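├── learn
│   ├── cls.js
│   ├── track.js
│   ├── track-better.js
│   ├── hookNative.js
│   ├── DialogTrace.js
│   ├── overload.js
│   └── c-trace.js
└── javascript-common.js

/learn/cls.js:
--------------------------------------------------------------------------------
// frida -U -p 6324 -l cls.js
//
// Dump every method of every loaded Java class (the pattern '*!*' means "any
// class, any method") as pretty-printed JSON to /sdcard/mobile.txt.
//
// Operational notes:
//  - /sdcard is world-readable external storage: anything written there is
//    visible to every app holding READ_EXTERNAL_STORAGE. Pull the file off the
//    device and delete it once captured.
//  - On scoped-storage Android versions the target app may not be allowed to
//    write there at all, in which case File() throws; the try/finally below
//    makes sure the handle is still released.
Java.perform(() => {
  const groups = Java.enumerateMethods('*!*');
  const str = JSON.stringify(groups, null, 2);
  console.log(str);
  const file = new File('/sdcard/mobile.txt', 'wb+');
  try {
    file.write(str);
    file.flush();
  } finally {
    // Release the handle even if write()/flush() throws.
    file.close();
  }
});

--------------------------------------------------------------------------------
/learn/track.js:
--------------------------------------------------------------------------------
// Hook com.google.android.gms...ConnectionErrorMessages.getErrorMessage(Context, int),
// log the argument and the return value, then throw from inside the hook so
// that the caller's Java stack trace lands in logcat (see the logcat line at
// the bottom of this file).
//
// This is the crude variant: the uncaught exception normally crashes the
// process. Prefer track-better.js, which logs the same stack without throwing.
Java.perform(function () {
  var ConnectionErrorMessages = Java.use("com.google.android.gms.common.internal.ConnectionErrorMessages");
  ConnectionErrorMessages.getErrorMessage.overload('android.content.Context', 'int').implementation = function (mContext, mI) {
    console.log("gms i:" + mI);
    var ret = this.getErrorMessage(mContext, mI);
    console.log("return:" + ret);
    // Java class names are case-sensitive. The original script used
    // "Java.lang.Exception", which does not exist: Java.use() itself then
    // fails with a ClassNotFound error, and the trace you get in logcat is
    // Frida's, not the one for the method you are tracing.
    var Exception = Java.use("java.lang.Exception");
    // Deliberate: always throws, so nothing after this line is reachable and
    // the original's trailing `return ret` has been dropped.
    throw Exception.$new("getErrorMessage");
  };
});

// logcat -s AndroidRuntime

--------------------------------------------------------------------------------
/javascript-common.js:
--------------------------------------------------------------------------------
// 1. Render a byte array as a lowercase hex string.
//
// Accepts both unsigned (0..255) and signed (-128..127) element values; the
// latter is what a Java byte[] yields when read from a Frida hook. Each value
// is masked to its low 8 bits, so -1 -> "ff", exactly as the original
// (255 + num + 1) arithmetic did for the signed range.
function Bytes2HexString(arrBytes) {
  var str = "";
  for (var i = 0; i < arrBytes.length; i++) {
    var tmp = (arrBytes[i] & 0xff).toString(16);
    if (tmp.length == 1) {
      tmp = "0" + tmp;
    }
    str += tmp;
  }
  return str;
}


// 2. Convert an array of byte values to a string, one character per element.
//
// This is a Latin-1 style mapping (code unit == byte value), NOT a UTF-8
// decode: multi-byte sequences will come out as mojibake.
//
// Two problems with the bare String.fromCharCode.apply(String, array) are
// handled here:
//  - fromCharCode applies ToUint16, so a signed byte from a Java byte[] such
//    as -1 became U+FFFF instead of U+00FF; negative values are masked to
//    0..255 first.
//  - apply() passes every element as a separate call argument and throws
//    RangeError ("Maximum call stack size exceeded") on large arrays, so the
//    conversion is done in fixed-size chunks.
function bin2String(array) {
  var CHUNK = 8192;
  var out = "";
  for (var i = 0; i < array.length; i += CHUNK) {
    var end = Math.min(i + CHUNK, array.length);
    var slice = [];
    for (var j = i; j < end; j++) {
      var v = array[j];
      slice.push(v < 0 ? (v & 0xff) : v);
    }
    out += String.fromCharCode.apply(String, slice);
  }
  return out;
}

--------------------------------------------------------------------------------
/learn/track-better.js:
--------------------------------------------------------------------------------
// Same hook as track.js, but records the Java call stack by logging
// Thread.currentThread().getStackTrace() instead of throwing, so the app
// keeps running and the hooked method still returns its real result.
Java.perform(function () {
  var Thread = Java.use('java.lang.Thread');

  // Flatten a StackTraceElement[] into a "one frame per line" string.
  function where(stack) {
    var at = "";
    for (var i = 0; i < stack.length; i++) {
      at += stack[i].toString() + "\n";
    }
    return at;
  }

  var ConnectionErrorMessages = Java.use("com.google.android.gms.common.internal.ConnectionErrorMessages");
  ConnectionErrorMessages.getErrorMessage.overload('android.content.Context', 'int').implementation = function (mContext, mI) {
    console.log("gms i:" + mI);
    var ret = this.getErrorMessage(mContext, mI);
    console.log("return:" + ret);
    // currentThread() is static; there is no need to allocate a throwaway
    // Thread object (the original did thread.$new()) just to call it.
    var stack = Thread.currentThread().getStackTrace();
    console.log(where(stack));
    return ret;
  };
});

// logcat -s AndroidRuntime

--------------------------------------------------------------------------------
/learn/hookNative.js:
--------------------------------------------------------------------------------
// frida -U -l hookNative.js -f com.joom --no-pause
//
// Log every libc open() call; the dlopen() hook at the bottom also notes when
// libcrypt-lib.so gets mapped.

// These two lookups are kept only as a record of what was tried: findExportByName
// matches the exported symbol name exactly, and ".open"/".fopen" are not symbol
// names, so both return null. Use "open"/"fopen" against libc.so (see hookOpen).
function hookopen() {
  var openPtr = Module.findExportByName("libcrypt-lib.so", ".open");
  console.log("openPtr:", JSON.stringify(openPtr));
}

function hookfopen() {
  var fopenPtr = Module.findExportByName("libcrypt-lib.so", ".fopen");
  console.log("fopenPtr:", JSON.stringify(fopenPtr));
}

var openHooked = false;

// Trace libc open(): logs the path on entry and the returned fd on exit.
//
// Interceptor.attach is used rather than Interceptor.replace for two reasons:
//  - open() is variadic, open(path, flags, mode). The original 2-argument
//    replacement re-invoked the real open() without the mode, so any file the
//    app created with O_CREAT got whatever happened to sit in the third
//    argument register as its permission bits. attach() forwards all
//    arguments untouched.
//  - hookOpen() is called from the dlopen hook on every dlopen(); a second
//    Interceptor.replace on the same address throws. The openHooked guard
//    makes the call idempotent (attach()ing twice would double every log line).
function hookOpen() {
  if (openHooked) {
    return;
  }
  var openPtr = Module.findExportByName("libc.so", "open");
  if (openPtr === null) {
    console.log("open not found in libc.so");
    return;
  }
  openHooked = true;
  Interceptor.attach(openPtr, {
    onEnter: function (args) {
      var path = Memory.readUtf8String(args[0]);
      console.log("Opening '" + path + "'");
    },
    onLeave: function (retval) {
      console.log("Got fd: " + retval.toInt32());
    }
  });
}


var dlopenPtr = Module.findExportByName(null, "dlopen");
Interceptor.attach(dlopenPtr, {
  onEnter: function (args) {
    hookOpen();
    // dlopen(NULL, flags) is legal (it returns the main program's handle);
    // readCString(NULL) yields null and the original's .indexOf() then threw.
    var str = args[0].isNull() ? null : Memory.readCString(args[0]);
    // console.log("dlopen ", str);
    // Per-invocation state lives on `this`, not in a script-global flag, so
    // concurrent dlopen() calls on different threads cannot clobber each other.
    // `!== -1` rather than `> 0`: a bare "libcrypt-lib.so" soname matches at index 0.
    this.loadsCrypt = str !== null && str.indexOf("libcrypt-lib.so") !== -1;
  },
  onLeave: function (retval) {
    if (this.loadsCrypt) {
      // libcrypt-lib.so is now mapped; library-specific hooks would go here.
    }
  }
});

--------------------------------------------------------------------------------
/learn/DialogTrace.js:
--------------------------------------------------------------------------------
// frida -U -l DialogTrace.js -f com.vechain.thorwallet --no-pause
//
// Find out where a dialog/toast text comes from: hook Resources.getText(int)
// and print the Java stack for every lookup. The commented-out variants hook
// Resources.getString(int) / AlertDialog.Builder.setMessage(int) instead and
// can be swapped in when the app reads strings through those paths.
Java.perform(function () {
  var Thread = Java.use('java.lang.Thread');

  // Flatten a StackTraceElement[] into a "one frame per line" string.
  function where(stack) {
    var at = "";
    for (var i = 0; i < stack.length; i++) {
      at += stack[i].toString() + "\n";
    }
    return at;
  }

  // Print the current Java thread's stack trace.
  function showTrack() {
    var stack = Thread.currentThread().getStackTrace();
    console.log(where(stack));
  }

  // var Resources = Java.use('android.content.res.Resources');
  // Resources.getString.overload('int').implementation = function (id) {
  //   console.log("Resources id:" + id);
  //   showTrack();
  //   return this.getString(id);
  // };

  // var Builder = Java.use('android.app.AlertDialog$Builder');
  // Builder.setMessage.overload('int').implementation = function (id) {
  //   console.log("Resources id:" + id);
  //   showTrack();
  //   return this.setMessage(id);
  // };

  var Resources = Java.use('android.content.res.Resources');
  Resources.getText.overload('int').implementation = function (id) {
    console.log("Resources id:" + id);
    showTrack();
    return this.getText(id);
  };
});

// logcat -s AndroidRuntime

--------------------------------------------------------------------------------
/learn/overload.js:
--------------------------------------------------------------------------------
// overload() selects WHICH of several same-named Java methods gets hooked; its
// arguments are the fully-qualified parameter types, in declaration order
// ('[B' is byte[], '[C' is char[]). Reference list of signatures seen in
// practice (not runnable on its own):

.overload()
.overload('java.lang.String')
.overload('android.app.Activity')
.overload('int')
.overload('[B') // byte array
.overload('float')
.overload('android.content.Context')
.overload('[C')
.overload('android.content.Context', 'android.view.View')
.overload('android.app.Activity', 'com.cherrypicks.hsbcpayme.model.object.PayMeNotification')
.overload('android.content.Context', 'boolean')
.overload('android.content.Context', 'int')
.overload('android.content.Context', 'java.lang.String')
.overload('android.app.Activity', 'int')
.overload('java.lang.String', 'java.lang.String')
.overload('android.content.Context', 'android.graphics.Bitmap')
.overload('java.lang.String', 'java.io.File')
.overload('android.content.Context', 'java.lang.String', 'java.util.List')
.overload('java.lang.String', 'java.lang.String', 'java.lang.String')
.overload('java.lang.String', '[B', '[B')
.overload('java.lang.String', 'java.lang.String', 'android.content.Context')
.overload('android.app.Activity', 'com.cherrypicks.hsbcpayme.model.object.PayMeNotification', 'int')
.overload('[B', '[B', '[B')
.overload('android.content.Context', 'java.lang.String', 'java.lang.String')
.overload('android.app.Activity', 'int', 'int', 'int', 'boolean')


// Example: redirect AssetManager.open("*.xxx") to a substitute file under
// /data/local/tmp. The substitute must exist and be readable by the app's uid
// (FileInputStream.$new throws FileNotFoundException otherwise), so push it
// there with adb before attaching. Every other asset is served unchanged.
Java.perform(function () {
  var AssetManager = Java.use("android.content.res.AssetManager");
  var FileInputStream = Java.use("java.io.FileInputStream");
  AssetManager.open.overload("java.lang.String").implementation = function (str) {
    send("hook asset");
    if (str.endsWith(".xxx")) {
      return FileInputStream.$new("/data/local/tmp/xxxxx");
    }
    return this.open(str);
  };
});

--------------------------------------------------------------------------------
/learn/c-trace.js:
--------------------------------------------------------------------------------
// frida -U -l c-trace.js -f com.joom --no-pause
//
// Once libcrypt-lib.so is loaded, record every file it opens through libc
// open()/fopen() (attributed by walking the native backtrace) to
// /sdcard/openFile.txt. Same caveat as cls.js: /sdcard is world-readable.

// Kept as a record of what was tried: ".open" is not an export name and this
// lookup returns null.
function hookopen() {
  var openPtr = Module.findExportByName("libcrypt-lib.so", ".open");
  console.log("openPtr:", JSON.stringify(openPtr));
}

// Alternative: hook an fopen call site inside libcrypt-lib.so by raw offset.
// The offset 293520 (0x47A90) belongs to one specific build of the library
// and has to be re-derived from the binary for any other version.
//
// Changes from the original:
//  - crypt.base.add(offset) instead of parsing the base out of a hex string
//    and rebuilding a NativePointer from a JS Number.
//  - Interceptor.attach instead of Interceptor.replace. The original's
//    `new NativeCallback(function ... )` was closed before its return-type and
//    argument-type arguments, so the callback was constructed without a
//    signature and the call threw before any hook was installed.
//  - null check: Process.findModuleByName returns null while the library is
//    not mapped, and `.base` on null threw.
function hookfopen() {
  var crypt = Process.findModuleByName("libcrypt-lib.so");
  console.log("crypt:", JSON.stringify(crypt));
  if (crypt === null) {
    return;
  }
  var target = crypt.base.add(293520);
  console.log(JSON.stringify(target));

  Interceptor.attach(target, {
    onEnter: function (args) {
      var pathStr = Memory.readUtf8String(args[0]);
      console.log("path:" + pathStr);
    }
  });
}


var openFile = new File("/sdcard/openFile.txt", "a+");
var hooksInstalled = false;

// True when the native backtrace for the current invocation passes through
// libcrypt-lib.so; the trace is logged in that case.
function calledFromCrypt(context) {
  var trace = Thread.backtrace(context, Backtracer.ACCURATE).map(DebugSymbol.fromAddress).join("\n");
  if (trace.indexOf("libcrypt-lib.so") !== -1) {
    console.log("trace:" + trace);
    return true;
  }
  return false;
}

// Append one opened path to the report file.
function recordPath(path) {
  openFile.write(path + "\n");
  openFile.flush();
}

// Trace libc open() calls made from libcrypt-lib.so.
//
// Uses Interceptor.attach rather than replace: open() is variadic
// (open(path, flags, mode)) and the original 2-argument replacement dropped
// the mode, so files the app created with O_CREAT got arbitrary permission
// bits. attach() leaves all arguments untouched.
function hookOpen() {
  var openPtr = Module.findExportByName("libc.so", "open");
  Interceptor.attach(openPtr, {
    onEnter: function (args) {
      if (calledFromCrypt(this.context)) {
        var path = Memory.readUtf8String(args[0]);
        console.log("Opening '" + path + "'");
        recordPath(path);
      }
    }
  });
}

// Trace fopen() calls made from libcrypt-lib.so.
function hookFopen() {
  var target = Module.findExportByName(null, 'fopen');
  Interceptor.attach(target, {
    onEnter: function (args) {
      if (calledFromCrypt(this.context)) {
        var path = Memory.readCString(args[0]);
        console.log("file path:" + path);
        recordPath(path);
      }
    }
  });
}


var dlopenPtr = Module.findExportByName(null, "dlopen");
Interceptor.attach(dlopenPtr, {
  onEnter: function (args) {
    // dlopen(NULL, flags) is legal; readCString(NULL) yields null and the
    // original's .indexOf() then threw.
    var str = args[0].isNull() ? null : Memory.readCString(args[0]);
    // console.log("dlopen ", str);
    // Per-invocation state on `this` instead of a script-global flag, so
    // concurrent dlopen() calls cannot clobber each other's result.
    this.loadsCrypt = str !== null && str.indexOf("libcrypt-lib.so") !== -1;
  },
  onLeave: function (retval) {
    // Install the open()/fopen() listeners exactly once, after the library is
    // mapped; a second dlopen() of the same library would otherwise attach
    // duplicate listeners and double every record.
    if (this.loadsCrypt && !hooksInstalled) {
      hooksInstalled = true;
      hookOpen();
      hookFopen();
    }
  }
});
--------------------------------------------------------------------------------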