├── LICENSE ├── README.md ├── frida_hook.py ├── hook.js └── tracer.py /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2020 L3B1anc 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
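--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# simpleencrypt
快速解决app加密问题
https://l3b1anc.github.io/android/2020/11/25/%E5%88%A9%E7%94%A8frida%E5%BF%AB%E9%80%9F%E8%A7%A3%E5%86%B3APP%E4%B8%AD%E6%9F%90tong%E5%8A%A0%E5%AF%86.html

Frida helper for testing an Android app whose traffic is encrypted in-app. `hook.js`
hooks the app's `encryptDataWithSM` / `decryptDataWithSM`, and `frida_hook.py` pushes the
plaintext through Burp (proxy on 127.0.0.1:8080) to the echo server `tracer.py`
(127.0.0.1:8888); whatever Burp hands back is written into the app before encryption /
after decryption, so the plaintext can be viewed and tampered with in Burp.
Fill in the package name in `frida_hook.py` and the crypto class name in `hook.js` first.
--------------------------------------------------------------------------------
/frida_hook.py:
--------------------------------------------------------------------------------
#coding=utf-8
"""Frida driver: forwards plaintext from hook.js through Burp and back (Python 3).

Round trip per hooked call (see hook.js / tracer.py):
    app thread -> send(plaintext) -> on_message() -> toburp() -> Burp proxy
    -> tracer.py echo -> response body -> script.post() -> recv() in hook.js
The app thread is blocked in recv().wait() for the whole round trip, so this side
must ALWAYS post a reply for every "send" message; a reply that never comes
(exception in the callback, Burp not running) leaves the hooked thread hung.
"""
import json
import sys
import time

import frida
import requests

# Package id of the target app -- fill in before running (upstream placeholder kept).
PACKAGE_NAME = "com.*"
# Burp listener and the local echo server (tracer.py). Both are loopback-only, and the
# proxy is only configured for plain http, so keep TRACER_URL on http.
BURP_PROXIES = {'http': 'http://127.0.0.1:8080'}
TRACER_URL = 'http://127.0.0.1:8888/test'
# Long on purpose: the operator may hold the request in Burp Intercept for a while.
HTTP_TIMEOUT = 300
# Upstream left device.kill() commented out, so an already-running app is attached to
# as-is (its earlier crypto calls are missed). Set True to kill it and wait for a
# restart -- only then is the "[+] killing" log line true.
KILL_BEFORE_ATTACH = False

# Set in main(); on_message() posts replies back through it.
script = None


def on_message(message, data):
    """Frida script message callback.

    Frida always passes a dict with a "type" key: "send" carries "payload",
    "error" carries "description" / "stack". (The original tested
    isinstance(message, dict), which is always true, and the dead branch used the
    Python-2-only dict.has_key, so script errors raised KeyError here.)

    For "send" the payload is round-tripped through Burp and the response body is
    posted back. On any transport failure the ORIGINAL payload is posted instead so
    the app thread blocked in recv().wait() is released rather than left hanging.
    """
    msg_type = message.get("type")
    if msg_type == "send":
        payload = message.get("payload")
        if payload is None:
            # e.g. decryptDataWithSM returned null. Pass it through untouched so the
            # hooked method's result is unchanged; nothing useful to show in Burp.
            # NOTE(review): assumes Frida accepts a null post -- confirm on the JS side.
            script.post(payload)
            return
        if not isinstance(payload, str):
            # send() can carry any JSON-serialisable value; keep the wire format textual.
            payload = json.dumps(payload, ensure_ascii=False)
        try:
            reply = toburp(payload.encode('utf-8'))
        except requests.RequestException as exc:
            print("[-] proxy round trip failed, passing payload through unchanged: {0}".format(exc))
            reply = payload
        script.post(reply)
    elif msg_type == "error":
        print("[-] script error: {0}".format(message.get("description")))
        if message.get("stack"):
            print(message["stack"])
    else:
        print(message)


def get_application_name(device, identifier):
    """Return the display name of the installed app with package id *identifier*, else None."""
    for app in device.enumerate_applications():
        if app.identifier == identifier:
            return app.name
    return None


def get_process_pid(device, application_name):
    """Return the pid of the first process named *application_name*, or -1 if none is running.

    main() passes the package id; an Android app's main process is normally named
    after its package, but if the target uses a different process name resolve it
    via get_application_name() first (hedged: not verified against this app).
    """
    for proc in device.enumerate_processes():
        if proc.name == application_name:
            return proc.pid
    return -1


def toburp(data):
    """POST *data* (bytes or str) to the tracer echo endpoint through the Burp proxy.

    Burp sees the plaintext in its proxy history / Intercept; the response body
    (possibly edited in Burp) is returned as text. Raises requests.RequestException
    on connection failure or timeout -- callers must handle it so the app thread is
    not left blocked.
    """
    if isinstance(data, str):
        data = data.encode('utf-8')
    response = requests.post(TRACER_URL, data=data, proxies=BURP_PROXIES, timeout=HTTP_TIMEOUT)
    return response.text


def main():
    """Attach to the target app, load hook.js, and pump messages until stdin closes or Ctrl-C."""
    global script
    # Upstream picks the last enumerated device; keep that, but reuse the SAME object
    # for attach instead of enumerating again, so we never poll one device and attach
    # to another.
    device = frida.get_device_manager().enumerate_devices()[-1]

    pid = get_process_pid(device, PACKAGE_NAME)
    if pid != -1 and KILL_BEFORE_ATTACH:
        print("[+] killing {0}".format(pid))
        device.kill(pid)
        time.sleep(0.3)
    # Wait for the process to (re)appear.
    while True:
        pid = get_process_pid(device, PACKAGE_NAME)
        if pid != -1:
            break
        print("[-] {0} is not found...".format(PACKAGE_NAME))
        time.sleep(2)

    print("[+] Injecting script to {0}({1})".format(PACKAGE_NAME, pid))
    with open("hook.js", encoding="utf-8") as fh:
        script_content = fh.read()

    session = None
    interrupted = False
    try:
        session = device.attach(pid)
        script = session.create_script(script_content)
        script.on("message", on_message)
        script.load()
        sys.stdin.read()  # block until EOF (Ctrl-D) or Ctrl-C
    except KeyboardInterrupt:
        interrupted = True
    finally:
        if session is not None:
            session.detach()
    if interrupted:
        # Upstream kills the app on Ctrl-C; keep that so no half-hooked process lingers.
        device.kill(pid)
        sys.exit(0)


if __name__ == "__main__":
    main()
--------------------------------------------------------------------------------
/hook.js:
--------------------------------------------------------------------------------
// hook.js -- loaded into the app by frida_hook.py.
//
// Both hooks block the app thread in recv().wait() until the Python side posts a
// reply, so the plaintext can be edited in Burp before the app encrypts it / after
// it decrypts it. If the Python side never replies, that thread hangs.
//
// NOTE(review): assumes the 2nd argument of encryptDataWithSM and the return value
// of decryptDataWithSM are java.lang.String (Frida hands those to send() as plain
// strings). If they are byte[] the values must be converted first -- confirm
// against the target class.
Java.perform(function () {
    console.log("[*] Hooking ...");

    // Target crypto helper -- fill in the real class name before running.
    var CryptoUtil = Java.use("com.*.CryptoUtil");

    // Plaintext going OUT: ship argument b to Python, replace it with whatever
    // comes back, then call the original.
    CryptoUtil.encryptDataWithSM.implementation = function (a, b, c) {
        send(b);
        var op = recv(function (value) {
            console.log("[*] js recv encryptdata content: " + value);
            b = value;
        });
        op.wait();
        return this.encryptDataWithSM(a, b, c);
    };

    // Plaintext coming IN: call the original, ship the result to Python and
    // return whatever comes back.
    CryptoUtil.decryptDataWithSM.implementation = function (a, b, c) {
        var result = this.decryptDataWithSM(a, b, c);
        send(result);
        var op = recv(function (value) {
            console.log("[*] js recv decryptdata content: " + value);
            result = value;
        });
        op.wait();
        return result;
    };
});
--------------------------------------------------------------------------------
/tracer.py:
--------------------------------------------------------------------------------
"""Echo server sitting behind Burp.

frida_hook.py POSTs the app's plaintext here through the Burp proxy; whatever body
comes back is handed to the app. Burp is where edits happen -- this server only
reflects. It is bound to loopback: the only client is 127.0.0.1 and the echoed data
is app plaintext, so there is no reason to expose it on the LAN (upstream used 0.0.0.0).
"""
from flask import Flask, jsonify, request
import json

app = Flask(__name__)
# Keep non-ASCII (e.g. Chinese) intact in the echoed JSON rather than \uXXXX-escaping it.
app.config['JSON_AS_ASCII'] = False
if hasattr(app, "json"):
    # Flask >= 2.2 moved this setting to the JSON provider; 2.3+ ignores the config key.
    app.json.ensure_ascii = False


@app.route('/test', methods=['POST'])
def post_Data():
    """Reflect the POSTed body back.

    A JSON body is re-serialised with jsonify and returned with 201, as before.
    A body that is not JSON (plaintext that happens not to be JSON) is echoed
    verbatim as text/plain with 200 instead of the 500 the bare json.loads()
    produced -- a 500 page would otherwise have been written into the app.
    """
    raw = request.get_data()
    try:
        payload = json.loads(raw)
    except ValueError:
        return raw, 200, {"Content-Type": "text/plain; charset=utf-8"}
    return jsonify(payload), 201


if __name__ == '__main__':
    # debug=False matters: the Werkzeug debugger gives code execution to anyone who
    # can reach the port. 127.0.0.1 instead of 0.0.0.0 keeps the plaintext echo local.
    app.run(debug=False, host='127.0.0.1', port=8888)
--------------------------------------------------------------------------------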