App信息

包名：com.aikucun.akapp

关于frida反调试

这个app的反调试我是通过杀线程绕过的，具体过程不再详写，其他文章里有相同的绕过思路。

抓包分析数据

寻找sign参数

jadx反编译apk

搜索"sign"，经过一番搜索，并没有找到相关的代码实现位置，换一种思路搜素"svs"，定位到了参数的位置。

双击查看

onAttachQueryParameters

这里我们可以双击b.u，查看其内容即svs的值，发现它是一个定值v3

接着向下浏览找到了"&sign="，结合上下文发现就是我们要找的sign

很清晰的看出来了sign的值为signV3，是经过signV3函数签名得到的结果。

signV3

查看signV3的内容，它是一个native函数

hook signV3

我们可以hook signV3函数查看其参数和返回值

function hook_signV3(){
    Java.perform(function(){
        let MXSecurity = Java.use("com.mengxiang.arch.security.MXSecurity");
        MXSecurity["signV3"].implementation = function (url, nonceStr, timestamp, body) {
            console.log(`MXSecurity.signV3 is called: url=${url}, nonceStr=${nonceStr}, timestamp=${timestamp}, body=${body}`);
            let result = this["signV3"](url, nonceStr, timestamp, body);
            console.log(`MXSecurity.signV3 result=${result}`);
            return result;
        };
    })
}
hook_signV3()

hook结果

MXSecurity.signV3 is called: url=https://zuul.aikucun.com/akucun-base-data-new/base/address/selectAddrVersion?appid=38741001&did=d545ae984083237bae9a6358ca29910f&noncestr=3f60cc&svs=v3&timestamp=1736605877, nonceStr=3f60cc, timestamp=1736605877, body=
MXSecurity.signV3 is called: url=https://m.xiangdian.com/api/mshop/mshop-aggr-prod/outer/common/bwl/isHitByBatch?appid=38741001&did=d545ae984083237bae9a6358ca29910f&noncestr=bf6c60&svs=v3&timestamp=1736605877, nonceStr=bf6c60, timestamp=1736605877, body=398a40be5a2a6a5a742f35b1b606277a
MXSecurity.signV3 result=508858db8f332eb10fcf604c617229e5ef180f8698e10bd8626d3b9ec67416a4
MXSecurity.signV3 result=a89e326bb0d2fcb6029e3991366ba812ee1deafd6bd0ba81f00850b794fd4a49
MXSecurity.signV3 is called: url=https://m.xiangdian.com/api/mshop/mshop-aggr-prod/outer/v1/material/create/createAuth?appid=38741001&did=d545ae984083237bae9a6358ca29910f&noncestr=2cd903&svs=v3&timestamp=1736605877, nonceStr=2cd903, timestamp=1736605877, body=37a6259cc0c1dae299a7866489dff0bd
MXSecurity.signV3 result=7df7962bdd9a2e5182cbacb123e0f95aba154da8f4499c9dab69b45e90003f17
MXSecurity.signV3 is called: url=https://zuul.aikucun.com/appconfigmgt/api/v1/download/config?appid=38741001&did=d545ae984083237bae9a6358ca29910f&noncestr=63ba42&svs=v3&timestamp=1736605879, nonceStr=63ba42, timestamp=1736605879, body=ce10a5623f4ce537c8cbd4e306504860
MXSecurity.signV3 result=70b90270cefb862185029b36663c9643201f13f790a9b20fd7a31082e30d0fbe

url

url是signV3的第一个参数，

分析url里的参数，url的第一个参数是appid

如下，appid是在so里面获取的，等分析so的时候再去分析它

url的第二个参数是did

如下，调用getDid方法

getDId

在getDid方法里调用了md5String方法，其参数是"micker.cn"拼接getUdid()的返回值，对参数进行md5加密，得到did

getUdid

获取udid的值

如果udid为空，会重新随机一个uuid，设置为udid

nonceStr

nonceStr是signV3的第二个参数

substring

传入signV3方法的第二个参数是substring，查找这个参数是怎么生成的

可以看出来，这个参数是replace$default的子字符串，也就是其前六个字符。

replace$default

如下

StringsJVM调用的replace$default方法，里面传入了一个参数uuid，它是随机生成的

看一下这个方法是怎么实现的，如下

又调用了replace方法，查看其实现

好长一串啊，这里我选择直接hook replace方法分析其参数和返回值

function hook_replace(){
    Java.perform(function(){
        let StringsJVM = Java.use("kotlin.text.StringsKt__StringsJVMKt");
        StringsJVM["replace"].overload('java.lang.String', 'java.lang.String', 'java.lang.String', 'boolean').implementation = function (str, oldValue, newValue, z) {
        console.log(`StringsJVM.replace is called: str=${str}, oldValue=${oldValue}, newValue=${newValue}, z=${z}`);
        let result = this["replace"](str, oldValue, newValue, z);
        console.log(`StringsJVM.replace result=${result}`);
        return result;
        };
    })
}
hook_replace()

hook 结果

1 2	StringsJVM.replace is called: str=14d557b1-496b-4daa-ba2f-d7cffe054397, oldValue=-, newValue=, z=false StringsJVM.replace result=14d557b1496b4daaba2fd7cffe054397

它是把uuid中的-符号给去除了

到这里就知道nonceStr的值就是uuid的前六个字符

timestamp

signV3的第三个参数是timestamp没什么好分析的，是一个时间戳。

body

接下来分析signV3的第四个参数，body

传入signV3的参数是bodyMD5，看名字就与bodyMD5有关系

看这个参数是怎么生成的

调用了bodyMD5()方法，里面传入了一个request参数

bodyMD5

查看这个方法的具体实现

把请求体进行了一个MD5运算

hook bodyMD5

这里可以把bodyMD5方法和md5标准加密算法同时hook，更清晰

function hook_md5(){
    Java.perform(function(){
        let MD5Utils = Java.use("com.mengxiang.arch.utils.MD5Utils");
        MD5Utils["md5"].overload('java.lang.String').implementation = function (value) {
            console.log(`MD5Utils.md5 is called: value=${value}`);
            let result = this["md5"](value);
            console.log(`MD5Utils.md5 result=${result}`);
            return result;
        };
    })
}

function hook_bodymd5(){
    Java.perform(function(){
        let MXV1Sign = Java.use("com.mengxiang.arch.net.sign.MXV1Sign");
        MXV1Sign["bodyMD5"].implementation = function (request) {
            console.log(`MXV1Sign.bodyMD5 is called: request=${request}`);
            let result = this["bodyMD5"](request);
            console.log(`MXV1Sign.bodyMD5 result=${result}`);
            return result;
        };

    })
}

hook_bodymd5()
hook_md5()

hook 结果

MXV1Sign.bodyMD5 is called: request=Request{method=GET, url=https://zuul.aikucun.com/akucun-base-data-new/base/address/selectAddrVersion, tags={class retrofit2.Invocation=com.aikucun.akapp.business.address.service.AddressService.selectAddressVersion() []}}
MXV1Sign.bodyMD5 result=

MXV1Sign.bodyMD5 is called: request=Request{method=POST, url=https://m.xiangdian.com/api/mshop/mshop-aggr-prod/outer/common/bwl/isHitByBatch, tags={class retrofit2.Invocation=com.aikucun.akapp.common.gray.GrayService$GrayServiceApi.grayControl() [{bwlCodes=[B-MATERIAL-CREATE-V2, B-MATERIAL-CREATE-V3, B-MATERIAL-INCOME]}]}}

MD5Utils.md5 is called: value={"bwlCodes":["B-MATERIAL-CREATE-V2","B-MATERIAL-CREATE-V3","B-MATERIAL-INCOME"]}
MD5Utils.md5 result=398a40be5a2a6a5a742f35b1b606277a
MXV1Sign.bodyMD5 result=398a40be5a2a6a5a742f35b1b606277a

MXV1Sign.bodyMD5 is called: request=Request{method=POST, url=https://m.xiangdian.com/api/mshop/mshop-aggr-prod/outer/v1/material/create/createAuth, headers=[app-cache-strategy:1], tags={class retrofit2.Invocation=com.mengxiang.arch.channel.impl.network.NetChannel$APIService.postRequest() [/api/mshop/mshop-aggr-prod/outer/v1/material/create/createAuth, {app-cache-strategy=1}, null]}}
MD5Utils.md5 is called: value=null
MD5Utils.md5 result=37a6259cc0c1dae299a7866489dff0bd
MXV1Sign.bodyMD5 result=37a6259cc0c1dae299a7866489dff0bd

MXV1Sign.bodyMD5 is called: request=Request{method=POST, url=https://zuul.aikucun.com/appconfigmgt/api/v1/download/config, tags={class retrofit2.Invocation=com.aikucun.akapp.business.update.service.UpdateService.checkAppUpgrade() [{configKey=[Ljava.lang.String;@61048d9, system=1, isShowUpdate=false, appId=com.aikucun.akapp, channel=2010, deviceModel=google-Pixel 3, buildCode=76302, version=7.63.2, userCode=, deviceBrand=Google}]}}
MD5Utils.md5 is called: value={"configKey":["versionUpdate"],"system":1,"isShowUpdate":false,"appId":"com.aikucun.akapp","channel":"2010","deviceModel":"google-Pixel 3","buildCode":76302,"version":"7.63.2","userCode":"","deviceBrand":"Google"}
MD5Utils.md5 result=ce10a5623f4ce537c8cbd4e306504860
MXV1Sign.bodyMD5 result=ce10a5623f4ce537c8cbd4e306504860

MXV1Sign.bodyMD5 is called: request=Request{method=POST, url=https://zuul.aikucun.com/appconfigmgt/api/v1/download/config, tags={class retrofit2.Invocation=com.aikucun.akapp.business.update.service.UpdateService.checkAppUpgrade() [{configKey=[Ljava.lang.String;@f07dfd1, system=1, isShowUpdate=false, appId=com.aikucun.akapp, channel=2010, deviceModel=google-Pixel 3, buildCode=76302, version=7.63.2, userCode=, deviceBrand=Google}]}}
MD5Utils.md5 is called: value={"configKey":["versionUpdate"],"system":1,"isShowUpdate":false,"appId":"com.aikucun.akapp","channel":"2010","deviceModel":"google-Pixel 3","buildCode":76302,"version":"7.63.2","userCode":"","deviceBrand":"Google"}
MD5Utils.md5 result=ce10a5623f4ce537c8cbd4e306504860
MXV1Sign.bodyMD5 result=ce10a5623f4ce537c8cbd4e306504860
MXV1Sign.bodyMD5 is called: request=Request{method=POST, url=https://zuul.aikucun.com/appconfigmgt/api/v1/download/config, tags={class retrofit2.Invocation=com.aikucun.akapp.business.update.service.UpdateService.checkAppUpgrade() [{configKey=[Ljava.lang.String;@cf2f91a, system=1, isShowUpdate=false, appId=com.aikucun.akapp, channel=2010, deviceModel=google-Pixel 3, buildCode=76302, version=7.63.2, userCode=, deviceBrand=Google}]}}
MD5Utils.md5 is called: value={"configKey":["versionUpdate"],"system":1,"isShowUpdate":false,"appId":"com.aikucun.akapp","channel":"2010","deviceModel":"google-Pixel 3","buildCode":76302,"version":"7.63.2","userCode":"","deviceBrand":"Google"}
MD5Utils.md5 result=ce10a5623f4ce537c8cbd4e306504860
MXV1Sign.bodyMD5 result=ce10a5623f4ce537c8cbd4e306504860

