抓包进阶之通杀okhttp证书

三层检验

okhttp在客户端有三种检验证书方法
证书验证sslSocketFactory
证书锁定certificatePinner
域名验证hostmaneVerfier

如何做到通杀？
三个检验方法都基于 OkHttpClient.Builder()
要先找到 OkHttpClient，由于经过混淆的，无法直接定位

步骤

先把内存中的类的存到数组

var classesNames = new Array()   // 存放加载的类

// 1.把已经加载内存中的类枚举出来，存到一个数组里
function loadClasses(){
    Java.perform(function (){
        Java.enumerateLoadedClasses({
            onMatch: function(clsName, handle){
                classesNames.push(clsName);
                console.log(clsName)
            },
            onComplete: function(){
                console.log("Search Class Completed!");
            }
        })
    })
}


function main(){
    loadClasses()
}
setImmediate(main)

查找 okhttp3.OkHttpClient类和证书CertificatePinner类

function findOkhttpClass(){
    Java.perform(function (){
        var Modifier = Java.use("java.lang.reflect.Modifier")  // 反射框架，可以提供类的一些属性，例如是不是final，sttic等
		// 判断类是否是OkhttpClient
        function isOkhttpClient(clsName){
			// Okhttp3.OkHttpClient
            if(clsName.split('.').length != 2){
                return false;
            }
            
            try{
                var cls = Java.use(clsName)
                var interfaces = cls.class.getInterfaces()  // 通过反射获得当前类的一些接口
                const count = interfaces.length
                //console.log(count)
				// 当前类如果实现的接口小于2，就不是，okhttp实现的接口Cloneable, Call.Factory, WebSocket.Factory 
                if(count < 2){
                    return false
                }
                var flag = false
				// 对实现的接口进行遍历，进行判断
                for(var i = 0; i < count; i++){
                    var interface_ = interfaces[i]
                    var interface_name = interface_.getName()
                    
                    if(interface_name.indexOf("Cloneable") > 0){
                        flag = true
                    }else{
                        if(interface_name.indexOf("$") <= 0){  // 内部类Call.Factory
                            return false
                        }
                    }
                }
                if(!flag) return false;
                
				// 过滤当前类没有内部类
                if(cls.class.getDeclaredClasses().length < 1){
                    return false
                }
				// 过滤父类不是Object，OkHttpClient没有继承其他类
                if(cls.class.getSuperclass().getName() != 'java.lang.Object'){
                    return false
                }
                
            }catch(e){
                return false
            }
            return true;
        }

        function isCertificatePinner(clsName,prefix){
            // prefix=Okhttp3.
			// CertificatePinner类
            if(!clsName.startsWith(prefix)){
                return false
            }

            if(clsName.indexOf("$") > 0){
                return false
            }
            
            if(clsName.split('.').length != 2){
                return false;
            }

            var cls = Java.use(clsName)
            if(cls.class.isInterface()){
                return false
            }

            
            if(cls.class.getInterfaces().length > 0){
                return false
            }

         
            if(cls.class.getDeclaredClasses().length < 1){
                return false
            }
            
            if(cls.class.getSuperclass().getName() != "java.lang.Object"){
                return false
            }
			// 类属性是否有Final
            if(!Modifier.isFinal(cls.class.getModifiers())){
                return false
            }
            var flag = false
			// 获得所有方法，然后遍历
            var methods = cls.class.getDeclaredMethods()
            for(var i = 0; i < methods.length; i++){
                var method = methods[i]
				// 过滤方法没有参数的
                if(method.getParameterCount() < 1){
                    continue
                }
				// 方法的第一个参数是java.security.cert.Certificate
                if(method.getParameterTypes()[0].getName() == "java.security.cert.Certificate"){
                    flag = true
                    break
                }
            }
            if(!flag) return false

