version: 23.9
X-SS=STUB:
搜索:x-tt-dt
var hashMap = Java.use("java.util.HashMap");
hashMap.put.implementation = function (a, b) {
console.log("hashMap.put: ", a, b);
return this.put(a, b);
}
https://codeooo.blog.csdn.net//article/details/120025814
jscode = """
Java.perform(function () {
var hashMap = Java.use("java.util.HashMap");
hashMap.put.implementation = function (a, b) {
console.log("hashMap.put: ", a, b);
return this.put(a, b);
}
});
"""
先降级抓包:
// frida -U -l proxy.js -no-pause -f com.ss.android.ugc.aweme
setImmediate(function () {
Java.perform(function () {
var targetClass = 'org.chromium.CronetClient';
var methodName = 'tryCreateCronetEngine';
var gclass = Java.use(targetClass);
gclass[methodName].overload('android.content.Context', 'boolean', 'boolean', 'boolean', 'boolean', 'java.lang.String', 'java.util.concurrent.Executor', 'boolean').implementation = function (arg0, arg1, arg2, arg3, arg4, arg5, arg6, arg7) {
}
});
Java.perform(function () {
let a = Java.use("ms.bd.c.j2$a");
var TreeMap = Java.use('java.util.TreeMap');
var HashMap = Java.use('java.util.HashMap');
a["onCallToAddSecurityFactor"].implementation = function (str, map) {
console.log(`a.onCallToAddSecurityFactor is called: str=${str}, map=${Java.cast(map, TreeMap).toString()}`);
let result = this["onCallToAddSecurityFactor"](str, map);
console.log("result:" + Java.cast(result, HashMap).toString());
return result;
};
});
});
import frida
import sys
jscode = """
Java.perform(function () {
var hashMap = Java.use("java.util.HashMap");
hashMap.put.implementation = function (a, b) {
console.log("hashMap.put: ", a, b);
if(a.equals("X-Ladon")){
console.log("=================================================");
console.log("hashMap.put: ", a, b);
console.log(Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Throwable").$new()));
}
return this.put(a, b);
}
});
"""
def message(msg, data):
if msg["type"] == 'send':
print("[*] {0}".format(msg['payload']))
else:
print(msg)
# 指定要附加的设备app
# com.ss.android.ugc.aweme
process = frida.get_usb_device().attach('抖音')
#
script = process.create_script(jscode)
script.on("message", message)
script.load()
sys.stdin.read()
rpc:
# -*- coding: utf-8 -*-
# @Author : Codeooo
# @Time : 2023-07-14
import hashlib
import frida, sys, time
from urllib.parse import quote
keyword = quote("商品")
now_time = int(time.time())
jsCode = """
function a_liz(str, map) {
var result = "";
var Map = Java.use("java.util.TreeMap").$new();
var HashMap = Java.use("java.util.HashMap").$new();
// var strObj = Java.use('java.lang.String').$new();
var strArray = new Array();
strArray = map.split(",");
for (var i = 0; i < strArray.length; i++) {
var List = Java.use('java.util.ArrayList').$new();
var key = strArray[i].split("=")[0];
List.add(strArray[i].split("=")[1].replace("[", "").replace("]", ""));
Map.put(key, List);
}
// console.log(Map);
Java.perform(function () {
Java.choose("ms.bd.c.j2$a", {
onMatch: function (obj) {
result = Java.cast(obj.onCallToAddSecurityFactor(str, Map), HashMap).toString();
},
onComplete: function () {
console.log("end");
}
});
})
return result;
}
rpc.exports = {
encrypt: a_liz,
};
"""
data = f"keyword={keyword}&offset=0&count=12&source=video_search&from_user=&search_source=normal_search&is_pull_refresh=0&hot_search=0&search_id=&query_correct_type=1&is_filter_search=0&sort_type=0&publish_time=0&search_range=0&enter_from=homepage_hot&backtrace=&user_avatar_shrink=64_64&video_cover_shrink=372_496&rs_word_count=6&location_permission=0&need_filter_settings=0&enable_history=1"
X_SS_STUB = hashlib.md5(data.encode()).hexdigest().upper()
str = "https://aweme.snssdk.com/aweme/v1/general/search/stream/xxxxxxxxx"
map = "accept-encoding=[gzip], activity_now_client=[1681462266302], cookie=[store-region=cn-js; store-region-src=did; install_id=3732170013938503; ttreq=1$3d3ed40a54b302113f09f78bcadee4bf1be05acb; odin_tt=ff258b7589c691a89eeeea8fe0a412ff9eb167536130a2f7f57b3db418cb21c8e07dca0a2066b08237cdee7ab88847fa3b2b3f0b5765f7530308aa98a9a38115491c5071a3c0e73951d81dc245a17660; msToken=68aMp02Fs6w7X8bVU3nJfd9qwNG6N13ZsdWWlrW2vn86oDmrygIJDgKZ-OpB9Sp7GZqEMrRXGmSihg1QkZVd_1OuGHX45WsCEtojly9p4DM=; MONITOR_WEB_ID=20416beb-e7d6-44c7-9070-30ebbd0ff8db], passport-sdk-version=[20356], sdk-version=[2], x-ss-req-ticket=[1681462264870], x-ss-stub=[094A2062302E33904E611337243B1623], x-tt-dt=[AAATGDCFDGLWM6RUIPRDT7RBJKJQ32W3VGYDKYRVKCFJW5UDBNZ72B2X7Y35PYZJFKSXKI5R4QHROINCK6FL4SRGJB2FOK5WTG35CRXQGCO2LA2JJZGKSXJ4UKQC26LUAEOARSZCWRY32G7NUH32VDQ], x-vc-bdturing-sdk-version=[2.2.1.cn]"
# data = [a1, a2, a3, a4, a5]
process = frida.get_device_manager().add_remote_device().attach('抖音')
script = process.create_script(jsCode)
script.load()
result = script.exports.encrypt(str, map)
print(result)
sys.stdin.read()
