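We often need to crawl data from a certain "Bao" e-commerce app, but Xposed tools that simply disable SSL verification capture none of its traffic. We eventually found that the app uses the SPDY protocol. To capture its packets, we only need to hook a few methods inside the app.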
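    // Xposed imports used by the snippets on this page
    import static de.robv.android.xposed.XposedBridge.log;
    import static de.robv.android.xposed.XposedHelpers.findAndHookMethod;
    import static de.robv.android.xposed.XposedHelpers.findClassIfExists;
    import de.robv.android.xposed.XC_MethodHook;

    // Inside the Xposed module class:
    public void hookNet(final ClassLoader classLoader) {
        Class<?> switchConfig = findClassIfExists("mtopsdk.mtop.global.SwitchConfig", classLoader);
        if (switchConfig == null) {
            // findClassIfExists returns null when the class is missing
            log("mtopsdk.mtop.global.SwitchConfig not found");
            return;
        }
        // Force the global SPDY switch off
        findAndHookMethod(switchConfig, "isGlobalSpdySwitchOpen", new XC_MethodHook() {
            @Override
            protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                super.afterHookedMethod(param);
                Boolean isGlobalSpdySwitchOpen = (Boolean) param.getResult();
                log("SwitchConfig.isGlobalSpdySwitchOpen()=" + isGlobalSpdySwitchOpen);
                param.setResult(false);
            }
        });
        // Force the SPDY-over-SSL switch off as well
        findAndHookMethod(switchConfig, "isGlobalSpdySslSwitchOpen", new XC_MethodHook() {
            @Override
            protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                super.afterHookedMethod(param);
                Boolean isGlobalSpdySslSwitchOpen = (Boolean) param.getResult();
                log("SwitchConfig.isGlobalSpdySslSwitchOpen()=" + isGlobalSpdySslSwitchOpen);
                param.setResult(false);
                // hookSignRequest is not shown on this page
                hookSignRequest(classLoader);
            }
        });
    }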
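We can now capture its traffic, but the requests are validated with an x-sign signature, so we have to hook the code that generates the x-sign parameter.
We found that it lives under the mtopsdk.security package.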
    import android.util.Log;
    import java.util.HashMap;

    // TAG is a String constant of the module class (not shown on this page)
    public void hookSign(final ClassLoader classLoader) {
        String[] subClassArr = {"b", "c", "d", "e"};
        for (int i = 0; i < subClassArr.length; i++) {
            final Class<?> signClass = findClassIfExists("mtopsdk.security." + subClassArr[i], classLoader);
            if (signClass == null) {
                // findClassIfExists returns null when the class is missing; skip it
                Log.i(TAG, "hookSign: mtopsdk.security." + subClassArr[i] + " not found");
                continue;
            }
            Log.i(TAG, "hookSign: find " + signClass.getName());
            // hookSignRequest is not shown on this page
            hookSignRequest(classLoader);
            if (subClassArr[i].equalsIgnoreCase("b")) {
                // Log the return value of getSign(HashMap, String)
                findAndHookMethod(signClass, "getSign", HashMap.class, String.class, new XC_MethodHook() {
                    @Override
                    protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                        super.beforeHookedMethod(param);
                        Log.i(TAG, "start: go into" + signClass.getName());
                        Log.i(TAG, "start: go into" + param.args.length);
                    }

                    @Override
                    protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                        super.afterHookedMethod(param);
                        String sign = (String) param.getResult();
                        log("SwitchConfig.hookSign()=" + sign);
                    }
                });
            }
            // Log the return value of getMtopApiSign(HashMap, String, String)
            findAndHookMethod(signClass, "getMtopApiSign", HashMap.class, String.class, String.class, new XC_MethodHook() {
                @Override
                protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                    super.beforeHookedMethod(param);
                    Log.i(TAG, "start: go into" + signClass.getName());
                    Log.i(TAG, "start: go into" + param.args.length);
                    Log.i(TAG, "start: go into");
                }

                @Override
                protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                    super.afterHookedMethod(param);
                    String sign = (String) param.getResult();
                    hookSignRequest(classLoader);
                    log("SwitchConfig.hookSign()=" + sign);
                }
            });
        }
    }
If you are interested in this, feel free to contact me.