            flag = false
			// 获取类的所有成员变量
            var fields = cls.class.getDeclaredFields()
			// 类包含set集合
            for(var k = 0; k < fields.length; k++){
                var field = fields[k];
                if(field.getType().getName() == "java.util.Set"){
                    flag = true
                    break
                }
            }
            if(!flag) return false

            console.log(clsName)
            return true
        }
    
        for(var i = 0; i < classesNames.length; i++){
			// 如果类名是OkhttpClient，就保存为变量
            if(isOkhttpClient(classesNames[i])){
                OkhttpClientClassName = classesNames[i]
                //console.log(OkhttpClientClassName)
                var splits = classesNames[i].split('.')
                var len = splits.length
                for(var j = 0; j < len-1; j++){
					// Okhttp3.OkHttpClient
                    prefix = prefix + splits[j] + '.'  // 当前包名的一个前缀，prefix=Okhttp3.
                }
            }
        }
        // 找CertificatePinner类
        for(var i = 0; i < classesNames.length; i++){
            if(isCertificatePinner(classesNames[i],prefix)){
                CertificatePinnerClassName = classesNames[i]
                //console.log(CertificatePinnerClassName)
            }
        }

        console.error("Found Class: "+classesNames.length)
        console.error("Okhttp's package prefix: "+prefix)
        console.error("Find the OkhttpClient: "+OkhttpClientClassName)
        console.error("Find the OkhttpCertificatePinner: "+CertificatePinnerClassName)

        if(OkhttpClientClassName == "" || CertificatePinnerClassName == "" || prefix == ""){
            console.error("Can't find the okhttp class")
        }
    })
}

attach模式运行

找到之后进行hook

找builder内部类

function hook(){
    Java.perform(function (){
        var Modifier = Java.use("java.lang.reflect.Modifier")
        //TrustAllManager，自定义类，hook方法置空，什么都不干
        var TrustAllManagerClass = Java.registerClass({
            name: "TrustAllManager",
            implements:[Java.use("javax.net.ssl.X509TrustManager")],
            methods: {
                checkClientTrusted(chain, authType) {
                    console.log("checkClientTrusted Called!!")
                },
                checkServerTrusted(chain, authType) {
                    console.log("checkServerTrusted Called!!")
                },
                getAcceptedIssuers() {
                  return [];
                },
              }
        })
        var trustAllManagerHandle = TrustAllManagerClass.$new()
		// 仿造
		// SSLContext context = SSLContext.getInstance("TLS");
        // context.init(null, trustManagers ,new SecureRandom());
        // SSLSocketFactory factory = context.getSocketFactory();
        var sslContext = Java.use("javax.net.ssl.SSLContext").getInstance("TLS")
        sslContext.init(null,Java.array("Ljavax.net.ssl.X509TrustManager;",[trustAllManagerHandle]),null)
        var sslSocketFactory = sslContext.getSocketFactory()

        //HostnameVerify，自定义类
        var MyHostnameVerify = Java.registerClass({
            name: "MyHostnameVerify",
            implements:[Java.use("javax.net.ssl.HostnameVerifier")],
            methods: {
                verify(hostname, session){
                    console.log(hostname)
                    return true
                }
            }
        })
        var myHostnameVerifyHandle = MyHostnameVerify.$new()
		
		// 已经拿到okhttp3.OkHttpClient，拿它的内部类builder
        var BuilderClassName = Java.use(OkhttpClientClassName).class.getDeclaredClasses()[0].getName()
        var OkhttpClient$Buidler = Java.use(BuilderClassName)
		// 通过反射获取builder的所有方法
        var methods = OkhttpClient$Buidler.class.getDeclaredMethods()
        
