├── exe ├── 1.png ├── README_zh.md ├── README.md └── Sign6.java /exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhuke945/dy233_unidbg_sign/HEAD/exe -------------------------------------------------------------------------------- /1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhuke945/dy233_unidbg_sign/HEAD/1.png -------------------------------------------------------------------------------- /README_zh.md: -------------------------------------------------------------------------------- 1 | # 某音 23.3.0 版本签名协议 2 | 3 | 详情见 [README.md](./README.md) 4 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # dy233_unidbg_sign 2 | Use unidbg to emulate dy 23.3.0 and compute the X-Medusa and X-Helios signature fields 3 | 4 | ## how to run 5 | 1. git clone https://github.com/zhkl0228/unidbg (the version is [3512f1d33c417c2f835430916b58612b0f7d599c](https://github.com/zhkl0228/unidbg/commit/3512f1d33c417c2f835430916b58612b0f7d599c)) 6 | 2. download dy233.apk from [wandoujia](https://www.wandoujia.com/apps/7461948/history_v230301?spm=aligames_platform_ug.wdj_seo.0.0.6df17386bjmcsb) 7 | 3. place "dy233.apk" in the relative directory "unidbg-android/src/test/resources/dy233" 8 | 4. place "Sign6.java" in the relative directory "unidbg-android/src/test/java/com/ss/android/ugc/aweme" 9 | 5. remove the code ```vm.checkVersion(version)``` from the relative path "unidbg-android/src/main/java/com/github/unidbg/linux/android/dvm/DalvikModule.java" 10 | 6. place "exe" in the relative directory "unidbg-android/src/main/resources/android/sdk23/proc/self" 11 | 7. execute the main function of Sign6.java 12 | 13 | ## example 14 | ![result](./1.png) 15 | 16 | ## bug 17 | There is a bug in the signature obtained by running the code.
The X-Argus field should have a length of 240, but it is only 216. At present, I'm still trying to locate and solve the bugs. 18 | -------------------------------------------------------------------------------- /Sign6.java: --------------------------------------------------------------------------------
package com.ss.android.ugc.aweme;

import com.github.unidbg.AndroidEmulator;
import com.github.unidbg.arm.backend.*;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.linux.android.dvm.*;
import com.github.unidbg.linux.android.dvm.array.ArrayObject;
import com.github.unidbg.linux.android.dvm.wrapper.DvmBoolean;
import com.github.unidbg.memory.Memory;
import com.github.unidbg.Module;
import com.github.unidbg.pointer.UnidbgPointer;

import java.io.File;

/**
 * unidbg test harness that loads the {@code metasec_ml} native library from the
 * dy233 APK into a 32-bit emulated Android process and calls one native function
 * at a fixed offset with a URL and a header string, printing the string returned.
 *
 * <p>The JNI callbacks overridden below answer only the Java calls named in each
 * method; every other call is delegated to {@link AbstractJni}.
 *
 * <p>Review notes:
 * <ul>
 *   <li>The function offset and the stubbed return values are hard-coded; the
 *       {@code MS->b} stub reports version "23.3.0", matching the APK the README
 *       names.</li>
 *   <li>{@link #main} embeds a complete request URL, including device and
 *       installation identifiers, as a string literal in source.</li>
 *   <li>Verbose logging is switched on for both the syscall handler and the VM,
 *       and every intercepted JNI signature is printed to stdout.</li>
 * </ul>
 */
public class Sign6 extends AbstractJni {

    private final AndroidEmulator emulator;
    private final VM vm;
    private final Module module;
    private final Memory memory;

    /**
     * Builds the emulator, creates the Dalvik VM from the APK, registers the
     * classes the library is expected to look up, then loads {@code metasec_ml}
     * and runs its {@code JNI_OnLoad}. Prints "ok" once that has completed.
     */
    private Sign6() {
        // 32-bit process on the Unicorn2 backend, using the app's package name as process name.
        emulator = AndroidEmulatorBuilder
                .for32Bit()
                .setProcessName("com.ss.android.ugc.aweme")
                .addBackendFactory(new Unicorn2Factory(true))
                .build();
        emulator.getBackend().registerEmuCountHook(100000);
        emulator.getSyscallHandler().setVerbose(true);
        emulator.getSyscallHandler().setEnableThreadDispatcher(true);

        memory = emulator.getMemory();
        memory.setLibraryResolver(new AndroidResolver(23));
        memory.setCallInitFunction(true);

        // Path is relative to the unidbg checkout root (see the README's "how to run").
        vm = emulator.createDalvikVM(new File("unidbg-android/src/test/resources/dy233/dy233.apk"));
        vm.setJni(this);
        vm.setVerbose(true);

        // Each class is resolved with the previous one passed as the extra argument;
        // the results are not used afterwards, only the registration matters here.
        DvmClass first = vm.resolveClass("ms/bd/c/k");
        DvmClass second = vm.resolveClass("ms/bd/c/a0", first);
        vm.resolveClass("com/bytedance/mobsec/metasec/ml/MS", second);

        DalvikModule loaded = vm.loadLibrary("metasec_ml", true);
        module = loaded.getModule();
        loaded.callJNI_OnLoad(emulator);
        System.out.println("ok");
    }

    /**
     * Answers {@code Thread.getStackTrace()} with a fixed two-element array and
     * delegates every other instance object call to the superclass.
     *
     * @param vm         the VM issuing the call
     * @param dvmObject  the receiver object
     * @param signature  the JNI method signature being invoked
     * @param vaList     the call arguments
     * @return the stubbed array, or whatever the superclass returns
     */
    @Override
    public DvmObject callObjectMethodV(BaseVM vm, DvmObject dvmObject, String signature, VaList vaList) {
        System.out.println("callObjectMethodV "+ signature);
        if (!signature.equals("java/lang/Thread->getStackTrace()[Ljava/lang/StackTraceElement;")) {
            return super.callObjectMethodV(vm, dvmObject, signature, vaList);
        }
        // Two StackTraceElement objects backed by plain class-name strings.
        DvmObject[] frames = new DvmObject[2];
        frames[0] = vm.resolveClass("java/lang/StackTraceElement").newObject("dalvik.system.VMStack");
        frames[1] = vm.resolveClass("java/lang/StackTraceElement").newObject("java.lang.Thread");
        return new ArrayObject(frames);
    }

    /**
     * Answers the static {@code MS->b(...)} callback for four known selector
     * values and {@code Thread.currentThread()}; other signatures go to the
     * superclass.
     *
     * <p>The selector is the first int argument and is printed between two
     * divider lines. An {@code MS->b} call whose selector is not one of the four
     * handled values does not reach the superclass: it receives the same
     * {@code java/lang/Thread} object as a {@code currentThread()} call.
     *
     * @param vm         the VM issuing the call
     * @param dvmClass   the class the static method belongs to
     * @param signature  the JNI method signature being invoked
     * @param vaList     the call arguments
     * @return the stubbed object, or whatever the superclass returns
     */
    @Override
    public DvmObject callStaticObjectMethodV(BaseVM vm, DvmClass dvmClass, String signature, VaList vaList) {
        System.out.println("callStaticObjectMethodV "+ signature);
        final boolean isMsQuery = signature.equals(
                "com/bytedance/mobsec/metasec/ml/MS->b(IIJLjava/lang/String;Ljava/lang/Object;)Ljava/lang/Object;");
        if (isMsQuery) {
            final int selector = vaList.getIntArg(0);
            final String divider = "----------------------------";
            System.out.println(divider);
            System.out.println(selector);
            System.out.println(divider);
            switch (selector) {
                case 65539:
                    return new StringObject(vm,"/data/user/0/com.ss.android.ugc.aweme/files/;o@Y0f");
                case 33554433:
                case 33554434:
                    return DvmBoolean.valueOf(vm, Boolean.TRUE);
                case 16777233:
                    return new StringObject(vm, "23.3.0");
                default:
                    // Unhandled selector: continues to the Thread answer below.
                    break;
            }
        }
        if (isMsQuery || signature.equals("java/lang/Thread->currentThread()Ljava/lang/Thread;")) {
            return vm.resolveClass("java/lang/Thread").newObject(Thread.currentThread());
        }
        return super.callStaticObjectMethodV(vm, dvmClass, signature, vaList);
    }

