1直接Hook大法
废话不多说，咱们直接开始。这次分析的版本是 9.5.1.0。
请出我们的老朋友frida直接干
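// Frida hook for NetworkParams.tryAddSecurityFactor(String, Map).
// Logs the string argument, every key/value in the Map argument and the
// method's return value, then forwards the call to the original method so
// the app's behaviour is unchanged. Must run inside Java.perform so the
// Java bridge is attached to the target process.
Java.perform(function() {
    var className = "com.bytedance.frameworks.baselib.network.http.NetworkParams"; // target class
    var methodName = "tryAddSecurityFactor"; // target method
    var hook = Java.use(className);

    hook[methodName].overload('java.lang.String', 'java.util.Map').implementation = function(str, map) {
        console.log("Hooking " + methodName + "...");
        console.log("str: " + str);

        // Dumping the Map is purely diagnostic. If the argument is null, or
        // a key/value cannot be stringified, an exception raised here would
        // propagate into the app and abort the original call, so guard it
        // and always fall through to the forwarding below.
        try {
            if (map === null) {
                console.log("map: null");
            } else {
                var keys = map.keySet().toArray();
                for (var i = 0; i < keys.length; i++) {
                    var key = keys[i];
                    var value = map.get(key);
                    console.log("Key: " + key + ", Value: " + value);
                }
            }
        } catch (e) {
            console.log("Failed to dump map: " + e);
        }

        // Forward to the original implementation and report what it returned.
        var result = this[methodName](str, map);
        console.log("Result: " + result);
        return result;
    };
});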
这一套下来，X------ 系列参数全都有了。但是作为调用来说还差点意思：每次都要启动一台机器来跑很麻烦，还担心 app 会挂掉。
2掏出我们的ExAndroidNativeEmu
还是废话不多说上代码
def get_sign(url, header_str):
    """Compute the request signature headers by running libmetasec_ml.so in an emulator.

    Sets up a fresh ExAndroidNativeEmu instance, loads the emulated libc and
    libmetasec_ml.so from the vfs directory, registers the Java classes the
    native code calls back into, runs JNI_OnLoad, and then calls the signing
    routine with the URL and the serialized headers.

    Args:
        url: request URL passed to the native signing routine.
        header_str: request headers, serialized into a single string in whatever
            format the native routine expects (not visible here).

    Returns:
        dict mapping the six header names returned by the native routine to
        their values.

    Raises:
        IndexError: if the native routine returns fewer than 12 newline-separated
            fields (the dict literal below indexes sign_list[0..11] unconditionally).
    """
    # vfs root is resolved relative to this file. g_vfs_path is already absolute
    # (os.path.abspath), so the posixpath.join below simply yields g_vfs_path.
    g_vfs_path = "%s/vfs" % os.path.dirname(os.path.abspath(__file__))
    # NOTE(review): a new emulator (and a fresh library load + JNI_OnLoad) is
    # created on every call; the setup is not cached between invocations.
    emulator = Emulator(vfs_root=posixpath.join(posixpath.dirname(__file__), g_vfs_path), muti_task=True)
    vfs_path = emulator.get_vfs_root()
    libcm = emulator.load_library("%s/system/lib/libc.so" % vfs_path)
    # do_init=False: the library's initializers are skipped; JNI_OnLoad is invoked
    # explicitly below instead.
    libml = emulator.load_library("%s/data/data/com.ss.android.ugc.aweme/libmetasec_ml.so" % vfs_path, do_init=False)
    # Java classes the native code is expected to call back into. These are
    # defined elsewhere in the project; their contents are not visible here.
    emulator.java_classloader.add_class(ms_bd_c_k)
    emulator.java_classloader.add_class(ms_bd_c_a0)
    emulator.java_classloader.add_class(MS)
    emulator.java_classloader.add_class(java_lang_Thread)
    emulator.call_symbol(libml, 'JNI_OnLoad', emulator.java_vm.address_ptr, 0x00)
    # Allocate the two C strings inside the emulated heap and copy the inputs in.
    # NOTE(review): these buffers are never freed; each call leaks them in the
    # emulated heap (harmless here only because the emulator is per-call).
    url_addr = emulator.call_symbol(libcm, 'malloc', len(url) + 1)
    header_str_addr = emulator.call_symbol(libcm, 'malloc', len(header_str) + 1)
    memory_helpers.write_utf8(emulator.mu, url_addr, url)
    memory_helpers.write_utf8(emulator.mu, header_str_addr, header_str)
    # NOTE(review): `v:Dyfwsdy` is garbled in this copy and is not valid Python.
    # It stands in for the offset of the signing routine inside libmetasec_ml.so,
    # which has to be recovered from the actual binary for this version. The
    # trailing `+ 1` presumably marks a Thumb-mode entry point — confirm.
    result_addr = emulator.call_native(libml.base + v:Dyfwsdy + 1, url_addr, header_str_addr)
    result = memory_helpers.read_utf8(emulator.mu, result_addr)
    # The native routine returns name/value pairs one per line. Normalize the
    # separator so '\r\n' and '\n' both split the same way.
    sign = result.replace('\n', '@@@@').replace('\r', '')
    sign_list = sign.split('@@@@')
    # Pair consecutive fields as name -> value. Exactly six pairs are expected;
    # anything shorter raises IndexError, anything longer is silently ignored.
    json_sign = {
        sign_list[0]: sign_list[1],
        sign_list[2]: sign_list[3],
        sign_list[4]: sign_list[5],
        sign_list[6]: sign_list[7],
        sign_list[8]: sign_list[9],
        sign_list[10]: sign_list[11],
    }
    return json_sign
这一套下来拿捏