{"id":1395,"date":"2024-04-29T18:59:54","date_gmt":"2024-04-29T10:59:54","guid":{"rendered":"http:\/\/www.xiaosuigu.top\/?p=1395"},"modified":"2024-04-29T18:59:54","modified_gmt":"2024-04-29T10:59:54","slug":"%e8%af%81%e4%b9%a6%e6%a3%80%e6%b5%8b","status":"publish","type":"post","link":"https:\/\/www.xiaosuigu.top\/index.php\/2024\/04\/29\/%e8%af%81%e4%b9%a6%e6%a3%80%e6%b5%8b\/","title":{"rendered":"\u8bc1\u4e66\u68c0\u6d4b"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">\u5355\u5411\u68c0\u6d4b<\/h2>\n\n\n\n<div  class='collapse-block shadow-sm collapse-block-transparent collapsed hide-border-left'><div class='collapse-block-title'><span class='collapse-block-title-inner'>\u5c06https\u6539\u4e3ahttp<\/span><i class='collapse-icon fa fa-angle-down'><\/i><\/div><div class='collapse-block-body' style='display:none;'><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>function tryGetClass(className) {\n    var clz = undefined;\n    try {\n        clz = Java.use(className);\n    } catch(e) {}\n    return clz;\n}\n\nfunction newMethodBeat(text, executor) {\n    var threadClz = Java.use(\"java.lang.Thread\");\n    var androidLogClz = Java.use(\"android.util.Log\");\n    var exceptionClz = Java.use(\"java.lang.Exception\");\n    var currentThread = threadClz.currentThread();\n    var beat = new Object();\n    beat.invokeId = Math.random().toString(36).slice( - 8);\n    beat.executor = executor;\n    beat.threadId = currentThread.getId();\n    beat.threadName = currentThread.getName();\n    beat.text = text;\n    beat.startTime = new Date().getTime();\n    beat.stackInfo = androidLogClz.getStackTraceString(exceptionClz.$new()).substring(20);\n    return beat;\n};\n\nfunction printBeat(beat) {\n    var str = (\"------------startFlag:\" + beat.invokeId + \",objectHash:\" + beat.executor + \",thread(id:\" + beat.threadId + \",name:\" + beat.threadName + \"),timestamp:\" + beat.startTime + \"---------------\\n\");\n    str += beat.text + \"\\n\";\n    str += beat.stackInfo;\n    str += (\"------------endFlag:\" + beat.invokeId + \",usedtime:\" + (new Date().getTime() - beat.startTime) + \"---------------\\n\");\n    console.log(str);\n};\n\nvar containRegExps = new Array()\n\nvar notContainRegExps = new Array(RegExp(\/\\.jpg\/), RegExp(\/\\.png\/))\n\nfunction check(str) {\n    str = str.toString();\n    if (! (str &amp;&amp; str.match)) {\n        return false;\n    }\n    for (var i = 0; i &lt; containRegExps.length; i++) {\n        if (!str.match(containRegExps&#091;i])) {\n            return false;\n        }\n    }\n    for (var i = 0; i &lt; notContainRegExps.length; i++) {\n        if (str.match(notContainRegExps&#091;i])) {\n            return false;\n        }\n    }\n    return true;\n}\n\nJava.perform(function() {\n    var uriParseClz = Java.use('java.net.URI');\n    var uriParseClzConstruct = uriParseClz.$init.overload(\"java.lang.String\");\n    uriParseClzConstruct.implementation = function(url) {\n        var result = uriParseClzConstruct.call(this, url);\n        var executor = this.hashCode();\n        var beatText = \"url:\" + url + \"\\npublic java.net.URI(String)\";\n        var beat = newMethodBeat(beatText, executor);\n        if (check(url)) {\n            printBeat(beat);\n        }\n        return result;\n    };\n\n    \/\/ URL\n    var URLClz = Java.use('java.net.URL');\n    var androidLogClz = Java.use(\"android.util.Log\");\n    var exceptionClz = Java.use(\"java.lang.Exception\");\n    var urlConstruct = URLClz.