
TikTok (international edition of Douyin) reversed: ladies of the world, here I come!

Open-source repository

First, the GitHub repository:

AYTikTokPod

Overview

iOS reverse engineering refers to reverse analysis at the software level.

Ordinary software development is process-oriented: you write the process and the result follows. Reversing goes the other way: you start from the result and work out the process that produced it, and only once that process is clear do you start writing code. In the whole exercise analysis is about 90% of the work and coding about 10%, so this article is mostly about the approach; the code itself is routine.

Preparation

frida-ios-dump

Used for dumping the decrypted binary (removing the FairPlay "shell"), which is the first step in reversing. Apps downloaded from the App Store are encrypted, so nothing can be done with them until they are dumped. Decrypted ipa files can also be downloaded from some jailbreak app stores, but the version may be old.

With a jailbroken device this is easy; just follow the frida-ios-dump wiki.

Hopper Disassembler

Hopper Disassembler is a binary disassembler for macOS that covers most day-to-day disassembly needs, including pseudocode and a control flow graph; it supports the ARM instruction set and has Objective-C specific handling.

class-dump

class-dump is a command-line tool that exports header files: it reads the Objective-C runtime information stored in a Mach-O file and generates declarations for classes, categories and protocols.

MonkeyDev

MonkeyDev's predecessor is iOSOpenDev; MonkeyDev builds on it and adds CaptainHook Tweak, Logos Tweak and Command-line Tool templates.

What MonkeyDev does for us:

  • Create a dylib and modify class properties or methods through hooks

  • Inject the dylib into the app

  • Re-sign the ipa file

Static analysis

Preparation

Get a decrypted TikTok ipa

Since my iPhone 6s lost its jailbreak, I asked a friend to do the dumping step.

With a jailbroken phone, dumping is not complicated; just follow an online tutorial.

Export headers with class-dump

Command:

class-dump -H XXX.app -o /DumpHeaderClass

  • -H is followed by the path of the decrypted .app bundle

  • -o is the output folder for the header files

The figure shows all the header files produced by class-dump. From the names alone, several third-party libraries used in TikTok are visible: AFNetworking, YYKit and the Facebook SDK.

Tip: to search headers or methods quickly, create a new Xcode project and drag the header folder into it; nothing beats Xcode's own search for looking up code.

Hopper static analysis

Drag the decrypted executable straight into Hopper and wait; after a while Hopper finishes disassembling it.

The list on the left shows the classes and methods; the search box locates them quickly.

The red box marks the view mode switch: assembly, control flow graph, pseudocode, and hexadecimal.

Most of the time the control flow graph and pseudocode views are the ones used.

Inspecting the UI with Reveal

MonkeyDev injects RevealServer.framework for us automatically. The framework version must match the Reveal app version; otherwise replace the injected RevealServer.framework with the one shipped by your copy of Reveal.

Reveal lets us quickly find the controller or view we care about.

As the figure shows, the home feed's view controller is AWEFeedTableViewController.

Problems and how they were handled

Question 1

Q1: TikTok downloaded from another region's App Store shows nothing at all after launch?

T1: First suspicion: a network problem.

A1: With a global proxy enabled the feed is still blank, so the network is basically ruled out.

Question 2

Q2: If it is not the network, could the problem be in the request parameters?

T2: Capture the traffic with Charles.

A2: Refreshing the feed produces this request URL:

/aweme/v1/feed/?version_code=4.3.0&language=zh&pass-region=1&app_name=trill&vid=B196D171-B020-453E-A19C-9AAD845151BE&app_version=4.3.0&carrier_region=CN&is_my_cn=1&channel=App%20Store&mcc_mnc=46001&device_id=6631689375623284225&tz_offset=28800&account_region=&sys_region=CN&aid=1180&screen_width=750&openudid=63ceee2a26c0fd4501ebcf1f47a2311c5551f6e0&os_api=18&ac=WIFI&os_version=12&app_language=en&tz_name=Asia/Shanghai&device_platform=iphone&build_number=43004&device_type=iPhone8,1&iid=6635504889546049282&idfa=BFBB2BCA-9743-451B-95CC-F01292FC02F6&ad_user_agent=Mozilla%2F5.0%20%28iPhone%3B%20CPU%20iPhone%20OS%2012_0%20like%20Mac%20OS%20X%29%20AppleWebKit%2F605.1.15%20%28KHTML%2C%20like%20Gecko%29%20Mobile%2F16A366&count=6&feed_style=0&filter_warn=0&max_cursor=0&min_cursor=0&pull_type=1&type=0&volume=0.25&mas=01050af0364af36a45501b82b389f379ef3f8bda89739cc55924e8&as=a1157001fc8b2c2ce65057&ts=1544948924

Several of these fields look suspicious:

Analysis:

  1. is_my_cn literally asks "is this mainland China?"; most likely a flag marking domestic users.

  2. language: unlikely to be the criterion, because the chance of false positives is high. A user outside China can set the language to Chinese without that affecting anything; blocking on it would make no sense.

  3. account_region, carrier_region, sys_region: the account, carrier and system regions. Blocking could be based on any of them.

  4. mcc_mnc: mcc is the mobile country code, mnc the mobile network code.

  5. tz_name: the time zone.

Verification: use Charles' Rewrite or Breakpoints to change the parameters passed in the URL.

Result:

After trying various combinations, the decisive field turned out to be:

carrier_region = CN

This gives the first conclusion: TikTok's servers block users based on the carrier. Since the carrier is the criterion, mcc_mnc should be handled together with it:

mcc_mnc = 46001
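The Charles rewrite just described, as an added Python example (not code from the original post or from AYTikTokPod): it parses the captured feed request, lists the region-related parameters, and rewrites carrier_region together with mcc_mnc without touching the encoding or order of anything else, which is what a proxy Rewrite rule does. The host name is a placeholder (the post shows only the path and query), the MCC table is a small well-known subset, and the treatment of mas/as/ts as a request signature is an assumption based on their names.

```python
"""
Added example (not part of the original post or AYTikTokPod): parse the
captured /aweme/v1/feed/ request, pull out the region-related parameters,
and rewrite carrier_region and mcc_mnc the way a Charles Rewrite rule would.
"""
from urllib.parse import urlsplit, urlunsplit

# Captured feed request from the post, trimmed to the parameters that matter
# here. The host is a placeholder: the post only shows the path and query.
FEED_URL = (
    "https://host.invalid/aweme/v1/feed/?version_code=4.3.0&language=zh"
    "&pass-region=1&app_name=trill&carrier_region=CN&is_my_cn=1"
    "&channel=App%20Store&mcc_mnc=46001&account_region=&sys_region=CN"
    "&tz_name=Asia/Shanghai&app_language=en&device_type=iPhone8,1&count=6"
    "&mas=01050af0364af36a45501b82b389f379ef3f8bda89739cc55924e8"
    "&as=a1157001fc8b2c2ce65057&ts=1544948924"
)

# Parameters the post singled out as region-related, and the ones that look
# like a request signature (assumption: mas/as are signatures, ts their time).
REGION_PARAMS = ("carrier_region", "mcc_mnc", "is_my_cn", "sys_region",
                 "account_region", "language", "app_language", "tz_name",
                 "pass-region")
SIGNATURE_PARAMS = ("mas", "as", "ts")

# Small MCC -> ISO 3166-1 alpha-2 table (well-known assignments, subset only).
MCC_TO_ISO = {"460": "CN", "440": "JP", "441": "JP", "310": "US", "311": "US",
              "234": "GB", "262": "DE", "450": "KR"}


def raw_pairs(query):
    """Split a query string into [key, value] pairs without percent-decoding,
    so values such as App%20Store survive a round trip byte for byte."""
    pairs = []
    for item in query.split("&"):
        if item:
            key, _, value = item.partition("=")
            pairs.append([key, value])
    return pairs


def params(url):
    """Dict view of the query (last occurrence wins), values still encoded."""
    return dict(raw_pairs(urlsplit(url).query))


def query_keys(url):
    """Parameter names in the order they appear in the request."""
    return [k for k, _ in raw_pairs(urlsplit(url).query)]


def split_mcc_mnc(mcc_mnc):
    """'46001' -> ('460', '01'). The MCC is always three digits and the MNC
    two or three, so the concatenation is five or six digits."""
    if not mcc_mnc.isdigit() or len(mcc_mnc) not in (5, 6):
        raise ValueError(f"malformed mcc_mnc: {mcc_mnc!r}")
    return mcc_mnc[:3], mcc_mnc[3:]


def region_fields(url):
    """The region-related parameters present in the request."""
    q = params(url)
    return {k: q[k] for k in REGION_PARAMS if k in q}


def rewrite_params(url, overrides):
    """Return url with the given parameters replaced in place. Order and the
    encoding of untouched parameters are preserved; parameters that are not
    already present are not added."""
    parts = urlsplit(url)
    pairs = raw_pairs(parts.query)
    for pair in pairs:
        if pair[0] in overrides:
            pair[1] = overrides[pair[0]]
    query = "&".join(f"{k}={v}" for k, v in pairs)
    return urlunsplit(parts._replace(query=query))


def rewrite_region(url, target_mcc_mnc):
    """Apply the post's finding: change carrier_region together with mcc_mnc,
    deriving the ISO code from the MCC so the two stay consistent."""
    mcc, _mnc = split_mcc_mnc(target_mcc_mnc)
    return rewrite_params(url, {"carrier_region": MCC_TO_ISO[mcc],
                                "mcc_mnc": target_mcc_mnc})


def carrier_consistent(url):
    """True when carrier_region matches the country of the MCC in mcc_mnc.
    A mismatch is exactly the tell a server-side check could look for."""
    f = region_fields(url)
    mcc, _mnc = split_mcc_mnc(f["mcc_mnc"])
    return MCC_TO_ISO.get(mcc) == f["carrier_region"]


def signature_untouched(original, rewritten):
    """Rewriting at the proxy leaves mas/as/ts as the client computed them;
    if the server signs over carrier_region, this is why the method breaks."""
    a, b = params(original), params(rewritten)
    return all(a.get(k) == b.get(k) for k in SIGNATURE_PARAMS)


if __name__ == "__main__":
    print(region_fields(FEED_URL))
    jp = rewrite_region(FEED_URL, "44010")
    print(jp)
    print("consistent:", carrier_consistent(jp),
          "signature untouched:", signature_untouched(FEED_URL, jp))
```

Rewriting only carrier_region, as the first experiment in the post did, makes carrier_consistent() return False; rewrite_region() changes both fields so the request stays internally consistent, which is also what the CTCarrier hook later in the post must do by returning a matching isoCountryCode, mobileCountryCode and mobileNetworkCode.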

Question 3

Q3: How to deal with carrier_region and mcc_mnc?

T3: Done through Charles as above, TikTok's videos play normally. It works, barely, but it has big limitations:

  1. Commenting, following and so on do not work, because only some endpoints are rewritten and the rest are not.

  2. Without the specific Wi-Fi network that goes through the proxy, videos cannot be watched; over cellular they cannot be watched at all. (This could be done on the device with Thor's interceptor, which works on the same principle as Charles.)

  3. If a later update adds request signature verification, this method stops working.

A3:

Scheme I: modify the carrier_region field by hooking the third-party networking library AFNetworking, or the app's own NetService wrapper class.

This is basically feasible: hook AFHTTPRequestSerializer's requestWithMethod:URLString:parameters:error:, take the parameters dictionary and change the value of carrier_region.

Advantages:

  1. Simple; little analysis of the internal implementation is needed.

  2. One hook covers every endpoint.

Disadvantages:

  1. Request signature verification would fail: if the signature is computed over the parameters before they reach the serializer, rewriting them there invalidates it.

  2. Every network request goes through the hook; anything complex or slow in the hook function seriously hurts performance.

Scheme II: hook CoreTelephony.

The CTCarrier class in iOS's CoreTelephony.framework is where the app reads the carrier region, mcc and mnc from, so hooking its accessors breaks the regional restriction at the source. From the CTCarrier header:

/*
 * isoCountryCode
 *
 * Discussion:
 *   Returns an NSString object that contains country code for
 *   the subscriber's cellular service provider, represented as an ISO 3166-1
 *   country code string
 */
@property (nonatomic, readonly, retain, nullable) NSString *isoCountryCode __OSX_AVAILABLE_STARTING(__MAC_NA,__IPHONE_4_0);

/*
 * mobileCountryCode
 *
 * Discussion:
 *   An NSString containing the mobile country code for the subscriber's
 *   cellular service provider, in its numeric representation
 */
@property (nonatomic, readonly, retain, nullable) NSString *mobileCountryCode __OSX_AVAILABLE_STARTING(__MAC_NA,__IPHONE_4_0);

/*
 * mobileNetworkCode
 *
 * Discussion:
 *   An NSString containing the mobile network code for the subscriber's
 *   cellular service provider, in its numeric representation
 */
@property (nonatomic, readonly, retain, nullable) NSString *mobileNetworkCode __OSX_AVAILABLE_STARTING(__MAC_NA,__IPHONE_4_0);


Code writing:

// MARK: - Hook CTCarrier
#import <CoreTelephony/CTCarrier.h>
#import <CaptainHook/CaptainHook.h>

// UserDefaults and HookArea are the tweak's own helpers (not shown in the
// post): assumed to be a macro for [NSUserDefaults standardUserDefaults] and
// the key under which a dictionary with "code", "mcc" and "mnc" for the target
// region is stored. If nothing is stored, the accessors below return nil.
CHDeclareClass(CTCarrier)

// ISO 3166-1 country code of the carrier, the source of carrier_region
CHMethod0(NSString *, CTCarrier, isoCountryCode) {
    NSDictionary *areaDic = [UserDefaults valueForKey:HookArea];
    NSString *code = [areaDic objectForKey:@"code"];
    return code;
}

// Mobile country code, the first three digits of mcc_mnc
CHMethod0(NSString *, CTCarrier, mobileCountryCode) {
    NSDictionary *areaDic = [UserDefaults valueForKey:HookArea];
    NSString *mcc = [areaDic objectForKey:@"mcc"];
    return mcc;
}

// Mobile network code, the remaining digits of mcc_mnc
CHMethod0(NSString *, CTCarrier, mobileNetworkCode) {
    NSDictionary *areaDic = [UserDefaults valueForKey:HookArea];
    NSString *mnc = [areaDic objectForKey:@"mnc"];
    return mnc;
}

CHConstructor {
    // CTCarrier lives in a framework that may not be loaded yet when the
    // tweak constructor runs, hence the late class load.
    CHLoadLateClass(CTCarrier);
    CHHook0(CTCarrier, isoCountryCode);
    CHHook0(CTCarrier, mobileCountryCode);
    CHHook0(CTCarrier, mobileNetworkCode);
}

CaptainHook provides a complete set of hook macros:

  • CHDeclareClass declares a class to be hooked

  • CHMethod implements the hook for a method

  • CHConstructor is where the hooked classes and methods are loaded and registered

  • CHLoadLateClass loads the class to be hooked

  • CHHook registers the hooked method

Under the hood the framework does this through the Objective-C runtime API, for example:

Method class_getInstanceMethod(Class _Nullable cls, SEL _Nonnull name);
IMP method_setImplementation(Method _Nonnull m, IMP _Nonnull imp);
IMP method_getImplementation(Method _Nonnull m);
const char *method_getTypeEncoding(Method _Nonnull m);
BOOL class_addMethod(Class _Nullable cls, SEL _Nonnull name, IMP _Nonnull imp,
                     const char * _Nullable types);

Result:

This completes the bypass of the regional restriction.

Question 4

Q4: TikTok in other regions can download videos, but the Japan region cannot.

T4: Same phone, only carrier_region and mcc_mnc hooked, and yet downloads are restricted, so this must be a regional copyright policy (Japan takes copyright seriously).

A4: Tap the share button.

Whether download is allowed has already been decided before the button is tapped. The natural guess is a flag in the JSON returned by the feed request, passed on to AWEAwemeShareViewController.

Inspecting the UI with Reveal, the table view's cell class is AWEFeedViewCell. In AWEFeedViewCell.h from the class-dump output there is a suspicious method: - (void)configWithModel:(id)arg1;

Tracing the method with MDMethodTrace confirms it is called and that arg1 is an AWEAwemeModel, which contains a suspicious property, @property (nonatomic, assign) BOOL preventDownload; meaning downloading is prohibited.

Code writing:

// MARK: - AWEAwemeModel
#import <CaptainHook/CaptainHook.h>
#import "AWEAwemeModel.h"   // header generated by class-dump

CHDeclareClass(AWEAwemeModel)

// HookDownLoad is the tweak's own NSUserDefaults BOOL switch (not shown in
// the post). When it is on, force preventDownload to NO; when it is off the
// original value is passed through, so the hook is inert. (The original
// assigned ![UserDefaults boolForKey:HookDownLoad] unconditionally, which
// prevented download for every video whenever the switch was off.)
CHMethod1(void, AWEAwemeModel, setPreventDownload, BOOL, arg1) {
    if ([UserDefaults boolForKey:HookDownLoad]) {
        arg1 = NO;
    }
    CHSuper1(AWEAwemeModel, setPreventDownload, arg1);
}

CHConstructor {
    CHLoadLateClass(AWEAwemeModel);
    CHHook1(AWEAwemeModel, setPreventDownload);
}

Effect:

The download button is no longer disabled! Tap it with excitement!

WTF!!!

Continuing: compare the AWEAwemeModel from the Japan region with one from another region. The relevant part of its structure looks like this:

@interface AWEURLModel
@property (retain, nonatomic) NSArray *originURLList;
@end

@interface AWEVideoModel
@property (readonly, nonatomic) AWEURLModel *playURL;
@property (readonly, nonatomic) AWEURLModel *downloadURL;
@end

@interface AWEAwemeModel
@property (nonatomic, assign) BOOL preventDownload;
@property (retain, nonatomic) AWEVideoModel *video;
@end

After closer analysis, the Japan-region downloadURL has only two entries and neither is the video address, whereas in regions where download works downloadURL has four entries, the first two being video addresses. It was further found that the parameters of playURL and downloadURL always match. So the playURL list was simply assigned to downloadURL to see what happens.
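The comparison just described, done by hand in the post between the Japan-region model and one from another region, as an added Python example (not code from the original post or from AYTikTokPod): a structural diff of two decoded feed items that reports where they differ and singles out the differences that look like policy switches rather than content. The two items and their JSON key names are constructed for illustration; the post only shows the Objective-C property names (preventDownload, playURL, downloadURL, originURLList), not the field names on the wire.

```python
"""
Added example (not part of the original post or AYTikTokPod): diff two
decoded feed items to find region-gating fields, then apply the same
override the post's setPreventDownload:/setVideo: hooks apply.
"""
import copy

MISSING = object()

# Constructed items (key names are assumptions). Only the download-related
# parts differ: the Japan-region item carries prevent_download and a two-entry
# download list with no video file; the other item has four entries of which
# the first two are the video URLs.
JP_ITEM = {
    "aweme_id": "7000000000000000001",
    "prevent_download": True,
    "video": {
        "play_addr": {"url_list": ["https://v1.example.invalid/play/a.mp4",
                                   "https://v2.example.invalid/play/a.mp4"]},
        "download_addr": {"url_list": ["https://v1.example.invalid/dl/a",
                                       "https://v2.example.invalid/dl/a"]},
    },
}
OTHER_ITEM = {
    "aweme_id": "7000000000000000001",
    "prevent_download": False,
    "video": {
        "play_addr": {"url_list": ["https://v1.example.invalid/play/a.mp4",
                                   "https://v2.example.invalid/play/a.mp4"]},
        "download_addr": {"url_list": ["https://v1.example.invalid/play/a.mp4",
                                       "https://v2.example.invalid/play/a.mp4",
                                       "https://v1.example.invalid/dl/a",
                                       "https://v2.example.invalid/dl/a"]},
    },
}


def diff_models(a, b, path=""):
    """Yield (path, left, right) for every leaf where the two items differ.
    Lists report a length difference first, then compare element by element."""
    if isinstance(a, dict) and isinstance(b, dict):
        for key in sorted(set(a) | set(b)):
            if key in a and key in b:
                yield from diff_models(a[key], b[key], f"{path}.{key}")
            else:
                yield (f"{path}.{key}", a.get(key, MISSING), b.get(key, MISSING))
    elif isinstance(a, list) and isinstance(b, list):
        if len(a) != len(b):
            yield (f"{path}[len]", len(a), len(b))
        for i, (x, y) in enumerate(zip(a, b)):
            yield from diff_models(x, y, f"{path}[{i}]")
    elif a != b:
        yield (path, a, b)


def gating_candidates(a, b):
    """Paths whose difference looks like a policy switch rather than content:
    booleans that flip, and lists whose lengths differ. These are the places
    to look for a setter to hook (setPreventDownload:, setVideo:)."""
    out = []
    for path, left, right in diff_models(a, b):
        if isinstance(left, bool) and isinstance(right, bool):
            out.append(path)
        elif path.endswith("[len]"):
            out.append(path)
    return out


def apply_download_override(item):
    """What the post's hooks do, on a decoded item: clear the flag and make
    the download list the play list. Returns a copy; when there is no play
    list to substitute, the server's download list is kept as is."""
    fixed = copy.deepcopy(item)
    fixed["prevent_download"] = False
    play = fixed["video"]["play_addr"]["url_list"]
    if play:
        fixed["video"]["download_addr"]["url_list"] = list(play)
    return fixed


if __name__ == "__main__":
    for change in diff_models(JP_ITEM, OTHER_ITEM):
        print(change)
    print("candidates:", gating_candidates(JP_ITEM, OTHER_ITEM))
    print(apply_download_override(JP_ITEM)["video"]["download_addr"]["url_list"])
```

Run against two captured responses for the same video from different regions, the candidate list is short enough to check each entry against the class-dump headers, which is how preventDownload and the downloadURL list length surface without reading every field.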

Code writing:

// MARK: - AWEAwemeModel
#import <CaptainHook/CaptainHook.h>
#import "AWEAwemeModel.h"   // headers generated by class-dump
#import "AWEVideoModel.h"
#import "AWEURLModel.h"

CHDeclareClass(AWEAwemeModel)

// HookDownLoad is the tweak's own NSUserDefaults BOOL switch (not shown in
// the post). When it is on, force preventDownload to NO; otherwise pass the
// original value through.
CHMethod1(void, AWEAwemeModel, setPreventDownload, BOOL, arg1) {
    if ([UserDefaults boolForKey:HookDownLoad]) {
        arg1 = NO;
    }
    CHSuper1(AWEAwemeModel, setPreventDownload, arg1);
}

// Replace the download URL list with the play URL list before the model
// stores the video. Only done when there is a play list to copy; messaging a
// nil downloadURL would be a harmless no-op anyway.
CHMethod1(void, AWEAwemeModel, setVideo, AWEVideoModel *, arg1) {
    BOOL isHookDownLoad = [UserDefaults boolForKey:HookDownLoad];
    if (isHookDownLoad && arg1.playURL.originURLList.count > 0) {
        arg1.downloadURL.originURLList = arg1.playURL.originURLList;
    }
    CHSuper1(AWEAwemeModel, setVideo, arg1);
}

CHConstructor {
    CHLoadLateClass(AWEAwemeModel);
    CHHook1(AWEAwemeModel, setPreventDownload);
    CHHook1(AWEAwemeModel, setVideo);
}

Run again, and the Japan-region TikTok video downloads successfully.

Question 5

Q5: Does the downloaded video carry a watermark?

T5: The video at the original URL has no watermark, so the watermark must be added after download.

Searching the header directory for "watermark" confirms the guess.

Classes with "WaterMark" in their names appear in the headers.

Finally, +(id)watermarkLogoImageArray of the AWEDynamicWaterMarkExporter class is found; it returns the watermark images.

Code writing

#pragma mark WaterMark
#import <CaptainHook/CaptainHook.h>

CHDeclareClass(AWEDynamicWaterMarkExporter)

// +[AWEDynamicWaterMarkExporter watermarkLogoImageArray] returns the images
// composited onto a downloaded video. With the tweak's HookWaterMark switch
// (an NSUserDefaults BOOL, not shown in the post) on, return an empty array
// so there is nothing to composite; otherwise call the original.
CHOptimizedClassMethod0(self, NSArray *, AWEDynamicWaterMarkExporter, watermarkLogoImageArray) {
    BOOL isHookWaterMark = [UserDefaults boolForKey:HookWaterMark];
    if (isHookWaterMark) {
        return @[];
    }
    return CHSuper0(AWEDynamicWaterMarkExporter, watermarkLogoImageArray);
}

CHConstructor {
    CHLoadLateClass(AWEDynamicWaterMarkExporter);
    CHClassHook0(AWEDynamicWaterMarkExporter, watermarkLogoImageArray);
}

Summary

Throughout this reversing exercise the hook code itself is not complicated, and the development stands on the shoulders of giants; once the analysis is done, a few lines finish the job.

The exciting part is that it finally proves the reversing idea was right. There is more than one road to success: the entry point, the idea and the method may all differ, yet each can succeed.

Author: AYJk

Link: https://juejin.im/post/5c19a38ae51d453e0a209256


Contributed article. Article address: https://blog.isoyu.com/archives/tiktokdouyinguojibannixiangquanqiudexiaojiejiemenwolaila.html
Licensed under Creative Commons Attribution 4.0 International. Unless a reprint/source is indicated, articles are original to or translated by this site; please credit the author when reprinting. Last edited: December 24, 2018 at 09:21 p.m.
