iOS逆向之某多多App抓包
2024-05-29 07:06:45
阅读此文档的过程中遇到任何问题,请关注公众号【移动端Android和iOS开发技术分享】或加QQ群【309580013】
1.目标
由于某多多App现使用longlink进行数据传输,使用charles工具抓包只能抓到https://th.pinduoduo.com/t.gif链接。本文的目的则是使用charles等抓包工具能正常抓包
2.操作环境
越狱iPhone一台
frida
3.流程
下载最新某多多App。关键词longlink则是我们的切入点,在终端执行frida-trace -U -f com.xunmeng.pinduoduo -m "*[* *ong*ink*]" -M "*[UI* *]" -M "*[_* *]"命令后获取到关键信息列表:
+[AMTitanHelper makesureLongLinkConnect:]: Loaded handler at "/Users/witchan/__handlers__/AMTitanHelper/makesureLongLinkConnect_.js"
-[AMTitanLongLinkInfoManager updateLongLinkStatusInfoWithHost:longLinkStatus:longLinkInfo:]: Loaded handler at "/Users/witchan/__handlers__/AMTitanLongLinkInfoManager/updateLongLinkStatusInfoWithHost_663278c1.js"
-[AMTitanLongLinkInfoManager longLinkStatusInfoDic]: Loaded handler at "/Users/witchan/__handlers__/AMTitanLongLinkInfoManager/longLinkStatusInfoDic.js"
-[AMTitanLongLinkInfoManager setLongLinkStatusInfoDic:]: Loaded handler at "/Users/witchan/__handlers__/AMTitanLongLinkInfoManager/setLongLinkStatusInfoDic_.js"
-[PDDProbeRaceManager longLinkRaceResult:traceId:reportBlock:callback:]: Loaded handler at "/Users/witchan/__handlers__/PDDProbeRaceManager/longLinkRaceResult_traceId_repor_9af8c15b.js"
-[AMTitanNetworkConfig setLonglinkHostConfig:]: Loaded handler at "/Users/witchan/__handlers__/AMTitanNetworkConfig/setLonglinkHostConfig_.js"
-[AMTitanNetworkConfig longlinkHostConfig]: Loaded handler at "/Users/witchan/__handlers__/AMTitanNetworkConfig/longlinkHostConfig.js"
+[PDDNetworkHybrid longLinkErrorCodeMap]: Loaded handler at "/Users/witchan/__handlers__/PDDNetworkHybrid/longLinkErrorCodeMap.js"
-[PddRtc titan:didChangeToConnectionStatus:longLinkInfo:]: Loaded handler at "/Users/witchan/__handlers__/PddRtc/titan_didChangeToConnectionStatu_745d0013.js"
-[PDDWebConfig htmlLongLinkWhiteListFromConfig]: Loaded handler at "/Users/witchan/__handlers__/PDDWebConfig/htmlLongLinkWhiteListFromConfig.js"
-[PDDWebConfig setHtmlLongLinkWhiteList:]: Loaded handler at "/Users/witchan/__handlers__/PDDWebConfig/setHtmlLongLinkWhiteList_.js"
-[PDDWebConfig htmlLongLinkWhiteList]: Loaded handler at "/Users/witchan/__handlers__/PDDWebConfig/htmlLongLinkWhiteList.js"
-[PDDWebViewManager pdd_setProtocolLongLinkEnable:]: Loaded handler at "/Users/witchan/__handlers__/PDDWebViewManager/pdd_setProtocolLongLinkEnable_.js"
-[PDDLiveRoomMicLinkManager registerLongLinkMsgCenter]: Loaded handler at "/Users/witchan/__handlers__/PDDLiveRoomMicLinkManager/registerLongLinkMsgCenter.js"
+[PDDTitanNetworkConfig mainLongLinkBackupIps]: Loaded handler at "/Users/witchan/__handlers__/PDDTitanNetworkConfig/mainLongLinkBackupIps.js"
+[PDDTitanNetworkConfig multicastLongLinkBackupIps]: Loaded handler at "/Users/witchan/__handlers__/PDDTitanNetworkConfig/multicastLongLinkBackupIps.js"
-[AMNetworkInfoManager longLinkInfo]: Loaded handler at "/Users/witchan/__handlers__/AMNetworkInfoManager/longLinkInfo.js"
-[AMNetworkInfoManager setLongLinkInfo:]: Loaded handler at "/Users/witchan/__handlers__/AMNetworkInfoManager/setLongLinkInfo_.js"
+[AMNetworkInfo longLinkInfo]: Loaded handler at "/Users/witchan/__handlers__/AMNetworkInfo/longLinkInfo.js"
+[AMNetworkInfo setLongLinkInfo:]: Loaded handler at "/Users/witchan/__handlers__/AMNetworkInfo/setLongLinkInfo_.js"
-[AMHTTPRequest longLinkDowngrade]: Loaded handler at "/Users/witchan/__handlers__/AMHTTPRequest/longLinkDowngrade.js"
-[AMHTTPRequest setLongLinkDowngrade:]: Loaded handler at "/Users/witchan/__handlers__/AMHTTPRequest/setLongLinkDowngrade_.js"
-[PDDAntManager titan:didChangeToConnectionStatus:longLinkInfo:]: Loaded handler at "/Users/witchan/__handlers__/PDDAntManager/titan_didChangeToConnectionStatu_745d0013.js"