$init.overload(\"java.lang.String\");\n    urlConstruct.implementation = function(url) {\n        url = url.replace(\"https\", \"http\");\n        var result = urlConstruct.call(this, url);\n        var executor = this.hashCode();\n        var beatText = \"url:\" + url + \"\\npublic java.net.URL(String)\";\n        var beat = newMethodBeat(beatText, executor);\n        if (check(url)) {\n            printBeat(beat);\n        }\n        return result;\n    };\n\n    \/\/ok\u7cfb\u7edf\u539f\u751f\u652f\u6301\n    var sysBuilderClz = tryGetClass('com.android.okhttp.Request$Builder');\n    if (sysBuilderClz) {\n        sysBuilderClz.build.implementation = function() {\n            var okRequestResult = this.build();\n            var httpUrl = okRequestResult.url();\n            var url = httpUrl.toString();\n            var executor = this.hashCode();\n            var beatText = \"url:\" + url + \"\\ncom.android.okhttp.Request.Builder.build()\";\n            var beat = newMethodBeat(beatText, executor);\n            if (check(url)) {\n                printBeat(beat);\n            }\n            return okRequestResult\n        };\n    }\n\n    \/\/ok\u672c\u5730\u4f9d\u8d56\n    var builderClz = tryGetClass('okhttp3.Request$Builder');\n    if (builderClz) {\n        var buildFunc = builderClz.build.overload();\n        buildFunc.implementation = function() {\n            var okRequestResult = buildFunc.call(this);\n            var httpUrl = okRequestResult.url();\n            var url = httpUrl.toString();\n            var executor = this.hashCode();\n            var beatText = \"url:\" + url + \"\\nokhttp3.Request.Builder.build()\";\n            var beat = newMethodBeat(beatText, executor);\n            if (check(url)) {\n                printBeat(beat);\n            }\n            return okRequestResult\n        };\n    }\n\n    var android_net_Uri_clz = Java.use('android.net.Uri');\n    var android_net_Uri_clz_method_parse_u5rj = android_net_Uri_clz.parse.overload('java.lang.String');\n    android_net_Uri_clz_method_parse_u5rj.implementation = function(url) {\n        var executor = 'Class';\n        var beatText = url + '\\npublic static android.net.Uri android.net.Uri.parse(java.lang.String)';\n        var beat = newMethodBeat(beatText, executor);\n        var ret = android_net_Uri_clz_method_parse_u5rj.call(android_net_Uri_clz, url);\n        if (check(url)) {\n            printBeat(beat);\n        }\n        return ret;\n    };\n});\n\n \/\/ frida -Uf package --no-pause -l find_url.js\n\n<\/code><\/pre>\n\n\n\n<p><\/div><\/div>\n\n\n\n<div  class='collapse-block shadow-sm collapse-block-transparent collapsed hide-border-left'><div class='collapse-block-title'><span class='collapse-block-title-inner'>\u8986\u76d6\u68c0\u6d4b<\/span><i class='collapse-icon fa fa-angle-down'><\/i><\/div><div class='collapse-block-body' style='display:none;'><\/p>\n\n\n\n<p><a href=\"https:\/\/github.com\/WooyunDota\/DroidSSLUnpinning\/tree\/master\">GitHub &#8211; WooyunDota\/DroidSSLUnpinning: Android certificate pinning disable tools<\/a><\/p>\n\n\n\n<p><\/div><\/div>\n\n\n\n<p><strong>\u4f7f\u7528\u547d\u4ee4<\/strong><\/p>\n\n\n\n<p><code>frida -Uf package --no-pause -l hook\u811a\u672c\u540d\u79f0.js<\/code><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u53cc\u5411\u68c0\u6d4b<\/h2>\n\n\n\n<div  class='collapse-block shadow-sm collapse-block-transparent collapsed hide-border-left'><div class='collapse-block-title'><span class='collapse-block-title-inner'>\u4eceapk\u4e2d\u83b7\u53d6\u8bc1\u4e66<\/span><i class='collapse-icon fa fa-angle-down'><\/i><\/div><div class='collapse-block-body' style='display:none;'><\/p>\n\n\n\n<p>\u5c06apk\u540e\u7f00\u6539\u4e3azip\uff0c\u89e3\u538b\u540e\u6709\u4e9b\u662f\u5b58\u5728.p12\u7684\u8bc1\u4e66\u6587\u4ef6\u7684<\/p>\n\n\n\n<p><\/div><\/div>\n\n\n\n<div  class='collapse-block shadow-sm collapse-block-transparent collapsed hide-border-left'><div class='collapse-block-title'><span class='collapse-block-title-inner'>\u811a\u672c\u4e0b\u8f7d\u8bc1\u4e66<\/span><i class='collapse-icon fa fa-angle-down'><\/i><\/div><div class='collapse-block-body' style='display:none;'><\/p>\n\n\n\n<p><strong>\u5173\u95ed\u6293\u5305\u5de5\u5177\uff0c\u542f\u52a8\u4ee5\u4e0b\u811a\u672c<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/\/\u5728https\u53cc\u5411\u8ba4\u8bc1\u7684\u60c5\u51b5\u4e0b\uff0cdump\u5ba2\u6237\u7aef\u8bc1\u4e66\u4e3ap12. \u8bc1\u4e66\u5bc6\u7801: hooker\nvar password = \"hooker\";\n\n\nfunction dateFormat(fmt, date) {\n    let ret;\n    const opt = {\n        \"Y+\": date.getFullYear().toString(),\n        \/\/ \u5e74\n        \"m+\": (date.getMonth() + 1).toString(),\n        \/\/ \u6708\n        \"d+\": date.getDate().toString(),\n        \/\/ \u65e5\n        \"H+\": date.getHours().toString(),\n        \/\/ \u65f6\n        \"M+\": date.getMinutes().toString(),\n        \/\/ \u5206\n        \"S+\": date.getSeconds().toString() \/\/ \u79d2\n    };\n    for (let k in opt) {\n        ret = new RegExp(\"(\" + k + \")\").exec(fmt);\n        if (ret) {\n            fmt = fmt.replace(ret&#091;1], (ret&#091;1].length == 1) ? (opt&#091;k]) : (opt&#091;k].padStart(ret&#091;1].length, \"0\")))\n        }\n    }\n    return fmt;\n}\n\nfunction random(min, max) {\n    return Math.floor(Math.random() * (max - min)) + min;\n}\n\nfunction getNowTime() {\n    return dateFormat(\"YYYY_mm_dd_HH_MM_SS\", new Date()) + \"_\" + random(1, 100);\n}\n\nfunction newMethodBeat(text, executor) {\n    var threadClz = Java.use(\"java.lang.Thread\");\n    var androidLogClz = Java.use(\"android.util.Log\");\n    var exceptionClz = Java.use(\"java.lang.Exception\");\n    var processClz = Java.use(\"android.os.Process\");\n    var currentThread = threadClz.currentThread();\n    var beat = new Object();\n    beat.invokeId = Math.random().toString(36).slice( - 8);\n    beat.executor = executor;\n    beat.myPid = processClz.myPid();\n    beat.threadId = currentThread.getId();\n    beat.threadName = currentThread.getName();\n    beat.text = text;\n    beat.startTime = new Date().getTime();\n    beat.stackInfo = androidLogClz.getStackTraceString(exceptionClz.$new()).substring(20);\n    return beat;\n}\n\nfunction printBeat(beat) {\n    var str = (\"------------pid:\" + beat.myPid + \",startFlag:\" + beat.invokeId + \",objectHash:\"+beat.executor+\",thread(id:\" + beat.threadId +\",name:\" + beat.threadName + \"),timestamp:\" + beat.startTime+\"---------------\\n\");\n    str += beat.text + \"\\n\";\n    str += beat.stackInfo;\n    str += (\"------------endFlag:\" + beat.invokeId + \",usedtime:\" + (new Date().getTime() - beat.startTime) +\"---------------\\n\");\n\tconsole.log(str);\n}\n\nfunction dump2sdcard(pri, p7, filePath) {\n    console.log(\"dump:\" + filePath);\n    var X509CertificateClass = Java.use(\"java.security.cert.X509Certificate\");\n    var myX509 = Java.cast(p7, X509CertificateClass);\n    var chain = Java.array(\"java.security.cert.X509Certificate\", &#091;myX509]);\n    var ks = Java.use(\"java.security.KeyStore\").getInstance(\"PKCS12\", \"BC\");\n    ks.load(null, null);\n    ks.setKeyEntry(\"client\", pri, Java.use('java.lang.String').$new(password).toCharArray(), chain);\n    try {\n        var out = Java.use(\"java.io.FileOutputStream\").$new(filePath);\n        ks.store(out, Java.use('java.lang.String').