SeeFlowerX

#! /bin/sh
#进程名字可修改
#脚本逻辑 -> 存在端口 pass 不存在则检查小红书在不在 在就注入 否则-f启动或者点击方式启动 然后循环
#用frida加载androidAsync.dex在APP跑了个http服务对外提供接口，PORT是http服务监听的端口，用的是frida-inject注入js
#如果是frida-server那么可以改为用ps判断frida-server在不在
#启动命令 sh -T- /data/local/tmp/daemon.sh

PORT=45459
CURRENT_WINDOW_COUNT=0
PRO_NAME=com.xingin.xhs

SeeFlowerX

ctx_pointer.getPointer(0x484) 取偏移0x484处的值，将其作为指针返回

ctx_pointer.share(0x484L) 偏移0x484，将其作为指针返回

SeeFlowerX

// https://www.cnblogs.com/c-x-a/p/15192821.html
function main(){
    write_file1()
    write_File2()
}
function write_file1(){
    //使用firda的自带api
    var file = new File("/data/local/tmp/mytest.dat")
    file.write("1234");
    file.flush();

SeeFlowerX

Java.perform(function() {
    const System = Java.use('java.lang.System');
    const Runtime = Java.use('java.lang.Runtime');
    const SystemLoad_2 = System.loadLibrary.overload('java.lang.String');
    const VMStack = Java.use('dalvik.system.VMStack');

    SystemLoad_2.implementation = function(library) {
        send("Loading dynamic library => " + library);
        try {
            const loaded = Runtime.getRuntime().loadLibrary0(VMStack.getCallingClassLoader(), library);

SeeFlowerX

function hook_libc(){
    let fgets_ptr = Module.findExportByName("libc.so", "fgets");
    let fgets = new NativeFunction(fgets_ptr, "pointer", ["pointer", "int", "pointer"]);
    let popen_addr = Module.findExportByName("libc.so", "popen");
    console.log(`popen_addr => ${popen_addr}`);
    Interceptor.attach(popen_addr, {
        onEnter: function(args){
            let command = args[0].readUtf8String();
            let mode = args[1].readUtf8String();
            console.log(`[popen] [onEnter] command=${command} mode=${mode}`)

SeeFlowerX

# (HTTP and SOCKS5 in one port)
mixed-port: 7890
# RESTful API for clash
external-controller: 127.0.0.1:9090
allow-lan: false
mode: global
log-level: info
#bind-address:*
dns:
    enable: true

SeeFlowerX

function readStdString(str: NativePointer) {
    const isTiny = (str.readU8() & 1) === 0;
    if (isTiny) {
        return str.add(1).readUtf8String();
    }
    return str.add(2 * Process.pointerSize).readPointer().readUtf8String();
}

function get_PrettyMethod(){
    let PrettyMethod_ptr =  Module.findExportByName("libart.so", "_ZN3art9ArtMethod12PrettyMethodEPS0_b");

SeeFlowerX

简要说明：

将定义为std::string ArtMethod::PrettyMethod(ArtMethod* m, bool with_signature)的方法

通过NativeFunction绑定，将返回值设为单个pointer，尝试读取对应的string内容

发现对返回的pointer分步读取（即打印readPointer结果）的值会产生变化

---

SeeFlowerX

https://pastebin.com/eYeUt5X8

SeeFlowerX

#!/usr/bin/python3

'''
author: ceres-c
usage: ./frida-extract-keystore.py
       Once the keystore(s) have been exported you have to convert them to PKCS12 using keytool
'''

import frida, sys, time