如何提取安卓系统抖音ck数据

发布于 21 天前  118 次阅读


抖音将部分数据缓存至本地,其中包含了ck(device信息、token、app版本信息等),可以通过安卓程序将数据提取出来用于平时测试。因为该数据是缓存在应用的独立数据目录 安卓默认是不允许app互相访问独立数据,这里需要手机root后才可以提取。

/data/data/com.ss.android.ugc.aweme/shared_prefs

提取的核心操作是通过Runtime在安卓手机上执行脚本,执行RunTime执行su后cat查看缓存文件内容 最后读取cat输出的内容。这里给出这部分代码。

public static String execCmdForResult(String... cmds) {
    StringBuffer stringBuffer = new StringBuffer();
    try {
        Process process = Runtime.getRuntime().exec("su");
        OutputStream os = process.getOutputStream();
        process.getErrorStream();
        InputStream is = process.getInputStream();
        int i = cmds.length;
        for (int j = 0; j < i; j++) {
            String str = cmds[j];
            os.write((str + "\n").getBytes());
        }
        os.write("exit\n".getBytes());
        os.flush();
        os.close();
 
        stringBuffer.append(readStream(is));
 
        process.waitFor();
        process.destroy();
    } catch (Exception localException) {
    }
    return stringBuffer.toString();
}
 
 
public static String readStream(InputStream inStream) throws Exception {
    ByteArrayOutputStream outSteam = new ByteArrayOutputStream();
    byte[] buffer = new byte[1024];
    int len = -1;
    while ((len = inStream.read(buffer)) != -1) {
        outSteam.write(buffer, 0, len);
    }
    outSteam.close();
    inStream.close();
    return new String(outSteam.toByteArray());
}

我们主要提取这五个文件 缓存文件包含数据

ttnetCookieStore.xml             cookie,涉及敏感数据,数据需解码(下方代码里的decode方法)token_shared_preference.xml      x-tt-tokenwschannel_multi_process_config.xml    登录的设备信息,包含device_id install_id 应用版本 手机版本等查询通用参数。 applog_stats.xml                 mac_addr fingerprint_codes等LoginSharePreferences.xml        最后登录的账号信息

ttnetCookieStore.xml 部分内容如下:

<string name="http://snssdk.com/|odin_tt">aced000573720031636f6d2e6279746564616e63652e6672616d65776f726b732e626173656c69622e6e6574776f726b2e687474702e622e6858765a0a7f563d0c0300014a00016378707400076f64696e5f74747400806162663762643132383666343137303631623636346364333664313662386635613232303532633739643464346662333563643361646561646337323037373135336335336532323036623437393530643836393566363162643764656630346337336636656466646633653336356530626235613666383164343433633163707074000b2e736e7373646b2e636f6d77080000000005265c007400012f70770f000000010000010000017a6585797578</string>

提取到的内容部分需要解密。解密python代码:

def decode_cookie(str):    length = len(str)    newData = ""    i = 0    while(i<length):        newChar = (int(str[i],16)<<4) + (int(str[i+1],16))        newData += chr(newChar)        i=i+2    return newData

解密java代码:

    /**     * cookie解密     * @param str cookie密文     * @return     */    public static String decodeCookie(String str){        String cookieStr = "";        int i = 0;        while(i < str.length()){            char c1 = str.charAt(i);            int num1 = Integer.parseInt(String.valueOf(c1),16);            char c2 = str.charAt(i+1);            int num2 = Integer.parseInt(String.valueOf(c2),16);            int newChar =  (num1<<4) + num2;            cookieStr +=  (char) Integer.parseInt(String.valueOf(newChar));            i=i + 2;        }        return cookieStr;    }

解密结果:¬í sr 1com.bytedance.frameworks.baselib.network.http.b.hXvZV= J cxpt odin_ttt abf7bd1286f417061b664cd36d16b8f5a22052c79d4d4fb35cd3adeadc72077153c53e2206b47950d8695f61bd7def04c73f6edfdf3e365e0bb5a6f81d443c1cppt .snssdk.com &\ t /pw zeyux

