forked from CrackerCat/frida_app_hook
-
Notifications
You must be signed in to change notification settings - Fork 0
/
hangluzhonghen.js
73 lines (71 loc) · 4.05 KB
/
hangluzhonghen.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
// 航旅纵横 6.0.6 加密等位到 UmeJni.sub_0515
// frida -U -l hangluzhonghen.js -f com.umetrip.android.msky.app --no-pause
// frida hook Android签名 this.f.value.getPackageManager().getPackageInfo("com.umetrip.android.msky.app",0x00000040).signatures.value
function javaHook(){
Java.perform(function () {
var XlogUtil=Java.use("com.umetrip.android.msky.lib_xlog.XlogUtil");
XlogUtil.a.overload('java.lang.String', 'int', 'java.lang.String', '[Ljava.lang.Object;').implementation=function(arg1,arg2,arg3,arg4){
console.log(Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Exception").$new()));
console.log(arg1)
console.log(arg2)
console.log(arg3)
this.a(arg1,arg2,arg3,arg4)
}
send("Success!")
var UmeRequestManager = Java.use('com.umetrip.android.umehttp.utils.UmeRequestManager');
UmeRequestManager.a.overload('android.app.Application', 'java.lang.String', 'com.umetrip.android.umehttp.listener.ILoadingProvider', 'com.umetrip.android.umehttp.listener.IErrorHandler').implementation = function (arg1,arg2,arg3,arg4) {
send("Hook show Start.. ffff.");
console.log(Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Exception").$new()));
return this.a(arg1,arg2,arg3,arg4);
}
var RequestBodyBuilder = Java.use('com.umetrip.android.umehttp.RequestBodyBuilder');
RequestBodyBuilder.a.overload('java.lang.Object', 'java.lang.String', 'java.lang.String', 'java.lang.String').implementation = function (arg1,arg2,arg3,arg4) {
send("Hook onCreate Start.. ffff.");
console.log(this.f.value.getClass().getName())
console.log(this.f.value.getPackageManager().getClass().getName())
console.log(this.f.value.getPackageManager().getPackageInfo("com.umetrip.android.msky.app",0x00000040).getClass().getName())
var info = this.f.value.getPackageManager().getPackageInfo("com.umetrip.android.msky.app",0x00000040).signatures.value
console.log(info[0].toCharsString())
return this.a(arg1,arg2,arg3,arg4);
}
});
}
javaHook();
function soHook(){
var base_address=Module.findBaseAddress('libumejni.so');
if (base_address!=null){
console.log("soHook start");
var str;
Java.perform(function () {
str = Java.use("java.lang.String");
});
Interceptor.attach(base_address.add(0xc445), {
onEnter: function (args) {
console.log("hook onEnter")
// console.log("param1>>>>>>>" + args[0].readCString());
// console.log("param1>>>>>>>" + Memory.readUtf16String(args[0]));
// readAnsiString
},
onLeave: function (retval) {
console.log("hook onLeave")
}
});
Interceptor.attach(base_address.add(0xc534), {
onEnter: function (args) {
console.log("hook 0xc534 onEnter")
// console.log("param1>>>>>>>" + args[0].readCString());
// console.log("param1>>>>>>>" + Memory.readUtf16String(args[0]));
// readAnsiString
},
onLeave: function (retval) {
console.log("hook 0xc534 onLeave")
}
});
}
}
// soHook();
/*
[RegisterNatives] java_class: com.umetrip.android.umehttp.security.UmeJni name: sub_0515 sig: (Ljava/lang/Object;Ljava/lang/String;)Ljava/lang/String; fnPtr: 0x9df52445 module_name: libumejni.so module_base: 0x9df46000 offset: 0xc445
[RegisterNatives] java_class: com.umetrip.android.umehttp.security.UmeJni name: sub_0516 sig: (Ljava/lang/Object;Ljava/lang/String;)Ljava/lang/String; fnPtr: 0x9df5243d module_name: libumejni.so module_base: 0x9df46000 offset: 0xc43d
[RegisterNatives] java_class: com.umetrip.android.umehttp.security.UmeJni name: sub_0517 sig: (Ljava/lang/Object;Ljava/lang/String;)Ljava/lang/String; fnPtr: 0x9df5c331 module_name: libumejni.so module_base: 0x9df46000 offset: 0x16331
*/