1. frida

  1. //自吐
  2. Java.perform(function () {
  4.   function showStacks() {
  5.     console.log(
  6.       Java.use("android.util.Log")
  7.       .getStackTraceString(
  8.         Java.use("java.lang.Throwable").$new()
  9.       )
  10.     );
  11.   }
  13.   var ByteString = Java.use("com.android.okhttp.okio.ByteString");
  15.   function toBase64(tag, data) {
  16.     console.log(tag + " Base64: ", ByteString.of(data).base64());
  17.   }
  19.   function toHex(tag, data) {
  20.     console.log(tag + " Hex: ", ByteString.of(data).hex());
  21.   }
  23.   function toUtf8(tag, data) {
  24.     console.log(tag + " Utf8: ", ByteString.of(data).utf8());
  25.   }
  27.   // toBase64([48,49,50,51,52]);
  28.   // toHex([48,49,50,51,52]);
  29.   // toUtf8([48,49,50,51,52]);
  30.   //console.log(Java.enumerateLoadedClassesSync().join("\n"));
  32.   // MD5/SHA等
  33.   var messageDigest = Java.use("java.security.MessageDigest");
  34.   messageDigest.update.overload('byte').implementation = function (data) {
  35.     console.log("MessageDigest.update('byte') is called!");
  36.     return this.update(data);
  37.   }
  38.   messageDigest.update.overload('java.nio.ByteBuffer').implementation = function (data) {
  39.     console.log("MessageDigest.update('java.nio.ByteBuffer') is called!");
  40.     return this.update(data);
  41.   }
  42.   messageDigest.update.overload('[B').implementation = function (data) {
  43.     console.log("MessageDigest.update('[B') is called!");
  44.     var algorithm = this.getAlgorithm();
  45.     var tag = algorithm + " update data";
  46.     toUtf8(tag, data);
  47.     toHex(tag, data);
  48.     toBase64(tag, data);
  49.     console.log("=======================================================");
  50.     return this.update(data);
  51.   }
  52.   messageDigest.update.overload('[B', 'int', 'int').implementation = function (data, start, length) {
  53.     console.log("MessageDigest.update('[B', 'int', 'int') is called!");
  54.     var algorithm = this.getAlgorithm();
  55.     var tag = algorithm + " update data";
  56.     toUtf8(tag, data);
  57.     toHex(tag, data);
  58.     toBase64(tag, data);
  59.     console.log("=======================================================", start, length);
  60.     return this.update(data, start, length);
  61.   }
  62.   messageDigest.digest.overload().implementation = function () {
  63.     console.log("MessageDigest.digest() is called!");
  64.     var result = this.digest();
  65.     var algorithm = this.getAlgorithm();
  66.     var tag = algorithm + " digest result";
  67.     toHex(tag, result);
  68.     toBase64(tag, result);
  69.     console.log("=======================================================");
  70.     return result;
  71.   }
  72.   messageDigest.digest.overload('[B').implementation = function (data) {
  73.     console.log("MessageDigest.digest('[B') is called!");
  74.     var algorithm = this.getAlgorithm();
  75.     var tag = algorithm + " digest data";
  76.     toUtf8(tag, data);
  77.     toHex(tag, data);
  78.     toBase64(tag, data);
  79.     var result = this.digest(data);
  80.     var tags = algorithm + " digest result";
  81.     toHex(tags, result);
  82.     toBase64(tags, result);
  83.     console.log("=======================================================");
  84.     return result;
  85.   }
  86.   messageDigest.digest.overload('[B', 'int', 'int').implementation = function (data, start, length) {
  87.     console.log("MessageDigest.digest('[B', 'int', 'int') is called!");
  88.     var algorithm = this.getAlgorithm();
  89.     var tag = algorithm + " digest data";
  90.     toUtf8(tag, data);
  91.     toHex(tag, data);
  92.     toBase64(tag, data);
  93.     var result = this.digest(data, start, length);
  94.     var tags = algorithm + " digest result";
  95.     toHex(tags, result);
  96.     toBase64(tags, result);
  97.     console.log("=======================================================", start, length);
  98.     return result;
  99.   }
  101.   //Mac
  102.   var mac = Java.use("javax.crypto.Mac");
  103.   mac.init.overload('java.security.Key', 'java.security.spec.AlgorithmParameterSpec').implementation = function (key, AlgorithmParameterSpec) {
  104.     console.log("Mac.init('java.security.Key', 'java.security.spec.AlgorithmParameterSpec') is called!");
  105.     return this.init(key, AlgorithmParameterSpec);
  106.   }
  107.   mac.init.overload('java.security.Key').implementation = function (key) {
  108.     console.log("Mac.init('java.security.Key') is called!");
  109.     var algorithm = this.getAlgorithm();
  110.     var tag = algorithm + " init Key";
  111.     var keyBytes = key.getEncoded();
  112.     toUtf8(tag, keyBytes);
  113.     toHex(tag, keyBytes);
  114.     toBase64(tag, keyBytes);
  115.     console.log("=======================================================");
  116.     return this.init(key);
  117.   }
  118.   mac.update.overload('byte').implementation = function (data) {
  119.     console.log("Mac.update('byte') is called!");
  120.     return this.update(data);
  121.   }
  122.   mac.update.overload('java.nio.ByteBuffer').implementation = function (data) {
  123.     console.log("Mac.update('java.nio.ByteBuffer') is called!");
  124.     return this.update(data);
  125.   }
  126.   mac.update.overload('[B').implementation = function (data) {
  127.     console.log("Mac.update('[B') is called!");
  128.     var algorithm = this.getAlgorithm();
  129.     var tag = algorithm + " update data";
  130.     toUtf8(tag, data);
  131.     toHex(tag, data);
  132.     toBase64(tag, data);
  133.     console.log("=======================================================");
  134.     return this.update(data);
  135.   }
  136.   mac.update.overload('[B', 'int', 'int').implementation = function (data, start, length) {
  137.     console.log("Mac.update('[B', 'int', 'int') is called!");
  138.     var algorithm = this.getAlgorithm();
  139.     var tag = algorithm + " update data";
  140.     toUtf8(tag, data);
  141.     toHex(tag, data);
  142.     toBase64(tag, data);
  143.     console.log("=======================================================", start, length);
  144.     return this.update(data, start, length);
  145.   }
  146.   mac.doFinal.overload().implementation = function () {
  147.     console.log("Mac.doFinal() is called!");
  148.     var result = this.doFinal();
  149.     var algorithm = this.getAlgorithm();
  150.     var tag = algorithm + " doFinal result";
  151.     toHex(tag, result);
  152.     toBase64(tag, result);
  153.     console.log("=======================================================");
  154.     return result;
  155.   }
  157.   //cipher
  158.   var cipher = Java.use("javax.crypto.Cipher");
  159.   cipher.init.overload('int', 'java.security.cert.Certificate').implementation = function () {
  160.     console.log("Cipher.init('int', 'java.security.cert.Certificate') is called!");
  161.     return this.init.apply(this, arguments);
  162.   }
  163.   cipher.init.overload('int', 'java.security.Key', 'java.security.SecureRandom').implementation = function () {
  164.     console.log("Cipher.init('int', 'java.security.Key', 'java.security.SecureRandom') is called!");
  165.     return this.init.apply(this, arguments);
  166.   }
  167.   cipher.init.overload('int', 'java.security.cert.Certificate', 'java.security.SecureRandom').implementation = function () {
  168.     console.log("Cipher.init('int', 'java.security.cert.Certificate', 'java.security.SecureRandom') is called!");
  169.     return this.init.apply(this, arguments);
  170.   }
  171.   cipher.init.overload('int', 'java.security.Key', 'java.security.AlgorithmParameters', 'java.security.SecureRandom').implementation = function () {
  172.     console.log("Cipher.init('int', 'java.security.Key', 'java.security.AlgorithmParameters', 'java.security.SecureRandom') is called!");
  173.     return this.init.apply(this, arguments);
  174.   }
  175.   cipher.init.overload('int', 'java.security.Key', 'java.security.spec.AlgorithmParameterSpec', 'java.security.SecureRandom').implementation = function () {
  176.     console.log("Cipher.init('int', 'java.security.Key', 'java.security.spec.AlgorithmParameterSpec', 'java.security.SecureRandom') is called!");
  177.     return this.init.apply(this, arguments);
  178.   }
  179.   cipher.init.overload('int', 'java.security.Key', 'java.security.AlgorithmParameters').implementation = function () {
  180.     console.log("Cipher.init('int', 'java.security.Key', 'java.security.AlgorithmParameters') is called!");
  181.     return this.init.apply(this, arguments);
  182.   }
  184.   cipher.init.overload('int', 'java.security.Key').implementation = function () {
  185.     console.log("Cipher.init('int', 'java.security.Key') is called!");
