iOS 逆向之某多多 App 抓包

作者：小陈

2022 年 8 月 04 日
本文字数：5754 字
阅读完需：约 19 分钟

阅读此文档的过程中遇到任何问题，请关注公众号【`移动端Android和iOS开发技术分享`】或加 QQ 群【`309580013`】

1.目标

由于某多多 App 现使用 longlink 进行数据传输，使用 charles 工具抓包只能抓到https://th.pinduoduo.com/t.gif链接。本文的目则是使用 charles 等抓包工具能正常抓包

2.操作环境

越狱 iPhone 一台
frida

3.流程

下载最新某多多 App。关键词longlink则是我们的切入点，在终端执行frida-trace -U -f com.xunmeng.pinduoduo -m "*[* *ong*ink*]" -M "*[UI* *]" -M "*[_* *]"命令后获取到关键信息列表：

+[AMTitanHelper makesureLongLinkConnect:]: Loaded handler at "/Users/witchan/__handlers__/AMTitanHelper/makesureLongLinkConnect_.js"-[AMTitanLongLinkInfoManager updateLongLinkStatusInfoWithHost:longLinkStatus:longLinkInfo:]: Loaded handler at "/Users/witchan/__handlers__/AMTitanLongLinkInfoManager/updateLongLinkStatusInfoWithHost_663278c1.js"-[AMTitanLongLinkInfoManager longLinkStatusInfoDic]: Loaded handler at "/Users/witchan/__handlers__/AMTitanLongLinkInfoManager/longLinkStatusInfoDic.js"-[AMTitanLongLinkInfoManager setLongLinkStatusInfoDic:]: Loaded handler at "/Users/witchan/__handlers__/AMTitanLongLinkInfoManager/setLongLinkStatusInfoDic_.js"-[PDDProbeRaceManager longLinkRaceResult:traceId:reportBlock:callback:]: Loaded handler at "/Users/witchan/__handlers__/PDDProbeRaceManager/longLinkRaceResult_traceId_repor_9af8c15b.js"-[AMTitanNetworkConfig setLonglinkHostConfig:]: Loaded handler at "/Users/witchan/__handlers__/AMTitanNetworkConfig/setLonglinkHostConfig_.js"-[AMTitanNetworkConfig longlinkHostConfig]: Loaded handler at "/Users/witchan/__handlers__/AMTitanNetworkConfig/longlinkHostConfig.js"+[PDDNetworkHybrid longLinkErrorCodeMap]: Loaded handler at "/Users/witchan/__handlers__/PDDNetworkHybrid/longLinkErrorCodeMap.js"-[PddRtc titan:didChangeToConnectionStatus:longLinkInfo:]: Loaded handler at "/Users/witchan/__handlers__/PddRtc/titan_didChangeToConnectionStatu_745d0013.js"-[PDDWebConfig htmlLongLinkWhiteListFromConfig]: Loaded handler at "/Users/witchan/__handlers__/PDDWebConfig/htmlLongLinkWhiteListFromConfig.js"-[PDDWebConfig setHtmlLongLinkWhiteList:]: Loaded handler at "/Users/witchan/__handlers__/PDDWebConfig/setHtmlLongLinkWhiteList_.js"-[PDDWebConfig htmlLongLinkWhiteList]: Loaded handler at "/Users/witchan/__handlers__/PDDWebConfig/htmlLongLinkWhiteList.js"-[PDDWebViewManager pdd_setProtocolLongLinkEnable:]: Loaded handler at "/Users/witchan/__handlers__/PDDWebViewManager/pdd_setProtocolLongLinkEnable_.js"-[PDDLiveRoomMicLinkManager registerLongLinkMsgCenter]: Loaded handler at "/Users/witchan/__handlers__/PDDLiveRoomMicLinkManager/registerLongLinkMsgCenter.js"+[PDDTitanNetworkConfig mainLongLinkBackupIps]: Loaded handler at "/Users/witchan/__handlers__/PDDTitanNetworkConfig/mainLongLinkBackupIps.js"+[PDDTitanNetworkConfig multicastLongLinkBackupIps]: Loaded handler at "/Users/witchan/__handlers__/PDDTitanNetworkConfig/multicastLongLinkBackupIps.js"-[AMNetworkInfoManager longLinkInfo]: Loaded handler at "/Users/witchan/__handlers__/AMNetworkInfoManager/longLinkInfo.js"-[AMNetworkInfoManager setLongLinkInfo:]: Loaded handler at "/Users/witchan/__handlers__/AMNetworkInfoManager/setLongLinkInfo_.js"+[AMNetworkInfo longLinkInfo]: Loaded handler at "/Users/witchan/__handlers__/AMNetworkInfo/longLinkInfo.js"+[AMNetworkInfo setLongLinkInfo:]: Loaded handler at "/Users/witchan/__handlers__/AMNetworkInfo/setLongLinkInfo_.js"-[AMHTTPRequest longLinkDowngrade]: Loaded handler at "/Users/witchan/__handlers__/AMHTTPRequest/longLinkDowngrade.js"-[AMHTTPRequest setLongLinkDowngrade:]: Loaded handler at "/Users/witchan/__handlers__/AMHTTPRequest/setLongLinkDowngrade_.js"-[PDDAntManager titan:didChangeToConnectionStatus:longLinkInfo:]: Loaded handler at "/Users/witchan/__handlers__/PDDAntManager/titan_didChangeToConnectionStatu_745d0013.js"-[PDDApiMetricsBaseInfo setIsLongLinkReceived:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsBaseInfo/setIsLongLinkReceived_.js"-[PDDApiMetricsBaseInfo setLongLinkVip:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsBaseInfo/setLongLinkVip_.js"-[PDDApiMetricsBaseInfo setLongLinkErrorCode:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsBaseInfo/setLongLinkErrorCode_.js"-[PDDApiMetricsBaseInfo setLongLinkType:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsBaseInfo/setLongLinkType_.js"-[PDDApiMetricsBaseInfo isLongLinkReceived]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsBaseInfo/isLongLinkReceived.js"-[PDDApiMetricsBaseInfo longLinkVip]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsBaseInfo/longLinkVip.js"-[PDDApiMetricsBaseInfo longLinkErrorCode]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsBaseInfo/longLinkErrorCode.js"-[PDDApiMetricsBaseInfo