淘特app x-sign参数签名分析

之前看见大佬说淘特app的风控比tb的要小很多，于是学习了下t特的签名分析

一、抓包分析

通过Charles抓包分析，分析请求参数

headers = {
    "x-sgext": "JAWowlF3DRjHdjoiU%2Flc38K43prxmuGa9Jv3muGc94vwhPOE84TzhPaZ7pvume6e7p7unu6Y7pjume6Z7pvum%2BGZ9J36mfue9Zvyi%2FKbocrymPKZ8Z7zyfbOoJ7hmOGZ9YukzuGY8pj1i%2FGL84vzi%2FOL84vwi%2FOL84vxi%2FCL8Yvwi%2FKL8ovyi%2FKL8ovhzeHOp4vyi6Sd9crymw%3D%3D",
    "x-sign": "azOBBF004xAAIEC0%2BnSbXoHpMSMCYECwRSAyFmA8szXsYfQNn3TzGwWYI%2Bhh%2BJcr5DrjI3O0ptqb4nTUEIEEBOH04iBAoECwQKBAff",
    "x-sid": "26ab435dde95f9efff48375d37401d6bb34",
    "x-uid": "273179234",
    "x-pv": "6.3",
    "clipboard": "",
    "x-features": "27",
    "x-app-conf-v": "0",
    "x-mini-wua": "HHnB_g1U%2fffOqRFABD3qtZGgHeLI9tTC6%2B%2Fb89EtvOHAlokRy%2BO5HhpUdd4jNJKM6GEbaK%2BJLDLQAZqa2o32E%2Fjy6CassnEX5wtEz4THSDCobdOUUIInvNuk3fkGq%2FeTlqJBDBi0mIq7VL%2BRwpBzrXQWHKgaPzavPTasLotr4F1ydCso%3D",
    "content-type": "application/x-www-form-urlencoded;charset=UTF-8",
    "cache-control": "no-cache",
    "oaid": "db320a2332307ec2e",
    "x-t": t,
    "x-bx-version": "6.5.53",
    "f-refer": "mtop",
    "x-extdata": "openappkey%3DDEFAULT_AUTH",
    "x-ttid": "700159%40ltao_android_4.21.0",
    "x-app-ver": "4.21.0",
    "x-c-traceid": "YgsIvfeg34fsvYiE1LEJLc1658196954357704613567v",
    "x-umt": "zRtL3fxLOrRShjWCFI15ukiqOTMwrfs4",
    "a-orange-q": "appKey=24717361&appVersion=4.21.0&clientAppIndexVersion=1120220718194900950&clientVersionIndexVersion=0",
    "x-utdid": "YgsIvdfsfdsfdYiE1LEJLS",
    "c-launch-info": "0,0,1658196958695,1658196729168,3",
    "imei": "9dhc6c423d6b256d",
    "x-appkey": "24717361",
    "x-falco-id": "0232b7891c70db644367ee5c74400c2a847_0",
    "x-devid": "NGqVf8ZMr9U39mKnFUSKA3zqQVIlTsdguuttvAG3mhNQrV7mqrIyDjwX4SH6qI7s",
    "user-agent": "MTOPSDK%2F3.1.1.7+%28Android%3B10%3BXiaomi%3BMI+8+Lite%29",
    "Host": "trade-acs.m.taobao.com"
}
cookies = {
}
params = {
    "wua": "TJ7g_4wD7rCCX873i6hcCcSJ3b851M5YGlo7J6KnTHHlSZHFcccccj4o+FO0hvMDw6jL9SY1jklso4z8tCVC9LvIokgTVTWWvmCuWYWyIR6EvtZddddddQj+FpLfepRi8WmjfwfBjsEy4/7qrxSXmahkXAIELxeNpvxHKsE3LQXP73PUTxObYUX5gXEQ7fCXg9vYHPVJXwuLTpH2uJYxY2/wulEP0kFCwT5fzYY1F1H0+dFFeZBT4XxjB0D7L5yUhqGLtGTFXTyjN3S6jzk+CRY0L9V8V6Ba3Q6vduQCxO6lnUErgnKl5RwkRK9hSRphAwI3lX1K/u2gm5N+ZrrrrrrzkcKBBqfFzmVWjn9Dlflbmycn8NIBPu790l1LztufXtHg3",
    "data": "{\"enterNewLink\":\"true\",\"exParams\":\"{}\",\"itemId\":\"673782044083\",\"version\":\"3.0.0\"}"
}
url = "http://trade-acs.m.taobao.com/gw/mtop.alibaba.jnpiter.detail.getdetail/1.0/"
response = requests.post(url, headers=headers, params=params, data=data)

额，熟悉阿里系相关app的应该都知道阿里的主要参数验证x-sgext、x-mini-wua、x-umt、x-sign、wua就是这几个

二、通过jadx-gui分析apk

按照以前某宝的思路，直接搜x-sign。只搜出来几个，这里点进去看下

看一下a5的来历

最后进入这里，一开始还以为找到了。结果hook了半天，没反应，又继续搜，又没找到其它类似的。猜测该方法被其它地方重写了。

于是直接搜a(HashMap<String, String> hashMap, HashMap<String, String> hashMap2, String str, String str2, boolean z, String str3)，果然有

最下面那个点进去就是

hook下看看，入参和返回值都打印出来了，其中参数5是用来验证wua这个返回值的，传入true就会返回wua，否则不会返回wua

三、测试结果

最后模拟测试下，我这里测试的是详情页，不断更换商品id（itemId）也能返回数据。证明参数构造成功。

额，淘特的详情页不加携带登录信息也能返回数据。。不过我这里还没大量测试

最后再分析下x-sign参数来源
使用这个方法打印下该类的所有成员变量试试

    var fields = Java.cast(this.getClass(),Java.use('java.lang.Class')).getDeclaredFields();
    for (var i = 0; i < fields.length; i++) {
        var field = fields[i];
        field.setAccessible(true);
        var name = field.getName();
        var value =field.get(this)
        console.log("key:",name, '/', "value:", value);
    }

可以找找com.xxxxx.wireless.security.middletierplugin.c.a.a$a这个类在哪里

//反射方式替换loader,查找实例
    Java.enumerateClassLoaders({
        onMatch:function(loader){
            try {
                if(loader.findClass("com.xxxxx.wireless.security.middletierplugin.c.a.a$a")){
                    console.log("ok");
                    Java.classFactory.loader = loader;
                    console.log(loader);
                }
            } catch (error) {
                console.log("error");
            }
        },onComplete:function(){}
    })

libsgmiddletier.so这个so文件里面应该就是x-sign的算法了，算法还原就交给各位大佬了。。。。

楼主是小白，大佬勿喷。。