文章目录[隐藏]
app shield 算法分析 2 / 13
- app shield 参数加密破解|unidbg
- shield 参数加密破解 - python 执行 c++
- app sessionid searchid|算法分析
- app sessionid searchid|算法还原
- pc timestamp2 加密参数分析破解
- app shield so 加密算法分析破解还原|前言
- app shield so 加密算法分析破解还原|so 算法简单分析
- app shield so 加密算法分析破解还原|aes 算法分析破解
- app shield so 加密算法分析破解还原|md5 算法分析破解
- app shield so 加密算法分析破解还原|xydata 算法分析破解
- app shield so 加密算法分析破解还原|总结
- app hmac 参数分析
- 7261 版 shield 算法分析破解
仅供学习研究 。请勿用于非法用途,本人将不承担任何法律责任。
前言
这次还是来说一说
xhs shield
推荐一篇看雪大佬发布的分析xhs加密逻辑的文章
https://bbs.pediy.com/thread-267330.htm
文章说的还是比较详细,最后也有放出c++代码,既然大佬都开源了,那我也就不去浪费头发去肝了
就说下如何使用python调用c++并获取到加密结果
博主使用mac系统,自带c++环境,就不说如何安装了,自行百度
c++
把代码 clone 下来,使用编辑器打开,博主这里使用的是 clion
打开之后配置好环境,直接运行 main.cpp 文件。
如果正常执行,没报错,就可以获取到加密结果,有异常的自行百度
python
处理代码
下面使用 python 运行 c++
这里先简单修改下代码,把 c 代码,改成 c++
很简单,就是把 *.h 里定义的类复制到 *.cpp 文件里,在删除 *.cpp 文件里的 include
修改 main.cpp
然后在来改下 main.cpp,阅读代码发现有三个值是可变的 strMain, url, xyAes.cpp -> key,修改这三个地方让其通过外部动态传递进来
c++ 代码
#include <iostream>
#include <cstdlib>
#include <string>
using namespace std;
#include "xyAes.cpp"
#include "xyMd5.cpp"
#include "xyXor.cpp"
#include "base64.cpp"
// 写法固定,
extern "C" {
// 释放内存
void freeme(char *ptr) {
free(ptr);
}
// 获取加密参数,有三个参数,返回值是个字符串
char* getXhsShield(char *sXml, char *url, char *aesKey) {
xyAes* xy = new xyAes;
string strMain = sXml;
unsigned char *decode = new unsigned char [strMain.length() / 4 * 3];
base64_decode(strMain.c_str(),strMain.length(),decode);
unsigned char out[256] = {0};
xy->testAesDec(reinterpret_cast<char *>(decode), reinterpret_cast<char *>(out),
reinterpret_cast<char *>(aesKey));
delete []decode;
xyMd5* md5 = new xyMd5;
char md5Result[16] = {0};
md5->GenrateResult(reinterpret_cast<unsigned char *>(url),md5Result);
xyXor* xyshield = new xyXor;
unsigned char in[128] = {
0x00, 0x00, 0x00, 0x01, 0xEC, 0xFA, 0xAF, 0x01, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x07,
0x00, 0x00, 0x00, 0x24, 0x00, 0x00, 0x00, 0x10, 0x36, 0x38, 0x37, 0x30, 0x32, 0x31, 0x33, 0x37,
0x30, 0x63, 0x35, 0x39, 0x32, 0x35, 0x39, 0x2D, 0x37, 0x65, 0x39, 0x31, 0x2D, 0x33, 0x65, 0x38,
0x62, 0x2D, 0x62, 0x38, 0x66, 0x32, 0x2D, 0x33, 0x35, 0x38, 0x35, 0x35, 0x61, 0x38, 0x35, 0x36,
0x35, 0x62, 0x36
};
memcpy(in + 67,md5Result,16);
unsigned char base[128] = {00 ,00 ,00 ,01 ,00 ,00 ,00 ,01 ,00 ,00 ,00 ,0x53 ,00 ,00 ,00 ,0x53};
xyshield->GenrateResult(in,base + 16);
char res[128] = {0};
base64_encode(base,0x63,res);
char *new_res = strdup(res);
return new_res;
}
}python 代码
from ctypes import *
lib = cdll.LoadLibrary("./main.so")
lib.freeme.restype = None
lib.freeme.argtypes = [c_void_p]
lib.getXhsShield.restype = c_void_p
lib.getXhsShield.argtypes = [c_void_p, c_void_p, c_void_p]
def get_shield_cpp(shield_url_path, common_params, platform_info):
s_xml = 'JPUl6G8k4MGEwml9FmGV1qV8UScx3IQkecsFkyLORcNmYJnHbONSjsgi2ZaSNhRGvm6FY7iYeaZpB1frFhqwlWzVgtUcByKgLNsMLFPYi7HDdhf23YR573g8ggnNwV5e'
s_xml = s_xml.encode()
shield_url = f'{shield_url_path}{common_params}{platform_info}'.encode()
aes_key = '70c59259-7e91-3e8'.encode()
ptr = lib.getXhsShield(s_xml, shield_url, aes_key)
lib.freeme(ptr)
print('XY' + cast(ptr, c_char_p).value.decode())
if __name__ == '__main__':
common_params = ''
platform_info = ''
shield_url = '/api/sns/v1/user/teenager/statusdeviceId=70c59259-7e91-3e8b-b8f2-35855a8565b6&identifier_flag=0&tz=Asia%2FShanghai&fid=161856398010307b510d8c42675f8f332860bd48186c&app_id=ECFAAF01&device_fingerprint1=2021040810451492d7a829c8e6b091209359dfd80365a00173354acd00c486&uis=light&launch_id=1620054097&project_id=ECFAAF&device_fingerprint=2021040810451492d7a829c8e6b091209359dfd80365a00173354acd00c486&versionName=6.87.0.1&platform=android&sid=session.1619581616447127665217&t=1620055467&build=6870213&x_trace_page_current=explore_feed&lang=zh-Hans&channel=Liteplatform=android&build=6870213&deviceId=70c59259-7e91-3e8b-b8f2-35855a8565b6'
get_shield_cpp(shield_url, common_params, platform_info)先把 c++ 编译成 so 文件, 在使用 ctypes 模块执行 c++
编译命令: g++ main.cpp -fPIC -shared -o main.so
运行没问题,结果也正常出来了