longLinkType]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsBaseInfo/longLinkType.js"-[PDDApiMetricsCostInfo setLongLinkSendCost:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsCostInfo/setLongLinkSendCost_.js"-[PDDApiMetricsCostInfo setLongLinkRecvCost:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsCostInfo/setLongLinkRecvCost_.js"-[PDDApiMetricsCostInfo setLongLinkServerCost:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsCostInfo/setLongLinkServerCost_.js"-[PDDApiMetricsCostInfo longLinkSendCost]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsCostInfo/longLinkSendCost.js"-[PDDApiMetricsCostInfo longLinkRecvCost]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsCostInfo/longLinkRecvCost.js"-[PDDApiMetricsCostInfo setLongLinkNetworkCost:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsCostInfo/setLongLinkNetworkCost_.js"-[PDDApiMetricsCostInfo longLinkServerCost]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsCostInfo/longLinkServerCost.js"-[PDDApiMetricsCostInfo longLinkNetworkCost]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsCostInfo/longLinkNetworkCost.js"-[PDDApiMetricsExtraInfo setLongLinkReportCode:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/setLongLinkReportCode_.js"-[PDDApiMetricsExtraInfo setLongLinkStatusCode:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/setLongLinkStatusCode_.js"-[PDDApiMetricsExtraInfo setLongLinkTaskId:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/setLongLinkTaskId_.js"-[PDDApiMetricsExtraInfo setLongLinkSendSize:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/setLongLinkSendSize_.js"-[PDDApiMetricsExtraInfo setLonglinkReceiveSize:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/setLonglinkReceiveSize_.js"-[PDDApiMetricsExtraInfo setLongLinkForeground:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/setLongLinkForeground_.js"-[PDDApiMetricsExtraInfo setLongLinkUrl:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/setLongLinkUrl_.js"-[PDDApiMetricsExtraInfo longLinkReportCode]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/longLinkReportCode.js"-[PDDApiMetricsExtraInfo longLinkStatusCode]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/longLinkStatusCode.js"-[PDDApiMetricsExtraInfo isLongLinkForeground]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/isLongLinkForeground.js"-[PDDApiMetricsExtraInfo longLinkSendSize]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/longLinkSendSize.js"-[PDDApiMetricsExtraInfo longlinkReceiveSize]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/longlinkReceiveSize.js"-[PDDApiMetricsExtraInfo longLinkTaskId]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/longLinkTaskId.js"-[PDDApiMetricsExtraInfo longLinkUrl]: Loaded handler at "/Users/witchan/__handlers__/PDDApiMetricsExtraInfo/longLinkUrl.js"-[PDDApiWaitLonglinkConfig isWaitLonglink:method:]: Loaded handler at "/Users/witchan/__handlers__/PDDApiWaitLonglinkConfig/isWaitLonglink_method_.js"-[AMTitan updateLongLinkHostWhiteList:]: Loaded handler at "/Users/witchan/__handlers__/AMTitan/updateLongLinkHostWhiteList_.js"-[AMTitan updateLongLinkUriBlackList:]: Loaded handler at "/Users/witchan/__handlers__/AMTitan/updateLongLinkUriBlackList_.js"-[AMTitan isLongLinkConnected]: Loaded handler at "/Users/witchan/__handlers__/AMTitan/isLongLinkConnected.js"-[AMTitan makesureLongLinkConnect:]: Loaded handler at "/Users/witchan/__handlers__/AMTitan/makesureLongLinkConnect_.js"-[AMTitan reportStatusChange:longLinkInfo:]: Loaded handler at "/Users/witchan/__handlers__/AMTitan/reportStatusChange_longLinkInfo_.js"-[AMTitan onConnectStatusChange:longLinkStatus:longLinkInfo:]: Loaded handler at "/Users/witchan/__handlers__/AMTitan/onConnectStatusChange_longLinkSt_c4a1163e.js"-[AMTitanBaseRequest setWaitLonglink:]: Loaded handler at "/Users/witchan/__handlers__/AMTitanBaseRequest/setWaitLonglink_.js"-[AMTitanBaseRequest waitLonglink]: Loaded handler at "/Users/witchan/__handlers__/AMTitanBaseRequest/waitLonglink.js"-[AMTitanStnCallback reportConnectStatus:longLinkStatus:longLinkInfo:]: Loaded handler at "/Users/witchan/__handlers__/AMTitanStnCallback/reportConnectStatus_longLinkStat_1d404d83.js"-[AMTitanTask setWaitLonglink:]: Loaded handler at "/Users/witchan/__handlers__/AMTitanTask/setWaitLonglink_.js"-[AMTitanTask waitLonglink]: Loaded handler at "/Users/witchan/__handlers__/AMTitanTask/waitLonglink.js"+[AMTitanTransferUtil transferToLongLinkInfo:]: Loaded handler at "/Users/witchan/__handlers__/AMTitanTransferUtil/transferToLongLinkInfo_.js"

