
记一次某音最新绕过抓包

流星 9 0 昨天 18:06
本帖最后由 流星 于 2026-3-19 18:28 编辑

环境信息:
  1. - 小米 8
  2. - 某音 33.9.0
  3. - Frida 14.2.18
  4. - proxypin
检测逻辑位于 libsscronet.so,先在设备上定位该文件:
  1. find . -name "libsscronet.so"
  2. ./data/app/com.ss.android.ugc.aweme-37K6HvwIcmQ9AOWj7nGCSA==/lib/arm64/libsscronet.so
com.ss.android.ugc.aweme.lite 为抖音极速版
com.ss.android.ugc.aweme.live 为抖音火山版
com.ss.android.ugc.aweme 为抖音主应用
----------------------------------------------------------
做法:把 sub_3C7968 patch 成直接 return 0。
这个函数是所有验证的终点站!无论中间 sub_3C75C8、sub_3F2364 等函数怎么检查,最终都要调用 sub_3C7968 来返回结果。

只要最后 return 0,整个 SSL 握手就认为是成功的。
patch 之后直接替换 so 文件。
也可以不改文件,用下面的 frida 脚本在运行时把该函数的返回值改成 0(偏移 0x3C7968 应只对应上面环境中的这个版本,换版本需要重新确认):
  /**
   * Frida agent from the write-up, with the obfuscator's string table and
   * decoder (_0x103c / _0x38c4) resolved to the literals they produced.
   *
   * Flow: watch android_dlopen_ext for a path containing "libsscronet", then,
   * 100 ms later, attach to libsscronet.so at base + 0x3c7968 (the routine the
   * write-up calls sub_3C7968) and force its return value to 0 on exit.
   *
   * Review notes:
   *  - 0x3c7968 is a raw offset, not an exported symbol; presumably it only
   *    matches the arm64 libsscronet.so build listed in the post's
   *    environment. On another build the hook would land on unrelated code,
   *    so confirm the offset against the binary first.
   *  - Per the write-up, a 0 return makes the TLS handshake count as
   *    verified, so while the hook is active the instrumented process has no
   *    server authentication on connections that go through this library.
   *  - The 100 ms delay is not synchronised with library initialisation;
   *    apply_bypass() returns without logging if the module is not mapped yet.
   */

  /**
   * Hooks android_dlopen_ext and schedules apply_bypass() whenever the path
   * being loaded contains "libsscronet".
   */
  function hook_dlopen() {
    const dlopenExt = Module.findExportByName(null, 'android_dlopen_ext');

    Interceptor.attach(dlopenExt, {
      onEnter: function (args) {
        // args[0] is read as the library path string.
        const pathArg = args[0];
        if (pathArg === undefined || pathArg == null) {
          return;
        }

        const libPath = ptr(pathArg).readCString();
        if (!libPath || !libPath.includes('libsscronet')) {
          return;
        }

        console.log('\n[+] ' + libPath);
        // The hook fires on entry to dlopen, before the module is mapped,
        // so the attach is deferred by 100 ms.
        setTimeout(apply_bypass, 100);
      }
    });
  }

  /**
   * Attaches to libsscronet.so at base + 0x3c7968 and rewrites the return
   * value to 0 on every exit, logging the original value when it was non-zero.
   */
  function apply_bypass() {
    const cronet = Process.findModuleByName('libsscronet.so');
    if (!cronet) {
      return;
    }

    const target = cronet.base.add(0x3c7968);
    console.log('[+] Hooking sub_3C7968 at: ' + target);

    Interceptor.attach(target, {
      onLeave: function (retval) {
        const original = retval.toInt32();
        if (original !== 0) {
          console.log('[sub_3C7968] ' + original + ' -> 0');
        }
        retval.replace(ptr(0));
      }
    });

    console.log('[+] SSL bypass applied!\n');
  }

  hook_dlopen();

免责声明:
本人所有文章均为技术分享,以学习和防御为目的进行记录,所有操作均在实验环境下进行,请勿用于其他用途,否则后果自负。
