| // to speed up, I removed all data validation | |
| function MemoryBuffer(address, size) { | |
| this.base = address | |
| if (!size) { | |
| // const range = Process.findRangeByAddress(address) | |
| // if (!range) | |
| // throw new Error('invalid address: ' + address) |
| #include "enc_str.h" | |
| #include <cstdio> | |
| static_assert(next_prime<next_prime<4>> == next_prime<4> && next_prime<4> == 5, "??"); | |
| static constexpr auto j = "I love vvb2060 and she's my wife."_senc; | |
| static constexpr auto k = ".."_senc; | |
| static constexpr auto l = j + k; | |
| int main() { |
Most of the time, applications won't pin the certificate. Running mitmproxy and passing all Android traffic through it is as simple as adb connect <IP> && adb shell settings put global http_proxy <mitmproxy host>:<mitmproxy port> (or use Android's UI)
Some applications, however, pin the certificate and will refuse to do any network calls if using mitmproxy.
Luckily, Frida is here!
This assumes Android x86 is running in a VM, that you are a developer in Android (tap the build version enough times), adb debugging is enabled, and that android tools are installed on the host.
| import { log } from "./logger"; | |
| import { AssertionError } from "assert"; | |
| const libil2cpp = Process.getModuleByName("libil2cpp.so"); | |
| const libil2cppb = libil2cpp.base; | |
| const playerinfo_serialize = libil2cppb.add(0x6c2e30); | |
| const playerinfo_deserialize = libil2cppb.add(0x6c316c); | |
| console.log("Starting script.."); | |
| function readString(pointr:NativePointer){ |
| /** | |
| * run the script to a running app: frida -U "appName" -l flutter_ios.js --no-pause | |
| * start app direct with the script: frida -Uf bundleIdentifier -l flutter_ios.js --no-pause | |
| */ | |
| // ############################################# | |
| // HELPER SECTION START | |
| var colors = { | |
| "resetColor": "\x1b[0m", | |
| "green": "\x1b[32m", | |
| "yellow": "\x1b[33m", |
| Java.perform(function () { | |
| var act = Java.use("android.app.Activity"); | |
| act.getIntent.overload().implementation = function () { | |
| var intent = this.getIntent() | |
| var cp = intent.getComponent() | |
| console.log("Starting " + cp.getPackageName() + "/" + cp.getClassName()) | |
| var ext = intent.getExtras(); | |
| if (ext) { | |
| var keys = ext.keySet() | |
| var iterator = keys.iterator() |
| function get_url(url){ | |
| if(!url){ | |
| url = "http://www.baidu.com"; | |
| } | |
| Java.perform(function(){ | |
| console.log("==========================get_url Begin=========================="); | |
| var URL = Java.use("java.net.URL"); | |
| var objURL = URL.$new(url); | |
| var openstream = objURL.openStream(); | |
| var InputStream = Java.use("java.io.InputStream"); |
| var target_fn = "open" | |
| //target module can be set to null, but it will cause lower speed. | |
| var target_module = "libc.so" | |
| var callback_obj = | |
| { | |
| onEnter: function (args) { | |
| var path = Memory.readUtf8String(args[0]); | |
| path = path.replace("\n",""); |
| { | |
| console.log("SIMON TEST Begin!"); | |
| console.log("Java.available:" + Java.available); | |
| console.log("SIMON TEST End!"); | |
| if(Java.available){ | |
| Java.perform(function(){ | |
