某鱼自定义协议请求抓包与加密参数分析教学文档<\/h1>

1. 背景介绍<\/h2>
某些淘系APP（如某鱼）使用私有协议（如SPDY）进行网络通信，导致传统抓包工具（如Charles、Fiddler）无法直接抓取数据包。本文档将详细介绍如何绕过该私有协议，并分析其请求参数的生成过程。<\/p>

2. 私有协议绕过方法<\/h2>

2.1 定位私有协议开关<\/h3>

使用jadx打开APK文件<\/li>
搜索关键词"spdy"，可以找到多个与私有协议相关的类和方法<\/li>

查找传入布尔值的函数，这些通常是控制SPDY协议开关的函数<\/li> <\/ol>

2.2 Hook方法<\/h3>

有三种主要Hook方法可以绕过私有协议：<\/p>

Frida Hook<\/strong>：动态修改函数参数<\/li>
Xposed Hook<\/strong>：系统级Hook框架<\/li>

其他Hook框架<\/li> <\/ol>
2.3 具体Hook实现<\/h3>
找到控制SPDY开关的函数后，通过Hook修改传入参数为false，强制使用HTTP协议：<\/p>
\/\/ Frida Hook示例 <\/span><\/span><\/span><\/span>Interceptor<\/span>.attach<\/span>(targetFunction<\/span>, { <\/span><\/span> onEnter<\/span>:<\/span> function<\/span>(args<\/span>) { <\/span><\/span> \/\/ 修改传入参数为false <\/span><\/span><\/span><\/span> args<\/span>[1<\/span>] =<\/span> ptr<\/span>(0<\/span>); \/\/ 假设第二个参数是布尔值 <\/span><\/span><\/span><\/span> } <\/span><\/span>}); <\/span><\/span><\/code><\/pre>3. 请求参数分析<\/h2> 3.1 关键参数识别<\/h3> 成功Hook后，可以在Charles中看到以下关键参数：<\/p> x-t<\/code>：时间戳相关<\/li> x-c-traceid<\/code>：追踪ID<\/li> x-sign<\/code>：签名参数<\/li> x-sgext<\/code>：扩展参数<\/li> x_mini_wua<\/code>：设备信息相关<\/li> x_umt<\/code>：用户标识相关<\/li> <\/ul> 3.2 参数定位方法<\/h3> 修改法<\/strong>：逐个修改或去掉参数，观察请求响应变化<\/li> 比较法<\/strong>：不同请求间比较参数差异<\/li> Hook法<\/strong>：Hook HashMap的put方法，跟踪参数构造过程<\/li> <\/ol> \/\/ Hook HashMap.put方法示例 <\/span><\/span><\/span><\/span>Java<\/span>.perform<\/span>(function<\/span>() { <\/span><\/span> var<\/span> HashMap<\/span> =<\/span> Java<\/span>.use<\/span>("java.util.HashMap"<\/span>); <\/span><\/span> HashMap<\/span>.put<\/span>.implementation<\/span> =<\/span> function<\/span>(key<\/span>, value<\/span>) { <\/span><\/span> if<\/span> (key<\/span>.toString<\/span>().indexOf<\/span>("x-"<\/span>) ===<\/span> 0<\/span>) { <\/span><\/span> console<\/span>.log<\/span>("Header Param: "<\/span> +<\/span> key<\/span> +<\/span> " = "<\/span> +<\/span> value<\/span>); <\/span><\/span> console<\/span>.log<\/span>(Java<\/span>.use<\/span>("android.util.Log"<\/span>).getStackTraceString<\/span>( <\/span><\/span> Java<\/span>.use<\/span>("java.lang.Throwable"<\/span>).$new<\/span>())); <\/span><\/span> } <\/span><\/span> return<\/span> this<\/span>.put<\/span>.call<\/span>(this<\/span>, key<\/span>, value<\/span>); <\/span><\/span> }; <\/span><\/span>}); <\/span><\/span><\/code><\/pre>4. 加密参数生成分析<\/h2> 4.1 定位关键函数<\/h3> 通过堆栈分析发现可疑函数getUnifiedSign<\/code>，这是生成加密参数的核心函数。<\/p> 4.2 Hook关键函数<\/h3> 使用jadx找到getUnifiedSign<\/code>函数，右键选择"复制为Frida片段"快速生成Hook代码：<\/p> Java<\/span>.perform<\/span>(function<\/span>() { <\/span><\/span> var<\/span> targetClass<\/span> =<\/span> Java<\/span>.use<\/span>("com.xxx.xxx.SignUtils"<\/span>); <\/span><\/span> targetClass<\/span>.getUnifiedSign<\/span>.implementation<\/span> =<\/span> function<\/span>(map<\/span>, str<\/span>) { <\/span><\/span> console<\/span>.log<\/span>("getUnifiedSign called with:"<\/span>); <\/span><\/span> console<\/span>.log<\/span>("map: "<\/span> +<\/span> JSON<\/span>.stringify<\/span>(map<\/span>)); <\/span><\/span> console<\/span>.log<\/span>("str: "<\/span> +<\/span> str<\/span>); <\/span><\/span> var<\/span> result<\/span> =<\/span> this<\/span>.getUnifiedSign<\/span>.call<\/span>(this<\/span>, map<\/span>, str<\/span>); <\/span><\/span> console<\/span>.log<\/span>("result: "<\/span> +<\/span> result<\/span>); <\/span><\/span> return<\/span> result<\/span>; <\/span><\/span> }; <\/span><\/span>}); <\/span><\/span><\/code><\/pre>4.3 参数生成方式<\/h3> 有两种方式获取加密参数：<\/p> 逆向分析<\/strong>：分析代码逻辑，逆向出加密算法<\/li> RPC调用<\/strong>：直接调用原函数获取加密参数<\/li> <\/ol> 5. RPC方式实现加密参数生成<\/h2> 5.1 RPC原理<\/h3> RPC（Remote Procedure Call）允许外部程序（如Python）通过Frida调用目标应用内部的函数。<\/p> 5.2 实现步骤<\/h3> 在JS脚本中导出加密函数<\/li> Python构造请求参数<\/li> 通过Frida调用JS导出的函数获取加密参数<\/li> 使用加密参数发起请求<\/li> <\/ol> 5.3 示例代码<\/h3> JS部分（Frida脚本）<\/strong>:<\/p> rpc<\/span>.exports<\/span> =<\/span> { <\/span><\/span> generateSign<\/span>:<\/span> function<\/span>(headerJson<\/span>, dataJson<\/span>) { <\/span><\/span> Java<\/span>.perform<\/span>(function<\/span>() { <\/span><\/span> var<\/span> HashMap<\/span> =<\/span> Java<\/span>.use<\/span>("java.util.HashMap"<\/span>); <\/span><\/span> var<\/span> headerMap<\/span> =<\/span> HashMap<\/span>.$new<\/span>(); <\/span><\/span> for<\/span> (var<\/span> key<\/span> in<\/span> headerJson<\/span>) { <\/span><\/span> headerMap<\/span>.put<\/span>(key<\/span>, headerJson<\/span>[key<\/span>]); <\/span><\/span> } <\/span><\/span> <\/span><\/span> var<\/span> SignUtils<\/span> =<\/span> Java<\/span>.use<\/span>("com.xxx.xxx.SignUtils"<\/span>); <\/span><\/span> var<\/span> result<\/span> =<\/span> SignUtils<\/span>.getUnifiedSign<\/span>(headerMap<\/span>, dataJson<\/span>); <\/span><\/span> return<\/span> result<\/span>; <\/span><\/span> }); <\/span><\/span> } <\/span><\/span>}; <\/span><\/span><\/code><\/pre>Python部分<\/strong>:<\/p> import<\/span> frida <\/span><\/span>import<\/span> json <\/span><\/span>import<\/span> requests <\/span><\/span> <\/span><\/span># 连接Frida<\/span> <\/span><\/span>device =<\/span> frida.<\/span>get_usb_device() <\/span><\/span>session =<\/span> device.<\/span>attach("com.xxx.xxx"<\/span>) <\/span><\/span> <\/span><\/span># 加载JS脚本<\/span> <\/span><\/span>with<\/span> open("script.js"<\/span>, "r"<\/span>) as<\/span> f: <\/span><\/span> js_code =<\/span> f.<\/span>read() <\/span><\/span> <\/span><\/span>script =<\/span> session.<\/span>create_script(js_code) <\/span><\/span>script.<\/span>load() <\/span><\/span> <\/span><\/span># 构造请求参数<\/span> <\/span><\/span>headers =<\/span> { <\/span><\/span> "User-Agent"<\/span>: "xxx"<\/span>, <\/span><\/span> "Content-Type"<\/span>: "application\/json"<\/span> <\/span><\/span>} <\/span><\/span> <\/span><\/span>data =<\/span> { <\/span><\/span> "keyword"<\/span>: "手机"<\/span>, <\/span><\/span> "page"<\/span>: 1<\/span> <\/span><\/span>} <\/span><\/span> <\/span><\/span># 调用RPC获取加密参数<\/span> <\/span><\/span>sign_result =<\/span> script.<\/span>exports.<\/span>generate_sign(headers, json.<\/span>dumps(data)) <\/span><\/span> <\/span><\/span># 更新请求头<\/span> <\/span><\/span>headers.<\/span>update({ <\/span><\/span> "x-sign"<\/span>: sign_result["x-sign"<\/span>], <\/span><\/span> "x-sgext"<\/span>: sign_result["x-sgext"<\/span>], <\/span><\/span> "x_mini_wua"<\/span>: sign_result["x_mini_wua"<\/span>], <\/span><\/span> "x_umt"<\/span>: sign_result["x_umt"<\/span>] <\/span><\/span>}) <\/span><\/span> <\/span><\/span># 发起请求<\/span> <\/span><\/span>response =<\/span> requests.<\/span>post("https:\/\/api.xxx.com\/search"<\/span>, headers=<\/span>headers, json=<\/span>data) <\/span><\/span>print(response.<\/span>text) <\/span><\/span><\/code><\/pre>6. 总结<\/h2> 私有协议绕过<\/strong>：通过Hook SPDY开关函数强制使用HTTP协议<\/li> 参数分析<\/strong>：使用HashMap.put Hook定位关键参数生成位置<\/li> 加密分析<\/strong>：通过Hook getUnifiedSign函数分析加密参数生成<\/li> RPC实现<\/strong>：直接调用原函数获取加密参数，避免逆向算法<\/li> <\/ol> 7. 注意事项<\/h2> 不同版本APP可能使用不同的加密方式，需要重新分析<\/li> 频繁调用RPC可能影响性能，生产环境建议逆向算法<\/li> 注意法律合规性，仅用于安全研究和授权测试<\/li> <\/ol>

