本文仅供学习交流,只提供关键思路不会给出完整代码,严禁用于非法用途,若有侵权请联系我删除!

熟练打开Fiddler设置好手机代理,摆弄半天一直抓不到包,应该是监测到了Fiddler,后面使用 Hook okhttp成功搞到了包,参考大佬的工具:https://github.com/siyujie/okhttp_find ,如果被删除请联系我。

分析后发现关键字搜索,帖子详情等接口Header中都带上了 shield 字段,反编译apk(我使用的是Jadx),经过不断搜索, Hook动态调试定位到关键方法:initializeNative,initialize,intercept

可以看到这几个关键方法都使用native修饰,核心的代码都被隐藏到了 libshield.so文件中。

这里推荐一位大佬的工具Unidbg:GitHub - zhkl0228/unidbg: Allows you to emulate an Android native library, and an experimental iOS emulation

按照教程搭建好环境后,调用JNI_onload方法:

        vm.setVerbose(true); //打印虚拟器日志vm.setJni(this);module = dm.getModule();// 打印 onload方法,会打印出动态注入的方法位置dm.callJNI_OnLoad(emulator);

如下:initializeNative方法的位置为:0x94289, intercept为0x939d9, initialize为0x937b1

RegisterNative(com/xingin/shield/http/XhsHttpInterceptor, initializeNative()V, RX@0x40094289[libshield.so]0x94289)
RegisterNative(com/xingin/shield/http/XhsHttpInterceptor, intercept(Lokhttp3/Interceptor$Chain;J)Lokhttp3/Response;, RX@0x400939d9[libshield.so]0x939d9)
RegisterNative(com/xingin/shield/http/XhsHttpInterceptor, initialize(Ljava/lang/String;)J, RX@0x400937b1[libshield.so]0x937b1)
RegisterNative(com/xingin/shield/http/XhsHttpInterceptor, destroy(J)V, RX@0x40093745[libshield.so]0x93745)

拿到位置后,可以通过unidbg模拟去调用这三个方法得到最终结果:报错一般是缺少环境,根据提示缺啥补啥,调用代码例:

  //初始化nativepublic void initializeNative(){List<Object> params = new ArrayList<>();params.add(vm.getJNIEnv()); //第一个参数默认envparams.add(0); //第二个参数一般为0module.callFunction(emulator,0x94289,params.toArray());}

        XhsShieldSimpleTest xhsShieldTest = new XhsShieldSimpleTest(url,commonParams);xhsShieldTest.initializeNative();long initialize = xhsShieldTest.initialize();xhsShieldTest.intercept(initialize);System.out.println("shieId:"+shiled);

其他:

hmac :b64: IOWtmOWCqOWcqOiuvuWkh+eahC9kYXRhL2RhdGEvY29tLnhpbmdpbi54aHMvc2hhcmVkX3ByZWZzL3MueG1s5Lit

示例:

shieId:XYAAAAAQAAAAEAAABTAAAAUzUWEe0xG1IbD9/c+qCLOlKGmTtFa+lG43AGdeFXQ6RAzYbkyOJgS534qeBbz8N/iJl+2KE3EwxPGGOBbe6g3SNp0LDZQUi2jBrG0rQy6uY02NTR
{"code":0,"success":true,"data":{"items":[{"model_type":"note","note":{"liked":false,"id":"63fdae1500000000270028ae","title":"爆爆赞的宝马火山红","abstract_show":"","desc":"宝马新3系 宝马5系 宝马3系 宝马4系 宝马X3 宝马X5 宝马7系","liked_count":0,"type":"normal","user":{"nickname":"汽车艺术脚垫厂家","images":"https://sns-avatar-qc.xhscdn.com/avatar/633bb5783a9fa858711af990.jpg?imageView2/2/w/80/format/jpg","userid":"62b84fc9000000001b024a26"},"tag_info":{},"images_list":[{"fileid":"1000g008245mup7ofe0005olo9v4msih66ee7558","height":1080,"width":1440,"url":"http://sns-img-bd.xhscdn.com/1000g008245mup7ofe0005olo9v4msih66ee7558?imageView2/2/w/540/format/webp","url_size_large":"http://sns-img-bd.xhscdn.com/1000g008245mup7ofe0005olo9v4msih66ee7558?imageView2/2/h/1080/format/webp","original":"","trace_id":"1000g008245mup7ofe0005olo9v4msih66ee7558"},{"fileid":"1000g008245mup7ofe00g5olo9v4msih643iq6p8","height":1080,"width":1440,"url":"","url_size_large":"http://sns-img-bd.xhscdn.com/1000g008245mup7ofe00g5olo9v4msih643iq6p8?imageView2/2/h/1080/format/webp","original":"","trace_id":"1000g008245mup7ofe00g5olo9v4msih643iq6p8"},{"fileid":"1000g008245mup7ofe0105olo9v4msih6l3es0fg","height":1080,"width":1440,"url":"","url_size_large":"http://sns-img-bd.xhscdn.com/1000g008245mup7ofe0105olo9v4msih6l3es0fg?imageView2/2/h/1080/format/webp","original":"","trace_id":"1000g008245mup7ofe0105olo9v4msih6l3es0fg"},{"fileid":"1000g008245mup7ofe01g5olo9v4msih62roknn0","height":1440,"width":1080,"url":"","url_size_large":"http://sns-img-bd.xhscdn.com/1000g008245mup7ofe01g5olo9v4msih62roknn0?imageView2/2/w/1080/format/webp","original":"","trace_id":"1000g008245mup7ofe01g5olo9v4msih62roknn0"},{"fileid":"1000g008245mup7ofe0205olo9v4msih6q4hm1rg","height":1440,"width":1080,"url":"","url_size_large":"http://sns-img-bd.xhscdn.com/1000g008245mup7ofe0205olo9v4msih6q4hm1rg?imageView2/2/w/1080/format/webp","original":"","trace_id":"1000g008245mup7ofe0205olo9v4msih6q4hm1rg"},{"fileid":"1000g008245mup7ofe02g5olo9v4msih6upjjbio","height":1440,"width":1080,"url":"","url_size_large":"http://sns-img-bd.xhscdn.com/1000g008245mup7ofe02g5olo9v4msih6upjjbio?imageView2/2/w/1080/format/webp","original":"","trace_id":"1000g008245mup7ofe02g5olo9v4msih6upjjbio"},{"fileid":"1000g008245mup7ofe0305olo9v4msih60grgaro","height":1440,"width":1080,"url":"","url_size_large":"http://sns-img-bd.xhscdn.com/1000g008245mup7ofe0305olo9v4msih60grgaro?imageView2/2/w/1080/format/webp","original":"","trace_id":"1000g008245mup7ofe0305olo9v4msih60grgaro"},{"fileid":"1000g008245mup7ofe03g5olo9v4msih6r4pors8","height":1440,"width":1080,"url":"","url_size_large":"http://sns-img-bd.xhscdn.com/1000g008245mup7ofe03g5olo9v4msih6r4pors8?imageView2/2/w/1080/format/webp","original":"","trace_id":"1000g008245mup7ofe03g5olo9v4msih6r4pors8"},{"fileid":"1000g008245mup7ofe0405olo9v4msih6325qu48","height":1440,"width":1080,"url":"","url_size_large":"http://sns-img-bd.xhscdn.com/1000g008245mup7ofe0405olo9v4msih6325qu48?imageView2/2/w/1080/format/webp","original":"","trace_id":"1000g008245mup7ofe0405olo9v4msih6325qu48"}],"has_music":false,"timestamp":1677569557,"geo_info":{"distance":"<100m"}}},{"model_type":"note","note":{"liked":false,"id":"63fdae0f00000000110105b1","title":"","abstract_show":"","desc":"会设置宝马热敏快捷按键,那你会解除吗,我来教你吧!#每天一个汽车用车知识 #汽车知识 #每天分享汽车知识","liked_count":0,"type":"video","user":{"nickname":"汕尾粤宝宝马4S店","images":"https://sns-avatar-qc.xhscdn.com/avatar/60f14ad3e662d40eaf40b4e9.jpg?imageView2/2/w/80/format/jpg","userid":"5b6ade6e0ff975000104b4f4"},"tag_info":{},"video_info":{"id":"136231334653026866","height":1280,"width":720,"url":"http://sns-video-bd.xhscdn.com/stream/110/258/01e3fdad55456232010371038696f03c75_258.mp4?v=2","avg_bitrate":929714,"vmaf":-1,"url_info_list":[{"desc":"h264-RedH264","url":"http://sns-video-bd.xhscdn.com/stream/110/258/01e3fdad55456232010371038696f03c75_258.mp4?v=2","avg_bitrate":929714,"width":720,"height":1280,"vmaf":-1}],"preload_size":1048576,"played_count":0,"duration":15,"frame_ts":0,"is_user_select":false,"is_upload":false,"first_frame":"http://sns-img-bd.xhscdn.com/spectrum/1000g0k0245mjo0cfs0004ab4k8f6td7k4vmkmcg?imageView2/2/w/1080/format/webp","thumbnail":"http://sns-img-bd.xhscdn.com/110/0/01e3fdad55456232001000018696efff40_0.webp","thumbnail_dim":"http://sns-img-bd.xhscdn.com/110/0/01e3fdad55456232001000018696efff40_0.webp?imageView2/2/w/720/h/720/format/webp","can_super_resolution":true},"images_list":[{"fileid":"spectrum/1000g0k0245mjo0cfs0004ab4k8f6td7k4vmkmcg","height":960,"width":720,"url":"http://sns-img-bd.xhscdn.com/spectrum/1000g0k0245mjo0cfs0004ab4k8f6td7k4vmkmcg?imageView2/2/w/540/format/webp","url_size_large":"http://sns-img-bd.xhscdn.com/spectrum/1000g0k0245mjo0cfs0004ab4k8f6td7k4vmkmcg?imageView2/2/w/1080/format/webp","original":"","trace_id":"spectrum/1000g0k0245mjo0cfs0004ab4k8f6td7k4vmkmcg"}],"has_music":false,"timestamp":1677569551,"geo_info":{"distance":"<100m"}}},{"model_type":"note","note":{"liked":false,"id":"63fdade50000000014025872","title":"","abstract_show":"","desc":"2023全新一代宝马X1。宝马x1 奔驰glb 奥迪q3 宝马ix1 雷克萨斯nx","liked_count":0,"type":"normal","user":{"nickname":"安徽宝马情报局","images":"https://sns-avatar-qc.xhscdn.com/avatar/62727252a97743a3a3db2070.jpg?imageView2/2/w/80/format/jpg","userid":"62611c46000000002102a202"},"tag_info":{},"images_list":[{"fileid":"1000g008245mrfemfi0005oj13h38d8g2q47ka3o","height":1024,"width":1536,"url":"http://sns-img-bd.xhscdn.com/1000g008245mrfemfi0005oj13h38d8g2q47ka3o?imageView2/2/w/540/format/webp","url_size_large":"http://sns-img-bd.xhscdn.com/1000g008245mrfemfi0005oj13h38d8g2q47ka3o?imageView2/2/h/1080/format/webp","original":"","trace_id":"1000g008245mrfemfi0005oj13h38d8g2q47ka3o"},{"fileid":"1000g008245mrfemfi00g5oj13h38d8g2coh3v30","height":1280,"width":1920,"url":"","url_size_large":"http://sns-img-bd.xhscdn.com/1000g008245mrfemfi00g5oj13h38d8g2coh3v30?imageView2/2/h/1080/format/webp","original":"","trace_id":"1000g008245mrfemfi00g5oj13h38d8g2coh3v30"},{"fileid":"1000g008245mrfemfi0105oj13h38d8g2uata3n8","height":1024,"width":1536,"url":"","url_size_large":"http://sns-img-bd.xhscdn.com/1000g008245mrfemfi0105oj13h38d8g2uata3n8?imageView2/2/h/1080/format/webp","original":"","trace_id":"1000g008245mrfemfi0105oj13h38d8g2uata3n8"}],"has_music":false,"timestamp":1677569509,"geo_info":{"distance":"<100m"}}},{"model_type":"note","note":{"liked":false,"id":"63fdadbd0000000027002350","title":"官方提示‼️刷到的人都有实力拿下这台宝马												


