Obtaining the Panda Park (熊猫乐园) Token in the China Mobile App

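At first I tried hooking string-related methods and searching for "Cookie", but found no cookie-related strings.

Next I tried hooking WebView-related methods and calling them, but because the key cookie has the httpOnly flag set, it could not be retrieved through the API.

Continuing to hook WebView methods, I found how the cookie is generated: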

POST /xwtecCommon/login/checkToken HTTP/1.1
Host: wap.sc.10086.cn
Content-Length: 48
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Linux; Android 12; M2007J3SC Build/SKQ1.211006.001; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/96.0.4664.104 Mobile Safari/537.36 leadeon/9.0.0/CMCCIT
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: https://wap.sc.10086.cn
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://wap.sc.10086.cn/scmccMiniWap/cocosPandaPlay/index.html?value=isNeedLogin&channel=jtst&random=02&channelId=P00000054101&yx=1158360001
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

token=YZsidssolgc2af598f29b6e01e7248ecbc86632263

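The cookie is returned by the server after /xwtecCommon/login/checkToken is called with the token, so all that is needed is to get hold of this token.

The token can be obtained by hooking the com.tencent.smtt.sdk.WebView.evaluateJavascript() method (a token can only be used once).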

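// log(), extracToken() and upload() are helper methods that are not shown on this page.
// A one-element array is used because a local variable captured by the
// anonymous class must be effectively final and cannot be reassigned.
final boolean[] is_token_uploaded = {false};
Class<?> valueCallBackClass = classLoader.loadClass("com.tencent.smtt.sdk.ValueCallback");
findAndHookMethod("com.tencent.smtt.sdk.WebView", classLoader, "evaluateJavascript", String.class, valueCallBackClass, new XC_MethodReplacement() {
    @Override
    protected Object replaceHookedMethod(MethodHookParam param) throws Throwable {
        String script = (String) param.args[0];

        // Only act on the first script that carries the token
        if (!is_token_uploaded[0] && script != null && script.contains("newUsessionId")) {
            log(script);
            String token = extracToken(script);
            log("token: " + token);
            // upload token
            upload(token);

            // replace token (literal replacement, the token is not a regex)
            String new_script = script.replace(token, "000000000000000000000000000000000000000000");
            param.args[0] = new_script;

            is_token_uploaded[0] = true;
        }
        // Run the original evaluateJavascript() with the (possibly modified) script
        Object result = XposedBridge.invokeOriginalMethod(param.method, param.thisObject, param.args);
        return result;
    }
});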
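
The single-use exchange described above (token in, HttpOnly cookie out), modelled from the server's side as an added example; it is not code from the original post or from the app. The class, the in-memory store, the `SESSION` cookie name and the account value are assumptions made for illustration; the real server's implementation is not shown on this page.

```java
import java.security.SecureRandom;
import java.util.HexFormat;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/** Constructed model: a one-time login token exchanged for an HttpOnly session cookie. */
public class OneTimeTokenExchange {
    private static final SecureRandom RNG = new SecureRandom();
    // token -> account it was issued for (hypothetical server-side store)
    private final Map<String, String> pending = new ConcurrentHashMap<>();

    private static String randomHex(int bytes) {
        byte[] buf = new byte[bytes];
        RNG.nextBytes(buf);
        return HexFormat.of().formatHex(buf); // Java 17+
    }

    /** Token handed to the native app, which passes it to the page through JavaScript. */
    public String issueToken(String account) {
        String token = randomHex(21);
        pending.put(token, account);
        return token;
    }

    /** Models checkToken: the first presentation wins, every later one is rejected. */
    public Optional<String> checkToken(String token) {
        // remove() is atomic, so two concurrent requests cannot both succeed
        String account = pending.remove(token);
        if (account == null) {
            return Optional.empty(); // unknown or already consumed token
        }
        String sessionId = randomHex(16);
        // HttpOnly hides the cookie from document.cookie; Secure limits it to HTTPS
        return Optional.of("Set-Cookie: SESSION=" + sessionId
                + "; Path=/; Secure; HttpOnly; SameSite=Lax");
    }

    public static void main(String[] args) {
        OneTimeTokenExchange server = new OneTimeTokenExchange();
        String token = server.issueToken("constructed-account"); // constructed sample value
        System.out.println("first use  : " + server.checkToken(token).orElse("rejected"));
        System.out.println("second use : " + server.checkToken(token).orElse("rejected"));
        // A placeholder token that was never issued is rejected the same way
        System.out.println("placeholder: " + server.checkToken("0".repeat(42)).orElse("rejected"));
    }
}
```

Only the first presentation of a token yields a cookie, so whichever client submits it first consumes it; a rejected second presentation is an event a server can log.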