更新 hookssl.js

hook.log

@@ -1,18 +0,0 @@
-     ____
-    / _  |   Frida 16.0.19 - A world-class dynamic instrumentation toolkit
-   | (_| |
-    > _  |   Commands:
-   /_/ |_|       help      -> Displays the help system
-   . . . .       object?   -> Display information about 'object'
-   . . . .       exit/quit -> Exit
-   . . . .
-   . . . .   More info at https://frida.re/docs/home/
-   . . . .
-   . . . .   Connected to Pixel 3 (id=89KX0AVQN)
-Spawning `com.naviapp`...
-Script loaded successfully
-Spawned `com.naviapp`. Resuming main thread!
-[Pixel 3::com.naviapp ]-> URL request: https://launches.appsflyer.com/api/v6.3/androidevent?app_id=com.naviapp&buildnumber=6.3.2
-URL request: https://inapps.appsflyer.com/api/v6.3/androidevent?app_id=com.naviapp&buildnumber=6.3.2
-
-[Pixel 3::com.naviapp ]-> 

hook_conversions.js

@@ -1,17 +0,0 @@
-console.log("Script loaded successfully");
-Java.perform(function() {
-    var URL = Java.use('java.net.URL');
-        URL.$init.overload('java.lang.String').implementation = function(spec) {
-            if (spec.includes("appsflyer")){
-                console.log("URL request: " + spec);
-            }
-        return this.$init(spec);
-    };
-});
-
-
-
-
-
-
-

main.py

@@ -1,32 +1,76 @@
 import frida
 import modules.command
+import modules.files_utils
+import sys
+import time
+
+
+FIRST_WRITE = True  # 全局变量，用于跟踪是否是首次写入
 
 def on_message(message, data):
     print(message)
+    # modules.files_utils.write_log(message)
+    # print(message)
+    # if message['type'] == 'send':
+    #     print(message['payload'])
 
-def main(attach_process_name,package_name):
+def attach_method(is_spawn):
+    if type(is_spawn) == bool:
+        if is_spawn:
+            return True
+        else:
+            return False
+    else:
+        print(f"is_spawn type error,please check is_spawn type.")
+
+
+def main(package_name,script_path,is_spawn):
+    # 从Python发送数据到Frida的JavaScript脚本
+    print(f"script_path: {script_path}")
+    js_code = modules.files_utils.read_javascript(script_path)
+    # print(js_code)
     modules.command.start_frida()
-    modules.command.clearCache(package_name)
+    # modules.command.clearCache(package_name)
     # 连接到USB设备
     device = frida.get_usb_device()
-    pid = 0
-    # 列出设备上的所有进程
-    processes = device.enumerate_processes()
-    for process in processes:
-        if process.name == attach_process_name:
-            pid = process.pid
-            print(process.pid, process.name)
-    # 如果你想附加到一个特定的进程并注入一个脚本：
-    session = device.attach(pid)
-    script = session.create_script("""
-        console.log("Hello from Frida!");
-    """)
-    script.on('message', on_message)
-    script.load()
+    print(device)
+    if attach_method(is_spawn):
+        pid = device.spawn(package_name)
+        print(f"进程pid: {pid}")
+        process = device.attach(pid)
+        script = process.create_script(js_code)
+        # script.on("message", on_message)
+        script.load()
+        # data_to_send = {'data': 'Hello from Python!'}
+        # script.post({'type': 'input_data', 'payload': data_to_send})
+        device.resume(pid)  # 加载完脚本后, 恢复进程运行
+        sys.stdin.read()
+    else:
+        # 列出设备上的所有进程
+        pid = None
+        processes = device.enumerate_processes()
+        for process in processes:
+            if process.name == attach_process_name:
+                pid = process.pid
+                print(f"pid: {process.pid},App Name: {process.name}")
+        # 如果你想附加到一个特定的进程并注入一个脚本：
+        if pid is not None:
+            session = device.attach(pid)
+            script = session.create_script(js_code)
+            script.on('message', on_message)
+            script.load()
+        else:
+            print(f"get process error")
 
 
 if __name__ == '__main__':
-    attach_process_name = "Navi"
-    package_name = "com.naviapp"
-    js_script =
-    main(attach_process_name,package_name)
+    # 是否以spawn模式运行
+    is_spawn = True
+    # 目标进程名
+    attach_process_name = "百度网盘"
+    # 目标包名
+    package_name = "com.baidu.netdisk"
+    # 注入的脚本路径
+    # script_path = "scripts/hook_conversions.js"
+    script_path = "scripts/baidunetdisk.js"
+    main(package_name,script_path, is_spawn)

modules/command.py

@@ -76,7 +76,7 @@ def clearCache(package_name):
     if stopApp(package_name):
         output, status_code, error = run_adb_command(['adb', 'shell', 'pm', 'clear', package_name])
         if status_code == 0:
-            print(f"clear cache status_code: {status_code}\n output: {output}")
+            print(f"clear cache status_code: {status_code}\noutput: {output}")
             return True
         else:
             print(error)
@@ -89,7 +89,7 @@ def stopApp(package_name):
     print(f"强行停止{package_name}")
     output, status_code, error = run_adb_command(['adb', 'shell', 'am', 'force-stop', package_name])
     if status_code == 0:
-        print(f"status_code: {status_code}\n output: {output}")
+        print(f"status_code: {status_code}\noutput: {output}")
         return True
     else:
         print(error)

modules/files_utils.py

@@ -10,5 +10,14 @@ def get_path(script_name):
     return script_path
 
 def read_javascript(script_path):
-
-
+    with open(script_path, "r") as file:
+        script_code = file.read()
+        return script_code
+def write_log(messages):
+    global FIRST_WRITE
+    print(f"FIRST_WRITE: {FIRST_WRITE}")
+    with open("frida_log.log", "a") as log_file:
+        if FIRST_WRITE:  # 如果是首次写入
+            log_file.write("\n\n\n")  # 空出三行
+            FIRST_WRITE = False  # 更新状态，表明已经写过了
+        log_file.write(str(messages) + "\n")

scripts/baidunetdisk.js

@@ -0,0 +1,21 @@
+console.log("Script loaded successfully");
+
+Java.perform(function () {
+    var Request = Java.use("okhttp3.Request");
+
+    // Hook Request的toString方法
+    Request.toString.implementation = function () {
+        // 调用原始的toString方法并保存结果
+        var result = this.toString();
+
+        // 打印结果
+        console.log("Request.toString result: " + result);
+
+        // 返回原始方法调用的结果
+        return result;
+    };
+});
+
+
+
+

scripts/hook_conversions.js

@@ -0,0 +1,197 @@
+log_info("Script loaded successfully");
+// hook_okhttp_client()
+if (Java.available) {
+    hook_json()
+    let class_name = "okhttp3.OkHttpClient"
+    if (check_class(class_name)){
+        hook_okhttp_client()
+    }
+    Java.perform(function () {
+        log_info("start hook java.net.URL");
+        var URL = Java.use('java.net.URL');
+        URL.$init.overload('java.lang.String').implementation = function (spec) {
+            // console.log("URL request:" + spec)
+            log_info("URL request: " + spec)
+            if (spec.includes("appsflyer")) {
+                // console.log("URL request: " + spec);
+                if (spec.includes("conversions")) {
+                    var stackTrace = Java.use('java.lang.Exception').$new().getStackTrace().toString();
+                    // console.log(stackTrace);
+                }
+            }
+            return this.$init(spec);
+        };
+    });
+}
+
+function printMethods(className) {
+    log_info("start print methods.")
+    var jclass = Java.use(className);
+    var methods = jclass.class.getDeclaredMethods();
+    console.log("Printing methods of " + className + ":\n");
+    methods.forEach(function (method) {
+        // console.log(method);
+        log_info("The methods under the class" + className + " are: " + method);
+    });
+}
+
+function hook_okhttp_client() {
+    if (Java.available) {
+        Java.perform(function () {
+            log_info("start hook_okhttp_client.")
+            try {
+                var OkHttpClient = Java.use("okhttp3.OkHttpClient");
+                OkHttpClient.newCall.overload('okhttp3.Request').implementation = function (request) {
+                    var requestUrl = request.url();
+                    if (requestUrl) {
+                        console.log("OkHttp Request URL: " + requestUrl.toString());
+                    } else {
+                        console.log("OkHttp Request URL is not available");
+                    }
+                    console.log("OkHttp Request Headers: " + request.headers().toString());
+
+                    if (request.method() == "POST") {
+                        console.log("OkHttp Request Body: " + request.body().contentType().toString());
+                    }
+                    var call = this.newCall(request);
+                    var response = call.execute();
+                    console.log("OkHttp Response: " + response.body().string());
+                    return call;
+                };
+
+            } catch (e) {
+                console.log("Error hooking OkHttp: " + e);
+            }
+        });
+    }
+}
+
+function hook_HttpURLConnection_stream() {
+    console.log("start hook_HttpURLConnection_stream")
+    if (Java.available) {
+        Java.perform(function () {
+            var HttpURLConnection = Java.use("java.net.HttpURLConnection");
+
+            HttpURLConnection.getOutputStream.implementation = function () {
+                var outputStream = this.getOutputStream();
+                var OutputStreamWrapper = Java.use("java.io.OutputStream");
+
+                var newOutputStream = Java.registerClass({
+                    name: "CustomOutputStream",
+                    superClass: OutputStreamWrapper,
+                    methods: {
+                        write: function (buffer, byteOffset, byteCount) {
+                            var data = Array.prototype.slice.call(buffer.slice(byteOffset, byteOffset + byteCount));
+                            console.log("Request data: " + String.fromCharCode.apply(null, data));
+                            outputStream.write(buffer, byteOffset, byteCount);
+                        }
+                    }
+                });
+
+                return newOutputStream.$new(outputStream);
+            };
+
+            HttpURLConnection.getInputStream.implementation = function () {
+                var inputStream = this.getInputStream();
+                var InputStreamWrapper = Java.use("java.io.InputStream");
+
+                var newInputStream = Java.registerClass({
+                    name: "CustomInputStream",
+                    superClass: InputStreamWrapper,
+                    methods: {
+                        read: function (buffer, byteOffset, byteCount) {
+                            var bytesRead = inputStream.read(buffer, byteOffset, byteCount);
+                            if (bytesRead != -1) {
+                                var data = Array.prototype.slice.call(buffer.slice(byteOffset, byteOffset + bytesRead));
+                                console.log("Response data: " + String.fromCharCode.apply(null, data));
+                            }
+                            return bytesRead;
+                        }
+                    }
+                });
+
+                return newInputStream.$new(inputStream);
+            };
+        });
+    }
+
+}
+
+
+function hook_retrofit() {
+    Java.perform(function () {
+        var retrofitBuilder = Java.use("retrofit2.Retrofit$Builder");
+        retrofitBuilder.build.implementation = function () {
+            var retrofit = this.build();
+            var httpClient = retrofit.callFactory().clone();
+            httpClient.interceptors().add(new Java.use('okhttp3.Interceptor')({
+                intercept: function (chain) {
+                    console.log("HTTP Request -> " + chain.request().toString())
+                    var response = chain.proceed(chain.request());
+                    console.log("HTTP Response -> " + response.toString());
+                    return response;
+                }
+            }))
+            return retrofit.newBuilder()
+                .callFactory(httpClient)
+                .build();
+        }
+    });
+}
+
+
+function hook_json() {
+    Java.perform(function () {
+        var JSONObject = Java.use('org.json.JSONObject');
+        JSONObject.toString.overload().implementation = function () {
+            var result = this.toString.call(this);
+            // get_conversions(result)
+            // log_info("Serialized JSONObject: " + result)
+            return result;
+        };
+    });
+}
+
+
+function log_info(messages) {
+    const now = new Date();
+    const year = now.getFullYear();
+    const month = String(now.getMonth() + 1).padStart(2, '0'); // Months are 0-based
+    const day = String(now.getDate()).padStart(2, '0');
+    const hours = String(now.getHours()).padStart(2, '0');
+    const minutes = String(now.getMinutes()).padStart(2, '0');
+    const seconds = String(now.getSeconds()).padStart(2, '0');
+    const milliseconds = String(now.getMilliseconds()).padStart(3, '0');
+
+    const timestamp = `${year}-${month}-${day} ${hours}:${minutes}:${seconds}:${milliseconds}`;
+
+    console.log(`${timestamp} - ${messages}`);
+    send(`${timestamp} - ${messages}`);
+}
+
+function check_class(class_name) {
+    var classFound = false; // 默认为未找到
+    Java.enumerateLoadedClasses({
+        onMatch: function(currentClassName) {
+            if (currentClassName === class_name) {
+                classFound = true; // 如果找到了类，则设置为true
+            }
+        },
+        onComplete: function() {
+            if (classFound) {
+                log_info(class_name + " has been loaded!");
+            } else {
+                log_info(class_name + " has not been loaded yet.");
+            }
+        }
+    });
+    return classFound;
+}
+
+recv('input_data', function(payload) {
+    console.log(typeof(payload))
+
+    console.log(JSON.stringify(payload))
+    console.log('Received data from Python: ' + payload.payload.data);
+});
+

scripts/hook_qqmusic.js

@@ -0,0 +1,40 @@
+log_info("Script loaded successfully");
+if (Java.available) {
+    hook_json()
+    Java.perform(function () {
+        log_info("start hook java.net.URL");
+        var URL = Java.use('java.net.URL');
+        URL.$init.overload('java.lang.String').implementation = function (spec) {
+            log_info("URL request: " + spec)
+            return this.$init(spec);
+        };
+    });
+}
+
+function log_info(messages) {
+    const now = new Date();
+    const year = now.getFullYear();
+    const month = String(now.getMonth() + 1).padStart(2, '0'); // Months are 0-based
+    const day = String(now.getDate()).padStart(2, '0');
+    const hours = String(now.getHours()).padStart(2, '0');
+    const minutes = String(now.getMinutes()).padStart(2, '0');
+    const seconds = String(now.getSeconds()).padStart(2, '0');
+    const milliseconds = String(now.getMilliseconds()).padStart(3, '0');
+
+    const timestamp = `${year}-${month}-${day} ${hours}:${minutes}:${seconds}:${milliseconds}`;
+
+    console.log(`${timestamp} - ${messages}`);
+    send(`${timestamp} - ${messages}`);
+}
+
+function hook_json() {
+    Java.perform(function () {
+        var JSONObject = Java.use('org.json.JSONObject');
+        JSONObject.toString.overload().implementation = function () {
+            var result = this.toString.call(this);
+            // get_conversions(result)
+            log_info("Serialized JSONObject: " + result)
+            return result;
+        };
+    });
+}

scripts/hookssl.js

@@ -0,0 +1,362 @@
+console.log("Script loaded successfully");
+Java.perform(function() {
+
+/*
+hook list:
+1.SSLcontext
+2.okhttp
+3.webview
+4.XUtils
+5.httpclientandroidlib
+6.JSSE
+7.network\_security\_config (android 7.0+)
+8.Apache Http client (support partly)
+9.OpenSSLSocketImpl
+10.TrustKit
+11.Cronet
+*/
+
+	// Attempts to bypass SSL pinning implementations in a number of
+	// ways. These include implementing a new TrustManager that will
+	// accept any SSL certificate, overriding OkHTTP v3 check()
+	// method etc.
+	var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');
+	var HostnameVerifier = Java.use('javax.net.ssl.HostnameVerifier');
+	var SSLContext = Java.use('javax.net.ssl.SSLContext');
+	var quiet_output = false;
+
+	// Helper method to honor the quiet flag.
+
+	function quiet_send(data) {
+
+		if (quiet_output) {
+
+			return;
+		}
+
+		send(data)
+	}
+
+
+	// Implement a new TrustManager
+	// ref: https://gist.github.com/oleavr/3ca67a173ff7d207c6b8c3b0ca65a9d8
+	// Java.registerClass() is only supported on ART for now(201803). 所以android 4.4以下不兼容,4.4要切换成ART使用.
+	/*
+06-07 16:15:38.541 27021-27073/mi.sslpinningdemo W/System.err: java.lang.IllegalArgumentException: Required method checkServerTrusted(X509Certificate[], String, String, String) missing
+06-07 16:15:38.542 27021-27073/mi.sslpinningdemo W/System.err:     at android.net.http.X509TrustManagerExtensions.<init>(X509TrustManagerExtensions.java:73)
+        at mi.ssl.MiPinningTrustManger.<init>(MiPinningTrustManger.java:61)
+06-07 16:15:38.543 27021-27073/mi.sslpinningdemo W/System.err:     at mi.sslpinningdemo.OkHttpUtil.getSecPinningClient(OkHttpUtil.java:112)
+        at mi.sslpinningdemo.OkHttpUtil.get(OkHttpUtil.java:62)
+        at mi.sslpinningdemo.MainActivity$1$1.run(MainActivity.java:36)
+*/
+	var X509Certificate = Java.use("java.security.cert.X509Certificate");
+	var TrustManager;
+	try {
+		TrustManager = Java.registerClass({
+			name: 'org.wooyun.TrustManager',
+			implements: [X509TrustManager],
+			methods: {
+				checkClientTrusted: function(chain, authType) {},
+				checkServerTrusted: function(chain, authType) {},
+				getAcceptedIssuers: function() {
+					// var certs = [X509Certificate.$new()];
+					// return certs;
+					return [];
+				}
+			}
+		});
+	} catch (e) {
+		quiet_send("registerClass from X509TrustManager >>>>>>>> " + e.message);
+	}
+	// Prepare the TrustManagers array to pass to SSLContext.init()
+	var TrustManagers = [TrustManager.$new()];
+
+	try {
+		// Prepare a Empty SSLFactory
+		var TLS_SSLContext = SSLContext.getInstance("TLS");
+		TLS_SSLContext.init(null, TrustManagers, null);
+		var EmptySSLFactory = TLS_SSLContext.getSocketFactory();
+	} catch (e) {
+		quiet_send(e.message);
+	}
+
+	send('Custom, Empty TrustManager ready');
+
+	// Get a handle on the init() on the SSLContext class
+	var SSLContext_init = SSLContext.init.overload(
+		'[Ljavax.net.ssl.KeyManager;', '[Ljavax.net.ssl.TrustManager;', 'java.security.SecureRandom');
+
+	// Override the init method, specifying our new TrustManager
+	SSLContext_init.implementation = function(keyManager, trustManager, secureRandom) {
+
+		quiet_send('Overriding SSLContext.init() with the custom TrustManager');
+
+		SSLContext_init.call(this, null, TrustManagers, null);
+	};
+
+	/*** okhttp3.x unpinning ***/
+
+
+	// Wrap the logic in a try/catch as not all applications will have
+	// okhttp as part of the app.
+	try {
+
+		var CertificatePinner = Java.use('okhttp3.CertificatePinner');
+
+		quiet_send('OkHTTP 3.x Found');
+
+		CertificatePinner.check.overload('java.lang.String', 'java.util.List').implementation = function() {
+
+			quiet_send('OkHTTP 3.x check() called. Not throwing an exception.');
+		}
+
+	} catch (err) {
+
+		// If we dont have a ClassNotFoundException exception, raise the
+		// problem encountered.
+		if (err.message.indexOf('ClassNotFoundException') === 0) {
+
+			throw new Error(err);
+		}
+	}
+
+	// Appcelerator Titanium PinningTrustManager
+
+	// Wrap the logic in a try/catch as not all applications will have
+	// appcelerator as part of the app.
+	try {
+
+		var PinningTrustManager = Java.use('appcelerator.https.PinningTrustManager');
+
+		send('Appcelerator Titanium Found');
+
+		PinningTrustManager.checkServerTrusted.implementation = function() {
+
+			quiet_send('Appcelerator checkServerTrusted() called. Not throwing an exception.');
+		}
+
+	} catch (err) {
+
+		// If we dont have a ClassNotFoundException exception, raise the
+		// problem encountered.
+		if (err.message.indexOf('ClassNotFoundException') === 0) {
+
+			throw new Error(err);
+		}
+	}
+
+	/*** okhttp unpinning ***/
+
+
+	try {
+		var OkHttpClient = Java.use("com.squareup.okhttp.OkHttpClient");
+		OkHttpClient.setCertificatePinner.implementation = function(certificatePinner) {
+			// do nothing
+			quiet_send("OkHttpClient.setCertificatePinner Called!");
+			return this;
+		};
+
+		// Invalidate the certificate pinnet checks (if "setCertificatePinner" was called before the previous invalidation)
+		var CertificatePinner = Java.use("com.squareup.okhttp.CertificatePinner");
+		CertificatePinner.check.overload('java.lang.String', '[Ljava.security.cert.Certificate;').implementation = function(p0, p1) {
+			// do nothing
+			quiet_send("okhttp Called! [Certificate]");
+			return;
+		};
+		CertificatePinner.check.overload('java.lang.String', 'java.util.List').implementation = function(p0, p1) {
+			// do nothing
+			quiet_send("okhttp Called! [List]");
+			return;
+		};
+	} catch (e) {
+		quiet_send("com.squareup.okhttp not found");
+	}
+
+	/*** WebView Hooks ***/
+
+	/* frameworks/base/core/java/android/webkit/WebViewClient.java */
+	/* public void onReceivedSslError(Webview, SslErrorHandler, SslError) */
+	var WebViewClient = Java.use("android.webkit.WebViewClient");
+
+	WebViewClient.onReceivedSslError.implementation = function(webView, sslErrorHandler, sslError) {
+		quiet_send("WebViewClient onReceivedSslError invoke");
+		//执行proceed方法
+		sslErrorHandler.proceed();
+		return;
+	};
+
+	WebViewClient.onReceivedError.overload('android.webkit.WebView', 'int', 'java.lang.String', 'java.lang.String').implementation = function(a, b, c, d) {
+		quiet_send("WebViewClient onReceivedError invoked");
+		return;
+	};
+
+	WebViewClient.onReceivedError.overload('android.webkit.WebView', 'android.webkit.WebResourceRequest', 'android.webkit.WebResourceError').implementation = function() {
+		quiet_send("WebViewClient onReceivedError invoked");
+		return;
+	};
+
+	/*** JSSE Hooks ***/
+
+	/* libcore/luni/src/main/java/javax/net/ssl/TrustManagerFactory.java */
+	/* public final TrustManager[] getTrustManager() */
+	/* TrustManagerFactory.getTrustManagers maybe cause X509TrustManagerExtensions error  */
+	// var TrustManagerFactory = Java.use("javax.net.ssl.TrustManagerFactory");
+	// TrustManagerFactory.getTrustManagers.implementation = function(){
+	//     quiet_send("TrustManagerFactory getTrustManagers invoked");
+	//     return TrustManagers;
+	// }
+
+	var HttpsURLConnection = Java.use("javax.net.ssl.HttpsURLConnection");
+	/* libcore/luni/src/main/java/javax/net/ssl/HttpsURLConnection.java */
+	/* public void setDefaultHostnameVerifier(HostnameVerifier) */
+	HttpsURLConnection.setDefaultHostnameVerifier.implementation = function(hostnameVerifier) {
+		quiet_send("HttpsURLConnection.setDefaultHostnameVerifier invoked");
+		return null;
+	};
+	/* libcore/luni/src/main/java/javax/net/ssl/HttpsURLConnection.java */
+	/* public void setSSLSocketFactory(SSLSocketFactory) */
+	HttpsURLConnection.setSSLSocketFactory.implementation = function(SSLSocketFactory) {
+		quiet_send("HttpsURLConnection.setSSLSocketFactory invoked");
+		return null;
+	};
+	/* libcore/luni/src/main/java/javax/net/ssl/HttpsURLConnection.java */
+	/* public void setHostnameVerifier(HostnameVerifier) */
+	HttpsURLConnection.setHostnameVerifier.implementation = function(hostnameVerifier) {
+		quiet_send("HttpsURLConnection.setHostnameVerifier invoked");
+		return null;
+	};
+
+	/*** Xutils3.x hooks ***/
+	//Implement a new HostnameVerifier
+	var TrustHostnameVerifier;
+	try {
+		TrustHostnameVerifier = Java.registerClass({
+			name: 'org.wooyun.TrustHostnameVerifier',
+			implements: [HostnameVerifier],
+			method: {
+				verify: function(hostname, session) {
+					return true;
+				}
+			}
+		});
+
+	} catch (e) {
+		//java.lang.ClassNotFoundException: Didn't find class "org.wooyun.TrustHostnameVerifier"
+		quiet_send("registerClass from hostnameVerifier >>>>>>>> " + e.message);
+	}
+
+	try {
+		var RequestParams = Java.use('org.xutils.http.RequestParams');
+		RequestParams.setSslSocketFactory.implementation = function(sslSocketFactory) {
+			sslSocketFactory = EmptySSLFactory;
+			return null;
+		}
+
+		RequestParams.setHostnameVerifier.implementation = function(hostnameVerifier) {
+			hostnameVerifier = TrustHostnameVerifier.$new();
+			return null;
+		}
+
+	} catch (e) {
+		quiet_send("Xutils hooks not Found");
+	}
+
+	/*** httpclientandroidlib Hooks ***/
+	try {
+		var AbstractVerifier = Java.use("ch.boye.httpclientandroidlib.conn.ssl.AbstractVerifier");
+		AbstractVerifier.verify.overload('java.lang.String', '[Ljava.lang.String', '[Ljava.lang.String', 'boolean').implementation = function() {
+			quiet_send("httpclientandroidlib Hooks");
+			return null;
+		}
+	} catch (e) {
+		quiet_send("httpclientandroidlib Hooks not found");
+	}
+
+	/***
+android 7.0+ network_security_config TrustManagerImpl hook
+apache httpclient partly
+***/
+	var TrustManagerImpl = Java.use("com.android.org.conscrypt.TrustManagerImpl");
+	// try {
+	//     var Arrays = Java.use("java.util.Arrays");
+	//     //apache http client pinning maybe baypass
+	//     //https://github.com/google/conscrypt/blob/c88f9f55a523f128f0e4dace76a34724bfa1e88c/platform/src/main/java/org/conscrypt/TrustManagerImpl.java#471
+	//     TrustManagerImpl.checkTrusted.implementation = function (chain, authType, session, parameters, authType) {
+	//         quiet_send("TrustManagerImpl checkTrusted called");
+	//         //Generics currently result in java.lang.Object
+	//         return Arrays.asList(chain);
+	//     }
+	//
+	// } catch (e) {
+	//     quiet_send("TrustManagerImpl checkTrusted nout found");
+	// }
+
+	try {
+		// Android 7+ TrustManagerImpl
+		TrustManagerImpl.verifyChain.implementation = function(untrustedChain, trustAnchorChain, host, clientAuth, ocspData, tlsSctData) {
+			quiet_send("TrustManagerImpl verifyChain called");
+			// Skip all the logic and just return the chain again :P
+			//https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/november/bypassing-androids-network-security-configuration/
+			// https://github.com/google/conscrypt/blob/c88f9f55a523f128f0e4dace76a34724bfa1e88c/platform/src/main/java/org/conscrypt/TrustManagerImpl.java#L650
+			return untrustedChain;
+		}
+	} catch (e) {
+		quiet_send("TrustManagerImpl verifyChain nout found below 7.0");
+	}
+	// OpenSSLSocketImpl
+	try {
+		var OpenSSLSocketImpl = Java.use('com.android.org.conscrypt.OpenSSLSocketImpl');
+		OpenSSLSocketImpl.verifyCertificateChain.implementation = function(certRefs, authMethod) {
+			quiet_send('OpenSSLSocketImpl.verifyCertificateChain');
+		}
+
+		quiet_send('OpenSSLSocketImpl pinning')
+	} catch (err) {
+		quiet_send('OpenSSLSocketImpl pinner not found');
+	}
+	// Trustkit
+	try {
+		var Activity = Java.use("com.datatheorem.android.trustkit.pinning.OkHostnameVerifier");
+		Activity.verify.overload('java.lang.String', 'javax.net.ssl.SSLSession').implementation = function(str) {
+			quiet_send('Trustkit.verify1: ' + str);
+			return true;
+		};
+		Activity.verify.overload('java.lang.String', 'java.security.cert.X509Certificate').implementation = function(str) {
+			quiet_send('Trustkit.verify2: ' + str);
+			return true;
+		};
+
+		quiet_send('Trustkit pinning')
+	} catch (err) {
+		quiet_send('Trustkit pinner not found')
+	}
+
+	try {
+		//cronet pinner hook
+		//weibo don't invoke
+
+		var netBuilder = Java.use("org.chromium.net.CronetEngine$Builder");
+
+		//https://developer.android.com/guide/topics/connectivity/cronet/reference/org/chromium/net/CronetEngine.Builder.html#enablePublicKeyPinningBypassForLocalTrustAnchors(boolean)
+		netBuilder.enablePublicKeyPinningBypassForLocalTrustAnchors.implementation = function(arg) {
+
+			//weibo not invoke
+			console.log("Enables or disables public key pinning bypass for local trust anchors = " + arg);
+
+			//true to enable the bypass, false to disable.
+			var ret = netBuilder.enablePublicKeyPinningBypassForLocalTrustAnchors.call(this, true);
+			return ret;
+		};
+
+		netBuilder.addPublicKeyPins.implementation = function(hostName, pinsSha256, includeSubdomains, expirationDate) {
+			console.log("cronet addPublicKeyPins hostName = " + hostName);
+
+			//var ret = netBuilder.addPublicKeyPins.call(this,hostName, pinsSha256,includeSubdomains, expirationDate);
+			//this 是调用 addPublicKeyPins 前的对象吗? Yes,CronetEngine.Builder
+			return this;
+		};
+
+	} catch (err) {
+		console.log('[-] Cronet pinner not found')
+	}
+});

scripts/monitor_request.js

@@ -0,0 +1,32 @@
+log_info("Script loaded successfully");
+Java.perform(function () {
+  var OkHttpClient = Java.use('okhttp3.OkHttpClient');
+  var Request = Java.use('okhttp3.Request');
+
+  OkHttpClient.newCall.implementation = function (request) {
+    var url = request.url().toString();
+    var method = request.method();
+    var body = request.body();
+    var size = body != null ? body.contentLength() / 1024 : 0;
+    console.log("Method: " + method + "\nURL: " + url + "\nSize: " + size + " kb");
+
+    return this.newCall(request);
+  };
+});
+
+
+function log_info(messages) {
+    const now = new Date();
+    const year = now.getFullYear();
+    const month = String(now.getMonth() + 1).padStart(2, '0'); // Months are 0-based
+    const day = String(now.getDate()).padStart(2, '0');
+    const hours = String(now.getHours()).padStart(2, '0');
+    const minutes = String(now.getMinutes()).padStart(2, '0');
+    const seconds = String(now.getSeconds()).padStart(2, '0');
+    const milliseconds = String(now.getMilliseconds()).padStart(3, '0');
+
+    const timestamp = `${year}-${month}-${day} ${hours}:${minutes}:${seconds}:${milliseconds}`;
+
+    console.log(`${timestamp} - ${messages}`);
+    send(`${timestamp} - ${messages}`);
+}

