吾爱破解 - 52pojie.cn

 找回密码
 注册[Register]

QQ登录

只需一步,快速开始

查看: 1424|回复: 3
收起左侧

[Android 求助] app的拦截器问题---怎么hook 拦截器Interceptor,

[复制链接]
JiangtaoChiu 发表于 2023-3-2 18:49
本帖最后由 JiangtaoChiu 于 2023-3-3 10:22 编辑

附反编译后所hook的部分

附反编译后所hook的部分
前辈们好:现在做到如下,没有思路了,烦请指点一二
现在已有想法:hook到拦截器的请求和响应请求,创建服务,伪造请求,然后不会了在xposed hook 某app时候,hook的是拦截器okhttp3(因为此处能返回我们需要的各类参数)
1、已经找到关键函数,也hook到了,能返回所需要的数据。
2、代码部分:因为初次尝试,打印有点多。贴一下完整代码
[Python] 纯文本查看 复制代码
package com.example.app001.hooksig;

import android.app.Application;
import android.content.Context;

import com.yanzhenjie.andserver.AndServer;
import com.yanzhenjie.andserver.Server;

import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.concurrent.TimeUnit;

import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage;
public class MyHook implements IXposedHookLoadPackage {


    public Server myserver;

    @Override
    public void handleLoadPackage(XC_LoadPackage.LoadPackageParam lpparam) throws Throwable {
        XposedBridge.log("-------------进入handleLoadPackage-----------");
//        某链~
//        if (lpparam.packageName.equals("com.xxxx.beike")) {
//        某家~
        if (lpparam.packageName.equals("com.xxxx-homelink-xxxx.android")) {
            XposedBridge.log("---------------包名验证正确,start hook-----------");
            //hook 多dex
            XposedHelpers.findAndHookMethod(Application.class, "attach", Context.class, new XC_MethodHook() {
                @Override
                protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                    XposedBridge.log("-------------进入hook多个dex方法-----------");
                    ClassLoader cl = ((Context)param.args[0]).getClassLoader();
                    Class<?> hookclass = null;
                    try {
//                        hookclass = cl.loadClass("com.lianjia.soundlib.vrrecorder.util.SignUtil");
                        hookclass = cl.loadClass("com.ke.infrastructure.app.signature.algorithm.V1SignAlgorithm");
                        XposedBridge.log("-------------进去try了,查找到类名-----------");
                    } catch (Exception e) {
//                        Log.e("Debug", "查询报错"+e.getMessage());
                        XposedBridge.log("-----------查找不到报错了-----------"+e.getMessage());
                        return;
                    }
//                    Log.i("Debug", "查询成功");
                    XposedBridge.log("Debug, 查询成功   "+ hookclass);
                    XposedHelpers.findAndHookMethod(hookclass,"sign",String.class,String.class, Long.class,new XC_MethodHook() {
                        // 相关hook操作
                                @Override
                                protected void beforeHookedMethod(MethodHookParam param)
                                        throws Throwable {
                                    // Hook函数之前运行的代码
                                    super.beforeHookedMethod(param);
                                    XposedBridge.log("进入hook操作函数-----------");
                                    // 传入參数1
                                    XposedBridge.log("beforeHookedMethod a:" + param.args[0]);
                                    XposedBridge.log("beforeHookedMethod b:" + param.args[1]);
                                    XposedBridge.log("beforeHookedMethod c:" + param.args[2]);
//                                    XposedBridge.log("beforeHookedMethod d:" + param.args[3]);
//                                    XposedBridge.log("beforeHookedMethod e:" + param.args[4]);
//
                                  // 建立服务
//                                    get_wua(cl, param);
                                }
                                @Override
                                protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                                    // Hook函数之后运行的代码
                                    XposedBridge.log("Hook函数之后代码区---------------");
                                    //函数返回值
                                    String[] tt = (String[]) param.getResult();
                                    XposedBridge.log("afterHookedMethod 返回值:" + Arrays.toString(tt));
//                                    XposedBridge.log(String.valueOf(param.getResult()));
//                                    String gg = String.valueOf(param.getResult());
//                                    Log.d("tttt", gg);
//                                    XposedBridge.log(gg);


                                }

                            });


                }

            });
        };

    }


    private void get_wua(final Class<?> cls, XC_MethodHook.MethodHookParam param) throws NoSuchMethodException {
        Method m = cls.getDeclaredMethod("sign", String.class, String.class, Long.class);
        if (MyHook.this.myserver == null) {
            XposedBridge.log("创建监听10086端口");
            MyHook.this.myserver = AndServer.serverBuilder().port(10010).timeout(60, TimeUnit.SECONDS)
                    .registerHandler("/wua_and_sign", new beike_wua(m, param.thisObject, cls)).listener(new Server.ServerListener() {
                        @Override
                        public void onStarted() {

                        }
                        @Override
                        public void onStopped() {

                        }
                        @Override
                        public void onError(Exception e) {

                        }
                    }).build();
            XposedBridge.log("--- Base 10010 Build Success ---");
        }
        if (!MyHook.this.myserver.isRunning()) {
            XposedBridge.log("监听10010端口开始");
            MyHook.this.myserver.startup();
        }
    }






