There are dry goods!
A long time ago, I made a live broadcast app (Grapefruit) to get the barrage of the live broadcast room. I took advantage of my spare time to write about the reverse process. This APP needs to log in to enter the live broadcast room!
1. Grab the package first
After logging in to your account, grab the package that enters the live broadcast room. If you enter a few more live broadcast rooms, you will find this package will come out when you enter the live broadcast room:
A ws request is made every time you enter the live broadcast room, so there is reason to suspect that entering the live broadcast room is done through the tcp protocol.
2. Reverse APK source code
Drag the apk into jadx, based on experience, we directly search for the sendMessage keyword (ws sends the protocol data through sendMessage), and we find it:
Now that you have found it, read through the code of the PlayerMessageManager class, and you will find these things:
AndWebSocket, DanmuBean...It is determined that the ws management class and the barrage acquisition entry have not run, of course, you can also hook to determine further.
In the class, we find the function to obtain an instance of PlayerMessageManager:
The passed-in parameter has a LoginInfoEntity object. Click to enter and see that it is some information about the user's login:
At this time, we grab the data of the login interface, and the required information is in the returned data:
3. Write code
We buckle down the PlayerMessageManager and associated classes directly, and then send to establish a ws link and send a request to see:
After sending data through ws, only one encKey is returned. After tracking the code, it is found that roomLimit needs to be obtained according to this encKey and then sent to the server again:
In this way, the barrage data can be obtained smoothly, and it's over!
The reverse engineering of this app is relatively simple, individual keys are in the so layer, but it is not difficult to obtain them. My vx:YY_yhzf