09. Assorted app hook scripts

1. Hooking Map

import frida
import sys

rdev = frida.get_remote_device()
session = rdev.attach("识货")

scr = """
Java.perform(function () {
    var TreeMap = Java.use('java.util.TreeMap');
    var Map = Java.use("java.util.Map");

    TreeMap.put.implementation = function (key,value) {
        if(key=="data"){
            console.log(key,value);
        }
        var res = this.put(key,value);
        return res;
    }
});
"""
script = session.create_script(scr)


def on_message(message, data):
    print(message, data)


script.on("message", on_message)
script.load()
sys.stdin.read()
Example

By hooking Map operations we can confirm whether this code path is taken:
data: encrypted payload -> very likely built inside the app as map.put('data', xx.sign(data))
So we try hooking Map first to confirm whether this is how the value is assembled.

2. Hooking StringBuilder

Note

If the value does not go through a Map, it may be built by string concatenation instead:
StringBuilder sb = new StringBuilder();
sb.append("data")
sb.append("<encrypted string>")
sb.toString()
toString() is what turns the builder into the real string, so hooking StringBuilder.toString shows whether this path is taken.

2.1. Python version

import frida
import sys

rdev = frida.get_remote_device()
session = rdev.attach("识货")

scr = """
Java.perform(function () {
    var StringBuilder = Java.use("java.lang.StringBuilder");
    
    StringBuilder.toString.implementation = function () {
        var res = this.toString();
        console.log(res); 
        return res;
    }
   
});
"""
script = session.create_script(scr)


def on_message(message, data):
    print(message, data)


script.on("message", on_message)
script.load()
sys.stdin.read()

2.2. Hooking with a standalone JS script

// hook_stringbuilder.js

Java.perform(function () {
    var StringBuilder = Java.use("java.lang.StringBuilder");

    StringBuilder.toString.implementation = function () {
        var res = this.toString();
        console.log(res);
        return res;
    }
});

// frida -UF -l hook_stringbuilder.js -o string.txt

// Observed: nothing was written to string.txt

3. Hooking Base64

import frida
import sys

rdev = frida.get_remote_device()
session = rdev.attach("识货")

scr = """
Java.perform(function () {
    var Base64 = Java.use("android.util.Base64");

    Base64.encodeToString.overload('[B', 'int').implementation = function (bArr,val) {
        var res = this.encodeToString(bArr,val);
        console.log("加密了-->",res);
        return res;
    }
});
"""
script = session.create_script(scr)


def on_message(message, data):
    print(message, data)


script.on("message", on_message)
script.load()
sys.stdin.read()

# Searching the output for the data seen in the request shows that this hook caught it.

4. Hooking interceptors

Request encryption and response decryption are very likely performed in an interceptor:

  • goes through the interceptor -> request is encrypted
  • skips the interceptor -> request is not encrypted (this is how to tell which interceptor is responsible)
    then search the code for the interceptor-related classes

4.1. JS hook that logs every registered interceptor

// hook_Interceptor.js
Java.perform(function () {
    var Builder = Java.use('okhttp3.OkHttpClient$Builder');

    // Log each interceptor as it is added to the client, then register it as usual.
    Builder.addInterceptor.implementation = function (inter) {
        console.log(JSON.stringify(inter));
        return this.addInterceptor(inter);
    };
})

// frida -Uf com.hupu.shihuo -l hook_Interceptor.js -o all_interceptor3.txt

4.2. Trying the interceptors one at a time to find the right one

# Script A: hook one interceptor but still run its own logic (this.intercept).
import frida
import sys

rdev = frida.get_remote_device()
session = rdev.attach("识货")

scr = """
Java.perform(function () {
    var a = Java.use("cn.shihuo.modulelib.startup.core.c.a");

    a.intercept.implementation = function (chain) {
        var req = chain.request();
        var httpUrl = req.url().toString();
        if (httpUrl.indexOf("https://sh-gateway.shihuo.cn/v4/services/sh-goodsapi/app_swoole_shoe/preload/single") != -1) {
            console.log('before', httpUrl);
        }

        var res = this.intercept(chain); // run this interceptor's own logic
        return res;
    }

});
"""
script = session.create_script(scr)


def on_message(message, data):
    print(message, data)


script.on("message", on_message)
script.load()
sys.stdin.read()

# Script B: hook another interceptor and skip its own logic (chain.proceed).
import frida
import sys

rdev = frida.get_remote_device()
session = rdev.attach("识货")

scr = """
Java.perform(function () {
    var a = Java.use("cn.shihuo.modulelib.utils.f1.a$a");

    a.intercept.implementation = function (chain) {
        var req = chain.request();
        var httpUrl = req.url().toString();
        if (httpUrl.indexOf("https://sh-gateway.shihuo.cn/v4/services/sh-goodsapi/app_swoole_shoe/preload/single") != -1) {
            console.log('before', httpUrl);
        }
        // Do not run this interceptor's own logic: hand the unmodified request
        // straight to the next interceptor in the chain.
        var response = chain.proceed(req);
        return response;
    }

});
"""
script = session.create_script(scr)


def on_message(message, data):
    print(message, data)


script.on("message", on_message)
script.load()
sys.stdin.read()


// Found the interceptor: with it skipped, the request to this endpoint can be sent in plaintext
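To make clear why Script A and Script B behave differently, here is an added example (not code from the original notes or from the app) of the kind of OkHttp interceptor the hooks target. The class name, the header name and its value are constructed placeholders. The interceptor's whole job lives between chain.request() and chain.proceed(); a hook that calls this.intercept(chain) runs that code, while a hook that calls chain.proceed(req) directly skips it, which is why the header never gets added in Script B.

```java
import java.io.IOException;

import okhttp3.Interceptor;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

// Hypothetical interceptor that stamps an extra header onto every request.
// Placeholder names; the real app's class, header and signing logic are not shown here.
public final class HeaderStampInterceptor implements Interceptor {

    @Override
    public Response intercept(Chain chain) throws IOException {
        // The request as handed to this interceptor by the previous one in the chain.
        Request original = chain.request();

        // This is the interceptor's own work. When an instrumented intercept()
        // calls chain.proceed(chain.request()) instead of the original body,
        // none of this runs and the request goes on without the header.
        Request stamped = original.newBuilder()
                .header("X-Example-Stamp", "constructed-placeholder-value")
                .build();

        // Hand the (modified) request to the next interceptor, or to the network
        // if this is the last one. The Response flows back through the same chain.
        return chain.proceed(stamped);
    }

    // Client wiring: interceptors run in the order they are added.
    public static OkHttpClient buildClient() {
        return new OkHttpClient.Builder()
                .addInterceptor(new HeaderStampInterceptor())
                .build();
    }
}
```

The defender-side lesson is the same one the notes demonstrate: anything an interceptor adds to a request on the client (headers, signatures, encrypted bodies) can be observed or skipped by instrumentation on a device the attacker controls, so the server must not treat its presence as proof that the request came from an unmodified app.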


4.3. Sending the request directly from Python to fetch the details

import requests

# Headers copied from the request captured above (sk and the sh-dv-sign value in user-agent).
headers = {
    'sk': '9MRYHxYzeIwT5VTCyBnbXFdf39hbCo06r1oTpaW4rnNvheJuLIckKkSUH2cpirlmXot9rIFBAvDP37nmOXBb7L5Drd1x',
    'user-agent': 'Android 11 {Z29vZ2xl} CPU_ABI arm64-v8a CPU_ABI2  HARDWARE taimen MODEL {UGl4ZWwgMiBYTA} network/WIFI shihuo/7.20.1 sc({holder},myapp) minVersion(15670) sh-dv-sign[v1|10418e17bc015815ef161fc2a5029c0d0d2751f79b8da0aa]',
}

# verify=False disables TLS certificate checking; only acceptable for this local test.
res = requests.get(
    'https://sh-gateway.shihuo.cn/v4/services/sh-goodsapi/app_swoole_shoe/preload/single',
    params={
        'goods_id': '379112',
        'v': '7.20.1',
    },
    verify=False, headers=headers)
print(res.json())