frida脚本:
// Frida agent: replaces mtopsdk's SwitchConfig.isGlobalSpdySwitchOpen() so that it
// always reports false, and logs the value the original method would have returned.
setTimeout(function () {
    console.log('start——*-*-*-*-*-');
    // Java classes may only be touched from inside Java.perform.
    Java.perform(function () {
        var switchConfigClass = Java.use('mtopsdk.mtop.global.SwitchConfig');
        // overload() with no arguments selects the zero-parameter variant.
        var spdySwitch = switchConfigClass.isGlobalSpdySwitchOpen.overload();
        spdySwitch.implementation = function () {
            // Call through to the original implementation so its value can be logged.
            var originalValue = this.isGlobalSpdySwitchOpen.apply(this, arguments);
            console.log("开启抓包" + originalValue);
            // The caller sees false regardless of what the original returned.
            return false;
        };
    });
});
使用xposed模块hook淘宝的SPDY协议,使其能够被抓包
xposed模块
tb_kill_proxy.apk
package com.example.tb_proxy_hook;
import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook$MethodHookParam;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage$LoadPackageParam;
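/**
 * Xposed module entry point that forces {@code SwitchConfig.isGlobalSpdySwitchOpen()} to
 * return {@code false} in every loaded package whose name contains {@code "com.taobao."}.
 *
 * <p>This listing is decompiler output; the {@code $}-separated nested type names are kept
 * because they match the import lines of the listing.
 */
public class MainMtop implements IXposedHookLoadPackage {
    /** Fully qualified name of the class whose switch is hooked. */
    private static final String SWITCH_CONFIG_CLASS = "mtopsdk.mtop.global.SwitchConfig";

    public MainMtop() {
        super();
    }

    /**
     * Called by Xposed for each package that is loaded; installs the hook only for
     * packages whose name contains {@code "com.taobao."}.
     *
     * @param loadPackageParam package name and class loader of the package being loaded
     */
    public void handleLoadPackage(XC_LoadPackage$LoadPackageParam loadPackageParam) throws Throwable {
        String loadedPackage = loadPackageParam.packageName;
        // Substring match, as in the original: any package name containing the marker qualifies.
        if (loadedPackage.contains("com.taobao.")) {
            this.hook(loadedPackage, loadPackageParam.classLoader);
        }
    }

    /**
     * Installs an after-hook on {@code isGlobalSpdySwitchOpen} that replaces its result
     * with {@code false}.
     *
     * @param packageName name of the hooked package, used only in log output
     * @param classLoader class loader of the hooked package
     */
    public void hook(final String packageName, ClassLoader classLoader) {
        Class<?> switchConfig = XposedHelpers.findClassIfExists(SWITCH_CONFIG_CLASS, classLoader);
        if (switchConfig == null) {
            // findClassIfExists returns null instead of throwing; passing null on to
            // findAndHookMethod would fail with a NullPointerException.
            this.log(" " + packageName + " " + SWITCH_CONFIG_CLASS + " not found, hook skipped");
            return;
        }
        // The decompiler rendered the captured packageName as a constructor argument and
        // as this.val$package_name; the anonymous class simply captures the parameter.
        XposedHelpers.findAndHookMethod(switchConfig, "isGlobalSpdySwitchOpen", new XC_MethodHook() {
            protected void afterHookedMethod(XC_MethodHook$MethodHookParam methodHookParam) throws Throwable {
                super.afterHookedMethod(methodHookParam);
                MainMtop.this.log(" " + packageName + "开启抓包");
                // Overwrite whatever the original method returned.
                methodHookParam.setResult(Boolean.FALSE);
            }
        });
    }

    /**
     * Writes a tagged line to the Xposed log.
     *
     * @param object value to log; {@code null} is rendered as the text "null"
     */
    public void log(Object object) {
        // String concatenation already renders a null reference as "null", so the
        // original's separate null branch produced the same output.
        XposedBridge.log("淘宝系_ " + object);
    }
}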
tb_kill_proxy_1.2.apk
package com.example.tb_proxy_hook;
import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook$MethodHookParam;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XSharedPreferences;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage$LoadPackageParam;
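/**
 * Xposed module entry point (version 1.2 listing) that overrides the result of
 * {@code SwitchConfig.isGlobalSpdySwitchOpen()} in packages whose name contains
 * {@code "com.taobao"} or {@code "com.tmall"}, driven by a boolean preference.
 *
 * <p>This listing is decompiler output; the {@code $}-separated nested type names are kept
 * because they match the import lines of the listing.
 */
public class MainMtop implements IXposedHookLoadPackage {
    /** Fully qualified name of the class whose switch is hooked. */
    private static final String SWITCH_CONFIG_CLASS = "mtopsdk.mtop.global.SwitchConfig";

    public MainMtop() {
        super();
    }

    /**
     * Called by Xposed for each package that is loaded; installs the hook for packages
     * whose name contains {@code "com.taobao"} or {@code "com.tmall"}.
     *
     * @param loadPackageParam package name and class loader of the package being loaded
     */
    public void handleLoadPackage(XC_LoadPackage$LoadPackageParam loadPackageParam) throws Throwable {
        String loadedPackage = loadPackageParam.packageName;
        // Substring match, as in the original: any package name containing a marker qualifies.
        if (loadedPackage.contains("com.taobao") || loadedPackage.contains("com.tmall")) {
            this.hookTB(loadedPackage, loadPackageParam.classLoader);
        }
    }

    /**
     * Installs an after-hook on {@code isGlobalSpdySwitchOpen} whose result is the negation
     * of the {@code "flag"} preference (default {@code true}).
     *
     * @param packageName name of the hooked package, used only in log output
     * @param classLoader class loader of the hooked package
     */
    public void hookTB(final String packageName, ClassLoader classLoader) {
        Class<?> switchConfig = XposedHelpers.findClassIfExists(SWITCH_CONFIG_CLASS, classLoader);
        if (switchConfig == null) {
            // findClassIfExists returns null instead of throwing; passing null on to
            // findAndHookMethod would fail with a NullPointerException.
            this.log(" " + packageName + " " + SWITCH_CONFIG_CLASS + " not found, hook skipped");
            return;
        }
        // The decompiler rendered the captured packageName as a constructor argument and
        // as this.val$package_name; the anonymous class simply captures the parameter.
        XposedHelpers.findAndHookMethod(switchConfig, "isGlobalSpdySwitchOpen", new XC_MethodHook() {
            protected void afterHookedMethod(XC_MethodHook$MethodHookParam methodHookParam) throws Throwable {
                super.afterHookedMethod(methodHookParam);
                // The preference is re-read on every call of the hooked method.
                // NOTE(review): XSharedPreferences reads the module's preference file from
                // inside the hooked app's process, so that file presumably has to be readable
                // by other apps; confirm how the module writes it.
                XSharedPreferences preferences = new XSharedPreferences("com.example.tb_proxy_hook", "hook");
                preferences.reload();
                // Read once so the logged value and the applied value cannot differ.
                boolean flag = preferences.getBoolean("flag", true);
                MainMtop.this.log(" " + packageName + "开启抓包->" + flag);
                // The decompiler printed the negation as "flag ^ 1", which is not valid Java
                // for a boolean. flag == true yields false; flag == false yields true, not
                // the app's own value.
                methodHookParam.setResult(Boolean.valueOf(!flag));
            }
        });
    }

    /**
     * Writes a tagged line to the Xposed log.
     *
     * @param log value to log; {@code null} is rendered as the text "null"
     */
    public void log(Object log) {
        // String concatenation already renders a null reference as "null", so the
        // original's separate null branch produced the same output.
        XposedBridge.log("淘宝系_ " + log);
    }
}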
目前测试淘宝抓包可以用,喜欢的可以star一下
————————————————
版权声明:本文为CSDN博主「成小新」的原创文章,遵循CC 4.0 BY-SA版权协议,转载请附上原文出处链接及本声明。
原文链接:https://blog.csdn.net/qq_34067821/article/details/103203549
本文分析的是银泰喵街的抓包。
拿到android app抓包,出现http包不走fiddler等代理的情况,通过jadx查看该app使用了mtop sdk,
mtop Android SDK接入手册网址https://help.aliyun.com/document_detail/69785.html,查看手册对应的hook位置在SwitchConfig.getInstance().setGlobalSpdySwitchOpen(false);
把GlobalSpdySwitchOpen通过hook设置成false之后,我们就可以看到https://acs.m.taobao.com/gw/的报文了。
下面提供xposed/frida解决方法
1、xposed代码如下
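/**
 * Installs an after-hook on {@code mtopsdk.mtop.global.SwitchConfig.isGlobalSpdySwitchOpen}
 * that logs the original result and then replaces it with {@code false}.
 *
 * @param classLoader class loader used to look up the SwitchConfig class
 */
public void hook(ClassLoader classLoader) {
    Class<?> switchConfigClass = findClassIfExists("mtopsdk.mtop.global.SwitchConfig", classLoader);
    if (switchConfigClass == null) {
        // findClassIfExists returns null instead of throwing when the class is absent.
        log("mtopsdk.mtop.global.SwitchConfig not found, hook skipped");
        return;
    }
    findAndHookMethod(switchConfigClass, "isGlobalSpdySwitchOpen", new XC_MethodHook() {
        @Override
        protected void afterHookedMethod(MethodHookParam param) throws Throwable {
            super.afterHookedMethod(param);
            // The result is a boolean (the other listings on this page cast it to Boolean).
            // The original cast to String would throw ClassCastException here, before
            // setResult(false) was reached.
            Object originalResult = param.getResult();
            log("SwitchConfig.isGlobalSpdySwitchOpen()=" + originalResult);
            param.setResult(false);
        }
    });
}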
2、frida代码如下
/**
 * Replaces SwitchConfig.isGlobalSpdySwitchOpen() so that it logs the value of the
 * original implementation and always returns false.
 * Uses Frida's Java bridge, so it is expected to run inside Java.perform.
 */
function hook_spdy() {
    var switchConfigClass = Java.use('mtopsdk.mtop.global.SwitchConfig');
    // overload() with no arguments selects the zero-parameter variant.
    var spdySwitch = switchConfigClass.isGlobalSpdySwitchOpen.overload();
    spdySwitch.implementation = function () {
        // Call through to the original implementation so its value can be logged.
        var originalValue = this.isGlobalSpdySwitchOpen.apply(this, arguments);
        console.log("\nSwitchConfig.isGlobalSpdySwitchOpen()=" + originalValue);
        return false;
    };
}
3、fiddler抓包成功截图
4、对应代码下载链接
xposed:https://download.csdn.net/download/weixin_33571137/11763987
frida:https://download.csdn.net/download/weixin_33571137/11763981
jadx(支持中文):https://download.csdn.net/download/weixin_33571137/11646486
————————————————
版权声明:本文为CSDN博主「YT010_PL」的原创文章,遵循CC 4.0 BY-SA版权协议,转载请附上原文出处链接及本声明。
原文链接:https://blog.csdn.net/weixin_33571137/article/details/100944804
转:https://www.freesion.com/article/9804182218/
我们经常需要爬取一些淘宝的数据,使用一些忽略ssl校验的xposed工具却抓不到包,最后我们发现它用的是SPDY协议。我们只需要hook它的app里的一些方法即可抓包。
/**
 * Installs after-hooks on two SwitchConfig getters, {@code isGlobalSpdySwitchOpen} and
 * {@code isGlobalSpdySslSwitchOpen}. Each hook logs the original result and replaces it
 * with {@code false}.
 *
 * @param classLoader class loader used to look up the SwitchConfig class; also passed on
 *                    to hookSignRequest
 */
public void hookNet(final ClassLoader classLoader) {
    Class<?> switchConfigClass = findClassIfExists("mtopsdk.mtop.global.SwitchConfig", classLoader);

    XC_MethodHook spdyHook = new XC_MethodHook() {
        @Override
        protected void afterHookedMethod(MethodHookParam param) throws Throwable {
            super.afterHookedMethod(param);
            Boolean originalValue = (Boolean) param.getResult();
            log("SwitchConfig.isGlobalSpdySwitchOpen()=" + originalValue);
            param.setResult(false);
        }
    };
    findAndHookMethod(switchConfigClass, "isGlobalSpdySwitchOpen", spdyHook);

    XC_MethodHook spdySslHook = new XC_MethodHook() {
        @Override
        protected void afterHookedMethod(MethodHookParam param) throws Throwable {
            super.afterHookedMethod(param);
            Boolean originalValue = (Boolean) param.getResult();
            log("SwitchConfig.isGlobalSpdySslSwitchOpen()=" + originalValue);
            param.setResult(false);
            // NOTE(review): hookSignRequest is not part of this listing. It is invoked
            // every time the hooked getter returns; whether repeated calls are
            // intended should be confirmed against its definition.
            hookSignRequest(classLoader);
        }
    };
    findAndHookMethod(switchConfigClass, "isGlobalSpdySslSwitchOpen", spdySslHook);
}
抓到包之后,我们发现请求带有x-sign签名校验,所以还必须hook到它生成x-sign参数的地方。
我们发现它在mtopsdk.security包名下。
/**
 * Looks up the classes mtopsdk.security.b, .c, .d and .e and installs logging hooks on
 * them: getSign(HashMap, String) on "b" only, and getMtopApiSign(HashMap, String, String)
 * on every entry. The hooks log the argument count and the returned string; they do not
 * change the result.
 *
 * NOTE(review): the one-letter class names are presumably obfuscated names that can differ
 * between app builds; verify against the build under analysis.
 *
 * @param classLoader class loader used for the class lookups; also passed to hookSignRequest
 */
public void hookSign(final ClassLoader classLoader) {
String []subClassArr = {"b", "c", "d", "e"};
for (int i = 0; i < subClassArr.length; i++) {
// Despite its name, this local holds a class from mtopsdk.security, not SwitchConfig.
final Class SwitchConfig = findClassIfExists("mtopsdk.security."+subClassArr[i], classLoader);
// NOTE(review): the lookup result is not null-checked; if findClassIfExists returns null
// for a missing class, getName() below throws NullPointerException and ends the loop.
Log.i(TAG, "hookSign: find " +SwitchConfig.getName());
// hookSignRequest is not part of this listing; it is called once per loop iteration here.
hookSignRequest(classLoader);
// getSign is hooked only on the class named "b" (case-insensitive comparison).
if(subClassArr[i] .equalsIgnoreCase("b")){
findAndHookMethod(SwitchConfig, "getSign", HashMap.class, String.class, new XC_MethodHook() {
@Override
protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
super.beforeHookedMethod(param);
// Logs which class was entered and how many arguments the call received.
Log.i(TAG, "start: go into"+SwitchConfig.getName());
Log.i(TAG, "start: go into" + param.args.length);
}
@Override
protected void afterHookedMethod(MethodHookParam param) throws Throwable {
super.afterHookedMethod(param);
// The returned value is passed to log() in plain text; log() is defined outside this listing.
String sign = (String) param.getResult();
log("SwitchConfig.hookSign()=" + sign);
}
});
}
// getMtopApiSign is hooked on every class in subClassArr.
findAndHookMethod(SwitchConfig, "getMtopApiSign", HashMap.class, String.class, String.class, new XC_MethodHook() {
@Override
protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
super.beforeHookedMethod(param);
Log.i(TAG, "start: go into"+SwitchConfig.getName());
Log.i(TAG, "start: go into" + param.args.length);
Log.i(TAG, "start: go into");
}
@Override
protected void afterHookedMethod(MethodHookParam param) throws Throwable {
super.afterHookedMethod(param);
String sign = (String) param.getResult();
// NOTE(review): hookSignRequest runs again after every getMtopApiSign call, in addition
// to the call made in the loop above; confirm that repeated invocation is intended.
hookSignRequest(classLoader);
// The returned value is passed to log() in plain text, as in the getSign hook.
log("SwitchConfig.hookSign()=" + sign);
}
});
}
}