效果展示
环境
雷电模拟器Android版本: 7.1.2
Android Studio版本: 4.1.2
jadx-gui版本: 1.2.0
流程
用autojs打包app, 安装到雷电模拟器
用jadx-gui查看app, 主要是查看包名类名
执行frida的hook命令, hook可疑的类, 主要是包含decrypt的类名
打印可疑decrypt方法的参数和返回值, 脚本内容就直接出来了
autojs的测试代码
- main.js
engines.execScriptFile("./dog.js");
- dog.js
let result = “dog is running!”;
toastLog(result);
frida的Hook代码
- hook.js
Java.perform(function () {
var String = Java.use(“java.lang.String”);
var clazz5 = Java.use(“com.stardust.autojs.engine.encryption.ScriptEncryption”);
clazz5.decrypt.implementation = function (a, b, c) {
console.log(“com.stardust.autojs.engine.encryption.ScriptEncryption”);
console.log(“a =”);
console.log(a);
console.log(“b =”);
console.log(b);
console.log(“c =”);
console.log©;
let result = this.decrypt(a, b, c);
let s = String.$new(result);
console.log(“s ====================”);
console.log(s);
return result;
};
});
- 打印方法堆栈
function trace() {
var throwable = Java.use(“java.lang.Throwable”);
send(
“Backtrace:\n\t” +
throwable
.$new()
.getStackTrace()
.map((traceElement) => traceElement.toString() + “\n\t”)
.join("")
);
}
- 方法堆栈
com.stardust.autojs.engine.encryption.ScriptEncryption.decrypt(Native Method)
com.stardust.autojs.engine.encryption.ScriptEncryption
C
o
m
p
a
n
i
o
n
.
d
e
c
r
y
p
t
(
)
c
o
m
.
s
t
a
r
d
u
s
t
.
a
u
t
o
j
s
.
e
n
g
i
n
e
.
e
n
c
r
y
p
t
i
o
n
.
S
c
r
i
p
t
E
n
c
r
y
p
t
i
o
n
Companion.decrypt() com.stardust.autojs.engine.encryption.ScriptEncryption
Companion.decrypt()com.stardust.autojs.engine.encryption.ScriptEncryptionCompanion.decrypt$default()
d.g.c.o.g.a.b(:4)
d.g.c.o.g.a.doExecution(:2)
com.stardust.autojs.engine.JavaScriptEngine.execute()
com.stardust.autojs.engine.LoopBasedJavaScriptEngine.access$001()
d.g.c.n.c.run(:2)
android.os.Handler.handleCallback(Handler.java:751)
android.os.Handler.dispatchMessage(Handler.java:95)
android.os.Looper.loop(Looper.java:154)
com.stardust.autojs.engine.LoopBasedJavaScriptEngine.execute()
com.stardust.autojs.engine.LoopBasedJavaScriptEngine.execute()
com.stardust.autojs.execution.LoopedBasedJavaScriptExecution.doExecution()
com.stardust.autojs.execution.RunnableScriptExecution.execute()
com.stardust.autojs.execution.RunnableScriptExecution.execute()
com.stardust.autojs.execution.RunnableScriptExecution.run()
java.lang.Thread.run(Thread.java:761)
- 可疑类, 用jadx搜索关键词 decrypt
com.stardust.autojs.engine.encryption.ScriptEncryption.decrypt(byte[], int, int)
com.stardust.autojs.engine.encryption.ScriptEncryption.decrypt
d
e
f
a
u
l
t
(
S
c
r
i
p
t
E
n
c
r
y
p
t
i
o
n
s
c
r
i
p
t
E
n
c
r
y
p
t
i
o
n
,
b
y
t
e
[
]
b
A
r
r
,
i
n
t
i
2
,
i
n
t
i
3
,
i
n
t
i
4
,
O
b
j
e
c
t
o
b
j
)
c
o
m
.
s
t
a
r
d
u
s
t
.
a
u
t
o
j
s
.
e
n
g
i
n
e
.
e
n
c
r
y
p
t
i
o
n
.
S
c
r
i
p
t
E
n
c
r
y
p
t
i
o
n
.
d
e
c
r
y
p
t
(
b
y
t
e
[
]
b
A
r
r
,
i
n
t
i
2
,
i
n
t
i
3
)
c
o
m
.
s
t
a
r
d
u
s
t
.
a
u
t
o
j
s
.
p
r
o
j
e
c
t
.
P
r
o
j
e
c
t
C
o
n
f
i
g
.
S
c
r
i
p
t
E
n
c
r
y
p
t
i
o
n
default(ScriptEncryption scriptEncryption, byte[] bArr, int i2, int i3, int i4, Object obj) com.stardust.autojs.engine.encryption.ScriptEncryption.decrypt(byte[] bArr, int i2, int i3) com.stardust.autojs.project.ProjectConfig.ScriptEncryption
default(ScriptEncryptionscriptEncryption,byte[]bArr,inti2,inti3,inti4,Objectobj)com.stardust.autojs.engine.encryption.ScriptEncryption.decrypt(byte[]bArr,inti2,inti3)com.stardust.autojs.project.ProjectConfig.ScriptEncryptionCompanion.decrypt(byte[] bArr, int i2, int i3)
总结
脚本打包使用离线加密的时候, javascript脚本本身应该先混淆一遍, 然后再用离线打包,
或者, 直接使用自带的离线Dex加密 或者 离线Snapshot加密
- List item