摘要:
本文介绍如何通过hook OkHttp3框架来拦截并处理应用的网络响应,特别是在某书APP中,通过深入理解Okhttp3的API,hook RealCall以获取请求和响应数据,实现关键词搜索、笔记和用户等数据的回传操作。
一、原理介绍
1、hook okhttp3类,得到接口数据;
使用Okhttp3中的call方法,在newRealCall()中初始化了RealCall,hook-okhttp3.RealCall即可拿到请求包。可以直接将关键词搜索的,笔记, 用户等多个数据进行hook回传。
2、hook headers 得到xy_common_params;
3、hook getSessionId方法 得到sid账号信息;
4、上传到数据到服务器HttpHelper类;
5、跳转至app某页面:
java"> public static void open_xhs(Context context,String pagetype,String id){String url="";if(pagetype.equals("user")){ //用户信息页url="xhsdiscover://user/"+id;///xhsdiscover://user/6226f1a200000000210234ee xhsdiscover://profile xhsdiscover://home}if(pagetype.equals("search")){ //搜索页//xhsdiscover://search/result?keyword=url="xhsdiscover://search/result?keyword="+id;}if(pagetype.equals("video_feed")){ //视频笔记页url="xhsdiscover://video_feed/"+id;}if(pagetype.equals("item")){ //笔记页url="xhsdiscover://item/"+id;}Uri uri = Uri.parse(url); Intent intent =new Intent(Intent.ACTION_VIEW,uri);;intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);context.startActivity(intent);}二、完整源代码
java">package com.coin.userinfo;import android.app.AndroidAppHelper;
import android.content.Context;
import android.content.Intent;
import android.util.Log;import android.os.Bundle;
import android.util.Base64;
import android.util.Log;
import android.widget.Toast;import org.json.JSONObject;import java.io.InputStream;
import java.lang.reflect.Field;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage;
import utils.HttpHelper;import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.net.URLEncoder;
public class MainHook implements IXposedHookLoadPackage {@Overridepublic void handleLoadPackage(XC_LoadPackage.LoadPackageParam loadPackageParam) throws Throwable {Log.i("byc","===================app-start1=========================");//XposedBridge.log("===================app-start1==========================");// 判断当前启动的目标程序是否是要hook的应用程序 技术支持:metabycf or byc6352 or 39848872if (loadPackageParam.packageName.equals("com.xingin.xhs")) {Log.i("byc","===================xhs-start=========================");//XposedBridge.log("===================xhs-Sid=========================");XposedHelpers.findAndHookMethod("com.xingin.account.entities.UserInfo", // 包名+类名loadPackageParam.classLoader,"getSessionId", // 要hook的方法名称new XC_MethodHook() {@Overrideprotected void beforeHookedMethod(MethodHookParam param) throws Throwable {super.beforeHookedMethod(param);}// hook之后@Overrideprotected void afterHookedMethod(MethodHookParam param)throws Throwable {super.afterHookedMethod(param);// 打印方法返回值信息String result = param.getResult().toString();//XposedBridge.log("====xhs-sid-Cookie:---" + result);Log.i("byc","====xhs-sid-Cookie:---" + result);}});//hook okhttp 得到接口数据Class<?> RealCall = XposedHelpers.findClass("okhttp3.RealCall", loadPackageParam.classLoader);XposedHelpers.findAndHookMethod(RealCall, // 包名+类名"execute",new XC_MethodHook() {// hook之后@Overrideprotected void afterHookedMethod(MethodHookParam param)throws Throwable {super.afterHookedMethod(param);Object result = param.getResult();
// XposedBridge.log("====param:---" + result.toString());Object request = XposedHelpers.getObjectField(result, "request");Object headers = XposedHelpers.getObjectField(request, "headers");
// XposedBridge.log("====headers:---" + headers.toString());String[] fields = (String[]) XposedHelpers.getObjectField(headers, "namesAndValues");String xy_common_params = null;for (int x = 0; x < fields.length; x = x + 1) {try {if (fields[x].equals("xy-common-params")) {xy_common_params = fields[x + 1];break;}} catch (Exception e) {e.printStackTrace();}}if (xy_common_params != null) {//XposedBridge.log("====xy-common-paramsaders:---" + xy_common_params);Log.i("byc","====xy-common-paramsaders:---" + xy_common_params);// todo 等待发送到服务端队列//}Object body = XposedHelpers.callMethod(result, "body");Object source = XposedHelpers.callMethod(body, "source");XposedHelpers.callMethod(source, "request", Long.MAX_VALUE);Object getBuffer = XposedHelpers.callMethod(source, "getBuffer");Object cloneBuffer = XposedHelpers.callMethod(getBuffer, "clone");String message = (String) XposedHelpers.callMethod(cloneBuffer, "readString", StandardCharsets.UTF_8);
// XposedBridge.log("====message:---" + message);//Log.i("byc",request.toString());//Log.i("byc", message);//关键词搜索if (result.toString().contains("search/recommend?keyword=") || result.toString().contains("search/notes?keyword=")) {// todo message//XposedBridge.log("------------search---------" + message);Log.i("byc","------------search---------");Log.i("byc",request.toString());Log.i("byc", message);//String strBase64 = Base64.encodeToString(message.getBytes(), Base64.DEFAULT);}//用户主页if (result.toString().contains("user/info?user_id=")) {//XposedBridge.log("------------user---------" + message);//Log.i("byc","------------user---------" + message);//String strBase64 = Base64.encodeToString(message.getBytes(), Base64.DEFAULT);Log.i("byc","------------user---------");upload_userinfo(message);}//详情页if (result.toString().contains("note/feed?note_id=") || result.toString().contains("note/videofeed?note_id=")) {//XposedBridge.log("------------note---------" + message);Log.i("byc","------------note---------" + message);//String strBase64 = Base64.encodeToString(message.getBytes(), Base64.DEFAULT);//xhsHttpClient(strBase64, "note");}//切换账号if (result.toString().contains("/api/sns/v4/user/login/password")) {}}});}}private void upload_userinfo(String data){try{Log.i("byc",data);JSONObject jsonObject = new JSONObject(data);String userid=jsonObject.getJSONObject("data").getString("userid");Log.i("byc",userid);String url="http://*********:10012/put/user/info?key=234181402307&user_id="+userid;HttpHelper.http_post(url,data);}catch (Exception e){Log.e("byc",e.getMessage().toString());}}}三、数据传输类
java">
package utils;import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;public class HttpHelper {/*** 获取网页HTML源代码* @param http_url 网页路径*/public static String http_get(String http_url) throws Exception {URL url=new URL(http_url);HttpURLConnection conn=(HttpURLConnection)url.openConnection();conn.setConnectTimeout(5000);conn.addRequestProperty("Connection","close");conn.setRequestMethod("GET");if(conn.getResponseCode()==200){InputStream inStream=conn.getInputStream();byte[] data=read(inStream);String html=new String(data,"UTF-8");return html;//MyLog.i("byc","ok");}return null;}/*** 读取流中的数据*/public static byte[] read(InputStream inputStream) throws IOException {ByteArrayOutputStream outputStream=new ByteArrayOutputStream();byte[] b=new byte[1024];int len=0;while((len=inputStream.read(b))!=-1){outputStream.write(b);}inputStream.close();return outputStream.toByteArray();}public static boolean http_post(String http_url,String data) {try {boolean result=false;URL url = new URL(http_url);HttpURLConnection conn = (HttpURLConnection) url.openConnection();conn.setRequestMethod("POST");conn.setRequestProperty("Connection", "close");//"close"conn.setRequestProperty("Content-Type", "application/json");conn.setDoOutput(true);conn.setDoInput(true);conn.setUseCaches(false);conn.connect();OutputStream os = conn.getOutputStream();os.write(data.getBytes(StandardCharsets.UTF_8));os.flush();os.close();int responseCode = conn.getResponseCode();if (responseCode == HttpURLConnection.HTTP_OK) {InputStream input = conn.getInputStream();StringBuilder sb = new StringBuilder();int ss;while ((ss = input.read()) != -1) {sb.append((char) ss);}MyLog.i("请求结果 = " + sb.toString());//android.util.Log.e("tag", "请求结果 = " + sb.toString());input.close();result=true;}return result;} catch (Exception e) {MyLog.i("出现异常: " + e.toString());//android.util.Log.e("tag", "出现异常: " + e.toString());//e.printStackTrace();return false;}}
}四、封面