复制代码

经过一层层筛查打印以上方法的入参和返回值，当修改到[AMTitan updateLongLinkHostWhiteList:]方法时，输出的日志参数，引起了我们的注意，updateLongLinkHostWhiteList_.js 代码如下：

{  onEnter(log, args, state) {    log(`-[AMTitan updateLongLinkHostWhiteList:${new ObjC.Object(args[2])}]`);  },  onLeave(log, retval, state) {    log(`-[AMTitan updateLongLinkHostWhiteList:]=${new ObjC.Object(retval)}=`);  }}

复制代码

日志输出如下：

-[AMTitan updateLongLinkHostWhiteList:(    "apiv2.yangkeduo.com",    "apiv3.yangkeduo.com",    "apiv4.yangkeduo.com",    "apiv2.hutaojie.com",    "meta.yangkeduo.com",    "api.pinduoduo.com",    "api.yangkeduo.com",    "apiv5.yangkeduo.com",    "mobile.yangkeduo.com",    "meta.pinduoduo.com",    "m.pinduoduo.net",    "api-cj.pinduoduo.com",    "api-isp.pinduoduo.com",    "risk-data-clean-api.risk.ft.srv.pdd.net")]-[AMTitan updateLongLinkHostWhiteList:]=(    "apiv2.yangkeduo.com",    "apiv3.yangkeduo.com",    "apiv4.yangkeduo.com",    "apiv2.hutaojie.com",    "meta.yangkeduo.com",    "api.pinduoduo.com",    "api.yangkeduo.com",    "apiv5.yangkeduo.com",    "mobile.yangkeduo.com",    "meta.pinduoduo.com",    "m.pinduoduo.net",    "api-cj.pinduoduo.com",    "api-isp.pinduoduo.com",    "risk-data-clean-api.risk.ft.srv.pdd.net")=

复制代码

发现关键信息 api*.yangkeduo.com，根据方法 updateLongLinkHostWhiteList，发现这极有可能是 LongLink 的接口列表。修改刚的 js 代码为：

{  onEnter(log, args, state) {    args[2] = ObjC.classes.NSMutableArray.array(); // 修改入参为空数组    log(`-[AMTitan updateLongLinkHostWhiteList:${new ObjC.Object(args[2])}]`);  },  onLeave(log, retval, state) {    log(`-[AMTitan updateLongLinkHostWhiteList:]=${new ObjC.Object(retval)}=`);  }}

复制代码

这时，抓包正常工作，结果如下：