Should client_id be generated locally? #150
Comments
Fact check: it is not carried at all.
Hmm, then I'll change it in the next version... What I still can't quite figure out is that the new version has a parameter
@HuanCheng65 You, sir, added to the three main thread endpoints
The https://bbs.tiebazs.com/593-1-1.html cited in #145 (comment) claims that. It is therefore entirely reasonable to assume this is a sinister telemetry practice of the Tieba server side, used to track the same unique Tieba client user over a period of time (it embeds a unix timestamp, so it may have an expiry).
It's this one. From the packet capture it looks like it requests a URL (no idea how the address is derived) and then decrypts the result... the domain is sofire.baidu.com.
The latter point is a legacy issue... TiebaLite/app/src/main/java/com/huanchengfly/tieba/post/api/models/PersonalizedBean.kt Line 45 in 0c75052
This model was defined wrongly back when it was converted to Kotlin.
sofire should be a local database similar to sqlite; inside the app it is accessed via
I don't think I have anything to add; after all, I know nothing about Tieba.
Did a round with frida and found
Test environment:

```python
import sys
import frida

# Frida script: instantiate com.baidu.sofire.g with the application context
# and call its a() method to obtain xytk
jscode = """
Java.perform(function () {
    var current_application = Java.use('android.app.ActivityThread').currentApplication();
    var context = current_application.getApplicationContext();
    let C2628g = Java.use("com.baidu.sofire.g");
    var inst_g = C2628g.$new(context);
    var xytk = inst_g.a();
    console.log(xytk);
});
"""

def on_message(message, data):
    print(message)

# Attach to the running 贴吧极速版 process on the remote device and load the script
process = frida.get_remote_device().attach('贴吧极速版')
script = process.create_script(jscode)
script.on('message', on_message)
script.load()
sys.stdin.read()
```

Output: [screenshot]
So
@Starry-OvO When I decompiled 11.10.8.6 earlier, it looked like the whole thing is written into this SharedPreferences once it has been obtained... but I forget exactly where; I'll take another look when I have time.
Better safe than sorry, and the posting and private-message endpoints both depend on this.
#StarryGodFollowsJixueGodIntoTheTiebaBlackAndGrayMarketToBuildAdBots Then my blind guess is that it's used to make subsequent receiving easier after posting / private messaging
Classic JVM-bytecode reading-comprehension time.
The most critical question right now is that we don't know
The Lite version is not capable of independently generating the new-version
Hooking the initialization of Tieba 12.35.1.0 with the following frida script shows that the new version

frida -U -l hook_new.js -f com.baidu.tieba

```javascript
// hook_new.js
Java.perform(function () {
    // Hook com.baidu.tieba.z00.b(byte[]) and log its argument and return value
    let z00 = Java.use("com.baidu.tieba.z00");
    z00["b"].implementation = function (bArr) {
        console.log('m22480b is called' + ', ' + 'bArr: ' + bArr);
        let ret = this.b(bArr);
        console.log('m22480b ret value is ' + ret);
        return ret;
    };
    // Hook com.baidu.tieba.pz.a(byte[]) the same way
    let C17942pz = Java.use("com.baidu.tieba.pz");
    C17942pz["a"].implementation = function (bArr) {
        console.log('m49465a is called' + ', ' + 'bArr: ' + bArr);
        let ret = this.a(bArr);
        console.log('m49465a ret value is ' + ret);
        return ret;
    };
});
```

Output: [screenshot]

the generated
So I'd like to ask whether you can tell what digest algorithm these two functions resemble.
@Starry-OvO That blob at the end is related to several methods in the com/baidu/helios package.
If it isn't some general-purpose algorithm, I'll just hand-roll it.
I'd say it's pretty complicated... one big blob... I couldn't make it out, lol (noob.jpg)
@Starry-OvO 11.10.8.6
In 12.35.1.0 it may no longer be
Just downloaded a 12.35.1.0 package and had a look; it seems to have become
Suggest immediately phoning an intermediate-level bit-twiddling expert n0099/TiebaMonitor#24 (comment)
Classic V-circle clique-forming #StarryGodOfficiallyEntersTheCCppRustLowLevelSystemsLanguageField
https://www.perfare.net/
?cuid=baidutiebaapp266d7d86-6f18-42b5-b61b-d716cdb23991
&cuid_galaxy2=6CF3E8B6E635CD3AE1E72C082ED9963A%7CO
&cuid_gid
&timestamp=1577203677573
&_client_version=10.3.8.41
&nohead=1
https://blog.csdn.net/lovesmiles/article/details/102685514
Eh, let me have a look……

```java
iArr[0] = (byte) ((sArr[0] >> 3) & 31);
iArr[1] = (byte) (((sArr[0] & 7) << 2) | ((sArr[1] >> 6) & 3));
iArr[2] = (byte) ((sArr[1] >> 1) & 31);
iArr[3] = (byte) (((sArr[1] & 1) << 4) | ((sArr[2] >> 4) & 15));
iArr[4] = (byte) (((sArr[2] & 15) << 1) | ((sArr[3] >> 7) & 1));
iArr[5] = (byte) ((sArr[3] >> 2) & 31);
iArr[6] = (byte) (((sArr[4] >> 5) & 7) | ((sArr[3] & 3) << 3));
iArr[7] = (byte) (sArr[4] & 31);
```

Feels like Base32 or something similar. What this bit manipulation actually does is split the 5 bytes in sArr into 40 bits and stuff every 5 bits into one byte of iArr. The elements of sArr range over 0~255, those of iArr over 0~31.

Outer loop
Let's just take this

```java
int i6;
for (i6 = 0; i6 < 8 - m22481a; ++i6) {
    // this.f90491a should be the Base32 alphabet
    // the alphabet tells you which Base32 variant this is
    char charAt = this.f90491a.charAt(iArr[i6]);
    // when this.f90493c is true, convert to lowercase
    if (this.f90493c) charAt = Character.toLowerCase(charAt);
    byteArrayOutputStream.write(charAt);
}
// when this.f90492b is true, pad the end with '=' characters
if (this.f90492b) for (; i6 < 8; ++i6) byteArrayOutputStream.write('=');
```

Combined with the above
Classic baseXX n0099/TiebaMonitor#24 (comment)
@yangbowen Thanks for the analysis. I just verified it and found

```python
import base64

# Build the 5 bytes from the signed Java byte values seen in the hook output
src = b''.join(i.to_bytes(1, 'big', signed=True) for i in [-78, 27, 22, -23, 76])
print(base64.b32encode(src).decode('ascii'))
```

Output: [screenshot]
By the way, it would be nice not to post code as images…… text is a little easier to transform by hand, whereas an image can only be looked at.
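As an added worked example (not code from this thread, nor from TiebaLite or aiotieba), the following Python reimplements the encoder yangbowen read out of the decompiled loop: five input bytes become eight 5-bit indexes into an alphabet, each character is optionally lowercased, and `=` padding fills the remaining slots when the input is not a multiple of 5 bytes. The names `pack_5_bytes`, `b32encode_manual`, `matches_stdlib` and `_GROUPS_FOR_TAIL` are my own, and so is the assumption that the decompiled loop bound `8 - m22481a` is the number of alphabet characters emitted for a short final chunk. The sample input is constructed from the same five signed byte values used in the verification above, and the result is checked against Python's `base64.b32encode`, so the "it is just Base32" conclusion can be tested rather than read off a screenshot. It also goes one step beyond the thread by showing that swapping the alphabet (the `this.f90491a` field) is what turns the same bit packing into the base32hex variant.

```python
import base64

# RFC 4648 Base32 alphabet. The decompiled code keeps its alphabet in a field
# (this.f90491a in the snippet above); swapping it selects the Base32 variant.
RFC4648_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
BASE32HEX_ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUV"

# Constructed input: the same five signed Java bytes used in the verification
# above ([-78, 27, 22, -23, 76]), reinterpreted as unsigned bytes.
SAMPLE_BYTES = bytes(v & 0xFF for v in [-78, 27, 22, -23, 76])

# How many 5-bit groups carry real data when the final chunk holds n bytes
# (8n bits rounded up to a multiple of 5). Assumed to be what the decompiled
# loop bound `8 - m22481a` evaluates to; the remaining slots become '='.
_GROUPS_FOR_TAIL = {0: 0, 1: 2, 2: 4, 3: 5, 4: 7, 5: 8}


def pack_5_bytes(chunk: bytes) -> list:
    """Split a chunk of up to 5 bytes into eight 5-bit values (0..31).

    The bit slices are exactly the iArr[0..7] assignments from the decompiled
    code. A short chunk is zero-filled first so the same slices apply, which
    also leaves the unused low bits of the last emitted group zero as RFC 4648
    requires.
    """
    s = chunk.ljust(5, b"\x00")
    return [
        (s[0] >> 3) & 31,
        ((s[0] & 7) << 2) | ((s[1] >> 6) & 3),
        (s[1] >> 1) & 31,
        ((s[1] & 1) << 4) | ((s[2] >> 4) & 15),
        ((s[2] & 15) << 1) | ((s[3] >> 7) & 1),
        (s[3] >> 2) & 31,
        ((s[4] >> 5) & 7) | ((s[3] & 3) << 3),
        s[4] & 31,
    ]


def b32encode_manual(data: bytes, alphabet: str = RFC4648_ALPHABET,
                     pad: bool = True, lowercase: bool = False) -> str:
    """Base32-encode `data` the way the decompiled output loop does.

    `pad` plays the role of this.f90492b (append '=' up to 8 characters per
    chunk) and `lowercase` the role of this.f90493c (Character.toLowerCase).
    """
    if len(alphabet) != 32:
        raise ValueError("a Base32 alphabet must have exactly 32 symbols")
    out = []
    for offset in range(0, len(data), 5):
        chunk = data[offset:offset + 5]
        groups = pack_5_bytes(chunk)
        used = _GROUPS_FOR_TAIL[len(chunk)]
        for index in groups[:used]:        # outer loop: i6 < 8 - m22481a
            ch = alphabet[index]
            out.append(ch.lower() if lowercase else ch)
        if pad:                            # trailing '=' for a short final chunk
            out.append("=" * (8 - used))
    return "".join(out)


def matches_stdlib(data: bytes) -> bool:
    """True when the hand-rolled encoder agrees with base64.b32encode."""
    return b32encode_manual(data) == base64.b32encode(data).decode("ascii")


if __name__ == "__main__":
    print(b32encode_manual(SAMPLE_BYTES))                           # WINRN2KM
    print(base64.b32encode(SAMPLE_BYTES).decode("ascii"))           # WINRN2KM
    print(b32encode_manual(b"fooba", alphabet=BASE32HEX_ALPHABET))  # CPNMUOJ1
```

The `_GROUPS_FOR_TAIL` table is just ceil(8n / 5) for n = 1..5; everything else in the encoder is the thread's own bit slicing plus the three switches (alphabet, lowercase, padding) that the decompiled fields expose.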
Making a note: use the following frida script to trace how 12.x versions generate

```python
import sys
import frida

jscode = """
Java.perform(function () {
    // Hook com.baidu.tieba.sz.a(c3121b, i, i2, i3) and dump its arguments and result
    var C19380sz = Java.use("com.baidu.tieba.sz");
    C19380sz["a"].implementation = function (c3121b, i, i2, i3) {
        console.log('a is called ' + 'i: ' + i + ', ' + 'i2: ' + i2 + ', ' + 'i3: ' + i3);
        console.log('c3121b:');
        logc3121b(c3121b);
        var ret = this.a(c3121b, i, i2, i3);
        console.log('a ret value is ' + ret);
        return ret;
    };
    // Call com.baidu.tieba.pz.a() directly on the ASCII bytes of a cuid
    var C17942pz = Java.use("com.baidu.tieba.pz");
    var inst_pz = C17942pz.$new();
    var buffer = Java.array('byte', [54, 57, 51, 67, 48, 55, 50, 56, 49, 54, 56, 48, 69, 55, 51, 68, 69, 69, 48, 57, 51, 57, 54, 52, 50, 66, 52, 53, 57, 69, 53, 57]);
    var res = inst_pz.a(buffer);
    console.log('res is ' + res);
    // Dump the fields a (long[]), b and c of the c3121b object via reflection
    function logc3121b(c3121b) {
        var a_field = c3121b.getClass().getField('a');
        var a = a_field.get(c3121b);
        var buffer = Java.array('long', a);
        for (var i = 0; i < buffer.length; ++i) {
            console.log('a: ' + buffer[i]);
        }
        var b_field = c3121b.getClass().getField('b');
        var b = b_field.get(c3121b);
        console.log('b: ' + b);
        var c_field = c3121b.getClass().getField('c');
        var c = c_field.get(c3121b);
        console.log('c: ' + c);
    }
});
"""

def on_message(message, data):
    print(message)

# Attach to the running 百度贴吧 process on the remote device and load the script
process = frida.get_remote_device().attach('百度贴吧')
script = process.create_script(jscode)
script.on('message', on_message)
script.load()
sys.stdin.read()
```

Expected output: [screenshot]
So what exactly is
Suggest immediately using https://open.youtu.qq.com
It's just a test case.
[screenshot]
Starry-OvO/aiotieba@ |
Use the following frida script to trace

```javascript
// hook_sp.js
setImmediate(function () {
    Java.perform(function () {
        // Print the current Java call stack by constructing a throwaway Exception
        function printStack() {
            Java.perform(function () {
                var Exception = Java.use("java.lang.Exception");
                var ins = Exception.$new("Exception");
                var straces = ins.getStackTrace();
                if (straces != undefined && straces != null) {
                    var strace = straces.toString();
                    var replaceStr = strace.replace(/,/g, "\r\n");
                    console.log("=============================Stack start=======================");
                    console.log(replaceStr);
                    console.log("=============================Stack end=======================\r\n");
                    Exception.$dispose();
                }
            });
        }
        // Hook the SharedPreferences editor's putString and dump the caller when the key is "xytk"
        var sp = Java.use("android.app.SharedPreferencesImpl$EditorImpl");
        sp.putString.overload('java.lang.String', 'java.lang.String').implementation = function (arg1, arg2) {
            if (arg1 == "xytk") {
                console.log("[SharedPreferencesImpl] putString -> key: " + arg1 + " = " + arg2);
                printStack();
            }
            return this.putString(arg1, arg2);
        };
    });
});
```

Run from the command line: frida -U -l .\hook_sp.js -f com.baidu.tieba_mini

Expected result: [screenshot]
For the record. My verdict: the final summit of client-parameter reconstruction. The dynamically loaded dex is located at

```json
{
  "1": "",
  "2": "com.baidu.tieba_mini",
  "3": "",
  "4": "3B92F4025F6181B37BC2CEF5F2129E67|0",
  "5": "1007113",
  "6": 1675172431954,
  "7": "",
  "8": "740017",
  "9": "x6",
  "10": "4.1.4.2",
  "11": "",
  "12": "",
  "13": 1,
  "14": 1,
  "module_section": [
    {
      "token": "3B92F4025F6181B37BC2CEF5F2129E6782",
      "ut": "3B92F4025F6181B37BC2CEF5F2129E6782",
      "magic": "wwqlDj6YyE4ApMIxMZ71EnutjiF7T8TV5yFxuJDK5cW6/4qlvKK/NcaeTe75bkx5B",
      "token_rt": "",
      "mz": "3B92F4025F6181B37BC2CEF5F2129E67|0",
      "ds": "2",
      "zid": "3B92F4025F6181B37BC2CEF5F2129E67|0",
      "act_st": "0",
      "chn_st": "0",
      "os_ver": "28",
      "reason": {
        "1": 1,
        "2": 0,
        "3": 1675172431951,
        "4": 3
      },
      "tp": "3",
      "tk": "3B92F4025F6181B37BC2CEF5F2129E6782#",
      "pd": "2956",
      "lrc": "0",
      "cc": "",
      "lre": "",
      "ipo": "1",
      "rmf": "00116751724240000201190040869",
      "15091": "0",
      "15082": "00116751724240000201190040869",
      "15083": "f6rdan-CDAkamjZZ7dCC9qVOJRAyY4IWYEPabHpcPLmufa_UWcV8zo8X3PdqiFA3IsHJSdnyHhvH7YMba9hOyaAScKB42zHlJ6qyU56xkFSB0kd_K_ac1HnzQ-j4L7K75x1WN1KBlulNfnKdcmEbcm2xfXhD8Fo0UD4e37iPnKY=",
      "15006": "1",
      "cuid": "693C07281680E73DEE0939642B459E59|VWINRN2KM"
    }
  ]
}
```

Returns:

```json
{
  "token": "r92Z-2hhGHdoYCdoL9R18qAF6RX2s9wPlercbXOz2CYyjiSg2T6kNQChNaR4tarmYcaeax52Eqp_99DtsINspOg",
  "st": "56",
  "ver": "4.0.1",
  "nc": "0",
  "nt": 5,
  "op": 4,
  "da": [
    1,
    6,
    1
  ],
  "saws": "",
  "mts": "",
  "rmf": {
    "1": "",
    "2": "00116752376740010102449993047",
    "3": "cjm5Cxku3MV7co8HruoUQdFLrAk50M_sQxqjOM64vGEZTiL0FJldgebGDOMjuOBgaNapHDJCadFeM7xlV83ceoZk2v267GAF3urTv2KXV50="
  }
}
```

Full headers: [screenshot]
https://github.com/n0099/open-tbclient/commits/src/com/baidu/sofire Where is it?
So it is only at runtime, after the client has been launched, that it
Also, based on what Starry-god mentioned, I have already
While studying the decompiled source of Lite version 9.1.0.0 this morning, I found that client_id (RetrofitTiebaApi.kt#L45) does not seem to be something that can be randomly generated locally the way cuid_galaxy2 can. cuid and cuid_galaxy2 are both generated in the init function of com.baidu.tbadk.core.TbadkCoreApplication, whereas client_id only has a single cache-read action there.

[screenshot]

Searching for where ClientId is called reveals a setClientId function; tracing that

[screenshot]

setClientId function further shows that it is called from an initialization task, in which the bfD.m15998Iq function can be understood as a POST request, and the request task bfD corresponds exactly to the c/s/sync endpoint; the remaining red boxes are the supporting JSON-parsing functions. Looking at

[screenshot]

the response data of c/s/sync does indeed contain client_id. If the request parameters do not include the local

[screenshot]

client_id, the cloud will automatically generate and return a client_id based on the current timestamp.

Note: the c/s/sync endpoint only requires BDUSS, uses POST, and requires the tbclient!!! signature.