/** * Capture REQUEST BODY by hooking MoshiRequestBodyConverter */ console.log("\n[*] Capturing REQUEST Bodies via MoshiRequestBodyConverter\n"); Java.perform(function() { // Hook MoshiRequestBodyConverter.convert() directly try { var MoshiRequestBodyConverter = Java.use("retrofit2.converter.moshi.MoshiRequestBodyConverter"); console.log("[+] Found MoshiRequestBodyConverter"); var convertOriginal = MoshiRequestBodyConverter.convert.overload('java.lang.Object'); convertOriginal.implementation = function(obj) { // BEFORE calling original, serialize the object ourselves to capture it try { // Get the adapter field to serialize the object var adapterField = this.getClass().getDeclaredField("adapter"); adapterField.setAccessible(true); var adapter = adapterField.get(this); // Create our own buffer and writer to capture the JSON var Buffer = Java.use("r3.f"); var tempBuffer = Buffer.$new(); // Create JsonWriter with buffer var JsonWriter = Java.use("Z2.t"); var JsonWriterConstructor = JsonWriter.class.getDeclaredConstructor([Java.use("r3.i").class]); JsonWriterConstructor.setAccessible(true); var tempWriter = JsonWriterConstructor.newInstance([tempBuffer]); // Serialize to our buffer adapter.toJson(tempWriter, obj); tempWriter.close(); // Read the JSON var jsonContent = tempBuffer.B0(); // readUtf8() console.log("\n" + "=".repeat(80)); console.log("[CAPTURED REQUEST BODY]"); if (jsonContent && jsonContent.length > 0) { if (jsonContent.length > 3000) { console.log(jsonContent.substring(0, 3000)); console.log("\n... (truncated, total: " + jsonContent.length + " chars)"); } else { console.log(jsonContent); } } else { console.log("(empty)"); } console.log("=".repeat(80) + "\n"); } catch (e) { console.log("[CAPTURE ERROR] " + e); } // Call original to return the actual RequestBody return convertOriginal.call(this, obj); }; console.log("[*] MoshiRequestBodyConverter hook installed!\n"); } catch (e) { console.log("[-] Failed to hook MoshiRequestBodyConverter: " + e); } // Also hook the Auth interceptor to show URLs try { var AuthHeaderInterceptor = Java.use("com.adif.elcanomovil.serviceNetworking.interceptors.AuthHeaderInterceptor"); console.log("[+] Found AuthHeaderInterceptor"); AuthHeaderInterceptor.intercept.implementation = function(chain) { try { // Cast chain var ChainClass = Java.use("j3.g"); var chainObj = Java.cast(chain, ChainClass); // Get request var requestField = chainObj.getClass().getDeclaredField("e"); requestField.setAccessible(true); var request = requestField.get(chainObj); if (request) { // Get URL var urlField = request.getClass().getDeclaredField("a"); urlField.setAccessible(true); var urlObj = urlField.get(request); // Get method var methodField = request.getClass().getDeclaredField("b"); methodField.setAccessible(true); var method = methodField.get(request); console.log("\n[REQUEST] " + method + " " + urlObj.toString()); } } catch (e) { console.log("[URL CAPTURE ERROR] " + e); } // Call original return this.intercept(chain); }; console.log("[*] Interceptor hook installed!\n"); } catch (e) { console.log("[-] Failed to hook AuthHeaderInterceptor: " + e); } });