Injector.java

1. package com.elynx.pogoxmitm;
2.  
3. import android.os.Build;
4.  
5. import java.io.InputStream;
6. import java.io.OutputStream;
7. import java.net.HttpURLConnection;
8. import java.nio.ByteBuffer;
9.  
10. import de.robv.android.xposed.IXposedHookLoadPackage;
11. import de.robv.android.xposed.XC_MethodHook;
12. import de.robv.android.xposed.XposedBridge;
13. import de.robv.android.xposed.callbacks.XC_LoadPackage.LoadPackageParam;
14.  
15. import static de.robv.android.xposed.XposedHelpers.findAndHookMethod;
16.  
17. /**
18.  * Class that manages injection of code into target app
19.  */
20. public class Injector implements IXposedHookLoadPackage {
21.     protected static String[] Methods = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"};
22.  
23.     protected static ThreadLocal<RpcContext> rpcContext = new ThreadLocal<RpcContext>() {
24.         @Override
25.         protected RpcContext initialValue() {
26.             return new RpcContext();
27.         }
28.     };
29.  
30.     public void handleLoadPackage(final LoadPackageParam lpparam) throws Throwable {
31.         if (!lpparam.packageName.equals("com.nianticlabs.pokemongo"))
32.             return;
33.  
34.         String NiaNetName = "com.nianticlabs.nia.network.NiaNet";
35.  
36.         // real http class names are from
37.         // https://goshin.github.io/2016/07/14/Black-box-test-using-Xposed/
38.         String HttpURLConnectionImplName;
39.         int apiLevel = Build.VERSION.SDK_INT;
40.  
41.         if (apiLevel >= 23) {
42.             HttpURLConnectionImplName = "com.android.okhttp.internal.huc.HttpURLConnectionImpl";
43.         } else if (apiLevel >= 19) {
44.             HttpURLConnectionImplName = "com.android.okhttp.internal.http.HttpURLConnectionImpl";
45.         } else {
46.             HttpURLConnectionImplName = "libcore.net.http.HttpURLConnectionImpl";
47.         }
48.  
49.         XposedBridge.log("Injecting into PoGo");
50.  
51.         // methods below are roughly in order or being called
52.         // note that joinHeaders and readDataSteam are called from doSyncRequest
53.         // method is executed in unknown context, make sure this is response for NiaNet
54.         findAndHookMethod(HttpURLConnectionImplName, lpparam.classLoader,
55.                 "getOutputStream",
56.                 new XC_MethodHook() {
57.                     @Override
58.                     protected void afterHookedMethod(MethodHookParam param) throws Throwable {
59.                         RpcContext context = rpcContext.get();
60.  
61.                         XposedBridge.log("[request] " + context.shortDump());
62.  
63.                         MitmOutputStream replacement = new MitmOutputStream((OutputStream) param.getResult(), context.requestId);
64.                         param.setResult(replacement);
65.  
66.                         if (BuildConfig.DEBUG) {
67.                             XposedBridge.log("Output stream replaced");
68.                         }
69.                     }
70.                 });
71.  
72.         // method is executed in unknown context, make sure this is response for NiaNet
73.         findAndHookMethod(HttpURLConnectionImplName, lpparam.classLoader,
74.                 "getInputStream",
75.                 new XC_MethodHook() {
76.                     @Override
77.                     protected void afterHookedMethod(MethodHookParam param) throws Throwable {
78.                         RpcContext context = rpcContext.get();
79.  
80.                         XposedBridge.log("[response] " + context.shortDump());
81.  
82.                         MitmInputStream replacement = new MitmInputStream((InputStream) param.getResult(), context.requestId);
83.                         param.setResult(replacement);
84.  
85.                         if (BuildConfig.DEBUG) {
86.                             XposedBridge.log("Input stream replaced");
87.                         }
88.                     }
89.                 });
90.     }
91. }