阅读此文档的过程中遇到任何问题,请关注公众号【移动端Android和iOS开发技术分享】或加QQ群【309580013

1.目标

由于某多多App现使用longlink进行数据传输,使用charles工具抓包只能抓到https://th.pinduoduo.com/t.gif链接。本文的目则是使用charles等抓包工具能正常抓包

2.操作环境

  • 越狱iPhone一台
  • frida

3.流程

下载最新某多多App。关键词longlink则是我们的切入点,在终端执行frida-trace -U -f com.xunmeng.pinduoduo -m "*[* *ong*ink*]" -M "*[UI* *]" -M "*[_* *]"命令后获取到关键信息列表:

+[AMTitanHelper makesureLongLinkConnect:]: Loaded handler at "/Users/witchan/__handlers__/AMTitanHelper/makesureLongLinkConnect_.js"

-[AMTitanLongLinkInfoManager updateLongLinkStatusInfoWithHost:longLinkStatus:longLinkInfo:]: Loaded handler at "/Users/witchan/__handlers__/AMTitanLongLinkInfoManager/updateLongLinkStatusInfoWithHost_663278c1.js"

-[AMTitanLongLinkInfoManager longLinkStatusInfoDic]: Loaded handler at "/Users/witchan/__handlers__/AMTitanLongLinkInfoManager/longLinkStatusInfoDic.js"

-[AMTitanLongLinkInfoManager setLongLinkStatusInfoDic:]: Loaded handler at "/Users/witchan/__handlers__/AMTitanLongLinkInfoManager/setLongLinkStatusInfoDic_.js"

-[PDDProbeRaceManager longLinkRaceResult:traceId:reportBlock:callback:]: Loaded handler at "/Users/witchan/__handlers__/PDDProbeRaceManager/longLinkRaceResult_traceId_repor_9af8c15b.js"

-[AMTitanNetworkConfig setLonglinkHostConfig:]: Loaded handler at "/Users/witchan/__handlers__/AMTitanNetworkConfig/setLonglinkHostConfig_.js"

-[AMTitanNetworkConfig longlinkHostConfig]: Loaded handler at "/Users/witchan/__handlers__/AMTitanNetworkConfig/longlinkHostConfig.js"

+[PDDNetworkHybrid longLinkErrorCodeMap]: Loaded handler at "/Users/witchan/__handlers__/PDDNetworkHybrid/longLinkErrorCodeMap.js"

-[PddRtc titan:didChangeToConnectionStatus:longLinkInfo:]: Loaded handler at "/Users/witchan/__handlers__/PddRtc/titan_didChangeToConnectionStatu_745d0013.js"

-[PDDWebConfig htmlLongLinkWhiteListFromConfig]: Loaded handler at "/Users/witchan/__handlers__/PDDWebConfig/htmlLongLinkWhiteListFromConfig.js"

-[PDDWebConfig setHtmlLongLinkWhiteList:]: Loaded handler at "/Users/witchan/__handlers__/PDDWebConfig/setHtmlLongLinkWhiteList_.js"

-[PDDWebConfig htmlLongLinkWhiteList]: Loaded handler at "/Users/witchan/__handlers__/PDDWebConfig/htmlLongLinkWhiteList.js"

-[PDDWebViewManager pdd_setProtocolLongLinkEnable:]: Loaded handler at "/Users/witchan/__handlers__/PDDWebViewManager/pdd_setProtocolLongLinkEnable_.js"

-[PDDLiveRoomMicLinkManager registerLongLinkMsgCenter]: Loaded handler at "/Users/witchan/__handlers__/PDDLiveRoomMicLinkManager/registerLongLinkMsgCenter.js"

+[PDDTitanNetworkConfig mainLongLinkBackupIps]: Loaded handler at "/Users/witchan/__handlers__/PDDTitanNetworkConfig/mainLongLinkBackupIps.js"

+[PDDTitanNetworkConfig multicastLongLinkBackupIps]: Loaded handler at "/Users/witchan/__handlers__/PDDTitanNetworkConfig/multicastLongLinkBackupIps.js"

-[AMNetworkInfoManager longLinkInfo]: Loaded handler at "/Users/witchan/__handlers__/AMNetworkInfoManager/longLinkInfo.js"

-[AMNetworkInfoManager setLongLinkInfo:]: Loaded handler at "/Users/witchan/__handlers__/AMNetworkInfoManager/setLongLinkInfo_.js"

+[AMNetworkInfo longLinkInfo]: Loaded handler at "/Users/witchan/__handlers__/AMNetworkInfo/longLinkInfo.js"

+[AMNetworkInfo setLongLinkInfo:]: Loaded handler at "/Users/witchan/__handlers__/AMNetworkInfo/setLongLinkInfo_.js"

-[AMHTTPRequest longLinkDowngrade]: Loaded handler at "/Users/witchan/__handlers__/AMHTTPRequest/longLinkDowngrade.js"

-[AMHTTPRequest setLongLinkDowngrade:]: Loaded handler at "/Users/witchan/__handlers__/AMHTTPRequest/setLongLinkDowngrade_.js"

-[PDDAntManager titan:didChangeToConnectionStatus:longLinkInfo:]: Loaded handler at "/Users/witchan/__handlers__/PDDAntManager/titan_didChangeToConnectionStatu_745d0013.js"

-[PDDApiMetricsBaseInfo setIsLongLinkReceived:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsBaseInfo/setIsLongLinkReceived_.js"

-[PDDApiMetricsBaseInfo setLongLinkVip:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsBaseInfo/setLongLinkVip_.js"

-[PDDApiMetricsBaseInfo setLongLinkErrorCode:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsBaseInfo/setLongLinkErrorCode_.js"

-[PDDApiMetricsBaseInfo setLongLinkType:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsBaseInfo/setLongLinkType_.js"

-[PDDApiMetricsBaseInfo isLongLinkReceived]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsBaseInfo/isLongLinkReceived.js"

-[PDDApiMetricsBaseInfo longLinkVip]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsBaseInfo/longLinkVip.js"

-[PDDApiMetricsBaseInfo longLinkErrorCode]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsBaseInfo/longLinkErrorCode.js"

-[PDDApiMetricsBaseInfo longLinkType]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsBaseInfo/longLinkType.js"

-[PDDApiMetricsCostInfo setLongLinkSendCost:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsCostInfo/setLongLinkSendCost_.js"

-[PDDApiMetricsCostInfo setLongLinkRecvCost:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsCostInfo/setLongLinkRecvCost_.js"

-[PDDApiMetricsCostInfo setLongLinkServerCost:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsCostInfo/setLongLinkServerCost_.js"

-[PDDApiMetricsCostInfo longLinkSendCost]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsCostInfo/longLinkSendCost.js"

-[PDDApiMetricsCostInfo longLinkRecvCost]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsCostInfo/longLinkRecvCost.js"

-[PDDApiMetricsCostInfo setLongLinkNetworkCost:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsCostInfo/setLongLinkNetworkCost_.js"

-[PDDApiMetricsCostInfo longLinkServerCost]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsCostInfo/longLinkServerCost.js"

-[PDDApiMetricsCostInfo longLinkNetworkCost]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsCostInfo/longLinkNetworkCost.js"

-[PDDApiMetricsExtraInfo setLongLinkReportCode:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/setLongLinkReportCode_.js"

-[PDDApiMetricsExtraInfo setLongLinkStatusCode:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/setLongLinkStatusCode_.js"

-[PDDApiMetricsExtraInfo setLongLinkTaskId:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/setLongLinkTaskId_.js"

-[PDDApiMetricsExtraInfo setLongLinkSendSize:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/setLongLinkSendSize_.js"

-[PDDApiMetricsExtraInfo setLonglinkReceiveSize:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/setLonglinkReceiveSize_.js"

