-
-
[原创]抖音6.6.0利用反射机制实现hook评论
-
发表于: 2019-6-20 15:53
-
As well as we Know,要做抖音协议一定绕不过as,mas,cp的算法,可是本菜技术水平不够,逆向不出来,于是就换个方法去实现类似功能
第一步:
对抖音评论进行抓包分析
POST https://aweme-hl.snssdk.com/aweme/v1/comment/publish/?ts=1560993297&js_sdk_version=&app_type=normal&os_api=23&device_type=NEM-AL10&device_platform=android&ssmix=a&iid=75849615102&manifest_version_code=660&dpi=480&uuid=862917031213764&version_code=660&app_name=aweme&version_name=6.6.0&openudid=4c4500746477e553&device_id=66373834693&resolution=1080*1812&os_version=6.0&language=zh&device_brand=HONOR&ac=wifi&update_version_code=6602&aid=1128&channel=aweGW&_rticket=1560993297416&mcc_mnc=46011 HTTP/1.1
很明显的关键参数:
comment/publish
第二部抖音脱壳:
抖音6.6.0开始加壳了,用FDex2脱壳得到文件
第二步分析关键位置:
用工具(想用啥工具就用啥工具,我比较喜欢ak)看看代码,找到关键参数的位置:package com.ss.android.ugc.aweme.comment.api;
第四步:分析程序:
publishComment(@Field(a = "aweme_id") String str, @Field(a = "text") String str2, @Field(a = "reply_id") String str3, @Field(a = "text_extra") String str4, @Field(a = "is_self_see") int i, @Field(a = "reply_to_reply_id") String str5, @Field(a = "channel_id") int i2);
我们看到这段代码,再看看包的内容:
很明显了这个就是发送的接口,我们逆向回评论函数:
public static CommentResponse a(String str, String str2, @Nullable String str3, List<TextExtraStruct> list, @Nullable String str4, int i) throws Exception {
List<TextExtraStruct> list2 = list;
Object[] objArr = new Object[6];
objArr[0] = str;
objArr[1] = str2;
objArr[2] = str3;
objArr[3] = list2;
objArr[4] = str4;
objArr[5] = Integer.valueOf(i);
ChangeQuickRedirect changeQuickRedirect = a;
Class[] clsArr = new Class[6];
clsArr[0] = String.class;
clsArr[1] = String.class;
clsArr[2] = String.class;
clsArr[3] = List.class;
clsArr[4] = String.class;
clsArr[5] = Integer.TYPE;
if (PatchProxy.isSupport(objArr, null, changeQuickRedirect, true, 24357, clsArr, CommentResponse.class)) {
objArr = new Object[6];
objArr[0] = str;
objArr[1] = str2;
objArr[2] = str3;
objArr[3] = list2;
objArr[4] = str4;
objArr[5] = Integer.valueOf(i);
ChangeQuickRedirect changeQuickRedirect2 = a;
Class[] clsArr2 = new Class[6];
clsArr2[0] = String.class;
clsArr2[1] = String.class;
clsArr2[2] = String.class;
clsArr2[3] = List.class;
clsArr2[4] = String.class;
clsArr2[5] = Integer.TYPE;
return (CommentResponse) PatchProxy.accessDispatch(objArr, null, changeQuickRedirect2, true, 24357, clsArr2, CommentResponse.class);
}
try {
String str5 = str;
String str6 = str2;
String str7 = str3;
CommentResponse commentResponse = (CommentResponse) ((RealApi) b.create(RealApi.class)).publishComment(str5, str6, str7, r.a().toJson(list2), af.a(), str4, i).get();
commentResponse.comment.setLabelInfo(commentResponse.starFakeLabel);
return commentResponse;
} catch (ExecutionException e) {
throw c.propagateCompatibleException(e);
}
}
public static CommentResponse a(String str, String str2, @Nullable String str3, List<TextExtraStruct> list, @Nullable String str4, int i) throws Exception {
List<TextExtraStruct> list2 = list;
Object[] objArr = new Object[6];
objArr[0] = str;
objArr[1] = str2;
objArr[2] = str3;
objArr[3] = list2;
objArr[4] = str4;
objArr[5] = Integer.valueOf(i);
ChangeQuickRedirect changeQuickRedirect = a;
Class[] clsArr = new Class[6];
clsArr[0] = String.class;
clsArr[1] = String.class;
clsArr[2] = String.class;
clsArr[3] = List.class;
clsArr[4] = String.class;
clsArr[5] = Integer.TYPE;
if (PatchProxy.isSupport(objArr, null, changeQuickRedirect, true, 24357, clsArr, CommentResponse.class)) {
objArr = new Object[6];
objArr[0] = str;
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
666楼主弄到so来用了么
