|
构造完整脚本如下:
- import frida, sys
-
- def on_message(message, data):
- if message['type'] == 'send':
- print("[*] {0}".format(message['payload']))
- else:
- print(message)
-
- jscode = """
- Java.perform(function () {
- var HttpClientSslHelper = Java.use('com.frankzhu.androidhttpsdemo.HttpClientSslHelper');
- var Log = Java.use('android.util.Log');
- HttpClientSslHelper.getSslContextByCustomTrustManager.implementation = function () {
- var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');
- var SSLContext = Java.use('javax.net.ssl.SSLContext');
- var TrustManager = Java.registerClass({
- name: 'com.frankzhu.androidhttpsdemo.test',
- implements: [X509TrustManager],
- methods: {
- checkClientTrusted: function (chain, authType) {
- },
- checkServerTrusted: function (chain, authType) {
- Log.d("Frida Hook checkServerTrusted()", "Success!!!");
- send("Frida Hook checkServerTrusted() Success!!!");
- },
- getAcceptedIssuers: function () {
- return [];
- }
- }
- });
- // Prepare the TrustManagers array to pass to HttpClientSslHelper.sslContext.init()
- var TrustManagers = [TrustManager.$new()];
- send("Custom, Empty TrustManager ready");
- // Override the init method, specifying our new TrustManager
- var sslContext = SSLContext.getInstance("TLS");
- sslContext.init(null, TrustManagers, null);
- //return的值类型必须与原来的相同,否则会出现Error: Implementation for getSslContextByCustomTrustManager expected return value compatible with 'javax.net.ssl.SSLContext',同时导致应用崩溃
- //源码里有private static SSLContext sslContext = null;如果想通过this.sslContext使用该变量,一定要注意Hook的时机,要在sslContext变为对象后再Hook,这样就不会出现应用异常崩溃
- return sslContext;
- }
- });
- """
-
- process = frida.get_remote_device().attach('com.frankzhu.androidhttpsdemo')
- script = process.create_script(jscode)
- script.on('message', on_message)
- script.load()
- sys.stdin.read()
(编辑:泰州站长网)
【声明】本站内容均来自网络,其相关言论仅代表作者个人观点,不代表本站立场。若无意侵犯到您的权利,请及时与联系站长删除相关内容!
|
