I. Goals

It’s hard, and it’s getting harder these days: a certain short-video app keeps pushing updates, and our plan of blocking QUIC doesn’t seem to work any more.

Luckily we still have okhttplogger-frida.

TIP: v9.10.10.22596

Readers in a hurry can skip straight to the end and join the Knowledge Planet to get the JS. Readers with higher ambitions should study the principle properly, so that next time they can do the adaptation themselves.

II. Steps

Analysis of the principle

In the article “Signature calculation method of a short-video App v8.x (1): starting from packet capture” we analyzed how to capture packets from v8.0 with okhttplogger-frida.

okhttplogger-frida: which apps is it suitable for capturing packets from?

Since every request an app makes through the OkHttp framework goes through RealCall.java, we can hook this class to retrieve the request and the response.

We open the APK with JADX.

If OkHttp is not immediately visible, it may be obfuscated. Run the find command of this script to try to locate it.

Analyzing the problem

Some friends will say: “I tried this script, it doesn’t work, it can’t capture packets.”

No one is going to be there to adapt it to every version for you. So we need to understand how the script works in order to do our own adaptation.

First copy okhttpfind.dex to /data/local/tmp/

Then run frida -U -l okhttp_poker.js -f com.example.demo --no-pause

First run the find() command, which prints whether the app uses okhttp3. Write down the following line of its output:

```javascript
var Cls_okio_Buffer = "okio.f";
```

Now you can start capturing packets by running the hold() command.

Nice, the URL and the request headers are already printed.

There are two problems:

1. File Request Body Omit…

2. The response data is not printed.

And there is this error:

```
print request error :  Error: writeTo(): argument types do not match any of:
	.overload('okio.g')
    at X (frida/node_modules/frida-java-bridge/lib/class-factory.js:563)
    at value (frida/node_modules/frida-java-bridge/lib/class-factory.js:966)
    at e (frida/node_modules/frida-java-bridge/lib/class-factory.js:547)
    at printerRequest (/okhttp_poker.js:171)
    at printAll (/okhttp_poker.js:106)
    at <anonymous> (/okhttp_poker.js:89)
    at <anonymous> (frida/node_modules/frida-java-bridge/lib/vm.js:16)
    at perform (frida/node_modules/frida-java-bridge/index.js:193)
    at buildNewResponse (/okhttp_poker.js:98)
    at <anonymous> (/okhttp_poker.js:510)
    at apply (native)
    at ne (frida/node_modules/frida-java-bridge/lib/class-factory.js:613)
    at <anonymous> (frida/node_modules/frida-java-bridge/lib/class-factory.js:592)
```

Adapting the code

Line 160 of okhttp_poker.js has a filterUrl check, which is intended to filter out image files. However, it matches the extension anywhere in the string, so a URL that merely contains “JPG” or “PNG” somewhere is filtered as well. It should only filter when the last few characters of the URL match.

```javascript
var filterArray = [".JPG", ".jpg", ".PNG", ".png", ".WEBP", ".webp", ".JPEG", ".jpeg", ".GIF", ".gif", ".zip", ".data"];
......

function filterUrl(url) {
    for (var i = 0; i < filterArray.length; i++) {
        // original check: matches the extension anywhere in the URL, so
        // a request whose path or parameters merely contain ".jpg" is dropped
        // if (url.indexOf(filterArray[i]) != -1) {
        //     console.log(url + " ?? " + filterArray[i])
        //     return true;
        // }

        // adapted check: only match when the extension sits at the end of the URL
        if (url.lastIndexOf(filterArray[i]) >= (url.length - 6)) {
            // console.log(url + " ?? " + filterArray[i])
            return true;
        }
    }
    return false;
}
```
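To make the difference between the two checks concrete, here is an added example (my own code, not part of okhttp_poker.js) that puts the original substring check next to a suffix check which first strips the query string and fragment, so an extension that only appears inside a parameter value is not mistaken for a static asset. The extension list is the one from the script; the helper names (naiveFilterUrl, filterUrlBySuffix, sampleUrls) and the sample hosts are mine.

```javascript
// Added example, not code from okhttp_poker.js. Extension list as in the script;
// helper names and sample URLs are constructed for this demonstration.
var filterArray = [".JPG", ".jpg", ".PNG", ".png", ".WEBP", ".webp",
                   ".JPEG", ".jpeg", ".GIF", ".gif", ".zip", ".data"];

// The original check: true if the extension appears *anywhere* in the URL.
function naiveFilterUrl(url) {
  for (var i = 0; i < filterArray.length; i++) {
    if (url.indexOf(filterArray[i]) !== -1) return true;
  }
  return false;
}

// Drop "?query" and "#fragment" so only the path is examined.
function pathOf(url) {
  var cut = url.length;
  var q = url.indexOf("?");
  var h = url.indexOf("#");
  if (q !== -1) cut = Math.min(cut, q);
  if (h !== -1) cut = Math.min(cut, h);
  return url.slice(0, cut);
}

// The suffix check: true only if the path itself ends with one of the extensions.
function filterUrlBySuffix(url) {
  var path = pathOf(url).toLowerCase();
  for (var i = 0; i < filterArray.length; i++) {
    if (path.endsWith(filterArray[i].toLowerCase())) return true;
  }
  return false;
}

// Constructed sample URLs (hypothetical hosts): [url, should it be filtered?]
var sampleUrls = [
  ["https://cdn.example.com/img/avatar_01.jpg", true],
  ["https://cdn.example.com/img/avatar_01.WEBP", true],
  ["https://api.example.com/v1/feed?cover=.png&page=2", false],
  ["https://api.example.com/v1/upload.jpg/status", false],
  ["https://api.example.com/v1/sign", false],
  ["https://cdn.example.com/pack/res.zip?token=abc", true],
];

// URLs the naive check drops even though they are API calls: these are the
// requests that silently vanish from the capture log.
function wronglyFiltered() {
  return sampleUrls
    .filter(function (e) { return naiveFilterUrl(e[0]) && !e[1]; })
    .map(function (e) { return e[0]; });
}

// True when the suffix check agrees with the expected verdict on every sample.
function allSuffixChecksCorrect() {
  return sampleUrls.every(function (e) { return filterUrlBySuffix(e[0]) === e[1]; });
}

console.log("wrongly filtered by naive check:", wronglyFiltered());
console.log("suffix check correct on all samples:", allSuffixChecksCorrect());
```

One caveat the script’s own `url.lastIndexOf(...) >= url.length - 6` fix does not cover: when a query string follows the extension (the `res.zip?token=abc` case above), the extension is no longer within the last six characters, so that request is logged as if it were an API call. Stripping the query string before comparing handles it.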

The second problem cannot be investigated for the time being, so we solve the error first.

At printerRequest (/okhttp_poker.js:171) there is the following code:

```javascript
        var buffer = BufferWapper.$new()
        requestBody[M_reqbody_writeTo](buffer)
```

This writes the requestBody into a buffer variable of type BufferWapper.

The BufferWapper type is defined by **var Cls_okio_Buffer = "com.singleman.okio.Buffer";**

There are already two hints pointing to the solution:

The error: an okio.g type is required.

The find() output: var Cls_okio_Buffer = "okio.f";

So, okio.g or okio.f?

Let’s look at the code decompiled by JADX:

```java
public interface g extends z, WritableByteChannel {
......
}

public final class f implements h, g, Cloneable, ByteChannel {
......
}
```

okio.g is the interface, and okio.f is the class that implements it. So there is no doubt that okio.f is the one to use here.

I modify it this way:

```javascript
var ffBufferWapper = Java.use("okio.f");
var buffer = ffBufferWapper.$new();
```

I run it again. Nice, now both the Request and the Response are printed out.

One last problem

After capturing packets this way, the app suddenly becomes very unstable: sometimes it freezes for a while, sometimes it fails to access the network at all.

This problem must be caused by our JS. But how exactly does it happen, and how do we troubleshoot it?

The best way to solve this kind of problem is elimination.

1. Comment out the printAll function so that nothing is printed. The app runs OK, which shows that the hook itself is fine and the problem lies in the printing.

2. Printing is divided into two parts, printerRequest and printerResponse. Masking each in turn, the problem is found in printerResponse.

More precisely, in buffer[M_buffer_readByteArray] inside getByteString; that is, as soon as we read the Response body, the problems appear.

At this point I feel the problem is in the reading of the buffer: there may be a read conflict. Because our hook script has read this buffer, the app can no longer read the result, and that leads to all kinds of weird behaviour.

Then I tried various methods, such as changing the function used to read and making a deep copy of the buffer, without success. Finally I found that the author had left a trick in reserve: the script already makes a deep copy of the Response body and generates a newResponse.

So we go ahead and hook it, happily print it out, and then return the generated newResponse to the app.

One more run. Perfect finish.
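The instability described above comes down to one thing: reading the body drains it, so whatever the hook consumes the app never sees. Here is an added example (my own Node model, not code from okhttp_poker.js or from OkHttp/okio) that simulates a read-once body, shows the broken pattern that logs from the app’s own body, and then the pattern the page ends up with: read the bytes once, print them, and hand the app a freshly built response around those bytes. The class and function names (OnceBody, logInPlace, logAndRebuild, appConsumes) are stand-ins of mine, not okio or OkHttp APIs.

```javascript
// Added example, not code from okhttp_poker.js. OnceBody stands in for a
// read-once okio buffer; the response objects are plain stand-ins for okhttp's.

class OnceBody {
  constructor(bytes) {
    this.bytes = Buffer.from(bytes);
    this.drained = false;
  }
  // Models readByteArray(): returns the data and leaves the buffer empty,
  // so any later reader gets nothing.
  readByteArray() {
    if (this.drained) return Buffer.alloc(0);
    this.drained = true;
    const out = this.bytes;
    this.bytes = Buffer.alloc(0);
    return out;
  }
}

function makeResponse(status, body) {
  return { status: status, body: new OnceBody(body) };
}

// Broken hook: logs by draining the app's own body, then returns that same
// (now empty) response. This is the "read conflict" the page runs into.
function logInPlace(response, log) {
  log.push(response.body.readByteArray().toString("utf8"));
  return response;
}

// Fixed hook, matching the newResponse approach: read the bytes exactly once,
// log them, and build a new response that carries an untouched copy.
function logAndRebuild(response, log) {
  const bytes = response.body.readByteArray();
  log.push(bytes.toString("utf8"));
  return { status: response.status, body: new OnceBody(bytes) };
}

// What the app does afterwards: read its body once and parse it as JSON.
// A null result is the "weird problem": the app got an empty body.
function appConsumes(response) {
  const raw = response.body.readByteArray().toString("utf8");
  try { return JSON.parse(raw); } catch (e) { return null; }
}

// Constructed sample body, shaped like a typical API reply.
const SAMPLE = '{"code":0,"data":{"items":[1,2,3]}}';

// Runs one hook against a fresh response and reports what was logged and
// what the app was able to parse.
function demo(hook) {
  const log = [];
  const res = hook(makeResponse(200, SAMPLE), log);
  return { logged: log[0], appSaw: appConsumes(res) };
}

console.log("logInPlace    ->", demo(logInPlace));
console.log("logAndRebuild ->", demo(logAndRebuild));
```

The elimination steps on the page map onto this model directly: with logInPlace the log looks perfect, which is why the printing code is the last place one suspects, yet the app receives an empty body. Returning the rebuilt response is what makes both the capture and the app work at the same time.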

III. Summary

Taking ready-made tools is easy, but understanding the principle well enough to adapt them yourself is more important.

When you run into a problem, follow the principle of the minimal working setup: mask the code step by step to narrow the scope and pin down the problem.

Whenever I think of the things I regret in my life, plum blossoms fall all over Nanshan.

TIP: The purpose of this article is only one: to learn more reverse-engineering techniques and ways of thinking. If anyone uses this technique to obtain illegal commercial gain, the legal liability lies with that operator and has nothing to do with the author. The code project involved in this article can be found in my Fenfei star (Knowledge Planet); you are welcome to join the star to learn and explore technical knowledge together. If you have a problem, you can add me on WeChat: FENfei331 for discussion.

WeChat public account: Fenfei Security, pushing the latest technical content in real time.