案例用的抖音20.3.0版本、夜神模拟器(安卓5系统),抓包工具使用的charles。
正常情况下,开启代理,打开新版抖音会提示当前无网络或者不加载数据。
Hook代码:
import frida, sys
def on_message(message, data):
print("[%s] => %s" % (message, data))
session = frida.get_usb_device().attach('com.ss.android.ugc.aweme')
js_code = """
Java.perform(function(){
console.log("1 start hook");
var ba = Java.use('org.chromium.CronetClient');
if (ba){
console.log("2 find class");
ba.tryCreateCronetEngine.implementation = function(){
return null;
}
}
})
"""
script = session.create_script(js_code)
script.on('message', on_message)
script.load()
sys.stdin.read()启动Frida。此时已经可以抓包了。
Xposed代码:
import android.content.Context;
import android.util.Log;
import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XC_MethodHook.MethodHookParam;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage.LoadPackageParam;
import java.util.concurrent.Executor;
public class HookMain implements IXposedHookLoadPackage {
public static String _tag = "sss";
public void handleLoadPackage(LoadPackageParam lpparam) throws Throwable {
if (lpparam.packageName.equals("com.ss.android.ugc.aweme")) {
Log.e(_tag, "进入抖音");
XposedHelpers.findAndHookMethod("org.chromium.CronetClient", lpparam.classLoader, "tryCreateCronetEngine", new Object[]{Context.class, Boolean.TYPE, Boolean.TYPE, Boolean.TYPE, Boolean.TYPE, String.class, Executor.class, Boolean.TYPE, new XC_MethodHook() {
/* access modifiers changed from: protected */
public void beforeHookedMethod(MethodHookParam param) throws Throwable {
Log.e(HookMain._tag, "CronetClient disable tryCreateCronetEngine");
param.setResult(null);
}
}});
}
}
}