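// Repository: FridaScripts — "some Frida scripts" (README.md).
// README entry for this file: "generic traffic-capture approach for ByteDance-family apps".
//
// byteDance.js — Frida agent that waits for libsscronet.so to be loaded and then
// forces its BoringSSL custom-verify callback to report ssl_verify_ok.
// Three approaches are kept here; only one should be active (method 3 is the
// recommended one, the other two stay commented out for reference).

// AArch64 encoding of `mov w0, #0` (0x52800000, little-endian).
const MOV_W0_ZERO = [0x00, 0x00, 0x80, 0x52];

/**
 * Overwrites the 4-byte instruction at `address` with `mov w0, #0`.
 *
 * Memory.patchCode makes the page writable for the duration of the write and
 * restores its original protection afterwards; the earlier protect-then-write
 * sequence ignored Memory.protect's boolean result and left the page rwx.
 *
 * @param {NativePointer} address - start of an AArch64 instruction
 * @throws {Error} when the process is not arm64 — on any other architecture
 *   these bytes are not `mov w0, #0` and writing them would corrupt code
 */
function patch(address) {
  if (Process.arch !== 'arm64') {
    throw new Error(`patch: AArch64-only encoding, refusing to write on ${Process.arch}`);
  }
  Memory.patchCode(address, MOV_W0_ZERO.length, (code) => {
    code.writeByteArray(MOV_W0_ZERO);
  });
}

// Earlier attempt via System.loadLibrary; kept for reference, the callback is never reached.
// function onLoad(name, callback) {
//   var Runtime = Java.use('java.lang.Runtime');
//   var System = Java.use('java.lang.System');
//   var VMStack = Java.use('dalvik.system.VMStack');
//   var VERSION = Java.use('android.os.Build$VERSION');
//   System.loadLibrary.overload('java.lang.String').implementation = function (libName) {
//     if (VERSION.SDK_INT.value >= 29) {
//       Runtime.getRuntime().loadLibrary0(Java.use('sun.reflect.Reflection').getCallerClass(), libName);
//     } else if (VERSION.SDK_INT.value >= 24) {
//       Runtime.getRuntime().loadLibrary0(VMStack.getCallingClassLoader(), libName);
//     } else {
//       Runtime.getRuntime().loadLibrary(libName, VMStack.getCallingClassLoader());
//     }
//     if (libName.includes(name)) {
//       callback(); // never reached
//     }
//   };
// }

/**
 * Runs `callback` once, on the return path of the first successful
 * `android_dlopen_ext` whose path contains `name`.
 *
 * Reference: https://www.jianshu.com/p/4291ee42c412
 * Prototype: void* android_dlopen_ext(const char* filename, int flag,
 *                                     const android_dlextinfo* extinfo);
 *
 * @param {string} name - substring of the library path to wait for
 * @param {() => void} callback - invoked after the loader returns a non-NULL handle
 */
function onLoad(name, callback) {
  const dlopenExt = Module.findExportByName(null, 'android_dlopen_ext');
  if (dlopenExt === null) {
    console.warn('onLoad: android_dlopen_ext not found; callback will never run');
    return;
  }
  const listener = Interceptor.attach(dlopenExt, {
    onEnter(args) {
      // filename may be NULL (dlopen of the main program); readCString on NULL throws.
      const path = args[0].isNull() ? '' : args[0].readCString();
      this.matched = path.includes(name);
    },
    onLeave(retval) {
      if (!this.matched) {
        return;
      }
      // A NULL handle means the load failed, so the library's exports are not there yet.
      if (retval.isNull()) {
        return;
      }
      // Detach before calling back: a later dlopen of the same, already-loaded
      // library would otherwise run the callback again and install the hooks twice.
      listener.detach();
      callback();
    },
  });
}

/**
 * Entry point. Waits for the Java VM, then arms the chosen method on
 * libsscronet.so once the loader brings it in.
 */
function main() {
  Java.perform(() => {
    // Offsets and signatures below were taken from app version 28.4.0.
    const soName = 'libsscronet.so';

    // Method 1: memory signature scan.
    // onLoad(soName, function () {
    //   let libsscronet = Process.getModuleByName(soName);
    //   const verifyCertMatches = Memory.scanSync(libsscronet.base, libsscronet.size, "E0 E3 00 91 C1 14 80 12");
    //   verifyCertMatches.forEach(function (result) {
    //     let verifyCert = result.address.add(0xC);
    //     if (Instruction.parse(verifyCert).toString() === "mov w0, #1") {
    //       // make the page readable, writable and executable
    //       Memory.protect(verifyCert, 4, 'rwx');
    //       // rewrite to mov w0, #0
    //       Memory.writeByteArray(verifyCert, [0x00, 0x00, 0x80, 0x52]);
    //     }
    //
    //     let handleVerifyInstruction = Instruction.parse(result.address.add(0x1A4));
    //     if (Instruction.parse(result.address.add(0x1A0)).toString() === "mov x0, x19" && handleVerifyInstruction.mnemonic === "bl") {
    //       let handleVerifyResult = new NativePointer(handleVerifyInstruction.opStr.replace('#', ''));
    //       Interceptor.attach(handleVerifyResult, {
    //         onLeave: function (retval) {
    //           if (retval > 0x0) retval.replace(0x0);
    //         }
    //       });
    //     }
    //   });
    // });

    // Method 2: patch fixed offsets directly (version-specific).
    // onLoad(soName, function () {
    //   let libsscronet = Module.getBaseAddress(soName);
    //   let verifyCert = libsscronet.add(0x3700F0);
    //   let handleVerifyResult1 = libsscronet.add(0x370448);
    //   let handleVerifyResult2 = libsscronet.add(0x370494);
    //   console.log("修改前: " + Instruction.parse(verifyCert), Instruction.parse(handleVerifyResult1), Instruction.parse(handleVerifyResult2));
    //   patch(verifyCert);
    //   patch(handleVerifyResult1);
    //   patch(handleVerifyResult2);
    //   console.log("修改后: " + Instruction.parse(verifyCert), Instruction.parse(handleVerifyResult1), Instruction.parse(handleVerifyResult2));
    // })

    // Method 3: hook SSL_CTX_set_custom_verify; symbol-based, so it is not tied to a build.
    onLoad(soName, () => {
      // Prototype:
      // void SSL_CTX_set_custom_verify(SSL_CTX *ctx, int mode,
      //     enum ssl_verify_result_t (*callback)(SSL *ssl, uint8_t *out_alert)) {
      //   ctx->verify_mode = mode;
      //   ctx->custom_verify_callback = callback;
      // }
      //
      // findExportByName returns null when the symbol is missing; getExportByName
      // would throw instead, which made the original null check unreachable.
      const setCustomVerify = Module.findExportByName(soName, 'SSL_CTX_set_custom_verify');
      if (setCustomVerify === null) {
        console.warn(`${soName}: SSL_CTX_set_custom_verify is not exported`);
        return;
      }
      // Callback addresses already wrapped; the setter may be called repeatedly
      // with the same function and each Interceptor.attach adds another listener.
      const hookedCallbacks = new Set();
      Interceptor.attach(setCustomVerify, {
        onEnter(args) {
          const verifyCallback = args[2];
          // A NULL callback clears custom verification; nothing to wrap.
          if (verifyCallback.isNull()) {
            return;
          }
          const key = verifyCallback.toString();
          if (hookedCallbacks.has(key)) {
            return;
          }
          hookedCallbacks.add(key);
          Interceptor.attach(verifyCallback, {
            onLeave(retval) {
              // enum ssl_verify_result_t BORINGSSL_ENUM_INT {
              //   ssl_verify_ok,
              //   ssl_verify_invalid,
              //   ssl_verify_retry,
              // };
              // Force every result to ssl_verify_ok. The return is an int, so
              // compare the low 32 bits instead of relying on NativePointer's
              // string coercion in `retval > 0x0`.
              if (retval.toInt32() !== 0) {
                retval.replace(ptr(0));
              }
            },
          });
        },
      });
    });

    // Only one of the methods above is needed; method 3 is the recommended one.
  });
}

setImmediate(main);
// setTimeout(main, 3000);
// frida -U -f com.ss.android.ugc.aweme -l Android/byteDance.js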