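├── README.md
├── frida_main.py
└── scripts
    └── tinyapp.js

/README.md:
--------------------------------------------------------------------------------
# AlipayTinyAppCrack
破解支付宝小程序ssl验证,实现代理抓包

# 使用方法
启动支付宝小程序后,运行frida_main.py

--------------------------------------------------------------------------------
/frida_main.py:
--------------------------------------------------------------------------------
"""Attach Frida to an already-running Alipay process and load a hook script.

The script named by ``script`` is read from ``scripts/`` (relative to the
current working directory), injected into the attached process, and kept
loaded until stdin reaches EOF. Messages sent by the injected JavaScript
are printed as-is.
"""
import frida
import sys

# Hook script to inject; the commented line is the author's alternative.
# script = 'verify_name.js'
script = 'tinyapp.js'

# Decode explicitly as UTF-8: tinyapp.js contains non-ASCII comments, and the
# platform default encoding is not UTF-8 on every host, which would make the
# read fail before anything is attached.
with open('scripts/' + script, encoding='utf-8') as fp:
    jscode = fp.read()


def on_message(msg, data):
    """Print every message the injected script posts back to the host.

    Frida also delivers uncaught JavaScript exceptions through this callback,
    so a hook that failed to install (for example because a class name does
    not exist in the running build) shows up here rather than being silent.
    ``data`` is the optional binary payload and is not used.
    """
    print(msg)


# Spawn-mode alternative left by the author: start the main package under
# Frida instead of attaching to a process that is already running.
# pid = frida.get_usb_device().spawn('com.eg.android.AlipayGphone')
# process = frida.get_usb_device().attach(pid)
# frida.get_usb_device().resume(pid)

# Attach by process name on the USB-connected device. The ':lite1' suffix is
# presumably the separate process that hosts the mini program (the README
# says to start the mini program first) -- confirm against the device's
# process list.
process = frida.get_usb_device().attach('com.eg.android.AlipayGphone:lite1')

script = process.create_script(jscode)
script.on('message', on_message)
print('Connected')
script.load()
try:
    # Block until stdin reaches EOF; the hooks stay installed in the meantime.
    sys.stdin.read()
finally:
    # Detach even when the wait is interrupted (Ctrl-C), so the session is
    # always released instead of being left to interpreter teardown.
    process.detach()

--------------------------------------------------------------------------------
/scripts/tinyapp.js:
--------------------------------------------------------------------------------
/*
  Alipay mini-program hook script, written against Alipay v10.1.75.

  The class names below are specific to that build. Java.use() throws when a
  class cannot be found, and nothing here catches it, so one renamed class
  stops every hook that follows it inside the Java.perform callback.

  All three hooks replace Java-layer methods inside the attached process
  only. While they are loaded, the WebView and the Apache hostname verifier
  no longer authenticate the server, so every connection that goes through
  them accepts whatever certificate the peer presents. Checks implemented
  outside these Java methods are not affected by this script.
*/

Java.perform(function () {
    // WebView certificate pinning.
    // onReceivedSslError is the callback a WebViewClient gets when the page's
    // certificate fails validation; the replacement always calls proceed(),
    // i.e. it continues the load instead of cancelling it. The app's original
    // handler is never invoked.
    const H5WebViewClient = Java.use('com.alipay.mobile.nebulacore.web.H5WebViewClient');
    const SslErrorHandler = Java.use("android.webkit.SslErrorHandler");
    H5WebViewClient.onReceivedSslError.implementation = function(webview, sslHandler, sslError){
        console.log('H5WebViewClient onReceivedSslError called, proceed');
        var handler = Java.cast(sslHandler, SslErrorHandler);
        handler.proceed();
    };
    // H5 mini-program log.
    // Replaces H5Log.d(String, String) so debug lines are printed to the Frida
    // console. The original method is not called, so whatever it normally
    // does with the message no longer happens while the hook is loaded.
    const H5Log = Java.use("com.alipay.mobile.nebula.util.H5Log");
    H5Log.d.overload("java.lang.String", "java.lang.String").implementation = function (tag, msg) {
        console.log("debug: [", tag, "] - ", msg);

    };

    // Disable the SSL hostname check.
    // This verify() overload returns void and reports a mismatch by throwing;
    // the replacement logs the host (first argument) and returns normally, so
    // every hostname is treated as matching the certificate.
    const AbstractVerifier = Java.use("org.apache.http.conn.ssl.AbstractVerifier");
    AbstractVerifier.verify.overload('java.lang.String', '[Ljava.lang.String;', '[Ljava.lang.String;', 'boolean').implementation=function(a,b,c,d){
        console.log('HostnameVerifier wants to verify ', a, ' disabled');
        return;
    };

    // Reached only if every Java.use() above resolved.
    console.log('injected');
});
--------------------------------------------------------------------------------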