A brief analysis of the Taobao shopping app's device risk-control SDK (mtop)

1. Introduction

  • The mtop risk-control SDK acts as the gateway between the mobile client and the server. It exposes a large number of API interfaces to the app and protects functions such as product display, order placement and payment.
  • Why study it
    Against protocol cracking and device spoofing: the risk control's device collection, encryption and signing mechanisms are the focus of reverse analysis; understanding its encryption algorithms and parameter-generation logic gives researchers a basis for preventing restriction bypasses, detecting modified devices and understanding how a valid request is constructed.
    Against data scraping and automation: by studying mtop requests, analysts can better understand the app's risk-control logic and the mechanisms that stop automated data scraping, order generation and similar operations.
    Against risk-control bypasses: reverse-engineering the risk control gives a deep view of the app's risk-control strategy; by exploring what triggers a risk verdict and how it is handled, potential bypass paths can be identified and defensive designs learned.

二、工具与环境

Tools: Frida, Charles, IDA Pro 9.0.
Environment: Mac mini, macOS 14.6.1; iPhone X, iOS 14.8.

3. Device-side execution flow

3.0 Traffic capture analysis

First, capture the traffic and look at what the request parameters are:

On the app's first launch the device risk-control SDK makes three requests in total; the first request returns some risk features and the device id (eeid).

In the returned data JSON, dt holds the risk features, the logic instructions that vary the control algorithms, the device id (eeid) and other important information:


{
    "cdnScriptUrl": "http://cdn.ynuf.aliapp.org/u6vr/g9m6/1gkepoi",
    "cfg": {
        "trust": {
            "modifiedtime": 1606735713,
            "v": 174084,
            "type1": "{\"en\":0}"
        },
        "e1002": {
            "modifiedtime": 1719282753,
            "v": 400052,
            "type1": "{\"e1002\":{\"p\":1,\"s\":true,\"c\":[{\"s\":\"9a85\",\"k\":\"47b0\"},{\"s\":\"82a0\",\"k\":\"51b6\"}],\"z\":1},\"e1011\":{\"p\":1,\"s\":true,\"c\":[{\"s\":\"c99e\",\"k\":\"9a1d\"},{\"s\":\"4337\"},{\"s\":\"f983\"},{\"s\":\"5f0d\"},{\"s\":\"9a66\"},{\"s\":\"9a85\",\"k\":\"47b0\"},{\"s\":\"75f8\",\"k\":\"d54f\"},{\"s\":\"7e2d\",\"k\":\"14ee\"},{\"s\":\"82a0\",\"k\":\"51b6\"}],\"z\":7}}"
        },
        "e1011": {
            "modifiedtime": 1700535253,
            "v": 400011,
            "type1": "{\"e1011\":{\"p\":1,\"z\":7,\"s\":true,\"c\":[{\"k\":\"9a1d\",\"s\":\"c99e\"},{\"k\":null,\"s\":\"4337\"},{\"k\":null,\"s\":\"f983\"},{\"k\":null,\"s\":\"5f0d\"},{\"k\":null,\"s\":\"9a66\"},{\"k\":\"da1a\",\"s\":\"c7b1\"}]}}"
        },
        "e1000": {
            "modifiedtime": 1719282754,
            "v": 400107,
            "type1": "{\"e1000\":{\"p\":0,\"s\":true,\"z\":1},\"e1011\":{\"p\":1,\"s\":true,\"c\":[{\"s\":\"c99e\",\"k\":\"9a1d\"},{\"s\":\"4337\"},{\"s\":\"f983\"},{\"s\":\"9a85\",\"k\":\"47b0\"},{\"s\":\"75f8\",\"k\":\"d54f\"},{\"s\":\"7e2d\",\"k\":\"14ee\"}],\"z\":7}}"
        },
        "ocrt": {
            "modifiedtime": 1635995243,
            "v": 400001,
            "type1": "14.0"
        },
        "applist": {
            "modifiedtime": 1583808665,
            "v": 116009,
            "type1": "com.360buy.jdmobile,com.xunmeng.pinduoduo,com.vipshop.iphone,com.tencent.mqq,com.tencent.ww,com.tencent.xin,com.baidu.map,com.tencent.sosomap,ctrip.com,com.tuniu.app,com.qunar.iphoneclient8,com.qiyi.iphone,com.tencent.live4iphone,com.ss.iphone.ugc.Aweme,com.wuba.zhuanzhuan,com.ss.iphone.article.News,com.meituan.itakeaway,com.dianping.dpscope,com.meituan.imeituan,com.mmp.mmp040608"
        },
        "sgpt": {
            "modifiedtime": 1727261154,
            "v": 400090,
            "type1": "{\"o\":\"QgIAA3b7uxQAcDYAB6vaNgE/ABk2Aj8aHjYDPx9oNgQ/KTI4BT8zPDYGPz1GNgc/R1A2CD9RWjYJP1tkNgo/Zf82CxMBCJk2DBMCDZk2DRMDnJk2DhMECJk2DxMFnJk2EBMG3Jk2ERMHDZk2EhMIfZk2ExMJ3Jk2FBMKCJk2FRMLjjYWEwyONhcTDY42GBMOjjYZEw+ONhoTEI42GxMRjjYcExKONh0TE442HhMUjjYfExUTFhMXExgTGRMaExsTHBMdEx42IDQENiETHyETIDYiEyHumTYjNAQTIDQEEyLPBMAUBz4TAAdJB4gH8we7EyPAGA==\",\"s\":\"QgEAA3j7uwAANgAHSQeIB/MHuwc+NgI0AjYDc2MFc6gFc6oFc2UFc/Urc7EFc6QFNgQdAJ0HJygN+QQLVb8OEwPLNgUTBP4FDRMDNgYTBSETAjYHB6sTAhMGzwTAFBMAEwfAGA==\"}"
        },
        "bp": {
            "modifiedtime": 1675837757,
            "v": 400004,
            "type1": "[{\"b\":0,\"o\":59607428}]"
        },
        "e1004": {
            "modifiedtime": 1726738032,
            "v": 400104,
            "type1": "{\"e1011\":{\"p\":1,\"s\":true,\"c\":[{\"s\":\"4337\"},{\"s\":\"f53f\",\"k\":\"ea2f\"},{\"s\":\"2109\",\"k\":\"b9de\"},{\"s\":\"5f0d\"},{\"s\":\"9a66\",\"k\":\"0eb2\"},{\"s\":\"9a85\",\"k\":\"47b0\"},{\"s\":\"75f8\",\"k\":\"d54f\"},{\"s\":\"7e2d\",\"k\":\"14ee\"},{\"s\":\"82a0\",\"k\":\"51b6\"}],\"z\":7},\"e1004\":{\"p\":1,\"s\":true,\"c\":[{\"s\":\"f983\"},{\"s\":\"c99e\",\"k\":\"9a1d\"},{\"s\":\"4337\"},{\"s\":\"ad62\",\"k\":\"0141\"},{\"s\":\"7e2d\",\"k\":\"14ee\"},{\"s\":\"5f0d\"},{\"s\":\"9a66\",\"k\":\"0eb2\"},{\"s\":\"9a85\",\"k\":\"47b0\"},{\"s\":\"82a0\",\"k\":\"51b6\"}],\"z\":7}}"
        },
        "RConfig": {
            "modifiedtime": 1728641375,
            "v": 400262,
            "type1": "{\"gtaop\":0,\"hevent\":2,\"switch\":{\"r_64_0\":0,\"rc\":0,\"mach2\":1,\"ihook\":1,\"r_61_0\":0,\"ulib\":0,\"ier\":1,\"lnk\":0,\"its\":1,\"ist\":0}}"
        },
        "RList": {
            "modifiedtime": 1595903663,
            "v": 135019,
            "type1": "{\"v\":1,\"sp\":{\"AWZ.dylib\":1,\"NZT.dylib\":1,\"ALS.dylib\":1,\"rstweak.dylib\":1,\"YOY.dylib\":1,\"iGrimace.dylib\":1,\"hdfaker.dylib\":1,\"NewDevice.dylib\":1,\"HookDevice.dylib\":1,\"zzhardChange.dylib\":1,\"deviceInfoChange.dylib\":1,\"FakeTweak.dylib\":1,\"setmobile.dylib\":1,\"amg.dylib\":1,\"TEMain.dylib\":2,\"TweakEx.dylib\":2,\"tweaktest.dylib\":2,\"MAServiceEnEx.dylib\":2,\"SimulateTouch.dylib\":2,\"TSTweak.dylib\":2,\"XXScreenShot.dylib\":2,\"GPSCheat.dylib\":2,\"GPSTravellerTweakProX.dylib\":2,\"LocationChanger.dylib\":4,\"TEGPS.dylib\":4,\"txytweak.dylib\":4,\"txyfakegps.dylib\":4,\"OTRLocation.dylib\":4,\"altweak.dylib\":4},\"so\":{\"v\":1,\"l\":[[\"/Applications/Cydia.app\",\"/usr/sbin/frida-server\",\"/usr/lib/libjailbreak.dylib\",\"/jb/libjailbreak.dylib\"],[\"/Applications/iGrimace.app\",\"/Applications/NZT.app\",\"/Applications/hdFaker.app\"],[\"/Applications/TouchElf.app\",\"/Applications/AutoTouch.app\",\"/Applications/TouchSprite.app\",\"/Applications/handjingling.app\"],[\"/Applications/tianxiayou.app\",\"/Applications/TianXiaYou.app\",\"/Applications/anylocation.app\",\"/Applications/OTRLocation.app\"]]}}"
        },
        "dmtop": {
            "modifiedtime": 1689046187,
            "v": 400017,
            "type1": "1"
        },
        "crpt": {
            "modifiedtime": 1727261147,
            "v": 400021,
            "type1": "QgIAA3b7uxQAcDYAB6vaNgE/ABk2Aj8aHjYDPx8oNgQ/KTI2BT8zPDYGPz1GNgfsd/R1A2CD9RWjYJP1tkNgo/Zf82CxMBCJk2DBMCDZk2DRMDnJk2DhMECJk2DxMFnJk2EBMG3Jk2ERMHDZk2EhMIfZk2ExMJ3Jk2FBMKCJk2FRMLjjYWEwyONhcTDY42GBMOjjYZEw+ONhoTEI42GxMRjjYcExKONh0TE442HhMUjjYfExUTFhMXExgTGRMaExsTHBMdEx42IDQENiETHyETIDYiEyHumTYjNAQTIDQEEyLPBMAUBz4TAAdJB4gH8we7EyPAGA=="
        },
        "hash": {
            "modifiedtime": 1583809627,
            "v": 118007,
            "type1": "{\"p\":0,\"z\":1,\"s\":true,\"c\":[{\"k\":\"f471\",\"s\":\"5a7a\"},{\"k\":\"0174\",\"s\":\"5a7a\"},{\"k\":\"c07a\",\"s\":\"6932\"},{\"k\":\"d79b\",\"s\":\"5a7a\"},{\"k\":\"db95\",\"s\":\"8c64\"}]}"
        },
        "bcud": {
            "modifiedtime": 1669186615,
            "v": 400007,
            "type1": "1"
        }
    },
    "cmd": 1011,
    "eeid": "M1gt9f6skwzyWoMI9Yoo94e74rrLKS+JcxHSI+M0r8K/ioZ4rfdDSnOS7x/QeoQwouayVF0TMA6AAyJ7bgAy7jn",
    "rmdata": "eyJybWlkIjoiQnh8WGtDRndqd1c2NU7abklOdjdXdmN3RlJEVVRSK2hDQ3d3b0l6aVFROD0iLCJiaW5hcnkiOiIwIiwidmVyc2lvbiI6ImY2NWQxNWNjNzg3ODg1ZmE1YzAwMDMzNjgwNDlmNjgzIn0=",
    "token": "FtwBvGFLPBAelRKS0/2NWAmzZgeyXyc9"
}

3.1 Risk detection

All three requests carry the results of scanning the device for risk features; the field names have the form r_<number>_<number> (for example r_1_0).
Collection is done mainly by issuing the svc instruction directly, i.e. raw system calls rather than libc wrappers:

__uvm_call_registry_llc_do_syscall_sub_1026F4850
__text:00000001048898DC                         svc_sub_1026CD8DC
__text:00000001048898DC                         arg_0=  0
__text:00000001048898DC
__text:00000001048898DC F0 03 40 F9             LDR             X16, [SP,#arg_0]
__text:00000001048898E0 01 00 00 D4             SVC             0
__text:00000001048898E4 43 00 00 54             B.CC            locret_1048898EC
__text:00000001048898E8 7A 9B 00 14             B               sub_1048B06D0

Jailbreak risk features checked (paths, environment variables and URL schemes):

MEMORY:0000000124F46652 2F 4C 69 62 72 61 72 79…aLibraryMobiles_1 DCB "/Library/MobileSubstrate",0
MEMORY:0000000124F4666B 2F 41 70 70 6C 69 63 61…aApplicationsCy_0 DCB "/Applications/Cydia.app",0
MEMORY:0000000124F46683 2F 41 70 70 6C 69 63 61…aApplicationsSi DCB "/Applications/Sileo.app",0
MEMORY:0000000124F4669B 2F 76 61 72 2F 6A 62 2F…aVarJbApplicati DCB "/var/jb/Applications/Sileo-Nightly.app",0
MEMORY:0000000124F466C2 2F 76 61 72 2F 6A 62 2F…aVarJbApplicati_0 DCB "/var/jb/Applications/Sileo-Beta.app",0
MEMORY:0000000124F466E6 2F 76 61 72 2F 6A 62 2F…aVarJbApplicati_1 DCB "/var/jb/Applications/Cydia.app",0
MEMORY:0000000124F46705 2F 76 61 72 2F 6A 62 2F…aVarJbApplicati_2 DCB "/var/jb/Applications/Sileo.app",0
MEMORY:0000000124F46724 2F 41 70 70 6C 69 63 61…aApplicationsZe DCB "/Applications/Zebra.app",0
MEMORY:0000000124F4673C 2F 75 73 72 2F 6C 69 62…aUsrLibexecCydi DCB "/usr/libexec/cydia",0
MEMORY:0000000124F4674F 2F 75 73 72 2F 6C 69 62…aUsrLibexecZebr DCB "/usr/libexec/zebra",0
MEMORY:0000000124F46762 2F 75 73 72 2F 6C 69 62…aUsrLibexecFilz DCB "/usr/libexec/filza",0
MEMORY:0000000124F46775 2F 75 73 72 2F 6C 69 62…aUsrLibexecSubs DCB "/usr/libexec/substrated",0
MEMORY:0000000124F4678D 2F 75 73 72 2F 6C 69 62…aUsrLibexecSubs_0 DCB "/usr/libexec/substituted",0
MEMORY:0000000124F467A6 2F 65 74 63 2F 61 70 74…aEtcApt_1 DCB "/etc/apt",0
MEMORY:0000000124F467AF 2F 65 74 63 2F 64 70 6B…aEtcDpkg DCB "/etc/dpkg",0
MEMORY:0000000124F467B9 2F 65 74 63 2F 73 73 68…aEtcSsh DCB "/etc/ssh",0
MEMORY:0000000124F467C2 2F 4C 69 62 72 61 72 79…aLibraryTweakin DCB "/Library/TweakInject",0
MEMORY:0000000124F467D7 2F 75 73 72 2F 62 69 6E…aUsrBinCycript DCB "/usr/bin/cycript",0
MEMORY:0000000124F467E8 2F 75 73 72 2F 6C 69 62…aUsrLibLibjailb DCB "/usr/lib/libjailbreak.dylib",0
MEMORY:0000000124F46804 2F 75 73 72 2F 6C 69 62…aUsrLibLibhooke DCB "/usr/lib/libhooker.dylib",0
MEMORY:0000000124F4681D 2F 75 73 72 2F 6C 69 62…aUsrLibLibsubst DCB "/usr/lib/libsubstitute.dylib",0
MEMORY:0000000124F4683A 2F 75 73 72 2F 6C 69 62…aUsrLibTweakinj DCB "/usr/lib/TweakInject",0
MEMORY:0000000124F4684F 2F 75 73 72 2F 62 69 6E…aUsrBinDebugser DCB "/usr/bin/debugserver",0
MEMORY:0000000124F46864 2F 75 73 72 2F 6C 69 62…aUsrLibexecAfc2 DCB "/usr/libexec/afc2d",0
MEMORY:0000000124F46877 2F 75 73 72 2F 62 69 6E…aUsrBinSsh DCB "/usr/bin/ssh",0
MEMORY:0000000124F46884 2F 75 73 72 2F 62 69 6E…aUsrBinDpkg DCB "/usr/bin/dpkg",0
MEMORY:0000000124F46892 2F 75 73 72 2F 62 69 6E…aUsrBinAptKey DCB "/usr/bin/apt-key",0
MEMORY:0000000124F468A3 2F 75 73 72 2F 62 69 6E…aUsrBinCynject DCB "/usr/bin/cynject",0
MEMORY:0000000124F468B4 2F 75 73 72 2F 6C 6F 63…aUsrLocalBinDro DCB "/usr/local/bin/dropbear",0
MEMORY:0000000124F468CC 2F 65 6C 65 63 74 72 61…aElectraInjectC DCB "/electra/inject_criticald",0
MEMORY:0000000124F468E6 2F 76 61 72 2F 62 69 6E…aVarBinpackLoad DCB "/var/binpack/loaderd_hook",0
MEMORY:0000000124F46900 2F 4C 69 62 72 61 72 79…aLibraryPrefere DCB "/Library/PreferenceBundles/LibertyPref.bundle",0
MEMORY:0000000124F4692E 2F 4C 69 62 72 61 72 79…aLibraryPrefere_0 DCB "/Library/PreferenceBundles/ShadowPreferences.bundle",0
MEMORY:0000000124F46962 2F 4C 69 62 72 61 72 79…aLibraryPrefere_1 DCB "/Library/PreferenceBundles/ABypassPrefs.bundle",0
MEMORY:0000000124F46991 2F 4C 69 62 72 61 72 79…aLibraryPrefere_2 DCB "/Library/PreferenceBundles/FlyJBPrefs.bundle",0
MEMORY:0000000124F469BE 2F 4C 69 62 72 61 72 79…aLibraryPrefere_3 DCB "/Library/PreferenceBundles/HestiaPrefs.bundle",0
MEMORY:0000000124F469EC 2F 4C 69 62 72 61 72 79…aLibraryPrefere_4 DCB "/Library/PreferenceBundles/KernBypassPrefs.bundle",0
MEMORY:0000000124F46A1E 2F 4C 69 62 72 61 72 79…aLibraryPrefere_5 DCB "/Library/PreferenceBundles/Avatar.bundle",0
MEMORY:0000000124F46A47 2F 65 74 63 2F 70 72 6F…aEtcProfileDCor DCB "/etc/profile.d/coreutils.sh",0
MEMORY:0000000124F46A63 2F 2E 69 6E 73 74 61 6C…aInstalledUnc0v DCB "/.installed_unc0ver",0
MEMORY:0000000124F46A77 2F 70 72 69 76 61 74 65…aPrivateVarMobi DCB "/private/var/mobile/staged_system_apps",0
MEMORY:0000000124F46A9E 2F 70 72 69 76 61 74 65…aPrivateVarMobi_0 DCB "/private/var/mobile/mobile",0
MEMORY:0000000124F46AB9 2F 64 65 76 2F 66 61 6B…aDevFakevar DCB "/dev/fakevar",0
MEMORY:0000000124F46AC6 2F 74 6D 70 2F 76 6E 6F…aTmpVnodememTxt DCB "/tmp/vnodeMem.txt",0
MEMORY:0000000124F46AD8 2F 75 73 72 2F 6C 69 62…aUsrLibEllekitM DCB "/usr/lib/ellekit/MobileSafety.dylib",0
MEMORY:0000000124F46AFC 2F 76 61 72 2F 6A 62 2F…aVarJbUsrLibTwe DCB "/var/jb/usr/lib/TweakInject",0
MEMORY:0000000124F46B18 2F 76 61 72 2F 6A 62 2F…aVarJbUsrLibEll DCB "/var/jb/usr/lib/ellekit/MobileSafety.dylib",0
MEMORY:0000000124F46B43 2F 76 61 72 2F 6A 62 2F…aVarJbLibraryMo DCB "/var/jb/Library/MobileSubstrate/DynamicLibraries",0
MEMORY:0000000124F46B74 2F 76 61 72 2F 6A 62 2F…aVarJbInstalled DCB "/var/jb/.installed_dopamine",0
MEMORY:0000000124F46B90 2F 76 61 72 2F 6A 62 2F…aVarJbBasebinJb DCB "/var/jb/basebin/jbctl",0
MEMORY:0000000124F46BA6 2F 76 61 72 2F 6A 62 2F…aVarJbUsrLibTwe_0 DCB "/var/jb/usr/lib/TweakLoader.dylib",0
MEMORY:0000000124F46BC8 2F 76 61 72 2F 6A 62 2F…aVarJbPrepBoots DCB "/var/jb/prep_bootstrap.sh",0
MEMORY:0000000124F46BE2 2F 65 74 63 2F 72 63 2E…aEtcRcDLibhooke DCB "/etc/rc.d/libhooker",0
MEMORY:0000000124F46BF6 2F 76 61 72 2F 6A 62 2F…aVarJbEtcRcDLib DCB "/var/jb/etc/rc.d/libhooker",0
MEMORY:0000000124F46C11 2F 41 70 70 6C 69 63 61…aApplications DCB "/Applications",0
MEMORY:0000000124F46C1F 2F 4C 69 62 72 61 72 79…aLibraryRington DCB "/Library/Ringtones",0
MEMORY:0000000124F46C32 2F 4C 69 62 72 61 72 79…aLibraryWallpap DCB "/Library/Wallpaper",0
MEMORY:0000000124F46C45 5F 4D 53 53 61 66 65 4D…aMssafemode DCB "_MSSafeMode",0
MEMORY:0000000124F46C51 73 75 62 73 74 69 74 75…aSubstitute DCB "substitute",0
MEMORY:0000000124F46C5C 4A 42 52 4F 4F 54 00    aJbroot DCB "JBROOT",0
MEMORY:0000000124F46C63 4A 42 52 41 4E 44 00    aJbrand DCB "JBRAND",0
MEMORY:0000000124F46C6A 4A 42 5F 52 4F 4F 54 5F…aJbRootPath DCB "JB_ROOT_PATH",0
MEMORY:0000000124F46C77 4A 42 5F 53 41 4E 44 42…aJbSandboxExten DCB "JB_SANDBOX_EXTENSIONS",0
MEMORY:0000000124F46C8D 63 79 64 69 61 3A 2F 2F…aCydiaInstalled DCB "cydia://installed",0
MEMORY:0000000124F46C9F 73 69 6C 65 6F 3A 2F 2F…aSileo DCB "sileo://",0
MEMORY:0000000124F46CA8 7A 62 72 61 3A 2F 2F 00 aZbra DCB "zbra://",0
MEMORY:0000000124F46CB0 66 69 6C 7A 61 3A 2F 2F…aFilza DCB "filza://",0
MEMORY:0000000124F46CB9 61 63 74 69 76 61 74 6F…aActivator DCB "activator://",0

Checks for Frida, device-spoofing and automation tools:

MEMORY:000000012779091A aApplicationsIg DCB "/Applications/iGrimace.app",0
MEMORY:0000000127790935 aApplicationsNz DCB "/Applications/NZT.app",0
MEMORY:000000012779094B aApplicationsHd DCB "/Applications/hdFaker.app",0
MEMORY:0000000127790965 aApplicationsMo DCB "/Applications/MobileAnjian.app",0
MEMORY:0000000127790984 aApplicationsTo DCB "/Applications/TouchElf.app",0
MEMORY:000000012779099F aApplicationsAu DCB "/Applications/AutoTouch.app",0
MEMORY:00000001277909BB aApplicationsTo_0 DCB "/Applications/TouchSprite.app",0
MEMORY:00000001277909D9 aApplicationsTo_1 DCB "/Applications/TouchSpritePe.app",0
MEMORY:00000001277909F9 aApplicationsHa DCB "/Applications/handjingling.app",0
MEMORY:0000000127790A18 aApplicationsTi DCB "/Applications/tianxiayou.app",0
MEMORY:0000000127790A35 aApplicationsTi_0 DCB "/Applications/TianXiaYou.app",0
MEMORY:0000000127790A52 aApplicationsAn DCB "/Applications/anylocation.app",0
MEMORY:0000000127790A70 aApplicationsOt DCB "/Applications/OTRLocation.app",0
MEMORY:00000002822B0480 aApplicationsCy_1 DCB "/Applications/Cydia.app",0
MEMORY:00000002822B04A0 aUsrSbinFridaSe DCB "/usr/sbin/frida-server",0
MEMORY:0000000283671170 aLibraryMobiles_2 DCB "/Library/MobileSubstrate/MobileSubstrate.dylib",0
"/Library/LaunchDaemons/re.frida.server.plist"

There are many more checks, for example whether the binary was dumped or re-signed, whether code was injected, and whether Frida or hooks are present; interested readers can dig into these themselves.

3.2 Device data collection

Device information is collected in three ways:

Via Objective-C methods (resolved through the SDK's own ONI_* reflection layer):

UTDevice
ONI_FindClass
utdid
ONI_GetStaticMethodID
ONI_CallStaticObjectMethod
ONI_GetStringUTFcString

Via C functions:

open, read, opendir, readdir, etc.

Via custom methods (direct svc system calls, here stat64):

llc_do_syscall  0x0000000000000152   SYS_stat64
__text:00000001048898DC                         svc_sub_1026CD8DC
__text:00000001048898DC                         arg_0=  0
__text:00000001048898DC
__text:00000001048898DC F0 03 40 F9             LDR             X16, [SP,#arg_0]
__text:00000001048898E0 01 00 00 D4             SVC             0
__text:00000001048898E4 43 00 00 54             B.CC            locret_1048898EC
__text:00000001048898E8 7A 9B 00 14             B               sub_1048B06D0
MEMORY:000000011553502C 2F 76 61 72 2F 6D 6F 62+aVarMobileMedia DCB "/var/mobile/Media/DCIM/100APPLE",0
MEMORY:000000011553504C 2F 53 79 73 74 65 6D 2F+aSystemLibraryP DCB "/System/Library/Pearl/ReferenceFrames/reference-sparse.plist",0
MEMORY:0000000115535089 2F 53 79 73 74 65 6D 2F+aSystemLibraryP_0 DCB "/System/Library/Pearl/ReferenceFrames/reference-dense.plist",0
MEMORY:00000001155350C5 2F 53 79 73 74 65 6D 2F+aSystemLibraryP_1 DCB "/System/Library/Pearl/ReferenceFrames/reference-sparseLP.plist",0
// format string used for the collected content
%ld%%ld.%ld%c

3.3 Brief analysis of the VMP

a. VM entry

__text:000000010732D1D0                 STP             X29, X30, [SP,#-0x10+var_s0]!
__text:000000010732D1D4                 MOV             X29, SP
__text:000000010732D1D8                 SUB             SP, SP, #0x100
__text:000000010732D1DC                 STP             X20, X19, [SP,#0x100+var_70]
__text:000000010732D1E0                 STP             X22, X21, [SP,#0x100+var_80]
__text:000000010732D1E4                 STP             X24, X23, [SP,#0x100+var_90]
__text:000000010732D1E8                 STP             X26, X25, [SP,#0x100+var_A0]
__text:000000010732D1EC                 STP             X28, X27, [SP,#0x100+var_B0]
__text:000000010732D1F0                 STP             X15, X14, [SP,#0x100+var_C0]
__text:000000010732D1F4                 STP             X13, X12, [SP,#0x100+var_D0]
__text:000000010732D1F8                 STP             X11, X10, [SP,#0x100+var_E0]
__text:000000010732D1FC                 STP             X9, X8, [SP,#0x100+var_F0]
__text:000000010732D200                 MOV             X26, X0
__text:000000010732D204                 MOV             X28, X1
__text:000000010732D208                 MOV             X19, X2
__text:000000010732D20C                 MOV             X27, X19
__text:000000010732D210                 MOV             X24, X4
__text:000000010732D214                 MOV             X20, X5
__text:000000010732D218                 MOV             X25, X6
__text:000000010732D21C                 ADD             X21, X24, #0x100
__text:000000010732D220                 MOV             X22, #0
__text:000000010732D224                 MOV             X23, #0
__text:000000010732D228                 MOV             X23, X27
__text:000000010732D22C                 ADD             X27, X27, X3,LSL#4
__text:000000010732D230                 LDR             W8, [X27]
__text:000000010732D234                 LDR             X8, [X20,X8,LSL#3]
__text:000000010732D238                 STR             X27, [X28,#8]
__text:000000010732D23C                 BR              X8

b. VM exit

__text:000000010732D328                 LDR             X11, [X24,#0xF0]
__text:000000010732D32C                 LDP             X9, X10, [X24,#0xC0]
__text:000000010732D330                 STP             X9, X10, [X24,#0x40]
__text:000000010732D334                 LDP             X9, X10, [X24,#0xD0]
__text:000000010732D338                 STP             X9, X10, [X24,#0x50]
__text:000000010732D33C                 LDP             X9, X10, [X24,#0xE0]
__text:000000010732D340                 STP             X9, X10, [X24,#0x60]
__text:000000010732D344                 LDR             X9, [X24,#0xF8]
__text:000000010732D348                 STR             X9, [X24,#0x78]
__text:000000010732D34C                 MOV             X23, X22
__text:000000010732D350                 LDP             X9, X10, [X11]
__text:000000010732D354                 STP             X9, X10, [X24,#0x80]
__text:000000010732D358                 LDP             X9, X10, [X11,#0x10]
__text:000000010732D35C                 STP             X9, X10, [X24,#0x90]
__text:000000010732D360                 LDP             X9, X10, [X11,#0x20]
__text:000000010732D364                 STP             X9, X10, [X24,#0xA0]
__text:000000010732D368                 LDP             X9, X10, [X11,#0x30]
__text:000000010732D36C                 STP             X9, X10, [X24,#0xB0]
__text:000000010732D370                 LDP             X9, X10, [X11,#0x40]
__text:000000010732D374                 STP             X9, X10, [X24,#0xC0]
__text:000000010732D378                 LDP             X9, X10, [X11,#0x50]
__text:000000010732D37C                 STP             X9, X10, [X24,#0xD0]
__text:000000010732D380                 LDP             X9, X10, [X11,#0x60]
__text:000000010732D384                 STP             X9, X10, [X24,#0xE0]
__text:000000010732D388                 LDP             X9, X10, [X11,#0x70]
__text:000000010732D38C                 STP             X9, X10, [X24,#0xF0]
__text:000000010732D390                 LDP             X9, X10, [X11,#0x80]
__text:000000010732D394                 STP             X9, X10, [X24,#0x30]
__text:000000010732D398                 LDR             X22, [X11,#0x78]
__text:000000010732D39C                 STR             X11, [X24,#0x70]
__text:000000010732D3A0                 LDR             X9, [X24,#0x78]
__text:000000010732D3A4                 ADD             X27, X9, #0x10
__text:000000010732D3A8                 LDR             W8, [X27]
__text:000000010732D3AC                 LDR             X8, [X20,X8,LSL#3]
__text:000000010732D3B0                 STR             X27, [X28,#8]
__text:000000010732D3B4                 BR              X8

c. Handlers
There are roughly 70 handlers and they emulate the basic instructions, but the handlers themselves are not obfuscated, so it is fairly easy to tell which instruction each one emulates. Two are shown below (EOR and ADD); the others follow the same pattern:

__text:000000010732D908 EOR_sub_1026C9908
__text:000000010732D908                 LDRB            W1, [X27,#5]
__text:000000010732D90C                 LDRB            W2, [X27,#6] ; fetch the VM register numbers
__text:000000010732D910                 LDR             X1, [X24,X1,LSL#3]
__text:000000010732D914                 LDR             X2, [X24,X2,LSL#3]
__text:000000010732D918                 LDRB            W0, [X27,#7]
__text:000000010732D91C                 EOR             X1, X1, X2 ; the XOR step
__text:000000010732D920                 AND             X1, X1, #0xFFFFFFFF
__text:000000010732D924                 STR             X1, [X24,X0,LSL#3]
__text:000000010732D928                 LDR             W8, [X27,#0x10]!
__text:000000010732D92C                 LDR             X8, [X20,X8,LSL#3]
__text:000000010732D930                 STR             X27, [X28,#8]
__text:000000010732D934                 BR              X8

__text:000000010697AA30                               ; r9, r25, r27
__text:000000010697AA30
__text:000000010697AA30                               _ADD_sub_10B2CAA30
__text:000000010697AA30 61 17 40 39                   LDRB            W1, [X27,#5]
__text:000000010697AA34 62 1B 40 39                   LDRB            W2, [X27,#6]  ; fetch the VM register numbers
__text:000000010697AA38 01 7B 61 F8                   LDR             X1, [X24,X1,LSL#3]
__text:000000010697AA3C 02 7B 62 F8                   LDR             X2, [X24,X2,LSL#3]
__text:000000010697AA40 60 1F 40 39                   LDRB            W0, [X27,#7]
__text:000000010697AA44 21 00 02 8B                   ADD             X1, X1, X2
__text:000000010697AA48 01 7B 20 F8                   STR             X1, [X24,X0,LSL#3]
__text:000000010697AA4C 68 0F 41 B8                   LDR             W8, [X27,#0x10]! ; handler index
__text:000000010697AA50 88 7A 68 F8                   LDR             X8, [X20,X8,LSL#3]
__text:000000010697AA54 9B 07 00 F9                   STR             X27, [X28,#8]
__text:000000010697AA58 00 01 1F D6                   BR              X8            ; index
__text:000000010697AA58
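To make the dispatch logic concrete, here is an added Python model of the instruction format and handler loop as read off the listings above; it is example code, not the SDK's. It assumes a 16-byte instruction with the 32-bit handler index at offset 0 and register numbers at bytes 5, 6 and 7 (what the two handlers read), a 32-slot register file (the 0x100-byte frame at entry, X24), a handler table (X20) and a context that saves the VM pc at offset 8 (X28); the handler numbering and the HALT pseudo-op are constructed, since the real table order is not on the page.

```python
import struct

INSN_SIZE = 16          # LDR W8, [X27,#0x10]! advances the VM pc by 16 bytes
NUM_REGS = 32           # ADD X21, X24, #0x100: a 0x100-byte file of 8-byte slots
MASK32 = 0xFFFFFFFF
MASK64 = (1 << 64) - 1

# Handler-table indices constructed for this example; the real table has
# about 70 entries in an order the page does not give.  HALT stands in for
# whatever the real VM-exit sequence does.
OP_EOR, OP_ADD, OP_HALT = 0, 1, 2


def encode(op, src1, src2, dst):
    """Build one 16-byte VM instruction in the layout the handlers read:
    32-bit handler index at offset 0 (LDR W8, [X27]) and register numbers
    at bytes 5, 6 and 7 (LDRB W1 / W2 / W0).  Byte 4 and bytes 8-15 are not
    touched by the two handlers shown, so they stay zero here."""
    insn = bytearray(INSN_SIZE)
    struct.pack_into("<I", insn, 0, op)
    insn[5], insn[6], insn[7] = src1, src2, dst
    return bytes(insn)


def h_eor(regs, insn):
    # EOR X1, X1, X2 ; AND X1, X1, #0xFFFFFFFF ; STR X1, [X24,X0,LSL#3]
    regs[insn[7]] = (regs[insn[5]] ^ regs[insn[6]]) & MASK32


def h_add(regs, insn):
    # ADD X1, X1, X2 ; STR X1, [X24,X0,LSL#3]   (full 64-bit, no mask)
    regs[insn[7]] = (regs[insn[5]] + regs[insn[6]]) & MASK64


HANDLER_TABLE = {OP_EOR: h_eor, OP_ADD: h_add}   # plays the role of X20


def run(bytecode, regs, start_index=0, max_steps=10_000):
    """Model of the entry stub plus the dispatch tail every handler ends with.

    Entry:    X27 = bytecode + start_index * 16   (ADD X27, X27, X3, LSL#4)
    Dispatch: W8 = *(u32 *)X27 ; X8 = table[W8] ; ctx->pc = X27 ; BR X8
    Tail:     X27 += 16, then dispatch again.
    Returns the VM pc at which HALT was reached (the value saved at [X28,#8])."""
    pc = start_index * INSN_SIZE
    for _ in range(max_steps):
        insn = bytecode[pc:pc + INSN_SIZE]
        if len(insn) < INSN_SIZE:
            raise IndexError("VM pc ran off the end of the bytecode")
        op = struct.unpack_from("<I", insn, 0)[0]
        if op == OP_HALT:
            return pc
        HANDLER_TABLE[op](regs, insn)    # LDR X8, [X20,X8,LSL#3] ; BR X8
        pc += INSN_SIZE                  # LDR W8, [X27,#0x10]!
    raise RuntimeError("step limit reached; bytecode has no HALT")


def demo():
    """Constructed program: r3 = r1 EOR r2 (32-bit), r4 = r3 ADD r2 (64-bit).
    r1 carries the first data word of the page's layer-3 trace with junk in
    its upper half, to show the EOR handler's AND #0xFFFFFFFF truncation."""
    regs = [0] * NUM_REGS
    regs[1] = 0xDEADBEEF_536D7261
    regs[2] = 0x0AAE8E7A
    prog = (encode(OP_EOR, 1, 2, 3)
            + encode(OP_ADD, 3, 2, 4)
            + encode(OP_HALT, 0, 0, 0))
    run(prog, regs)
    return regs[3], regs[4]


if __name__ == "__main__":
    r3, r4 = demo()
    print(f"r3 = {r3:#010x}  r4 = {r4:#010x}")
```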

3.4 Encryption flow analysis

After the device information is collected it is encrypted and reported. The encryption flow is fairly involved: there is per-field encryption, per-segment encryption and whole-payload encryption, and each segment uses a different algorithm. Only the outline is given below; the details are left to the reader.
Taking the collected MAC address as an example, the raw data is:

00000002817806A0  37 38 3A 39 31 3A 32 33  3A 34 35 3A 36 33 3A 34  78:91:23:45:63:4
00000002817806B0  35

First layer

a. Generate a random number as the key

00000319

b. First layer: each byte is encrypted individually

key "00000319", value at index 5: 0000000000000033
000000000000003A ADD 0000000000000033 = 000000000000006D
000000000000006D ADD FFFFFFFFFFFFFFC0 = 000000000000002D
000000000000002D ADD 0000000000000020 = 000000000000004D  encrypted result

Second layer
a. The key is a fixed value

02 00 00 00 00 00 00 00

b. Encryption process

data length 000000000000000B AND 0000000000000003 = 0000000000000003
02 00 00 00 00 00 00 00 // the AND result is the index into the key (index 0x3 -> 0000000000000000)
0000000000000000 EOR 0000000000000040 = 0000000000000040 // xor step

After encryption the value is combined with the fixed field key name:

35 33 66 62 34 39 33 32  59 3C 5E 40 00 00 00 00  53fb4932Y<^@....

c. Once every field has been encrypted, the fields are concatenated into a single combined buffer;
Third layer
a. The combined device data is split into several groups and encrypted

// xor encryption of the combined device data
00000000536D7261 XOR 000000000AAE8E7A = 0000000059C3FC1B
000000000017473D ORR 0000000005400000 = 000000000557473D
000000000000074F XOR 0000000005574072 = 000000000557473D
00000000000BA39E ORR 0000000082A00000 = 0000000082ABA39E
00000000596D5721 XOR 0000000082ABA39E = 00000000DBC6F4BF
000000000015D1CF ORR 0000000041400000 = 000000004155D1CF
0000000000000011 XOR 000000004155D1CF = 000000004155D1DE
00000000000AE8E7 ORR 00000000A0A00000 = 00000000A0AAE8E7
0000000064656362 XOR 00000000A0AAE8E7 = 00000000C4CF8B85
00000000C4CF8B85 LSR 000000000000000A = 00000000003133E2
0000000005574072 LSL 0000000000000016 = 000000001C800000
00000000003133E2 ORR 000000001C800000 = 000000001CB133E2
0000000059C3FC1B LSR 000000000000000A = 00000000001670FF
00000000DBC6F4BF LSL 0000000000000016 = 000000002FC00000
000000002FC00000 ORR 00000000001670FF = 000000002FD670FF
0000000005574072 LSR 000000000000000A = 00000000000155D0
000000004155D1DE LSL 0000000000000016 = 0000000077800000
0000000077800000 ORR 00000000000155D0 = 00000000778155D0
00000000DBC6F4BF LSR 000000000000000A = 000000000036F1BD
00000000C4CF8B85 LSL 0000000000000016 = 00000000E1400000
00000000E1400000 ORR 000000000036F1BD = 00000000E176F1BD

b. Segment types:

0x16, 0x17, 0x18, 0x15, 0x14

Encryption differs slightly by type;
c. After each segment is encrypted, the segments are combined and XORed with a random number;
d. The result is Base64-encoded and prefixed with the fixed string (v0001ipx234001);

Fourth layer

a. Wrap the encrypted data from above in JSON (pseudocode):

String es = "v0001ipx234001" + Base64.encodeToString(encBytes);
JsonObject jsonet = new JsonObject();
jsonet.addProperty("es", es);

b. Compress the JSON;
c. AES-encrypt the compressed data;
d. Base64-encode the AES output and send it as the request body.
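As an added check on the traces in this section (example code, not the SDK's), the following Python reproduces the layer-1 byte arithmetic, the layer-2 key-byte selection and the layer-3 XOR / ORR / shift steps on the page's own values, so each mnemonic can be verified against the listing. The wrap-around key indexing in layer1() is an assumption (the page shows only index 5), and the pairing of words in replay_layer3_trace() follows the trace order rather than a derived general rule.

```python
MASK32 = 0xFFFFFFFF
MASK64 = (1 << 64) - 1

# Constructed from the page's traces: the collected MAC string, the
# 8-character random key of layer 1 and the fixed 8-byte key of layer 2.
MAC_SAMPLE = b"78:91:23:45:63:45"
LAYER1_KEY = b"00000319"
LAYER2_KEY = bytes.fromhex("0200000000000000")


def layer1_byte(plain, key_byte):
    """The traced sequence for one byte, performed in a 64-bit register:
    ADD key byte; ADD 0xFFFFFFFFFFFFFFC0 (two's-complement -0x40); ADD 0x20.
    Only the low byte is stored, so the net effect is (plain + key - 0x20) mod 256."""
    v = (plain + key_byte) & MASK64
    v = (v + 0xFFFFFFFFFFFFFFC0) & MASK64
    v = (v + 0x20) & MASK64
    return v & 0xFF


def layer1(data, key):
    # Assumption: the key byte shares the data byte's index and wraps around
    # the 8-byte key; the page only shows index 5 (':' = 0x3A with '3' = 0x33).
    return bytes(layer1_byte(b, key[i % len(key)]) for i, b in enumerate(data))


def layer2_key_byte(data_len, key):
    """length AND 3 selects the byte of the fixed key that is XORed in."""
    return key[data_len & 3]


def xor32(a, b):
    return (a ^ b) & MASK32


def orr32(low, high):
    """The ORR steps assemble a 32-bit key word from a low and a high part."""
    return (low | high) & MASK32


def mix32(x, y):
    """The LSR #10 / LSL #22 / ORR triple: the top 22 bits of x drop to the
    bottom and the low 10 bits of y rise to the top of a fresh 32-bit word."""
    return ((x >> 10) | ((y << 22) & MASK32)) & MASK32


def replay_layer3_trace():
    """Replays the page's layer-3 trace step by step (same operand order)
    and returns the four mixed output words."""
    e0 = xor32(0x536D7261, 0x0AAE8E7A)            # 59C3FC1B
    k1 = orr32(0x000BA39E, 0x82A00000)            # 82ABA39E
    e1 = xor32(0x596D5721, k1)                    # DBC6F4BF
    k2 = orr32(0x0015D1CF, 0x41400000)            # 4155D1CF
    e2 = xor32(0x00000011, k2)                    # 4155D1DE
    k3 = orr32(0x000AE8E7, 0xA0A00000)            # A0AAE8E7
    e3 = xor32(0x64656362, k3)                    # C4CF8B85
    w = 0x05574072    # operand of the trace: 0x74F XOR w == 0017473D ORR 05400000
    return [mix32(e3, w), mix32(e0, e1), mix32(w, e2), mix32(e1, e3)]


if __name__ == "__main__":
    print(f"layer1 byte 5: {layer1(MAC_SAMPLE, LAYER1_KEY)[5]:#04x}")
    print("layer3 words:", [f"{v:08X}" for v in replay_layer3_trace()])
```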

4. Closing remarks

Overall, the code protection of the mtop risk-control SDK is fairly strong: the signing algorithm and the local encryption flow are quite complex, reconstructing the protocol is time-consuming, and the algorithm logic can be changed by server-side push. From an attacker's perspective, a device-spoofing approach would probably be the cheaper route.
This analysis also yielded some good defensive points:
a. Common libc string functions (strlen, strcpy, memset, etc.) are reimplemented inside the VMP.
b. Manage your own memory structures.
c. Obfuscate the VM flow by mixing in computations unrelated to the real logic.
d. Call internal methods dynamically, store method addresses encrypted and decrypt them at call time.
e. Split the collected fields into 10 groups, encrypt each group with a different algorithm, and let the server control algorithm changes.
f. Use white-box encryption algorithms and run the encryption logic inside the VMP.
