Unresolved
[Help] Confused about capturing an HTTPS mutual-TLS connection with Frida to get the body: I never get the content
20 Xuebi (bounty)
Background: a certain app uses a mutual-TLS (two-way authenticated) connection, and I want to obtain the raw request and response content. I have confirmed that Reqable/Charles cannot capture it directly; presumably the server side aborts the connection because it does not receive the client certificate.
Also, the app may obtain the certificate dynamically, so for now I have not gone down the path of extracting the client certificate and then capturing packets; instead I decided to use Frida to get the content directly.
Now to the actual work: using Frida hooks to get the raw content. I confirmed that it is okhttp3 and obfuscated, and the Frida script can already hook the request/response classes normally.
=============================================================
The request's method/url/header can all be obtained normally, e.g.:
[REQUEST] [method()] Method: POST
[REQUEST] [url()] URL: 447K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6#2M7r3c8S2N6r3g2Q4x3X3g2^5P5s2S2Q4x3X3g2&6P5i4W2Q4x3V1k6#2M7r3c8S2N6r3g2Q4x3V1k6r3d9f1I4q4i4K6u0V1x3U0l9J5y4U0l9#2x3o6p5`.
[REQUEST] [body()] RequestBody: null
[REQUEST] [header(Host)] Value: update.xxx.yyy
[REQUEST] [header(Connection)] Value: keep-alive
[REQUEST] [header(Accept-Encoding)] Value: gzip, deflate
[REQUEST] [body()] RequestBody: okhttp3.internal.f.f@29141fd
==============================================================
The response's code/header can also be obtained normally:
[RESPONSE] [code()] Status: 200
[RESPONSE] [headers()] server: nginx
date: Tue, 02 Jun 2026 09:10:06 GMT
content-type: application/json
x-frame-options: SAMEORIGIN
content-language: zh-cn
content-encoding: gzip
expires: Tue, 02 Jun 2026 10:10:06 GMT
cache-control: max-age=3600
eleme: HIT
access-control-allow-origin: *
[RESPONSE] [body()] ResponseBody: okhttp3.internal.c.h@bad7fa8
Question 1: as you can see, for both the request and the response what gets printed is the object. Which method should I use to print the content? I have looked at many methods and none of them outputs it correctly.
Taking the response as an example, the original retrieval code is:
var Response = Java.use("okhttp3.ab"); // obfuscated okhttp3.Response
// logResponse is the poster's logging helper, defined elsewhere in the same Frida script
Response.c.overload().implementation = function() { // c() = code()
    var code = this.c();
    logResponse("[code()] Status: " + code);
    return code;
};
Response.e.overload().implementation = function() { // e() = message()
    var message = this.e();
    logResponse("[message()] Message: " + message);
    return message;
};
Response.g.overload().implementation = function() { // g() = headers()
    var headers = this.g();
    logResponse("[headers()] " + (headers ? headers.toString() : "null"));
    return headers;
};
Response.h.overload().implementation = function() { // h() = body(); toString() only prints the object
    var body = this.h();
    logResponse("[body()] ResponseBody: " + (body ? body.toString() : "null"));
    return body;
};
Question 2: since the obfuscated okhttp3 code is hard to analyse, I found an unobfuscated build of the same version for comparison and located the Request and Response classes without trouble, but I found that some methods and classes do not exist in the obfuscated code. Is that normal? Does the obfuscation tool strip out code that is not used?
@Nullable
/* renamed from: a */
public String m1093a(String str, String str2) {
    String m510a = this.f8914f.m510a(str);
    return m510a != null ? m510a : str2;
}

/* renamed from: g */
public C4564r m1087g() {
    return this.f8914f;
}

@Nullable
/* renamed from: h */
public AbstractC4412ac m1086h() {
    return this.f8915g;
}
@Nullable
public String header(String name, @Nullable String defaultValue) {
    String result = this.headers.get(name);
    return result != null ? result : defaultValue;
}

public Headers headers() {
    return this.headers;
}

public ResponseBody peekBody(long byteCount) throws IOException {
    Buffer result;
    BufferedSource source = this.body.source();
    source.request(byteCount);
    Buffer copy = source.buffer().clone();
    if (copy.size() > byteCount) {
        result = new Buffer();
        result.write(copy, byteCount);
        copy.clear();
    } else {
        result = copy;
    }
    return ResponseBody.create(this.body.contentType(), result.size(), result);
}

@Nullable
public ResponseBody body() {
    return this.body;
}
For example, in this snippet a is certainly String header / g is Headers headers / h is ResponseBody body, but ResponseBody peekBody is gone in the obfuscated code.
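An added example (not code from the original post, OkHttp or Frida) of a Frida hook that reads the response body without consuming it, using the same clone trick the unobfuscated peekBody() above relies on, and un-gzips it where needed: because the app sets Accept-Encoding itself, OkHttp does not decompress transparently, so the raw bytes are still gzip, which matches the "content-encoding: gzip" header in the post. It assumes "okhttp3.ab" and h() from the post, uses SOURCE_METHOD as a placeholder for the obfuscated name of ResponseBody.source(), and assumes okio's Buffer method names are not obfuscated.

```javascript
// Added example, not the poster's code. Frida hook that peeks an OkHttp ResponseBody
// (okio clone, like peekBody()) and gunzips it when content-encoding says gzip.
var RESPONSE_CLASS = "okhttp3.ab"; // from the post: obfuscated okhttp3.Response
var BODY_METHOD = "h";             // from the post: h() = body()
var SOURCE_METHOD = "c"; // PLACEHOLDER (assumption): obfuscated name of ResponseBody.source(), confirm in jadx
// ---- Pure JS helpers: run under Node (for testing) and under Frida alike ----
function contentEncoding(headerText) {
  // headerText is headers().toString(): one "name: value" pair per line
  var m = /^content-encoding:\s*(\S+)/im.exec(headerText);
  return m ? m[1].toLowerCase() : "identity";
}
function isGzipMagic(b) { return b.length >= 2 && b[0] === 0x1f && b[1] === 0x8b; }
// bytes: unsigned byte values; inflate(bytes) is supplied by the caller so the decision stays runtime-independent
function decodeBody(bytes, headerText, inflate) {
  if (contentEncoding(headerText) === "gzip" || isGzipMagic(bytes)) return inflate(bytes);
  return bytes;
}
function bytesToString(bytes) { // UTF-8 decode without relying on TextDecoder
  var s = "";
  for (var i = 0; i < bytes.length; i++) s += String.fromCharCode(bytes[i] & 0xff);
  try { return decodeURIComponent(escape(s)); } catch (e) { return s; }
}
// ---- Frida part: only runs inside the Frida Java bridge ----
function gunzipWithJava(bytes) {
  var signed = bytes.map(function (b) { return b > 127 ? b - 256 : b; }); // Java byte is signed
  var Bais = Java.use("java.io.ByteArrayInputStream");
  var gin = Java.use("java.util.zip.GZIPInputStream").$new(Bais.$new(Java.array("byte", signed)));
  var out = [], b;
  while ((b = gin.read()) !== -1) out.push(b); // one byte per call: short, fine for JSON-sized bodies
  return out;
}
if (typeof Java !== "undefined") {
  Java.perform(function () {
    var Response = Java.use(RESPONSE_CLASS);
    Response[BODY_METHOD].overload().implementation = function () {
      var body = this[BODY_METHOD]();
      if (body !== null) {
        var source = body[SOURCE_METHOD]();   // okio.BufferedSource
        source.request(0x7fffffff);           // pull the whole body into okio's buffer
        var raw = source.buffer().clone().readByteArray(); // clone, so the app still gets its bytes
        var bytes = Array.prototype.map.call(raw, function (b) { return b & 0xff; });
        console.log("[RESPONSE] body: " + bytesToString(decodeBody(bytes, this.g().toString(), gunzipWithJava)));
      }
      return body;
    };
  });
}
```

For the request side the same clone approach applies to RequestBody.writeTo() with an okio.Buffer as the sink, once its obfuscated name has been mapped in jadx.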