version: 23.9
X-SS=STUB:
搜索:x-tt-dt
var hashMap = Java.use(“java.util.HashMap”);
hashMap.put.implementation = function (a, b) {
console.log(“hashMap.put: “, a, b);
return this.put(a, b);
}
常见算法Hook:
# -*- coding: utf-8 -*-import frida
import sys# HOOK指定类的所有重载方法
jscode = “””
Java.perform(function() {
//Base64
var base64=Java.use(‘android.util.Base64’);
var string=Java.use(‘java.lang.String’);
/*base64.encode.overload(‘[B’, ‘int’, ‘int’, ‘int’).implementation = function(){
send(“=================base64 encode====================”);
send(Java.use(“android.util.Log”).getStackTraceString(Java.use(“java.lang.Throwable”).$new()));
send(arguments[0]);
send(arguments[1]);
send(arguments[2]);
send(arguments[3]);
var data=this.encode(arguments[0],arguments[1],arguments[2],arguments[3])
send(“base64:”+string.$new(data));
return data;
}*//*base64.decode.overload(‘[B’, ‘int’, ‘int’, ‘int’).implementation = function(){
send(“=================base64 decode====================”);
send(Java.use(“android.util.Log”).getStackTraceString(Java.use(“java.lang.Throwable”).$new()));
send(arguments[0]);
send(arguments[1]);
send(arguments[2]);
send(arguments[3]);
var data=this.decode(arguments[0],arguments[1],arguments[2],arguments[3])
send(“base64:”+string.$new(data));
return data;
}*/// MD SHA
var messageDigest=Java.use(‘java.security.MessageDigest’);
// update
for(var i = 0; i < messageDigest.update.overloads.length; i++){
messageDigest.update.overloads[i].implementation = function(){
var name=this.getAlgorithm()
send(“=================”+name+”====================”);
send(Java.use(“android.util.Log”).getStackTraceString(Java.use(“java.lang.Throwable”).$new()));
if(arguments.length == 1){
send(arguments[0]);
this.update(arguments[0]);
}else if(arguments.length == 3){
send(arguments[0]);
send(arguments[1]);
send(arguments[2]);
this.update(arguments[0],arguments[1],arguments[2]);
}
}
}
// digest
for(var i = 0; i < messageDigest.digest.overloads.length; i++){
messageDigest.digest.overloads[i].implementation = function(){
var name=this.getAlgorithm()
send(“=================”+name+”====================”);
send(Java.use(“android.util.Log”).getStackTraceString(Java.use(“java.lang.Throwable”).$new()));
if(arguments.length == 0){
var data=this.digest();
send(data);
return data;
}else if(arguments.length == 1){
send(arguments[0]);
var data=this.digest(arguments[0]);
send(data);
return data;
}else if(arguments.length == 3){
send(arguments[0]);
send(arguments[1]);
send(arguments[2]);
var data=this.digest(arguments[0],arguments[1],arguments[2]);
send(data);
return data;
}
}
}
//MAC
var mac=Java.use(‘javax.crypto.Mac’);
for(var i = 0; i < mac.doFinal.overloads.length; i++){
mac.doFinal.overloads[i].implementation = function(){
var name=this.getAlgorithm()
send(“=================”+name+”====================”);
send(Java.use(“android.util.Log”).getStackTraceString(Java.use(“java.lang.Throwable”).$new()));
if(arguments.length == 0){
var data=this.doFinal();
send(data);
return data;
}else if(arguments.length == 1){
send(arguments[0]);
var data=this.doFinal(arguments[0]);
send(data);
return data;
}else if(arguments.length == 2){
send(arguments[0]);
send(arguments[1]);
var data=this.doFinal(arguments[0],arguments[1]);
send(data);
return data;
}
}
}// DES DESede AES PBE RSA
var cipher=Java.use(‘javax.crypto.Cipher’);
for(var i = 0; i < cipher.doFinal.overloads.length; i++){
cipher.doFinal.overloads[i].implementation = function(){
var name=this.getAlgorithm()
send(“=================”+name+”====================”);
send(Java.use(“android.util.Log”).getStackTraceString(Java.use(“java.lang.Throwable”).$new()));
if(arguments.length == 0){
var data=this.doFinal();
send(data);
return data;
}else if(arguments.length == 1){
send(arguments[0]);
var data=this.doFinal(arguments[0]);
send(data);
return data;
}else if(arguments.length == 2){
send(arguments[0]);
send(arguments[1]);
var data=this.doFinal(arguments[0],arguments[1]);
send(data);
return data;
}else if(arguments.length == 3){
send(arguments[0]);
send(arguments[1]);
send(arguments[2]);
var data=this.doFinal(arguments[0],arguments[1],arguments[2]);
send(data);
return data;
}else if(arguments.length == 5){
send(arguments[0]);
send(arguments[1]);
send(arguments[2]);
send(arguments[3]);
send(arguments[4]);
var data=this.doFinal(arguments[0],arguments[1],arguments[2],arguments[3],arguments[4]);
send(data);
return data;
}else{
send(arguments[0]);
send(arguments[1]);
send(arguments[2]);
send(arguments[3]);
var data=this.doFinal(arguments[0],arguments[1],arguments[2],arguments[3]);
send(data);
return data;
}
}
}//KEY
var secretKey=Java.use(‘javax.crypto.spec.SecretKeySpec’);
for(var i = 0; i < secretKey.$init.overloads.length; i++){
secretKey.$init.overloads[i].implementation = function(){
var name=this.getAlgorithm()
send(“=================KEY====================”);
//send(Java.use(“android.util.Log”).getStackTraceString(Java.use(“java.lang.Throwable”).$new()));
if(arguments.length == 2){
send(arguments[0]);
send(arguments[1]);
this.$init(arguments[0],arguments[1]);
}else if(arguments.length == 4){
send(arguments[0]);
send(arguments[1]);
send(arguments[2]);
send(arguments[3]);
this.$init(arguments[0],arguments[1],arguments[2],arguments[3]);
}
}
}
//IV
//DES KEY
//DESede KEY
//PBE KEY salt
});
“””def message(message, data):
if message[“type”] == ‘send’:
print(“[*] {0}”.format(message[‘payload’]))
else:
print(message)# process = frida.get_device_manager().add_remote_device(‘127.0.0.1:31928’).attach(‘com.jingdong.app.mall’)
process = frida.get_remote_device().attach(‘com.tencent.mm’)
script = process.create_script(jscode)
script.on(“message”, message)
script.load()
sys.stdin.read()
先降级抓包:
// frida -U -l proxy.js -no-pause -f com.ss.android.ugc.aweme
setImmediate(function () {
Java.perform(function () {
var targetClass = ‘org.chromium.CronetClient’;
var methodName = ‘tryCreateCronetEngine’;
var gclass = Java.use(targetClass);
gclass[methodName].overload(‘android.content.Context’, ‘boolean’, ‘boolean’, ‘boolean’, ‘boolean’, ‘java.lang.String’, ‘java.util.concurrent.Executor’, ‘boolean’).implementation = function (arg0, arg1, arg2, arg3, arg4, arg5, arg6, arg7) {
}
});
Java.perform(function () {
let a = Java.use(“ms.bd.c.j2$a”);
var TreeMap = Java.use(‘java.util.TreeMap’);
var HashMap = Java.use(‘java.util.HashMap’);a[“onCallToAddSecurityFactor”].implementation = function (str, map) {
console.log(`a.onCallToAddSecurityFactor is called: str=${str}, map=${Java.cast(map, TreeMap).toString()}`);
let result = this[“onCallToAddSecurityFactor”](str, map);
console.log(“result:” + Java.cast(result, HashMap).toString());
return result;
};
});
});
import frida
import sysjscode = “””
Java.perform(function () {
var hashMap = Java.use(“java.util.HashMap”);
hashMap.put.implementation = function (a, b) {
console.log(“hashMap.put: “, a, b);
if(a.equals(“X-Ladon”)){
console.log(“=================================================”);
console.log(“hashMap.put: “, a, b);
console.log(Java.use(“android.util.Log”).getStackTraceString(Java.use(“java.lang.Throwable”).$new()));
}
return this.put(a, b);
}
});
“””def message(msg, data):
if msg[“type”] == ‘send’:
print(“[*] {0}”.format(msg[‘payload’]))
else:
print(msg)# 指定要附加的设备app
# com.ss.android.ugc.aweme
process = frida.get_usb_device().attach(‘抖音’)
#
script = process.create_script(jscode)
script.on(“message”, message)
script.load()
sys.stdin.read()