Quickly locating the hook point for obtaining 云闪付 request headers

9.3.4

[Image: image-20231122225708742]

9.3.8

[Image: image-20231122225739707]

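Quick location with Frida

Between versions only the class name differs; the methods inside the class do not change. Because these method bodies all call UPID.getExtraHeads(), that feature can be used in Frida code to locate the hook point quickly.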

Java.perform(function () {
    var UPID = Java.use("com.unionpay.network.model.UPID");
    var Log = Java.use("android.util.Log");
    var Exception = Java.use("java.lang.Exception");

    // Hook the no-argument overload and call through to the original.
    UPID.getExtraHeads.overload().implementation = function () {
        var retval = this.getExtraHeads();
        console.log("UPID->getExtraHeads (retType: java.util.Map): " + retval);
        // Print the Java call stack; the frame above getExtraHeads is the caller.
        console.log(Log.getStackTraceString(Exception.$new()));
        return retval;
    };
});


UPID->getExtraHeads (retType: java.util.Map): null
java.lang.Exception
at com.unionpay.network.model.UPID.getExtraHeads(Native Method)
at com.unionpay.network.aa.i(SourceFile:496) //<-----------------------
at com.android.volley.toolbox.g.a(SourceFile:89)
at com.unionpay.network.ae.a(SourceFile:103)
at com.android.volley.g.run(SourceFile:114)
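
The trace above is read by eye; as an added example (not part of the original post), the helper below parses such a trace and returns the frame directly above UPID.getExtraHeads, which is the class whose name changes between versions. The function names parseFrame, findCaller and tallyCallers are hypothetical, and the sample trace is the output shown on this page.

```javascript
// Added example. Runs under Node.js or inside a Frida script (no Frida APIs used).
// Trace text copied from the output shown on this page, including the author's marker.
const SAMPLE_TRACE = [
  "java.lang.Exception",
  "\tat com.unionpay.network.model.UPID.getExtraHeads(Native Method)",
  "\tat com.unionpay.network.aa.i(SourceFile:496) //<-----------------------",
  "\tat com.android.volley.toolbox.g.a(SourceFile:89)",
  "\tat com.unionpay.network.ae.a(SourceFile:103)",
  "\tat com.android.volley.g.run(SourceFile:114)",
].join("\n");

// Parse one "at pkg.Class.method(Location)" line; returns null for any other line.
function parseFrame(line) {
  const m = /^\s*at\s+([\w$.]+)\.([\w$<>]+)\(([^)]*)\)/.exec(line);
  if (!m) return null;
  const loc = /^(.*):(\d+)$/.exec(m[3]);
  // "Native Method" and "Unknown Source" carry no line number.
  return { className: m[1], method: m[2],
           file: loc ? loc[1] : m[3], line: loc ? Number(loc[2]) : null };
}

// Return the first frame above the hooked method (its caller), or null.
function findCaller(trace, hookedClass, hookedMethod) {
  const frames = trace.split(/\r?\n/).map(parseFrame).filter(Boolean);
  const isHook = (f) => f.className === hookedClass && f.method === hookedMethod;
  let i = frames.findIndex(isHook);
  if (i === -1) return null;
  // Skip repeated hook frames (replacement plus original implementation).
  while (i < frames.length && isHook(frames[i])) i++;
  return i < frames.length ? frames[i] : null;
}

// Count distinct callers over many traces, e.g. one per hook invocation.
function tallyCallers(traces, hookedClass, hookedMethod) {
  const counts = new Map();
  for (const t of traces) {
    const c = findCaller(t, hookedClass, hookedMethod);
    if (!c) continue;
    const key = c.className + "." + c.method;
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return counts;
}
```

Inside the hook, the string returned by Log.getStackTraceString(...) can be passed to findCaller as-is.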