I have an APK which is obfuscated, but I discovered it uses the OkHttp library to perform network traffic.
What I would like to do is write a hook in Frida with which I can rewrite the response body text for some endpoints.
The general way of performing a request with OkHttp is as follows:
```java
import java.io.IOException;

import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

OkHttpClient client = new OkHttpClient();

String run(String url) throws IOException {
    Request request = new Request.Builder()
            .url(url)
            .build();

    // try-with-resources closes the Response (and its body) when done
    try (Response response = client.newCall(request).execute()) {
        return response.body().string();
    }
}
```
I am able to hook the obfuscated Response constructor and log Request URL values and the ResponseBody text value.
First of all, when the app requests an endpoint, the constructor log gets printed several times. I guess because of interceptors added to the HTTP client.
Secondly, I am not able to change the ResponseBody. I am not able to write Frida code to generate a new ResponseBody object with my own response or to change the existing ResponseBody.
The string() method of the ResponseBody is unfortunately never called by the app, so it cannot be used for the rewrite.
Any advice on which function would be the most efficient/easy to hook and rewrite on, and if possible could someone give a Frida JS snippet showing how the rewrite could be performed?
UPDATE: I boiled it down to a hook on OkHttp's ResponseBody.source function, which returns an okio.BufferedSource. Does someone know how I could print this BufferedSource as a string in Frida, and how I could return a new BufferedSource starting from a string?
```java
package com;

import okio.BufferedSource;
import okio.Okio;
import okio.RealBufferedSource;
import okio.Source;

/* loaded from: classes3.dex */
public final class z90 extends zd7 {
    public final g52 b;
    public final String c;
    public final String d;
    public final RealBufferedSource e;
    ...
    @Override // com.zd7
    public final BufferedSource f() {
        return this.e;
    }
}
```
This class extends zd7, which is an obfuscated/filtered-down version of OkHttp's ResponseBody class:
```java
public abstract class ResponseBody implements Closeable {
    ...
    @NotNull
    public abstract BufferedSource source();
}
```
(People might suggest another approach: proxying the app with Burp Suite/Charles and performing the rewrite there, but the app uses the Play Integrity API and certificate transparency, which result in the app not working when a proxy is enabled.)
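The two things the UPDATE asks for (reading an okio.BufferedSource as a string and returning a new BufferedSource built from a string) as an added Frida script; this is example code, not from the question or from OkHttp. It assumes the obfuscated names from the listing above (`com.z90` as the ResponseBody subclass and `f` as its source() override), that the bodies of interest are JSON, and a constructed rewrite that just adds a marker field so the change is visible in the app.

```javascript
'use strict';

// Assumed from the listing in the question: obfuscated ResponseBody subclass and its source() override.
const BODY_CLASS = 'com.z90';
const SOURCE_METHOD = 'f';

// Pure helper (no Frida dependency): rewrite JSON object bodies, leave anything else untouched.
function rewriteBody(text) {
  let obj;
  try { obj = JSON.parse(text); } catch (_) { return text; }   // not JSON: pass through unchanged
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) return text;
  obj.frida_rewritten = true;   // constructed marker field; put the real change here
  return JSON.stringify(obj);
}

// Frida part: hook z90.f() (the source() override), drain the original source into a string,
// and hand back an okio.Buffer, which implements BufferedSource, filled with the rewritten text.
function installHook() {
  Java.perform(function () {
    const Body = Java.use(BODY_CLASS);
    const Buffer = Java.use('okio.Buffer');
    Body[SOURCE_METHOD].overload().implementation = function () {
      const original = this[SOURCE_METHOD]();      // call the real f() to get the RealBufferedSource
      const text = original.readUtf8();            // readUtf8() consumes the whole source as a string
      console.log('[response body] ' + text);      // this answers "print the BufferedSource"
      const rewritten = rewriteBody(text);
      return Buffer.$new().writeUtf8(rewritten);   // new BufferedSource from a string
    };
  });
}

// Only install when running inside Frida's Java bridge; under plain Node the helper is still usable.
if (typeof Java !== 'undefined') installHook();
```

If the app's parser reads exactly contentLength() bytes rather than to end of stream, hook the obfuscated contentLength() on the same class and return the byte length of the rewritten string, otherwise the body will be truncated or the read will block.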