Get important information about apps on the perimeter

NET grab, this kind of terminology, you should have heard a lot.

Regardless of how it is expressed, the essence is to analyze the network interaction when the packet, in order to obtain the desired information.

We may encounter this scenario: "How is this app implemented?" Does it send a network request with a time limit? "," What is the network address for this resource, or should I take token? Can I simulate sending? ” ...

When researching an application, analyzing network packets is often the first tool.

This article addresses a problem: Analyzing important information by grabbing a packet.

Little white: What is a grab bag?

Small range: is to intercept packets sent and received on the network.

White: So many packets on the network, how do you know which ones are useful?

Small range: Only the packets that intercept the target app are narrowed down, but even if the scope is narrowed, further analysis and troubleshooting is required.

Small white: In the garbage heap to find the action time and location of the bad guys? This is the bridge section of the Apostle 2, have you ever seen it?

Xiao Cheng: I'm talking about grabbing a bag! Not the garbage heap! Not the Apostle!

Small white: You catch, you catch, do not seize the urgent ...

There are many tools for grasping the package, which are suitable for use on different platforms.

Only Charles 's use is described here.

Little white: What kind of grab bag tools do you have?

Small range: such as Wireshark, Tcpdump, Tcpflow, Charles, fiddler, Sniffer and so on.

Xiao Bai: Why only introduce Charles, is not the other bad use it?

Xiao Bai: Not the other bad use, I only say one thing at a time!

Little white: you ...

Charles, a tool for intercepting network packets on a Mac.

Official website:

(1) Decoding Charles

Use the cracked Charles.jar to overwrite the Contents/java directory within the package (for example, version 4.0.1).

(2) using Charles

After Charles runs, you can see the packets that were intercepted.

Charles's view is divided by structure and in order (chronologically), which can be filtered in order.

Two views can select a specific URL, and then select Focus, so that the focus on the URL of the relevant request and response, will not jump to jump.

On Mac, catch the HTTPS packet and need to install the SSL certificate:

help->ssl proxying ->install charles root cer..，同时要在keychain中信息这个证书（简介->信任->ssl设置为始终信任）。

For HTTPS packets, after you determine the URL, you can decrypt the HTTPS package by right-clicking to select Enable SSL proxying.

You can right-click to select breakpoints, which will monitor the related behavior of the URL and the next breakpoint (can modify the sending request, etc.), when sending a request, when receiving a reply, receiving response body, will trigger a breakpoint. After a breakpoint is triggered, you can perform actions such as cancel (that is, let it continue), Abort, execute, and so on, such as the value of the request can be modified before executing "execute".

(3) Demo: Get the historical version of AppStore app

Some of the apps used on the iphone are not as good as the older version.

Although AppStore will hide the old version of the download link, the inventory is still there.

How can I get information about all the historical versions of an app via Itunus and download it to a historical version?

The operation is as follows:

打开charles，再打开itunes并搜索到目标app，再下载这个app，会观察到https://p23-buy.itunes.apple.com 是目标url，focus这个url。对这个url选择enable ssl proxying，退出charles。启动charles，删除掉itunes上已下载的目标aap，刷新并重新下载。这时，在目标url下面的buyProduct页面的contents的response部分，会显示一个array，是一堆id串，这个就是不同版本的下载id（用xml text来查看，可拷贝）。再次删除已下载的app，并对目标url加上breakpoints，再次下载app。在发送request时会触发断点，选择edit request页面并选择xml text查看模式，把下载id替换成目标下载id，之后不断点击execute或取消掉断点再执行。这时，itunes会下载到目标版本的app，之后可以找到对应的ipa，并同步到手机。

Take "" As an example, the approximate steps are this:

(a) When downloading, focus target URL on Charles and activating SSL:

(b) Delete the downloaded, start Charles, re-download, pay attention to the content below the target URL:

(c) Delete the downloaded, add breakpoints to the destination URL, download again, modify the request, and then execute:

(d) Download to the oldest version:

(4) Demo: Crawl The details of the QQ music singers

The operation is as follows:

charles，proxy->proxy setting，port使用8888，勾选enalbe transperent http proxying，开启代理。help->local ip address，查看charles代理的ip地址。手机，如iphone，wifi信息->http代理，填写服务器(charles的代理ip)与端口(8888)。手机会连接上charles，允许它连接。对于https协议，手机上需求安装ssl的证书：在safari上输入http://charlesproxy.com/getssl，跳转安装证书。锁定目标url，即可拿到数据。比如，对于iphone上的qq音乐的歌手详情，目标url是https://u.y.qq.com，focus它，右键打开ssl proxy，就可以拿到详情信息。

The approximate demo is this:

(a) Charles opens the agent:

(b) After the mobile phone is connected to the agent, https://u.y.qq.com special processing, you can see the singer information:

(5) Demo: Get the song download link for "Vibrato short video"

Little white: I know! This chattering short video is fun, and all the songs are just the chorus part. Is it possible to use the download link? Is the song encrypted?

Small range: Can be used, the song at least now is not encrypted.

Vibrato, there are about 50 tens of thousands of songs.

You can get the song list information by searching the interface or classifying the song interface. The song list information is in JSON format, including the following information:

"play_url": {    "url_list": [        "http://p3.pstatp.com/obj/29c90000eb8b5ca6fff2"    ],     

Url_list is the song download link. In addition to this, you can find the singer's name, song name and so on.

Little white: Why not tell me more about the request link?

Small trip: Because the demo is just for learning, it should not involve too much commercial content.

Little white: I'll go!

Get important information about apps on the perimeter