2021Android網(wǎng)絡(luò)庫(kù)詳解技術(shù)

PAGEPAGE10Android?絡(luò)庫(kù)詳解-tale?絡(luò)庫(kù)：HttpURLConnectionHttpURLConnection介紹HttpURLConnection的使?步驟HOOKHttpURLConnection?絡(luò)庫(kù)：okhttp3+loggingOKHttp簡(jiǎn)介OKHttp的功能HOOKOkHttp3?絡(luò)庫(kù):Retro?tRetro?t簡(jiǎn)介：Retro?t使?步驟HOOKRetro?t參考資料?絡(luò)庫(kù)：HttpURLConnectionHttpURLConnection介紹?種多?途輕量極的HTTP客戶端，使?它來進(jìn)?HTTP操作可以適?于?多數(shù)的應(yīng)?程序雖然HttpURLConnection的API提供的?較簡(jiǎn)單，但是同時(shí)這也使得我們可以更加容易地去使?和擴(kuò)展它繼承?URLConnection，抽象類，?法直接實(shí)例化對(duì)象通過調(diào)?openCollection()?法獲得對(duì)象實(shí)例，默認(rèn)是帶gzip壓縮的；HttpURLConnection的使?步驟使?HttpURLConnection的步驟如下：PlainTextPlainText復(fù)制代碼1創(chuàng)建?個(gè)URL對(duì)象：URLurlnewURL();2調(diào)?URL對(duì)象的openConnection(來獲取HttpURLConnection對(duì)象實(shí)例：HttpURLConnectionconn=(HttpURLConnection)url.openConnection();3設(shè)置HTTP請(qǐng)求使?的?法:GET或者POST，或者其他請(qǐng)求?式?如：PUTconn.setRequestMethod("GET");4設(shè)置連接超時(shí)，讀取超時(shí)的毫秒數(shù)，以及服務(wù)器希望得到的?些消息頭conn.setConnectTimeout(6*1000);conn.setReadTimeout(6*1000);5調(diào)?getInputStream()?法獲得服務(wù)器返回的輸?流，然后輸?流進(jìn)?讀取InputStreamin=conn.getInputStream();6最后調(diào)?disconnect()?法將HTTP連conn.disconnect();HOOKHttpURLConnectionPlainText復(fù)制代碼1創(chuàng)建?個(gè)URL對(duì)象：URLurl=newURL();URL()如果想?吐URL()

則應(yīng)該hookURL的構(gòu)造函數(shù)PlainTextPlainText復(fù)制代碼1 workon(google:8.1.0)[usb]#androidhookingsearchclassesURL.URL.$init需單獨(dú)hook構(gòu)造函數(shù).URL.$initPlainTextPlainText復(fù)制代碼workon(google:8.1.0)[usb]#androidhookingwatchmethod.URL.$init--dump-args--dump-backtrace--dump-return可以發(fā)現(xiàn)在?機(jī)每點(diǎn)擊?下刷新驗(yàn)證碼，就會(huì)彈出新的請(qǐng)求然后可以編寫?吐腳本，打印出經(jīng)過的url地址PlainText復(fù)制代碼1frida-U-fwork-l20201013.js--no-pause使?該?吐腳本嘗試另?款A(yù)PP做實(shí)驗(yàn)PlainText復(fù)制代碼1frida-U-fcom.cz.babySister-l20201013.js--no-pausejava.io.PrintWriterhook 的write?法打印出內(nèi)容：java.io.PrintWriterPlainTextPlainText復(fù)制代碼com.cz.babySisteron(google:8.1.0)[usb]#androidhookingwatchclass_methodjava.io.PrintWriter.write--dump-args--dump-backtrace--dump-returnjava.io.PrintWriter.write編寫hook腳本將和密碼java.io.PrintWriter.writeHttpURLConnection最終HttpURLConnection

?吐腳本如下

內(nèi)容進(jìn)?打印，可以發(fā)現(xiàn)顯示出了?戶輸?的賬號(hào)JavaScript 復(fù)制代碼1 functionhook_HttpUrlConnection(){2Java.perform(function(){//.URL.URL($init)(得到5 tion=function(str){varresult=this.$init(str)console.log("result,str=>",result,str);return10 }11//HttpURLConnectionsetRequestProperty得到各種請(qǐng)求頭屬性等equestProperty.implementation=function(str1,str2){varresult=this.setRequestProperty(str1,str2); console.log(".setRequestPropertyresult,str1,str2->",result,str1,str2);return17 }18 equestMethod.implementation=function(str1){varresult=this.setRequestMethod(str1);console.log(".setRequestMethodresult,str1,str2->",result,str1);return23 }//java.io.PrintWriterwrite得到輸?內(nèi)容lementation=function(str1){varresult=this.write(str1);console.log(".writeresult,str1->",result,str1);return29 }30313233 })3435 }36 setImmediate(hook_HttpUrlConnection)?絡(luò)庫(kù)：okhttp3+loggingOKHttp簡(jiǎn)介OKHttp是?個(gè)處理?絡(luò)請(qǐng)求的開源項(xiàng)?，Android當(dāng)前最?熱?絡(luò)框架OKHttp的功能1PUT，DELETE，POST，GET等請(qǐng)求2?件的上傳下載3加載圖?(內(nèi)部會(huì)圖????動(dòng)壓縮)4?持請(qǐng)求回調(diào)，直接返回對(duì)象對(duì)象集合5?持session的保持HOOKOkHttp31OkhttpClient對(duì)象exampleOkhttpClient對(duì)象在 類創(chuàng)exampleOkhttpClient對(duì)象PlainTextPlainText復(fù)制代碼1 OkHttpClientclient=newOkHttpClient();okhttp3.OkHttpClient可以使?objection查找該 實(shí)例，并查看該屬性域和?法okhttp3.OkHttpClientPlainTextPlainText復(fù)制代碼com.roysue.octolesson2ok3on(google:8.1.0)[usb]#pluginload/Users/tale/.objection/plugins/WallbreakerLoadedplugin:wallbreakercom.roysue.octolesson2ok3on(google:8.1.0)[usb]#pluginwallbreakerasssearchOkHttpClientcom.android.okhttp.OkHttpClient$1com.android.okhttp.OkHttpClientokhttp3.OkHttpClient$1okhttp3.OkHttpClient$Builderokhttp3.OkHttpClientcom.roysue.octolesson2ok3on(google:8.1.0)[usb]#pluginwallbreakerjectsearchokhttp3.OkHttpClient[0x26c2]:okhttp3.OkHttpClient@dc28b06com.roysue.octolesson2ok3on(google:8.1.0)[usb]#pluginwallbreakerjectdump--fullname0x26c22Request對(duì)象JavaJava復(fù)制代碼//構(gòu)造requestRequestrequest=newRequest.Builder().url(url).build();ernal.huc.HttpURLConnectionIernal.huc.HttpURLConnectionImpl發(fā)現(xiàn)每點(diǎn)擊刷新?下，會(huì)增加?新的實(shí)例，然后可以去查看該域3發(fā)起異步請(qǐng)求在將Request對(duì)象封裝成Call對(duì)象后，每次enqueue都會(huì)產(chǎn)??次真實(shí)的?絡(luò)請(qǐng)求JavaJava復(fù)制代碼123456789//發(fā)起異步請(qǐng)求client.newCall(request).enqueue(newCallback(){@OverridepublicvoidonFailure(Callcall,IOExceptione){call.cancel();}@OverridepublicvoidonResponse(Callcall,Responseresponse)throwsIOException{101112131415//打印輸出Log.d(TAG,response.body().string());}}Java 復(fù)制代碼1 publicclassexample2//TAG即為?志打印時(shí)的標(biāo)簽privatestaticStringTAG=56//新建?個(gè)Okhttp客戶端//OkHttpClientclient=newOkHttpClient();OkHttpClientclient=newOkHttpClient.Builder().addNetworkInterceptor(newLoggingInterceptor()).build();12voidrun(Stringurl)throwsIOException{//構(gòu)造requestRequestrequest=newRequest.Builder().url(url).build();1819//發(fā)起異步請(qǐng)求client.newCall(request).enqueue(newCallback(){@OverridepublicvoidonFailure(Callcall,IOExceptione){call.cancel();25 }26@OverridepublicvoidonResponse(Callcall,Responseresponse)throwsIOException{29//打印輸出Log.d(TAG,response.body().string());3233 }34 }35 );36 }37 }做完混淆，通過攔截器分析?法失效?絡(luò)庫(kù):RetrofitRetrofit簡(jiǎn)介：Retrofit是?個(gè)RESTful的HTTP?絡(luò)請(qǐng)求框架的封裝，?絡(luò)請(qǐng)求的?作本質(zhì)上是OkHttp完成，?Retrofit僅負(fù)責(zé)?絡(luò)請(qǐng)求接?的封裝Retrofit使?步驟：添加Retrofit庫(kù)的依賴：PlainTextPlainText復(fù)制代碼implementation'com.squareup.retrofit2:retrofit:2.5.0'//Retrofit依賴implementation'com.squareup.retrofit2:converter-gson:2.5.0'//可選依賴解析on字符所??絡(luò)權(quán)限：PlainTextPlainText復(fù)制代碼1 <uses-permissionandroid:name="android.permission.INTERNET"/>創(chuàng)建?于描述?絡(luò)請(qǐng)求的接?Retrofit將Http請(qǐng)求抽象成Java接?：采?注解描述?絡(luò)請(qǐng)求參數(shù)和配置?絡(luò)請(qǐng)求參數(shù)PlainTextPlainText復(fù)制代碼1 publicinterfaceGetRequest_Interface23456789@GET("openapi.do?keyfrom=abc&key=2032414398&type=data&doctype=json&version=1.1&q=car")Call<Reception>getCall(@Field("name")Stringname);//@GET注解的作?:采?Get?法發(fā)送?絡(luò)請(qǐng)求//getCall()=接收?絡(luò)請(qǐng)求數(shù)據(jù)的?法//其中返回類型為Call<*>，*是接收數(shù)據(jù)的類（即上?定義的Translation類）//如果想直接獲得Responsebody中的內(nèi)容，可以定義?絡(luò)請(qǐng)求返回值為Call<ResponseBody>10 }創(chuàng)建Retrofit實(shí)例PlainTextPlainText復(fù)制代碼Retrofitretrofit=newRetrofit.Builder().baseUrl("/")//設(shè)置?絡(luò)請(qǐng)求的Url地址 .addConverterFactory(GsonConverterFactory.create())//據(jù)解析器.addCallAdapterFactory(RxJavaCallAdapterFactory.create()).build();發(fā)送請(qǐng)求PlainTextPlainText復(fù)制代碼12345678910111213141516171819202122232425//創(chuàng)建?絡(luò)請(qǐng)求接?的實(shí)例GetRequest_Interfacerequest=retrofit.create(GetRequest_Interface.class);//對(duì)發(fā)送請(qǐng)求進(jìn)?封裝Call<Reception>call=request.getCall("");call.enqueue(newCallback<Reception>(){//請(qǐng)求成功時(shí)回調(diào)@OverridepublicvoidonResponse(Call<Reception>call,Response<Recep