字节系app通用抓包脚本

已测试某音(28.4.0), 某茄小说(6.0.5.32)

原理

获取SSL_CTX_set_custom_verify的参数3(回调函数)

void SSL_CTX_set_custom_verify(SSL_CTX *ctx, int mode, enum ssl_verify_result_t (*callback)(SSL *ssl, uint8_t *out_alert)) {    ctx->verify_mode = mode;    ctx->custom_verify_callback = callback;}

enum ssl_verify_result_t BORINGSSL_ENUM_INT {    ssl_verify_ok,    ssl_verify_invalid,    ssl_verify_retry,};

代码编写

function main() {    Java.perform(function () {        let SSL_CTX_set_custom_verify = Module.getExportByName('libsscronet.so', 'SSL_CTX_set_custom_verify');    }}setImmediate(main);

1. setTimeout(main, 3000);延时执行函数
2. hook系统函数, 监听so加载

function onLoad(name, callback) {    //void* android_dlopen_ext(const char* filename, int flag, const android_dlextinfo* extinfo);//原型    const android_dlopen_ext = Module.findExportByName(null, "android_dlopen_ext");    if (android_dlopen_ext != null) {        Interceptor.attach(android_dlopen_ext, {            onEnter: function (args) {                if (args[0].readCString().indexOf(name) !== -1) {                    this.hook = true;                }            },             onLeave: function (retval) {                if (this.hook) {                    callback();                }            }        });    }}
onLoad(soName, () => {    let SSL_CTX_set_custom_verify = Module.getExportByName('libsscronet.so', 'SSL_CTX_set_custom_verify');    if (SSL_CTX_set_custom_verify != null) {        Interceptor.attach(SSL_CTX_set_custom_verify, {            onEnter: function (args) {                Interceptor.attach(args[2], {                    onLeave: function (retval) {                        if (retval > 0x0) retval.replace(0x0);                    }                });            }        });    }});

效果图

完整代码已经上传至github

https://github.com/LanBaiCode/FridaScripts

作者：Slimu原文：https://www.52pojie.cn/thread-1879263-1-1.html