Capturing HTTPS requests from Android apps other than Chrome
The previous post (Capturing Android app traffic with Charles) covered intercepting app traffic by installing the Charles CA as a user certificate. That only works for apps that trust user-installed CAs (browsers such as Chrome); since Android 7, apps do not trust user CAs by default, and apps that pin their certificates reject the proxy outright, so Charles alone gets nowhere with them. After some trial and error I found a workaround, recorded here.
Prerequisites: the device is rooted, and the computer has ADB and a Python environment set up; neither is covered here.
1. Install frida-server on the phone
Go to https://github.com/frida/frida/releases and download the frida-server build that matches your device's architecture (arm64 for 64-bit ARM devices, arm for 32-bit ARM); I used frida-server-15.2.2-android-arm64.xz. Note the version number, because the Frida client installed on the computer in the next step must match it.
After decompressing it, push the binary to the phone with adb (substitute the version and arch from the file you downloaded):
adb push ./frida-server-$version-android-$arch /data/local/tmp/frida-server
Then open an adb shell and start frida-server as root in the background:
adb shell
su
chmod 755 /data/local/tmp/frida-server
/data/local/tmp/frida-server &
2. Install Frida on the computer
pip install frida-tools
The frida Python package this pulls in must be the same version as the frida-server running on the device (compare `frida --version` with the file name you downloaded); mismatched versions are rejected when the client connects.
Then download frida-script.js (the certificate-unpinning script from the HTTP Toolkit post linked at the end) to the local machine.
3. Start capturing
frida --no-pause -U -l ./frida-script.js -f <package name of the app to capture>
Here -U connects over USB, -f spawns the app by its package name (e.g. com.example.app, not the APK file name) so the script is loaded before the app's own code runs, -l loads the script, and --no-pause resumes the app immediately. The script disables the app's pinning and trust checks; the device still has to send its traffic through Charles (proxy configured as in the previous post) for anything to show up there.
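The steps above, put together as one script. This is an added example and not code from the original post or from the Frida or HTTP Toolkit projects; it assumes a rooted device with Magisk-style `su -c`, adb, curl and xz on the host, frida-tools already installed, frida-script.js in the current directory, and the frida-server release-asset naming shown in the filename above. It reads the device ABI to pick the right build and derives the server version from the installed client so the two cannot drift apart.

```shell
#!/bin/sh
# Added example, not from the original post: scripted version of the steps
# above (pick the frida-server build, push and start it as root, launch the
# app with the unpinning script). Assumptions: rooted device with Magisk-style
# `su -c`, adb/curl/xz on the host, frida-tools installed, and frida-script.js
# from the HTTP Toolkit post in the current directory.
set -eu

# Map ro.product.cpu.abi to the arch suffix used in frida-server release
# names (frida-server-<version>-android-<arch>.xz).
frida_arch_for_abi() {
    case "$1" in
        arm64-v8a)            echo arm64 ;;
        armeabi-v7a|armeabi)  echo arm ;;
        x86)                  echo x86 ;;
        x86_64)               echo x86_64 ;;
        *) echo "unsupported ABI: $1" >&2; return 1 ;;
    esac
}

# GitHub release asset URL for a given frida version and arch.
frida_server_url() {
    echo "https://github.com/frida/frida/releases/download/$1/frida-server-$1-android-$2.xz"
}

# Client and server must run the same frida version, so derive the server
# version from the frida Python package already installed on the host.
host_frida_version() {
    frida --version
}

# Download the matching frida-server, push it to the device, start it as root
# in the background and verify the client can reach it over USB.
setup_frida_server() {
    ver="$1"
    abi=$(adb shell getprop ro.product.cpu.abi | tr -d '\r')
    arch=$(frida_arch_for_abi "$abi")
    tmp=$(mktemp)
    curl -fsSL "$(frida_server_url "$ver" "$arch")" | xz -d > "$tmp"
    adb push "$tmp" /data/local/tmp/frida-server
    rm -f "$tmp"
    adb shell "su -c 'chmod 755 /data/local/tmp/frida-server'"
    # pkill may legitimately find nothing; the `;` keeps going in that case.
    adb shell "su -c 'pkill frida-server; nohup /data/local/tmp/frida-server >/dev/null 2>&1 &'"
    sleep 2
    frida-ps -U >/dev/null   # fails if the server is unreachable or the versions differ
}

# Spawn the target app by package name (e.g. com.example.app, not the APK file
# name) with the unpinning script loaded before the app's code runs.
# --no-pause matches the 15.x CLI used in the post; Frida 16+ resumes the
# spawned process by default and no longer accepts this flag.
run_unpinned() {
    frida --no-pause -U -l ./frida-script.js -f "$1"
}

main() {
    ver=$(host_frida_version)
    setup_frida_server "$ver"
    run_unpinned "$1"
}

# Run only when given a package name, so the file can also be sourced for its functions.
if [ "$#" -ge 1 ]; then
    main "$1"
fi
```

Usage: `sh setup.sh com.example.app` with the phone connected and Charles already set as the device proxy. The `frida-ps -U` check fails early if frida-server is not running as root or if the client and server versions disagree, which is the most common reason the later `frida -f` step produces nothing.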
In theory that is the end of it, but something always goes wrong. In my case frida-server-15.2.2-android-arm64.xz would not work on my device: the script failed as soon as it tried to use Frida's Java bridge, with the error below.
{"type":"error","description":"Error: Unable to determine ClassLinker field offsets",
"stack":"Error: Unable to determine ClassLinker field offsets\n
at Ye (frida/node_modules/frida-java-bridge/lib/android.js:400:1)\n
at frida/node_modules/frida-java-bridge/lib/memoize.js:4:1\n
at ze (frida/node_modules/frida-java-bridge/lib/android.js:193:1)\n
at Oe (frida/node_modules/frida-java-bridge/lib/android.js:16:1)\n
at _tryInitialize (frida/node_modules/frida-java-bridge/index.js:29:1)\n
at new _ (frida/node_modules/frida-java-bridge/index.js:21:1)\n
at Object.4../lib/android (frida/node_modules/frida-java-bridge/index.js:332:1)\n
at o (frida/node_modules/browser-pack/_prelude.js:1:1)\n
at frida/node_modules/browser-pack/_prelude.js:1:1\n
at Object.22.frida-java-bridge (frida/runtime/java.js:1:1)",
"fileName":"frida/node_modules/frida-java-bridge/lib/android.js",
"lineNumber":400,
"columnNumber":1}
After a long search it turned out to be most likely related to a Google Play system update (the updated ART runtime on the device has a ClassLinker layout this frida-java-bridge build does not recognise, hence "Unable to determine ClassLinker field offsets"). What finally worked was a patched build another user posted in https://github.com/frida/frida/issues/2176. Bear in mind that this means running someone else's binary as root on the device; check the issue thread for a newer official release that includes the fix before trusting a third-party build. The comment in question:
I make this patch and put it on my website
https://safasafari.ir/frida-server-arm
https://safasafari.ir/frida-server-arm64
The steps above come from: https://httptoolkit.com/blog/frida-certificate-pinning/
Published on 记忆碎片-网络技术分享 https://huilang.me
Article URL: https://huilang.me/android-zhua-bao-chorme-zhi-wai-app-di-https-qing-qiu/