$new(password).toCharArray());\n    } catch(error) {\n        console.log(error);\n    }\n}\n\nvar logic = function() {\n    console.log(\"\u5728https\u53cc\u5411\u8ba4\u8bc1\u7684\u60c5\u51b5\u4e0b\uff0cdump\u5ba2\u6237\u7aef\u8bc1\u4e66\u4e3ap12. \u5b58\u50a8\u4f4d\u7f6e:\/data\/user\/0\/{packageName}\/client_keystore_{nowtime}.p12 \u8bc1\u4e66\u5bc6\u7801: hooker\");\n    Java.use(\"java.security.KeyStore$PrivateKeyEntry\").getPrivateKey.implementation = function() {\n        var executor = this.hashCode();\n        var beatText = 'public java.security.cert.Certificate java.security.KeyStore$PrivateKeyEntry.getPrivateKey()';\n        var beat = newMethodBeat(beatText, executor);\n        var result = this.getPrivateKey();\n        var packageName = Java.use(\"android.app.ActivityThread\").currentApplication().getApplicationContext().getPackageName();\n        let filePath = '\/data\/user\/0\/' + packageName + \"\/client_keystore_\" + \"_\" + getNowTime() + '.p12';\n        dump2sdcard(this.getPrivateKey(), this.getCertificate(), filePath);\n        printBeat(beat);\n        return result;\n    }\n    Java.use(\"java.security.KeyStore$PrivateKeyEntry\").getCertificateChain.implementation = function() {\n        var executor = this.hashCode();\n        var beatText = 'public java.security.cert.Certificate java.security.KeyStore$PrivateKeyEntry.getCertificate()';\n        var beat = newMethodBeat(beatText, executor);\n        var result = this.getCertificateChain();\n        var packageName = Java.use(\"android.app.ActivityThread\").currentApplication().getApplicationContext().getPackageName();\n        let filePath = '\/data\/user\/0\/' + packageName + \"\/client_keystore_\" + getNowTime() + '.p12';\n        dump2sdcard(this.getPrivateKey(), this.getCertificate(), filePath);\n        return result;\n    }\n    \/\/SSLpinning helper \u5e2e\u52a9\u5b9a\u4f4d\u8bc1\u4e66\u7ed1\u5b9a\u7684\u5173\u952e\u4ee3\u7801\n    Java.use(\"java.io.File\").$init.overload('java.io.File', 'java.lang.String').implementation = function (file, cert) {\n      var result = this.$init(file, cert);\n    \/\/   console.log(\"1--File path: \", cert);\n      if (((file.getPath().indexOf(\"\/data\/user\") > -1) || (file.getPath().indexOf(\"\/data\/data\") > -1))){\n          var stack = Java.use(\"android.util.Log\").getStackTraceString(Java.use(\"java.lang.Throwable\").$new());\n          if (cert.indexOf(\"cacert\") >= 0 || file.getPath().indexOf(\"cacert\") >= 0 || stack.indexOf(\"X509TrustManagerExtensions.checkServerTrusted\") >= 0) {\n            console.log(\"find \", \"SSLpinning position locator => \" + file.getPath() + \" \" + cert);\n            console.log(stack);\n          }else if ((cert.indexOf(\".\") > -1) &amp;&amp; (cert.indexOf(\".xml\") === -1) &amp;&amp; (cert.indexOf(\".db\") === -1)){\n              if (cert.split(\".\").length &lt; 3){\n                    console.log(\"find file1 = \", file.getPath() + \"\/\" + cert);\n              }\n          }\n      }\n      return result;\n    }\n    Java.use(\"java.io.File\").$init.overload('java.lang.String').implementation = function (cert) {\n      var result = this.$init(cert);\n    \/\/   console.log(\"2--File path: \", cert);\n      if (((cert.indexOf(\"\/data\/user\") > -1) || (cert.indexOf(\"\/data\/data\") > -1))) {\n          var stack = Java.use(\"android.util.Log\").getStackTraceString(Java.use(\"java.lang.Throwable\").$new());\n          if (cert.indexOf(\"cacert\") >= 0 || stack.indexOf(\"X509TrustManagerExtensions.checkServerTrusted\") >= 0) {\n              console.log(\"find \", \"SSLpinning position locator => \" + cert);\n              console.log(stack);\n          } else if ((cert.indexOf(\".\") > -1) &amp;&amp; (cert.indexOf(\".xml\") === -1) &amp;&amp; (cert.indexOf(\".db\") === -1)) {\n              if (cert.split(\".