  186.     var algorithm = this.getAlgorithm();
  187.     var tag = algorithm + " init Key";
  188.     var className = JSON.stringify(arguments[1]);
  189.     if (className.indexOf("OpenSSLRSAPrivateKey") === -1) {
  190.       var keyBytes = arguments[1].getEncoded();
  191.       toUtf8(tag, keyBytes);
  192.       toHex(tag, keyBytes);
  193.       toBase64(tag, keyBytes);
  194.     }
  195.     console.log("=======================================================");
  196.     return this.init.apply(this, arguments);
  197.   }
  198.   cipher.init.overload('int', 'java.security.Key', 'java.security.spec.AlgorithmParameterSpec').implementation = function () {
  199.     console.log("Cipher.init('int', 'java.security.Key', 'java.security.spec.AlgorithmParameterSpec') is called!");
  200.     var algorithm = this.getAlgorithm();
  201.     var tag = algorithm + " init Key";
  202.     var keyBytes = arguments[1].getEncoded();
  203.     toUtf8(tag, keyBytes);
  204.     toHex(tag, keyBytes);
  205.     toBase64(tag, keyBytes);
  206.     var tags = algorithm + " init iv";
  207.     var iv = Java.cast(arguments[2], Java.use("javax.crypto.spec.IvParameterSpec"));
  208.     var ivBytes = iv.getIV();
  209.     toUtf8(tags, ivBytes);
  210.     toHex(tags, ivBytes);
  211.     toBase64(tags, ivBytes);
  212.     console.log("=======================================================");
  213.     return this.init.apply(this, arguments);
  214.   }
  216.   cipher.doFinal.overload('java.nio.ByteBuffer', 'java.nio.ByteBuffer').implementation = function () {
  217.     console.log("Cipher.doFinal('java.nio.ByteBuffer', 'java.nio.ByteBuffer') is called!");
  218.     showStacks();
  219.     return this.doFinal.apply(this, arguments);
  220.   }
  221.   cipher.doFinal.overload('[B', 'int').implementation = function () {
  222.     console.log("Cipher.doFinal('[B', 'int') is called!");
  223.     showStacks();
  224.     return this.doFinal.apply(this, arguments);
  225.   }
  226.   cipher.doFinal.overload('[B', 'int', 'int', '[B').implementation = function () {
  227.     console.log("Cipher.doFinal('[B', 'int', 'int', '[B') is called!");
  228.     showStacks();
  229.     return this.doFinal.apply(this, arguments);
  230.   }
  231.   cipher.doFinal.overload('[B', 'int', 'int', '[B', 'int').implementation = function () {
  232.     console.log("Cipher.doFinal('[B', 'int', 'int', '[B', 'int') is called!");
  233.     showStacks();
  234.     return this.doFinal.apply(this, arguments);
  235.   }
  236.   cipher.doFinal.overload().implementation = function () {
  237.     console.log("Cipher.doFinal() is called!");
  238.     showStacks();
  239.     return this.doFinal.apply(this, arguments);
  240.   }
  242.   cipher.doFinal.overload('[B').implementation = function () {
  243.     console.log("Cipher.doFinal('[B') is called!");
  244.     showStacks();
  245.     var algorithm = this.getAlgorithm();
  246.     var tag = algorithm + " doFinal data";
  247.     var data = arguments[0];
  248.     toUtf8(tag, data);
  249.     toHex(tag, data);
  250.     toBase64(tag, data);
  251.     var result = this.doFinal.apply(this, arguments);
  252.     var tags = algorithm + " doFinal result";
  253.     toHex(tags, result);
  254.     toBase64(tags, result);
  255.     console.log("=======================================================");
  256.     return result;
  257.   }
  258.   cipher.doFinal.overload('[B', 'int', 'int').implementation = function () {
  259.     console.log("Cipher.doFinal('[B', 'int', 'int') is called!");
  260.     showStacks();
  261.     var algorithm = this.getAlgorithm();
  262.     var tag = algorithm + " doFinal data";
  263.     var data = arguments[0];
  264.     toUtf8(tag, data);
  265.     toHex(tag, data);
  266.     toBase64(tag, data);
  267.     var result = this.doFinal.apply(this, arguments);
  268.     var tags = algorithm + " doFinal result";
  269.     toHex(tags, result);
  270.     toBase64(tags, result);
  271.     console.log("=======================================================", arguments[1], arguments[2]);
  272.     return result;
  273.   }
  275.   //signature
  276.   var signature = Java.use("java.security.Signature");
  277.   signature.update.overload('byte').implementation = function (data) {
  278.     console.log("Signature.update('byte') is called!");
  279.     return this.update(data);
  280.   }
  281.   signature.update.overload('java.nio.ByteBuffer').implementation = function (data) {
  282.     console.log("Signature.update('java.nio.ByteBuffer') is called!");
  283.     return this.update(data);
  284.   }
  285.   signature.update.overload('[B', 'int', 'int').implementation = function (data, start, length) {
  286.     console.log("Signature.update('[B', 'int', 'int') is called!");
  287.     var algorithm = this.getAlgorithm();
  288.     var tag = algorithm + " update data";
  289.     toUtf8(tag, data);
  290.     toHex(tag, data);
  291.     toBase64(tag, data);
  292.     console.log("=======================================================", start, length);
  293.     return this.update(data, start, length);
  294.   }
  295.   signature.sign.overload('[B', 'int', 'int').implementation = function () {
  296.     console.log("Signature.sign('[B', 'int', 'int') is called!");
  297.     return this.sign.apply(this, arguments);
  298.   }
  299.   signature.sign.overload().implementation = function () {
  300.     console.log("Signature.sign() is called!");
  301.     var result = this.sign();
  302.     var algorithm = this.getAlgorithm();
  303.     var tag = algorithm + " sign result";
  304.     toHex(tag, result);
  305.     toBase64(tag, result);
  306.     console.log("=======================================================");
  307.     return result;
  308.   }
  310. });
  1. /**
  2. * Java层标准算法hook
  3. */
  5. Java.perform(function () {
  6.   /**
  7.   打印堆栈
  8.   */
  9.   function showStack() {
  10.     let Throwable = Java.use("java.lang.Throwable");
  11.     let stackTraceString = Java.use("android.util.Log").getStackTraceString(Throwable.$new())
  12.     console.log(stackTraceString);
  13.   }
  15.   let ByteString = Java.use("com.android.okhttp.okio.ByteString");
  17.   /**
  18.   * 字节数组转为Base64
  19.   */
  20.   function toBase64(tag, data) {
  21.     console.log(tag + " Base64:" + ByteString.of(data).base64());
  22.   }
  24.   /**
  25.   * 字节数组转为16进制
  26.   */
  27.   function toHex(tag, data) {
  28.     console.log(tag + " Hex:" + ByteString.of(data).hex());
  29.   }
  31.   /**
  32.   * 字节数组转为明文
  33.   */
  34.   function toUtf8(tag, data) {
  35.     console.log(tag + " Utf8:" + ByteString.of(data).utf8());
  36.   }
  38.   /**
  39.   * 打印字节数组对应的输出数据
  40.   */
  41.   function printData(tag, data) {
  42.     toBase64(tag, data);
  43.     toHex(tag, data);
  44.     toUtf8(tag, data);
  45.   }
  48.   /***
  49.   * 消息摘要算法hook
  50.   * update 压入数据
  51.   * digest 返回加密结果
  52.   */
  53.   function hookMessageDigest() {
  54.     let MessageDigest = Java.use("java.security.MessageDigest");
  55.     MessageDigest.update.overload('byte').implementation = function (b) {
  56.       showStack();
  57.       console.log("MessageDigest.update.overload('byte') is called!");
  58.       let result = this.update.apply(this, arguments);
  59.       let algorithm = this.getAlgorithm();
  60.       printData(algorithm + " update param", Java.array('byte', [b]))
  61.       console.log("============================================================");
  62.       return result;
  63.     }
  64.     MessageDigest.update.overload('[B').implementation = function (byteArr) {
  65.       showStack();
  66.       console.log("MessageDigest.update.overload('[B') is called!");
  67.       let result = this.update.apply(this, arguments);
  68.       let algorithm = this.getAlgorithm();
  69.       printData(algorithm + " update param", byteArr);
  70.       console.log("============================================================");
  71.       return result;
  72.     }
  73.     MessageDigest.digest.overload().implementation = function () {
  74.       showStack();
  75.       console.log("MessageDigest.digest.overload() is called!");
  76.       let result = this.digest.apply(this, arguments);
  77.       let algorithm = this.getAlgorithm();
  78.       printData(algorithm + " digest result", result);
  79.       console.log("============================================================");
  80.       return result;
  81.     }
  82.     MessageDigest.digest.overload('[B').implementation = function (byteArr) {
  83.       showStack();
  84.       console.log("MessageDigest.digest.overload('[B') is called!");
  85.       let result = this.digest.apply(this, arguments);
  86.       let algorithm = this.getAlgorithm();