好了，这里就把signV3方法的参数和返回值分析完成了，接下来就到so里面具体分析这个函数的实现过程了。

so分析

signV3的实现在mx里

定位signV3

IDA打开so文件，在导出函数表里搜索Java，直接就定位到了，双击跳转到函数地址

对反汇编的内容稍作处理，得到如下内容

__int64 __fastcall Java_com_mengxiang_arch_security_MXSecurity_signV3(
        JNIEnv *env,
        jobject obj,
        char *url,
        char *noncestr,
        char *timestamp,
        char *body)
{
  JNIEnv v6; // x8
  size_t v11; // x28
  size_t v12; // x25
  size_t v13; // x26
  size_t v14; // x27
  size_t v15; // x20
  size_t v16; // x21
  size_t v17; // x22
  size_t v18; // x23
  unsigned __int64 v19; // x20
  _QWORD *v20; // x24
  __int64 v21; // x8
  char *v22; // x0
  char *v23; // x0
  char *v24; // x0
  char *v25; // x0
  char *v26; // x0
  char *v27; // x0
  char *v28; // x0
  char *v29; // x0
  __int64 v30; // x8
  char *v31; // x0
  char *v32; // x0
  char *v33; // x0
  unsigned int v34; // w20
  jbyteArray sha256_data; // x21
  char *v36; // x1
  jstring (*NewStringUTF)(JNIEnv *, const char *); // x2
  size_t v39; // [xsp+8h] [xbp-78h]
  char *timestamp_char; // [xsp+10h] [xbp-70h]
  char *noncestr_char; // [xsp+18h] [xbp-68h]
  char *url_char; // [xsp+20h] [xbp-60h]
  const char *body_char; // [xsp+28h] [xbp-58h]

  v6 = *env;
  if ( (byte_32051 & 1) != 0 )
  {
    noncestr_char = v6->GetStringUTFChars(env, noncestr, 0LL);
    timestamp_char = (*env)->GetStringUTFChars(env, timestamp, 0LL);
    url_char = (*env)->GetStringUTFChars(env, url, 0LL);
    body_char = (*env)->GetStringUTFChars(env, body, 0LL);
    v39 = __strlen_chk("appid=", 7uLL);
    v11 = __strlen_chk("&svs=", 6uLL);
    v12 = __strlen_chk("v3", 3uLL);
    v13 = __strlen_chk("&noncestr=", 0xBuLL);
    v14 = strlen(noncestr_char);
    v15 = __strlen_chk("&timestamp=", 0xCuLL);
    v16 = strlen(timestamp_char);
    v17 = __strlen_chk("&secret=", 9uLL);
    v18 = __strlen_chk("&url=", 6uLL);
    v19 = v39 + v11 + v12 + v13 + v14 + v15 + v16 + v17 + v18 + strlen(url_char) + 74;
    v20 = operator new[](v19);
    memset(v20, 0, v19);
    *v20 = 0LL;
    strcat(v20, "appid=");
    v21 = 32LL;
    if ( isDebug )
      v21 = 16LL;
    v22 = strcat(v20, *(lpAppInfo + v21));
    v23 = strcat(v22, "&svs=");
    v24 = strcat(v23, "v3");
    v25 = strcat(v24, "&noncestr=");
    v26 = strcat(v25, noncestr_char);
    v27 = strcat(v26, "&timestamp=");
    v28 = strcat(v27, timestamp_char);
    v29 = strcat(v28, "&secret=");
    v30 = 40LL;
    if ( isDebug )
      v30 = 24LL;
    v31 = strcat(v29, *(lpAppInfo + v30));
    v32 = strcat(v31, "&url=");
    strcat(v32, url_char);
    if ( body_char && strlen(body_char) )
    {
      v33 = strcat(v20, "&");
      strcat(v33, body_char);
    }
    v34 = strlen(v20);
    sha256_data = (*env)->NewByteArray(env, v34);
    (*env)->SetByteArrayRegion(env, sha256_data, 0LL, v34, v20);
    v36 = digest(env, ALGORITHM_SHA256, sha256_data);
    NewStringUTF = (*env)->NewStringUTF;
  }
  else
  {
    NewStringUTF = v6->NewStringUTF;
    v36 = "";
  }
  return NewStringUTF(env, v36);
}

调用了digest方法，是SHA256签名算法，参数是sha256_data，分析这个参数是怎么生成的

它是由appid，svs、noncestr、timestamp、secret、url、body这些内容拼接而成的

目前还有两个未知参数appid和secret

appid

这里看到appid的值是lpAppInfo加上一个偏移，偏移与isDebug有关

可以直接用frida直接打印内存中的数据

isDebug的值为0，所以v21的值为32

接下来打印lpAppInfo的值

lpAppInfo的值为773f4e8b70，lpAppInfo是个二级指针，加上偏移，打印它在内存中的数据

还是指向一个地址，继续打印

这里就得到appid的值为38741001

secret

这里和appid参数一样，只需要修改偏移就可以打印secret的值

继续打印

这里得到secret的值为04fdc5e4d9c7420e896ee92b17c68e9f

hook digest

参数分析完成了，接下来hook digest函数

function hook_dlopen(){
    //Android8.0之后加载so通过android_dlopen_ext函数
    var android_dlopen_ext = Module.findExportByName(null,"android_dlopen_ext");
    console.log("addr_android_dlopen_ext",android_dlopen_ext);
    var islibmx = false;
    Interceptor.attach(android_dlopen_ext,{
        onEnter:function(args){
            var pathptr = args[0];
            if(pathptr!=null && pathptr != undefined){
                var path = ptr(pathptr).readCString();
                if(path.indexOf("libmx.so")!=-1){
                    islibmx = true;
                    console.log("android_dlopen_ext:",path);
                }
                
            }
        },
        onLeave:function(retvel){
            //console.log("leave!");
            if(islibmx){
                islibmx=false;
                hook_digest()

            }
        }
    })
}

function hook_digest(){
    var digest_addr = Module.findExportByName("libmx.so","_Z6digestP7_JNIEnvPKcP11_jbyteArray");
    console.log("addr:",digest_addr);
    Interceptor.attach(digest_addr,{
        onEnter:function(args){
            console.log("hooked");
            console.log("args[1]:",args[1].readCString());
            console.log("args[2]:",args[2]);
        },
        onLeave:function(retval){
            console.log("retval:",retval.readCString())
        }
    })
}

function main(){
	hook_dlopen()
}

main()

hook 结果

hooked
args[1]: SHA256
args[2]: 0x15
retval: 580ef777f37fbb91dc13afa7cf6c2cd40db25286898f79af7ee4d707a2776a5b
hooked
args[1]: SHA256
args[2]: 0x19
retval: 06c3972159e698bec75632ecf9dd3e03ef47414f4cb22ec963effa10764a526e
hooked
args[1]: SHA256
args[2]: 0x15
retval: de46725478edde6cc051dcdab7d0cd762678999038fa010d7188e7340c530932
hooked
args[1]: SHA256
args[2]: 0x15
retval: b1eabf65340dd48a7e3d2855ffe38c4b21461f2a5688a7abbdfe970c30799ae2

这里有些小疑惑，args[2]是加密的数据，应该是一个指针，指向一个字符串，而这里是一个数值

找到这个变量定义的地方，原来它的类型是jbyteArray类型，打印出来的值实际上是jbyteArray的句柄值。

打印jbyteArray，我们可以调用如下方法

function jbyteArray2Array(jbyteArray) {
    var ret;
    Java.perform(function() {
        var b = Java.use('[B');
        var buffer = Java.cast(jbyteArray, b);
        ret = Java.array('byte', buffer);
    });
    return ret;
}

加入到hook代码中

function hook_dlopen(){
    //Android8.0之后加载so通过android_dlopen_ext函数
    var android_dlopen_ext = Module.findExportByName(null,"android_dlopen_ext");
    console.log("addr_android_dlopen_ext",android_dlopen_ext);
    var islibmx = false;
    Interceptor.attach(android_dlopen_ext,{
        onEnter:function(args){
            var pathptr = args[0];
            if(pathptr!=null && pathptr != undefined){
                var path = ptr(pathptr).readCString();
                if(path.indexOf("libmx.so")!=-1){
                    islibmx = true;
                    console.log("android_dlopen_ext:",path);
                }
                
            }
        },
        onLeave:function(retvel){
            //console.log("leave!");
            if(islibmx){
                islibmx=false;
                hook_digest()

            }
        }
    })
}

function hook_digest(){
    var digest_addr = Module.findExportByName("libmx.so","_Z6digestP7_JNIEnvPKcP11_jbyteArray");
    console.log("addr:",digest_addr);
    Interceptor.attach(digest_addr,{
        onEnter:function(args){
            console.log("hooked");
            console.log("args[1]:",args[1].readCString());
            let arrayStr = Java.use("java.lang.String").$new(jbyteArray2Array(args[2]))
            console.log("args[2]",arrayStr);
        },
        onLeave:function(retval){
            console.log("retval:",retval.readCString())
        }
    })
}

function jbyteArray2Array(jbyteArray) {
    var ret;
    Java.perform(function() {
        var b = Java.use('[B');
        var buffer = Java.cast(jbyteArray, b);
        ret = Java.array('byte', buffer);
    });
    return ret;
 }

function main(){
	hook_dlopen()
}

main()

hook 结果如下

hooked
args[1]: SHA256
args[2] appid=38741001&svs=v3&noncestr=52d7e0&timestamp=1736841686&secret=04fdc5e4d9c7420e896ee92b17c68e9f&url=https://m.xiangdian.com/api/mshop/mshop-aggr-prod/outer/v1/material/create/createAuth?appid=38741001&did=cf05095e7e5c4492023833c88e4701bd&noncestr=52d7e0&svs=v3&timestamp=1736841686&37a6259cc0c1dae299a7866489dff0bd
retval: c8a8920fdb192fbff509a3fcc02a574387bba8387b3699c3b523f6b9a5f1a9bb
hooked
args[1]: SHA256
args[2] appid=38741001&svs=v3&noncestr=dc5f62&timestamp=1736841687&secret=04fdc5e4d9c7420e896ee92b17c68e9f&url=https://zuul.aikucun.com/appconfigmgt/api/v1/download/config?appid=38741001&did=cf05095e7e5c4492023833c88e4701bd&noncestr=dc5f62&svs=v3&timestamp=1736841687&ce10a5623f4ce537c8cbd4e306504860
retval: 374c820993d895d427540bc5a0416a20c0813b0050f9f2d547b6557531b587e3
hooked
args[1]: SHA256
args[2] appid=38741001&svs=v3&noncestr=0446f5&timestamp=1736841688&secret=04fdc5e4d9c7420e896ee92b17c68e9f&url=https://zuul.aikucun.com/appconfigmgt/api/v1/download/config?appid=38741001&did=cf05095e7e5c4492023833c88e4701bd&noncestr=0446f5&svs=v3&timestamp=1736841688&ce10a5623f4ce537c8cbd4e306504860
retval: cf733458b1142b469afbee61529ca5e37730c551ada13e8839cc390660c773db
hooked
args[1]: SHA256
args[2] appid=38741001&svs=v3&noncestr=e8e90a&timestamp=1736841688&secret=04fdc5e4d9c7420e896ee92b17c68e9f&url=https://zuul.aikucun.com/appconfigmgt/api/v1/download/config?appid=38741001&did=cf05095e7e5c4492023833c88e4701bd&noncestr=e8e90a&svs=v3&timestamp=1736841688&ce10a5623f4ce537c8cbd4e306504860
retval: 8af4d51e17d8d8c1d9b3a0da22796ea52871bbeb27a630e74db97befce039814

参数还原

import requests
import hashlib
import uuid
import time


def md5_digest(data):
    md5 = hashlib.md5()
    md5.update(data.encode("utf-8"))
    result = md5.hexdigest()
    return result

url = "https://zuul.aikucun.com/appconfigmgt/api/v1/download/config"

body = '{"configKey":["versionUpdate"],"system":1,"isShowUpdate":false,"appId":"com.aikucun.akapp","channel":"2010","deviceModel":"google-Pixel 3","buildCode":76302,"version":"7.63.2","userCode":"","deviceBrand":"Google"}'
bodymd5 = md5_digest(body)

uuid = str(uuid.uuid4())
appid = "38741001"
svs = "v3"
noncestr = uuid[0:6]
timestamp = str(int(time.time()))
secret = "04fdc5e4d9c7420e896ee92b17c68e9f"
did = md5_digest("micker.cn"+uuid)
cat_url = url+"?"+"appid="+appid+"&did="+did+"&noncestr="+noncestr+"&svs=v3"+"&timestamp="+timestamp+"&"+bodymd5
sha256_str = "appid="+appid+"&svs="+svs+"&noncestr="+noncestr+"&timestamp="+timestamp+"&secret="+secret+"&url="+cat_url
sha256 = hashlib.sha256()
sha256.update(sha256_str.encode("utf-8"))
sign = sha256.hexdigest()
print(sha256_str)


headers = {
  "Auth-Token": "",
  "User-Agent": "Pixel3 android 9 7.63.2 2.0",
  "token": "477c33c6-2f38-4363-a670-314393b47c1b",
  "AKC-MODEL": "Pixel3",
  "AKC-OS": "android",
  "AKC-OS-VERSION": "9",
  "AKC-APP-VERSION": "7.63.2",
  "AKC-APP-API-VERSION": "2.0",
  "AKC-APP-BUILD-VERSION": "76302",
  "AKC-DID": "bedf28c355443e1f695fad8bed68fb62",
  "AKC-APP-CHANNEL": "2010",
  "applicationId": "com.aikucun.akapp",
  "x-auth-token": "",
  "live-channel": "20",
  "dtdToken": "6784f1da9Lvio98PqHQ7NhCTS4TB4ruXU4mwxoe3",
  "app2H5Token": "",
  "uid": "",
  "subUid": "",
  "APP-LOGIN-CHANNEL": "akcApp",
  "app-request-id": "120883481161481b9ab275208092d108",
  "PAGE-NAME": "%E7%99%BB%E5%BD%95",
  "TRACKER-SESSION-ID": "0be8b952d15b980a",
  "APP-USER-TYPE": "6",
  "Content-Type": "application/json; charset=UTF-8",
  "Content-Length": "213",
  "Host": "zuul.aikucun.com",
  "Connection": "Keep-Alive",
  "Accept-Encoding": "gzip"
}

params = {
  "appid": appid,
  "did": did,
  "noncestr": noncestr,
  "svs": svs,
  "timestamp": timestamp,
  "sign": sign
}



data = {
  "configKey": [
    "versionUpdate"
  ],
  "system": 1,
  "isShowUpdate": False,
  "appId": "com.aikucun.akapp",
  "channel": "2010",
  "deviceModel": "google-Pixel 3",
  "buildCode": 76302,
  "version": "7.63.2",
  "userCode": "",
  "deviceBrand": "Google"
}

response = requests.post(url=url,headers=headers,params=params,json=data)
print(response.status_code)
print(response.text)

>>>
appid=38741001&svs=v3&noncestr=ade8eb&timestamp=1736844173&secret=04fdc5e4d9c7420e896ee92b17c68e9f&url=https://zuul.aikucun.com/appconfigmgt/api/v1/download/config?appid=38741001&did=eb3be18635dec1ae73f3a0b86e81c982&noncestr=ade8eb&svs=v3&timestamp=1736844173&ce10a5623f4ce537c8cbd4e306504860
200
{"code":200,"data":{},"message":"success","status":"success","success":true}

白乐天

爱库存app参数sign还原

App信息

关于frida反调试

抓包分析数据

jadx反编译apk

onAttachQueryParameters

signV3

hook signV3

url

getDId

getUdid

nonceStr

timestamp

body

bodyMD5

hook bodyMD5

so分析

定位signV3

appid

secret

hook digest

参数还原