_version_code":100900,"app_version_minor":"","aid":2329,"channel":"xiaomi","appkey":"5d5a7666570df39cc40005a7","package":"com.ss.android.ugc.aweme.lite","app_version":"10.9.0","version_code":100900,"sdk_version":"2.13.0-rc.2","sdk_target_version":29,"git_hash":"a74dfe1e","os":"Android","os_version":"10","os_api":29,"device_model":"M2003J15SC","device_brand":"Redmi","device_manufacturer":"Xiaomi","cpu_abi":"armeabi-v7a","release_build":"c17f5d1_20200720","density_dpi":440,"display_density":"mdpi","resolution":"2110x1080","language":"zh","mc":"98:F6:21:58:F6:4D","timezone":8,"access":"wifi","not_request_sender":0,"rom":"MIUI-V11.0.6.0.QJOCNXM","rom_version":"miui_V11_V11.0.6.0.QJOCNXM","cdid":"d80bdb5e-7c76-4fbc-a313-516f2e05a267","sig_hash":"aea615ab910015038f73c47e45d21466","openudid":"41c3e414221aa6ad","clientudid":"f4c097c2-328c-44fc-8a20-b093ece01e73","sim_serial_number":[],"region":"CN","tz_name":"Asia\/Shanghai","tz_offset":28800,"sim_region":"cn","oaid":{"req_id":"f4512336-29f8-42c0-894c-73be3cddfd83","hw_id_version_code":"null","take_ms":"29","is_track_limited":"false","query_times":"1","id":"bf1afc899b836848","time":"1595471998884"},"oaid_may_support":true,"req_id":"ca46b1b8-21d4-48b3-825a-8a6748b432fc","custom":{"filter_warn":0,"web_ua":"Mozilla\/5.0 (Linux; Android 10; M2003J15SC Build\/QP1A.190711.020; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/81.0.4044.138 Mobile Safari\/537.36"},"apk_first_install_time":1595010878255,"is_system_app":0,"sdk_flavor":"china"},"_gen_time":1595473969005}

//返回数据，其中new_user 为是否为新用户，0否，1是
{"install_id_str":"3095819128410430","new_user":0,"server_time":1595473969,"device_id":1231045367447351,"install_id":3095819128410430,"device_id_str":"1231045367447351"}

0x004. 数据处理过程如下:

调用数据处理函数