In my spare time I looked into the request-signing logic of a certain "Bao" app (某宝), covering two representative versions, 8.8 and 9.1.
First, a word on traffic capture. The app's networking is built on a Spdy-based socket protocol, but it can be switched off through a configuration setting so that requests fall back to plain HTTP, at which point a man-in-the-middle proxy can capture them. I won't repeat the MITM proxy setup here, since there are plenty of tutorials online; if you have questions, add me on QQ and we can discuss and learn together.
The Frida hook is as follows:
// HTTP switch: disable Spdy so the app falls back to HTTP
Java.perform(function () {
    var SwitchConfig = Java.use('mtopsdk.mtop.global.SwitchConfig');
    var instance = SwitchConfig.getInstance();
    var enableSpdy = false;
    instance.setGlobalSpdySslSwitchOpen(enableSpdy);
    instance.setGlobalSpdySwitchOpen(enableSpdy);
    // Log the original return value, then force the Spdy switch off
    SwitchConfig.isGlobalSpdySwitchOpen.overload().implementation = function () {
        var ret = this.isGlobalSpdySwitchOpen.apply(this, arguments);
        console.log("isGlobalSpdySwitchOpen " + ret);
        return false;
    };
    SwitchConfig.isGlobalSpdySslSwitchOpen.overload().implementation = function () {
        var ret = this.isGlobalSpdySslSwitchOpen.apply(this, arguments);
        console.log("\n isGlobalSpdySslSwitchOpen " + ret);
        return true;
    };
});
Testing the item-detail endpoint:
# -*- coding:utf-8 -*-
import requests

proxyMeta = "http://xxxx"  # proxy IP
proxies = {
    "http": proxyMeta,
    "https": proxyMeta,
}
test_url = "http://xxxxxx?item_id="  # test link for discussion/learning; contact the author


def get_tb_item_detail(item_id: int):
    api_url = f"{test_url}{item_id}"
    # The test endpoint returns the signed request URL and headers for this item
    tb_detail_request_params = requests.get(api_url, timeout=3).json()
    request_url = tb_detail_request_params["data"]["url"]
    request_headers = tb_detail_request_params["data"]["headers"]
    resp = requests.get(request_url, headers=request_headers,
                        # proxies=proxies,
                        timeout=3)
    return resp


test_id = 638663377529
result = get_tb_item_detail(test_id)
print(result.status_code, result.json())
The result is as follows: