
基于 python-frida 的注入脚本

启动脚本前要先启动Frida server

端口转发会默认启动，使用 Frida 默认端口

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @Time : 2021-04-19 22:38
# @Author : Nuonuo
# @Site : 
# @File : run.py
# @Software: PyCharm
import os
import frida, sys


# Frida agent source that script.load() below injects into the attached process.
# Everything runs inside Java.perform(); only tongsha() is invoked at the bottom
# (the zhixie() call is commented out). tongsha() wraps
#   javax.crypto.spec.SecretKeySpec.$init, javax.crypto.Mac (getInstance/update/doFinal),
#   java.security.MessageDigest (getInstance/update/digest),
#   javax.crypto.spec.IvParameterSpec.$init, javax.crypto.Cipher (getInstance/update/doFinal),
#   java.security.spec.X509EncodedKeySpec.$init and java.security.spec.RSAPublicKeySpec.$init;
# each hook calls through to the original and console.log()s the arguments and/or
# the result as text, hex or base64 via the helper encoders defined further down.
# The console output therefore contains key material, IVs and plaintext/ciphertext
# handled by the hooked process; treat captured logs as sensitive.
# showStacks() prints a Java stack trace (Log.getStackTraceString of a new Throwable).
# The send() calls at the top reach on_message() through the 'message' handler
# registered below; console.log lines are rendered host-side by frida-python rather
# than by on_message — confirm for the installed frida version.
# NOTE(review): zhixie() passes "com/up366/common/StringUtils" to Java.use, a
# slash-separated name unlike every other dotted Java.use() argument in this agent;
# verify the class name before re-enabling that call.
jscode = """
Java.perform(function() {
    send("注入frida成功!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!")
    send("注入frida成功!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!")
    send("注入frida成功!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!")
    send("注入frida成功!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!")
    send("注入frida成功!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!")

function tongsha(){
    var secretKeySpec = Java.use('javax.crypto.spec.SecretKeySpec');
    secretKeySpec.$init.overload('[B','java.lang.String').implementation = function (a,b) {
        var result = this.$init(a, b);
        console.log("======================================");
        console.log("算法名:" + b + "|Dec密钥:" + ByteToString(a));
        console.log("算法名:" + b + "|Hex密钥:" +BytesToHex(a));
        return result;
    }
    var mac = Java.use('javax.crypto.Mac');
    mac.getInstance.overload('java.lang.String').implementation = function (a) {
        var result = this.getInstance(a);
        console.log("======================================");
        console.log("算法名:" + a);
        return result;
    }
    mac.update.overload('[B').implementation = function (a) {
        this.update(a);
        console.log("======================================");
        console.log("update:" + ByteToString(a))
    }
    mac.update.overload('[B','int','int').implementation = function (a,b,c) {
        this.update(a,b,c)
        console.log("======================================");
        console.log("update:" + ByteToString(a) + "|" + b + "|" + c);
    }
    mac.doFinal.overload().implementation = function () {
        var result = this.doFinal();
        console.log("======================================");
        console.log("doFinal结果:" + BytesToHex(result));
        console.log("doFinal结果:" +BytesToBase64(result));
        return result;
    }
    mac.doFinal.overload('[B').implementation = function (a) {
        var result = this.doFinal(a);
        console.log("======================================");
        console.log("doFinal参数:" + ByteToString(a));
        console.log("doFinal结果:" + BytesToHex(result));
        console.log("doFinal结果:" + BytesToBase64(result));
        return result;
    }
        var md = Java.use('java.security.MessageDigest');
    md.getInstance.overload('java.lang.String','java.lang.String').implementation = function (a,b) {
        console.log("======================================");
        console.log("算法名:" + a);
        return this.getInstance(a, b);
    }
    md.getInstance.overload('java.lang.String').implementation = function (a) {
        console.log("======================================");
        console.log("算法名:" + a);
        return this.getInstance(a);
    }
    md.update.overload('[B').implementation = function (a) {
        console.log("======================================");
        console.log("update:" + ByteToString(a))
        return this.update(a);
    }
    md.update.overload('[B','int','int').implementation = function (a,b,c) {
        console.log("======================================");
        console.log("update:" + ByteToString(a) + "|" + b + "|" + c);
        return this.update(a,b,c);
    }
    md.digest.overload().implementation = function () {
        console.log("======================================");
        var result = this.digest();
        console.log("digest结果:" + BytesToHex(result));
        //console.log("digest结果:" +ByteToString(result));
        return result;
    }
    md.digest.overload('[B').implementation = function (a) {
        console.log("======================================");
        console.log("digest参数:" + ByteToString(a));
        var result = this.digest(a);
        console.log("digest结果:" + BytesToHex(result));
       // console.log("digest结果:" + ByteToString(result));
        return result;
    }
    var ivParameterSpec = Java.use('javax.crypto.spec.IvParameterSpec');
    ivParameterSpec.$init.overload('[B').implementation = function (a) {
        var result = this.$init(a);
        console.log("======================================");
        console.log("iv向量:" + ByteToString(a));
        console.log("iv向量:" + BytesToHex(a));
        return result;
    }
    var cipher = Java.use('javax.crypto.Cipher');
    cipher.getInstance.overload('java.lang.String').implementation = function (a) {
        var result = this.getInstance(a);
        console.log("======================================");
        console.log("模式填充:" + a);
        return result;
    }
    cipher.update.overload('[B').implementation = function (a) {
        var result = this.update(a);
        console.log("======================================");
        console.log("update:" + ByteToString(a));
        return result;
    }
    cipher.update.overload('[B','int','int').implementation = function (a,b,c) {
        var result = this.update(a,b,c);
        console.log("======================================");
        console.log("update:" + ByteToString(a) + "|" + b + "|" + c);
        return result;
    }
    cipher.doFinal.overload().implementation = function () {
        var result = this.doFinal();
        console.log("======================================");
        console.log("doFinal结果:" + BytesToHex(result));
        console.log("doFinal结果:" + BytesToBase64(result));
        
        return result;
    }
    cipher.doFinal.overload('[B').implementation = function (a) {
        var result = this.doFinal(a);
        console.log("======================================");
        console.log("doFinal参数:" + ByteToString(a));
        console.log("doFinal结果:" + BytesToHex(result));
        console.log("doFinal结果:" + BytesToBase64(result));
        
        return result;
    }
    var x509EncodedKeySpec = Java.use('java.security.spec.X509EncodedKeySpec');
    x509EncodedKeySpec.$init.overload('[B').implementation = function (a) {
        var result = this.$init(a);
        console.log("======================================");
        console.log("RSA密钥:" + BytesToBase64(a));
        return result;
    }
    var rSAPublicKeySpec = Java.use('java.security.spec.RSAPublicKeySpec');
    rSAPublicKeySpec.$init.overload('java.math.BigInteger','java.math.BigInteger').implementation = function (a,b) {
        var result = this.$init(a,b);
        console.log("======================================");
        //send("RSA密钥:" + bytesToBase64(a));
        console.log("RSA密钥N:" + a.toString(16));
        console.log("RSA密钥E:" + b.toString(16));
        return result;
    }
}
function showStacks(){
    //var stack = Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Exception").$new());
    var stack = Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Throwable").$new());
    console.log(stack);}

var base64EncodeChars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/',
base64DecodeChars = new Array((-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), 62, (-1), (-1), (-1), 63, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, (-1), (-1), (-1), (-1), (-1), (-1), (-1), 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, (-1), (-1), (-1), (-1), (-1), (-1), 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, (-1), (-1), (-1), (-1), (-1));
function StringToBase64(e) {
    var r,a,c,h,o,t;
    for (c = e.length, a = 0, r = ''; a < c; ) {
        if (h = 255 & e.charCodeAt(a++), a == c) {
            r += base64EncodeChars.charAt(h >> 2),
            r += base64EncodeChars.charAt((3 & h) << 4),
            r += '==';
            break
        }
        if (o = e.charCodeAt(a++), a == c) {
            r += base64EncodeChars.charAt(h >> 2),
            r += base64EncodeChars.charAt((3 & h) << 4 | (240 & o) >> 4),
            r += base64EncodeChars.charAt((15 & o) << 2),
            r += '=';
            break
        }
        t = e.charCodeAt(a++),
        r += base64EncodeChars.charAt(h >> 2),
        r += base64EncodeChars.charAt((3 & h) << 4 | (240 & o) >> 4),
        r += base64EncodeChars.charAt((15 & o) << 2 | (192 & t) >> 6),
        r += base64EncodeChars.charAt(63 & t)
    }
    return r
}
function Base64ToString(e) {
    var r,a,c,h,o,t,d;
    for (t = e.length, o = 0, d = ''; o < t; ) {
        do
            r = base64DecodeChars[255 & e.charCodeAt(o++)];
        while (o < t && r == -1);
        if (r == -1)
            break;
        do
            a = base64DecodeChars[255 & e.charCodeAt(o++)];
        while (o < t && a == -1);
        if (a == -1)
            break;
        d += String.fromCharCode(r << 2 | (48 & a) >> 4);
        do {
            if (c = 255 & e.charCodeAt(o++), 61 == c)
                return d;
            c = base64DecodeChars[c]
        } while (o < t && c == -1);
        if (c == -1)
            break;
        d += String.fromCharCode((15 & a) << 4 | (60 & c) >> 2);
        do {
            if (h = 255 & e.charCodeAt(o++), 61 == h)
                return d;
            h = base64DecodeChars[h]
        } while (o < t && h == -1);
        if (h == -1)
            break;
        d += String.fromCharCode((3 & c) << 6 | h)
    }
    return d
}
function HexToBytes(str) {
    var pos = 0;
    var len = str.length;
    if (len % 2 != 0) {
        return null;
    }
    len /= 2;
    var hexA = new Array();
    for (var i = 0; i < len; i++) {
        var s = str.substr(pos, 2);
        var v = parseInt(s, 16);
        hexA.push(v);
        pos += 2;
    }
    return hexA;
}
function BytesToHex(arr) {
    var str = '';
    var k,j;
    for(var i = 0; i<arr.length; i++) {
        k = arr[i];
        j = k;
        if (k < 0) {
            j = k + 256;
        }
        if (j < 16) {
            str += "0";
        }
        str += j.toString(16);
    }
    return str;
}
function StringToHex(str) {
    var val = "";
    for (var i = 0; i < str.length; i++) {
        if (val == "")
            val = str.charCodeAt(i).toString(16);
        else
            val += str.charCodeAt(i).toString(16);
    }
    return val
}
function StringToBytes(str) {  
    var ch, st, re = []; 
    for (var i = 0; i < str.length; i++ ) { 
        ch = str.charCodeAt(i);  
        st = [];                 
       do {  
            st.push( ch & 0xFF );  
            ch = ch >> 8;          
        }    
        while ( ch );  
        re = re.concat( st.reverse() ); 
    }  
    return re;  
} 
function ByteToString(arr) {
if (typeof arr === 'string') {
    return arr;
}
var str = '',
    _arr = arr;
for (var i = 0; i < _arr.length; i++) {
    var one = _arr[i].toString(2),
        v = one.match(/^1+?(?=0)/);
    if (v && one.length == 8) {
        var bytesLength = v[0].length;
        var store = _arr[i].toString(2).slice(7 - bytesLength);
        for (var st = 1; st < bytesLength; st++) {
            store += _arr[st + i].toString(2).slice(2);
        }
        str += String.fromCharCode(parseInt(store, 2));
        i += bytesLength - 1;
    } else {
        str += String.fromCharCode(_arr[i]);
    }
}
return str;
};
function BytesToBase64(e){
    var r,a,c,h,o,t;
    for (c = e.length, a = 0, r = ''; a < c; ) {
        if (h = 255 & e[a++], a == c) {
            r += base64EncodeChars.charAt(h >> 2),
            r += base64EncodeChars.charAt((3 & h) << 4),
            r += '==';
            break
        }
        if (o = e[a++], a == c) {
            r += base64EncodeChars.charAt(h >> 2),
            r += base64EncodeChars.charAt((3 & h) << 4 | (240 & o) >> 4),
            r += base64EncodeChars.charAt((15 & o) << 2),
            r += '=';
            break
        }
        t = e[a++],
        r += base64EncodeChars.charAt(h >> 2),
        r += base64EncodeChars.charAt((3 & h) << 4 | (240 & o) >> 4),
        r += base64EncodeChars.charAt((15 & o) << 2 | (192 & t) >> 6),
        r += base64EncodeChars.charAt(63 & t)
    }
    return r
}
function Base64ToBytes(e){
    var r,a,c,h,o,t,d;
    for (t = e.length, o = 0, d = []; o < t; ) {
        do
            r = base64DecodeChars[255 & e.charCodeAt(o++)];
        while (o < t && r == -1);
        if (r == -1)
            break;
        do
            a = base64DecodeChars[255 & e.charCodeAt(o++)];
        while (o < t && a == -1);
        if (a == -1)
            break;
        d.push(r << 2 | (48 & a) >> 4);
        do {
            if (c = 255 & e.charCodeAt(o++), 61 == c)
                return d;
            c = base64DecodeChars[c]
        } while (o < t && c == -1);
        if (c == -1)
            break;
        d.push((15 & a) << 4 | (60 & c) >> 2);
        do {
            if (h = 255 & e.charCodeAt(o++), 61 == h)
                return d;
            h = base64DecodeChars[h]
        } while (o < t && h == -1);
        if (h == -1)
            break;
        d.push((3 & c) << 6 | h)
    }
    return d
}


///
function zhixie(){
 var nuo = Java.use("com/up366/common/StringUtils");
    nuo.getUt.implementation=function(a,b){
       console.log("      ");
       console.log("      ");
       console.log("      ");
       console.log("a:"+a);
       console.log("b:"+b);
       console.log("=================***自设hook开始***=================");
       var data=this.getUt(a,b);//切记修改函数名
       console.log("结果:"+data);
       console.log("=================***自设hook结束***=================");
       showStacks();
       console.log("=================***调用堆栈打印***=================");
       return data;   
       }
     
}


//调用函数
tongsha();
//zhixie();
    
    
});
"""


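def _list_third_party_packages() -> list[str]:
    """Return the non-empty lines of ``adb shell pm list packages -3``.

    Each line keeps adb's ``package:`` prefix (8 characters); callers strip it
    with ``[8:]`` as the rest of the script does.
    """
    raw_lines = os.popen('adb shell pm list packages -3').read().split("\n")
    # Build a new list rather than calling list.remove() while iterating the
    # same list, which silently skips the element following every removal.
    return [line for line in raw_lines if line != '']


def _choose_package(packages: list[str]) -> str:
    """Print the numbered package list and prompt until a valid index is typed.

    Returns the bare package name (``package:`` prefix removed).
    Exits with status 1 when *packages* is empty, since there is nothing to
    attach to and indexing would otherwise fail.
    """
    if not packages:
        print("未获取到第三方应用包名,请检查 adb 连接")
        sys.exit(1)
    for index, line in enumerate(packages):
        print(index, line[8:])
    while True:
        choice = input("输入注入包名下标:")
        try:
            return packages[int(choice)][8:]
        except (ValueError, IndexError):
            # Non-numeric or out-of-range input used to abort the script with a
            # traceback; re-prompt instead.
            print("无效下标!")


def _wait_for_process(package: str) -> None:
    """Poll ``frida-ps -U`` until *package* is listed or the user chooses to inject anyway.

    Option 3 at the prompt exits the interpreter; any other answer re-checks.
    """
    while True:
        # Shows the full app list (with identifiers) for the user's benefit;
        # the match below is done on the plain ``frida-ps -U`` output.
        os.system('frida-ps -Uai')
        process_lines = os.popen('frida-ps -U').read().split("\n")
        running = False
        for line in process_lines:
            # NOTE(review): assumes frida-ps separates PID and name with at
            # least two spaces and that the name is the second field — confirm
            # against the installed frida-tools version.
            columns = line.split("  ")
            if len(columns) > 1 and columns[1] == package:
                print("=======================================")
                print("注入进程正在运行中可以正常注入")
                print(line)
                running = True
        if running:
            return
        print("没有检测要注入到设备的进程!!!")
        answer = input("1:继续检测 2:直接注入 3:退出:")
        if answer == '1':
            print("重新检测进程!")
        elif answer == '2':
            return
        elif answer == '3':
            print("退出!!!!!!!!!!!!!!!!!!!!!!!!!!")
            sys.exit()


# Module-level names kept for the attach code further down.
adb获取包名 = _list_third_party_packages()
App包名 = _choose_package(adb获取包名)
print(App包名)
_wait_for_process(App包名)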
def on_message(message, data):
    """Frida 'message' callback.

    'send' messages from the agent are printed as ``[*] <payload>``; every
    other message (e.g. errors) is printed verbatim. *data* is the optional
    binary attachment frida passes alongside and is not used here.
    """
    if message['type'] != 'send':
        print(message)
        return
    print(f"[*] {message['payload']}")
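# Start frida-server on the device first (device-side shell):
#cd .//data/local/tmp/server14.2.15
# Port forwarding (the 27042 forward is done below):
#adb forward tcp:27043 tcp:27043
#adb forward tcp:27042 tcp:27042
# Forward the Frida server's default TCP port so frida.get_remote_device()
# (default endpoint 127.0.0.1:27042) reaches the device-side frida-server.
if os.system("adb forward tcp:27042 tcp:27042") != 0:
    # A failed forward would otherwise surface later as an opaque connection
    # error from get_remote_device(); say why up front but keep going so the
    # original behaviour (try to connect anyway) is preserved.
    print("adb forward 失败,请检查设备连接")
# Locate the remote device and attach to the chosen package.
#rdev = frida.get_usb_device()  # abandoned by the author in favour of the remote device
rdev = frida.get_remote_device()
print("连接~~~~~~~~模拟器*手机~~~~~~~~~设备:", rdev)
print('=======================================')
# attach() returns a frida session; the name `process` is kept as-is.
process = rdev.attach(App包名)
try:
    # Create the script inside the target process.
    script = process.create_script(jscode)
    # Register the message callback.
    script.on('message', on_message)
    # Load the prepared JavaScript agent.
    script.load()
    # Block until stdin is closed (EOF / Ctrl-D); the hooks stay active meanwhile.
    sys.stdin.read()
finally:
    # Detach cleanly on EOF or Ctrl-C instead of leaving the session dangling.
    process.detach()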