CN113420199A - Data acquisition method and device for application program - Google Patents


Publication number
CN113420199A
Authority
CN
China
Legal status
Pending
Application number
CN202110826668.1A
Other languages
Chinese (zh)
Inventor
李勃旺
Current Assignee
Beijing Jindi Credit Service Co ltd
Original Assignee
Beijing Jindi Credit Service Co ltd
Application filed by Beijing Jindi Credit Service Co ltd
Priority to CN202110826668.1A
Publication of CN113420199A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/95 Retrieval from the web
    • G06F16/951 Indexing; Web crawling techniques
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures

Abstract

The invention discloses a data acquisition method and device of an application program, a storage medium and electronic equipment, wherein the method comprises the following steps: capturing a network request; modifying a return value of a function for indicating data transmission through a non-preset protocol in the captured network request so as to enable the captured network request to perform data transmission through the preset protocol; and sending the modified network request through a preset protocol so as to acquire the returned data according to the modified network request. The invention can obtain the encryption parameters in a multithread concurrent way under the condition of not solving the application program, send the request under the condition of ensuring the normal operation of the application program and efficiently obtain the data of the application program, thereby simplifying the process and directly obtaining the most original request on one hand, reducing the complexity and complexity of directly breaking the encryption algorithm of the application program on the other hand and achieving the effect of obtaining the data.

Description

Data acquisition method and device for application program
Technical Field
The present invention relates to the technical field of computer information processing, and more particularly, to a data acquisition method and apparatus for an application program, a storage medium, and an electronic device.
Background
In some service scenarios, a web crawler needs to obtain the public part of the data of a certain application program. Generally, after a proxy is configured on the WiFi (wireless fidelity) connection of a mobile phone and the certificate issued by the packet capture tool is trusted, all traffic requests exchanged between the App and the outside can normally be acquired. However, some Apps cannot be analyzed by capturing packets with proxy software, because their network interaction requests are further encapsulated inside the App and are not simple HTTP/HTTPS requests, so the data sent by the App to the server cannot be seen in a packet capture tool that detects HTTP/HTTPS requests. Because the network request cannot be obtained, how the App interacts with the server cannot be analyzed, the request cannot be constructed, and the public data of the App cannot be obtained.
Some existing methods acquire part of the public data of the App by simulating a human hand clicking through the application. However, in this method the encrypted request between the App and the server needs to be intercepted first, so that the data can be captured and analyzed while the simulated hand clicks; capturing packets directly with a packet capture tool does not succeed, so reverse analysis can be performed only by cracking the encryption algorithm, which is tedious, difficult and unlikely to succeed.
Disclosure of Invention
The invention provides a data acquisition method and device of an application program, and aims to solve the problem of how to quickly and efficiently acquire public data of the application program.
In order to solve the above problem, according to an aspect of the present invention, there is provided a data acquisition method of an application program, the method including:
capturing a network request;
modifying a return value of a function for indicating data transmission through a non-preset protocol in the captured network request so as to enable the captured network request to perform data transmission through the preset protocol;
and sending the modified network request through a preset protocol so as to acquire the returned data according to the modified network request.
Preferably, wherein the method further comprises:
when a network request is obtained, judging the return information of the network request, and when the return information of the network request is empty, determining that the network request carries out data transmission through a non-preset protocol.
Preferably, wherein the method further comprises:
the method comprises the steps of monitoring a network request sent by an application program, and capturing the network request when the network request is determined to be ready for data transmission through a non-preset protocol.
Preferably, wherein the method further comprises:
and analyzing the network function, and determining whether a request function for indicating data transmission through a non-preset protocol exists or not through a preset request function analysis script.
Preferably, wherein the method further comprises:
acquiring stack information of the network request in real time, and determining at least one request function used by the network request according to the acquired stack information to determine a request function set;
judging whether a first decision function for indicating whether to transmit data through a non-preset protocol exists in the request function set or not so as to obtain a first judgment result;
and when the first judgment result indicates that a first decision function for indicating whether to perform data transmission through a non-preset protocol exists, determining that the network request is ready for performing data transmission through the non-preset protocol.
Preferably, wherein the method further comprises:
and determining a first decision function in the request function set for indicating whether to transmit data through a non-preset protocol or not through a preset decision function analysis script.
Preferably, wherein the method further comprises:
judging whether a preset decision function set and the request function set have intersection or not;
when it is determined that an intersection exists between the decision function set and the request function set, determining a request function in the intersection as a target function;
judging whether the target function is a decision function for indicating whether to transmit data through a non-preset protocol or not;
when the target function is determined to be a decision function for indicating whether to perform data transmission through a non-preset protocol, determining that the target function is a first decision function, and determining that the network request is ready for data transmission through the non-preset protocol.
Preferably, wherein the method further comprises:
when no intersection exists between a preset decision function set and the request function set, or when it is determined that the target function is not a decision function for indicating whether to perform data transmission through a non-preset protocol, directly judging whether a first decision function for indicating whether to perform data transmission through the non-preset protocol exists in the at least one request function, so as to obtain a first judgment result.
Preferably, wherein the method further comprises:
performing decompiling processing on the application program to obtain a decompiled file, analyzing the decompiled file, and obtaining at least one key function related to the network request;
judging whether a second decision function for indicating whether to transmit data through a non-preset protocol exists in the at least one key function or not so as to obtain a second judgment result;
and when the second judgment result indicates that a second decision function for indicating whether to perform data transmission through a non-preset protocol exists, determining the decision function set according to all the second decision functions.
Preferably, wherein the method further comprises:
and performing parameter analysis on the captured network request to determine a request parameter type, and performing simulation construction according to the request parameter type to generate a modified network request.
Preferably, the performing parameter analysis on the grabbed network request to determine the request parameter type includes:
and performing parameter analysis on the captured network request according to a preset parameter type analysis script to determine the request parameter type.
Preferably, the performing parameter analysis on the grabbed network request to determine the request parameter type includes:
and for each request parameter, determining the request result corresponding to the captured network request after that request parameter is deleted, and determining the parameter type of that request parameter according to this request result.
Preferably, determining the parameter type of a request parameter according to the request result corresponding to the captured network request after that request parameter is deleted includes:
if the request result corresponding to the captured network request after the request parameter is deleted indicates that the request is successful, determining that the request parameter is an unnecessary parameter;
if the request result corresponding to the captured network request after the request parameter is deleted indicates that the request fails, and the value of the request parameter is a value whose meaning can be determined, determining that the request parameter is a first necessary parameter;
and if the request result corresponding to the captured network request after the request parameter is deleted indicates that the request fails, and the value of the request parameter is a value with no meaning, determining that the request parameter is an encryption parameter.
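Seen from the server side, the delete-one-parameter classification described above leaves a recognisable pattern in access logs: one client replays the same endpoint with exactly one parameter missing each time. The following Python code is an added example and is not part of the patent; the log layout, client identifiers, endpoint, parameter names and the threshold are all constructed assumptions. It flags such clients and reports which parameters the server actually enforced.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample records: (client id, request target, HTTP status).
SAMPLE_LOG = [
    ("client-a", "/api/orders?uid=42&page=1&ts=1700000000&sign=9f2c", 200),
    ("client-a", "/api/orders?page=1&ts=1700000000&sign=9f2c", 403),   # uid removed
    ("client-a", "/api/orders?uid=42&ts=1700000000&sign=9f2c", 200),   # page removed
    ("client-a", "/api/orders?uid=42&page=1&sign=9f2c", 403),          # ts removed
    ("client-a", "/api/orders?uid=42&page=1&ts=1700000000", 403),      # sign removed
    ("client-b", "/api/orders?uid=7&page=1&ts=1700000100&sign=aa10", 200),
    ("client-b", "/api/orders?uid=7&ts=1700000160&sign=bb31", 200),    # optional page omitted
    ("client-b", "/api/orders?uid=7&page=2&ts=1700000200&sign=c4d2", 200),
]


def param_names(target):
    """Return the set of query parameter names in a request target."""
    query = urlsplit(target).query
    return frozenset(name for name, _ in parse_qsl(query, keep_blank_values=True))


def find_ablation_probes(records, min_distinct_omissions=3):
    """Flag (client, path) pairs that replay a request with one parameter removed.

    The baseline for each pair is the largest parameter set the client sent.
    A request counts as a probe when it matches the baseline minus exactly one
    parameter. A pair is flagged once at least `min_distinct_omissions`
    different parameters have been dropped this way (assumed threshold).
    """
    groups = defaultdict(list)
    for client, target, status in records:
        path = urlsplit(target).path
        groups[(client, path)].append((param_names(target), status))

    findings = {}
    for key, requests in groups.items():
        baseline = max((names for names, _ in requests), key=len)
        omitted = defaultdict(list)  # parameter name -> statuses returned without it
        for names, status in requests:
            missing = baseline - names
            if names < baseline and len(missing) == 1:
                (name,) = missing
                omitted[name].append(status)
        if len(omitted) >= min_distinct_omissions:
            findings[key] = {
                # Rejected every time it was missing: the server checks it.
                "enforced": sorted(
                    n for n, codes in omitted.items() if all(c >= 400 for c in codes)
                ),
                # Accepted at least once without it: the server does not require it.
                "not_enforced": sorted(
                    n for n, codes in omitted.items() if any(c < 400 for c in codes)
                ),
            }
    return findings


if __name__ == "__main__":
    for (client, path), detail in find_ablation_probes(SAMPLE_LOG).items():
        print(client, path, detail)
```

The `enforced` list shows which parameters a prober will have learned are required, which is where signature checks and rate limits on repeated rejections matter most.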
Preferably, wherein the method further comprises:
when the parameter type of a request parameter is determined to be an encryption parameter, determining the position of the encryption code by searching for the keyword of that request parameter, based on the stack information of the captured network request and the decompiled file corresponding to the application program, and analyzing the code logic at the determined position to determine the encryption logic corresponding to that request parameter.
Preferably, the performing simulation construction according to the request parameter type to generate a modified network request includes:
and carrying out simulation construction according to the request parameter with the parameter type as the necessary parameter, the request parameter with the parameter type as the encryption parameter and/or the encryption logic of the request parameter with the parameter type as the encryption parameter so as to generate the modified network request.
Preferably, wherein the method further comprises:
and calling a script for acquiring the encrypted data through a remote procedure call technology to output the encrypted data, and constructing network requests in batches.
According to another aspect of the present invention, there is provided an apparatus for acquiring application public data by a user, the apparatus comprising:
the grabbing module is used for grabbing the network request;
the return value modification module is used for modifying the return value of a function which is used for indicating data transmission through a non-preset protocol in the captured network request so as to enable the captured network request to carry out data transmission through the preset protocol;
and the public data acquisition module is used for sending the modified network request through a preset protocol so as to acquire the returned data according to the modified network request.
Preferably, the grabbing module is further configured to perform:
when a network request is obtained, judging the return information of the network request, and when the return information of the network request is empty, determining that the network request carries out data transmission through a non-preset protocol.
Preferably, the grabbing module is further configured to perform:
the method comprises the steps of monitoring a network request sent by an application program, and capturing the network request when the network request is determined to be ready for data transmission through a non-preset protocol.
Preferably, the grabbing module is further configured to perform:
and analyzing the network function, and determining whether a request function for indicating data transmission through a non-preset protocol exists or not through a preset request function analysis script.
Preferably, the grabbing module is further configured to perform:
acquiring stack information of the network request in real time, and determining at least one request function used by the network request according to the acquired stack information to determine a request function set;
judging whether a first decision function for indicating whether to transmit data through a non-preset protocol exists in the request function set or not so as to obtain a first judgment result;
and when the first judgment result indicates that a first decision function for indicating whether to perform data transmission through a non-preset protocol exists, determining that the network request is ready for performing data transmission through the non-preset protocol.
Preferably, the grabbing module is further configured to perform:
and determining a first decision function in the request function set for indicating whether to transmit data through a non-preset protocol or not through a preset decision function analysis script.
Preferably, the grabbing module is further configured to perform:
judging whether a preset decision function set and the request function set have intersection or not;
when it is determined that an intersection exists between the decision function set and the request function set, determining a request function in the intersection as a target function;
judging whether the target function is a decision function for indicating whether to transmit data through a non-preset protocol or not;
when the target function is determined to be a decision function for indicating whether to perform data transmission through a non-preset protocol, determining that the target function is a first decision function, and determining that the network request is ready for data transmission through the non-preset protocol.
Preferably, the grabbing module is further configured to:
when no intersection exists between a preset decision function set and the request function set, or when it is determined that the target function is not a decision function for indicating whether to perform data transmission through a non-preset protocol, directly judging whether a first decision function for indicating whether to perform data transmission through the non-preset protocol exists in the at least one request function, so as to obtain a first judgment result.
Preferably, wherein the apparatus further comprises: a decision function set determination module to:
performing decompiling processing on the application program to obtain a decompiled file, analyzing the decompiled file, and obtaining at least one key function related to the network request;
judging whether a second decision function for indicating whether to transmit data through a non-preset protocol exists in the at least one key function or not so as to obtain a second judgment result;
and when the second judgment result indicates that a second decision function for indicating whether to perform data transmission through a non-preset protocol exists, determining a decision function set according to all the second decision functions.
Preferably, wherein the system further comprises:
and the network request simulation construction module is used for carrying out parameter analysis on the captured network request so as to determine the request parameter type, and carrying out simulation construction according to the request parameter type so as to generate a modified network request.
Preferably, the network request simulation and construction module performs parameter analysis on the captured network request to determine a request parameter type, including:
and performing parameter analysis on the captured network request according to a preset parameter type analysis script to determine the request parameter type.
Preferably, the network request simulation construction module is further configured to:
and for each request parameter, determining the request result corresponding to the captured network request after that request parameter is deleted, and determining the parameter type of that request parameter according to this request result.
Preferably, the determining, by the network request simulation construction module, of the parameter type of a request parameter according to the request result corresponding to the captured network request after that request parameter is deleted includes:
if the request result corresponding to the captured network request after the request parameter is deleted indicates that the request is successful, determining that the request parameter is an unnecessary parameter;
if the request result corresponding to the captured network request after the request parameter is deleted indicates that the request fails, and the value of the request parameter is a value whose meaning can be determined, determining that the request parameter is a first necessary parameter;
and if the request result corresponding to the captured network request after the request parameter is deleted indicates that the request fails, and the value of the request parameter is a value with no meaning, determining that the request parameter is an encryption parameter.
Preferably, the network request simulation construction module is further configured to:
when the parameter type of a request parameter is determined to be an encryption parameter, determining the position of the encryption code by searching for the keyword of that request parameter, based on the stack information of the captured network request and the decompiled file corresponding to the application program, and analyzing the code logic at the determined position to determine the encryption logic corresponding to that request parameter.
Preferably, the network request simulation construction module, which performs simulation construction according to the request parameter type to generate a modified network request, includes:
and carrying out simulation construction according to the request parameter with the parameter type as the necessary parameter, the request parameter with the parameter type as the encryption parameter and/or the encryption logic of the request parameter with the parameter type as the encryption parameter so as to generate the modified network request.
Preferably, the network request simulation construction module is further configured to:
and calling a script for acquiring the encrypted data through a remote procedure call technology to output the encrypted data, and constructing network requests in batches.
According to still another aspect of the present invention, there is provided a computer-readable storage medium storing a computer program for executing the above-described method of acquiring application public data.
According to still another aspect of the present invention, there is provided an electronic apparatus including:
a processor;
a memory for storing the processor-executable instructions;
the processor is used for reading the executable instruction from the memory and executing the instruction to realize the method for acquiring the application program public data.
The invention provides a data acquisition method and device of an application program, a storage medium and electronic equipment, which are used for capturing a network request; modifying a return value of a function for indicating data transmission through a non-preset protocol in the captured network request so as to enable the captured network request to perform data transmission through the preset protocol; and sending the modified network request through a preset protocol so as to acquire the returned data according to the modified network request. The method of the embodiment of the invention can obtain the encryption parameters in a multi-thread concurrent manner under the condition of not degrading the application program, and send the normal network request under the condition of ensuring the normal operation of the application program, thereby efficiently obtaining the public data of the application program, simplifying the process on one hand, directly obtaining the most original request, reducing the complexity and complexity of directly cracking the encryption algorithm of the application program on the other hand, and achieving the effect of obtaining the data.
Drawings
A more complete understanding of exemplary embodiments of the present invention may be obtained by reference to the following drawings. The accompanying drawings are included to provide a further understanding of the embodiments of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the principles of the invention and not to limit the invention. In the drawings, like reference numbers generally represent like parts or steps.
FIG. 1 is a flow chart of a data acquisition method 100 for an application provided in accordance with an exemplary embodiment of the present invention;
FIG. 2 is a flow chart of a data acquisition method 200 for an application according to an exemplary embodiment of the invention;
FIG. 3 is a flowchart of a method for determining that the network request is ready for data transmission via a non-preset protocol according to an exemplary embodiment of the present invention;
FIG. 4 is a flowchart of a method for determining that the network request is ready for data transmission via a non-preset protocol according to an exemplary embodiment of the present invention;
FIG. 5 is a schematic structural diagram of a data acquisition apparatus 500 for an application according to an exemplary embodiment of the present invention;
FIG. 6 is a structure of an electronic device according to an exemplary embodiment of the present invention.
Detailed Description
Hereinafter, example embodiments according to the present invention will be described in detail with reference to the accompanying drawings. It is to be understood that the described embodiments are merely a subset of embodiments of the invention and not all embodiments of the invention, with the understanding that the invention is not limited to the example embodiments described herein.
It should be noted that: the relative arrangement of the components and steps, the numerical expressions and numerical values set forth in these embodiments do not limit the scope of the present invention unless specifically stated otherwise.
It will be understood by those of skill in the art that the terms "first," "second," and the like in the embodiments of the present invention are used merely to distinguish one element, step, device, module, or the like from another element, and do not denote any particular technical or logical order therebetween.
It should also be understood that in embodiments of the present invention, "a plurality" may refer to two or more and "at least one" may refer to one, two or more.
It is also to be understood that any reference to any component, data, or structure in the embodiments of the invention may be generally understood as one or more, unless explicitly defined otherwise or stated to the contrary hereinafter.
In addition, the term "and/or" in the present invention is only one kind of association relationship describing the associated object, and means that there may be three kinds of relationships, for example, a and/or B, which may mean: a exists alone, A and B exist simultaneously, and B exists alone. In the present invention, the character "/" generally indicates that the preceding and following related objects are in an "or" relationship.
It should also be understood that the description of the embodiments of the present invention emphasizes the differences between the embodiments, and the same or similar parts may be referred to each other, so that the descriptions thereof are omitted for brevity.
Meanwhile, it should be understood that the sizes of the respective portions shown in the drawings are not drawn in an actual proportional relationship for the convenience of description.
The following description of at least one exemplary embodiment is merely illustrative in nature and is in no way intended to limit the invention, its application, or uses.
Techniques, methods, and apparatus known to those of ordinary skill in the relevant art may not be discussed in detail, but are intended to be part of the specification where appropriate.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, further discussion thereof is not required in subsequent figures.
Embodiments of the invention are operational with numerous other general purpose or special purpose computing system environments or configurations, and with numerous other electronic devices, such as terminal devices, computer systems, servers, etc. Examples of well known terminal devices, computing systems, environments, and/or configurations that may be suitable for use with electronic devices, such as terminal devices, computer systems, servers, and the like, include, but are not limited to: personal computer systems, server computer systems, thin clients, thick clients, hand-held or laptop devices, microprocessor-based systems, set-top boxes, programmable consumer electronics, networked personal computers, minicomputer systems, mainframe computer systems, distributed cloud computing environments that include any of the above, and the like.
Electronic devices such as terminal devices, computer systems, servers, etc. may be described in the general context of computer system-executable instructions, such as program modules, being executed by a computer system. Generally, program modules may include routines, programs, objects, components, logic, data structures, etc. that perform particular tasks or implement particular abstract data types. The computer system/server may be practiced in distributed cloud computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed cloud computing environment, program modules may be located in both local and remote computer system storage media including memory storage devices.
Exemplary method
Fig. 1 is a flowchart illustrating a method for acquiring application public data according to an exemplary embodiment of the present invention. The embodiment can be applied to an electronic device, as shown in fig. 1, and includes the following steps:
Step 101: capturing a network request.
Step 102: modifying a return value of a function for indicating data transmission through a non-preset protocol in the captured network request so as to enable the captured network request to perform data transmission through the preset protocol.
Step 103: sending the modified network request through a preset protocol to acquire the returned data according to the modified network request.
In the invention, by the method, the encryption parameters can be obtained in a multi-thread concurrent manner under the condition of not degrading the application program, and the normal network request can be sent under the condition of ensuring the normal running of the application program, so that the public data of the application program can be efficiently obtained.
Fig. 2 is a flowchart illustrating a method for acquiring application public data according to an exemplary embodiment of the present invention. The embodiment can be applied to an electronic device, as shown in fig. 2, and includes the following steps:
Step 201: capturing a network request.
Preferably, wherein the method further comprises:
when a network request is obtained, judging the return information of the network request, and when the return information of the network request is empty, determining that the network request carries out data transmission through a non-preset protocol.
As an embodiment, the method further comprises:
and analyzing the network function, and determining whether a request function for indicating data transmission through a non-preset protocol exists or not through a preset request function analysis script.
For example, when an application program sends a request for obtaining an order to a server, it is determined whether a request function for instructing data transmission through a non-preset protocol exists through a preset request function analysis script.
If the information returned by the network request is null, it is determined that the network request performs data transmission through a non-preset protocol, and the network request is constructed to acquire the returned data corresponding to the network request. If the information returned by the network request is not null, it is determined that the network request performs data transmission through the preset protocol, and the data returned by the network request is acquired directly.
Preferably, the method further comprises:
monitoring a network request sent by an application program, and capturing the network request when the network request is determined to be ready for data transmission through a non-preset protocol; in this embodiment, the network request sent by the application program can be monitored in real time.
In the embodiment of the invention, firstly, a network request sent by an application program needs to be monitored, and when the network request is determined to be ready for data transmission through a non-preset protocol, the network request is captured.
Preferably, the network requests sent by the application program are monitored in real time to capture all the network requests for data transmission through the non-preset protocol.
The non-preset protocol in the present invention may be a private protocol. For example, if the preset protocol is the http/https protocol, all other protocols are non-preset protocols. The type of the preset protocol may be set according to requirements, and is not limited to the http/https protocol in the above example.
Preferably, the method further comprises:
acquiring stack information of the network request, and determining at least one request function used by the network request according to the acquired stack information to determine a request function set;
judging whether a first decision function for indicating whether to transmit data through a non-preset protocol exists in the request function set or not so as to obtain a first judgment result;
and when the first judgment result indicates that a first decision function for indicating whether to perform data transmission through a non-preset protocol exists, determining that the network request is ready for performing data transmission through the non-preset protocol.
In the invention, all stack information of a network request can be acquired in real time, and at least one request function used by the network request is determined according to the acquired stack information so as to determine a request function set. For example, all stack information of a network request, that is, its list of function calls, is obtained; the stack is then traced upwards to find the request function calls related to the network request, and each function is tested for whether it is a network-related function. Functions of the open-source OkHttp and Retrofit libraries are examples, and a function whose name contains a keyword such as Requests or Http can also be preliminarily judged to be related to the network request. Each function is then examined in detail according to how it is actually used, and at least one request function used by the network request is determined. The confirmation method is as follows: a Frida hook is used to directly suppress the return of a function (the hooked function returns empty); if the network request fails at that point, the function can be judged to be related to the network request. This judgment is made for each function, so that it can be determined whether a first decision function for indicating whether to perform data transmission through a non-preset protocol exists.
Preferably, the method further comprises:
determining, through a preset decision function analysis script, a first decision function in the request function set for indicating whether to transmit data through a non-preset protocol.
Preferably, before determining whether a first decision function for indicating whether to perform data transmission through a non-preset protocol exists in the request function set to obtain a first determination result, the method further includes:
judging whether a preset decision function set and the request function set have intersection or not;
when it is determined that an intersection exists between the decision function set and the request function set, determining a request function in the intersection as a target function;
judging whether the target function is a decision function for indicating whether to transmit data through a non-preset protocol or not;
when the target function is determined to be a decision function for indicating whether to perform data transmission through a non-preset protocol, determining that the target function is a first decision function, and determining that the network request is ready for data transmission through the non-preset protocol.
Preferably, the method further comprises:
when no intersection exists between a preset decision function set and the request function set, or when it is determined that the target function is not a decision function for indicating whether to perform data transmission through a non-preset protocol, directly judging whether a first decision function for indicating whether to perform data transmission through the non-preset protocol exists in the at least one request function, so as to obtain a first judgment result.
Preferably, the method further comprises:
performing decompiling processing on the application program to obtain a decompiled file, analyzing the decompiled file, and obtaining at least one key function related to the network request;
judging whether a second decision function for indicating whether to transmit data through a non-preset protocol exists in the at least one key function or not so as to obtain a second judgment result;
and when the second judgment result indicates that a second decision function for indicating whether to perform data transmission through a non-preset protocol exists, determining a decision function set according to all the second decision functions.
In an embodiment of the present invention, the required development environment and development tools include: VSCode, Python 3.8.0, Frida 12.11.11, Charles, an Android handset (Android 6.0.1), Jadx-GUI, and JavaScript. The method improves the packet capture process and the subsequent request process: a Hook technique (adding the required operation logic without changing the execution logic of the original program) is used to hook the relevant functions of the App; the open-source tool Frida is then used with Remote Procedure Call (RPC) to analyze the encryption parameters; and a network request is then constructed by simulation to obtain a normal http network request, so as to obtain the public data.
As shown in fig. 3, the process of determining whether a network request is ready for data transmission via a non-default protocol according to an embodiment of the present invention includes:
Step 301, acquiring stack information of the network request in real time, and determining at least one request function used by the network request according to the acquired stack information.
All stack information of each network request is acquired in real time through a Frida interface, then upward search is carried out according to the hierarchical relationship, and which functions each network request passes through is checked, so that at least one request function used by each network request is determined according to the acquired stack information.
Step 302, determining whether a first decision function for indicating whether to perform data transmission through a non-preset protocol exists in the at least one request function, so as to obtain a first determination result.
Step 303, when the first determination result indicates that there is a first decision function for indicating whether to perform data transmission according to a non-preset protocol, determining that the network request is ready for performing data transmission according to the non-preset protocol.
Whether a first decision function for indicating whether to perform data transmission through a non-preset protocol exists is determined either from a function library preset from experience or by trial analysis of each function's return value and function name, which gives the first judgment result. When the first judgment result indicates that such a first decision function exists, it is determined that the network request is ready for data transmission through the non-preset protocol.
For example, the application returns a bool type through the SwitchHttpConfig function, and the upper-layer call of the function is in http Utils. Therefore, when the SwitchHttpConfig function is present in a network request, that network request can be captured directly.
As shown in fig. 4, when determining whether a network request is ready for data transmission through a non-preset protocol, and before determining whether a first decision function for indicating whether to perform data transmission through the non-preset protocol exists in the at least one request function to obtain a first determination result, the embodiment of the present invention further includes:
Step 401, judging whether a preset decision function set and the request function set have an intersection;
Step 402, when determining that the decision function set and the request function set have an intersection, determining that the request function in the intersection is a target function;
Step 403, determining whether the target function is a decision function for indicating whether to perform data transmission through a non-preset protocol;
Step 404, when the target function is determined to be a decision function for indicating whether to perform data transmission through a non-preset protocol, determining that the target function is a first decision function, and determining that the network request is ready for data transmission through the non-preset protocol.
Preferably, when it is determined that a request function of the at least one request function does not exist in the decision function set or when it is determined that the target function is not a decision function for indicating whether to perform data transmission according to a non-preset protocol, the method directly proceeds to step 202 to determine whether a first decision function for indicating whether to perform data transmission according to the non-preset protocol exists in the at least one request function, so as to obtain a first determination result.
Preferably, the method decompiles the application program to obtain a decompiled file, and analyzes the decompiled file to obtain at least one key function related to the network request; then judges whether a second decision function for indicating whether to transmit data through a non-preset protocol exists in the at least one key function, so as to obtain a second judgment result; and finally, when the second judgment result indicates that such a second decision function exists, determines a decision function set according to all the second decision functions.
In this method, the Android installation package (APK) of the target application program is first decompiled with the Android decompiling tool Jadx-GUI, and all decompiled files are saved. The files are then opened with the development tool VSCode, a plurality of key functions related to the network request are analyzed, and it is judged whether a second decision function for indicating whether to perform data transmission through a non-preset protocol exists among the obtained key functions, giving a second judgment result. When the second judgment result indicates that such a second decision function exists, a decision function set is determined according to all the second decision functions. The key functions include the APIs of relevant libraries such as http, retrofit and the like. Then, a judgment is made to determine whether a decision function for indicating whether to perform data transmission through a non-preset protocol exists.
For example, suppose the decision function set is { x, y, a, b, c } and the request function set in a network request includes { x, b, p }, where b is a decision function for indicating whether to perform data transmission through a non-preset protocol. The process of determining that the network request is ready for data transmission through the non-preset protocol is then as follows: it is determined that request functions in the request function set exist in the decision function set, that is, the elements in the intersection are x and b; the request functions x and b that exist in the decision function set are determined to be target functions; it is then judged, for x and b respectively, whether the target function is a decision function for indicating whether to transmit data through a non-preset protocol, which shows that b is a decision function; and when the target function b is determined to be such a decision function, the target function is determined to be a first decision function, and it is directly determined that the network request is ready for data transmission through the non-preset protocol.
If the decision function set is { x, y, a, b, c } and the request function set in a certain network request includes { x, b, p }, where p is a decision function for indicating whether to perform data transmission through a non-preset protocol, then the elements in the intersection are x and b, x and b are the target functions, and judgment shows that neither x nor b is the first decision function. If the decision function set is { x, y, a, b, c } and the request function set in a network request includes { p }, it can be determined that the decision function set and the request function set do not intersect. In these cases, that is, when no request function of the request function set exists in the decision function set, or when the target function is determined not to be a decision function for indicating whether to perform data transmission through a non-preset protocol, the method directly enters step 302 to determine whether a first decision function for indicating whether to perform data transmission through the non-preset protocol exists in the at least one request function, so as to obtain a first determination result.
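The three worked cases above (steps 401 to 404 and the fallback to step 302) can be followed in code. This is an added example, not code from the patent: the `confirm` callback stands in for the per-function judgment the text describes, the names `Verdict` and `find_first_decision_function` are hypothetical, and skipping already-judged targets in the fallback is an assumption.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

# Decision function set from the worked example in the text.
DECISION_SET = {"x", "y", "a", "b", "c"}


@dataclass
class Verdict:
    first_decision_function: Optional[str]  # None: no decision function was found
    path: str                               # "preset-set" or "full-scan"
    confirmations: int                      # number of functions that had to be judged


def find_first_decision_function(
    request_functions: Iterable[str],
    preset_decision_set: Iterable[str],
    confirm: Callable[[str], bool],
) -> Verdict:
    """Steps 401-404, falling back to step 302 when the preset set does not help.

    `confirm(name)` is a placeholder for judging one function (return value
    and name analysis in the text); here it is driven by constructed data.
    """
    request = list(dict.fromkeys(request_functions))  # call-stack order, no repeats
    preset = set(preset_decision_set)
    judged = 0

    # Steps 401/402: request functions that are also in the preset set are targets.
    targets = [name for name in request if name in preset]

    # Steps 403/404: the first confirmed target is the first decision function.
    for name in targets:
        judged += 1
        if confirm(name):
            return Verdict(name, "preset-set", judged)

    # Fallback to step 302: no intersection, or no target was a decision
    # function. Assumption: targets already judged are not judged again.
    for name in request:
        if name in targets:
            continue
        judged += 1
        if confirm(name):
            return Verdict(name, "full-scan", judged)
    return Verdict(None, "full-scan", judged)


if __name__ == "__main__":
    # Case 1 from the text: b is the decision function and is in the preset set.
    print(find_first_decision_function(["x", "b", "p"], DECISION_SET, lambda f: f == "b"))
    # Case 2: p is the decision function, so x and b are judged and rejected first.
    print(find_first_decision_function(["x", "b", "p"], DECISION_SET, lambda f: f == "p"))
    # Case 3: the sets do not intersect at all.
    print(find_first_decision_function(["p"], DECISION_SET, lambda f: f == "p"))
```

The `confirmations` count shows what the preset set buys: it only reduces work when the decision function is already known, and a stale set costs extra judgments before the full scan.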
Step 202, modifying a return value of a function for indicating data transmission through a non-preset protocol in the captured network request, so that the captured network request performs data transmission through the preset protocol.
Still taking the SwitchHttpConfig function as an example: if SwitchHttpConfig returns true, the App always performs data transmission through the non-preset protocol, so the ordinary Https packet capture tool Charles cannot capture the traffic. The invention therefore uses a Hook to modify the return value of SwitchHttpConfig, the function in the captured network request that indicates data transmission through the non-preset protocol, so that it always returns false. The program then judges internally that the non-preset protocol is unavailable, the captured network request cannot perform data transmission through the non-preset protocol, and the traffic is forced to go through the preset protocol. For example, the traffic is forced to perform data transmission through the preset protocol http, so that the relevant request packets can be acquired through Charles and the public data can then be obtained.
Step 203, performing parameter analysis on the captured network request to determine a request parameter type, and performing simulation construction according to the request parameter type to generate a modified network request.
Preferably, the performing parameter analysis on the grabbed network request to determine the request parameter type includes:
performing parameter analysis on the captured network request according to a preset parameter type analysis script to determine the request parameter type.
Preferably, the performing parameter analysis on the captured network request according to a preset parameter type analysis script to determine a request parameter type includes:
for any request parameter, determining the request result of the captured network request after that request parameter is deleted, and determining the parameter type of that request parameter according to that request result.
Preferably, determining the parameter type of a request parameter according to the request result of the captured network request after that request parameter is deleted includes:
if the request result of the captured network request after the request parameter is deleted indicates that the request is successful, determining that the request parameter is an unnecessary parameter;
if the request result of the captured network request after the request parameter is deleted indicates that the request fails, and the value of the request parameter is a value whose meaning can be determined, determining that the request parameter is a first necessary parameter;
and if the request result of the captured network request after the request parameter is deleted indicates that the request fails, and the value of the request parameter is a value whose meaning cannot be determined, determining that the request parameter is an encryption parameter.
Preferably, the method further comprises:
when the parameter type of a request parameter is determined to be an encryption parameter, locating the encryption code by searching for the keyword of that request parameter, based on the stack information of the captured network request and the decompiled file corresponding to the application program, and analyzing the code logic at the located position to determine the encryption logic corresponding to that request parameter.
Preferably, the performing simulation construction according to the request parameter type to generate a modified network request includes:
performing simulation construction according to the request parameters whose parameter type is necessary parameter, the request parameters whose parameter type is encryption parameter, and/or the encryption logic of the request parameters whose parameter type is encryption parameter, so as to generate the modified network request.
Preferably, the method further comprises:
calling, through a remote procedure call technology, a script for acquiring the encrypted data so as to output the encrypted data, and constructing network requests in batches.
A mobile phone proxy and Charles (a packet capture tool) are configured. Because the original network-related function SwitchHttpConfig has been hooked, all traffic exchanged between the application program and the server is now sent through the preset protocol Https, and because a certificate trusting Charles is installed on the mobile phone, the Https traffic passing through Charles can be decrypted.
Specifically, the invention performs parameter analysis on the captured network requests. Some parameters are necessary parameters, such as commodity search words, Beijing, Tianjin and the like; some are unnecessary parameters, such as system version, WiFi, etc.; and some are encryption parameters, without which the network request cannot get through. The invention therefore determines the parameter type of each parameter by the controlled-variable method, for use in the simulation construction of subsequent network requests.
The invention first determines the name of each request parameter in the captured network request; then, for any request parameter, it determines the request result of the captured network request after that request parameter is deleted, and determines the parameter type of that request parameter according to that request result. When the parameter type of the request parameter is encryption parameter, the encryption logic corresponding to the request parameter is located by searching for the keyword of the request parameter, based on all stack information of the captured network request and the decompiled file corresponding to the application program.
For example, for request parameters a, b, c (parameter names), each parameter is traversed in order to determine its parameter type. If parameter a is removed from the network request and the request result still indicates that the request is successful, the parameter type of parameter a is preliminarily determined to be an unnecessary parameter. If parameter b is removed and the request result is found to be a possible request failure, the value of parameter b is checked; if the value is readable, the specific meaning of the parameter can be guessed, such as page 1 or keyword beijing, which indicates a parameter that needs to be changed in a subsequent simulated request to obtain the desired result. If the request result indicates that the request fails after parameter b is deleted, and the value of parameter b is a character string whose meaning cannot be determined, parameter b is determined to be an encryption parameter. For example, the parameter sign = c4ca4238a0b923820dcc509a6f75849b is preliminarily determined to be an encryption parameter.
Encryption parameters are generally derived from the necessary parameters by a specific encryption algorithm. The App sends a request to the server over the network, the server runs the same encryption algorithm, and if the result it obtains is consistent with the encryption parameter submitted by the App, the request is regarded as a legal request and the data is obtained. The encryption logic of the encryption parameters therefore also needs to be determined.
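The controlled-variable classification and the server-side comparison described in the two paragraphs above are shown here together, run against a constructed in-process server stub. This is an added example, not code from the patent: HMAC-SHA256, `DEMO_KEY`, the parameter names and the hex-digest test for "meaning cannot be determined" are all assumptions.

```python
import hashlib
import hmac
import re
from typing import Callable, Dict

# Constructed stand-in for the server side. The page does not name the
# algorithm; HMAC-SHA256 over the keyword with a shared key is an assumption.
DEMO_KEY = b"constructed-demo-key"


def compute_sign(keyword: str) -> str:
    """Derive the encryption parameter from the necessary parameter."""
    return hmac.new(DEMO_KEY, keyword.encode("utf-8"), hashlib.sha256).hexdigest()


def server_handle(params: Dict[str, str]) -> bool:
    """Server check from the text: recompute the sign and compare.

    Returns True when the request is accepted. keyword, page and sign are
    required; every other parameter is ignored (constructed behaviour).
    """
    keyword, page, sign = params.get("keyword"), params.get("page"), params.get("sign")
    if keyword is None or page is None or sign is None:
        return False
    expected = compute_sign(keyword).encode("ascii")
    # Constant-time comparison; bytes on both sides so odd input cannot raise.
    return hmac.compare_digest(expected, sign.encode("utf-8"))


# Assumption: a value "whose meaning cannot be determined" looks like a hex digest.
OPAQUE_VALUE = re.compile(r"[0-9a-fA-F]{32,}")


def looks_opaque(value: str) -> bool:
    return OPAQUE_VALUE.fullmatch(value) is not None


def classify_parameters(
    params: Dict[str, str], send: Callable[[Dict[str, str]], bool]
) -> Dict[str, str]:
    """Delete one parameter at a time and classify it by the request result."""
    if not send(params):
        raise ValueError("the unmodified request must succeed before any deletion")
    types = {}
    for name, value in params.items():
        without = {k: v for k, v in params.items() if k != name}
        if send(without):
            types[name] = "unnecessary"   # request still succeeds
        elif looks_opaque(value):
            types[name] = "encryption"    # request fails, value is opaque
        else:
            types[name] = "necessary"     # request fails, value is readable
    return types


# Constructed captured request, using the kinds of parameters the text names.
CAPTURED = {
    "keyword": "Beijing",
    "page": "1",
    "os_version": "6.0.1",
    "network": "WiFi",
    "sign": compute_sign("Beijing"),
}

if __name__ == "__main__":
    for name, kind in classify_parameters(CAPTURED, server_handle).items():
        print(f"{name:12s} {kind}")
    # Changing the necessary parameter without a matching sign is rejected.
    print(server_handle({**CAPTURED, "keyword": "Tianjin"}))
```

In this stub the sign is bound only to `keyword`, so the server accepts any request whose keyword and sign agree; the comparison authenticates the parameter value, not the sender.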
In the invention, a script that hooks the encryption parameters is written in JavaScript. The method analyzes, step by step, the meaning of the functions passed through in the function call stack, and, in combination with analysis of the source code decompiled by Jadx, quickly locates the generation logic of the encryption parameters by searching for the keys of the encryption parameters. Finally, simulation construction is performed according to the determined request parameters whose parameter type is necessary parameter, the request parameters whose parameter type is encryption parameter, and/or the encryption logic of the request parameters whose parameter type is encryption parameter, so as to generate the modified network request. In addition, some encryption logic is very complex and resides in Native functions (calls into functions of a C++ library). In that case the encryption algorithm may not be fully restorable, so the place where it is called and the parameters it is called with need to be found; the encryption function is then hooked with Frida, the same parameters are passed in, and the function is executed to obtain the encrypted data. A network request is then constructed directly from the necessary parameters and the encrypted data to generate the modified network request.
Take requesting information about Beijing as an example, and assume the request has only two parameters, one a necessary parameter and the other an encryption parameter. The necessary parameter, such as keyword, is changed to Beijing, and the keyword Beijing is then encrypted by calling the function of the application program on the mobile phone through a Frida Hook, giving an encrypted character string such as b118330bf6d5094d8f1f742713d242e7. There are now two parameters, namely keyword Beijing and sign b118330bf6d5094d8f1f742713d242e7. The network request is then submitted: the website is obtained by the analysis in S203, and the request header is also obtained in S203 and is generally a fixed set of key-value pairs, so the request is sent to the server using the website, the request header and the request parameters (request body), and the server finally returns a result correctly.
In addition, the invention uses Frida RPC to start the Hook script, and outputs the encrypted result to the program by remotely calling the script that acquires the encryption parameter, so that normal requests can be constructed in large batches.
And step 204, sending the modified network request through a preset protocol to acquire the returned data according to the modified network request.
In the present invention, the acquired returned data is public data returned to the application. The method for acquiring the application program public data can be called through Frida RPC, can acquire encryption parameters concurrently with multiple threads, and can request data on a large scale. It simplifies the process by directly acquiring the most original request, and reduces the complexity of directly breaking the encryption algorithm of the application program, thereby achieving the effect of acquiring data.
For example, after the request is constructed, it is sent to the server. After receiving the request, the server encrypts the keyword Beijing according to a specific encryption algorithm; if the encryption result is also b118330bf6d5094d8f1f742713d242e7 and is consistent with the sign uploaded by the client, the server considers the constructed request legal, verification passes, and the data is returned.
Exemplary devices
Fig. 5 is a schematic structural diagram of an apparatus for acquiring application public data according to an exemplary embodiment of the present invention. As shown in fig. 5, the present embodiment includes:
a grabbing module 501, configured to capture the network request.
Preferably, the grabbing module 501 comprises:
when a network request is obtained, judging the return information of the network request, and when the return information of the network request is empty, determining that the network request performs data transmission through a non-preset protocol.
Preferably, the grabbing module 501 comprises:
monitoring a network request sent by an application program, and capturing the network request when the network request is determined to be ready for data transmission through a non-preset protocol.
Preferably, the grabbing module 501 further comprises:
analyzing the network function, and determining, through a preset request function analysis script, whether a request function for indicating data transmission through a non-preset protocol exists.
Preferably, the grabbing module 501 further comprises:
acquiring stack information of the network request in real time, and determining at least one request function used by the network request according to the acquired stack information to determine a request function set;
judging whether a first decision function for indicating whether to transmit data through a non-preset protocol exists in the request function set or not so as to obtain a first judgment result;
and when the first judgment result indicates that a first decision function for indicating whether to perform data transmission through a non-preset protocol exists, determining that the network request is ready for performing data transmission through the non-preset protocol.
Preferably, the grabbing module 501 further comprises:
determining, through a preset decision function analysis script, a first decision function in the request function set for indicating whether to transmit data through a non-preset protocol.
Preferably, the grabbing module 501 further comprises: judging whether a preset decision function set and the request function set have intersection or not;
when it is determined that an intersection exists between the decision function set and the request function set, determining a request function in the intersection as a target function;
judging whether the target function is a decision function for indicating whether to transmit data through a non-preset protocol or not;
when the target function is determined to be a decision function for indicating whether to perform data transmission through a non-preset protocol, determining that the target function is a first decision function, and determining that the network request is ready for data transmission through the non-preset protocol.
Preferably, the grabbing module 501 further comprises:
when no intersection exists between a preset decision function set and the request function set, or when it is determined that the target function is not a decision function for indicating whether to perform data transmission through a non-preset protocol, directly judging whether a first decision function for indicating whether to perform data transmission through the non-preset protocol exists in the at least one request function, so as to obtain a first judgment result.
Preferably, the grabbing module 501 further comprises:
performing decompiling processing on the application program to obtain a decompiled file, analyzing the decompiled file, and obtaining at least one key function related to the network request;
judging whether a second decision function for indicating whether to transmit data through a non-preset protocol exists in the at least one key function or not so as to obtain a second judgment result;
and when the second judgment result indicates that a second decision function for indicating whether to perform data transmission through a non-preset protocol exists, determining the decision function set according to all the second decision functions.
A return value modification module 502, configured to modify a return value of a function, which is used to indicate that data transmission is performed through a non-preset protocol, in the captured network request, so that the captured network request performs data transmission through the preset protocol.
Preferably, the system further comprises:
and the network request simulation construction module is used for carrying out parameter analysis on the captured network request so as to determine the request parameter type, and carrying out simulation construction according to the request parameter type so as to generate a modified network request.
Preferably, the network request simulation construction module further includes:
and performing parameter analysis on the captured network request according to a preset parameter type analysis script to determine the request parameter type.
Preferably, the network request simulation and construction module performs parameter analysis on the captured network request to determine a request parameter type, including:
and for any request parameter, determining the request result of the captured network request after that request parameter is deleted, and determining the parameter type of that request parameter according to that request result.
Preferably, the determining, by the network request simulation construction module, of the parameter type of a request parameter according to the request result of the captured network request after that request parameter is deleted includes:
if the request result of the captured network request after the request parameter is deleted indicates that the request is successful, determining that the request parameter is an unnecessary parameter;
if the request result of the captured network request after the request parameter is deleted indicates that the request fails, and the value corresponding to the request parameter is a value whose meaning can be determined, determining that the request parameter is a first necessary parameter;
and if the request result of the captured network request after the request parameter is deleted indicates that the request fails, and the value corresponding to the request parameter is a value with no meaning, determining that the request parameter is an encryption parameter.
Preferably, the network request simulation construction module is further configured to:
when the parameter type of any request parameter is determined to be an encryption parameter, locating the encryption code by searching for the keyword of that request parameter, based on the stack information of the captured network request and a decompiled file corresponding to the application program, and analyzing the code logic at the located position of the encryption code to determine the encryption logic corresponding to that request parameter.
Preferably, the network request simulation construction module, which performs simulation construction according to the request parameter type to generate a modified network request, includes:
and carrying out simulation construction according to the request parameter with the parameter type as the necessary parameter, the request parameter with the parameter type as the encryption parameter and/or the encryption logic of the request parameter with the parameter type as the encryption parameter so as to generate the modified network request.
Preferably, the network request simulation construction module is further configured to:
and calling a script for acquiring the encrypted data through a remote procedure call technology to output the encrypted data, and constructing network requests in batches.
The public data obtaining module 503 is configured to send the modified network request through a preset protocol, so as to obtain the public data returned to the application program according to the modified network request.
The apparatus 500 for obtaining application public data according to the embodiment of the present invention corresponds to the method 200 for obtaining application public data according to another embodiment of the present invention, and is not described herein again.
Exemplary electronic device
Fig. 6 is a block diagram showing the structure of an electronic device according to an exemplary embodiment of the present invention. The electronic device may be either or both of the first device and the second device, or a stand-alone device separate from them, which may communicate with the first device and the second device to receive the acquired input signals therefrom. As shown in Fig. 6, the electronic device includes one or more processors 61 and a memory 62.
The processor 61 may be a Central Processing Unit (CPU) or other form of processing unit having data processing capabilities and/or instruction execution capabilities, and may control other components in the electronic device to perform desired functions.
Memory 62 may include one or more computer program products that may include various forms of computer-readable storage media, such as volatile memory and/or non-volatile memory. The volatile memory may include, for example, Random Access Memory (RAM), cache memory (cache), and/or the like. The non-volatile memory may include, for example, Read Only Memory (ROM), hard disk, flash memory, etc. One or more computer program instructions may be stored on the computer-readable storage medium and executed by the processor 61 to implement the method for information mining of historical change records of the software program of the various embodiments of the present disclosure described above and/or other desired functions. In one example, the electronic device may further include: an input device 63 and an output device 64, which are interconnected by a bus system and/or other form of connection mechanism (not shown).
The input device 63 may also include, for example, a keyboard, a mouse, and the like.
The output device 64 can output various information to the outside. The output devices 64 may include, for example, a display, speakers, a printer, and a communication network and remote output devices connected thereto, among others.
Of course, for simplicity, only some of the components of the electronic device relevant to the present disclosure are shown in fig. 6, omitting components such as buses, input/output interfaces, and the like. In addition, the electronic device may include any other suitable components, depending on the particular application.
Exemplary computer program product and computer-readable storage Medium
In addition to the above-described methods and apparatus, embodiments of the present disclosure may also be a computer program product comprising computer program instructions that, when executed by a processor, cause the processor to perform the steps in the method of information mining of historical change records according to various embodiments of the present disclosure described in the "exemplary methods" section above of this specification.
Program code for carrying out operations of embodiments of the present disclosure may be written in any combination of one or more programming languages, including object-oriented programming languages such as Java and C++, and conventional procedural programming languages such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server.
Furthermore, embodiments of the present disclosure may also be a computer-readable storage medium having stored thereon computer program instructions that, when executed by a processor, cause the processor to perform steps in a method of information mining of historical change records according to various embodiments of the present disclosure described in the "exemplary methods" section above in this specification.
The computer-readable storage medium may take any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may include, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The foregoing describes the general principles of the present disclosure in conjunction with specific embodiments, however, it is noted that the advantages, effects, etc. mentioned in the present disclosure are merely examples and are not limiting, and they should not be considered essential to the various embodiments of the present disclosure. Furthermore, the foregoing disclosure of specific details is for the purpose of illustration and description and is not intended to be limiting, since the disclosure is not intended to be limited to the specific details so described.
In the present specification, the embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same or similar parts in the embodiments are referred to each other. For the system embodiment, since it basically corresponds to the method embodiment, the description is relatively simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The block diagrams of devices, apparatuses, and systems referred to in this disclosure are given only as illustrative examples and are not intended to require or imply that the connections, arrangements, and configurations must be made in the manner shown in the block diagrams. These devices, apparatuses, and systems may be connected, arranged, and configured in any manner, as will be appreciated by those skilled in the art. Words such as "including," "comprising," "having," and the like are open-ended words that mean "including, but not limited to," and are used interchangeably therewith. The words "or" and "and" as used herein mean, and are used interchangeably with, the word "and/or," unless the context clearly dictates otherwise. The phrase "such as" is used herein to mean, and is used interchangeably with, the phrase "such as but not limited to".
The methods and apparatus of the present disclosure may be implemented in a number of ways. For example, the methods and apparatus of the present disclosure may be implemented by software, hardware, firmware, or any combination of software, hardware, and firmware. The above-described order for the steps of the method is for illustration only, and the steps of the method of the present disclosure are not limited to the order specifically described above unless specifically stated otherwise. Further, in some embodiments, the present disclosure may also be embodied as programs recorded in a recording medium, the programs including machine-readable instructions for implementing the methods according to the present disclosure. Thus, the present disclosure also covers a recording medium storing a program for executing the method according to the present disclosure.
It is also noted that in the devices, apparatuses, and methods of the present disclosure, each component or step can be decomposed and/or recombined. These decompositions and/or recombinations are to be considered equivalents of the present disclosure. The previous description of the disclosed aspects is provided to enable any person skilled in the art to make or use the present disclosure. Various modifications to these aspects will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other aspects without departing from the scope of the disclosure. Thus, the present disclosure is not intended to be limited to the aspects shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
The foregoing description has been presented for purposes of illustration and description. Furthermore, this description is not intended to limit embodiments of the disclosure to the form disclosed herein. While a number of example aspects and embodiments have been discussed above, those of skill in the art will recognize certain variations, modifications, alterations, additions and sub-combinations thereof.

Claims (19)

1. An application data acquisition method, the method comprising:
capturing a network request;
modifying a return value of a function for indicating data transmission through a non-preset protocol in the captured network request so as to enable the captured network request to perform data transmission through the preset protocol;
and sending the modified network request through a preset protocol so as to acquire the returned data according to the modified network request.
2. The method of claim 1, further comprising:
when a network request is obtained, judging the return information of the network request, and when the return information of the network request is empty, determining that the network request carries out data transmission through a non-preset protocol.
3. The method of claim 1 or 2, further comprising:
and analyzing the network function of the network request, and determining whether a request function for indicating data transmission through a non-preset protocol exists or not through a preset request function analysis script.
4. The method of claim 1, further comprising:
monitoring a network request sent by an application program, and capturing the network request when the network request is determined to be ready for data transmission through a non-preset protocol.
5. The method of claim 4, further comprising:
acquiring stack information of the network request, and determining at least one request function used by the network request according to the acquired stack information to determine a request function set;
judging whether a first decision function for indicating whether to transmit data through a non-preset protocol exists in the request function set or not so as to obtain a first judgment result;
and when the first judgment result indicates that a first decision function for indicating whether to perform data transmission through a non-preset protocol exists, determining that the network request is ready for performing data transmission through the non-preset protocol.
6. The method of claim 5, further comprising:
and determining a first decision function in the request function set for indicating whether to transmit data through a non-preset protocol or not through a preset decision function analysis script.
7. The method of claim 5 or 6, further comprising:
judging whether a preset decision function set and the request function set have intersection or not;
when it is determined that an intersection exists between the decision function set and the request function set, determining a request function in the intersection as a target function;
judging whether the target function is a decision function for indicating whether to transmit data through a non-preset protocol or not;
when the target function is determined to be a decision function for indicating whether to perform data transmission through a non-preset protocol, determining that the target function is a first decision function, and determining that the network request is ready for data transmission through the non-preset protocol.
8. The method of claim 7, further comprising:
when no intersection exists between a preset decision function set and the request function set, or when it is determined that the target function is not a decision function for indicating whether to perform data transmission through a non-preset protocol, directly judging whether a first decision function for indicating whether to perform data transmission through the non-preset protocol exists in the at least one request function, so as to obtain a first judgment result.
9. The method of claim 7, further comprising:
performing decompiling processing on the application program to obtain a decompiled file, analyzing the decompiled file, and obtaining at least one key function related to the network request;
judging whether a second decision function for indicating whether to transmit data through a non-preset protocol exists in the at least one key function or not so as to obtain a second judgment result;
and when the second judgment result indicates that a second decision function for indicating whether to perform data transmission through a non-preset protocol exists, determining the decision function set according to all the second decision functions.
10. The method of claim 1, further comprising:
and performing parameter analysis on the captured network request to determine a request parameter type, and performing simulation construction according to the request parameter type to generate a modified network request.
11. The method of claim 10, wherein the analyzing parameters of the captured network request to determine a request parameter type comprises:
and performing parameter analysis on the captured network request according to a preset parameter type analysis script to determine the request parameter type.
12. The method of claim 10, wherein the analyzing parameters of the captured network request to determine a request parameter type comprises:
and for any request parameter, determining the request result of the captured network request after that request parameter is deleted, and determining the parameter type of that request parameter according to that request result.
13. The method according to claim 12, wherein the determining of the parameter type of a request parameter according to the request result of the captured network request after that request parameter is deleted comprises:
if the request result of the captured network request after the request parameter is deleted indicates that the request is successful, determining that the request parameter is an unnecessary parameter;
if the request result of the captured network request after the request parameter is deleted indicates that the request fails, and the value corresponding to the request parameter is a value whose meaning can be determined, determining that the request parameter is a first necessary parameter;
and if the request result of the captured network request after the request parameter is deleted indicates that the request fails, and the value corresponding to the request parameter is a value with no meaning, determining that the request parameter is an encryption parameter.
14. The method of claim 13, further comprising:
when the parameter type of any request parameter is determined to be an encryption parameter, locating the encryption code by searching for the keyword of that request parameter, based on the stack information of the captured network request and a decompiled file corresponding to the application program, and analyzing the code logic at the located position of the encryption code to determine the encryption logic corresponding to that request parameter.
15. The method of claim 14, wherein the performing a simulation construct according to the request parameter type to generate a modified network request comprises:
and carrying out simulation construction according to the request parameter with the parameter type as the necessary parameter, the request parameter with the parameter type as the encryption parameter and/or the encryption logic of the request parameter with the parameter type as the encryption parameter so as to generate the modified network request.
16. The method of claim 10, further comprising:
and calling a script for acquiring the encrypted data through a remote procedure call technology to output the encrypted data, and constructing network requests in batches.
17. An apparatus for a user to obtain application public data, the apparatus comprising:
the grabbing module is used for grabbing the network request;
the return value modification module is used for modifying the return value of a function which is used for indicating data transmission through a non-preset protocol in the captured network request so as to enable the captured network request to carry out data transmission through the preset protocol;
and the public data acquisition module is used for sending the modified network request through a preset protocol so as to acquire the returned data according to the modified network request.
18. A computer-readable storage medium, characterized in that the storage medium stores a computer program for performing the method of any of the preceding claims 1-16.
19. An electronic device, characterized in that the electronic device comprises:
a processor;
a memory for storing the processor-executable instructions;
the processor is configured to read the executable instructions from the memory and execute the instructions to implement the method of any one of claims 1 to 16.
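The per-parameter deletion test in claims 12 and 13 (and in the matching description of the network request simulation construction module) leaves a recognisable trace on the server side: one client replays the same request with exactly one parameter removed each time. The following Python example is added here and is not part of the patent; it finds that pattern in constructed access-log lines, and the log format, endpoint, parameter names and threshold are all assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access log (assumed format: time, client id, method, URL, status).
SAMPLE_LOG = """\
2021-07-21T10:00:01Z c-17 GET /api/search?q=acme&page=1&ts=1626861601&sign=9f2c41d0aa 200
2021-07-21T10:00:03Z c-17 GET /api/search?page=1&ts=1626861601&sign=9f2c41d0aa 400
2021-07-21T10:00:04Z c-17 GET /api/search?q=acme&ts=1626861601&sign=9f2c41d0aa 200
2021-07-21T10:00:05Z c-17 GET /api/search?q=acme&page=1&sign=9f2c41d0aa 200
2021-07-21T10:00:06Z c-17 GET /api/search?q=acme&page=1&ts=1626861601 403
2021-07-21T10:00:09Z c-42 GET /api/search?q=globex&page=1&ts=1626861609&sign=77ab03e51c 200
2021-07-21T10:00:12Z c-42 GET /api/search?q=globex&page=2&ts=1626861612&sign=c01d9e2b44 200
2021-07-21T10:00:15Z c-42 GET /api/search?q=initech&ts=1626861615&sign=5be0a7f312 200
"""


def parse_line(line):
    """Return (client, method, path, parameter-name set, status) for one log line."""
    _time, client, method, url, status = line.split()
    parts = urlsplit(url)
    names = frozenset(k for k, _ in parse_qsl(parts.query, keep_blank_values=True))
    return client, method, parts.path, names, int(status)


def find_leave_one_out_probing(log_text, min_deleted=3):
    """Flag clients that replay one request with a single parameter removed each time.

    min_deleted is an assumed threshold: how many *different* parameters must have
    been dropped one at a time before the client is reported. No time window is
    applied here; a deployment would bound the grouping to a short interval.
    """
    groups = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            client, method, path, names, status = parse_line(line)
            groups[(client, method, path)].append((names, status))

    findings = []
    for (client, method, path), requests in groups.items():
        # Baseline: the largest parameter set the server answered successfully.
        ok_sets = [names for names, status in requests if 200 <= status < 300]
        if not ok_sets:
            continue
        baseline = max(ok_sets, key=len)

        # For every request that is the baseline minus exactly one parameter,
        # record whether the server still accepted it.
        accepted = {}
        for names, status in requests:
            missing = baseline - names
            if names < baseline and len(missing) == 1:
                (name,) = missing
                accepted[name] = accepted.get(name, False) or 200 <= status < 300

        if len(accepted) >= min_deleted:
            findings.append({
                "client": client,
                "endpoint": f"{method} {path}",
                "baseline": sorted(baseline),
                # Parameters the server did not enforce for this request.
                "accepted_without": sorted(n for n, ok in accepted.items() if ok),
                # Parameters whose absence the server rejected.
                "rejected_without": sorted(n for n, ok in accepted.items() if not ok),
            })
    return findings


if __name__ == "__main__":
    for finding in find_leave_one_out_probing(SAMPLE_LOG):
        print(finding)
```

Parameters reported under `accepted_without` are the ones the server answered successfully without, which makes them candidates for stricter server-side validation.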
CN202110826668.1A 2021-07-21 2021-07-21 Data acquisition method and device for application program Pending CN113420199A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110826668.1A CN113420199A (en) 2021-07-21 2021-07-21 Data acquisition method and device for application program

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110826668.1A CN113420199A (en) 2021-07-21 2021-07-21 Data acquisition method and device for application program

Publications (1)

Publication Number Publication Date
CN113420199A true CN113420199A (en) 2021-09-21

Family

ID=77718045

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110826668.1A Pending CN113420199A (en) 2021-07-21 2021-07-21 Data acquisition method and device for application program

Country Status (1)

Country Link
CN (1) CN113420199A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113934498A (en) * 2021-10-22 2022-01-14 盐城金堤科技有限公司 Data acquisition method, device and equipment of application program and computer storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination