forked from CrackerCat/frida_app_hook
-
Notifications
You must be signed in to change notification settings - Fork 0
/
android_wechat.js
145 lines (137 loc) · 5.64 KB
/
android_wechat.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
// wechat com.tencent.mm 7.0.19
// frida -U -l android_wechat.js -f com.tencent.mm --no-pause
// 微信抓取用户信息,通过查找好友的方式
Java.perform(function () {
var this_obj;
var FTSAddFriendUI=Java.use("com.tencent.mm.plugin.fts.ui.FTSAddFriendUI");
// FTSAddFriendUI.a.overload('com.tencent.mm.plugin.fts.a.d.a.a', 'boolean').implementation=function(arg1, arg2){
// console.log("FTSAddFriendUI a Hook Start...");
// var result= this.a(arg1,arg2)
// return result
// }
// FTSAddFriendUI.cVU.overload().implementation=function(){
// console.log("FTSAddFriendUI cVU Hook Start...");
// var result= this.cVU()
// return result
// }
FTSAddFriendUI.alH.overload('java.lang.String').implementation=function(arg1){
this_obj = this;
console.log("FTSAddFriendUI alH Hook Start...");
console.log(arg1)
var result= this.alH(arg1)
return result
}
var z=Java.use("com.tencent.mm.platformtools.z");
FTSAddFriendUI.h.overload('com.tencent.mm.plugin.fts.ui.FTSAddFriendUI').implementation=function(arg1){
console.log("FTSAddFriendUI init Hook Start...");
console.log(arg1.rkX.value.GuF.value.getClass().getName())
console.log(z.a(arg1.rkX.value.GuF.value))
var result= this.h(arg1)
return result
}
var f=Java.use("com.tencent.mm.plugin.fts.ui.FTSAddFriendUI$5");
f.onSceneEnd.overload('int', 'int', 'java.lang.String', 'com.tencent.mm.ak.n').implementation=function(arg1,arg2,arg3,arg4){
console.log("f.onSceneEnd Hook Start...");
console.log(arg1)
console.log(arg2)
console.log(arg3)
var result= this.onSceneEnd(arg1,arg2,arg3,arg4)
return result
}
// //com.tencent.mm.plugin.profile.ui.ContactInfoUI 页面捕获。打印传递过来的bundle
// var ContactInfoUI=Java.use("com.tencent.mm.plugin.profile.ui.ContactInfoUI");
// ContactInfoUI.getIdentString.overload().implementation=function(arg1){
// var result = this.getIdentString()
// console.log("get---------"+result)
// return result
// }
// ContactInfoUI.onCreate.overload("android.os.Bundle").implementation=function(arg1){
// console.log("ContactSearchResultUI.onCreate");
// var bundle = this.getIntent().getExtras()
// var result = "{";
// var keyset = bundle.keySet();
// var it = keyset.iterator();
// while(it.hasNext()){
// var keystr = it.next().toString();
// var valuestr = bundle.getString(keystr);
// var map= "\""+keystr+"\":\""+valuestr+"\",";
// result+=map
// }
// console.log(result);
// var result= this.onCreate(arg1)
// return result
// }
// // 根据user_id 查询头像
// var g=Java.use("com.tencent.mm.al.g");
// g.eX.overload("java.lang.String").implementation=function(arg1){
// console.log("g.eX");
// console.log(Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Exception").$new()));
// console.log(arg1);
// var result= this.eX(arg1)
// return result
// }
// var g=Java.use("com.tencent.mm.al.g");
var k=Java.use("com.tencent.mm.model.k");
k.a.overload('android.content.Intent', 'com.tencent.mm.protocal.protobuf.cyw', 'int').implementation=function(arg1,arg2,arg3){
// 获取其他信息
var rel = this.a(arg1,arg2,arg3)
var bundle = arg1.getExtras()
var result = "{";
var keyset = bundle.keySet();
var it = keyset.iterator();
while(it.hasNext()){
var keystr = it.next().toString();
var valuestr = bundle.getString(keystr);
var map= "\""+keystr+"\":\""+valuestr+"\",";
result+=map
}
console.log(result);
return rel
}
// //日志函数
// var ae=Java.use("com.tencent.mm.sdk.platformtools.ae");
// ae.i.overload('java.lang.String', 'java.lang.String', '[Ljava.lang.Object;').implementation=function(arg1,arg2,arg3){
// if (arg1 == "MicroMsg.NetSceneSearchContact"){
// if (arg3 == null){
// console.log(arg1 + ">>>" +arg2 )
// }else{
// console.log(arg1 + ">>>" +arg2 + ">>>" +arg3)
// }
// }
//
// this.i(arg1,arg2,arg3)
// }
// var d=Java.use("com.tencent.mm.aj.d");
// d.b.overload('java.lang.String', 'boolean', 'int', 'com.tencent.mm.aj.b').implementation=function(arg1,arg2,arg3,arg4){
// send(arg1)
// send(arg2)
// send(arg3)
// var result= this.b(arg1,arg2,arg3,arg4)
// console.log(result == null)
// console.log("已经返回")
// return result
// }
// var e=Java.use("com.tencent.mm.aj.e");
// e.DA.overload("java.lang.String").implementation=function(arg1){
// console.log(this.hPt.value.hOQ.value.getClass().getName())
// var result= this.DA(arg1)
// return result
// }
//捕捉设置的图片
// var ah=Java.use("com.tencent.mm.sdk.platformtools.ah");
// ah.put.overload('java.lang.Object', 'java.lang.Object').implementation=function(arg1,arg2){
// console.log("map put")
// console.log(arg1.toString())
// console.log(Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Exception").$new()));
// var result= this.put(arg1,arg2)
// return result
// }
var j=Java.use("com.tencent.mm.aj.j");
j.b.overload('com.tencent.mm.aj.i').implementation=function(arg1){
// 小图和大图
console.log(arg1.aEG())
console.log(arg1.aEH())
var result= this.b(arg1)
return result
}
});