就把某鱼叫X鱼吧,懂的都懂
某(X)鱼app整个get/post请求中,基本必须在请求头中携带Cookie,这个Cookie的相关操作并不是在 mtopsdk这个包中
,并且

  • anetwork.channel.entity.RequestImpl
  • mtopsdk.network.domain.Request
  • mtopsdk.network.domain.Request.Builder

这几个类中的成员变量Map<String, String> headers中也没有cookie,
它是在android.taobao.windvane.connect.HttpConnector类中setConnectProp方法时添加的

private void setConnectProp(HttpURLConnection paramHttpURLConnection, HttpRequest paramHttpRequest) {int i = paramHttpRequest.getRetryTime();paramHttpURLConnection.setConnectTimeout(paramHttpRequest.getConnectTimeout() * (i + 1));paramHttpURLConnection.setReadTimeout(paramHttpRequest.getReadTimeout() * (i + 1));paramHttpURLConnection.setInstanceFollowRedirects(false);paramHttpURLConnection.setRequestProperty("Host", paramHttpRequest.getUri().getHost());paramHttpURLConnection.setRequestProperty("Connection", "close");paramHttpURLConnection.setRequestProperty("Accept-Encoding", "gzip");String str = WVCookieManager.getCookie(paramHttpURLConnection.getURL().toString());if (str != null)paramHttpURLConnection.setRequestProperty("Cookie", str); Map<String, String> map = paramHttpRequest.getHeaders();if (map != null)for (Map.Entry<String, String> entry : map.entrySet())paramHttpURLConnection.setRequestProperty((String)entry.getKey(), (String)entry.getValue());  paramHttpURLConnection.setUseCaches(false);}

这里的静态方法
WVCookieManager.getCookie();只是个代理类,放一下内容吧

package android.taobao.windvane;import android.content.Context;
import android.text.TextUtils;
import android.webkit.CookieManager;
import android.webkit.CookieSyncManager;
import com.taobao.codetrack.sdk.util.ReportUtil;public class WVCookieManager {private static final String TAG = "WVCookieManager";static {ReportUtil.dj(-953400378);}public static String getCookie(String paramString) {return TextUtils.isEmpty(paramString) ? null : CookieManager.getInstance().getCookie(paramString);}public static void onCreate(Context paramContext) {CookieSyncManager.createInstance(paramContext);}public static void setCookie(String paramString1, String paramString2) {if (!TextUtils.isEmpty(paramString1) && paramString2 != null) {if (!CookieManager.getInstance().acceptCookie())CookieManager.getInstance().setAcceptCookie(true); CookieManager.getInstance().setCookie(paramString1, paramString2);} }
}

所以真是的还是来看看,此时你以为事情就清晰了不,当在jd_gui中想转跳到CookieManager.getInstance()内部实现时,发现进不去,而且发现这里引用的是import android.webkit.CookieManager类,而hook起到作用的是anetwork.channel.cookie.CookieManager这个类的public static String getCookie(String paramString){…}才被调用,所以这个是骗人的

但是再次搜索在

  • anetwork.channel.unified.DegradeTask
  • anetwork.channel.unified.NetworkTask
    放下代码
package anetwork.channel.unified;import android.text.TextUtils;
import anet.channel.RequestCb;
import anet.channel.bytes.ByteArray;
import anet.channel.request.Cancelable;
import anet.channel.request.Request;
import anet.channel.session.HttpConnector;
import anet.channel.statist.RequestStatistic;
import anet.channel.util.ALog;
import anet.channel.util.HttpHelper;
import anet.channel.util.StringUtils;
import anetwork.channel.aidl.DefaultFinishEvent;
import anetwork.channel.cookie.CookieManager;
import com.taobao.codetrack.sdk.util.ReportUtil;
import java.util.List;
import java.util.Map;public class DegradeTask implements IUnifiedTask {private static final String TAG = "anet.DegradeTask";volatile Cancelable a;private RequestContext a = null;private int bc = 0;private int contentLength = 0;private volatile boolean isCanceled = false;private Request request;static {ReportUtil.dj(655715856);ReportUtil.dj(471853369);}public DegradeTask(RequestContext paramRequestContext) {this.a = paramRequestContext;this.request = paramRequestContext.config.b();}public void cancel() {this.isCanceled = true;if (this.a != null)this.a.cancel(); }public void run() {if (!this.isCanceled) {if (this.a.config.aW()) {//这里注意待会看看这个判断aw是什么,有意义String str = CookieManager.getCookie(this.a.config.getUrlString());if (!TextUtils.isEmpty(str)) {Request.Builder builder = this.request.a();String str1 = (String)this.request.getHeaders().get("Cookie");//这里注意1String str2 = str;if (!TextUtils.isEmpty(str1))str2 = StringUtils.b(str1, "; ", str); builder.a("Cookie", str2);//这里在看看builder.a方法是不是添加头键值对this.request = builder.a();} } this.request.rs.degraded = 2;this.request.rs.sendBeforeTime = System.currentTimeMillis() - this.request.rs.reqStart;HttpConnector.a(this.request, new RequestCb(this) {public void onDataReceive(ByteArray param1ByteArray, boolean param1Boolean) {if (!(DegradeTask.a(this.a)).isDone.get()) {DegradeTask.a(this.a);if ((DegradeTask.a(this.a)).a != null)(DegradeTask.a(this.a)).a.onDataReceiveSize(DegradeTask.b(this.a), DegradeTask.c(this.a), param1ByteArray); } }public void onFinish(int param1Int, String param1String, RequestStatistic param1RequestStatistic) {....}public void onResponseCode(int param1Int, Map<String, List<String>> param1Map) {....} }
}