        for(var i = 0; i < methods.length; i++){
            var method = methods[i]
			// 过滤方法没有参数的，目标方法都有参数
			// builder.sslSocketFactory(factory, (X509TrustManager) trustManagers[0]);
			// builder.certificatePinner(cerBuilder.build());
			// builder.hostnameVerifier(new HostnameVerifier(){})；
            if(method.getParameterCount() < 1){
                continue
            }
			// 第一道校验，第一个参数的类名是javax.net.ssl.SSLSocketFactory就进行hook，参数替换为自定义参数
            if(method.getParameterTypes()[0].getName() == "javax.net.ssl.SSLSocketFactory"){
                var sslSocketFacotryMethodName  = method.getName()
				// 获取该方法的重载个数
                var len = OkhttpClient$Buidler[sslSocketFacotryMethodName].overloads.length
				// 遍历重载
                for(var j = 0; j < len; j++){
                    OkhttpClient$Buidler[sslSocketFacotryMethodName].overloads[j].implementation = function(SSLSocketFactory){
						// 把参数替换为自定义的类
                        arguments[0] = sslSocketFactory
                        return this[sslSocketFacotryMethodName].apply(this,arguments)
                    }
                }
                console.log(sslSocketFacotryMethodName,"Hooked!")
            }
			// 第三道校验，第一个参数是javax.net.ssl.HostnameVerifier就进行hook，参数替换为自定义参数
            if(method.getParameterTypes()[0].getName() == "javax.net.ssl.HostnameVerifier"){
                var hostnameVerifierMethodName = method.getName()
                
                var len = OkhttpClient$Buidler[hostnameVerifierMethodName].overloads.length
                for(var j = 0; j < len; j++){
                    OkhttpClient$Buidler[hostnameVerifierMethodName].overloads[j].implementation = function(hostnameVerifier){
                        arguments[0] = myHostnameVerifyHandle
                        return this[hostnameVerifierMethodName].apply(this,arguments)
                    }
                }
                console.log(hostnameVerifierMethodName, "Hooked!")
            }
			// 第二到校验，参数替换为它默认的，builder.certificatePinner(cerBuilder.build());
			// 默认public static final CertificatePinner DEFAULT = new Builder().build();
            if(method.getParameterTypes()[0].getName() == CertificatePinnerClassName){
                var CertificatePinnerClass = Java.use(CertificatePinnerClassName)
                var certificatePinnerMethodName = method.getName()
                var len = OkhttpClient$Buidler[certificatePinnerMethodName].overloads.length
                for(var j = 0; j < len; j++){
                    OkhttpClient$Buidler[certificatePinnerMethodName].overloads[j].implementation = function(){
                        console.log("certificatePinner add called!")
						// 拿到所有的域，遍历
                        var fields = CertificatePinnerClass.class.getDeclaredFields()
                        for(var k = 0; k < fields.length; k++){
                            var field = fields[k];
                            var modifiers = field.getModifiers()
							// public static final CertificatePinner DEFAULT = new Builder().build();
                            if(Modifier.isFinal(modifiers) && Modifier.isStatic(modifiers) && Modifier.isPublic(modifiers)){
                                arguments[0] = field.get(CertificatePinnerClass.class)
                            }
                        }
                        return this[certificatePinnerMethodName].apply(this,arguments)
                    }
                }
                console.log( method.getName(),"Hooked!")
            }
        }

        var CertificatePinnerClass = Java.use(CertificatePinnerClassName)
        var methods = CertificatePinnerClass.class.getDeclaredMethods()
        for (var i = 0; i < methods.length; i++){
            var method = methods[i]
            if(method.getReturnType().getName() == 'void'){
                var methodName = method.getName()
                console.log(methodName+" Hooked!")
                var m_len = CertificatePinnerClass[methodName].overloads.length
                
                for (var j = 0; j < m_len; j++){
                    if(CertificatePinnerClass[methodName].overloads[j].returnType.name == 'V'){
                        CertificatePinnerClass[methodName].overloads[j].implementation = function(){
                            console.log("certificatePinner check called!")
                        }   
                    }
                }
            }
        }
		
