├── frida-codeshare-scripts
├── tt__nextflow.js
├── test__Yommy.js
├── fa__lannblanchnee.js
├── test2__legik.js
├── tiktok__sunbird89629.js
├── hgfd__maqunjing.js
├── test1__jess2696alyn.js
├── test__Nriver.js
├── test-project__Experiya.js
├── test__p4nci.js
├── test__sdcampbell.js
├── only-ssl-by-t__Elpepe25456.js
├── asd1231__vumail159951.js
├── facebook__dlikemobile26.js
├── looking-for-security-analysts__bundamodelagency.js
├── sh__vumail159951.js
├── vipps-antijb__oleavr.js
├── get-android-security-provider-mstg-network-6__platix.js
├── youtube-ios-adblock__oleavr.js
├── bbox__AnonymousVip.js
├── vmate__AnonymousVip.js
├── free__AnonymousVip.js
├── free2__AnonymousVip.js
├── read-std-string-apple__mukeran.js
├── test2112__vu159951.js
├── anti-debug-bypass__kushjasrapuria.js
├── teste__tomax143.js
├── ios-sqlite3__xperylab.js
├── read-std-string__oleavr.js
├── tiktok-ios__Dorys221.js
├── force-open-wechat-xlog__dvdface.js
├── bypass-decrypted-rom-integrity-checks---frida__ibadfawa.js
├── localizacao__Rickpg2023.js
├── test-zza__miromiro11.js
├── app-context-bypass__raphc43.js
├── new-test__Saqibesya.js
├── chrome-url-interceptor__raphc43.js
├── conscrypt-ca__lolicon.js
├── killssl__SYM01.js
├── bypass-root-plugins-cyberkatze-iroot__0xshdax.js
├── he__vumail159951.js
├── android-location-spoofing__dzervas.js
├── screenshot-protection__eiliyakeshtkar0.js
├── ios-list-apps__xiaooojun.js
├── getchildpid__J-jaeyoung.js
├── c-list-function__X-Vector.js
├── substrate-unloader__mrmacete.js
├── android-debug-mode-bypass__Raphkitue.js
├── enum-packages-check__beyrakIn.js
├── ios-freerasp-bypass__0tax00.js
├── ios-list-apps__sdcampbell.js
├── load-from-asset-folder__jackkongjr.js
├── simple-android-toast__yodiaditya.js
├── stringcompare__dzonerzy.js
├── ios-change-location__xiaooojun.js
├── rr__eitguide.js
├── block-root-check__Neo-vortex.js
├── list-ios-apps__sdcampbell.js
├── 2__vumail159951.js
├── enum-file-check__beyrakIn.js
├── android-freerasp-bypass__luca-regne.js
├── classes-by-keywords__wrycaio.js
├── backtraces__InvictusNinja.js
├── tbdoool__abdolzx.js
├── 11__Malfarion.js
├── discover-java-random-usage__krue4954.js
├── sd__komoosdosk.js
├── ios-disable-ssl-check__SYM01.js
├── cordova---enable-webview-debugging__gameFace22.js
├── root-detection-bypass-for-cordova-plugin-devicecompile__damaidec.js
├── anti-frida-bypass__enovella.js
├── android-full-class-path__k7eon.js
├── firfirestore__Mo7amedFouad.js
├── ios-backtrace-http-req__SYM01.js
├── mlbb__GDTNguyen.js
├── piracy-checker-bypass__fopina.js
├── android-inspect-webviews__sdcampbell.js
├── anti-frida-bypass__kushjasrapuria.js
├── anti-frida-bypass__x90nopslide.js
├── sslpinningmine__AkhileshCh.js
├── scottyab-root-bypass__abrahem.js
├── teste4__BR92Bruno.js
├── sgsasg__vumail159951.js
├── logs-android-frida-ts__joaoviictorti.js
├── ios-trustkit-ssl-unpinning__platix.js
├── universal-android-ssl-pinning-bypass-2__sowdust.js
├── jailmonkey-root-detection-bypass__anubi5egypt.js
├── enum-root-file-check__beyrakIn.js
├── reveny-emulator-bypassjs__roopaks31051987-maker.js
├── android-native-log__luoyesiqiu.js
├── enumerate-library__InvictusNinja.js
├── stacktracing-activities__sknux.js
├── search-for-the-string-in-memory__DiegoCaridei.js
├── aes-decrypt-no-iv__azurda.js
├── ios-location-spoofing__securitytest3r.js
├── uiwebview-ssl-validation-killer__mrmacete.js
├── mac-mojave-ssl-bypass__minacrissdev.js
├── find-ios-app-by-display-name__dki.js
├── viber-26-6-4-0-ssl-pinning__YasarKah.js
├── bypass-react-native-emulator-detection__khantsithu1998.js
├── okhttp3-obfuscated---ssl-pinning-bypass__sahabrifki.js
├── hello-world__Fitblip.js
├── get-a-stack-trace-in-your-hook__razaina.js
├── android-ssl-pinning-bypass-2__ivan-sincek.js
├── sd__vutranHS.js
├── ibm-trusteer-ios-sdk-bypass__mgrela.js
├── debug-webview__lolicon.js
├── fgdgd__vumail159951.js
├── test__Legal1337228.js
├── supportsqlitestatement__marcohald.js
├── frida-okhttp3-tls__RadonCoding.js
├── uncrackable1-solution__sosacrazy126.js
├── 2__Malfarion.js
├── android-ssl-bypass__pbalmelle.js
├── okhttp-proxy-installator__0xbad0c0d3.js
├── okhttp__Malfarion.js
├── uncrackable-l1-passcode-extractor__dzulfiqois.js
├── universal-android-ssl-pinning-bypass__avltree9798.js
├── ios-16-location-spoofing__Rablidad.js
├── string__vumail159951.js
├── ios-ssl-key-steal2__atuncer.js
├── enum-code-exec__beyrakIn.js
├── android-certificate-pinning-bypass__segura2010.js
├── custom-phonegap-sslcertificatechecker-bypass__gchib297.js
├── android-okhttp3-logger__nneonneo.js
├── okhttp3-certificate-pinner-bypass__silva95gustavo.js
├── trace-android-binder-call-from-binderproxy__dvdface.js
├── ios-touch-id-bypass__ivan-sincek.js
├── murder-meta-bypass__log-cat.js
├── root-function__Raghav-Gupta99.js
├── print-params__InvictusNinja.js
├── pdf__komoosdosk.js
├── android-deep-link-observer__leolashkevych.js
├── cosmote-whatsup-certificate-pinning-bypass__stavros0.js
├── flutter-ssl-pinning-bypass__skytolfers.js
├── hook-javascript-interfaces__komen205.js
├── classloader__Hyupai.js
├── ios-location-spoofer__karim-moftah.js
├── nsurl--ios13__DuffyAPP-IT.js
├── advance__AnonymousVip.js
├── okhttp-hostname-verifier-bypass__federicodotta.js
├── https-stalker__lolicon.js
├── ios-proxy-detection-bypass__electrondefuser.js
├── pollo__FusionzBruhh.js
├── firebase-for-android-react-native-dumper__0x25CBFC4F.js
├── geopos-and-sensor-forgery-for-pacer__FixedOctocat.js
├── dump-ios-text-views__dki.js
├── advance2__AnonymousVip.js
├── ios-custom-keyboard-support__ay-kay.js
├── ios-jailmonkey-jailbreak-detection-bypass__darklotuskdb.js
├── bcryptdll-bcryptdecrypt__fhaag95.js
├── bypass-wi-fi-check-on-flutter-based-ios__zionspike.js
├── ios-wrapper-jailbreak-detection-bypass__darklotuskdb.js
├── hook-createvirtualdisplay__komen205.js
├── libcurl-proxy-enabler__TwizzyIndy.js
├── python-cli-tool-boilerplate__oleavr.js
├── android-ios-freerasp-bypass__DevTraleski.js
├── sad__komoosdosk.js
├── force-enable-strictmode__dvdface.js
├── onpixtv__Hyupai.js
├── macbook-charging-controls__oleavr.js
├── cplusplus-hookcustomfunction__X-Vector.js
├── android-codeshare-loader__sdcampbell.js
├── ios-nsurl__Computershik73.js
├── ios10-ssl-bypass__dki.js
├── intercept-android-apk-crypto-operations__fadeevab.js
├── ios-openurl__karim-moftah.js
├── show-ios-app-owned-classes__interference-security.js
├── unix-socket-peer-pid-observer__oleavr.js
├── react-native-firebase-remote-config__RohindhR.js
├── dumper__Hyupai.js
├── android-hook-notification-builder__sdcampbell.js
├── ios11-12-ssl-bypass__Sotam.js
├── block-toast-with-stacktrace__Neo-vortex.js
├── binder-stalker__lolicon.js
├── bypass-developermode-check-android__zionspike.js
├── inmemorydexclassloader-dump__cryptax.js
├── frinja---permissions__ninjadiary.js
├── android-query-provider__leolashkevych.js
├── ios-list-apps__oleavr.js
├── null-vector-cbcmode__padmadl.js
├── bypass-framgia-emulator-checker__latestnew1310.js
├── ios-pinning-disable__snooze6.js
├── ios-ssl-key-steal__atuncer.js
└── swift-symmetrickey-dump__rparviainen.js
└── .gitignore
/frida-codeshare-scripts/tt__nextflow.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:3712 @nextflow/tt
4 | tt
5 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
6 | //hash:3712 @nextflow/tt
7 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/test__Yommy.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:3556498 @Yommy/test
4 | test
5 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
6 | //hash:3556498 @Yommy/test
7 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/fa__lannblanchnee.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:97 @lannblanchnee/fa
4 | a
5 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
6 | //hash:97 @lannblanchnee/fa
7 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/test2__legik.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:1392532082 @legik/test2
4 | //test
5 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
6 | //hash:1392532082 @legik/test2
7 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/tiktok__sunbird89629.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:3264 @sunbird89629/tiktok
4 | ff
5 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
6 | //hash:3264 @sunbird89629/tiktok
7 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/hgfd__maqunjing.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-1633164631 @maqunjing/hgfd
4 | jhgfdxz
5 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
6 | //hash:-1633164631 @maqunjing/hgfd
7 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/test1__jess2696alyn.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:110251487 @jess2696alyn/test1
4 | test1
5 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
6 | //hash:110251487 @jess2696alyn/test1
7 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/test__Nriver.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:1990671549 @Nriver/test
/**
 * Empty placeholder: takes no arguments, performs no work and returns
 * undefined. No hooks are installed by this file.
 */
function test() {}
7 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
8 | //hash:1990671549 @Nriver/test
9 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/test-project__Experiya.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:2079042193 @Experiya/test-project
// NOTE(review): `Print` is not defined anywhere in this file; unless the host
// runtime supplies it, this single call fails with a ReferenceError.
Print("1");
5 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
6 | //hash:2079042193 @Experiya/test-project
7 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/test__p4nci.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-2109748645 @p4nci/test
// Placeholder script: the callback handed to Java.perform is empty, so no
// classes are looked up and no hooks are installed.
Java.perform(() => {});
7 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
8 | //hash:-2109748645 @p4nci/test
9 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/test__sdcampbell.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:2075411820 @sdcampbell/test
4 | test
Hello
5 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
6 | //hash:2075411820 @sdcampbell/test
7 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/only-ssl-by-t__Elpepe25456.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-416755409 @Elpepe25456/only-ssl-by-t
4 | /////////////////
5 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
6 | //hash:-416755409 @Elpepe25456/only-ssl-by-t
7 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/asd1231__vumail159951.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:412394471 @vumail159951/asd1231
// Overwrites the static field android.os.Build.VERSION.SDK_INT with 15 inside
// the instrumented process, so code that reads the field afterwards sees API
// level 15 instead of the device's real value.
Java.perform(() => {
  const buildVersion = Java.use('android.os.Build$VERSION');

  buildVersion.SDK_INT.value = 15;
});
11 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
12 | //hash:412394471 @vumail159951/asd1231
13 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/facebook__dlikemobile26.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-1573384259 @dlikemobile26/facebook
4 | d40205e61b0396e9d3da0130521b21287ba6cd817d254dde498fb1f091418e8
5 |
6 | $ frida --codeshare akabe1/frida-multiple-unpinning -f YOUR_BINARY
7 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
8 | //hash:-1573384259 @dlikemobile26/facebook
9 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | # Build and Release Folders
2 | bin-debug/
3 | bin-release/
4 | [Oo]bj/
5 | [Bb]in/
6 |
7 | # Other files and folders
8 | .settings/
9 |
10 | # Executables
11 | *.swf
12 | *.air
13 | *.ipa
14 | *.apk
15 |
16 | # Project files, i.e. `.project`, `.actionScriptProperties` and `.flexProperties`
17 | # should NOT be excluded as they contain compiler settings and other important
18 | # information for Eclipse / Flash Builder.
19 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/looking-for-security-analysts__bundamodelagency.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-630893434 @bundamodelagency/looking-for-security-analysts
4 | i am looking for new security analysts for my agency , let me know when you are interested TG @enikolopoulos
5 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
6 | //hash:-630893434 @bundamodelagency/looking-for-security-analysts
7 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/sh__vumail159951.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:1697723530 @vumail159951/sh
// Replaces the zero-argument MainActivity.verifyInfo() of the named app with a
// stub that always returns true; the original method body no longer runs.
// NOTE(review): the original local was called `RootBeer`, but the class it
// wraps is the app's own MainActivity, so it is named for what it holds here.
// A boolean verdict computed on the device can be overridden like this, which
// is why such a check should be backed by server-side verification.
Java.perform(() => {
  const mainActivity = Java.use("com.harrison.demo.autoairpay.ui.main.MainActivity");
  const verifyInfo = mainActivity.verifyInfo.overload();

  verifyInfo.implementation = () => true;
});
14 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
15 | //hash:1697723530 @vumail159951/sh
16 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/vipps-antijb__oleavr.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-147782172 @oleavr/vipps-antijb
'use strict';

// Swaps the implementation of the class method +[VPSUtils isJailbroken] for
// one that logs the call and always answers false. The original detection
// routine is not invoked once the replacement is in place.
const isJailbroken = ObjC.classes.VPSUtils['+ isJailbroken'];

isJailbroken.implementation = ObjC.implement(isJailbroken, (handle, selector) => {
  console.log('+[VPSUtils isJailbroken] => nope!');
  return false;
});
11 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
12 | //hash:-147782172 @oleavr/vipps-antijb
13 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/get-android-security-provider-mstg-network-6__platix.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-1091476162 @platix/get-android-security-provider-mstg-network-6
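// Lists the security providers registered in the instrumented app, one per
// line, in the order java.security.Security returns them (preference order).
// This is the provider check the script title refers to (MSTG-NETWORK-6):
// the reviewer reads the output to see which provider is preferred and at
// which version.
Java.perform(() => {
  const Security = Java.use("java.security.Security");

  // getProviders() is a static method, so it is called on the class wrapper;
  // constructing a Security instance first is unnecessary.
  const providers = Security.getProviders();

  for (let i = 0; i < providers.length; i++) {
    const provider = providers[i];
    // Name and version are printed explicitly so the output does not depend
    // on how the array wrapper happens to stringify.
    console.log(`[${i}] ${provider.getName()} ${provider.getVersion()}`);
  }
});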
10 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
11 | //hash:-1091476162 @platix/get-android-security-provider-mstg-network-6
12 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/youtube-ios-adblock__oleavr.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:1504812317 @oleavr/youtube-ios-adblock
'use strict';

// Make sure the named module's initialisers have run before its Objective-C
// classes are touched.
Module.ensureInitialized('Module_Framework');

// Replaces -[YTIPlayerResponse isMonetized] with a stub that always returns
// false; the original getter is never consulted afterwards.
const monetizedGetter = ObjC.classes.YTIPlayerResponse['- isMonetized'];

monetizedGetter.implementation = ObjC.implement(monetizedGetter, () => false);
12 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
13 | //hash:1504812317 @oleavr/youtube-ios-adblock
14 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/bbox__AnonymousVip.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:1856240326 @AnonymousVip/bbox
// Observes HelperJNI.base64encode: every call is forwarded to the original
// method, the argument is logged as JSON, and the original result is returned
// unchanged. The logged bytes are whatever the app passes in, so the console
// output should be handled as potentially sensitive.
Java.perform(() => {
  const helperJni = Java.use("cn.tongdun.android.shell.common.HelperJNI");

  helperJni.base64encode.implementation = function (bArr) {
    // Call through first so the app's behaviour is not altered by the hook.
    const encoded = this.base64encode(bArr);
    console.log(JSON.stringify(bArr));
    return encoded;
  };
});
12 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
13 | //hash:1856240326 @AnonymousVip/bbox
14 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/vmate__AnonymousVip.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:686678543 @AnonymousVip/vmate
// Observes the single-String overload of DecorativePacket.b: the call is
// forwarded to the original method, the argument is printed, and the original
// return value is handed back untouched.
Java.perform(() => {
  const decorativePacket = Java.use("com.ushareit.core.algo.DecorativePacket");
  const stringOverload = decorativePacket.b.overload('java.lang.String');

  stringOverload.implementation = function (ok) {
    const result = this.b(ok);
    console.log(ok);
    return result;
  };
});
12 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
13 | //hash:686678543 @AnonymousVip/vmate
14 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/free__AnonymousVip.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-1299561551 @AnonymousVip/free
// Observes BoxUtil.limitBox: the call is forwarded to the original method and
// its return value is logged as JSON before being passed back unchanged.
Java.perform(() => {
  const boxUtil = Java.use("cn.tongdun.android.shell.utils.BoxUtil");

  boxUtil.limitBox.implementation = function (jSONObject, i) {
    const limited = this.limitBox(jSONObject, i);
    // Logs the RESULT of the call (not the input object).
    console.log(JSON.stringify(limited));
    return limited;
  };
});
12 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
13 | //hash:-1299561551 @AnonymousVip/free
14 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/free2__AnonymousVip.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:186059953 @AnonymousVip/free2
// Observes BoxUtil.limitBox: the call is forwarded to the original method,
// the first argument is logged as JSON, and the original return value is
// passed back unchanged.
Java.perform(() => {
  const boxUtil = Java.use("cn.tongdun.android.shell.utils.BoxUtil");

  boxUtil.limitBox.implementation = function (jSONObject, i) {
    const limited = this.limitBox(jSONObject, i);
    // Logs the INPUT object; it is serialised after the original call has
    // returned, so any change the call made to it would show up here.
    console.log(JSON.stringify(jSONObject));
    return limited;
  };
});
12 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
13 | //hash:186059953 @AnonymousVip/free2
14 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/read-std-string-apple__mukeran.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-228918199 @mukeran/read-std-string-apple
/**
 * Reads the text of a std::string object located at `str`.
 *
 * The top bit of the last byte of the three-pointer-sized object selects
 * where the characters are read from: flag clear, they are read directly at
 * `str`; flag set, the pointer stored at the start of the object is followed.
 *
 * Both reads stop at the first NUL byte because no length is passed, so a
 * string with embedded NULs is returned truncated. `str` is not validated;
 * the caller must pass a pointer to a live std::string.
 *
 * @param {NativePointer} str - Address of the std::string object.
 * @returns {string} The decoded UTF-8 text.
 */
function readStdStringForApple(str) {
  const LONG_FLAG = 0b10000000;
  const lastByte = str.add(3 * Process.pointerSize - 1).readU8();

  if ((lastByte & LONG_FLAG) !== LONG_FLAG) {
    return str.readUtf8String();
  }

  return str.readPointer().readUtf8String();
}
12 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
13 | //hash:-228918199 @mukeran/read-std-string-apple
14 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/test2112__vu159951.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-1913816607 @vu159951/test2112
// Looks up the two-String overload of FISPlugin.b, prints the overload
// wrapper, then invokes it once with two hard-coded string arguments.
// The value returned by that call is discarded.
Java.perform(() => {
  const fisPlugin = Java.use("com.fpt.fisplugin.fisplugin.FISPlugin");
  const twoStringOverload = fisPlugin.b.overload("java.lang.String", "java.lang.String");

  console.log(twoStringOverload);

  // NOTE(review): the overload wrapper is passed as its own receiver here;
  // whether that is a usable `this` for the underlying method is not visible
  // from this file.
  twoStringOverload.call(twoStringOverload, 'e24df920078c3dd4e7e8d2442f00e5c9a', '7595');
});
11 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
12 | //hash:-1913816607 @vu159951/test2112
13 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/anti-debug-bypass__kushjasrapuria.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:784080548 @kushjasrapuria/anti-debug-bypass
// Github: https://github.com/kushjasrapuria

// Replaces android.os.Debug.isDebuggerConnected() with a stub that always
// returns false, so the app's own debugger check sees "no debugger" whatever
// the real state is. A blank line is printed once when the script loads.
Java.perform(() => {
  const debugClass = Java.use('android.os.Debug');

  console.log("\n");

  debugClass.isDebuggerConnected.implementation = () => false;
});
15 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
16 | //hash:784080548 @kushjasrapuria/anti-debug-bypass
17 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/teste__tomax143.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:742655863 @tomax143/teste
// Wraps RequestMoneyRequestGatewayModel.getIdc(): a fixed marker line is
// printed on every call and the original getter's value is returned unchanged.
// The hook only signals that the getter was reached; the value itself is not
// logged.
Java.perform(() => {
  const requestModel = Java.use(
    "pt.sibs.android.mbway.core.gatewaymodels.transfer.RequestMoneyRequestGatewayModel"
  );

  requestModel.getIdc.implementation = function () {
    console.log("Idc: teste");
    const idc = this.getIdc();
    return idc;
  };
});
12 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
13 | //hash:742655863 @tomax143/teste
14 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/ios-sqlite3__xperylab.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-70845927 @xperylab/ios-sqlite3
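// Logs the SQL text of every statement the process compiles through
// sqlite3_prepare_v2() in libsqlite3.dylib. Queries can carry user data
// inline, so the console output should be handled as sensitive.
var func_sqlite3_prepare_v2 = Module.findExportByName('libsqlite3.dylib', 'sqlite3_prepare_v2');

if (func_sqlite3_prepare_v2 === null) {
  // findExportByName returns null when the export cannot be resolved;
  // attaching to null would throw, so report it and install nothing.
  console.log('sqlite3_prepare_v2 not found in libsqlite3.dylib');
} else {
  Interceptor.attach(func_sqlite3_prepare_v2, {
    onEnter(args) {
      // Signature: sqlite3_prepare_v2(db, zSql, nByte, ppStmt, pzTail).
      // args[1] is the SQL text, not a statement handle, so it is named
      // accordingly (the original local was called `sqlite3_stmt`).
      const sqlText = args[1];
      // NOTE(review): the read runs to the first NUL and ignores nByte
      // (args[2]); confirm callers always pass NUL-terminated SQL.
      console.log('SQL: ' + sqlText.readCString());
    },
  });
}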
15 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
16 | //hash:-70845927 @xperylab/ios-sqlite3
17 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/read-std-string__oleavr.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-996202087 @oleavr/read-std-string
/*
 * Note: Only compatible with libc++, though libstdc++'s std::string is a lot simpler.
 */

/**
 * Reads the text of a libc++ std::string object located at `str`.
 *
 * The low bit of the first byte selects where the characters are read from:
 * bit clear, they are read starting one byte into the object; bit set, the
 * pointer stored two pointer-sizes into the object is followed.
 *
 * Both reads stop at the first NUL byte because no length is passed. `str`
 * is not validated; the caller must pass a pointer to a live std::string.
 *
 * @param {NativePointer} str - Address of the std::string object.
 * @returns {string} The decoded UTF-8 text.
 */
function readStdString(str) {
  const firstByte = str.readU8();
  const isLong = (firstByte & 1) !== 0;

  if (isLong) {
    const dataPointerSlot = str.add(2 * Process.pointerSize);
    return dataPointerSlot.readPointer().readUtf8String();
  }

  return str.add(1).readUtf8String();
}
16 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
17 | //hash:-996202087 @oleavr/read-std-string
18 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/tiktok-ios__Dorys221.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-1882759995 @Dorys221/tiktok-ios
// Hooks -[TTHttpTask skipSSLCertificateError] and rewrites its return value
// to 1 on every call, logging each override.
// NOTE(review): judging by the selector name, a forced 1 makes the app skip
// its certificate-error handling; connections made by a process instrumented
// like this should be treated as unauthenticated.
const skipSslErrorMethod = ObjC.classes.TTHttpTask["- skipSSLCertificateError"];

const returnOverride = {
  onEnter(args) {},
  onLeave(retval) {
    console.log('Overriding -> TTHttpTask skipSSLCertificateError : ');
    retval.replace(0x1);
  },
};

Interceptor.attach(skipSslErrorMethod.implementation, returnOverride);

// Printed once the hook has been installed.
console.log('Successfully Initalized SSL Bypass...');
16 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
17 | //hash:-1882759995 @Dorys221/tiktok-ios
18 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/force-open-wechat-xlog__dvdface.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-1608543866 @dvdface/force-open-wechat-xlog
// Scans the heap for live com.tencent.mars.xlog.Xlog instances and calls
// setConsoleLogOpen(0, true) on each one found. Only instances that already
// exist when the scan runs are touched; nothing is hooked for later ones.
Java.perform(() => {
  const openConsoleLog = (instance) => {
    console.log('set console xlog open');
    instance.setConsoleLogOpen(0, true);
  };

  Java.choose('com.tencent.mars.xlog.Xlog', {
    onMatch: openConsoleLog,
    // Nothing to do once the scan has finished.
    onComplete() {},
  });
});
19 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
20 | //hash:-1608543866 @dvdface/force-open-wechat-xlog
21 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/bypass-decrypted-rom-integrity-checks---frida__ibadfawa.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:1600396960 @ibadfawa/bypass-decrypted-rom-integrity-checks---frida
// Replaces the zero-argument StorageManager.isEncrypted() with a stub that
// always returns true. The real value is still queried once per call, but
// only so it can be printed as a warning; it never reaches the caller.
Java.perform(() => {
  const storageManager = Java.use("android.os.storage.StorageManager");
  const isEncrypted = storageManager.isEncrypted.overload();

  isEncrypted.implementation = function () {
    const actual = this.isEncrypted();
    console.warn("isEncrypted:", actual);
    return true;
  };
});
12 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
13 | //hash:1600396960 @ibadfawa/bypass-decrypted-rom-integrity-checks---frida
14 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/localizacao__Rickpg2023.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:1159530035 @Rickpg2023/localizacao
// Fixed coordinates handed to the app in place of the values stored in each
// android.location.Location object.
const lat = -23.6269477;
const lng = -46.4701341;

// Replaces Location.getLatitude() and Location.getLongitude() so they return
// the constants above and report each override through send(). Other Location
// accessors are left untouched, so they still reflect the real fix.
Java.perform(() => {
  const locationClass = Java.use("android.location.Location");

  locationClass.getLatitude.implementation = () => {
    send("Overwriting Lat to " + lat);
    return lat;
  };

  locationClass.getLongitude.implementation = () => {
    send("Overwriting Lng to " + lng);
    return lng;
  };
});
18 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
19 | //hash:1159530035 @Rickpg2023/localizacao
20 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/test-zza__miromiro11.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:1814578291 @miromiro11/test-zza
// Replaces TrustManagerImpl.checkTrustedRecursive with a stub that ignores all
// six arguments and returns a new, empty java.util.ArrayList. The platform's
// own implementation of that method no longer runs in the instrumented
// process, so TLS peers there are not validated by it.
// NOTE(review): the original local was called `ApiClient`; the class it wraps
// is Conscrypt's TrustManagerImpl.
Java.perform(() => {
  const arrayListClass = Java.use("java.util.ArrayList");
  const trustManagerImpl = Java.use('com.android.org.conscrypt.TrustManagerImpl');

  trustManagerImpl.checkTrustedRecursive.implementation = (a1, a2, a3, a4, a5, a6) => {
    const emptyChain = arrayListClass.$new();
    return emptyChain;
  };
}, 0);
14 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
15 | //hash:1814578291 @miromiro11/test-zza
16 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/app-context-bypass__raphc43.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-1301238455 @raphc43/app-context-bypass
// Turns on WebView content debugging for the instrumented app by calling the
// static WebView.setWebContentsDebuggingEnabled(true) on the main thread, then
// prints the class wrapper and a confirmation line. The whole script is a
// no-op when no Java runtime is available in the process.
if (Java.available) {
  const enableWebViewDebugging = () => {
    const webViewClass = Java.use("android.webkit.WebView");
    webViewClass.setWebContentsDebuggingEnabled(true);
    console.log(webViewClass);
    console.log("[+] WebView debug enabled successfully!");
  };

  Java.perform(() => {
    Java.scheduleOnMainThread(enableWebViewDebugging);
  });
}
14 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
15 | //hash:-1301238455 @raphc43/app-context-bypass
16 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/new-test__Saqibesya.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:1493291156 @Saqibesya/new-test
// Replaces TrustManagerImpl.checkTrustedRecursive with a stub that ignores all
// six arguments and returns a new, empty java.util.ArrayList. The platform's
// own implementation of that method no longer runs in the instrumented
// process, so TLS peers there are not validated by it.
// NOTE(review): the original local was called `ApiClient`; the class it wraps
// is Conscrypt's TrustManagerImpl.
Java.perform(() => {
  const arrayListClass = Java.use("java.util.ArrayList");
  const trustManagerImpl = Java.use('com.android.org.conscrypt.TrustManagerImpl');

  trustManagerImpl.checkTrustedRecursive.implementation = (a1, a2, a3, a4, a5, a6) => {
    const emptyChain = arrayListClass.$new();
    return emptyChain;
  };
}, 0);
16 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
17 | //hash:1493291156 @Saqibesya/new-test
18 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/chrome-url-interceptor__raphc43.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:984451036 @raphc43/chrome-url-interceptor
// Observes Tab.getUrl(): every call is forwarded to the original method and
// its result returned unchanged; the value is printed only when it differs
// from the one printed last. Browsing history ends up in the console output,
// so that output should be handled as sensitive.
Java.perform(() => {
  const tabClass = Java.use("org.chromium.chrome.browser.tab.Tab");
  let lastLoggedUrl = null;

  tabClass.getUrl.implementation = function () {
    const currentUrl = this.getUrl();

    // NOTE(review): strict equality is used; if getUrl() hands back an object
    // wrapper rather than a string, every call compares unequal and is logged.
    if (currentUrl === lastLoggedUrl) {
      return currentUrl;
    }

    console.log(`Current URL: ${currentUrl}`);
    lastLoggedUrl = currentUrl;
    return currentUrl;
  };
});
17 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
18 | //hash:984451036 @raphc43/chrome-url-interceptor
19 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/conscrypt-ca__lolicon.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-1977654126 @lolicon/conscrypt-ca
// Swaps every overload of checkServerTrusted on
// com.android.org.conscrypt.ConscryptEngineSocket$2 for a stub that only
// prints the arguments it receives. The stub never calls the original
// implementation and returns undefined, so whatever validation the original
// performed is skipped while this script is loaded.
Java.perform(() => {
    // Both handles are resolved but not used anywhere below.
    const Log = Java.use('android.util.Log');
    const Exception = Java.use('java.lang.Exception');

    const socketTrustManager = Java.use('com.android.org.conscrypt.ConscryptEngineSocket$2');
    for (const overload of socketTrustManager.checkServerTrusted.overloads) {
        overload.implementation = function (...args) {
            console.log(...args);
        };
    }
});

// Printed when the script body has been evaluated, independent of the hooks.
console.log(`ready to go`);
17 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
18 | //hash:-1977654126 @lolicon/conscrypt-ca
19 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/killssl__SYM01.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-1069017775 @SYM01/killssl
// Attaches to -[FBLigerConfig ligerEnabled] and forces its return value to 0.
// The method's arguments are printed on entry. The original author describes
// the purpose as defeating SSL pinning in the Facebook iOS app; nothing else
// in the class is touched.
setImmediate(() => {
    const ligerConfig = ObjC.classes.FBLigerConfig;
    console.log(ligerConfig);

    // fake facebook ios ssl pinning
    const ligerEnabled = ligerConfig['- ligerEnabled'];
    Interceptor.attach(ligerEnabled.implementation, {
        onEnter(args) {
            console.log(args);
        },
        onLeave(retval) {
            // Overwrite whatever the method computed with 0.
            retval.replace(0);
        },
    });
});
17 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
18 | //hash:-1069017775 @SYM01/killssl
19 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/bypass-root-plugins-cyberkatze-iroot__0xshdax.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-1673970592 @0xshdax/bypass-root-plugins-cyberkatze-iroot
4 | // Author: 0xshdax
5 |
// Hooks de.cyberkatze.iroot.IRoot.execute(): the original method is still
// called with the same arguments, but its return value is discarded and the
// hook always returns false.
// NOTE(review): only the return value is changed here; anything the original
// reports through callbackContext is not altered by this script.
Java.perform(() => {
    const rootPlugin = Java.use("de.cyberkatze.iroot.IRoot");

    rootPlugin["execute"].implementation = function(str, jSONArray, callbackContext) {
        this["execute"](str, jSONArray, callbackContext);
        console.log(`Bypass Root [!]`);
        return false;
    };
});
14 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
15 | //hash:-1673970592 @0xshdax/bypass-root-plugins-cyberkatze-iroot
16 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/he__vumail159951.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:1665705242 @vumail159951/he
// Pass-through hook on java.lang.StringBuilder.toString(): the original is
// called and its result returned untouched. The author's logging of each
// built string is disabled, so as written the hook has no visible effect.
// StringBuilder.toString() is called extremely often; enabling logging here
// will expose every string the process assembles, secrets included.
Java.perform(() => {
    const StringBuilder = Java.use('java.lang.StringBuilder');

    StringBuilder.toString.implementation = function() {
        const built = this.toString();
        //console.log(built);
        return built;
    };
});
19 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
20 | //hash:1665705242 @vumail159951/he
21 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/android-location-spoofing__dzervas.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:1397992229 @dzervas/android-location-spoofing
// Fixed coordinates reported to the instrumented app.
const lat = 27.9864882;
const lng = 33.7279001;

// Overrides android.location.Location.getLatitude()/getLongitude() so every
// Location object in the process reports the constants above. Each call also
// sends a message to the Frida host. Only these two getters are replaced;
// other Location fields are left as the platform supplied them.
Java.perform(() => {
    const Location = Java.use("android.location.Location");

    Location.getLatitude.implementation = function() {
        send(`Overwriting Lat to ${lat}`);
        return lat;
    };

    Location.getLongitude.implementation = function() {
        send(`Overwriting Lng to ${lng}`);
        return lng;
    };
});
18 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
19 | //hash:1397992229 @dzervas/android-location-spoofing
20 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/screenshot-protection__eiliyakeshtkar0.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:1001268971 @eiliyakeshtkar0/screenshot-protection
// Hooks android.view.Window.setFlags(flags, mask) and clears bit 0x2000
// (FLAG_SECURE) from both arguments before forwarding to the original.
// Only calls that go through setFlags are affected by this hook.
// Takeaway for app owners: FLAG_SECURE is a client-side control and cannot be
// relied on once the process is instrumented.
Java.perform(() => {
    const FLAG_SECURE = 0x2000;
    const Window = Java.use("android.view.Window");

    Window.setFlags.implementation = function(flags, mask) {
        const strippedFlags = flags & ~FLAG_SECURE;
        const strippedMask = mask & ~FLAG_SECURE;
        console.log("Bypassed FLAG_SECURE");
        return this.setFlags(strippedFlags, strippedMask);
    };
});
14 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
15 | //hash:1001268971 @eiliyakeshtkar0/screenshot-protection
16 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/ios-list-apps__xiaooojun.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-1408939508 @xiaooojun/ios-list-apps
// Runs on the main queue and prints "<localized name>: <bundle identifier>"
// for every entry returned by LSApplicationWorkspace.allApplications().
// Read-only: nothing in the target process is modified.
ObjC.schedule(ObjC.mainQueue, () => {
    const installed = ObjC.classes.LSApplicationWorkspace.defaultWorkspace().allApplications();
    const cursor = installed.objectEnumerator();

    // nextObject() yields null once the enumerator is exhausted.
    for (let app = cursor.nextObject(); app !== null; app = cursor.nextObject()) {
        console.log(app.localizedName().toString() + ": " + app.applicationIdentifier().toString());
    }
});
13 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
14 | //hash:-1408939508 @xiaooojun/ios-list-apps
15 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/getchildpid__J-jaeyoung.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:727159401 @J-jaeyoung/getchildpid
4 | //[Usage] frida --codeshare J-jaeyoung/getchildpid [bash_pid]
5 |
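// Traces fork() in the attached process and prints the value it returns.
// Passing null as the module name searches every loaded module for the export.
var fork = Module.findExportByName(null, "fork");

if (fork === null) {
    // Interceptor.attach() throws on a null target; report the miss instead
    // of aborting the script with an exception.
    console.log("[!] fork export not found; hook not installed");
} else {
    Interceptor.attach(fork, {
        onEnter: function(args) {
            console.log("Start fork...");
        },
        onLeave: function(retval) {
            // fork() returns a signed pid_t: > 0 is the child's pid (seen in
            // the parent), 0 is the child side, -1 is failure. toInt32() keeps
            // -1 readable; round-tripping through a hex string turned it into
            // a huge positive number on 64-bit targets.
            var pid = retval.toInt32();
            console.log("[child pid] ", pid);
            console.log("End fork...");
        }
    });
}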
18 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
19 | //hash:727159401 @J-jaeyoung/getchildpid
20 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/c-list-function__X-Vector.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:359952596 @X-Vector/c-list-function
var moduleName = "Project1.exe"; // Change this if needed

// One second after load, enumerates the symbols of `moduleName` and prints
// the name and address of each one whose type is "function". Read-only.
setTimeout(() => {
    const functionSymbols = Module.enumerateSymbols(moduleName)
        .filter((symbol) => symbol.type === "function");
    console.log("[*] Listing functions in " + moduleName);

    for (const symbol of functionSymbols) {
        console.log("[+] Function: " + symbol.name + " at " + symbol.address);
    }
}, 1000);
16 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
17 | //hash:359952596 @X-Vector/c-list-function
18 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/substrate-unloader__mrmacete.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:1370406505 @mrmacete/substrate-unloader
// Callable handle to the real dlopen(const char *path, int mode).
var dlopen = new NativeFunction(
    Module.findExportByName(null, 'dlopen'),
    'pointer', ['pointer', 'int']);

// Replaces dlopen(): a request whose path contains 'SubstrateLoader' gets a
// NULL handle back (the library is not loaded); every other request is
// forwarded unchanged. A NULL path reads as null and is forwarded as well.
Interceptor.replace(dlopen, new NativeCallback((path, mode) => {
    const requested = Memory.readUtf8String(path);
    const isSubstrateLoader = requested !== null && requested.includes('SubstrateLoader');
    return isSubstrateLoader ? NULL : dlopen(path, mode);
}, 'pointer', ['pointer', 'int']));
15 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
16 | //hash:1370406505 @mrmacete/substrate-unloader
17 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/android-debug-mode-bypass__Raphkitue.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:841137279 @Raphkitue/android-debug-mode-bypass
// Makes android.os.Debug.isDebuggerConnected() return false unconditionally.
// The original method is not called. Only this one API is affected; other
// ways an app may look for a debugger are not touched by this script.
setTimeout(() => {
    Java.perform(() => {
        console.log("");
        console.log("[.] Debug check bypass");

        const Debug = Java.use('android.os.Debug');
        Debug.isDebuggerConnected.implementation = function() {
            //console.log('isDebuggerConnected Bypassed !');
            return false;
        };
    });
}, 0);
18 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
19 | //hash:841137279 @Raphkitue/android-debug-mode-bypass
20 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/enum-packages-check__beyrakIn.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-1716019321 @beyrakIn/enum-packages-check
// Logs every package name the app asks about through
// ApplicationPackageManager.getPackageInfo(String, int), then forwards the
// call to the original overload and returns its result unchanged.
// Observation only: useful for seeing which packages an app probes for.
Java.perform(() => {
    console.log("\nFrida app running...");

    const packageManager = Java.use("android.app.ApplicationPackageManager");
    const getPackageInfo = packageManager.getPackageInfo.overload('java.lang.String', 'int');

    getPackageInfo.implementation = function(pname, flags) {
        console.log("[+] " + pname);
        return getPackageInfo.call(this, pname, flags);
    };
});
14 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
15 | //hash:-1716019321 @beyrakIn/enum-packages-check
16 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/ios-freerasp-bypass__0tax00.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-592759538 @0tax00/ios-freerasp-bypass
4 | /*
5 | GitHub: https://github.com/0tax00/ios-freerasp-bypass
6 | Usage: frida -U -f -l freerasp-bypass-ios.js
7 | */
8 |
// When the Objective-C runtime is available, replaces
// -[FreeraspReactNative talsecStart:withResolver:withRejecter:] with an empty
// native callback, so the method body never runs in the instrumented process.
// NOTE(review): the class lookup is not guarded; if FreeraspReactNative is
// absent the property access below throws - confirm against the target.
console.log("[+] freerasp-bypass-ios");
if (ObjC.available) {
    const freerasp = ObjC.classes.FreeraspReactNative;
    const talsecStart = freerasp['- talsecStart:withResolver:withRejecter:'];
    if (talsecStart) {
        talsecStart.implementation = new NativeCallback(() => {}, 'void', []);
    }
}
17 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
18 | //hash:-592759538 @0tax00/ios-freerasp-bypass
19 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/ios-list-apps__sdcampbell.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:1632332887 @sdcampbell/ios-list-apps
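/* Lists all installed apps on iOS.
   Prints one "<bundle identifier>: <localized name>" line per application.
   (The block comment was never closed in the original, which commented out
   the whole script; it is terminated here.)
*/

ObjC.schedule(ObjC.mainQueue, function() {
    var workspace = ObjC.classes.LSApplicationWorkspace.defaultWorkspace();
    var apps = workspace.allApplications();
    var appEnumerator = apps.objectEnumerator();
    var app;
    // nextObject() returns null when the enumeration is finished.
    while ((app = appEnumerator.nextObject()) !== null) {
        console.log(app.applicationIdentifier().toString() + ": " + app.localizedName().toString());
    }
});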
16 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
17 | //hash:1632332887 @sdcampbell/ios-list-apps
18 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/load-from-asset-folder__jackkongjr.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:108282083 @jackkongjr/load-from-asset-folder
4 | //Load js files when asset folder has been encrypted on a cordova mobile app
5 |
// Hooks WebView.loadUrl(String): whatever URL the app asked for is ignored
// and the fixed asset path below is loaded through the original overload.
// Every loadUrl(String) call in the process is redirected this way.
Java.perform(() => {
    const ASSET_URL = 'file:///android_asset/www/scripts/index.js'; // path to file to load on webview
    const loadUrl = Java.use("android.webkit.WebView").loadUrl.overload("java.lang.String");

    loadUrl.implementation = function(url) {
        loadUrl.call(this, ASSET_URL);
    };
});
16 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
17 | //hash:108282083 @jackkongjr/load-from-asset-folder
18 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/simple-android-toast__yodiaditya.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:876924166 @yodiaditya/simple-android-toast
4 | /*
5 | Simple Android Toast
6 | https://www.yodiw.com/frida-android-make-toast-non-rooted-device/
7 | */
8 |
// Shows a toast inside the instrumented app. The application context is taken
// from ActivityThread.currentApplication(); the toast itself is created on
// the main thread because UI objects must be used there.
Java.perform(() => {
    const appContext = Java.use('android.app.ActivityThread')
        .currentApplication()
        .getApplicationContext();

    Java.scheduleOnMainThread(() => {
        const Toast = Java.use("android.widget.Toast");
        const message = Java.use("java.lang.String").$new("This is works!");
        // Third argument 1 is the duration constant passed through to makeText.
        Toast.makeText(appContext, message, 1).show();
    });
});
18 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
19 | //hash:876924166 @yodiaditya/simple-android-toast
20 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/stringcompare__dzonerzy.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:1722589289 @dzonerzy/stringcompare
// Observes java.lang.String.equals(Object). The original comparison runs
// first and its result is always returned unchanged; when the argument is
// non-null and its string form is longer than 10 characters, both operands
// and the result are sent to the Frida host.
// Both sides of the comparison are reported, so the messages can carry
// secrets the app compares against; handle the output accordingly.
Java.perform(() => {
    const JavaString = Java.use('java.lang.String');
    const equals = JavaString.equals.overload('java.lang.Object');

    equals.implementation = function(obj) {
        const response = equals.call(this, obj);
        if (obj && obj.toString().length > 10) {
            send("Is " + JavaString.toString.call(this) + " == " + obj.toString() + "? " + response);
        }
        return response;
    };
});
20 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
21 | //hash:1722589289 @dzonerzy/stringcompare
22 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/ios-change-location__xiaooojun.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:1668390170 @xiaooojun/ios-change-location
4 | /**
5 | eg: changeLocation(30.616347, 103.992081)
6 | */
function changeLocation(newLat, newLong) {
    // Attaches to -[CLLocation coordinate]. On return, the value is wrapped
    // as an ObjC object, re-initialised with the supplied latitude/longitude
    // via initWithLatitude:longitude:, and substituted as the return value.
    // NOTE(review): this treats the return value of `coordinate` as an object
    // pointer - confirm against the CoreLocation declaration before relying on it.
    const coordinateMethod = ObjC.classes.CLLocation["- coordinate"];

    Interceptor.attach(coordinateMethod.implementation, {
        onLeave(curLocation) {
            const wrapped = new ObjC.Object(curLocation);
            const replacement = wrapped["- initWithLatitude:longitude:"](newLat, newLong);
            curLocation.replace(replacement);
        },
    });
}
18 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
19 | //hash:1668390170 @xiaooojun/ios-change-location
20 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/rr__eitguide.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:190756445 @eitguide/rr
// Traces strcmp(): when both arguments are non-NULL, they are read as UTF-8
// and the call is printed if either string contains "embeded" or "provision".
// Nothing is modified; the comparison result is left alone.
Interceptor.attach(Module.findExportByName(null, "strcmp"), {
    onEnter(args) {
        // Reading a NULL pointer as a string is pointless; skip such calls.
        if (args[0].isNull() || args[1].isNull()) {
            return;
        }

        const s1 = Memory.readUtf8String(args[0]);
        const s2 = Memory.readUtf8String(args[1]);

        const markers = ["embeded", "provision"];
        const interesting = [s1, s2].some((text) => markers.some((marker) => text.includes(marker)));
        if (interesting) {
            console.log(`strcmp(${s1}, ${s2})`);
        }
    }
});
22 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
23 | //hash:190756445 @eitguide/rr
24 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/block-root-check__Neo-vortex.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:1379271819 @Neo-vortex/block-root-check
// Replaces o.applyHelperParams$cancelAll._$$a(Context, long, long) with a
// stub that logs its arguments and returns nothing. The call to the original
// implementation is commented out, so the method body never runs.
// NOTE(review): the class and method names are obfuscated and specific to one
// build of one app; they are unlikely to match any other target.
Java.perform(() => {
    const helper = Java.use("o.applyHelperParams$cancelAll");
    const target = helper['_$$a'].overload('android.content.Context', 'long', 'long');
    const orig = target.implementation; // captured but unused

    // replace with our hook
    target.implementation = function (context, j1, j2) {
        console.log("[HOOK] _$$a called - context:", context, "j1:", j1, "j2:", j2);

        //return orig.apply(this, arguments);
    };

    console.log("[+] Hook installed for _$$a");
});
18 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
19 | //hash:1379271819 @Neo-vortex/block-root-check
20 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/list-ios-apps__sdcampbell.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-961174881 @sdcampbell/list-ios-apps
4 | /* Lists all installed apps on iOS
5 | Example: frida --codeshare sdcampbell/list-ios-apps -U -n SpringBoard
6 | */
7 |
// Runs on the main queue and prints "<bundle identifier>: <localized name>"
// for every entry returned by LSApplicationWorkspace.allApplications().
// Read-only: nothing in the target process is modified.
ObjC.schedule(ObjC.mainQueue, () => {
    const installed = ObjC.classes.LSApplicationWorkspace.defaultWorkspace().allApplications();
    const cursor = installed.objectEnumerator();

    // nextObject() yields null once the enumerator is exhausted.
    for (let app = cursor.nextObject(); app !== null; app = cursor.nextObject()) {
        console.log(app.applicationIdentifier().toString() + ": " + app.localizedName().toString());
    }
});
17 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
18 | //hash:-961174881 @sdcampbell/list-ios-apps
19 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/2__vumail159951.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-342135627 @vumail159951/2
// Observes com.android.okhttp.Response$Builder.build(): the original runs,
// then the response headers and message and the originating request and its
// headers are printed, and the built response is returned unchanged.
// Headers routinely carry cookies and bearer tokens; treat the console output
// as credentials and keep it out of shared logs.
Java.perform(() => {
    const ResponseBuilder = Java.use('com.android.okhttp.Response$Builder');

    ResponseBuilder.build.implementation = function() {
        const response = this.build();
        const base64 = Java.use('android.util.Base64'); // resolved but unused

        console.log(response.headers());
        console.log(response.message());
        console.log("## REQ ### ");
        console.log(response.request());
        console.log(response.request().headers());
        console.log("## -REQ- ### ");

        return response;
    };
});
25 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
26 | //hash:-342135627 @vumail159951/2
27 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/enum-file-check__beyrakIn.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-219348888 @beyrakIn/enum-file-check
// Logs the absolute path of every java.io.File.exists() call and returns the
// original result unchanged. Despite the wording of the messages, nothing is
// bypassed: this only shows which paths the app checks for.
Java.perform(() => {
    console.log("[*] Frida script started for detect root binaries...");

    try {
        const File = Java.use("java.io.File");
        File.exists.implementation = function() {
            console.log("[+] " + this.getAbsolutePath());
            return this.exists();
        };
    } catch (e) {
        console.log("[!] Error hooking root detection: " + e);
    }
});
22 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
23 | //hash:-219348888 @beyrakIn/enum-file-check
24 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/android-freerasp-bypass__luca-regne.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-1686920056 @luca-regne/android-freerasp-bypass
// Hooks android.content.Intent.getStringExtra(String). The original value is
// always fetched; when the intent's action is "TALSEC_INFO" the value is
// logged and an empty string is returned in its place. Intents with any other
// action get the original value back.
// Takeaway for app owners: a detection result delivered through an
// in-process Intent extra can be rewritten by anything instrumenting the app.
Java.perform(() => {
    const Intent = Java.use("android.content.Intent");

    Intent.getStringExtra.overload('java.lang.String').implementation = function(str) {
        const extra = this.getStringExtra(str);
        const action = this.getAction();
        if (action != "TALSEC_INFO") {
            return extra;
        }
        console.log(`[+] Hooking getStringExtra("${str}") from ${action}`);
        console.log(`\t Bypassing ${extra} detection`);
        return "";
    };
});
17 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
18 | //hash:-1686920056 @luca-regne/android-freerasp-bypass
19 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/classes-by-keywords__wrycaio.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-1440674564 @wrycaio/classes-by-keywords
4 | // script.js
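// Substrings to look for in loaded class names (case-sensitive).
var keywords = ["Security", "Encryption", "Interceptor", "intercept", "ssl"];
// Collected report lines, one per matching class.
var loadedClasses = [];

// Enumerates the classes currently loaded in the VM and records each one
// whose name contains at least one keyword, then prints the collected list.
Java.perform(function() {
    Java.enumerateLoadedClassesSync().forEach(function(className) {
        // The original de-duplication compared the raw class name with the
        // already-formatted "[+] Dumped: ..." entries, so it never matched and
        // a class containing several keywords was listed several times.
        // Testing "any keyword matches" records each class at most once.
        var matches = keywords.some(function(keyword) {
            return className.includes(keyword);
        });
        if (matches) {
            loadedClasses.push("[+] Dumped: " + className + "\n");
        }
    });
    console.log(loadedClasses);
});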
19 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
20 | //hash:-1440674564 @wrycaio/classes-by-keywords
21 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/backtraces__InvictusNinja.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-1121660162 @InvictusNinja/backtraces
// Base address of libhwui.so in the attached process.
const membase = Module.findBaseAddress('libhwui.so');
// Addresses to trace, as hex strings.
const funcs = [ '0x77716205f8'];

// For each entry, attaches an onEnter handler that prints the entry's label
// followed by a symbolised backtrace of the calling thread.
// NOTE(review): memAddress() is not defined anywhere in this script;
// presumably it is supplied by another file - confirm before running.
funcs.forEach((name) => {
    const funcPtr = memAddress(membase, '0x0', name);

    Interceptor.attach(funcPtr, {
        onEnter: function(args) {
            console.log(name + ': ');
            const frames = Thread.backtrace(this.context, Backtracer.ACCURATE).map(DebugSymbol.fromAddress);
            frames.forEach((frame) => {
                console.log(frame);
            });
        }
    });
});
19 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
20 | //hash:-1121660162 @InvictusNinja/backtraces
21 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/tbdoool__abdolzx.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:8162746 @abdolzx/tbdoool
// Replaces two methods of mobi.foo.sama.ProtectedApp with stubs:
//   onCreate() - logs and returns without calling the original;
//   AsfG()     - logs and returns 0.
// NOTE(review): skipping Application.onCreate() also skips any legitimate
// initialisation it performs; behaviour after that is not shown here.
Java.perform(() => {
    const ProtectedApp = Java.use("mobi.foo.sama.ProtectedApp");

    // The original onCreate is deliberately not invoked.
    ProtectedApp.onCreate.implementation = function () {
        console.log("Bypassing ProtectedApp.onCreate");
    };

    // Hook the AsfG method (if it's part of the protection mechanism)
    ProtectedApp.AsfG.implementation = function () {
        console.log("Bypassing ProtectedApp.AsfG");
        return 0;
    };
});
19 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
20 | //hash:8162746 @abdolzx/tbdoool
21 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/11__Malfarion.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-795527273 @Malfarion/11
function hook_okhttp3() {
    // 1. Frida code that hooks the Java layer must run inside Java.perform,
    //    which makes the Java-hooking APIs ready for use.
    Java.perform(() => {
        // 2. Resolve the classes needed later. Per the original note, the
        //    first two ship with Android and the last three are only present
        //    when the app uses the OkHttp networking library.
        //    None of the handles is used yet: no hook is installed here.
        const ByteString = Java.use("com.android.okhttp.okio.ByteString");
        const Buffer = Java.use("com.android.okhttp.okio.Buffer");
        const Interceptor = Java.use("okhttp3.Interceptor");
        const ArrayList = Java.use("java.util.ArrayList");
        const OkHttpClient = Java.use("okhttp3.OkHttpClient");

        console.log("hook_okhttp3...");
    });
}
20 |
21 |
22 | hook_okhttp3();
23 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
24 | //hash:-795527273 @Malfarion/11
25 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/discover-java-random-usage__krue4954.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:1483709372 @krue4954/discover-java-random-usage
// Observes java.util.Random.nextInt(int): the original runs, the value it
// produced is printed together with a Java stack trace of the caller, and the
// value is returned unchanged.
// Useful in a review for locating code that draws security-relevant values
// (tokens, nonces, keys) from java.util.Random instead of SecureRandom.
Java.perform(() => {
    const Random = Java.use("java.util.Random");
    console.log("[!] Found random loaded");

    Random.nextInt.overload("int").implementation = function(a) {
        const ret = this.nextInt(a);
        console.log("[*] The random number: " + ret.toString());
        Java.perform(() => {
            // A fresh Exception is created only to capture the current stack.
            const stack = Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Exception").$new());
            console.log("[*] Calling method:" + stack);
        });
        return ret;
    };
});
18 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
19 | //hash:1483709372 @krue4954/discover-java-random-usage
20 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/sd__komoosdosk.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:1519350927 @komoosdosk/sd
// When the Objective-C runtime is available, attaches to mmap() (looked up
// across all modules) with the stated aim of making every call fail.
// NOTE(review): the hook is process-wide. It is not limited to any detection
// routine, so every mmap() caller in the process is affected.
if (ObjC.available) {
    console.log("✅ Ultimate Tinder Jailbreak Bypass Loaded");

    // Hook and block mmap()
    var mmap = Module.findExportByName(null, "mmap");
    if (mmap) {
        Interceptor.attach(mmap, {
            onEnter: function(args) {
                console.log("🔥 mmap() called – Blocking!");
                // NOTE(review): no `retval` is declared in this scope in the
                // visible script; onEnter only receives `args`.
                retval.replace(ptr(-1)); // Return error
            },
            onLeave: function(retval) {
                // Overwrites the value mmap() returned with -1.
                retval.replace(ptr(-1)); // Return error again just in case
            }
        });
    }

    // Printed whether or not the mmap export was found and hooked.
    console.log("✅ mmap() Fully Blocked! Tinder can't scan memory now.");
}
23 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
24 | //hash:1519350927 @komoosdosk/sd
25 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/ios-disable-ssl-check__SYM01.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:905631581 @SYM01/ios-disable-ssl-check
// Picks a TLS peer-trust function by iOS major version
// ("tls_helper_create_peer_trust" below 11, "nw_tls_create_peer_trust"
// otherwise), attaches to it and forces its return value to 0.
// The hook applies to the whole process; connections made while it is active
// must be treated as unauthenticated.
ObjC.schedule(ObjC.mainQueue, () => {
    const version = ObjC.classes.UIDevice.currentDevice().systemVersion().toString();
    const majorVersion = parseInt(version.split(".")[0]);
    const fname = majorVersion < 11 ? "tls_helper_create_peer_trust" : "nw_tls_create_peer_trust";

    const target = Module.findExportByName(null, fname);
    Interceptor.attach(target, {
        onLeave(retval) {
            retval.replace(0);
        },
    });
});
21 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
22 | //hash:905631581 @SYM01/ios-disable-ssl-check
23 | pts QQGroup: 143824179 .
24 | //hash:-1972218842 @SYM01/ios-disable-ssl-check
25 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/cordova---enable-webview-debugging__gameFace22.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-608405739 @gameFace22/cordova---enable-webview-debugging
4 | // Usage : frida -U -f bundle_id -l enable_debug.js --no-pause
5 | // Blog link to be added
6 | // Written by @67616d654661636 and @sunnyrockzzs
7 |
// Hooks WebView.loadUrl(String): logs the URL, calls
// setWebContentsDebuggingEnabled(true), then forwards to the original
// overload with the same URL.
// With debugging enabled the WebView's content can be inspected and scripted
// from an attached debugger; release builds should leave it off.
Java.perform(() => {
    const loadUrl = Java.use("android.webkit.WebView").loadUrl.overload("java.lang.String");

    loadUrl.implementation = function(url) {
        console.log("\n[+]Loading URL from", url);
        console.log("[+]Setting the value of setWebContentsDebuggingEnabled() to TRUE");
        this.setWebContentsDebuggingEnabled(true);
        loadUrl.call(this, url);
    };
});
17 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
18 | //hash:-608405739 @gameFace22/cordova---enable-webview-debugging
19 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/root-detection-bypass-for-cordova-plugin-devicecompile__damaidec.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-1321633083 @damaidec/root-detection-bypass-for-cordova-plugin-devicecompile
// Resolves cordova.plugin.devicecompile.devicecompile and, when the handle is
// truthy, makes its zero-argument IsDrived() return false without calling the
// original. Any exception is caught and printed (this includes the one
// Java.use raises when the class cannot be found).
Java.perform(() => {
    try {
        const plugin = Java.use("cordova.plugin.devicecompile.devicecompile");

        if (!plugin) {
            console.log("cordova.plugin.devicecompile Not detected");
            return;
        }

        console.log("cordova.plugin.devicecompile detected");
        plugin.IsDrived.overload().implementation = function() {
            return false;
        };
    } catch (error) {
        console.error("An error occurred:", error);
    }
});
20 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
21 | //hash:-1321633083 @damaidec/root-detection-bypass-for-cordova-plugin-devicecompile
22 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/anti-frida-bypass__enovella.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:799399861 @enovella/anti-frida-bypass
// Attaches to strstr() in libc.so. On entry the haystack is read as UTF-8 and
// a per-call flag is set when it contains "frida" or "xposed"; on return the
// result is replaced with 0 (no match) for flagged calls only.
// Takeaway for app owners: a check that depends on one libc string search can
// be neutralised from inside the process and should not be the only signal.
Interceptor.attach(Module.findExportByName("libc.so", "strstr"), {

    onEnter: function(args) {

        // Per-invocation state; `this` is shared with onLeave for this call.
        this.haystack = args[0];
        this.needle = args[1];
        this.frida = Boolean(0);

        // NOTE(review): `haystack` and `needle` are assigned without a
        // declaration, so they become implicit globals (and throw in strict
        // mode). `needle` is read but never used afterwards.
        haystack = Memory.readUtf8String(this.haystack);
        needle = Memory.readUtf8String(this.needle);

        // NOTE(review): no null check before indexOf - confirm the haystack
        // can never be read back as null.
        if (haystack.indexOf("frida") !== -1 || haystack.indexOf("xposed") !== -1) {
            this.frida = Boolean(1);
        }
    },

    onLeave: function(retval) {

        if (this.frida) {
            // Report "substring not found" to the caller.
            retval.replace(0);
        }
        return retval;
    }
});
28 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
29 | //hash:799399861 @enovella/anti-frida-bypass
30 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/android-full-class-path__k7eon.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-1596004930 @k7eon/android-full-class-path
4 | // You can change 'Headers' and 'okhttp' as you wish
5 |
6 | // example of output:
7 |
8 | // com.android.okhttp.internal.http.OkHeaders$1
9 | // com.android.okhttp.Headers
10 | // com.android.okhttp.internal.http.OkHeaders
11 | // okhttp3.Headers$Builder
12 |
13 | // then you can do: var Build = Java.use("okhttp3.Headers$Builder");
14 | // and change any method as you want here
15 |
// Prints the fully qualified name of every loaded class whose name contains
// both 'Headers' and 'okhttp' (case-sensitive substring match).
Java.enumerateLoadedClasses({
  onMatch: function (classname) {
    var requiredParts = ['Headers', 'okhttp'];
    var matchesAll = requiredParts.every(function (part) {
      return classname.indexOf(part) !== -1;
    });

    if (matchesAll) {
      console.log(classname);
    }
  },
  // Nothing to do once enumeration finishes.
  onComplete: function () {}
});
25 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
26 | //hash:-1596004930 @k7eon/android-full-class-path
27 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/firfirestore__Mo7amedFouad.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-1698511102 @Mo7amedFouad/firfirestore
// Logs the path argument of two Firestore selectors as they are called:
// -[FIRCollectionReference documentWithPath:] and
// -[FIRFirestore collectionWithPath:].
// In both hooks args[2] is read as the first selector argument.
var documentWithPath = ObjC.classes.FIRCollectionReference["- documentWithPath:"];
var collectionWithPath = ObjC.classes.FIRFirestore["- collectionWithPath:"];

Interceptor.attach(documentWithPath.implementation, {
  onEnter: function (args) {
    var path = ObjC.Object(args[2]).toString();
    console.log("\n[FIRCollectionReference documentWithPath:@\"" + path + "\"]");
  }
});

Interceptor.attach(collectionWithPath.implementation, {
  onEnter: function (args) {
    var path = ObjC.Object(args[2]).toString();
    console.log("\n[FIRFireStore collectionWithPath:@\"" + path + "\"]");
  }
});
19 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
20 | //hash:-1698511102 @Mo7amedFouad/firfirestore
21 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/ios-backtrace-http-req__SYM01.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:1929613706 @SYM01/ios-backtrace-http-req
// Attaches to every Objective-C instance method matching '-[* initWithURL*]'
// and, on each call, prints the URL argument together with a symbolicated
// backtrace of the caller.
var resolver = new ApiResolver('objc');

resolver.enumerateMatches('-[* initWithURL*]', {
  onMatch: function (match) {
    Interceptor.attach(ptr(match.address), {
      onEnter: function (args) {
        // args[2] is read as the URL passed to the initialiser.
        var target = new ObjC.Object(args[2]).toString();
        var frames = Thread.backtrace(this.context, Backtracer.ACCURATE)
          .map(DebugSymbol.fromAddress)
          .join('\n');

        console.log('New req to ' + target + ':\n' + frames + '\n');
      }
    });

    console.log('[i] ' + match.name + ' hooked.');
  },
  onComplete: function () { /* MUST NOT be omitted */ }
});
20 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
21 | //hash:1929613706 @SYM01/ios-backtrace-http-req
22 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/mlbb__GDTNguyen.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-1799658334 @GDTNguyen/mlbb
/**
 * Registers a key-log callback on every SSL_CTX returned by SSL_CTX_new.
 *
 * Each line handed to the callback is printed with console.log. Those lines
 * are TLS session secrets, so the script's output should be stored and shared
 * as sensitive material.
 *
 * @param SSL_CTX_new address of the SSL_CTX_new function to hook
 * @param SSL_CTX_set_keylog_callback address of SSL_CTX_set_keylog_callback
 */
function startTLSKeyLogger(SSL_CTX_new, SSL_CTX_set_keylog_callback) {
    const keyLogCallback = new NativeCallback(function keyLogger(ssl, line) {
        console.log(new NativePointer(line).readCString());
    }, 'void', ['pointer', 'pointer']);

    Interceptor.attach(SSL_CTX_new, {
        onLeave: function (retval) {
            const ctx = new NativePointer(retval);

            // A NULL return means no context was created; nothing to register on.
            if (ctx.isNull()) {
                return;
            }

            const setKeylogCallback = new NativeFunction(
                SSL_CTX_set_keylog_callback, 'void', ['pointer', 'pointer']);
            setKeylogCallback(ctx, keyLogCallback);
        }
    });
}
21 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
22 | //hash:-1799658334 @GDTNguyen/mlbb
23 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/piracy-checker-bypass__fopina.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:1253016008 @fopina/piracy-checker-bypass
4 | /*
5 | Android piracy checker bypass
6 |
7 | Bypass implemented based on https://stackoverflow.com/a/37540163/432152
8 | */
9 |
// Replaces ApplicationPackageManager.getInstallerPackageName() so that every
// query answers 'com.android.vending'. The real answer is still fetched and
// reported through send() next to the queried package name.
// For defenders: the installer name comes from an in-process API call, so it
// is only as trustworthy as the process that asks for it.
Java.perform(function () {
    var PackageManager = Java.use("android.app.ApplicationPackageManager");

    var classNames = Java.enumerateLoadedClassesSync();
    send("Loaded " + classNames.length + " classes!");

    PackageManager.getInstallerPackageName.implementation = function (pname) {
        var realInstaller = this.getInstallerPackageName(pname);
        send("Bypass INSTALLER check for package: " + realInstaller + " " + pname);
        return 'com.android.vending';
    };
});
23 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
24 | //hash:1253016008 @fopina/piracy-checker-bypass
25 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/android-inspect-webviews__sdcampbell.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:1038092699 @sdcampbell/android-inspect-webviews
// Logs every URL handed to android.webkit.WebView.loadUrl(), for both the
// single-argument overload and the overload that also takes a header map.
// Each hook forwards to the original method, so page loading is unchanged.
Java.perform(function () {
    var WebView = Java.use('android.webkit.WebView');

    // loadUrl(String)
    var loadPlain = WebView.loadUrl.overload('java.lang.String');
    loadPlain.implementation = function (url) {
        console.log("Loading URL: " + url);
        return this.loadUrl(url);
    };

    // loadUrl(String, Map): only the URL is logged, the headers are not.
    var loadWithHeaders = WebView.loadUrl.overload('java.lang.String', 'java.util.Map');
    loadWithHeaders.implementation = function (url, additionalHttpHeaders) {
        console.log("Loading URL with headers: " + url);
        return this.loadUrl(url, additionalHttpHeaders);
    };
});
19 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
20 | //hash:1038092699 @sdcampbell/android-inspect-webviews
21 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/anti-frida-bypass__kushjasrapuria.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-2091356319 @kushjasrapuria/anti-frida-bypass
4 | // Github: https://github.com/kushjasrapuria
5 |
// Replaces libc's fgets(). The real fgets() runs first; if the line it read
// mentions "frida" or "xposed", the caller's buffer is overwritten with a
// placeholder line before control returns.
// For defenders: a scan that reads lines through fgets() and greps them can be
// blinded at this single libc entry point.
var fgetsPtr = Module.findExportByName("libc.so", "fgets");
var fgets = new NativeFunction(fgetsPtr, 'pointer', ['pointer', 'int', 'pointer']);

Interceptor.replace(fgetsPtr, new NativeCallback(function (buffer, size, fp) {
    var retval = fgets(buffer, size, fp);
    // NOTE(review): the buffer is read even when fgets() returned NULL, and the
    // placeholders below are written without comparing their length to size.
    var bufstr = Memory.readUtf8String(buffer);

    // Both markers are tested against the line as originally read, in this order.
    var rewrites = [
        ["frida", "ByeByeFrida:\t0"],
        ["xposed", "ByeByeXposed:\t0"]
    ];
    rewrites.forEach(function (rule) {
        if (bufstr.indexOf(rule[0]) !== -1) {
            Memory.writeUtf8String(buffer, rule[1]);
        }
    });

    return retval;
}, 'pointer', ['pointer', 'int', 'pointer']));
20 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
21 | //hash:-2091356319 @kushjasrapuria/anti-frida-bypass
22 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/anti-frida-bypass__x90nopslide.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:1006277021 @x90nopslide/anti-frida-bypass
4 | // Github: https://github.com/kushjasrapuria
5 |
// Swaps libc's fgets() for a wrapper: the original is called, then any line
// containing "frida" or "xposed" is replaced in the caller's buffer with a
// fixed placeholder. The original return value is passed through unchanged.
var fgetsPtr = Module.findExportByName("libc.so", "fgets");
var fgets = new NativeFunction(fgetsPtr, 'pointer', ['pointer', 'int', 'pointer']);

Interceptor.replace(fgetsPtr, new NativeCallback(function (buffer, size, fp) {
    var retval = fgets(buffer, size, fp);
    // NOTE(review): no check that fgets() succeeded before the buffer is read,
    // and no check that the placeholder fits in `size` bytes.
    var line = Memory.readUtf8String(buffer);
    var hasFrida = line.indexOf("frida") !== -1;
    var hasXposed = line.indexOf("xposed") !== -1;

    if (hasFrida) {
        Memory.writeUtf8String(buffer, "ByeByeFrida:\t0");
    }
    if (hasXposed) {
        Memory.writeUtf8String(buffer, "ByeByeXposed:\t0");
    }

    return retval;
}, 'pointer', ['pointer', 'int', 'pointer']));
20 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
21 | //hash:1006277021 @x90nopslide/anti-frida-bypass
22 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/sslpinningmine__AkhileshCh.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:303557466 @AkhileshCh/sslpinningmine
// Installs two stubs once the Java VM is reachable:
//  1. TrustManagerImpl.checkTrustedRecursive() returns a new empty ArrayList
//     without calling the original method.
//  2. The obfuscated method l.a.a.a.o.b.i.i(Context) returns false; the log
//     label indicates the author treats it as a root-detection check.
// For defenders: with (1) in place the platform trust manager no longer
// evaluates the chain, so pinning that depends on it is not exercised.
setTimeout(function () {
    Java.perform(function () {

        var ArrayList = Java.use("java.util.ArrayList");
        var TrustManagerImpl = Java.use('com.android.org.conscrypt.TrustManagerImpl');

        TrustManagerImpl.checkTrustedRecursive.implementation = function (a1, a2, a3, a4, a5, a6) {
            return ArrayList.$new();
        };

        var CommonUtils = Java.use('l.a.a.a.o.b.i');
        var contextCheck = CommonUtils.i.overload('android.content.Context');
        contextCheck.implementation = function (context) {
            console.log("[+] bypassRootDetection");
            return false;
        };
    });
}, 0);
22 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
23 | //hash:303557466 @AkhileshCh/sslpinningmine
24 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/scottyab-root-bypass__abrahem.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:1539574155 @abrahem/scottyab-root-bypass
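// After a two-second delay, prints the name of every module loaded in the
// process and reports whether libtoolChecker.so is among them (with its base
// address when it is). The script only observes; it installs no hooks.
Java.perform(function () {
    setTimeout(function () {
        // List all loaded modules
        Process.enumerateModules().forEach(function (module) {
            console.log("Loaded module:", module.name);
        });

        // Process.getModuleByName() throws when the module is missing, which
        // made the "Failed to find" branch unreachable. findModuleByName()
        // returns null instead, so both outcomes are reported.
        var targetModule = Process.findModuleByName("libtoolChecker.so");
        if (targetModule !== null) {
            console.log("Found libtoolChecker.so at:", targetModule.base);
        } else {
            console.log("Failed to find libtoolChecker.so.");
        }
    }, 2000); // Wait for 2 seconds before trying to access the modules
});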
21 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
22 | //hash:1539574155 @abrahem/scottyab-root-bypass
23 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/teste4__BR92Bruno.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-1632874755 @BR92Bruno/teste4
// Replaces MobileExploitationData.setData() with a stub that logs "teste2"
// and returns a java.lang.Boolean built from the string "True". The original
// setData() is never called.
Java.perform(function () {

    console.log("teste1");

    var MobileExploitationData = Java.use('br.com.mobileexploitation.a003variables.MobileExploitationData');

    MobileExploitationData.setData.implementation = function () {
        console.log("teste2");

        var JavaBoolean = Java.use("java.lang.Boolean");
        return JavaBoolean.$new("True");
    };
});
20 |
21 | /*
22 | Java.perform(function() {
23 | var clazz = Java.use('br.com.mobileexploitation.a003variables.MobileExploitationData');
24 | clazz.setData3.implementation = function() {
25 |
26 | //
27 |
28 | return clazz.setData3.apply(this, arguments);
29 | }
30 | });
31 | */
32 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
33 | //hash:-1632874755 @BR92Bruno/teste4
34 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/sgsasg__vumail159951.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-1172280059 @vumail159951/sgsasg
// Logs the name of every native library requested through
// System.loadLibrary(String), then performs the load itself by calling
// Runtime.loadLibrary0() with the calling class loader.
// NOTE(review): an exception raised by the load is only logged here, so the
// caller of System.loadLibrary() does not see it and gets undefined back.
Java.perform(function () {
    const System = Java.use('java.lang.System');
    const Runtime = Java.use('java.lang.Runtime');
    const loadLibraryByName = System.loadLibrary.overload('java.lang.String');
    const VMStack = Java.use('dalvik.system.VMStack');

    loadLibraryByName.implementation = function (library) {
        console.log("Loading dynamic library => " + library);
        try {
            const callerLoader = VMStack.getCallingClassLoader();
            const loaded = Runtime.getRuntime().loadLibrary0(callerLoader, library);
            if (library.includes("taInterface")) {
                // Placeholder left by the author for library-specific handling.
            }
            return loaded;
        } catch (ex) {
            console.log(ex);
        }
    };
});
23 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
24 | //hash:-1172280059 @vumail159951/sgsasg
25 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/logs-android-frida-ts__joaoviictorti.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-48956416 @joaoviictorti/logs-android-frida-ts
// Mirrors android.util.Log output to the Frida console. For each of the levels
// e, d, v, i, w and wtf, both the (String, String) and the
// (String, String, Throwable) overloads are hooked; every hook prints its
// arguments and then forwards to the original method.
// Useful for spotting secrets that an app writes to its log.
Java.perform(function () {
    const Log = Java.use("android.util.Log");

    for (const level of ['e', 'd', 'v', 'i', 'w', 'wtf']) {
        const withoutThrowable = Log[level].overload('java.lang.String', 'java.lang.String');
        withoutThrowable.implementation = function (key, value) {
            console.log(`${key} | ${value}`);
            return this[level](key, value);
        };

        const withThrowable = Log[level].overload('java.lang.String', 'java.lang.String', 'java.lang.Throwable');
        withThrowable.implementation = function (key, value, throwable) {
            console.log(`${key} | ${value} | ${throwable}`);
            return this[level](key, value, throwable);
        };
    }
});
21 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
22 | //hash:-48956416 @joaoviictorti/logs-android-frida-ts
23 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/ios-trustkit-ssl-unpinning__platix.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-1578831295 @platix/ios-trustkit-ssl-unpinning
// When the Objective-C runtime is present, walks ObjC.classes looking for a
// class named "TrustKit" and replaces the implementation of
// +[TrustKit initSharedInstanceWithConfiguration:] with a callback that only
// logs, so the original initialiser never runs.
// NOTE(review): the replacement is declared as returning 'int' with no
// arguments, yet its body returns nothing; confirm against the real signature.
if (!ObjC.available) {
    console.log("Objective-C Runtime is not available!");
} else {
    console.log("SSLUnPinning Enabled");
    for (var className in ObjC.classes) {
        if (!ObjC.classes.hasOwnProperty(className) || className != "TrustKit") {
            continue;
        }

        console.log("Found our target class : " + className);
        var hook = ObjC.classes.TrustKit["+ initSharedInstanceWithConfiguration:"];
        Interceptor.replace(hook.implementation, new NativeCallback(function () {
            console.log("Hooking TrustKit");
        }, 'int', []));
    }
}
21 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
22 | //hash:-1578831295 @platix/ios-trustkit-ssl-unpinning
23 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/universal-android-ssl-pinning-bypass-2__sowdust.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:1155153502 @sowdust/universal-android-ssl-pinning-bypass-2
4 | /*
5 | Universal Android SSL Pinning Bypass
6 | by Mattia Vinci and Maurizio Agazzini
7 |
8 | $ frida -U -f org.package.name -l universal-ssl-check-bypass.js --no-pause
9 |
10 | https://techblog.mediaservice.net/2018/11/universal-android-ssl-check-bypass-2/
11 | */
12 |
// Replaces TrustManagerImpl.checkTrustedRecursive() with a stub that returns a
// new empty ArrayList, so the original chain evaluation is not executed.
// For defenders: traffic accepted while this hook is active says nothing about
// the certificate that was presented.
// NOTE(review): Java.perform is passed a second argument (0) here; it looks
// like a leftover from a setTimeout wrapper.
Java.perform(function () {

    var ArrayList = Java.use("java.util.ArrayList");
    var TrustManagerImpl = Java.use('com.android.org.conscrypt.TrustManagerImpl');

    TrustManagerImpl.checkTrustedRecursive.implementation = function (a1, a2, a3, a4, a5, a6) {
        return ArrayList.$new();
    };

}, 0);
25 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
26 | //hash:1155153502 @sowdust/universal-android-ssl-pinning-bypass-2
27 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/jailmonkey-root-detection-bypass__anubi5egypt.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:69491175 @anubi5egypt/jailmonkey-root-detection-bypass
4 | /**
5 | Root detection bypass script for Gantix JailMonkey
6 | https://github.com/GantMan/jail-monkey
7 | **/
// Replaces JailMonkeyModule.getConstants() with a stub that returns a HashMap
// in which each of the five keys below maps to Boolean.FALSE.
// For defenders: every verdict the module exposes travels through this one
// constants map inside the app process.
Java.perform(() => {
    const JailMonkeyModule = Java.use("com.gantix.JailMonkey.JailMonkeyModule");
    const HashMap = Java.use("java.util.HashMap");
    const javaFalse = Java.use("java.lang.Boolean").FALSE.value;

    const reportedKeys = [
        "isJailBroken",
        "hookDetected",
        "canMockLocation",
        "isOnExternalStorage",
        "AdbEnabled",
    ];

    JailMonkeyModule.getConstants.implementation = function () {
        const constants = HashMap.$new();
        for (const key of reportedKeys) {
            constants.put(key, javaFalse);
        }
        return constants;
    };
});
23 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
24 | //hash:69491175 @anubi5egypt/jailmonkey-root-detection-bypass
25 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/enum-root-file-check__beyrakIn.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-80694091 @beyrakIn/enum-root-file-check
// Observes java.io.File.exists(): when the absolute path contains one of the
// markers below, the path is printed. The real result of exists() is always
// returned, so this only reveals which artefact paths the app probes.
Java.perform(function () {
    console.log("[*] Frida script started for detect root binaries...");

    var markers = ["/su", "/magisk", "Superuser", "frida", "gdb", "daemonsu", "busybox"];

    try {
        var File = Java.use("java.io.File");
        File.exists.implementation = function () {
            var path = this.getAbsolutePath();
            var isInteresting = markers.some(function (marker) {
                return path.includes(marker);
            });

            if (isInteresting) {
                console.log("[+] " + path);
            }
            return this.exists();
        };
    } catch (e) {
        console.log("[!] Error hooking root detection: " + e);
    }
});
24 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
25 | //hash:-80694091 @beyrakIn/enum-root-file-check
26 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/reveny-emulator-bypassjs__roopaks31051987-maker.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:629707450 @roopaks31051987-maker/reveny-emulator-bypassjs
4 | /*
5 | I developed a custom Frida script to bypass emulator detection in the
6 | Reveny Android Emulator Detection project emulator-detection-demo-v1.5.0.apk (https://github.com/reveny/Android-Emulator-Detection).
7 |
8 | By reverse-engineering the native library, identifying its detection flow,
9 | and intercepting critical return values, I crafted a targeted Frida hook
10 | that successfully bypasses all checks.
11 | */
12 |
// Replaces EmulatorDetection.isDetected() with a stub that logs a message and
// returns false; the original method body is not executed.
// For defenders: the library's result reaches the app as one Java boolean, so
// this is the value to corroborate elsewhere if the decision matters.
Java.perform(function () {
    var EmulatorDetection = Java.use("com.reveny.emulatordetector.plugin.EmulatorDetection");

    function reportNotDetected() {
        console.log("Bypassed isDetected()");
        return false;
    }

    EmulatorDetection.isDetected.implementation = reportNotDetected;
});
21 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
22 | //hash:629707450 @roopaks31051987-maker/reveny-emulator-bypassjs
23 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/android-native-log__luoyesiqiu.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:1345724263 @luoyesiqiu/android-native-log
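/**
 * Writes one line to the Android log through liblog's __android_log_print.
 *
 * The message is passed as the argument of a constant "%s" format string.
 * Passing it as the format itself meant that any '%' sequence inside msg was
 * interpreted as a conversion with no matching argument.
 *
 * @param type numeric priority passed as the first argument (see wrappers below)
 * @param tag  log tag
 * @param msg  message text, logged verbatim
 */
function native_log(type, tag, msg) {
    var tagPtr = Memory.allocUtf8String(tag);
    var msgPtr = Memory.allocUtf8String(msg);
    var formatPtr = Memory.allocUtf8String("%s");
    // "..." separates the fixed parameters from the variadic ones.
    var paramTypes = ["int", "pointer", "pointer", "...", "pointer"];
    var printPtr = Module.getExportByName("liblog.so", "__android_log_print");
    const print = new NativeFunction(printPtr, 'int', paramTypes);
    print(type, tagPtr, formatPtr, msgPtr);
}

// Convenience wrappers, one per priority value 2 through 7.

function logv(tag, msg) {
    native_log(2, tag, msg);
}

function logd(tag, msg) {
    native_log(3, tag, msg);
}

function logi(tag, msg) {
    native_log(4, tag, msg);
}

function logw(tag, msg) {
    native_log(5, tag, msg);
}

function loge(tag, msg) {
    native_log(6, tag, msg);
}

function logf(tag, msg) {
    native_log(7, tag, msg);
}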
36 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
37 | //hash:1345724263 @luoyesiqiu/android-native-log
38 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/enumerate-library__InvictusNinja.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-320800175 @InvictusNinja/enumerate-library
// Prints the name of every function exported by libhwui.so. If an export is
// named "Java_example_decrypt", a tracing hook is attached to it that logs on
// entry and on exit.
Module.enumerateExports("libhwui.so", {
    onMatch: function (e) {
        if (e.type != 'function') {
            return;
        }
        console.log("name of function = " + e.name);

        if (e.name != "Java_example_decrypt") {
            return;
        }
        console.log("Function Decrypt recognized by name");

        Interceptor.attach(e.address, {
            onEnter: function (args) {
                console.log("Interceptor attached onEnter...");
            },
            onLeave: function (retval) {
                console.log("Interceptor attached onLeave...");
            }
        });
    },
    onComplete: function () {}
});
24 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
25 | //hash:-320800175 @InvictusNinja/enumerate-library
26 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/stacktracing-activities__sknux.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:381485456 @sknux/stacktracing-activities
// Hooks Activity.onCreate(Bundle). The original onCreate runs first; the hook
// then prints the concrete class name of the activity and a Java stack trace
// taken at that point.
Java.perform(function () {
    var currentActivity;

    var Activity = Java.use('android.app.Activity');
    var onCreateWithBundle = Activity.onCreate.overload('android.os.Bundle');

    onCreateWithBundle.implementation = function (savedInstanceState) {
        // Let the activity initialise normally before inspecting it.
        this.onCreate.overload('android.os.Bundle').call(this, savedInstanceState);

        // Keep a reference to the most recently created activity.
        currentActivity = this;
        console.log("The current Activity is: " + currentActivity.getClass().getName());

        // A new Exception is used only as a carrier for the current stack.
        var Log = Java.use("android.util.Log");
        var marker = Java.use("java.lang.Exception").$new();
        var stack = Log.getStackTraceString(marker);
        console.log("Here is your stacktrace: " + stack);
    };

});
22 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
23 | //hash:381485456 @sknux/stacktracing-activities
24 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/search-for-the-string-in-memory__DiegoCaridei.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-2083268189 @DiegoCaridei/search-for-the-string-in-memory
/**
 * Converts a string into a space-separated list of upper-case hex values, one
 * per UTF-16 code unit, zero-padded to at least two digits.
 *
 * NOTE(review): a code unit above 0xFF yields more than two hex digits (for
 * example "20AC"), so the result is a byte pattern only for inputs whose code
 * units all fit in one byte.
 *
 * @param str text to convert
 * @returns hex string such as "41 5A 0A"
 */
function stringToBytesHex(str) {
    var hexUnits = Array.from({ length: str.length }, function (_, index) {
        var hex = str.charCodeAt(index).toString(16).toUpperCase();
        return hex.length === 1 ? '0' + hex : hex;
    });
    return hexUnits.join(' ');
}
15 |
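/**
 * Scans one loaded module for a string and hexdumps the first match.
 *
 * The module is chosen by its position in Process.enumerateModules(). An
 * out-of-range index or a scan with no match is reported with a message
 * instead of failing on an undefined value.
 *
 * @param string      text to look for (converted with stringToBytesHex)
 * @param indexModule index into Process.enumerateModules()
 */
function findString(string, indexModule) {
    var modules = Process.enumerateModules();
    var m = modules[indexModule];
    if (!m) {
        console.log("findString: no module at index " + indexModule +
            " (" + modules.length + " modules loaded)");
        return;
    }

    var pattern = stringToBytesHex(string);
    var results = Memory.scanSync(m.base, m.size, pattern);
    if (results.length === 0) {
        console.log("findString: no match in " + m.name);
        return;
    }

    console.log(hexdump(ptr(results[0].address)));
}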
23 |
24 | //Usage example
25 | //findString("password",43)
26 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
27 | //hash:-2083268189 @DiegoCaridei/search-for-the-string-in-memory
28 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/aes-decrypt-no-iv__azurda.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-485201022 @azurda/aes-decrypt-no-iv
4 | /*
5 | Parse javax.crypto.Cipher.doFinal
6 | @entdark_
7 | */
/**
 * Turns a sequence of byte values into a string, one character per byte.
 * Values are first wrapped to 0..255 by Uint8Array, so a signed byte such as
 * -1 becomes the character with code 255.
 *
 * @param arrayBuffer byte values (array-like or ArrayBuffer)
 * @returns the bytes as a string of single-byte characters
 */
function byteArrayToString(arrayBuffer) {
    const unsignedBytes = new Uint8Array(arrayBuffer);
    return String.fromCharCode(...unsignedBytes);
}
11 |
// Logs key material and cipher input as the app uses them:
//  - SecretKeySpec(byte[], String): prints the key bytes and algorithm name.
//  - Cipher.doFinal(byte[]): prints the input buffer.
// Both hooks forward to the original method. The console output contains raw
// keys, so captured logs should be handled as secrets.
Java.perform(() => {
    const SecretKeySpec = Java.use('javax.crypto.spec.SecretKeySpec');
    const keySpecCtor = SecretKeySpec.$init.overload('[B', 'java.lang.String');
    keySpecCtor.implementation = function (key, algo) {
        console.log('key:' + byteArrayToString(key));
        console.log('algo:' + algo);
        return this.$init(key, algo);
    };

    const Cipher = Java.use('javax.crypto.Cipher');
    Cipher['doFinal'].overload('[B').implementation = function (byteArray) {
        console.log('encode:' + byteArrayToString(byteArray));
        return this.doFinal(byteArray);
    };
});
25 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
26 | //hash:-485201022 @azurda/aes-decrypt-no-iv
27 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/ios-location-spoofing__securitytest3r.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-1744523822 @securitytest3r/ios-location-spoofing
4 | /*
5 | Author: Divya Mudgal
6 | LinkedIn: https://www.linkedin.com/in/divya-mudgal
7 | Twitter: https://twitter.com/divya_mudgal
8 | Apple Documentation: https://developer.apple.com/documentation/corelocation/cllocation
9 | */
/**
 * Hooks -[CLLocation coordinate] and, on return, replaces the return value
 * with the result of initWithLatitude:longitude: called with the given values.
 *
 * NOTE(review): the return value is wrapped as an Objective-C object before
 * the initialiser is called; confirm that matches what "- coordinate" returns.
 *
 * @param spoof_latitude  latitude to report
 * @param spoof_longitude longitude to report
 */
function spoof_location(spoof_latitude, spoof_longitude)
{
    var coordinateMethod = ObjC.classes["CLLocation"]["- coordinate"];

    Interceptor.attach(coordinateMethod.implementation, {
        onLeave: function (return_value) {
            var wrapped = new ObjC.Object(return_value);
            var replacement = wrapped.initWithLatitude_longitude_(spoof_latitude, spoof_longitude);
            return_value.replace(replacement);
        }
    });
}
21 | //Mention latitude and longitude in below function call
22 | //spoof_location(27.1753336,78.0417905)
23 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
24 | //hash:-1744523822 @securitytest3r/ios-location-spoofing
25 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/uiwebview-ssl-validation-killer__mrmacete.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-1929274684 @mrmacete/uiwebview-ssl-validation-killer
/**
 * Installs two hooks on UIWebView's authentication delegate methods:
 *  - canAuthenticateAgainstProtectionSpace: has its return value forced to 1.
 *  - didReceiveAuthenticationChallenge: answers the challenge with a
 *    credential built from the server trust the challenge itself carries.
 *
 * For defenders: while these hooks are active the web view accepts whatever
 * trust object the server presented, without evaluating it.
 */
function killUIWebViewSSL() {
    var UIWebView = ObjC.classes.UIWebView;

    var canAuthenticate = UIWebView["- webView:resource:canAuthenticateAgainstProtectionSpace:forDataSource:"];
    Interceptor.attach(canAuthenticate.implementation, {
        onLeave: function (retval) {
            retval.replace(ptr('0x1'));
        }
    });

    var didReceiveChallenge = UIWebView["- webView:resource:didReceiveAuthenticationChallenge:fromDataSource:"];
    Interceptor.attach(didReceiveChallenge.implementation, {
        onEnter: function (args) {
            // args[4] is read as the authentication challenge.
            const challenge = new ObjC.Object(args[4]);
            const sender = challenge.sender();
            const serverTrust = challenge.protectionSpace().serverTrust();
            const credential = ObjC.classes.NSURLCredential.credentialForTrust_(serverTrust);
            sender.useCredential_forAuthenticationChallenge_(credential, challenge);
        }
    });
}
20 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
21 | //hash:-1929274684 @mrmacete/uiwebview-ssl-validation-killer
22 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/mac-mojave-ssl-bypass__minacrissdev.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-455154755 @minacrissdev/mac-mojave-ssl-bypass
/* OSStatus nw_tls_create_peer_trust(tls_handshake_t hdsk, bool server, SecTrustRef *trustRef); */
// Handle to the exported nw_tls_create_peer_trust function, looked up across
// all loaded modules (null module name). bypassSSL() and revertSSL() use it as
// the replacement target.
var tls_helper_create_peer_trust = new NativeFunction(
    Module.findExportByName(null, "nw_tls_create_peer_trust"),
    'int',
    ['pointer', 'bool', 'pointer']
);

// Value the replacement returns; 0 is used as the success status.
var errSecSuccess = 0;
15 |
/**
 * Replaces nw_tls_create_peer_trust with a callback that immediately returns
 * errSecSuccess and never touches trustRef, then logs that the replacement is
 * active. revertSSL() restores the original.
 */
function bypassSSL() {
    var alwaysSucceed = new NativeCallback(function (hdsk, server, trustRef) {
        return errSecSuccess;
    }, 'int', ['pointer', 'bool', 'pointer']);

    Interceptor.replace(tls_helper_create_peer_trust, alwaysSucceed);
    console.log("SSL certificate validation bypass active");
}
22 |
/**
 * Undoes bypassSSL(): reverts the replacement on nw_tls_create_peer_trust so
 * the original function runs again, then logs that the bypass is disabled.
 */
function revertSSL() {
    var hookedFunction = tls_helper_create_peer_trust;
    Interceptor.revert(hookedFunction);
    console.log("SSL certificate validation bypass disabled");
}
27 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
28 | //hash:-455154755 @minacrissdev/mac-mojave-ssl-bypass
29 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/find-ios-app-by-display-name__dki.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:1475345776 @dki/find-ios-app-by-display-name
4 | 'use strict';
5 |
6 | // usage: frida -U --codeshare dki/find-ios-app-by-display-name Springboard
7 |
/**
 * Looks up an installed iOS application by its localized display name.
 *
 * Walks LSApplicationWorkspace's list of installed applications and returns
 * details for the first one whose localizedName equals `name`.
 *
 * @param name display name to match
 * @returns object with bundleIdentifier, bundleURL, dataURL and executable,
 *          or undefined when no application matches
 */
function find(name) {
    var workspace = ObjC.classes.LSApplicationWorkspace.defaultWorkspace();
    var installed = workspace.allInstalledApplications();
    var index = 0;

    while (index < installed.count()) {
        var proxy = installed.objectAtIndex_(index);
        index += 1;

        if (proxy.localizedName().toString() != name) {
            continue;
        }

        return {
            bundleIdentifier: proxy.bundleIdentifier().toString(),
            // bundleURL is filled from the bundle *container* URL.
            bundleURL: proxy.bundleContainerURL().toString(),
            dataURL: proxy.dataContainerURL().toString(),
            executable: proxy.bundleURL().toString() + '/' + proxy.bundleExecutable().toString()
        };
    }
}
23 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
24 | //hash:1475345776 @dki/find-ios-app-by-display-name
25 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/viber-26-6-4-0-ssl-pinning__YasarKah.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:1019414376 @YasarKah/viber-26-6-4-0-ssl-pinning
4 | /*
5 | Android Viber 26.6.4.0 SSL certificate pinning
6 | by Yasar Kahramaner
7 |
8 | Run with:
9 | frida -U -f com.viber.voip -l viber-26-6-4-0-ssl-pinning.js
10 | */
11 |
// Hooks Cronet's engine builder inside the instrumented process:
//  - every addPublicKeyPins overload becomes a no-op that logs the host and
//    returns the builder, so the pins passed in are dropped;
//  - the boolean overload of enablePublicKeyPinningBypassForLocalTrustAnchors
//    always forwards `true` to the original method.
// While these hooks are installed, traffic from this process is not protected
// by the pins the app tried to configure.
Java.perform(() => {
    const CronetBuilder = Java.use('org.chromium.net.impl.CronetEngineBuilderImpl');

    for (const pinOverload of CronetBuilder.addPublicKeyPins.overloads) {
        pinOverload.implementation = function(host, set, enforce, date) {
            console.log('skip pins for', host);
            return this;
        };
    }

    const localAnchorToggle = CronetBuilder.enablePublicKeyPinningBypassForLocalTrustAnchors.overload('boolean');
    localAnchorToggle.implementation = function(_) {
        console.log('force bypass local trust anchors');
        return this.enablePublicKeyPinningBypassForLocalTrustAnchors(true);
    };
});
28 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
29 | //hash:1019414376 @YasarKah/viber-26-6-4-0-ssl-pinning
30 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/bypass-react-native-emulator-detection__khantsithu1998.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-794915247 @khantsithu1998/bypass-react-native-emulator-detection
4 | /*
5 | Bypass react-native-device-info emulator detection
6 | $ frida --codeshare khantsithu1998/bypass-react-native-emulator-detection -U -f
7 | By Khant Si Thu (https://twitter.com/KhantZero)
8 | */
9 |
// Replaces RNDeviceModule.isEmulator (react-native-device-info) when the Java
// runtime is reachable; otherwise only reports that Java is unavailable.
// The replacement evaluates Promise.resolve(false) and returns nothing.
if (!Java.available) {
    console.log("")
    console.log("[-] Java is Not available");
} else {
    Java.perform(function() {
        try {
            var deviceModule = Java.use("com.learnium.RNDeviceInfo.RNDeviceModule");
            deviceModule.isEmulator.implementation = function() {
                Promise.resolve(false)
            }
        } catch (hookError) {
            // Java.use or the hook assignment failed; print the stack for diagnosis.
            console.log("[-] Error Detected");
            console.log((hookError.stack));
        }
    });
}
26 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
27 | //hash:-794915247 @khantsithu1998/bypass-react-native-emulator-detection
28 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/okhttp3-obfuscated---ssl-pinning-bypass__sahabrifki.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-1854403828 @sahabrifki/okhttp3-obfuscated---ssl-pinning-bypass
// Two hooks on (obfuscated) OkHttp3 pinning classes. Each one still invokes the
// original method, discards its result, and returns a fixed value:
//   CertificatePinner$Pin.a(String) -> always false
//   CertificatePinner.equals(Object) -> always true
// What "a" stands for depends on the app's obfuscation mapping, which is not
// visible here.
Java.perform(function() {
    const PinClass = Java.use("okhttp3.CertificatePinner$Pin");
    PinClass["a"].overload('java.lang.String').implementation = function(hostname) {
        // The original is called for its side effects only.
        this["a"](hostname);
        return false;
    };

    const PinnerClass = Java.use("okhttp3.CertificatePinner");
    PinnerClass["equals"].implementation = function(obj) {
        // The original is called for its side effects only.
        this["equals"](obj);
        return true;
    };
});
26 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
27 | //hash:-1854403828 @sahabrifki/okhttp3-obfuscated---ssl-pinning-bypass
28 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/hello-world__Fitblip.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-2019094961 @Fitblip/hello-world
// Prints an ASCII-art banner, one console.log call per row, in order.
const bannerRows = [
    ' /$$ /$$ /$$ /$$ /$$ /$$ /$$ /$$ /$$',
    '| $$ | $$ | $$| $$ | $$ /$ | $$ | $$ | $$| $$',
    '| $$ | $$ /$$$$$$ | $$| $$ /$$$$$$ | $$ /$$$| $$ /$$$$$$ /$$$$$$ | $$ /$$$$$$$| $$',
    '| $$$$$$$$ /$$__ $$| $$| $$ /$$__ $$ | $$/$$ $$ $$ /$$__ $$ /$$__ $$| $$ /$$__ $$| $$',
    '| $$__ $$| $$$$$$$$| $$| $$| $$ \\ $$ | $$$$_ $$$$| $$ \\ $$| $$ \\__/| $$| $$ | $$|__/',
    '| $$ | $$| $$_____/| $$| $$| $$ | $$ | $$$/ \\ $$$| $$ | $$| $$ | $$| $$ | $$ ',
    '| $$ | $$| $$$$$$$| $$| $$| $$$$$$/ | $$/ \\ $$| $$$$$$/| $$ | $$| $$$$$$$ /$$',
    '|__/ |__/ \\_______/|__/|__/ \\______/ |__/ \\__/ \\______/ |__/ |__/ \\_______/|__/',
];
for (const row of bannerRows) {
    console.log(row);
}
12 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
13 | //hash:-2019094961 @Fitblip/hello-world
14 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/get-a-stack-trace-in-your-hook__razaina.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-2066478028 @razaina/get-a-stack-trace-in-your-hook
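// Template hook: wraps target.foo(String), calls the original, and sends the
// return value together with the Java call stack of the current thread.
// "com.pacakge.myClass" and "foo" are placeholders from the original template.
//
// Fix: the original declared `threadef` but then read `ThreadDef`, which throws
// a ReferenceError before any hook is installed. The Thread class wrapper is
// now used directly for the static currentThread() call.
Java.performNow(function() {
    var target = Java.use("com.pacakge.myClass");
    var Thread = Java.use('java.lang.Thread');

    // Join every stack frame into a newline-terminated listing.
    function Where(stack) {
        var at = "";
        for (var i = 0; i < stack.length; ++i) {
            at += stack[i].toString() + "\n";
        }
        return at;
    }

    target.foo.overload("java.lang.String").implementation = function(obfuscated_str) {
        var ret = this.foo(obfuscated_str);
        var stack = Thread.currentThread().getStackTrace();
        var full_call_stack = Where(stack);
        // Frame 3 is the one the original reported as the call site; guard the
        // index so a short stack cannot throw inside the hook.
        var caller = stack.length > 3 ? stack[3].toString() : "<unknown caller>";
        send("Deobfuscated " + ret + " @ " + caller + "\n\t Full call stack:" + full_call_stack);
        return ret;
    };
});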
25 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
26 | //hash:-2066478028 @razaina/get-a-stack-trace-in-your-hook
27 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/android-ssl-pinning-bypass-2__ivan-sincek.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:1822327618 @ivan-sincek/android-ssl-pinning-bypass-2
4 | /************************************************************************
5 | * Name: Android SSL Pinning Bypass 2
6 | * OS: Android
7 | * Author: sowdust (Credits to the author!)
8 | * Source: https://codeshare.frida.re/@sowdust/universal-android-ssl-pinning-bypass-2
9 | * Edited: https://github.com/ivan-sincek/android-penetration-testing-cheat-sheet/blob/main/scripts/android-ssl-pinning-bypass-2.js
10 | ************************************************************************/
// Replaces Conscrypt's TrustManagerImpl.checkTrustedRecursive with a stub that
// returns a new empty ArrayList without inspecting its arguments. With the hook
// in place the platform trust manager no longer evaluates the presented chain
// through this method, so TLS peers of the instrumented process are
// effectively unauthenticated.
function installTrustManagerStub() {
    var ArrayList = Java.use("java.util.ArrayList");
    var TrustManagerImpl = Java.use("com.android.org.conscrypt.TrustManagerImpl");
    console.log("Running Android SSL Pinning Bypass...");
    TrustManagerImpl.checkTrustedRecursive.implementation = function(a, b, c, d, e, f) {
        return ArrayList.$new();
    };
}

// Deferred by one timer tick, as in the original.
setTimeout(function() {
    Java.perform(installTrustManagerStub);
}, 0);
21 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
22 | //hash:1822327618 @ivan-sincek/android-ssl-pinning-bypass-2
23 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/sd__vutranHS.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:494167519 @vutranHS/sd
// Forces OkHttp clients built in the instrumented process through a fixed HTTP
// proxy (address and port are hard-coded below).
//  - OkHttpClient.newBuilder() returns a brand-new Builder, so settings of the
//    existing client are not carried over.
//  - Builder.build() sets the proxy on the builder before calling the original.
function installOkHttpProxy() {
    console.log('')
    console.log("# OkHTTP proxy");
    var OkHttpClient = Java.use("okhttp3.OkHttpClient");
    var OkHttpBuilder = Java.use("okhttp3.OkHttpClient$Builder");
    var Proxy = Java.use("java.net.Proxy");
    var ProxyType = Java.use("java.net.Proxy$Type");
    var InetSocketAddress = Java.use("java.net.InetSocketAddress");

    var proxyEndpoint = InetSocketAddress.createUnresolved("192.168.100.100", 8888);
    var proxy = Proxy.$new(ProxyType.HTTP.value, proxyEndpoint);

    OkHttpClient.newBuilder.overload().implementation = function() {
        return OkHttpBuilder.$new();
    };
    OkHttpBuilder.build.overload().implementation = function() {
        console.log('[+] Installing proxy');
        this.proxy(proxy);
        return this.build();
    };
}

setTimeout(function() {
    Java.perform(installOkHttpProxy);
}, 0)
27 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
28 | //hash:494167519 @vutranHS/sd
29 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/ibm-trusteer-ios-sdk-bypass__mgrela.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:1978278215 @mgrela/ibm-trusteer-ios-sdk-bypass
// Replaces -[Tas TasDraGetRiskItemCount:] so that it logs the call and returns
// 0. Per the original author's note, this method reports the number of "risk
// factors" for an app, so a constant 0 hides every finding from the caller.
// Reference given by the original author:
// http://public.dhe.ibm.com/partnerworld/pub/certify/ibm_security_trusteer_mobile_sdk_developers_guide_ios.pdf
if (!ObjC.available) {
    console.log("Objective-C Runtime is not available!");
} else {
    try {
        const Tas = ObjC.classes.Tas;
        const riskCountMethod = Tas['- TasDraGetRiskItemCount:'];

        riskCountMethod.implementation = ObjC.implement(riskCountMethod, function(handle, selector, arg1) {
            console.log(`Called TasDraGetRiskItemCount`);
            // Only rebinds the local parameter; nothing is written through it.
            arg1 = 0;
            return 0;
        })
    } catch (err) {
        console.log("[!] Exception while hooking: " + err.message);
    }
}
28 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
29 | //hash:1978278215 @mgrela/ibm-trusteer-ios-sdk-bypass
30 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/debug-webview__lolicon.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-1700355088 @lolicon/debug-webview
// Forces WebView remote debugging on:
//  - any call to WebView.setWebContentsDebuggingEnabled is logged (logcat tag
//    'natsuki' plus console, with a stack trace) and forwarded as `true`;
//  - the setting is also enabled once on the main thread at load time.
// With debugging enabled, WebView contents of the instrumented process can be
// inspected from an attached debugger.
Java.perform(() => {
    const WebView = Java.use('android.webkit.WebView')
    const Log = Java.use('android.util.Log')
    const Exception = Java.use('java.lang.Exception')

    WebView.setWebContentsDebuggingEnabled.implementation = function(...requested) {
        // The exception object exists only to capture the caller's stack trace.
        const marker = Exception.$new(`WebView.setWebContentsDebuggingEnabled(${requested})`)
        Log.e('natsuki', `setWebContentsDebuggingEnabled:${requested}`, marker)

        const trace = Log.getStackTraceString(marker)
        console.log(`WebView.setWebContentsDebuggingEnabled: `, ...requested, trace)

        return this.setWebContentsDebuggingEnabled(true)
    }

    Java.scheduleOnMainThread(() => {
        Log.e('natsuki', 'initialized to true')
        WebView.setWebContentsDebuggingEnabled(true)
    })
})
31 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
32 | //hash:-1700355088 @lolicon/debug-webview
33 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/fgdgd__vumail159951.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:1780135977 @vumail159951/fgdgd
4 | /* Android ssl certificate pinning bypass script for various methods
5 | by Maurizio Siddu
6 |
7 | Run with:
8 | frida -U -f [APP_ID] -l frida_multiple_unpinning.js --no-pause
9 | */
10 |
// Overwrites the static field android.os.Build$VERSION.SDK_INT with 15 inside
// the instrumented process. The original also carried commented-out hooks for
// app-specific classes; those were disabled and are not reproduced here.
function overrideSdkInt() {
    var buildVersion = Java.use('android.os.Build$VERSION');
    buildVersion.SDK_INT.value = 15;
}

setTimeout(function() {
    Java.perform(overrideSdkInt);
}, 0);
36 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
37 | //hash:1780135977 @vumail159951/fgdgd
38 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/test__Legal1337228.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-1606498452 @Legal1337228/test
4 | // bypass_debug.js
// Alters what debugger-related checks observe inside the instrumented process,
// in this order:
//  1. Debug.isDebuggerConnected() always returns false;
//  2. a DEBUG_ENABLE_DEBUGGER property is assigned 0 on the Debug$DebugFlags wrapper;
//  3. System.getenv("debug") returns null, other names pass through;
//  4. the current application's ApplicationInfo.flags is set to 0.
// Any step that throws aborts the remaining ones, as in the original.
Java.perform(function () {
    var DebugClass = Java.use('android.os.Debug');
    DebugClass.isDebuggerConnected.implementation = function() {
        console.log("Bypassing Debug.isDebuggerConnected()");
        return false;
    };

    var DebugFlagsClass = Java.use('android.os.Debug$DebugFlags');
    DebugFlagsClass.DEBUG_ENABLE_DEBUGGER = 0;

    var SystemClass = Java.use('java.lang.System');
    SystemClass.getenv.overload('java.lang.String').implementation = function(name) {
        console.log("Bypassing System.getenv(" + name + ")");
        return name === 'debug' ? null : this.getenv(name);
    };

    var ActivityThread = Java.use('android.app.ActivityThread');
    var appInfo = ActivityThread.currentApplication().getApplicationContext().getApplicationInfo();
    // Clears every ApplicationInfo flag, not only the debuggable bit.
    appInfo.flags.value = 0;

    console.log("Bypassing complete");
});
29 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
30 | //hash:-1606498452 @Legal1337228/test
31 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/supportsqlitestatement__marcohald.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:664766103 @marcohald/supportsqlitestatement
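// Logs calls to androidx SupportSQLiteDatabase.delete and both hooked execSQL
// overloads, then forwards them unchanged to the original methods.
//
// Fix: the hooks are now installed inside Java.perform(), so Java.use() runs
// on a thread attached to the VM; the original called it at top level.
//
// The statements and bind arguments are printed verbatim and may contain
// personal data or credentials; treat the console output as sensitive.
Java.perform(function () {
    let SupportSQLiteDatabase = Java.use("androidx.sqlite.db.SupportSQLiteDatabase");

    SupportSQLiteDatabase["delete"].implementation = function (str, str2, objArr) {
        console.log(`SupportSQLiteDatabase.delete is called: str=${str}, str2=${str2}, objArr=${objArr}`);
        let result = this["delete"](str, str2, objArr);
        console.log(`SupportSQLiteDatabase.delete result=${result}`);
        return result;
    };

    SupportSQLiteDatabase["execSQL"].overload('java.lang.String').implementation = function (str) {
        console.log(`SupportSQLiteDatabase.execSQL is called: str=${str}`);
        this["execSQL"](str);
    };

    SupportSQLiteDatabase["execSQL"].overload('java.lang.String', '[Ljava.lang.Object;').implementation = function (str, objArr) {
        console.log(`SupportSQLiteDatabase.execSQL is called: str=${str}, objArr=${objArr}`);
        this["execSQL"](str, objArr);
    };
});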
23 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
24 | //hash:664766103 @marcohald/supportsqlitestatement
25 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/frida-okhttp3-tls__RadonCoding.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-352152994 @RadonCoding/frida-okhttp3-tls
4 | // @RadonCoding
5 | // 20/04/2025
6 |
// Hooks OkHttpClient.newCall(Request). For every request the hook first sends a
// probe to a TLS-fingerprinting endpoint through the same client, prints the
// response body, and then returns the call for the original request.
//
// NOTE(review): the probe is derived from request.newBuilder(), so it appears
// to keep the original request's method, headers and body and deliver them to
// the third-party host below; confirm nothing sensitive is attached.
// The probe is executed synchronously on the thread that called newCall().
Java.perform(function () {
    const OkHttpClient = Java.use("okhttp3.OkHttpClient");
    const originalNewCall = OkHttpClient.newCall.overload("okhttp3.Request");

    OkHttpClient.newCall.overload("okhttp3.Request").implementation = function (request) {
        const originalUrl = request.url();
        console.log("[Intercepted] URL:", originalUrl.toString());

        const redirect = "https://tls.peet.ws/api/all";
        const probeRequest = request.newBuilder().url(redirect).build();

        // Blocking round trip to the fingerprinting endpoint.
        const probeResponse = originalNewCall.call(this, probeRequest).execute();
        const fingerprint = probeResponse.body().string();

        console.log(`[Redirected] TLS Fingerprint for ${originalUrl.toString()}:`);
        console.log(fingerprint);

        return originalNewCall.call(this, request);
    };
});
34 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
35 | //hash:-352152994 @RadonCoding/frida-okhttp3-tls
36 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/uncrackable1-solution__sosacrazy126.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:634311665 @sosacrazy126/uncrackable1-solution
4 | // frida -U -f sg.vantagepoint.uncrackable1 --no-pause -l your_script.js
5 |
// Hooks for the UnCrackable Level 1 training app's MainActivity:
//  - a(...)         : replaced with a stub that only logs (original not called);
//  - onCreate(Bundle): logs, then runs the original onCreate;
//  - verify(View)    : logs, then runs the original verify.
// The log labels are the original author's; only the first hook suppresses
// the original method.
Java.perform(function() {
    var MainActivity = Java.use('sg.vantagepoint.uncrackable1.MainActivity');

    MainActivity.a.implementation = function(str) {
        console.log('[Root Bypass] Root detection bypassed.');
    };

    var onCreateHook = MainActivity.onCreate.overload('android.os.Bundle');
    onCreateHook.implementation = function(bundle) {
        console.log('[Debuggable Bypass] Debuggable check bypassed.');
        this.onCreate(bundle);
    };

    var verifyHook = MainActivity.verify.overload('android.view.View');
    verifyHook.implementation = function(view) {
        console.log('[Exit Bypass] Exit on button click bypassed.');
        this.verify(view);
    };
});
29 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
30 | //hash:634311665 @sosacrazy126/uncrackable1-solution
31 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/2__Malfarion.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:1950106730 @Malfarion/2
// Neutralises OkHttp certificate pinning in the instrumented process:
//  - OkHttpClient.setCertificatePinner ignores the pinner and returns the client;
//  - both CertificatePinner.check overloads return without checking anything.
// While installed, connections made through these classes are not pin-checked.
Java.perform(function() {
    var OkHttpClient = Java.use("com.squareup.okhttp3.OkHttpClient");
    OkHttpClient.setCertificatePinner.implementation = function(certificatePinner) {
        console.log("Called!");
        return this;
    };

    // Covers pinners that were attached before the hook above was installed.
    var CertificatePinner = Java.use("com.squareup.okhttp3.CertificatePinner");
    var checkWithArray = CertificatePinner.check.overload('java.lang.String', '[Ljava.security.cert.Certificate;');
    checkWithArray.implementation = function(p0, p1) {
        console.log("Called! [Certificate]");
    };
    var checkWithList = CertificatePinner.check.overload('java.lang.String', 'java.util.List');
    checkWithList.implementation = function(p0, p1) {
        console.log("Called! [List]");
    };
});
26 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
27 | //hash:1950106730 @Malfarion/2
28 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/android-ssl-bypass__pbalmelle.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:294157097 @pbalmelle/android-ssl-bypass
// Replaces both okhttp3.CertificatePinner.check overloads with stubs that log
// and return, so pin mismatches are never raised in the instrumented process.
// The original file also contained a disabled (commented-out) hook on the
// client builder's certificatePinner setter; it is not active and is omitted.
Java.perform(function () {
    var CertificatePinner = Java.use("okhttp3.CertificatePinner");

    var checkWithArray = CertificatePinner.check.overload('java.lang.String', '[Ljava.security.cert.Certificate;');
    checkWithArray.implementation = function(p0, p1){
        console.log("Called! [Certificate]");
    };

    var checkWithList = CertificatePinner.check.overload('java.lang.String', 'java.util.List');
    checkWithList.implementation = function(p0, p1){
        console.log("Called! [List]");
    };
});
26 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
27 | //hash:294157097 @pbalmelle/android-ssl-bypass
28 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/okhttp-proxy-installator__0xbad0c0d3.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-1340287402 @0xbad0c0d3/okhttp-proxy-installator
// Forces OkHttp clients built in the instrumented process through a fixed HTTP
// proxy (address and port are hard-coded below).
//  - OkHttpClient.newBuilder() returns a brand-new Builder, so settings of the
//    existing client are not carried over.
//  - Builder.build() sets the proxy on the builder before calling the original.
function installOkHttpProxy() {
    console.log('')
    console.log("# OkHTTP proxy");
    var OkHttpClient = Java.use("okhttp3.OkHttpClient");
    var OkHttpBuilder = Java.use("okhttp3.OkHttpClient$Builder");
    var Proxy = Java.use("java.net.Proxy");
    var ProxyType = Java.use("java.net.Proxy$Type");
    var InetSocketAddress = Java.use("java.net.InetSocketAddress");

    var proxyEndpoint = InetSocketAddress.createUnresolved("1.2.3.4", 5678);
    var proxy = Proxy.$new(ProxyType.HTTP.value, proxyEndpoint);

    OkHttpClient.newBuilder.overload().implementation = function() {
        return OkHttpBuilder.$new();
    };
    OkHttpBuilder.build.overload().implementation = function() {
        console.log('[+] Installing proxy');
        this.proxy(proxy);
        return this.build();
    };
}

setTimeout(function() {
    Java.perform(installOkHttpProxy);
}, 0)
27 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
28 | //hash:-1340287402 @0xbad0c0d3/okhttp-proxy-installator
29 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/okhttp__Malfarion.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:20129951 @Malfarion/okhttp
// Neutralises OkHttp certificate pinning in the instrumented process:
//  - OkHttpClient.setCertificatePinner ignores the pinner and returns the client;
//  - both CertificatePinner.check overloads return without checking anything.
// While installed, connections made through these classes are not pin-checked.
Java.perform(function() {
    var OkHttpClient = Java.use("com.squareup.okhttp.OkHttpClient");
    OkHttpClient.setCertificatePinner.implementation = function(certificatePinner) {
        console.log("Called!");
        return this;
    };

    // Covers pinners that were attached before the hook above was installed.
    var CertificatePinner = Java.use("com.squareup.okhttp3.CertificatePinner");
    var checkWithArray = CertificatePinner.check.overload('java.lang.String', '[Ljava.security.cert.Certificate;');
    checkWithArray.implementation = function(p0, p1) {
        console.log("Called! [Certificate]");
    };
    var checkWithList = CertificatePinner.check.overload('java.lang.String', 'java.util.List');
    checkWithList.implementation = function(p0, p1) {
        console.log("Called! [List]");
    };
});
26 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
27 | //hash:20129951 @Malfarion/okhttp
28 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/uncrackable-l1-passcode-extractor__dzulfiqois.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-1858889191 @dzulfiqois/uncrackable-l1-passcode-extractor
/**
 * Build a string by mapping each element of an indexable sequence to the
 * character with that UTF-16 code unit.
 *
 * @param {ArrayLike<number>} array - sequence of code-unit values.
 * @returns {string} concatenation of String.fromCharCode(element) per element.
 */
function bin2string(array) {
    var text = "";
    var position = 0;
    while (position < array.length) {
        text = text + String.fromCharCode(array[position]);
        position += 1;
    }
    return text;
}
11 |
// UnCrackable Level 1 training app: MainActivity.a is replaced with a stub that
// logs and, each time it runs, (re)installs a hook on sg.vantagepoint.a.a.a.
// That inner hook calls the original, prints its byte-array result as text via
// bin2string, and returns the result unchanged.
Java.perform(function () {
    var mainActivity = Java.use("sg.vantagepoint.uncrackable1.MainActivity");
    mainActivity.a.implementation = function () {
        console.log("Root Bypassed");

        // Installed lazily: this runs only once MainActivity.a is invoked.
        var cryptoHelper = Java.use("sg.vantagepoint.a.a");
        cryptoHelper.a.implementation = function (x1, x2) {
            var rawResult = this.a(x1, x2);
            console.log("Passcode : " + bin2string(rawResult));
            return rawResult;
        };
    };
});
29 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
30 | //hash:-1858889191 @dzulfiqois/uncrackable-l1-passcode-extractor
31 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/universal-android-ssl-pinning-bypass__avltree9798.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-1806275829 @avltree9798/universal-android-ssl-pinning-bypass
4 | /*
5 | Universal Android SSL Pinning Bypass
6 | by Anthony Viriya (@avltree9798)
7 |
8 | $ frida -U -f org.package.name -l universal-ssl-check-bypass.js --no-pause
9 | */
10 |
// Stubs two Conscrypt TrustManagerImpl methods in the instrumented process:
//  - verifyChain returns the untrusted chain it was given;
//  - checkTrustedRecursive returns a new empty ArrayList.
// Neither stub calls the original, so chain validation through these methods
// is skipped and TLS peers are effectively unauthenticated while it is loaded.
Java.perform(function() {
    var TrustManagerImpl = Java.use('com.android.org.conscrypt.TrustManagerImpl');
    var ArrayList = Java.use("java.util.ArrayList");

    function passThroughChain(untrustedChain, trustAnchorChain, host, clientAuth, ocspData, tlsSctData) {
        console.log("[+] Bypassing TrustManagerImpl->verifyChain()");
        return untrustedChain;
    }

    function emptyTrustResult(certs, host, clientAuth, untrustedChain, trustAnchorChain, used) {
        console.log("[+] Bypassing TrustManagerImpl->checkTrustedRecursive()");
        return ArrayList.$new();
    }

    TrustManagerImpl.verifyChain.implementation = passThroughChain;
    TrustManagerImpl.checkTrustedRecursive.implementation = emptyTrustResult;
});
25 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
26 | //hash:-1806275829 @avltree9798/universal-android-ssl-pinning-bypass
27 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/ios-16-location-spoofing__Rablidad.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:1470177408 @Rablidad/ios-16-location-spoofing
4 | // written in typescript
/**
 * Attach to -[CLLocation coordinate] and, on every return, replace the return
 * value with the result of initWithLatitude:longitude: called with the given
 * coordinates plus a random offset of at most ±0.005 on each axis.
 *
 * @param newLat  latitude to report before the random offset is applied.
 * @param newLong longitude to report before the random offset is applied.
 */
function spoofLocation(newLat: number, newLong: number) {
    // Latitude is jittered first, then longitude (two Math.random() draws).
    const jitter = (lat: number, long: number) => {
        const randLat = lat + (Math.random() - 0.5) * 0.01;
        const randLong = long + (Math.random() - 0.5) * 0.01;
        return { randLat, randLong };
    };

    const coordinateMethod = ObjC.classes["CLLocation"]["- coordinate"];
    Interceptor.attach(coordinateMethod.implementation, {
        onLeave: (curLocation) => {
            const shifted = jitter(newLat, newLong);
            // NOTE(review): treats the return value as an object handle; confirm
            // that matches what "- coordinate" actually returns.
            const receiver = new ObjC.Object(curLocation);
            const replacement = receiver["- initWithLatitude:longitude:"](shifted.randLat, shifted.randLong);
            curLocation.replace(replacement);
        },
    });
}
32 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
33 | //hash:1470177408 @Rablidad/ios-16-location-spoofing
34 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/string__vumail159951.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:658473834 @vumail159951/string
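/**
 * Install a logging hook on every overload of `className.func`.
 *
 * Each hook calls the original method with the arguments it received, logs a
 * JSON array of "(<declared type>) <value>" strings (one per declared
 * parameter), and returns the original's result, or '' when that is falsy.
 *
 * Change from the original: the hook body used to be assembled as source text
 * from class names and compiled with the Function constructor. It is now an
 * ordinary closure, so no code is generated from strings at run time. The
 * overload list is also walked with for...of instead of for...in.
 *
 * @param {string} className - fully qualified Java class name for Java.use().
 * @param {string} func - method name on that class (e.g. '$init').
 */
function hookOverloads(className, func) {
    const clazz = Java.use(className);
    const method = clazz[func];

    for (const candidate of method.overloads) {
        // Same guard as the original: skip entries without their own type list.
        if (!Object.prototype.hasOwnProperty.call(candidate, 'argumentTypes')) {
            continue;
        }
        const typeNames = candidate.argumentTypes.map((type) => type.className);

        method.overload(...typeNames).implementation = function (...values) {
            // Call through first, then log, matching the original ordering.
            const ret = this[func](...values) || '';
            const rendered = typeNames.map((name, j) => '(' + name + ') ' + values[j]);
            console.log(JSON.stringify(rendered));
            return ret;
        };
    }
}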
29 |
// Entry point: log the arguments of every java.lang.StringBuilder constructor
// overload. StringBuilder is used very widely, so expect high log volume and
// possibly sensitive strings in the output.
Java.perform(() => {
    hookOverloads('java.lang.StringBuilder', '$init');
})
33 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
34 | //hash:658473834 @vumail159951/string
35 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/ios-ssl-key-steal2__atuncer.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:953314208 @atuncer/ios-ssl-key-steal2
4 | var CALLBACK_OFFSET = 0x2b8; //ios 14
5 |
6 | // Logging function, reads null terminated string from address in line
/**
 * Key-log callback body: print the NUL-terminated C string found at `line`.
 *
 * The printed lines are TLS key-log material; anyone holding them together
 * with a capture of the session can decrypt it, so handle the output as a
 * secret.
 *
 * @param ssl  - first callback argument (unused here).
 * @param line - address of the NUL-terminated key-log line.
 */
function key_logger(ssl, line) {
    const linePtr = new NativePointer(line);
    const text = linePtr.readCString();
    console.log(text);
}
10 |
11 | // Wrap key_logger JS function in NativeCallback
// Native trampoline for key_logger: void (*)(pointer, pointer).
var key_log_callback = new NativeCallback(key_logger, 'void', ['pointer', 'pointer']);

// Per the original author, SSL_CTX_set_keylog_callback is not implemented in
// the iOS build of boringssl, so SSL_CTX_set_info_callback is hooked instead:
// its first argument is the SSL_CTX, and the hook writes the logging callback
// straight into the context at CALLBACK_OFFSET.
//
// NOTE(review): CALLBACK_OFFSET is a fixed struct offset tagged "ios 14" where
// it is declared. On a build with a different layout this write would land on
// an unrelated field; confirm the offset per OS version before relying on it.
var SSL_CTX_set_info_callback = Module.findExportByName("libboringssl.dylib", "SSL_CTX_set_info_callback");

Interceptor.attach(SSL_CTX_set_info_callback, {
    onEnter: function(args) {
        var ctx = new NativePointer(args[0]);
        var slot = new NativePointer(ctx).add(CALLBACK_OFFSET);
        slot.writePointer(key_log_callback);
    }
});
30 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
31 | //hash:953314208 @atuncer/ios-ssl-key-steal2
32 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/enum-code-exec__beyrakIn.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-1443971859 @beyrakIn/enum-code-exec
// Observes process launches from Java code: logs the command passed to
// Runtime.exec(String) and the command list of ProcessBuilder.start(), then
// forwards each call to the original method unchanged.
// Coverage note: only the single-String overload of Runtime.exec is hooked, so
// calls made through its other overloads are not logged by this script.
Java.perform(function() {
    console.log("\n[*] Frida script started for enumerating cmd runs...");

    var Runtime = Java.use("java.lang.Runtime");
    var ProcessBuilder = Java.use('java.lang.ProcessBuilder');

    try {
        var execString = Runtime.exec.overload("java.lang.String");
        execString.implementation = function(cmd) {
            console.log("[+] Runtime.exec called with: " + cmd);
            return this.exec(cmd);
        };

        ProcessBuilder.start.implementation = function() {
            // Read the builder's command list and render it as a string.
            var commandList = this.command.call(this);
            var rendered = Java.use('java.lang.String').valueOf(commandList);
            console.log("[+] ProcessBuilder.start called with: " + rendered);

            // Continue with the original start().
            return this.start.call(this);
        };
    } catch (hookError) {
        console.log("[!] Error hooking func: " + hookError);
    }
});
32 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
33 | //hash:-1443971859 @beyrakIn/enum-code-exec
34 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/android-certificate-pinning-bypass__segura2010.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:1902146048 @segura2010/android-certificate-pinning-bypass
/**
 * Turns OkHttp 2.x (com.squareup.okhttp) certificate pinning into a no-op in
 * the instrumented process: the pinner setter and both check() overloads are
 * replaced. Only the pin comparison is affected; nothing here touches the
 * platform trust manager.
 */
Java.perform(function () {
    // Swallow any pinner the app tries to install. The client itself is
    // returned so chained configuration calls keep working.
    const okHttpClientClass = Java.use("com.squareup.okhttp.OkHttpClient");
    okHttpClientClass.setCertificatePinner.implementation = function (certificatePinner) {
        console.log("Called!");
        return this;
    };

    // Covers a pinner that was installed before the hook above was active:
    // check() signals a pin mismatch by throwing, so returning normally
    // accepts the chain.
    const pinnerClass = Java.use("com.squareup.okhttp.CertificatePinner");

    const checkWithArray = pinnerClass.check.overload('java.lang.String', '[Ljava.security.cert.Certificate;');
    checkWithArray.implementation = function (p0, p1) {
        console.log("Called! [Certificate]");
        return;
    };

    const checkWithList = pinnerClass.check.overload('java.lang.String', 'java.util.List');
    checkWithList.implementation = function (p0, p1) {
        console.log("Called! [List]");
        return;
    };
});
28 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/custom-phonegap-sslcertificatechecker-bypass__gchib297.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-1421946648 @gchib297/custom-phonegap-sslcertificatechecker-bypass
4 | /* Script start */
5 |
/**
 * Replaces SSLCertificateChecker.execute() from the Cordova plugin
 * nl.xservices.plugins so the plugin's own check is never run and the
 * JavaScript side is told 'CONNECTION_SECURE'.
 */
Java.perform(function x() {
    const checkerClass = Java.use("nl.xservices.plugins.SSLCertificateChecker");

    checkerClass.execute.implementation = function (str, jSONArray, callbackContext) {
        console.log('execute is called');

        // NOTE(review): Java.choose visits every live CallbackContext on the
        // heap, so success is reported to all of them, not only to the
        // callbackContext passed to this call.
        Java.choose("org.apache.cordova.CallbackContext", {
            onMatch: function (liveContext) {
                console.log("Found instance: " + liveContext);
                console.log("Sending success");
                liveContext.success('CONNECTION_SECURE');
            },
            onComplete: function () {}
        });

        // The original execute() is not invoked; true is returned in its place.
        return true;
    };
});
29 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/android-okhttp3-logger__nneonneo.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:578622555 @nneonneo/android-okhttp3-logger
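/**
 * Logs each OkHttp3 request/response pair of the instrumented app by wrapping
 * RealCall.getResponseWithInterceptorChain(). The response is returned
 * unchanged.
 *
 * Headers and form bodies routinely carry credentials and session tokens, so
 * the console output should be handled as sensitive data.
 */
Java.perform(function () {
    var RealCall = Java.use("okhttp3.RealCall");
    var Buffer = Java.use("okio.Buffer");
    var StandardCharsets = Java.use("java.nio.charset.StandardCharsets");

    RealCall.getResponseWithInterceptorChain.implementation = function () {
        var response = this.getResponseWithInterceptorChain();
        var request = response.request();
        console.log("REQUEST:", request);
        console.log(request.headers());

        var body = "";
        var contentType = request.headers().get("content-type");
        var requestBody = request.body();
        // Compare the media type only, so a value with parameters such as
        // "application/x-www-form-urlencoded; charset=UTF-8" is still logged.
        var isForm = contentType !== null &&
            contentType.toLowerCase().indexOf("application/x-www-form-urlencoded") === 0;
        // Requests without a body (e.g. GET) have a null body; skip them
        // instead of throwing inside the app's network call.
        if (isForm && requestBody !== null) {
            var buffer = Buffer.$new();
            requestBody.writeTo(buffer);
            body = buffer.readString(StandardCharsets.UTF_8.value);
        }
        console.log(body);

        console.log("RESPONSE:", response);
        console.log(response.headers());
        return response;
    };
    console.log("okhttp3 intercepted");
});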
30 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/okhttp3-certificate-pinner-bypass__silva95gustavo.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-535077919 @silva95gustavo/okhttp3-certificate-pinner-bypass
/**
 * Replaces Conscrypt's TrustManagerImpl.verifyChain / checkTrustedRecursive
 * and OkHttp3's CertificatePinner.check(String, List) in the instrumented
 * process.
 *
 * Scope note: the first two hooks are wider than pinning. verifyChain hands
 * back the presented chain without validating it, so for the code paths that
 * go through these methods the process accepts whatever chain the peer sends.
 */
Java.perform(function () {
    const trustManagerImpl = Java.use('com.android.org.conscrypt.TrustManagerImpl');
    const arrayListClass = Java.use("java.util.ArrayList");

    // Return the untrusted chain as if it had been verified.
    trustManagerImpl.verifyChain.implementation = function (
        untrustedChain, trustAnchorChain, host, clientAuth, ocspData, tlsSctData
    ) {
        console.log("[+] Bypassing TrustManagerImpl->verifyChain()");
        return untrustedChain;
    };

    // Return a fresh, empty list in place of the computed trusted chain.
    trustManagerImpl.checkTrustedRecursive.implementation = function (
        certs, host, clientAuth, untrustedChain, trustAnchorChain, used
    ) {
        console.log("[+] Bypassing TrustManagerImpl->checkTrustedRecursive()");
        return arrayListClass.$new();
    };

    const pinnerClass = Java.use('okhttp3.CertificatePinner');
    // This message is printed once when the hook is installed, not on each check() call.
    console.log("[+] Bypassing CertificatePinner->check()");
    const checkWithList = pinnerClass.check.overload('java.lang.String', 'java.util.List');
    checkWithList.implementation = function (hostname, peerCertificates) {
        return;
    };
});
25 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/trace-android-binder-call-from-binderproxy__dvdface.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-1404779212 @dvdface/trace-android-binder-call-from-binderproxy
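// Wraps every BinderProxy.transact() in a Trace section named after the calling
// stack frame, so a perfetto trace shows which binder call the caller made
// instead of only the binder transaction/reply.
Java.perform(() => {

    // used to add trace sections
    const Trace = Java.use('android.os.Trace');
    // used to get the call stack
    const Thread = Java.use('java.lang.Thread');
    // used to hook binder calls made through a binder proxy
    const BinderProxy = Java.use('android.os.BinderProxy');
    // android.os.Trace rejects section names longer than 127 characters
    const MAX_SECTION_NAME_LEN = 127;

    BinderProxy.transact.implementation = function(...args) {

        const stacktrace = Thread.currentThread().getStackTrace();
        // the binder call is in the 4th frame (original author's observation)
        const callingStack = stacktrace[3];
        // Truncate so a long frame description cannot make beginSection throw
        // inside the app's binder call.
        const sectionName = callingStack.toString().substring(0, MAX_SECTION_NAME_LEN);

        Trace.beginSection(sectionName);
        try {
            return this.transact(...args);
        } finally {
            // transact() can throw; close the section either way so trace
            // sections stay balanced.
            Trace.endSection();
        }

    };
})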
33 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/ios-touch-id-bypass__ivan-sincek.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:1261720875 @ivan-sincek/ios-touch-id-bypass
4 | /************************************************************************
5 | * Name: iOS Touch ID Bypass
6 | * OS: iOS
7 | * Author: @FSecureLABS (Credits to the author!)
8 | * Source: https://github.com/FSecureLABS/needle/blob/master/needle/modules/hooking/frida/script_touch-id-bypass.py
9 | * Edited: https://github.com/ivan-sincek/ios-penetration-testing-cheat-sheet/blob/main/scripts/ios-touch-id-bypass.js
10 | ************************************************************************/
/*
 * Hooks -[LAContext evaluatePolicy:localizedReason:reply:] and rewraps the
 * app's reply block so it is always invoked with (true, null), whatever
 * LocalAuthentication reported.
 *
 * This only affects apps that act on the boolean handed to the reply block.
 * Secrets held in Keychain items protected by biometric access control are
 * released by the OS rather than by this callback, which is why that design
 * is the recommended one for local authentication.
 */
setTimeout(function () {
    if (!ObjC.available) {
        console.log("Objective-C Runtime is not available!");
        return;
    }

    const evaluatePolicy = ObjC.classes.LAContext["- evaluatePolicy:localizedReason:reply:"];
    Interceptor.attach(evaluatePolicy.implementation, {
        onEnter: function (args) {
            console.log("Trying to bypass touch ID...");
            // args[0] is self and args[1] the selector, so args[4] is the reply block.
            const replyBlock = new ObjC.Block(args[4]);
            const originalReply = replyBlock.implementation;
            replyBlock.implementation = function (error, value) {
                console.log("Touch ID has been bypassed successfully!");
                return originalReply(true, null);
            };
        }
    });
}, 0);
31 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/murder-meta-bypass__log-cat.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-1781063384 @log-cat/murder-meta-bypass
4 | // https://github.com/logosred/murder-meta-bypass
5 | // Simple script to bypass SSL pinning in Instagram.
/**
 * Replaces CertificateVerifier.verify(X509Certificate[], String, boolean) in
 * com.facebook.mobilenetwork.internal.certificateverifier with a method that
 * returns without doing any check, and logs each call.
 */
Java.perform(function () {
    console.log("--- Murder Meta Bypass Loaded ---");
    console.log("--- Targeting the core 'verify' method ---");

    try {
        const verifierClass = Java.use("com.facebook.mobilenetwork.internal.certificateverifier.CertificateVerifier");

        // Select the exact overload by its JNI-style parameter types.
        const verifyOverload = verifierClass.verify.overload(
            '[Ljava.security.cert.X509Certificate;',
            'java.lang.String',
            'boolean'
        );

        // Returning normally means the chain is treated as verified.
        verifyOverload.implementation = function (certChain, hostname, someBoolean) {
            console.log(`[+] Bypassed CertificateVerifier.verify(certChain, "${hostname}", ${someBoolean}). Certificate chain is now trusted.`);
            return;
        };

        console.log("[+] Hook on CertificateVerifier.verify with correct signature is active.");
    } catch (e) {
        // Class or overload not present in this build of the app.
        console.error("[-] Failed to hook CertificateVerifier.verify(). Error:");
        console.error(e);
    }
});
31 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/root-function__Raghav-Gupta99.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-1827566684 @Raghav-Gupta99/root-function
/**
 * Template: overrides three methods of an app-specific root/debugger check
 * class. The class name below is a placeholder and the method names are the
 * template author's; none of them refer to a real API.
 */
Java.perform(function () {
    // Placeholder: replace with the actual class name.
    const rootCheck = Java.use("com.yourpackage.name.RootCheck");

    // isRooted() always reports "not rooted".
    rootCheck.isRooted.implementation = function () {
        console.log("isRooted() was called, returning false.");
        return false;
    };

    // isDebuggerAttached() always reports "no debugger".
    rootCheck.isDebuggerAttached.implementation = function () {
        console.log("isDebuggerAttached() was called, returning false.");
        return false;
    };

    // Optional: call the real getDeviceState() and clear bits 1 and 4 of its
    // result (assumed by the template author to be the rooted and debugger
    // flags; confirm against the target class).
    rootCheck.getDeviceState.implementation = function () {
        console.log("getDeviceState() was called, modifying return value.");
        const state = this.getDeviceState();
        return (state & ~1) & ~4;
    };
});
27 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/print-params__InvictusNinja.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-1777650135 @InvictusNinja/print-params
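// Dumps the raw argument slots seen on entry to
// SkBitmap::tryAllocPixels(SkBitmap::Allocator*) in libhwui.so.
//
// Per the mangled name the function takes only the implicit `this` (args[0])
// and an Allocator* (args[1]). args[2]..args[11] are not declared parameters,
// so the values printed for them are whatever occupies those argument slots.
var tryAllocPixels = Module.findExportByName("libhwui.so", "_ZN8SkBitmap14tryAllocPixelsEPNS_9AllocatorE");

if (tryAllocPixels === null) {
    // findExportByName returns null when the library is not loaded or does not
    // export the symbol; report that instead of failing inside attach().
    console.log('SkBitmap::tryAllocPixels export not found in libhwui.so');
} else {
    Interceptor.attach(tryAllocPixels, {
        onEnter: function (args) {
            console.log('args found at ' + args[1]);
            console.log('arg[2] = ' + args[2].toInt32());
            console.log('arg[3]= ' + args[3].toInt32());
            console.log('arg[4] = ' + args[4].toInt32());
            console.log('arg[5] = ' + args[5].toInt32());
            console.log('arg[6] = ' + args[6].toInt32());
            console.log('arg[7] = ' + args[7].toInt32());
            console.log('arg[8] = ' + args[8].toInt32());
            console.log('arg[9] = ' + args[9].toInt32());
            console.log('arg[10] = ' + args[10].toInt32());
            console.log('arg[11] = ' + args[11].toInt32());
        }
    });
}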
23 |
24 | //_ZN8SkBitmap13HeapAllocator13allocPixelRefEPS_
27 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/pdf__komoosdosk.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:1431833481 @komoosdosk/pdf
// Stealth Frida Injection for Tinder (title given by the original author).
// What the code below does: it makes every sysctl() call in the process
// report -1 and overwrites the first argument of every ptrace() call.
// It does not hide any process.
// NOTE(review): the hooks sit inside Java.perform (Frida's Java bridge) while
// sysctl/ptrace are looked up as native exports; confirm which platform this
// was written for.

Java.perform(function () {
    console.log("[+] Stealth Frida Hook Loaded");

    // Hook sysctl: every call is flagged on entry and its return value is
    // replaced with -1 on exit, whatever was being queried. This is
    // process-wide, so unrelated sysctl users see failures too.
    var sysctl = Module.findExportByName(null, "sysctl");
    if (sysctl) {
        Interceptor.attach(sysctl, {
            onEnter: function (args) {
                console.log("[Blocked] sysctl call detected");
                this.skip = true;
            },
            onLeave: function (retval) {
                if (this.skip) retval.replace(-1);
            }
        });
    }

    // Hook ptrace: the request argument is overwritten on entry.
    // NOTE(review): the original comment says this prevents PTRACE_TRACEME,
    // but on Darwin request 31 is PT_DENY_ATTACH; confirm the intended
    // platform and value.
    var ptrace = Module.findExportByName(null, "ptrace");
    if (ptrace) {
        Interceptor.attach(ptrace, {
            onEnter: function (args) {
                console.log("[Blocked] ptrace anti-debugging");
                args[0] = 31; // request value chosen by the original author
            }
        });
    }

    console.log("[+] Frida Hooks Applied - Tinder Should Now Be Accessible");
});
39 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/android-deep-link-observer__leolashkevych.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-1441511277 @leolashkevych/android-deep-link-observer
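/**
 * Logs deep-link data whenever the app reads it through Intent.getData().
 * The URI is returned to the app unchanged.
 *
 * Everything printed here (scheme, host, query, fragment) is supplied by
 * whoever sent the intent, so these are the fields a deep-link handler has to
 * validate.
 */
Java.perform(function () {
    var Intent = Java.use("android.content.Intent");
    Intent.getData.implementation = function () {
        // Call the original once and reuse the result for logging and return.
        var uri = this.getData();

        var rawAction = this.getAction();
        var action = rawAction !== null ? rawAction.toString() : false;
        if (action) {
            console.log("[*] Intent.getData() was called");
            // Implicit intents have no component; guard so the hook never
            // throws a NullPointerException into the app.
            var component = this.getComponent();
            console.log("[*] Activity: " + (component !== null ? component.getClassName() : "(no explicit component)"));
            console.log("[*] Action: " + action);
            if (uri !== null) {
                console.log("\n[*] Data");
                var scheme = uri.getScheme();
                var host = uri.getHost();
                var query = uri.getQuery();
                var fragment = uri.getFragment();
                scheme && console.log("- Scheme:\t" + scheme + "://");
                host && console.log("- Host:\t\t/" + host);
                query && console.log("- Params:\t" + query);
                fragment && console.log("- Fragment:\t" + fragment);
                console.log("\n\n");
            } else {
                console.log("[-] No data supplied.");
            }
        }
        return uri;
    };
});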
29 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/cosmote-whatsup-certificate-pinning-bypass__stavros0.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-1308807581 @stavros0/cosmote-whatsup-certificate-pinning-bypass
4 | /*
5 | Bypassing certificate pinning in COSMOTE What's Up 4.7.1 (Android 9)
6 | Made with love by Stavros Mekesis (https://suumcuique.org)
7 |
8 | $ frida -U -f gr.cosmote.whatsup -l cosmote-whatsup.js --no-pause
9 | */
10 |
/**
 * Two independent hooks, each in its own try/catch so one missing class does
 * not stop the other:
 *  - "l.h$a".a(String, String[]): an obfuscated class name, so it is tied to
 *    the app build named in the header comment;
 *  - Conscrypt's ConscryptFileDescriptorSocket.verifyCertificateChain().
 */
Java.perform(function () {
    try {
        const pinnerBuilder = Java.use("l.h$a");
        const addPins = pinnerBuilder.a.overload('java.lang.String', '[Ljava.lang.String;');
        // Return the receiver without recording the pins for this host pattern.
        addPins.implementation = function (a, b) {
            console.log('Disabling pin for ' + a);
            return this;
        };
    } catch (err) {
        // Any failure above is reported as "not found".
        console.log('CertificatePinner not found');
    }

    try {
        const socketClass = Java.use('com.android.org.conscrypt.ConscryptFileDescriptorSocket');
        // Returning normally skips the platform's chain verification for this socket type.
        socketClass.verifyCertificateChain.implementation = function (a, b) {
            console.log('Disabling pin for verifyCertificateChain()');
            return;
        };
    } catch (err) {
        console.log('ConscryptFileDescriptorSocket.verifyCertificateChain() not found');
    }
});
34 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/flutter-ssl-pinning-bypass__skytolfers.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:1422147281 @skytolfers/flutter-ssl-pinning-bypass
/*
 * After a one-second delay, scans the executable ranges of libflutter.so for
 * a fixed byte pattern and replaces each match with a stub that returns 0.
 *
 * The pattern is x86-64 machine code, so a match is only expected in an
 * x86-64 build of the library whose function prologue is byte-identical;
 * other engine builds will simply produce no match.
 */
setTimeout(function () {
    // Replace the function at `address` with a native stub returning 0.
    function hook_ssl_verify(address) {
        const stub = new NativeCallback((pathPtr, flags) => {
            console.log("ssl_verify hooked");
            return 0;
        }, 'int', ['pointer', 'int']);
        Interceptor.replace(address, stub);
    }

    const flutterModule = Process.findModuleByName("libflutter.so");

    const signature = "55 41 57 41 56 41 55 41 54 53 50 49 89 fe 48 8b 1f 48 8b 43 30 4c 8b b8 d0 01 00 00 4d 85 ff 74 12 4d 8b a7 90 00 00 00 4d 85 e4 74 4a 49 8b 04 24 eb 46";

    const executableRanges = flutterModule.enumerateRanges('r-x');

    executableRanges.forEach(range => {
        // Memory.scan is asynchronous; hooks are installed from onMatch as
        // matches arrive.
        Memory.scan(range.base, range.size, signature, {
            onMatch: function (address, size) {
                const offsetHex = address.sub(flutterModule.base).toString(16);
                console.log("ssl_verify_peer_cert function offset:" + offsetHex);
                hook_ssl_verify(address);
            }
        });
    });
}, 1000);
33 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/hook-javascript-interfaces__komen205.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-765431226 @komen205/hook-javascript-interfaces
/**
 * Logs WebView calls that matter when reviewing an app's JavaScript bridge:
 * enabling JavaScript, adding or removing a JavaScript interface, and
 * evaluating script. Every call is forwarded unchanged.
 *
 * Objects registered through addJavascriptInterface are reachable from page
 * script, so the class names printed here are the bridge surface to review.
 */
Java.perform(function () {
    const webViewClass = Java.use('android.webkit.WebView');
    const webSettingsClass = Java.use('android.webkit.WebSettings');

    webSettingsClass.setJavaScriptEnabled.implementation = function (allow) {
        console.log('[!] Java Script Enabled:' + allow);
        return this.setJavaScriptEnabled(allow);
    };

    // Reports the Java class behind each bridge and the name page script sees.
    webViewClass.addJavascriptInterface.implementation = function (object, name) {
        console.log('[i] Javascript interface detected:' + object.$className + ' instatiated as: ' + name);
        this.addJavascriptInterface(object, name);
    };

    // Reports the WebViewClient in use and the script handed to the WebView.
    webViewClass.evaluateJavascript.implementation = function (script, resultCallback) {
        console.log('WebView Client: ' + this.getWebViewClient());
        console.log('[i] evaluateJavascript called with the following script: ' + script);
        this.evaluateJavascript(script, resultCallback);
    };

    webViewClass.removeJavascriptInterface.implementation = function (name) {
        console.log('The ' + name + ' Javascript interface removed');
        this.removeJavascriptInterface(name);
    };
});
31 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/classloader__Hyupai.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:739303218 @Hyupai/classloader
/**
 * Reads three Android system properties and prints whether the device looks
 * like a set-top box or has a second display. Read-only: nothing is hooked
 * or modified.
 */
Java.perform(function () {
    var Build = Java.use("android.os.Build");
    const systemProps = Java.use("android.os.SystemProperties");

    // ro.preinstall.vendorid: used to identify the vendor
    const vendorId = systemProps.get("ro.preinstall.vendorid");
    console.log("Vendor ID: " + vendorId);
    const isStbVendor = vendorId && vendorId.includes("stb_vendor");
    if (isStbVendor) {
        console.log("Dispositivo é um Set-Top Box!");
    }

    // debug.second-display.pkg: any non-empty value is taken as the presence
    // of an external TV/monitor
    const secondDisplayPkg = systemProps.get("debug.second-display.pkg");
    console.log("Second Display Package: " + secondDisplayPkg);
    if (secondDisplayPkg) {
        console.log("Dispositivo tem suporte para TV ou segundo display!");
    }

    // ro.product.firmware: used to identify set-top-box firmware
    const firmware = systemProps.get("ro.product.firmware");
    console.log("Firmware: " + firmware);
    const isStbFirmware = firmware && firmware.includes("stb_firmware");
    if (isStbFirmware) {
        console.log("Dispositivo possui firmware para Set-Top Box!");
    }
});
35 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/ios-location-spoofer__karim-moftah.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:890855523 @karim-moftah/ios-location-spoofer
// Base coordinates (decimal degrees) the spoofed location starts from.
// right()/left()/up()/down() update these two globals in place.
var spoof_latitude = 46.211275;
var spoof_longitude = 2.368013;
7 |
/**
 * Attaches a listener to -[CLLocation coordinate] that replaces the returned
 * value with one built from the given latitude and longitude.
 *
 * Each call attaches a further listener; listeners from earlier calls are
 * not detached.
 *
 * @param {number} lat - latitude in decimal degrees
 * @param {number} lon - longitude in decimal degrees
 */
function spoof_location(lat, lon) {
    const coordinateMethod = ObjC.classes["CLLocation"]["- coordinate"];
    Interceptor.attach(coordinateMethod.implementation, {
        onLeave: function (ret) {
            const original = new ObjC.Object(ret);
            const spoofed = original.initWithLatitude_longitude_(lat, lon);
            ret.replace(spoofed);
        }
    });
}
17 |
/**
 * Approximate conversion from metres to degrees, using about 111.111 km per
 * degree of latitude.
 *
 * @param {number} m - distance in metres
 * @returns {number} the distance expressed in degrees
 */
function metersToDegrees(m) {
    const METERS_PER_DEGREE = 111111;
    return m / METERS_PER_DEGREE;
}
22 |
/**
 * Moves the spoofed position east by `m` metres (default 50) and re-applies it.
 * @param {number} [m=50] - distance in metres
 */
function right(m = 50) {
    const stepDegrees = metersToDegrees(m);
    spoof_longitude = spoof_longitude + stepDegrees;
    spoof_location(spoof_latitude, spoof_longitude);
}
27 |
/**
 * Moves the spoofed position west by `m` metres (default 50) and re-applies it.
 * @param {number} [m=50] - distance in metres
 */
function left(m = 50) {
    const stepDegrees = metersToDegrees(m);
    spoof_longitude = spoof_longitude - stepDegrees;
    spoof_location(spoof_latitude, spoof_longitude);
}
32 |
/**
 * Moves the spoofed position north by `m` metres (default 50) and re-applies it.
 * @param {number} [m=50] - distance in metres
 */
function up(m = 50) {
    const stepDegrees = metersToDegrees(m);
    spoof_latitude = spoof_latitude + stepDegrees;
    spoof_location(spoof_latitude, spoof_longitude);
}
37 |
/**
 * Moves the spoofed position south by `m` metres (default 50) and re-applies it.
 * @param {number} [m=50] - distance in metres
 */
function down(m = 50) {
    const stepDegrees = metersToDegrees(m);
    spoof_latitude = spoof_latitude - stepDegrees;
    spoof_location(spoof_latitude, spoof_longitude);
}
42 |
43 | // Initial spoof
44 | spoof_location(spoof_latitude, spoof_longitude);
47 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/nsurl--ios13__DuffyAPP-IT.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:1037111912 @DuffyAPP-IT/nsurl--ios13
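// Logs method, URL and body of every request handed to
// -[NSURLSession dataTaskWithRequest:completionHandler:].
// Request bodies can contain credentials and tokens; treat the console output
// as sensitive.
console.log('Listening For Requests...');

if (ObjC.available) {

    try {

        var className = "NSURLSession";
        var funcName = "- dataTaskWithRequest:completionHandler:";

        // Plain property lookup instead of eval(): same method object, no
        // code built from strings.
        var hook = ObjC.classes[className][funcName];

        Interceptor.attach(hook.implementation, {

            onEnter: function(args) {
                // args[0] is self, args[1] the selector, args[2] the NSURLRequest.
                var request = new ObjC.Object(args[2]);
                console.log('REQUEST TYPE ->' + request.HTTPMethod());
                console.log('URL -> ' + request.URL());

                var httpbody_nsdata = request.HTTPBody();
                var httpbody_nsstring = null;
                if (httpbody_nsdata !== null) {
                    // 4 is NSUTF8StringEncoding; the result is nil (null here)
                    // when the bytes are not valid UTF-8.
                    httpbody_nsstring = ObjC.classes.NSString.alloc().initWithData_encoding_(httpbody_nsdata, 4);
                }

                console.log('string is -> ' + httpbody_nsstring);
                // The original test used `+=`, which appended "null" to the
                // string and was always truthy, so the empty branch could
                // never run.
                if (httpbody_nsstring !== null) {
                    console.log("BODY -> " + httpbody_nsstring);
                } else {
                    console.log("BODY EMPTY");
                }
            },

        });

    } catch (error) {
        console.log("[!] Exception: " + error.message);
    }
} else {

    console.log("Objective-C Runtime is not available!");

}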
50 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/advance__AnonymousVip.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-1752233496 @AnonymousVip/advance
/**
 * Traces four obfuscated methods (bc.cuf.a, bc.cuk.a,
 * com.ushareit.core.utils.Utils.a, bc.cug.a): each hook calls the original,
 * prints the arguments and result, and returns the result unchanged.
 * What the methods compute is not visible from this script.
 */
Java.perform(function () {
    // bc.cuf.a(byte[], byte[]): log both inputs and the result.
    const cufClass = Java.use("bc.cuf");
    cufClass.a.overload('[B', '[B').implementation = function (bArr, bArr2) {
        const result = this.a(bArr, bArr2);
        console.log("-" + JSON.stringify(bArr));
        console.log("+" + JSON.stringify(bArr2));
        console.log("=" + JSON.stringify(result));
        return result;
    };

    // bc.cuk.a(byte[], String): log the inputs only.
    const cukClass = Java.use("bc.cuk");
    cukClass.a.overload('[B', 'java.lang.String').implementation = function (bArr, str) {
        const result = this.a(bArr, str);
        console.log("--" + JSON.stringify(bArr));
        console.log("-+" + str);
        return result;
    };

    // Utils.a(int): log the input and the result.
    const utilsClass = Java.use("com.ushareit.core.utils.Utils");
    utilsClass.a.overload('int').implementation = function (i) {
        const result = this.a(i);
        console.log("-+-" + i);
        console.log("-+-+" + JSON.stringify(result));
        return result;
    };

    // bc.cug.a(byte[]): log the input and the result.
    const cugClass = Java.use("bc.cug");
    cugClass.a.overload('[B').implementation = function (bArr) {
        const result = this.a(bArr);
        console.log("+!!" + JSON.stringify(bArr));
        console.log("=!!" + JSON.stringify(result));
        return result;
    };
});
38 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/okhttp-hostname-verifier-bypass__federicodotta.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-79556905 @federicodotta/okhttp-hostname-verifier-bypass
4 | /*
5 | * Description: OkHttp Hostname Verifier bypass
6 | * Authors: @apps3c
7 | */
8 |
/*
 * Registers a HostnameVerifier whose verify() always returns true and makes
 * OkHttpClient.hostnameVerifier() hand out a new instance of it.
 *
 * Hostname verification is the step that binds a valid certificate to the
 * server name being contacted. With it disabled, a certificate that is valid
 * for any host is accepted for every host.
 */
setTimeout(function () {

    Java.perform(function () {

        const verifierInterface = Java.use('javax.net.ssl.HostnameVerifier');

        // Runtime-generated class implementing javax.net.ssl.HostnameVerifier.
        const acceptAllVerifier = Java.registerClass({
            name: 'org.dummyPackage.MyHostnameVerifier',
            implements: [verifierInterface],
            methods: {
                verify: [{
                    returnType: 'boolean',
                    argumentTypes: ['java.lang.String', 'javax.net.ssl.SSLSession'],
                    implementation(hostname, session) {
                        console.log('[+] Hostname verification bypass');
                        return true;
                    }
                }],
            }
        });

        // Hook the zero-argument getter so callers receive the accept-all verifier.
        const verifierGetter = Java.use('okhttp3.OkHttpClient')['hostnameVerifier'].overload();
        verifierGetter.implementation = function () {
            return acceptAllVerifier.$new();
        };
        console.log("[+] Hostname verifier replaced");

    });

}, 0);
40 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/https-stalker__lolicon.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:1782110778 @lolicon/https-stalker
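/**
 * Logs the plaintext passing through Conscrypt's engine-socket streams:
 * bytes written by the app before encryption, and bytes delivered to the app
 * after decryption. Data is forwarded unchanged.
 *
 * The plaintext goes both to the Frida console and to logcat (Log.e, with an
 * Exception attached so the call stack is recorded). Logcat output is
 * readable through adb, so treat it as sensitive.
 */
Java.perform(() => {
    const Log = Java.use('android.util.Log')
    const Exception = Java.use('java.lang.Exception')
    // Named JString so the global JavaScript String is not shadowed.
    const JString = Java.use('java.lang.String')

    function trace(...args) {
        console.log(...args)
    }

    const SSLOutputStream = Java.use(
        'com.android.org.conscrypt.ConscryptEngineSocket$SSLOutputStream'
    )

    SSLOutputStream.write.overload('[B', 'int', 'int').implementation = function(
        ...args
    ) {
        // For a write the buffer already holds the data, so log before forwarding.
        const [bytes, offset, len] = args
        const plain = JString.$new(bytes, offset, len)
        Log.e('trace<---', plain, Exception.$new())
        trace('trace<---', plain)
        return this.write(...args)
    }

    const SSLInputStream = Java.use(
        'com.android.org.conscrypt.ConscryptEngineSocket$SSLInputStream'
    )
    SSLInputStream.read.overload('[B', 'int', 'int').implementation = function(
        ...args
    ) {
        const [bytes, offset] = args
        // Read first: the buffer only holds the received data after the call,
        // and only for the number of bytes it reports (which can be less than
        // the requested length, or -1 at end of stream).
        const count = this.read(...args)
        if (count > 0) {
            const plain = JString.$new(bytes, offset, count)
            Log.e('trace--->', plain, Exception.$new())
            trace('trace--->', plain)
        }
        return count
    }
})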
41 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/ios-proxy-detection-bypass__electrondefuser.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:1211731708 @electrondefuser/ios-proxy-detection-bypass
4 | /*
5 | Author: Vineet Nair (electrondefuser), Siddharth Saxena (s1dds)
6 | Organization: XYSec Labs (Appknox)
7 | */
8 |
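// Hooks CFNetworkCopySystemProxySettings and replaces its result with a
// dictionary built from getDefaultNetworkingConfig().
const CFNetwork = Module.getExportByName('CFNetwork', 'CFNetworkCopySystemProxySettings');
console.log("[+] Found CFNetwork as " + ptr(CFNetwork))

Interceptor.attach(CFNetwork, {
    onEnter(args) {
        console.log("[+] Detected Proxy Check");
    },

    onLeave(retval) {
        var NSDict = ObjC.classes.NSMutableDictionary.alloc().init();
        var data = getDefaultNetworkingConfig();
        var keys = Object.keys(data);

        // Copy every entry. The original loop indexed keys[0] on each pass,
        // so only the first entry was written, and it passed the key where
        // setObject:forKey: expects the value.
        for (var i = 0; i < keys.length; i++) {
            NSDict.setObject_forKey_(data[keys[i]], keys[i]);
        }

        console.log("[+] Bypassing with iOS default networking values")
        retval.replace(NSDict)
    }
});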
30 |
/**
 * Returns the key/value pairs used to populate the replacement proxy-settings
 * dictionary. All values are plain strings.
 *
 * @returns {{FTPPassive: string, ExceptionsList: string, __SCOPED__: string}}
 */
function getDefaultNetworkingConfig() {
    return {
        "FTPPassive": "1",
        "ExceptionsList": "(\"*.local\", \"169.254/16\")",
        "__SCOPED__": "{ en0 = {ExceptionsList = (\"*.local\", \"169.254/16\"); FTPPassive = 1; }; }"
    };
}
42 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/pollo__FusionzBruhh.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:21729068 @FusionzBruhh/pollo
4 | // Hook BoringSSL native cert verification
// Each call that registers a custom verify callback is rewritten on entry: the mode argument
// becomes 0 and the callback argument becomes a null pointer.
// Certificate checks that live only in these in-process calls do not survive instrumentation
// of the process, so they cannot be the only control protecting the channel.
// NOTE(review): findExportByName(null, ...) yields null when no loaded module exports the
// symbol, and the result is passed to attach() unchecked in all three hooks.
Interceptor.attach(Module.findExportByName(null, "SSL_CTX_set_custom_verify"), {
  onEnter(args) {
    console.log("[*] Bypassing SSL_CTX_set_custom_verify");
    // args[1] = mode, args[2] = callback
    args[1] = 0; // SSL_VERIFY_NONE
    args[2] = ptr(0); // null callback
  },
});

// Optional: force SSL_get_verify_result to report success to its caller.
Interceptor.attach(Module.findExportByName(null, "SSL_get_verify_result"), {
  onLeave(retval) {
    console.log("[*] Patching SSL_get_verify_result return value");
    retval.replace(0x0); // X509_V_OK
  },
});

// Optional: hex-dump whatever SSL_read returned (debug only). The dump is the decrypted
// payload, so the console output has to be handled like the traffic itself.
Interceptor.attach(Module.findExportByName(null, "SSL_read"), {
  onEnter(args) {
    // Keep the connection handle and the destination buffer for onLeave.
    this.ssl = args[0];
    this.buf = args[1];
  },
  onLeave(retval) {
    const byteCount = retval.toInt32();
    if (byteCount <= 0) {
      // Nothing was read (error or EOF), so there is nothing to dump.
      return;
    }
    const plaintext = Memory.readByteArray(this.buf, byteCount);
    console.log("[*] SSL_read data:\n" + hexdump(plaintext, { offset: 0, length: byteCount, header: true, ansi: true }));
  },
});
35 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
36 | //hash:21729068 @FusionzBruhh/pollo
37 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/firebase-for-android-react-native-dumper__0x25CBFC4F.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-169133718 @0x25CBFC4F/firebase-for-android-react-native-dumper
4 | /*
5 | Obviously only works on application start.
6 | Start your app via frida -U -f --codeshare 0x25CBFC4F/firebase-for-react-native-dumper
7 | And wait a bit.
8 | */
9 |
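// Instance of ReactNativeFirebaseAppModule captured by the constructor hook below.
// Stays null until the app constructs the module.
let AppModuleInstance = null;

Java.perform(() => {
  const className = "io.invertase.firebase.app.ReactNativeFirebaseAppModule";
  const ReactNativeFirebaseAppModule = Java.use(className);

  // Wrap the constructor: remember the instance, then run the original constructor unchanged.
  ReactNativeFirebaseAppModule["$init"].implementation = function (bridgeAppContext) {
    console.log("\nCaught instance ReactNativeFirebaseAppModule: " + this);
    // Java.retain keeps the wrapper usable after this replacement method returns.
    AppModuleInstance = Java.retain(this);
    return this["$init"](bridgeAppContext);
  };
});

// One second after load, print every key/value pair returned by getConstants().
setTimeout(function () {
  Java.perform(() => {
    // The constructor hook only fires if the module is created after this script was loaded;
    // without this guard a late attach ends in a TypeError on null.
    if (AppModuleInstance === null) {
      console.log("No ReactNativeFirebaseAppModule instance was captured; nothing to dump.");
      return;
    }

    console.log("Got appmodule: " + AppModuleInstance);
    console.log("getConstants() -> ");
    const constants = AppModuleInstance.getConstants();

    // The result is walked as a Java map: keySet() -> iterator() -> get(key).
    const iterator = constants.keySet().iterator();
    while (iterator.hasNext()) {
      const key = iterator.next();
      console.log(key + " : " + constants.get(key));
    }
  });
}, 1000);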
36 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
37 | //hash:-169133718 @0x25CBFC4F/firebase-for-android-react-native-dumper
38 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/geopos-and-sensor-forgery-for-pacer__FixedOctocat.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:1904477196 @FixedOctocat/geopos-and-sensor-forgery-for-pacer
4 | //https://www.gpsvisualizer.com/draw/
5 | //https://www.maps.ie/map-my-route/
6 |
Java.perform(function () {
  const Location = Java.use("android.location.Location");

  // Coordinate tables. Both are empty in this listing, so the two Location hooks below
  // return undefined as written.
  const lat = [];
  const lng = [];

  // One cursor per axis: `calls` counts invocations, `index` selects the table entry.
  const latCursor = { calls: 0, index: 0 };
  const lngCursor = { calls: 0, index: 0 };

  // Uniform random number in [min, max).
  function getRandomArbitrary(min, max) {
    return min + Math.random() * (max - min);
  }

  // Count one call; when the counter reaches 40 it restarts at 1 and the index moves on,
  // wrapping at the fixed table length of 32.
  function advance(cursor) {
    cursor.calls += 1;
    if (cursor.calls == 40) {
      cursor.calls = 1;
      cursor.index = (cursor.index + 1) % 32;
    }
    return cursor.index;
  }

  // Picked once per script load and written on every call of the hooked method
  // (presumably a step count, going by the name).
  const r_steps = getRandomArbitrary(3987, 5782);

  // NOTE(review): `d` is not declared anywhere in this listing, so this assignment raises a
  // ReferenceError and the Location hooks after it are never installed.
  d["e"].implementation = function () {
    const result = this["e"]();
    this.w.value = r_steps;
    return result;
  };

  Location.getLatitude.implementation = function () {
    return lat[advance(latCursor)];
  };

  Location.getLongitude.implementation = function () {
    return lng[advance(lngCursor)];
  };
});
50 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
51 | //hash:1904477196 @FixedOctocat/geopos-and-sensor-forgery-for-pacer
52 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/dump-ios-text-views__dki.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-1849606965 @dki/dump-ios-text-views
4 | 'use strict';
5 |
6 | /* small script to dump UITextField and UITextView attributes for a view
7 | * (keyWindow by default if invoked with no arg)
8 | *
9 | * primarily to see the autocorrectionType setting without dumping the whole UI
10 | */
11 |
// Display names for the numeric autocorrectionType value a text view reports (index = value).
var UITextAutocorrectionType = [
  "default",
  "no",
  "yes",
];
13 |
/**
 * Walk a view hierarchy depth-first and log every UITextField / UITextView it contains:
 * class name and handle, the autocorrectionType setting, and the current text when it is
 * not empty. UITextFieldLabel subviews are logged as labels.
 *
 * Useful when reviewing input fields: a field that holds sensitive input is normally
 * expected to report "no" here.
 *
 * @param {object} [view] root view to inspect; the key window is used when omitted or falsy
 */
function dumpUIText(view) {
  const root = view || ObjC.classes.UIWindow.keyWindow();
  const children = root.subviews();
  const total = children.count();

  for (let idx = 0; idx < total; idx += 1) {
    const child = children.objectAtIndex_(idx);
    const isTextInput =
      child.isKindOfClass_(ObjC.classes.UITextField) ||
      child.isKindOfClass_(ObjC.classes.UITextView);

    if (isTextInput) {
      console.log("<" + child.$className + ": " + child.handle + ">");
      console.log(" autocorrectionType: " + UITextAutocorrectionType[child.autocorrectionType()]);
      if (child.text() != "") {
        console.log(" content: " + child.text());
      }
    } else if (child.isKindOfClass_(ObjC.classes.UITextFieldLabel)) {
      // this may not always work, i'm making some assumptions about subviews
      console.log(" Label: " + child.text());
    }

    // Descend regardless of the child's type; text inputs can contain labels.
    dumpUIText(child);
  }
}
36 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
37 | //hash:-1849606965 @dki/dump-ios-text-views
38 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/advance2__AnonymousVip.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:2107167860 @AnonymousVip/advance2
// Logging wrappers around four methods. Each wrapper calls the original, prints the
// arguments and the result with a distinct prefix, and returns the result untouched.
// The class and method names are obfuscated; what the methods compute is not visible here.
Java.perform(function () {
  // Print `prefix` followed by the JSON form of `value`.
  const logJson = function (prefix, value) {
    console.log(prefix + JSON.stringify(value));
  };

  const cuf = Java.use("bc.cuf");
  cuf.a.overload('[B', '[B').implementation = function (bArr, bArr2) {
    const result = this.a(bArr, bArr2);
    logJson("-", bArr);
    logJson("+", bArr2);
    logJson("=", result);
    return result;
  };

  const cuk = Java.use("bc.cuk");
  cuk.a.overload('[B', 'java.lang.String').implementation = function (bArr, str) {
    const result = this.a(bArr, str);
    logJson("--", bArr);
    console.log("-+" + str);
    logJson("-->", result);
    return result;
  };

  const Utils = Java.use("com.ushareit.core.utils.Utils");
  Utils.a.overload('int').implementation = function (i) {
    const result = this.a(i);
    console.log("-+-" + i);
    logJson("-+-+", result);
    return result;
  };

  const cug = Java.use("bc.cug");
  cug.a.overload('[B').implementation = function (bArr) {
    const result = this.a(bArr);
    logJson("+!!", bArr);
    logJson("=!!", result);
    return result;
  };
});
37 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
38 | //hash:2107167860 @AnonymousVip/advance2
39 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/ios-custom-keyboard-support__ay-kay.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:1024221781 @ay-kay/ios-custom-keyboard-support
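/**
 * Log whether the app allows third-party (custom) keyboard extensions.
 *
 * The app delegate is asked through application:shouldAllowExtensionPointIdentifier: with the
 * identifier "com.apple.keyboard-service". When the delegate does not implement the method
 * (the call fails with a TypeError) the default verdict "allowed" is reported.
 *
 * Any other failure means the query itself did not complete. In that case the error is
 * logged and no verdict is printed, so a failed query is never reported as "allowed".
 *
 * The result is written to the console only; nothing is returned.
 */
function areThirdPartyKeyboardsAllowed() {
  const app = ObjC.classes.UIApplication.sharedApplication();
  let shouldAllowKeyboardExtension = true;
  let isDelegateImplemented = false;

  try {
    shouldAllowKeyboardExtension = app.delegate().application_shouldAllowExtensionPointIdentifier_(app, "com.apple.keyboard-service");
    isDelegateImplemented = true;
    console.log("App delegate implements application:shouldAllowExtensionPointIdentifier:");
  } catch (e) {
    if (!(e instanceof TypeError)) {
      // Not a "method missing" situation: report the failure instead of the default verdict.
      console.log("Could not query application:shouldAllowExtensionPointIdentifier: " + e);
      return;
    }
    console.log("App delegate has no application:shouldAllowExtensionPointIdentifier:, default behaviour applies:");
  }

  if (shouldAllowKeyboardExtension) {
    console.log("-> Third-party keyboards are allowed.");
  } else {
    console.log("-> Third-party keyboards are NOT allowed.");
  }

  // An implemented delegate that still says "yes" may be switching on some condition.
  if (shouldAllowKeyboardExtension && isDelegateImplemented) {
    console.log("\nNote: App delegate is implemented but is configured to allow third-party keyboards.");
    console.log(" Review the implementation to check if third-party keyboard support is configurable.");
  }
}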
29 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
30 | //hash:1024221781 @ay-kay/ios-custom-keyboard-support
31 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/ios-jailmonkey-jailbreak-detection-bypass__darklotuskdb.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-221880480 @darklotuskdb/ios-jailmonkey-jailbreak-detection-bypass
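console.warn(`[+] JailMonkey JailBreak Detection Bypass`);
/**
 * [*] Twitter: @DarkLotusKDB (Kamaldeep Bhati)
 * [*] DM for credit, then i will update.
 */
console.warn(`################################################`);

// Overwrite the return value of -[JailMonkey isJailBroken] with 0 on every call.
// The verdict is produced and consumed inside the instrumented process, so an app that relies
// on this method alone has no independent signal once the process is under instrumentation.
if (ObjC.available) {
  try {
    var className = "JailMonkey";
    var funcName = "- isJailBroken";
    // Plain property lookup; assembling the same expression as a string for eval() is not
    // needed. A missing class still ends in the catch block below (TypeError on undefined).
    var hook = ObjC.classes[className][funcName];

    Interceptor.attach(hook.implementation, {
      onLeave: function (retval) {
        console.log("[*] Class Name: " + className);
        console.log("[*] Method Name: " + funcName);
        console.log("\t[-] Type of return value: " + typeof retval);
        console.log("\t[-] Original Return Value: " + retval);
        var newretval = ptr("0x0");
        retval.replace(newretval);
        console.log("\t[-] New Return Value: " + newretval);
      }
    });
  } catch (err) {
    // Reached when the class or method does not exist in this process.
    console.log("[!] Exception2: " + err.message);
  }
} else {
  console.log("Objective-C Runtime is not available!");
}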
33 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
34 | //hash:-221880480 @darklotuskdb/ios-jailmonkey-jailbreak-detection-bypass
35 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/bcryptdll-bcryptdecrypt__fhaag95.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-107710863 @fhaag95/bcryptdll-bcryptdecrypt
4 | //Details on the function available here: https://learn.microsoft.com/en-us/windows/win32/api/bcrypt/nf-bcrypt-bcryptdecrypt
// Log the output buffer of every BCryptDecrypt call in the process. Whatever is printed is
// decrypted data, so the console output needs the same handling as the data itself.
var bcryptdecrypt = Module.getExportByName("bcrypt.dll", "BCryptDecrypt");

Interceptor.attach(bcryptdecrypt, {
  onEnter(args) {
    this.plaintextPointer = args[6];
    this.plaintextSizeVal = args[7];

    // A null output pointer means there is no buffer to read after the call.
    if (this.plaintextPointer.isNull()) {
      this.abort = true;
      return;
    }

    // NOTE(review): in the documented signature (see the link above the hook) index 7 is
    // cbOutput, a ULONG passed by value, and the ULONG* pcbResult follows at index 8.
    // Dereferencing args[7] as a pointer looks unintended; when the read faults the error is
    // swallowed below and plaintextSize stays unset - confirm.
    try {
      this.plaintextSize = this.plaintextSizeVal.readU64();
    } catch (err) {
      //Enable for Debugging purposes
      //console.log('Error in onEnter: ' + err);
    }
  },

  onLeave(retval) {
    const nothingToRead = this.abort || this.plaintextSize == 0;
    if (nothingToRead) {
      return;
    }

    try {
      // The buffer is interpreted as a C string of at most plaintextSize bytes.
      const cleartext = this.plaintextPointer.readCString(this.plaintextSize);
      if (cleartext != null) {
        console.log('Obtained cleartext is: ' + cleartext);
      }
    } catch (err) {
      //Enable for Debugging purposes
      //console.log('Error in onLeave: ' + err);
    }
  },
});
38 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
39 | //hash:-107710863 @fhaag95/bcryptdll-bcryptdecrypt
40 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/bypass-wi-fi-check-on-flutter-based-ios__zionspike.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-407941760 @zionspike/bypass-wi-fi-check-on-flutter-based-ios
4 | // e.g. bypass_connectivity_plus_byHookSearch("exports:connectivity_plus!*current*Type*");
/**
 * Resolve `searchstring` with a "module" ApiResolver and attach a hook to the first match.
 * The hook logs each call and its return value.
 *
 * @param {string} searchstring ApiResolver query, e.g. "exports:connectivity_plus!*current*Type*"
 */
function bypass_connectivity_plus_byHookSearch(searchstring) {
  const resolver = new ApiResolver("module");
  const found = resolver.enumerateMatchesSync(searchstring);
  // NOTE(review): uniqBy is not defined in this listing; it has to come from elsewhere.
  const candidates = uniqBy(found, JSON.stringify);

  // Only the first match is hooked. NOTE(review): there is no check for an empty result.
  const target = candidates[0];
  console.log("[!] Found at address: " + target.address + ", name: " + target.name);

  Interceptor.attach(target.address, {
    onEnter(args) {
      console.log("[!] Hook: " + target.address + ", name: " + target.name);
    },
    onLeave(retval) {
      console.log("\t[!] retval: " + retval);
      // As written, the branch fires on 0x3 and writes 0x3 back, so the value is unchanged.
      if (retval == 0x3) {
        retval.replace(0x3); // 0x0 = none, 0x1 = ethernet, 0x2 = wifi, 0x3 = mobile
        console.log("\t\t[+] Wi-Fi check bypassed");
      }
    },
  });
}
26 |
27 | // usage examples
// Install the hook only when the Objective-C runtime is present; otherwise report the
// problem to the host through send().
if (!ObjC.available) {
  send("error: Objective-C Runtime is not available!");
} else {
  bypass_connectivity_plus_byHookSearch("exports:connectivity_plus!*current*Type*");
}
33 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
34 | //hash:-407941760 @zionspike/bypass-wi-fi-check-on-flutter-based-ios
35 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/ios-wrapper-jailbreak-detection-bypass__darklotuskdb.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:651667721 @darklotuskdb/ios-wrapper-jailbreak-detection-bypass
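console.warn(`[+] JailBreak Bypass Via WrapperUtil Class`);
console.warn(`[*] Twitter: @DarkLotusKDB (Kamaldeep Bhati)`);
/**
 * SIG <3
 */
console.warn(`################################################`);

// Overwrite the return value of +[WrapperUtil isJailbroken] with 0 on every call.
// The verdict is produced and consumed inside the instrumented process, so an app that relies
// on this method alone has no independent signal once the process is under instrumentation.
if (ObjC.available) {
  try {
    var className = "WrapperUtil";
    var funcName = "+ isJailbroken";
    // Plain property lookup; assembling the same expression as a string for eval() is not
    // needed. A missing class still ends in the catch block below (TypeError on undefined).
    var hook = ObjC.classes[className][funcName];

    Interceptor.attach(hook.implementation, {
      onLeave: function (retval) {
        console.log("[*] Class Name: " + className);
        console.log("[*] Method Name: " + funcName);
        console.log("\t[-] Type of return value: " + typeof retval);
        console.log("\t[-] Original Return Value: " + retval);

        var newretval = ptr("0x0");
        retval.replace(newretval);

        console.log("\t[-] New Return Value: " + newretval);
      }
    });
  } catch (err) {
    // Reached when the class or method does not exist in this process.
    console.log("[!] Exception2: " + err.message);
  }
} else {
  console.log("Objective-C Runtime is not available!");
}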
38 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
39 | //hash:651667721 @darklotuskdb/ios-wrapper-jailbreak-detection-bypass
40 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/hook-createvirtualdisplay__komen205.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-1635769986 @komen205/hook-createvirtualdisplay
// Trace every DisplayManager.createVirtualDisplay overload: log that it was called, the
// JavaScript type of each argument and each argument value, then forward to the original.
// Handy for spotting when code in the process sets up a virtual display.
Java.perform(function () {
  const DisplayManager = Java.use('android.hardware.display.DisplayManager');
  const methodName = 'createVirtualDisplay';

  // The same wrapper is installed on each overload.
  DisplayManager.createVirtualDisplay.overloads.forEach(function (overload) {
    overload.implementation = function (...args) {
      // "Signature" here is the list of JS typeof results, not the Java parameter types.
      const signature = '(' + args.map((value) => typeof value).join(', ') + ')';
      console.log(methodName + signature + ' called');

      // Log or manipulate parameters here
      args.forEach(function (value, position) {
        console.log('Argument ' + position + ': ' + value);
      });

      // Call the original method
      return this.createVirtualDisplay.apply(this, args);
    };
  });
});
35 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
36 | //hash:-1635769986 @komen205/hook-createvirtualdisplay
37 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/libcurl-proxy-enabler__TwizzyIndy.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:273757828 @TwizzyIndy/libcurl-proxy-enabler
4 | /*
5 | libcurl proxy enabler v0.1
6 | Github: https://github.com/TwizzyIndy/libcurl-proxy-enabler
7 |
8 | frida -n SomeApp.exe -l index.js
9 | */
10 |
// Resolve the two libcurl exports used below and print their addresses.
var curl_easy_setopt = Module.findExportByName("libcurl.dll", "curl_easy_setopt");
console.log(curl_easy_setopt);

var curl_easy_perform = Module.findExportByName("libcurl.dll", "curl_easy_perform");
console.log(curl_easy_perform);

// in my case, it was Fiddler
const PROXY_ADDRESS = 'https://127.0.0.1:8888';
// Numeric option id passed to curl_easy_setopt for the proxy setting.
const CURLOPT_PROXY = 10004;

// Before each transfer starts, set the proxy option on the easy handle being performed.
Interceptor.attach(curl_easy_perform, {
  onEnter(args) {
    const easyHandle = args[0];
    console.log('curl_easy_perform: ');
    console.log('arg0: ' + easyHandle.toString());

    // A new wrapper and a new string are created on every call.
    const setProxyOption = new NativeFunction(
      curl_easy_setopt, 'int', ['pointer', 'uint32', 'uint32']
    );
    const proxyAddr = Memory.allocAnsiString(PROXY_ADDRESS);

    // NOTE(review): the string pointer is passed through toInt32() into a 'uint32' parameter;
    // in a 64-bit process that would drop the upper half of the address - confirm the target
    // is 32-bit.
    // 43 = CURLE_BAD_FUNCTION_ARGUMENT
    // 0 = CURLE_OK
    const result = setProxyOption(easyHandle, CURLOPT_PROXY, proxyAddr.toInt32());

    console.log('result : ' + result.toString());
    console.log('');
  },
});
42 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
43 | //hash:273757828 @TwizzyIndy/libcurl-proxy-enabler
44 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/python-cli-tool-boilerplate__oleavr.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-95780373 @oleavr/python-cli-tool-boilerplate
4 | import codecs
5 | from frida.application import ConsoleApplication
6 |
class MyApp(ConsoleApplication):
    """Skeleton command-line tool: loads agent.js into the session and prints its messages.

    The underscore-prefixed methods are presumably the hooks ConsoleApplication calls
    (verify against frida.application); only what each one does here is documented.
    """

    def __init__(self):
        ConsoleApplication.__init__(self)

    def _usage(self):
        """Return the usage line shown to the user."""
        return "usage: %prog [options] target"

    def _initialize(self, parser, options, args):
        """Accept the parsed command line; this skeleton adds no options of its own."""
        pass

    def _needs_target(self):
        """Tell the base class that a target must be given."""
        return True

    def _start(self):
        """Read agent.js, create a script from it, subscribe to its messages and load it."""
        # If you want to use V8 instead of Duktape
        #self._session.enable_jit()
        with codecs.open('agent.js', 'r', 'utf-8') as agent_file:
            agent_source = agent_file.read()
        script = self._session.create_script(agent_source)
        self._script = script
        script.on('message', self._on_message)
        script.load()
        # If you want to call a method you exported through https://www.frida.re/docs/javascript-api/#rpc
        #self._update_status("Initializing...")
        #self._script.exports.init()
        self._update_status("Ready")

    def _on_message(self, message, data):
        """Print the payload of 'send' messages; print any other message in full."""
        if message['type'] != 'send':
            print('on_message:', message)
            return
        print(message['payload'])
38 |
39 |
# Script entry point: build the application and hand control to its run() method.
if '__main__' == __name__:
    app = MyApp()
    app.run()
43 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
44 | //hash:-95780373 @oleavr/python-cli-tool-boilerplate
45 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/android-ios-freerasp-bypass__DevTraleski.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:985738484 @DevTraleski/android-ios-freerasp-bypass
4 | /*
5 | Android/iOS freeRASP Bypass by DevTraleski (Based on rodolfomarianocy/ios-freerasp-react-native-bypass )
6 | frida -U -f --codeshare DevTraleski/android-ios-freerasp-bypass
7 | https://github.com/rodolfomarianocy/iOS-freeRASP-React-Native-Bypass
8 | https://github.com/rodolfomarianocy/Tricks-Pentest-Android-and-iOS-Applications
9 | */
10 | //In case of class not found, use JADX to find the path
console.warn("[+] Android/iOS freeRASP React Native Bypass...");

// Replace the function found by `resolveTarget` with an empty callback, so the start routine
// of the RASP module never runs. Lookup and replacement errors are logged, not rethrown.
// Because start-up is a single in-process call, signals produced by the SDK are only
// meaningful when they are also checked somewhere outside the instrumented process.
function replaceWithNoOp(resolveTarget) {
  try {
    Interceptor.replace(
      resolveTarget(),
      new NativeCallback(function () {}, 'void', [])
    );
  } catch (error) {
    console.log(error.message);
  }
}

if (ObjC.available) {
  replaceWithNoOp(function () {
    return ObjC.classes.FreeraspReactNative['- talsecStart:withResolver:withRejecter:'].implementation;
  });
} else if (Java.available) {
  Java.perform(function () {
    // NOTE(review): whether `.implementation` of a Java method wrapper is a value that
    // Interceptor.replace accepts is not shown in this listing - confirm.
    replaceWithNoOp(function () {
      return Java.use("com.freerasp.FreeraspNativeModule").talsecStart.implementation;
    });
  });
} else {
  console.log("[-] ObjC/Java Runtime unavailable");
}
35 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
36 | //hash:985738484 @DevTraleski/android-ios-freerasp-bypass
37 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/sad__komoosdosk.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:2076612082 @komoosdosk/sad
4 | // Hide DYLD_INSERT_LIBRARIES
// getenv: when the requested variable is DYLD_INSERT_LIBRARIES, the lookup is redirected to
// "FAKE_ENV" and the return value is forced to 0 (null). Other lookups pass through.
Interceptor.attach(Module.findExportByName(null, "getenv"), {
  onEnter(args) {
    const requested = Memory.readUtf8String(args[0]);
    if (requested !== "DYLD_INSERT_LIBRARIES") {
      return;
    }
    console.log("[🔥] getenv() called for DYLD_INSERT_LIBRARIES — Hiding it!");
    this.replace = true;
    args[0] = Memory.allocUtf8String("FAKE_ENV");
  },
  onLeave(retval) {
    if (this.replace) {
      retval.replace(0);
    }
  },
});

// Block task_for_pid (used for anti-debugging)
// Every call has its second argument nulled and its return value set to 1.
Interceptor.attach(Module.findExportByName("libSystem.B.dylib", "task_for_pid"), {
  onEnter(args) {
    console.log("[🔥] task_for_pid() detected — Blocking it!");
    args[1] = ptr(0);
  },
  onLeave(retval) {
    retval.replace(1);
  },
});

// Block sysctl (another method Tinder uses to check for debugger/frida)
// The flag is set unconditionally, so every sysctl call in the process returns 0 - not only
// debugger-related queries. The call itself still executes before the value is replaced.
Interceptor.attach(Module.findExportByName("libSystem.B.dylib", "sysctl"), {
  onEnter(args) {
    console.log("[🔥] sysctl() called — Faking response.");
    this.replace = true;
  },
  onLeave(retval) {
    if (this.replace) {
      retval.replace(0);
    }
  },
});
44 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
45 | //hash:2076612082 @komoosdosk/sad
46 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/force-enable-strictmode__dvdface.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:254969739 @dvdface/force-enable-strictmode
// Turn on StrictMode for the app under test by posting a Runnable to the main looper.
Java.perform(function () {
  // Looper, Handler, Runnable: needed to run code on the main thread
  const Looper = Java.use('android.os.Looper');
  const Handler = Java.use('android.os.Handler');
  const Runnable = Java.use('java.lang.Runnable');

  // StrictMode and its two policy builders
  const StrictMode = Java.use('android.os.StrictMode');
  const ThreadPolicyBuilder = Java.use('android.os.StrictMode$ThreadPolicy$Builder');
  const VmPolicyBuilder = Java.use('android.os.StrictMode$VmPolicy$Builder');

  const mainHandler = Handler.$new(Looper.getMainLooper());

  // register new Runnable class to enable StrictMode
  // if "Error: java.io.IOException: Permission denied" happens, adb shell setenforce 0 to turn off selinux
  const EnforceStrictModeRunnable = Java.registerClass({
    name: 'EnforceStrictModeRunnable',
    implements: [Runnable],
    methods: {
      run: function () {
        // Thread policy: detect everything, log it, and flash the screen on a violation.
        const threadPolicy = ThreadPolicyBuilder.$new().detectAll().penaltyLog().penaltyFlashScreen().build();
        // VM policy: detect everything and log it.
        const vmPolicy = VmPolicyBuilder.$new().detectAll().penaltyLog().build();
        StrictMode.setThreadPolicy(threadPolicy);
        StrictMode.setVmPolicy(vmPolicy);
      }
    }
  });

  // Queue one instance on the main looper so the policies are set from that thread.
  mainHandler.post(EnforceStrictModeRunnable.$new());
});
38 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
39 | //hash:254969739 @dvdface/force-enable-strictmode
40 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/onpixtv__Hyupai.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:1897925710 @Hyupai/onpixtv
// Watch TextView.setText(CharSequence) and log the text written to the view whose resource
// entry name is 'tv_trial_days'. The text itself is passed on unchanged.
Java.perform(function () {
  console.log("[*] Hooking TextView.setText()...");

  // Get the TextView class
  const TextView = Java.use("android.widget.TextView");

  // Log the date part when `view` is the 'tv_trial_days' view; do nothing for other views.
  function logTrialDate(view, text) {
    // Resolve the view's resource entry name from its id
    const viewId = view.getId();
    const entryName = view.getResources().getResourceEntryName(viewId);
    if (entryName !== "tv_trial_days") {
      return;
    }

    console.log("[*] setText chamado para TextView com nome 'tv_trial_days'");

    // Strip the leading label so only the date remains
    const processedText = text.toString().replace(/Data de expiração:\n/, '').trim();

    // Show the extracted date
    console.log(" Data extraída: " + processedText);
  }

  // Intercept the setText(CharSequence) overload
  TextView.setText.overload('java.lang.CharSequence').implementation = function (text) {
    try {
      logTrialDate(this, text);
    } catch (err) {
      // Name lookup can fail (for instance for views without a resource id); keep going.
      console.error("[!] Erro ao verificar ID: " + err);
    }

    // Always call the original method so the text is still updated
    return this.setText(text);
  };

  console.log("[*] Hook de TextView.setText() completo.");
});
37 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
38 | //hash:1897925710 @Hyupai/onpixtv
39 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/macbook-charging-controls__oleavr.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:1562211095 @oleavr/macbook-charging-controls
4 | /*
5 | * Inject into PowerUIAgent (SIP must be disabled)
6 | */
7 |
// Objective-C classes used by the functions below, looked up once at load time.
const NSAutoreleasePool = ObjC.classes.NSAutoreleasePool;
const PowerUISmartChargeManager = ObjC.classes.PowerUISmartChargeManager;

// Completion block passed to the desktop-mode calls. It is declared here and assigned
// later in the file, after the functions that reference it.
let onComplete;
14 |
/**
 * Ask the smart-charge manager to switch to 'DesktopMode'. Completion is reported through
 * the shared onComplete block; the log line is printed right after the request is made.
 */
function forceDesktopMode() {
  withManager(function (mgr) {
    mgr.setDesktopMode_withHandler_('DesktopMode', onComplete);
    console.log('Forced desktop mode');
  });
}
21 |
/**
 * Ask the smart-charge manager to reset its desktop mode. Completion is reported through
 * the shared onComplete block; the log line is printed right after the request is made.
 */
function resetDesktopMode() {
  withManager(function (mgr) {
    mgr.resetDesktopModeWithHandler_(onComplete);
    console.log('Reset desktop mode');
  });
}
28 |
// Completion handler shared by the desktop-mode calls: a void block taking one int64,
// which it prints.
onComplete = new ObjC.Block({
  retType: 'void',
  argTypes: ['int64'],
  implementation: (result) => {
    console.log(`onComplete() result=${result}`);
  },
});
36 |
/** Call enableCharging() on the smart-charge manager, on the manager's own queue. */
function enableCharging() {
  withManager(function (mgr) {
    mgr.enableCharging();
    console.log('Enabled charging');
  });
}
43 |
/** Call disableCharging() on the smart-charge manager, on the manager's own queue. */
function disableCharging() {
  withManager(function (mgr) {
    mgr.disableCharging();
    console.log('Disabled charging');
  });
}
50 |
/**
 * Run `work(manager)` on the queue of the PowerUISmartChargeManager singleton.
 *
 * An autorelease pool is created before the manager is fetched and released as soon as the
 * work has been handed to ObjC.schedule, also when fetching or scheduling throws.
 *
 * @param {function(object): void} work callback that receives the manager
 */
function withManager(work) {
  const autoreleasePool = NSAutoreleasePool.alloc().init();
  try {
    const chargeManager = PowerUISmartChargeManager.manager();
    ObjC.schedule(chargeManager.queue(), function () {
      work(chargeManager);
    });
  } finally {
    autoreleasePool.release();
  }
}
62 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
63 | //hash:1562211095 @oleavr/macbook-charging-controls
64 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/cplusplus-hookcustomfunction__X-Vector.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-1528208859 @X-Vector/cplusplus-hookcustomfunction
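var moduleName = "Project1.exe"; // Replace this with your actual Module/EXE File
var functionName = "add"; // Replace this with your actual mangled function name

// One second after load: find `functionName` in `moduleName`, log each call with its first
// two arguments as 32-bit integers, and overwrite the return value with 1.
setTimeout(function () {
  var funcAddr = Module.findExportByName(moduleName, functionName);

  if (!funcAddr) {
    // Not an export: fall back to the first symbol whose name contains the configured name.
    // The search uses functionName (not a fixed "add"), so changing the setting above also
    // changes what the fallback looks for.
    console.log("[-] Function not found. Trying all symbols...");
    var match = Module.enumerateSymbols(moduleName).find(function (symbol) {
      return symbol.name.includes(functionName);
    });
    if (match) {
      funcAddr = match.address;
      console.log("[+] Found possible match: " + match.name + " at " + funcAddr);
    }
  }

  if (!funcAddr) {
    console.log("[-] Could not find " + functionName + "() function!");
    return;
  }

  console.log("[*] Hooking " + functionName + "() at: " + funcAddr);
  Interceptor.attach(funcAddr, {
    onEnter: function (args) {
      // The argument labels assume a two-integer signature such as add(a, b).
      console.log("[+] " + functionName + "() called with a = " + args[0].toInt32() + ", b = " + args[1].toInt32());
    },
    onLeave: function (retval) {
      console.log("[+] " + functionName + "() returned: " + retval.toInt32());
      retval.replace(1); // update the return value
    }
  });
}, 1000);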
38 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
39 | //hash:-1528208859 @X-Vector/cplusplus-hookcustomfunction
40 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/android-codeshare-loader__sdcampbell.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:1360068977 @sdcampbell/android-codeshare-loader
4 | // android-codeshare-loader.js
/**
 * Load one CodeShare script by name from inside Java.perform().
 *
 * NOTE(review): the 'frida-codeshare' module is resolved with require() at call time;
 * whether it is available in the agent is not shown in this listing - confirm.
 *
 * @param {string} scriptName script identifier, e.g. 'user/script'
 * @returns {Promise<void>} resolves after the script was loaded; rejects with the load
 *   error, or with whatever Java.perform() throws synchronously
 */
function loadCodeshareScript(scriptName) {
  return new Promise((resolve, reject) => {
    const onLoaded = () => {
      console.log(`[+] Loaded codeshare script: ${scriptName}`);
      resolve();
    };
    const onFailed = (error) => {
      console.log(`[!] Error loading ${scriptName}: ${error.message}`);
      reject(error);
    };

    try {
      // For Android
      Java.perform(() => {
        const codeshare = require('frida-codeshare');
        codeshare.load(scriptName).then(onLoaded).catch(onFailed);
      });
    } catch (error) {
      reject(error);
    }
  });
}
25 |
// List your codeshare scripts here.
// Each entry is an "author/name" slug that loadAllScripts() hands to
// loadCodeshareScript(); the three entries below look like placeholders.
// Every listed script executes inside the target process, so keep the list to
// scripts whose source has been reviewed.
const codeshareScripts = [
    'sdcampbell/script1',
    'sdcampbell/script2',
    'sdcampbell/script3'
];
32 |
/**
 * Load every slug in codeshareScripts, one after another.
 * A script that fails to load is reported and skipped; the remaining ones are
 * still attempted, so the returned promise does not reject on a load failure.
 */
async function loadAllScripts() {
    for (let position = 0; position < codeshareScripts.length; position++) {
        const script = codeshareScripts[position];
        try {
            await loadCodeshareScript(script);
        } catch (error) {
            console.log(`[!] Failed to load ${script}: ${error.message}`);
        }
    }
    console.log('[+] Finished loading all codeshare scripts');
}

// Kick off loading as soon as the agent is evaluated.
loadAllScripts();
46 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
47 | //hash:1360068977 @sdcampbell/android-codeshare-loader
48 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/ios-nsurl__Computershik73.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:868493252 @Computershik73/ios-nsurl
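// Logs method, URL, headers and body of every request passed to
// -[NSURLSession dataTaskWithRequest:completionHandler:].
// The output can contain cookies, bearer tokens and request payloads, so the
// console log needs the same handling as any other capture of credentials.
console.log('Listening For Requests...');

if (ObjC.available) {
    try {
        var className = "NSURLSession";
        var funcName = "- dataTaskWithRequest:completionHandler:";

        // Plain property lookup. This used to be assembled as a string and
        // passed to eval(), which is unnecessary for a fixed class/selector.
        var hook = ObjC.classes[className][funcName];

        Interceptor.attach(hook.implementation, {
            onEnter: function(args) {
                // args[0] = self, args[1] = _cmd, args[2] = the request object
                var request = new ObjC.Object(args[2]);
                console.log('REQUEST TYPE ->' + request.HTTPMethod());
                console.log('URL -> ' + request.URL());

                var httpbody_nsdata = request.HTTPBody();
                var httpbody_nsstring = null;
                if (httpbody_nsdata !== null) {
                    // 4 = NSUTF8StringEncoding; the result is null when the
                    // body is not valid UTF-8.
                    httpbody_nsstring = ObjC.classes.NSString.alloc().initWithData_encoding_(httpbody_nsdata, 4);
                }
                var httpbody_nsheaders = request.allHTTPHeaderFields();
                console.log('headers are' + httpbody_nsheaders);

                console.log('string is -> ' + httpbody_nsstring);
                // The original tested `httpbody_nsstring += null`, an
                // assignment that is always truthy, so "BODY EMPTY" was never
                // reached and "null" was appended to the body text.
                if (httpbody_nsstring !== null) {
                    console.log("BODY -> " + httpbody_nsstring);
                } else {
                    console.log("BODY EMPTY");
                }
            }
        });
    } catch (error) {
        console.log("[!] Exception: " + error.message);
    }
} else {
    console.log("Objective-C Runtime is not available!");
}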
45 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
46 | //hash:868493252 @Computershik73/ios-nsurl
47 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/ios10-ssl-bypass__dki.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-12884885 @dki/ios10-ssl-bypass
4 | // translation of https://github.com/nabla-c0d3/ssl-kill-switch2/blob/master/SSLKillSwitch/SSLKillSwitch.m for iOS 10/11
5 |
// NativeFunction handle for the platform routine named in the C prototypes
// below. It is chosen by OS version and stays undefined on anything other than
// 10.x / 11.x, in which case bypassSSL() and revertSSL() receive undefined.
var tls_helper_create_peer_trust;
var version = ObjC.classes.UIDevice.currentDevice().systemVersion().toString();

if (version.startsWith("11.")) { // iOS 11
    /* OSStatus nw_tls_create_peer_trust(tls_handshake_t hdsk, bool server, SecTrustRef *trustRef); */
    // NOTE(review): the result of findExportByName is not checked before it is
    // wrapped in a NativeFunction.
    tls_helper_create_peer_trust = new NativeFunction(
        Module.findExportByName(null, "nw_tls_create_peer_trust"),
        'int', ['pointer', 'bool', 'pointer']
    );
} else if (version.startsWith("10.")) { // iOS 10
    /* OSStatus tls_helper_create_peer_trust(tls_handshake_t hdsk, bool server, SecTrustRef *trustRef); */
    tls_helper_create_peer_trust = new NativeFunction(
        Module.findExportByName(null, "tls_helper_create_peer_trust"),
        'int', ['pointer', 'bool', 'pointer']
    );
} else {
    console.log("Unsupported OS version!");
}

// Status code the replacement installed by bypassSSL() returns.
var errSecSuccess = 0;
26 |
/**
 * Replace the resolved peer-trust routine with a stub that returns
 * errSecSuccess and never touches trustRef.
 * While the replacement is installed the process reports certificate
 * validation as bypassed (see the log line), so its TLS connections must not
 * be relied on to authenticate the server. revertSSL() removes the stub.
 */
function bypassSSL() {
    var stubSignature = ['pointer', 'bool', 'pointer'];
    var alwaysSucceed = new NativeCallback(function(hdsk, server, trustRef) {
        return errSecSuccess;
    }, 'int', stubSignature);

    Interceptor.replace(tls_helper_create_peer_trust, alwaysSucceed);
    console.log("SSL certificate validation bypass active");
}
33 |
/**
 * Undo bypassSSL(): hand the peer-trust routine back to its original
 * implementation and log that the bypass is off.
 */
function revertSSL() {
    var replacedFunction = tls_helper_create_peer_trust;
    Interceptor.revert(replacedFunction);
    console.log("SSL certificate validation bypass disabled");
}
38 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
39 | //hash:-12884885 @dki/ios10-ssl-bypass
40 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/intercept-android-apk-crypto-operations__fadeevab.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-29985094 @fadeevab/intercept-android-apk-crypto-operations
/**
 * Render a byte array as a string, one character per byte.
 * Each element is reduced to its low 8 bits first, so signed bytes
 * (-128..127) map to the character codes 0..255.
 *
 * @param {ArrayLike<number>} array - Bytes to convert.
 * @returns {string} One character per input element.
 */
function bin2ascii(array) {
    var text = '';
    var index = 0;

    while (index < array.length) {
        // Masking yields the same code the hex round-trip in the original did.
        text += String.fromCharCode(array[index] & 0xFF);
        index += 1;
    }
    return text;
}
17 |
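/**
 * Hex-encode the first `length` bytes of an array, two lowercase digits per
 * byte. Each element is reduced to its low 8 bits, so signed bytes are
 * handled.
 *
 * @param {ArrayLike<number>} array - Bytes to encode.
 * @param {number} [length] - Number of leading bytes to encode; defaults to
 *     the whole array when omitted.
 * @returns {string} Hex string of 2 * length characters.
 */
function bin2hex(array, length) {
    // Only a missing length falls back to the full array. The previous
    // `length || array.length` also replaced an explicit 0.
    var count = (length === undefined || length === null) ? array.length : length;
    var result = "";

    for (var i = 0; i < count; ++i) {
        result += ('0' + (array[i] & 0xFF).toString(16)).slice(-2);
    }
    return result;
}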
28 |
// Logs key bytes, cipher transformation strings and doFinal() input, then
// calls through to the original method each time.
// The console output contains raw key material and plaintext; store it with
// the same care as the keys themselves.
Java.perform(function() {
    var SecretKeySpec = Java.use('javax.crypto.spec.SecretKeySpec');
    var keySpecCtor = SecretKeySpec.$init.overload('[B', 'java.lang.String');
    keySpecCtor.implementation = function(key, spec) {
        // Key is printed both hex-encoded and as raw characters.
        console.log("KEY: " + bin2hex(key) + " | " + bin2ascii(key));
        return this.$init(key, spec);
    };

    var Cipher = Java.use('javax.crypto.Cipher');
    Cipher.getInstance.overload('java.lang.String').implementation = function(spec) {
        console.log("CIPHER: " + spec);
        return this.getInstance(spec);
    };

    var CipherAgain = Java.use('javax.crypto.Cipher');
    CipherAgain.doFinal.overload('[B').implementation = function(data) {
        console.log("Gotcha!");
        console.log(bin2ascii(data));
        return this.doFinal(data);
    };
});
46 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
47 | //hash:-29985094 @fadeevab/intercept-android-apk-crypto-operations
48 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/ios-openurl__karim-moftah.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:806619367 @karim-moftah/ios-openurl
// Logs the URL passed to UIApplication's openURL: variants.
// Logged URLs can carry tokens or other parameters in custom-scheme links.
if (!ObjC.available) {
    console.log('Objective-C runtime is not available!');
} else {
    var UIApplication = ObjC.classes.UIApplication;

    // Attach a logging hook to one UIApplication method, if it exists.
    //   methodName - selector as exposed on the class, e.g. '- openURL:'
    //   label      - prefix for every log line of this hook
    var tryAttach = function(methodName, label) {
        var method = UIApplication[methodName];
        if (!method) {
            console.log('[*] ' + methodName + ' not found on UIApplication');
            return;
        }

        var handlers = {
            onEnter: function(args) {
                try {
                    // args[0] = self, args[1] = _cmd, args[2] = NSURL *
                    var rawUrl = args[2];
                    if (rawUrl.isNull()) {
                        console.log(label + ' called with NULL url');
                        return;
                    }
                    var url = new ObjC.Object(rawUrl);
                    // Prefer absoluteString when available; otherwise fall
                    // back to the object's description.
                    var readable;
                    if (typeof url.absoluteString === 'function') {
                        readable = url.absoluteString().toString();
                    } else {
                        readable = url.toString();
                    }
                    console.log(label + ' -> ' + readable);
                } catch (e) {
                    console.log(label + ' -> error reading url: ' + e);
                }
            }
        };

        Interceptor.attach(method.implementation, handlers);
        console.log('[*] Attached to UIApplication ' + methodName);
    };

    tryAttach('- openURL:', '[openURL:]');
    tryAttach('- openURL:options:completionHandler:', '[openURL:options:completionHandler:]');
}
39 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
40 | //hash:806619367 @karim-moftah/ios-openurl
41 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/show-ios-app-owned-classes__interference-security.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-51152661 @interference-security/show-ios-app-owned-classes
4 | //Credit: PassionFruit (https://github.com/chaitin/passionfruit/blob/master/agent/app/classdump.js)
5 | //Twitter: https://twitter.com/xploresec
6 | //GitHub: https://github.com/interference-security
/**
 * Print the Objective-C classes defined in the app's main executable.
 * Calls objc_copyClassNamesForImage() on the main bundle's executable path,
 * logs each returned name, frees the returned list and logs the total.
 */
function run_show_app_classes_only() {
    console.log("[*] Started: Find App's Classes");
    var free = new NativeFunction(Module.findExportByName(null, 'free'), 'void', ['pointer']);
    var copyClassNamesForImage = new NativeFunction(Module.findExportByName(null, 'objc_copyClassNamesForImage'), 'pointer', ['pointer', 'pointer']);

    // Out-parameter that receives the number of names, zeroed before the call.
    var countPtr = Memory.alloc(Process.pointerSize);
    Memory.writeUInt(countPtr, 0);

    var imagePath = ObjC.classes.NSBundle.mainBundle().executablePath().UTF8String();
    var imagePathPtr = Memory.allocUtf8String(imagePath);
    var namesPtr = copyClassNamesForImage(imagePathPtr, countPtr);
    var count = Memory.readUInt(countPtr);

    var classesArray = new Array(count);
    var slot = 0;
    while (slot < count) {
        // The list is an array of C-string pointers, one pointer per slot.
        var namePtr = Memory.readPointer(namesPtr.add(slot * Process.pointerSize));
        classesArray[slot] = Memory.readUtf8String(namePtr);
        console.log(classesArray[slot]);
        slot++;
    }

    // The list itself is released with free() once every name has been read.
    free(namesPtr);
    console.log("\n[*] App Classes found: " + count);
    console.log("[*] Completed: Find App's Classes");
}
29 |
/**
 * Schedule run_show_app_classes_only() with setImmediate instead of calling
 * it inline.
 */
function show_app_classes_only() {
    var task = run_show_app_classes_only;
    setImmediate(task);
}

// Entry point: list the classes as soon as the script is loaded.
show_app_classes_only();
36 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
37 | //hash:-51152661 @interference-security/show-ios-app-owned-classes
38 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/unix-socket-peer-pid-observer__oleavr.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-1535818017 @oleavr/unix-socket-peer-pid-observer
'use strict';

// Peer PIDs already reported, used as a set: a key is present once seen.
var pids = {};

// accept() hands back the new descriptor as its return value; -1 means the
// call failed and there is nothing to inspect.
Interceptor.attach(Module.findExportByName(null, 'accept'), {
  onLeave: function (retval) {
    var acceptedFd = retval.toInt32();
    if (acceptedFd === -1)
      return;
    onFileDescriptorActivity(acceptedFd);
  }
});

// Every one of these calls takes the descriptor as its first argument.
['read', 'write', 'recv', 'recvfrom', 'send', 'sendto'].forEach(function (symbol) {
  var target = Module.findExportByName(null, symbol);
  var handlers = {
    onEnter: function (args) {
      onFileDescriptorActivity(args[0].toInt32());
    }
  };
  Interceptor.attach(target, handlers);
});
24 |
/**
 * Report the peer process of a UNIX stream socket the first time it is seen.
 * Descriptors of any other type, and sockets whose peer PID cannot be read,
 * are ignored.
 *
 * @param {number} fd - File descriptor observed in a hooked call.
 */
function onFileDescriptorActivity (fd) {
  if (Socket.type(fd) === 'unix:stream') {
    var peer = tryGetPeerPid(fd);
    var isNewPeer = peer !== null && pids[peer] === undefined;
    if (isNewPeer) {
      pids[peer] = true;
      console.log('New peer PID: ' + peer);
    }
  }
}
37 |
// Socket option level and option name passed to getsockopt() by
// tryGetPeerPid(). NOTE(review): these look like the Darwin values from
// <sys/un.h> - confirm before using the script on another platform.
var SOL_LOCAL = 0;
var LOCAL_PEERPID = 2;

// getsockopt(int fd, int level, int optname, void *optval, socklen_t *optlen).
// Wrapped as a SystemFunction; the caller reads the return code from `.value`.
var getsockopt = new SystemFunction(
    Module.findExportByName(null, 'getsockopt'),
    'int',
    ['int', 'int', 'int', 'pointer', 'pointer']);
45 |
/**
 * Ask the kernel for the PID of the process on the other end of a socket.
 *
 * @param {number} fd - Socket file descriptor.
 * @returns {number|null} Peer PID, or null when getsockopt() does not return 0.
 */
function tryGetPeerPid (fd) {
  // One 8-byte scratch buffer: bytes 0-3 receive the PID, bytes 4-7 hold the
  // option length, initialised to 4.
  var scratch = Memory.alloc(8);
  var lengthPtr = scratch.add(4);
  Memory.writeU32(lengthPtr, 4);

  var outcome = getsockopt(fd, SOL_LOCAL, LOCAL_PEERPID, scratch, lengthPtr);
  return (outcome.value === 0) ? Memory.readU32(scratch) : null;
}
60 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
61 | //hash:-1535818017 @oleavr/unix-socket-peer-pid-observer
62 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/react-native-firebase-remote-config__RohindhR.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:684361578 @RohindhR/react-native-firebase-remote-config
4 | // Author: Rohindh
5 | // Github: https://github.com/RohindhR
6 | // Date: 11/03/2024
7 | // Version: 1.0
8 | // Description: Frida script to list all the firebase remote config values
9 | // Tested and developed for @react-native-firebase/app version 19.0.1 (https://www.npmjs.com/package/@react-native-firebase/app/v/19.0.1) and Frida version 16.2.1
10 | // Usage: frida -U -f com.example.appname --codeshare RohindhR/react-native-firebase-remote-config
11 | // Note: This script is for educational purposes only. Do not use it for illegal activities.
12 | // I am not responsible for any damage done by this script.
13 | // Use this script at your own risk.
14 |
// Prints every key/value pair returned by getAllValuesForApp() and passes the
// map back to the caller unchanged.
// Remote Config values are delivered to the device and readable there, as this
// hook shows, so they are not a place for secrets.
Java.perform(function() {
    var ConfigModule = Java.use("io.invertase.firebase.config.UniversalFirebaseConfigModule");

    ConfigModule.getAllValuesForApp.implementation = function(appName) {
        var values = this.getAllValuesForApp(appName);
        // NOTE(review): entries are cast to HashMap$Node - presumably the
        // returned map is a java.util.HashMap; verify.
        var NodeClass = Java.use('java.util.HashMap$Node');
        var position = 0;

        for (var cursor = values.entrySet().iterator(); cursor.hasNext();) {
            var node = Java.cast(cursor.next(), NodeClass);
            position += 1;
            console.log("Entry: " + position);
            console.log(node.getKey());
            console.log(node.getValue());
            console.log("\n ____________ \n");
        }
        return values;
    };
});
32 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
33 | //hash:684361578 @RohindhR/react-native-firebase-remote-config
34 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/dumper__Hyupai.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:1404958967 @Hyupai/dumper
// Method tracer for one package: for every class matched by the wildcard,
// each declared method is replaced by a wrapper that logs the method name and
// then calls through with the original arguments.
Java.perform(function() {
    try {
        // Hook every class in the package
        // NOTE(review): Java.enumerateClassesSync could not be confirmed as a
        // Frida API - verify; if it is missing, the outer catch logs the error.
        var classes = Java.enumerateClassesSync('com.mm.droid.livetv*'); // Wildcard to match any class in the package
        classes.forEach(function(className) {
            try {
                var clazz = Java.use(className);
                console.log('Hookeando métodos da classe: ' + className);

                // Hook every method of the class
                var methods = clazz.class.getDeclaredMethods();
                methods.forEach(function(method) {
                    try {
                        var methodName = method.getName();
                        console.log('Método encontrado: ' + methodName);
                        // NOTE(review): presumably this assignment throws for
                        // overloaded methods, which the catch below logs.
                        clazz[methodName].implementation = function() {
                            console.log('Método chamado: ' + methodName);
                            return this[methodName].apply(this, arguments); // Calls the original method
                        };
                    } catch (e) {
                        console.log('Erro ao hookear o método: ' + e);
                    }
                });
            } catch (e) {
                console.log('Erro ao hookear a classe: ' + e);
            }
        });
    } catch (e) {
        console.log('Erro ao listar classes: ' + e);
    }
});
35 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
36 | //hash:1404958967 @Hyupai/dumper
38 | //hash:-1581263712 @Hyupai/dumper
39 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/android-hook-notification-builder__sdcampbell.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:1907795315 @sdcampbell/android-hook-notification-builder
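// Logs the title and text of every notification built through
// androidx NotificationCompat.Builder, then calls the original setter.
Java.perform(function () {
    var classHooked = false; // Flag to prevent re-hooking
    var retryReported = false; // Report the reason for retrying only once
    var RETRY_DELAY_MS = 1000;

    // Resolve the builder class and install both hooks. When the class cannot
    // be resolved yet, try again after RETRY_DELAY_MS.
    function tryHooking() {
        if (classHooked) return; // Avoid re-hooking

        var NotificationCompatBuilder;
        try {
            NotificationCompatBuilder = Java.use('androidx.core.app.NotificationCompat$Builder');
        } catch (e) {
            // Previously every failure was swallowed without a message, so a
            // permanent problem retried forever with no indication of why.
            if (!retryReported) {
                console.log('NotificationCompat$Builder not available yet, retrying: ' + e);
                retryReported = true;
            }
            // The timer callback runs outside this Java.perform scope, so it
            // re-enters Java.perform before touching Java classes again.
            setTimeout(function () {
                Java.perform(tryHooking);
            }, RETRY_DELAY_MS);
            return;
        }

        // Hook the setContentTitle method
        NotificationCompatBuilder.setContentTitle.overload('java.lang.CharSequence').implementation = function (title) {
            console.log('setContentTitle called with:', title);
            return this.setContentTitle(title);
        };

        // Hook the setContentText method
        NotificationCompatBuilder.setContentText.overload('java.lang.CharSequence').implementation = function (text) {
            console.log('setContentText called with:', text);
            return this.setContentText(text);
        };

        console.log('Successfully hooked NotificationCompat$Builder methods');
        classHooked = true; // Set flag to prevent re-hooking
    }

    // Start the hooking attempt
    tryHooking();
});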
38 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
39 | //hash:1907795315 @sdcampbell/android-hook-notification-builder
40 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/ios11-12-ssl-bypass__Sotam.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:1231973966 @Sotam/ios11-12-ssl-bypass
4 | // translation of https://github.com/nabla-c0d3/ssl-kill-switch2/blob/master/SSLKillSwitch/SSLKillSwitch.m for iOS 10/11
5 |
// NativeFunction handle for the platform routine named in the C prototypes
// below. It is chosen by OS version and stays undefined on anything other than
// 10.x / 11.x / 12.x, in which case bypassSSL() and revertSSL() receive
// undefined.
var tls_helper_create_peer_trust;
var version = ObjC.classes.UIDevice.currentDevice().systemVersion().toString();

if (version.startsWith("11.") || version.startsWith("12.")) { // iOS 11 or 12
    /* OSStatus nw_tls_create_peer_trust(tls_handshake_t hdsk, bool server, SecTrustRef *trustRef); */
    // NOTE(review): the result of findExportByName is not checked before it is
    // wrapped in a NativeFunction.
    tls_helper_create_peer_trust = new NativeFunction(
        Module.findExportByName(null, "nw_tls_create_peer_trust"),
        'int', ['pointer', 'bool', 'pointer']
    );
} else if (version.startsWith("10.")) { // iOS 10
    /* OSStatus tls_helper_create_peer_trust(tls_handshake_t hdsk, bool server, SecTrustRef *trustRef); */
    tls_helper_create_peer_trust = new NativeFunction(
        Module.findExportByName(null, "tls_helper_create_peer_trust"),
        'int', ['pointer', 'bool', 'pointer']
    );
} else {
    console.log("Unsupported OS version!");
}

// Status code the replacement installed by bypassSSL() returns.
var errSecSuccess = 0;
26 |
/**
 * Replace the resolved peer-trust routine with a stub that returns
 * errSecSuccess and never touches trustRef.
 * While the replacement is installed the process reports certificate
 * validation as bypassed (see the log line), so its TLS connections must not
 * be relied on to authenticate the server. revertSSL() removes the stub.
 */
function bypassSSL() {
    var stubSignature = ['pointer', 'bool', 'pointer'];
    var alwaysSucceed = new NativeCallback(function(hdsk, server, trustRef) {
        return errSecSuccess;
    }, 'int', stubSignature);

    Interceptor.replace(tls_helper_create_peer_trust, alwaysSucceed);
    console.log("SSL certificate validation bypass active");
}
33 |
/**
 * Undo bypassSSL(): hand the peer-trust routine back to its original
 * implementation and log that the bypass is off.
 */
function revertSSL() {
    var replacedFunction = tls_helper_create_peer_trust;
    Interceptor.revert(replacedFunction);
    console.log("SSL certificate validation bypass disabled");
}
38 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
39 | //hash:1231973966 @Sotam/ios11-12-ssl-bypass
40 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/block-toast-with-stacktrace__Neo-vortex.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:321945923 @Neo-vortex/block-toast-with-stacktrace
// Watches Toast.makeText(Context, CharSequence, int). When the text contains
// the target phrase, the caller's stack frames are logged and show() is
// replaced so the toast is not displayed; all other toasts pass through.
Java.perform(function() {
    var Toast = Java.use("android.widget.Toast");
    var Thread = Java.use("java.lang.Thread");

    var originalMakeText = Toast.makeText.overload('android.content.Context', 'java.lang.CharSequence', 'int');

    Toast.makeText.overload('android.content.Context', 'java.lang.CharSequence', 'int').implementation = function(context, text, duration) {
        var toastText = text.toString();

        // Anything without the target phrase is created as usual.
        if (!toastText.includes("امکان باز کردن")) {
            return originalMakeText.call(this, context, text, duration);
        }

        console.log("[!] TARGET TOAST CREATED - BLOCKING: " + toastText);
        var frames = Thread.currentThread().getStackTrace();
        console.log("=== CALL STACK ===");
        // Frames 0-2 are skipped and at most frames 3..14 are printed.
        var lastFrame = Math.min(frames.length, 15);
        for (var depth = 3; depth < lastFrame; depth++) {
            var frame = frames[depth];
            console.log(" -> " + frame.getClassName() + "." + frame.getMethodName());
        }

        var fakeToast = originalMakeText.call(this, context, text, duration);

        // NOTE(review): presumably this replaces show() for the Toast class as
        // a whole rather than for this one instance - verify.
        fakeToast.show.implementation = function() {
            console.log("[!] Blocked target toast from showing: " + toastText);
            return;
        };

        return fakeToast;
    };

    console.log("[*] Targeted Toast blocker active for 'امکان باز کردن'");
});
37 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
38 | //hash:321945923 @Neo-vortex/block-toast-with-stacktrace
39 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/binder-stalker__lolicon.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-748911325 @lolicon/binder-stalker
// Traces Binder traffic of the instrumented process. Each transaction is
// written to logcat (tag 'natsuki') and to the Frida console, then forwarded
// to the original method.
Java.perform(() => {
  const Log = Java.use('android.util.Log');
  const BinderProxy = Java.use('android.os.BinderProxy');
  const Binder = Java.use('android.os.Binder');
  const Thread = Java.use('java.lang.Thread');
  const TAG = 'natsuki';

  // Write one line to logcat first, then to the console.
  const report = (message) => {
    Log.i(TAG, message);
    console.log(message);
  };

  // Run `block`, printing any exception instead of letting it reach the
  // hooked Binder call.
  const catching = (block) => {
    try {
      block();
    } catch (e) {
      console.error(e);
    }
  };

  // outgoing
  BinderProxy.transact.implementation = function (...args) {
    // Frame 3 of the current stack is taken as the caller of transact().
    const callingStack = Thread.currentThread().getStackTrace()[3];
    catching(() => {
      const method = callingStack.getMethodName();
      // When no descriptor is available, fall back to '?<caller class>'.
      const target = this.getInterfaceDescriptor() || `?${callingStack.getClassName()}`;
      report(`----> (${target}:${method})`);
    });
    return this.transact(...args);
  };

  // incoming
  Binder.execTransactInternal.implementation = function (...args) {
    catching(() => {
      // args[0] is the transaction code and args[4] the calling UID.
      const code = args[0];
      const callingUid = args[4];
      const transactionName = this.getTransactionName(code) || `c${code}`;
      const descriptor = this.getInterfaceDescriptor() || '?';
      report(`<---- (${descriptor}:${transactionName}:u${callingUid})`);
    });
    return this.execTransactInternal(...args);
  };
});
53 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
54 | //hash:-748911325 @lolicon/binder-stalker
55 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/bypass-developermode-check-android__zionspike.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-1476262186 @zionspike/bypass-developermode-check-android
/**
 * Replace both getInt() overloads of Settings.Secure and Settings.Global with
 * stubs that log the requested key and return 0.
 * The stubs return 0 for every key, not only the developer-mode ones, and the
 * caller's default value (third argument) is ignored. A settings read made
 * inside the app process can be overridden this way, so it cannot serve as
 * the sole signal for a developer-mode check.
 * Must run inside Java.perform().
 */
function bypass_developerMode_check() {
    var settingSecure = Java.use('android.provider.Settings$Secure');
    var secureWithDefault = settingSecure.getInt.overload('android.content.ContentResolver', 'java.lang.String', 'int');
    var secureNoDefault = settingSecure.getInt.overload('android.content.ContentResolver', 'java.lang.String');

    secureWithDefault.implementation = function(cr, name, flag) {
        console.log("[!] settingSecure.getInt(cr,name) : " + name);
        console.log('[+] 1.Secure.getInt(' + name + ') Bypassed');
        return 0;
    };
    secureNoDefault.implementation = function(cr, name) {
        console.log("[!] settingSecure.getInt(cr,name) : " + name);
        console.log('[+] 2.Secure.getInt(' + name + ') Bypassed');
        return 0;
    };

    var settingGlobal = Java.use('android.provider.Settings$Global');
    var globalWithDefault = settingGlobal.getInt.overload('android.content.ContentResolver', 'java.lang.String', 'int');
    var globalNoDefault = settingGlobal.getInt.overload('android.content.ContentResolver', 'java.lang.String');

    globalWithDefault.implementation = function(cr, name, flag) {
        console.log("[!] settingGlobal.getInt(cr,name) : " + name);
        console.log('[+] 1.Global.getInt(' + name + ') Bypassed');
        return 0;
    };
    globalNoDefault.implementation = function(cr, name) {
        console.log("[!] settingGlobal.getInt(cr,name) : " + name);
        console.log('[+] 2.Global.getInt(' + name + ') Bypassed');
        return 0;
    };
}
28 |
// Main: install the hooks once the Java runtime is reachable.
Java.perform(function installHooks() {
    bypass_developerMode_check();
});
33 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
34 | //hash:-1476262186 @zionspike/bypass-developermode-check-android
35 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/inmemorydexclassloader-dump__cryptax.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-1256020336 @cryptax/inmemorydexclassloader-dump
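'use strict';

console.log("[*] In Memory Dex Dump v0.1 - @cryptax");

// Writes the DEX passed to InMemoryDexClassLoader(ByteBuffer, ClassLoader) to
// a file so it can be analysed offline. The dumped file is the code the app
// was about to load; handle it as an untrusted sample.
Java.perform(function() {
    var memoryclassLoader = Java.use("dalvik.system.InMemoryDexClassLoader");
    memoryclassLoader.$init.overload('java.nio.ByteBuffer', 'java.lang.ClassLoader').implementation = function(dexbuffer, loader) {
        console.log("[*] Hooking InMemoryDexClassLoader");
        var object = this.$init(dexbuffer, loader);

        /* dexbuffer is a Java ByteBuffer
           you cannot dump to /sdcard unless the app has rights to
        */
        // Placeholder path: replace YOUR-PACKAGE-NAME with the app's package.
        // Every load writes to this same file name.
        const filename = '/data/data/YOUR-PACKAGE-NAME/dump.dex';

        // A failed dump is reported but must not abort the constructor of the
        // app's class loader, so the dump runs inside its own try block.
        try {
            var remaining = dexbuffer.remaining();
            console.log("[*] Opening file name=" + filename + " to write " + remaining + " bytes");
            const f = new File(filename, 'wb');
            try {
                // NOTE(review): get() advances the buffer's position and the
                // position is not restored afterwards - confirm the app does
                // not read the buffer again.
                var buf = new Uint8Array(remaining);
                for (var i = 0; i < remaining; i++) {
                    buf[i] = dexbuffer.get();
                    //debug: console.log("buf["+i+"]="+buf[i]);
                }
                console.log("[*] Writing " + remaining + " bytes...");
                f.write(buf);
            } finally {
                // Close the file even when reading or writing throws.
                f.close();
            }

            // checking
            remaining = dexbuffer.remaining();
            if (remaining > 0) {
                console.log("[-] Error: There are " + remaining + " remaining bytes!");
            } else {
                console.log("[+] Dex dumped successfully in " + filename);
            }
        } catch (e) {
            console.log("[-] Error: dump to " + filename + " failed: " + e);
        }

        return object;
    };
});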
44 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
45 | //hash:-1256020336 @cryptax/inmemorydexclassloader-dump
46 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/frinja---permissions__ninjadiary.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:1835343083 @ninjadiary/frinja---permissions
4 | /*
5 | Author: secretdiary.ninja
6 | License: (CC BY-SA 4.0)
7 | * */
8 |
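// Logs every runtime-permission check and request made through ContextImpl,
// ContextCompat, PermissionChecker and ActivityCompat, then forwards the call
// so the app sees the real result.
// NOTE(review): the android.support.v4 classes are presumably absent in apps
// built on AndroidX; Java.use() would then throw and the later hooks would
// not be installed - verify against the target.
setImmediate(function() {
    Java.perform(function() {

        var context = Java.use("android.app.ContextImpl");

        context.checkSelfPermission.overload('java.lang.String').implementation = function (var0) {
            console.log("[*] ContextImpl.checkSelfPermission called: " + var0 +"\n");
            // Call through. The original returned the method wrapper itself
            // (`this.checkSelfPermission`) instead of the permission result.
            return this.checkSelfPermission(var0);
        };

        var contextCompat = Java.use("android.support.v4.content.ContextCompat");

        contextCompat.checkSelfPermission.overload('android.content.Context', 'java.lang.String').implementation = function (var0, var1) {
            console.log("[*] ContextCompat.checkSelfPermission called: " + var1 +"\n");
            return this.checkSelfPermission(var0, var1);
        };

        var permissionChecker = Java.use("android.support.v4.content.PermissionChecker");

        permissionChecker.checkSelfPermission.overload('android.content.Context', 'java.lang.String').implementation = function (var0, var1) {
            console.log("[*] PermissionChecker.checkSelfPermission called: " + var1 +"\n");
            return this.checkSelfPermission(var0, var1);
        };

        var activityCompat = Java.use("android.support.v4.app.ActivityCompat");

        // void requestPermissions (Activity activity, String[] permissions, int requestCode)
        activityCompat.requestPermissions.overload('android.app.Activity', '[Ljava.lang.String;', 'int').implementation = function (var0, var1, var2) {
            console.log("[*] ActivityCompat.requestPermissions called. Permissions: " + var1 +"\n");
            this.requestPermissions(var0, var1, var2);
        };
    });
});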
42 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
43 | //hash:1835343083 @ninjadiary/frinja---permissions
44 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/android-query-provider__leolashkevych.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:198603021 @leolashkevych/android-query-provider
4 | /*
5 | * Android Query Content Provider
6 | *
7 | * Usage: frida -U --codeshare leolashkevych/android-query-provider -f com.android.systemui
8 | * queryProvider(URI);
9 | * queryProvider(URI, selection);
10 | *
11 | * To query a provider that is not exported, launch the script within a target application.
12 | *
13 | * frida -U --codeshare leolashkevych/android-query-provider -f com.targetapp
14 | * queryProvider('content://com.targetapp.ProviderAuthoruty/path/', 'login=\'root\' OR id=1');
15 | */
16 |
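/**
 * Query a content provider from inside the instrumented app and print the
 * returned rows with DatabaseUtils.dumpCursorToString().
 *
 * `sel` is passed to the provider as the selection unchanged. A provider that
 * answers such a query with rows the calling app should not see is missing an
 * export or permission restriction, or builds its SQL from the caller-supplied
 * selection.
 *
 * @param {string} contentUri - content:// URI of the provider path.
 * @param {string} [sel] - Optional selection (WHERE clause); omitted means no
 *     filter.
 */
function queryProvider(contentUri, sel) {
    Java.perform(function() {
        var Uri = Java.use("android.net.Uri");
        var DbUtils = Java.use("android.database.DatabaseUtils");

        var uri = Uri.parse(contentUri);
        var cxt = getContext();
        if (!cxt) {
            console.log('[-] No application context available');
            return;
        }

        var resolver = cxt.getContentResolver();
        var query = resolver.query.overload('android.net.Uri', '[Ljava.lang.String;', 'java.lang.String', '[Ljava.lang.String;', 'java.lang.String');
        var selection = (typeof sel !== 'undefined') ? sel : null;
        var cursor = query.call(resolver, uri, null, selection, null, null);

        // Stop here when no cursor comes back, so that null is never handed to
        // dumpCursorToString().
        if (cursor === null) {
            console.log('[-] No cursor returned for ' + contentUri);
            return;
        }
        try {
            console.log(DbUtils.dumpCursorToString(cursor));
        } finally {
            // The cursor was previously never closed.
            cursor.close();
        }
    });
}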
39 |
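/**
 * Return the application Context of the instrumented process.
 * Must be called inside Java.perform().
 *
 * @returns {object|null} The application context, or null when
 *     ActivityThread.currentApplication() has no application yet.
 */
function getContext() {
    var app = Java.use('android.app.ActivityThread').currentApplication();
    // Return null instead of throwing on a null application; queryProvider()
    // already tests the result before using it.
    if (app === null) {
        return null;
    }
    return app.getApplicationContext();
}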
43 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
44 | //hash:198603021 @leolashkevych/android-query-provider
45 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/ios-list-apps__oleavr.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:2048531307 @oleavr/ios-list-apps
4 | /*
5 | * Usage: frida -U -n itunesstored --codeshare oleavr/ios-list-apps
6 | *
7 | * Then:
8 | * list()
9 | */
10 |
'use strict';

// Objective-C classes looked up once when the script loads.
var NSAutoreleasePool = ObjC.classes.NSAutoreleasePool;
var NSNumber = ObjC.classes.NSNumber;
// NOTE(review): presumably only present in the process named in the usage
// note (itunesstored) - confirm.
var SoftwareLibraryLookupOperation = ObjC.classes.SoftwareLibraryLookupOperation;
16 |
/**
 * Run a SoftwareLibraryLookupOperation created with a NULL bundle-identifier
 * list and return its items as plain JavaScript objects.
 *
 * @returns {Object[]} One object per software library item, as produced by
 *     parseSoftwareLibraryItem().
 */
function list () {
  var pool = NSAutoreleasePool.alloc().init();
  var apps;
  try {
    var lookup = SoftwareLibraryLookupOperation.alloc().initWithBundleIdentifiers_(NULL);
    lookup.autorelease();
    lookup.run();
    apps = nsArrayMap(lookup.softwareLibraryItems(), parseSoftwareLibraryItem);
  } finally {
    // The pool is released whether or not the lookup succeeded.
    pool.release();
  }
  return apps;
}
28 |
/**
 * Convert one software library item into a plain object.
 * Reads the item's _propertyValues ivar; NSNumber values become JavaScript
 * numbers, every other value becomes its string form.
 *
 * @param {ObjC.Object} item - Item returned by the lookup operation.
 * @returns {Object} Property name to number or string.
 */
function parseSoftwareLibraryItem (item) {
  var parsed = {};
  nsDictionaryForEach(item.$ivars._propertyValues, function (name, raw) {
    parsed[name] = raw.isKindOfClass_(NSNumber) ? raw.doubleValue() : raw.toString();
  });
  return parsed;
}
42 |
/**
 * Maps an NSArray-like object to a JavaScript array.
 *
 * @param {object} array - object exposing count() and objectAtIndex_(i).
 * @param {function} callback - called once per element, in index order.
 * @returns {Array} the callback results.
 */
function nsArrayMap (array, callback) {
  var mapped = [];
  var total = array.count().valueOf();
  var position = 0;
  while (position !== total) {
    var element = array.objectAtIndex_(position);
    mapped.push(callback(element));
    position++;
  }
  return mapped;
}
50 |
/**
 * Calls `callback(keyString, value)` for every entry of an
 * NSDictionary-like object, in the order returned by allKeys().
 *
 * @param {object} dict - object exposing allKeys() and objectForKey_(key).
 * @param {function} callback - receives the key as a string and the raw value.
 */
function nsDictionaryForEach (dict, callback) {
  var allKeys = dict.allKeys();
  var total = allKeys.count().valueOf();
  var position = 0;
  while (position !== total) {
    var currentKey = allKeys.objectAtIndex_(position);
    var currentValue = dict.objectForKey_(currentKey);
    callback(currentKey.toString(), currentValue);
    position++;
  }
}
60 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
61 | //hash:2048531307 @oleavr/ios-list-apps
62 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/null-vector-cbcmode__padmadl.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:1592974393 @padmadl/null-vector-cbcmode
4 | //python3 frida -f com.test.sampleiOS -U -l ~/Downloads/null.js
5 |
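const libraryName = "libcommonCrypto.dylib";
const functionName = "CCCrypt";

// Address of the CCCrypt export, or null when it cannot be resolved.
const CCCryptCreatePtr = Module.findExportByName(libraryName, functionName);

if (CCCryptCreatePtr !== null) {
    console.log("[*] Hooking " + functionName);

    // Crypto-misuse audit hook. Argument positions follow the CommonCrypto
    // prototype:
    //   CCCrypt(op, alg, options, key, keyLength, iv,
    //           dataIn, dataInLength, dataOut, dataOutAvailable, dataOutMoved)
    // The log texts below say "CCCryptCreate"/"CCCryptorCreate"; they are kept
    // as in the original, but the hooked export is CCCrypt.
    Interceptor.attach(CCCryptCreatePtr, {
        onEnter: function(args) {
            this.op = args[0].toInt32(); // 0 = Encrypt, 1 = Decrypt
            this.dataIn = args[6];
            this.dataInLength = args[7].toInt32();
            this.dataOut = args[8];
            console.log("[*] Intercepted CCCryptCreate");

            const algorithm = args[1].toInt32(); // 0 = kCCAlgorithmAES128
            const options = args[2].toInt32();   // bit 0x1 = PKCS7 padding, bit 0x2 = ECB

            // NOTE(review): options value 3 has the ECB bit set, and ECB does
            // not use the IV; the original condition is kept as written.
            if (algorithm === 0 && (options === 1 || options === 3)) {
                // Test the IV pointer itself. The previous code read 16 bytes
                // from args[5] and compared the result with null, but reading
                // through a NULL pointer raises an access violation instead of
                // returning null, so the finding was never reported.
                // With CBC and a NULL IV, CommonCrypto uses an all-zero IV.
                if (args[5].isNull()) {
                    console.log("mode is kCCOptionPKCS7Padding of CBC used and iv is null");
                }
            }
        },
        onLeave: function(retval) {
            console.log("[*] CCCryptorCreate returned:", retval);
            if (this.op === 0) {
                // Encrypting - we capture plaintext input.
                // The console output therefore contains application plaintext;
                // store and share these logs like any other sensitive data.
                var plaintext = Memory.readByteArray(this.dataIn, this.dataInLength);
                console.log("Plaintext input:", hexdump(plaintext));
            }
        }
    });
} else {
    console.log("[-] Unable to find " + functionName + " function to hook.");
}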
47 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
48 | //hash:1592974393 @padmadl/null-vector-cbcmode
49 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/bypass-framgia-emulator-checker__latestnew1310.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-726999466 @latestnew1310/bypass-framgia-emulator-checker
4 | /** This script was created by Shino, member of ReUTD security team. */
5 |
Java.perform(function () {
    console.log("[.] Test bypass Emulator Detect");
    var detector = Java.use('com.framgia.android.emulator.EmulatorDetector');

    // Methods whose implementation is replaced by a constant `false`.
    // Every check in the library is an ordinary Java method returning a
    // boolean, which is why an instrumented process can override all of them;
    // a verdict produced only by this in-app library is not a signal a
    // backend can rely on by itself.
    var forcedFalse = [
        'detect',
        'checkBasic',
        'checkAdvanced',
        'checkPackageName',
        'checkTelephony',
        'checkPhoneNumber',
        'checkDeviceId',
        'checkImsi',
        'checkOperatorNameAndroid',
        'checkQEmuDrivers',
        'checkFiles',
        'checkQEmuProps',
        'checkIp'
    ];
    forcedFalse.forEach(function (methodName) {
        detector[methodName].implementation = function () {
            return false;
        };
    });

    // The only method replaced by a constant `true`.
    detector.isSupportTelePhony.implementation = function () {
        return true;
    };
});
52 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
53 | //hash:-726999466 @latestnew1310/bypass-framgia-emulator-checker
54 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/ios-pinning-disable__snooze6.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:1959880329 @snooze6/ios-pinning-disable
4 | /*
5 | https://kov4l3nko.github.io/blog/2018-05-27-sll-pinning-hook-sectrustevaluate/
6 |
7 | ****************************************
8 | killSSL.js Frida script
9 | by Dima Kovalenko
10 | ****************************************
11 |
12 | Usage:
13 |
14 | 1. Run Viber on the device
15 |
16 | 2. Inject the script to the process:
17 | $ frida -U -n Viber -l path/to/killSSL.js
18 |
19 | 3. SSL pinning in Viber HTTPs is
20 | disabled. Now you can intercept
21 | Viber HTTPs requests, e.g. with
22 | mitmproxy.
23 | */
24 |
/**
 * Replaces Security!SecTrustEvaluate with a wrapper that still calls the
 * original function but discards its verdict: the result byte is overwritten
 * with 1 (kSecTrustResultProceed) and 0 (errSecSuccess) is returned.
 *
 * Logs a message and returns without hooking when the export is not found.
 * Code in the instrumented process that decides trust only from this
 * function's output will therefore accept every certificate chain.
 */
function disable_SecTrustEvaluate() {
    // Verbose flag. Assigned without a declaration, so it becomes a property
    // of the global object rather than a local variable.
    DEBUG = true;

    // Locate the export; bail out when the Security framework lacks it.
    var target = Module.findExportByName("Security", "SecTrustEvaluate");
    if (target == null) {
        console.log("[!] Security!SecTrustEvaluate(...) not found!");
        return;
    }

    // Callable handle to the original implementation.
    var callOriginal = new NativeFunction(target, "int", ["pointer", "pointer"]);

    var replacement = new NativeCallback(function(trust, result) {
        if (DEBUG) {
            console.log("[*] SecTrustEvaluate(...) hit!");
        }
        // The original still runs, but its status code is ignored.
        callOriginal(trust, result);
        // Overwrite the out-parameter with kSecTrustResultProceed.
        Memory.writeU8(result, 1);
        // errSecSuccess
        return 0;
    }, "int", ["pointer", "pointer"]);
    Interceptor.replace(target, replacement);

    console.log("[*] SecTrustEvaluate(...) hooked. SSL should be pinning disabled.");
}
53 |
54 | // Run the script
55 | // disable_SecTrustEvaluate();
56 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
57 | //hash:1959880329 @snooze6/ios-pinning-disable
58 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/ios-ssl-key-steal__atuncer.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:-1413627481 @atuncer/ios-ssl-key-steal
4 | /*
5 | * This is based on https://codeshare.frida.re/@andydavies/ios-tls-keylogger/
6 | * but does not require the binary to use `SSL_CTX_set_info_callback` etc.
7 | * Instead it directly hooks `SSL_CTX_new` to find the pointer to each
8 | * SSL_CTX and then directly calls `SSL_CTX_set_keylog_callback`.
9 | * This method requires that you can find the pointers to both
10 | * `SSL_CTX_new` and `SSL_CTX_set_keylog_callback` which might not
11 | * always be possible.
12 | *
13 | * This is based on work by Andy Davies
14 | * Copyright (c) 2019 Andy Davies, @andydavies, http://andydavies.me
15 | *
16 | * The rest is his work
17 | * Copyright (c) 2020 Hugo Tunius, @k0nserv, https://hugotunius.se
18 | *
19 | * Andy's original code is released under MIT License and my modifications
20 | * are likewise MIT licensed.
21 | *
22 | * A full writeup is available on my blog
23 | * https://hugotunius.se/2020/08/07/stealing-tls-sessions-keys-from-ios-apps.html
24 | */
25 |
/**
 * Registers a key-log callback on every SSL_CTX created after this call.
 *
 * Attaches to `SSL_CTX_new`; whenever it returns a non-NULL context, calls
 * `SSL_CTX_set_keylog_callback` on that context with a callback that prints
 * each key-log line to the console.
 *
 * The printed lines are TLS session secrets: anyone holding them together
 * with a capture of the traffic can decrypt it, so the console output has to
 * be handled as key material.
 *
 * @param {NativePointer} SSL_CTX_new - address of SSL_CTX_new.
 * @param {NativePointer} SSL_CTX_set_keylog_callback - address of
 *        SSL_CTX_set_keylog_callback.
 */
function startTLSKeyLogger(SSL_CTX_new, SSL_CTX_set_keylog_callback) {
    // Native callback taking (ssl, line); only the line is used.
    const keyLogCallback = new NativeCallback(function keyLogger(ssl, line) {
        const text = new NativePointer(line).readCString();
        console.log(text);
    }, 'void', ['pointer', 'pointer']);

    Interceptor.attach(SSL_CTX_new, {
        onLeave(retval) {
            const createdCtx = new NativePointer(retval);
            // A NULL return means no context was created; nothing to register.
            if (createdCtx.isNull()) {
                return;
            }
            const setKeylogCallback = new NativeFunction(SSL_CTX_set_keylog_callback, 'void', ['pointer', 'pointer']);
            setKeylogCallback(createdCtx, keyLogCallback);
        }
    });
}
43 | startTLSKeyLogger();
44 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
45 | //hash:-1413627481 @atuncer/ios-ssl-key-steal
46 |
--------------------------------------------------------------------------------
/frida-codeshare-scripts/swift-symmetrickey-dump__rparviainen.js:
--------------------------------------------------------------------------------
1 |
2 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
3 | //hash:1547817958 @rparviainen/swift-symmetrickey-dump
4 | /*
5 | Code to dump symmetric key bytes from Swift apps on iOS using SymmetricKey (https://developer.apple.com/documentation/cryptokit/symmetrickey) by hooking the constructor
6 |
7 | Only tested on two apps.
8 |
9 | https://github.com/rparviainen/frida-scripts-ios/
10 |
11 | */
12 |
13 |
// Look up the mangled Swift symbol in all loaded modules (module name null).
// Per the file header this is the CryptoKit SymmetricKey constructor.
var someFunc = Module.findExportByName(null, "$s9CryptoKit12SymmetricKeyV4dataACx_tc10Foundation15ContiguousBytesRzlufC");

// Nothing is hooked, and nothing is logged, when the symbol is not exported.
if (someFunc) {
    console.log("[+] Found $s9CryptoKit12SymmetricKeyV4dataACx_tc10Foundation15ContiguousBytesRzlufC");
    Interceptor.attach(someFunc, {
        onEnter: hooksymmetrickeyenter,
        onLeave: hooksymmetrickeyleave
    });
}
23 |
24 |
/**
 * onEnter handler for the SymmetricKey hook: logs that the hooked function
 * was entered. The arguments are not inspected.
 *
 * @param {Array} args - native call arguments (unused).
 */
function hooksymmetrickeyenter(args) {
    var marker = "enter";
    console.log(marker);
}
28 |
29 |
/**
 * onLeave handler for the SymmetricKey hook.
 *
 * Treats register x0 (so this assumes an arm64 target) as a pointer to the
 * returned object, hexdumps its first 64 bytes, reads a 16-bit length at
 * offset 8 and, when that length is 8, 16 or 32, prints 32 bytes starting
 * at offset 24 as hex.
 *
 * The offsets are the author's assumption about the object layout; the file
 * header says this was only tested on two apps. The read is always 32 bytes,
 * whatever length was reported. The output is raw key material and should be
 * stored accordingly.
 *
 * @param {NativePointer} args - return value passed by Interceptor (unused).
 */
function hooksymmetrickeyleave(args) {
    console.log("leave $s9CryptoKit12SymmetricKeyV4dataACx_tc10Foundation15ContiguousBytesRzlufC");
    //console.log(JSON.stringify(this.context))

    var returned = this.context.x0;
    console.log(hexdump(returned, { offset: 0, length: 64, header: true, ansi: false }));

    var reportedLength = returned.add(8).readU16();
    console.log("key length (bytes): " + reportedLength);

    var looksLikeKey = reportedLength == 8 || reportedLength == 16 || reportedLength == 32;
    if (!looksLikeKey) {
        console.log("probably not a key in a recognized format");
        return;
    }

    var keyBytes = new Uint8Array(returned.add(24).readByteArray(32));
    console.log("key in hex: " + bytesToHex2(keyBytes, 32));
}
46 |
/**
 * Hex-encodes the first `len` entries of `bytes`, two lowercase hex digits
 * per entry (high nibble first).
 *
 * @param {Uint8Array|Array<number>} bytes - values to encode.
 * @param {number} len - number of entries to encode.
 * @returns {string} the concatenated hex digits.
 */
function bytesToHex2(bytes, len) {
    var digits = [];
    var position = 0;
    while (position < len) {
        var current = bytes[position];
        digits.push((current >>> 4).toString(16));
        digits.push((current & 0xF).toString(16));
        position++;
    }
    return digits.join("");
}
54 | //https://github.com/zengfr/frida-codeshare-scripts QQGroup: 143824179 .
55 | //hash:1547817958 @rparviainen/swift-symmetrickey-dump
56 |
--------------------------------------------------------------------------------