APP在每个请求的header中都加入了X-Ladon
、X-Khronos
、X-Gorgon
、X-Argus
四个安全参数,当url变动的时候,这几个参数也会跟着变化,下面是一个完整的请求报文:
{
"GET": "https://api5-normal-c-hl.amemv.com/aweme/v1/life/mall/list/?cursor=0&request_tag_from=h5&backend_type_code=195679488&entry_atmosphere_id&count=10&city_code=350200&source=homepage_fresh&sort_code=7171691260363685932&atmosphere_id&has_deliverable=false&has_group=false&filter_type=0&enter_method=top_icon&need_filters=0&sort_session_id&location_permission=1&entry_type=3&distance_code=7171686102267346988&type_code=040000%7C080000%7C180000&iid=3644214056591579&device_id=1341841769250343&ac=wifi&channel=update&aid=1128&app_name=aweme&version_code=220900&version_name=22.9.0&device_platform=android&os=android&ssmix=a&device_type=MI+CC+9&device_brand=Xiaomi&language=zh&os_api=30&os_version=11&manifest_version_code=220901&resolution=1080*2221&dpi=440&update_version_code=22909900&_rticket=1682692605666&package=com.ss.android.ugc.aweme&cpu_support64=true&host_abi=armeabi-v7a&is_guest_mode=0&app_type=normal&minor_status=0&appTheme=light&need_personal_recommend=1&is_android_pad=0&ts=1682692459&cdid=d0cad09c-47ac-4535-84e5-9a78aebbb1fc HTTP/1.1",
"Host": "api5-normal-c-hl.amemv.com",
"Connection": "keep-alive",
"Cookie": "store-region=cn-fj; store-region-src=did; install_id=3644214056591579; ttreq=1$b151171e30d2e26ac9a11d4f847d7142dd21273a; odin_tt=cf06edf9b99864210817aba1aa149a07be07a6fc38d27ff10db8202de931ed29454d1cd5385949e483c84532b61dc16356c2a8d114ab6ea05bac93e8186c7c968e474846c54a9ee86938e8f2c9ae8485; msToken=zyKDDKuz5TSNT_ebCpGyh3hSYx1E9UNR3b1imR5957Z-n09KvrAgxGT6LCg49EMt_pljWbZ1IB_LZp6XGROpnxuhMoEzniQs5A8PZ7VDM44=; ttwid=1%7Cq2Wty0B6qcpuBIx2y6F8pypBY-_yxHFvRJ0J3zJjDvE%7C1682690783%7C84649aed7763a7cace9c1df17eb2039fd3ceb3fa405b9d20ba35e02f1358521c",
"Content-Type": "application/json",
"x-tt-dt": "AAAT6MK6SUZ347JUGYUCTJV4QXCMSOJXJCZ65VATRGOAAFEORRO37DE3H5HKUS3MBQDSJFJTF4MR5VUOAQRP5VWXF6765UCGBRJOSZKPA2OLEPH2QFULWYNGHF6BI",
"activity_now_client": "1682692460614",
"X-SS-REQ-TICKET": "1682692605671",
"x-vc-bdturing-sdk-version": "3.1.0.cn",
"sdk-version": "2",
"passport-sdk-version": "20374",
"x-tt-request-tag": "s=-1;p=0",
"X-SS-DP": "1128",
"x-tt-trace-id": "00-c84b88790d4c465e2003e272986a0468-c84b88790d4c465e-01",
"User-Agent": "com.ss.android.ugc.aweme/220901 (Linux; U; Android 11; zh_CN; MI CC 9; Build/RKQ1.200826.002; Cronet/TTNetVersion:4b3ac0f8 2022-07-22 QuicVersion:6fe86402 2022-05-31)",
"Accept-Encoding": "gzip, deflate, br",
"X-Argus": "UM74XbmndN9dA2L2z1WMA5FHJ27h+rKYDtOCetv9VUpvc9dl3w5vac0HlCnmrOo/IA+xI35PfOs6Kir2Tfnmbeu05bCARa5AQhJhjPoekyz02LlFP5lS5HHBHLKUHw5qmIc55QQJ46UFybBEUG2UHYsqOk8tlXpqQ3qn+F7vk1nU4Cb0BpiTX6UFbZkVMIoMRzSflS6qHGPjvS2LaE5pLsW6rQnPfAxrkdNqmOuF2xulKUD+QlOz5muILontcLmV7GQMWwIoX4w+5LNoUIUEQhb8",
"X-Gorgon": "0404e07b1001a83125daee3eb6fe7d3cc7974a1f529e4eeac890",
"X-Khronos": "1682692751",
"X-Ladon": "ICFwaWJx+V+nDNveBwsdW7abZudpRYFNMoyCYF+i5NPrPUYZ"
}
xargus 还原
import base64
import hashlib
import json
import random
import struct
import time
from copy import deepcopy
from random import choice
import argus_protobuf_pb2
from Crypto.Cipher import AES
from pysmx.SM3 import SM3
unpad = lambda s: s[: -ord(s[len(s) - 1 :])]
pad = lambda s: s + (chr((16 - (len(s) % 16))).encode() * (16 - (len(s) % 16)))
def calcProtobuf3(d):
"关键代码2891590578",
return high ^ (d >> 31)
def calc_sm3(data):
sm3 = SM3()
sm3.update(data)
return sm3.digest()
def ror4(num, k):
result = ""
while num < 0:
num += 0x10000000000000000
if len(hex(num)[2:]) > 16:
"关键代码2891590578",
lst = bin(num)[2:]
for i in range(0, 64):
if i < len(lst):
result = result + lst[i]
else:
result = "0" + result
return int(result[-k:] + result[:-k], 2)
def enc_ts(ts):
high = 0
r3 = (ts << 1) & 0xFFFFFFFF
low = r3 ^ (high >> 31)
"关键代码2891590578",
r0 = r3 | (ts >> 31)
t = r0 ^ (high >> 31)
return low | (t << 32)
def check_log(temp_list, label=""):
tmp = []
for item in temp_list:
"关键代码2891590578",
print(label, "长度:{} 内容:{}\n".format(len(tmp), tmp))
def RBIT(num):
result = ""
tmp_string = bin(num)[2:]
while len(tmp_string) < 8:
tmp_string = "0" + tmp_string
for i in range(0, 8):
result = result + tmp_string[7 - i]
return int(result, 2)
def hex_string(num):
tmp_string = hex(num)[2:]
if len(tmp_string) < 2:
tmp_string = "0" + tmp_string
return tmp_string
def reverse(num):
tmp_string = hex_string(num)
"关键代码2891590578",
def aes_encrypt(ciphertext, key, iv):
text = ciphertext
text = pad(text)
"关键代码2891590578",
de_text = cipher.encrypt(text)
return de_text
def aes_decrypt(ciphertext, key, iv):
"关键代码2891590578",
cipher = AES.new(key, AES.MODE_CBC, iv)
"关键代码2891590578",
return unpad(content)
def bfi(rd, rn, lsb, width):
"关键代码2891590578",
rn = (rn & ls) << lsb
ls = ~(ls << lsb)
rd = rd & ls
"关键代码2891590578",
return rd
def get_xargus(url, xkhronos, deviceid="", stub=""):
xa = Xargus(url[url.index("?") + 1 :], int(xkhronos), deviceid, stub)
return xa.mainEncrypt()
class Xargus:
def __init__(self, data, khronos, device="", stub=""):
self._data = data
self._stub = stub
self._argusVersion = 0x4020100
self._appversion = "15.7.0"
self._unknown8 = "v04.02.01-ml-android"
self._device_id = device
self._khronos = khronos
self._unknown16 = "AbEP0QSeJStUszOoH-i5-Q7nE"
self._signKey1 = [
"关键代码2891590578",
]
self._signKey2 = [
"关键代码2891590578",
]
self._aesKey = bytes(hashlib.md5(bytes(self._signKey1)).digest())
self._aesIv = bytes(hashlib.md5(bytes(self._signKey2)).digest())
self._rdm = random.randint(0x10000000, 0xFFFFFFFF)
# self._rdm = 0x37076aa5
self._apd = []
def _encryptRandom(self, key):
A = 0
T = 0
for i in range(0, len(key), 2):
B = key[i] ^ A
C = (T >> 0x3) & 0xFFFFFFFF
D = C ^ B
E = D ^ T
F = (E >> 0x5) & 0xFFFFFFFF
G = (E << 0xB) & 0xFFFFFFFF
H = key[i + 1] | G
I = F ^ H
J = I ^ E
T = ~J & 0xFFFFFFFF
# A = (T << 7) & 0xFFFFFFFF
return T
def _gen_key(self):
data = (
self._signKey1
+ self._signKey2
+ list(struct.pack("= 0:
B = 0x3DC94C3A >> off_1
H = (sm3_list[6] >> 3) & 0xFFFFFFFF
H |= (sm3_list[7] << 29) & 0xFFFFFFFF
C = H ^ sm3_list[2]
bfi_v = bfi(B, 0x7FFFFFFE, 1, 0x1F)
"关键代码2891590578",
H = (sm3_list[7] >> 3) & 0xFFFFFFFF
H |= (sm3_list[6] << 29) & 0xFFFFFFFF
E = H ^ sm3_list[3]
if E & 1:
B = (C >> 1) | 0x80000000
else:
B = C >> 1
"关键代码2891590578",
F = (E >> 1) | H
G = F ^ sm3_list[1] ^ E
A = ~G & 0xFFFFFFFF
F = D ^ B
for j in range(6):
sm3_list[j] = sm3_list[j + 2]
sm3_list[6] = F
sm3_list[7] = A
for j in range(2):
for d in list(struct.pack("> 0x1F)
CC = AA & BB
DD = proto[t] ^ CC
"关键代码2891590578",
proto[t] = sm3_list[i] ^ DD ^ EE
res_list = []
for i in range(4):
res_list += struct.pack("= 0:
t = i % 4
"关键代码2891590578",
"关键代码2891590578",
CC = AA & BB
DD = proto[t] ^ CC
"关键代码2891590578",
proto[t] = sm3_list[i] ^ DD ^ EE
i -= 1
res_list = []
for i in range(4):
res_list += struct.pack("I", rdm_list)
for i in range(len(data)):
data[i] ^= rdm_list[i % 4]
return data
def mainEncrypt(self):
res = []
enc_key = self._gen_key()
self._proto = pad(self._gen_protobuf())
for i in range(0, len(self._proto), 16):
data = []
for j in range(i, i + 16, 4):
c = struct.unpack("