下面放一下另一个基本差不多

package anetwork.channel.unified;import android.text.TextUtils;
import anet.channel.Config;
import anet.channel.GlobalAppRuntimeInfo;
import anet.channel.NoAvailStrategyException;
import anet.channel.RequestCb;
import anet.channel.Session;
import anet.channel.SessionCenter;
import anet.channel.SessionGetCallback;
import anet.channel.appmonitor.AppMonitor;
import anet.channel.bytes.ByteArray;
import anet.channel.entity.ConnInfo;
import anet.channel.entity.ENV;
import anet.channel.entity.SessionType;
import anet.channel.request.Cancelable;
import anet.channel.request.Request;
import anet.channel.session.HttpSession;
import anet.channel.statist.ExceptionStatistic;
import anet.channel.statist.RequestStatistic;
import anet.channel.statist.StatObject;
import anet.channel.status.NetworkStatusHelper;
import anet.channel.thread.ThreadPoolExecutorFactory;
import anet.channel.util.ALog;
import anet.channel.util.AppLifecycle;
import anet.channel.util.ErrorConstant;
import anet.channel.util.HttpHelper;
import anet.channel.util.HttpUrl;
import anet.channel.util.StringUtils;
import anetwork.channel.aidl.DefaultFinishEvent;
import anetwork.channel.cache.Cache;
import anetwork.channel.cache.CacheHelper;
import anetwork.channel.config.NetworkConfigCenter;
import anetwork.channel.cookie.CookieManager;
import anetwork.channel.http.NetworkSdkSetting;
import anetwork.channel.interceptor.Callback;
import com.taobao.codetrack.sdk.util.ReportUtil;
import java.io.ByteArrayOutputStream;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicBoolean;class NetworkTask implements IUnifiedTask {public static final int MAX_RSP_BUFFER_LENGTH = 131072;public static final String TAG = "anet.NetworkTask";volatile Cancelable a;Cache.Entry a;Cache a;ResponseBuffer a;RequestContext a = null;int bc;boolean br;boolean bs;ByteArrayOutputStream c;int contentLength;String f_refer;volatile boolean isCanceled;volatile AtomicBoolean isDone;static {ReportUtil.dj(-2085384120);ReportUtil.dj(471853369);}NetworkTask(RequestContext paramRequestContext, Cache paramCache, Cache.Entry paramEntry) {.....}private Session a() {......return a(null, sessionCenter, httpUrl, bool);}private Session a(Session paramSession, SessionCenter paramSessionCenter, HttpUrl paramHttpUrl, boolean paramBoolean) {return (Session)httpSession;}private SessionCenter a() {String str1 = this.a.config.getRequestProperty("APPKEY");if (TextUtils.isEmpty(str1))return SessionCenter.getInstance(); ENV eNV = ENV.ONLINE;//这里很熟悉,在抓包的头里面出现过这个String str2 = this.a.config.getRequestProperty("ENVIRONMENT");if ("pre".equalsIgnoreCase(str2)) {eNV = ENV.PREPARE;} else if ("test".equalsIgnoreCase(str2)) {eNV = ENV.TEST;} if (eNV != NetworkSdkSetting.CURRENT_ENV) {NetworkSdkSetting.CURRENT_ENV = eNV;SessionCenter.switchEnvironment(eNV);} Config config2 = Config.a(str1, eNV);Config config1 = config2;if (config2 == null)config1 = (new Config.Builder()).b(str1).a(eNV).c(this.a.config.getRequestProperty("AuthCode")).a(); return SessionCenter.getInstance(config1);}private Request a(Request paramRequest) {Request.Builder builder1 = null;Request.Builder builder2 = builder1;if (this.a.config.aW()) {//差不多一样先判断String str = CookieManager.getCookie(this.a.config.getUrlString());builder2 = builder1;if (!TextUtils.isEmpty(str)) {builder1 = paramRequest.a();String str2 = (String)paramRequest.getHeaders().get("Cookie");String str1 = str;if (!TextUtils.isEmpty(str2))str1 = StringUtils.b(str2, "; ", str); builder1.a("Cookie", str1);builder2 = builder1;} } Request.Builder builder3 = builder2;if (this.a != null) {builder1 = builder2;if (builder2 == null)builder1 = paramRequest.a(); if (((Cache.Entry)this.a).etag != null)builder1.a("If-None-Match", ((Cache.Entry)this.a).etag); builder3 = builder1;if (((Cache.Entry)this.a).lastModified > 0L) {builder1.a("If-Modified-Since", CacheHelper.e(((Cache.Entry)this.a).lastModified));builder3 = builder1;} } builder2 = builder3;if (this.a.config.bb == 0) {builder2 = builder3;if ("weex".equalsIgnoreCase(this.f_refer)) {builder2 = builder3;if (builder3 == null)builder2 = paramRequest.a(); builder2.b(3000);} } if (builder2 != null)paramRequest = builder2.a(); return paramRequest;}private static class ResponseBuffer {int code;Map<String, List<String>> header;List<ByteArray> v = new ArrayList<ByteArray>();static {ReportUtil.dj(229651421);}ResponseBuffer(int param1Int, Map<String, List<String>> param1Map) {this.code = param1Int;this.header = param1Map;}int a(Callback param1Callback, int param1Int) {....}void release() {...}
}

hook结果是NetworkTask在中操作的,接着看看if (this.a.config.aW()) {…}

  • anetwork.channel.entity. RequestConfig
public boolean aW() {return !"false".equalsIgnoreCase(this.a.getExtProperty("EnableCookie"));}

我只能说用的属性名叫"EnableCookie"却用等于false取反,水太深了

  • anetwork.channel.entity.RequestImpl
    明显有相关方法
  @Deprecatedpublic void setCookieEnabled(boolean paramBoolean) {String str;if (paramBoolean) {str = "true";} else {str = "false";} setExtProperty("EnableCookie", str);}public void setExtProperty(String paramString1, String paramString2) {if (!TextUtils.isEmpty(paramString1)) {if (this.extProperties == null)this.extProperties = new HashMap<String, String>(); this.extProperties.put(paramString1, paramString2);} }

hook这个方法发现确实有调用

(String)paramRequest.getHeaders().get(“Cookie”);
这个paramRequest是anet.channel.request.Request类应该很有操作性但是到现在已经够清楚了,这个是不是就不太重要了,之接放

 public Map<String, String> getHeaders() {return Collections.unmodifiableMap(this.headers);}

来看看这个 builder1.a(“Cookie”, str1);是不是调用了 hook监听下

 if (!TextUtils.isEmpty(str)) {builder1 = paramRequest.a();String str2 = (String)paramRequest.getHeaders().get("Cookie");String str1 = str;if (!TextUtils.isEmpty(str2))str1 = StringUtils.b(str2, "; ", str); builder1.a("Cookie", str1);//看看这个实现builder2 = builder1;}

顺便直接跳到Request类下面的Builder类a的实现

 public Builder a(String param1String1, String param1String2) {this.headers.put(param1String1, param1String2);return this;}

结果就是完全hook住了说明确实调用了

10019 10284 I EdXposed-Bridge: anet.channel.request.Request$Builder中public Builder a(String param1String1, String param1String2)
08-15 19:14:29.857 10019 10284 I EdXposed-Bridge: 参数1Content-Type 参数2application/x-www-form-urlencoded;charset=UTF-8
08-15 19:14:29.948 10019 10342 I EdXposed-Bridge: setCookieEnabled:false
08-15 19:14:29.948 10019 10342 I EdXposed-Bridge: setExtProperty方法 键:EnableCookie 值:false
08-15 19:14:29.948 10019 10342 I EdXposed-Bridge: addHeader方法 键:f-refer 值:picture
08-15 19:14:29.948 10019 10342 I EdXposed-Bridge: addHeader方法 键:User-Agent 值:TBAndroid/Native
08-15 19:14:29.949 10019 10342 I EdXposed-Bridge: setExtProperty方法 键:f-netReqStart 值:1629026069949
08-15 19:14:29.949 10019 10342 I EdXposed-Bridge: setExtProperty方法 键:f-traceId 值:null
08-15 19:14:29.949 10019 10342 I EdXposed-Bridge: setExtProperty方法 键:f-reqProcess 值:com.taobao.idlefish
08-15 19:14:29.971 10019 10319 I EdXposed-Bridge: setCookieEnabled:false
08-15 19:14:29.971 10019 10319 I EdXposed-Bridge: setExtProperty方法 键:EnableCookie 值:false
08-15 19:14:29.971 10019 10319 I EdXposed-Bridge: addHeader方法 键:f-refer 值:picture
08-15 19:14:29.971 10019 10319 I EdXposed-Bridge: addHeader方法 键:User-Agent 值:TBAndroid/Native
08-15 19:14:29.972 10019 10319 I EdXposed-Bridge: setExtProperty方法 键:f-netReqStart 值:1629026069972
08-15 19:14:29.972 10019 10319 I EdXposed-Bridge: setExtProperty方法 键:f-traceId 值:null
08-15 19:14:29.972 10019 10319 I EdXposed-Bridge: setExtProperty方法 键:f-reqProcess 值:com.taobao.idlefish
08-15 19:14:29.973 10019 10341 I EdXposed-Bridge: setCookieEnabled:false
08-15 19:14:29.973 10019 10341 I EdXposed-Bridge: setExtProperty方法 键:EnableCookie 值:false
08-15 19:14:29.973 10019 10341 I EdXposed-Bridge: addHeader方法 键:f-refer 值:picture
08-15 19:14:29.973 10019 10341 I EdXposed-Bridge: addHeader方法 键:User-Agent 值:TBAndroid/Native
08-15 19:14:29.973 10019 10341 I EdXposed-Bridge: setExtProperty方法 键:f-netReqStart 值:1629026069973
08-15 19:14:29.973 10019 10341 I EdXposed-Bridge: setExtProperty方法 键:f-traceId 值:null
08-15 19:14:29.973 10019 10341 I EdXposed-Bridge: setExtProperty方法 键:f-reqProcess 值:com.taobao.idlefish
08-15 19:14:30.034 10019 10284 I EdXposed-Bridge: NetworkTask:private Request a(Request paramRequest)中String str = CookieManager.getCookie(this.a.config.getUrlString());
08-15 19:14:30.034 10019 10272 I EdXposed-Bridge: NetworkTask:private Request a(Request paramRequest)中String str = CookieManager.getCookie(this.a.config.getUrlString());
08-15 19:14:30.035 10019 10272 I EdXposed-Bridge: NetworkTask:private Request a(Request paramRequest)中String str = CookieManager.getCookie(this.a.config.getUrlString());
08-15 19:14:30.272 10019 10309 I EdXposed-Bridge: setExtProperty方法 键:f-pTraceId 值:null

