A while ago I saw someone share how they captured 冲顶大会 traffic, but the post was deleted before I got to read it. I've been busy since and had no time to look into it, but I finally did over the past two days, so here it is.
The principle is to run a proxy, save the packets that match a known signature, and then search for the answers locally.
Test environment: Kali Linux
The proxy is mitmdump; its advantage is that you can write inline scripts in Python 3.
冲顶大会 pushes its questions over websocket, so the inline script only needs to write the websocket messages to a file.
# 冲顶大会
# mitmdump addon hook: called for every websocket message on a flow
def websocket_message(flow):
    try:
        # the newest message on this flow, decoded as UTF-8 text
        data = flow.messages[-1].content.decode('utf-8')
        # append it to the file that the search script tails
        with open('/tmp/raw_data.txt', 'a') as f:
            f.write(data + '\n')
    except Exception:
        pass  # ignore binary frames and other decode errors
Question format: 42["showQuestion",{"answerTime":10,"desc":"12. 茅盾一生中现已获得证实的笔名有多少个?","displayOrder":11,"liveId":161,"options":"["32","128","98"]","questionId":1881,"showTime":16910048815676,"status":0,"type":"showQuestion"}]
百万赢家 (from 花椒直播) pushes over https (or maybe http, I forget; either way it doesn't affect the capture).
# 百万赢家
# mitmdump addon hook: called for every HTTP(S) response
def response(flow):
    try:
        data = flow.response.content.decode('utf-8')
        # the question/answer responses are JSONP callbacks named Zepto<timestamp>(...)
        if 'Zepto' in data:
            print(data)
            with open('/tmp/raw_data.txt', 'a') as f:
                f.write(data + '\n')
    except Exception:
        pass  # ignore non-text bodies
So save the two hooks above into a single file, get_question.py, then start the proxy:
mitmdump -s get_question.py
Install the certificate on the phone beforehand (I used Android); it is in the default folder .mitmproxy/ and is named mitmproxy-ca-cert.cer.
Set the phone's proxy manually to the computer's IP address, e.g. 192.168.1.100, with the default port 8080.
Now you can start capturing.
The packets captured from 冲顶大会 are below; I removed some useless ones (they could be filtered out as well). 冲顶大会 pushes each question and answer only once:
42["showQuestion",{"answerTime":10,"desc":"1.我们把自己动手制作这个过程称为?","displayOrder":0,"liveId":159,"options":"[\"DIN\",\"DIY\",\"DIM\"]","questionId":1846,"showTime":16910033865640,"status":0,"type":"showQuestion"}]
42["totalLive",{"showTime":16910033870867,"count":530446}]
42["totalLive",{"showTime":16910033909864,"count":558373}]
42["showAnswer",{"answerTime":10,"correctOption":1,"desc":"1.我们把自己动手制作这个过程称为?","displayOrder":0,"liveId":159,"options":"[\"DIN\",\"DIY\",\"DIM\"]","questionId":1846,"showTime":16910033907129,"stats":[8650,388770,5037],"status":2,"type":"showAnswer"}]
The packets captured from 百万赢家 are below; they carry the Zepto marker. Unlike 冲顶大会, 百万赢家 keeps re-pushing the question and the answer over and over; the only difference between a question push and an answer push is show_answer:false versus show_answer:1:
# question
Zepto1516890772573({"errno":0,"errmsg":"操作成功","consume":0,"time":1516891076,"md5":"","data":{"callfreq":5,"key":"197908302","msg":{"answer":{"doing":{"counter":2506,"doing":{"answer":{"A":{"option":"A","value":"陪姐妹一起上厕所"},"B":{"option":"B","value":"姐妹合照只 P 自己"},"C":{"option":"C","value":"为姐妹出谋划策"}},"expire":1516891090,"from":{"avatar":"http://image.huajiao.com/3bf9d9cccf4c642d50d49c52e2b2c105.jpg","brand":"","location":"宇宙专业出题小组","nickname":"百万赢家-官方"},"groupid":620,"is_renew":1,"number":1,"show_answer":false,"shuffle":0,"team_period":"20313","title":"以下哪种行为被称为“塑料花姐妹情”?","type":0},"join_count":0,"version":"c3834e49c0f7f60700e5674420905c6d"},"liveid":"197908302","sync":"answer","version":2506}},"time":1516891076}})
# answer
Zepto1516890772592({"errno":0,"errmsg":"操作成功","consume":0,"time":1516891146,"md5":"","data":{"callfreq":5,"key":"197908302","msg":{"answer":{"doing":{"average":"1.07","counter":2507,"doing":{"answer":{"A":{"option":"A","value":"陪姐妹一起上厕所"},"B":{"option":"B","value":"姐妹合照只 P 自己"},"C":{"option":"C","value":"为姐妹出谋划策"}},"correct":"B","expire":1516891124,"from":{"avatar":"http://image.huajiao.com/3bf9d9cccf4c642d50d49c52e2b2c105.jpg","brand":"","location":"宇宙专业出题小组","nickname":"百万赢家-官方"},"groupid":620,"is_renew":1,"number":1,"show_answer":1,"shuffle":0,"team_period":"20313","title":"以下哪种行为被称为“塑料花姐妹情”?","type":0},"join_count":3917617,"record":{"A":74567,"B":3747207,"C":95103,"Z":740},"renew_count":306333,"version":"f74e008b74be3b1221035d64b4a1f030"},"liveid":"197908302","sync":"answer","version":2507}},"time":1516891146}})
Once the capture works, the rest is routine:
import json
import sys
import tailer  # pip install tailer; follows the file like `tail -f`

# `args` (argparse result with --brand) and `GetAnswer` are defined elsewhere in the repo
def main():
    brand_2_old = ''
    # follow /tmp/raw_data.txt as the proxy appends to it
    for raw in tailer.follow(open('/tmp/raw_data.txt', 'r')):
        if args.brand == 1:
            # 冲顶大会: one showQuestion push per question
            if 'showQuestion' in raw:
                game = GetAnswer(args.brand, raw)
                game.run()
        elif args.brand == 2:
            try:
                # 百万赢家: strip the JSONP wrapper Zepto<timestamp>( ... )
                raw = raw.split('(')[-1].split(')')[0]
                raw_json = json.loads(raw)
                raw_question = raw_json['data']['msg']['answer']['doing']['doing']['title']
                raw_question_showanswer = raw_json['data']['msg']['answer']['doing']['doing']['show_answer']
                # only search when this is a question push and we have not seen it yet
                if not raw_question_showanswer:
                    if raw_question != brand_2_old:
                        game = GetAnswer(args.brand, raw_json)
                        game.run()
                        brand_2_old = raw_question
            except Exception as e:
                continue
        else:
            print("python3 search_question -h")
            print("请查看帮助文档,目前仅支持两个 APP 的抓包获取题目。")
            sys.exit(1)
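As an added example, not code from the post or from the author's repo: a parser for the two message formats shown above, the socket.io-style 42[...] frames from 冲顶大会 and the JSONP Zepto<timestamp>(...) responses from 百万赢家, normalized into one record and classified as a question or an answer. The samples are constructed, and it assumes correctOption indexes the options from 0 (as the stats in the captured showAnswer suggest); unlike the split('(') trick above, it takes the outermost parentheses, so a parenthesis inside a value doesn't truncate the JSON.

```python
import json
import re

# Constructed samples of the two formats in the post (not real captures; 百万赢家 trimmed to needed fields).
SAMPLE_CDDH = ('42["showAnswer",{"correctOption":1,"desc":"1.我们把自己动手制作这个过程称为?",'
               '"options":"[\\"DIN\\",\\"DIY\\",\\"DIM\\"]","questionId":1846,"type":"showAnswer"}]')
SAMPLE_BWYJ = ('Zepto1516890772573({"errno":0,"data":{"msg":{"answer":{"doing":{"doing":{"answer":'
               '{"A":{"option":"A","value":"陪姐妹一起上厕所 (1)"},"B":{"option":"B","value":"姐妹合照只 P 自己"}},'
               '"show_answer":false,"title":"以下哪种行为被称为“塑料花姐妹情”?"}}}}}})')

# greedy match up to the last ')' so parentheses inside string values do not cut the JSON short
JSONP_RE = re.compile(r'^Zepto\d+\((.*)\)\s*$', re.S)

def parse_cddh(raw):
    """冲顶大会: socket.io event frame '42[event, payload]'."""
    event, payload = json.loads(raw[2:])
    if event not in ('showQuestion', 'showAnswer'):
        return None  # totalLive and similar events carry no question
    options = json.loads(payload['options'])  # a JSON array encoded as a string
    rec = {'app': 'cddh', 'kind': 'answer' if event == 'showAnswer' else 'question',
           'question': payload['desc'], 'options': options}
    if event == 'showAnswer':
        # assumption: correctOption indexes options from 0 (matches the stats in the captured sample)
        rec['correct'] = options[payload['correctOption']]
    return rec

def parse_bwyj(raw):
    """百万赢家: JSONP 'Zepto<timestamp>({...})' around the game state object."""
    m = JSONP_RE.match(raw.strip())
    if not m:
        return None
    doing = json.loads(m.group(1))['data']['msg']['answer']['doing']['doing']
    options = [doing['answer'][k]['value'] for k in sorted(doing['answer'])]
    # show_answer is false for a question push and 1 once the answer is revealed
    rec = {'app': 'bwyj', 'kind': 'answer' if doing['show_answer'] else 'question',
           'question': doing['title'], 'options': options}
    if doing['show_answer']:
        rec['correct'] = doing['answer'][doing['correct']]['value']
    return rec

def parse_line(raw):
    # dispatch on the format marker; None for lines that carry no question
    return parse_cddh(raw) if raw.startswith('42[') else parse_bwyj(raw)

def new_questions(lines):
    """Yield each question once; 百万赢家 repeats the same push many times."""
    seen = set()
    for rec in map(parse_line, lines):
        if rec and rec['kind'] == 'question' and rec['question'] not in seen:
            seen.add(rec['question'])
            yield rec
```

Feeding the tailed /tmp/raw_data.txt lines through new_questions() gives the same dedup the main() loop does by hand, for both apps at once.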
I tested 冲顶大会 yesterday; the result is in the screenshot:
I just tested 百万赢家; the result is in the screenshot:
The full code is on my GitHub: 抓包获取冲顶大会 /百万赢家题目并搜索答案 ( https://github.com/vanpersiexp/chongding )
I wrote this purely for fun; I have no plans to make money from the quizzes, because the hosts talk far too much and it wastes time.
Mainly, almost everything I see on GitHub is based on image recognition, so take this as an alternative approach.
I also hope the vendors see this and improve things.
Capturing directly is not as magical as the "10 seconds ahead" people talked about; maybe my program is just slow, but it is still a tiny bit faster than the question appearing in the app.
In the 5 o'clock round of 冲顶大会 just now, the websocket packet I captured looked like this.
1  7654  2018-01-26 12:44:38 +08:00
...
2  vanpersiexp OP
I just tested 冲顶大会 again: it shows the question and answer roughly two to three seconds before the app does.
3  chenyoufu123  2018-01-26 16:34:41 +08:00
When it first came out I tested it on a Mac with Charles and didn't see any question text; was I doing it wrong?
4  ctsed  2018-01-26 16:40:41 +08:00 via Android
@vanpersiexp By the time the answer is shown, the answering window has already passed, hasn't it?
5  vanpersiexp OP
@ctsed By "shows the answer" I mean the answer from the search results :P
6  vanpersiexp OP
@chenyoufu123 I first captured it with BurpSuite; 冲顶大会 uses websocket packets, and the ones with a data length of around 250 are the questions and answers.
7  qnxu  2018-01-26 17:22:47 +08:00
Impressive.
8  pheyer  2018-01-26 17:54:42 +08:00
@vanpersiexp I looked around, and it seems BurpSuite doesn't handle websocket packets well; there are plugins, but the plugins don't seem to support websocket either.
9  vanpersiexp OP
@pheyer I looked at it in Burp first as well, and I couldn't work out how to export the websocket packets from Burp, but mitmdump can capture the websocket messages you want with an inline script, so I used mitmdump.
10  ahjsrhj  2018-01-27 09:42:07 +08:00
A while ago I unpacked the Android version of 冲顶大会 and read the code: the addresses and so on are stored in plaintext in SP, and the socket endpoint does no authentication; just read the URL and open your own socket connection to it and you get the questions. The security felt very low.
11  nonoezone  2018-01-29 12:04:39 +08:00
Has OP tried 西瓜视频? 西瓜's seems hard to deal with.
12  vanpersiexp OP
@nonoezone Here's an idea: download the 简单搜索 app and search for dan 哥答题 inside it; you can capture its packets. I tried on Saturday: it picks up every quiz app, and dan 哥答题's accuracy is decent, so if you capture dan 哥's questions and then use selenium to open the Baidu results page and compare against dan 哥's answer, the accuracy is higher still. And dan 哥's questions also appear 2-3 s earlier than normal.
I tried it Saturday night and cleared five rounds in total: 冲顶 once, 西瓜 twice, 好看视频 twice, haha. The downside is that you need two phones: one running 简单搜索 for capturing, the other for answering.
13  cjy9492  2018-01-29 17:27:28 +08:00
@vanpersiexp Could you share the protocol format of 蛋哥答题? I have captured several times but never caught the dan 哥答题 packets.
14  vanpersiexp OP
@cjy9492 蛋哥's format is shown below; if the certificate is set up correctly, capturing it is not hard, just process it into JSON. The main distinction is the value of step.
41:42/nv/huajiao/answer,["greet","欢迎使用简单答题"]258:42/nv/huajiao/answer,["answer",{"app":"huajiao","question":{"text":"氨基酸态氮是哪种调味主要成分,也决定了品质的好坏?","url":"","questionId":10},"answers":[{"text":"料酒","url":"","prop":0},{"text":"酱油","url":"","prop":0},{"text":"蚝油","url":"","prop":0}],"sn":10,"step":0,"status":0}] 283:42/nv/huajiao/answer,["answer",{"app":"huajiao","question":{"text":"氨基酸态氮是哪种调味主要成分,也决定了品质的好坏?","url":"","questionId":10},"answers":[{"text":"料酒","url":"","prop":7},{"text":"酱油","url":"","prop":85},{"text":"蚝油","url":"","prop":7}],"sn":10,"tips":"我在思考,答案 B 好像有可能?","step":1,"status":0}] 289:42/nv/huajiao/answer,["answer",{"app":"huajiao","question":{"text":"氨基酸态氮是哪种调味主要成分,也决定了品质的好坏?","url":"","questionId":10},"answers":[{"text":"料酒","url":"","prop":7},{"text":"酱油","url":"","prop":85},{"text":"蚝油","url":"","prop":7}],"sn":10,"tips":"我选 B 吧,应该没错","step":2,"status":0,"result":1}] 41:42/nv/huajiao/answer,["greet","欢迎使用简单答题"]289:42/nv/huajiao/answer,["answer",{"app":"huajiao","question":{"text":"氨基酸态氮是哪种调味主要成分,也决定了品质的好坏?","url":"","questionId":10},"answers":[{"text":"料酒","url":"","prop":7},{"text":"酱油","url":"","prop":85},{"text":"蚝油","url":"","prop":7}],"sn":10,"tips":"我选 B 吧,应该没错","step":2,"status":0,"result":1}] 308:42/nv/huajiao/answer,["answer",{"app":"huajiao","question":{"text":"氨基酸态氮是哪种调味主要成分,也决定了品质的好坏?","url":"","questionId":10},"answers":[{"text":"料酒","url":"","prop":7},{"text":"酱油","url":"","prop":85},{"text":"蚝油","url":"","prop":7}],"sn":10,"tips":"聪明且帅气的我,答对啦!","step":3,"status":0,"result":1,"final_index":1}]
15  nonoezone  2018-01-30 12:18:49 +08:00
@vanpersiexp Good idea, I'll try it when I have time, but dan 哥 seems to have problems at times; it occasionally glitches and can't even recognize the question, would that cause problems for the capture? Also 西瓜视频 now has personalized questions, doesn't it? The two phones might get different questions.
16  vanpersiexp OP
@nonoezone Right, 西瓜 does have personalized questions; nothing to be done about that. For dan 哥's packets you need to capture several times; the format changes often but still follows a pattern, then process it into JSON. It fails occasionally, but overall it is fairly stable.
17  joanwe  2018-02-05 15:06:37 +08:00
@vanpersiexp Could I ask whether Charles can capture the dan 哥 packets on iOS? I tried and only captured index.html.
18  vanpersiexp OP
@joanwe I haven't tested dan 哥 on iPhone; dan 哥 has now switched to websocket packets too, so it probably can't be captured either.