											

记一次shield抓包分析相关推荐
	

    
								
  1. Wireshark抓包分析TCP建立/释放链接的过程以及状态变迁分析
		
    Wireshark抓包分析TCP建立/释放链接的过程以及状态变迁分析 一.介绍计算机网络体系结构 1.计算机的网络体系结构 在抓包分析TCP建立链接之前首先了解下计算机的网络通信的模型,我相信学习过计 ...
    
		
    2. 
						
  2. Java抓包分析四(基于jnetpcap进行抓包)——分析Http请求数据包
		
    在上篇文章中Java抓包分析三(基于jnetpcap进行抓包)--抓取Http请求数据包,我们讲解了TCP三次握手的过程和如何抓取Http数据包,但是我们并没有进行一个数据分析,接下来这篇文章我们将要 ...
    
		
    3. 
						
  3. wireshark  Fiddler抓包分析与解密https  Fiddler修改https请求和响应
		
    Https理论 在说HTTPS之前先说说什么是HTTP,HTTP就是我们平时浏览网页时候使用的一种协议.HTTP协议传输的数据都是未加密的,也就是明文的,因此使用HTTP协议传输隐私信息非常不安全.为 ...
    
		
    4. 
						
  4. 网络:抓包分析dns的原理
		
    DSN理论 DNS是什么 在互联网上有多达到上亿的设备,而这些设备之间互相联通网络,每一台主机都需要一个唯一的标识符(就像是我们每个人都有一张身份证),而这个标识符就是IP地址,由于IP地址是数字,不 ...
    
		
    5. 
						
  5. 网络安全学习第10篇 - ping程序的实现,抓包分析ping数据包以及ping工具对于网络安全方面的威胁
		
    请结合附件:Ping的实现原理与ping.cpp的内容,编写一个程序,使其能够实现简单的ping的功能,即判断目标网站是否可以连接,然后通过Wireshark进行抓包分析其ICMP协议,指出哪个数据包 ...
    
		
    6. 
						
  6. 实验十四:Wireshark数据抓包分析之ARP协议
		
    实验十四:Wireshark数据抓包分析之ARP协议 目录 一.实验目的及要求 二.实验原理 1.什么是ARP 2.ARP工作流程 3.ARP缓存表 三.实验环境 四.实验步骤及内容 实验步骤一 1. ...
    
		
    7. 
						
  7. hls二次加密 m3u8_HLS实战之Wireshark抓包分析
		
    0.引言 Wireshark(前称Ethereal)是一个网络封包分析软件.网络封包分析软件的功能是撷取网络封包,并尽可能显示出最为详细的网络封包资料.Wireshark使用WinPCAP作为接口,直 ...
    
		
    8. 
						
  8. Wireshark数据抓包分析(网络协议篇)1.2安装Wireshark
		
    Wireshark数据抓包分析(网络协议篇)1.2安装Wireshark Wireshark(前称Ethereal)是一个网络包分析工具.该工具主要是用来捕获网络包,并显示包的详细情况.本节将分别介绍 ...
    
		
    9. 
						
  9. Wireshark数据抓包分析(网络协议篇)第1章网络协议抓包概述
		
    Wireshark数据抓包分析(网络协议篇)第1章网络协议抓包概述 网络协议是用于不同计算机之间进行网络通信的.网络协议是网络上所有设备(如网络服务器.计算机.交换机.路由器等)之间通信规则的集合,它 ...
    
		
    10. 
		


					

最新文章
	

    
						
  1. FBI很气愤:黑了CIA的熊孩子又回来了
		
    2. 
						
  2. windows 如何配置 Go 环境(Zip archive 方式)?
		
    3. 
						
  3. 可以插卡的ipad_ipad哪个可以插手机卡上网的?
		
    4. 
						
  4. 在JavaScript文件中读取properties文件的方法
		
    5. 
						
  5. 蒸发器分段设计matlab程序_制冷系统蒸发器过热度控制回路的MATLAB仿真_何煜
		
    6. 
						
  6. 分布式存储图解_BERT的youxiu变体:ALBERT论文图解介绍
		
    7. 
						
  7. 配置设备作为DHCP 服务器(基于接口地址池)
		
    8. 
						
  8. Shell中计算模块 bc的使用
		
    9. 
						
  9. bootstrap checkbox_[推荐]icheck-bootstrap(漂亮的ckeckbox/radiobox)
		
    10. 
						
  10. 2015轻院校赛 H五子棋
		
    11. 
						
  11. java 解密pdf文件_Java 加密和解密PDF文档
		
    12. 
						
  12. red5流媒体服务器安装
		
    13. 
						
  13. 办公室学什么计算机,(计算机)办公室文员、助理都可以学学,留着迟早用得着
		
    14. 
						
  14. php  laravel 下载远程图片
		
    15. 
						
  15. NTFS文件系统结构及文件恢复
		
    16. 
						
  16. 全程不用usb数据线,adb通过网络连接Android设备
		
    17. 
						
  17. 把linux装在移动硬盘上,我将Linux装到了移动硬盘上o(∩_∩)o
		
    18. 
						
  18. 免费论文下载:林巧稚的论文期刊
		
    19. 
						
  19. 增值电信服务费是什么意思_中国移动的增值业务费是什么意思
		
    20. 
						
  20. 意大利卡乐1tool编程软件从模板新建项目
		
    21. 
		

	


热门文章
	

    
									
  1. php下划线长度如何改变,如何制作固定长度下划线(输入文字而长度不变)
			
    2. 
						
  2. c语言中数据的输入输出格式解析
			
    3. 
						
  3. 跟踪事件oracle,Oracle的10046事件跟踪简述
			
    4. 
						
  4. Linux多路复用之select方案
			
    5. 
						
  5. java中byte数组与int类型的转换(两种方式)
			
    6. 
						
  6. 牛皮席为什么和床垫不贴合呢?
			
    7. 
						
  7. 【算法学习】字符串哈希(Hash)
			
    8. 
						
  8. Android Framework目录解析
			
    9. 
						
  9. 最新kali之ike-scan
			
    10. 
						
  10. 更改Oracle默认端口8080(亲测)
			
    11.