由此某鱼的Cookie就整的明明白白,但是虽然getCookie虽然要传入一个String参数 观察发现其实就是所请求的api,本以为请求的api得到的cookie字符串里面会有部分不同结果发现,不管用什么参数都返回相同cookie,本来想进去看一下这个方法但是…

 public static String getCookie(String paramString) {// Byte code://   0: aconst_null//   1: astore_1//   2: ldc anetwork/channel/cookie/CookieManager//   4: monitorenter//   5: aload_1//   6: astore_2//   7: invokestatic checkSetup : ()Z//   10: ifeq -> 23//   13: getstatic anetwork/channel/cookie/CookieManager.bn : Z//   16: istore_3//   17: iload_3//   18: ifne -> 28//   21: aload_1//   22: astore_2//   23: ldc anetwork/channel/cookie/CookieManager//   25: monitorexit//   26: aload_2//   27: areturn//   28: aconst_null//   29: astore_2//   30: getstatic anetwork/channel/cookie/CookieManager.webkitCookMgr : Landroid/webkit/CookieManager;//   33: aload_0//   34: invokevirtual getCookie : (Ljava/lang/String;)Ljava/lang/String;//   37: astore_1//   38: aload_1//   39: astore_2//   40: aload_0//   41: aload_2//   42: invokestatic g : (Ljava/lang/String;Ljava/lang/String;)V//   45: goto -> 23//   48: astore_0//   49: ldc anetwork/channel/cookie/CookieManager//   51: monitorexit//   52: aload_0//   53: athrow//   54: astore #4//   56: new java/lang/StringBuilder//   59: astore_1//   60: aload_1//   61: invokespecial <init> : ()V//   64: ldc 'anet.CookieManager'//   66: aload_1//   67: ldc 'get cookie failed. url='//   69: invokevirtual append : (Ljava/lang/String;)Ljava/lang/StringBuilder;//   72: aload_0//   73: invokevirtual append : (Ljava/lang/String;)Ljava/lang/StringBuilder;//   76: invokevirtual toString : ()Ljava/lang/String;//   79: aconst_null//   80: aload #4//   82: iconst_0//   83: anewarray java/lang/Object//   86: invokestatic b : (Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/Throwable;[Ljava/lang/Object;)V//   89: goto -> 40// Exception table://   from  to  target  type//   7  17  48  finally//   30  38  54  java/lang/Throwable//   30  38  48  finally//   40  45  48  finally//   56  89  48  finally}

那就这样吧

某鱼app获取Cookie(token)相关推荐

  1. 操作 js-cookie 获取 cookie 中的 token userInfo 用户头像

    1.操作 cookie 工具 - src/utils/cookie.js import Cookies from 'js-cookie'// Cookie的key值 export const Key ...

  2. 干货!自己的程序利用 编程猫 第三方登录获取用户token

    丨爬取API 关于编程猫的qq and WeChat的接口我已经为大家准备好了,拿来用就好了. QQ平台://www.codemao.cn/get-qq-code.html?appid=1012533 ...

  3. 前端怎么获取cookie的值_作为前端你必须要了解的安全性问题!

    前端技术不断发展,安全性的问题也越来越受到关注.作为前端工程师,保障网络安全也越来越重要. XSS攻击 XSS(Cross Site Scripting)跨站脚本攻击. 攻击者在网站上植入非法的htm ...

