1
2
3
4
5
6
7
8
9
10
11
12
13
14
SELECT h.schema_name,
h.table_name,
h.id AS table_id,
h.associated_table_prefix,
row_estimate.row_estimate
FROM _timescaledb_catalog.hypertable h
CROSS JOIN LATERAL (
SELECT SUM(cl.reltuples) AS row_estimate
FROM _timescaledb_catalog.chunk c
JOIN pg_class cl ON cl.relname = c.table_name
WHERE c.hypertable_id = h.id
GROUP BY h.schema_name, h.table_name
) row_estimate
ORDER BY schema_name, row_estimate DESC, table_name;

首先从 miyoushe 官网下载 apk,然后使用 jadx 反编译 apk。

文章 中可知生成 DS 算法的位置位于 com.mihoyo.hyperion.net 包内,

使用 jadx 打开到对应目录,可以找到 bbbbb.a2222aaaaa.a2222aaaaa.b5555,分别为 DS1 DS2 的算法实现。

预览

右键方法名,选择 Find Usage,可以看到对应的实现。

预览 预览 预览

可以看到 DS LK2 K2 相关的加密算法,通过相关函数输入到 bbbbb.a2222 方法中,找到函数的参数,即为 salt

预览

下面以 DS 为例,把传入 bbbbb.a2222 方法的方法与参数拷贝出来,稍加修改,得到下面的代码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
import java.util.ArrayList;
import java.util.Collection;

public class Main {

public static void main(String[] args) {
System.out.println(f1(f276382k));
}

public static final int[] f276382k = {192, -74, 180, 222, 90, 198, -177147, -84, -66, 126, 168, 156, 186, 66, -88, -4782969, 126, 216, -98, -118, -88, -4782969, -86, 180, 216, 102, 156, 126, -100, -59049, -177147, 198};

public static String f1(int[] iArr) {
int i11;
StringBuilder sb2 = new StringBuilder();
ArrayList<Number> arrayList = new ArrayList(iArr.length);
for (int i12 : iArr) {
if (i12 < 0) {
i11 = ((double) (-i12)) >= Math.pow(3.0d, 6.0d) ? (int) (((Math.log(-i12) / Math.log(3.0d)) - 6) + 48) : ~i12;
} else {
i11 = (i12 / 3) + 48;
}
arrayList.add(Integer.valueOf(i11));
}
ArrayList arrayList2 = new ArrayList(Z(arrayList, 10));
for (Number number : arrayList) {
sb2.append((char) number.intValue());
arrayList2.add(sb2);
}
String sb3 = sb2.toString();
return sb3;
}

public static final <T> int Z(Iterable<? extends T> iterable, int i11) {
return iterable instanceof Collection ? ((Collection) iterable).size() : i11;
}

}

运行后得到 pIlzNr5SAZhdnFW8ZxauW8UlxRdZc45r 即为 salt,带入到相关 api 验证一下,成功。

Ref

  • https://github.com/skylot/jadx
  • https://github.com/UIGF-org/mihoyo-api-collect/issues/1
  • https://github.com/Azure99/GenshinPlayerQuery/issues/20

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
# htk-inject-system-cert.sh
set -e # Fail on error
# Create a separate temp directory, to hold the current certificates
# Without this, when we add the mount we can't read the current certs anymore.
mkdir -m 700 /data/local/tmp/htk-ca-copy
# Copy out the existing certificates
cp /system/etc/security/cacerts/* /data/local/tmp/htk-ca-copy/
# Create the in-memory mount on top of the system certs folder
mount -t tmpfs tmpfs /system/etc/security/cacerts
# Copy the existing certs back into the tmpfs mount, so we keep trusting them
mv /data/local/tmp/htk-ca-copy/* /system/etc/security/cacerts/
# Copy our new cert in, so we trust that too
# cp /data/local/tmp/c88f7ed0.0 /system/etc/security/cacerts/
cp /data/misc/user/0/cacerts-added/* /system/etc/security/cacerts/
# Update the perms & selinux context labels, so everything is as readable as before
chown root:root /system/etc/security/cacerts/*
chmod 644 /system/etc/security/cacerts/*
chcon u:object_r:system_file:s0 /system/etc/security/cacerts/*
# Delete the temp cert directory & this script itself
rm -r /data/local/tmp/htk-ca-copy
# rm ${injectionScriptPath}
echo "System cert successfully injected"
  • ref: http://91fans.com.cn/post/certificate/#gsc.tab=0