Latest TikTok (Douyin) X-Gorgon 0404 algorithm analysis, 2021-01-12, latest Douyin 14.4 version

Time:2022-4-6

Introduction:

This analysis covers Douyin version 14.4 with X-Gorgon version 0404 and has been verified against it.

The reverse-engineering and hook records below were taken from Douyin 11.30401; hooking the new version works the same way as before.

Douyin (TikTok) is the largest and most active short-video platform, and many people from different industries reverse-engineer it. When capturing its traffic you will notice a signature header called X-Gorgon, which is a mandatory parameter for every data request. In this post I walk through the analysis of that parameter.

The author is a reverse-engineering enthusiast. If you want to exchange notes on techniques or algorithms, leave an e-mail address in the comments or contact me at [email protected]

Packet capture

Suppose our business needs the popular-video feed from Douyin. The first step is to locate the specific interface by capturing packets. Here I use Charles, and configure HTTPS interception following any of the tutorials you can find on Baidu. For capture on an Android phone it is best to use a system version below 6.0!

The capture shows that the interface is https://aweme.snssdk.com/aweme/v2/feed/ followed by a very long query string. Judging from the literal values, it consists of the phone model and some information generated by Douyin itself. The response comes back in protobuf format, which Charles has already parsed for us. We then write a Python 3 script that constructs the same request.

The script does return data normally, and every header is easy to understand except X-Gorgon and X-Tt-Trace-Id. However, if we change the URL parameters without updating the header contents accordingly, no data is returned, as shown below:

    {
      "status_code": 2154,
      "aweme_list": [],
      "has_more": 1,
      "min_cursor": 0,
      "max_cursor": 0
    }

Analysis

Now we can be fairly sure that the X-Gorgon header is a signature over the request, so we go straight to the decompiled code in jadx. Searching for the keyword "X-Gorgon" lists the following results:

I pick the line HashMap.put("X-Gorgon", a3), jump to it and analyse the surrounding code.

Here we see that the value comes from a3, and a3 is produced by String a3 = a.a(com.ss.sys.ces.a.leviathan(i, currentTimeMillis, a.a(a2 + str4 + str5 + str6))); This line shows that four parameters are passed in. Let's look at the specific contents of these four parameters:

        a2 source:

            String b2 = tt.d(str);
            d.a(b2);

str is the parameter passed into the method; we will obtain its concrete content later via a hook. It is processed twice, first by tt.d() and then by d.a(). Let's follow tt.d() first.

We see that it takes the substring of the string between "?" and "#", which suggests the string is the URL. If so, only the query parameters after the URL are used. Next, look at the following method: d.a()


We can see that the MD5 digest is computed here, so the analysis of a2 is complete. Let's move on to the second parameter.

        str4 source:

This one is simple. It enumerates the second parameter, the map passed in, and checks whether there is an X-SS-STUB value; if so, it takes it, otherwise it fills in 32 zeros. In our capture there is no X-SS-STUB header. In fact it only appears when the request is a POST, in which case it is the MD5 digest of the POST body.

        str5 source:

str5 is also simple. It likewise enumerates the map to check whether there is a Cookie; if so, it takes the MD5 of the Cookie, and that is this parameter.

        str6 source:

    String c2 = tt.e(str3);
    if (c2 != null && c2.length() > 0) {
        str6 = d.a(c2);
        StcSDKFactory.getInstance().setSession(c2);
    }

Recall that str3 is the Cookie. The tt.e(str3) method returns a value and, if it is not empty, that value is MD5-hashed as well. Let's follow it and see what it does:


Here we can see that it enumerates the Cookie looking for a sessionid value; if present, it takes it out, and that is the end of str6.

        Parameter summary:

a2 = MD5(URL), presumably the MD5 of the URL's query parameters

str4 = X-SS-STUB, present only for POST requests, otherwise 32 zeros

str5 = MD5(cookie), the MD5 of the Cookie

str6 = MD5(cookie['sessionid']), the MD5 of the sessionid in the Cookie, otherwise also 32 zeros

With the four parameters sorted out, we continue. The four strings are concatenated and passed to a.a(a2 + str4 + str5 + str6). Let's follow it and see what happens inside.

We can see that it loops (total length / 2) times. Each iteration converts str[i] to its numeric value, shifts it left by 4, and adds the value of str[i + 1]; this simple operation is the result returned. In other words, the original four 32-bit values (128 bits) are shortened to 64 bits after the transformation. Finally, com.ss.sys.ces.a.leviathan(i, currentTimeMillis, a.a(a2 + str4 + str5 + str6)) is computed. It also receives two more parameters, i and currentTimeMillis: i is -1, and currentTimeMillis is the current ten-digit timestamp.

Finally, the resulting byte array is converted into a string by shifting and put into the map. We can also clearly see that X-Khronos is simply the currentTimeMillis timestamp. Because com.ss.sys.ces.a.leviathan lives in the native layer, in the libcms .so file, and is heavily obfuscated, it is not analysed further here. The method can be invoked through Xposed or unidbg.

0x02: parameter confirmation

After analysing the algorithm and working out the specific parameters, we still need to confirm that the parameters actually passed in are the ones we assumed. Since the method is a callback, let's move up the call chain to find a suitable hook point and hook it with Frida.

Searching for calls to it finds only one place. Following it, the content is just a simple assignment to sAddSecurityFactorProcessCallback. We then search for where that is called.

    public static void setAddSecurityFactorProcessCallback(a aVar) {
        sAddSecurityFactorProcessCallback = aVar;
    }

Here we see that the callback pointer is taken from this variable and, if it is not null, the callback is executed. So we can hook this method directly: tryAddSecurityFactor$___twin___. My hook code is fairly simple: it prints the map and str passed in, and the returned map, for confirmation.

// frida -U com.ss.android.ugc.aweme -l test.js
Java.perform(function() {
    var NetworkParams = Java.use("com.bytedance.frameworks.baselib.network.http.NetworkParams");
    NetworkParams['tryAddSecurityFactor$___twin___'].implementation = function(str, map) {
        // Dump the incoming str (URL) and the header map
        var keyset = map.keySet();
        var it = keyset.iterator();
        console.log("str:\t" + str);
        while (it.hasNext()) {
            var keystr = it.next().toString();
            var valuestr = map.get(keystr).toString();
            console.log("map:\t" + keystr + "\t" + valuestr);
        }
        // Call the original implementation and dump the returned map
        var ret = this.tryAddSecurityFactor$___twin___(str, map);
        var retKeyset = ret.keySet();
        var retIt = retKeyset.iterator();
        while (retIt.hasNext()) {
            var retKey = retIt.next().toString();
            var retValue = ret.get(retKey).toString();
            console.log("ret map:\t" + retKey + "\t" + retValue);
        }
        return ret;
    };
});

The green part is the value of the first parameter str, the yellow part is the map, and the blue part is the returned map. Compare the X-Gorgon in the header of the request captured by Charles with the returned value.

Summary

The above is a simple analysis of Douyin's X-Gorgon and my notes on the process. I hope it is helpful, and also serves as a reference for securing your own products.

Disclaimers

  1. Do not use this for commercial purposes.
  2. Do not use this to scrape large amounts of data.
  3. If using this causes unnecessary disputes with Douyin officials, I will not be held responsible.
  4. I am purely interested in the technology; if this infringes your company's rights and interests, please let me know.

2021-01-12