Ethereal
After analysis of the data packets than you can be seen every request automatically generates the appropriate request parameters, and calculates the parameters __skcy, a server after checking these parameters do encrypted information and the requested content, by checking the server will return the correct results.
Find calculated __skcy key function
after we enter the keyword search to
getParametersSignature method CandyPreprocessor class
private String getParametersSignature(Builder builder, Context context) throws Exception {
Object[] objArr = new Object[]{builder, context};
ChangeQuickRedirect changeQuickRedirect = changeQuickRedirect;
String str = "d7fd4e92b3bd07b96007e804b4226165";
if (PatchProxy.isSupport(objArr, this, changeQuickRedirect, false, str, 6917529027641081856L)) {
return (String) PatchProxy.accessDispatch(objArr, this, changeQuickRedirect, false, str);
}
if (builder != null) {
Object baseString = baseString();
if (TextUtils.isEmpty(baseString)) {
throw new Exception("CandyPreprocessor getParametersSignature normalizedURI is null");
}
List arrayList = new ArrayList();
appendList(arrayList, builder, false);
if (this.version == CandyVersion.Ver1_0) {
arrayList.add(new MyEntry("__sksc", this.candyOriginalMaterial.getScheme()));
}
if (formURLEncoded() != null) {
builder = new StringBuilder("/?");
builder.append(new String(this.candyOriginalMaterial.getPostContent()));
appendList(arrayList, Uri.parse(builder.toString()).buildUpon(), true);
}
builder = getPercentList(arrayList);
dictionarySort(builder);
builder = getNormalizedParameters(builder);
StringBuilder stringBuilder = new StringBuilder();
stringBuilder.append(this.candyOriginalMaterial.getHttpMethod());
stringBuilder.append(StringUtil.SPACE);
stringBuilder.append(baseString);
stringBuilder.append(StringUtil.SPACE);
stringBuilder.append(builder);
builder = stringBuilder.toString();
if (formURLEncoded()) {
builder = builder.getBytes();
} else if (this.candyOriginalMaterial.getPostContent() == null) {
builder = builder.getBytes();
} else {
builder = builder.getBytes();
Builder builder2 = new byte[(builder.length + this.candyOriginalMaterial.getPostContent().length)];
System.arraycopy(builder, 0, builder2, 0, builder.length);
System.arraycopy(this.candyOriginalMaterial.getPostContent(), 0, builder2, builder.length, this.candyOriginalMaterial.getPostContent().length);
builder = builder2;
}
return CandyJni.getCandyDataWithKeyForJava(context, builder, "CandyKey");
}
throw new Exception("CandyPreprocessor getParametersSignature builder is null");
}
After the next jump chain, we found a CandyJni of getCandyDataWithKeyForJava method:
public static String getCandyDataWithKeyForJava(Context context, byte[] bArr, String str) {
Object[] objArr = new Object[]{context, bArr, str};
ChangeQuickRedirect changeQuickRedirect = changeQuickRedirect;
String str2 = "8806cdcfdd305bd7b7224b07a9fb85e3";
if (PatchProxy.isSupport(objArr, null, changeQuickRedirect, true, str2, 6917529027641081856L)) {
return (String) PatchProxy.accessDispatch(objArr, null, changeQuickRedirect, true, str2);
}
if (MTGuard.selfExceptionCheck() && bArr != null) {
if (bArr.length != 0) {
return getCandyDataWithKey(context, bArr, str);
}
}
return null;
}
Then we enter
public static native String getCandyDataWithKey(Object obj, byte[] bArr, String str);
This is a local method, therefore, we need to find getCandyDataWithKey method in native code.
Open the file so
We know that it is through the static analysis in getCandyDataWithKey in libmtguard.so, we open it with IDA
We can see in the list of exported functions, only JNI_Onload,
Dynamic debugging reduction algorithm
After a series of dynamic debugging, and ultimately restore the specific algorithm. Request recommendation Interface
Admission to the success of data.