}
[Python] 纯文本查看 复制代码
package com.example.app001.hooksig;


import com.yanzhenjie.andserver.RequestHandler;
import com.yanzhenjie.andserver.util.HttpRequestParser;

import org.apache.httpcore.HttpException;
import org.apache.httpcore.HttpRequest;
import org.apache.httpcore.HttpResponse;
import org.apache.httpcore.protocol.HttpContext;

import java.io.IOException;
import java.lang.reflect.Method;
import java.util.Map;
import java.util.concurrent.TimeUnit;

import de.robv.android.xposed.XposedBridge;
import okhttp3.Interceptor;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

/**
 * C
 */
public class beike_wua implements RequestHandler {

    //创建OkHttpClient 对象
//    private OkHttpClient ok;
    private Class<?> cla;
    private Method m;
    private Object instance;

    public beike_wua(Method m, Object instance, Class<?> cla) {
        // Interceptor
//        ok = new OkHttpClient().newBuilder().addInterceptor((Interceptor) instance).build();
        this.m = m;
        this.instance = instance;
        this.cla = cla;



    }

    public void handle(HttpRequest request, HttpResponse response, HttpContext context) throws HttpException, IOException {
        Map<String, String> map = HttpRequestParser.parseParams(request);
        XposedBridge.log("---------进入handle------"+map);
        String data_1 = String.valueOf(map.get("str1"));
        String data_2 = String.valueOf(map.get("str2"));
        Long data_3 = Long.valueOf(map.get("long3"));

        XposedBridge.log("---------进入handle---00000000000--");
        // 发起伪请求
        // 请求地址
        String url = "https://apps.api.ke.com/house/chengjiao/searchV2?condition=&limit_offset=60&containerType=1&limit_count=20&city_id=110000";
        //创建okhtto请求的对象
        OkHttpClient client = new OkHttpClient()
                .newBuilder()
                .connectTimeout(10, TimeUnit.SECONDS) // 设置超时时间
                .readTimeout(10, TimeUnit.SECONDS) // 设置读取超时时间
                .writeTimeout(10, TimeUnit.SECONDS) // 设置写入超时时间
                .addInterceptor((Interceptor) instance)
                .build();
        XposedBridge.log("---------进入handle---11111111111--");
        //创建请求连接,url里面存放请求连接,get表示其实get请求    放全局
        Request req = new Request.Builder()
                .url(url)
                .header("User-Agent", "Beike2.95.0;Xiaomi MI+8; Android 11")
                .addHeader("Referer", "https://bj.ke.com/ershoufang/")
                .build();

        XposedBridge.log("---------进入handle---11111111111--");
        //使用execute()方法执行请求
        try (Response resp = client.newCall(req).execute()) {
            XposedBridge.log(resp.code()+"");
            if (!resp.isSuccessful()) {
                throw new IOException("Unexpected code " + resp);
            }
            //定义字符串接收请求信息
            final String string = resp.body().string();

            // 处理响应数据
            System.out.println("处理响应数据---------"+string);
            XposedBridge.log("处理响应数据---------"+string);
        } catch (IOException e) {
//            e.printStackTrace();

            XposedBridge.log("---------进入handle---eeeeeeeeee--");
            XposedBridge.log(e);
        }


        XposedBridge.log("data_1   ---   "+data_1);
        XposedBridge.log("data_2  ---   "+data_2);
        XposedBridge.log("data_3   ---   "+data_3);

//        try {
//            String[] arr = (String[]) this.m.invoke(this.instance,data_1, data_2, data_3 );
//
//            String a = "";
//            for (int i = 0; i < arr.length; i++) {
//                if (i==0){
//                    a = arr[i];
//                }else {
//                    a = a+"8888888888888"+arr[i];
//                }
//            }
//            XposedBridge.log("通过插件获取加密参数中..." + arr);
//
//            String re = JSONObject.toJSONString(arr);
//            XposedBridge.log("通过插件获取加密结束..." + re);
//            response.setEntity(new StringEntity(re, HttpRequestParser.CHARSET_UTF8));
//            response.setEntity(new StringEntity(a, HttpRequestParser.CHARSET_UTF8));
//        } catch (Exception e) {
//            XposedBridge.log(e.getMessage());
//        }


        XposedBridge.log("---------进入handle---99999999999999--");
    }


}
//    private HashMap<String,String> parse(String data){
//        HashMap jobj = JSONObject.parseObject(data, HashMap.class);
//        return null;
//    }













发帖前要善用论坛搜索功能,那里可能会有你要找的答案或者已经有人发布过相同内容了,请勿重复发帖。

 楼主| JiangtaoChiu 发表于 2023-3-3 10:06
[img]%5Burl=https://imgse.com/i/ppkQCeH%5D[/url][/img]
正己 发表于 2023-3-3 12:29
 楼主| JiangtaoChiu 发表于 2023-3-3 14:05
正己 发表于 2023-3-3 12:29
可以参考一下珍惜表哥的库
https://github.com/w296488320/XposedOkHttpCat/tree/master/okHttpCat

感谢大大,刚才发错版块,下次会注意。谢谢
您需要登录后才可以回帖 登录 | 注册[Register]

本版积分规则

返回列表

RSS订阅|小黑屋|处罚记录|联系我们|吾爱破解 - LCG - LSG ( 京ICP备16042023号 | 京公网安备 11010502030087号 )

GMT+8, 2024-12-22 09:56

Powered by Discuz!

Copyright © 2001-2020, Tencent Cloud.

快速回复 返回顶部 返回列表