    })
}

运行

使用spwan模式主动加载类名

function loadOkhttpClient(){
    Java.perform(function (){
        try{
            // 把找到的类名替换这里
            Java.use("okhttp3.OkHttpClient")
        }catch(e){
            //console.error(e)
        }
    })
    
}

测试

滴答清单app

完整代码

var classesNames = new Array()  // 存放加载的类
var OkhttpClientClassName = ""
var CertificatePinnerClassName = ""
var prefix = ""

function loadOkhttpClient(){
    Java.perform(function (){
        try{
            Java.use("q.x")
        }catch(e){
            //console.error(e)
        }
    })
    
}
// 1.把已经加载内存中的类枚举出来，存到一个数组里
function loadClasses(){
    Java.perform(function (){
        Java.enumerateLoadedClasses({
            onMatch: function(clsName, handle){
                classesNames.push(clsName)
            },
            onComplete: function(){
                console.log("Search Class Completed!")
            }
        })
    })
}

function findOkhttpClass(){
    Java.perform(function (){
        var Modifier = Java.use("java.lang.reflect.Modifier")  // 反射框架，可以提供类的一些属性，例如是不是final，sttic等
		// 判断类是否是OkhttpClient
        function isOkhttpClient(clsName){
			// Okhttp3.OkHttpClient
            if(clsName.split('.').length != 2){
                return false;
            }
            
            try{
                var cls = Java.use(clsName)
                var interfaces = cls.class.getInterfaces()  // 通过反射获得当前类的一些接口
                const count = interfaces.length
                //console.log(count)
				// 当前类如果实现的接口小于2，就不是，okhttp实现的接口Cloneable, Call.Factory, WebSocket.Factory 
                if(count < 2){
                    return false
                }
                var flag = false
				// 对实现的接口进行遍历，进行判断
                for(var i = 0; i < count; i++){
                    var interface_ = interfaces[i]
                    var interface_name = interface_.getName()
                    
                    if(interface_name.indexOf("Cloneable") > 0){
                        flag = true
                    }else{
                        if(interface_name.indexOf("$") <= 0){  // 内部类Call.Factory
                            return false
                        }
                    }
                }
                if(!flag) return false;
                
				// 过滤当前类没有内部类
                if(cls.class.getDeclaredClasses().length < 1){
                    return false
                }
				// 过滤父类不是Object，OkHttpClient没有继承其他类
                if(cls.class.getSuperclass().getName() != 'java.lang.Object'){
                    return false
                }
                
            }catch(e){
                return false
            }
            return true;
        }

        function isCertificatePinner(clsName,prefix){
            // prefix=Okhttp3.
			// CertificatePinner类
            if(!clsName.startsWith(prefix)){
                return false
            }

            if(clsName.indexOf("$") > 0){
                return false
            }
            
            if(clsName.split('.').length != 2){
                return false;
            }

            var cls = Java.use(clsName)
            if(cls.class.isInterface()){
                return false
            }

            
            if(cls.class.getInterfaces().length > 0){
                return false
            }

         
            if(cls.class.getDeclaredClasses().length < 1){
                return false
            }
            
            if(cls.class.getSuperclass().getName() != "java.lang.Object"){
                return false
            }
			// 类属性是否有Final
            if(!Modifier.isFinal(cls.class.getModifiers())){
                return false
            }
            var flag = false
			// 获得所有方法，然后遍历
            var methods = cls.class.getDeclaredMethods()
            for(var i = 0; i < methods.length; i++){
                var method = methods[i]
				// 过滤方法没有参数的
                if(method.getParameterCount() < 1){
                    continue
                }
				// 方法的第一个参数是java.security.cert.Certificate
                if(method.getParameterTypes()[0].getName() == "java.security.cert.Certificate"){
                    flag = true
                    break
                }
            }
            if(!flag) return false

            flag = false
			// 获取类的所有成员变量
            var fields = cls.class.getDeclaredFields()
			// 类包含set集合
            for(var k = 0; k < fields.length; k++){
                var field = fields[k];
                if(field.getType().getName() == "java.util.Set"){
                    flag = true
                    break
                }
            }
            if(!flag) return false

            console.log(clsName)
            return true
        }
    
        for(var i = 0; i < classesNames.length; i++){
			// 如果类名是OkhttpClient，就保存为变量
            if(isOkhttpClient(classesNames[i])){
                OkhttpClientClassName = classesNames[i]
                //console.log(OkhttpClientClassName)
                var splits = classesNames[i].split('.')
                var len = splits.length
                for(var j = 0; j < len-1; j++){
					// Okhttp3.OkHttpClient
                    prefix = prefix + splits[j] + '.'  // 当前包名的一个前缀，prefix=Okhttp3.
                }
            }
        }
        // 找CertificatePinner类
        for(var i = 0; i < classesNames.length; i++){
            if(isCertificatePinner(classesNames[i],prefix)){
                CertificatePinnerClassName = classesNames[i]
                //console.log(CertificatePinnerClassName)
            }
        }

        console.error("Found Class: "+classesNames.length)
        console.error("Okhttp's package prefix: "+prefix)
        console.error("Find the OkhttpClient: "+OkhttpClientClassName)
        console.error("Find the OkhttpCertificatePinner: "+CertificatePinnerClassName)

        if(OkhttpClientClassName == "" || CertificatePinnerClassName == "" || prefix == ""){
            console.error("Can't find the okhttp class")
        }
    })
}

function hook(){
    Java.perform(function (){
        var Modifier = Java.use("java.lang.reflect.Modifier")
        //TrustAllManager，自定义类，hook方法置空，什么都不干
        var TrustAllManagerClass = Java.registerClass({
            name: "TrustAllManager",
            implements:[Java.use("javax.net.ssl.X509TrustManager")],
            methods: {
                checkClientTrusted(chain, authType) {
                    console.log("checkClientTrusted Called!!")
                },
                checkServerTrusted(chain, authType) {
                    console.log("checkServerTrusted Called!!")
                },
                getAcceptedIssuers() {
                  return [];
                },
              }
        })
        var trustAllManagerHandle = TrustAllManagerClass.$new()
		// 仿造
		// SSLContext context = SSLContext.getInstance("TLS");
        // context.init(null, trustManagers ,new SecureRandom());
        // SSLSocketFactory factory = context.getSocketFactory();
        var sslContext = Java.use("javax.net.ssl.SSLContext").getInstance("TLS")
        sslContext.init(null,Java.array("Ljavax.net.ssl.X509TrustManager;",[trustAllManagerHandle]),null)
        var sslSocketFactory = sslContext.getSocketFactory()

        //HostnameVerify，自定义类
        var MyHostnameVerify = Java.registerClass({
            name: "MyHostnameVerify",
            implements:[Java.use("javax.net.ssl.HostnameVerifier")],
            methods: {
                verify(hostname, session){
                    console.log(hostname)
                    return true
                }
            }
        })
        var myHostnameVerifyHandle = MyHostnameVerify.$new()
		
		// 已经拿到okhttp3.OkHttpClient，拿它的内部类builder
        var BuilderClassName = Java.use(OkhttpClientClassName).class.getDeclaredClasses()[0].getName()
        var OkhttpClient$Buidler = Java.use(BuilderClassName)
		// 通过反射获取builder的所有方法
        var methods = OkhttpClient$Buidler.class.getDeclaredMethods()
        
