hook--Map的put通用脚本
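import frida
import sys

# Generic hook: log java.util.TreeMap.put(key, value) calls whose key is "data".
# Whatever the hook prints is live application data, so captured output can
# hold request bodies or tokens and should be stored accordingly.
rdev = frida.get_remote_device()
session = rdev.attach("xxx")  # "xxx" is the placeholder target name from the original

scr = """
Java.perform(function () {
    var TreeMap = Java.use('java.util.TreeMap');

    TreeMap.put.implementation = function (key, value) {
        // Loose equality is kept from the original.
        // NOTE(review): key presumably arrives as a Java object wrapper, so the
        // comparison relies on string coercion -- confirm before tightening to ===.
        if (key == "data") {
            console.log(key, value);
        }
        // Call through to the real put() so the map keeps working.
        var res = this.put(key, value);
        return res;
    };
});
"""

script = session.create_script(scr)


def on_message(message, data):
    """Print each message (and its optional payload) received from the script."""
    print(message, data)


script.on("message", on_message)
script.load()
# Block here so the process stays alive while the hook reports; the original
# imported sys but never waited, unlike the sibling scripts on this page.
sys.stdin.read()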
hook--StringBuilder
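import frida
import sys

# Hook java.lang.StringBuilder.toString() and print every string it produces.
# This fires for every StringBuilder in the process, so the output is very
# noisy and can include secrets assembled as strings; filter and store it
# with that in mind.
rdev = frida.get_remote_device()
session = rdev.attach("xxx")  # "xxx" is the placeholder target name from the original

scr = """
Java.perform(function () {
    var StringBuilder = Java.use("java.lang.StringBuilder");

    StringBuilder.toString.implementation = function () {
        // Run the real toString() first, log its result, then hand it back unchanged.
        var res = this.toString();
        console.log(res);
        return res;
    };
});
"""

script = session.create_script(scr)


def on_message(message, data):
    """Print each message (and its optional payload) received from the script."""
    print(message, data)


script.on("message", on_message)
script.load()
# Keep the process alive while the hook is reporting.
sys.stdin.read()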
hook--Base64
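import frida
import sys

# Hook android.util.Base64.encodeToString(byte[], int) and print its result.
# Base64 is an encoding, not encryption: the log label below ("加密了") is the
# author's wording and is left as written.
rdev = frida.get_remote_device()
session = rdev.attach("xxx")  # "xxx" is the placeholder target name from the original

scr = """
Java.perform(function () {
    var Base64 = Java.use("android.util.Base64");

    // '[B' is the JVM signature for byte[]; 'int' is the flags argument.
    Base64.encodeToString.overload('[B', 'int').implementation = function (bArr, val) {
        var res = this.encodeToString(bArr, val);
        console.log("加密了-->", res);
        return res;
    };
});
"""

script = session.create_script(scr)


def on_message(message, data):
    """Print each message (and its optional payload) received from the script."""
    print(message, data)


script.on("message", on_message)
script.load()
# Keep the process alive while the hook is reporting.
sys.stdin.read()
# Author's note: searching the output for the request data showed that the
# hook had captured it.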
hook--拦截器
// hook_Interceptor.js
// Logs each interceptor handed to okhttp3.OkHttpClient$Builder.addInterceptor()
// and then lets the original registration proceed.
Java.perform(function () {
    var OkHttpBuilder = Java.use('okhttp3.OkHttpClient$Builder');

    OkHttpBuilder.addInterceptor.implementation = function (inter) {
        // Prints whatever JSON.stringify yields for the wrapper.
        // NOTE(review): presumably this identifies the concrete interceptor class -- confirm.
        var description = JSON.stringify(inter);
        console.log(description);
        return this.addInterceptor(inter);
    };
});
// frida -Uf com.hupu.shihuo -l hook_Interceptor.js -o all_interceptor3.txt
hook--so文件的函数
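import frida
import sys

# Hook a native export of libJNIEncrypt.so and print its string arguments and
# return value.
# NOTE(review): the export name suggests AES-128 in ECB mode; if so, ECB leaks
# plaintext structure and is worth recording as a finding in its own right.
rdev = frida.get_remote_device()
session = rdev.attach("xxx")  # "xxx" is the placeholder target name from the original

scr = """
Java.perform(function () {
    // 1. Locate the .so (libJNIEncrypt.so); the second argument is the name of
    //    the function to hook and the result is that function's address.
    var addr_func = Module.findExportByName("libJNIEncrypt.so", "AES_128_ECB_PKCS5Padding_Encrypt");
    if (addr_func === null) {
        // Nothing to attach to (for example, the library is not loaded yet).
        console.log("export not found: libJNIEncrypt.so!AES_128_ECB_PKCS5Padding_Encrypt");
        return;
    }

    // 2. Attach to the address found above.
    Interceptor.attach(addr_func, {
        onEnter: function (args) {
            console.log("--------------------------执行函数--------------------------");
            // NOTE(review): assumes both arguments are NUL-terminated UTF-8 strings;
            // v11 / v8 look like decompiler variable names -- confirm.
            console.log("参数1-v11:", args[0].readUtf8String());
            console.log("参数2-v8:", args[1].readUtf8String());
        },
        onLeave: function (retValue) {
            // NOTE(review): assumes the return value points to a UTF-8 string -- confirm.
            console.log(":::", retValue.readUtf8String());
        }
    });
});
"""
script = session.create_script(scr)


def on_message(message, data):
    """Print each message (and its optional payload) received from the script."""
    print(message, data)


script.on("message", on_message)
script.load()
# Keep the process alive while the hook is reporting.
sys.stdin.read()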
遍历打印app运行时加载了哪些so文件
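import frida
import sys

# Spawn the app suspended, hook the dynamic loader, then resume: prints the
# path of every shared library passed to dlopen / android_dlopen_ext.
rdev = frida.get_remote_device()
pid = rdev.spawn(["com.xxx"])  # "com.xxx" is the placeholder package from the original
session = rdev.attach(pid)

scr = """
// Interceptor and Module are not part of the Java bridge, so the hooks are
// installed directly when the script loads, i.e. before resume().
// NOTE(review): the original wrapped this in Java.perform, which may defer its
// callback in a freshly spawned process and so miss early loads -- verify.
function logLibraryLoads(symbol, label) {
    var addr = Module.findExportByName(null, symbol);
    if (addr === null) {
        // The symbol is not exported on this device; skip instead of throwing.
        console.log("[skip] export not found:", symbol);
        return;
    }
    Interceptor.attach(addr, {
        onEnter: function (args) {
            var path_ptr = args[0];
            // A NULL filename names no library file, so there is no path to print.
            if (path_ptr.isNull()) {
                return;
            }
            console.log(label, path_ptr.readCString());
        }
    });
}

logLibraryLoads("dlopen", "[dlopen:]");
logLibraryLoads("android_dlopen_ext", "[dlopen_ext:]");
"""

script = session.create_script(scr)


def on_message(message, data):
    """Print each message (and its optional payload) received from the script."""
    print(message, data)


script.on("message", on_message)
script.load()
# Resume only after the hooks are in place.
rdev.resume(pid)
# Keep the process alive while the hooks are reporting.
sys.stdin.read()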
打印调用栈
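import frida
import sys

# Hook a method and print the Java call stack each time it runs, to see which
# code path reaches it.
rdev = frida.get_remote_device()
session = rdev.attach("xxx")  # "xxx" is the placeholder target name from the original

scr = """
Java.perform(function () {
    // "xxx" is the placeholder class name from the original (its closing quote was missing).
    var h = Java.use("xxx");

    h.t2.implementation = function (str) {
        console.log("设置session", str);
        // Pass the original result back so a non-void t2 keeps working.
        var ret = this.t2(str);
        // Call stack: a fresh Throwable rendered through android.util.Log.
        console.log(Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Throwable").$new()));
        return ret;
    };
});
"""
script = session.create_script(scr)
script.load()
# Keep the process alive while the hook is reporting.
sys.stdin.read()

# Sample output from the original page. The first line carries a session
# value, so logs like this should be handled as sensitive.
#
# 设置session 69a5568e29c5f5bb120901435e2bd98281c1969d
# java.lang.Throwable
#     at t3.a.i.b.i$j.onPrepared(BL:6)
#     at tv.danmaku.ijk.media.player.AbstractMediaPlayer.notifyOnPrepared(BL:2)
#     at tv.danmaku.ijk.media.player.IjkMediaPlayer$EventHandler.handleMessage(BL:107)
#     at android.os.Handler.dispatchMessage(Handler.java:106)
#     at android.os.Looper.loop(Looper.java:223)
#     at android.app.ActivityThread.main(ActivityThread.java:7656)
#     at java.lang.reflect.Method.invoke(Native Method)
#     at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:592)
#     at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:947)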
rpc调用so文件函数
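import frida

# Expose an in-app Java method over Frida RPC so it can be called from Python.
rdev = frida.get_remote_device()
session = rdev.attach("xxx")  # "xxx" is the placeholder target name from the original

scr = """
rpc.exports = {
    encrypt: function (a1, a2, a3) {
        // Return a Promise so the result is delivered even if Java.perform runs
        // its callback later, and so Java-side errors reach the caller instead
        // of surfacing as an undefined result.
        return new Promise(function (resolve, reject) {
            Java.perform(function () {
                try {
                    // package.Class
                    var Crypt = Java.use("com.xxx.Crypt");
                    // Method on that class, invoked through the class wrapper.
                    resolve(Crypt.encrypt_data(a1, a2, a3));
                } catch (e) {
                    reject(e);
                }
            });
        });
    }
};
"""
script = session.create_script(scr)
script.load()

# Call the export from Python.
sign = script.exports.encrypt(0, "abcdefg", 7)
print(sign)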