用Charles抓包了一下学校跑步app,发现还挺简单,准备破一下?

今天骑自行车的时候想要不顺道打开北理体育刷一刷,刷着刷着想起前几天北大因为跑步数据作弊体育挂科门,心生惶恐,开始拿起手机晃。晃着晃着觉得自己很sb为什么要把时间花在这破事上……一气之下回宿舍决定抓包看看能不能破掉。拿Charles抓包看了看发现原理就是定期post,防黑约等于没有……

流程:

  1. POST startRaceRecord.do 向那边表示开始跑步,那边返回一个本次跑步id
  2. 不停POST addRaceRecordGPS.do 向那边发送跑步速度、步数,经纬度
  3. POST endRaceRecord.do 结束记录,其中包含了本次跑步的id

识别:

  1. 每次跑步有一个独立的token和一个id

具体params:

  1. startRaceRecord.do:设备信息:系统、分辨率、app版本、设备名、机型、sdk
  2. addRaceRecordGPS.do:1~4条一起发一次:速度、经度、纬度、跑步id、时间戳、总步数、总距离、总时长
  3. endRaceRecord.do:跑步id

具体content:

startRaceRecord.do:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
POST /front/raceRecord/1.0/startRaceRecord.do HTTP/1.1
Host: sport-appapi.bit.edu.cn
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive
Accept: */*
User-Agent: run/1.6.51 (iPhone; iOS 13.1.2; Scale/3.00)
Accept-Language: zh-Hans-CN;q=1, en-CN;q=0.9, ko-KR;q=0.8
Content-Length: 527
Accept-Encoding: gzip, deflate, br

params={
"deviceInfo" : {
"os" : "iOS",
"display" : "1125x2436",
"appVersion" : "1.6.51",
"deviceName" : "我也不认识加缪",
"model" : "iPhone12,5",
"appType" : "iPhone",
"sdk" : "13.1.2"
}&token=49FC62464801779D40B4A4505096CF52E37F

addRaceRecordGPS.do:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
POST /front/raceRecord/1.0/addRaceRecordGPS.do HTTP/1.1
Host: sport-appapi.bit.edu.cn
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive
Accept: */*
User-Agent: run/1.6.51 (iPhone; iOS 13.1.2; Scale/3.00)
Accept-Language: zh-Hans-CN;q=1, en-CN;q=0.9, ko-KR;q=0.8
Content-Length: 1373
Accept-Encoding: gzip, deflate, br

params=[
{
"speed" : 524,
"longitude" : "116.169566",
"raceRecordId" : "173661",
"raceTimestamp" : "1574152129077",
"totalStep" : 40,
"totalDistance" : 581,
"latitude" : "39.725749",
"totalTime" : 541
},
{
"speed" : 604,
"longitude" : "116.169561",
"raceRecordId" : "173661",
"raceTimestamp" : "1574152135049",
"totalStep" : 40,
"totalDistance" : 591,
"latitude" : "39.725668",
"totalTime" : 547
},
{
"speed" : 312,
"longitude" : "116.169594",
"raceRecordId" : "173661",
"raceTimestamp" : "1574152141098",
"totalStep" : 40,
"totalDistance" : 610,
"latitude" : "39.725825",
"totalTime" : 553
}
]&token=49FC62464801779D40B4A4505096CF52E37F

endRaceRecord.do:

1
2
3
4
5
6
7
8
9
10
11
POST /front/raceRecord/1.0/endRaceRecord.do HTTP/1.1
Host: sport-appapi.bit.edu.cn
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive
Accept: */*
User-Agent: run/1.6.51 (iPhone; iOS 13.1.2; Scale/3.00)
Accept-Language: zh-Hans-CN;q=1, en-CN;q=0.9, ko-KR;q=0.8
Content-Length: 62
Accept-Encoding: gzip, deflate, br

raceRecordId=173661&token=49FC62464801779D40B4A4505096CF52E37F

🤔

start和end都不用管……从start拿到token和id之后,就可以直接配置gps各参数,然后发过去了……

关键是跑步数据要符合实际……最大的危机是拿自己号尝试会不会被挂科……

绝了 之前的跑步参数全都记录在里面,可以get…… 那就更好办了 稍微改动改动就行