阅读此文档的过程中遇到任何问题,请关注公众号【移动端Android和iOS开发技术分享】或加QQ群【309580013

1.目标

由于某多多App现使用longlink进行数据传输,使用charles工具抓包只能抓到https://th.pinduoduo.com/t.gif链接。本文的目则是使用charles等抓包工具能正常抓包

2.操作环境

  • 越狱iPhone一台
  • frida

3.流程

下载最新某多多App。关键词longlink则是我们的切入点,在终端执行frida-trace -U -f com.xunmeng.pinduoduo -m "*[* *ong*ink*]" -M "*[UI* *]" -M "*[_* *]"命令后获取到关键信息列表:

+[AMTitanHelper makesureLongLinkConnect:]: Loaded handler at "/Users/witchan/__handlers__/AMTitanHelper/makesureLongLinkConnect_.js"

-[AMTitanLongLinkInfoManager updateLongLinkStatusInfoWithHost:longLinkStatus:longLinkInfo:]: Loaded handler at "/Users/witchan/__handlers__/AMTitanLongLinkInfoManager/updateLongLinkStatusInfoWithHost_663278c1.js"

-[AMTitanLongLinkInfoManager longLinkStatusInfoDic]: Loaded handler at "/Users/witchan/__handlers__/AMTitanLongLinkInfoManager/longLinkStatusInfoDic.js"

-[AMTitanLongLinkInfoManager setLongLinkStatusInfoDic:]: Loaded handler at "/Users/witchan/__handlers__/AMTitanLongLinkInfoManager/setLongLinkStatusInfoDic_.js"

-[PDDProbeRaceManager longLinkRaceResult:traceId:reportBlock:callback:]: Loaded handler at "/Users/witchan/__handlers__/PDDProbeRaceManager/longLinkRaceResult_traceId_repor_9af8c15b.js"

-[AMTitanNetworkConfig setLonglinkHostConfig:]: Loaded handler at "/Users/witchan/__handlers__/AMTitanNetworkConfig/setLonglinkHostConfig_.js"

-[AMTitanNetworkConfig longlinkHostConfig]: Loaded handler at "/Users/witchan/__handlers__/AMTitanNetworkConfig/longlinkHostConfig.js"

+[PDDNetworkHybrid longLinkErrorCodeMap]: Loaded handler at "/Users/witchan/__handlers__/PDDNetworkHybrid/longLinkErrorCodeMap.js"

-[PddRtc titan:didChangeToConnectionStatus:longLinkInfo:]: Loaded handler at "/Users/witchan/__handlers__/PddRtc/titan_didChangeToConnectionStatu_745d0013.js"

-[PDDWebConfig htmlLongLinkWhiteListFromConfig]: Loaded handler at "/Users/witchan/__handlers__/PDDWebConfig/htmlLongLinkWhiteListFromConfig.js"

-[PDDWebConfig setHtmlLongLinkWhiteList:]: Loaded handler at "/Users/witchan/__handlers__/PDDWebConfig/setHtmlLongLinkWhiteList_.js"

-[PDDWebConfig htmlLongLinkWhiteList]: Loaded handler at "/Users/witchan/__handlers__/PDDWebConfig/htmlLongLinkWhiteList.js"

-[PDDWebViewManager pdd_setProtocolLongLinkEnable:]: Loaded handler at "/Users/witchan/__handlers__/PDDWebViewManager/pdd_setProtocolLongLinkEnable_.js"

-[PDDLiveRoomMicLinkManager registerLongLinkMsgCenter]: Loaded handler at "/Users/witchan/__handlers__/PDDLiveRoomMicLinkManager/registerLongLinkMsgCenter.js"

+[PDDTitanNetworkConfig mainLongLinkBackupIps]: Loaded handler at "/Users/witchan/__handlers__/PDDTitanNetworkConfig/mainLongLinkBackupIps.js"

+[PDDTitanNetworkConfig multicastLongLinkBackupIps]: Loaded handler at "/Users/witchan/__handlers__/PDDTitanNetworkConfig/multicastLongLinkBackupIps.js"

-[AMNetworkInfoManager longLinkInfo]: Loaded handler at "/Users/witchan/__handlers__/AMNetworkInfoManager/longLinkInfo.js"

-[AMNetworkInfoManager setLongLinkInfo:]: Loaded handler at "/Users/witchan/__handlers__/AMNetworkInfoManager/setLongLinkInfo_.js"

+[AMNetworkInfo longLinkInfo]: Loaded handler at "/Users/witchan/__handlers__/AMNetworkInfo/longLinkInfo.js"

+[AMNetworkInfo setLongLinkInfo:]: Loaded handler at "/Users/witchan/__handlers__/AMNetworkInfo/setLongLinkInfo_.js"

-[AMHTTPRequest longLinkDowngrade]: Loaded handler at "/Users/witchan/__handlers__/AMHTTPRequest/longLinkDowngrade.js"

-[AMHTTPRequest setLongLinkDowngrade:]: Loaded handler at "/Users/witchan/__handlers__/AMHTTPRequest/setLongLinkDowngrade_.js"

-[PDDAntManager titan:didChangeToConnectionStatus:longLinkInfo:]: Loaded handler at "/Users/witchan/__handlers__/PDDAntManager/titan_didChangeToConnectionStatu_745d0013.js"

-[PDDApiMetricsBaseInfo setIsLongLinkReceived:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsBaseInfo/setIsLongLinkReceived_.js"

-[PDDApiMetricsBaseInfo setLongLinkVip:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsBaseInfo/setLongLinkVip_.js"

-[PDDApiMetricsBaseInfo setLongLinkErrorCode:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsBaseInfo/setLongLinkErrorCode_.js"

-[PDDApiMetricsBaseInfo setLongLinkType:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsBaseInfo/setLongLinkType_.js"

-[PDDApiMetricsBaseInfo isLongLinkReceived]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsBaseInfo/isLongLinkReceived.js"

-[PDDApiMetricsBaseInfo longLinkVip]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsBaseInfo/longLinkVip.js"

-[PDDApiMetricsBaseInfo longLinkErrorCode]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsBaseInfo/longLinkErrorCode.js"

-[PDDApiMetricsBaseInfo longLinkType]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsBaseInfo/longLinkType.js"

-[PDDApiMetricsCostInfo setLongLinkSendCost:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsCostInfo/setLongLinkSendCost_.js"

-[PDDApiMetricsCostInfo setLongLinkRecvCost:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsCostInfo/setLongLinkRecvCost_.js"

-[PDDApiMetricsCostInfo setLongLinkServerCost:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsCostInfo/setLongLinkServerCost_.js"

-[PDDApiMetricsCostInfo longLinkSendCost]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsCostInfo/longLinkSendCost.js"

-[PDDApiMetricsCostInfo longLinkRecvCost]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsCostInfo/longLinkRecvCost.js"

-[PDDApiMetricsCostInfo setLongLinkNetworkCost:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsCostInfo/setLongLinkNetworkCost_.js"

-[PDDApiMetricsCostInfo longLinkServerCost]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsCostInfo/longLinkServerCost.js"

-[PDDApiMetricsCostInfo longLinkNetworkCost]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsCostInfo/longLinkNetworkCost.js"

-[PDDApiMetricsExtraInfo setLongLinkReportCode:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/setLongLinkReportCode_.js"

-[PDDApiMetricsExtraInfo setLongLinkStatusCode:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/setLongLinkStatusCode_.js"

-[PDDApiMetricsExtraInfo setLongLinkTaskId:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/setLongLinkTaskId_.js"

-[PDDApiMetricsExtraInfo setLongLinkSendSize:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/setLongLinkSendSize_.js"

-[PDDApiMetricsExtraInfo setLonglinkReceiveSize:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/setLonglinkReceiveSize_.js"