  87.       printData(algorithm + " digest param", byteArr);
  88.       printData(algorithm + " digest result", result);
  89.       console.log("============================================================");
  90.       return result;
  91.     }
  93.     MessageDigest.digest.overload('[B', 'int', 'int').implementation = function (byteArr, start, length) {
  94.       showStack();
  95.       console.log("MessageDigest.digest.overload('[B', 'int', 'int') is called!");
  96.       let result = this.digest.apply(this, arguments);
  97.       let algorithm = this.getAlgorithm();
  98.       printData(algorithm + " digest param", byteArr);
  99.       printData(algorithm + " digest result", result);
  100.       console.log("============================================================" + "开始位置:" + start + " 截取长度:" + length);
  101.       return result;
  102.     }
  103.   }
  105.   /**
  106.   * Mac算法hook
  107.   * 1.init 初始化,秘钥
  108.   * 2.update 压入数据
  109.   * 3.doFinal 加密
  110.   */
  111.   function hookMac() {
  112.     let Mac = Java.use("javax.crypto.Mac");
  114.     Mac.init.overload('java.security.Key').implementation = function (key) {
  115.       showStack();
  116.       console.log("Mac.init.overload('java.security.Key') is called!");
  117.       let result = this.init.apply(this, arguments);
  118.       let algorithm = this.getAlgorithm();
  119.       printData(algorithm + " init key", key.getEncoded())
  120.       console.log("============================================================");
  121.       return result;
  122.     }
  124.     Mac.update.overload('byte').implementation = function (b) {
  125.       showStack();
  126.       console.log("Mac.update.overload('byte') is called!");
  127.       let result = this.update.apply(this, arguments);
  128.       let algorithm = this.getAlgorithm();
  129.       printData(algorithm + " update param", Java.array('byte', [b]))
  130.       console.log("============================================================");
  131.       return result;
  132.     }
  133.     Mac.update.overload('[B').implementation = function (byteArr) {
  134.       showStack();
  135.       console.log("Mac.update.overload('[B') is called!");
  136.       let result = this.update.apply(this, arguments);
  137.       let algorithm = this.getAlgorithm();
  138.       printData(algorithm + " update param", byteArr)
  139.       console.log("============================================================");
  140.       return result;
  141.     }
  142.     Mac.update.overload('[B', 'int', 'int').implementation = function (byteArr, start, length) {
  143.       showStack();
  144.       console.log("Mac.update.overload('[B', 'int', 'int') is called!");
  145.       let result = this.update.apply(this, arguments);
  146.       let algorithm = this.getAlgorithm();
  147.       printData(algorithm + " update param", byteArr)
  148.       console.log("============================================================" + "开始位置:" + start + " 截取长度:" + length);
  149.       return result;
  150.     }
  151.     Mac.doFinal.overload().implementation = function () {
  152.       showStack();
  153.       console.log("Mac.doFinal.overload() is called!");
  154.       let result = this.doFinal.apply(this, arguments);
  155.       let algorithm = this.getAlgorithm();
  156.       printData(algorithm + " doFinal result", result)
  157.       console.log("============================================================");
  158.       return result;
  159.     }
  160.   }
  162.   /**
  163.   * DES,DESEde,AES,RSA
  164.   * 1.init 加密类型,key,iv
  165.   * 2.donFinal压入数据,得到结果 update压入结果有问题
  166.   */
  167.   function hookCipher() {
  168.     function printResult(cipherObj, result, args) {
  169.       let algorithm = cipherObj.getAlgorithm();
  170.       let mode;
  172.       if (cipherObj.opmode.value === 1) {
  173.         mode = "加密";
  174.       } else {
  175.         mode = "解密";
  176.       }
  178.       console.log(algorithm + " mode:", mode);
  179.       if (cipherObj.getParameters() != null) {
  180.         printData(algorithm + " key", cipherObj.getParameters().getEncoded());
  181.         printData(algorithm + " iv", cipherObj.getIV());
  182.       }
  183.       printData(algorithm + " doFinal param", args[0]);
  184.       printData(algorithm + " doFinal result", result);
  185.       console.log("============================================================");