但是我们发现他还是有些其它地方乱码了,但是蓝色方框是我们的结果,其实这是因为他解密之后是一个protobuf格式,我们只需要再次分割拿出来就可以了。具体完整代码都是读取文件和正则匹配或者分割下就好了,关键是ck这里加密,主要给出解密代码

wschannel_multi_process_config.xml 部分内容如下:

<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
<boolean name="key_enable_offline_detect" value="false" />
<string name="ws_apps">[{&quot;channel_id&quot;:1239108,&quot;app_id&quot;:1128,&quot;device_id&quot;:&quot;61919431820&quot;,&quot;install_id&quot;:&quot;3149472127268080&quot;,&quot;urls&quot;:[&quot;wss:\/\/frontier-aweme.snssdk.com\/ws\/v2&quot;],&quot;app_version&quot;:160501,&quot;platform&quot;:0,&quot;fpid&quot;:9,&quot;app_kay&quot;:&quot;e1bd35ec9db7b8d846de66ed140b1ad9&quot;,&quot;extra&quot;:&quot;ws_connect_protocol=0&amp;os_api=25&amp;device_type=MI%206&amp;manifest_version_code=160502&amp;dpi=480&amp;is_guest_mode=0&amp;is_background=1&amp;app_name=aweme&amp;version_name=16.5.1&amp;ts=1624900639&amp;sid=&amp;cpu_support64=true&amp;ttnet_ignore_offline=1&amp;app_type=normal&amp;ac=wifi&amp;appTheme=dark&amp;channel=xiaomi_1128_64&amp;update_version_code=16519900&amp;host_abi=arm64-v8a&amp;_rticket=1624900639691&amp;device_platform=android&amp;iid=3149472127268080&amp;ttnet_heartbeat_interval=30&amp;ne=1&amp;version_code=160501&amp;cdid=903a39a1-841c-4a7c-89d3-9337ec85eec9&amp;openudid=f4135260f97231ac&amp;device_id=61919431820&amp;resolution=1080*1920&amp;ping-interval=30&amp;language=zh&amp;device_brand=Xiaomi&amp;os_version=7.1.1&amp;aid=1128&amp;minor_status=0&quot;}]</string>
</map>

其中ws_apps包含json数据,但是需要解析

[{&quot;channel_id&quot;:1239108,&quot;app_id&quot;:1128,&quot;device_id&quot;:&quot;61919431820&quot;,&quot;install_id&quot;:&quot;3149472127268080&quot;,&quot;urls&quot;:[&quot;wss:\/\/frontier-aweme.snssdk.com\/ws\/v2&quot;],&quot;app_version&quot;:160501,&quot;platform&quot;:0,&quot;fpid&quot;:9,&quot;app_kay&quot;:&quot;e1bd35ec9db7b8d846de66ed140b1ad9&quot;,&quot;extra&quot;:&quot;ws_connect_protocol=0&amp;os_api=25&amp;device_type=MI%206&amp;manifest_version_code=160502&amp;dpi=480&amp;is_guest_mode=0&amp;is_background=1&amp;app_name=aweme&amp;version_name=16.5.1&amp;ts=1624900639&amp;sid=&amp;cpu_support64=true&amp;ttnet_ignore_offline=1&amp;app_type=normal&amp;ac=wifi&amp;appTheme=dark&amp;channel=xiaomi_1128_64&amp;update_version_code=16519900&amp;host_abi=arm64-v8a&amp;_rticket=1624900639691&amp;device_platform=android&amp;iid=3149472127268080&amp;ttnet_heartbeat_interval=30&amp;ne=1&amp;version_code=160501&amp;cdid=903a39a1-841c-4a7c-89d3-9337ec85eec9&amp;openudid=f4135260f97231ac&amp;device_id=61919431820&amp;resolution=1080*1920&amp;ping-interval=30&amp;language=zh&amp;device_brand=Xiaomi&amp;os_version=7.1.1&amp;aid=1128&amp;minor_status=0&quot;}]