-[PDDApiMetricsExtraInfo setLongLinkForeground:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/setLongLinkForeground_.js"

-[PDDApiMetricsExtraInfo setLongLinkUrl:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/setLongLinkUrl_.js"

-[PDDApiMetricsExtraInfo longLinkReportCode]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/longLinkReportCode.js"

-[PDDApiMetricsExtraInfo longLinkStatusCode]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/longLinkStatusCode.js"

-[PDDApiMetricsExtraInfo isLongLinkForeground]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/isLongLinkForeground.js"

-[PDDApiMetricsExtraInfo longLinkSendSize]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/longLinkSendSize.js"

-[PDDApiMetricsExtraInfo longlinkReceiveSize]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/longlinkReceiveSize.js"

-[PDDApiMetricsExtraInfo longLinkTaskId]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/longLinkTaskId.js"

-[PDDApiMetricsExtraInfo longLinkUrl]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/longLinkUrl.js"

-[PDDApiWaitLonglinkConfig isWaitLonglink:method:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiWaitLonglinkConfig/isWaitLonglink_method_.js"

-[AMTitan updateLongLinkHostWhiteList:]: Loaded handler at "/Users/witchan/__handlers__/AMTitan/updateLongLinkHostWhiteList_.js"

-[AMTitan updateLongLinkUriBlackList:]: Loaded handler at "/Users/witchan/__handlers__/AMTitan/updateLongLinkUriBlackList_.js"

-[AMTitan isLongLinkConnected]: Loaded handler at "/Users/witchan/__handlers__/AMTitan/isLongLinkConnected.js"

-[AMTitan makesureLongLinkConnect:]: Loaded handler at "/Users/witchan/__handlers__/AMTitan/makesureLongLinkConnect_.js"

-[AMTitan reportStatusChange:longLinkInfo:]: Loaded handler at "/Users/witchan/__handlers__/AMTitan/reportStatusChange_longLinkInfo_.js"

-[AMTitan onConnectStatusChange:longLinkStatus:longLinkInfo:]: Loaded handler at "/Users/witchan/__handlers__/AMTitan/onConnectStatusChange_longLinkSt_c4a1163e.js"

-[AMTitanBaseRequest setWaitLonglink:]: Loaded handler at "/Users/witchan/__handlers__/AMTitanBaseRequest/setWaitLonglink_.js"

-[AMTitanBaseRequest waitLonglink]: Loaded handler at "/Users/witchan/__handlers__/AMTitanBaseRequest/waitLonglink.js"

-[AMTitanStnCallback reportConnectStatus:longLinkStatus:longLinkInfo:]: Loaded handler at "/Users/witchan/__handlers__/AMTitanStnCallback/reportConnectStatus_longLinkStat_1d404d83.js"

-[AMTitanTask setWaitLonglink:]: Loaded handler at "/Users/witchan/__handlers__/AMTitanTask/setWaitLonglink_.js"

-[AMTitanTask waitLonglink]: Loaded handler at "/Users/witchan/__handlers__/AMTitanTask/waitLonglink.js"

+[AMTitanTransferUtil transferToLongLinkInfo:]: Loaded handler at "/Users/witchan/__handlers__/AMTitanTransferUtil/transferToLongLinkInfo_.js"

经过一层层筛查打印以上方法的入参和返回值,当修改到[AMTitan updateLongLinkHostWhiteList:]方法时,输出的日志参数,引起了我们的注意,updateLongLinkHostWhiteList_.js代码如下:

{

  onEnter(log, args, state) {

    log(`-[AMTitan updateLongLinkHostWhiteList:${new ObjC.Object(args[2])}]`);

  },

  onLeave(log, retval, state) {

    log(`-[AMTitan updateLongLinkHostWhiteList:]=${new ObjC.Object(retval)}=`);

  }

}

日志输出如下:

-[AMTitan updateLongLinkHostWhiteList:(

    "apiv2.yangkeduo.com",

    "apiv3.yangkeduo.com",

    "apiv4.yangkeduo.com",

    "apiv2.hutaojie.com",

    "meta.yangkeduo.com",

    "api.pinduoduo.com",

    "api.yangkeduo.com",

    "apiv5.yangkeduo.com",

    "mobile.yangkeduo.com",

    "meta.pinduoduo.com",

    "m.pinduoduo.net",

    "api-cj.pinduoduo.com",

    "api-isp.pinduoduo.com",

    "risk-data-clean-api.risk.ft.srv.pdd.net"

)]

-[AMTitan updateLongLinkHostWhiteList:]=(

    "apiv2.yangkeduo.com",

    "apiv3.yangkeduo.com",

    "apiv4.yangkeduo.com",

    "apiv2.hutaojie.com",

    "meta.yangkeduo.com",

    "api.pinduoduo.com",

    "api.yangkeduo.com",

    "apiv5.yangkeduo.com",

    "mobile.yangkeduo.com",

    "meta.pinduoduo.com",

    "m.pinduoduo.net",

    "api-cj.pinduoduo.com",

    "api-isp.pinduoduo.com",

    "risk-data-clean-api.risk.ft.srv.pdd.net"

)=

发现关键信息api*.yangkeduo.com,根据方法updateLongLinkHostWhiteList,发现这极有可能是LongLink的接口列表。修改刚的js代码为:

{

  onEnter(log, args, state) {

    args[2] = ObjC.classes.NSMutableArray.array(); // 修改入参为空数组

    log(`-[AMTitan updateLongLinkHostWhiteList:${new ObjC.Object(args[2])}]`);

  },

  onLeave(log, retval, state) {

    log(`-[AMTitan updateLongLinkHostWhiteList:]=${new ObjC.Object(retval)}=`);

  }

}

这时,抓包正常工作,结果如下:

End

阅读此文档的过程中遇到任何问题,请关注公众号【移动端Android和iOS开发技术分享】或加QQ群【309580013

iOS逆向之某多多App抓包的更多相关文章

  1. scrapy之手机app抓包爬虫

    手机App抓包爬虫 1. items.py class DouyuspiderItem(scrapy.Item): name = scrapy.Field()# 存储照片的名字 imagesUrls ...

  2. APP 抓包(应用层)

    0x01 前言: app抓包是逆向协议的前提,也是一个爬虫工程师的基本要求,最近发现这块知识非常欠缺就抓紧补补了(我太菜了) 然后接下来是通过vpn将流量导出到抓包软件的方式,而不是通过wifi设置代 ...

  3. Fiddler和app抓包

    1:请在“运行”,即下面这个地方输入certmgr.msc并回车,打开证书管理. 打开后,请点击操作--查找证书,如下所示: 然后输入“fiddler”查找所有相关证书,如下所示: 可以看到,我们找到 ...

  4. Fiddler 网页采集抓包利器__手机app抓包

    用curl技术开发了一个微信文章聚合类产品,把抓取到的数据转换成json格式,并在android端调用json数据接口加以显示: 基于weiphp做了一个掌上头条插件,也是用的网页采集技术:和一个创业 ...

  5. Scrapy——6 APP抓包—scrapy框架下载图片

    Scrapy——6 怎样进行APP抓包 scrapy框架抓取APP豆果美食数据 怎样用scrapy框架下载图片 怎样用scrapy框架去下载斗鱼APP的图片? Scrapy创建下载图片常见那些问题 怎 ...

  6. 猫眼电影App抓包获取评论数据接口

     之前在CSDN程序人生公众号上看到了这篇文章<邪不压正>评分持续走低,上万条网友评论揭秘,是救救姜文还是救救观众?,文中提到了通过抓包猫眼App发现了评论的数据接口:http://m.m ...

