Python Frida RPC 调用示例
JS_CODE
var base64EncodeChars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/',
base64DecodeChars = new Array((-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), 62, (-1), (-1), (-1), 63, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, (-1), (-1), (-1), (-1), (-1), (-1), (-1), 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, (-1), (-1), (-1), (-1), (-1), (-1), 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, (-1), (-1), (-1), (-1), (-1));
function bytesToBase64(e) {
var r, a, c, h, o, t;
for (c = e.length, a = 0, r = ''; a < c;) {
if (h = 255 & e[a++], a == c) {
r += base64EncodeChars.charAt(h >> 2),
r += base64EncodeChars.charAt((3 & h) << 4),
r += '==';
break
}
if (o = e[a++], a == c) {
r += base64EncodeChars.charAt(h >> 2),
r += base64EncodeChars.charAt((3 & h) << 4 | (240 & o) >> 4),
r += base64EncodeChars.charAt((15 & o) << 2),
r += '=';
break
}
t = e[a++],
r += base64EncodeChars.charAt(h >> 2),
r += base64EncodeChars.charAt((3 & h) << 4 | (240 & o) >> 4),
r += base64EncodeChars.charAt((15 & o) << 2 | (192 & t) >> 6),
r += base64EncodeChars.charAt(63 & t)
}
return r
}
function base64ToString(e) {
var r, a, c, h, o, t, d;
for (t = e.length, o = 0, d = ''; o < t;) {
do
r = base64DecodeChars[255 & e.charCodeAt(o++)];
while (o < t && r == -1);
if (r == -1)
break;
do
a = base64DecodeChars[255 & e.charCodeAt(o++)];
while (o < t && a == -1);
if (a == -1)
break;
d += String.fromCharCode(r << 2 | (48 & a) >> 4);
do {
if (c = 255 & e.charCodeAt(o++), 61 == c)
return d;
c = base64DecodeChars[c]
} while (o < t && c == -1);
if (c == -1)
break;
d += String.fromCharCode((15 & a) << 4 | (60 & c) >> 2);
do {
if (h = 255 & e.charCodeAt(o++), 61 == h)
return d;
h = base64DecodeChars[h]
} while (o < t && h == -1);
if (h == -1)
break;
d += String.fromCharCode((3 & c) << 6 | h)
}
return d
};
function bytesToString(arr) {
var str = '';
arr = new Uint8Array(arr);
for (var i = 0; i < str.length; i++) {
str += String.fromCharCode(arr[i]);
}
str = bytesToBase64(arr);
str = base64ToString(str);
return str;
}
function siua(message) {
return new Promise(resolve => {
Java.perform(function () {
const j_string = Java.use('java.lang.String');
const MTGuard = Java.use('com.meituan.android.common.mtguard.MTGuard');
const data_jni = Java.use('com.meituan.android.common.datacollection.DataCollectionJni');
// let result = Java.array('byte', b);
let result = j_string.$new(message).getBytes('UTF-8')
let ua = data_jni.packData(MTGuard.appContext.value, result, result.length)
resolve(bytesToString(ua))
})
})
}
function sign(message) {
return new Promise(resolve => {
Java.perform(function () {
const j_string = Java.use('java.lang.String');
const MTGuard = Java.use('com.meituan.android.common.mtguard.MTGuard');
const candy_jni = Java.use('com.meituan.android.common.candy.CandyJni');
// string to byte[]
let result = j_string.$new(message).getBytes('UTF-8')
let ua = candy_jni.getCandyDataWithKey(MTGuard.appContext.value, result, 'CandyKey')
resolve(ua)
})
})
}
rpc.exports = {
sign: sign,
siua: siua,
}
Python Code
# -*- coding: utf-8 -*-
# @Time : 2021/6/23 14:34
# @Author : xiaowei
# @File : rpc_sign.py
# @Software : PyCharm
import os
import frida
JS_CODE = """JS代码"""
def message_header(message, payload):
message_type = message['type']
if message_type == 'send':
print('[* message]', message['payload'])
elif message_type == 'error':
stack = message['stack']
print('[* error]', stack)
else:
print(message)
def rpc_fun(pack_name):
"""
启动函数
:return:
"""
# 1. 转发frida端口
os.system("adb forward tcp:27042 tcp:27042")
# 2. 获取远程设备
# frida.get_usb_device()
# device = frida.get_remote_device()
device = frida.get_usb_device(30)
# 3. 获取当前活动进程PID
# pid = device.get_frontmost_application()
# 4. 创建进程会话
# 可以是进程ID 可以是包名称
# spawn 方式
session = device.attach(pack_name)
# device.resume(pid)
# device.spawn()
# import time
# time.sleep(0.5)
# 5. 添加js脚本
script = session.create_script(JS_CODE, runtime='v8')
# 6. 消息监听
script.on('message', message_header)
# 7. 加载会话
script.load()
return script
script = rpc_fun('com.sankuai.meituan')
if __name__ == '__main__':
def signs():
sign = script.exports.sign(
'GET http://apimeishi.meituan.com/meishi/poi/v2/poi/base/165084283 __reqTraceID=1836cb6d-3edf-4c81-a5db-669c800f55c6&__skck=6a375bce8c66a0dc293860dfa83833ef&__skno=53fa4673-9aaf-482e-a569-e8dfe841628c&__sksc=http&__skts=1624419415750&__skua=ad833c2aaae30d998fd1c17f0fa985bd&app=0&ci=10&lat=31.16323257273488&lng=121.39788326303479&msid=3525300824877941624417771385&partner=126&platform=4&userid=-1&utm_campaign=AgroupBgroupC0E219588781363871559889360393454496506688_a165084283_c0_e2890024514451550478Ghomepage_category2_1__a1__c-1024__gfood__hpoilist__i0&utm_content=352530082487794&utm_medium=android&utm_source=baidumobile&utm_term=666&uuid=000000000000087B47731EC5345FD9BDEC496780BAF59A162335056595179683&uuid=000000000000087B47731EC5345FD9BDEC496780BAF59A162335056595179683&version=9.6.6&version_name=9.6.6')
print(sign)
from concurrent.futures import ThreadPoolExecutor
pool = ThreadPoolExecutor(max_workers=1000)
for _ in range(1000):
pool.submit(signs)
pool.shutdown(wait=True)