-[PDDApiMetricsExtraInfo setLongLinkForeground:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/setLongLinkForeground_.js"

-[PDDApiMetricsExtraInfo setLongLinkUrl:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/setLongLinkUrl_.js"

-[PDDApiMetricsExtraInfo longLinkReportCode]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/longLinkReportCode.js"

-[PDDApiMetricsExtraInfo longLinkStatusCode]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/longLinkStatusCode.js"

-[PDDApiMetricsExtraInfo isLongLinkForeground]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/isLongLinkForeground.js"

-[PDDApiMetricsExtraInfo longLinkSendSize]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/longLinkSendSize.js"

-[PDDApiMetricsExtraInfo longlinkReceiveSize]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/longlinkReceiveSize.js"

-[PDDApiMetricsExtraInfo longLinkTaskId]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/longLinkTaskId.js"

-[PDDApiMetricsExtraInfo longLinkUrl]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/longLinkUrl.js"

-[PDDApiWaitLonglinkConfig isWaitLonglink:method:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiWaitLonglinkConfig/isWaitLonglink_method_.js"

-[AMTitan updateLongLinkHostWhiteList:]: Loaded handler at "/Users/witchan/__handlers__/AMTitan/updateLongLinkHostWhiteList_.js"

-[AMTitan updateLongLinkUriBlackList:]: Loaded handler at "/Users/witchan/__handlers__/AMTitan/updateLongLinkUriBlackList_.js"

-[AMTitan isLongLinkConnected]: Loaded handler at "/Users/witchan/__handlers__/AMTitan/isLongLinkConnected.js"

-[AMTitan makesureLongLinkConnect:]: Loaded handler at "/Users/witchan/__handlers__/AMTitan/makesureLongLinkConnect_.js"

-[AMTitan reportStatusChange:longLinkInfo:]: Loaded handler at "/Users/witchan/__handlers__/AMTitan/reportStatusChange_longLinkInfo_.js"

-[AMTitan onConnectStatusChange:longLinkStatus:longLinkInfo:]: Loaded handler at "/Users/witchan/__handlers__/AMTitan/onConnectStatusChange_longLinkSt_c4a1163e.js"

-[AMTitanBaseRequest setWaitLonglink:]: Loaded handler at "/Users/witchan/__handlers__/AMTitanBaseRequest/setWaitLonglink_.js"

-[AMTitanBaseRequest waitLonglink]: Loaded handler at "/Users/witchan/__handlers__/AMTitanBaseRequest/waitLonglink.js"

-[AMTitanStnCallback reportConnectStatus:longLinkStatus:longLinkInfo:]: Loaded handler at "/Users/witchan/__handlers__/AMTitanStnCallback/reportConnectStatus_longLinkStat_1d404d83.js"

-[AMTitanTask setWaitLonglink:]: Loaded handler at "/Users/witchan/__handlers__/AMTitanTask/setWaitLonglink_.js"

-[AMTitanTask waitLonglink]: Loaded handler at "/Users/witchan/__handlers__/AMTitanTask/waitLonglink.js"

+[AMTitanTransferUtil transferToLongLinkInfo:]: Loaded handler at "/Users/witchan/__handlers__/AMTitanTransferUtil/transferToLongLinkInfo_.js"

经过一层层筛查打印以上方法的入参和返回值,当修改到[AMTitan updateLongLinkHostWhiteList:]方法时,输出的日志参数,引起了我们的注意,updateLongLinkHostWhiteList_.js代码如下:

{

  onEnter(log, args, state) {

    log(`-[AMTitan updateLongLinkHostWhiteList:${new ObjC.Object(args[2])}]`);

  },

  onLeave(log, retval, state) {

    log(`-[AMTitan updateLongLinkHostWhiteList:]=${new ObjC.Object(retval)}=`);

  }

}

日志输出如下:

-[AMTitan updateLongLinkHostWhiteList:(

    "apiv2.yangkeduo.com",

    "apiv3.yangkeduo.com",

    "apiv4.yangkeduo.com",

    "apiv2.hutaojie.com",

    "meta.yangkeduo.com",

    "api.pinduoduo.com",

    "api.yangkeduo.com",

    "apiv5.yangkeduo.com",

    "mobile.yangkeduo.com",

    "meta.pinduoduo.com",

    "m.pinduoduo.net",

    "api-cj.pinduoduo.com",

    "api-isp.pinduoduo.com",

    "risk-data-clean-api.risk.ft.srv.pdd.net"

)]

-[AMTitan updateLongLinkHostWhiteList:]=(

    "apiv2.yangkeduo.com",

    "apiv3.yangkeduo.com",

    "apiv4.yangkeduo.com",

    "apiv2.hutaojie.com",

    "meta.yangkeduo.com",

    "api.pinduoduo.com",

    "api.yangkeduo.com",

    "apiv5.yangkeduo.com",

    "mobile.yangkeduo.com",

    "meta.pinduoduo.com",

    "m.pinduoduo.net",

    "api-cj.pinduoduo.com",

    "api-isp.pinduoduo.com",

    "risk-data-clean-api.risk.ft.srv.pdd.net"

)=

发现关键信息api*.yangkeduo.com,根据方法updateLongLinkHostWhiteList,发现这极有可能是LongLink的接口列表。修改刚的js代码为:

{

  onEnter(log, args, state) {

    args[2] = ObjC.classes.NSMutableArray.array(); // 修改入参为空数组

    log(`-[AMTitan updateLongLinkHostWhiteList:${new ObjC.Object(args[2])}]`);

  },

  onLeave(log, retval, state) {

    log(`-[AMTitan updateLongLinkHostWhiteList:]=${new ObjC.Object(retval)}=`);

  }

}

这时,抓包正常工作,结果如下:

End

阅读此文档的过程中遇到任何问题,请关注公众号【移动端Android和iOS开发技术分享】或加QQ群【309580013

iOS逆向之某多多App抓包的更多相关文章

  1. scrapy之手机app抓包爬虫

    手机App抓包爬虫 1. items.py class DouyuspiderItem(scrapy.Item): name = scrapy.Field()# 存储照片的名字 imagesUrls ...

  2. APP 抓包(应用层)

    0x01 前言: app抓包是逆向协议的前提,也是一个爬虫工程师的基本要求,最近发现这块知识非常欠缺就抓紧补补了(我太菜了) 然后接下来是通过vpn将流量导出到抓包软件的方式,而不是通过wifi设置代 ...

  3. Fiddler和app抓包

    1:请在“运行”,即下面这个地方输入certmgr.msc并回车,打开证书管理. 打开后,请点击操作--查找证书,如下所示: 然后输入“fiddler”查找所有相关证书,如下所示: 可以看到,我们找到 ...

  4. Fiddler 网页采集抓包利器__手机app抓包

    用curl技术开发了一个微信文章聚合类产品,把抓取到的数据转换成json格式,并在android端调用json数据接口加以显示: 基于weiphp做了一个掌上头条插件,也是用的网页采集技术:和一个创业 ...

  5. Scrapy——6 APP抓包—scrapy框架下载图片

    Scrapy——6 怎样进行APP抓包 scrapy框架抓取APP豆果美食数据 怎样用scrapy框架下载图片 怎样用scrapy框架去下载斗鱼APP的图片? Scrapy创建下载图片常见那些问题 怎 ...

  6. 猫眼电影App抓包获取评论数据接口

     之前在CSDN程序人生公众号上看到了这篇文章<邪不压正>评分持续走低,上万条网友评论揭秘,是救救姜文还是救救观众?,文中提到了通过抓包猫眼App发现了评论的数据接口:http://m.m ...

