-
-
[原创]利用Frida,对新版Instagram注册流程抓包
-
发表于: 2025-8-11 15:37
-
追随大神的脚步(https://bbs.kanxue.com/thread-267215.htm),新版(391.0.0.42.82)发生了变化,没找到对应的类,只能另想他法。
1)根据前辈分析的结果,搜索“X-IG-App-ID”,在X.5ks中找到了“c5nq.A02("X-IG-App-ID", "567067343352427");”,看来这个是写死的固定值。
函数是public final C6aU startRequest(C5nq c5nq, C5ns c5ns, C5rd c5rd) ;
2)然后发现这个startRequest一层一层的调用,用frida一层一层的跟踪下去,我是用的打印实现类的笨办法。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 | function printStacks(){ var throwable = Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Throwable").$new()); console.log(throwable);}function getObjClassName(obj) { const objClass = Java.use("java.lang.Object").getClass.apply(obj); return Java.use("java.lang.Class").getName.apply(objClass);}var clazz = Java.use('X.5jm'); clazz.startRequest.implementation = function() { console.log("\nX.5jm arguments[0] = " +arguments[0] ); console.log("X.5jm A01 is " + getObjClassName(this.A01.value) ); printStacks(); return this.startRequest.apply(this,arguments); } |
最后追踪到堆栈,这是嵌套了18层地狱吧
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 | X.5jm arguments[0] = {Uri: https://graph.instagram.com/logging_client_events. RequestId: 153045711}X.5jm A01 is com.instagram.api.tigon.TigonServiceLayerjava.lang.Throwable at X.5jm.startRequest(Native Method) at X.5jn.startRequest(:22) at X.5jq.startRequest(:52) at X.5kA.startRequest(:351) at X.5ka.startRequest(:23) at X.5kb.startRequest(:207) at X.5kk.startRequest(:95) at X.5kl.startRequest(:59) at X.5pb.startRequest(:280) at X.5kn.startRequest(:36) at X.5kq.startRequest(:86) at X.5ks.startRequest(:110) at X.5oj.startRequest(:31) at X.5ok.startRequest(:21) at X.5ol.startRequest(:92) at X.5om.startRequest(:19) at X.5pc.startRequest(:129) at X.5pn.startRequest(:17) at X.5pq.startRequest(:344) at X.5pv.startRequest(:19) at X.5qz.startRequest(:53) at X.4tq.startRequest(:14) at X.4tq.A00(:17) at X.4sq.A00(:41) at X.4sq.A02(:5) at com.instagram.analytics.analytics2.IGAnalytics2SimpleUploader.GET(:71) at com.facebook.analytics2.logger.legacy.uploader.PrivacyControlledUploader.GET(:2) at X.PRi.A00(:34) at X.DF8.handleMessage(:95) at android.os.Handler.dispatchMessage(Handler.java:106) at android.os.Looper.loopOnce(Looper.java:210) at android.os.Looper.loop(Looper.java:299) at android.os.HandlerThread.run(HandlerThread.java:67) |
“com.instagram.api.tigon.TigonServiceLayer”,这个类,看起来是把请求加到Executor去发送,位置应该是对了。
3)打印com.instagram.api.tigon.TigonServiceLayer.startRequest函数的参数
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 | function printFields(obj) { console.log(">>>printFields " + getObjClassName(obj) ); var fields = Java.use("java.lang.Object").getClass.apply(obj).getDeclaredFields(); fields.forEach(function (field) { field.setAccessible(true); try { console.log("- " + field.getName() + " = " + field.get(obj)); } catch (e) { console.log("- " + field.getName() + " = <无法读取>"); } }); } var tigonServer = Java.use('com.instagram.api.tigon.TigonServiceLayer'); tigonServer.startRequest.implementation = function() { console.log("\n###tigonServer." ); for (let index = 0; index < arguments.length; index++) { const arg = arguments[index]; console.log("\narg["+index+ "] is "+getObjClassName(arg)); printFields(arg); } console.log("\n***tigonServer." ); return this.startRequest.apply(this,arguments); } |
发现内容基本在第一个参数X.5nq里面
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 | arg[0] is X.5nq- printFields X.5nq class X.5nq- A00 = 3- A01 = false- A02 = false- A03 = 683607820- A04 = X.5cr@5f615e1- A05 = X.5kz@1780f06- A06 = 1- A07 = https://i.instagram.com/api/v1/bloks/async_action/com.bloks.7d7K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3u0D9L8$3E0K6i4K6u0W2j5$3q4S2i4K6u0W2M7X3g2Y4i4K6u0W2j5$3!0F1k6X3W2J5L8h3q4@1K9h3!0F1i4K6u0W2L8h3g2V1K9i4g2E0i4K6g2X3M7$3g2D9k6h3y4@1K9h3!0F1i4K6u0W2j5i4y4&6L8X3x3`./- A08 = https://i.instagram.com/api/v1/bloks/async_action/com.bloks.791K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3u0D9L8$3E0K6i4K6u0W2j5$3q4S2i4K6u0W2M7X3g2Y4i4K6u0W2j5$3!0F1k6X3W2J5L8h3q4@1K9h3!0F1i4K6u0W2L8h3g2V1K9i4g2E0i4K6g2X3M7$3g2D9k6h3y4@1K9h3!0F1i4K6u0W2j5i4y4&6L8X3x3`./- A09 = [X-IG-App-Locale: zh_CN, X-IG-Device-Locale: zh_CN, X-IG-Mapped-Locale: zh_CN, X-Pigeon-Session-Id: UFS-6314b0fe-36ba-43db-a0cf-2ba6c63f1be9-0, X-Pigeon-Rawclienttime: 1754642242.610, X-IG-Bandwidth-Speed-KBPS: 1902.000, X-IG-Bandwidth-TotalBytes-B: 0, X-IG-Bandwidth-TotalTime-MS: 0, X-Bloks-Version-Id: fb1049782079182ce7240ad652c0cdd80f0c2ffdca5ce115931bf8dd16c52c6f, X-IG-WWW-Claim: 0, X-Bloks-Prism-Button-Version: CONTROL, X-Bloks-Prism-Indigo-Link-Version: 0, X-Bloks-Prism-Colors-Enabled: false, X-Bloks-Prism-Font-Enabled: false, X-Bloks-Is-Layout-RTL: false, X-IG-Device-ID: ee217655-e663-47cb-9c19-167198cc9066, X-IG-Family-Device-ID: e39f3ddd-179f-4be3-9bea-8840233ca3d8, X-IG-Android-ID: android-f4d4cc0c1de7fb83, X-IG-Timezone-Offset: 28800, X-IG-Nav-Chain: com.bloks.620K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3y4S2j5g2)9J5k6h3I4G2k6$3W2F1i4K6u0W2L8r3!0Y4K9h3&6Q4y4h3k6Z5L8$3#2W2M7r3q4Y4k6g2)9K6b7h3y4G2L8g2)9J5k6h3u0D9L8$3E0K6i4K6u0W2N6%4N6%4i4K6u0W2j5$3q4S2i4K6u0W2L8r3!0Y4K9h3&6Q4x3X3g2D9L8$3N6A6L8W2)9#2k6X3S2G2L8h3g2H3j5h3N6W2i4K6y4m81:button:1754642010.457::,IgCdsScreenNavigationLoggerModule:com.bloks.51cK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3u0D9L8$3E0K6i4K6u0W2j5$3q4S2i4K6u0W2M7X3g2Y4i4K6u0W2j5$3!0F1N6r3q4U0N6s2m8G2K9h3&6@1i4K6g2X3M7r3S2G2L8X3g2Q4x3@1p5`.2:button:1754642025.719::, X-IG-CLIENT-ENDPOINT: com.bloks.d23K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3u0D9L8$3E0K6i4K6u0W2j5$3q4S2i4K6u0W2M7X3g2Y4i4K6u0W2j5$3!0F1N6r3q4U0N6s2m8G2K9h3&6@1i4K6g2X3M7r3S2G2L8X3g2Q4x3V1x3`. X-FB-Connection-Type: WIFI, X-IG-Connection-Type: WIFI, X-IG-Capabilities: 3brTv10=, X-IG-App-ID: 567067343352427]- A0A = {enqueue_time=308069416}- A0B = false- A0C = true- A0D = 26 |
A08和A09很明显,一个是请求的URL,一个是请求头。请求内容盲猜在A04和A05里面。JADX打开X.5cr的类,里面也是一些像头一样的类,感觉不是内容。打开X.5kz类,里面就2个属性值A00和A01。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 | public final class C5kz implements C5lA { public final C4ym A00; public final byte[] A01; @Override // X.C5lA public final C4ym BDk() { return null; } @Override // X.C5lA public final C4ym BE1() { return this.A00; } @Override // X.C5lA public final InputStream F1R() { return new ByteArrayInputStream(this.A01); } @Override // X.C5lA public final long getContentLength() { return this.A01.length; } public C5kz(List list, boolean z) { String str; String A00 = C5la.A00(list); Charset forName = Charset.forName("UTF-8"); C0Ce.A08(forName); byte[] bytes = A00.getBytes(forName); C0Ce.A08(bytes); this.A01 = bytes; if (z) { str = "application/x-www-form-urlencoded; charset=UTF-8"; } else { str = "application/x-www-form-urlencoded"; } this.A00 = new C4ym("Content-Type", str); }} |
Hook构造函数,A01里保存的确实就是发送的内容。
1 2 3 4 5 6 7 8 9 10 11 12 | var C5kz = Java.use('X.5kz');C5kz.$init.implementation = function() { var ret= this.$init.apply(this,arguments); console.log("\n###X.5kz" ); var len=this.A01.value.length; console.log("byte[] A01 len:"+len); if(len>0){ console.log("X.5kz.A01:" + jString.$new(this.A01.value)); } console.log("\n***X.5kz" ); return ret; } |
返回的值,是URL编码的
1 2 3 | ###X.5kzbyte[] A01 len:9730X.5kz.A01:params=%7B%22client_input_params%22%3A%7B%22flash_call_permissions_status%22%3A%7B%22READ_PHONE_STATE%22%3A%22DENIED%22%2C%22READ_CALL_LOG%22%3A%22DENIED%22%2C%22ANSWER_PHONE_CALLS%22%3A%22DENIED%22%7D%2C%22device_id%22%3A%22android-f4d4cc0c1de7fb83%22%2C%22was_headers_prefill_available%22%3A0%2C%22login_upsell_phone_list%22%3A%5B%5D%2C%22whatsapp_installed_on_client%22%3A1%2C%22msg_previous_cp%22%3A%22%22%2C%22switch_cp_first_time_loading%22%3A1%2C%22accounts_list%22%3A%5B%5D%2C%22confirmed_cp_and_code%22%3A%7B%7D%2C%22country_code%22%3A%22%22%2C%22family_device_id%22%3A%22e39f3ddd-179f-4be3-9bea-8840233ca3d8%22%2C%22block_store_machine_id%22%3A%22%22%2C%22fb_ig_device_id%22%3A%5B%5D%2C%22phone%22%3A%22855385468758%22%2C%22lois_settings%22%3A%7B%22lois_token%22%3A%22%22%7D%2C%22cloud_trust_token%22%3Anull%2C%22 |
URL解码,然后再格式化JSON,就看到请求的参数了
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 | { "client_input_params": { "flash_call_permissions_status": { "READ_PHONE_STATE": "DENIED", "READ_CALL_LOG": "DENIED", "ANSWER_PHONE_CALLS": "DENIED" }, "device_id": "android-f4d4cc0c1de7fb83", "was_headers_prefill_available": 0, "login_upsell_phone_list": [], "whatsapp_installed_on_client": 1, "msg_previous_cp": "", "switch_cp_first_time_loading": 1, "accounts_list": [], "confirmed_cp_and_code": {}, "country_code": "", "family_device_id": "e39f3ddd-179f-4be3-9bea-8840233ca3d8", "block_store_machine_id": "", |
后面就是通过native函数,发送出去
1 2 3 4 5 6 7 | public class TigonXplatService extends TigonServiceHolder { public static final int DEFAULT_BUFFER_SIZE = 1024; public final C1z9 mTigonRequestCounter; private native TigonXplatRequestToken sendRequestBodyBufferIntegerBuffer(TigonRequest tigonRequest, byte[] bArr, int i, TigonBodyProvider tigonBodyProvider, byte[] bArr2, int i2, TigonCallbacks tigonCallbacks, Executor executor); private native TigonXplatRequestToken sendRequestIntegerBuffer(TigonRequest tigonRequest, byte[] bArr, int i, ByteBuffer[] byteBufferArr, int i2, TigonCallbacks tigonCallbacks, Executor executor); |
到这里,路还长着,发送的实际内存,是加密的,这个后面要具体分析。
[培训]Windows内核深度攻防:从Hook技术到Rootkit实战!
最后于 2025-8-11 15:49
被lvcoffee编辑
,原因:
|
|
|---|---|
|
|
|
|
|
 frida 用的溜
|
|
|
这是请求包里的,不过叫“server_params”确实没理解意思 |
|
|
|
|
|
有偿求后续 |
|
|
reg_context是上一个请求返回的,你过掉sslpinning抓包看就知道了,带regm的就是
最后于 2025-8-13 03:38
被wx_春风十里编辑
,原因:
|
|
|
感谢解答,我继续努力搞明白 |
|
|
|
|
|
|
|
|
有没有大佬,逆向出来了解析这种结构数据的app代码,求一份 |
|
|
|
|
|
|
|
|
|
|
|
fb 的协议是否有,有偿 |
wx_春风十里
