Background

Charles packet capture was introduced in an earlier article. Its main purpose is to quickly locate interface display bugs or abnormal interface data during development, so that most problems can be solved before release.

But…

But have you ever run into scenarios like these?

  • A bug appears in the released App, but you may not be in the office at the time (so Charles cannot help), and you need to locate the problem immediately. Is it a data problem? An interface problem? My code hasn’t been touched! The test environment is obviously fine, and most users are fine too.
  • With Charles Map Remote or Rewrite, we can flexibly switch an App between the test environment and the production environment, but there is one prerequisite: a computer 💻. What if there is no computer?

The above is only for developers; let’s see whether you have needs like these too!

  • Some apps have ads so aggressive that they really hurt the experience (even though adding ads is reasonable). Is there a way to remove the ads from some apps?
  • And doesn’t a free VIP sound good?

Introduction of HTTP Catcher

With the background covered, today’s protagonist takes the stage.

HTTP Catcher is a Web debugging tool that can intercept, view, modify, and replay HTTP/HTTPS requests from iOS systems.

You don’t need to connect to a computer. HTTP Catcher logs HTTP traffic in the background over Wi-Fi and cellular networks. HTTP Catcher makes it very easy to test your apps and websites by viewing their requests and responses directly.

HTTP Catcher creates a VPN configuration. When you enable packet capture, HTTP Catcher launches a local HTTP proxy in the VPN process. All HTTP traffic is forwarded to the local proxy through the VPN.

Features

  • Decrypt HTTPS
  • Modify requests and responses in real time
  • Replay requests
  • Block requests
  • Domain filtering
  • DNS modification

You probably have a basic understanding of HTTP Catcher by now, but this is only a basic introduction.

Installation & Configuration

  1. Download HTTP Catcher from the App Store.

  2. Install the certificate, because we need to capture HTTPS requests.

    As shown above, tap Decrypt HTTPS Traffic – Install Certificate – Download Certificate, then in Settings install the certificate from the downloaded profile.

  3. Trust the certificate

Next we need to trust this certificate in iOS:

Settings – General – About – Certificate Trust Settings – enable HTTP Catcher CA

HTTP Catcher interface overview

The main menu

Number | Meaning
0️⃣ | Packets captured by HTTP Catcher appear in this tab
1️⃣ | Starts listening for requests; the previous history is cleared before listening begins
2️⃣ | Jumps to the toolbar, which contains the filter, proxy, DNS hijacking, rewrite and blacklist
4️⃣ | Request list
5️⃣ | Whether monitored requests are displayed by request time or aggregated by domain name
6️⃣ | Filters the results: show only JSON, images, media, WebSocket or HTML
7️⃣ | History of captured packets; tap the upper right corner to delete

Decrypt HTTPS traffic switch

If this switch is not enabled, only HTTP traffic is listened to by default.

However, during development and testing we usually use HTTP, and HTTPS only once we enter the production environment, so there is no need to turn this switch on in the development environment.

The filter

The filter restricts capture to a specified domain name. If no domain is set, there will be a lot of request packets from other apps once the proxy is enabled, which makes the data harder to read.

In addition, iOS does not trust user-installed certificates for its own services, so iCloud, the App Store and iTunes cannot be used while capture is running. To avoid affecting these services, we can exclude Apple’s domain names.

DNS hijacking

Suppose the production domain of the App we are developing is api.i.server.com, and we want to switch this App to the test environment.

Then we need to map api.i.server.com to api.t.server.com, so that the App becomes the test-environment App.

DNS hijacking is designed to do exactly that.

The blacklist

Requests to addresses on the blacklist are not sent.

As for the application scenario, I haven’t quite figured it out yet.

Rewrite

This is basically HTTP Catcher’s most powerful feature, the equivalent of Charles’s Rewrite function.

Its main effect is that you can modify anything in the request and response phases of a single HTTP request.

The modification rules are:

  • Add header
  • Modify header
  • Delete header
  • Path
  • URL
  • Add query parameter
  • Modify query parameter
  • Delete query parameter
  • Add form parameter
  • Modify form parameter
  • Delete form parameter
  • Modify body

WiFi access

In practice

Removing ads

One day I wanted to download a Dou Figure app, so I searched the App Store and downloaded Dou Figure Expression. Here is the experience.

  • Open the App and a 5-second advertisement pops up.

  • Less than 2 seconds after opening the App, it pops up an App Store rating prompt, which is…

  • After browsing for 20 seconds, a 28-second advertisement pops up directly. It cannot be closed at first; you have to wait 5 seconds before it can be closed.

This is the point I want to make. Dude, the greed is so… (it kind of makes me sick, hahaha)

I was pushed to the limit, so I had to resort to technology.

Since the App needs to load ads when it starts, whatever the opening page shows must be returned by the server. So we need to capture the interface calls made when the App starts.

At this point, open Charles, configure the proxy on the phone, and we are ready to capture. Then analyze the startup interfaces.

From the figure above, by observing the interfaces requested right after the App starts, the software’s domain can be located as adesk.com. The next step is to analyze the interfaces.

After expanding all the requests, the Config interface highlighted in blue at the top stands out as 💩💩💩💩.

Open it and have a look:

{
	"code": 0,
	"msg": null,
	"res": {
		"app_rate": {
			"enable_rate": true,
			"tyle_custom": true,
			"main_title": "Give us some advice!",
			"sub_title": "Thank you very much for using our products, we value your comments and opinions very much, if you like our products, please give us a good comment!",
			"confirm_text": "Think well of it.",
			"cancel_text": "Let me think about it.",
			"targeturl": "https://apps.apple.com/cn/app/id1155901497",
			"rate_interval": 2,
			"rate_limit_time": 2
		},
		"app_update": { ... },
		"app_configuration": { ... },
		"other_data": { ... },
		"app_advertising": { ... }
	}
}

Boy, so this is what makes me rate the App as soon as I enter it.

Looking at the app_advertising field below, this is clearly the App’s advertising configuration.

Now that the interface has been found, we can sound the horn of attack.

So far we have identified an advertising-like interface through interface analysis, but we still need to verify our assumption. It is recommended to use Charles Map Local on the computer and directly modify a text file to be served. We then change the corresponding app_advertising field to an empty object to quickly test the idea.

{
	"code": 0,
	"msg": null,
	"res": {
		"app_rate": {
			"enable_rate": true,
			"tyle_custom": true,
			"main_title": "Give us some advice!",
			"sub_title": "Thank you very much for using our products, we value your comments and opinions very much, if you like our products, please give us a good comment!",
			"confirm_text": "Think well of it.",
			"cancel_text": "Let me think about it.",
			"targeturl": "https://apps.apple.com/cn/app/id1155901497",
			"rate_interval": 2,
			"rate_limit_time": 2
		},
		"app_update": { ... },
		"app_configuration": { ... },
		"other_data": { ... },
		"app_advertising": {}
	}
}

We change the app_advertising field in the corresponding response to an empty object, save it as “ad.json”, and manually map this interface’s response to ad.json, so that the interface finally returns the contents of the ad.json file.

After setting this up in Charles, there are no advertisements in the App, which is really smooth.

We have just achieved ad filtering through Charles on the computer. But in fact, most of the time when we use our phones we are not near a computer, and we may not even be connected to the same WiFi.

This is where HTTP Catcher comes in handy. Our main task is to implement on the phone what Charles did on the computer.

Enable HTTP Catcher packet monitoring on the phone, open the software, wait patiently until the advertisement has loaded, then go back into HTTP Catcher.

As shown above, select new-kv.adesk.com, swipe left on the Config interface and choose More.

From the pop-up menu select New Rewrite, choose Edit in Text Editor, and paste the following to replace the contents of the text box.

{
  "rules": [{
    "action": "body",
    "matchField": "",
    "field": "",
    "value": "\"app_advertising1\":{},\"test\"",
    "matchValue": "\"app_advertising\"",
    "destiontion": "response",
    "isRegex": false
  }],
  "enabled": true,
  "name": "Go advertising.",
  "description": "",
  "locations": [{
    "method": "GET",
    "scheme": "https",
    "enabled": true,
    "port": 443,
    "query": "appver=2.9.7&os=ios&packagename=com.emojifair.emoji",
    "host": "new-kv.adesk.com",
    "path": "\/v1\/config"
  }]
}
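To see concretely what this rule (and the body-rewrite item in the rule list earlier) does to the Config response, here is an added Python model of the rewrite step; it is my own code, not HTTP Catcher’s. The matching semantics (every occurrence of matchValue in the body is replaced by value, literally or as a regular expression) are an assumption, and the response body is a constructed stand-in for the Config interface quoted above.

```python
import json
import re

# The rewrite rule shown above with its JSON punctuation repaired (query left empty; unused here).
RULE = json.loads(r'''
{
  "rules": [{"action": "body", "matchField": "", "field": "",
             "value": "\"app_advertising1\":{},\"test\"",
             "matchValue": "\"app_advertising\"",
             "destiontion": "response", "isRegex": false}],
  "enabled": true, "name": "Go advertising.", "description": "",
  "locations": [{"method": "GET", "scheme": "https", "enabled": true, "port": 443,
                 "query": "", "host": "new-kv.adesk.com", "path": "/v1/config"}]
}
''')

# Constructed response body modelled on the Config interface quoted in the text.
ORIGINAL_BODY = json.dumps({
    "code": 0, "msg": None,
    "res": {"app_rate": {"enable_rate": True},
            "app_advertising": {"splash_seconds": 5, "interstitial_seconds": 28}},
})

def matches_location(rule, method, scheme, host, port, path):
    """A rewrite only fires for requests matching one of its enabled locations."""
    return any(loc["enabled"] and (loc["method"], loc["scheme"], loc["host"], loc["port"],
                                   loc["path"]) == (method, scheme, host, port, path)
               for loc in rule["locations"])

def apply_body_rewrite(rule, body, phase="response"):
    """Assumed semantics: every occurrence of matchValue in the body becomes value
    (literal match when isRegex is false, regular expression when true)."""
    if not rule["enabled"]:
        return body
    for r in rule["rules"]:
        if r["action"] != "body" or r["destiontion"] != phase:
            continue
        if r["isRegex"]:
            body = re.sub(r["matchValue"], lambda _m: r["value"], body)
        else:
            body = body.replace(r["matchValue"], r["value"])
    return body

def ad_config_seen_by_app(body):
    """What an app that reads res.app_advertising gets back after the rewrite."""
    return json.loads(body)["res"].get("app_advertising")

if __name__ == "__main__":
    rewritten = apply_body_rewrite(RULE, ORIGINAL_BODY)
    # The key is renamed, so the real ad config is parked under "test" and the app sees None.
    print("app_advertising seen by app:", ad_config_seen_by_app(rewritten))
```

The result is still valid JSON, which is the whole trick: the app parses it happily, finds no app_advertising, and shows nothing; an app that drives its behaviour from an unauthenticated config response has no way to tell this body from a genuine one.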

After replacing it, restart HTTP Catcher and open the App: 🤩 the experience really doubles.

Free VIP

Here, take Youdao Cloud Note on iOS as an example.

Add the following to HTTP Catcher Rewrite:

{
  "rules": [{
    "action": "body",
    "matchField": "",
    "field": "",
    "value": "{\"service\": 1,\"payYear\": \"true\",\"end\": \"4100688000000\",\"um\": {\"nn\":\"atomhu\",\"q\": 3225419776,\"u\": 31360,\"dp\": 0,\"dq\": 100}}",
    "matchValue": "[\\s\\S]+",
    "destiontion": "response",
    "isRegex": true
  }],
  "enabled": true,
  "name": "Youdao Note Cracking Member",
  "locations": [{
    "method": "POST",
    "scheme": "https",
    "enabled": true,
    "port": 443,
    "query": "method=status",
    "host": "note.youdao.com",
    "path": "\/yws\/mapi\/payment"
  }]
}

Then open Youdao Cloud Note again, and you will magically find that you have become a VIP 🤩🤩🤩🤩

The change to VIP actually uses the rewrite function: in the interface where Youdao Cloud Note returns the user information, the user’s VIP status is modified by hand.

Many apps remain to be explored; whether it works in the end depends on many factors.
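The report below notes that rewriting a VIP flag changes nothing where permission validation happens on the back end, and that apps whose interfaces are signed resist replay. As an added illustration (my own code, not Youdao’s or any real service’s), this models a server that returns the payYear/end fields from the status response above as an HMAC-signed entitlement and re-verifies it on every VIP-only call; the key and user values are constructed.

```python
import base64
import hashlib
import hmac
import json

# Constructed server-side key; a real service keeps this in a secret store, never in the app.
SERVER_KEY = b"constructed-demo-key-not-for-production"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")
def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_entitlement(user_id: int, pay_year: bool, end_ms: int, key: bytes = SERVER_KEY) -> str:
    """Server side of the status call: return the payYear/end fields as a MAC-signed token
    rather than as a bare JSON flag the client is trusted to echo back."""
    payload = json.dumps({"u": user_id, "payYear": pay_year, "end": end_ms}, sort_keys=True).encode()
    return _b64(payload) + "." + _b64(hmac.new(key, payload, hashlib.sha256).digest())

def verify_entitlement(token: str, now_ms: int, key: bytes = SERVER_KEY):
    """Server side of every VIP-only call: recompute the MAC over the presented payload and
    reject anything tampered, malformed, unpaid or expired. Returns the claims or None."""
    try:
        payload_b64, mac_b64 = token.split(".")
        payload = _unb64(payload_b64)
        if not hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).digest(), _unb64(mac_b64)):
            return None
        claims = json.loads(payload)
    except ValueError:  # bad base64, wrong number of parts, or invalid JSON
        return None
    if not isinstance(claims, dict) or not claims.get("payYear") or claims.get("end", 0) <= now_ms:
        return None
    return claims

def premium_action(token: str, now_ms: int) -> str:
    """Handler for a VIP-only operation: the decision is taken here, never from a client flag."""
    return "allowed" if verify_entitlement(token, now_ms) else "denied"

def rewrite_pay_year(token: str) -> str:
    """Models the response rewrite from the text: flip payYear in the payload. The MAC cannot
    be recomputed without the server key, so the rewritten token no longer verifies."""
    payload_b64, mac_b64 = token.split(".")
    claims = json.loads(_unb64(payload_b64))
    claims["payYear"] = True
    return _b64(json.dumps(claims, sort_keys=True).encode()) + "." + mac_b64

if __name__ == "__main__":
    now, end = 1_600_000_000_000, 4100688000000  # "end" reuses the millisecond value quoted above
    print(premium_action(issue_entitlement(31360, True, end), now),                      # allowed
          premium_action(rewrite_pay_year(issue_entitlement(31360, False, end)), now))  # denied
```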

Packet capture report

After I learned to use Charles, it got out of hand: I have captured most of the common apps on the market. Here is the report.

App | Capturable | Content-Type | Notes
Juejin | ✔️ | application/json; charset=utf-8 | Through its interface you can fetch exactly the information you want to see and search or sort resources as you like; that is the origin of the awesome-IntelliJ-IDEA project.
Jianshu | Unknown | | Weird: after you start capturing packets, Jianshu can’t be used.
CSDN | ✔️ | application/json; charset=utf-8 | CSDN has a signature check, so the interface cannot be replayed.
Dou Figure Expression | ✔️ | application/json; charset=utf-8 | Removing ads.
Little Sleep | ✔️ | application/json; charset=utf-8 | You can rewrite your title to VIP, but it doesn’t bring about real change, because permission validation is on the back end.
Tide | ✔️ | application/json; charset=utf-8 | Spent a long time on it and finally failed to get free VIP 🤩🤩
Xianyu | Unknown | | I don’t know whether it’s because it’s Alibaba; you can’t see anything. Handsome tears.
Ziroom | ✔️ | |
NetEase Cloud Music | ✔️ | text/plain; charset=UTF-8 | The returned results should be encrypted; you can’t see anything.
Bilibili | ✔️ | application/json; charset=utf-8 | bilibili-schedule: Bilibili daily tasks (coin, like, share video, live check-in, silver melon seeds for coins, daily comic check-in).
Weibo | ✔️ | application/json; charset=utf-8 | You can grab the daily hot list data and so on.
Zuiyou | ✔️ | | I remember Zuiyou was shut down for a while for an overall architecture upgrade; I can only say that I don’t see anything in the revised architecture.
Douban | ✔️ | application/json; charset=utf-8 | The movie list.
Mubu | ✔️ | application/json; charset=utf-8 | Can grab excellent notes.
TickTick | ✔️ | application/json; charset=utf-8 | If you’re skilled enough, you can be a VIP.
Zhihu | ✔️ | application/json; charset=utf-8 | Zhihu hot list; Zhihu hot search words.
Youdao Cloud Note | ✔️ | application/json; charset=utf-8 | VIP implemented 🤩🤩; the FaceID function that only VIPs can use can be enabled through the rewrite function.
Meituan | ✔️ | application/json; charset=utf-8 | Check out a list of stores near you.
Ele.me | ✔️ | application/json; charset=utf-8 | Check out a list of stores near you.
JD.com | ✔️ | application/json; charset=utf-8 | JD simulated check-in can be achieved through the interface.
Li Auto | ✔️ | application/json; charset=utf-8 | Analysis of interface design.
XPeng | ✔️ | application/json; charset=utf-8 | Analysis of interface design.
NIO | ✔️ | application/json; charset=utf-8 | Interface design analysis shows that every NIO interface is signed, so the security is relatively high.

Final words

Learning packet capture software like Charles and HTTP Catcher helps you solve tough problems at work.

Even without a computer, problems can be located on the phone. No more downloading the production App and then installing the test-environment App afterwards.

At the same time, you can also learn from other companies’ API design by capturing their traffic.

If you happen to be particularly interested in this area, removing ads, VIP cracking, or even flash-sale sniping are no problem.