bili_ticket related discovery (#903 Extended) #940

Open
2 tasks done
cxw620 opened this issue Jan 18, 2024 · 1 comment
Labels: 新增/Add (add or modify new content)
Milestone: API Update
Comments

@cxw620 (Contributor) commented Jan 18, 2024

Since the way of getting the web bili_ticket was found by @aynuarance in #903, I guessed that the way of getting the app bili_ticket is similar and also makes use of HS256, meaning that what we need to do is find the HMAC key. After a day of hard work reverse engineering libbili.so (OLLVM obfuscation, f**k you), I successfully did so.

Encryption algorithm: HMAC-SHA256

HMAC KEY INFO:

  • WEB platform
      • mark: ec02
      • key: XgwSnGZ1p
  • APP platform
      • mark: ec01
      • key: Ezlc3tgtl

Progress:

  • Fake x-exbadbasket from a normal APP.
  • RE x-exbadbasket from libbili.so.
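The signing step the comment above describes, as an added example (not the project's code and not from the comment author): HMAC-SHA256 is a keyed MAC rather than encryption, so possession of the key lets anyone mint a ticket the server will accept, and the "mark" only tells the verifier which key to recompute with. The issue does not state what bytes go into the MAC, so the message below is a constructed placeholder passed in by the caller; the two keys and marks are the ones posted above.

```python
import hashlib
import hmac

# Keys and marks as posted in this issue. The mark identifies which key a
# ticket was signed with; the key is the HMAC-SHA256 secret.
BILI_TICKET_KEYS = {
    "ec02": b"XgwSnGZ1p",  # WEB platform
    "ec01": b"Ezlc3tgtl",  # APP platform
}


def sign(mark: str, message: bytes) -> str:
    """Lowercase hex HMAC-SHA256 of `message` under the key selected by `mark`.

    The exact message bytes the server MACs are not stated in this issue, so
    the caller supplies whatever it has recovered (an assumption here).
    Raises KeyError for a mark that has no known key.
    """
    key = BILI_TICKET_KEYS[mark]
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify(mark: str, message: bytes, hexsign: str) -> bool:
    """Recompute the MAC and compare in constant time (what a server would do).

    Unknown marks and wrong-length or non-hex inputs simply fail verification
    instead of raising, so a malformed ticket cannot crash the checker.
    """
    if mark not in BILI_TICKET_KEYS:
        return False
    expected = sign(mark, message).encode()
    return hmac.compare_digest(expected, hexsign.lower().encode())


if __name__ == "__main__":
    # Constructed sample message; the real format is not given in the issue.
    msg = b"ts1705589660"
    for mark in BILI_TICKET_KEYS:
        print(mark, sign(mark, msg))
```

Because the key is embedded in the client (libbili.so for the app, JavaScript for the web), the ticket proves nothing about the caller beyond "has read the client"; it is an obfuscation measure, not an authentication one, and rotating the key only buys time until the next extraction.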
@xiaoyv404 added this to the API Update milestone Jan 20, 2024
@xiaoyv404 added the 新增/Add (add or modify new content) label Jan 20, 2024

@cxw620 (Contributor, Author) commented Jan 20, 2024

x-exbadbasket doesn't seem to be required, so we can leave it empty.

Here's an example of x-exbadbasket (already converted into a JSON string and formatted) with an explanation (possibly wrong) of each param. I'm not familiar with reverse engineering native code and need more help.

```jsonc
{
    "b00e":"tv.danmaku.bili", // pn => process name
    "a0c6":"7.57.2", // vn => version name
    "c94e":"3.2.43", // sdk_version => ?
    "cd5e":"android", // os
    "b59e":"", // serial, leave it empty
    "dd3b":0, // root?
    "a769":0, // root?
    "fd49":"11", // osv => os version
    "c203":"", // mac, default empty
    "b935":458243454, // apk_sign => **Don't know how `libbili.so` gets such a value**
    "ed96":"", // mid
    "f438":"XU0D0580A80C82276D9DF33B4D20665C42E33", // buvid
    "e57c":"Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 XL Build/RP1A.201005.004.A1) 7.57.2 os/android model/Pixel 2 XL mobi_app/android build/7572100 channel/master innerVer/7572110 osVer/11 network/2", // ua
    "aff2":1, // app_id
    "edc2":1705589660, // ctime
    "e24d":7572110, // vc => version code
    "e701":"13566853", // build => build sn
    "e29f":"0", // ptrace
    "e58c":"", // frida => **Don't know how `libbili.so` gets such a value**
    "fd4c":"", // xposed => **Don't know how `libbili.so` gets such a value**
    "d7be":"", // magisk => **Don't know how `libbili.so` gets such a value**
    "e7fa":1, // net
    "debc":"google", // brand
    "adf0":"Pixel 2 XL", // model
    "ccd6":1705677891, // fts
    "ada0":"a3811c3af294c9ff045bf24c9bb0545b2024011923245159b5fa061488ab5b05" // fp => see `fp_local`
}
```

I'm more than curious about the relationship between the hash code and the real name (ahh, the plain characters seen in the register), like b00e and pn. MD5 or something else? I don't know...
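One quick way to test the "MD5 or something else?" question above, as an added example that is not part of the issue: take the (name, code) pairs the comment annotates, hash each name with the common candidates, and see whether the four-character code is the head or tail of any digest. The real names are the commenter's own guesses, so a miss for one pair is not conclusive; a consistent hit across most pairs would be. The hash choices and the head/tail truncations tried are assumptions of this script, not something the issue states.

```python
import hashlib
import zlib

# (guessed real name -> observed 4-hex code), taken from the annotated JSON
# above. Names that the comment marks as uncertain are left out.
OBSERVED = {
    "pn": "b00e",
    "vn": "a0c6",
    "os": "cd5e",
    "osv": "fd49",
    "mac": "c203",
    "mid": "ed96",
    "buvid": "f438",
    "ua": "e57c",
    "ctime": "edc2",
    "vc": "e24d",
    "build": "e701",
    "brand": "debc",
    "model": "adf0",
    "fts": "ccd6",
    "fp": "ada0",
}


def candidate_codes(name: str) -> dict:
    """4-hex-char codes `name` would get under several common hash schemes.

    Both the first and the last 16 bits of each digest are tried, since a
    truncation could have been taken from either end. CRC32 is included
    because it is a common choice for short field identifiers.
    """
    data = name.encode()
    digests = {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "crc32": "%08x" % (zlib.crc32(data) & 0xFFFFFFFF),
    }
    codes = {}
    for algo, hexdigest in digests.items():
        codes[algo + "_head"] = hexdigest[:4]
        codes[algo + "_tail"] = hexdigest[-4:]
    return codes


def matches(pairs: dict) -> dict:
    """For each observed pair, list the schemes that reproduce its code."""
    result = {}
    for name, code in pairs.items():
        hits = [scheme for scheme, c in candidate_codes(name).items()
                if c == code.lower()]
        result[name] = hits
    return result


def scheme_scores(pairs: dict) -> dict:
    """Count how many observed pairs each scheme explains; one scheme
    explaining nearly all of them is the signal worth chasing."""
    scores = {}
    for hits in matches(pairs).values():
        for scheme in hits:
            scores[scheme] = scores.get(scheme, 0) + 1
    return scores


if __name__ == "__main__":
    for name, hits in matches(OBSERVED).items():
        print(f"{name:>6} {OBSERVED[name]} -> {hits or 'no match'}")
    print("scores:", scheme_scores(OBSERVED))
```

If nothing lines up, the mapping is probably either salted, a hash not tried here, or a static lookup table compiled into libbili.so; in that last case the codes will appear as literal strings near each other in the binary, and searching for "b00e" with the strings tool or in a disassembler is the quicker route than guessing hash functions.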