  187.     }
  189.     let Cipher = Java.use("javax.crypto.Cipher");
  190.     // 不常用重载,打印调用即可,根据堆栈信息在具体去看
  191.     // init暂时注释
  192.     Cipher.init.overload('int', 'java.security.cert.Certificate', 'java.security.SecureRandom').implementation = function (key) {
  193.       showStack();
  194.       console.log("Cipher.init.overload('int', 'java.security.cert.Certificate', 'java.security.SecureRandom') is called!");
  195.       let result = this.apply(this, arguments);
  196.       return result;
  197.     }
  198.     Cipher.init.overload('int', 'java.security.Key', 'java.security.AlgorithmParameters', 'java.security.SecureRandom').implementation = function (key) {
  199.       showStack();
  200.       console.log("Cipher.init.overload('int', 'java.security.Key', 'java.security.AlgorithmParameters', 'java.security.SecureRandom') is called!");
  201.       let result = this.apply(this, arguments);
  202.       return result;
  203.     }
  205.     // ECB模式,不带iv
  206.     Cipher.init.overload('int', 'java.security.Key', 'java.security.SecureRandom').implementation = function () {
  207.       showStack();
  208.       console.log("Cipher.init.overload('int', 'java.security.Key', 'java.security.SecureRandom') is called!");
  209.       let result = this.init.apply(this, arguments);
  210.       let algorithm = this.getAlgorithm();
  211.       let mode;
  212.       if (arguments[0] === 1) {
  213.         mode = "加密";
  214.       } else {
  215.         mode = "解密";
  216.       }
  217.       console.log(algorithm + " init mode:" + mode);
  218.       try {
  219.         // RSA使用私钥调用getEncoded() 会报错,异常捕获,具体逻辑,根据堆栈,去APP分析
  220.         printData(algorithm + " init key", arguments[1].getEncoded());
  221.       } catch (e) {
  222.         console.log(e);
  223.       }
  224.       console.log("============================================================");
  225.       return result;
  226.     }
  228.     // CBC模式,带iv
  229.     Cipher.init.overload('int', 'java.security.Key', 'java.security.spec.AlgorithmParameterSpec', 'java.security.SecureRandom').implementation = function () {
  230.       showStack();
  231.       console.log("Cipher.init.overload('int', 'java.security.Key', 'java.security.spec.AlgorithmParameterSpec', 'java.security.SecureRandom') is called!");
  232.       let result = this.init.apply(this, arguments);
  233.       let algorithm = this.getAlgorithm();
  234.       let ivParameterSpecObj = Java.cast(arguments[2], Java.use("javax.crypto.spec.IvParameterSpec"));
  235.       let mode;
  236.       if (arguments[0] === 1) {
  237.         mode = "加密";
  238.       } else {
  239.         mode = "解密";
  240.       }
  241.       console.log(algorithm + " init mode:" + mode);
  242.       printData(algorithm + " init key", arguments[1].getEncoded());
  243.       printData(algorithm + " init iv", ivParameterSpecObj.getIV());
  244.       console.log("============================================================");
  245.       return result;
  246.     }
  248.     Cipher.doFinal.overload().implementation = function () {
  249.       showStack();
  250.       console.log("Cipher.doFinal.overload() is called!");
  251.       let result = this.doFinal.apply(this, arguments);
  252.       printResult(this, result, arguments);
  253.       return result;
  254.     }
  255.     Cipher.doFinal.overload('[B').implementation = function () {
  256.       showStack();
  257.       console.log("Cipher.doFinal.overload('[B') is called!");
  258.       let result = this.doFinal.apply(this, arguments);
  259.       printResult(this, result, arguments);
  260.       return result;
  261.     }
  262.     Cipher.doFinal.overload('[B', 'int').implementation = function () {
  263.       showStack();
  264.       console.log("Cipher.doFinal.overload('[B', 'int') is called!");
  265.       let result = this.doFinal.apply(this, arguments);
  266.       printResult(this, result, arguments);
  267.       return result;
  268.     }
  269.     Cipher.doFinal.overload('[B', 'int', 'int').implementation = function () {
  270.       showStack();
  271.       console.log("Cipher.doFinal.overload('[B', 'int', 'int') is called!");
  272.       let result = this.doFinal.apply(this, arguments);
  273.       printResult(this, result, arguments);
  274.       return result;
  275.     }
  276.     Cipher.doFinal.overload('[B', 'int', 'int', '[B').implementation = function () {