    /**
     * Treats the static {@code MS->a()} callback as a no-op and delegates every
     * other static void call to the superclass.
     *
     * @param vm         the VM issuing the call
     * @param dvmClass   the class the static method belongs to
     * @param signature  the JNI method signature being invoked
     * @param vaList     the call arguments
     */
    @Override
    public void callStaticVoidMethodV(BaseVM vm, DvmClass dvmClass, String signature, VaList vaList) {
        System.out.println("callStaticVoidMethodV "+ signature);
        if (!signature.equals("com/bytedance/mobsec/metasec/ml/MS->a()V")) {
            super.callStaticVoidMethodV(vm, dvmClass, signature, vaList);
        }
    }

    /**
     * Calls the native function at the hard-coded module offset with the two
     * strings and reads the result back as a string.
     *
     * <p>The returned number is printed in hex, looked up as a VM object (a miss
     * is only logged), and then used as a memory address regardless of the
     * lookup result.
     *
     * @param url     the request URL passed as the first argument
     * @param header  the header block passed as the second argument
     * @return the string read from the address the native function returned
     */
    private String GetSign(String url, String header) {
        // NOTE(review): the +1 presumably sets the Thumb bit for a 32-bit ARM entry point - confirm.
        final int entryOffset = 0x438c0+1;
        Number result = module.callFunction(emulator, entryOffset, url, header);
        final int handle = result.intValue();
        System.out.printf("0X%X\n", handle);
        if (this.vm.getObject(handle) == null) {
            System.out.printf("0X%X is null\n", handle);
        }
        // Mask to an unsigned 32-bit value before using it as an address.
        UnidbgPointer text = memory.pointer(handle & 0xffffffffL);
        return text.getString(0);
    }

    /**
     * Runs the harness once with a fixed URL and header block and prints the result.
     *
     * <p>The URL literal carries device and installation identifiers
     * ({@code openudid}, {@code cdid}, {@code iid}, {@code device_id},
     * {@code uuid}); they are kept exactly as written in the original file.
     * The header block alternates header names and values, separated by CRLF.
     *
     * @param args unused
     */
    public static void main(String[] args) {
        String requestUrl = "https://ichannel.snssdk.com/service/2/app_alert_check/?ac=wifi&channel=shenmasem_ls_dy_210&aid=1128&app_name=aweme&version_code=230300&version_name=23.3.0&device_platform=android&os=android&ssmix=a&device_type=Pixel&device_brand=google&language=zh&os_api=27&os_version=8.1.0&openudid=b104cd40fd2b3224&manifest_version_code=230301&resolution=1080*1794&dpi=420&update_version_code=23309900&_rticket=1670126182805&package=com.ss.android.ugc.aweme&cpu_support64=true&host_abi=armeabi-v7a&is_guest_mode=0&app_type=normal&minor_status=0&appTheme=light&need_personal_recommend=1&is_android_pad=0&ts=1670126133&cdid=26ed513b-3f69-440f-ba7d-4b53f333e88c&md=0&iid=4072246474186391&device_id=3122268427780248&uuid=352531081299354";
        String headerBlock = "x-ss-req-ticket\r\n"+
                "1646193928088\r\n"+
                "personal-recommend-status\r\n"+
                "1\r\n"+
                "x-vc-bdturing-sdk-version\r\n"+
                "2.2.1.cn\r\n"+
                "passport-sdk-version\r\n"+
                "30626\r\n"+
                "sdk-version\r\n"+
                "2\r\n"+
                "x-tt-trace-id\r\n"+
                "00-48cde91e0100ba02e9a49302ff57211e-48cde91e0100ba02-01\r\n"+
                "user-agent\r\n"+
                "com.ss.android.ugc.aweme/230300 (Linux; U; Android 8.1.0; zh_CN; Pixel; Build/OPM1.171019.014;tt-ok/3.12.13.1)\r\n"+
                "accept-encoding\r\n"+
                "gzip, deflate";
        Sign6 harness = new Sign6();
        String output = harness.GetSign(requestUrl, headerBlock);
        System.out.println(output);
    }
}
--------------------------------------------------------------------------------