\").length &lt; 3) {\n                  console.log(\"find file2 = \", file.getPath() + \"\/\" + cert);\n              }\n          }\n      }\n      return result;\n    }\n}\n\n\nJava.perform(function (){\n    var application = Java.use(\"android.app.Application\");\n    application.attach.overload('android.content.Context').implementation = function(context) {\n        var result = this.attach(context); \/\/ \u5148\u6267\u884c\u539f\u6765\u7684attach\u65b9\u6cd5\n        Java.classFactory.loader = context.getClassLoader(); \/\/ \u83b7\u53d6classloader\n        logic();\n        console.log(\"hook over\");\n        return result;\n    }\n\n    logic();\n    console.log(\"hook over\");\n})\n\n\n\/\/ frida -Uf com.mmzztt.app --no-pause -l keystore_dump.js<\/code><\/pre>\n\n\n\n<ol class=\"wp-block-list\"><li>\u542f\u52a8\u811a\u672c\uff1a<code>frida -Uf \u5305\u540d --no-pause -l keystore_dump.js<\/code>\u3002<\/li><li>\u5feb\u901f\u8bbf\u95ee\u63a5\u53e3\uff0c\u5982\u75af\u72c2\u4e0b\u62c9\u5217\u8868\u9875\uff0c\u811a\u672c\u4f1a\u6253\u5370\u5bfc\u51fa\u8bc1\u4e66\u7684\u540d\u79f0\u548c\u4f4d\u7f6e\u3002<\/li><li>\u53ef\u4ee5\u5c06\u8bc1\u4e66\u79fb\u52a8\u5230<code>\/sdcard\/Download\/<\/code>\u76ee\u5f55\u4e0b\u3002\u8fd9\u6837\u624d\u6709\u6743\u9650\u8fdb\u884c\u5bfc\u51fa\u3002<code>mv client_keystore__xxxxxxx.p12 \/sdcard\/Download\/<\/code><\/li><li>\u5bfc\u51fa\u8bc1\u4e66\uff1a<code>adb pull \/sdcard\/Download\/client_keystore__xxxxxxx.p12 D:\\xxxx<\/code><\/li><li>\u6293\u5305\u5de5\u5177\u914d\u7f6e\u8bc1\u4e66(charles)\uff1aproxy&#8211;&gt;SSl proxy settings&#8211;&gt;client certificates&#8211;&gt;add&#8211;&gt;import P12&#8211;&gt;\u586b\u5165\u5bc6\u7801(\u5728\u4e0a\u9762\u7684\u811a\u672c\u4e2d)<\/li><\/ol>\n\n\n\n<p><\/div><\/div>\n\n\n\n<div  class='collapse-block shadow-sm collapse-block-transparent collapsed hide-border-left'><div class='collapse-block-title'><span class='collapse-block-title-inner'>python\u4f7f\u7528\u8bc1\u4e66\u8bf7\u6c42<\/span><i class='collapse-icon fa fa-angle-down'><\/i><\/div><div class='collapse-block-body' style='display:none;'><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>import requests\nfrom requests_pkcs12 import Pkcs12Adapter\n\nfrom Crypto.Cipher import AES\n\nheaders = {\n    \"User-Agent\": \"api-client\/1 com.douban.frodo\/7.18.0(230) Android\/28 product\/d2que vendor\/samsung model\/SM-G9810 brand\/samsung  rom\/android  network\/wifi  udid\/3c3e5fed2abad61570d760a7cdf0312edda6a78e  platform\/mobile\",\n    \"Host\": \"frodo.douban.com\"\n}\n\nsession = requests.session()\nurl = \"\"\n# \u6307\u5b9a\u53cc\u5411\u8ba4\u8bc1\u7f51\u7ad9\u7684pfx\u8bc1\u4e66\u6587\u4ef6\uff0c\u5e76\u9644\u5e26\u8bc1\u4e66\u7684\u5bc6\u7801\nsession.mount(url, Pkcs12Adapter(pkcs12_filename='.\/client_keystore__xxxx.p12', pkcs12_password=\"hooker\"))\n# \u4f7f\u7528session\u8c03\u7528get\/post\u65b9\u6cd5\nresponse = session.get(url, headers=headers, verify=False)\nprint(response.status_code)\nprint(response.text)\n<\/code><\/pre>\n\n\n\n<p><\/div><\/div>\n","protected":false},"excerpt":{"rendered":"<p>\u5355\u5411\u68c0\u6d4b \u4f7f\u7528\u547d\u4ee4 frida -Uf package &#8211;no-pause -l hook\u811a\u672c\u540d\u79f0.js \u53cc [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-1395","post","type-post","status-publish","format-standard","hentry","category-android"],"_links":{"self":[{"href":"https:\/\/www.xiaosuigu.top\/index.php\/wp-json\/wp\/v2\/posts\/1395","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.xiaosuigu.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.xiaosuigu.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.xiaosuigu.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.xiaosuigu.top\/index.php\/wp-json\/wp\/v2\/comments?post=1395"}],"version-history":[{"count":0,"href":"https:\/\/www.xiaosuigu.top\/index.php\/wp-json\/wp\/v2\/posts\/1395\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.xiaosuigu.top\/index.php\/wp-json\/wp\/v2\/media?parent=1395"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.xiaosuigu.top\/index.php\/wp-json\/wp\/v2\/categories?post=1395"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.xiaosuigu.top\/index.php\/wp-json\/wp\/v2\/tags?post=1395"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}