某宝x-sign、x-mini-wua、 x-sgext、 x-umt算法解析

1、环境准备 

      jadx 

      某宝APP 9.XX

      Frida

2、进行抓包

 进行jadx分析 追踪到最后结果

3、进行unidbg黑盒调用

public void call2() {
        int ret = (Integer) JNICLibrary.callStaticJniMethodObject(emulator,
                "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;",
                10102,
                new ArrayObject(
                        new StringObject(vm, "main"),
                        new StringObject(vm, "6.5.25"),
                        new StringObject(vm, "/data/app/com.xxx.xxx-dxUUnbPHWwZU57BNmoNiNg==/lib/arm64/libsgmainso-6.5.25.so")
                )).getValue();
        System.out.println("call2:" + ret);
    }
    public void call3() {
        DalvikModule dm3 = vm.loadLibrary(new File("unidbg-android/src/test/resources/xxx/libsgsecuritybodyso-6.5.33.so"), true);
        dm3.callJNI_OnLoad(emulator);
        int ret = (Integer) JNICLibrary.callStaticJniMethodObject(emulator,
                "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;",
                10102,
                new ArrayObject(
                        new StringObject(vm, "securitybody"),
                        new StringObject(vm, "6.5.33"),
                        new StringObject(vm, "/data/app/com.xxxx.xxxx-dxUUnbPHWwZU57BNmoNiNg==/lib/arm64/libsgsecuritybodyso-6.5.33.so")
                )).getValue();
        System.out.println("call3:"+ret);
    }
    public void call4() {
        DalvikModule dm2 = vm.loadLibrary(new File("unidbg-android/src/test/resources/taobao/libsgmiddletierso-6.5.27.so"), true);
        dm2.callJNI_OnLoad(emulator);
        int ret = (Integer) JNICLibrary.callStaticJniMethodObject(emulator,
                "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;",
                10102,
                new ArrayObject(
                        new StringObject(vm, "middletier"),
                        new StringObject(vm, "6.5.27"),
                        new StringObject(vm, "/data/app/com.xxxx.xxx-dxUUnbPHWwZU57BNmoNiNg==/lib/arm64/libsgmiddletierso-6.5.27.so")
                )).getValue();
        System.out.println("call1:"+ret);
    }

    public void call5(){
//ZC6SCZKQclcDAL6cEiSBzpAI&3313269468&&21646297&128cdf5f43477fcc0b432746fec6200b&1681832168&mtop.taobao.search.highway.upload&1.0&2ff1d7999c388923d9f9bd8ce005b285&700407@taobao_android_9.23.0&AgAvexEOGYPM-wHSrHun
//kITLXNnTDarE1iMdO6KDEqON&30.360142&113.442344&openappkey=DEFAULT_AUTH&27&&&&&&&
        DvmObject ret = JNICLibrary.callStaticJniMethodObject(emulator,
                "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;",
                70102,
                new ArrayObject(
                        new StringObject(vm,"21646297"),
                        new StringObject(vm,"ZC6SCZKQclcDAL6cEiSBzpAI&3313269468&&21646297&71a1fe384d778e0e45b229837b355048&1681894596&mtop.relationrecommend.mtoprecommend.recommend&1.0&2ff1d7999c388923d9f9bd8ce005b285&700407@taobao_android_9.23.0&AgAvexEOGYPM-wHSrHunkITLXNnTDarE1iMdO6KDEqON&30.360491&113.43443&27&&&&&&&"),
                        DvmBoolean.valueOf(vm, Boolean.FALSE),
                        DvmInteger.valueOf(vm,0),
                        new StringObject(vm, "mtop.relationrecommend.mtoprecommend.recommend"),
                        new StringObject(vm, "pageId=http%3A%2F%2Fs.m.taobao.com%2Fh5entry&pageName=com.taobao.search.searchdoor.SearchDoorActivity"),
                        new StringObject(vm, ""),
                        new StringObject(vm, ""),
                        new StringObject(vm, ""),
                        new StringObject(vm, "r_27")
                )
        );
        System.out.println("result:"+ret.getValue());
    }

得出结果