scripts/test.js

@@ -0,0 +1,20 @@
+Java.perform(function() {
+    var ByteArrayOutputStream = Java.use('java.io.ByteArrayOutputStream');
+    var HttpsURLConnection = Java.use('javax.net.ssl.HttpsURLConnection');
+
+    HttpsURLConnection.getOutputStream.implementation = function() {
+        var outputStream = this.getOutputStream();
+
+        // 创建一个新的 ByteArrayOutputStream 实例，以便于我们读取数据。
+        var byteArrayOutputStream = ByteArrayOutputStream.$new();
+
+        outputStream.write.overload('[B').implementation = function(buffer) {
+            byteArrayOutputStream.write(buffer);
+            console.log("[*] Data written to URL:", this.getURL().toString());
+            console.log("[*] Data:", byteArrayOutputStream.toString('UTF-8'));
+            return outputStream.write(buffer);
+        };
+
+        return outputStream;
+    };
+});

scripts/url_request.js

@@ -0,0 +1,82 @@
+Java.perform(function() {
+    var URL = Java.use("java.net.URL");
+    var HttpsURLConnection = Java.use("javax.net.ssl.HttpsURLConnection");
+    var HttpURLConnection = Java.use("java.net.HttpURLConnection");
+    var OutputStreamWriter = Java.use("java.io.OutputStreamWriter");
+    var BufferedReader = Java.use("java.io.BufferedReader");
+    var InputStreamReader = Java.use("java.io.InputStreamReader");
+    var OutputStream = Java.use('java.io.OutputStream');
+    var OkHttpClient = Java.use('okhttp3.OkHttpClient');
+
+    URL.$init.overload('java.lang.String').implementation = function(url) {
+        console.log("[*] URL init:", url.toString());
+        return this.$init(url);
+    };
+
+    HttpsURLConnection.setDoOutput.implementation = function(value) {
+        console.log("[*]HttpsURLConnection setDoOutput:", value);
+        return this.setDoOutput(value);
+    };
+
+    HttpsURLConnection.setRequestProperty.implementation = function(key, value) {
+        console.log("[*] setRequestProperty:", key, value);
+        return this.setRequestProperty(key, value);
+    };
+
+
+    HttpsURLConnection.getOutputStream.implementation = function() {
+        console.log("[*] getOutputStream");
+        return this.getOutputStream();
+    };
+
+
+
+    HttpURLConnection.setRequestProperty.implementation = function(key, value) {
+        console.log("[*] setRequestProperty:", key, value);
+        return this.setRequestProperty(key, value);
+    };
+
+    HttpURLConnection.setDoOutput.implementation = function(value) {
+        console.log("[*]HttpURLConnection setDoOutput:", value);
+        return this.setDoOutput(value);
+    };
+
+    // HttpURLConnection.getOutputStream.implementation = function() {
+    //     console.log("[*] getOutputStream");
+    //     var outputStream = this.getOutputStream();
+    //
+    //     outputStream.write.overload('[B').implementation = function(buffer) {
+    //         console.log("[*] Data written:", Java.array('byte', buffer).toString());
+    //         return this.write(buffer);
+    //     };
+    //     return outputStream;
+    // };
+
+    // OutputStream.write.overload('[B').implementation = function(buffer) {
+    //     console.log("[*] Data written:", Java.array('byte', buffer).toString());
+    //     return this.write(buffer);
+    // };
+
+    BufferedReader.readLine.overload().implementation = function() {
+        var line = this.readLine();
+        // console.log("[*] BufferedReader.readLine:", line);
+        return line;
+    };
+
+    InputStreamReader.$init.overload('java.io.InputStream').implementation = function(stream) {
+        console.log("[*] InputStreamReader.init:", stream);
+        return this.$init(stream);
+    };
+
+    OkHttpClient.newCall.overload('okhttp3.Request').implementation = function(request) {
+        console.log("[*] Request URL:", request.url().toString());
+        console.log("[*] Request Headers:", request.headers().toString());
+
+        if (request.method() == "POST") {
+            console.log("[*] Request Body:", request.body().toString());
+        }
+
+        return this.newCall(request);
+    };
+});
+

test.py

@@ -0,0 +1,11 @@
+import frida,sys
+import modules.files_utils
+
+js_code = modules.files_utils.read_javascript("scripts/hook_conversions.js")
+device = frida.get_usb_device()
+pid = device.spawn(["com.naviapp"])    # 以挂起方式创建进程
+process = device.attach(pid)
+script = process.create_script(js_code)
+script.load()
+device.resume(pid)  # 加载完脚本, 恢复进程运行
+sys.stdin.read()