/** * Capture REQUEST BODY using writeTo() method */ console.log("\n[*] Capturing REQUEST Bodies\n"); Java.perform(function() { try { var AuthHeaderInterceptor = Java.use("com.adif.elcanomovil.serviceNetworking.interceptors.AuthHeaderInterceptor"); console.log("[+] Found AuthHeaderInterceptor"); // Try to find Buffer class var Buffer = null; var bufferNames = ["r.f", "r3.f", "okio.Buffer", "r3.Buffer"]; for (var i = 0; i < bufferNames.length; i++) { try { Buffer = Java.use(bufferNames[i]); console.log("[+] Found Buffer class: " + bufferNames[i]); break; } catch (e) { // Try next } } if (!Buffer) { console.log("[-] Could not find Buffer class, trying without pre-loading"); } AuthHeaderInterceptor.intercept.implementation = function(chain) { console.log("\n" + "=".repeat(80)); console.log("[HTTP REQUEST]"); try { // Cast chain var ChainClass = Java.use("j3.g"); var chainObj = Java.cast(chain, ChainClass); // Get request var requestField = chainObj.getClass().getDeclaredField("e"); requestField.setAccessible(true); var request = requestField.get(chainObj); if (request) { // Get URL var urlField = request.getClass().getDeclaredField("a"); urlField.setAccessible(true); var urlObj = urlField.get(request); console.log("[URL] " + urlObj.toString()); // Get method var methodField = request.getClass().getDeclaredField("b"); methodField.setAccessible(true); var method = methodField.get(request); console.log("[METHOD] " + method); // Get request body var bodyField = request.getClass().getDeclaredField("d"); bodyField.setAccessible(true); var reqBody = bodyField.get(request); if (reqBody) { try { // If Buffer wasn't found, try to load it now if (!Buffer) { var bufferNames = ["r.f", "r3.f", "okio.Buffer", "r3.Buffer"]; for (var i = 0; i < bufferNames.length; i++) { try { Buffer = Java.use(bufferNames[i]); break; } catch (e) {} } } if (Buffer) { // Create a temporary buffer var buffer = Buffer.$new(); // Try to cast buffer to BufferedSink if needed try { var BufferedSink = Java.use("r3.i"); var sink = Java.cast(buffer, BufferedSink); // Call writeTo passing the sink reqBody.writeTo(sink); } catch (e) { // If cast fails, try direct call reqBody.writeTo(buffer); } // Read the content as UTF-8 string var bodyContent = buffer.B0(); // readUtf8() console.log("\n[REQUEST BODY]"); if (bodyContent && bodyContent.length > 0) { if (bodyContent.length > 2000) { console.log(bodyContent.substring(0, 2000)); console.log("\n... (truncated, total: " + bodyContent.length + " chars)"); } else { console.log(bodyContent); } } else { console.log("(empty)"); } } else { console.log("\n[REQUEST BODY] Could not load Buffer class"); } } catch (e) { console.log("[REQUEST BODY ERROR] " + e); } } else { console.log("[REQUEST BODY] null"); } } } catch (e) { console.log("[ERROR] " + e); } console.log("=".repeat(80) + "\n"); // Call original return this.intercept(chain); }; console.log("[*] Hook installed!\n"); } catch (e) { console.log("[-] Failed: " + e); } });