更新 frida抓包.md

frida抓包.md

@@ -57,3 +57,9 @@ python3 r0capture/r0capture.py -U com.vmall.client -p com.vmall.client.pcap
 pip install hexdump
 ```
 
+# hook appsflyer conversions
+
+```
+frida -U -l <jshook代码> -f <packageName>
+```
+

hook.log

@@ -0,0 +1,18 @@
+     ____
+    / _  |   Frida 16.0.19 - A world-class dynamic instrumentation toolkit
+   | (_| |
+    > _  |   Commands:
+   /_/ |_|       help      -> Displays the help system
+   . . . .       object?   -> Display information about 'object'
+   . . . .       exit/quit -> Exit
+   . . . .
+   . . . .   More info at https://frida.re/docs/home/
+   . . . .
+   . . . .   Connected to Pixel 3 (id=89KX0AVQN)
+Spawning `com.naviapp`...
+Script loaded successfully
+Spawned `com.naviapp`. Resuming main thread!
+[Pixel 3::com.naviapp ]-> URL request: https://launches.appsflyer.com/api/v6.3/androidevent?app_id=com.naviapp&buildnumber=6.3.2
+URL request: https://inapps.appsflyer.com/api/v6.3/androidevent?app_id=com.naviapp&buildnumber=6.3.2
+
+[Pixel 3::com.naviapp ]-> 

hook_conversions.js

@@ -0,0 +1,17 @@
+console.log("Script loaded successfully");
+Java.perform(function() {
+    var URL = Java.use('java.net.URL');
+        URL.$init.overload('java.lang.String').implementation = function(spec) {
+            if (spec.includes("appsflyer")){
+                console.log("URL request: " + spec);
+            }
+        return this.$init(spec);
+    };
+});
+
+
+
+
+
+
+

main.py

@@ -0,0 +1,32 @@
+import frida
+import modules.command
+
+def on_message(message, data):
+    print(message)
+
+def main(attach_process_name,package_name):
+    modules.command.start_frida()
+    modules.command.clearCache(package_name)
+    # 连接到USB设备
+    device = frida.get_usb_device()
+    pid = 0
+    # 列出设备上的所有进程
+    processes = device.enumerate_processes()
+    for process in processes:
+        if process.name == attach_process_name:
+            pid = process.pid
+            print(process.pid, process.name)
+    # 如果你想附加到一个特定的进程并注入一个脚本：
+    session = device.attach(pid)
+    script = session.create_script("""
+        console.log("Hello from Frida!");
+    """)
+    script.on('message', on_message)
+    script.load()
+
+
+if __name__ == '__main__':
+    attach_process_name = "Navi"
+    package_name = "com.naviapp"
+    js_script =
+    main(attach_process_name,package_name)

modules/command.py

@@ -0,0 +1,98 @@
+import subprocess
+import logging
+import time
+import json
+from modules.files_utils import get_path
+
+
+def run_adb_command(command_list):
+    process = subprocess.Popen(command_list, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+    stdout, stderr = process.communicate()
+    output = stdout.decode().strip()
+    status_code = process.returncode
+    error = stderr.decode().strip()
+    return output, status_code, error
+def start_frida():
+    if is_frida_running():
+        return
+    else:
+        output, status_code, error = run_adb_command(['adb', 'shell', 'su', '-c', '/data/local/tmp/frica'])
+        if status_code == 0:
+            print(output)
+            logging.info(f"start frida output: {output}")
+            return True
+        else:
+            print(error)
+            logging.error(f"start error,error:{error}")
+            return False
+
+def is_frida_running():
+    output, status_code, error = run_adb_command(['adb', 'shell', 'ps', '|', 'grep', 'frica'])
+    print(output)
+    return 'frica' in output
+
+
+def get_main_activity_for_package(package_name):
+    output, status_code, error = run_adb_command(['adb', 'shell', 'dumpsys', 'package', package_name])
+    if status_code != 0:
+        print(f"Error getting main activity: {error}")
+        return None
+    else:
+        # print(f"output: {output},output type: {type(output)}")
+        return find_mainActivity(output,package_name)
+
+
+def find_mainActivity(output,package_name):
+    activity = []
+    start_append = False
+    lines = [line.strip() for line in output.split("\n")]
+    for line in lines:
+        if "Activity Resolver Table:" in line:
+            activity.append(line)
+        if "Non-Data Actions:" in line:
+            activity.append(line)
+            start_append = True
+        elif "android.intent.category.LAUNCHER" in line:
+            activity.append(line)
+            break
+        elif start_append == True:
+            activity.append(line)
+    for main_ac in activity:
+        if package_name in main_ac:
+            tmp = main_ac.split()
+            print(tmp[1])
+            return tmp[1]
+    #     lines = output.split('\n')
+    #     print(f"lines: \n{lines},lines type: {type(lines)}")
+    #     last_line_indent = 0
+    #     for line in lines:
+    #         stripped = line.lstrip()
+    #         indent = len(line) - len(stripped)
+    #         print(indent)
+
+
+
+def clearCache(package_name):
+    if stopApp(package_name):
+        output, status_code, error = run_adb_command(['adb', 'shell', 'pm', 'clear', package_name])
+        if status_code == 0:
+            print(f"clear cache status_code: {status_code}\n output: {output}")
+            return True
+        else:
+            print(error)
+            print(f"clear cache error: {error}")
+            return False
+    else:
+        print("stopApp error")
+
+def stopApp(package_name):
+    print(f"强行停止{package_name}")
+    output, status_code, error = run_adb_command(['adb', 'shell', 'am', 'force-stop', package_name])
+    if status_code == 0:
+        print(f"status_code: {status_code}\n output: {output}")
+        return True
+    else:
+        print(error)
+        logging.error(f"stop APP error: {error}")
+        return False
+

modules/files_utils.py

@@ -0,0 +1,14 @@
+import os
+
+# 获取当前Python脚本的绝对路径
+def get_path(script_name):
+    script_directory = os.path.dirname(os.path.abspath(__file__))
+    parent_directory = os.path.dirname(script_directory)
+    # 使用os.path.join构建hook_conversions.js的完整路径
+    script_path = os.path.join(parent_directory,script_name)
+    print(script_path)
+    return script_path
+
+def read_javascript(script_path):
+
+

test.py

@@ -1,23 +0,0 @@
-import frida
-
-def list_devices():
-    devices = frida.enumerate_devices()
-    for device in devices:
-        print(device)
-
-list_devices()
-
-def connect_to_device(device_id):
-    device = frida.get_device(id=device_id, timeout=10)
-    print(device)
-
-# Connect to the Pixel 3 device
-connect_to_device("8C1X1H1YG")
-
-def on_message(message, data):
-    print(message)
-
-
-
-
-