wsy182
/
hook-frida
Archived
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: wsy182:358c51a054aa56ce5e19e6cf003f56104c35c1fe
Branches Tags
wsy182:master
..
compare: wsy182:deb6e8fb4c57bbcc0d7f2d7a9a57a450392ed987
Branches Tags
wsy182:master

3 Commits
358c51a054 ... deb6e8fb4c

Author SHA1 Message Date
wangsiyuan deb6e8fb4c 创建 navi.pcap 2023-10-16 18:38:23 +08:00
wangsiyuan fc56cd8c54 创建 hookssl.js 2023-10-16 18:38:21 +08:00
wangsiyuan 7dc4eb24fd 更新 hook_conversions.js 2023-10-16 18:38:20 +08:00
3 changed files with 472 additions and 89 deletions
Show Stats Expand all files Collapse all files

171
hook_conversions.js
View File

@ -1,101 +1,118 @@
console.log("Script loaded successfully");
// hook_okhttp_client()
if (Java.available) {
Java.perform(function() {
try {
var OkHttpClient = Java.use("okhttp3.OkHttpClient");
console.log("OkHttp detected in the app");
} catch (e) {
console.log("OkHttp not detected in the app");
}
});
Java.perform(function () {
console.log("start hook java.net.URL");
get_request_info()
var URL = Java.use('java.net.URL');
URL.$init.overload('java.lang.String').implementation = function (spec) {
if (spec.includes("appsflyer")) {
console.log("URL request: " + spec);
if (spec.includes("conversions")){
// check_conversion_loaded()
if (spec.includes("conversions")) {
var stackTrace = Java.use('java.lang.Exception').$new().getStackTrace().toString();
console.log(stackTrace);
}
}
return this.$init(spec);
};
// JSONObject.$init.overload('java.lang.String').implementation = function (jsonString) {
// var result = this.$init.overload('java.lang.String').call(this, jsonString);
// if (typeof result.toString !== "undefined") {
// console.log("result: " + result.toString())
// var msgData = jsonString.toString();
//
// if (msgData.contains("install_time") &&
// (msgData.contains("af_siteid") || msgData.contains("af_channel") ||
// msgData.contains("af_status") || msgData.contains("af_message")) &&
// (!msgData.contains("is_first_launch"))) {
// console.log("msgdata: " + msgData)
// }
// }
//
// return result;
// };
});
}
function check_conversion_loaded() {
Java.perform(function() {
var found = false;
Java.enumerateLoadedClasses({
onMatch: function(className) {
if (className.includes("AppsFlyer2dXConversionCallback")) {
console.log("Found: " + className);
found = true;
}
},
onComplete: function() {
if (!found) {
console.log("AppsFlyer2dXConversionCallback class not loaded.");
}
}
});
});
}
function get_request_info() {
console.log("start running get_request_info")
var HttpURLConnection = Java.use('java.net.HttpURLConnection');
var ByteArrayOutputStream = Java.use('java.io.ByteArrayOutputStream');
console.log(HttpURLConnection,ByteArrayOutputStream)
printMethods('java.net.HttpURLConnection');
printMethods('java.io.ByteArrayOutputStream');
HttpURLConnection.getRequestMethod.implementation = function () {
var url = this.getURL().toString();
var method = this.getRequestMethod();
console.log("URL: " + url + " | Request Method: " + method);
return method;
};
HttpURLConnection.setRequestProperty.implementation = function (key, value) {
if (this.getURL().toString().includes("conversions")){
console.log("Header: " + key + ": " + value);
}
return this.setRequestProperty(key, value);
};
HttpURLConnection.getOutputStream.implementation = function() {
var outputStream = this.getOutputStream();
var byteArrayOutputStream = ByteArrayOutputStream.$new();
var bytes = Java.array('byte', [1024]);
var len;
while ((len = outputStream.read(bytes)) != -1) {
byteArrayOutputStream.write(bytes, 0, len);
}
var requestBody = byteArrayOutputStream.toString();
if (this.getURL().toString().includes("conversions")) {
console.log("Request Body: " + requestBody);
}
return outputStream;
};
}
function printMethods(className) {
var jclass = Java.use(className);
var methods = jclass.class.getDeclaredMethods();
console.log("Printing methods of " + className + ":\n");
methods.forEach(function(method) {
methods.forEach(function (method) {
console.log(method);
});
}
function hook_okhttp_client() {
if (Java.available) {
Java.perform(function () {
try {
var OkHttpClient = Java.use("okhttp3.OkHttpClient");
OkHttpClient.newCall.overload('okhttp3.Request').implementation = function (request) {
console.log("OkHttp Request URL: " + request.url().toString());
console.log("OkHttp Request Headers: " + request.headers().toString());
if (request.method() == "POST") {
console.log("OkHttp Request Body: " + request.body().contentType().toString());
// Here you can further extract the request body if needed.
}
var response = this.newCall(request).execute();
console.log("OkHttp Response: " + response.body().string());
// Note: Calling response.body().string() consumes the response body.
// You might need to recreate the response if the app expects to read it again.
return this.newCall(request);
};
} catch (e) {
console.log("Error hooking OkHttp: " + e);
}
});
}
}
function hook_HttpURLConnection_stream() {
console.log("start hook_HttpURLConnection_stream")
if (Java.available) {
Java.perform(function () {
var HttpURLConnection = Java.use("java.net.HttpURLConnection");
HttpURLConnection.getOutputStream.implementation = function () {
var outputStream = this.getOutputStream();
var OutputStreamWrapper = Java.use("java.io.OutputStream");
var newOutputStream = Java.registerClass({
name: "CustomOutputStream",
superClass: OutputStreamWrapper,
methods: {
write: function (buffer, byteOffset, byteCount) {
var data = Array.prototype.slice.call(buffer.slice(byteOffset, byteOffset + byteCount));
console.log("Request data: " + String.fromCharCode.apply(null, data));
outputStream.write(buffer, byteOffset, byteCount);
}
}
});
return newOutputStream.$new(outputStream);
};
HttpURLConnection.getInputStream.implementation = function () {
var inputStream = this.getInputStream();
var InputStreamWrapper = Java.use("java.io.InputStream");
var newInputStream = Java.registerClass({
name: "CustomInputStream",
superClass: InputStreamWrapper,
methods: {
read: function (buffer, byteOffset, byteCount) {
var bytesRead = inputStream.read(buffer, byteOffset, byteCount);
if (bytesRead != -1) {
var data = Array.prototype.slice.call(buffer.slice(byteOffset, byteOffset + bytesRead));
console.log("Response data: " + String.fromCharCode.apply(null, data));
}
return bytesRead;
}
}
});
return newInputStream.$new(inputStream);
};
});
}
}

366
hookssl.js Normal file
View File

@ -0,0 +1,366 @@
Java.perform(function() {
/*
hook list:
1.SSLcontext
2.okhttp
3.webview
4.XUtils
5.httpclientandroidlib
6.JSSE
7.network\_security\_config (android 7.0+)
8.Apache Http client (support partly)
9.OpenSSLSocketImpl
10.TrustKit
11.Cronet
*/
// Attempts to bypass SSL pinning implementations in a number of
// ways. These include implementing a new TrustManager that will
// accept any SSL certificate, overriding OkHTTP v3 check()
// method etc.
var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');
var HostnameVerifier = Java.use('javax.net.ssl.HostnameVerifier');
var SSLContext = Java.use('javax.net.ssl.SSLContext');
var quiet_output = false;
// Helper method to honor the quiet flag.
function quiet_send(data) {
if (quiet_output) {
return;
}
send(data)
}
// Implement a new TrustManager
// ref: https://gist.github.com/oleavr/3ca67a173ff7d207c6b8c3b0ca65a9d8
// Java.registerClass() is only supported on ART for now(201803). 所以android 4.4以下不兼容,4.4要切换成ART使用.
/*
06-07 16:15:38.541 27021-27073/mi.sslpinningdemo W/System.err: java.lang.IllegalArgumentException: Required method checkServerTrusted(X509Certificate[], String, String, String) missing
06-07 16:15:38.542 27021-27073/mi.sslpinningdemo W/System.err: at android.net.http.X509TrustManagerExtensions.<init>(X509TrustManagerExtensions.java:73)
at mi.ssl.MiPinningTrustManger.<init>(MiPinningTrustManger.java:61)
06-07 16:15:38.543 27021-27073/mi.sslpinningdemo W/System.err: at mi.sslpinningdemo.OkHttpUtil.getSecPinningClient(OkHttpUtil.java:112)
at mi.sslpinningdemo.OkHttpUtil.get(OkHttpUtil.java:62)
at mi.sslpinningdemo.MainActivity$1$1.run(MainActivity.java:36)
*/
var X509Certificate = Java.use("java.security.cert.X509Certificate");
var TrustManager;
try {
TrustManager = Java.registerClass({
name: 'org.wooyun.TrustManager',
implements: [X509TrustManager],
methods: {
checkClientTrusted: function(chain, authType) {},
checkServerTrusted: function(chain, authType) {},
getAcceptedIssuers: function() {
// var certs = [X509Certificate.$new()];
// return certs;
return [];
}
}
});
} catch (e) {
quiet_send("registerClass from X509TrustManager >>>>>>>> " + e.message);
}
// Prepare the TrustManagers array to pass to SSLContext.init()
var TrustManagers = [TrustManager.$new()];
try {
// Prepare a Empty SSLFactory
var TLS_SSLContext = SSLContext.getInstance("TLS");
TLS_SSLContext.init(null, TrustManagers, null);
var EmptySSLFactory = TLS_SSLContext.getSocketFactory();
} catch (e) {
quiet_send(e.message);
}
send('Custom, Empty TrustManager ready');
// Get a handle on the init() on the SSLContext class
var SSLContext_init = SSLContext.init.overload(
'[Ljavax.net.ssl.KeyManager;', '[Ljavax.net.ssl.TrustManager;', 'java.security.SecureRandom');
// Override the init method, specifying our new TrustManager
SSLContext_init.implementation = function(keyManager, trustManager, secureRandom) {
quiet_send('Overriding SSLContext.init() with the custom TrustManager');
SSLContext_init.call(this, null, TrustManagers, null);
};
/*** okhttp3.x unpinning ***/
// Wrap the logic in a try/catch as not all applications will have
// okhttp as part of the app.
try {
var CertificatePinner = Java.use('okhttp3.CertificatePinner');
quiet_send('OkHTTP 3.x Found');
CertificatePinner.check.overload('java.lang.String', 'java.util.List').implementation = function() {
quiet_send('OkHTTP 3.x check() called. Not throwing an exception.');
}
} catch (err) {
// If we dont have a ClassNotFoundException exception, raise the
// problem encountered.
if (err.message.indexOf('ClassNotFoundException') === 0) {
throw new Error(err);
}
}
// Appcelerator Titanium PinningTrustManager
// Wrap the logic in a try/catch as not all applications will have
// appcelerator as part of the app.
try {
var PinningTrustManager = Java.use('appcelerator.https.PinningTrustManager');
send('Appcelerator Titanium Found');
PinningTrustManager.checkServerTrusted.implementation = function() {
quiet_send('Appcelerator checkServerTrusted() called. Not throwing an exception.');
}
} catch (err) {
// If we dont have a ClassNotFoundException exception, raise the
// problem encountered.
if (err.message.indexOf('ClassNotFoundException') === 0) {
throw new Error(err);
}
}
/*** okhttp unpinning ***/
try {
var OkHttpClient = Java.use("com.squareup.okhttp.OkHttpClient");
OkHttpClient.setCertificatePinner.implementation = function(certificatePinner) {
// do nothing
quiet_send("OkHttpClient.setCertificatePinner Called!");
return this;
};
// Invalidate the certificate pinnet checks (if "setCertificatePinner" was called before the previous invalidation)
var CertificatePinner = Java.use("com.squareup.okhttp.CertificatePinner");
CertificatePinner.check.overload('java.lang.String', '[Ljava.security.cert.Certificate;').implementation = function(p0, p1) {
// do nothing
quiet_send("okhttp Called! [Certificate]");
return;
};
CertificatePinner.check.overload('java.lang.String', 'java.util.List').implementation = function(p0, p1) {
// do nothing
quiet_send("okhttp Called! [List]");
return;
};
} catch (e) {
quiet_send("com.squareup.okhttp not found");
}
/*** WebView Hooks ***/
/* frameworks/base/core/java/android/webkit/WebViewClient.java */
/* public void onReceivedSslError(Webview, SslErrorHandler, SslError) */
var WebViewClient = Java.use("android.webkit.WebViewClient");
WebViewClient.onReceivedSslError.implementation = function(webView, sslErrorHandler, sslError) {
quiet_send("WebViewClient onReceivedSslError invoke");
//执行proceed方法
sslErrorHandler.proceed();
return;
};
WebViewClient.onReceivedError.overload('android.webkit.WebView', 'int', 'java.lang.String', 'java.lang.String').implementation = function(a, b, c, d) {
quiet_send("WebViewClient onReceivedError invoked");
return;
};
WebViewClient.onReceivedError.overload('android.webkit.WebView', 'android.webkit.WebResourceRequest', 'android.webkit.WebResourceError').implementation = function() {
quiet_send("WebViewClient onReceivedError invoked");
return;
};
/*** JSSE Hooks ***/
/* libcore/luni/src/main/java/javax/net/ssl/TrustManagerFactory.java */
/* public final TrustManager[] getTrustManager() */
/* TrustManagerFactory.getTrustManagers maybe cause X509TrustManagerExtensions error */
// var TrustManagerFactory = Java.use("javax.net.ssl.TrustManagerFactory");
// TrustManagerFactory.getTrustManagers.implementation = function(){
// quiet_send("TrustManagerFactory getTrustManagers invoked");
// return TrustManagers;
// }
var HttpsURLConnection = Java.use("javax.net.ssl.HttpsURLConnection");
/* libcore/luni/src/main/java/javax/net/ssl/HttpsURLConnection.java */
/* public void setDefaultHostnameVerifier(HostnameVerifier) */
HttpsURLConnection.setDefaultHostnameVerifier.implementation = function(hostnameVerifier) {
quiet_send("HttpsURLConnection.setDefaultHostnameVerifier invoked");
return null;
};
/* libcore/luni/src/main/java/javax/net/ssl/HttpsURLConnection.java */
/* public void setSSLSocketFactory(SSLSocketFactory) */
HttpsURLConnection.setSSLSocketFactory.implementation = function(SSLSocketFactory) {
quiet_send("HttpsURLConnection.setSSLSocketFactory invoked");
return null;
};
/* libcore/luni/src/main/java/javax/net/ssl/HttpsURLConnection.java */
/* public void setHostnameVerifier(HostnameVerifier) */
HttpsURLConnection.setHostnameVerifier.implementation = function(hostnameVerifier) {
quiet_send("HttpsURLConnection.setHostnameVerifier invoked");
return null;
};
/*** Xutils3.x hooks ***/
//Implement a new HostnameVerifier
var TrustHostnameVerifier;
try {
TrustHostnameVerifier = Java.registerClass({
name: 'org.wooyun.TrustHostnameVerifier',
implements: [HostnameVerifier],
method: {
verify: function(hostname, session) {
return true;
}
}
});
} catch (e) {
//java.lang.ClassNotFoundException: Didn't find class "org.wooyun.TrustHostnameVerifier"
quiet_send("registerClass from hostnameVerifier >>>>>>>> " + e.message);
}
try {
var RequestParams = Java.use('org.xutils.http.RequestParams');
RequestParams.setSslSocketFactory.implementation = function(sslSocketFactory) {
sslSocketFactory = EmptySSLFactory;
return null;
}
RequestParams.setHostnameVerifier.implementation = function(hostnameVerifier) {
hostnameVerifier = TrustHostnameVerifier.$new();
return null;
}
} catch (e) {
quiet_send("Xutils hooks not Found");
}
/*** httpclientandroidlib Hooks ***/
try {
var AbstractVerifier = Java.use("ch.boye.httpclientandroidlib.conn.ssl.AbstractVerifier");
AbstractVerifier.verify.overload('java.lang.String', '[Ljava.lang.String', '[Ljava.lang.String', 'boolean').implementation = function() {
quiet_send("httpclientandroidlib Hooks");
return null;
}
} catch (e) {
quiet_send("httpclientandroidlib Hooks not found");
}
/***
android 7.0+ network_security_config TrustManagerImpl hook
apache httpclient partly
***/
var TrustManagerImpl = Java.use("com.android.org.conscrypt.TrustManagerImpl");
// try {
// var Arrays = Java.use("java.util.Arrays");
// //apache http client pinning maybe baypass
// //https://github.com/google/conscrypt/blob/c88f9f55a523f128f0e4dace76a34724bfa1e88c/platform/src/main/java/org/conscrypt/TrustManagerImpl.java#471
// TrustManagerImpl.checkTrusted.implementation = function (chain, authType, session, parameters, authType) {
// quiet_send("TrustManagerImpl checkTrusted called");
// //Generics currently result in java.lang.Object
// return Arrays.asList(chain);
// }
//
// } catch (e) {
// quiet_send("TrustManagerImpl checkTrusted nout found");
// }
try {
// Android 7+ TrustManagerImpl
TrustManagerImpl.verifyChain.implementation = function(untrustedChain, trustAnchorChain, host, clientAuth, ocspData, tlsSctData) {
quiet_send("TrustManagerImpl verifyChain called");
// Skip all the logic and just return the chain again :P
//https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/november/bypassing-androids-network-security-configuration/
// https://github.com/google/conscrypt/blob/c88f9f55a523f128f0e4dace76a34724bfa1e88c/platform/src/main/java/org/conscrypt/TrustManagerImpl.java#L650
return untrustedChain;
}
} catch (e) {
quiet_send("TrustManagerImpl verifyChain nout found below 7.0");
}
// OpenSSLSocketImpl
try {
var OpenSSLSocketImpl = Java.use('com.android.org.conscrypt.OpenSSLSocketImpl');
OpenSSLSocketImpl.verifyCertificateChain.implementation = function(certRefs, authMethod) {
quiet_send('OpenSSLSocketImpl.verifyCertificateChain');
}
quiet_send('OpenSSLSocketImpl pinning')
} catch (err) {
quiet_send('OpenSSLSocketImpl pinner not found');
}
// Trustkit
try {
var Activity = Java.use("com.datatheorem.android.trustkit.pinning.OkHostnameVerifier");
Activity.verify.overload('java.lang.String', 'javax.net.ssl.SSLSession').implementation = function(str) {
quiet_send('Trustkit.verify1: ' + str);
return true;
};
Activity.verify.overload('java.lang.String', 'java.security.cert.X509Certificate').implementation = function(str) {
quiet_send('Trustkit.verify2: ' + str);
return true;
};
quiet_send('Trustkit pinning')
} catch (err) {
quiet_send('Trustkit pinner not found')
}
try {
//cronet pinner hook
//weibo don't invoke
var netBuilder = Java.use("org.chromium.net.CronetEngine$Builder");
//https://developer.android.com/guide/topics/connectivity/cronet/reference/org/chromium/net/CronetEngine.Builder.html#enablePublicKeyPinningBypassForLocalTrustAnchors(boolean)
netBuilder.enablePublicKeyPinningBypassForLocalTrustAnchors.implementation = function(arg) {
//weibo not invoke
console.log("Enables or disables public key pinning bypass for local trust anchors = " + arg);
//true to enable the bypass, false to disable.
var ret = netBuilder.enablePublicKeyPinningBypassForLocalTrustAnchors.call(this, true);
return ret;
};
netBuilder.addPublicKeyPins.implementation = function(hostName, pinsSha256, includeSubdomains, expirationDate) {
console.log("cronet addPublicKeyPins hostName = " + hostName);
//var ret = netBuilder.addPublicKeyPins.call(this,hostName, pinsSha256,includeSubdomains, expirationDate);
//this 是调用 addPublicKeyPins 前的对象吗? Yes,CronetEngine.Builder
return this;
};
} catch (err) {
console.log('[-] Cronet pinner not found')
}
});

BIN
navi.pcap Normal file
View File

Binary file not shown.