引言:
之前的教程发了小黄鸟也就是httpcanary 实时抓包怎么转发到Fiddler。有粉丝说不能实时显示,好,我现在教你怎么实时显示出来。
1分析
- 通过写插件,感觉也不靠谱,也没有官方文档,怎么写插件,怎么取数据等,放弃
- 修改小黄鸟代码,想怎么来就怎么来。靠谱
2具体实现
- 修改小黄鸟,
GDA 静态直接分析,一看代码,糟糕,字符串加密了,也是用StringFog, 好直接上一起的代码,先重新翻译下。现在可以中hcy 字样,为啥是这个, 其他逻辑我没有去看,我只知道,他的抓包会生成hcy文件,他应该是处理这个hcy文件的。
Python 改StringFog 代码
import os
import re
import frida
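# Handle to a remote (network) device. It is assigned here but not referenced
# anywhere in this listing.
rdev = frida.get_remote_device()

# Attach to the running HttpCanary app over USB. The argument is presumably
# frida's device-discovery timeout in seconds.
process = frida.get_usb_device(10).attach('HttpCanary')

# Agent script. It exposes the app's own StringFog decrypt routine,
# com.guoshi.httpcanary.b.a(String), as the RPC export ``xx`` so the host side
# can turn each encrypted literal found in the decompiled source back into
# plaintext.
scr = """
rpc.exports = {
xx:function(arg){
var res;
Java.perform(function () {
// 包.类
res = Java.use("com.guoshi.httpcanary.b").a(arg)
// 类中的方法
/// res = Crypt.encrypt_data(j2,str,j3);
});
return res;
}
}
"""
script = process.create_script(scr)
script.load()

# Matches one StringFog call site, ``b.a("<base64 payload>"``, up to but not
# including the closing parenthesis. Raw string: the original plain string
# relied on ``\.``, ``\(`` and ``\+`` being passed through untouched, which
# newer Python versions flag as invalid escape sequences.
pattern = re.compile(r'b\.a\("[a-zA-Z0-9=\+/]+"')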
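def _java_string_escape(text):
    """Escape *text* so it can be embedded between the quotes of a Java string literal.

    Backslashes are handled first so the escapes added for the other
    characters are not doubled.
    """
    return (
        text.replace('\\', '\\\\')
        .replace('"', '\\"')
        .replace('\n', '\\n')
        .replace('\r', '\\r')
        .replace('\t', '\\t')
    )


def hand(arg):
    """Rewrite every StringFog call site in the file at *arg* with its plaintext.

    The file is read as UTF-8, each ``b.a("<payload>")`` match is decrypted by
    the app's own routine through the frida RPC export ``xx``, and the whole
    call is replaced by a Java string literal. The file is only written back
    when at least one match was found. Any failure is printed and swallowed so
    a directory walk can carry on with the next file.

    Args:
        arg: path of the decompiled Java source file to rewrite in place.
    """
    try:
        with open(arg, "r", encoding='utf-8') as src:
            cont = src.read()

        exist = False
        org = cont
        for match in pattern.finditer(cont):
            exist = True
            oldstr = match.group()
            # The match is ``b.a("<payload>"``: the payload is the second
            # '"'-delimited piece.
            tmp = oldstr.split('"')[1]
            res = script.exports.xx(tmp)
            # The plaintext goes back into Java source as a literal, so quotes,
            # backslashes and line breaks must be escaped or the rewritten
            # file no longer parses.
            tmpres = '"' + _java_string_escape(res) + '"'
            # The closing parenthesis is outside the match; add it back so the
            # whole call expression is replaced.
            org = org.replace(oldstr + ')', tmpres)

        if exist:
            print("orgdd:" + org)
            print(arg)
            with open(arg, "w", encoding='utf-8') as dst:
                dst.write(org)
    except Exception as e:
        # Best-effort per file: report the problem and let the caller continue.
        print(arg + " " + str(e))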
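def list_files_in_directory(directory):
    """Run ``hand`` on every regular file below *directory*, recursively.

    ``os.walk`` already descends into every sub-directory, so the directory
    entries themselves need no separate handling.

    Args:
        directory: root of the tree to process.
    """
    for root, _dirs, files in os.walk(directory):
        for name in files:
            hand(os.path.join(root, name))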
# Root of the decompiled source tree that is rewritten in place.
directory_to_traverse = "D:/httpcananry/src"

# Walk the tree and decrypt every StringFog call site found in it.
list_files_in_directory(directory=directory_to_traverse)
2,
逆向小黄鸟,修改smali 文件,直接重新打包
修改小黄鸟代码
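package com.guoshi.httpcanary.db;

import com.com.guoshi.httpcanary.capture.HttpUtils;

import java.io.BufferedReader;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.InputStreamReader;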
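public class HttpCaptureRecord {
    private String reqFilePath;
    private String resFilePath;

    /** Stores the request file path and forwards that file's contents. */
    public void setReqFilePath(String p0) {
        this.reqFilePath = p0;
        captureFile(p0);
    }

    /** Stores the response file path and forwards that file's contents. */
    public void setResFilePath(String p0) {
        this.resFilePath = p0;
        captureFile(p0);
    }

    /**
     * Reads {@code filename} and POSTs its contents to the collector.
     *
     * <p>The file is read on the calling thread; only the upload runs on a
     * background thread. Lines are concatenated without their separators,
     * which is lossless only for newline-insensitive payloads such as JSON —
     * TODO confirm the capture file format. The reader uses the platform
     * default charset, as the original did.
     *
     * @param filename path of the capture file to forward
     * @throws RuntimeException if the file cannot be read
     */
    private void captureFile(String filename) {
        final StringBuilder sb = new StringBuilder();
        // try-with-resources closes the reader even when readLine() throws;
        // the original only closed it on the success path.
        try (BufferedReader reader = new BufferedReader(
                new InputStreamReader(new FileInputStream(filename)))) {
            String line;
            while ((line = reader.readLine()) != null) {
                sb.append(line);
            }
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
        // NOTE(review): the collector URL is plain HTTP on a hard-coded LAN
        // address, so the captured traffic leaves the device unencrypted;
        // keep the collector on a trusted network segment.
        final String payload = sb.toString();
        new Thread(new Runnable() {
            @Override
            public void run() {
                // The response is ignored, as in the original.
                HttpUtils.PostJson2("http://192.168.0.11:5002/upload", payload, "");
            }
        }).start();
    }
}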
Apktool 命令直接重新编译
3直接转发到python 服务
Python服务代码
from flask import Flask, request, jsonify
# The WSGI application that receives the forwarded capture records.
app = Flask(import_name=__name__)
import requests
import json
@app.route('/upload', methods=['POST', 'GET'])
def enc():
    """Receive one forwarded capture record and acknowledge it.

    The JSON body is parsed and echoed to the console, which is what the
    "live display" amounts to here. Any failure, including a body that is
    not JSON, is printed and answered with ``code`` 0.

    Returns:
        A JSON response: ``{"code": 1}`` on success, otherwise the
        ``data``/``msg``/``code`` triple with ``code`` 0.
    """
    try:
        print("begin upload")
        payload = request.get_json()
        print(payload)
        return jsonify({'code': 1})
    except Exception as err:
        print(err)
        return jsonify({'data': '', 'msg': '加密异常', 'code': 0})
def main():
    """Start the collector on all interfaces, port 5003.

    NOTE(review): the patched HttpCaptureRecord earlier on this page posts to
    port 5002, so one of the two numbers has to change before an upload
    reaches this handler. Binding 0.0.0.0 exposes the unauthenticated endpoint
    to the whole LAN; bind this machine's own LAN address instead if only the
    phone needs to reach it.
    """
    bind_host = '0.0.0.0'
    bind_port = 5003
    app.run(host=bind_host, port=bind_port)
# Only start the server when this file is executed directly, not on import.
if __name__ == '__main__':
    main()