java中通过方法可以解析

        String str = "[{&quot;channel_id&quot;:1239108,&quot;app_id&quot;:1128,&quot;device_id&quot;:&quot;61919431820&quot;,&quot;install_id&quot;:&quot;3149472127268080&quot;,&quot;urls&quot;:[&quot;wss:\\/\\/frontier-aweme.snssdk.com\\/ws\\/v2&quot;],&quot;app_version&quot;:160501,&quot;platform&quot;:0,&quot;fpid&quot;:9,&quot;app_kay&quot;:&quot;e1bd35ec9db7b8d846de66ed140b1ad9&quot;,&quot;extra&quot;:&quot;ws_connect_protocol=0&amp;os_api=25&amp;device_type=MI%206&amp;manifest_version_code=160502&amp;dpi=480&amp;is_guest_mode=0&amp;is_background=1&amp;app_name=aweme&amp;version_name=16.5.1&amp;ts=1624900639&amp;sid=&amp;cpu_support64=true&amp;ttnet_ignore_offline=1&amp;app_type=normal&amp;ac=wifi&amp;appTheme=dark&amp;channel=xiaomi_1128_64&amp;update_version_code=16519900&amp;host_abi=arm64-v8a&amp;_rticket=1624900639691&amp;device_platform=android&amp;iid=3149472127268080&amp;ttnet_heartbeat_interval=30&amp;ne=1&amp;version_code=160501&amp;cdid=903a39a1-841c-4a7c-89d3-9337ec85eec9&amp;openudid=f4135260f97231ac&amp;device_id=61919431820&amp;resolution=1080*1920&amp;ping-interval=30&amp;language=zh&amp;device_brand=Xiaomi&amp;os_version=7.1.1&amp;aid=1128&amp;minor_status=0&quot;}]";        String json = org.apache.commons.lang.StringEscapeUtils.unescapeHtml(str);

最后拿到参数数据:

[{"channel_id":1239108,"app_id":1128,"device_id":"61919431820","install_id":"3149472127268080","urls":["wss:\/\/frontier-aweme.snssdk.com\/ws\/v2"],"app_version":160501,"platform":0,"fpid":9,"app_kay":"e1bd35ec9db7b8d846de66ed140b1ad9","extra":"ws_connect_protocol=0&os_api=25&device_type=MI%206&manifest_version_code=160502&dpi=480&is_guest_mode=0&is_background=1&app_name=aweme&version_name=16.5.1&ts=1624900639&sid=&cpu_support64=true&ttnet_ignore_offline=1&app_type=normal&ac=wifi&appTheme=dark&channel=xiaomi_1128_64&update_version_code=16519900&host_abi=arm64-v8a&_rticket=1624900639691&device_platform=android&iid=3149472127268080&ttnet_heartbeat_interval=30&ne=1&version_code=160501&cdid=903a39a1-841c-4a7c-89d3-9337ec85eec9&openudid=f4135260f97231ac&device_id=61919431820&resolution=1080*1920&ping-interval=30&language=zh&device_brand=Xiaomi&os_version=7.1.1&aid=1128&minor_status=0"}]

或者使用完整的解析代码:

/**     * 解析抖音xml参数     * @param douyinParamXml     * @return     * @throws DocumentException     */    public static String parseParamsXml(String douyinParamXml) throws DocumentException {        //1.创建Reader对象        SAXReader reader = new SAXReader();        //2.加载xml        //读取XML文件,获得document对象        //Document document = reader.read(new File("C:\\Users\\Administrator\\Desktop\\wschannel_multi_process_config.xml"));        //解析XML形式的文本,得到document对象        Document document = DocumentHelper.parseText(douyinParamXml);        //3.获取根节点        Element rootElement = document.getRootElement();        Iterator iterator = rootElement.elementIterator();        while (iterator.hasNext()){            Element stu = (Element) iterator.next();            List<Attribute> attributes = stu.attributes();            for (Attribute attribute : attributes) {                if ("ws_apps".equalsIgnoreCase(attribute.getValue())){                    String json = stu.getStringValue();                    return json;                }            }        }        return null;    }

(附:)提取到的内容部分需要解密一遍 部分是明文五个文件提取合并,最后得到以下json 可以拿去测试抖音的接口了(敏感数据已打码)

{
  "cookies": "n_mh=PNM9_mnN-Sn-enP8doLLQFlfusO7exHcL0lP4QE0MKg; install_id=打码; passport_csrf_token_default=打码; sid_guard=打码%7C1623491553%7C5184000%7CWed%2C+11-Aug-2021+09%3A52%3A33+GMT; odin_tt=打码; odin_tt=打码; sessionid_ss=5c91e35bbe600ff83e97f27b9bd2467b; sid_tt=打码; uid_tt_ss=打码; sessionid=打码; uid_tt=打码; d_ticket=6dfa101f3e38eb553ac11d027b16a588a61ef; ttreq=1$4502faafefd6da2e3473b0bbcbc14a1a9a9c2afc; passport_csrf_token=打码; ",
  "token": "打码-1.0.1",
  "devices": {
    "channel_id": 1239108,
    "app_id": 1128,
    "device_id": "xxx",
    "install_id": "xxx",
    "urls": [
      "wss://frontier-aweme.snssdk.com/ws/v2"
    ],
    "app_version": 100900,
    "platform": 0,
    "fpid": 9,
    "app_kay": "e1bd35ec9db7b8d846de66ed140b1ad9",
    "extra": "os_api=23&device_type=MI 5s&manifest_version_code=100901&dpi=416&uuid=打码&is_background=0&app_name=aweme&version_name=10.9.0&ts=1623491553&sid=打码&app_type=normal&ac=wifi&host_abi=armeabi-v7a&update_version_code=10909900&channel=tengxun_new&_rticket=1623491553963&device_platform=android&iid=打码&ne=1&version_code=100900&cdid=打码&openudid=打码&device_id=打码&resolution=1053*1872&os_version=6.0.1&language=zh&device_brand=Xiaomi&aid=1128",
    "os_api": "23",
    "device_type": "MI 5s",
    "manifest_version_code": "100901",
    "dpi": "416",
    "uuid": "打码",
    "is_background": "0",
    "app_name": "aweme",
    "version_name": "10.9.0",
    "ts": "1623491553",
    "sid": "xxx",
    "app_type": "normal",
    "ac": "wifi",
    "host_abi": "armeabi-v7a",
    "update_version_code": "10909900",
    "channel": "tengxun_new",
    "_rticket": "1623491553963",
    "device_platform": "android",
    "iid": "打码",
    "ne": "1",
    "version_code": "100900",
    "cdid": "打码",
    "openudid": "打码",
    "resolution": "1053*1872",
    "os_version": "6.0.1",
    "language": "zh",
    "device_brand": "Xiaomi",
    "aid": "1128"
  },
  "fingerprint_codes": "[1,2,3,4,5,6]",
  "mac_addr": "08:00:27:ED:打码:打码",
  "lastLoginInfo": {
    "phoneNumber": {
      "countryCode_": 86,
      "countryIso_": "CN",
      "nationalNumber_": 打码,
      "rawInput_": ""
    },
    "commonUserInfo": {
      "avatarUrl": "http://p9.douyinpic.com/aweme/100x100/打码.jpeg",
      "secUid": "打码-nFIdeSIthEH52a",
      "userName": "打码"
    },
    "expires": "Jul 12, 2021 5:52:33 PM",
    "lastIsReliableLogin": 0,
    "loginMethodName": "PHONE_SMS",
    "uid": "打码"
  }
}

程序大致就是这样,我也没有琢磨透,先这样吧


我喜欢你我喜欢你,世界上美好的东西不太多,立秋傍晚从河对岸吹来的风,和二十来岁笑起来要人命的你。