抖音提取真机cookie，cookie参数解密

本文目的：将手机上的抖音缓存数据提取成我们常用的json格式ck。

抖音将部分数据缓存至本地，其中包含了ck(device信息、token、app版本信息等)，可以通过安卓程序将数据提取出来用于平时测试。因为该数据是缓存在应用的独立数据目录 安卓默认是不允许app互相访问独立数据，这里需要手机root后才可以提取。

缓存文件目录：/data/data/com.ss.android.ugc.aweme/shared_prefs

我们主要提取这五个文件  缓存文件包含数据

ttnetCookieStore.xml             cookie，涉及敏感数据，数据需解码(下方代码里的decode方法)
token_shared_preference.xml      x-tt-token
wschannel_multi_process_config.xml    登录的设备信息，包含device_id install_id 应用版本 手机版本等查询通用参数。 
applog_stats.xml                 mac_addr fingerprint_codes等
LoginSharePreferences.xml        最后登录的账号信息

ttnetCookieStore.xml 部分内容如下：

<string name="http://snssdk.com/|odin_tt">aced000573720031636f6d2e6279746564616e63652e6672616d65776f726b732e626173656c69622e6e6574776f726b2e687474702e622e6858765a0a7f563d0c0300014a00016378707400076f64696e5f74747400806162663762643132383666343137303631623636346364333664313662386635613232303532633739643464346662333563643361646561646337323037373135336335336532323036623437393530643836393566363162643764656630346337336636656466646633653336356530626235613666383164343433633163707074000b2e736e7373646b2e636f6d77080000000005265c007400012f70770f000000010000010000017a6585797578</string>

提取到的内容部分需要解密。

解密python代码：

def decode_cookie(str):
    length = len(str)
    newData = ""
    i = 0
    while(i<length):
        newChar = (int(str[i],16)<<4) + (int(str[i+1],16))
        newData += chr(newChar)
        i=i+2
    return newData

解密java代码：

/**
     * cookie解密
     * @param str cookie密文
     * @return
     */
    public static String decodeCookie(String str){
        String cookieStr = "";
        int i = 0;
        while(i < str.length()){
            char c1 = str.charAt(i);
            int num1 = Integer.parseInt(String.valueOf(c1),16);
            char c2 = str.charAt(i+1);
            int num2 = Integer.parseInt(String.valueOf(c2),16);
            int newChar =  (num1<<4) + num2;
            cookieStr +=  (char) Integer.parseInt(String.valueOf(newChar));
            i=i + 2;
        }
        return cookieStr;
    }

解密结果：

’ sr 1com.bytedance.frameworks.baselib.network.http.b.hXvZ
V= J cxpt odin_ttt abf7bd1286f417061b664cd36d16b8f5a22052c79d4d4fb35cd3adeadc72077153c53e2206b47950d8695f61bd7def04c73f6edfdf3e365e0bb5a6f81d443c1cppt .snssdk.com    &\ t /pw      zeyux

但是我们发现他还是有些其它地方乱码了，但是蓝色方框是我们的结果，其实这是因为他解密之后是一个protobuf格式，我们只需要再次分割拿出来就可以了。具体完整代码都是读取文件和正则匹配或者分割下就好了，关键是ck这里加密，主要给出解密代码.

wschannel_multi_process_config.xml 部分内容如下：

<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
<boolean name="key_enable_offline_detect" value="false" />
<string name="ws_apps">[{"channel_id":1239108,"app_id":1128,"device_id":"61919431820","install_id":"3149472127268080","urls":["wss:\/\/frontier-aweme.snssdk.com\/ws\/v2"],"app_version":160501,"platform":0,"fpid":9,"app_kay":"e1bd35ec9db7b8d846de66ed140b1ad9","extra":"ws_connect_protocol=0&os_api=25&device_type=MI%206&manifest_version_code=160502&dpi=480&is_guest_mode=0&is_background=1&app_name=aweme&version_name=16.5.1&ts=1624900639&sid=&cpu_support64=true&ttnet_ignore_offline=1&app_type=normal&ac=wifi&appTheme=dark&channel=xiaomi_1128_64&update_version_code=16519900&host_abi=arm64-v8a&_rticket=1624900639691&device_platform=android&iid=3149472127268080&ttnet_heartbeat_interval=30&ne=1&version_code=160501&cdid=903a39a1-841c-4a7c-89d3-9337ec85eec9&openudid=f4135260f97231ac&device_id=61919431820&resolution=1080*1920&ping-interval=30&language=zh&device_brand=Xiaomi&os_version=7.1.1&aid=1128&minor_status=0"}]</string>
</map>

 其中ws_apps包含json数据，但是需要解析

[{"channel_id":1239108,"app_id":1128,"device_id":"61919431820","install_id":"3149472127268080","urls":["wss:\/\/frontier-aweme.snssdk.com\/ws\/v2"],"app_version":160501,"platform":0,"fpid":9,"app_kay":"e1bd35ec9db7b8d846de66ed140b1ad9","extra":"ws_connect_protocol=0&os_api=25&device_type=MI%206&manifest_version_code=160502&dpi=480&is_guest_mode=0&is_background=1&app_name=aweme&version_name=16.5.1&ts=1624900639&sid=&cpu_support64=true&ttnet_ignore_offline=1&app_type=normal&ac=wifi&appTheme=dark&channel=xiaomi_1128_64&update_version_code=16519900&host_abi=arm64-v8a&_rticket=1624900639691&device_platform=android&iid=3149472127268080&ttnet_heartbeat_interval=30&ne=1&version_code=160501&cdid=903a39a1-841c-4a7c-89d3-9337ec85eec9&openudid=f4135260f97231ac&device_id=61919431820&resolution=1080*1920&ping-interval=30&language=zh&device_brand=Xiaomi&os_version=7.1.1&aid=1128&minor_status=0"}]

java中通过方法可以解析

String str = "[{"channel_id":1239108,"app_id":1128,"device_id":"61919431820","install_id":"3149472127268080","urls":["wss:\\/\\/frontier-aweme.snssdk.com\\/ws\\/v2"],"app_version":160501,"platform":0,"fpid":9,"app_kay":"e1bd35ec9db7b8d846de66ed140b1ad9","extra":"ws_connect_protocol=0&os_api=25&device_type=MI%206&manifest_version_code=160502&dpi=480&is_guest_mode=0&is_background=1&app_name=aweme&version_name=16.5.1&ts=1624900639&sid=&cpu_support64=true&ttnet_ignore_offline=1&app_type=normal&ac=wifi&appTheme=dark&channel=xiaomi_1128_64&update_version_code=16519900&host_abi=arm64-v8a&_rticket=1624900639691&device_platform=android&iid=3149472127268080&ttnet_heartbeat_interval=30&ne=1&version_code=160501&cdid=903a39a1-841c-4a7c-89d3-9337ec85eec9&openudid=f4135260f97231ac&device_id=61919431820&resolution=1080*1920&ping-interval=30&language=zh&device_brand=Xiaomi&os_version=7.1.1&aid=1128&minor_status=0"}]";
        String json = org.apache.commons.lang.StringEscapeUtils.unescapeHtml(str);

最后拿到参数数据：

[{"channel_id":1239108,"app_id":1128,"device_id":"61919431820","install_id":"3149472127268080","urls":["wss:\/\/frontier-aweme.snssdk.com\/ws\/v2"],"app_version":160501,"platform":0,"fpid":9,"app_kay":"e1bd35ec9db7b8d846de66ed140b1ad9","extra":"ws_connect_protocol=0&os_api=25&device_type=MI%206&manifest_version_code=160502&dpi=480&is_guest_mode=0&is_background=1&app_name=aweme&version_name=16.5.1&ts=1624900639&sid=&cpu_support64=true&ttnet_ignore_offline=1&app_type=normal&ac=wifi&appTheme=dark&channel=xiaomi_1128_64&update_version_code=16519900&host_abi=arm64-v8a&_rticket=1624900639691&device_platform=android&iid=3149472127268080&ttnet_heartbeat_interval=30&ne=1&version_code=160501&cdid=903a39a1-841c-4a7c-89d3-9337ec85eec9&openudid=f4135260f97231ac&device_id=61919431820&resolution=1080*1920&ping-interval=30&language=zh&device_brand=Xiaomi&os_version=7.1.1&aid=1128&minor_status=0"}]

或者使用完整的解析代码：

/**
     * 解析抖音xml参数
     * @param douyinParamXml
     * @return
     * @throws DocumentException
     */
    public static String parseParamsXml(String douyinParamXml) throws DocumentException {
        //1.创建Reader对象
        SAXReader reader = new SAXReader();
        //2.加载xml
        //读取XML文件,获得document对象
        //Document document = reader.read(new File("C:\\Users\\Administrator\\Desktop\\wschannel_multi_process_config.xml"));
        //解析XML形式的文本,得到document对象
        Document document = DocumentHelper.parseText(douyinParamXml);
        //3.获取根节点
        Element rootElement = document.getRootElement();
        Iterator iterator = rootElement.elementIterator();
        while (iterator.hasNext()){
            Element stu = (Element) iterator.next();
            List<Attribute> attributes = stu.attributes();
            for (Attribute attribute : attributes) {
                if ("ws_apps".equalsIgnoreCase(attribute.getValue())){
                    String json = stu.getStringValue();
                    return json;
                }
            }
        }
        return null;
    }