抓包获取冲顶大会/百万赢家题目

之前看到有朋友抓包冲顶大会的分享，还没看到就被删了，后来一直忙也没空研究，这两天正好研究了一下，分享出来。

原理就是利用代理，然后将符合特征的包保存下来，然后本地再搜答案就行了。

测试环境：Kali Linux

用的代理是 mitmdump,好处是可以使用 Python3 写的 inline 脚本。

mitmproxy 官方文档

mitmproxy 的 git 地址

冲顶大会题目是用 websocket 包推送过来的，所以 inline 脚本中只需要去把 websocket 包写入到文件中就好了。

#冲顶大会
def websocket_message(flow):
    try:
        data=flow.messages[-1].content.decode('utf-8')
        with open('/tmp/raw_data.txt','a') as f:
            f.write(data+'\n')
    except Exception:
        pass

题目的格式： 42["showQuestion",{"answerTime":10,"desc":"12. 茅盾一生中现已获得证实的笔名有多少个？","displayOrder":11,"liveId":161,"options":"["32","128","98"]","questionId":1881,"showTime":16910048815676,"status":0,"type":"showQuestion"}]

百万赢家（花椒直播的）推送的是 https （还是 http，我忘记了，反正不影响抓包）

#百万赢家
def response(flow):
    try:
        data=flow.response.content.decode('utf-8')
        if 'Zepto' in data:
            print(data)
            with open('/tmp/raw_data.txt','a') as f:
                f.write(data+'\n')
    except Exception:
        pass

所以将以上两个保存成get_question.py文件，然后运行代理

mitmdump -s get_question.py

手机（我用的安卓）提前安装好证书，证书在默认文件夹.mitmproxy/中，名称是mitmproxy-ca-cert.cer

手动设置代理为电脑的 ip 地址，比如：192.168.1.100,端口默认的为：8080

这个时候就能开始抓包了。

冲顶大会抓下来的包如下，删掉了一些没用的，其实也可以过滤，冲顶大会的问题和答案就推送一次：

42["showQuestion",{"answerTime":10,"desc":"1.我们把自己动手制作这个过程称为？","displayOrder":0,"liveId":159,"options":"[\"DIN\",\"DIY\",\"DIM\"]","questionId":1846,"showTime":16910033865640,"status":0,"type":"showQuestion"}]
42["totalLive",{"showTime":16910033870867,"count":530446}]
42["totalLive",{"showTime":16910033909864,"count":558373}]
42["showAnswer",{"answerTime":10,"correctOption":1,"desc":"1.我们把自己动手制作这个过程称为？","displayOrder":0,"liveId":159,"options":"[\"DIN\",\"DIY\",\"DIM\"]","questionId":1846,"showTime":16910033907129,"stats":[8650,388770,5037],"status":2,"type":"showAnswer"}]

百万赢家抓下来的包如下，含有 Zepto 这个标志，不过百万赢家的题目和答案都是一直推一直推，题目和答案的区别就在 show_answer:false 和 show_answer:1：

#题目
Zepto1516890772573({"errno":0,"errmsg":"操作成功","consume":0,"time":1516891076,"md5":"","data":{"callfreq":5,"key":"197908302","msg":{"answer":{"doing":{"counter":2506,"doing":{"answer":{"A":{"option":"A","value":"陪姐妹一起上厕所"},"B":{"option":"B","value":"姐妹合照只 P 自己"},"C":{"option":"C","value":"为姐妹出谋划策"}},"expire":1516891090,"from":{"avatar":"http://image.huajiao.com/3bf9d9cccf4c642d50d49c52e2b2c105.jpg","brand":"","location":"宇宙专业出题小组","nickname":"百万赢家-官方"},"groupid":620,"is_renew":1,"number":1,"show_answer":false,"shuffle":0,"team_period":"20313","title":"以下哪种行为被称为“塑料花姐妹情”？","type":0},"join_count":0,"version":"c3834e49c0f7f60700e5674420905c6d"},"liveid":"197908302","sync":"answer","version":2506}},"time":1516891076}})
#答案
Zepto1516890772592({"errno":0,"errmsg":"操作成功","consume":0,"time":1516891146,"md5":"","data":{"callfreq":5,"key":"197908302","msg":{"answer":{"doing":{"average":"1.07","counter":2507,"doing":{"answer":{"A":{"option":"A","value":"陪姐妹一起上厕所"},"B":{"option":"B","value":"姐妹合照只 P 自己"},"C":{"option":"C","value":"为姐妹出谋划策"}},"correct":"B","expire":1516891124,"from":{"avatar":"http://image.huajiao.com/3bf9d9cccf4c642d50d49c52e2b2c105.jpg","brand":"","location":"宇宙专业出题小组","nickname":"百万赢家-官方"},"groupid":620,"is_renew":1,"number":1,"show_answer":1,"shuffle":0,"team_period":"20313","title":"以下哪种行为被称为“塑料花姐妹情”？","type":0},"join_count":3917617,"record":{"A":74567,"B":3747207,"C":95103,"Z":740},"renew_count":306333,"version":"f74e008b74be3b1221035d64b4a1f030"},"liveid":"197908302","sync":"answer","version":2507}},"time":1516891146}})

基本上抓包过了以后，后面的就是常规套路了：

def main():
    brand_2_old=''
    for raw in tailer.follow(open('/tmp/raw_data.txt','r')):
        if args.brand == 1:
            if 'showQuestion' in raw:
                game=GetAnswer(args.brand,raw)
                game.run()
        elif args.brand == 2:
            try:
                raw=raw.split('(')[-1].split(')')[0]
                raw_json=json.loads(raw)
                raw_question=raw_json['data']['msg']['answer']['doing']['doing']['title']
                raw_question_showanswer=raw_json['data']['msg']['answer']['doing']['doing']['show_answer']
                if not raw_question_showanswer:
                    if raw_question != brand_2_old:
                        game=GetAnswer(args.brand,raw_json)
                        game.run()
                    brand_2_old = raw_question
            except Exception as e:
                continue
        else:
            print("python3 search_question -h")
            print("请查看帮助文档，目前仅支持两个 APP 的抓包获取题目。")
            sys.exit(1)

昨天测试了下冲顶大会，结果如图：

刚才测试了下百万赢家，结果如图：

详细的代码在我的 github 上：抓包获取冲顶大会 /百万赢家题目并搜索答案（ https://github.com/vanpersiexp/chongding ）

写这个纯粹为了好玩，没打算靠答题赚钱，因为主持人废话实在太多，浪费时间。

主要我看 github 上基本上都是图像识别的，所以就当提供另一种思路了。

希望厂家看到后，也可以改进一下。

直接抓包没有之前说的提前 10s 那么邪呼，可能我的程序比较慢吧，但基本上还是比 app 中出现的快一丢丢。