├── note.md ├── test.py ├── moji ├── uitest.py ├── LibArt.py ├── test1.js ├── test.js └── fangtianxia.js ├── README.md ├── eleme ├── debug.log ├── aaa.csv ├── bbb.csv ├── LibArt.py ├── ID数据去重后_harf.txt ├── testOpenPic.py ├── testSeleniumHtml.py ├── shoplist.py ├── testWebDriver1.py ├── testWebDriver.py ├── test.js ├── test1.js ├── test.html └── 剩余.txt ├── Native.py ├── alipay ├── collectEnergy.py └── collect.js ├── DexUnpack ├── LibArt.py ├── dump_dex_1.js ├── OpenMemory.js ├── dump_dex_3.js ├── dump_dex_2.js └── unpack.js ├── jd ├── LibArt.py └── libSo.js ├── BaiDuVIPHook.py ├── NativeDemo.js ├── HillClimb.py ├── BaiDuVIPHook.js ├── HillClimb.js ├── weibo ├── LibArt.py └── test.js ├── HookSO ├── LibArt.py └── test.js ├── haokan ├── LibArt.py ├── testWebDriver.py └── test.js ├── Wechat ├── test.py └── test.js └── douban ├── test.py └── test.js /note.md: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /test.py: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /moji/uitest.py: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # FridaPractice -------------------------------------------------------------------------------- /eleme/debug.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vgyg/FridaPractice/HEAD/eleme/debug.log -------------------------------------------------------------------------------- /eleme/aaa.csv: -------------------------------------------------------------------------------- 1 | 
http://s3plus-img.sankuai.com/skynet/020096F5C748BE150C7C45EFB6D907E2.jpeg%40600h%7Cwatermark%3D1%26align%3D1%26x%3D20%26object%3Dd2F0ZXJtYXJrLTIwMTYxMTEwMS5wbmc%3D%0A%26p%3D5%26t%3D15%26order%3D0?AWSAccessKeyId=c64763be32f940a49e91fac6670f2fff&Expires=1592022648&Signature=LTKkvyLFy8P5cSYAVqej%2Ft%2BRpvY%3D -------------------------------------------------------------------------------- /Native.py: -------------------------------------------------------------------------------- 1 | import frida,sys 2 | 3 | 4 | jscode=""" 5 | 6 | """ 7 | 8 | 9 | 10 | process = frida.get_usb_device().attach('com.fingersoft.hillclimb') 11 | print('[*] process') 12 | script = process.create_script(jscode) 13 | def on_message(message,data): 14 | print (message) 15 | script.on("message",on_message) 16 | script.load() 17 | sys.stdin.read() 18 | 19 | 20 | 21 | 22 | -------------------------------------------------------------------------------- /eleme/bbb.csv: -------------------------------------------------------------------------------- 1 | 191842456 2 | 169120568 3 | 190720200 4 | 98440497 5 | 177499997 6 | 189707829 7 | 5402225 8 | 95071585 9 | 101013849 10 | 186867907 11 | 1664110178 12 | 193925241 13 | 157725290 14 | 79149742 15 | 1652232 16 | 316564 17 | 160272861 18 | 182139647 19 | 184041031 20 | 265131 21 | 193963943 22 | 1377797458 23 | 1941944581 24 | 182435473 25 | 160400813 26 | 187443587 27 | 95589893 28 | 193877532 29 | 159206731 30 | 686291413 31 | 188540508 -------------------------------------------------------------------------------- /alipay/collectEnergy.py: -------------------------------------------------------------------------------- 1 | import frida,sys 2 | def on_message(message, data): 3 | if message['type'] == 'send': 4 | print("[*] {0}".format(message['payload'])) 5 | else: 6 | print(message) 7 | device = frida.get_usb_device() 8 | print(device) 9 | packageName = "com.eg.android.AlipayGphone" 10 | pid = device.spawn(packageName) 11 | session 
=device.attach(pid) 12 | 13 | 14 | js=open("collect.js","r").read() 15 | script = session.create_script(js) 16 | script.on("message" , on_message) 17 | script.load() 18 | device.resume(pid) 19 | sys.stdin.read() -------------------------------------------------------------------------------- /eleme/LibArt.py: -------------------------------------------------------------------------------- 1 | import sys 2 | import frida 3 | # 4 | def on_message(message, data): 5 | if message['type'] == 'send': 6 | print("[*] {0}".format(message['payload'])) 7 | else: 8 | print(message) 9 | # packageName = "me.ele" 10 | packageName = "com.smile.gifmaker" 11 | process = frida.get_usb_device(1).attach(packageName) 12 | print('[*] process') 13 | js=open("test1.js","r", encoding='UTF-8').read() 14 | script = process.create_script(js) 15 | script.on("message",on_message) 16 | script.load() 17 | sys.stdin.read() 18 | 19 | 20 | 21 | 22 | 23 | 24 | -------------------------------------------------------------------------------- /DexUnpack/LibArt.py: -------------------------------------------------------------------------------- 1 | import sys 2 | import frida 3 | 4 | def on_message(message, data): 5 | if message['type'] == 'send': 6 | print("[*] {0}".format(message['payload'])) 7 | else: 8 | print(message) 9 | 10 | device = frida.get_usb_device() 11 | print(device) 12 | # packageName = "com.wm.dmall" 13 | # packageName = "com.aigz.cloudgame" 14 | packageName = "com.next.netcraft.aligamet" 15 | pid = device.spawn(packageName) 16 | session =device.attach(pid) 17 | 18 | 19 | js=open("unpack.js","r").read() 20 | script = session.create_script(js) 21 | script.on("message" , on_message) 22 | script.load() 23 | device.resume(pid) 24 | sys.stdin.read() 25 | 26 | 27 | -------------------------------------------------------------------------------- /jd/LibArt.py: -------------------------------------------------------------------------------- 1 | import sys 2 | import frida 3 | 4 | def 
on_message(message, data): 5 | if message['type'] == 'send': 6 | print("[*] {0}".format(message['payload'])) 7 | else: 8 | print(message) 9 | 10 | device = frida.get_remote_device() 11 | print(device) 12 | packageName = "com.ldzs.zhangxin" 13 | # packageName = "com.baidu.wenku" 14 | # packageName = "com.tuan800.tao800" 15 | # packageName = "com.wm.dmall" 16 | pid = device.spawn(packageName) 17 | session =device.attach(pid) 18 | js=open("dump_dex_3.js","r", encoding='UTF-8').read() 19 | script = session.create_script(js) 20 | script.on("message", on_message) 21 | script.load() 22 | device.resume(pid) 23 | sys.stdin.read() 24 | 25 | 26 | -------------------------------------------------------------------------------- /BaiDuVIPHook.py: -------------------------------------------------------------------------------- 1 | import frida,sys 2 | 3 | jscode = """ 4 | 5 | if(Java.available){ 6 | Java.perform(function () { 7 | var a = Java.use("com.baidu.netdisk.account.io._.a"); 8 | a._.implementation=function (a,b) { 9 | console.log("Hook Start..."); 10 | send('arg0: '+ a); 11 | send('arg1: '+ b); 12 | send('result: '+ this._(a,b)); 13 | return 2; 14 | } 15 | }); 16 | } 17 | 18 | """ 19 | process = frida.get_usb_device().attach('com.baidu.netdisk') 20 | print('[*] process') 21 | script = process.create_script(jscode) 22 | def on_message(message,data): 23 | print (message) 24 | script.on("message",on_message) 25 | 26 | script.load() 27 | sys.stdin.read() -------------------------------------------------------------------------------- /NativeDemo.js: -------------------------------------------------------------------------------- 1 | // setImmediate(function() { 2 | // console.log("[*] Native Starting script"); 3 | // var nativePointer = Module.findExportByName("libnative-lib.so","Java_ese_xposedtest_MainActivity_stringFromJNI"); 4 | // send("nativePointer--->"+nativePointer); 5 | // Interceptor.attach(nativePointer,{ 6 | // onEnter:function(args){ 7 | // console.log("ok"); 8 
| // send("Sart arg-->"+args[0]+" "+args[1]); 9 | // }, 10 | // onLeave:function(retval){ 11 | // send("return value:"+retval); 12 | // } 13 | // }); 14 | // }) 15 | 16 | setImmediate(function () { 17 | console.log("start..."); 18 | var nativeso = Module.load() 19 | 20 | }) 21 | -------------------------------------------------------------------------------- /HillClimb.py: -------------------------------------------------------------------------------- 1 | import frida,sys 2 | 3 | # gem lock 1,000,000 4 | jscode=""" 5 | if(Java.available){ 6 | Java.perform(function () { 7 | var InAppPurchaseStore = Java.use("com.fingersoft.game.InAppPurchaseStore"); 8 | InAppPurchaseStore.getGems.implementation=function (a) { 9 | console.log("Hook Start..."); 10 | console.log("gem: "+InAppPurchaseStore.getGems(a)); 11 | return 1000000; 12 | } 13 | }); 14 | } 15 | """ 16 | 17 | process = frida.get_usb_device().attach('com.fingersoft.hillclimb') 18 | print('[*] process') 19 | script = process.create_script(jscode) 20 | def on_message(message,data): 21 | print (message) 22 | script.on("message",on_message) 23 | 24 | script.load() 25 | sys.stdin.read() 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | -------------------------------------------------------------------------------- /BaiDuVIPHook.js: -------------------------------------------------------------------------------- 1 | // Java.perform(function () { 2 | // // Function to hook is defined here 3 | // var a = Java.use('com.baidu.netdisk.account.io._.a'); 4 | // a._.implementation=function(){ 5 | // return 2; 6 | // } 7 | // }); 8 | // 9 | // if(Java.available){ 10 | // Java.perform(function(){ 11 | // var MainActivity = Java.use("com.luoyesiqiu.crackme.MainActivity"); 12 | // MainActivity.isExcellent.overload("int","int").implementation=function(chinese,math){ 13 | // return this.isExcellent(95,96); 14 | // } 15 | // }); 16 | // 17 | // } 18 | 19 | if(Java.available){ 20 | Java.perform(function () { 21 | var a = 
Java.use("com.baidu.netdisk.account.io._.a"); 22 | a._.implementation=function () { 23 | print('[*] Running CTF'); 24 | console.log('[*] Running CTF '); 25 | return 2; 26 | } 27 | }); 28 | } -------------------------------------------------------------------------------- /eleme/ID数据去重后_harf.txt: -------------------------------------------------------------------------------- 1 | 桥福缘花甲粉(瓜瓜美食城店),191842456,酒仙桥, 2 | 杨八婆串串香,169120568,安贞, 3 | 战粮快餐(和平街店),190720200,安贞, 4 | 京秦缘(六佰本广顺北大街店),98440497,望京, 5 | 牛街老爆肚满(雅宝路店),177499997,朝外大街_世贸天阶, 6 | 老乾杯(王府中环店),189707829,王府井_东单, 7 | 丽江庭院私宴,5402225,朝阳门, 8 | 莫离麻辣烫,95071585,西直河_亦庄, 9 | 川湘鲁家常菜(高碑店路店),101013849,王四营, 10 | 董记煎饼,186867907,王四营, 11 | 星野日式料理,1664110178,三里屯_工体, 12 | 面饭香海鲜烧烤,193925241,朝阳大悦城, 13 | 金家活烤鳗鱼(北京店),157725290,东坝, 14 | 牛B烤肉,79149742,双桥, 15 | 美山日本料理(亮马桥店),1652232,朝阳公园, 16 | 王府茶楼养生宴(朝阳公园店),316564,朝阳公园, 17 | 二小碳烤羊腿,160272861,劲松, 18 | 老坛酸菜米线,182139647,劲松, 19 | 紫燕百味鸡(大屯路店),184041031,大屯, 20 | 阿森鲍鱼(亚运村店),265131,大屯, 21 | 好利来(常营华联店),193963943,常营, 22 | 九门炸鸡(常营店),1377797458,常营, 23 | 西四包子铺(长楹天街店),1941944581,常营, 24 | 铁瓷儿小馆,182435473,常营, 25 | 艾谱莉创意烤串(常营华联店),160400813,常营, 26 | 熊成猫串串锅(新奥店),187443587,鸟巢_水立方, 27 | 鸟巢海鲜自助餐厅(鸟巢店),95589893,鸟巢_水立方, 28 | 果知(原麦山丘对面),193877532,鸟巢_水立方, 29 | 立康烤鸭·淮扬菜(亚运村店),159206731,对外经贸, 30 | 贡茶,686291413,对外经贸, 31 | 山西面食,188540508,对外经贸, -------------------------------------------------------------------------------- /eleme/testOpenPic.py: -------------------------------------------------------------------------------- 1 | from selenium import webdriver 2 | import time 3 | import win32api 4 | import win32con 5 | import os 6 | 7 | list1 = open("bbb.csv", "r", encoding='UTF-8').readlines() 8 | 9 | for i in range(0, len(list1)): 10 | url = list1[i] 11 | print(url) 12 | driver = webdriver.Chrome() 13 | driver.get(url) # 模拟键盘操作 14 | win32api.keybd_event(17, 0, 0, 0) # 按下ctrl 15 | win32api.keybd_event(65, 0, 0, 0) # 按下a 16 | win32api.keybd_event(65, 0, win32con.KEYEVENTF_KEYUP, 0) # 释放a 17 | win32api.keybd_event(83, 0, 
0, 0) # press s 18 | win32api.keybd_event(83, 0, win32con.KEYEVENTF_KEYUP, 0) # release s 19 | win32api.keybd_event(17, 0, win32con.KEYEVENTF_KEYUP, 0) # release ctrl 20 | time.sleep(1) 21 | win32api.keybd_event(13, 0, 0, 0) # press enter 22 | win32api.keybd_event(13, 0, win32con.KEYEVENTF_KEYUP, 0) # release enter 23 | # estimated download time; tune later to the actual network speed 24 | time.sleep(2) 25 | # close the webdriver 26 | driver.close() 27 | -------------------------------------------------------------------------------- /HillClimb.js: -------------------------------------------------------------------------------- 1 | if(Java.available){ 2 | Java.perform(function () { 3 | var InAppPurchaseStore = Java.use("com.fingersoft.game.InAppPurchaseStore"); 4 | InAppPurchaseStore.getCoins.implementation=function (a) { 5 | console.log("Hook Start..."); 6 | console.log('arg0: '+ a); 7 | send('arg0: '+ a); 8 | return this.getCoins(a); 9 | } 10 | }); 11 | } 12 | 13 | 14 | if(Java.available){ 15 | Java.perform(function () { 16 | var context = Java.use("android.content.Context"); 17 | console.log('Context is done'); 18 | context.getSharedPreferences.overload("java.lang.String","int").implementation=function () { 19 | console.log("Hook Start..."); 20 | send('arg0: '+ a); 21 | send('arg1: '+ b); 22 | 23 | send('result: '+ this.getSharedPreferences.overload("java.lang.String","int")(a,b)); 24 | return this.getSharedPreferencesoverload("java.lang.String","int")(a,b); 25 | } 26 | }); 27 | } -------------------------------------------------------------------------------- /weibo/LibArt.py: -------------------------------------------------------------------------------- 1 | import sys 2 | import frida 3 | 4 | def on_message(message, data): 5 | if message['type'] == 'send': 6 | print("[*] {0}".format(message['payload'])) 7 | else: 8 | print(message) 9 | 10 | device = frida.get_remote_device() 11 | print(device) 12 | packageName = "com.jingdong.app.mall" 13 | pid = device.spawn(packageName) 14 | session =device.attach(pid) 15 | js=open("libSo.js","r", 
encoding='UTF-8').read() 16 | script = session.create_script(js) 17 | script.on("message", on_message) 18 | script.load() 19 | device.resume(pid) 20 | sys.stdin.read() 21 | 22 | 23 | 24 | 25 | # 26 | # device = frida.get_remote_device() 27 | # print(device) 28 | # packageName = "com.jingdong.app.mall" 29 | # process = frida.get_remote_device().attach(packageName) 30 | # print('[*] process') 31 | # js=open("test.js","r", encoding='UTF-8').read() 32 | # script = process.create_script(js) 33 | # def on_message(message,data): 34 | # print (message) 35 | # script.on("message",on_message) 36 | # script.load() 37 | # sys.stdin.read() 38 | -------------------------------------------------------------------------------- /moji/LibArt.py: -------------------------------------------------------------------------------- 1 | import sys 2 | import frida 3 | # 4 | def on_message(message, data): 5 | if message['type'] == 'send': 6 | print("[*] {0}".format(message['payload'])) 7 | else: 8 | print(message) 9 | # 10 | # # device = frida.get_remote_device() 11 | # # print(device) 12 | # # packageName = "com.sina.weibo" 13 | # # pid = device.spawn(packageName) 14 | # # print(pid) 15 | # # session =device.attach(pid) 16 | # # js=open("test.js","r", encoding='UTF-8').read() 17 | # # script = session.create_script(js) 18 | # # script.on("message", on_message) 19 | # # script.load() 20 | # # # device.resume(pid) 21 | # # sys.stdin.read() 22 | # # # 23 | # # # 24 | # 25 | packageName = "com.sina.weibo" 26 | process = frida.get_remote_device().attach(packageName) 27 | print('[*] process') 28 | js=open("test.js","r", encoding='UTF-8').read() 29 | script = process.create_script(js) 30 | # def on_message(message,data): 31 | # print (message) 32 | script.on("message",on_message) 33 | script.load() 34 | sys.stdin.read() 35 | 36 | 37 | 38 | 39 | 40 | 41 | -------------------------------------------------------------------------------- /HookSO/LibArt.py: 
-------------------------------------------------------------------------------- 1 | import sys 2 | import frida 3 | # 4 | def on_message(message, data): 5 | if message['type'] == 'send': 6 | print("[*] {0}".format(message['payload'])) 7 | else: 8 | print(message) 9 | # 10 | # # device = frida.get_remote_device() 11 | # # print(device) 12 | # # packageName = "com.sina.weibo" 13 | # # pid = device.spawn(packageName) 14 | # # print(pid) 15 | # # session =device.attach(pid) 16 | # # js=open("test.js","r", encoding='UTF-8').read() 17 | # # script = session.create_script(js) 18 | # # script.on("message", on_message) 19 | # # script.load() 20 | # # # device.resume(pid) 21 | # # sys.stdin.read() 22 | # # # 23 | # # # 24 | # 25 | packageName = "com.sina.weibo" 26 | process = frida.get_remote_device().attach(packageName) 27 | print('[*] process') 28 | js=open("test.js","r", encoding='UTF-8').read() 29 | script = process.create_script(js) 30 | # def on_message(message,data): 31 | # print (message) 32 | script.on("message",on_message) 33 | script.load() 34 | sys.stdin.read() 35 | 36 | 37 | 38 | 39 | 40 | 41 | -------------------------------------------------------------------------------- /haokan/LibArt.py: -------------------------------------------------------------------------------- 1 | import sys 2 | import frida 3 | # 4 | def on_message(message, data): 5 | if message['type'] == 'send': 6 | print("[*] {0}".format(message['payload'])) 7 | else: 8 | print(message) 9 | # 10 | # # device = frida.get_remote_device() 11 | # # print(device) 12 | # # packageName = "com.sina.weibo" 13 | # # pid = device.spawn(packageName) 14 | # # print(pid) 15 | # # session =device.attach(pid) 16 | # # js=open("test.js","r", encoding='UTF-8').read() 17 | # # script = session.create_script(js) 18 | # # script.on("message", on_message) 19 | # # script.load() 20 | # # # device.resume(pid) 21 | # # sys.stdin.read() 22 | # # # 23 | # # # 24 | # 25 | packageName = "com.sina.weibo" 26 | process = 
frida.get_remote_device().attach(packageName) 27 | print('[*] process') 28 | js=open("test.js","r", encoding='UTF-8').read() 29 | script = process.create_script(js) 30 | # def on_message(message,data): 31 | # print (message) 32 | script.on("message",on_message) 33 | script.load() 34 | sys.stdin.read() 35 | 36 | 37 | 38 | 39 | 40 | 41 | -------------------------------------------------------------------------------- /eleme/testSeleniumHtml.py: -------------------------------------------------------------------------------- 1 | from selenium import webdriver 2 | import time 3 | 4 | options = webdriver.ChromeOptions() 5 | options.add_argument('--save-page-as-mhtml') 6 | # configure chromedriver and open the webdriver; NOTE(review): chrome_options= is the deprecated Selenium keyword, options= is the current one 7 | driver = webdriver.Chrome(chrome_options=options) 8 | get_html = "test.html" 9 | # open the output file for writing; NOTE(review): it is not closed if a later call raises, a with-block would cover that 10 | f = open(get_html, 'wb') 11 | url = 'https://meishi.meituan.com/i/certificate/foodsafety?mtId=96772281&f=android&token=owBCehCGJhqOWHy7FNUYDrDbOkAAAAAAQgoAAGKADLeGiP-GwlKooA-QA-v3JIr7I53-j-23hg8iPjYW0V58eCgWgK1Bg6kmUd4y9g&userid=290604810&lat=39.87494107082511&lng=116.68543279811433&utm_source=undefined&utm_medium=android&utm_term=1000060203&version_name=10.6.203&utm_content=862400048396856&utm_campaign=AgroupBgroupC0D200E243168466715547220197960310848290710313_a96772281_c5_e7734547612518489833Ghomepage_category2_1__a1__c-1024__gfood__hpoilist__i56&ci=1&msid=8624000483968561585628957294&uuid=000000000000090CAE6634A8D42948748FEBCC1557198A157954239667625851' # put the URL of the page to save here; NOTE(review): the token, userid and uuid query parameters look like values from a real session (TODO confirm) - keep them out of source control and load them from configuration 12 | driver.get(url) 13 | time.sleep(2) # make sure the browser has responded before the next step 14 | # write the file 15 | f.write(driver.page_source.encode("utf-8", "ignore")) # ignore characters that cannot be encoded 16 | print('写入成功') 17 | # close the file 18 | f.close() 19 | -------------------------------------------------------------------------------- /DexUnpack/dump_dex_1.js: -------------------------------------------------------------------------------- 1 | //frida -U -f com.min.app.sample -l ./src/script/dump_dex_1.js --no-pause 2 | 3 | var openMemoryName = 
'_ZN3art7DexFile10OpenMemoryEPKhjRKNSt3__112basic_stringIcNS3_11char_traitsIcEENS3_9allocatorIcEEEEjPNS_6MemMapEPKNS_10OatDexFileEPS9_'; 4 | 5 | Interceptor.attach(Module.findExportByName('libart.so', openMemoryName), { 6 | onEnter: function(args) { 7 | var begin = args[1]; 8 | var address = parseInt(begin, 16) + 0x20; 9 | var dex_size = Memory.readInt(ptr(address)); 10 | 11 | console.log("\n start dump dex: begin=" + begin + " , dex_size=" + dex_size); 12 | //dump the dex into the /data/data/pkg/ directory 13 | var file = new File("/data/data/com.min.app.sample/" + dex_size + ".dex", "wb"); 14 | file.write(Memory.readByteArray(begin, dex_size)); 15 | file.flush(); 16 | file.close(); 17 | console.log("end dump dex"); 18 | }, 19 | onLeave: function(retval) { 20 | if (retval.toInt32() > 0) {} 21 | } 22 | }); 23 | 24 | function dump(pointer, len) { 25 | var str = hexdump(pointer, { 26 | offset: 0, 27 | length: len, 28 | header: true, 29 | ansi: true 30 | }); 31 | console.log(str) 32 | } 33 | -------------------------------------------------------------------------------- /weibo/test.js: -------------------------------------------------------------------------------- 1 | // if (Java.available) { 2 | // Java.perform(function () { 3 | // var c = Java.use("com.sina.weibo.applicationInit.b.a.c");//com.sina.weibo.applicationInit.b.a.c.a 4 | // c.l.implementation = function (a) { 5 | // console.warn("Hook ..."); 6 | // console.warn('a: ' + a); 7 | // console.warn('ret: ' + this.l(a)); 8 | // return this.l(a); 9 | // }; 10 | // 11 | // }); 12 | if(Java.available){ 13 | Java.perform(function () { 14 | var PatchProxy = Java.use("com.meituan.robust.PatchProxy");//com.sina.weibo.applicationInit.b.a.c.a 15 | PatchProxy.isSupport.implementation = function (a) { 16 | console.warn("Hook isSupport ..."); 17 | return this.isSupport(a); 18 | }; 19 | 20 | }); 21 | } 22 | // 23 | // 24 | // var odule = Module.ensureInitialized("libutility.so"); 25 | // var name = Module.getExportByName(null, 
"getDecryptionString"); 26 | // Interceptor.attach(name, { 27 | // onEnter: function (args) { 28 | // console.log("arg[0]: ", args[0]); 29 | // 30 | // }, 31 | // onLeave: function (retval) { 32 | // console.log("retval: ", retval); 33 | // } 34 | // }); -------------------------------------------------------------------------------- /Wechat/test.py: -------------------------------------------------------------------------------- 1 | import frida,sys 2 | 3 | jscode = """ 4 | 5 | if (Java.available) { 6 | Java.perform(function () { 7 | var SQLiteDatabase = Java.use("com.tencent.wcdb.database.SQLiteDatabase"); 8 | var ContentValues = Java.use("android.content.ContentValues"); 9 | SQLiteDatabase.insert.implementation = function (a, b, c) { 10 | 11 | console.warn("Hook Start..."); 12 | console.warn('arg0: ' + a); 13 | console.warn('arg1: ' + b); 14 | console.warn('arg2: ' + c); 15 | var m_contentCalues = Java.cast(c,ContentValues) 16 | console.warn('type: ' + m_contentCalues.getAsString("cre_name")); 17 | console.warn('content: ' + m_contentCalues.getAsString("content")); 18 | 19 | return this.insert(a, b, c); 20 | } 21 | SQLiteDatabase.getLabel.implementation=function () { 22 | console.warn('result: ' + this.getLable()); 23 | return this.getLabel(); 24 | } 25 | }); 26 | } 27 | 28 | """ 29 | process = frida.get_usb_device().attach('com.tencent.mm') 30 | print('[*] process') 31 | script = process.create_script(jscode) 32 | def on_message(message,data): 33 | print (message) 34 | script.on("message",on_message) 35 | script.load() 36 | sys.stdin.read() -------------------------------------------------------------------------------- /douban/test.py: -------------------------------------------------------------------------------- 1 | import frida,sys 2 | 3 | jscode = """ 4 | 5 | if (Java.available) { 6 | Java.perform(function () { 7 | var SQLiteDatabase = Java.use("com.tencent.wcdb.database.SQLiteDatabase"); 8 | var ContentValues = Java.use("android.content.ContentValues"); 
9 | SQLiteDatabase.insert.implementation = function (a, b, c) { 10 | 11 | console.warn("Hook Start..."); 12 | console.warn('arg0: ' + a); 13 | console.warn('arg1: ' + b); 14 | console.warn('arg2: ' + c); 15 | var m_contentCalues = Java.cast(c,ContentValues) 16 | console.warn('type: ' + m_contentCalues.getAsString("cre_name")); 17 | console.warn('content: ' + m_contentCalues.getAsString("content")); 18 | 19 | return this.insert(a, b, c); 20 | } 21 | SQLiteDatabase.getLabel.implementation=function () { 22 | console.warn('result: ' + this.getLable()); 23 | return this.getLabel(); 24 | } 25 | }); 26 | } 27 | 28 | """ 29 | process = frida.get_usb_device().attach('com.tencent.mm') 30 | print('[*] process') 31 | script = process.create_script(jscode) 32 | def on_message(message,data): 33 | print (message) 34 | script.on("message",on_message) 35 | script.load() 36 | sys.stdin.read() -------------------------------------------------------------------------------- /DexUnpack/OpenMemory.js: -------------------------------------------------------------------------------- 1 | 'use strict'; 2 | var liba =Module.findBaseAddress('libart.so'); 3 | Interceptor.attach(Module.findExportByName("libart.so", "_ZN3art7DexFile10OpenMemoryEPKhjRKNSt3__112basic_stringIcNS3_11char_traitsIcEENS3_9allocatorIcEEEEjPNS_6MemMapEPKNS_10OatDexFileEPS9_"), { 4 | onEnter: function (args) { 5 | var begin = args[1] 6 | console.log("magic : " + Memory.readUtf8String(begin)) 7 | var address = parseInt(begin, 16) + 0x20 8 | console.log("address : " + address) 9 | var dex_size = Memory.readInt(ptr(address)) 10 | console.log("dex_size :" + dex_size) 11 | // console.log(hexdump(liba, { 12 | // offset: address, 13 | // length: 16, 14 | // header: false, 15 | // ansi: false 16 | // })); 17 | // hexdump dex to /data/data/pkg/dir 18 | var packageName = "com.aigz.cloudgame" 19 | var file = new File("/data/data/com.aigz.cloudgame/" + dex_size + ".dex", "wb+") 20 | file.write(Memory.readByteArray(begin, dex_size)) 
21 | console.log("finish !!") 22 | file.flush() 23 | file.close() 24 | }, 25 | onLeave: function (retval) { 26 | if (retval.toInt32() > 0) { 27 | /* do something */ 28 | } 29 | } 30 | }); -------------------------------------------------------------------------------- /Wechat/test.js: -------------------------------------------------------------------------------- 1 | if (Java.available) { 2 | Java.perform(function () { 3 | var SQLiteDatabase = Java.use("com.tencent.wcdb.database.SQLiteDatabase"); 4 | var ContentValues = Java.use("android.content.ContentValues"); 5 | SQLiteDatabase.insert.implementation = function (a, b, c) { 6 | 7 | console.warn("Hook Start..."); 8 | console.warn('arg0: ' + a); 9 | console.warn('arg1: ' + b); 10 | console.warn('arg2: ' + c); 11 | var m_contentCalues = Java.cast(obj,ContentValues) 12 | console.warn('type: ' + m_contentCalues.getAsInteger("type")); 13 | 14 | return this.insert(a, b, c); 15 | } 16 | SQLiteDatabase.getLabel.implementation=function () { 17 | console.warn('result: ' + this.getLable()); 18 | return this.getLabel(); 19 | } 20 | }); 21 | } 22 | 23 | 24 | 25 | 26 | if (Java.available) { 27 | Java.perform(function () { 28 | var SQLiteDatabase = Java.use("com.tencent.wcdb.database.SQLiteDatabase"); 29 | var ContentValues = Java.use("android.content.ContentValues"); 30 | SQLiteDatabase.openDatabase.overload('java.lang.String','[B','com.tencent.wcdb.database.SQLiteCipherSpec','com.tencent.wcdb.database.SQLiteDatabase$CursorFactory','int', 'com.tencent.wcdb.DatabaseErrorHandler', 'int' ).implementation = function (a, b, c,d,e,f,g) { 31 | 32 | console.warn("Hook Start..."); 33 | console.warn('arg0: ' + a); 34 | console.warn('arg1: ' + b); 35 | console.warn('arg2: ' + c); 36 | return this.insert(a, b, c,d,e,f,g); 37 | } 38 | }); 39 | } -------------------------------------------------------------------------------- /douban/test.js: -------------------------------------------------------------------------------- 1 | if 
(Java.available) { 2 | Java.perform(function () { 3 | var SQLiteDatabase = Java.use("com.tencent.wcdb.database.SQLiteDatabase"); 4 | var ContentValues = Java.use("android.content.ContentValues"); 5 | SQLiteDatabase.insert.implementation = function (a, b, c) { 6 | 7 | console.warn("Hook Start..."); 8 | console.warn('arg0: ' + a); 9 | console.warn('arg1: ' + b); 10 | console.warn('arg2: ' + c); 11 | var m_contentCalues = Java.cast(obj,ContentValues) 12 | console.warn('type: ' + m_contentCalues.getAsInteger("type")); 13 | 14 | return this.insert(a, b, c); 15 | } 16 | SQLiteDatabase.getLabel.implementation=function () { 17 | console.warn('result: ' + this.getLable()); 18 | return this.getLabel(); 19 | } 20 | }); 21 | } 22 | 23 | 24 | 25 | 26 | if (Java.available) { 27 | Java.perform(function () { 28 | var SQLiteDatabase = Java.use("com.tencent.wcdb.database.SQLiteDatabase"); 29 | var ContentValues = Java.use("android.content.ContentValues"); 30 | SQLiteDatabase.openDatabase.overload('java.lang.String','[B','com.tencent.wcdb.database.SQLiteCipherSpec','com.tencent.wcdb.database.SQLiteDatabase$CursorFactory','int', 'com.tencent.wcdb.DatabaseErrorHandler', 'int' ).implementation = function (a, b, c,d,e,f,g) { 31 | 32 | console.warn("Hook Start..."); 33 | console.warn('arg0: ' + a); 34 | console.warn('arg1: ' + b); 35 | console.warn('arg2: ' + c); 36 | return this.insert(a, b, c,d,e,f,g); 37 | } 38 | }); 39 | } -------------------------------------------------------------------------------- /moji/test1.js: -------------------------------------------------------------------------------- 1 | if (Java.available) { 2 | Java.perform(function () { 3 | 4 | var b = Java.use("com.baidu.lbsapi.auth.b"); 5 | var HashMap = Java.use("java.util.HashMap"); 6 | var LBSAuthManager = Java.use("com.baidu.lbsapi.auth.LBSAuthManager"); 7 | var auth_a = Java.use("com.baidu.lbsapi.auth.a"); 8 | LBSAuthManager.a.overload('android.content.Context').implementation = function (a1) { 9 | 
console.warn("Hook reportWithUrl..."); 10 | console.warn("a: ", a1); 11 | console.warn("mcode: ", b.a(a1)); 12 | // 57:A7:05:06:77:DA:E0:7F:22:1A:DD:60:9F:0F:12:77:97:55:A8:7D;com.soufun.app 13 | //原版签名 3A:11:BC:F4:25:97:BB:A2:F6:26:0B:58:1B:4E:0D:E8:C7:F7:95:3A;com.soufun.app 14 | return this.a(a1); 15 | }; 16 | // HashMap.put.implementation = function (a1,b1) { 17 | // console.warn("Hook put..."); 18 | // console.warn("a: ", a1); 19 | // console.warn("b1: ", b1); 20 | // return this.put(a1,b1); 21 | // }; 22 | 23 | LBSAuthManager.a.overload('boolean', 'java.lang.String', 'java.util.Hashtable', 'java.lang.String').implementation = function (a, b, c, d) { 24 | console.warn("Hook a2..."); 25 | console.warn("a: ", a); 26 | // console.warn("ret: ", this.a(a)); 27 | 28 | return this.a(a, b, c, d); 29 | }; 30 | auth_a.a.overload('java.lang.String').implementation = function (a) { 31 | console.warn("Hook a3..."); 32 | console.warn("a: ", a); 33 | 34 | return this.a(a); 35 | }; 36 | }); 37 | } 38 | 39 | 40 | -------------------------------------------------------------------------------- /eleme/shoplist.py: -------------------------------------------------------------------------------- 1 | from selenium import webdriver 2 | import time 3 | import win32api 4 | import win32con 5 | import os 6 | offset = 0 7 | # print(url) 8 | for i in range(0, 10): 9 | print(offset) 10 | url = "https://apimeishi.meituan.com/meishi/filter/v7/deal/select?wifi-name=Xiaomi_675D%08lsy0622%08401%08gehua01141610190072869%08&offset="+str(offset)+"&is_preload=1&ci=1&wifi-strength=-30%08-73%08-75%08-77%08&cityId=1&sort=solds&wifi-cur=0&isLocal=1&mypos=39.874932657330994%2C116.68540589919716&wifi-mac=34%3Ace%3A00%3A04%3A67%3A5e%0854%3Aa7%3A03%3A17%3Aab%3Afb%08d0%3Ac7%3Ac0%3A1b%3A7a%3Aae%08bc%3A14%3Aef%3Ac4%3Ad7%3A71%08&areaId=1472&cateId=1&hasGroup=true&metrics_start_time=162281963&newStyle=e&lat=39.874932657330994&lng=116.68540589919716" 11 | offset=offset+25 12 | driver = webdriver.Chrome() 13 | 
driver.get(url) # simulate keyboard input: Ctrl+A, then Ctrl+S 14 | win32api.keybd_event(17, 0, 0, 0) # press ctrl 15 | win32api.keybd_event(65, 0, 0, 0) # press a 16 | win32api.keybd_event(65, 0, win32con.KEYEVENTF_KEYUP, 0) # release a 17 | win32api.keybd_event(83, 0, 0, 0) # press s 18 | win32api.keybd_event(83, 0, win32con.KEYEVENTF_KEYUP, 0) # release s 19 | win32api.keybd_event(17, 0, win32con.KEYEVENTF_KEYUP, 0) # release ctrl 20 | 21 | time.sleep(1) 22 | win32api.keybd_event(13, 0, 0, 0) # press enter 23 | win32api.keybd_event(13, 0, win32con.KEYEVENTF_KEYUP, 0) # release enter 24 | # estimated download time; tune later to the actual network speed 25 | time.sleep(3) 26 | # close the webdriver 27 | driver.close() 28 | path = 'C:/Users/11633/Downloads' 29 | file = "select.json" 30 | # 31 | if file in os.listdir(path): 32 | os.rename(os.path.join(path, file), os.path.join(path, "望京" + str(i) + ".json")) 33 | 34 | 35 | 36 | 37 | -------------------------------------------------------------------------------- /eleme/testWebDriver1.py: -------------------------------------------------------------------------------- 1 | from selenium import webdriver 2 | import time 3 | import win32api 4 | import win32con 5 | import os 6 | 7 | list1 = open("bbb.txt", "r", encoding='UTF-8').readlines() 8 | 9 | for i in range(0, len(list1)): 10 | list1[i] = list1[i].rstrip('\n') 11 | id = list1[i].split(",")[1] 12 | name = list1[i].split(",")[2]+"_"+list1[i].split(",")[0]+"_"+id 13 | url = "https://meishi.meituan.com/i/certificate/foodsafety?mtId="+id+"&f=android&token=owBCehCGJhqOWHy7FNUYDrDbOkAAAAAAQgoAAGKADLeGiP-GwlKooA-QA-v3JIr7I53-j-23hg8iPjYW0V58eCgWgK1Bg6kmUd4y9g&userid=290604810&lat=39.874913286072044&lng=116.68539728948531&utm_source=undefined&utm_medium=android&utm_term=1000060203&version_name=10.6.203&utm_content=862400048396856&utm_campaign=AgroupBgroupC0D200E243168466715547220197960310848290710313_a168853584_c1_e4320249642646189019Ghomepage_category2_1__a1__c-1024__gfood__hpoilist__i1&ci=1&msid=8624000483968561585628957294&uuid=000000000000090CAE6634A8D42948748FEBCC1557198A157954239667625851" # NOTE(review): token, userid and uuid are hard-coded in this URL and look like real session values (TODO confirm); load them from configuration instead of committing them 14 | 
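print(url) 15 | 16 | # 打开另存为mhtml功能 17 | options = webdriver.ChromeOptions() 18 | options.add_argument('--save-page-as-mhtml') 19 | # 设置chromedriver,并打开webdriver 20 | driver = webdriver.Chrome(options=options) 21 | driver.get(url) # 模拟键盘操作 22 | win32api.keybd_event(17, 0, 0, 0) # 按下ctrl 23 | win32api.keybd_event(65, 0, 0, 0) # 按下a 24 | win32api.keybd_event(65, 0, win32con.KEYEVENTF_KEYUP, 0) # 释放a 25 | win32api.keybd_event(83, 0, 0, 0) # 按下s 26 | win32api.keybd_event(83, 0, win32con.KEYEVENTF_KEYUP, 0) # 释放s 27 | win32api.keybd_event(17, 0, win32con.KEYEVENTF_KEYUP, 0) # 释放ctrl 28 | 29 | time.sleep(1) 30 | win32api.keybd_event(13, 0, 0, 0) # 按下enter 31 | win32api.keybd_event(13, 0, win32con.KEYEVENTF_KEYUP, 0) # 释放enter 32 | # 预估下载时间,后期根据实际网速调整 33 | time.sleep(3) 34 | # 关闭webdriver 35 | driver.close() 36 | 37 | path = 'C:/Users/11633/Downloads' 38 | file = "食品安全档案.mhtml" 39 | 40 | if file in os.listdir(path): 41 | os.rename(os.path.join(path, file), os.path.join(path, name + ".mhtml")) 42 | 43 | 44 | 45 | 46 | 47 | -------------------------------------------------------------------------------- /alipay/collect.js: --------------------------------------------------------------------------------
// Logging hook for H5RpcUtil.rpcCall: prints the call arguments and the
// result, then hands the original result back to the caller unchanged.
//
// NOTE(review): the arguments and result are written to the console in clear
// text; treat that output as sensitive and keep it out of shared logs.
if (Java.available) {
    Java.perform(function () {
        var H5RpcUtil = Java.use("com.alipay.mobile.nebulaappproxy.api.rpc.H5RpcUtil");
        var H5Response = Java.use("com.alipay.mobile.nebulaappproxy.api.rpc.H5Response");

        // rpcCall(String str, String str2, String str3, boolean z, JSONObject jSONObject,
        //         String str4, boolean z2, H5Page h5Page, int i, String str5, boolean z3, int i2, String str6)
        H5RpcUtil.rpcCall.overload('java.lang.String', 'java.lang.String',
            'java.lang.String', 'boolean', 'com.alibaba.fastjson.JSONObject',
            'java.lang.String', 'boolean', 'com.alipay.mobile.h5container.api.H5Page',
            'int', 'java.lang.String', 'boolean', 'int', 'java.lang.String').implementation = function (str, str2, str3, z, jSONObject,
                                                                                                          str4, z2, h5Page, i, str5, z3, i2, str6) {
            console.log("============");
            console.log("1: " + str);
            console.log("2: " + str2);
            console.log("3: " + str3);
            console.log("4: " + z);
            // Concatenation instead of jSONObject.toString(): a null argument
            // must not make the hook throw inside the app.
            console.log("5: " + jSONObject);
            console.log("6: " + str4);
            console.log("7: " + z2);
            console.log("9: " + i);
            console.log("10: " + str5);
            console.log("11: " + z3);
            console.log("12: " + i2);
            console.log("13: " + str6);

            // Call the original exactly once. The earlier version called it a
            // second time for the return value, so every request was issued
            // twice while the hook was loaded.
            var response = this.rpcCall(str, str2, str3, z, jSONObject, str4, z2, h5Page, i, str5, z3, i2, str6);

            // Logging is best effort: a failure here must not reach the caller.
            // Assumes the result is an H5Response with a field `a`, as the
            // original cast implied - TODO confirm against the class.
            try {
                var typed = Java.cast(response, H5Response);
                console.log("result->a: " + typed.a.value);
            } catch (e) {
                console.log("result: " + response + " (could not read H5Response.a: " + e + ")");
            }
            // if(a.toString()==="alipay.antmember.forest.h5.queryNextAction"){
            //     console.log("enter = ",a);
            // }

            return response;
        };
    });

}
-------------------------------------------------------------------------------- /haokan/testWebDriver.py: -------------------------------------------------------------------------------- 1 | from selenium import webdriver 2 | import time 3 | import win32api 4 | import win32con 5 | import os 6 | 7 | list1 = open("bbb.txt", "r", encoding='UTF-8').readlines() 8 | total = len(list1) 9 | 10 | for i in range(0, total): 11 | # list1[i] = list1[i].rstrip('\n') 12 | id = list1[i].split(",")[1] 13 | name = list1[i].split(",")[2]+"_"+id 14 | url = 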
"https://meishi.meituan.com/i/certificate/foodsafety?mtId="+id+"&f=android&token=owBCehCGJhqOWHy7FNUYDrDbOkAAAAAAQgoAAGKADLeGiP-GwlKooA-QA-v3JIr7I53-j-23hg8iPjYW0V58eCgWgK1Bg6kmUd4y9g&userid=290604810&lat=39.874913286072044&lng=116.68539728948531&utm_source=undefined&utm_medium=android&utm_term=1000060203&version_name=10.6.203&utm_content=862400048396856&utm_campaign=AgroupBgroupC0D200E243168466715547220197960310848290710313_a168853584_c1_e4320249642646189019Ghomepage_category2_1__a1__c-1024__gfood__hpoilist__i1&ci=1&msid=8624000483968561585628957294&uuid=000000000000090CAE6634A8D42948748FEBCC1557198A157954239667625851" 15 | print(url) 16 | 17 | print("当前第"+str(i)+"条,共"+str(total)) 18 | 19 | # 打开另存为mhtml功能 20 | # options = webdriver.ChromeOptions() 21 | # options.add_argument('--save-page-as-mhtml') 22 | 23 | # 设置chromedriver,并打开webdriver 24 | # driver = webdriver.Chrome(options=options) 25 | driver = webdriver.Edge(); 26 | driver.get(url) # 模拟键盘操作 27 | js1="document.documentElement.scrollTop=10000" 28 | driver.execute_script(js1) 29 | time.sleep(1) 30 | 31 | win32api.keybd_event(17, 0, 0, 0) # 按下ctrl 32 | win32api.keybd_event(65, 0, 0, 0) # 按下a 33 | win32api.keybd_event(65, 0, win32con.KEYEVENTF_KEYUP, 0) # 释放a 34 | win32api.keybd_event(83, 0, 0, 0) # 按下s 35 | win32api.keybd_event(83, 0, win32con.KEYEVENTF_KEYUP, 0) # 释放s 36 | win32api.keybd_event(17, 0, win32con.KEYEVENTF_KEYUP, 0) # 释放ctrl 37 | 38 | time.sleep(1) 39 | win32api.keybd_event(13, 0, 0, 0) # 按下enter 40 | win32api.keybd_event(13, 0, win32con.KEYEVENTF_KEYUP, 0) # 释放enter 41 | # 预估下载时间,后期根据实际网速调整 42 | time.sleep(2) 43 | # 关闭webdriver 44 | driver.close() 45 | path = 'C:/Users/pxc/Downloads' 46 | file = "食品安全档案.html" 47 | filePackage = "食品安全档案_files" 48 | 49 | if file in os.listdir(path): 50 | os.rename(os.path.join(path, file), os.path.join(path, name + ".html")) 51 | 52 | if filePackage in os.listdir(path): 53 | os.rename(os.path.join(path, filePackage), os.path.join(path, name)) 54 | 55 | 56 | 57 | 58 
| 59 | -------------------------------------------------------------------------------- /moji/test.js: -------------------------------------------------------------------------------- 1 | if (Java.available) { 2 | Java.perform(function () { 3 | // var c = Java.use("com.sina.weibo.applicationInit.b.a.c");//com.sina.weibo.applicationInit.b.a.c.a 4 | // var PreferenceUtil = Java.use("com.sina.push.utils.PreferenceUtil");//com.sina.weibo.applicationInit.b.a.c.a 5 | // PreferenceUtil.getPushChannelType.implementation = function () { 6 | // console.warn("Hook a..."); 7 | // console.warn('ret: ' + this.getPushChannelType()); 8 | // return this.getPushChannelType(); 9 | // }; 10 | 11 | 12 | var b = Java.use("com.sina.weibo.net.carrier.Strategy.b");//com.sina.weibo.applicationInit.b.a.c.a 13 | b.a.overload('java.lang.String', 'java.lang.String').implementation = function (a, b) { 14 | console.warn("Hook isSupport ..."); 15 | return this.a(a, b); 16 | }; 17 | // var ad = Java.use("com.sina.weibo.ad"); 18 | // ad.a.overload('[B').implementation = function (c) { 19 | // console.warn("Hook add..."); 20 | // console.warn("a: ",c); 21 | // return this.a(c); 22 | // }; 23 | var ms = Module.enumerateExports( 24 | { 25 | onMatch: function (exp) { 26 | // if (exp.name === "libutility.so") 27 | // console.warn("exp.name: ", exp.name); 28 | } 29 | , 30 | onComplete: function () { 31 | } 32 | } 33 | ); 34 | 35 | // console.warn("exp.name: ", ms[0].name); 36 | 37 | var baseAddr = Process.findModuleByName("libaccount.so"); 38 | console.warn("baseAddr: ", baseAddr); 39 | baseAddr11 = Process.getModuleByAddress(0x25927); 40 | console.warn("baseAddr11: ", baseAddr11); 41 | 42 | // var baseAddr = Module.findBaseAddress('libaccount.so'); 43 | // var baseAddr = Module.getExportByName 44 | // console.warn("baseAddr: ", baseAddr); 45 | // // var funcAddr = baseAddr.add(0x2400); 46 | // var nativeP = Module.getExportByName("libaccount.so", 
"Java_com_sina_weibo_statistic_LogFeedbackActivity_encryptData"); 47 | // console.warn("nativeP", nativeP); 48 | // var sub_2400 = new NativePointer(Module.findBaseAddress("libaccount.so")).add(0x2400 + 1); 49 | // Interceptor.attach(sub_2400, { 50 | // onEnter: function (args) { 51 | // console.warn("a: "); 52 | // }, 53 | // onLeave: function (retval) { 54 | // console.warn("retval: ", retval); 55 | // } 56 | // 57 | // }); 58 | 59 | }); 60 | } 61 | 62 | 63 | -------------------------------------------------------------------------------- /HookSO/test.js: -------------------------------------------------------------------------------- 1 | if (Java.available) { 2 | Java.perform(function () { 3 | // var c = Java.use("com.sina.weibo.applicationInit.b.a.c");//com.sina.weibo.applicationInit.b.a.c.a 4 | // var PreferenceUtil = Java.use("com.sina.push.utils.PreferenceUtil");//com.sina.weibo.applicationInit.b.a.c.a 5 | // PreferenceUtil.getPushChannelType.implementation = function () { 6 | // console.warn("Hook a..."); 7 | // console.warn('ret: ' + this.getPushChannelType()); 8 | // return this.getPushChannelType(); 9 | // }; 10 | 11 | 12 | var b = Java.use("com.sina.weibo.net.carrier.Strategy.b");//com.sina.weibo.applicationInit.b.a.c.a 13 | b.a.overload('java.lang.String', 'java.lang.String').implementation = function (a, b) { 14 | console.warn("Hook isSupport ..."); 15 | return this.a(a, b); 16 | }; 17 | // var ad = Java.use("com.sina.weibo.ad"); 18 | // ad.a.overload('[B').implementation = function (c) { 19 | // console.warn("Hook add..."); 20 | // console.warn("a: ",c); 21 | // return this.a(c); 22 | // }; 23 | var ms = Module.enumerateExports( 24 | { 25 | onMatch: function (exp) { 26 | // if (exp.name === "libutility.so") 27 | // console.warn("exp.name: ", exp.name); 28 | } 29 | , 30 | onComplete: function () { 31 | } 32 | } 33 | ); 34 | 35 | // console.warn("exp.name: ", ms[0].name); 36 | 37 | var baseAddr = Process.findModuleByName("libaccount.so"); 38 | 
console.warn("baseAddr: ", baseAddr); 39 | baseAddr11 = Process.getModuleByAddress(0x25927); 40 | console.warn("baseAddr11: ", baseAddr11); 41 | 42 | // var baseAddr = Module.findBaseAddress('libaccount.so'); 43 | // var baseAddr = Module.getExportByName 44 | // console.warn("baseAddr: ", baseAddr); 45 | // // var funcAddr = baseAddr.add(0x2400); 46 | // var nativeP = Module.getExportByName("libaccount.so", "Java_com_sina_weibo_statistic_LogFeedbackActivity_encryptData"); 47 | // console.warn("nativeP", nativeP); 48 | // var sub_2400 = new NativePointer(Module.findBaseAddress("libaccount.so")).add(0x2400 + 1); 49 | // Interceptor.attach(sub_2400, { 50 | // onEnter: function (args) { 51 | // console.warn("a: "); 52 | // }, 53 | // onLeave: function (retval) { 54 | // console.warn("retval: ", retval); 55 | // } 56 | // 57 | // }); 58 | 59 | }); 60 | } 61 | 62 | 63 | -------------------------------------------------------------------------------- /haokan/test.js: -------------------------------------------------------------------------------- 1 | if (Java.available) { 2 | Java.perform(function () { 3 | // var c = Java.use("com.sina.weibo.applicationInit.b.a.c");//com.sina.weibo.applicationInit.b.a.c.a 4 | // var PreferenceUtil = Java.use("com.sina.push.utils.PreferenceUtil");//com.sina.weibo.applicationInit.b.a.c.a 5 | // PreferenceUtil.getPushChannelType.implementation = function () { 6 | // console.warn("Hook a..."); 7 | // console.warn('ret: ' + this.getPushChannelType()); 8 | // return this.getPushChannelType(); 9 | // }; 10 | 11 | 12 | var b = Java.use("com.sina.weibo.net.carrier.Strategy.b");//com.sina.weibo.applicationInit.b.a.c.a 13 | b.a.overload('java.lang.String', 'java.lang.String').implementation = function (a, b) { 14 | console.warn("Hook isSupport ..."); 15 | return this.a(a, b); 16 | }; 17 | // var ad = Java.use("com.sina.weibo.ad"); 18 | // ad.a.overload('[B').implementation = function (c) { 19 | // console.warn("Hook add..."); 20 | // 
console.warn("a: ",c); 21 | // return this.a(c); 22 | // }; 23 | var ms = Module.enumerateExports( 24 | { 25 | onMatch: function (exp) { 26 | // if (exp.name === "libutility.so") 27 | // console.warn("exp.name: ", exp.name); 28 | } 29 | , 30 | onComplete: function () { 31 | } 32 | } 33 | ); 34 | 35 | // console.warn("exp.name: ", ms[0].name); 36 | 37 | var baseAddr = Process.findModuleByName("libaccount.so"); 38 | console.warn("baseAddr: ", baseAddr); 39 | baseAddr11 = Process.getModuleByAddress(0x25927); 40 | console.warn("baseAddr11: ", baseAddr11); 41 | 42 | // var baseAddr = Module.findBaseAddress('libaccount.so'); 43 | // var baseAddr = Module.getExportByName 44 | // console.warn("baseAddr: ", baseAddr); 45 | // // var funcAddr = baseAddr.add(0x2400); 46 | // var nativeP = Module.getExportByName("libaccount.so", "Java_com_sina_weibo_statistic_LogFeedbackActivity_encryptData"); 47 | // console.warn("nativeP", nativeP); 48 | // var sub_2400 = new NativePointer(Module.findBaseAddress("libaccount.so")).add(0x2400 + 1); 49 | // Interceptor.attach(sub_2400, { 50 | // onEnter: function (args) { 51 | // console.warn("a: "); 52 | // }, 53 | // onLeave: function (retval) { 54 | // console.warn("retval: ", retval); 55 | // } 56 | // 57 | // }); 58 | 59 | }); 60 | } 61 | 62 | 63 | -------------------------------------------------------------------------------- /eleme/testWebDriver.py: -------------------------------------------------------------------------------- 1 | from selenium import webdriver 2 | import time 3 | import win32api 4 | import win32con 5 | import os 6 | 7 | list1 = open("ID数据去重后_harf.txt", "r", encoding='UTF-8').readlines() 8 | 9 | for i in range(0, len(list1)): 10 | # list1[i] = list1[i].rstrip('\n') 11 | id = list1[i].split(",")[1] 12 | name = list1[i].split(",")[2] + "_" + id 13 | # url = 
"https://meishi.meituan.com/i/certificate/foodsafety?mtId="+id+"&f=android&token=owBCehCGJhqOWHy7FNUYDrDbOkAAAAAAQgoAAGKADLeGiP-GwlKooA-QA-v3JIr7I53-j-23hg8iPjYW0V58eCgWgK1Bg6kmUd4y9g&userid=2906048234&lat=39.874913286072044&lng=116.68539728948531&utm_source=undefined&utm_medium=android&utm_term=1000060203&version_name=10.6.203&utm_content=862400048396856&utm_campaign=AgroupBgroupC0D200E243168466715547220197960310848290710313_a168853584_c1_e4320249642646189019Ghomepage_category2_1__a1__c-1024__gfood__hpoilist__i1&ci=1&msid=8624000483968561585628957294&uuid=000000000000090CAE6634A8D42948748FEBCC1557198A157954239667625851" 14 | url = "https://meishi.meituan.com/i/certificate/foodsafety?mtId=" + id + "&f=android&token=owBCehCGJhqOWHy7FNUYDrDbOkAAAAAAQgoAAGKADL" 15 | # url = "https://meishi.meituan.com/i/certificate/foodsafety?mtId="+id+"&f=android" 16 | print(url) 17 | 18 | # 打开另存为mhtml功能 19 | # options = webdriver.ChromeOptions() 20 | # options.add_argument('--save-page-as-mhtml') 21 | 22 | # 设置chromedriver,并打开webdriver 23 | # driver = webdriver.Chrome(options=options) 24 | driver = webdriver.Chrome() 25 | driver.get(url) # 模拟键盘操作 26 | win32api.keybd_event(17, 0, 0, 0) # 按下ctrl 27 | win32api.keybd_event(65, 0, 0, 0) # 按下a 28 | win32api.keybd_event(65, 0, win32con.KEYEVENTF_KEYUP, 0) # 释放a 29 | win32api.keybd_event(83, 0, 0, 0) # 按下s 30 | win32api.keybd_event(83, 0, win32con.KEYEVENTF_KEYUP, 0) # 释放s 31 | win32api.keybd_event(17, 0, win32con.KEYEVENTF_KEYUP, 0) # 释放ctrl 32 | 33 | time.sleep(1) 34 | win32api.keybd_event(13, 0, 0, 0) # 按下enter 35 | win32api.keybd_event(13, 0, win32con.KEYEVENTF_KEYUP, 0) # 释放enter 36 | # 预估下载时间,后期根据实际网速调整 37 | time.sleep(2) 38 | # 关闭webdriver 39 | driver.close() 40 | path = 'C:/Users/11633/Downloads' 41 | file = "食品安全档案.html" 42 | filePackage = "食品安全档案_files" 43 | 44 | if file in os.listdir(path): 45 | os.rename(os.path.join(path, file), os.path.join(path, name + ".html")) 46 | if filePackage in os.listdir(path): 47 | 
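os.rename(os.path.join(path, filePackage), os.path.join(path, name)) 48 | file = "验证中心.html" 49 | filePackage = "验证中心_files" 50 | if file in os.listdir(path): 51 | os.rename(os.path.join(path, file), os.path.join(path, "验证中心_" +id+ ".html")) 52 | if filePackage in os.listdir(path): 53 | os.rename(os.path.join(path, filePackage), os.path.join(path, "验证中心_" +id)) 54 | -------------------------------------------------------------------------------- /eleme/test.js: --------------------------------------------------------------------------------
// Logging hooks for a handful of Java methods. Every hook prints what it sees
// and then returns whatever the original method returned.
//
// Each hook calls the original method exactly once and reuses the result for
// both the log line and the return value. Calling it once for the log and
// again for the return runs the app's code twice per call, which changes the
// behaviour being observed.
if (Java.available) {
    Java.perform(function () {
        // var QualificationViewHolder = Java.use("me.ele.shopping.ui.shop.info.ShopInfoViewHolder$QualificationViewHolder");
        // QualificationViewHolder.a.implementation = function (a1) {
        //     console.warn("Hook a ...");
        //     return this.a(a1);
        // };

        // One handle serves both hooks on this class (the original declared
        // `var h` three times for two different classes).
        var modelH = Java.use("me.ele.shopping.biz.model.co$h");
        modelH.a.implementation = function () {
            var ret = this.a();
            console.warn("h_a :", ret); // label used to read "h_b" for method a
            return ret;
        };
        modelH.b.implementation = function () {
            var ret = this.b();
            console.warn("h_b :", ret);
            return ret;
        };

        var WVApiPlugin = Java.use("android.taobao.windvane.jsbridge.WVApiPlugin");
        WVApiPlugin.executeSafe.implementation = function (a, b, c) {
            console.warn("executeSafe :", a);
            console.warn("executeSafe :", b);
            var ret = this.executeSafe(a, b, c);
            console.warn("executeSafe :", ret);
            return ret;
        };

        // The four TaoLog hooks differ only in the method name, so install
        // them from one template.
        var TaoLog = Java.use("android.taobao.windvane.util.TaoLog");
        ["i", "v", "e", "d"].forEach(function (level) {
            TaoLog[level].overload('java.lang.String', 'java.lang.String').implementation = function (a, b) {
                console.warn("TaoLog." + level + " :", a);
                console.warn("TaoLog." + level + " :", b);
                return this[level](a, b);
            };
        });

        // var ag = Java.use("com.uc.sdk_glue.ag");
        // ag.b.implementation = function (a) {
        //     console.warn("ag.b :", a);
        //     console.warn("ag.b :", this.b(a));
        //     return this.b(a);
        // };
        // var ErisEntry = Java.use("me.ele.uis.eris.ErisEntry");
        // ErisEntry.sneer.implementation = function (a,b,c,d) {
        //     console.warn("sneer a:",a);
        //     console.warn("sneer b:",b);
        //     console.warn("sneer c:",c);
        //     console.warn("sneer d:",d);
        //     console.warn("sneer res:",this.sneer(a,b,c,d));
        //     return this.sneer(a,b,c,d);
        // };

        var PasswordLoginView = Java.use("com.alipay.user.mobile.login.view.PasswordLoginView");
        PasswordLoginView.trustLoginWithExtLoginParam.implementation = function () {
            var ret = this.trustLoginWithExtLoginParam();
            console.warn("trustLoginWithExtLoginParam res:", ret);
            return ret;
        };

        var enetH = Java.use("me.ele.android.enet.h");
        var h_a = Java.use("me.ele.android.enet.h$a");
        enetH.$init.implementation = function (a) {
            // console.warn(" b:", b);
            var ha = Java.cast(a, h_a);
            // NOTE(review): Frida exposes instance fields as wrapper objects
            // whose content is read through `.value`; confirm these lines
            // print the field values that were intended.
            console.warn(" b:", ha.b);
            console.warn(" c:", ha.c);
            console.warn(" d:", ha.d);
            console.warn(" f3128a:", ha.f3128a);
            console.warn(" g:", ha.g);
            console.warn(" h:", ha.h);
            console.warn(" i:", ha.i);
            console.warn(" j:", ha.j);
            return this.$init(a);
        };

    });
}
-------------------------------------------------------------------------------- /DexUnpack/dump_dex_3.js: -------------------------------------------------------------------------------- 1 | //frida -U -f com.min.app.sample -l ./src/script/hook.js --no-pause 2 | 3 | // var packageName = 'com.min.app.sample'; 4 | var packageName = 'com.ldzs.zhangxin'; 5 | 6 | 7 | var DEX_MAGIC = 0x0A786564; 8 | var placeHolderArray; 9 | var dexrec = []; 10 | 11 | // Interceptor.attach(Module.findExportByName('libart.so', '_ZN3art7DexFile10OpenMemoryEPKhjRKNSt3__112basic_stringIcNS3_11char_traitsIcEENS3_9allocatorIcEEEEjPNS_6MemMapEPKNS_10OatDexFileEPS9_'), { 12 | Interceptor.attach(Module.findExportByName('libart.so', '_ZN3art7DexFile10OpenMemoryEPKhjRKNSt3__112basic_stringIcNS3_11char_traitsIcEENS3_9allocatorIcEEEEjPNS_6MemMapEPKNS_7OatFileEPS9_'), { 13 | onEnter: function(args) { 14 | if (Memory.readU32(args[1]) === DEX_MAGIC) { 15 | dexrec.push(args[1]); 16 | } 17 | }, 18 | onLeave: function(retval) {} 19 | }); 20 | 21 | Java.performNow(function() { 22 | var Application = Java.use("android.app.Application"); 23 | Application.onCreate.implementation = function() { 24 | this.onCreate(); 25 | console.log('find application : ' + this); 26 | if (this.toString().indexOf(packageName) < 0) { //防止加壳后的app,两次调用到onCreate 27 | return; 28 | } 29 | var classloader = this.getClassLoader(); // 获取classloader 30 | Java.classFactory.loader = classloader; //替换classloader 31 | loadAllClass(); 32 | dumpDex(); 33 | } 34 | }); 35 | 36 | function loadAllClass() { 37 | placeHolderArray = Java.array("java.lang.Object", []); 38 | 39 | var classLoaderObj = Java.classFactory.loader; 40 | var pathListObj = getPathListObj(classLoaderObj); 41 | var 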
JavaArray = Java.use("java.lang.reflect.Array"); 42 | var dexElementsObj = getDexElementsObj(pathListObj); 43 | 44 | for (var i = 0; i < JavaArray.getLength(dexElementsObj); i++) { 45 | var dexElement = JavaArray.get(dexElementsObj, i); 46 | var dexFileObj = getDexFileObj(dexElement); 47 | console.log('handle dexFile : ' + dexFileObj); 48 | 49 | var enumerations = getMethod("dalvik.system.DexFile", "entries").invoke(dexFileObj, placeHolderArray); 50 | var hasMoreElementsMethod = getMethod("java.util.Enumeration", "hasMoreElements"); 51 | while (true) { 52 | var flag = hasMoreElementsMethod.invoke(enumerations, placeHolderArray); 53 | if (flag.toString() === 'false') { 54 | break; 55 | } 56 | var nextElementMethod = getMethod("java.util.Enumeration", "nextElement"); 57 | var clazzName = nextElementMethod.invoke(enumerations, placeHolderArray).toString(); 58 | if (startWith(clazzName, "android.") || startWith(clazzName, "androidx.") || startWith(clazzName, "dalvik.")) { 59 | continue; 60 | } 61 | try { 62 | console.log("load " + Java.classFactory.loader.loadClass(clazzName)); 63 | } catch (e) { 64 | console.log(e); 65 | } 66 | } 67 | } 68 | } 69 | 70 | function dumpDex() { 71 | for (var i = 0; i < dexrec.length; i++) { 72 | if (Memory.readU32(dexrec[i]) === DEX_MAGIC) { 73 | var beginPtr = dexrec[i]; 74 | var dexLengthPtr = beginPtr.add(0x20); 75 | var dexLength = Memory.readInt(dexLengthPtr); 76 | console.log("\nfind dex ,beginAddress = " + beginPtr + " , dexLength = " + dexLength); 77 | dump(beginPtr, 64); 78 | 79 | console.log("start dump dex ...."); 80 | var filePath = "/data/data/" + packageName + "/" + dexLength + ".dex"; 81 | var file = new File(filePath, "wb"); 82 | file.write(Memory.readByteArray(beginPtr, dexLength)); 83 | file.flush(); 84 | file.close(); 85 | console.log("end dump dex ...." 
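+ filePath+"\n"); 86 | } 87 | } 88 | } 89 | 90 | function getMethod(className, methodName) { 91 | var method = Java.use(className).class.getDeclaredMethod(methodName, placeHolderArray); 92 | return method; 93 | } 94 | 95 | function getPathListObj(obj) { 96 | var field = Java.use("dalvik.system.BaseDexClassLoader").class.getDeclaredField("pathList"); 97 | field.setAccessible(true); 98 | return field.get(obj); 99 | } 100 | 101 | function getDexElementsObj(obj) { 102 | var field = Java.use("dalvik.system.DexPathList").class.getDeclaredField("dexElements"); 103 | field.setAccessible(true); 104 | return field.get(obj); 105 | } 106 | 107 | function getDexFileObj(obj) { 108 | var field = Java.use("dalvik.system.DexPathList$Element").class.getDeclaredField("dexFile"); 109 | field.setAccessible(true); 110 | return field.get(obj); 111 | } 112 | 113 | function startWith(str, prefix) { 114 | return str.slice(0, prefix.length) === prefix; 115 | } 116 | 117 | function dump(pointer, len) { 118 | var str = hexdump(pointer, { 119 | offset: 0, 120 | length: len, 121 | header: true, 122 | ansi: true 123 | }); 124 | console.log(str) 125 | } 126 | -------------------------------------------------------------------------------- /moji/fangtianxia.js: --------------------------------------------------------------------------------
// Logging hooks for several Java methods. Each active hook prints its
// arguments (and, where the method returns one, its result) and then returns
// what the original returned.
//
// Active hooks call the original exactly once. The earlier versions called it
// once inside the log statement and again for the return value, which ran the
// hooked code twice per call.
if (Java.available) {
    Java.perform(function () {
        // These handles are only referenced by the disabled hooks below.
        // Java.use is still executed for each of them, so the script stops
        // here if one of the classes is not present in the process.
        var av = Java.use("com.eguan.monitor.av");
        var am = Java.use("com.eguan.monitor.am");
        var mJSONObject = Java.use("org.json.JSONObject");
        // av.a.overload('[B', 'java.lang.String').implementation = function (a, b) {
        //     console.warn("Hook [B', 'java.lang.String' ...");
        //     console.warn("a: ",a);
        //     console.warn("b: ",b);
        //     console.warn("res: ",this.a(a,b));
        //     return this.a(a,b);
        // };
        // var mArray = Java.use("java.lang.reflect.Array");
        // av.a.overload('[B').implementation = function (a) {
        //     console.warn("Hook [B ...");
        //     console.warn("a: ",mArray.get(a));
        //     console.warn("res: ",this.a(a));
        //     return this.a(a);
        // };
        var mBase64 = Java.use("android.util.Base64");
        var mSignature = Java.use("android.content.pm.Signature");
        var mArray = Java.use("java.lang.reflect.Array");
        var DeviceConfig = Java.use("com.umeng.commonsdk.statistics.common.DeviceConfig");
        // DeviceConfig.getAppHashKey.implementation = function (a) {
        //     console.warn("Hook getAppHashKey ...");
        //     console.warn("a: ", a);
        //     console.warn("res: ", this.getAppHashKey(a));
        //     return this.getAppHashKey(a);
        // };
        // DeviceConfig.getAppSHA1Key.implementation = function (a) {
        //     console.warn("Hook getAppSHA1Key ...");
        //     console.warn("a: ", a);
        //     console.warn("res: ", this.getAppSHA1Key(a));
        //     return this.getAppSHA1Key(a);
        // };
        // DeviceConfig.getAppMD5Signature.implementation = function (a) {
        //     console.warn("Hook getAppMD5Signature ...");
        //     console.warn("a: ", a);
        //     console.warn("res: ", this.getAppMD5Signature(a));
        //     return this.getAppMD5Signature(a);
        // };

        var CommonUtil = Java.use("cn.com.mma.mobile.tracking.util.CommonUtil");
        var Countly_4 = Java.use("cn.com.mma.mobile.tracking.api.Countly$4");

        CommonUtil.getSignature.implementation = function (a, b, c, d) {
            console.warn("Hook getSignature ...");
            console.warn("a: ", a);
            console.warn("b: ", b);
            console.warn("c: ", c);
            console.warn("d: ", d);
            var res = this.getSignature(a, b, c, d);
            console.warn("res: ", res);
            return res;
        };
        Countly_4.onEventPresent.implementation = function (a) {
            // Banner used to read "Hook getSignature ...", copied from the hook above.
            console.warn("Hook onEventPresent ...");
            console.warn("a: ", a);
            var res = this.onEventPresent(a);
            console.warn("res: ", res);
            return res;
        };
        var utils_e = Java.use("com.bytedance.sdk.openadsdk.utils.e");

        utils_e.a.overload('android.content.Context').implementation = function (a) {
            console.warn("Hook utils_e.a ...");
            console.warn("a: ", a);
            var res = this.a(a);
            console.warn("res: ", res);
            return res;
        };

        // Named AndroidProcess so that it does not shadow Frida's global
        // `Process` object inside this callback.
        var AndroidProcess = Java.use("android.os.Process");

        AndroidProcess.killProcess.implementation = function (a) {
            console.warn("Hook killProcess...");
            console.warn("a: ", a);
            // killProcess has no return value to log. The earlier version
            // invoked it inside the log statement and again on return, so the
            // kill was already issued while the "res" line was being built.
            return this.killProcess(a);
        };


        // am.a.overload('android.content.Context').implementation = function (a) {
        //     console.warn("Hook aContext ...");
        //     console.warn("a: ", a);
        //     // var aaa = Java.cast(this.a(a), mJSONObject);
        //     // console.warn("res: ", aaa.toString());
        //     var sig = a.getPackageManager().getPackageInfo(a.getPackageName(), 64);
        //     console.warn('sig: ' + sig);
        //     var signatures = sig.class.getDeclaredField("signatures");
        //     signatures.setAccessible(true);
        //     var value = signatures.get(sig);
        //     var abc = value.getClass().isArray();
        //     console.warn('abc: ' + abc);
        //     console.warn('value: ' + value);
        //     console.warn('value1: ' + mArray.get(value, 0));
        //     var sid = Java.cast(mArray.get(value, 0), mSignature);
        //     console.warn('value2: ' + sid.toByteArray());
        //     var sids = mBase64.encodeToString(sid.toByteArray(), 0);
        //
        //     console.warn('sids: ' + sids);
        //     return this.a(a);
        // };


        var aa = Java.use("com.pgl.sys.ces.a");
        var ces_c = Java.use("com.pgl.sys.ces.c");
        var mString = Java.use("java.lang.String");
        var a_d = Java.use("com.sijla.i.a.d");

        // aa.njss.overload('int', 'java.lang.Object').implementation = function (a, b) {
        //     console.warn("Hook njss ...");
        //     console.warn("a: ", a);
        //     console.warn("b: ", b);
        //     // console.warn("res: ", this.njss(137, b).toString());
        //     return this.njss(a, b);
        // };
        // a_d.a.overload('java.lang.String').implementation = function (a) {
        //     console.warn("Hook E ...");
        //     console.warn("a: ", a);
        //     console.warn("res: ", this.a(a));
        //     return this.a(a);
        // };
        // ces_c.a.overload('java.lang.String').implementation = function (a) {
        //     console.warn("Hook ces_c2 ...");
        //     console.warn("a: ", a);
        //     // var aaa= Java.cast(this.njss(a.b),mString);
        //     console.warn("res2: ", this.a(a));
        //     return this.a(a);
        // };
        // ces_c.a.overload().implementation = function () {
        //     console.warn("Hook ces_c1 ...");
        //     // var aaa= Java.cast(this.njss(a.b),mString);
        //     console.warn("res1: ", this.a());
        //     return this.a();
        // };
    });
}
-------------------------------------------------------------------------------- /eleme/test1.js: -------------------------------------------------------------------------------- 1 | if (Java.available) { 2 | Java.perform(function () { 3 | 4 | 5 | // var m0 = Java.use("h.a.a.m0");//com.sina.weibo.applicationInit.b.a.c.a 6 | // m0.a.overload('java.lang.String').implementation = function (a) { 7 | // console.warn("------------ m0.a------------"); 8 | // console.warn(a, ",ret: ", this.a(a)); 9 | // return this.a(a); 10 | // }; 11 | // var h = Java.use("h.a.x.h");//com.sina.weibo.applicationInit.b.a.c.a 12 | // h.a.implementation = function (a, b, c) { 13 | // console.warn("------------h.a------------"); 14 | // console.warn(a, ",", b, ",", c); 15 | // return this.a(a, b, c); 16 | // }; 17 | // var Pair = Java.use("android.util.Pair");//com.sina.weibo.applicationInit.b.a.c.a 18 | // Pair.$init.implementation = function (a,b) { 19 | // console.warn("------------Pair.$init------------"); 20 | // console.warn(a, ",", b); 21 | // return this.$init(a,b); 22 | // }; 23 | //2205057699d853d6fef4cf4b68b3f2ffcdfae9af5e 24 | 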
//2205057689d89453942fa4df33d4b9ec0160352f0b 25 | // var JSONObject = Java.use("org.json.JSONObject");//com.sina.weibo.applicationInit.b.a.c.a 26 | // JSONObject.put.overload('java.lang.String', 'java.lang.Object').implementation = function (a, b) { 27 | // console.warn("------------JSONObject.put------------"); 28 | // console.warn(a, ",", b); 29 | // return this.put(a, b); 30 | // }; 31 | var f = Java.use("com.kuaishou.android.security.f");//com.sina.weibo.applicationInit.b.a.c.a 32 | // f.a.overload('java.lang.String', 'boolean').implementation = function (a, b) { 33 | // console.warn("------------f.a------------"); 34 | // console.warn(a, ",", b); 35 | // console.warn("f.a_res:", this.a(a, b)); 36 | // return this.a(a, b); 37 | // }; 38 | var KSecurity = Java.use("com.kuaishou.android.security.KSecurity");//com.sina.weibo.applicationInit.b.a.c.a 39 | // KSecurity.atlasSign.overload('java.lang.String').implementation = function (a) { 40 | // console.warn("------------atlasSign------------"); 41 | // console.warn(a, ",", this.atlasSign(a)); 42 | // return this.atlasSign(a); 43 | // }; 44 | KSecurity.isInitialize.implementation = function () { 45 | console.warn("------------isInitialize------------"); 46 | console.warn(this.isInitialize()); 47 | return true; 48 | }; 49 | // ----getWbKey--- 50 | // lD6We1E8i 51 | 52 | 53 | // i.j.overload().implementation = function () { 54 | // console.warn("----i.j---"); 55 | // console.warn(this.j()); 56 | // return this.j(); 57 | // }; 58 | //contex:com.yxcorp.gifshow.App@4f3754e 59 | var security_i = Java.use("com.kuaishou.android.security.i");//com.sina.weibo.applicationInit.b.a.c.a 60 | // security_i.a.overload('android.content.Context').implementation = function (a) { 61 | // console.warn("----security_i.a(Context)---"); 62 | // console.warn("a:", a); 63 | // console.warn("a(Context)res:", this.a(a)); 64 | // return this.a(a); 65 | // }; 66 | var mBase64 = Java.use("android.util.Base64"); 67 | 68 | 
//a:MjIwNDYzMzg5OWQ4OWI2MGFkMmNlZGFkMGY3NzA5YWQ2MjEyMWY2ZGRk 69 | // var c_i = Java.use("com.kuaishou.android.security.kfree.c.i");//com.sina.weibo.applicationInit.b.a.c.a 70 | // c_i.c.overload('[B').implementation = function (a) { 71 | // console.warn("----c_i.c---"); 72 | // var sids = mBase64.encodeToString(a, 0); 73 | // console.warn("a:", sids); 74 | // return this.c(a); 75 | // }; 76 | 77 | 78 | // security_i.a.overload('java.lang.String').implementation = function (a) { 79 | // console.warn("----security_i.a(String)---"); 80 | // console.warn("a:", a); 81 | // // var f20565c = security_i.getDeclaredField("f20565c"); 82 | // // f20565c.setAccessible(true); 83 | // console.warn("f20565c:", this.f20565c); 84 | // console.warn("a(String)res:", this.a(a)); 85 | // return this.a(a); 86 | // }; 87 | // security_i.$init.implementation = function (a) { 88 | // console.warn("----security_i.$init---"); 89 | // console.warn("a:", a); 90 | // console.warn(this.$init(a)); 91 | // return this.$init(a); 92 | // }; 93 | // var b_a = Java.use("com.kuaishou.android.security.kfree.b.a");//com.sina.weibo.applicationInit.b.a.c.a 94 | // b_a.$init.overload('java.lang.String').implementation = function (a) { 95 | // console.warn("----b.a$init---"); 96 | // console.warn("a:", a); 97 | // console.warn("b.a$initres:", this.$init(a)); 98 | // return this.$init(a); 99 | // }; 100 | // security_i.b.overload().implementation = function () { 101 | // console.warn("----security_i.b---"); 102 | // console.warn(this.b()); 103 | // return this.b(); 104 | // }; 105 | // var KSecurityContext = Java.use("com.kuaishou.android.security.adapter.common.KSecurityContext");//com.sina.weibo.applicationInit.b.a.c.a 106 | // KSecurityContext.getWbKey.implementation = function () { 107 | // console.warn("----getWbKey---"); 108 | // console.warn(this.getWbKey()); 109 | // return this.getWbKey(); 110 | // }; 111 | var Charset = Java.use("java.nio.charset.Charset");//com.sina.weibo.applicationInit.b.a.c.a 
// (continuation of /eleme/test1.js, inside the Java.perform callback)
        var CPU = Java.use("com.yxcorp.gifshow.util.CPU");//com.sina.weibo.applicationInit.b.a.c.a
        var aa = Java.use("m0.a.b.a.b.a");//com.sina.weibo.applicationInit.b.a.c.a
        var clazz = Java.use("java.lang.Class");
        var mString = Java.use("java.lang.String");

        // Logging hook on CPU.a(a, b, c): prints `b` as Base64, `c`, the original return value,
        // and `b` decoded to a String using the Charset held in static field "a" of m0.a.b.a.b.a.
        // NOTE(review): the original method is invoked twice per call (once for the log line,
        // once for the return). If it has side effects or is not deterministic, the logged value
        // can differ from the value the app actually receives.
        // NOTE(review): the log output contains the method's inputs and result; store it as
        // sensitive data.
        CPU.a.implementation = function (a, b, c) {
            console.warn("----CPU.a---");
            // var aIns = aa.$new.overload("java.nio.charset.Charset").call(aa,"");
            var sids = mBase64.encodeToString(b, 0);
            console.warn("b:", sids, "c:", c, "res:", this.a(a, b, c));


            // Reflective access to the declared field "a"; setAccessible(true) lifts the Java
            // access check for this Field object.
            var Charset_a = Java.cast(aa.class, clazz).getDeclaredField("a");
            Charset_a.setAccessible(true);
            // var mchar = Charset_a.$new();
            // var forName = Java.cast(Charset.class, clazz).getDeclaredMethod("forName");
            // var forName = Charset.getDeclaredMethod("forName");
            // forName.setAccessible(true);
            // var ch = forName.invoke(null,"UTF-8");
            // Charset.forName(null, "UTF-8");

            // var aaa = Charset_a.get(aIns);

            // NOTE(review): Field.get() is given the Charset class wrapper as receiver;
            // presumably the field is static so the receiver is ignored -- confirm.
            var str = mString.$new.overload("[B","java.nio.charset.Charset").call(mString,b,Charset_a.get(Charset));

            console.warn("str:", str);
            return this.a(a, b, c);
        };


    });
}


--------------------------------------------------------------------------------
/DexUnpack/dump_dex_2.js:
--------------------------------------------------------------------------------
// In-memory DEX dumper for a Frida session.
//   1. Intercepts art::DexFile::OpenMemory in libart.so and records every pointer argument
//      whose first four bytes equal the DEX magic.
//   2. Hooks Application.attachBaseContext, writes an embedded helper DEX (dexBase64) into the
//      app's files directory, loads it with DexClassLoader and calls its static loadAllClass().
//   3. Writes each recorded region to <filesDir>/<hex length>.dex.
//
// NOTE(review), applies to all three copies of this script on the page:
//   * The length of each dump is read from the DEX header of the inspected process (offset
//     0x20, the file_size field). That value is controlled by the app under analysis and is
//     used without an upper bound or a try/catch; a protected or hostile sample can make the
//     read fail or become very large. Validate it against a sane maximum before reading.
//   * dexrec holds raw pointers captured at call entry. Nothing here shows that the memory is
//     still mapped when the dump loop runs later; the magic re-check itself dereferences it.
//   * The output name is only the hex length, so two DEX files of equal size overwrite each
//     other.
//   * The script writes emmm.dex into, and loads code inside, the target app's sandbox. Run it
//     only on a disposable analysis device or emulator; the dropped file and the dumps remain
//     in the app's data directory afterwards.
//   * The helper DEX bytes are not present on this page (the literal is a placeholder), so
//     what com.smartdone.EnumerateClass.loadAllClass does cannot be verified from here.

// 0x0A786564 read as a little-endian u32 is the byte sequence 'd' 'e' 'x' '\n'.
var DEX_MAGIC = 0x0A786564;
// Pointers recorded by the OpenMemory interceptor.
var dexrec = [];

// Module.findExportByName returns null when the symbol is missing; the loose `!=` below
// also rejects null.
var openmemory = Module.findExportByName("libart.so", "_ZN3art7DexFile10OpenMemoryEPKhjRKNSt3__112basic_stringIcNS3_11char_traitsIcEENS3_9allocatorIcEEEEjPNS_6MemMapEPKNS_10OatDexFileEPS9_");
if(openmemory != undefined) {
    console.log("openmemory at" + openmemory);
    Interceptor.attach(openmemory, {
        onEnter: function (args) {
            // NOTE(review): assumes args[1] is the DEX base pointer on this ABI/ART build -- confirm.
            if(Memory.readU32(args[1]) == DEX_MAGIC) {
                dexrec.push(args[1]);
            }
        },
        // Intentionally empty.
        onLeave: function (retval) {

        }
    });
}

if(Java.available) {
    Java.performNow(function(){

        // Base64 of the helper DEX; decoded and written to disk inside the hook below.
        var dexBase64 = "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";
        var application = Java.use("android.app.Application");
        var BaseDexClassLoader = Java.use("dalvik.system.BaseDexClassLoader");
        var Base64 = Java.use("android.util.Base64");
        var FileOutputStream = Java.use("java.io.FileOutputStream");
        var DexClassLoader = Java.use("dalvik.system.DexClassLoader");

        // Of the wrappers below only reflectClass is used in this file.
        var reflectField = Java.use("java.lang.reflect.Field");
        var reflectMethod = Java.use("java.lang.reflect.Method");
        var reflectObject = Java.use("java.lang.Object");
        var reflectClass = Java.use("java.lang.Class");
        var reflectString = Java.use("java.lang.String");
        var reflectClassloader = Java.use("java.lang.ClassLoader");

        console.log('start dump...')
        if(application != undefined) {
            application.attachBaseContext.overload('android.content.Context').implementation = function(context) {
                // console.log('find application :'+this);
                // var result = this.attach(context);
                // Run the original first so the context is attached before it is used.
                this.attachBaseContext(context);
                console.log("find application :",this);
                // Only continue for Application objects whose toString() contains this name.
                if(this.toString().indexOf('com.min.app.sample')<0){
                    return;
                }
                var classloader = context.getClassLoader();
                var filesDir = context.getFilesDir();
                var codeCacheDir = context.getCodeCacheDir();
                console.log("files dir: " + filesDir);
                console.log("code cache dir: " + codeCacheDir);
                if(classloader != undefined) {
                    // casedloader is never used afterwards.
                    var casedloader = Java.cast(classloader, BaseDexClassLoader);
                    // Drop the helper DEX into the app's files directory.
                    var dexbytes = Base64.decode(dexBase64, 0);
                    var dexpath = filesDir + "/emmm.dex";
                    var fout = FileOutputStream.$new(dexpath);
                    fout.write(dexbytes, 0, dexbytes.length);
                    fout.close();
                    console.log("write dex to " + dexpath);

                    var dexstr = dexpath.toString();
                    var cachestr = codeCacheDir.toString();

                    // Load the helper with the app's own class loader as parent.
                    var dyndex = DexClassLoader.$new(dexstr, cachestr, cachestr, classloader);
                    console.log(dyndex.toString());
                    var EnumerateClass = dyndex.loadClass("com.smartdone.EnumerateClass");
                    var castedEnumerateClass = Java.cast(EnumerateClass, reflectClass);
                    var methods = castedEnumerateClass.getDeclaredMethods();
                    // loadAllClass
                    // Find the method by name via reflection; every declared method name is logged.
                    var loadAllClass = undefined;
                    for(var i in methods) {
                        console.log(methods[i].getName());
                        if(methods[i].getName() == "loadAllClass") {
                            console.log("find loadAllClass");
                            loadAllClass = methods[i];
                        }
                    }
                    if(loadAllClass != undefined) {
                        console.log("loadAllClass: " + loadAllClass.toString());
                        var args = Java.array('Ljava.lang.Object;',[classloader]);
                        // Static invocation (null receiver); the return value is not used.
                        var classlist = loadAllClass.invoke(null , args);
                        console.log("start dump dex ");
                        for(var i in dexrec) {
                            if(Memory.readU32(dexrec[i]) == DEX_MAGIC) {
                                // Untrusted length taken from the header; see the file-level note.
                                var dex_len = Memory.readU32(dexrec[i].add(0x20));
                                var dumppath = filesDir.toString() + "/" + dex_len.toString(0x10) + ".dex";
                                console.log(dumppath);
                                var dumpdexfile = new File(dumppath, "wb");
                                dumpdexfile.write(Memory.readByteArray(dexrec[i], dex_len));
                                dumpdexfile.close();
                                console.log("write file to " + dumppath);
                            }
                        }
                    }


                } else {
                    console.error("unable get classloader");
                }
                // NOTE(review): `result` is never declared in this file (its declaration is
                // commented out above), so this line throws a ReferenceError inside the hooked
                // method once it is reached. The early exit above already uses a bare `return;`.
                return result;
            }
        }
    });
}

--------------------------------------------------------------------------------
/DexUnpack/unpack.js:
--------------------------------------------------------------------------------
// Same dumper as /DexUnpack/dump_dex_2.js with three differences visible here: it uses
// Java.perform instead of Java.performNow, it hooks Application.attach instead of
// attachBaseContext, and it has no filter on the Application's name. `result` is declared in
// this copy. The review notes at the top of dump_dex_2.js (untrusted header length, stale
// pointers, file-name collisions, files left in the app sandbox) apply unchanged.

// 0x0A786564 read as a little-endian u32 is the byte sequence 'd' 'e' 'x' '\n'.
var DEX_MAGIC = 0x0A786564;
// Pointers recorded by the OpenMemory interceptor.
var dexrec = [];

var openmemory = Module.findExportByName("libart.so", "_ZN3art7DexFile10OpenMemoryEPKhjRKNSt3__112basic_stringIcNS3_11char_traitsIcEENS3_9allocatorIcEEEEjPNS_6MemMapEPKNS_10OatDexFileEPS9_");
if (openmemory != undefined) {
    console.log("openmemory at" + openmemory);
    Interceptor.attach(openmemory, {
        onEnter: function (args) {
            // NOTE(review): assumes args[1] is the DEX base pointer on this ABI/ART build -- confirm.
            if (Memory.readU32(args[1]) == DEX_MAGIC) {
                dexrec.push(args[1]);
            }
        },
        // Intentionally empty.
        onLeave: function (retval) {

        }
    });
}

if (Java.available) {
    Java.perform(function () {
        // Base64 of the helper DEX; decoded and written to disk inside the hook below.
        var dexBase64 = "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";
        var application = Java.use("android.app.Application");
        var BaseDexClassLoader = Java.use("dalvik.system.BaseDexClassLoader");
        var Base64 = Java.use("android.util.Base64");
        var FileOutputStream = Java.use("java.io.FileOutputStream");
        var DexClassLoader = Java.use("dalvik.system.DexClassLoader");

        // Of the wrappers below only reflectClass is used in this file.
        var reflectField = Java.use("java.lang.reflect.Field");
        var reflectMethod = Java.use("java.lang.reflect.Method");
        var reflectObject = Java.use("java.lang.Object");
        var reflectClass = Java.use("java.lang.Class");
        var reflectString = Java.use("java.lang.String");
        var reflectClassloader = Java.use("java.lang.ClassLoader");


        // hexdump dex to /data/data/pkg/dir

        if(application != undefined) {
            application.attach.overload('android.content.Context').implementation = function(context) {
                // Call the original first and keep its return value for the caller.
                var result = this.attach(context);
                var classloader = context.getClassLoader();
                var filesDir = context.getFilesDir();
                var codeCacheDir = context.getCodeCacheDir();
                console.log("files dir: " + filesDir);
                console.log("code cache dir: " + codeCacheDir);
                if(classloader != undefined) {
                    // casedloader is never used afterwards.
                    var casedloader = Java.cast(classloader, BaseDexClassLoader);
                    // Drop the helper DEX into the app's files directory.
                    var dexbytes = Base64.decode(dexBase64, 0);
                    var dexpath = filesDir + "/emmm.dex";
                    var fout = FileOutputStream.$new(dexpath);
                    fout.write(dexbytes, 0, dexbytes.length);
                    fout.close();
                    console.log("write dex to " + dexpath);
                    //
                    var dexstr = dexpath.toString();
                    var cachestr = codeCacheDir.toString();

                    // Load the helper with the app's own class loader as parent.
                    var dyndex = DexClassLoader.$new(dexstr, cachestr, cachestr, classloader);
                    console.log(dyndex.toString());
                    var EnumerateClass = dyndex.loadClass("com.smartdone.EnumerateClass");
                    var castedEnumerateClass = Java.cast(EnumerateClass, reflectClass);
                    var methods = castedEnumerateClass.getDeclaredMethods();
                    // loadAllClass
                    var loadAllClass = undefined;
                    for(var i in methods) {
                        console.log(methods[i].getName());
                        if(methods[i].getName() == "loadAllClass") {
                            console.log("find loadAllClass");
                            loadAllClass = methods[i];
                        }
                    }
                    if(loadAllClass != undefined) {
                        console.log("loadAllClass: " + loadAllClass.toString());
                        var args = Java.array('Ljava.lang.Object;',[classloader]);
                        // Static invocation (null receiver); the return value is not used.
                        var classlist = loadAllClass.invoke(null , args);
                        console.log("start dump dex ");
                        for(var i in dexrec) {
                            if(Memory.readU32(dexrec[i]) == DEX_MAGIC) {
                                // Untrusted length from the header at offset 0x20; no bound is applied.
                                var dex_len = Memory.readU32(dexrec[i].add(0x20));
                                var dumppath = filesDir.toString() + "/" + dex_len.toString(0x10) + ".dex";
                                console.log(dumppath);
                                var dumpdexfile = new File(dumppath, "wb");
                                dumpdexfile.write(Memory.readByteArray(dexrec[i], dex_len));
                                dumpdexfile.close();
                                console.log("write file to " + dumppath);
                            }
                        }
                    }


                } else {
                    console.error("unable get classloader");
                }
                return result;
            }
        }
    });
}
--------------------------------------------------------------------------------
/jd/libSo.js:
--------------------------------------------------------------------------------
// Third copy of the dumper from /DexUnpack/unpack.js, with extra progress logging. Visible
// differences: the mangled OpenMemory symbol ends in ...7OatFile... instead of
// ...10OatDexFile..., the interceptor inspects args[0] instead of args[1], and most
// comparisons use strict (in)equality. The review notes at the top of
// /DexUnpack/dump_dex_2.js (untrusted header length, stale pointers, file-name collisions,
// files left in the app sandbox) apply unchanged.

// 0x0A786564 read as a little-endian u32 is the byte sequence 'd' 'e' 'x' '\n'.
var DEX_MAGIC = 0x0A786564;
// Pointers recorded by the OpenMemory interceptor.
var dexrec = [];

var openmemory = Module.findExportByName("libart.so", "_ZN3art7DexFile10OpenMemoryEPKhjRKNSt3__112basic_stringIcNS3_11char_traitsIcEENS3_9allocatorIcEEEEjPNS_6MemMapEPKNS_7OatFileEPS9_");
// NOTE(review): Module.findExportByName returns null, not undefined, when the export is
// missing. The strict `!== undefined` lets null through, so on a libart.so without this
// symbol Interceptor.attach is called with null. The other two copies use the loose `!=`,
// which rejects null as well.
if (openmemory !== undefined) {
    console.log("openmemory at" + openmemory);
    Interceptor.attach(openmemory, {
        onEnter: function (args) {
            // NOTE(review): args[0] is dereferenced and logged on every call, before any
            // check; presumably the base pointer sits in a different argument slot for this
            // symbol/ABI than in the other copies -- verify.
            console.log('args[0] : ' + Memory.readU32(args[0]));
            console.log('DEX_MAGIC : ' + DEX_MAGIC);
            if (Memory.readU32(args[0]) === DEX_MAGIC) {
                dexrec.push(args[0]);
            }
        },
        // Intentionally empty.
        onLeave: function (retval) {

        }
    });
}
console.log('===' );
if (Java.available) {
    console.log('2' );
    Java.perform(function () {
        console.log('3' );
        // Base64 of the helper DEX; decoded and written to disk inside the hook below.
        var dexBase64 = "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";
        var application = Java.use("android.app.Application");
        var BaseDexClassLoader = Java.use("dalvik.system.BaseDexClassLoader");
        var Base64 = Java.use("android.util.Base64");
        var FileOutputStream = Java.use("java.io.FileOutputStream");
        var DexClassLoader = Java.use("dalvik.system.DexClassLoader");

        // Of the wrappers below only reflectClass is used in this file.
        var reflectField = Java.use("java.lang.reflect.Field");
        var reflectMethod = Java.use("java.lang.reflect.Method");
        var reflectObject = Java.use("java.lang.Object");
        var reflectClass = Java.use("java.lang.Class");
        var reflectString = Java.use("java.lang.String");
        var reflectClassloader = Java.use("java.lang.ClassLoader");


        if (application !== undefined) {
            application.attach.overload('android.content.Context').implementation = function (context) {
                // Call the original first and keep its return value for the caller.
                var result = this.attach(context);
                var classloader = context.getClassLoader();
                var filesDir = context.getFilesDir();
                var codeCacheDir = context.getCodeCacheDir();
                console.log("files dir: " + filesDir);
                console.log("code cache dir: " + codeCacheDir);
                // NOTE(review): a null class loader also passes this strict check.
                if (classloader !== undefined) {
                    // casedloader is never used afterwards.
                    var casedloader = Java.cast(classloader, BaseDexClassLoader);
                    // Drop the helper DEX into the app's files directory.
                    var dexbytes = Base64.decode(dexBase64, 0);
                    var dexpath = filesDir + "/emmm.dex";
                    var fout = FileOutputStream.$new(dexpath);
                    fout.write(dexbytes, 0, dexbytes.length);
                    fout.close();
                    console.log("write dex to " + dexpath);

                    var dexstr = dexpath.toString();
                    var cachestr = codeCacheDir.toString();

                    // Load the helper with the app's own class loader as parent.
                    var dyndex = DexClassLoader.$new(dexstr, cachestr, cachestr, classloader);
                    console.log(dyndex.toString());
                    var EnumerateClass = dyndex.loadClass("com.smartdone.EnumerateClass");
                    var castedEnumerateClass = Java.cast(EnumerateClass, reflectClass);
                    var methods = castedEnumerateClass.getDeclaredMethods();
                    // loadAllClass
                    var loadAllClass = undefined;
                    for (var i in methods) {
                        console.log(methods[i].getName());
                        if (methods[i].getName() == "loadAllClass") {
                            console.log("find loadAllClass");
                            loadAllClass = methods[i];
                        }
                    }
                    if (loadAllClass != undefined) {
                        console.log("loadAllClass: " + loadAllClass.toString());
                        var args = Java.array('Ljava.lang.Object;', [classloader]);
                        // Static invocation (null receiver); the return value is not used.
                        var classlist = loadAllClass.invoke(null, args);
                        console.log("start dump dex ");
                        for (var i in dexrec) {
                            if (Memory.readU32(dexrec[i]) === DEX_MAGIC) {
                                // Untrusted length from the header at offset 0x20; no bound is applied.
                                var dex_len = Memory.readU32(dexrec[i].add(0x20));
                                var dumppath = filesDir.toString() + "/" + dex_len.toString(0x10) + ".dex";
                                console.log(dumppath);
                                var dumpdexfile = new File(dumppath, "wb");
                                dumpdexfile.write(Memory.readByteArray(dexrec[i], dex_len));
                                dumpdexfile.close();
                                console.log("write file to " + dumppath);
                            }
                        }
                    }


                } else {
                    console.error("unable get classloader");
                }
                return result;
            }
        } else {

            console.log("false ");
        }
    });
}
--------------------------------------------------------------------------------
/eleme/test.html:
--------------------------------------------------------------------------------
1 |

