阅读此文档的过程中遇到任何问题,请关注公众号【移动端Android和iOS开发技术分享】或加QQ群【309580013

1.目标

由于某多多App现使用longlink进行数据传输,使用charles工具抓包只能抓到https://th.pinduoduo.com/t.gif链接。本文的目则是使用charles等抓包工具能正常抓包

2.操作环境

  • 越狱iPhone一台
  • frida

3.流程

下载最新某多多App。关键词longlink则是我们的切入点,在终端执行frida-trace -U -f com.xunmeng.pinduoduo -m "*[* *ong*ink*]" -M "*[UI* *]" -M "*[_* *]"命令后获取到关键信息列表:

+[AMTitanHelper makesureLongLinkConnect:]: Loaded handler at "/Users/witchan/__handlers__/AMTitanHelper/makesureLongLinkConnect_.js"

-[AMTitanLongLinkInfoManager updateLongLinkStatusInfoWithHost:longLinkStatus:longLinkInfo:]: Loaded handler at "/Users/witchan/__handlers__/AMTitanLongLinkInfoManager/updateLongLinkStatusInfoWithHost_663278c1.js"

-[AMTitanLongLinkInfoManager longLinkStatusInfoDic]: Loaded handler at "/Users/witchan/__handlers__/AMTitanLongLinkInfoManager/longLinkStatusInfoDic.js"

-[AMTitanLongLinkInfoManager setLongLinkStatusInfoDic:]: Loaded handler at "/Users/witchan/__handlers__/AMTitanLongLinkInfoManager/setLongLinkStatusInfoDic_.js"

-[PDDProbeRaceManager longLinkRaceResult:traceId:reportBlock:callback:]: Loaded handler at "/Users/witchan/__handlers__/PDDProbeRaceManager/longLinkRaceResult_traceId_repor_9af8c15b.js"

-[AMTitanNetworkConfig setLonglinkHostConfig:]: Loaded handler at "/Users/witchan/__handlers__/AMTitanNetworkConfig/setLonglinkHostConfig_.js"

-[AMTitanNetworkConfig longlinkHostConfig]: Loaded handler at "/Users/witchan/__handlers__/AMTitanNetworkConfig/longlinkHostConfig.js"

+[PDDNetworkHybrid longLinkErrorCodeMap]: Loaded handler at "/Users/witchan/__handlers__/PDDNetworkHybrid/longLinkErrorCodeMap.js"

-[PddRtc titan:didChangeToConnectionStatus:longLinkInfo:]: Loaded handler at "/Users/witchan/__handlers__/PddRtc/titan_didChangeToConnectionStatu_745d0013.js"

-[PDDWebConfig htmlLongLinkWhiteListFromConfig]: Loaded handler at "/Users/witchan/__handlers__/PDDWebConfig/htmlLongLinkWhiteListFromConfig.js"

-[PDDWebConfig setHtmlLongLinkWhiteList:]: Loaded handler at "/Users/witchan/__handlers__/PDDWebConfig/setHtmlLongLinkWhiteList_.js"

-[PDDWebConfig htmlLongLinkWhiteList]: Loaded handler at "/Users/witchan/__handlers__/PDDWebConfig/htmlLongLinkWhiteList.js"

-[PDDWebViewManager pdd_setProtocolLongLinkEnable:]: Loaded handler at "/Users/witchan/__handlers__/PDDWebViewManager/pdd_setProtocolLongLinkEnable_.js"

-[PDDLiveRoomMicLinkManager registerLongLinkMsgCenter]: Loaded handler at "/Users/witchan/__handlers__/PDDLiveRoomMicLinkManager/registerLongLinkMsgCenter.js"

+[PDDTitanNetworkConfig mainLongLinkBackupIps]: Loaded handler at "/Users/witchan/__handlers__/PDDTitanNetworkConfig/mainLongLinkBackupIps.js"

+[PDDTitanNetworkConfig multicastLongLinkBackupIps]: Loaded handler at "/Users/witchan/__handlers__/PDDTitanNetworkConfig/multicastLongLinkBackupIps.js"

-[AMNetworkInfoManager longLinkInfo]: Loaded handler at "/Users/witchan/__handlers__/AMNetworkInfoManager/longLinkInfo.js"

-[AMNetworkInfoManager setLongLinkInfo:]: Loaded handler at "/Users/witchan/__handlers__/AMNetworkInfoManager/setLongLinkInfo_.js"

+[AMNetworkInfo longLinkInfo]: Loaded handler at "/Users/witchan/__handlers__/AMNetworkInfo/longLinkInfo.js"

+[AMNetworkInfo setLongLinkInfo:]: Loaded handler at "/Users/witchan/__handlers__/AMNetworkInfo/setLongLinkInfo_.js"

-[AMHTTPRequest longLinkDowngrade]: Loaded handler at "/Users/witchan/__handlers__/AMHTTPRequest/longLinkDowngrade.js"

-[AMHTTPRequest setLongLinkDowngrade:]: Loaded handler at "/Users/witchan/__handlers__/AMHTTPRequest/setLongLinkDowngrade_.js"

-[PDDAntManager titan:didChangeToConnectionStatus:longLinkInfo:]: Loaded handler at "/Users/witchan/__handlers__/PDDAntManager/titan_didChangeToConnectionStatu_745d0013.js"

-[PDDApiMetricsBaseInfo setIsLongLinkReceived:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsBaseInfo/setIsLongLinkReceived_.js"

-[PDDApiMetricsBaseInfo setLongLinkVip:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsBaseInfo/setLongLinkVip_.js"

-[PDDApiMetricsBaseInfo setLongLinkErrorCode:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsBaseInfo/setLongLinkErrorCode_.js"

-[PDDApiMetricsBaseInfo setLongLinkType:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsBaseInfo/setLongLinkType_.js"

-[PDDApiMetricsBaseInfo isLongLinkReceived]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsBaseInfo/isLongLinkReceived.js"

-[PDDApiMetricsBaseInfo longLinkVip]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsBaseInfo/longLinkVip.js"

-[PDDApiMetricsBaseInfo longLinkErrorCode]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsBaseInfo/longLinkErrorCode.js"

-[PDDApiMetricsBaseInfo longLinkType]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsBaseInfo/longLinkType.js"

-[PDDApiMetricsCostInfo setLongLinkSendCost:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsCostInfo/setLongLinkSendCost_.js"

-[PDDApiMetricsCostInfo setLongLinkRecvCost:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsCostInfo/setLongLinkRecvCost_.js"

-[PDDApiMetricsCostInfo setLongLinkServerCost:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsCostInfo/setLongLinkServerCost_.js"

-[PDDApiMetricsCostInfo longLinkSendCost]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsCostInfo/longLinkSendCost.js"

-[PDDApiMetricsCostInfo longLinkRecvCost]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsCostInfo/longLinkRecvCost.js"

-[PDDApiMetricsCostInfo setLongLinkNetworkCost:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsCostInfo/setLongLinkNetworkCost_.js"

-[PDDApiMetricsCostInfo longLinkServerCost]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsCostInfo/longLinkServerCost.js"

-[PDDApiMetricsCostInfo longLinkNetworkCost]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsCostInfo/longLinkNetworkCost.js"

-[PDDApiMetricsExtraInfo setLongLinkReportCode:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/setLongLinkReportCode_.js"

-[PDDApiMetricsExtraInfo setLongLinkStatusCode:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/setLongLinkStatusCode_.js"

-[PDDApiMetricsExtraInfo setLongLinkTaskId:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/setLongLinkTaskId_.js"

-[PDDApiMetricsExtraInfo setLongLinkSendSize:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/setLongLinkSendSize_.js"

-[PDDApiMetricsExtraInfo setLonglinkReceiveSize:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/setLonglinkReceiveSize_.js"