某鱼自定义协议请求抓包与加密参数分析教学文档<\/h1>

1. 背景介绍<\/h2> 某些淘系APP（如某鱼）使用私有协议（如SPDY）进行网络通信，导致传统抓包工具（如Charles、Fiddler）无法直接抓取数据包。本文档将详细介绍如何绕过该私有协议，并分析其请求参数的生成过程。<\/p>

2. 私有协议绕过方法<\/h2>

3. 请求参数分析<\/h2>

4. 加密参数生成分析<\/h2>

4.1 定位关键函数<\/h3> 通过堆栈分析发现可疑函数getUnifiedSign<\/code>，这是生成加密参数的核心函数。<\/p>

5. RPC方式实现加密参数生成<\/h2>

5.1 RPC原理<\/h3> RPC（Remote Procedure Call）允许外部程序（如Python）通过Frida调用目标应用内部的函数。<\/p>

7. 注意事项<\/h2> 不同版本APP可能使用不同的加密方式，需要重新分析<\/li> 频繁调用RPC可能影响性能，生产环境建议逆向算法<\/li> 注意法律合规性，仅用于安全研究和授权测试<\/li> <\/ol>

1. 背景介绍<\/h2>
某些淘系APP（如某鱼）使用私有协议（如SPDY）进行网络通信，导致传统抓包工具（如Charles、Fiddler）无法直接抓取数据包。本文档将详细介绍如何绕过该私有协议，并分析其请求参数的生成过程。<\/p>

4.1 定位关键函数<\/h3>
通过堆栈分析发现可疑函数`getUnifiedSign<\/code>，这是生成加密参数的核心函数。<\/p>`

5.1 RPC原理<\/h3>
RPC（Remote Procedure Call）允许外部程序（如Python）通过Frida调用目标应用内部的函数。<\/p>

7. 注意事项<\/h2>

不同版本APP可能使用不同的加密方式，需要重新分析<\/li>
频繁调用RPC可能影响性能，生产环境建议逆向算法<\/li>
注意法律合规性，仅用于安全研究和授权测试<\/li> <\/ol>