Primer paso de la investigacion. Se aportan el .apk, las carpetas con el apk extraido y el apk descompilado. El archivo API_DOCUMENTATION.md es un archivo donde se anotaran los descubrimientos del funcionamiento de la API, y los .py son scripts para probar la funcionalidad de la API con los métodos que vayamos encontrando. Finalmente, los archivos .js son scripts de Frida para extraer informacion de la APP durante la ejecucion.

frida_scripts/frida_capture_request_body.js

@@ -0,0 +1,132 @@
+/**
+ * Capture REQUEST BODY using writeTo() method
+ */
+
+console.log("\n[*] Capturing REQUEST Bodies\n");
+
+Java.perform(function() {
+
+    try {
+        var AuthHeaderInterceptor = Java.use("com.adif.elcanomovil.serviceNetworking.interceptors.AuthHeaderInterceptor");
+        console.log("[+] Found AuthHeaderInterceptor");
+
+        // Try to find Buffer class
+        var Buffer = null;
+        var bufferNames = ["r.f", "r3.f", "okio.Buffer", "r3.Buffer"];
+        for (var i = 0; i < bufferNames.length; i++) {
+            try {
+                Buffer = Java.use(bufferNames[i]);
+                console.log("[+] Found Buffer class: " + bufferNames[i]);
+                break;
+            } catch (e) {
+                // Try next
+            }
+        }
+
+        if (!Buffer) {
+            console.log("[-] Could not find Buffer class, trying without pre-loading");
+        }
+
+        AuthHeaderInterceptor.intercept.implementation = function(chain) {
+            console.log("\n" + "=".repeat(80));
+            console.log("[HTTP REQUEST]");
+
+            try {
+                // Cast chain
+                var ChainClass = Java.use("j3.g");
+                var chainObj = Java.cast(chain, ChainClass);
+
+                // Get request
+                var requestField = chainObj.getClass().getDeclaredField("e");
+                requestField.setAccessible(true);
+                var request = requestField.get(chainObj);
+
+                if (request) {
+                    // Get URL
+                    var urlField = request.getClass().getDeclaredField("a");
+                    urlField.setAccessible(true);
+                    var urlObj = urlField.get(request);
+                    console.log("[URL] " + urlObj.toString());
+
+                    // Get method
+                    var methodField = request.getClass().getDeclaredField("b");
+                    methodField.setAccessible(true);
+                    var method = methodField.get(request);
+                    console.log("[METHOD] " + method);
+
+                    // Get request body
+                    var bodyField = request.getClass().getDeclaredField("d");
+                    bodyField.setAccessible(true);
+                    var reqBody = bodyField.get(request);
+
+                    if (reqBody) {
+                        try {
+                            // If Buffer wasn't found, try to load it now
+                            if (!Buffer) {
+                                var bufferNames = ["r.f", "r3.f", "okio.Buffer", "r3.Buffer"];
+                                for (var i = 0; i < bufferNames.length; i++) {
+                                    try {
+                                        Buffer = Java.use(bufferNames[i]);
+                                        break;
+                                    } catch (e) {}
+                                }
+                            }
+
+                            if (Buffer) {
+                                // Create a temporary buffer
+                                var buffer = Buffer.$new();
+
+                                // Try to cast buffer to BufferedSink if needed
+                                try {
+                                    var BufferedSink = Java.use("r3.i");
+                                    var sink = Java.cast(buffer, BufferedSink);
+
+                                    // Call writeTo passing the sink
+                                    reqBody.writeTo(sink);
+                                } catch (e) {
+                                    // If cast fails, try direct call
+                                    reqBody.writeTo(buffer);
+                                }
+
+                                // Read the content as UTF-8 string
+                                var bodyContent = buffer.B0();  // readUtf8()
+
+                                console.log("\n[REQUEST BODY]");
+                                if (bodyContent && bodyContent.length > 0) {
+                                    if (bodyContent.length > 2000) {
+                                        console.log(bodyContent.substring(0, 2000));
+                                        console.log("\n... (truncated, total: " + bodyContent.length + " chars)");
+                                    } else {
+                                        console.log(bodyContent);
+                                    }
+                                } else {
+                                    console.log("(empty)");
+                                }
+                            } else {
+                                console.log("\n[REQUEST BODY] Could not load Buffer class");
+                            }
+
+                        } catch (e) {
+                            console.log("[REQUEST BODY ERROR] " + e);
+                        }
+                    } else {
+                        console.log("[REQUEST BODY] null");
+                    }
+                }
+
+            } catch (e) {
+                console.log("[ERROR] " + e);
+            }
+
+            console.log("=".repeat(80) + "\n");
+
+            // Call original
+            return this.intercept(chain);
+        };
+
+        console.log("[*] Hook installed!\n");
+
+    } catch (e) {
+        console.log("[-] Failed: " + e);
+    }
+});