        for(var i = 0; i < methods.length; i++){
            var method = methods[i]
			// 过滤方法没有参数的，目标方法都有参数
			// builder.sslSocketFactory(factory, (X509TrustManager) trustManagers[0]);
			// builder.certificatePinner(cerBuilder.build());
			// builder.hostnameVerifier(new HostnameVerifier(){})；
            if(method.getParameterCount() < 1){
                continue
            }
			// 第一道校验，第一个参数的类名是javax.net.ssl.SSLSocketFactory就进行hook，参数替换为自定义参数
            if(method.getParameterTypes()[0].getName() == "javax.net.ssl.SSLSocketFactory"){
                var sslSocketFacotryMethodName  = method.getName()
				// 获取该方法的重载个数
                var len = OkhttpClient$Buidler[sslSocketFacotryMethodName].overloads.length
				// 遍历重载
                for(var j = 0; j < len; j++){
                    OkhttpClient$Buidler[sslSocketFacotryMethodName].overloads[j].implementation = function(SSLSocketFactory){
						// 把参数替换为自定义的类
                        arguments[0] = sslSocketFactory
                        return this[sslSocketFacotryMethodName].apply(this,arguments)
                    }
                }
                console.log(sslSocketFacotryMethodName,"Hooked!")
            }
			// 第三道校验，第一个参数是javax.net.ssl.HostnameVerifier就进行hook，参数替换为自定义参数
            if(method.getParameterTypes()[0].getName() == "javax.net.ssl.HostnameVerifier"){
                var hostnameVerifierMethodName = method.getName()
                
                var len = OkhttpClient$Buidler[hostnameVerifierMethodName].overloads.length
                for(var j = 0; j < len; j++){
                    OkhttpClient$Buidler[hostnameVerifierMethodName].overloads[j].implementation = function(hostnameVerifier){
                        arguments[0] = myHostnameVerifyHandle
                        return this[hostnameVerifierMethodName].apply(this,arguments)
                    }
                }
                console.log(hostnameVerifierMethodName, "Hooked!")
            }
			// 第二到校验，参数替换为它默认的，builder.certificatePinner(cerBuilder.build());
			// 默认public static final CertificatePinner DEFAULT = new Builder().build();
            if(method.getParameterTypes()[0].getName() == CertificatePinnerClassName){
                var CertificatePinnerClass = Java.use(CertificatePinnerClassName)
                var certificatePinnerMethodName = method.getName()
                var len = OkhttpClient$Buidler[certificatePinnerMethodName].overloads.length
                for(var j = 0; j < len; j++){
                    OkhttpClient$Buidler[certificatePinnerMethodName].overloads[j].implementation = function(){
                        console.log("certificatePinner add called!")
						// 拿到所有的域，遍历
                        var fields = CertificatePinnerClass.class.getDeclaredFields()
                        for(var k = 0; k < fields.length; k++){
                            var field = fields[k];
                            var modifiers = field.getModifiers()
							// public static final CertificatePinner DEFAULT = new Builder().build();
                            if(Modifier.isFinal(modifiers) && Modifier.isStatic(modifiers) && Modifier.isPublic(modifiers)){
                                arguments[0] = field.get(CertificatePinnerClass.class)
                            }
                        }
                        return this[certificatePinnerMethodName].apply(this,arguments)
                    }
                }
                console.log( method.getName(),"Hooked!")
            }
        }

        var CertificatePinnerClass = Java.use(CertificatePinnerClassName)
        var methods = CertificatePinnerClass.class.getDeclaredMethods()
        for (var i = 0; i < methods.length; i++){
            var method = methods[i]
            if(method.getReturnType().getName() == 'void'){
                var methodName = method.getName()
                console.log(methodName+" Hooked!")
                var m_len = CertificatePinnerClass[methodName].overloads.length
                
                for (var j = 0; j < m_len; j++){
                    if(CertificatePinnerClass[methodName].overloads[j].returnType.name == 'V'){
                        CertificatePinnerClass[methodName].overloads[j].implementation = function(){
                            console.log("certificatePinner check called!")
                        }   
                    }
                }
            }
        }
		
    })
}


function main(){
    loadOkhttpClient()
    loadClasses()
    findOkhttpClass()
    hook()
    
    
}
setImmediate(main)