2021年7月21日

unidbg实战笔记(2)–抖音libttEncrypt.so调用

作者 huruwo
public class TTEncrypt extends AbstractJni {
    private final AndroidEmulator emulator;
    private final Module module;
    private final VM vm;
    private final DvmClass TTEncryptUtils;

    private TTEncrypt() {
        emulator = new AndroidARMEmulator("com.xxx.offical"); // 创建模拟器实例,要模拟32位或者64位,在这里区分
        Memory memory = emulator.getMemory();
        memory.setLibraryResolver(new AndroidResolver(23, new String[0]));
        vm = emulator.createDalvikVM(null);
        vm.setJni(this);
        vm.setVerbose(true);
        DalvikModule dm = vm.loadLibrary(new File("/Users/chennan/javaproject/unidbg-server/src/main/resources/example_binaries/libttEncrypt.so"), false);
        dm.callJNI_OnLoad(emulator);
        module = dm.getModule();
        TTEncryptUtils = vm.resolveClass("com/bytedance/frameworks/core/encrypt/TTEncryptUtils", new DvmClass[0]);
    }

    private void destroy() throws IOException {
        emulator.close();
        System.out.println("destroy");
    }

    public static void main(String[] args) throws Exception {
        args = new String[]{"1606199751140","548590668454936","m9jc405bmajk2fk3","77:67:74:82:3a:96"};

        TTEncrypt test = new TTEncrypt();
        String str = "{\"_gen_time\":\"" + args[0] + "\",\"header\":{\"access\":\"wifi\",\"aid\":1128,\"app_version\":\"5.5.0\",\"appkey\":\"57bfa27c67e58e7d920028d3\",\"build_serial\":\"41488569\",\"carrier\":\"China Mobile GSM\",\"channel\":\"aweGW\",\"clientudid\":\"bcf9cca3-5644-4828-a79e-c627f6e47da6\",\"cpu_abi\":\"armeabi-v7a\",\"density_dpi\":192,\"device_brand\":\"samsung\",\"device_id\":\"\",\"device_manufacturer\":\"samsung\",\"device_model\":\"SM-G925F\",\"display_density\":\"mdpi\",\"display_name\":\"抖音短视频\",\"language\":\"zh\",\"manifest_version_code\":550,\"mc\":\"" + args[3] + "\",\"mcc_mnc\":\"46000\",\"not_request_sender\":0,\"openudid\":\"" + args[2] + "\",\"os\":\"Android\",\"os_api\":22,\"os_version\":\"5.1.1\",\"packageX\":\"com.ss.android.ugc.aweme\",\"region\":\"CN\",\"release_build\":\"2132ca7_20190320\",\"resolution\":\"1280x720\",\"rom\":\"eng.se.infra.20181117.120021\",\"rom_version\":\"samsung-user 5.1.1 20171130.276299 release-keys\",\"sdk_version\":\"2.5.5.8\",\"serial_number\":\"41488569\",\"sig_hash\":\"aea615ab910015038f73c47e45d21466\",\"sim_region\":\"cn\",\"sim_serial_number\":[{\"sim_serial_number\":\"70459549640190877299\"}],\"timezone\":28800,\"tz_name\":\"Asia\\\\/Shanghai\",\"tz_offset\":0,\"udid\":\"" + args[1] + "\",\"update_version_code\":5502,\"version_code\":550},\"magic_tag\":\"ss_app_log\"}";
        test.ttEncrypt(str);
        test.destroy();
    }

    private void ttEncrypt(String str) throws IOException {
        long start = System.currentTimeMillis();
        byte[] bArr2 = str.getBytes("UTF-8");
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream(8192);
        GZIPOutputStream gZIPOutputStream = new GZIPOutputStream(byteArrayOutputStream);
        gZIPOutputStream.write(bArr2);
        gZIPOutputStream.close();
        bArr2 = byteArrayOutputStream.toByteArray();
        ByteArray ret = TTEncryptUtils.callStaticJniMethodObject(this.emulator, "ttEncrypt([BI)[B", new Object[]{new ByteArray(vm,bArr2), bArr2.length});
        byte[] array =  ret.getValue();
        Inspector.inspect(array, "hex="+array.toString());
    }
}