Created
November 27, 2020 15:25
-
-
Save depau/f6186475c46c25a766b29a5a2e5af964 to your computer and use it in GitHub Desktop.
Tapo app Frida request inspector
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
setTimeout(function() { | |
Java.perform(function () { | |
var Account = Java.use("com.tplink.libtpnetwork.cameranetwork.model.Account"); | |
var Request = Java.use("com.tplink.libtpnetwork.cameranetwork.model.Request"); | |
var Response = Java.use("com.tplink.libtpnetwork.cameranetwork.model.Response"); | |
var TPIoTResponse = Java.use("com.tplink.libtpnetwork.IoTNetwork.TPIoTResponse"); | |
var RequestInterceptor = Java.use("com.tplink.libtpnetwork.cameranetwork.c.a.a.b"); | |
var ByteString = Java.use("com.android.okhttp.okio.ByteString"); | |
var Buffer = Java.use("com.android.okhttp.okio.Buffer"); | |
var OkRequest = Java.use("okhttp3.Request"); | |
var OkBuilder = Java.use("okhttp3.Request$Builder"); | |
Account.$init.implementation = function(user, pass, somebool) { | |
console.log("new Account(" + user + ", " + pass + ", " + somebool + ")"); | |
return this.$init(user, pass, somebool); | |
} | |
console.log("Injected Account"); | |
// Request.$init.overload('com.tplink.libtpnetwork.cameranetwork.model.Method', 'java.lang.Object').implementation = function(method, request) { | |
// console.log("new Request(" + method + ", " + request.toString() + ")"); | |
// return this.$init(method, request); | |
// } | |
// Request.$init.overload('java.lang.String', 'java.lang.Object').implementation = function(method, request) { | |
// console.log("new Request(" + method + ", " + request.toString() + ")"); | |
// return this.$init(method, request); | |
// } | |
// console.log("Injected Request"); | |
RequestInterceptor.intercept.implementation = function(chain) { | |
var request = chain.request(); | |
try { | |
console.log("MyInterceptor.intercept onEnter:", request, "\nrequest headers:\n", request.headers()); | |
var requestBody = request.body(); | |
var contentLength = requestBody ? requestBody.contentLength() : 0; | |
if (contentLength > 0) { | |
var BufferObj = Buffer.$new(); | |
requestBody.writeTo(BufferObj); | |
try { | |
console.log("\nrequest body String:\n", BufferObj.readString(), "\n"); | |
} catch (error) { | |
try { | |
console.log("\nrequest body ByteString:\n", ByteString.of(BufferObj.readByteArray()).hex(), "\n"); | |
} catch (error) { | |
console.log("error try read body:", error); | |
} | |
} | |
} | |
} catch (error) { | |
console.log("error first part:", error); | |
} | |
var response = this.intercept(chain); | |
// try { | |
// console.log("MyInterceptor.intercept onLeave:", response, "\nresponse headers:\n", response.headers()); | |
// var responseBody = response.body(); | |
// console.log("\nresponseBody:", responseBody, "\n"); | |
// | |
// var ContentType = response.headers().get("Content-Type"); | |
// console.log("ContentType:", ContentType); | |
// if (ContentType.indexOf("video") == -1) { | |
// if (ContentType.indexOf("application") == 0) { | |
// var source = responseBody.source(); | |
// if (ContentType.indexOf("application/zip") != 0) { | |
// try { | |
// console.log("\nresponse.body StringClass\n", source.readUtf8(), "\n"); | |
// } catch (error) { | |
// try { | |
// console.log("\nresponse.body ByteString\n", source.readByteString().hex(), "\n"); | |
// } catch (error) { | |
// console.log("error try read resp body:", error); | |
// } | |
// } | |
// } | |
// } | |
// } | |
// | |
// } catch (error) { | |
// console.log("error main:", error); | |
// } | |
return response; | |
}; | |
// PluginService.doCheck.implementation = function() { | |
// console.log("hijacked doCheck"); | |
// } | |
// | |
// var pfinit = PluginFunctions.$init.overload("com.android.tcplugins.FileSystem.PluginService", "android.app.PendingIntent"); | |
// pfinit.implementation = function(a, b) { | |
// var ret = this.$init(a, b); | |
// this.isUserDebugMode = true; | |
// this.isUserExtendedDebugMode = true; | |
// this.isUserDumpAllReadAccess = true; | |
// return ret; | |
// } | |
}); | |
}, 0); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment