Captured the school running app's traffic with Charles, found it's pretty simple, planning to break it?

Today while riding my bike I figured I might as well open the BIT Sports app and get a run logged on the way; while doing that I remembered the PKU scandal from a few days ago where people failed PE for faking running data, got nervous, and started shaking my phone. After a while of shaking it I felt like an idiot for wasting time on this nonsense... so I went back to the dorm in a huff and decided to capture the traffic and see whether it could be broken. Looking at the Charles capture, the whole thing is just periodic POSTs, and the anti-cheat is essentially nonexistent...

Flow:

  1. POST startRaceRecord.do to tell the server a run has started; the server returns an id for this run
  2. Keep POSTing addRaceRecordGPS.do to send the running speed, step count, and latitude/longitude
  3. POST endRaceRecord.do to close the record; it includes the id of this run

Identification:

  1. Each run has its own token and an id

Specific params:

  1. startRaceRecord.do: device info: OS, resolution, app version, device name, model, SDK
  2. addRaceRecordGPS.do: 1 to 4 points sent per request: speed, longitude, latitude, run id, timestamp, total steps, total distance, total time
  3. endRaceRecord.do: run id

Specific content:

startRaceRecord.do:

POST /front/raceRecord/1.0/startRaceRecord.do HTTP/1.1
Host: sport-appapi.bit.edu.cn
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive
Accept: */*
User-Agent: run/1.6.51 (iPhone; iOS 13.1.2; Scale/3.00)
Accept-Language: zh-Hans-CN;q=1, en-CN;q=0.9, ko-KR;q=0.8
Content-Length: 527
Accept-Encoding: gzip, deflate, br

params={
  "deviceInfo" : {
    "os" : "iOS",
    "display" : "1125x2436",
    "appVersion" : "1.6.51",
    "deviceName" : "我也不认识加缪",
    "model" : "iPhone12,5",
    "appType" : "iPhone",
    "sdk" : "13.1.2"
  }&token=49FC62464801779D40B4A4505096CF52E37F

addRaceRecordGPS.do:

POST /front/raceRecord/1.0/addRaceRecordGPS.do HTTP/1.1
Host: sport-appapi.bit.edu.cn
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive
Accept: */*
User-Agent: run/1.6.51 (iPhone; iOS 13.1.2; Scale/3.00)
Accept-Language: zh-Hans-CN;q=1, en-CN;q=0.9, ko-KR;q=0.8
Content-Length: 1373
Accept-Encoding: gzip, deflate, br

params=[
  {
    "speed" : 524,
    "longitude" : "116.169566",
    "raceRecordId" : "173661",
    "raceTimestamp" : "1574152129077",
    "totalStep" : 40,
    "totalDistance" : 581,
    "latitude" : "39.725749",
    "totalTime" : 541
  },
  {
    "speed" : 604,
    "longitude" : "116.169561",
    "raceRecordId" : "173661",
    "raceTimestamp" : "1574152135049",
    "totalStep" : 40,
    "totalDistance" : 591,
    "latitude" : "39.725668",
    "totalTime" : 547
  },
  {
    "speed" : 312,
    "longitude" : "116.169594",
    "raceRecordId" : "173661",
    "raceTimestamp" : "1574152141098",
    "totalStep" : 40,
    "totalDistance" : 610,
    "latitude" : "39.725825",
    "totalTime" : 553
  }
]&token=49FC62464801779D40B4A4505096CF52E37F

endRaceRecord.do:

POST /front/raceRecord/1.0/endRaceRecord.do HTTP/1.1
Host: sport-appapi.bit.edu.cn
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive
Accept: */*
User-Agent: run/1.6.51 (iPhone; iOS 13.1.2; Scale/3.00)
Accept-Language: zh-Hans-CN;q=1, en-CN;q=0.9, ko-KR;q=0.8
Content-Length: 62
Accept-Encoding: gzip, deflate, br

raceRecordId=173661&token=49FC62464801779D40B4A4505096CF52E37F

🤔

start and end need no attention at all... once you have the token and id from start, you can just fill in the GPS parameters and send them over...

The key is that the running data has to match reality... the biggest risk is whether trying this on my own account gets me failed...
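The remark that the data has to match reality is exactly what a backend could test on every addRaceRecordGPS.do batch. The following is an added example, not code from this post or from the app's operator: a server-side plausibility check that uses the three captured points above as the plausible case and a constructed batch with a latitude jump as the implausible one. The thresholds (MAX_HUMAN_SPEED_MPS, GPS_NOISE_M, CLOCK_SLACK_S) and the helper names are assumptions for this example.

```python
import math
# Assumed thresholds for this example (not values from the app or its backend).
MAX_HUMAN_SPEED_MPS = 12.5  # no runner sustains this; above it is a forged pace or a GPS jump
GPS_NOISE_M = 15.0          # tolerance for consumer GPS jitter between two points
CLOCK_SLACK_S = 2.0         # tolerance between the app's totalTime counter and wall-clock delta

def haversine_m(lat1, lon1, lat2, lon2):  # great-circle distance in metres, inputs in degrees
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371000.0 * math.asin(math.sqrt(a))

def check_batch(records):
    """Return a list of findings for one addRaceRecordGPS.do batch (empty list == plausible)."""
    findings = []
    if len({r["raceRecordId"] for r in records}) != 1:
        findings.append("mixed raceRecordId values in one batch")
    for i in range(1, len(records)):
        prev, cur = records[i - 1], records[i]
        dt = (int(cur["raceTimestamp"]) - int(prev["raceTimestamp"])) / 1000.0  # ms -> s
        if dt <= 0:
            findings.append(f"point {i}: raceTimestamp not increasing")
            continue
        for key in ("totalDistance", "totalTime", "totalStep"):  # cumulative counters never shrink
            if cur[key] < prev[key]:
                findings.append(f"point {i}: {key} decreased")
        d_reported = cur["totalDistance"] - prev["totalDistance"]  # metres, as the app claims
        d_gps = haversine_m(float(prev["latitude"]), float(prev["longitude"]),
                            float(cur["latitude"]), float(cur["longitude"]))  # metres, from the fix
        speed = max(d_reported, d_gps) / dt
        if speed > MAX_HUMAN_SPEED_MPS:
            findings.append(f"point {i}: implied speed {speed:.1f} m/s exceeds ceiling")
        if d_gps > d_reported + GPS_NOISE_M:  # the fix moved further than the odometer admits
            findings.append(f"point {i}: GPS moved {d_gps:.0f} m but only {d_reported} m reported")
        if abs((cur["totalTime"] - prev["totalTime"]) - dt) > CLOCK_SLACK_S:
            findings.append(f"point {i}: totalTime drifts from wall clock")
    return findings

def point(lat, lon, ts, dist, secs, steps=40, rid="173661"):  # one record in the app's shape
    return {"latitude": lat, "longitude": lon, "raceTimestamp": ts, "totalDistance": dist,
            "totalTime": secs, "totalStep": steps, "raceRecordId": rid}

# The three points captured above (values from the page; the unused "speed" field is omitted).
CAPTURED = [point("39.725749", "116.169566", "1574152129077", 581, 541),
            point("39.725668", "116.169561", "1574152135049", 591, 547),
            point("39.725825", "116.169594", "1574152141098", 610, 553)]
# Constructed forgery for the test: same batch, but the last point jumps about 1.1 km north.
FORGED = [dict(p) for p in CAPTURED]
FORGED[2]["latitude"] = "39.735825"
```

The real capture passes every check (the GPS displacement between consecutive fixes, about 9 m and 18 m, matches the reported 10 m and 19 m), while the constructed jump trips both the speed ceiling and the GPS-versus-odometer comparison.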

Brilliant, all the previous runs' parameters are recorded in there and can be fetched with GET... That makes it even easier; just tweak them a little.
