-
-
[原创]针对QQ空间游戏-猜歌王的辅助研究
-
发表于: 2013-1-2 13:09
-
元旦期间舍友迷恋上了QQ空间的一个游戏应用-猜歌王,玩得不亦乐乎。突然有一次,上铺告诉遇到一个人,猜歌都特别快,特别准,很明显用了外挂。
上面是背景。
对于这个游戏我的第一思路是模拟,对声音进行采样,提取特征,然后与歌曲库中歌曲对比,理论上是可行的,比如有一款APP叫做SoundHound……但是游戏辅助必然不是通过这种手段。
换个思路,根据经验,歌曲片段应该需要先缓存到本地,于是考虑拦截HTTP封包,对比歌曲库的地址来获取每首歌的歌名,于是乎,打开了火狐的Web控制台,希望能获得有用的东西。
[15:30:45.941] GET http://app100645222.imgcache.qzoneapp.com/app100645222/mp3/355/7355_4.mp3 [HTTP/1.1 200 OK 440ms]
[15:30:45.943] GET http://app100645222.imgcache.qzoneapp.com/app100645222/mp3/902/1079902_1.mp3 [HTTP/1.1 200 OK 466ms]
[15:30:45.945] GET http://app100645222.imgcache.qzoneapp.com/app100645222/mp3/478/718478_3.mp3 [HTTP/1.1 200 OK 524ms]
[15:30:45.947] GET http://app100645222.imgcache.qzoneapp.com/app100645222/mp3/179/101179_1.mp3 [HTTP/1.1 200 OK 389ms]
[15:30:45.949] GET http://app100645222.imgcache.qzoneapp.com/app100645222/mp3/783/727783_1.mp3 [HTTP/1.1 200 OK 463ms]
看到这样子的记录以后,大概有了眉目,但是仍然存在一个问题,需要采集大量的地址与歌曲名或者歌手的对应信息。
无意间一个POST数据引起了我的注意。
请求网址:
http://app100645222.qzone.qzoneapp.com/contest/create.ngi
请求方法:
POST
查看其相应数据,一切大白于天下。
响应头
*****省略*****
响应主体
{"data":{"songs":[{"id":"V2550379","part":4,"mode":1,"answer":2,"opts":["\u6211\u8981\u7ed9\u4f60","\u9738\u738b\u547d","\u7231\u4e0a\u4f60\u4e0d\u662f\u6211\u7684\u9519","365\u5929"],"name":"\u7231\u4e0a\u4f60\u4e0d\u662f\u6211\u7684\u9519","singer":"\u591a\u4eae","album_id":"198946","album_name":"\u591a\u539f\u8bdd","url":"http:\/\/app100645222.imgcache.qzoneapp.com\/app100645222\/mp3\/379\/V2550379_4.mp3","url_aux":"http:\/\/cdn.vanchu.net\/app100645222\/mp3\/379\/V2550379_4.mp3"},{"id":"V2472634","part":6,"mode":0,"answer":0,"opts":["\u4fa7\u7530","\u80e1\u6b4c","\u4fde\u704f\u660e","\u8521\u65fb\u4f51"],"name":"\u5f88\u60f3\u5f88\u60f3\u8bf4\u518d\u89c1","singer":"\u4fa7\u7530","album_id":"191434","album_name":"2012\u5e7412\u6708\u65b0\u6b4c\u901f\u9012","url":"http:\/\/app100645222.imgcache.qzoneapp.com\/app100645222\/mp3\/634\/V2472634_6.mp3","url_aux":"http:\/\/cdn.vanchu.net\/app100645222\/mp3\/634\/V2472634_6.mp3"},{"id":"V2550675","part":1,"mode":1,"answer":0,"opts":["SUPER GIRL \u7231\u65e0\u754f","\u65e0\u8138\u4eba","\u6211\u4eec\u90fd\u80fd\u5e78\u798f\u7740","\u547c\u547c"],"name":"SUPER GIRL \u7231\u65e0\u754f","singer":"\u8427\u4e9a\u8f69","album_id":"198991","album_name":"SUPER GIRL \u7231\u65e0\u754f","url":"http:\/\/app100645222.imgcache.qzoneapp.com\/app100645222\/mp3\/675\/V2550675_1.mp3","url_aux":"http:\/\/cdn.vanchu.net\/app100645222\/mp3\/675\/V2550675_1.mp3"},{"id":"V2634923","part":2,"mode":1,"answer":2,"opts":["\u9738\u738b\u547d","\u5341\u4e8c\u751f\u8096","\u5929\u673a(feat.\u4e94\u6708\u5929\u963f\u4fe1\uff09","\u5fd8\u4e86\u6211\u4e5f\u4e0d\u9519"],"name":"\u5929\u673a(feat.\u4e94\u6708\u5929\u963f\u4fe1\uff09","singer":"MP\u9b54\u5e7b\u529b\u91cf","album_id":"205656","album_name":"\u5c04\u624b","url":"http:\/\/app100645222.imgcache.qzoneapp.com\/app100645222\/mp3\/923\/V2634923_2.mp3","url_aux":"http:\/\/cdn.vanchu.net\/app100645222\/mp3\/923\/V2634923_2.mp3"},{"id":"V2550447","part":3,"mode":0,"answer":2,"opts":["\u8427\u4e9a\u8f69","A-Lin","Popu Lady","\u9b4f\u6668"],"name":"\u4e00\u76f4\u4e00\u76f4\u7231","singer":"Popu Lady","album_id":"198961","album_name":"\u4e00\u76f4\u4e00\u76f4\u7231","url":"http:\/\/app100645222.imgcache.qzoneapp.com\/app100645222\/mp3\/447\/V2550447_3.mp3","url_aux":"http:\/\/cdn.vanchu.net\/app100645222\/mp3\/447\/V2550447_3.mp3"}],"status":{"stamina":1,"staminaElapsedTime":3012}},"ret":0,"ver":"75","t":1357102078}
响应主体是JSON格式,其中使用了Unicode编码。
将JSON格式数据视图化,可以看得很清楚了。
WebBrowser控件有 BeforeNavigate2 事件
BeforeNavigate2(Sender: TObject; const pDisp: IDispatch; var URL, Flags, TargetFrameName, PostData, Headers: OleVariant; var Cancel: WordBool);
但是经过试验,不能够拦截网页中Flash控件的POST。
利用HOOK对进程进行拦截,对数据包的JSON数据进行解析(注意GZIP压缩),然后获取answer值,0,1,2,3分别对应opts的四个选项。
至此游戏辅助的原型基本呈现。
题外话:经试验,QQ空间多个猜歌应用均存在相同漏洞。
上面是背景。
对于这个游戏我的第一思路是模拟,对声音进行采样,提取特征,然后与歌曲库中歌曲对比,理论上是可行的,比如有一款APP叫做SoundHound……但是游戏辅助必然不是通过这种手段。
换个思路,根据经验,歌曲片段应该需要先缓存到本地,于是考虑拦截HTTP封包,对比歌曲库的地址来获取每首歌的歌名,于是乎,打开了火狐的Web控制台,希望能获得有用的东西。
[15:30:45.941] GET http://app100645222.imgcache.qzoneapp.com/app100645222/mp3/355/7355_4.mp3 [HTTP/1.1 200 OK 440ms]
[15:30:45.943] GET http://app100645222.imgcache.qzoneapp.com/app100645222/mp3/902/1079902_1.mp3 [HTTP/1.1 200 OK 466ms]
[15:30:45.945] GET http://app100645222.imgcache.qzoneapp.com/app100645222/mp3/478/718478_3.mp3 [HTTP/1.1 200 OK 524ms]
[15:30:45.947] GET http://app100645222.imgcache.qzoneapp.com/app100645222/mp3/179/101179_1.mp3 [HTTP/1.1 200 OK 389ms]
[15:30:45.949] GET http://app100645222.imgcache.qzoneapp.com/app100645222/mp3/783/727783_1.mp3 [HTTP/1.1 200 OK 463ms]
看到这样子的记录以后,大概有了眉目,但是仍然存在一个问题,需要采集大量的地址与歌曲名或者歌手的对应信息。
无意间一个POST数据引起了我的注意。请求网址:
http://app100645222.qzone.qzoneapp.com/contest/create.ngi
请求方法:
POST
查看其相应数据,一切大白于天下。
响应头
*****省略*****
响应主体
{"data":{"songs":[{"id":"V2550379","part":4,"mode":1,"answer":2,"opts":["\u6211\u8981\u7ed9\u4f60","\u9738\u738b\u547d","\u7231\u4e0a\u4f60\u4e0d\u662f\u6211\u7684\u9519","365\u5929"],"name":"\u7231\u4e0a\u4f60\u4e0d\u662f\u6211\u7684\u9519","singer":"\u591a\u4eae","album_id":"198946","album_name":"\u591a\u539f\u8bdd","url":"http:\/\/app100645222.imgcache.qzoneapp.com\/app100645222\/mp3\/379\/V2550379_4.mp3","url_aux":"http:\/\/cdn.vanchu.net\/app100645222\/mp3\/379\/V2550379_4.mp3"},{"id":"V2472634","part":6,"mode":0,"answer":0,"opts":["\u4fa7\u7530","\u80e1\u6b4c","\u4fde\u704f\u660e","\u8521\u65fb\u4f51"],"name":"\u5f88\u60f3\u5f88\u60f3\u8bf4\u518d\u89c1","singer":"\u4fa7\u7530","album_id":"191434","album_name":"2012\u5e7412\u6708\u65b0\u6b4c\u901f\u9012","url":"http:\/\/app100645222.imgcache.qzoneapp.com\/app100645222\/mp3\/634\/V2472634_6.mp3","url_aux":"http:\/\/cdn.vanchu.net\/app100645222\/mp3\/634\/V2472634_6.mp3"},{"id":"V2550675","part":1,"mode":1,"answer":0,"opts":["SUPER GIRL \u7231\u65e0\u754f","\u65e0\u8138\u4eba","\u6211\u4eec\u90fd\u80fd\u5e78\u798f\u7740","\u547c\u547c"],"name":"SUPER GIRL \u7231\u65e0\u754f","singer":"\u8427\u4e9a\u8f69","album_id":"198991","album_name":"SUPER GIRL \u7231\u65e0\u754f","url":"http:\/\/app100645222.imgcache.qzoneapp.com\/app100645222\/mp3\/675\/V2550675_1.mp3","url_aux":"http:\/\/cdn.vanchu.net\/app100645222\/mp3\/675\/V2550675_1.mp3"},{"id":"V2634923","part":2,"mode":1,"answer":2,"opts":["\u9738\u738b\u547d","\u5341\u4e8c\u751f\u8096","\u5929\u673a(feat.\u4e94\u6708\u5929\u963f\u4fe1\uff09","\u5fd8\u4e86\u6211\u4e5f\u4e0d\u9519"],"name":"\u5929\u673a(feat.\u4e94\u6708\u5929\u963f\u4fe1\uff09","singer":"MP\u9b54\u5e7b\u529b\u91cf","album_id":"205656","album_name":"\u5c04\u624b","url":"http:\/\/app100645222.imgcache.qzoneapp.com\/app100645222\/mp3\/923\/V2634923_2.mp3","url_aux":"http:\/\/cdn.vanchu.net\/app100645222\/mp3\/923\/V2634923_2.mp3"},{"id":"V2550447","part":3,"mode":0,"answer":2,"opts":["\u8427\u4e9a\u8f69","A-Lin","Popu Lady","\u9b4f\u6668"],"name":"\u4e00\u76f4\u4e00\u76f4\u7231","singer":"Popu Lady","album_id":"198961","album_name":"\u4e00\u76f4\u4e00\u76f4\u7231","url":"http:\/\/app100645222.imgcache.qzoneapp.com\/app100645222\/mp3\/447\/V2550447_3.mp3","url_aux":"http:\/\/cdn.vanchu.net\/app100645222\/mp3\/447\/V2550447_3.mp3"}],"status":{"stamina":1,"staminaElapsedTime":3012}},"ret":0,"ver":"75","t":1357102078}
响应主体是JSON格式,其中使用了Unicode编码。
将JSON格式数据视图化,可以看得很清楚了。
WebBrowser控件有 BeforeNavigate2 事件
BeforeNavigate2(Sender: TObject; const pDisp: IDispatch; var URL, Flags, TargetFrameName, PostData, Headers: OleVariant; var Cancel: WordBool);
但是经过试验,不能够拦截网页中Flash控件的POST。
利用HOOK对进程进行拦截,对数据包的JSON数据进行解析(注意GZIP压缩),然后获取answer值,0,1,2,3分别对应opts的四个选项。
至此游戏辅助的原型基本呈现。
题外话:经试验,QQ空间多个猜歌应用均存在相同漏洞。
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