-[PDDApiMetricsBaseInfo setIsLongLinkReceived:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsBaseInfo/setIsLongLinkReceived_.js"
-[PDDApiMetricsBaseInfo setLongLinkVip:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsBaseInfo/setLongLinkVip_.js"
-[PDDApiMetricsBaseInfo setLongLinkErrorCode:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsBaseInfo/setLongLinkErrorCode_.js"
-[PDDApiMetricsBaseInfo setLongLinkType:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsBaseInfo/setLongLinkType_.js"
-[PDDApiMetricsBaseInfo isLongLinkReceived]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsBaseInfo/isLongLinkReceived.js"
-[PDDApiMetricsBaseInfo longLinkVip]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsBaseInfo/longLinkVip.js"
-[PDDApiMetricsBaseInfo longLinkErrorCode]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsBaseInfo/longLinkErrorCode.js"
-[PDDApiMetricsBaseInfo longLinkType]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsBaseInfo/longLinkType.js"
-[PDDApiMetricsCostInfo setLongLinkSendCost:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsCostInfo/setLongLinkSendCost_.js"
-[PDDApiMetricsCostInfo setLongLinkRecvCost:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsCostInfo/setLongLinkRecvCost_.js"
-[PDDApiMetricsCostInfo setLongLinkServerCost:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsCostInfo/setLongLinkServerCost_.js"
-[PDDApiMetricsCostInfo longLinkSendCost]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsCostInfo/longLinkSendCost.js"
-[PDDApiMetricsCostInfo longLinkRecvCost]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsCostInfo/longLinkRecvCost.js"
-[PDDApiMetricsCostInfo setLongLinkNetworkCost:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsCostInfo/setLongLinkNetworkCost_.js"
-[PDDApiMetricsCostInfo longLinkServerCost]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsCostInfo/longLinkServerCost.js"
-[PDDApiMetricsCostInfo longLinkNetworkCost]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsCostInfo/longLinkNetworkCost.js"
-[PDDApiMetricsExtraInfo setLongLinkReportCode:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/setLongLinkReportCode_.js"
-[PDDApiMetricsExtraInfo setLongLinkStatusCode:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/setLongLinkStatusCode_.js"
-[PDDApiMetricsExtraInfo setLongLinkTaskId:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/setLongLinkTaskId_.js"
-[PDDApiMetricsExtraInfo setLongLinkSendSize:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/setLongLinkSendSize_.js"
-[PDDApiMetricsExtraInfo setLonglinkReceiveSize:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/setLonglinkReceiveSize_.js"
-[PDDApiMetricsExtraInfo setLongLinkForeground:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/setLongLinkForeground_.js"
-[PDDApiMetricsExtraInfo setLongLinkUrl:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/setLongLinkUrl_.js"
-[PDDApiMetricsExtraInfo longLinkReportCode]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/longLinkReportCode.js"
-[PDDApiMetricsExtraInfo longLinkStatusCode]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/longLinkStatusCode.js"
-[PDDApiMetricsExtraInfo isLongLinkForeground]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/isLongLinkForeground.js"
-[PDDApiMetricsExtraInfo longLinkSendSize]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/longLinkSendSize.js"
-[PDDApiMetricsExtraInfo longlinkReceiveSize]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/longlinkReceiveSize.js"
-[PDDApiMetricsExtraInfo longLinkTaskId]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/longLinkTaskId.js"
-[PDDApiMetricsExtraInfo longLinkUrl]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/longLinkUrl.js"
-[PDDApiWaitLonglinkConfig isWaitLonglink:method:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiWaitLonglinkConfig/isWaitLonglink_method_.js"
-[AMTitan updateLongLinkHostWhiteList:]: Loaded handler at "/Users/witchan/__handlers__/AMTitan/updateLongLinkHostWhiteList_.js"
-[AMTitan updateLongLinkUriBlackList:]: Loaded handler at "/Users/witchan/__handlers__/AMTitan/updateLongLinkUriBlackList_.js"
-[AMTitan isLongLinkConnected]: Loaded handler at "/Users/witchan/__handlers__/AMTitan/isLongLinkConnected.js"
-[AMTitan makesureLongLinkConnect:]: Loaded handler at "/Users/witchan/__handlers__/AMTitan/makesureLongLinkConnect_.js"
-[AMTitan reportStatusChange:longLinkInfo:]: Loaded handler at "/Users/witchan/__handlers__/AMTitan/reportStatusChange_longLinkInfo_.js"
-[AMTitan onConnectStatusChange:longLinkStatus:longLinkInfo:]: Loaded handler at "/Users/witchan/__handlers__/AMTitan/onConnectStatusChange_longLinkSt_c4a1163e.js"
-[AMTitanBaseRequest setWaitLonglink:]: Loaded handler at "/Users/witchan/__handlers__/AMTitanBaseRequest/setWaitLonglink_.js"
-[AMTitanBaseRequest waitLonglink]: Loaded handler at "/Users/witchan/__handlers__/AMTitanBaseRequest/waitLonglink.js"
-[AMTitanStnCallback reportConnectStatus:longLinkStatus:longLinkInfo:]: Loaded handler at "/Users/witchan/__handlers__/AMTitanStnCallback/reportConnectStatus_longLinkStat_1d404d83.js"
-[AMTitanTask setWaitLonglink:]: Loaded handler at "/Users/witchan/__handlers__/AMTitanTask/setWaitLonglink_.js"
-[AMTitanTask waitLonglink]: Loaded handler at "/Users/witchan/__handlers__/AMTitanTask/waitLonglink.js"
+[AMTitanTransferUtil transferToLongLinkInfo:]: Loaded handler at "/Users/witchan/__handlers__/AMTitanTransferUtil/transferToLongLinkInfo_.js"
经过一层层筛查打印以上方法的入参和返回值,当修改到[AMTitan updateLongLinkHostWhiteList:]方法时,输出的日志参数,引起了我们的注意,updateLongLinkHostWhiteList_.js代码如下:
{onEnter(log, args, state) {log(`-[AMTitan updateLongLinkHostWhiteList:${new ObjC.Object(args[2])}]`);},onLeave(log, retval, state) {log(`-[AMTitan updateLongLinkHostWhiteList:]=${new ObjC.Object(retval)}=`);}
}
日志输出如下:
-[AMTitan updateLongLinkHostWhiteList:("apiv2.yangkeduo.com","apiv3.yangkeduo.com","apiv4.yangkeduo.com","apiv2.hutaojie.com","meta.yangkeduo.com","api.pinduoduo.com","api.yangkeduo.com","apiv5.yangkeduo.com","mobile.yangkeduo.com","meta.pinduoduo.com","m.pinduoduo.net","api-cj.pinduoduo.com","api-isp.pinduoduo.com","risk-data-clean-api.risk.ft.srv.pdd.net"
)]
-[AMTitan updateLongLinkHostWhiteList:]=("apiv2.yangkeduo.com","apiv3.yangkeduo.com","apiv4.yangkeduo.com","apiv2.hutaojie.com","meta.yangkeduo.com","api.pinduoduo.com","api.yangkeduo.com","apiv5.yangkeduo.com","mobile.yangkeduo.com","meta.pinduoduo.com","m.pinduoduo.net","api-cj.pinduoduo.com","api-isp.pinduoduo.com","risk-data-clean-api.risk.ft.srv.pdd.net"
)=
发现关键信息api*.yangkeduo.com,根据方法updateLongLinkHostWhiteList,发现这极有可能是LongLink的接口列表。修改刚刚的js代码为:
{onEnter(log, args, state) {args[2] = ObjC.classes.NSMutableArray.array(); // 修改入参为空数组log(`-[AMTitan updateLongLinkHostWhiteList:${new ObjC.Object(args[2])}]`);},onLeave(log, retval, state) {log(`-[AMTitan updateLongLinkHostWhiteList:]=${new ObjC.Object(retval)}=`);}
}
这时,抓包正常工作,结果如下:
image-20220718193500317
End
阅读此文档的过程中遇到任何问题,请关注公众号【移动端Android和iOS开发技术分享】或加QQ群【309580013】
iOS逆向之某多多App抓包相关推荐
- 拼多多app抓包之代码实现
拼多多app抓包之代码实现 使用charles抓包 操作app后发现,刚打开app时可以抓到零散的数据包,后续的操作无法正常抓包 分析客户端代码 通过jeb打开apk分析获知,核心通信包位于 com. ...
