Comments (11)
Hey Egirault !!!
I have been playing a lot with your most amazing API. It's insanely great and you have done an awesome job.
I have been trying to play with the fdfe/log endpoint and am unable to decode the request. I have used MITMProxy and Fiddler to decode the network requests.
I need your help to decode the key for the protobuffed message to Google that is sent to the Google servers in the POST request that follows:
POST https://android.clients.google.com/fdfe/log HTTP/1.1
Content-Type: application/x-protobuf
Accept-Language: en-US
Authorization: GoogleLogin auth=XXXXXXXX
X-DFE-Enabled-Experiments: nocache:enable_newsstand
X-DFE-Unsupported-Experiments: nocache:dfe:dc:3,nocache:dfe:uc:IN,apk_translations,buyer_currency,buyer_currency_in_app,checkin.set_asset_paid_app_field,content_ratings,localized_images,market_emails,new_merchant_signup,nocache:apps.offline_docs,nocache:billing.use_charging_poller,nocache:billing.use_provisioning_poller,nocache:billing.use_provisioning_poller_inapp,nocache:billing.use_provisioning_poller_subs,nocache:enable_play_country,nocache:enable_tablet_large,nocache:encrypted_apk,nocache:mixer:use_windsearch,nocache:recs:automated_weight_adjuster_94,nocache:recs:books_annotate_merch_collection_20130620_75,nocache:recs:movies_annotate_merch_collection_20130620_25,nocache:recs:weights_books_50,nocache:recs:weights_books_transition_80,nocache:recs:weights_movies_60,nocache:use_gaia_mint_instead_of_checkout_auth_token,nocache:user_challenge,prod_locale_boost,recent_changes,vca:enable_onetree_search
X-DFE-Device-Id: XXXXXXXX
X-DFE-Client-Id: am-unknown
X-DFE-Logging-Id: XXXXXXX
User-Agent: Android-Finsky/4.4.21 (api=3,versionCode=80240021,sdk=16,device=mako,hardware=vbox86,product=occam)
X-DFE-SmallestScreenWidthDp: 600
X-DFE-Filter-Level: 3
Content-Length: 55
Host: android.clients.google.com
Connection: Keep-Alive
5�拧茂鈥好兟�(�,confirmFreeDownload?doc=com.shashank.testapp
It would be very helpful of you if you could help decode the Chinese characters in the above request.
from googleplay-api.
Added print self.toStr(message) on line 250 of googleplay.py and received the following output:
displayErrorMessage: "Error retrieving information from server. [DF-BPA-21]"
from googleplay-api.
Hi,
Hard to say... I've never tried to download paid apps with the API. I guess
the server response is a bit different than the one sent when downloading a
free app. One could investigate this issue by sniffing the HTTPS traffic
sent by the phone when purchasing an app, and then protobuf-decode it.
2012/12/6 Zach Lanier
> On Dec 5, 2012, at 20:59, Tyler Shields wrote:
>> Added print self.toStr(message) on line 250 and received the following output:
>> displayErrorMessage: "Error retrieving information from server. [DF-BPA-21]"
from googleplay-api.
I can help to investigate that issue, so, how to sniff the HTTPS traffic sent by the phone, any tools or docs?
from googleplay-api.
Hi,
You will need to run an interception proxy such as Burp on a machine
connected to the same wireless network as your phone. After configuring
Android to use this machine as a proxy, you need to install Burp's CA on
the phone. This can be done by putting the root .crt file generated by Burp
on the phone's SD card, and then installing it using the Settings > Security >
Install from SD Card option. Here are some resources:
http://portswigger.net/burp/help/proxy_using.html
http://forum.portswigger.net/index.cgi?board=how&action=display&thread=300
Then you look at HTTPS connections that are established to Google's servers,
and search for protobuf-encoded messages (I didn't find any generic way
yet). After dumping the encoded messages to a file, you can use protoc --decode
with the given .proto file to decode it.
I will try to have a look at this issue as soon as I find some time.
2013/1/30 zxia10x
> I can help to investigate that issue, so, how to sniff the HTTPS traffic
> sent by the phone, any tools or docs?
from googleplay-api.
Fiddler is a better choice for HTTP/HTTPS man-in-the-middle sniffing.
They have a detailed document on their website to tell you how to use it with
an Android phone. The key problem is to decode the Google protobuf msg. It's
binary encoded and you will need to do some reverse engineering work to decode
it.
Best regards,
Eong
2013/1/30 egirault
> Hi,
> You will need to run an interception proxy such as Burp on a machine
> connected to the same wireless network as your phone. After configuring
> Android to use this machine as a proxy, you need to install Burp's CA on
> the phone. This can be done by putting the root .crt file generated by Burp
> on the phone's SD card, and then installing it using the Settings > Security >
> Install from SD Card option. Here are some resources:
> http://portswigger.net/burp/help/proxy_using.html
> http://forum.portswigger.net/index.cgi?board=how&action=display&thread=300
> Then you look at HTTPS connections that are established to Google's servers,
> and search for protobuf-encoded messages (I didn't find any generic way
> yet). After dumping the encoded messages to a file, you can use protoc --decode
> with the given .proto file to decode it.
> I will try to have a look at this issue as soon as I find some time.
from googleplay-api.
Yes but the nice thing about Burp is that it supports custom plugins
written in Python/Ruby/Java. You can write a simple one that detects
potential protobuf messages and decodes them. This plugin API is pretty new
and I haven't got the time to write such a plugin yet, but I plan to do it.
Anyway, Burp/Paros/Fiddler... I guess it is only a matter of habit.
2013/1/30 eonghk
> Fiddler is a better choice for HTTP/HTTPS man-in-the-middle sniffing.
> They have a detailed document on their website to tell you how to use it with
> an Android phone. The key problem is to decode the Google protobuf msg. It's
> binary encoded and you will need to do some reverse engineering work to decode
> it.
> Best regards,
> Eong
from googleplay-api.
Oh, that's a very cool feature. Thank you for the information.
Best regards,
Eong
2013/1/31 egirault
> Yes but the nice thing about Burp is that it supports custom plugins
> written in Python/Ruby/Java. You can write a simple one that detects
> potential protobuf messages and decodes them. This plugin API is pretty new
> and I haven't got the time to write such a plugin yet, but I plan to do it.
> Anyway, Burp/Paros/Fiddler... I guess it is only a matter of habit.
from googleplay-api.
I managed to intercept the HTTPS traffic from the Google Play APP running on my simulator.
To download an already purchased APK, the Play APP first sends this request:
GET /fdfe/delivery?doc=com.zeptolab.ctr.paid&ot=1&st=XXXXXXXX&vc=20 HTTP/1.1
Accept-Language: en-US
X-DFE-MCCMNC: 310260
Authorization: GoogleLogin auth=XXXXXXX
X-DFE-Enabled-Experiments: cl:billing.purchase_button_show_wallet_icon
X-DFE-Unsupported-Experiments: nocache:dfe:dc:1,nocache:dfe:uc:US,buyer_currency,buyer_currency_in_app,checkin.set_asset_paid_app_field,cl:billing.select_add_instrument_by_default,cl:warm_welcome.enable,content_ratings,localized_images,market_emails,nocache:billing.use_charging_poller,nocache:billing.use_provisioning_poller,nocache:billing.use_provisioning_poller_inapp,nocache:billing.use_provisioning_poller_subs,nocache:cl:warm_welcome.no_show_consumption_button,nocache:enable_play_country,nocache:enable_tablet_large,nocache:encrypted_apk,nocache:recs:automated_weight_adjuster_57,nocache:recs:books_annotate_merch_collection_20130620_25,nocache:recs:movies_annotate_merch_collection_20130620_25,nocache:recs:track_annotate_merch_collection_20130620_75,nocache:recs:weights_books_20130219_40,nocache:recs:weights_movies_20130614_30,nocache:recs:weights_plusones_20130418_40,nocache:recs:weights_track_20130409_-0,nocache:user_challenge,prod_locale_boost,recent_changes,recs:books_portrait_20121210_00,recs:music_no_portrait_20130211_10,shekel_test
X-DFE-Device-Id: XXXXXXXX
X-DFE-Client-Id: am-google
X-DFE-Logging-Id: 2143067ea0e34383
User-Agent: Android-Finsky/4.1.10 (api=3,versionCode=80210010,sdk=16,device=generic,hardware=goldfish,product=sdk)
X-DFE-SmallestScreenWidthDp: 320
X-DFE-Filter-Level: 3
Host: android.clients.google.com
Connection: Keep-Alive
The decoded response is:
1 {
  21 {
    2 {
      1: 24095593
      2: "9-68VyZugyYCLv_1FeNXdD33hHE"
      3: "https://android.clients.google.com/market/streaming/Download?packageName=com.zeptolab.ctr.paid&versionCode=20&token=AOTCm0TLevi-QgFKC8eaekC-0BhSsZGDFC7t0sPNvfUeejaywcqnTaabvx-IFroJyVcBOiQeE2clzoI6E7twPq4-lB0S1tYb2JpQ9ZSntfY&ev=1&downloadId=7120421825546781811"
      5 {
        1: "MarketDA"
        2: "09331046713986310435"
      }
      6: 1
      8: 1
      12 {
        1: 1
        2: "h9khHkqABEIIe31LOEXoTw=="
        3: "aIsUS3wwdijIbGWnqNcGQINoQtloixRLfDB2KMhsZac="
      }
    }
  }
}
5 {
  1: 74
}
But then the APP crashes and I cannot further download it.
from googleplay-api.
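The field-number listing in the comment above is what decoding without a .proto produces. As an added example (not code from googleplay-api or from anyone in this thread), here is a minimal Python decoder for the protobuf wire format that also serves as the "detect potential protobuf messages" filter mentioned earlier. `SAMPLE` is a constructed byte string, and all function names are this example's own.

```python
# Added example: decode protobuf bytes without a .proto (same idea as `protoc --decode_raw`).
SAMPLE = bytes.fromhex("0a16aa0113121108ac022a0a0a084d61726b6574444130012a02084a")  # constructed

def read_varint(buf, pos):
    """Return (value, next_pos) for the base-128 varint starting at pos."""
    value = shift = 0
    while pos < len(buf) and shift < 64:
        value |= (buf[pos] & 0x7F) << shift
        pos, shift = pos + 1, shift + 7
        if buf[pos - 1] < 0x80:          # high bit clear: last byte of the varint
            return value, pos
    raise ValueError("truncated or over-long varint")

def decode_raw(buf):
    """Parse buf into [(field_number, value), ...]; raise ValueError if malformed."""
    fields, pos = [], 0
    while pos < len(buf):
        key, pos = read_varint(buf, pos)
        number, wire_type = key >> 3, key & 7
        if number == 0:
            raise ValueError("field number 0 is not valid")
        if wire_type == 0:                # varint
            value, pos = read_varint(buf, pos)
        elif wire_type in (1, 5):         # fixed 64-bit / fixed 32-bit, little-endian
            size = 8 if wire_type == 1 else 4
            value, pos = int.from_bytes(buf[pos:pos + size], "little"), pos + size
        elif wire_type == 2:              # length-delimited: sub-message, string or bytes
            size, pos = read_varint(buf, pos)
            value, pos = guess_payload(buf[pos:pos + size]), pos + size
        else:                             # groups (3, 4) and undefined types (6, 7)
            raise ValueError("unsupported wire type %d" % wire_type)
        if pos > len(buf):
            raise ValueError("field runs past the end of the buffer")
        fields.append((number, value))
    return fields

def guess_payload(chunk):
    """Without a schema the type is ambiguous: try sub-message, then text, then bytes."""
    for parse in (decode_raw, lambda c: c.decode("utf-8")):
        try:
            return parse(chunk)
        except ValueError:                # UnicodeDecodeError is a ValueError subclass
            pass
    return chunk

def looks_like_protobuf(body):
    """Filter for intercepted bodies: non-empty and parses completely as one message."""
    try:
        return bool(decode_raw(body))
    except ValueError:
        return False

if __name__ == "__main__":
    print(decode_raw(SAMPLE))
```

Whether a length-delimited field is a sub-message or a string is a guess without the .proto, so treat the nesting as a hypothesis. Feed the decoder raw bytes saved from the proxy: a body pasted as text, like the fdfe/log requests in this thread, has already lost bytes and cannot be decoded.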
Hey Egirault !!!
I have been playing a lot with your most amazing API. It's insanely great and you have done an awesome job.
I have been trying to play with the fdfe/log endpoint and am unable to decode the request. I have used MITMProxy and Fiddler to decode the network requests.
I need your help to decode the key for the protobuffed message to Google that is sent to the Google servers in the POST request that follows:
POST https://android.clients.google.com/fdfe/log HTTP/1.1
Content-Type: application/x-protobuf
Accept-Language: en-US
Authorization: GoogleLogin auth=XXXXXXXX
X-DFE-Enabled-Experiments: nocache:enable_newsstand
X-DFE-Unsupported-Experiments: nocache:dfe:dc:3,nocache:dfe:uc:IN,apk_translations,buyer_currency,buyer_currency_in_app,checkin.set_asset_paid_app_field,content_ratings,localized_images,market_emails,new_merchant_signup,nocache:apps.offline_docs,nocache:billing.use_charging_poller,nocache:billing.use_provisioning_poller,nocache:billing.use_provisioning_poller_inapp,nocache:billing.use_provisioning_poller_subs,nocache:enable_play_country,nocache:enable_tablet_large,nocache:encrypted_apk,nocache:mixer:use_windsearch,nocache:recs:automated_weight_adjuster_94,nocache:recs:books_annotate_merch_collection_20130620_75,nocache:recs:movies_annotate_merch_collection_20130620_25,nocache:recs:weights_books_50,nocache:recs:weights_books_transition_80,nocache:recs:weights_movies_60,nocache:use_gaia_mint_instead_of_checkout_auth_token,nocache:user_challenge,prod_locale_boost,recent_changes,vca:enable_onetree_search
X-DFE-Device-Id: XXXXXXXX
X-DFE-Client-Id: am-unknown
X-DFE-Logging-Id: XXXXXXX
User-Agent: Android-Finsky/4.4.21 (api=3,versionCode=80240021,sdk=16,device=mako,hardware=vbox86,product=occam)
X-DFE-SmallestScreenWidthDp: 600
X-DFE-Filter-Level: 3
Content-Length: 55
Host: android.clients.google.com
Connection: Keep-Alive
/�ȧ *�&confirmFreeDownload?doc=com.igs.fafafa
It would be very helpful of you if you could help decode the Chinese characters in the above request.
from googleplay-api.
So has someone figured out which .proto to use with protoc when decoding intercepted Google Play API responses?
from googleplay-api.