WooYun.org

在Flyme音乐中搜索：情人节，开始抓包：
GET /open/library/search?query=%E6%83%85%E4%BA%BA%E8%8A%82&track_offset=0&track_count=6&album_offset=0&album_count=3&artist_offset=0&artist_count=3&lc=B9D2DCFA01526C54&conn=wifi HTTP/1.1
oauth_token: 795821c98eBd4fcC2ed3E38167071d22a13C0746
Consumer-key: 211098484
Session-id: 0mdNDgbGbuwH77ql9Cj3SBYa
x-requested-with: XMLHttpRequest
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.2.1; M045 Build/JOP40D)
Host: open.duomi.com
Connection: Keep-Alive
Accept-Encoding: gzip
得到响应内容：
{
"album_offset": 0,
"albums": [
{
"artists": [
{
"id": 61584100,
"name": "庄心妍",
"portrait": "/p1/00/29/71079125.jpg",
"valid": true
}
],
"available": true,
"company": "",
"cover": "/p1/03/31/71149219.jpg",
"id": 2515940,
"name": "情人节",
"num_tracks": 1,
"release_date": "2014-02-10",
"type": "EP/单曲"
},
{
"artists": [
{
"id": 61442579,
"name": "吴克群",
"portrait": "/p1/27/11/70824611.jpg",
"valid": true
}
],
"available": true,
"company": "",
"cover": "/p1/00/31/70548157.jpg",
"id": 2199610,
"name": "情人节",
"num_tracks": 3,
"release_date": "2010-02-11",
"type": "EP/单曲"
},
{
"artists": [
{
"id": 51081344,
"name": "刘心",
"portrait": "/p1/18/07/70869025.jpg",
"valid": true
}
],
"available": true,
"company": "",
"cover": "/p1/17/26/70717310.jpeg",
"id": 2323554,
"name": "情人节",
"num_tracks": 1,
"release_date": "2010-02-14",
"type": "EP/单曲"
}
],
"artist_offset": 0,
"artists": [
{
"id": 51031434,
"name": "My Bloody Valentine",
"num_albums": 11,
"num_tracks": 68,
"portrait": "/p1/02/31/70714939.jpg",
"valid": true
},
{
"id": 61479904,
"name": "男孩女孩的情人节",
"num_albums": 1,
"num_tracks": 5,
"portrait": "/p1/01/08/70843154.jpg",
"valid": true
}
],
"dm_error": 0,
"error_msg": "操作成功",
"recommend": 0,
"total_albums": 129,
"total_artists": 2,
"total_tracks": 1713,
"track_offset": 0,
"tracks": [
{
"album": {
"cover": "http://meizu.pic.duomi.com/imageservice/scaleImage?&url=http://service-img//p1/03/31/71149219.jpg&w=200&h=200&c=0&o=0",
"id": 2515940,
"name": "情人节"
},
"artists": [
{
"id": 61584100,
"name": "庄心妍",
"portrait": "http://meizu.pic.duomi.com/imageservice/scaleImage?&url=http://service-img//p1/00/29/71079125.jpg&w=200&h=200&c=0&o=0",
"valid": true
}
],
"availability": "1111",
"duration": 249,
"id": 26279360,
"lyric": "http://meizu.lyric.duomi.com/lyric/22/01/92258068.lrc",
"popularity": 10,
"title": "情人节"
},
{
"album": {
"cover": "http://meizu.pic.duomi.com/imageservice/scaleImage?&url=http://service-img//p1/17/26/70717310.jpeg&w=200&h=200&c=0&o=0",
"id": 2323554,
"name": "情人节"
},
"artists": [
{
"id": 51081344,
"name": "刘心",
"portrait": "http://meizu.pic.duomi.com/imageservice/scaleImage?&url=http://service-img//p1/18/07/70869025.jpg&w=200&h=200&c=0&o=0",
"valid": true
}
],
"availability": "1110",
"duration": 279,
"id": 24211657,
"lyric": "http://meizu.lyric.duomi.com/lyric/04/26/91226711.lrc",
"popularity": 7,
"title": "情人节"
},
{
"album": {
"cover": "http://meizu.pic.duomi.com/imageservice/scaleImage?&url=http://service-img//p1/00/03/71030424.jpg&w=200&h=200&c=0&o=0",
"id": 2045954,
"name": "Magik新歌精选"
},
"artists": [
{
"id": 61442579,
"name": "吴克群",
"portrait": "http://meizu.pic.duomi.com/imageservice/scaleImage?&url=http://service-img//p1/27/11/70824611.jpg&w=200&h=200&c=0&o=0",
"valid": true
}
],
"availability": "1111",
"duration": 240,
"id": 12877434,
"lyric": "http://meizu.lyric.duomi.com/lyric/02/07/92258668.lrc",
"popularity": 5,
"title": "情人节"
},
{
"artists": [
{
"id": 61005597,
"name": "情人节",
"portrait": "",
"valid": false
}
],
"availability": "1110",
"duration": 180,
"id": 21254374,
"lyric": "",
"popularity": 5,
"title": "Stay Here Forever"
},
{
"artists": [
{
"id": 51077351,
"name": "张芸京",
"portrait": "http://meizu.pic.duomi.com/imageservice/scaleImage?&url=http://service-img//p1/24/22/70880656.jpg&w=200&h=200&c=0&o=0",
"valid": true
}
],
"availability": "1111",
"duration": 267,
"id": 25864815,
"lyric": "",
"popularity": 4,
"title": "情人节"
},
{
"album": {
"cover": "http://meizu.pic.duomi.com/imageservice/scaleImage?&url=http://service-img//p1/08/13/70798180.jpg&w=200&h=200&c=0&o=0",
"id": 2374269,
"name": "网络红歌"
},
"artists": [
{
"id": 61460211,
"name": "炫木",
"portrait": "http://meizu.pic.duomi.com/imageservice/scaleImage?&url=http://service-img//p1/05/16/70893223.jpg&w=200&h=200&c=0&o=0",
"valid": true
}
],
"availability": "1110",
"duration": 202,
"id": 25031589,
"lyric": "http://meizu.lyric.duomi.com/lyric/15/25/91423324.lrc",
"popularity": 4,
"title": "情人节"
}
]
}
接下来在界面上选中某一首歌进行在线试听，此时抓包内容如下：
请求：
GET /open/library/track/medias?id=26279360&lc=B9D2DCFA01526C54&conn=wifi HTTP/1.1
oauth_token: 795821c98eBd4fcC2ed3E38167071d22a13C0746
Consumer-key: 211098484
Session-id: 0mdNDgbGbuwH77ql9Cj3SBYa
x-requested-with: XMLHttpRequest
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.2.1; M045 Build/JOP40D)
Host: open.duomi.com
Connection: Keep-Alive
Accept-Encoding: gzip
响应：
{
"dm_error": 0,
"error_msg": "ERR:000:",
"num_tracks": 1,
"tracks": [
{
"ape_id": 194009147,
"down_media_ids": [
194009148
],
"id": 26279360,
"medias": [
{
"bitrate": 64,
"format": "aac",
"id": 193995715,
"size": 2002221,
"url": "http://meizu.media.duomi.com/dm//duomial/L2FhY3BsdXNfNzUvMTgvMTkvMzczNjgyNzFfNDYzMC0xMzM3MDA1Ng==.dac?type=0&pos=1&uid=340857671"
},
{
"bitrate": 128,
"format": "m4a",
"id": 193995716,
"size": 3814412,
"url": "http://meizu.media.duomi.com/dm//duomial/L201YV8wMzkvMTgvMTkvMzczNjgyNzFfNDYzMC0xMzM3MDA1Ng==.m4a?type=20&pos=1&uid=340857671"
},
{
"bitrate": 320,
"format": "mp3",
"id": 194009148,
"size": 9979819,
"url": "http://meizu.media.duomi.com/dm//duomial/L21wMl8yMzEvMTgvMTkvMzczNjgyNzFfNDYzMC0xMzM3MDA1Ng==.dm3?type=3&pos=1&uid=340857671"
},
{
"bitrate": 320,
"format": "flac",
"id": 194009147,
"size": 25246697,
"url": "http://meizu.media.duomi.com/dm//duomial/L2ZsYWNfMTkxOC8xOC8xOS8zNzM2ODI3MV80NjMwLTEzMzcwMDU2.flac?type=&pos=0&uid=340857671"
}
],
"streaming_media_ids": [
193995715,
193995716
]
}
]
}
至此，一个普通Flyme账户可以拿到所有格式的音乐下载地址了！找个HTTP模拟器用抓到的包测试了一下，Session-id的有效期貌似很长，完全可以写个程序跑...

从抓到的数据包来看问题应该出在多米音乐提供的接口上，但是多米貌似没在乌云注册，我还是提交到魅族吧，你们的工程师已经在QQ上确认这个BUG了！别忽略啊！亲！