-[PDDApiMetricsExtraInfo setLongLinkForeground:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/setLongLinkForeground_.js"

-[PDDApiMetricsExtraInfo setLongLinkUrl:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/setLongLinkUrl_.js"

-[PDDApiMetricsExtraInfo longLinkReportCode]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/longLinkReportCode.js"

-[PDDApiMetricsExtraInfo longLinkStatusCode]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/longLinkStatusCode.js"

-[PDDApiMetricsExtraInfo isLongLinkForeground]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/isLongLinkForeground.js"

-[PDDApiMetricsExtraInfo longLinkSendSize]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/longLinkSendSize.js"

-[PDDApiMetricsExtraInfo longlinkReceiveSize]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/longlinkReceiveSize.js"

-[PDDApiMetricsExtraInfo longLinkTaskId]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/longLinkTaskId.js"

-[PDDApiMetricsExtraInfo longLinkUrl]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/longLinkUrl.js"

-[PDDApiWaitLonglinkConfig isWaitLonglink:method:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiWaitLonglinkConfig/isWaitLonglink_method_.js"

-[AMTitan updateLongLinkHostWhiteList:]: Loaded handler at "/Users/witchan/__handlers__/AMTitan/updateLongLinkHostWhiteList_.js"

-[AMTitan updateLongLinkUriBlackList:]: Loaded handler at "/Users/witchan/__handlers__/AMTitan/updateLongLinkUriBlackList_.js"

-[AMTitan isLongLinkConnected]: Loaded handler at "/Users/witchan/__handlers__/AMTitan/isLongLinkConnected.js"

-[AMTitan makesureLongLinkConnect:]: Loaded handler at "/Users/witchan/__handlers__/AMTitan/makesureLongLinkConnect_.js"

-[AMTitan reportStatusChange:longLinkInfo:]: Loaded handler at "/Users/witchan/__handlers__/AMTitan/reportStatusChange_longLinkInfo_.js"

-[AMTitan onConnectStatusChange:longLinkStatus:longLinkInfo:]: Loaded handler at "/Users/witchan/__handlers__/AMTitan/onConnectStatusChange_longLinkSt_c4a1163e.js"

-[AMTitanBaseRequest setWaitLonglink:]: Loaded handler at "/Users/witchan/__handlers__/AMTitanBaseRequest/setWaitLonglink_.js"

-[AMTitanBaseRequest waitLonglink]: Loaded handler at "/Users/witchan/__handlers__/AMTitanBaseRequest/waitLonglink.js"

-[AMTitanStnCallback reportConnectStatus:longLinkStatus:longLinkInfo:]: Loaded handler at "/Users/witchan/__handlers__/AMTitanStnCallback/reportConnectStatus_longLinkStat_1d404d83.js"

-[AMTitanTask setWaitLonglink:]: Loaded handler at "/Users/witchan/__handlers__/AMTitanTask/setWaitLonglink_.js"

-[AMTitanTask waitLonglink]: Loaded handler at "/Users/witchan/__handlers__/AMTitanTask/waitLonglink.js"

+[AMTitanTransferUtil transferToLongLinkInfo:]: Loaded handler at "/Users/witchan/__handlers__/AMTitanTransferUtil/transferToLongLinkInfo_.js"

经过一层层筛查打印以上方法的入参和返回值,当修改到[AMTitan updateLongLinkHostWhiteList:]方法时,输出的日志参数,引起了我们的注意,updateLongLinkHostWhiteList_.js代码如下:

{

  onEnter(log, args, state) {

    log(`-[AMTitan updateLongLinkHostWhiteList:${new ObjC.Object(args[2])}]`);

  },

  onLeave(log, retval, state) {

    log(`-[AMTitan updateLongLinkHostWhiteList:]=${new ObjC.Object(retval)}=`);

  }

}

日志输出如下:

-[AMTitan updateLongLinkHostWhiteList:(

    "apiv2.yangkeduo.com",

    "apiv3.yangkeduo.com",

    "apiv4.yangkeduo.com",

    "apiv2.hutaojie.com",

    "meta.yangkeduo.com",

    "api.pinduoduo.com",

    "api.yangkeduo.com",

    "apiv5.yangkeduo.com",

    "mobile.yangkeduo.com",

    "meta.pinduoduo.com",

    "m.pinduoduo.net",

    "api-cj.pinduoduo.com",

    "api-isp.pinduoduo.com",

    "risk-data-clean-api.risk.ft.srv.pdd.net"

)]

-[AMTitan updateLongLinkHostWhiteList:]=(

    "apiv2.yangkeduo.com",

    "apiv3.yangkeduo.com",

    "apiv4.yangkeduo.com",

    "apiv2.hutaojie.com",

    "meta.yangkeduo.com",

    "api.pinduoduo.com",

    "api.yangkeduo.com",

    "apiv5.yangkeduo.com",

    "mobile.yangkeduo.com",

    "meta.pinduoduo.com",

    "m.pinduoduo.net",

    "api-cj.pinduoduo.com",

    "api-isp.pinduoduo.com",

    "risk-data-clean-api.risk.ft.srv.pdd.net"

)=

发现关键信息api*.yangkeduo.com,根据方法updateLongLinkHostWhiteList,发现这极有可能是LongLink的接口列表。修改刚的js代码为:

{

  onEnter(log, args, state) {

    args[2] = ObjC.classes.NSMutableArray.array(); // 修改入参为空数组

    log(`-[AMTitan updateLongLinkHostWhiteList:${new ObjC.Object(args[2])}]`);

  },

  onLeave(log, retval, state) {

    log(`-[AMTitan updateLongLinkHostWhiteList:]=${new ObjC.Object(retval)}=`);

  }

}

这时,抓包正常工作,结果如下:

End

阅读此文档的过程中遇到任何问题,请关注公众号【移动端Android和iOS开发技术分享】或加QQ群【309580013

iOS逆向之某多多App抓包的更多相关文章

  1. scrapy之手机app抓包爬虫

    手机App抓包爬虫 1. items.py class DouyuspiderItem(scrapy.Item): name = scrapy.Field()# 存储照片的名字 imagesUrls ...

  2. APP 抓包(应用层)

    0x01 前言: app抓包是逆向协议的前提,也是一个爬虫工程师的基本要求,最近发现这块知识非常欠缺就抓紧补补了(我太菜了) 然后接下来是通过vpn将流量导出到抓包软件的方式,而不是通过wifi设置代 ...

  3. Fiddler和app抓包

    1:请在“运行”,即下面这个地方输入certmgr.msc并回车,打开证书管理. 打开后,请点击操作--查找证书,如下所示: 然后输入“fiddler”查找所有相关证书,如下所示: 可以看到,我们找到 ...

  4. Fiddler 网页采集抓包利器__手机app抓包

    用curl技术开发了一个微信文章聚合类产品,把抓取到的数据转换成json格式,并在android端调用json数据接口加以显示: 基于weiphp做了一个掌上头条插件,也是用的网页采集技术:和一个创业 ...

  5. Scrapy——6 APP抓包—scrapy框架下载图片

    Scrapy——6 怎样进行APP抓包 scrapy框架抓取APP豆果美食数据 怎样用scrapy框架下载图片 怎样用scrapy框架去下载斗鱼APP的图片? Scrapy创建下载图片常见那些问题 怎 ...

  6. 猫眼电影App抓包获取评论数据接口

     之前在CSDN程序人生公众号上看到了这篇文章<邪不压正>评分持续走低,上万条网友评论揭秘,是救救姜文还是救救观众?,文中提到了通过抓包猫眼App发现了评论的数据接口:http://m.m ...

  7. APP 抓包-fiddler

    App抓包原理 客户端向服务器发起HTTPS请求 抓包工具拦截客户端的请求,伪装成客户端向服务器进行请求 服务器向客户端(实际上是抓包工具)返回服务器的CA证书 抓包工具拦截服务器的响应,获取服务器证 ...