  277.       showStack();
  278.       console.log("Cipher.doFinal.overload('[B', 'int', 'int', '[B') is called!");
  279.       let result = this.doFinal.apply(this, arguments);
  280.       printResult(this, result, arguments);
  281.       return result;
  282.     }
  283.     Cipher.doFinal.overload('[B', 'int', 'int', '[B', 'int').implementation = function () {
  284.       showStack();
  285.       console.log("Cipher.doFinal.overload('[B', 'int', 'int', '[B', 'int') is called!");
  286.       let result = this.doFinal.apply(this, arguments);
  287.       printResult(this, result, arguments);
  288.       return result;
  289.     }
  290.   }
  292.   /**
  293.   * 签名算法hook
  294.   * 私钥
  295.   */
  296.   function hookSignature() {
  297.     let Signature = Java.use("java.security.Signature");
  298.     Signature.initSign.overload('java.security.PrivateKey').implementation = function () {
  299.       showStack();
  300.       console.log("Signature.initSign.overload('java.security.PrivateKey') is called!");
  301.       let result = this.initSign.apply(this, arguments);
  302.       let algorithm = this.getAlgorithm();
  303.       try {
  304.         // RSA使用Hex编码的私钥调用getEncoded() 会报错,异常捕获,具体逻辑,根据堆栈,去APP分析
  305.         printData(algorithm + " init key", arguments[0].getEncoded());
  306.       } catch (e) {
  307.         console.log(JSON.stringify(arguments[0]) + "|" + e);
  308.       }
  309.       console.log("============================================================");
  310.       return result;
  311.     }
  312.     Signature.update.overload('byte').implementation = function () {
  313.       showStack();
  314.       console.log("Signature.update.overload('byte') is called!");
  315.       let result = this.update.apply(this, arguments);
  316.       let algorithm = this.getAlgorithm();
  317.       printData(algorithm + " update param", Java.array('byte', [b]))
  318.       console.log("============================================================");
  319.       return result;
  320.     }
  321.     Signature.update.overload('[B', 'int', 'int').implementation = function () {
  322.       showStack();
  323.       console.log("Signature.update.overload('[B', 'int', 'int') is called!");
  324.       let result = this.update.apply(this, arguments);
  325.       let algorithm = this.getAlgorithm();
  326.       printData(algorithm + " update param", arguments[0]);
  327.       console.log("============================================================");
  328.       return result;
  329.     }
  330.     Signature.sign.overload().implementation = function () {
  331.       showStack();
  332.       console.log("Signature.sign.overload() is called!");
  333.       let result = this.sign.apply(this, arguments);
  334.       let algorithm = this.getAlgorithm();
  335.       printData(algorithm + " sign result", result);
  336.       console.log("============================================================");
  337.       return result;
  338.     }
  339.     Signature.sign.overload('[B', 'int', 'int').implementation = function () {
  340.       showStack();
  341.       console.log("Signature.sign.overload('[B', 'int', 'int') is called!");
  342.       let result = this.sign.apply(this, arguments);
  343.       let algorithm = this.getAlgorithm();
  344.       printData(algorithm + " sign param", arguments[0]);
  345.       printData(algorithm + " sign result", result);
  346.       console.log("============================================================");
  347.       return result;
  348.     }
  349.   }
  351.   /**
  352.   * Base64hook
  353.   */
  354.   function hookBase64() {
  355.     let Base64 = Java.use("android.util.Base64");
  356.     Base64.encodeToString.overload('[B', 'int').implementation = function () {
  357.       let result = this.encodeToString.apply(this, arguments);
  358.       printData("Base64 param", arguments[0]);
  359.       console.log("-------------------------------");
  360.       console.log("Base64 result:" + result);
  361.       console.log("============================================================");
  362.       return result;
  363.     }
  364.   }
  366.   // 消息摘要算法hook
  367.   hookMessageDigest();
  368.   // Mac算法hook
  369.   hookMac();
  370.   // hookCipher
  371.   hookCipher();
  372.   // 数据签名算法hook
  373.   hookSignature();
  374.   // hookBase64编码
  375.   hookBase64();
  377. })