Packet capture summary: what to do when you cannot capture an app's traffic

1. The app detects the Wi-Fi HTTP proxy

At the Java layer the app can detect a configured proxy through these two APIs:
 System.getProperty("http.proxyHost")
 System.getProperty("http.proxyPort");

How to get around it
Use a VPN instead of a Wi-Fi proxy: run a VPN app on the device and point it at Charles. Postern works well for this; it can forward the tunnel to Charles over SOCKS (enable the SOCKS proxy in Charles' proxy settings).
Why it works

A VPN operates at the network layer, not as a configured HTTP proxy, so the System property check above sees nothing and no longer trips.

Note: the Charles CA certificate must be installed into the system certificate store (apps targeting Android 7 and later do not trust user-installed CAs by default). If the app uses SSL pinning, that has to be bypassed as well.

How to bypass SSL pinning: hook the platform's server-certificate check with the Frida script below

function hook_ssl() {
    Java.perform(function() {
        var ClassName = "com.android.org.conscrypt.Platform";
        var Platform = Java.use(ClassName);
        var targetMethod = "checkServerTrusted";
        var overloads = Platform[targetMethod].overloads;
        console.log("overloads:", overloads.length);
        // forEach gives each overload its own closure, so the logged index
        // is the overload actually hit (a plain for/var loop would log the
        // final value of i for every overload)
        overloads.forEach(function (overload, i) {
            overload.implementation = function () {
                console.log("class:", ClassName, "target:", targetMethod, " i:", i, arguments);
                //printStack(ClassName + "." + targetMethod);
                // returning without calling the original skips the chain check
            };
        });
    });
}
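The Platform.checkServerTrusted hook above only silences the check on Conscrypt's socket path; an app that uses OkHttp's CertificatePinner runs its own pin check afterwards and will still reject the Charles certificate. The script below is an added example, not code from the original post: it hooks both TrustManagerImpl.verifyChain (the platform chain verification) and okhttp3.CertificatePinner.check, and only for hosts you list, so the app's other TLS connections keep their pinning. The host patterns, the assumption that OkHttp 3/4 is present (the hook is skipped if the class is absent), and the six-argument verifyChain overload found on recent Android versions are my assumptions; the hooks are installed only when the script runs under Frida, and the host-matching helpers run as plain JavaScript anywhere.

```javascript
// Added example (not from the original post): selective SSL-pinning bypass for Frida.
// Only hosts matching these patterns are bypassed (constructed for the example).
var MITM_HOST_PATTERNS = ["api.example.com", "*.cdn.example.net"];

// Matches a hostname against a pattern; a leading "*." matches exactly one extra
// label (img.cdn.example.net, but not a.b.cdn.example.net or cdn.example.net).
function hostMatches(host, pattern) {
    if (!host) return false;                     // verifyChain may receive a null host
    host = host.toLowerCase();
    pattern = pattern.toLowerCase();
    if (pattern.indexOf("*.") === 0) {
        var suffix = pattern.slice(1);           // ".cdn.example.net"
        if (host.length <= suffix.length) return false;
        if (host.slice(host.length - suffix.length) !== suffix) return false;
        var label = host.slice(0, host.length - suffix.length);
        return label.indexOf(".") === -1;        // exactly one leading label
    }
    return host === pattern;
}

function shouldBypass(host, patterns) {
    return patterns.some(function (p) { return hostMatches(host, p); });
}

function installPinningHooks() {
    Java.perform(function () {
        // Platform chain verification used by HttpsURLConnection and OkHttp alike.
        // Assumption: six-argument overload as on recent Android; adjust if Java.use
        // reports a different signature on the target device.
        var TrustManagerImpl = Java.use("com.android.org.conscrypt.TrustManagerImpl");
        TrustManagerImpl.verifyChain.overload(
            "java.util.List", "java.util.List", "java.lang.String", "boolean", "[B", "[B"
        ).implementation = function (untrustedChain, trustAnchorChain, host, clientAuth, ocspData, tlsSctData) {
            if (shouldBypass(host, MITM_HOST_PATTERNS)) {
                console.log("[pin] verifyChain bypassed for " + host);
                return untrustedChain;           // hand the unverified chain back as if it validated
            }
            return this.verifyChain(untrustedChain, trustAnchorChain, host, clientAuth, ocspData, tlsSctData);
        };

        // OkHttp's CertificatePinner runs after the platform check; skipped if OkHttp is absent.
        try {
            var CertificatePinner = Java.use("okhttp3.CertificatePinner");
            CertificatePinner.check.overload("java.lang.String", "java.util.List").implementation = function (host, certs) {
                if (shouldBypass(host, MITM_HOST_PATTERNS)) {
                    console.log("[pin] CertificatePinner.check bypassed for " + host);
                    return;                      // check() is void; returning skips the pin comparison
                }
                return this.check(host, certs);
            };
        } catch (e) {
            console.log("[pin] okhttp3.CertificatePinner not loaded: " + e);
        }
    });
}

// Install the hooks only when running under Frida's Java bridge.
if (typeof Java !== "undefined" && Java.available) {
    installPinningHooks();
}
```

Restricting the bypass to the hosts under test is deliberate: an app that talks to a payment or analytics backend with its own pins keeps failing closed there, which makes it obvious when the MITM is hitting traffic you did not intend to intercept.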

What if the app detects the VPN itself?
Here is a script that bypasses the two common VPN checks

function hook_vpn() {
    Java.perform(function () {
        var string_class = Java.use("java.lang.String");

        // First VPN check: enumerate NetworkInterface and look for a tunnel named tun0
        var NetworkInterface = Java.use("java.net.NetworkInterface");
        NetworkInterface.getName.implementation = function () {
            var name = this.getName();
            console.log("name: " + name);
            if (name == "tun0") {
                // hand back a name that looks like a cellular interface instead
                var result = string_class.$new("rmnet_data1");
                console.log("hook result: " + result);
                return result;
            }
            return name;
        };

        // Second VPN check: ConnectivityManager.getNetworkCapabilities(network)
        // followed by hasTransport(TRANSPORT_VPN). Returning null hides the
        // capabilities entirely; apps that dereference the result without a
        // null check will crash, so watch for that.
        var ConnectivityManager = Java.use("android.net.ConnectivityManager");
        ConnectivityManager.getNetworkCapabilities.implementation = function (network) {
            var result = this.getNetworkCapabilities(network);
            console.log("vpn result: " + result);
            return null;
        };
    });
}
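As an added example that is not part of the original post, here is one Frida script that covers both detections from section 1 and the VPN checks above: it blanks the http/https proxy system properties the app reads, renames tunnel interfaces, and makes NetworkCapabilities.hasTransport deny only TRANSPORT_VPN instead of returning null from getNetworkCapabilities, so apps that dereference the capabilities object keep working. The interface prefixes, the cover name rmnet_data1 and the TRANSPORT_VPN value (4, as defined in android.net.NetworkCapabilities) are stated in the code; the hooks are installed only when the script runs under Frida, so the decision helpers can be exercised as plain JavaScript.

```javascript
// Added example (not from the original post): hide both the Wi-Fi proxy and the VPN
// from the app. Pure-JS helpers hold the decision logic; the Java hooks are installed
// only inside a Frida Java VM.

// System properties an app reads to detect a Wi-Fi proxy (java.lang.System names).
var PROXY_PROPERTIES = ["http.proxyHost", "http.proxyPort", "https.proxyHost", "https.proxyPort"];

// Interface name prefixes that betray a tunnel; rmnet_data1 is a plausible cellular
// interface name used as the cover (assumption: the app does not cross-check it).
var VPN_INTERFACE_PREFIXES = ["tun", "ppp", "ipsec", "utun", "tap"];
var COVER_INTERFACE_NAME = "rmnet_data1";

// android.net.NetworkCapabilities.TRANSPORT_VPN == 4
var TRANSPORT_VPN = 4;

// What the System.getProperty hook should answer: null (unset) for proxy keys,
// the real value for everything else so the app keeps working.
function filterSystemProperty(key, realValue) {
    return PROXY_PROPERTIES.indexOf(key) !== -1 ? null : realValue;
}

// True for tunnel-style names such as tun0, tun1, ppp0, utun2 (prefix + digits only).
function isVpnInterfaceName(name) {
    if (name === null || name === undefined) return false;
    return VPN_INTERFACE_PREFIXES.some(function (p) {
        return name.indexOf(p) === 0 && /^[0-9]*$/.test(name.slice(p.length));
    });
}

// Replaces tunnel names with the cover name, leaves all others untouched.
function sanitizeInterfaceName(name) {
    return isVpnInterfaceName(name) ? COVER_INTERFACE_NAME : name;
}

// What NetworkCapabilities.hasTransport(t) should answer: false only for TRANSPORT_VPN,
// the real answer for Wi-Fi/cellular so connectivity logic is unaffected.
function filterHasTransport(transport, realAnswer) {
    return transport === TRANSPORT_VPN ? false : realAnswer;
}

function installHooks() {
    Java.perform(function () {
        // 1. Proxy detection via System.getProperty("http.proxyHost") etc.
        var System = Java.use("java.lang.System");
        System.getProperty.overload("java.lang.String").implementation = function (key) {
            var real = this.getProperty(key);
            var filtered = filterSystemProperty(key, real);
            if (filtered !== real) console.log("[proxy] hid " + key + " = " + real);
            return filtered;
        };

        // 2. VPN detection via NetworkInterface names (covers getNetworkInterfaces() loops).
        var NetworkInterface = Java.use("java.net.NetworkInterface");
        NetworkInterface.getName.implementation = function () {
            var name = this.getName();
            var clean = sanitizeInterfaceName(name);
            if (clean !== name) console.log("[vpn] " + name + " -> " + clean);
            return clean;
        };

        // 3. VPN detection via NetworkCapabilities.hasTransport(TRANSPORT_VPN). Denying only
        //    the VPN transport avoids the crashes that a null getNetworkCapabilities() causes.
        var NetworkCapabilities = Java.use("android.net.NetworkCapabilities");
        NetworkCapabilities.hasTransport.implementation = function (transport) {
            var real = this.hasTransport(transport);
            return filterHasTransport(transport, real);
        };
    });
}

// Install the hooks only when running under Frida's Java bridge.
if (typeof Java !== "undefined" && Java.available) {
    installHooks();
}
```

Run it with `frida -U -f <package> -l script.js`; the helpers are what you would extend if an app checks additional properties (for example `socksProxyHost`) or other interface names.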

2. What about mutual (two-way) TLS authentication?

In mutual TLS both sides verify each other: the server also demands a client certificate before it will complete the handshake.

Client ---------> Middleman <------------- Server

The middleman (Charles) does not hold the app's client certificate, so it cannot complete the handshake with the server and cannot decrypt or re-encrypt the traffic. What now?

1. First, find the client certificate and the password that protects it.
How? With this Frida script:
// Helper used by the hooks below: print the Java call stack so you can see
// which code path loads the keystore (useful when class names are obfuscated)
function printStack(tag) {
    var Log = Java.use("android.util.Log");
    var Throwable = Java.use("java.lang.Throwable");
    console.log(tag + "\n" + Log.getStackTraceString(Throwable.$new()));
}

function hook_KeyStore_load() {
    Java.perform(function () {
        var StringClass = Java.use("java.lang.String");
        var KeyStore = Java.use("java.security.KeyStore");
        KeyStore.load.overload('java.security.KeyStore$LoadStoreParameter').implementation = function (arg0) {
            printStack("KeyStore.load1");
            console.log("KeyStore.load1:", arg0);
            this.load(arg0);
        };
        // This overload receives the keystore stream and its password as a char[];
        // the password is what you need when importing the certificate into Charles
        KeyStore.load.overload('java.io.InputStream', '[C').implementation = function (arg0, arg1) {
            printStack("KeyStore.load2");
            console.log("KeyStore.load2:", arg0, arg1 ? StringClass.$new(arg1) : null);
            this.load(arg0, arg1);
        };

        console.log("hook_KeyStore_load...");
    });
}

This shows where the certificate is loaded and which password protects it. Note that the script logs the stream object, not the file contents, so you still need the keystore file itself. If the certificate is stored encrypted by the app, decrypt it first and import the decrypted certificate into Charles.
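The hook above gives you the password but not the keystore bytes. The following is an added example (not from the original post) that drains the InputStream passed to KeyStore.load, writes the bytes into the app's data directory, feeds a fresh ByteArrayInputStream to the real load() so the app is unaffected, and identifies the container (JKS, BKS or PKCS#12) from its leading bytes so you know whether Charles can import it directly. The dump directory and package name are assumptions to replace with the target's; the Frida hook is installed only when running under Frida, and the format check is plain JavaScript.

```javascript
// Added example (not from the original post): capture the client keystore that an
// app hands to KeyStore.load(InputStream, char[]) and classify its format.

var DUMP_DIR = "/data/data/com.example.app/";   // assumption: the target app's own data dir

// Identifies the keystore container by its leading bytes:
//   JKS    starts with the magic 0xFEEDFEED
//   BKS    (Bouncy Castle) starts with a big-endian version int, 1 or 2
//   PKCS12 is DER, so it starts with a SEQUENCE tag 0x30
// Accepts byte values as Java hands them out (signed) or unsigned.
function guessKeyStoreType(bytes) {
    if (!bytes || bytes.length < 4) return "unknown";
    var b = bytes.slice(0, 4).map(function (x) { return x & 0xff; });
    if (b[0] === 0xfe && b[1] === 0xed && b[2] === 0xfe && b[3] === 0xed) return "JKS";
    if (b[0] === 0 && b[1] === 0 && b[2] === 0 && (b[3] === 1 || b[3] === 2)) return "BKS";
    if (b[0] === 0x30) return "PKCS12";
    return "unknown";
}

// Charles' client-certificate import takes PKCS#12; JKS/BKS must first be converted
// with keytool -importkeystore (BKS needs the Bouncy Castle provider on the classpath).
function needsConversionForCharles(type) {
    return type !== "PKCS12";
}

function installKeyStoreHook() {
    Java.perform(function () {
        var KeyStore = Java.use("java.security.KeyStore");
        var JString = Java.use("java.lang.String");
        var ByteArrayOutputStream = Java.use("java.io.ByteArrayOutputStream");
        var ByteArrayInputStream = Java.use("java.io.ByteArrayInputStream");
        var counter = 0;

        KeyStore.load.overload("java.io.InputStream", "[C").implementation = function (stream, password) {
            if (stream === null) {                   // load(null, pw) only creates an empty store
                return this.load(stream, password);
            }
            // Reading consumes the original stream, so the real load() below is fed a
            // fresh ByteArrayInputStream over the same bytes.
            var baos = ByteArrayOutputStream.$new();
            var buf = Java.array("byte", new Array(4096).fill(0));
            var n;
            while ((n = stream.read.overload("[B").call(stream, buf)) > 0) {
                baos.write(buf, 0, n);
            }
            var bytes = baos.toByteArray();          // JS array of signed byte values
            var type = guessKeyStoreType(bytes);
            var path = DUMP_DIR + "keystore_" + (counter++) + "." + type.toLowerCase();

            // Frida's File API writes the raw bytes to the device.
            var f = new File(path, "wb");
            f.write(new Uint8Array(bytes.map(function (x) { return x & 0xff; })).buffer);
            f.close();

            console.log("[keystore] type=" + type + " size=" + bytes.length + " -> " + path);
            console.log("[keystore] password=" + (password ? JString.$new(password) : "(none)"));
            console.log("[keystore] " + (needsConversionForCharles(type)
                ? "convert to PKCS#12 with keytool -importkeystore before importing into Charles"
                : "import into Charles directly (Proxy > SSL Proxying Settings > Client Certificates)"));

            return this.load(ByteArrayInputStream.$new(Java.array("byte", bytes)), password);
        };
    });
}

// Install the hook only when running under Frida's Java bridge.
if (typeof Java !== "undefined" && Java.available) {
    installKeyStoreHook();
}
```

Pull the dump off the device with `adb pull` (or `adb shell run-as <package> cat <path>` on a non-rooted device), then import it together with the logged password.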

Further thoughts

1. What if the code is obfuscated?
See https://bbs.pediy.com/thread-254114.htm; the main idea is to identify the target methods by their parameter type signatures, which survive name obfuscation.
2. What if the certificate is encrypted?
Find where the app decrypts it, obtain the decrypted certificate, and import that into the capture tool.

3. Summary

These are the usual approaches when an app's traffic cannot be captured.

Reference: https://www.anquanke.com/post/id/197657#h3-13

Source: blog.csdn.net/esabeny/article/details/112579670