How to capture packets from a cocos2d application that binds its own certificate to a wss long connection



"  Solving packet capture for a cocos2d application's wss long connection when the CA certificate is bundled inside the application. "

When analyzing applications, packet capture is unavoidable.

If the traffic is not encrypted, any capture tool will do: grab it and analyze it. Some applications encrypt their traffic with TLS but trust the system's built-in certificate store; import the CA certificate of your capture tool into the system store and a man-in-the-middle proxy such as Charles can decrypt the traffic.

Other applications use SSL pinning, so importing a certificate into the system store is not enough. You need a tool such as frida to hook the relevant interfaces and disable the pinning; objection is convenient for these routine hard cases. Some applications send TLS-encrypted data over a non-standard port that carries a plain socket protocol rather than HTTP; in that case, redirecting the traffic with forwarding commands or tools also works.

However, some applications use interfaces that fall outside all of these cases, and capturing their traffic needs another approach. The cocos2d application introduced today is an example: its WebSocket uses wss, and with the usual approach you cannot capture normally. As soon as you try, the application fails to connect. But the capture is required, because some record data has to be extracted, so special handling is needed.


This is a game that reuses the shell of a well-known chess-and-card application with changed content. Its long connection is a WebSocket on port 7779 over wss, that is, with a TLS layer added on top. That alone would be nothing special, but in cocos2d-js a wss WebSocket is handed the path of a bundled certificate file instead of using the system's default trust store, as follows:

e.prototype.connect = function() {
    var e, t = this;
    if (cc.sys.os === cc.sys.OS_ANDROID && cc.sys.isNative) {
        // Native Android build: load the bundled CA file from the "common"
        // bundle and pass its on-device path as the third WebSocket argument,
        // so the TLS handshake is verified against this file rather than the
        // system certificate store. Any proxy CA must therefore be in this file.
        cc.assetManager.getBundle("common").load("res/android/cacert", function(o, i) {
            var n = i.nativeUrl;
            e = new WebSocket(t._url, null, n);
            t.connectWithWs(e);
        });
    } else {
        // Browser and other platforms: plain WebSocket with the default trust store.
        e = new WebSocket(this._url);
        this.connectWithWs(e);
    }
};

In this case, tools such as objection do not help: as soon as you interpose a proxy, certificate verification against the bundled file fails. What can you do? Only modify the file. Locate the file at that path; it is a PEM bundle. Export the root CA certificate of the capture tool (Charles, for example) in PEM format, append it to this file, save, and replace the file in the corresponding directory on the phone. The file format is as follows: each certificate is an independent entry, and the bundle appears to have been exported from a system CA store:

GlobalSign Root CA
==================
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

This file usually lives in the assets directory; you can find it by searching for its name.

Next time you run into this, try it; it is very simple and saves a lot of trouble.
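The merge step described above (append the proxy CA to the bundle, then put the file back), as an added example that is not code from the original post or from the game. It handles the bundle layout shown: a title line, a line of "=" under it, then one PEM certificate block. Certificates are deduplicated by the SHA-256 fingerprint of their DER bytes, so running it twice does not append the proxy CA a second time, and it refuses a proxy file that does not contain exactly one certificate. The DER bytes in the sample data are constructed stand-ins, not real certificates; the file names in the usage branch are assumptions.

```python
"""Append a proxy CA (for example the Charles root) to a cocos2d-js cacert PEM bundle."""
import base64
import hashlib
import re
import sys
from typing import List, Tuple

# One PEM certificate block; the body may be wrapped over several lines.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def parse_bundle(text: str) -> List[Tuple[str, bytes]]:
    """Return (title, der) pairs in file order.

    The title is the last heading line before a block (the '=' underline is
    skipped); a block without a heading gets an empty title.
    """
    entries = []
    pos = 0
    for m in PEM_RE.finditer(text):
        head_lines = [
            ln.strip() for ln in text[pos:m.start()].splitlines()
            if ln.strip() and set(ln.strip()) != {"="}
        ]
        title = head_lines[-1] if head_lines else ""
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
        entries.append((title, der))
        pos = m.end()
    return entries


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of the DER encoding, hex, as openssl would print it."""
    return hashlib.sha256(der).hexdigest()


def format_entry(title: str, der: bytes) -> str:
    """Render one entry in the bundle's own title / underline / PEM layout."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return (f"{title}\n{'=' * len(title)}\n"
            f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n")


def merge_ca(bundle_text: str, ca_pem: str, title: str) -> Tuple[str, bool]:
    """Append the single certificate in ca_pem unless the bundle already has it.

    Returns (new_bundle_text, added).
    """
    ca_entries = parse_bundle(ca_pem)
    if len(ca_entries) != 1:
        raise ValueError("expected exactly one certificate in the proxy CA file")
    der = ca_entries[0][1]
    present = {fingerprint(d) for _, d in parse_bundle(bundle_text)}
    if fingerprint(der) in present:
        return bundle_text, False
    sep = "" if bundle_text.endswith("\n") else "\n"
    return bundle_text + sep + "\n" + format_entry(title, der), True


# Constructed stand-ins for DER certificates so the example runs offline.
# A real bundle contains the DER of actual CA certificates.
FAKE_ROOT_DER = b"\x30\x82\x00\x10" + b"globalsign-root-stand-in"
FAKE_PROXY_DER = b"\x30\x82\x00\x10" + b"charles-proxy-ca-stand-in"

SAMPLE_BUNDLE = format_entry("GlobalSign Root CA", FAKE_ROOT_DER)
SAMPLE_PROXY_PEM = ("-----BEGIN CERTIFICATE-----\n"
                    + base64.b64encode(FAKE_PROXY_DER).decode()
                    + "\n-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    # Assumed usage: python merge_ca.py cacert charles-ca.pem
    bundle_path, ca_path = sys.argv[1], sys.argv[2]
    with open(bundle_path, encoding="utf-8") as f, open(ca_path, encoding="utf-8") as g:
        merged, added = merge_ca(f.read(), g.read(), "Charles Proxy CA")
    if added:
        with open(bundle_path, "w", encoding="utf-8") as f:
            f.write(merged)
    print("appended proxy CA" if added else "proxy CA already present")
```

Write the result back to the path that nativeUrl resolves to on the device; if that path is inside the APK's assets rather than a writable directory, the APK has to be repacked and re-signed. To check that the appended entry really is the proxy's root, compare `openssl x509 -in charles-ca.pem -noout -fingerprint -sha256` with the fingerprint of the last block in the bundle.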


Origin blog.csdn.net/yeyiqun/article/details/125986143