siyujie / OkHttpLogger-Frida

A Frida script for intercepting okhttp

switchLoader("okhttp3.x") problem

jimmy0435 opened this issue

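I'm not quite sure whether I'm using this correctly, so I'd like to ask.

After starting Frida, because the target app is obfuscated, I used Find() to look up the class names.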

var Cls_CallBack = "okhttp3.f";
var Cls_OkHttpClient = "okhttp3.x";
var Cls_Request = "okhttp3.aa";
var Cls_Response = "okhttp3.ac";
...

Then I used the switchLoader method to switch the class, but it seems to have failed.

[Google Pixel::com.xxx.xxx]-> switchLoader("okhttp3.x")
Error: java.lang.ClassNotFoundException: Didn't find class "okhttp3.x" on path: DexPathList[[dex file "/data/local/tmp/okhttpfind.dex"],nativeLibraryDirectories=[/system/lib, /vendor/lib]]

Switch ClassLoader To :  dalvik.system.PathClassLoader[DexPathList[[zip file "/data/app/com.xxx.xxx-1/base.apk"],nativeLibraryDirectories=[/data/app/com.xxx.xxx-1/lib/arm, /data/app/com.xxx.xxx-1/base.apk!/lib/armeabi-v7a, /system/lib, /vendor/lib]]]


Switch ClassLoader Complete !

[Google Pixel::com.xxx.xxx]-> hold()
Error: java.lang.ClassNotFoundException: Didn't find class "okhttp3.OkHttpClient" on path: DexPathList[[dex file "/data/local/tmp/okhttpfind.dex"],nativeLibraryDirectories=[/system/lib, /vendor/lib]]
    at <anonymous> (frida/node_modules/frida-java-bridge/lib/env.js:124)
    at <anonymous> (frida/node_modules/frida-java-bridge/lib/class-factory.js:443)
    at value (frida/node_modules/frida-java-bridge/lib/class-factory.js:812)
    at _make (frida/node_modules/frida-java-bridge/lib/class-factory.js:112)
    at use (frida/node_modules/frida-java-bridge/lib/class-factory.js:63)
    at use (frida/node_modules/frida-java-bridge/index.js:245)
    at <anonymous> (/okhttp_poker.js:604)
    at <anonymous> (frida/node_modules/frida-java-bridge/lib/vm.js:12)
    at perform (frida/node_modules/frida-java-bridge/index.js:192)
    at hold (/okhttp_poker.js:623)
    at <eval> (<input>:1)
    at eval (native)
    at fridaReplEvaluate (/okhttp_poker.js:800)
    at apply (native)
    at <anonymous> (frida/runtime/message-dispatcher.js:13)
    at c (frida/runtime/message-dispatcher.js:23)

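I also tried a second approach: replacing the variables in okhttp_poker.js with the results of find(). With that I can call hold() successfully and intercept HTTP packets, but the body of the intercepted response shows TypeError: not a function. I'm not sure whether I'm using it correctly; any guidance would be appreciated, thanks.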

┌────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
| URL: https://xxx.xxx.com/xxx/xxx?xxx=xxx
|
| Method: GET
|
| Request Headers: 12
|   ┌─userkey: xxx
|   ┌─areaid: 1
|   ┌─appid: 10
|   ┌─channelId: xxx
|   ┌─deviceId: xxx
|   ┌─User-Agent: xxx/5.4.5 Android/7.1.1 (Google Pixel)
|   ┌─channelid: xxx
|   ┌─useridx: xxx
|   ┌─deviceType: android
|   ┌─androidId: xxx
|   ┌─version: 5.4.5
|   └─bundleid: com.xxx.xxx
|
|--> END
|
| URL: https://xxx.xxx.xxx/xxx/xxx?xxx=xxx
|
| Status Code: 200 / OK
|
| Response Headers: 12
|   ┌─Server: nginx
|   ┌─Date: Thu, 31 Dec 2020 09:01:00 GMT
|   ┌─Content-Type: application/json; charset=utf-8
|   ┌─Content-Length: 1128
|   ┌─Connection: keep-alive
|   ┌─Cache-Control: public, max-age=446
|   ┌─Expires: Thu, 31 Dec 2020 09:09:26 GMT
|   ┌─Last-Modified: Thu, 31 Dec 2020 08:59:26 GMT
|   ┌─Vary: *
|   ┌─X-AspNetMvc-Version: 5.2
|   ┌─X-AspNet-Version: 4.0.30319
|   └─X-Powered-By: ASP.NET
|
| Response Body:
print response error : TypeError: not a function
└────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

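'switchLoader' was designed for the case where 'find' cannot get a result automatically: after obtaining the 'okhttp'-related classes through static analysis, you switch to the specified 'classloader' and then run 'find' and the subsequent operations again.
In general, the normal workflow is: 'find' -> replace -> 'hold'.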

Understood, thanks.
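
Each ClassNotFoundException in the issue names the DexPathList that was actually searched, which can be compared with the loader printed by "Switch ClassLoader To". The following is an added example, not code from the issue or from OkHttpLogger-Frida, that parses those lines and reports whether the failing lookup searched the loader that was switched to; the function names are hypothetical and the log lines are copied from the issue above.

```javascript
// Added example. Log lines copied from the issue above (package name is redacted there).
const ERR_SWITCH = `Error: java.lang.ClassNotFoundException: Didn't find class "okhttp3.x" on path: DexPathList[[dex file "/data/local/tmp/okhttpfind.dex"],nativeLibraryDirectories=[/system/lib, /vendor/lib]]`;
const ERR_HOLD = `Error: java.lang.ClassNotFoundException: Didn't find class "okhttp3.OkHttpClient" on path: DexPathList[[dex file "/data/local/tmp/okhttpfind.dex"],nativeLibraryDirectories=[/system/lib, /vendor/lib]]`;
const SWITCHED_TO = `Switch ClassLoader To :  dalvik.system.PathClassLoader[DexPathList[[zip file "/data/app/com.xxx.xxx-1/base.apk"],nativeLibraryDirectories=[/data/app/com.xxx.xxx-1/lib/arm, /data/app/com.xxx.xxx-1/base.apk!/lib/armeabi-v7a, /system/lib, /vendor/lib]]]`;

// Extract the dex/zip entries of the first DexPathList[...] found in a log line.
function parseDexPathList(text) {
  const m = /DexPathList\[\[(.*?)\],\s*nativeLibraryDirectories=/.exec(text);
  if (!m) return [];
  const entries = [];
  const re = /(dex file|zip file|directory) "([^"]+)"/g;
  let e;
  while ((e = re.exec(m[1])) !== null) {
    entries.push({ kind: e[1], path: e[2] });
  }
  return entries;
}

// Pull the missing class name and the searched path out of a ClassNotFoundException line.
function parseClassNotFound(line) {
  const m = /ClassNotFoundException: Didn't find class "([^"]+)" on path: (.*)$/.exec(line);
  if (!m) return null;
  return { className: m[1], searched: parseDexPathList(m[2]) };
}

// Compare the path searched by a failed lookup with the loader reported after switching.
function diagnose(errorLine, switchLine) {
  const err = parseClassNotFound(errorLine);
  if (!err) return null; // not a ClassNotFoundException line
  const target = parseDexPathList(switchLine).map((e) => e.path);
  const searched = err.searched.map((e) => e.path);
  const usedTargetLoader =
    target.length > 0 && target.every((p) => searched.includes(p));
  return { className: err.className, searched, target, usedTargetLoader };
}

for (const line of [ERR_SWITCH, ERR_HOLD]) {
  console.log(JSON.stringify(diagnose(line, SWITCHED_TO)));
}
```

For both errors in the issue the searched path contains only /data/local/tmp/okhttpfind.dex and not the app's base.apk, so `usedTargetLoader` is false.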