  4. Flask框架(flask中对cookie的处理(设置cookie、获取cookie、删除cookie))

    在Flask中对cookie的处理 1. 设置cookie: 设置cookie,默认有效期是临时cookie,浏览器关闭就失效 可以通过 max_age 设置有效期, 单位是秒 resp = make ...

  5. android获取app用户数据,Android 原生app获取用户授权访问Autodesk云应用数据

    oAuth机制对于网站间的授权管理是很容易实现的,设置好app回调端口,当数据服务提供方拿到其用户授权,则返回授权码发送到回调端口.上一篇文章介绍了如何授权Forge app访问Autodesk 云应 ...

  6. 使用identity+jwt保护你的webapi(二)——获取jwt token

    前言 上一篇已经介绍了identity在web api中的基本配置,本篇来完成用户的注册,登录,获取jwt token. 开始 开始之前先配置一下jwt相关服务. 配置JWT 首先NuGet安装包: ...

  7. 前端怎么获取cookie的值_京东购物小程序cookie方案实践(附Demo)

    一.前言 早期为了解决"会话保持"的需求,社区中出现了「cookie 方案」并最终成为 W3C 标准:当某个网站登录成功后,客户端(浏览器)收到一个 cookie 标识(文本)并保 ...

  8. python获取cookie值的方法_Python获取Cookie、设置Cookie的N种方法

    方法一通过python的requests包: import requests url = "https://fanyi.baidu.com" res = requests.get( ...

  9. Session/Cookie/Token还傻傻分不清?

    Cookie.Session.Token 傻傻分不清 Session/Cookie/Token 还傻傻分不清? 相信项目中用JWT Token的应该不在少数,但是发现网上很多文章对 token 的介绍 ...

最新文章

  1. 坚持写博客给我带来了什么
  2. python数据结构与算法(二)
  3. ai怎么画循环曲线_AI插画设计,用AI制作一个只可爱的短腿柯基插画
  4. servlet返回数据_JavaEE の Servlet - Http/Servlet - Day14 - 190507
  5. python3-Python3 zip() 函数
  6. binlog二进制文件解析
  7. 获取地址栏URL中参数, getQuerySting()方法
  8. python皮卡丘编程代码_再接再厉,用python编程13行代码解方程组(纯字符)
  9. 7-12(图) 社交网络图中结点的“重要性”计算(30 分)
  10. graphpad细胞增殖曲线_肿瘤干细胞?居然被这两个新加坡人轻松干掉了?
  11. 关于在hue当中执行定时任务,时间的设置。
  12. 【CCF】201803-2 碰撞的小球
  13. ViewPager切换滑动速度修改
  14. Linux 多播(组播)例程
  15. [转载] Python str方法
  16. Caffe的简介、依赖、框架
  17. BZOJ 1100 luogu 3454(计算几何+KMP)
  18. 到底该如何看待谭浩强的“C程序设计”
  19. 苹果12系统链接到服务器超时,苹果iphone12无法连接wifi怎么回事 解决方法分享
  20. win10默认壁纸位置

热门文章

  1. Spring 项目启动时,打印每个bean加载时间
  2. python代码下面有波浪线_pycharm出现波浪线有哪些原因
  3. linux vim命令pdf,Linux中vi、vim命令大全
  4. linux fish 中set 设定PATH 和BROWSER
  5. 极客日报第 53 期:抖音将代替拼多多成为春晚独家红包合作伙伴;高通正研发 8cx 升级版处理器,对标苹果 M1;DuckDuckGo 日查询量首次突破 1 亿
  6. 老毛桃还原windows server 2012 R2服务器
  7. Vue使用WebUploader上传文件/压缩包
  8. 第一批90后30岁了,该有多少存款?
  9. 如何在UnrealEngine虚幻引擎中进行版本管理
  10. c语言通讯录的遇到的问题,通讯录有问题求解(cpp)