r0capture

Universal Android application-layer packet capture script

Introduction

  • Android only; tested and working on Android 7, 8, 9, 10 and 11;
  • Ignores all certificate validation and certificate pinning, so you never have to deal with certificates;
  • Covers every protocol in the application layer of the four-layer TCP/IP model;
  • Covered protocols include HTTP, WebSocket, FTP, XMPP, IMAP, SMTP, Protobuf and so on, as well as their SSL versions;
  • Covers all application-layer frameworks, including HttpUrlConnection, OkHttp 1/3/4, Retrofit/Volley and so on;
  • Ignores packing, whether a whole-app packer, a second-generation packer or VMP, so you never have to deal with the packer;
  • If something cannot be captured, feel free to open an issue, or add WeChat r0ysue directly to give feedback.

January 14th, 2021 update: several helper features added

  • Added locating of the App's packet send/receive functions
  • Added export of the App's client certificate
  • Added the host connection option "-H", for connecting when frida-server listens on a non-standard port

Usage

Remember: only Android 7, 8, 9, 10 and 11 are supported; do not use an emulator.

  • Spawn mode:

$ python3 r0capture.py -U -f com.qiyi.video -v

  • Attach mode, saving the captured traffic to a pcap file for later analysis:

$ python3 r0capture.py -U com.qiyi.video -v -p iqiyi.pcap

Attach mode is recommended: start capturing from the point you are interested in and save to a pcap file, so the traffic can be analysed later in Wireshark.

  • Send/receive function locating: enabled by default in both Spawn and Attach modes;

You can redirect the output to a text file with a command such as python r0capture.py -U -f cn.soulapp.android -v >> soul3.txt and filter the content later.

  • Client certificate export: enabled by default; must be run in Spawn mode;

Before running the script you must manually grant the App storage read/write permission;

Not every App deploys server-side verification of the client; only those that do will carry a client certificate inside the Apk.

The exported certificate is at /sdcard/Download/<package-name>xxx.p12; if exported several times, every copy is usable; the default password is r0ysue; KeyStore Explorer is recommended for viewing the certificate.

  • Added the host connection option "-H", for connecting when frida-server listens on a non-standard port. Some Apps check for the standard Frida port, so running frida-server on a non-standard port can get around that check.

Thanks to 爱吃菠菜巨巨 for the write-up of this project's knowledge points

PS:

This project is based on frida_ssl_logger; the name was changed only because the focus differs. The original project focuses on capturing SSL traffic and on cross-platform support; this project focuses on capturing every packet.

Limitations:

  • Some large vendors or frameworks with strong in-house engineering use their own SSL stack, for example WebView, mini-programs or Flutter; these are not supported yet.
  • Some hybrid Apps are essentially no longer Android Apps and do not use the Android system frameworks, so they cannot be supported; such Apps are a minority.
  • HTTP/2 and HTTP/3 are not supported yet: those APIs are not yet widely deployed in the Android system, so each App ships its own and no generic hook is possible.
  • Emulators vary in architecture, implementation and environment; treasure your life and use a real device.
  • Multi-process support has not been added yet, e.g. child processes such as :service or :push; Frida's child gating can be used to support them. Once multiple processes are supported, the write lock on the pcap file needs attention; frida-tools' Reactor thread lock can be used for that.
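The last limitation above (child processes and the pcap write lock) can be addressed along the lines the paragraph sketches. The following is an added illustration, not r0capture's own code: a lock-protected pcap writer with synthetic IPv4/TCP framing that all processes share, plus a spawn routine that turns on Frida child gating so forked :service/:push processes get the same hook script. It assumes `device` is a `frida.core.Device` (e.g. from `frida.get_usb_device()`); the hook script and its message format are outside this snippet, and the multi-threaded stand-in at the end is constructed.

```python
import io
import socket
import struct
import threading
import time
from typing import Callable, Dict, List, Optional, Tuple

LINKTYPE_RAW = 101  # pcap link type: raw IP packets, no link-layer header


def _ip_checksum(header: bytes) -> int:
    """Ones'-complement checksum of a 20-byte IPv4 header (0 when valid)."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src: str, sport: int, dst: str, dport: int,
                 payload: bytes, seq: int) -> bytes:
    """Synthetic IPv4 + TCP (PSH/ACK) framing so Wireshark dissects and
    reassembles the captured buffers as a stream; TCP checksum left at 0."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18,
                      65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64,
                     6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", _ip_checksum(ip)) + ip[12:]
    return ip + tcp + payload


class LockedPcapWriter:
    """One pcap file shared by every hooked process; the lock serialises the
    two writes of a record so concurrent messages cannot interleave."""

    def __init__(self, fh) -> None:
        self._fh, self._lock = fh, threading.Lock()
        self._seq: Dict[Tuple[str, int, str, int], int] = {}
        fh.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535,
                             LINKTYPE_RAW))

    def write(self, src: str, sport: int, dst: str, dport: int,
              payload: bytes, ts: Optional[float] = None) -> None:
        ts = time.time() if ts is None else ts
        with self._lock:
            key = (src, sport, dst, dport)
            seq = self._seq.get(key, 1)  # per-flow TCP sequence numbers
            self._seq[key] = (seq + len(payload)) & 0xFFFFFFFF
            pkt = build_packet(src, sport, dst, dport, payload, seq)
            self._fh.write(struct.pack("<IIII", int(ts),
                                       int((ts % 1) * 1_000_000),
                                       len(pkt), len(pkt)))
            self._fh.write(pkt)


def read_pcap(data: bytes) -> List[Tuple[str, int, str, int, bytes]]:
    """Parse a file written above back into (src, sport, dst, dport, payload),
    verifying the IPv4 checksum of every packet on the way."""
    off, out = 24, []  # skip the 24-byte global header
    while off < len(data):
        incl = struct.unpack_from("<IIII", data, off)[2]
        pkt = data[off + 16:off + 16 + incl]
        if _ip_checksum(pkt[:20]) != 0:
            raise ValueError("corrupt record at offset %d" % off)
        src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
        sport, dport = struct.unpack("!HH", pkt[20:24])
        out.append((src, sport, dst, dport, pkt[40:]))
        off += 16 + incl
    return out


def spawn_with_child_gating(device, package: str, script_source: str,
                            on_message: Callable) -> int:
    """Spawn `package` with Frida child gating on: each process the app forks
    (a :push or :service child, say) is paused at birth, loaded with the same
    hook script and only then resumed.  `device` is a frida.core.Device."""
    def instrument(pid: int) -> None:
        session = device.attach(pid)
        session.enable_child_gating()
        script = session.create_script(script_source)
        script.on("message", on_message)  # all processes post to one handler
        script.load()
        device.resume(pid)

    device.on("child-added", lambda child: instrument(child.pid))
    pid = device.spawn([package])
    instrument(pid)
    return pid


def simulate_concurrent_writes(threads: int = 4, per_thread: int = 50):
    buf = io.BytesIO()
    writer = LockedPcapWriter(buf)

    def worker(i: int) -> None:
        for n in range(per_thread):
            writer.write("10.0.0.%d" % (i + 1), 40000 + i, "203.0.113.5", 443,
                         b"GET /%d-%d HTTP/1.1\r\n\r\n" % (i, n), ts=1.6e9)

    # constructed stand-in: each thread plays one hooked process
    pool = [threading.Thread(target=worker, args=(i,)) for i in range(threads)]
    for t in pool: t.start()
    for t in pool: t.join()
    return read_pcap(buf.getvalue())
```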

The original project's introduction follows:

https://github.com/BigFaceCat2017/frida_ssl_logger

frida_ssl_logger

ssl_logger based on frida, derived from https://github.com/google/ssl_logger

Changes

  1. Optimised the Frida JS script and fixed syntax errors on newer Frida versions;
  2. Adjusted the JS script so it works on iOS and macOS while remaining compatible with Android;
  3. Added more options so it can be used in more situations;

Usage

  python3 ./ssl_logger.py  -U -f com.bfc.mm
  python3 ./ssl_logger.py -v  -p test.pcap  6666
Comments
  • TypeError: not a function

    Latest r0capture, frida 14.2.3

    {'columnNumber': 1, 'description': 'TypeError: not a function', 'fileName': '/script1.js', 'lineNumber': 353, 'stack': 'TypeError: not a function\n' ' at (/script1.js:353)\n' ' at apply (native)\n' ' at ne ' '(frida/node_modules/frida-java-bridge/lib/class-factory.js:613)\n' ' at ' '(frida/node_modules/frida-java-bridge/lib/class-factory.js:592)', 'type': 'error'}

    opened by tmxd09887 6
  • Is a capture like this normal? Do I still need to decrypt it myself? Also, an exception was thrown

    0000000: 48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D  HTTP/1.1 200 OK.
    00000010: 0A 53 65 72 76 65 72 3A 20 54 65 6E 67 69 6E 65  .Server: Tengine
    00000020: 0D 0A 44 61 74 65 3A 20 54 75 65 2C 20 30 39 20  ..Date: Tue, 09
    00000030: 4D 61 72 20 32 30 32 31 20 30 33 3A 32 35 3A 34  Mar 2021 03:25:4
    00000040: 31 20 47 4D 54 0D 0A 43 6F 6E 74 65 6E 74 2D 54  1 GMT..Content-T
    00000050: 79 70 65 3A 20 61 70 70 6C 69 63 61 74 69 6F 6E  ype: application
    00000060: 2F 6F 63 74 65 74 2D 73 74 72 65 61 6D 0D 0A 43  /octet-stream..C
    00000070: 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 30  ontent-Length: 0
    00000080: 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 6B 65  ..Connection: ke
    00000090: 65 70 2D 61 6C 69 76 65 0D 0A 0D 0A              ep-alive....

    java.lang.Throwable
        at com.android.org.conscrypt.OpenSSLSocketImpl$SSLInputStream.read(Native Method)
        at com.android.okhttp.okio.Okio$2.read(Okio.java:136)
        at com.android.okhttp.okio.AsyncTimeout$2.read(AsyncTimeout.java:211)
        at com.android.okhttp.okio.RealBufferedSource.indexOf(RealBufferedSource.java:306)
        at com.android.okhttp.okio.RealBufferedSource.indexOf(RealBufferedSource.java:300)
        at com.android.okhttp.okio.RealBufferedSource.readUtf8LineStrict(RealBufferedSource.java:196)
        at com.android.okhttp.internal.http.HttpConnection.readResponse(HttpConnection.java:191)
        at com.android.okhttp.internal.http.HttpTransport.readResponseHeaders(HttpTransport.java:80)
        at com.android.okhttp.internal.http.HttpEngine.readNetworkResponse(HttpEngine.java:906)
        at com.android.okhttp.internal.http.HttpEngine.readResponse(HttpEngine.java:782)
        at com.android.okhttp.internal.huc.HttpURLConnectionImpl.execute(HttpURLConnectionImpl.java:463)
        at com.android.okhttp.internal.huc.HttpURLConnectionImpl.getResponse(HttpURLConnectionImpl.java:405)
        at com.android.okhttp.internal.huc.HttpURLConnectionImpl.getResponseCode(HttpURLConnectionImpl.java:521)
        at com.android.okhttp.internal.huc.DelegatingHttpsURLConnection.getResponseCode(DelegatingHttpsURLConnection.java:105)
        at com.android.okhttp.internal.huc.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java)
        at com.wuba.wmda.d.a.a(HttpManager.java:66)
        at com.wuba.wmda.d.a.a(HttpManager.java:26)
        at com.wuba.wmda.g.a.a(EventStrategy.java:472)
        at com.wuba.wmda.g.a.L(EventStrategy.java:282)
        at com.wuba.wmda.g.a.a(EventStrategy.java:32)
        at com.wuba.wmda.g.a$a.handleMessage(EventStrategy.java:534)
        at android.os.Handler.dispatchMessage(Handler.java:102)
        at android.os.Looper.loop(Looper.java:154)
        at android.os.HandlerThread.run(HandlerThread.java:61)

    SSL Session: 057943A69D0620F74ABD0A4B7341C4A41C8D0B1DB63D1929098ECAA18E141B91 [SSL_read] 123.206.235.144:443 --> 172.16.1.15:45415

    opened by tiefeiniu 4
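To check what the tool's text output actually contains, here is an added example that is neither r0capture's code nor part of the issue above. It parses the console output that the Usage section suggests redirecting to a text file back into bytes, and tells a decrypted HTTP message (what an SSL_read hook is expected to yield) apart from a raw TLS record. The sample log is constructed: its first record is the response quoted in this issue, the second is an invented record with a TLS record header, which is what a capture taken below the TLS layer would look like.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample of r0capture's text output (the format of the Python
# `hexdump` module the tool calls) as it looks after redirecting the console
# to a file.  Record one is the decrypted response quoted in the issue above;
# record two is invented: its payload starts with a TLS record header, which
# is what a capture taken below the TLS layer would look like.
SAMPLE_LOG = """\
SSL Session: 057943A69D0620F74ABD0A4B7341C4A41C8D0B1DB63D1929098ECAA18E141B91 [SSL_read] 123.206.235.144:443 --> 172.16.1.15:45415
00000000: 48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D  HTTP/1.1 200 OK.
00000010: 0A 53 65 72 76 65 72 3A 20 54 65 6E 67 69 6E 65  .Server: Tengine
00000020: 0D 0A 44 61 74 65 3A 20 54 75 65 2C 20 30 39 20  ..Date: Tue, 09
00000030: 4D 61 72 20 32 30 32 31 20 30 33 3A 32 35 3A 34  Mar 2021 03:25:4
00000040: 31 20 47 4D 54 0D 0A 43 6F 6E 74 65 6E 74 2D 54  1 GMT..Content-T
00000050: 79 70 65 3A 20 61 70 70 6C 69 63 61 74 69 6F 6E  ype: application
00000060: 2F 6F 63 74 65 74 2D 73 74 72 65 61 6D 0D 0A 43  /octet-stream..C
00000070: 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 30  ontent-Length: 0
00000080: 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 6B 65  ..Connection: ke
00000090: 65 70 2D 61 6C 69 76 65 0D 0A 0D 0A              ep-alive....
SSL Session: 0000000000000000000000000000000000000000000000000000000000000000 [SSL_write] 172.16.1.15:45416 --> 123.206.235.144:443
00000000: 17 03 03 00 20 8A 3F 00 C1 5E 9D 22 7B 41 10 F0  ....?..^."{A...
"""

SESSION_RE = re.compile(
    r"^\s*SSL Session:\s*([0-9A-Fa-f]*)\s*\[(\w+)\]\s*(\S+)\s*-->\s*(\S+)")
DUMP_RE = re.compile(r"^\s*[0-9A-Fa-f]{7,8}:\s*(.*)$")
HTTP_RE = re.compile(rb"^(?:HTTP/1\.[01] \d{3}|"
                     rb"(?:GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) \S+ HTTP/1\.[01])")
HEXDIGITS = set("0123456789abcdefABCDEF")


@dataclass
class Record:
    session: str
    func: str          # which hook fired: SSL_read, SSL_write, HTTP_send, ...
    src: str
    dst: str
    data: bytearray = field(default_factory=bytearray)


def parse_dump_line(rest: str) -> bytes:
    """Hex column of one hexdump line: at most 16 two-digit pairs, stopping at
    the first token that is not one (that is where the ASCII column starts)."""
    out = bytearray()
    for tok in rest.split():
        if len(out) == 16 or len(tok) != 2 or not set(tok) <= HEXDIGITS:
            break
        out.append(int(tok, 16))
    return bytes(out)


def parse_capture(text: str) -> List[Record]:
    """One Record per 'SSL Session:' header, with the hexdump lines that
    follow it reassembled into the raw payload."""
    records: List[Record] = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            records.append(Record(*m.groups()))
            continue
        m = DUMP_RE.match(line)
        if m and records:
            records[-1].data += parse_dump_line(m.group(1))
    return records


def classify(data: bytes) -> str:
    """Plaintext HTTP/1.x, a raw TLS record (type 0x14-0x17, version 3.x), or
    other binary such as Protobuf or a gzip body."""
    if HTTP_RE.match(data):
        return "plaintext-http"
    if len(data) >= 5 and data[0] in (0x14, 0x15, 0x16, 0x17) \
            and data[1] == 3 and data[2] <= 4:
        return "tls-record"
    return "binary"


def split_http(data: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Start line, header dict and body of a plaintext HTTP/1.x message."""
    head, _, body = data.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for name, sep, value in (l.partition(": ") for l in lines[1:]):
        if sep:
            headers[name] = value
    return lines[0], headers, body


def summarize(text: str) -> List[Tuple[str, str, str, str, int]]:
    """(func, src, dst, classification, payload length) per record, which is
    what you would filter on in a redirected log."""
    return [(r.func, r.src, r.dst, classify(bytes(r.data)), len(r.data))
            for r in parse_capture(text)]
```

A record classified as plaintext-http needs no further decryption; a tls-record payload means the hook fired below the TLS layer and the capture has to be taken from the SSL_read/SSL_write level instead.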
  • Could someone tell me what this error is?

    {'columnNumber': 1, 'description': "Error: java.lang.ClassNotFoundException: Didn't find class " '"java.net.SocketOutputStream" on path: DexPathList[[zip file ' '"/data/app/com.ysw.app-1/base.apk"],nativeLibraryDirectories=[/data/app/com.ysw.app-1/lib/arm, ' '/data/app/com.ysw.app-1/base.apk!/lib/armeabi-v7a, ' '/vendor/lib, /system/lib]]', 'fileName': 'frida/node_modules/frida-java-bridge/lib/env.js', 'lineNumber': 126, 'stack': "Error: java.lang.ClassNotFoundException: Didn't find class " '"java.net.SocketOutputStream" on path: DexPathList[[zip file ' '"/data/app/com.ysw.app-1/base.apk"],nativeLibraryDirectories=[/data/app/com.ysw.app-1/lib/arm, ' '/data/app/com.ysw.app-1/base.apk!/lib/armeabi-v7a, /vendor/lib, ' '/system/lib]]\n' ' at frida/node_modules/frida-java-bridge/lib/env.js:126\n' ' at ' 'frida/node_modules/frida-java-bridge/lib/class-factory.js:459\n' ' at ' 'frida/node_modules/frida-java-bridge/lib/class-factory.js:840\n' ' at ' 'frida/node_modules/frida-java-bridge/lib/class-factory.js:128\n' ' at ' 'frida/node_modules/frida-java-bridge/lib/class-factory.js:83\n' ' at /script1.js:193\n' ' at frida/node_modules/frida-java-bridge/lib/vm.js:11\n' ' at frida/node_modules/frida-java-bridge/index.js:446\n' ' at frida/node_modules/frida-java-bridge/index.js:395', 'type': 'error'} Terminated: 15

    opened by renwfy 4
  • Error when running on Windows; is some environment missing? Could you make a from-scratch tutorial?

    Traceback (most recent call last):
      File "r0capture.py", line 63, in <module>
        import frida
    ModuleNotFoundError: No module named 'frida'
    
    opened by wuweijian1997 4
  • Cannot capture Instagram

    Package        Version
    -------------- -------
    colorama       0.4.4
    frida          14.1.2
    frida-tools    9.0.1
    hexdump        3.3
    pip            18.1
    prompt-toolkit 3.0.8
    Pygments       2.7.2
    setuptools     40.6.2
    wcwidth        0.2.5
    
    --------------------------------------------------------------------------------------------
               .oooo.                                      .
              d8P'`Y8b                                   .o8
    oooo d8b 888    888  .ooooo.   .oooo.   oo.ooooo.  .o888oo oooo  oooo  oooo d8b  .ooooo.
    `888""8P 888    888 d88' `"Y8 `P  )88b   888' `88b   888   `888  `888  `888""8P d88' `88b
     888     888    888 888        .oP"888   888   888   888    888   888   888     888ooo888
     888     `88b  d88' 888   .o8 d8(  888   888   888   888 .  888   888   888     888    .o
    d888b     `Y8bd8P'  `Y8bod8P' `Y888""8o  888bod8P'   "888"  `V88V"V8P' d888b    `Y8bod8P'
                                             888
                                            o888o
                        https://github.com/r0ysue/r0capture
    --------------------------------------------------------------------------------------------
    
    attach
    Traceback (most recent call last):
      File "r0capture.py", line 346, in <module>
        ssl_log(int(parsed.process) if parsed.process.isdigit() else parsed.process, parsed.pcap, parsed.verbose, isUsb=parsed.isUsb, isSpawn=parsed.isSpawn, ssllib=parsed.ssl, wait=parsed.wait)
      File "r0capture.py", line 256, in ssl_log
        session = device.attach(process)
      File "/Users/esingtse/.pyenv/versions/frida/lib/python3.6/site-packages/frida/core.py", line 26, in wrapper
        return f(*args, **kwargs)
      File "/Users/esingtse/.pyenv/versions/frida/lib/python3.6/site-packages/frida/core.py", line 156, in attach
        return Session(self._impl.attach(self._pid_of(target)))
    frida.TransportError: the connection is closed
    

    With Instagram, running python r0capture.py -U com.instagram.android -p ins.pcap before the capture starts makes the app crash straight away, and the error above appears when the app is reopened.

    opened by esingtse 3
  • Tested, no packets captured

    {'columnNumber': 1,
     'description': "Error: java.lang.ClassNotFoundException: Didn't find class "
                    '"java.net.SocketOutputStream" on path: DexPathList[[zip file '
                    '"/data/app/com.test.vc-2/base.apk"],nativeLibraryDirectories=[/data/app/com.test.vc-2/lib/arm, '
                    '/data/app/com.test.vc-2/base.apk!/lib/armeabi-v7a, '
                    '/vendor/lib, /system/lib]]',
     'fileName': 'frida/node_modules/frida-java-bridge/lib/env.js',
     'lineNumber': 124,
     'stack': "Error: java.lang.ClassNotFoundException: Didn't find class "
              '"java.net.SocketOutputStream" on path: DexPathList[[zip file '
              '"/data/app/com.test.vc-2/base.apk"],nativeLibraryDirectories=[/data/app/com.test.vc-2/lib/arm, '
              '/data/app/com.test.vc-2/base.apk!/lib/armeabi-v7a, /vendor/lib, '
              '/system/lib]]\n'
              '    at <anonymous> '
              '(frida/node_modules/frida-java-bridge/lib/env.js:124)\n'
              '    at <anonymous> '
              '(frida/node_modules/frida-java-bridge/lib/class-factory.js:443)\n'
              '    at value '
              '(frida/node_modules/frida-java-bridge/lib/class-factory.js:812)\n'
              '    at _make '
              '(frida/node_modules/frida-java-bridge/lib/class-factory.js:112)\n'
              '    at use '
              '(frida/node_modules/frida-java-bridge/lib/class-factory.js:63)\n'
              '    at use (frida/node_modules/frida-java-bridge/index.js:245)\n'
              '    at <anonymous> (/script1.js:190)\n'
              '    at <anonymous> '
              '(frida/node_modules/frida-java-bridge/lib/vm.js:12)\n'
              '    at _performPendingVmOps '
              '(frida/node_modules/frida-java-bridge/index.js:237)\n'
              '    at <anonymous> '
              '(frida/node_modules/frida-java-bridge/index.js:212)\n'
              '    at <anonymous> '
              '(frida/node_modules/frida-java-bridge/lib/vm.js:12)\n'
              '    at _performPendingVmOpsWhenReady '
              '(frida/node_modules/frida-java-bridge/index.js:231)\n'
              '    at perform (frida/node_modules/frida-java-bridge/index.js:191)\n'
              '    at <eval> (/script1.js:222)',
     'type': 'error'}
    
    opened by mickeystone 3
  • Error when attaching

    $ python .\r0capture.py -U com.tencent.mobileqq:MSF -v -p qq.pcap

               .oooo.                                      .
              d8P'`Y8b                                   .o8
    oooo d8b 888    888  .ooooo.   .oooo.   oo.ooooo.  .o888oo oooo  oooo  oooo d8b  .ooooo.
    `888""8P 888    888 d88' `"Y8 `P  )88b   888' `88b   888   `888  `888  `888""8P d88' `88b
     888     888    888 888        .oP"888   888   888   888    888   888   888     888ooo888
     888     `88b  d88' 888   .o8 d8(  888   888   888   888 .  888   888   888     888    .o
    d888b     `Y8bd8P'  `Y8bod8P' `Y888""8o  888bod8P'   "888"  `V88V"V8P' d888b    `Y8bod8P'
                                             888
                                            o888o
                        https://github.com/r0ysue/r0capture

    attach
    Press Ctrl+C to stop logging.
    2022-07-30 11:03:07.209 | INFO | main:on_message:218 - {'type': 'error', 'description': "TypeError: cannot read property 'getLocalAddress' of null", 'stack': "TypeError: cannot read property 'getLocalAddress' of null\n at (/script1.js:281)\n at apply (native)\n at ne (frida/node_modules/frida-java-bridge/lib/class-factory.js:620)\n at (frida/node_modules/frida-java-bridge/lib/class-factory.js:598)", 'fileName': '/script1.js', 'lineNumber': 281, 'columnNumber': 1}

    opened by sst4rb0y 2
  • More than one match found for *libssl*!SSL_read

    When I used this framework to try to hook Taobao, it threw an error; the content is

    {'description': 'More than one match found for libssl!SSL_read: ' '/apex/com.android.conscrypt/lib/libssl.so!SSL_read@0xd1fe38a5, ' '/data/app/com.taobao.taobao-XVnyJTItLkVOsWMi8aqRLw==/lib/arm/libssl.1.0.2.so!SSL_read@0x998ae658', 'type': 'error'}

    It seems to be because Taobao uses several libssl.so files. How should I change the r0capture source code to fix this problem?

    opened by Miscf 2
  • NameError: name 'hexdump' is not defined

    Traceback (most recent call last):
      File "D:\python\lib\site-packages\frida\core.py", line 383, in _on_message
        callback(message, data)
      File "D:\javaby\gongju\r0capture\r0capture.py", line 239, in on_message
        hexdump.hexdump(data)
    NameError: name 'hexdump' is not defined
    SSL Session: 833A98DD38DCA4E3FAA733B177DE922A6B10A0958B473301799FA91CAEF1ACF3 [SSL_read] 115.159.231.144:443 --> 172.16.1.15:54395
    Traceback (most recent call last):
      File "D:\python\lib\site-packages\frida\core.py", line 383, in _on_message
        callback(message, data)
      File "D:\javaby\gongju\r0capture\r0capture.py", line 239, in on_message
        hexdump.hexdump(data)
    NameError: name 'hexdump' is not defined
    SSL Session: B5FEB6A8BFF0EDC0B2C09F0DC545B9A217E1DC4A95790CA1A4DB932EE3D859B0 [SSL_read] 123.206.235.144:443 --> 172.16.1.15:47914
    Traceback (most recent call last):
      File "D:\python\lib\site-packages\frida\core.py", line 383, in _on_message
        callback(message, data)
      File "D:\javaby\gongju\r0capture\r0capture.py", line 239, in on_message
        hexdump.hexdump(data)
    NameError: name 'hexdump' is not defined
    SSL Session: D4E416C3AE4F321FFA8196616BC8C251E7E3954DCD3D200138309E67CCA1DFF5 [SSL_read] 123.206.235.145:443 --> 172.16.1.15:34207
    Traceback (most recent call last):
      File "D:\python\lib\site-packages\frida\core.py", line 383, in _on_message
        callback(message, data)
      File "D:\javaby\gongju\r0capture\r0capture.py", line 239, in on_message
        hexdump.hexdump(data)
    NameError: name 'hexdump' is not defined
    SSL Session: DD9542DD18D63C80C062E26EC2673A637E9B085103A342B444166EC196021C89 [SSL_read] 123.206.235.144:443 --> 172.16.1.15:47912
    Traceback (most recent call last):
      File "D:\python\lib\site-packages\frida\core.py", line 383, in _on_message
        callback(message, data)
      File "D:\javaby\gongju\r0capture\r0capture.py", line 239, in on_message
        hexdump.hexdump(data)
    NameError: name 'hexdump' is not defined
    SSL Session: [HTTP_send] 172.16.1.15:33222 --> 14.22.7.140:80
    Traceback (most recent call last):
      File "D:\python\lib\site-packages\frida\core.py", line 383, in _on_message
        callback(message, data)
      File "D:\javaby\gongju\r0capture\r0capture.py", line 239, in on_message
        hexdump.hexdump(data)
    NameError: name 'hexdump' is not defined
    SSL Session: [HTTP_recv] 14.22.7.140:80 --> 172.16.1.15:33222
    Traceback (most recent call last):
      File "D:\python\lib\site-packages\frida\core.py", line 383, in _on_message
        callback(message, data)
      File "D:\javaby\gongju\r0capture\r0capture.py", line 239, in on_message
        hexdump.hexdump(data)
    NameError: name 'hexdump' is not defined

    opened by tiefeiniu 2
  • NameError: name 'hexdump' is not defined

    Running gives an error, and no client certificate is exported (the App has been granted storage permission): python r0capture.py -H 192.168.50.153:8888 -f xxx.xxx.xxx.xxx -v

    NameError: name 'hexdump' is not defined
    SSL Session: 71A92366608A0A253692FADF47DCC8377D374F83C20B8B7C345E360D9D3272BB [SSL_read] 120.83.147.111:443 --> 192.168.50.153:37088
    Traceback (most recent call last):
      File "/root/miniconda3/envs/py380/lib/python3.8/site-packages/frida/core.py", line 383, in _on_message
        callback(message, data)
      File "r0capture.py", line 239, in on_message
        hexdump.hexdump(data)
    NameError: name 'hexdump' is not defined
    SSL Session: 71A92366608A0A253692FADF47DCC8377D374F83C20B8B7C345E360D9D3272BB [SSL_read] 120.83.147.111:443 --> 192.168.50.153:37088
    Traceback (most recent call last):
      File "/root/miniconda3/envs/py380/lib/python3.8/site-packages/frida/core.py", line 383, in _on_message
        callback(message, data)
      File "r0capture.py", line 239, in on_message
        hexdump.hexdump(data)
    NameError: name 'hexdump' is not defined
    SSL Session: 71A92366608A0A253692FADF47DCC8377D374F83C20B8B7C345E360D9D3272BB [SSL_read] 120.83.147.111:443 --> 192.168.50.153:37088
    Traceback (most recent call last):
      File "/root/miniconda3/envs/py380/lib/python3.8/site-packages/frida/core.py", line 383, in _on_message
        callback(message, data)
      File "r0capture.py", line 239, in on_message
        hexdump.hexdump(data)
    NameError: name 'hexdump' is not defined
    SSL Session: 71A92366608A0A253692FADF47DCC8377D374F83C20B8B7C345E360D9D3272BB [SSL_read] 120.83.147.111:443 --> 192.168.50.153:37088
    Traceback (most recent call last):
      File "/root/miniconda3/envs/py380/lib/python3.8/site-packages/frida/core.py", line 383, in _on_message
        callback(message, data)
      File "r0capture.py", line 239, in on_message
        hexdump.hexdump(data)
    NameError: name 'hexdump' is not defined
    ^CYou have stoped logging.
    ^C^C^C^C^CYou have stoped logging.

    opened by 03128crz 2
  • Certificate error?

    What should I do about this problem?

    SSLpinning position locator => /system/etc/security/cacerts 929ec953.0
    java.lang.Throwable
        at java.io.File.(Native Method)
        at android.security.net.config.DirectoryCertificateSource.findCerts(DirectoryCertificateSource.java:147)
        at android.security.net.config.DirectoryCertificateSource.findAllByIssuerAndSignature(DirectoryCertificateSource.java:118)
        at android.security.net.config.SystemCertificateSource.findAllByIssuerAndSignature(SystemCertificateSource.java:27)
        at android.security.net.config.CertificatesEntryRef.findAllCertificatesByIssuerAndSignature(CertificatesEntryRef.java:65)
        at android.security.net.config.NetworkSecurityConfig.findAllCertificatesByIssuerAndSignature(NetworkSecurityConfig.java:146)
        at android.security.net.config.TrustedCertificateStoreAdapter.findAllIssuers(TrustedCertificateStoreAdapter.java:46)
        at com.android.org.conscrypt.TrustManagerImpl.findAllTrustAnchorsByIssuerAndSignature(TrustManagerImpl.java:917)
        at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:548)
        at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:495)
        at com.android.org.conscrypt.TrustManagerImpl.checkServerTrusted(TrustManagerImpl.java:321)
        at android.security.net.config.NetworkSecurityTrustManager.checkServerTrusted(NetworkSecurityTrustManager.java:113)
        at android.security.net.config.RootTrustManager.checkServerTrusted(RootTrustManager.java:131)
        at java.lang.reflect.Method.invoke(Native Method)
        at android.net.http.X509TrustManagerExtensions.checkServerTrusted(X509TrustManagerExtensions.java:102)
        at bcai.a(SourceFile:3)
        at org.chromium.net.X509Util.a(SourceFile:69)
        at org.chromium.net.AndroidNetworkLibrary.verifyServerCertificates(SourceFile:8)

    opened by zhoukangg 2
  • The SSL implementation differs on newer Android versions

    The script checks for Android versions above 8 and then hooks the class com.android.org.conscrypt.ConscryptFileDescriptorSocket$SSLOutputStream. On my Android 12 Redmi K30 Pro, the class found from the stack trace is com.android.org.conscrypt.ConscryptEngineSocket$SSLInputStream. The stack trace is as follows:

    at java.net.SocketInputStream.socketRead0(Native Method)
    at java.net.SocketInputStream.socketRead(SocketInputStream.java:119)
    at java.net.SocketInputStream.read(SocketInputStream.java:176)
    at java.net.SocketInputStream.read(SocketInputStream.java:144)
    at com.android.org.conscrypt.ConscryptEngineSocket$SSLInputStream.readFromSocket(ConscryptEngineSocket.java:945)
    at com.android.org.conscrypt.ConscryptEngineSocket$SSLInputStream.processDataFromSocket(ConscryptEngineSocket.java:909)
    at com.android.org.conscrypt.ConscryptEngineSocket$SSLInputStream.readUntilDataAvailable(ConscryptEngineSocket.java:824)
    at com.android.org.conscrypt.ConscryptEngineSocket$SSLInputStream.read(ConscryptEngineSocket.java:797)
    at com.android.org.conscrypt.ConscryptEngineSocket$SSLInputStream.read(Native Method)
    at com.android.okhttp.okio.Okio$2.read(Okio.java:138)
    at com.android.okhttp.okio.AsyncTimeout$2.read(AsyncTimeout.java:213)
    at com.android.okhttp.okio.RealBufferedSource.indexOf(RealBufferedSource.java:307)
    at com.android.okhttp.okio.RealBufferedSource.indexOf(RealBufferedSource.java:301)
    at com.android.okhttp.okio.RealBufferedSource.readUtf8LineStrict(RealBufferedSource.java:197)
    at com.android.okhttp.internal.http.Http1xStream.readResponse(Http1xStream.java:188)
    at com.android.okhttp.internal.http.Http1xStream.readResponseHeaders(Http1xStream.java:129)
    at com.android.okhttp.internal.http.HttpEngine.readNetworkResponse(HttpEngine.java:750)
    at com.android.okhttp.internal.http.HttpEngine.readResponse(HttpEngine.java:622)
    at com.android.okhttp.internal.huc.HttpURLConnectionImpl.execute(HttpURLConnectionImpl.java:475)
    at com.android.okhttp.internal.huc.HttpURLConnectionImpl.getResponse(HttpURLConnectionImpl.java:411)
    at com.android.okhttp.internal.huc.HttpURLConnectionImpl.getResponseCode(HttpURLConnectionImpl.java:542)
    at com.android.okhttp.internal.huc.DelegatingHttpsURLConnection.getResponseCode(DelegatingHttpsURLConnection.java:106)
    at com.android.okhttp.internal.huc.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:30)
    at com.inmobi.media.gv.b(NetworkConnection.java:169)
    at com.inmobi.media.gv.a(NetworkConnection.java:75)
    at com.inmobi.media.ha.a(SyncNetworkTask.java:18)
    at com.inmobi.media.fw.a(ConfigNetworkClient.java:134)
    at com.inmobi.media.fw.run(ConfigNetworkClient.java:3037)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)
    at java.lang.Thread.run(Thread.java:920)
    
    
    opened by ZipperCode 0