
Frida-RPC调用

Python Frida RPC 调用示例

JS_CODE

// Standard (non-URL-safe) base64 alphabet used by bytesToBase64.
const base64EncodeChars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
// Reverse lookup for the 128 ASCII codes: the 6-bit value of an alphabet
// character, -1 for anything else (including '=' padding, which
// base64ToString handles on its own).
const base64DecodeChars = Array.from({ length: 128 }, (_, code) =>
    base64EncodeChars.indexOf(String.fromCharCode(code)));

/**
 * Encode a byte sequence as standard base64 with '=' padding.
 *
 * Only the low 8 bits of each element are used, so a plain Array holding
 * signed values (e.g. a Java byte[] copied element-wise) encodes the same as
 * the equivalent Uint8Array.
 *
 * @param {ArrayLike<number>} bytes - values to encode; empty input yields ''
 * @returns {string} base64 text using the base64EncodeChars alphabet
 */
function bytesToBase64(bytes) {
    const total = bytes.length;
    let encoded = '';
    for (let i = 0; i < total; i += 3) {
        const b0 = bytes[i] & 255;
        const left = total - i;
        if (left === 1) {
            // One trailing byte: 2 chars + '=='.
            encoded += base64EncodeChars.charAt(b0 >> 2)
                + base64EncodeChars.charAt((b0 & 3) << 4)
                + '==';
            break;
        }
        const b1 = bytes[i + 1] & 255;
        if (left === 2) {
            // Two trailing bytes: 3 chars + '='.
            encoded += base64EncodeChars.charAt(b0 >> 2)
                + base64EncodeChars.charAt(((b0 & 3) << 4) | ((b1 & 240) >> 4))
                + base64EncodeChars.charAt((b1 & 15) << 2)
                + '=';
            break;
        }
        const b2 = bytes[i + 2] & 255;
        // Full 3-byte group -> 4 chars.
        encoded += base64EncodeChars.charAt(b0 >> 2)
            + base64EncodeChars.charAt(((b0 & 3) << 4) | ((b1 & 240) >> 4))
            + base64EncodeChars.charAt(((b1 & 15) << 2) | ((b2 & 192) >> 6))
            + base64EncodeChars.charAt(b2 & 63);
    }
    return encoded;
}
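/**
 * Decode base64 text into a "binary string": one character per decoded
 * byte, char codes 0-255 (NOT a UTF-8 decode; callers that need text must
 * decode the bytes themselves).
 *
 * Characters outside the alphabet (whitespace, etc.) are skipped. A '='
 * in the third or fourth position of a group ends decoding; input that
 * simply stops mid-group returns what was decoded so far.
 *
 * Fix: the lookup table has 128 entries, so any char with code >= 128
 * previously read `undefined`, which the `== -1` checks did not reject;
 * it was then shifted as 0 and produced bogus bytes. Such chars are now
 * treated like any other non-alphabet char and skipped.
 *
 * @param {string} input - base64 text
 * @returns {string} decoded bytes as a Latin-1 style string
 */
function base64ToString(input) {
    const PAD = -2;
    const len = input.length;
    let pos = 0;
    let out = '';

    // Sextet value for a (masked, 0-255) char code, or -1 when it is not an
    // alphabet char - including codes beyond the end of the table.
    const lookup = (code) =>
        (code < base64DecodeChars.length ? base64DecodeChars[code] : -1);

    // Advance past non-alphabet chars and return the next sextet, -1 if the
    // input ran out, or PAD when stopAtPad is set and a '=' was reached.
    function readSextet(stopAtPad) {
        let value = -1;
        while (pos < len && value === -1) {
            const code = input.charCodeAt(pos++) & 255;
            if (stopAtPad && code === 61) {
                return PAD;
            }
            value = lookup(code);
        }
        return value;
    }

    for (;;) {
        const s0 = readSextet(false);
        if (s0 === -1) break;
        const s1 = readSextet(false);
        if (s1 === -1) break;
        out += String.fromCharCode((s0 << 2) | ((s1 & 48) >> 4));

        const s2 = readSextet(true);
        if (s2 === PAD) return out;
        if (s2 === -1) break;
        out += String.fromCharCode(((s1 & 15) << 4) | ((s2 & 60) >> 2));

        const s3 = readSextet(true);
        if (s3 === PAD) return out;
        if (s3 === -1) break;
        out += String.fromCharCode(((s2 & 3) << 6) | s3);
    }
    return out;
}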


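/**
 * Convert a byte array (plain Array, Uint8Array, or a Java byte[] as
 * returned through Frida) into a "binary string": one character per byte,
 * char codes 0-255.
 *
 * The result is NOT UTF-8 decoded text; bytes >= 0x80 come back as
 * U+0080..U+00FF. When this string is handed to the host over RPC, recover
 * the raw bytes with e.g. Python's `.encode('latin-1')`.
 *
 * Fix: the original loop tested `str.length` (always 0) instead of
 * `arr.length`, so it never ran, and the result came solely from a
 * base64 encode/decode round trip. This does the byte-to-char mapping
 * directly, which is exactly what that round trip produced.
 *
 * @param {ArrayLike<number>|null} arr - bytes; null/undefined yields ''
 * @returns {string}
 */
function bytesToString(arr) {
    // Uint8Array normalises signed Java bytes (-128..127) to 0..255 and
    // turns null/undefined into an empty view.
    const bytes = new Uint8Array(arr);
    let str = '';
    for (let i = 0; i < bytes.length; i++) {
        str += String.fromCharCode(bytes[i]);
    }
    return str;
}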

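/**
 * Compute the `siua` value for `message`: the UTF-8 bytes of the message are
 * run through DataCollectionJni.packData with the app's MTGuard context, and
 * the packed bytes are returned as a binary string (one char per byte, see
 * bytesToString).
 *
 * Fix: the original only ever called resolve(); if Java.use/packData threw,
 * Frida logged the error but the promise never settled, so the RPC caller on
 * the host blocked forever. Any exception now rejects the promise. A
 * synchronous throw from Java.perform itself (no Java runtime) is turned
 * into a rejection by the Promise executor.
 *
 * @param {string} message - payload to pack (sent by the host over RPC)
 * @returns {Promise<string>} packed bytes as a binary string
 */
function siua(message) {
    return new Promise((resolve, reject) => {
        Java.perform(() => {
            try {
                const JString = Java.use('java.lang.String');
                const MTGuard = Java.use('com.meituan.android.common.mtguard.MTGuard');
                const DataCollectionJni = Java.use('com.meituan.android.common.datacollection.DataCollectionJni');
                // Java byte[] of the UTF-8 encoding; the native packer takes bytes + length.
                const bytes = JString.$new(message).getBytes('UTF-8');
                const packed = DataCollectionJni.packData(MTGuard.appContext.value, bytes, bytes.length);
                resolve(bytesToString(packed));
            } catch (err) {
                reject(err);
            }
        });
    });
}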

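/**
 * Compute the request signature for `message`: the UTF-8 bytes of the
 * message are passed to CandyJni.getCandyDataWithKey with the app's MTGuard
 * context and the fixed key name 'CandyKey'; the Java return value is
 * resolved as-is.
 *
 * Fix: the original only ever called resolve(); if Java.use or the native
 * call threw, Frida logged the error but the promise never settled and the
 * RPC caller on the host blocked forever. Any exception now rejects the
 * promise. A synchronous throw from Java.perform itself is turned into a
 * rejection by the Promise executor.
 *
 * @param {string} message - request line + query string to sign (from the host)
 * @returns {Promise<any>} whatever getCandyDataWithKey returns
 */
function sign(message) {
    return new Promise((resolve, reject) => {
        Java.perform(() => {
            try {
                const JString = Java.use('java.lang.String');
                const MTGuard = Java.use('com.meituan.android.common.mtguard.MTGuard');
                const CandyJni = Java.use('com.meituan.android.common.candy.CandyJni');
                // Java byte[] of the UTF-8 encoding of the message.
                const bytes = JString.$new(message).getBytes('UTF-8');
                const signature = CandyJni.getCandyDataWithKey(MTGuard.appContext.value, bytes, 'CandyKey');
                resolve(signature);
            } catch (err) {
                reject(err);
            }
        });
    });
}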

// Functions the host can call as script.exports.sign(...) / script.exports.siua(...).
rpc.exports = {
    sign,
    siua,
};

Python Code

# -*- coding: utf-8 -*-
# @Time     : 2021/6/23 14:34
# @Author   : xiaowei
# @File     : rpc_sign.py
# @Software : PyCharm
import os

import frida

JS_CODE = """JS代码"""  # placeholder: paste the Frida script from the section above here verbatim


def message_header(message, payload):
    """Print messages posted by the Frida script.

    ``send()`` payloads are printed with a ``[* message]`` prefix, script
    errors with ``[* error]`` and their JS stack, anything else verbatim.

    :param message: message dict from Frida (``type`` key selects the branch)
    :param payload: binary payload accompanying the message (unused)
    """
    kind = message['type']
    if kind == 'send':
        print('[* message]', message['payload'])
        return
    if kind == 'error':
        print('[* error]', message['stack'])
        return
    print(message)


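def rpc_fun(pack_name):
    """
    Attach to an already-running app over USB and load the Frida RPC script.

    :param pack_name: package name (or PID) of the running target process
    :return: the loaded script; call ``script.exports.<name>(...)`` for RPC
    """
    # Forward the frida-server TCP port. This is only needed for the
    # frida.get_remote_device() path; the USB attach below does not use it.
    # It also exposes the device's frida-server, which accepts any client,
    # on the host's loopback to every local process - drop it if unused.
    # os.system() swallowed the status before; report a failed forward.
    status = os.system("adb forward tcp:27042 tcp:27042")
    if status != 0:
        print('[* warn] adb forward failed with status', status)
    # 30 is presumably the timeout (seconds) to wait for a USB device.
    device = frida.get_usb_device(30)
    # Attach to the live process; the app must already be running
    # (no spawn/resume here).
    session = device.attach(pack_name)
    script = session.create_script(JS_CODE, runtime='v8')
    script.on('message', message_header)
    script.load()
    return script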


# Runs at import time (outside the __main__ guard): importing this module
# requires the device and a running target process.
script = rpc_fun('com.sankuai.meituan')

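if __name__ == '__main__':

    def signs():
        """Sign one recorded request through the injected script and print it.

        The message is a captured fixture (request line + query string with
        fixed trace ids, timestamps and device ids); nothing is regenerated.
        """
        sign = script.exports.sign(
            'GET http://apimeishi.meituan.com/meishi/poi/v2/poi/base/165084283 __reqTraceID=1836cb6d-3edf-4c81-a5db-669c800f55c6&__skck=6a375bce8c66a0dc293860dfa83833ef&__skno=53fa4673-9aaf-482e-a569-e8dfe841628c&__sksc=http&__skts=1624419415750&__skua=ad833c2aaae30d998fd1c17f0fa985bd&app=0&ci=10&lat=31.16323257273488&lng=121.39788326303479&msid=3525300824877941624417771385&partner=126&platform=4&userid=-1&utm_campaign=AgroupBgroupC0E219588781363871559889360393454496506688_a165084283_c0_e2890024514451550478Ghomepage_category2_1__a1__c-1024__gfood__hpoilist__i0&utm_content=352530082487794&utm_medium=android&utm_source=baidumobile&utm_term=666&uuid=000000000000087B47731EC5345FD9BDEC496780BAF59A162335056595179683&uuid=000000000000087B47731EC5345FD9BDEC496780BAF59A162335056595179683&version=9.6.6&version_name=9.6.6')
        print(sign)


    from concurrent.futures import ThreadPoolExecutor

    # Load test: 1000 concurrent RPC calls. The futures are kept so failures
    # surface; the original dropped them, so any exception raised inside
    # signs() (RPC error, detached session, ...) was silently discarded.
    pool = ThreadPoolExecutor(max_workers=1000)
    futures = [pool.submit(signs) for _ in range(1000)]
    pool.shutdown(wait=True)

    failures = 0
    for future in futures:
        error = future.exception()
        if error is not None:
            failures += 1
            print('[* error] sign failed:', repr(error))
    if failures:
        print('[* error]', failures, 'of', len(futures), 'calls failed')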