- 使用BurpSuite对IOS客户端app抓包方法
使用BurpSuite对IOS客户端app抓包方法 BurpSuite代理环境设置 设备 BurpSuite设置 打开BurpSuite>proxy>options 导出CA证书 传送文件 ...
- Fiddler Everywhere App抓包-iOS/iPadOS
Fiddler Everywhere App抓包-iOS/iPadOS Fiddler Everywhere来抓取iOS/iPadOS中APP的数据包, Fiddler Everywhere所在的电脑 ...
- 文章向大家介绍安卓逆向,解决app抓包抓不到的问题,主要包括安卓逆向,解决app抓包抓不到的问题使用实例、应用技巧
本文章向大家介绍安卓逆向,解决app抓包抓不到的问题,主要包括安卓逆向,解决app抓包抓不到的问题使用实例.应用技巧.基本知识点总结和需要注意事项,具有一定的参考价值,需要的朋友可以参考一下. 有时候 ...
- 基于Inspeckage的安卓APP抓包逆向分析——以步道乐跑APP为例
引言:本人最近稍微弄懂了inspeckage的用法,特在此以步道乐跑APP为例,较详细记录地记录APP抓包与简单的逆向分析过程,用于备忘与共同学习!另外,温馨提醒,本文图片较多,建议连接WiFi阅读! ...
- 安卓逆向——某宝APP抓包之环境对比 (一)
某宝APP抓包之环境对比 (一) 环境一: Android 10 (lineage OS系统) magisk 22.1 (目前最新) edxposed(直接在magisk里面下载) 9.1.0 版本A ...
- Android逆向入门1——引言与抓包
一个人要走多少路 才能称的上是一个男人 一个Python程序员要绕多少弯 才能找到Android逆向的路 废话不多说,Talk is cheap. 本教程食用指南 主要面向Python爬虫工程师 An ...
- 如何进行APP抓包 ? - 学习/实践
1.应用场景 主要用于 对APP进行抓包获取详细的接口信息,这是现在开发必备的. 2.学习/操作 1. 环境 Windows 10 64 位 专业版 或者 Mac pro 需求:对公司APP进行抓包获 ...
- 使用BurpSuite进行APP抓包如何绕过代理检测
文章目录 使用BurpSuite进行APP抓包如何绕过代理检测 场景描述 如果绕过呢? 总结与思考 使用BurpSuite进行APP抓包如何绕过代理检测 场景描述 最近接手到一个项目,对某客户的ios ...
最新文章
- 小程序内容审核违规过滤,在小程序使用security.msgSecCheck
- iOS 11 安全区域适配总结
- 实现首字母或拼音检索-sql语句方式
- 使用ASP生成HTML文件
- bios免电池补丁_补丁和权限 处理器漏洞多大这样看
- SQL Server 2008 R2 Developer Edition图文安装教程
- Redis 阶段总结
- TCL微型计算机如何投屏,TCL电视怎么投屏?3个办法帮助你完美解决
- ggplot2 | 使用小提琴图+箱形图+抖动图展示数据分布情况
- 实时搜索专家Krzana正式进军金融大数据市场
- 我想批量删除专题内最古老的100篇文章
- LINUX编译Android ffmpeg
- HTML制作简单个人简介页面
- 2022年湖北工业大学招生简章之高起专、专升本非全日制学历提升
- 华为手机usb调试打开后自动关闭怎么办?华为手机 usb调试为什么自动关闭?usb调试老是自动关闭怎么回事?...
- python和c 情侣网名_简单情侣网名的介绍
- DSP C6657 image_processing_evmc6657l网页加载图片示例
- java后台生成echarts图表
- Kbuild语法解析
- github国内加速器