
Commit 84ff554

author
郭钟
committed
add disable_sslpinning
1 parent c26a586 commit 84ff554

24 files changed

+1890
-1
lines changed

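--- a/com.gotokeep.keep/activity_events.js
+++ b/com.gotokeep.keep/activity_events.js
@@ -0,0 +1,170 @@
+function loadDexfile(dexfile) {
+Java.perform(function() {
+Java.openClassFile(dexfile).load();
+//console.log("load " + dexfile);
+});
+};
+
+function checkLoadDex(className, dexfile) {
+Java.perform(function() {
+if (!classExists(className)) {
+Java.openClassFile(dexfile).load();
+//console.log("load " + dexfile);
+}
+});
+};
+
+function classExists(className) {
+var exists = false;
+try {
+var clz = Java.use(className);
+exists = true;
+} catch(err) {
+//console.log(err);
+}
+return exists;
+};
+
+function getClassName(obj) {
+if (obj.getClass) {
+return obj.getClass().getName();
+}
+var javaObject = Java.use("java.lang.Object");
+return Java.cast(obj, javaObject).getClass().getName();
+}
+
+//str1是否包含str2,str2可用正则表示
+function contains(str1, str2) {
+var reg = RegExp(eval("/"+str2+"/"));
+if(str1 && str1.match && str1.match(reg)){
+return true;
+}else{
+return false;
+}
+};
+
+//创建ArrayList对象用这个方法就好了
+function newArrayList() {
+var ArrayListClz = Java.use('java.util.ArrayList');
+return ArrayListClz.$new();
+}
+
+//创建HashSet对象用这个方法就好了
+function newHashSet() {
+var HashSetClz = Java.use('java.util.HashSet');
+return HashSetClz.$new();
+}
+
+//创建HashMap对象用这个方法就好了
+function newHashMap() {
+var HashMapClz = Java.use('java.util.HashMap');
+return HashMapClz.$new();
+}
+
+function newMethodBeat(text, executor) {
+var threadClz = Java.use("java.lang.Thread");
+var androidLogClz = Java.use("android.util.Log");
+var exceptionClz = Java.use("java.lang.Exception");
+var currentThread = threadClz.currentThread();
+var beat = new Object();
+beat.invokeId = Math.random().toString(36).slice( - 8);
+beat.executor = executor;
+beat.threadId = currentThread.getId();
+beat.threadName = currentThread.getName();
+beat.text = text;
+beat.startTime = new Date().getTime();
+beat.stackInfo = androidLogClz.getStackTraceString(exceptionClz.$new()).substring(20);
+return beat;
+};
+
+function printBeat(beat) {
+var str = ("------------startFlag:" + beat.invokeId + ",objectHash:"+beat.executor+",thread(id:" + beat.threadId +",name:" + beat.threadName + "),timestamp:" + beat.startTime+"---------------\n");
+str += beat.text + "\n";
+str += beat.stackInfo;
+str += ("------------endFlag:" + beat.invokeId + ",usedtime:" + (new Date().getTime() - beat.startTime) +"---------------\n");
+console.log(str);
+};
+
+function log(str) {
+console.log(str);
+};
+
+//虽然我们习惯用fastjson一行将对象转成json字符串,但是Android Library里面自带了一个gson可以做到 只是sdk没有暴露出来,很多人不知道。在frida中所有代码都是透明的,你随便调......
+function toJson(javaObject) {
+var gsonClz = Java.use("com.google.gson.Gson");
+var toJsonMethod = gsonClz.toJson.overload("java.lang.Object");
+return toJsonMethod.call(gsonClz.$new(),javaObject);
+};
+
+function getBaseContext() {
+var currentApplication = Java.use('android.app.ActivityThread').currentApplication();
+var context = currentApplication.getApplicationContext();
+return context; //Java.scheduleOnMainThread(fn):
+};
+
+function sleep(time) {
+var startTime = new Date().getTime() + parseInt(time, 10);
+while(new Date().getTime() < startTime) {}
+};
+
+function fastTojson(javaObject) {
+var JSONClz = Java.use("gz.com.alibaba.fastjson.JSON");
+return JSONClz.toJSONString(javaObject);
+};
+
+loadDexfile('/data/user/0/com.gotokeep.keep/radar.dex');
+
+Java.perform(function() {
+var radarAndroidClz = Java.use("gz.radar.Android");
+var android_content_ContextWrapper_clz = Java.use('android.content.ContextWrapper');
+var android_content_ContextWrapper_clz_method_startActivity_r7jq = android_content_ContextWrapper_clz.startActivity.overload('android.content.Intent', 'android.os.Bundle');
+android_content_ContextWrapper_clz_method_startActivity_r7jq.implementation = function(v0, v1) {
+log("Intent>>>>>>>"+radarAndroidClz.getIntentProfile(v0));
+log("Bundle>>>>>>>"+radarAndroidClz.getBundleProfile(v1));
+var executor = this.hashCode();
+var beatText = 'public void android.content.ContextWrapper.startActivity(android.content.Intent,android.os.Bundle)';
+var beat = newMethodBeat(beatText, executor);
+android_content_ContextWrapper_clz_method_startActivity_r7jq.call(this, v0, v1);
+printBeat(beat);
+};
+var android_content_ContextWrapper_clz_method_startActivity_auep = android_content_ContextWrapper_clz.startActivity.overload('android.content.Intent');
+android_content_ContextWrapper_clz_method_startActivity_auep.implementation = function(v0) {
+log("Intent>>>>>>>"+radarAndroidClz.getIntentProfile(v0));
+var executor = this.hashCode();
+var beatText = 'public void android.content.ContextWrapper.startActivity(android.content.Intent)';
+var beat = newMethodBeat(beatText, executor);
+android_content_ContextWrapper_clz_method_startActivity_auep.call(this, v0);
+printBeat(beat);
+};
+var android_content_ContextWrapper_clz_method_startActivityAsUser_adh6 = android_content_ContextWrapper_clz.startActivityAsUser.overload('android.content.Intent', 'android.os.UserHandle');
+android_content_ContextWrapper_clz_method_startActivityAsUser_adh6.implementation = function(v0, v1) {
+log("Intent>>>>>>>"+radarAndroidClz.getIntentProfile(v0));
+var executor = this.hashCode();
+var beatText = 'public void android.content.ContextWrapper.startActivityAsUser(android.content.Intent,android.os.UserHandle)';
+var beat = newMethodBeat(beatText, executor);
+android_content_ContextWrapper_clz_method_startActivityAsUser_adh6.call(this, v0, v1);
+printBeat(beat);
+};
+var android_content_ContextWrapper_clz_method_startActivityAsUser_ilkk = android_content_ContextWrapper_clz.startActivityAsUser.overload('android.content.Intent', 'android.os.Bundle', 'android.os.UserHandle');
+android_content_ContextWrapper_clz_method_startActivityAsUser_ilkk.implementation = function(v0, v1, v2) {
+log("Intent>>>>>>>"+radarAndroidClz.getIntentProfile(v0));
+log("Bundle>>>>>>>"+radarAndroidClz.getBundleProfile(v1));
+var executor = this.hashCode();
+var beatText = 'public void android.content.ContextWrapper.startActivityAsUser(android.content.Intent,android.os.Bundle,android.os.UserHandle)';
+var beat = newMethodBeat(beatText, executor);
+android_content_ContextWrapper_clz_method_startActivityAsUser_ilkk.call(this, v0, v1, v2);
+printBeat(beat);
+};
+var android_app_Activity_clz = Java.use('android.app.Activity');
+var android_app_Activity_clz_method_startActivityForResult_6mkb = android_app_Activity_clz.startActivityForResult.overload('android.content.Intent', 'int', 'android.os.Bundle');
+android_app_Activity_clz_method_startActivityForResult_6mkb.implementation = function(v0, v1, v2) {
+log("Intent>>>>>>>"+radarAndroidClz.getIntentProfile(v0));
+log("Flags>>>>>>>"+v1);
+log("Bundle>>>>>>>"+radarAndroidClz.getBundleProfile(v2));
+var executor = this.hashCode();
+var beatText = 'public void android.app.Activity.startActivityForResult(android.content.Intent,int,android.os.Bundle)';
+var beat = newMethodBeat(beatText, executor);
+android_app_Activity_clz_method_startActivityForResult_6mkb.call(this, v0, v1, v2);
+printBeat(beat);
+};
+});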
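Review bot: `contains` (new lines 37-44) builds its pattern with `RegExp(eval("/"+str2+"/"))`, so a `str2` containing `/` no longer parses as a single regex literal and the remainder of the string is evaluated as script code; `var reg = new RegExp(str2);` compiles the same pattern without `eval`. The copy of `contains` in com.gotokeep.keep/android_ui.js has the same line and needs the same change. In the `startActivityForResult` hook, `v1` is logged under the label `Flags`, but in the hooked overload `(Intent, int, Bundle)` that argument is the request code, so `log("RequestCode>>>>>>>"+v1);` would describe it correctly.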

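--- a/com.gotokeep.keep/android_ui.js
+++ b/com.gotokeep.keep/android_ui.js
@@ -0,0 +1,194 @@
+function loadDexfile(dexfile) {
+Java.perform(function() {
+Java.openClassFile(dexfile).load();
+});
+};
+
+function checkLoadDex(className, dexfile) {
+Java.perform(function() {
+if (!classExists(className)) {
+Java.openClassFile(dexfile).load();
+//console.log("load " + dexfile);
+}
+});
+};
+loadDexfile('/data/user/0/com.gotokeep.keep/radar.dex');
+function classExists(className) {
+var exists = false;
+try {
+var clz = Java.use(className);
+exists = true;
+} catch(err) {
+//console.log(err);
+}
+return exists;
+};
+
+function getClassName(obj) {
+if (obj.getClass) {
+return obj.getClass().getName();
+}
+var javaObject = Java.use("java.lang.Object");
+return Java.cast(obj, javaObject).getClass().getName();
+}
+
+//str1是否包含str2,str2可用正则表示
+function contains(str1, str2) {
+var reg = RegExp(eval("/" + str2 + "/"));
+if (str1 && str1.match && str1.match(reg)) {
+return true;
+} else {
+return false;
+}
+};
+
+//创建ArrayList对象用这个方法就好了
+function newArrayList() {
+var ArrayListClz = Java.use('java.util.ArrayList');
+return ArrayListClz.$new();
+}
+
+//创建HashSet对象用这个方法就好了
+function newHashSet() {
+var HashSetClz = Java.use('java.util.HashSet');
+return HashSetClz.$new();
+}
+
+//创建HashMap对象用这个方法就好了
+function newHashMap() {
+var HashMapClz = Java.use('java.util.HashMap');
+return HashMapClz.$new();
+}
+
+function log(str) {
+console.log(str);
+};
+
+//虽然我们习惯用fastjson一行将对象转成json字符串,但是Android Library里面自带了一个gson可以做到 只是sdk没有暴露出来,很多人不知道。在frida中所有代码都是透明的,你随便调......
+function toJson(javaObject) {
+var gsonClz = Java.use("com.google.gson.Gson");
+var toJsonMethod = gsonClz.toJson.overload("java.lang.Object");
+return toJsonMethod.call(gsonClz.$new(), javaObject);
+};
+
+function getBaseContext() {
+var currentApplication = Java.use('android.app.ActivityThread').currentApplication();
+var context = currentApplication.getApplicationContext();
+return context; //Java.scheduleOnMainThread(fn):
+};
+
+function sleep(time) {
+var startTime = new Date().getTime() + parseInt(time, 10);
+while (new Date().getTime() < startTime) {}
+};
+
+function fastTojson(javaObject) {
+var JSONClz = Java.use("gz.com.alibaba.fastjson.JSON");
+return JSONClz.toJSONString(javaObject);
+};
+
+function findViewById(viewId) {
+var report = "";
+Java.perform(function() {
+var radarAndroidClz = Java.use("gz.radar.Android");
+var viewInfo = radarAndroidClz.getViewInfo(viewId + "");
+if (!viewInfo) {
+report += "Not Found View."
+return;
+}
+report += ("------------------View--------------------") + "\n";
+report += ("View Id: " + viewInfo.getViewId()) + "\n";
+report += ("View IdName: " + viewInfo.getViewIdName()) + "\n";
+report += ("View Class: " + viewInfo.getName()) + "\n";
+report += ("View SuperClass: " + viewInfo.getSuperClazz()) + "\n";
+report += ("View ImplementInterfaces: " + viewInfo.getImplementInterfaces()) + "\n";
+var androidApkFields = viewInfo.getAndroidApkFields();
+report += ("View Fields: " + androidApkFields.length) + "\n";
+for (var j = 0; j < androidApkFields.length; j++) {
+report += ("\t" + androidApkFields[j].toLine()) + "\n";
+}
+var methods = viewInfo.methods();
+report += ("View Methods: " + methods.length) + "\n";
+for (var j = 0; j < methods.length; j++) {
+report += ("\t" + methods[j]) + "\n";
+}
+});
+log(report);
+}
+
+function startActivity(activityName) {
+Java.perform(function() {
+var androidUIClz = Java.use("gz.radar.AndroidUI");
+androidUIClz.startActivity(activityName);
+});
+}
+
+function contextStartActivity(activityName) {
+Java.perform(function() {
+var androidUIClz = Java.use("gz.radar.AndroidUI");
+androidUIClz.contextStartActivity(activityName);
+});
+}
+
+function contextStartActivityForNewTask(activityName) {
+Java.perform(function() {
+var androidUIClz = Java.use("gz.radar.AndroidUI");
+androidUIClz.contextStartActivityForNewTask(activityName);
+});
+}
+
+function topActivityStartActivity(activityName) {
+Java.perform(function() {
+var androidUIClz = Java.use("gz.radar.AndroidUI");
+androidUIClz.topActivityStartActivity(activityName);
+});
+}
+
+function home() {
+Java.perform(function() {
+var androidUIClz = Java.use("gz.radar.AndroidUI");
+androidUIClz.home();
+});
+}
+
+function back() {
+Java.perform(function() {
+var androidUIClz = Java.use("gz.radar.AndroidUI");
+androidUIClz.back();
+});
+}
+
+function finishCurrentActivity() {
+Java.perform(function() {
+var androidUIClz = Java.use("gz.radar.AndroidUI");
+androidUIClz.finishCurrentActivity();
+});
+}
+
+function clickByText(text) {
+Java.perform(function() {
+var androidUIClz = Java.use("gz.radar.AndroidUI");
+log(androidUIClz.clickByText(text));
+});
+}
+
+function clickById(id) {
+Java.perform(function() {
+var androidUIClz = Java.use("gz.radar.AndroidUI");
+log(androidUIClz.clickById(id));
+});
+}
+
+function hover(x,y,upStepLength) {
+Java.perform(function() {
+var androidui = Java.use("gz.radar.AndroidUI");
+androidui.hover(x,y,upStepLength);
+});
+}
+
+function viewTree() {
+Java.perform(function() {
+var androidUIClz = Java.use("gz.radar.AndroidUI");
+log(androidUIClz.viewTree());
+});
+}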
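Review bot: `findViewById` (new lines 90-117) calls `log(report);` after `Java.perform(...)` returns rather than inside the callback; Frida documents that `Java.perform` may defer the callback when the app's class loader is not yet available, and in that case an empty string is logged and the report is lost. Logging from inside the callback avoids this: end the callback with `log(report);` and make the not-found branch `report += "Not Found View."; log(report); return;`. The two `for` loops both declare `var j`, which works only because `var` is function-scoped; a second index name or a single declaration would make that explicit.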

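--- a/com.gotokeep.keep/attach
+++ b/com.gotokeep.keep/attach
@@ -0,0 +1,3 @@
+#!/bin/bash
+HOOKER_DRIVER=$(cat ../.hooker_driver)
+frida $HOOKER_DRIVER -l $1 com.gotokeep.keep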
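Review bot: `$1` on the `frida` line is expanded unquoted and never checked, so a script path containing spaces is split into several arguments, and with no argument at all `-l` takes `com.gotokeep.keep` as the script path. Quoting it and failing early covers both cases: `frida $HOOKER_DRIVER -l "${1:?usage: attach <script.js>}" com.gotokeep.keep` (`$HOOKER_DRIVER` presumably holds several flags and is left unquoted on purpose). `../.hooker_driver` is resolved against the caller's working directory, so the script works only when started from inside this folder; a leading `cd "$(dirname "$0")" || exit 1` would remove that dependency.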