  7. APP 抓包-fiddler

    App抓包原理 客户端向服务器发起HTTPS请求 抓包工具拦截客户端的请求,伪装成客户端向服务器进行请求 服务器向客户端(实际上是抓包工具)返回服务器的CA证书 抓包工具拦截服务器的响应,获取服务器证 ...

  8. 【破解APP抓包限制】Xposed+JustTrustMe关闭SSL证书验证!

    转载:https://www.jianshu.com/p/310d930dd62f 1 前言 这篇文章主要想解决的问题是,在对安卓手机APP抓包时,出现的HTTPS报文通过MITM代理后证书不被信任的 ...

  9. fiddler抓包+安卓机 完成手机app抓包的配置 遇到的一些问题

    fiddler抓包+安卓模拟器完成手机app抓包的配置:fiddler抓包+雷电模拟器 完成手机app抓包的配置 其实在安卓真机上弄比在虚拟机上弄更麻烦一点,它们的步骤都差不多一样,就是在安卓真机上弄 ...

  10. Fiddler+雷电模拟器进行APP抓包

    1.下载最新版Fiddler,强烈建议在官网下载:https://www.telerik.com/download/fiddler 2. 正常傻瓜式安装,下一步,下一步,安装完毕后,先不用急于打开软件 ...

随机推荐

  1. Currtid 函数与性能问题

    对于Oracle ,一条tuple 的 rowid正常是不会变化的(引发row movement的操作除外,如:跨分区迁移update,表收缩),因此,应用设计上可以方便的使用rowid,加快访问速度 ...

  2. Linux 压缩、解压缩命令

    Linux 压缩.解压缩命令 tar 语法命令 tar [options-] [files] options: 选择 描述 -A 追加tar文件至归档 -c 创建一个新文档 -d 找出归档和文件系统的 ...

  3. 将生成的Debug文件中的exe文件添加图标

    制作.ico图片地址:https://www.bitbug.net/

  4. CentOS 7.x 升级OpenSSH

    升级SSH 存在中断风险,如果SSH 升级失败将会导致终端无法登录,建议在使用本地虚拟机进行测试后对线上生产环境进行升级操作!!! 三级等保评测中对主机进行漏洞扫描发现linux主机存在高危漏洞,查看 ...

  5. 从nuxt开始的SEO之路

    故事从一个"美好"的早上开始...... 大清早的来到公司,打开电脑,emm, 还是熟悉的味道,鱼儿被我摸熟了的味道......就在开始准备一天的摸鱼之旅的时候,一种不详的预感涌上 ...

  6. PAT (Basic Level) Practice 1033 旧键盘打字 分数 20

    旧键盘上坏了几个键,于是在敲一段文字的时候,对应的字符就不会出现.现在给出应该输入的一段文字.以及坏掉的那些键,打出的结果文字会是怎样? 输入格式: 输入在 2 行中分别给出坏掉的那些键.以及应该输入 ...

  7. 工厂里懂得mes和erp有发展吗?

    在工厂里懂得MES.ERP肯定有发展啊,现在数字化转型.智能制造正当时,ERP.MES之类的系统是刚需,只是不同工厂启动的早晚有别,使用的系统不相同而已,但知识体系.逻辑.理念等大都是相通的.比如你熟 ...

  8. 影响 erp 系统实施成功的因素是什么?

    影响ERP系统实施成功的因素很多,主要有以下几点:企业一把手是否大力支持.实施顾问是否专业负责.ERP系统是否强大灵活且适用三个方面!没有企业一把手的大力支持,ERP的应用基本上不可能获得成功.ERP ...

  9. LeetCode题目答案及理解汇总(持续更新)

    面试算法题 dfs相关 全排列 #include<bits/stdc++.h> using namespace std; const int N = 10; //用一个path数组来存储每 ...

  10. 齐博x2向上滚动特效

    要实现图中圈起来的向上滚动特效,大家可以参考下面的代码 <!--滚动开始--> <style type="text/css"> .auto-roll{ he ...