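1. What is the Douyin xlog algorithm?
Unlike the X-Gorgon algorithm and the device registration service, xlog mainly collects environment parameters, including a number of detection points, assembles them into a JSON string, encrypts that data and sends it to the server for analysis and comparison. In a packet capture you can see a POST request to a URL of the form /v2/r?. Its body is produced by an encryption function whose implementation is VM-protected, so it can only be understood by tracing it under a dynamic debugger, and the process is fairly complicated.
The Douyin xlog interface collects device environment data and is mainly used to check whether the device environment is "compliant", which is what people usually mean by passing "risk control". The body of the xlog request is the device environment data, encrypted with the xlog algorithm. The latest version of the Douyin app, 12.x, still uses the 02 algorithm; Douyin has not updated this algorithm for a long time...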
POST https://xlog.snssdk.com/v2/r?os=0&ver=0.6.10.25.17-IH-Do&m=2&app_ver=12.4.0&region=zh_CN&aid=1128&did=19671560880 HTTP/1.1
Host: xlog.snssdk.com
Connection: keep-alive
Cookie: sessionid=
X-SS-REQ-TICKET: 1599446905153
sdk-version: 1
x-tt-trace-id: 00-8c16dd31094948432b05140591f60468-8c16dd3109494843-01
User-Agent: com.ss.android.ugc.aweme/990 (Linux; U; Android 5.1.1; zh_CN; YQ601; Build/LMY47V; Cronet/77.0.3844.0)
Accept-Encoding: gzip, deflate
X-Gorgon: 0408d012000449c94d909ca41fa968eb6a8ab9ea7528d54eadae
X-Khronos: 1599446905
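The Douyin xlog algorithm lives in the native layer, so its implementation cannot be recovered by decompiling the dex. The rough logic of the xlog algorithm is:
First the decryption method is called to decrypt the byte[] array that starts with 02; the result is a JSON string. The xlog encryption interface is then called to encrypt it, and the result is submitted. The response also starts with 02, and decrypting it shows the result.
Before this there is also an sdfp packet, which needs the same encryption and decryption; see the documentation for reference.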
package hook;

import android.text.TextUtils;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public final class ByteUtil {
    // Placeholder for an empty input: 32 zeros, the length of an MD5 hex digest.
    private static final String NULL_MD5_STRING = "00000000000000000000000000000000";

    // Decode a hex string into a byte array.
    public static byte[] b(String paramString) {
        int i = paramString.length();
        byte[] arrayOfByte = new byte[i / 2];
        // The counter is an int: a byte counter overflows once the input exceeds 127 characters.
        for (int b = 0; b < i; b += 2)
            arrayOfByte[b / 2] = (byte) ((Character.digit(paramString.charAt(b), 16) << 4)
                    + Character.digit(paramString.charAt(b + 1), 16));
        return arrayOfByte;
    }

    // Encode a byte array as a lowercase hex string.
    public static String ByteToStr(byte[] bArr) {
        int i = 0;
        char[] toCharArray = "0123456789abcdef".toCharArray();
        char[] cArr = new char[(bArr.length * 2)];
        while (i < bArr.length) {
            int i2 = bArr[i] & 255;
            int i3 = i * 2;
            cArr[i3] = toCharArray[i2 >>> 4];
            cArr[i3 + 1] = toCharArray[i2 & 15];
            i++;
        }
        return new String(cArr);
    }

    // Concatenate four 32-character fields: MD5(url), stub, MD5(ck), MD5(sessionid).
    // An empty input is replaced by 32 zeros.
    public static String getXGon(String url, String stub, String ck, String sessionid) {
        StringBuilder sb = new StringBuilder();
        if (TextUtils.isEmpty(url)) {
            sb.append(NULL_MD5_STRING);
        } else {
            sb.append(encryption(url).toLowerCase());
        }
        if (TextUtils.isEmpty(stub)) {
            sb.append(NULL_MD5_STRING);
        } else {
            sb.append(stub);
        }
        if (TextUtils.isEmpty(ck)) {
            sb.append(NULL_MD5_STRING);
        } else {
            sb.append(encryption(ck).toLowerCase());
        }
        if (TextUtils.isEmpty(sessionid)) {
            sb.append(NULL_MD5_STRING);
        } else {
            sb.append(encryption(sessionid).toLowerCase());
        }
        return sb.toString();
    }

    // Return the MD5 digest of str as an uppercase hex string.
    public static String encryption(String str) {
        try {
            MessageDigest md = MessageDigest.getInstance("MD5");
            md.update(str.getBytes(StandardCharsets.UTF_8));
            byte[] b = md.digest();
            StringBuilder buf = new StringBuilder();
            for (int offset = 0; offset < b.length; offset++) {
                int i = b[offset] & 0xff; // treat the byte as unsigned
                if (i < 16)
                    buf.append("0");
                buf.append(Integer.toHexString(i));
            }
            return buf.toString().toUpperCase();
        } catch (NoSuchAlgorithmException e) {
            // MD5 is required on every Java platform; fail loudly rather than return null.
            throw new IllegalStateException("MD5 not available", e);
        }
    }

    // Decode a hex string into a byte array (same behaviour as b()).
    public static byte[] StrToByte(String str) {
        int i = 0;
        int length = str.length();
        byte[] bArr = new byte[(length / 2)];
        while (i < length) {
            bArr[i / 2] = (byte) ((Character.digit(str.charAt(i), 16) << 4)
                    + Character.digit(str.charAt(i + 1), 16));
            i += 2;
        }
        return bArr;
    }
}
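The server-side "analysis and comparison" described above can be illustrated with a small consistency check over a decoded report. This is an added example, not Douyin's code and not from the original post. The sample is a constructed subset of the decrypted report shown on this page, and the field meanings are assumptions inferred from the field names and values: `fp` as the Android build fingerprint, `hw.tags` as the build tags, `wifimac` as the connected access point's BSSID.

```python
import json

# Constructed sample: a subset of the fields in the decrypted report on this page.
SAMPLE_REPORT = json.loads("""
{
  "fp": "OPPO/A59/A59:5.1/LMY47I/1519786508:user/release-keys",
  "wifimac": "6c:06:d6:c4:6a:c8",
  "wifip": "192.168.3.15",
  "aplist": [{"ss": "HUAWEI-10GLZ6", "bs": "6c:06:d6:c4:6a:c8"},
             {"ss": "ChinaNet-5mds", "bs": "18:52:07:8a:af:c2"}],
  "route": {"iip": "192.168.3.15", "gip": "192.168.3.1", "type": "wlan0"},
  "hw": {"brand": "OPPO", "device": "A59", "product": "A59", "tags": "dev-keys"}
}
""")


def parse_fingerprint(fp):
    """Split an Android build fingerprint of the form
    brand/product/device:release/id/incremental:type/tags."""
    try:
        head, _middle, tail = fp.split(":")
        brand, product, device = head.split("/")
        _build_type, tags = tail.split("/")
    except ValueError:
        return None  # wrong number of parts: the fingerprint is malformed
    return {"brand": brand, "product": product, "device": device, "tags": tags}


def consistency_findings(report):
    """Return the sorted list of field pairs that contradict each other."""
    findings = []
    hw = report.get("hw", {})
    fp = parse_fingerprint(report.get("fp", ""))
    if fp is None:
        findings.append("fp:malformed")
    else:
        # Assumption: hw.* mirrors the same build properties the fingerprint encodes.
        for key in ("brand", "product", "device", "tags"):
            if key in hw and hw[key] != fp[key]:
                findings.append("fp/hw." + key)
    # The Wi-Fi address and the routing table's interface address should agree.
    if report.get("wifip") != report.get("route", {}).get("iip"):
        findings.append("wifip/route.iip")
    # The connected access point should also appear in the scan list.
    scanned = {ap.get("bs") for ap in report.get("aplist", [])}
    if report.get("wifimac") and report["wifimac"] not in scanned:
        findings.append("wifimac/aplist")
    return findings and sorted(findings)


if __name__ == "__main__":
    print(consistency_findings(SAMPLE_REPORT))
```

On the sample, the only finding is the build tags: the fingerprint ends in `release-keys` while `hw.tags` reports `dev-keys`.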
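We reverse engineered the latest Douyin version, 12.4. After decrypting the xlog interface data, we found that Douyin has really taken this to the extreme. The decrypted data is as follows: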
{
  "extra": "SS-200",
  "grilock": "eyJvcyI6IkFuZHJvaWQiLCJ2ZXJzaW9uIjoiMS4wLjUiLCJ0b2tlbl9pZCI6IlwvOWpudDRyRFRkdyt4bmxqT1pmN3VOUnN1RHNndEMwSFJRSFJaM3pCNXl1enRKRHB1TVVxUk1TaDc3Sld3Y0RLaDFkaEFUSkxyTzkzeEFEVFAraU1XSU1CdDNCSW9jYz0iLCJjb2RlIjoyMDB9",
  "ast": 1,
  "p1": "38464475038",
  "p2": "1143087178466429",
  "ait": 1595642532,
  "ut": 1751,
  "pkg": "com.ss.android.ugc.aweme",
  "prn": "CZL-MLP",
  "vc": 120001,
  "fp": "OPPO/A59/A59:5.1/LMY47I/1519786508:user/release-keys",
  "mdi_if": {
    "ui": "",
    "mc": "",
    "mid": "",
    "ts": -1
  },
  "mdi_s": 10,
  "wifisid": "HUAWEI-10GLZ6",
  "wifimac": "6c:06:d6:c4:6a:c8",
  "wifip": "192.168.3.15",
  "vpn": 0,
  "aplist": [
    {
      "ss": "",
      "bs": "6c:06:d6:c4:6a:cd"
    },
    {
      "ss": "HUAWEI-10GLZ6_Wi-Fi5",
      "bs": "6c:06:d6:f4:6a:ce"
    },
    {
      "ss": "HUAWEI-10GLZ6_Wi-Fi5",
      "bs": "6c:06:d6:f4:6a:cd"
    },
    {
      "ss": "ChinaNet-5mds",
      "bs": "18:52:07:8a:af:c2"
    },
    {
      "ss": "",
      "bs": "6c:06:d6:c4:6a:ce"
    },
    {
      "ss": "HUAWEI-10GLZ6",
      "bs": "6c:06:d6:c4:6a:cc"
    },
    {
      "ss": "HUAWEI-10GLZ6",
      "bs": "6c:06:d6:c4:6a:c8"
    },
    {
      "ss": "",
      "bs": "6c:06:d6:c4:6a:c9"
    },
    {
      "ss": "ChinaNet-5mds-5G",
      "bs": "18:52:07:8a:af:c1"
    },
    {
      "ss": "www.uoko.com",
      "bs": "d4:ee:07:37:db:26"
    }
  ],
  "route": {
    "iip": "192.168.3.15",
    "gip": "192.168.3.1",
    "ghw": "6c:06:d6:c4:6a:c2",
    "type": "wlan0"
  },
  "location": "",
  "i_mk": -1,
  "cell": "[16241,2147483647,2147483647,13898,11]",
  "hw": {
    "brand": "OPPO",
    "model": "OPPO A59s",
    "board": "full_oppo6750_15131",
    "device": "A59",
    "product": "A59",
    "manuf": "OPPO",
    "tags": "dev-keys",
    "inc": "1576670525",