  8. 【破解APP抓包限制】Xposed+JustTrustMe关闭SSL证书验证!

    转载:https://www.jianshu.com/p/310d930dd62f 1 前言 这篇文章主要想解决的问题是,在对安卓手机APP抓包时,出现的HTTPS报文通过MITM代理后证书不被信任的 ...

  9. fiddler抓包+安卓机 完成手机app抓包的配置 遇到的一些问题

    fiddler抓包+安卓模拟器完成手机app抓包的配置:fiddler抓包+雷电模拟器 完成手机app抓包的配置 其实在安卓真机上弄比在虚拟机上弄更麻烦一点,它们的步骤都差不多一样,就是在安卓真机上弄 ...

  10. Fiddler+雷电模拟器进行APP抓包

    1.下载最新版Fiddler,强烈建议在官网下载:https://www.telerik.com/download/fiddler 2. 正常傻瓜式安装,下一步,下一步,安装完毕后,先不用急于打开软件 ...

随机推荐

  1. 超详细的格式化输出(format的基本玩法)

    一.format的基本玩法 一.什么是format format是字符串内嵌(字符串内嵌:字符串中再嵌套字符串,加入双引号或单引号)的一个方法,用于格式化字符串.以大括号{}来标明被替换的字符串 fo ...

  2. 如何干涉MySQL优化器使用hash join

    GreatSQL社区原创内容未经授权不得随意使用,转载请联系小编并注明来源. GreatSQL是MySQL的国产分支版本,使用上与MySQL一致. 前言 实验 总结 前言 数据库的优化器相当于人类的大 ...

  3. 我的Vue之旅、01 深入Flexbox布局完全指南

    花了几个小时整合的"A Complete Guide to Flexbox"最新版本,介绍了flexbox的所有属性,外带几个实用的例子. 传统布局.Flexbox 布局的传统解决 ...

  4. Compass- 图形化界面客户端

    到MongoDB官网下载MongoDB Compass, 地址: https://www.mongodb.com/download-center/v2/compass?initial=true 如果是 ...

  5. Java调用C++动态链接库——Jni

    最近项目需要,将C++的算法工程编译成动态链接库,交给 Java后台当作函数库调用.就去了解了下Jni.使用起来还是比较方便的. 1.  首先编写Java的调用类.例如:    public clas ...

  6. 引入Wukong让你的系统瞬间具备IOC能力

    [Github源码] 本文重点要说的是如何通过引入Wukong第三方包让自己的系统能够拥有IOC容器能力,但在具体讲解步骤之前,还是想先简单的介绍一下什么是IOC以及它存在的意义:同时也就能清楚Wuk ...

  7. csv2ECharts,**一行命令查看数据趋势图 工具分享**

    csv2ECharts 一行命令查看数据趋势图! 联系:luomgf@163.com,欢迎交流提出建议 只有一个文件,基于shell,实现将CSV格式数据转化为数据图.运维中尝尝需要查看某个监控指标的 ...

  8. display:block 和display:inline-block的区别和用法

    1).块状元素:(div,p,form,ul,ol,li) ,独占一行,默认情况width为100% 2).行内块状元素:(span,img,a),不会独占一行,相邻的元素一直排在同一行,排满了才会换 ...

  9. P3998 [SHOI2013]发微博 方法记录

    原题链接 [SHOI2013]发微博 题目描述 刚开通的 SH 微博共有 \(n\) 个用户(\(1\sim n\) 标号),在这短短一个月的时间内,用户们活动频繁,共有 \(m\) 条按时间顺序的记 ...

  10. AspNetCore中 使用 Grpc 简单Demo

    为什么要用Grpc 跨语言进行,调用服务,获取跨服务器调用等 目前我的需要使用 我的抓取端是go 写的 查询端用 Net6 写的 导致很多时候 我需要把一些临时数据写入到 Redis 在两个服务器进行 ...