[Original] Using reflection to hook comments in Douyin 6.6.0
Posted: 2019-6-20 15:53, 12261 views

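As we all know, anyone working on the Douyin protocol cannot get around the as, mas and cp algorithms. My skills are not good enough to reverse them, so I switched to a different method to achieve similar functionality.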

Step 1:
Capture and analyze the traffic of a Douyin comment
POST (request URL lost to the forum's link obfuscation) HTTP/1.1
The key parameter is obvious: comment/publish
Step 2: Unpack Douyin:
 Douyin has been packed since 6.6.0; unpack it with FDex2 to get the files

Step 2: Analyze the key location:
Use a tool (any tool you like; I prefer ak) to look at the code and find where the key parameter lives: package com.ss.android.ugc.aweme.comment.api;

Step 4: Analyze the program:
publishComment(@Field(a = "aweme_id") String str, @Field(a = "text") String str2, @Field(a = "reply_id") String str3, @Field(a = "text_extra") String str4, @Field(a = "is_self_see") int i, @Field(a = "reply_to_reply_id") String str5, @Field(a = "channel_id") int i2);
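We see this code; now look again at the contents of the captured packet:

It is obvious that this is the sending interface. We trace back to the comment function: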
  public static CommentResponse a(String str, String str2, @Nullable String str3, List<TextExtraStruct> list, @Nullable String str4, int i) throws Exception {
        List<TextExtraStruct> list2 = list;
        Object[] objArr = new Object[6];
        objArr[0] = str;
        objArr[1] = str2;
        objArr[2] = str3;
        objArr[3] = list2;
        objArr[4] = str4;
        objArr[5] = Integer.valueOf(i);
        ChangeQuickRedirect changeQuickRedirect = a;
        Class[] clsArr = new Class[6];
        clsArr[0] = String.class;
        clsArr[1] = String.class;
        clsArr[2] = String.class;
        clsArr[3] = List.class;
        clsArr[4] = String.class;
        clsArr[5] = Integer.TYPE;
        if (PatchProxy.isSupport(objArr, null, changeQuickRedirect, true, 24357, clsArr, CommentResponse.class)) {
            objArr = new Object[6];
            objArr[0] = str;
            objArr[1] = str2;
            objArr[2] = str3;
            objArr[3] = list2;
            objArr[4] = str4;
            objArr[5] = Integer.valueOf(i);
            ChangeQuickRedirect changeQuickRedirect2 = a;
            Class[] clsArr2 = new Class[6];
            clsArr2[0] = String.class;
            clsArr2[1] = String.class;
            clsArr2[2] = String.class;
            clsArr2[3] = List.class;
            clsArr2[4] = String.class;
            clsArr2[5] = Integer.TYPE;
            return (CommentResponse) PatchProxy.accessDispatch(objArr, null, changeQuickRedirect2, true, 24357, clsArr2, CommentResponse.class);
        }
        try {
            String str5 = str;
            String str6 = str2;
            String str7 = str3;
            CommentResponse commentResponse = (CommentResponse) ((RealApi) b.create(RealApi.class)).publishComment(str5, str6, str7, r.a().toJson(list2), af.a(), str4, i).get();
            commentResponse.comment.setLabelInfo(commentResponse.starFakeLabel);
            return commentResponse;
        } catch (ExecutionException e) {
            throw c.propagateCompatibleException(e);
        }
    }
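From the app's side, a call that reaches a sensitive method through reflection, as this post describes, looks different in the call stack from one that arrives through the normal UI path. The following Java program is an added example, not code from the post or from Douyin; `CallerGuardDemo`, `CommentUi`, the stand-in `publishComment` and the allowlist are hypothetical, and the check flags a call that arrives via `Method.invoke` or from a class not on the list.

```java
import java.lang.reflect.Method;
import java.util.Set;

// Added illustration: every class and method name here is hypothetical.
public class CallerGuardDemo {
    // Classes expected to call the sensitive method directly (demo assumption).
    private static final Set<String> TRUSTED = Set.of("CallerGuardDemo$CommentUi");

    private static boolean isReflectionFrame(String cls) {
        return cls.startsWith("java.lang.reflect.") || cls.startsWith("java.lang.invoke.")
            || cls.startsWith("jdk.internal.reflect.") || cls.startsWith("sun.reflect.");
    }

    // Returns null for an expected call path, otherwise the reason it was flagged.
    static String inspectCaller() {
        StackTraceElement[] st = new Throwable().getStackTrace();
        boolean viaReflection = false;
        int i = 2; // st[0] is inspectCaller, st[1] is the guarded method
        while (i < st.length && isReflectionFrame(st[i].getClassName())) {
            viaReflection = true; // skip the runtime's reflection plumbing
            i++;
        }
        String caller = i < st.length ? st[i].getClassName() : "<none>";
        if (viaReflection) return "reflective call from " + caller;
        if (!TRUSTED.contains(caller)) return "unexpected caller " + caller;
        return null;
    }

    // Stand-in for a sensitive API entry point such as a comment-publish call.
    static String publishComment(String itemId, String text) {
        String flag = inspectCaller();
        if (flag != null) return "FLAGGED: " + flag; // a real app would report this
        return "sent to " + itemId + ": " + text;
    }

    static class CommentUi { // the expected, UI-driven path
        static String onSendClicked(String text) {
            return publishComment("item-1", text);
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(CommentUi.onSendClicked("hello"));
        Method m = CallerGuardDemo.class.getDeclaredMethod(
            "publishComment", String.class, String.class);
        System.out.println(m.invoke(null, "item-1", "hello"));
    }
}
```

Code running inside an instrumented process can be patched along with everything else, so the result is best used as a telemetry signal alongside server-side rate and behavior checks.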
Latest replies (9)
2
Could the OP post the sample or a download link? All the ones I found are not packed.
2019-6-21 09:40
3
不知世事 Could the OP post the sample or a download link? All the ones I found are not packed.
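The download link for Douyin 6.6.0. I downloaded it from the official site. It has been updating too fast these past two days; I had just finished reversing it when it was upgraded to 6.8.0.
Could some expert send me the links to the forum tutorials on the as, maxs and CP algorithms? I don't have enough permissions to view them. Thanks.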
2019-6-21 18:07
4
666, has the OP gotten hold of the so and put it to use?
2019-6-23 23:15
5
雨生百古 666, has the OP gotten hold of the so and put it to use?
The SO is obfuscated, hard to deal with.
2019-6-24 16:28
6
I work on the iOS protocol; we could exchange notes.
2019-6-24 17:55
7
tkinglee I work on the iOS protocol; we could exchange notes.
Did you crack it?
2019-6-25 10:01
8
tkinglee I work on the iOS protocol; we could exchange notes.
Could I add you on WeChat?
2019-7-10 21:42
9
Experts, please teach me.
2019-7-31 14:45
10
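What about step 3? I didn't quite understand. Does this implement auto-reply? Could you go into more detail? I'd like to follow along and do it myself.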
2019-8-23 15:05