shield 参数加密破解 - python 执行 c++

app shield 算法分析 2 / 13

仅供学习研究 。请勿用于非法用途,本人将不承担任何法律责任。

前言

这次还是来说一说 xhs shield
推荐一篇看雪大佬发布的分析 xhs 加密逻辑的文章
https://bbs.pediy.com/thread-267330.htm
文章说的还是比较详细,最后也有放出 c++ 代码,既然大佬都开源了,那我也就不去浪费头发去肝了
就说下如何使用 python 调用 c++ 并获取到加密结果
博主使用 mac 系统,自带 c++ 环境,就不说如何安装了,自行百度

c++

把代码 clone 下来,使用编辑器打开,博主这里使用的是 clion
打开之后配置好环境,直接运行 main.cpp 文件。
如果正常执行,没报错,就可以获取到加密结果,有异常的自行百度

1-clion

python

处理代码

下面使用 python 运行 c++
这里先简单修改一下代码,把 c 代码改成 c++
很简单,就是把 *.h 里定义的类复制到 *.cpp 文件里,再删除 *.cpp 文件里的 include

修改 main.cpp

然后再来改一下 main.cpp。阅读代码发现有三个值是可变的:strMain、url 和 xyAes.cpp 里的 key,修改这三个地方,让它们通过外部动态传递进来

c++ 代码

#include <cstdlib>
#include <cstring>
#include <iostream>
#include <string>
#include <vector>

using namespace std;
#include "xyAes.cpp"
#include "xyMd5.cpp"
#include "xyXor.cpp"
#include "base64.cpp"

// 写法固定,
extern "C" {

    // 释放内存
    void freeme(char *ptr) {
        free(ptr);
    }

    // 获取加密参数,有三个参数,返回值是个字符串
    char* getXhsShield(char *sXml, char *url, char *aesKey) {
        xyAes* xy = new xyAes;
        string strMain = sXml;
        unsigned char *decode = new unsigned char [strMain.length() / 4 * 3];
        base64_decode(strMain.c_str(),strMain.length(),decode);
        unsigned char out[256] = {0};
        xy->testAesDec(reinterpret_cast<char *>(decode), reinterpret_cast<char *>(out),
        reinterpret_cast<char *>(aesKey));
        delete []decode;

        xyMd5* md5 = new xyMd5;
        char md5Result[16] = {0};
        md5->GenrateResult(reinterpret_cast<unsigned char *>(url),md5Result);

        xyXor* xyshield = new xyXor;
        unsigned char in[128] = {
                0x00, 0x00, 0x00, 0x01, 0xEC, 0xFA, 0xAF, 0x01, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x07,
                0x00, 0x00, 0x00, 0x24, 0x00, 0x00, 0x00, 0x10, 0x36, 0x38, 0x37, 0x30, 0x32, 0x31, 0x33, 0x37,
                0x30, 0x63, 0x35, 0x39, 0x32, 0x35, 0x39, 0x2D, 0x37, 0x65, 0x39, 0x31, 0x2D, 0x33, 0x65, 0x38,
                0x62, 0x2D, 0x62, 0x38, 0x66, 0x32, 0x2D, 0x33, 0x35, 0x38, 0x35, 0x35, 0x61, 0x38, 0x35, 0x36,
                0x35, 0x62, 0x36
        };
        memcpy(in + 67,md5Result,16);

        unsigned char base[128] = {00 ,00 ,00 ,01 ,00 ,00 ,00 ,01 ,00 ,00 ,00 ,0x53 ,00 ,00 ,00 ,0x53};
        xyshield->GenrateResult(in,base + 16);

        char res[128] = {0};
        base64_encode(base,0x63,res);
        char *new_res = strdup(res);

        return new_res;
    }
}

python 代码

from ctypes import *

lib = cdll.LoadLibrary("./main.so")

lib.freeme.restype = None
lib.freeme.argtypes = [c_void_p]
lib.getXhsShield.restype = c_void_p
lib.getXhsShield.argtypes = [c_void_p, c_void_p, c_void_p]

def get_shield_cpp(shield_url_path, common_params, platform_info):
    s_xml = 'JPUl6G8k4MGEwml9FmGV1qV8UScx3IQkecsFkyLORcNmYJnHbONSjsgi2ZaSNhRGvm6FY7iYeaZpB1frFhqwlWzVgtUcByKgLNsMLFPYi7HDdhf23YR573g8ggnNwV5e'
    s_xml = s_xml.encode()
    shield_url = f'{shield_url_path}{common_params}{platform_info}'.encode()
    aes_key = '70c59259-7e91-3e8'.encode()

    ptr = lib.getXhsShield(s_xml, shield_url, aes_key)
    lib.freeme(ptr)

    print('XY' + cast(ptr, c_char_p).value.decode())

if __name__ == '__main__':
    common_params = ''
    platform_info = ''
    shield_url = '/api/sns/v1/user/teenager/statusdeviceId=70c59259-7e91-3e8b-b8f2-35855a8565b6&identifier_flag=0&tz=Asia%2FShanghai&fid=161856398010307b510d8c42675f8f332860bd48186c&app_id=ECFAAF01&device_fingerprint1=2021040810451492d7a829c8e6b091209359dfd80365a00173354acd00c486&uis=light&launch_id=1620054097&project_id=ECFAAF&device_fingerprint=2021040810451492d7a829c8e6b091209359dfd80365a00173354acd00c486&versionName=6.87.0.1&platform=android&sid=session.1619581616447127665217&t=1620055467&build=6870213&x_trace_page_current=explore_feed&lang=zh-Hans&channel=Liteplatform=android&build=6870213&deviceId=70c59259-7e91-3e8b-b8f2-35855a8565b6'
    get_shield_cpp(shield_url, common_params, platform_info)

先把 c++ 编译成 so 文件,再使用 ctypes 模块调用 c++
编译命令: g++ main.cpp -fPIC -shared -o main.so

运行没问题,结果也正常出来了

2-pycharm

本文作者:
本文链接: https://www.qinless.com/?p=17
版权声明:本博客所有文章除特别声明外,均采用 CC BY-NC-SA 4.0 许可协议。转载请注明来自 qinless 的博客!