  7. APP 抓包-fiddler

    App抓包原理 客户端向服务器发起HTTPS请求 抓包工具拦截客户端的请求,伪装成客户端向服务器进行请求 服务器向客户端(实际上是抓包工具)返回服务器的CA证书 抓包工具拦截服务器的响应,获取服务器证 ...

  8. 【破解APP抓包限制】Xposed+JustTrustMe关闭SSL证书验证!

    转载:https://www.jianshu.com/p/310d930dd62f 1 前言 这篇文章主要想解决的问题是,在对安卓手机APP抓包时,出现的HTTPS报文通过MITM代理后证书不被信任的 ...

  9. fiddler抓包+安卓机 完成手机app抓包的配置 遇到的一些问题

    fiddler抓包+安卓模拟器完成手机app抓包的配置:fiddler抓包+雷电模拟器 完成手机app抓包的配置 其实在安卓真机上弄比在虚拟机上弄更麻烦一点,它们的步骤都差不多一样,就是在安卓真机上弄 ...

  10. Fiddler+雷电模拟器进行APP抓包

    1.下载最新版Fiddler,强烈建议在官网下载:https://www.telerik.com/download/fiddler 2. 正常傻瓜式安装,下一步,下一步,安装完毕后,先不用急于打开软件 ...

随机推荐

  1. VS Code中Markdown常用插件

    目录 目录 1.Markdown All in One 2.Markdown Preview Enhanced 3.markdownlint 1.Markdown All in One 自动生成目录 ...

  2. 【原创】K8S环境下研发如何本地调试?kt-connect使用详解

    K8S环境下研发如何本地调试?kt-connect使用详解 背景 注:背景有点啰嗦,讲讲一路走来研发本地调试的变化,嫌烦的可以直接跳过,不影响阅读. 2019年 我在的公司当时是个什么情况,只有两个J ...

  3. Spring Boot2配置Swagger2生成API接口文档

    一.Swagger2介绍 前后端分离开发模式中,api文档是最好的沟通方式. Swagger 是一个规范和完整的框架,用于生成.描述.调用和可视化 RESTful 风格的 Web 服务. 及时性 (接 ...

  4. winform,水晶报表制作

    1.安装最新的 SP:(SP 29 示例 – https://origin.softwaredownloads.sap.com/public/file/0020000001636412020) 2.新 ...

  5. 升级Windows 2003域控制器到Windows 2012 R2

    由于Windows 2003包括R2的扩展支持在今年7月14日就会过期.如果在扩展周期结束之前没有和微软签订昂贵服务协议,那么系统将得不到任何补丁和技术支持. 我这里准备了两台测试用的机器做这个实验. ...

  6. 永恒之蓝(MS17-010)漏洞复现

    1. 漏洞介绍 永恒之蓝: 恒之蓝是指2017年4月14日晚,黑客团体Shadow Brokers(影子经纪人)公布一大批网络攻击工具,其中包含"永恒之蓝"工具,"永恒之 ...

  7. 【微服务】- 配置中心 - Nacos

    微服务 - 配置中心 - Nacos 一个有梦有戏的人 @怒放吧德德 分享学习心得,欢迎指正,大家一起学习成长! 今天的学习任务就是学习使用Nacos作为配置中心. 努力克制自己,拒绝摆烂! 什么是配 ...

  8. Elastic: 如何在阿里云上构建Elastic集群

  9. 几篇关于MySQL数据同步到Elasticsearch的文章---第二篇:canal 实现Mysql到Elasticsearch实时增量同步

    文章转载自: https://mp.weixin.qq.com/s?__biz=MzI2NDY1MTA3OQ==&mid=2247484377&idx=1&sn=199bc88 ...

  10. 中国数字化是怎么转型成新范式TOP 50的?

    我不大认可"中国数字化转型成新范式TOP 50"的,确切的说,照着"中国数字化转型新范式TOP 50"做转型,大概率失败,对中国企业数字化转型的帮助甚微 ,尤其 ...