├── .gitignore ├── LICENSE ├── README-EN.md ├── README.md ├── debug-server ├── android_server ├── android_server64 ├── android_server_nonpie ├── android_x86_server ├── gdbserver ├── gdbserver64 ├── lldb-server └── lldb-server64 ├── frida ├── frida-server-12.6.5-android-arm └── frida-server-12.6.5-android-arm64 ├── install.sh ├── screenshot ├── adb-app-apk.png ├── adb-app-sign.png ├── adb-app-so.jpeg ├── adb-app.png ├── adb-debug-gdb.png ├── adb-debug-ida.jpeg ├── adb-debug-lldb.png ├── adb-device.png ├── adb-frida.png └── adb-xlog.png ├── script ├── agent.js ├── dumpdex.py ├── pinning.js └── pstree.sh ├── source ├── build.sh └── mprop.c ├── tools ├── mprop └── mprop32 └── xadb.sh /.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2019 xia0 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README-EN.md: -------------------------------------------------------------------------------- 1 | # xadb 2 | An automation shell script for Android: it sets up the ida/gdb/lldb debugging environment automatically, retrieves device and app information, and so on. 3 | 4 | #### Install 5 | 6 | - `git clone xadb_git_project;` 7 | - `cd xadb` 8 | - `./install.sh the_android_sdk_path ` example: `./install.sh ~/xia0/android/sdk` 9 | - If your shell is bash, run: `source ~/.bash_profile` 10 | - If your shell is zsh, run: `source ~/.zshrc` 11 | 12 | #### Command 13 | 14 | > Tips: adb stays compatible with all of its built-in commands. Tested on a Pixel 2 (Android 8) and a Pixel 3 (Android 9). 15 | > 16 | > Only a 64-bit build of `mprop` is provided; if your device is 32-bit, you can compile it yourself. 17 | > 18 | > The mprop source code and build script are provided in the source directory. 19 | 20 | **About unpacking: the earlier frida-based unpacking script could only handle first-generation packers and had poor compatibility, so it has not been released for now. If anyone has a better approach, send a PR or contact me to improve this part.** 21 | 22 | ``` 23 | adb device [imei] show connected android device basic info 24 | adb app [sign/so/pid/apk/debug/dump] show current app, debug and dump dex 25 | adb xlog [package] logcat just current app or special package 26 | adb debug [ida/ida64,lldb/lldb64, gdb/gdb64] open debug and setup ida/lldb/gdb debug enviroment 27 | adb frida/64 start frida server on device 28 | adb pcat [remote-file] copy device file to local 29 | adb pstree show the process tree of device 30 | adb -h show this help usage 31 | adb update update xadb for new version! 
32 | ``` 33 | 34 | 35 | 36 | #### Project developers 37 | 38 | - [xia0](https://github.com/4ch12dy) 39 | - [hluwa](https://github.com/hluwa) 40 | 41 | 42 | 43 | #### Update 44 | 45 | - 2019-08-04/added the pstree command: `adb pstree` 46 | 47 | ``` 48 | |\ 49 | | 1 root init 50 | | |\ 51 | | | 567 root init subcontext u:r:vendor_init:s0 9 52 | | |\ 53 | | | 568 root init subcontext u:r:vendor_init:s0 10 54 | | |\ 55 | | | 569 root ueventd 56 | | |\ 57 | | | 582 logd logd 58 | | |\ 59 | | | 583 system qseecomd 60 | | | \ 61 | | | 606 system qseecomd 62 | | |\ 63 | | | 585 system android.hardware.keymaster@4.0-service-qti 64 | | |\ 65 | | | 586 system vndservicemanager /dev/vndbinder 66 | | |\ 67 | | | 587 hsm citadeld 68 | ... 69 | ``` 70 | 71 | - 2019-08-05/added support for a custom debug port when debugging with ida 72 | 73 | Usage: 74 | 75 | - `adb debug ida 23333` sets the debug port to 23333 76 | 77 | - `adb debug ida` uses 23946 as the default debug port 78 | 79 | 80 | 81 | 82 | #### Screenshot 83 | 84 | ![adb-device](https://github.com/4ch12dy/xadb/blob/master/screenshot/adb-device.png?raw=true) 85 | 86 | 87 | 88 | ![adb-app](https://github.com/4ch12dy/xadb/blob/master/screenshot/adb-app.png?raw=true) 89 | 90 | 91 | 92 | ![adb-app-so](https://github.com/4ch12dy/xadb/blob/master/screenshot/adb-app-so.jpeg?raw=true) 93 | 94 | 95 | 96 | ![adb-app-sign](https://github.com/4ch12dy/xadb/blob/master/screenshot/adb-app-sign.png?raw=true) 97 | 98 | 99 | 100 | ![adb-app-apk](https://github.com/4ch12dy/xadb/blob/master/screenshot/adb-app-apk.png?raw=true) 101 | 102 | 103 | 104 | ![adb-debug-ida](https://github.com/4ch12dy/xadb/blob/master/screenshot/adb-debug-ida.jpeg?raw=true) 105 | 106 | 107 | 108 | ![adb-debug-gdb](https://github.com/4ch12dy/xadb/blob/master/screenshot/adb-debug-gdb.png?raw=true) 109 | 110 | 111 | 112 | ![adb-debug-lldb](https://github.com/4ch12dy/xadb/blob/master/screenshot/adb-debug-lldb.png?raw=true) 113 | 114 | 115 | 116 | 
![adb-frida](https://github.com/4ch12dy/xadb/blob/master/screenshot/adb-frida.png?raw=true) 117 | 118 | 119 | 120 | ![adb-xlog](https://github.com/4ch12dy/xadb/blob/master/screenshot/adb-xlog.png?raw=true) -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # xadb 2 | [English README](./README-EN.md) 3 | 4 | 5 | 6 | An automation script for Android reverse engineering: one-command debugging setup (ida/gdb/lldb), one-command viewing of app and device information, one-command unpacking, and so on. 7 | 8 | #### Installation 9 | 10 | - Cloning the project with git is recommended; downloading the zip archive directly means it cannot be updated. 11 | 12 | `git clone xadb_git_project` 13 | 14 | - Change into the xadb project directory: `cd xadb` 15 | 16 | - Run the install script inside it and specify the SDK path; if none is specified, the default Android Studio SDK path is used. 17 | 18 | `./install.sh the_android_sdk_path ` for example: `./install.sh ~/xia0/android/sdk` 19 | 20 | - If your terminal environment is bash, run 21 | 22 | `source ~/.bash_profile` 23 | 24 | - If your terminal environment is zsh, run 25 | 26 | `source ~/.zshrc` 27 | 28 | #### Notes 29 | 30 | The project ships some binary files, so it is somewhat large. Fetching it with git is still recommended. 31 | 32 | You can replace the files in debug-server, frida and the other directories to suit your environment. If they have already been pushed to the remote device, replace the directories on your computer and then use the following commands to update those files: 33 | 34 | ```shell 35 | adb agent reinstall # delete all xadb-related files on the Android device and reinstall them from the computer 36 | adb agent clean # delete all files under /data/local/tmp on the Android device 37 | ``` 38 | 39 | 40 | 41 | 42 | #### Important updates 43 | 44 | - [2019/08/22] # xadb integrates unpacking of first-generation packers (powered by hluwa) 45 | 46 | - [2019/09/03] # xadb adds support for running in the MINGW64 shell on Windows (if you find a bug, please open an issue) 47 | 48 | #### Supported commands 49 | 50 | > Note: adb stays compatible with all of its built-in commands. Tested on a Pixel 2 (Android 8) and a Pixel 3 (Android 9). 51 | > 52 | > The mprop source code and build script are provided in the source directory. 53 | 54 | ``` 55 | device 56 | [imei] show connected android device basic info 57 | serial 58 | [-s/-r] set/remove adb connect device serial such as emulator connecting 59 | app 60 | [sign/so/pid/apk/debug/dump] show current app, debug and dump dex 61 | xlog 62 | [package] logcat just current app or special pid 63 | debug 64 | [ida/ida64,lldb/lldb64, gdb/gdb64] open debug and setup ida/lldb/gdb debug enviroment 65 | frida/64 66 | start frida server on device 67 | scp 68 | 
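local/remote remote/local copy device file to local or copy local file to device 69 | pstree 70 | show the process tree of device 71 | sign 72 | [local-apk-file] show sign of local apk file 73 | agent 74 | [clean/reinstall] clean caches and reinstall agent 75 | -h 76 | show this help usage 77 | update 78 | update xadb for new version! 79 | ``` 80 | 81 | - adb device 82 | 83 | Retrieves basic device information: brand, IMEI, supported architectures, OS version, SDK version, Wi-Fi address, whether debugging is enabled, and so on. 84 | 85 | - adb serial [set/remove] 86 | 87 | Sets the serial number of the device to connect to (obtained via `adb devices`), which is especially useful when you need to connect to an emulator. Once set, adb connects to the device with that serial number. The default is the device connected by USB cable; to restore the default, remove the previously set serial number. 88 | 89 | Example usage 90 | 91 | ```shell 92 | xia0 ~ $ adb devices # list the serial numbers of all connectable devices 93 | List of devices attached 94 | 88VX03A6L device 95 | emulator-5554 device 96 | 97 | adb serial -s emulator-5554 # connect to the device with the given serial number 98 | adb serial -r # remove the configured serial number 99 | 100 | adb device # the device connected by USB cable, by default 101 | ``` 102 | 103 | 104 | 105 | - adb app [sign/so/pid/apk/debug/dump/screen] 106 | 107 | This command mainly retrieves basic information about the currently running app. Running `adb app` directly gives the following information: 108 | 109 | ``` 110 | app=com.tencent.mm 111 | pid=11574 11607 112 | activity=com.tencent.mm/com.tencent.mm.plugin.account.ui.LoginPasswordUI 113 | appdir=/data/app/com.tencent.mm-2YcjHxlY7eF18ihMCYbVEw== 114 | datadir=/data/user/0/com.tencent.mm 115 | ``` 116 | 117 | That is, the usual package name, all process IDs, the current activity, the app path and the sandbox path. 118 | 119 | This command also supports subcommands, all of which operate on the current app. 120 | 121 | - **adb app sign**: get the signing information of the current app 122 | - **adb app so**: get the memory layout of the current app's .so libraries 123 | - **adb app apk**: pull the current app's APK file to the local machine 124 | - **adb app screen**: take a screenshot of the current screen 125 | - **adb app debug**: start debugging the current app in background launch mode 126 | - **adb app dump**: unpack (dump) the dex of the current app. 127 | 128 | - adb xlog [package] 129 | 130 | Shows the log of the current app, or append a package name to show the log of that app. 131 | 132 | - adb debug [ida/ida64,lldb/lldb64, gdb/gdb64] 133 | 134 | Sets up the Android debugging environment: it automatically turns on the global debug option and starts the corresponding debug server. For ida you can also specify the debug port: adb debug ida 23333. The default port is 23946. 135 | 136 | - adb frida/frida64 137 | 138 | Starts the frida server. For now you need to choose the 32-bit or 64-bit server according to the app; this may later be improved to select automatically. 139 | 140 | - adb pcat [remote-file] 141 | 142 | Fetches a file from any path on the phone. 143 | 144 | - adb pstree 145 | 146 | 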
Shows the process tree on the phone, making the relationships between processes and their child processes clear. 147 | 148 | - adb -h 149 | 150 | Shows the usage help for xadb. 151 | 152 | - adb update 153 | 154 | Updates xadb from GitHub to get the latest features. 155 | 156 | 157 | 158 | #### Core project developers 159 | 160 | - [xia0](https://github.com/4ch12dy) 161 | - [hluwa](https://github.com/hluwa) 162 | 163 | 164 | 165 | #### Updates 166 | 167 | - 2019-08-04/added a command for showing the process tree: `adb pstree` 168 | 169 | ``` 170 | |\ 171 | | 1 root init 172 | | |\ 173 | | | 567 root init subcontext u:r:vendor_init:s0 9 174 | | |\ 175 | | | 568 root init subcontext u:r:vendor_init:s0 10 176 | | |\ 177 | | | 569 root ueventd 178 | | |\ 179 | | | 582 logd logd 180 | | |\ 181 | | | 583 system qseecomd 182 | | | \ 183 | | | 606 system qseecomd 184 | | |\ 185 | | | 585 system android.hardware.keymaster@4.0-service-qti 186 | | |\ 187 | | | 586 system vndservicemanager /dev/vndbinder 188 | | |\ 189 | | | 587 hsm citadeld 190 | ... 191 | ``` 192 | 193 | - 2019-08-05/added support for a custom port when debugging with ida 194 | 195 | Usage: 196 | 197 | - `adb debug ida 23333` sets the debug port to 23333 198 | 199 | - `adb debug ida` uses 23946 as the default debug port 200 | 201 | 202 | 203 | 204 | #### Screenshots 205 | 206 | ![adb-device](https://github.com/4ch12dy/xadb/blob/master/screenshot/adb-device.png?raw=true) 207 | 208 | 209 | 210 | ![adb-app](https://github.com/4ch12dy/xadb/blob/master/screenshot/adb-app.png?raw=true) 211 | 212 | 213 | 214 | ![adb-app-so](https://github.com/4ch12dy/xadb/blob/master/screenshot/adb-app-so.jpeg?raw=true) 215 | 216 | 217 | 218 | ![adb-app-sign](https://github.com/4ch12dy/xadb/blob/master/screenshot/adb-app-sign.png?raw=true) 219 | 220 | 221 | 222 | ![adb-app-apk](https://github.com/4ch12dy/xadb/blob/master/screenshot/adb-app-apk.png?raw=true) 223 | 224 | 225 | 226 | ![adb-debug-ida](https://github.com/4ch12dy/xadb/blob/master/screenshot/adb-debug-ida.jpeg?raw=true) 227 | 228 | 229 | 230 | ![adb-debug-gdb](https://github.com/4ch12dy/xadb/blob/master/screenshot/adb-debug-gdb.png?raw=true) 231 | 232 | 233 | 234 | 
![adb-debug-lldb](https://github.com/4ch12dy/xadb/blob/master/screenshot/adb-debug-lldb.png?raw=true) 235 | 236 | 237 | 238 | ![adb-frida](https://github.com/4ch12dy/xadb/blob/master/screenshot/adb-frida.png?raw=true) 239 | 240 | 241 | 242 | ![adb-xlog](https://github.com/4ch12dy/xadb/blob/master/screenshot/adb-xlog.png?raw=true) 243 | 244 | 245 | 246 | -------------------------------------------------------------------------------- /debug-server/android_server: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/4ch12dy/xadb/7ddcea7d7d41729f1b926ec1a41c660e8ab2647e/debug-server/android_server -------------------------------------------------------------------------------- /debug-server/android_server64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/4ch12dy/xadb/7ddcea7d7d41729f1b926ec1a41c660e8ab2647e/debug-server/android_server64 -------------------------------------------------------------------------------- /debug-server/android_server_nonpie: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/4ch12dy/xadb/7ddcea7d7d41729f1b926ec1a41c660e8ab2647e/debug-server/android_server_nonpie -------------------------------------------------------------------------------- /debug-server/android_x86_server: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/4ch12dy/xadb/7ddcea7d7d41729f1b926ec1a41c660e8ab2647e/debug-server/android_x86_server -------------------------------------------------------------------------------- /debug-server/gdbserver: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/4ch12dy/xadb/7ddcea7d7d41729f1b926ec1a41c660e8ab2647e/debug-server/gdbserver -------------------------------------------------------------------------------- 
/debug-server/gdbserver64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/4ch12dy/xadb/7ddcea7d7d41729f1b926ec1a41c660e8ab2647e/debug-server/gdbserver64 -------------------------------------------------------------------------------- /debug-server/lldb-server: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/4ch12dy/xadb/7ddcea7d7d41729f1b926ec1a41c660e8ab2647e/debug-server/lldb-server -------------------------------------------------------------------------------- /debug-server/lldb-server64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/4ch12dy/xadb/7ddcea7d7d41729f1b926ec1a41c660e8ab2647e/debug-server/lldb-server64 -------------------------------------------------------------------------------- /frida/frida-server-12.6.5-android-arm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/4ch12dy/xadb/7ddcea7d7d41729f1b926ec1a41c660e8ab2647e/frida/frida-server-12.6.5-android-arm -------------------------------------------------------------------------------- /frida/frida-server-12.6.5-android-arm64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/4ch12dy/xadb/7ddcea7d7d41729f1b926ec1a41c660e8ab2647e/frida/frida-server-12.6.5-android-arm64 -------------------------------------------------------------------------------- /install.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | shell_root_dir=$(pwd) 3 | shell_file_name="xadb.sh" 4 | shell_file="$shell_root_dir/$shell_file_name" 5 | 6 | bash_profile=$HOME"/.bash_profile" 7 | zsh_profile=$HOME"/.zshrc" 8 | mingw_profile="$HOME/.bash_profile" 9 | 10 | #Please Set the Android SDK Path 11 | ############################### 12 | 
ANDROID_SDK_PATH="" 13 | ADB_PATH="" 14 | ############################### 15 | 16 | echo "==== install xadb ====" 17 | 18 | function check_sdk_path(){ 19 | sdk_path=$1 20 | if [[ -f "$sdk_path/platform-tools/adb" ]];then 21 | echo "[+] found adb, continue!" 22 | elif [[ -n $ADB_PATH ]];then 23 | echo "[+] found adb, continue!" 24 | else 25 | echo "[-] not Found adb, please check the Android SDK path." 26 | exit 1 27 | fi 28 | } 29 | 30 | if [[ -e "$HOME/Library/Android/sdk" ]];then 31 | ANDROID_SDK_PATH=~/Library/Android/sdk 32 | fi 33 | 34 | if [[ -n "$1" ]];then 35 | ANDROID_SDK_PATH=$1 36 | elif [[ -e $(which adb) ]]; then 37 | ADB_PATH=$(which adb) 38 | elif [[ -e ~/Library/Android/sdk ]];then 39 | ANDROID_SDK_PATH=~/Library/Android/sdk 40 | else 41 | echo "[-] you should set the Android SDK path." 42 | exit 1 43 | fi 44 | 45 | check_sdk_path $ANDROID_SDK_PATH 46 | 47 | if [[ ! -d ~/.xadb ]]; then 48 | mkdir -p ~/.xadb 49 | fi 50 | 51 | echo "[*] create xadb support file" 52 | echo "$shell_root_dir" > ~/.xadb/rootdir 53 | echo "$ANDROID_SDK_PATH" > ~/.xadb/sdk-path 54 | echo "$ADB_PATH" > ~/.xadb/adb-path 55 | 56 | if [[ "$SHELL" = "/bin/zsh" ]]; then 57 | 58 | sh_profile=$zsh_profile 59 | 60 | elif [[ "$SHELL" = "/bin/bash" ]]; then 61 | 62 | sh_profile=$bash_profile 63 | 64 | elif [[ "$SHELL" = "/usr/bin/bash" ]]; then 65 | isMINGW=`uname -a | grep -q MINGW && echo "1" || echo "0"` 66 | if [[ $isMINGW = "1" ]]; then 67 | sh_profile=$mingw_profile 68 | fi 69 | 70 | else 71 | echo "[-] not support shell:$SHELL" 72 | exit 1 73 | fi 74 | 75 | echo "[+] detect current shell profile: $sh_profile" 76 | 77 | # add xadb.sh to shell_profile 78 | echo "[*] add \"source $shell_file\" to $sh_profile" 79 | sed -i "" '/source.*xadb\.sh/d' $sh_profile 2>/dev/null 80 | echo -e "\nsource $shell_file" >> $sh_profile 81 | 82 | # done 83 | echo "[+] install finished, you can re-source $sh_profile or open a new terminal" 84 | echo "======================" 
-------------------------------------------------------------------------------- /screenshot/adb-app-apk.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/4ch12dy/xadb/7ddcea7d7d41729f1b926ec1a41c660e8ab2647e/screenshot/adb-app-apk.png -------------------------------------------------------------------------------- /screenshot/adb-app-sign.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/4ch12dy/xadb/7ddcea7d7d41729f1b926ec1a41c660e8ab2647e/screenshot/adb-app-sign.png -------------------------------------------------------------------------------- /screenshot/adb-app-so.jpeg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/4ch12dy/xadb/7ddcea7d7d41729f1b926ec1a41c660e8ab2647e/screenshot/adb-app-so.jpeg -------------------------------------------------------------------------------- /screenshot/adb-app.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/4ch12dy/xadb/7ddcea7d7d41729f1b926ec1a41c660e8ab2647e/screenshot/adb-app.png -------------------------------------------------------------------------------- /screenshot/adb-debug-gdb.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/4ch12dy/xadb/7ddcea7d7d41729f1b926ec1a41c660e8ab2647e/screenshot/adb-debug-gdb.png -------------------------------------------------------------------------------- /screenshot/adb-debug-ida.jpeg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/4ch12dy/xadb/7ddcea7d7d41729f1b926ec1a41c660e8ab2647e/screenshot/adb-debug-ida.jpeg -------------------------------------------------------------------------------- /screenshot/adb-debug-lldb.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/4ch12dy/xadb/7ddcea7d7d41729f1b926ec1a41c660e8ab2647e/screenshot/adb-debug-lldb.png -------------------------------------------------------------------------------- /screenshot/adb-device.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/4ch12dy/xadb/7ddcea7d7d41729f1b926ec1a41c660e8ab2647e/screenshot/adb-device.png -------------------------------------------------------------------------------- /screenshot/adb-frida.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/4ch12dy/xadb/7ddcea7d7d41729f1b926ec1a41c660e8ab2647e/screenshot/adb-frida.png -------------------------------------------------------------------------------- /screenshot/adb-xlog.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/4ch12dy/xadb/7ddcea7d7d41729f1b926ec1a41c660e8ab2647e/screenshot/adb-xlog.png -------------------------------------------------------------------------------- /script/agent.js: -------------------------------------------------------------------------------- 1 | (function(){function r(e,n,t){function o(i,f){if(!n[i]){if(!e[i]){var c="function"==typeof require&&require;if(!f&&c)return c(i,!0);if(u)return u(i,!0);var a=new Error("Cannot find module '"+i+"'");throw a.code="MODULE_NOT_FOUND",a}var p=n[i]={exports:{}};e[i][0].call(p.exports,function(r){var n=e[i][1][r];return o(n||r)},p,p.exports,r,e,n,t)}return n[i].exports}for(var u="function"==typeof require&&require,i=0;i 8 && range.base.readCString(4) != "dex\n") { 13 | // if(range.size > 0x24 && range.base.add(0x20).readInt() < range.size){ 14 | // 15 | // } 16 | // } 17 | try { 18 | Memory.scanSync(range.base, range.size, "64 65 78 0a 30 33 35 00").forEach(function (match) { 19 | var range = 
Process.findRangeByAddress(match.address); 20 | 21 | if (range != null && range.size < match.address.toInt32() + 0x24 - range.base.toInt32()) { 22 | return; 23 | } 24 | 25 | var dex_size = match.address.add("0x20").readInt(); 26 | 27 | if (range != null) { 28 | if (range.file) { 29 | if (range.file.path && (range.file.path.startsWith("/data/app/") || range.file.path.startsWith("/data/dalvik-cache/") || range.file.path.startsWith("/system/"))) { 30 | return; 31 | } 32 | } 33 | 34 | if (match.address.toInt32() + dex_size > range.base.toInt32() + range.size) { 35 | return; 36 | } 37 | } 38 | 39 | result.push({ 40 | "addr": match.address, 41 | "size": dex_size 42 | }); 43 | }); 44 | } catch (e) {} 45 | }); 46 | return result; 47 | } 48 | }; 49 | 50 | },{}]},{},[1]) 51 | -------------------------------------------------------------------------------- /script/dumpdex.py: -------------------------------------------------------------------------------- 1 | import json 2 | import os 3 | import sys 4 | import frida 5 | import time 6 | import re 7 | 8 | 9 | if len(sys.argv) <= 1: 10 | print("[Dumpdex]: you should pass pid/packageName") 11 | exit() 12 | 13 | device = frida.get_usb_device() 14 | pkg_name = device.get_frontmost_application().identifier 15 | # check is package or pid 16 | 17 | pattern = re.compile(r'^\d+$', re.I) 18 | m = pattern.match(sys.argv[1]) 19 | 20 | if m: 21 | 22 | app_pid = sys.argv[1] 23 | print("[Dumpdex]: you specail the pid:" + app_pid) 24 | # if customize the pid, use this pid. 
Such as app has mutiple pid 25 | if ('app_pid' in locals() or 'app_pid' in globals()) and app_pid: 26 | session = device.attach(int(app_pid)) 27 | else: 28 | session = device.attach(pkg_name) 29 | else: 30 | pkg_name = sys.argv[1] 31 | print("[Dumpdex]: you specail the package name:" + pkg_name + ", so spawn it and sleep 50s for launch completely") 32 | 33 | pid = device.spawn(pkg_name) 34 | 35 | time.sleep(50); 36 | 37 | session = device.attach(pid) 38 | 39 | script = session.create_script(open(open(os.path.expanduser("~/.xadb/rootdir")).read().strip() + "/script/agent.js").read()) 40 | script.load() 41 | 42 | matches = script.exports.scandex() 43 | for dex in matches: 44 | bs = script.exports.memorydump(dex['addr'], dex['size']) 45 | if not os.path.exists("./" + pkg_name + "/"): 46 | os.mkdir("./" + pkg_name + "/") 47 | open(pkg_name + "/" + dex['addr'] + ".dex", 'wb').write(bs) 48 | print("[Dumpdex]: DexSize=" + hex(dex['size']) + ", SavePath=./" + pkg_name + "/" + dex['addr'] + ".dex") 49 | -------------------------------------------------------------------------------- /script/pinning.js: -------------------------------------------------------------------------------- 1 | // start with: 2 | // frida -U -l pinning.js -f [APP_ID] --no-pause 3 | 4 | Java.perform(function () { 5 | console.log('') 6 | console.log('===') 7 | console.log('* Injecting hooks into common certificate pinning methods *') 8 | console.log('===') 9 | 10 | var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager'); 11 | var SSLContext = Java.use('javax.net.ssl.SSLContext'); 12 | 13 | // build fake trust manager 14 | var TrustManager = Java.registerClass({ 15 | name: 'com.sensepost.test.TrustManager', 16 | implements: [X509TrustManager], 17 | methods: { 18 | checkClientTrusted: function (chain, authType) { 19 | }, 20 | checkServerTrusted: function (chain, authType) { 21 | }, 22 | getAcceptedIssuers: function () { 23 | return []; 24 | } 25 | } 26 | }); 27 | 28 | // pass our own custom 
trust manager through when requested 29 | var TrustManagers = [TrustManager.$new()]; 30 | var SSLContext_init = SSLContext.init.overload( 31 | '[Ljavax.net.ssl.KeyManager;', '[Ljavax.net.ssl.TrustManager;', 'java.security.SecureRandom' 32 | ); 33 | SSLContext_init.implementation = function (keyManager, trustManager, secureRandom) { 34 | console.log('! Intercepted trustmanager request'); 35 | SSLContext_init.call(this, keyManager, TrustManagers, secureRandom); 36 | }; 37 | 38 | console.log('* Setup custom trust manager'); 39 | 40 | // okhttp3 41 | try { 42 | var CertificatePinner = Java.use('okhttp3.CertificatePinner'); 43 | CertificatePinner.check.overload('java.lang.String', 'java.util.List').implementation = function (str) { 44 | console.log('! Intercepted okhttp3: ' + str); 45 | return; 46 | }; 47 | 48 | console.log('* Setup okhttp3 pinning') 49 | } catch(err) { 50 | console.log('* Unable to hook into okhttp3 pinner') 51 | } 52 | 53 | // trustkit 54 | try { 55 | var Activity = Java.use("com.datatheorem.android.trustkit.pinning.OkHostnameVerifier"); 56 | Activity.verify.overload('java.lang.String', 'javax.net.ssl.SSLSession').implementation = function (str) { 57 | console.log('! Intercepted trustkit{1}: ' + str); 58 | return true; 59 | }; 60 | 61 | Activity.verify.overload('java.lang.String', 'java.security.cert.X509Certificate').implementation = function (str) { 62 | console.log('! Intercepted trustkit{2}: ' + str); 63 | return true; 64 | }; 65 | 66 | console.log('* Setup trustkit pinning') 67 | } catch(err) { 68 | console.log('* Unable to hook into trustkit pinner') 69 | } 70 | 71 | // TrustManagerImpl 72 | try { 73 | var TrustManagerImpl = Java.use('com.android.org.conscrypt.TrustManagerImpl'); 74 | TrustManagerImpl.verifyChain.implementation = function (untrustedChain, trustAnchorChain, host, clientAuth, ocspData, tlsSctData) { 75 | console.log('! 
Intercepted TrustManagerImp: ' + host); 76 | return untrustedChain; 77 | } 78 | 79 | console.log('* Setup TrustManagerImpl pinning') 80 | } catch (err) { 81 | console.log('* Unable to hook into TrustManagerImpl') 82 | } 83 | 84 | // Appcelerator 85 | try { 86 | var PinningTrustManager = Java.use('appcelerator.https.PinningTrustManager'); 87 | PinningTrustManager.checkServerTrusted.implementation = function () { 88 | console.log('! Intercepted Appcelerator'); 89 | } 90 | 91 | console.log('* Setup Appcelerator pinning') 92 | } catch (err) { 93 | console.log('* Unable to hook into Appcelerator pinning') 94 | } 95 | }); -------------------------------------------------------------------------------- /script/pstree.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # 4 | # Display process table in tree form 5 | # 6 | 7 | if [[ "$1" = "" ]] 8 | then 9 | PROC_NUM=1 10 | else 11 | PROC_NUM=$1 12 | fi 13 | 14 | main () { 15 | 16 | PSOUT=`ps -ef | grep -v "^UID" | sort -n -k2` 17 | # This technique will work in ksh, but since there are going to be array 18 | # subscripts larger than 1024, bash is the way to go. 19 | #ps -ef | grep -v "^UID" | while read line 20 | while read line 21 | do 22 | line=`echo "$line" | sed -e s/\>/\\\\\\>/g` 23 | #echo $line 24 | # works in ksh/pdksh as long as the subscript is below 1024.. here it is not 25 | # bash works fine though. 
26 | #set -A process $line for a ksh script 27 | process=( $line ) 28 | pid=${process[1]} 29 | owner[$pid]=${process[0]} 30 | ppid[$pid]=${process[2]} 31 | command[$pid]="`echo $line | awk '{for(i=8;i<=NF;i++) {printf "%s ",$i}}'`" 32 | children[${ppid[$pid]}]="${children[${ppid[$pid]}]} $pid" 33 | done < 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | 11 | 12 | 13 | #define PROP_NAME_MAX 32 14 | #define PROP_VALUE_MAX 92 15 | 16 | static void dump_hex(const char* buf, int len) 17 | { 18 | const uint8_t *data = (const uint8_t*)buf; 19 | int i; 20 | char ascii_buf[17]; 21 | 22 | ascii_buf[16] = '\0'; 23 | 24 | for (i = 0; i < len; i++) { 25 | int val = data[i]; 26 | int off = i % 16; 27 | 28 | if (off == 0) 29 | printf("%08x ", i); 30 | printf("%02x ", val); 31 | ascii_buf[off] = isprint(val) ? val : '.'; 32 | if (off == 15) 33 | printf(" %-16s\n", ascii_buf); 34 | } 35 | 36 | i %= 16; 37 | if (i) { 38 | ascii_buf[i] = '\0'; 39 | while (i++ < 16) 40 | printf(" "); 41 | printf(" %-16s\n", ascii_buf); 42 | } 43 | } 44 | 45 | #define ORI_INST 0x2e6f72 46 | #define HACK_INST 0x2e6f73 47 | 48 | int main(int argc, char **argv) 49 | { 50 | FILE *fp; 51 | int m, rc; 52 | int patch_count; 53 | unsigned long maps, mape, addr, mlen; 54 | unsigned long real_val, real_vaddr; 55 | 56 | char perms[5]; 57 | char line[512]; 58 | char *buffer, *ro; 59 | char* name = NULL, *value = NULL; 60 | 61 | uint32_t tmp; 62 | uint32_t dest_inst = ORI_INST; 63 | uint32_t mod_inst = HACK_INST; 64 | 65 | int restore = 0, verbose = 0; 66 | 67 | for (m = 1; m < argc; m++) { 68 | if (argv[m] == NULL) 69 | continue; 70 | 71 | if (argv[m][0] != '-') { 72 | break; 73 | } 74 | 75 | if (argv[m][1] == 'r') { 76 | restore = 1; 77 | dest_inst = HACK_INST; 78 | mod_inst = ORI_INST; 79 | } else if (argv[m][1] == 'v') { 80 | verbose = 1; 81 | } 82 | } 83 | 84 | if (restore) { 85 | fprintf(stderr, "restore ...\n"); 86 | } 87 | else { 88 | if (argc - m 
>= 2) {
            // fprintf(stderr, "Usage: %s [-r] [-v] [prop_name] [prop_value]\n"
            //     "e.g.: %s ro.debuggable 1\n", argv[0], argv[0]);
            name = argv[m];
            value = argv[m+1];
        }

        fprintf(stderr, "start hacking ...\n");
    }

    fp = fopen("/proc/1/maps", "r");
    if (!fp) {
        perror("!! fopen ");
        return 1;
    }

    // Find the executable (r-xp) mapping of /init in init's memory map, e.g.:
    // 00008000-000cb000 r-xp 00000000 00:01 6999 /init
    memset(line, 0, sizeof(line));
    while (fgets(line, sizeof(line), fp)) {
        int main_exe = (strstr(line, "/init") != NULL) ? 1 : 0;
        if (main_exe) {
            rc = sscanf(line, "%lx-%lx %4s ", &maps, &mape, perms);
            if (rc < 3) {
                perror("!! sscanf ");
                return 1;
            }
            if (perms[0] == 'r' && perms[1] == '-' && perms[2] == 'x' && perms[3] == 'p') {
                break;
            }
        }
    }
    fclose(fp);

    fprintf(stderr, "target mapped area: 0x%lx-0x%lx\n", maps, mape);

    mlen = mape - maps;
    buffer = (char *) calloc(1, mlen + 16);
    if (!buffer) {
        perror("!! malloc ");
        return 1;
    }
    // Attach to init (pid 1) and copy the mapping into buffer, 4 bytes at a time.
    rc = ptrace(PTRACE_ATTACH, 1, 0, 0);
    if (rc < 0) {
        perror("!! ptrace ");
        return rc;
    }
    for (addr = maps; addr < mape; addr += 4) {
        tmp = ptrace(PTRACE_PEEKTEXT, 1, (void *) addr, 0);
        *((uint32_t*)(buffer + addr - maps)) = tmp;
    }

    if (verbose) {
        dump_hex(buffer, mlen);
    }

    // Search the copy for the 4-byte pattern dest_inst.
    for (m = 0; m < mlen; ++m) {
        if (dest_inst == *(uint32_t*)(buffer+m)) { // 72 6F 2E 00 == ro.\0
            break;
        }
    }

    if (m >= mlen) {
        fprintf(stderr, ">> inject position not found, may be already patched!\n");
    }
    else {
        real_vaddr = maps + m;
        real_val = *(uint32_t*)(buffer+m);
        fprintf(stderr, ">> patching at: 0x%lx [0x%lx -> 0x%08x]\n", real_vaddr, real_val, mod_inst);

        // Overwrite the matched word in init's memory, then read it back to confirm.
        tmp = mod_inst;
        rc = ptrace(PTRACE_POKETEXT, 1, (void *)real_vaddr, (void*)tmp);
        if (rc < 0) {
            perror("!! patching failed ");
        }

        tmp = ptrace(PTRACE_PEEKTEXT, 1, (void *)real_vaddr, 0);
        fprintf(stderr, ">> %s reread: [0x%lx] => 0x%08x\n", restore ? "restored!" : "patched!", real_vaddr, tmp);
    }

    free(buffer);
    rc = ptrace(PTRACE_DETACH, 1, 0, 0);

    if (!restore && (name && value && name[0] != 0)) {
        char propbuf[PROP_VALUE_MAX];
        fprintf(stderr, "-- setprop: [%s] = [%s]\n", name, value);
        __system_property_set(name, value);
        usleep(400000);
        __system_property_get(name, propbuf);
        fprintf(stderr, "++ getprop: [%s] = [%s]\n", name, propbuf);

    }
    return rc;
}

--------------------------------------------------------------------------------
/tools/mprop:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/4ch12dy/xadb/7ddcea7d7d41729f1b926ec1a41c660e8ab2647e/tools/mprop

--------------------------------------------------------------------------------
/tools/mprop32:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/4ch12dy/xadb/7ddcea7d7d41729f1b926ec1a41c660e8ab2647e/tools/mprop32

--------------------------------------------------------------------------------
/xadb.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#__   __             _____    ____
#\ \ / /     /\     |  __ \  |  _ \
# \ V /     /  \    | |  | | | |_) |
#  > <     / /\ \   | |  | | |  _ <
# / . \   / ____ \  | |__| | | |_) |
#/_/ \_\ /_/    \_\ |_____/  |____/

#android_dir="$xia0/android/"
XADB_ROOT_DIR=`cat ~/.xadb/rootdir`

ANDROID_SDK_PATH=`cat ~/.xadb/sdk-path`

XADB_DEVICE_SERIAL="$HOME/.xadb/device-serial"

ADB=""

if [[ -e "$HOME/.xadb/adb-path" ]];then
    ADB=`cat ~/.xadb/adb-path`
fi

if [[ -z $ADB ]];then
    ADB=$ANDROID_SDK_PATH/platform-tools/adb
fi

# If update.lock exists: there is a new version for updating. use adb update
XADB_UPDATE_LOCK_FILE="$HOME/.xadb/update.lock"

# last-check-update.time : the last timestamp of checking update
XADB_LAST_CHECKUPDATE_TIMEFILE="$HOME/.xadb/last-check-update.time"

function XADBILOG(){

    echo -e "\033[32m[I]:$1 \033[0m"
}

function XADBELOG(){

    echo -e "\033[31m[E]:$1 \033[0m"

}

function XADBDLOG(){
    echo "[DEBUG]:$1" > /dev/null
}

function XADBTimeNow(){
    now=$(date "+%Y%m%d-%H:%M:%S")
    echo $now
}

function XADBDeviceState(){
    device=`XADB get-state 2>/dev/null`
    echo $device

}

function XADBCheckUpdate(){
    if [[ ! -f $XADB_LAST_CHECKUPDATE_TIMEFILE ]]; then

        XADBDLOG "XADB_LAST_CHECKUPDATE_TIMEFILE Not Exsist."
        sh -c "cd $XADB_ROOT_DIR;git remote show origin | grep -q \"local out of date\" && (touch $XADB_UPDATE_LOCK_FILE) || rm $XADB_UPDATE_LOCK_FILE 2>/dev/null"
        echo `date '+%s'` > $XADB_LAST_CHECKUPDATE_TIMEFILE

    else
        XADBDLOG "XADB_LAST_CHECKUPDATE_TIMEFILE Exsist."
        lastTimestamp=`cat $XADB_LAST_CHECKUPDATE_TIMEFILE`
        nowTimestamp=`date '+%s'`
        # Note: 43200 seconds is 12 hours, despite the variable name.
        oneDayTimestamp=43200
        needTimestamp=`expr $nowTimestamp - $lastTimestamp`
        # echo $lastTimestamp $nowTimestamp $needTimestamp
        # Last check update is one day ago?
        # -gt compares numerically; ">" inside [[ ]] compares the values as strings.
        if [[ $needTimestamp -gt $oneDayTimestamp ]]; then
            sh -c "cd $XADB_ROOT_DIR;git remote show origin | grep -q \"local out of date\" && (touch $XADB_UPDATE_LOCK_FILE) || rm $XADB_UPDATE_LOCK_FILE 2>/dev/null"
            echo `date '+%s'` > $XADB_LAST_CHECKUPDATE_TIMEFILE
        fi
    fi


    if [[ -f $XADB_UPDATE_LOCK_FILE ]]; then

        XADBILOG "XADB has updated! Run \"adb update\" get new version :)"
    fi

    XADBDLOG "Update Check Done!"
}


function XADBISEMULATOR(){
    test -f $XADB_DEVICE_SERIAL || return 0 && (cat $XADB_DEVICE_SERIAL | grep -q "emulator" && return 1 || return 0 )
}

function XADB(){
    test -f $XADB_DEVICE_SERIAL && $ADB -s $(cat $XADB_DEVICE_SERIAL) $@ || $ADB -d $@
}


function XADBCheckxia0(){
    if [[ $(XADBDeviceState) != "device" ]]; then
        return
    fi
    if [[ "$1" = "clean" ]]; then
        XADBILOG "This cmd will delete all file in /data/local/tmp, continue? [yes/no]"
        read -p "This cmd will delete all file in /data/local/tmp, continue [yes/no]? : " yes_or_no

        if [[ "$yes_or_no" = "yes" ]]; then
            XADB shell su -c "rm -fr /data/local/tmp/*"
            if [[ "$?" != "0" ]]; then
                XADB shell su 0/0 "rm -fr /data/local/tmp/*"
            fi
        fi
        return
        # XADB shell "[ -d /sdcard/xia0 ] && rm -fr /sdcard/xia0"
        # return
    fi

    if [[ "$1" = "force" ]]; then
        XADBCheckxia0 clean
        XADB push "$XADB_ROOT_DIR/frida" /sdcard/xia0
        XADB push "$XADB_ROOT_DIR/tools" /sdcard/xia0
        XADB push "$XADB_ROOT_DIR/debug-server" /sdcard/xia0
        XADB push "$XADB_ROOT_DIR/script" /sdcard/xia0
        return
    fi

    script='[ -d /sdcard/xia0 ] || (mkdir -p /sdcard/xia0)'
    XADB shell "$script"

    ret=`XADB shell "[ -d /sdcard/xia0/frida ] && echo 1 || echo 0" | tr -d '\r'`
    if [[ "$ret" = "0" ]]; then
        XADB push "$XADB_ROOT_DIR/frida" /sdcard/xia0
    fi

    ret=`XADB shell "[ -d /sdcard/xia0/tools ] && echo 1 || echo 0" | tr -d '\r' `
    if [[ "$ret" = "0" ]]; then
        XADB push "$XADB_ROOT_DIR/tools" /sdcard/xia0
    fi

    ret=`XADB shell "[ -d /sdcard/xia0/debug-server ] && echo 1 || echo 0" | tr -d '\r'`
    if [[ "$ret" = "0" ]]; then
        XADB push "$XADB_ROOT_DIR/debug-server" /sdcard/xia0
    fi

    ret=`XADB shell "[ -d /sdcard/xia0/script ] && echo 1 || echo 0" | tr -d '\r'`
    if [[ "$ret" = "0" ]]; then
        XADB push "$XADB_ROOT_DIR/script" /sdcard/xia0
    fi

}



function xadb(){

    # adb app [command] :show some app info
    if [ "$1" = "app" ];then

        # check current screen is in StatusBar?
        curScreen=`xadb shell dumpsys window | grep -i mCurrentFocus`
        if [[ "$curScreen" == *"StatusBar"* ]]; then
            XADBILOG "Current screen is in the StatusBar. Please unlock or focus on app"
            return
        fi

        case $2 in
            package )
                # APPID=`xadb shell dumpsys window | grep -i mCurrentFocus | awk -F'/' '{print $1}' | awk '{print $NF}'`
                app_count=`xadb shell dumpsys window | grep -i mCurrentFocus | grep '\b\w*\.[^\}]*' -o -c`
                if [[ $app_count -eq 2 ]]; then
                    APPID=`xadb shell dumpsys window | grep -i mCurrentFocus | grep -v "Waiting For Debugger" | grep '\b\w*\.[^\}]*' -o | awk -F'/' '{print $1}'`
                else
                    APPID=`xadb shell dumpsys window | grep -i mCurrentFocus | grep '\b\w*\.[^\}]*' -o | awk -F'/' '{print $1}'`
                fi

                if [[ "$APPID" = "Waiting" ]]; then
                    APPID=`xadb shell dumpsys window | grep -i mCurrentFocus | awk '{print $6}' | awk -F'}' '{print $1}'`
                fi

                echo $APPID
            ;;

            activity )
                if [[ $3 = "main" ]]; then
                    adb app info | tr -d '\r' | grep -A1 "android.intent.action.MAIN" | tr -d '\n' |awk '{print $3}'
                else
                    app_count=`xadb shell dumpsys window | grep -i mCurrentFocus | grep '\b\w*\.[^\}]*' -o -c`
                    if [[ $app_count -eq 2 ]]; then
                        adb shell dumpsys window | tr -d '\r' | grep -i mCurrentFocus | grep -v "Waiting For Debugger" | awk '{print $3}' | awk -F'}' '{print $1}'
                    else
                        if adb shell dumpsys window | tr -d '\r' | grep -i mCurrentFocus | grep -q "Waiting For Debugger" ; then
                            echo "[no activity found for app in debugging status]"
                        else
                            adb shell dumpsys window | tr -d '\r' | grep -i mCurrentFocus | awk '{print $3}' | awk -F'}' '{print $1}'
                        fi
                    fi
                fi
            ;;

            pid )
                APPID=`xadb app package | tr -d '\r'`
                APPPID=`xadb xdo ps | tr -d '\r' | grep "$APPID$" | awk '{print $2}'`
                if [[ -z $APPPID || "$APPPID" = "" ]]; then
                    APPPID=`xadb shell ps | tr -d '\r' | grep "$APPID$" | awk '{print $2}'`
                fi
                echo $APPPID
            ;;

            pidAll )
                APPID=`xadb app package | tr -d '\r'`
                APPPID=`xadb xdo ps | tr -d '\r' | grep "$APPID" | awk '{print $2}'`
                if [[ -z $APPPID || "$APPPID" = "" ]]; then
                    APPPID=`xadb shell ps | tr -d '\r' | grep "$APPID$" | awk '{print $2}'`
                fi
                echo $APPPID
            ;;

            debug )
                # Check whether debugging is enabled
                isdebug=`xadb shell getprop ro.debuggable | tr -d '\r'`
                if [[ "$isdebug" = "0" ]]; then
                    XADBILOG "Not open debug, opening..."
                    ret=`adb shell "[ -f /data/local/tmp/mprop ] && echo "1" || echo "0"" | tr -d '\r'`

                    if [[ "$ret" = "0" ]]; then
                        xadb sudo "cp /sdcard/xia0/tools/mprop /data/local/tmp/"
                    fi
                    # mprop patches init so ro.* properties can be set, ro.debuggable is
                    # set to 1, "mprop -r" restores init, and stop/start restarts the
                    # framework so that it picks up the new value.
                    xadb sudo "chmod 777 /data/local/tmp/mprop"
                    xadb sudo "/data/local/tmp/mprop"
                    xadb sudo "setprop ro.debuggable 1"
                    xadb sudo "/data/local/tmp/mprop -r"
                    xadb sudo "getprop ro.debuggable"
                    xadb sudo "stop"
                    sleep 2
                    xadb sudo "start"
                    sleep 5

                    XADBILOG "Opened debug, Retry for happy debugging!"
                    return
                fi

                enforce=`xadb sudo getenforce | tr -d '\r'`

                if [[ "$enforce" =~ "Enforcing" || "$enforce" == "1" ]]; then
                    XADBILOG "Set enforce to Permissive, Please wait..."
                    xadb sudo "setenforce 0"
                fi

                activity=`xadb app activity | tr -d '\r'`
                xadb sudo "am start -D -n $activity"
                sleep 2
                pid=`xadb app pid`
                xadb forward tcp:8700 jdwp:$pid

            ;;

            # get apk file from device
            apk )
                if [ -z "$3" ]; then
                    APP_ID=`xadb app package | tr -d '\r'`

                else
                    APP_ID=$3
                fi

                local_apk_file=`xadb app apk_in $APP_ID`

                XADBILOG "pull app apk from device done:$local_apk_file"
            ;;

            apk_in )
                if [ -z "$3" ]; then
                    APP_ID=`xadb app package | tr -d '\r'`

                else
                    APP_ID=$3
                fi

                if [[ "$APP_ID" =~ "StatusBar" ]];then
                    XADBELOG "now in statusBar, please unlock or focus on app"
                    return
                fi

                base_apk=`xadb shell pm path $APP_ID | tr -d '\r' | grep "base.apk" |awk -F':' '{printf $2}'`
                # XADBILOG "found base.apk:$base_apk and start pull it from device"

                now=`XADBTimeNow`
                xadb pull $base_apk $APP_ID-$now.apk 1>/dev/null
                current_dir=`pwd`
                lcoal_apk="$current_dir/$APP_ID-$now.apk"
                echo $lcoal_apk
                # XADBILOG "pull apk form device done in:$lcoal_apk"
            ;;
            sign )
                if [ -z "$3" ]; then
                    APP_ID=`xadb app package | tr -d '\r'`

                else
                    APP_ID=$3
                fi

                apk_file=`xadb app apk_in $APP_ID`

                if [ -z "$apk_file" ]; then
                    XADBELOG "$APP_ID apk file can not copy from device"
                    return
                fi
                SIGN_RSA=`unzip -l $apk_file | grep "META-INF.*\.RSA" | awk '{printf $4}'`
                # echo $SIGN_RSA
                unzip -p $apk_file $SIGN_RSA | keytool -printcert
                rm $apk_file
            ;;

            info )
                if [ -z "$3" ]; then
                    APP_ID=`xadb app package | tr -d '\r'`

                else
                    APP_ID=$3
                fi
                xadb shell dumpsys package $APP_ID
            ;;

            version )
                if [ -z "$3" ]; then
                    APP_ID=`xadb app package | tr -d '\r'`

                else
                    APP_ID=$3
                fi
                version_prefix="versionName="
                version=`xadb shell dumpsys package $APP_ID | grep versionName= | tr -d " "`
                version_=${version:${#version_prefix}:${#version}}
                echo $version_
            ;;
            # get current screenshot
            screen )
                xadb shell screencap -p > screen.png
            ;;

            # dump current app so sharelib
            so|dumpso )
                if [ -z "$3" ]; then
                    APPPID=`xadb app pid | tr -d '\r'`

                else
                    APPPID=$3
                fi

                APPID=`adb app package | tr -d '\r'`
                XADBILOG "============================[PID=$APPPID PACKAGE:$APPID]=================================="
                xadb xdo "cat /proc/$APPPID/maps" | grep '\.so'
            ;;
            maps )
                if [ -z "$3" ]; then
                    APPPID=`xadb app pid | tr -d '\r'`

                else
                    APPPID=$3
                fi

                APPID=`adb app package | tr -d '\r'`
                XADBILOG "============================[PID=$APPPID PACKAGE:$APPID]=================================="
                xadb xdo "cat /proc/$APPPID/maps"
            ;;
            dump )
                XADBILOG "Dex Dump Power by hluwa, Please wait about 5 second...."
                # auto launch frida base device abi
                isArm64=`adb device abilist | grep -q "arm64-v8a" && echo "1" || echo "0"`

                if [[ "$isArm64" = "1" ]]; then
                    XADBILOG "Deice is arm64-v8a, launch frida64"
                    (adb frida64 > /dev/null 2>&1 &)
                else
                    XADBILOG "Deice is not arm64-v8a, launch frida"
                    (adb frida > /dev/null 2>&1 &)
                fi

                # sleep for frida launch
                sleep 5


                if [[ "$3" = "spawn" ]]; then

                    APPID=`xadb app package`
                    python "$XADB_ROOT_DIR/script/dumpdex.py" $APPID

                else

                    APPPID=`xadb app pid`
                    python "$XADB_ROOT_DIR/script/dumpdex.py" $APPPID
                fi

                XADBILOG "Dex Dump Done! Happy Reversing~"
            ;;
            *)
                APP_ID=`xadb app package`
                APP_VERSION=$(xadb app version)
                APP_PIDS=`xadb app pidAll`
                APPA_CTIVITY=`xadb app activity`
                APP_MAINACTIVITY=`xadb app activity main`
                APP_DIR=`xadb app info | grep codePath`
                APP_DIR=${APP_DIR##*codePath=}
                APP_DATADIR=`xadb app info | grep dataDir`
                APP_DATADIR=${APP_DATADIR##*dataDir=}
                echo -e "app=$APP_ID\nversion=$APP_VERSION\npid=$APP_PIDS\nactivity=$APPA_CTIVITY\nmainActivity=$APP_MAINACTIVITY\nappdir=$APP_DIR\ndatadir=$APP_DATADIR"
            ;;
        esac

        return
    fi

    # show device basic info
    if [ "$1" = "device" ];then
        case $2 in

            imei )
                imei=`xadb shell service call iphonesubinfo 1 | awk -F "'" '{print $2}' | sed '1 d' | tr -d '.' | awk '{print}' ORS=`
                echo "$imei"
            ;;

            abilist )
                abilist=`xadb shell getprop ro.product.cpu.abilist | tr -d '\r' `
                echo "$abilist"
            ;;

            *)
                model=`xadb shell getprop ro.product.model | tr -d '\r' `
                serialno=`xadb shell getprop ro.serialno | tr -d '\r'`
                brand=`xadb shell getprop ro.product.brand | tr -d '\r'`
                manufacturer=`xadb shell getprop ro.product.manufacturer | tr -d '\r'`
                abilist=`xadb shell getprop ro.product.cpu.abilist | tr -d '\r' `
                imei=`xadb device imei | tr -d '\r' `
                android_id=`xadb shell settings get secure android_id | tr -d '\r' `
                sdk_api=`xadb shell getprop ro.build.version.sdk | tr -d '\r' `
                os_ver=`xadb shell getprop ro.build.version.release | tr -d '\r' `
                wifi_ip=`xadb shell ip addr show wlan0 | grep "inet\s" | awk -F'/' '{printf $1}' | awk '{printf $2}' | tr -d '\r'`
                wifi_mac=$(xadb shell ip address show wlan0 | grep "link/ether" | awk '{printf $2}' | tr -d '\r')
                # wifi_mac=`xadb shell cat /sys/class/net/wlan0/address | tr -d '\r'`
                debug=`xadb shell getprop ro.debuggable | tr -d '\r'`

                printf "%-20s %-20s \n" "model" "$model"
                printf "%-20s %-20s \n" "brand" "$brand"
                printf "%-20s %-20s \n" "manufacturer" "$manufacturer"
                printf "%-20s %-20s \n" "abilist" "$abilist"
                printf "%-20s %-20s \n" "sdk" "$sdk_api"
                printf "%-20s %-20s \n" "wifi ipv4" "$wifi_ip"
                printf "%-20s %-20s \n" "wifi mac" "$wifi_mac"
                printf "%-20s %-20s \n" "os version" "$os_ver"
                printf "%-20s %-20s \n" "serialno" "$serialno"
                printf "%-20s %-20s \n" "imei" "$imei"
                printf "%-20s %-20s \n" "android_id" "$android_id"
                printf "%-20s %-20s \n" "can debug?" "$debug"

            ;;
        esac
        return
    fi

    # misc
    # if [ "$1" = "dumpdex" ]; then
    #     xadb sudo "cp /sdcard/xia0/libnativeDump.so /system/lib/"
    #     xadb sudo "chmod 777 /system/lib/libnativeDump.so"
    #     return
    # fi

    # setup ida debug env
    if [[ "$1" =~ "debug" ]]; then
        # steps of debug apk
        echo "**********************************************************************************"
        echo "====>1.adb shell am start -D -n package_id/.MainActivity"
        echo "====>2.adb forward tcp:8700 jdwp:pid"
        echo "====>3.jdb -connect \"com.sun.jdi.SocketAttach:hostname=localhost,port=8700\""
        echo "====>[gdb]$ target remote :23946"
        echo "====>[gdb]$ handle SIG32 nostop noprint"
        echo "====>[lldb]$ platform select remote-android"
        echo "====>[lldb]$ pro hand -p true -s false SIGBUS"
        echo "====>[lldb]$ platform connect unix-abstract-connect:///data/local/tmp/debug.sock"
        echo "====>[lldb]$ platform connect connect://remote:5678"
        echo "====>[lldb]$ process attach --pid=14396 or platform process attach -p 8098"
        echo "**********************************************************************************"


        XADBISEMULATOR
        if [[ $? == 0 ]]; then
            # Check whether debugging is enabled
            isdebug=`xadb shell getprop ro.debuggable`;
            if [[ "$isdebug" = "0" ]]; then
                XADBILOG "Not open debug, opening..."
                ret=`adb shell "[ -f /data/local/tmp/mprop ] && echo "1" || echo "0""`

                if [[ "$ret" = "0" ]]; then
                    xadb sudo "cp /sdcard/xia0/tools/mprop /data/local/tmp/"
                fi
                xadb sudo "chmod 777 /data/local/tmp/mprop"
                xadb sudo "/data/local/tmp/mprop"
                xadb sudo "setprop ro.debuggable 1"
                xadb sudo "/data/local/tmp/mprop -r"
                xadb sudo "getprop ro.debuggable"
                xadb sudo "stop"
                sleep 2
                xadb sudo "start"
                sleep 5

                XADBILOG "Opened debug, Retry for happy debugging!"
                return
            fi
        fi

        # kill all servers if the process exists
        xadb kill android_server64
        xadb kill android_server
        xadb kill android_x86_server
        xadb kill gdbserver
        xadb kill gdbserver64
        xadb kill lldb-server
        xadb kill lldb-server64


        case $2 in
            ida_x86 )

                # if not set debug port. use 23946 as default port
                if [[ -z "$3" ]]; then
                    XADBILOG "Not set debug port, Use 23946 as default port"
                    debugPort="23946"
                else
                    XADBILOG "Set the debug port:$3"
                    debugPort=$3
                fi

                # 32bit app ida debug
                server=`adb shell "[ -f /data/local/tmp/android_x86_server ] && echo "1" || echo "0"" | tr -d '\r'`

                if [[ "$server" = "0" ]]; then
                    xadb sudo "cp /sdcard/xia0/debug-server/android_x86_server /data/local/tmp/"
                fi

                xadb sudo "chmod 777 /data/local/tmp/android_x86_server"

                xadb forward tcp:$debugPort tcp:$debugPort

                xadb sudo "/data/local/tmp/android_x86_server -p$debugPort"
            ;;

            ida )

                # if not set debug port. use 23946 as default port
                if [[ -z "$3" ]]; then
                    XADBILOG "Not set debug port, Use 23946 as default port"
                    debugPort="23946"
                else
                    XADBILOG "Set the debug port:$3"
                    debugPort=$3
                fi

                # 32bit app ida debug
                server=`adb shell "[ -f /data/local/tmp/android_server ] && echo "1" || echo "0"" | tr -d '\r'`

                if [[ "$server" = "0" ]]; then
                    xadb sudo "cp /sdcard/xia0/debug-server/android_server /data/local/tmp/"
                fi

                xadb sudo "chmod 777 /data/local/tmp/android_server"

                xadb forward tcp:$debugPort tcp:$debugPort

                xadb sudo "/data/local/tmp/android_server -p$debugPort"
            ;;

            ida64 )
                # if not set debug port. use 23946 as default port
                if [[ -z "$3" ]]; then
                    XADBILOG "Not set debug port, Use 23946 as default port"
                    debugPort="23946"
                else
                    XADBILOG "Set the debug port:$3"
                    debugPort=$3
                fi

                # 64bit app ida debug
                server64=`adb shell "[ -f /data/local/tmp/android_server64 ] && echo "1" || echo "0"" | tr -d '\r'`

                if [[ "$server64" = "0" ]]; then
                    xadb sudo "cp /sdcard/xia0/debug-server/android_server64 /data/local/tmp/"
                fi

                xadb sudo "chmod 777 /data/local/tmp/android_server64"

                xadb forward tcp:$debugPort tcp:$debugPort

                xadb sudo "/data/local/tmp/android_server64 -p$debugPort"
                return
            ;;
            gdb )
                # 32bit app gdb debug
                pid=$3
                if [ -z "$pid" ]; then
                    pid=`xadb app pid`
                fi

                server=`adb shell "[ -f /data/local/tmp/gdbserver ] && echo "1" || echo "0"" | tr -d '\r'`

                if [[ "$server" = "0" ]]; then
                    xadb sudo "cp /sdcard/xia0/debug-server/gdbserver /data/local/tmp/"
                fi

                xadb sudo "chmod 777 /data/local/tmp/gdbserver"

                xadb forward tcp:23946 tcp:23946

                xadb sudo "/data/local/tmp/gdbserver :23946 --attach $pid"
                return
            ;;
            gdb64 )
                # 64bit app gdb debug
                pid=$3
                if [ -z "$pid" ]; then
                    pid=`xadb app pid`
                fi

                server64=`adb shell "[ -f /data/local/tmp/gdbserver64 ] && echo "1" || echo "0"" | tr -d '\r'`

                if [[ "$server64" = "0" ]]; then
                    xadb sudo "cp /sdcard/xia0/debug-server/gdbserver64 /data/local/tmp/"
                fi

                xadb sudo "chmod 777 /data/local/tmp/gdbserver64"

                xadb forward tcp:23946 tcp:23946

                xadb sudo "/data/local/tmp/gdbserver64 :23946 --attach $pid"
                return
            ;;

            lldb )
                server=`adb shell "[ -f /data/local/tmp/lldb-server ] && echo "1" || echo "0"" | tr -d '\r'`

                if [[ "$server" = "0" ]]; then
                    xadb sudo "cp /sdcard/xia0/debug-server/lldb-server /data/local/tmp/"
                fi

                xadb sudo "chmod 777 /data/local/tmp/lldb-server"

                # xadb shell /data/local/tmp/lldb-server platform --server --listen unix-abstract:///data/local/tmp/debug.sock

                if [[ "$3" = "port" ]]; then
                    xadb forward tcp:5678 tcp:5678
                    xadb sudo "/data/local/tmp/lldb-server platform --listen \"*:5678\" --server"
                else
                    xadb sudo "/data/local/tmp/lldb-server platform --server --listen unix-abstract:///data/local/tmp/debug.sock"
                fi

                return
            ;;

            lldb64 )
                server64=`adb shell "[ -f /data/local/tmp/lldb-server64 ] && echo "1" || echo "0"" | tr -d '\r'`

                if [[ "$server64" = "0" ]]; then
                    xadb sudo "cp /sdcard/xia0/debug-server/lldb-server64 /data/local/tmp/"
                fi

                xadb sudo "chmod 777 /data/local/tmp/lldb-server64"

                if [[ "$3" = "port" ]]; then
                    xadb forward tcp:5678 tcp:5678
                    xadb sudo "/data/local/tmp/lldb-server64 platform --listen \"*:5678\" --server"
                else
                    xadb sudo "/data/local/tmp/lldb-server64 platform --server --listen unix-abstract:///data/local/tmp/debug.sock"
                fi
            ;;
            * )
                XADBELOG "\"$2\" debug server not found."
                return
            ;;
        esac
        return
    fi

    if [[ "$1" =~ "frida" ]]; then
        # https://github.com/frida/frida/releases
        script="find '/sdcard/xia0/frida' -type f -name \"frida*arm\""
        server=`xadb shell "$script" | awk -F'/' '{print $NF}' | tr -d '\r'`

        script="find '/sdcard/xia0/frida' -type f -name \"frida*arm64\""
        server64=`xadb shell "$script" | awk -F'/' '{print $NF}' | tr -d '\r' `

        XADBILOG "Current frida-server version, for more version visit:[https://github.com/frida/frida/releases]"
        printf "[%5s]: %-50s\n" "arm" $server
        printf "[%5s]: %-50s\n" "arm64" $server64

        xadb kill $server
        xadb kill $server64

        xadb forward tcp:27042 tcp:27042

        if [[ "$1" = "frida64" ]]; then
            ret=`xadb shell "[ -f '/data/local/tmp/$server64' ] && echo "1" || echo "0"" | tr -d '\r'`

            if [[ "$ret" = "0" ]]; then
                xadb sudo "cp '/sdcard/xia0/frida/$server64' '/data/local/tmp/'"
            fi

            xadb sudo "chmod 777 '/data/local/tmp/$server64'"
            xadb sudo "'/data/local/tmp/$server64'"
            return
        fi

        ret=`xadb shell "[ -f '/data/local/tmp/$server' ] && echo "1" || echo "0"" | tr -d '\r' `

        if [[ "$ret" = "0" ]]; then
            xadb sudo "cp '/sdcard/xia0/frida/$server' '/data/local/tmp/'"
        fi

        xadb sudo "chmod 777 '/data/local/tmp/$server'"
        xadb sudo "'/data/local/tmp/$server'"

        return
    fi

    if [[ "$1" = "pcat" ]]; then
        filepath=$2
        filename=${filepath##*/}
        xadb xdo "cat $2" > $filename
        return
    fi

    if [[ "$1" = "scp" ]]; then

        file1=$2
        file2=$3

        # isRemoteFile=`adb shell "[ -f $file1 ] && echo "1" || echo "0"" | tr -d '\r'`
        if [[ -f "$file1" || -d "$file1" ]]; then
            echo "$file1 is local file, so copy it to device"
            xadb push "$file1" "$file2"
        else
            filename=${file1##*/}
            echo "$file1 is remote file, so copy it to local"
            xadb sudo "cp -r $file1 /sdcard"
            xadb pull "/sdcard/$filename" "$file2"
            xadb sudo "rm -r /sdcard/$filename"
        fi
        return
    fi

    # sudo
    if [ "$1" = "sudo" ]; then
        cmd=${@:2:$#}
        XADBILOG "Run \"$cmd\""

        XADBISEMULATOR
        if [[ $? == 1 ]]; then
            xadb shell "$cmd"
            return
        fi

        xadb shell "su -c \"$cmd\"" #2>/dev/null;

        if [[ "$?" != "0" ]]; then
            xadb shell su 0/0 "\"$cmd\"" #2>/dev/null;
        fi
        return
    fi

    # xdo == sudo. just for clean output cmd. NO "Run $cmd" Log
    if [[ "$1" = "xdo" ]]; then
        cmd=${@:2:$#}

        XADBISEMULATOR
        if [[ $? == 1 ]]; then
            xadb shell "$cmd"
            return
        fi

        xadb shell su -c "\"$cmd\"" 2>/dev/null;

        if [[ "$?" != "0" ]]; then
            xadb shell su 0/0 "$cmd" 2>/dev/null;
        fi

        return
    fi

    # kill process by name
    if [[ "$1" = "kill" ]]; then
        process_name=$2
        live=`xadb sudo "ps" | tr -d '\r' | grep $process_name | awk '{print $9}'`
        # echo $process_name
        if [[ -n "$live" && "$live" = "$process_name" ]]; then
            xadb sudo "killall -9 $process_name"
        fi
        return
    fi


    if [[ "$1" = "ps" ]]; then
        process_name=$2
        if [[ -n "$process_name" ]]; then
            xadb sudo "ps -ef" | grep -i $process_name
        fi
        return
    fi

    if [[ "$1" = "maps" ]]; then
        apppid="$2"
        if [[ -n "$apppid" ]]; then
            xadb sudo "cat /proc/$apppid/maps"
        fi
        return
    fi

    # show log of app
    if [ "$1" = "xlog" ];then
        if [ -z "$2" ]; then
            APPPID=`xadb app pid | tr -d '\r'`
            xadb xlog $APPPID
            return
        fi

        APPPID=$2
        APPID=`xadb app package | tr -d '\r'`
        XADBILOG "============================[PID=$APPPID PACKAGE:$APPID]=================================="

        isLogcatSupportPID=`adb logcat -x 2>&1 | grep -q "Only prints logs from the given pid" && echo "1" || echo "0"`

        if [[ $isLogcatSupportPID = "1" ]]; then
            XADBILOG "logcat support --pid option, so use origin to filter pid"
            xadb logcat --pid=$APPPID

        else
            XADBILOG "logcat not support --pid option, so use xia0PIDFilter to filter pid"
            xadb logcat | awk '{if($3 == pid){print $0}}' pid="$APPPID"
        fi

        # adb logcat --pid=1234 | grep -q "Unrecognized Option" && echo "0" || echo "1" & sleep 5; kill $!)
        return
    fi

    if [ "$1" = "pstree" ];then
        ret=`adb shell "[ -f /data/local/tmp/pstree.sh ] && echo "1" || echo "0"" | tr -d '\r'`

        if [[ "$ret" = "0" ]]; then
            xadb sudo "cp /sdcard/xia0/script/pstree.sh /data/local/tmp/"
        fi

        xadb sudo "chmod 777 /sdcard/xia0/script/pstree.sh"
        XADBILOG "Runing sh /sdcard/xia0/script/pstree.sh, Please wait..."
        xadb xdo "sh /sdcard/xia0/script/pstree.sh" | more
        return
    fi

    if [ "$1" = "sign" ];then
        if [[ -z $2 ]]; then
            XADBILOG "[usage] adb sign local-apk-file"
            return
        fi

        apk_file=$2

        SIGN_RSA=`unzip -l $apk_file | grep "META-INF.*\.RSA" | awk '{printf $4}'`
        # echo $SIGN_RSA
        unzip -p $apk_file $SIGN_RSA | keytool -printcert
        return
    fi


    if [ "$1" = "restart" ];then
        XADBILOG "kill all process except init"
        adb sudo "kill -- -1"
        return
    fi


    if [ "$1" = "agent" ];then
        if [[ "$2" = "reinstall" ]]; then
            XADBCheckxia0 force
        fi

        if [[ "$2" = "clean" ]]; then
            XADBCheckxia0 clean
        fi
        return
    fi

    if [ "$1" = "sslkill" ];then
        args=${@:2:$#}
        frida_args="$args"
        if [[ "$args" =~ "-h" ]]; then
            XADBELOG "[usage] -f package_id [-D device_id / -U] -p pid"
            return
        fi

        if [[ ! "$args" =~ "-D" && ! "$args" =~ "-U" ]]; then
            XADBILOG "not special device, use -U"
            frida_args="$frida_args -U"
        fi

        if [[ ! "$args" =~ "-f" ]]; then
            apppid=`adb app package`
            XADBILOG "not special -f package, use $apppid"
            frida_args="$frida_args -f $apppid"
        fi


        frida -l "$XADB_ROOT_DIR/script/pinning.js" $frida_args --no-pause
        return
    fi


    if [ "$1" = "update" ];then
        XADBDLOG "Run adb update"
        sh -c "cd $XADB_ROOT_DIR;git pull"
        sh -c "cd $XADB_ROOT_DIR;git remote show origin | grep -q \"local out of date\" && (touch $XADB_UPDATE_LOCK_FILE) || rm $XADB_UPDATE_LOCK_FILE 2>/dev/null"
        return
    fi

    # usage
    if [[ "$1" = "-h" ]]; then
        printf " %-8s \n\t %-35s %-20s \n" "device" "[imei]" "show connected android device basic info"
        printf " %-8s \n\t %-35s %-20s \n" "serial" "[-s/-r]" "set/remove adb connect device serial such as emulator connecting"
        printf " %-8s \n\t %-35s %-20s \n" "app" "[sign/so/pid/apk/debug/dump]" "show current app, debug and dump dex "
        printf " %-8s \n\t %-35s %-20s \n" "xlog" "[package]" "logcat just current app or special pid"
        printf " %-8s \n\t %-35s %-20s \n" "debug" "[ida/ida64,lldb/lldb64, gdb/gdb64]" "open debug and setup ida/lldb/gdb debug enviroment"
        printf " %-8s \n\t %-35s \n" "frida/64" "start frida server on device"
        printf " %-8s \n\t %-35s %-20s \n" "scp" "local/remote remote/local" "copy device file to local or copy local file to device"
        printf " %-8s \n\t %-35s \n" "pstree" "show the process tree of device"
        printf " %-8s \n\t %-35s %-20s \n" "sign" "[local-apk-file]" "show sign of local apk file"
        printf " %-8s \n\t %-35s %-20s \n" "agent" "[clean/reinstall]" "clean caches and reinstall agent"
        printf " %-8s \n\t %-35s \n" "restart" "soft reboot:kill all process except init"
        printf " %-8s \n\t %-35s \n" "-h" "show this help usage"
        printf " %-8s \n\t %-35s \n" "update" "update xadb for new version!"
        return
    fi

    XADB $@
}

function XADBTimeout() {

    time=$1
    # test -f $XADB_DEVICE_SERIAL && $ADB -s $(cat $XADB_DEVICE_SERIAL) $@ || $ADB -d $@
    if [[ -f $XADB_DEVICE_SERIAL ]]; then
        tmp_serial=$(cat $XADB_DEVICE_SERIAL)
        payload="$ADB -s $tmp_serial shell uname"
    else
        payload="$ADB -d shell uname"
    fi
    # echo $payload
    # start the command in a subshell to avoid problem with pipes
    # (spawn accepts one command)
    command="$SHELL -c \"$payload > /dev/null\""

    expect -c "set echo \"-noecho\"; set timeout $time; spawn -noecho $command; expect timeout { exit 1 } eof { exit 0 }"

    if [ $? = 1 ] ; then
        XADBELOG "timeout after ${time} seconds, will kill-server"
        XADB kill-server
    fi
}

function adb(){

    if [[ "$1" = "kill-server" ]]; then
        XADB kill-server
        return;
    fi

    if [[ "$1" = "serial" ]]; then
        if [[ "$2" = "-s" || "$2" = "set" ]]; then

            echo "$3" > $XADB_DEVICE_SERIAL

        elif [[ "$2" = "-r" || "$2" = "remove" ]]; then
            test -f $XADB_DEVICE_SERIAL && rm $XADB_DEVICE_SERIAL
        else
            test -f $XADB_DEVICE_SERIAL && cat $XADB_DEVICE_SERIAL || XADBILOG "not set device serial"
        fi

        return
    fi

    if [[ "$1" != "update" ]] && [[ "$1" != "-h" ]]; then
        if [[ $(XADBDeviceState) != "device" ]]; then
            # XADBELOG "no device found, please check connect state"
            XADBILOG "The device not found, now use original adb"
            XADB $@
            return
        fi
    fi
    XADBTimeout 5
    XADBCheckxia0
    XADBCheckUpdate
    xadb $@
}

--------------------------------------------------------------------------------
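An added example, not part of the xadb repository: a POSIX shell triage function that checks a captured device snapshot for the state the `debug` and `frida` branches of xadb.sh leave behind (ro.debuggable=1, permissive SELinux, the binaries copied to /data/local/tmp with mode 777, and listeners on ports 23946, 5678 and 27042). The snapshot layout with `## <command>` markers, the function names and every sample value are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example: flag traces of xadb.sh usage in a text snapshot of a device.
# The snapshot is plain text captured beforehand, so this runs offline.

# Constructed sample snapshot (all values made up). Each section starts with
# a "## <command>" marker followed by that command's output.
sample_snapshot() {
cat <<'EOF'
## getprop ro.debuggable
1
## getenforce
Permissive
## ls -l /data/local/tmp
-rwxrwxrwx 1 root  root    13592 2019-06-01 10:02 mprop
-rwxrwxrwx 1 root  root  1234567 2019-06-01 10:03 android_server64
-rwxrwxrwx 1 root  root  9876543 2019-06-01 10:05 frida-server-12.6.5-android-arm64
-rw-r--r-- 1 shell shell     120 2019-06-01 09:00 notes.txt
## netstat -ltn
tcp  0  0 127.0.0.1:27042  0.0.0.0:*  LISTEN
tcp  0  0 0.0.0.0:23946    0.0.0.0:*  LISTEN
tcp  0  0 0.0.0.0:8080     0.0.0.0:*  LISTEN
EOF
}

# Reads a snapshot on stdin and prints one finding per line:
#   PROP ...     ro.debuggable is 1 (normal on userdebug/eng builds, so a signal, not proof)
#   SELINUX ...  enforcement is off, as after "setenforce 0"
#   FILE ...     a binary name that xadb.sh copies into /data/local/tmp
#   PORT ...     a listener on a port that xadb.sh forwards
xadb_triage() {
    awk '
    BEGIN {
        # File names copied to /data/local/tmp by the debug branches of xadb.sh.
        n = split("mprop android_server android_server64 android_x86_server " \
                  "gdbserver gdbserver64 lldb-server lldb-server64", f, " ")
        for (i = 1; i <= n; i++) tool[f[i]] = 1
        # Ports forwarded by xadb.sh and the server each belongs to.
        port["23946"] = "ida/gdb debug server"
        port["5678"]  = "lldb-server platform"
        port["27042"] = "frida-server"
    }
    # Section marker: remember which command the following lines came from.
    /^## / { section = substr($0, 4); next }

    section == "getprop ro.debuggable" && $1 == "1" {
        print "PROP ro.debuggable=1"; next
    }
    section == "getenforce" && tolower($1) == "permissive" {
        print "SELINUX permissive"; next
    }
    # ls -l line: mode is the first field, file name the last.
    section ~ /^ls / && NF >= 8 {
        name = $NF
        if ((name in tool) || name ~ /^frida-server/) {
            mode = ($1 ~ /^-rwxrwxrwx/) ? "mode777" : "mode-other"
            print "FILE " name " " mode
        }
        next
    }
    # netstat line: local address is field 4, the port follows the last colon.
    section ~ /^netstat/ && $NF == "LISTEN" {
        k = split($4, a, ":")
        p = a[k]
        if (p in port) print "PORT " p " " port[p]
    }
    '
}

# Stand-alone run: print the findings for the constructed sample.
sample_snapshot | xadb_triage
```

On a real device the same four command outputs can be collected with the marker lines added in between; a hit on `PROP` alone is expected on userdebug and eng builds.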