Revisions
- 
        T31M revised this gist Oct 12, 2016 . 1 changed file with 99 additions and 16 deletions.
@@ -1,34 +1,117 @@ #Hooking SafetyNet stuff for fun (no profit tho :( ) #Several Functions just uncomment to use or modify :) #by T31M import frida import sys PACKAGE_NAME = "com.nianticlabs.pokemongo" process = frida.get_usb_device().attach(PACKAGE_NAME) print("Attached") script = process.create_script(""" /* Java.enumerateLoadedClasses({ onMatch: function(match) { if(match.indexOf("safetynet") !== -1) send("Enumerate: " + match ); Java.perform(function () { var TM = Java.use(match); TM.init.implementation = function (args) { send(args); } }); }, onComplete: function() { } }); */ /* var module = Process.findModuleByName("libcrypto.so"); //var exports = Module.enumerateExportsSync("libc.so"); //Process.enumerateModulesSync().forEach(function (module) { //send(module); Module.enumerateExportsSync(module.name).forEach(function (exp) { //send("Hook: " + exp.name + " in: " + module.name + " at: " + ptr(exp.address)); try { Interceptor.attach(ptr(exp.address), { onEnter: function (args) { send("Called: "+ exp.name); } }); } catch (e) { send("Error: " + e + " at F: " + exp.name + "in M: " + module.name); } }); //}); */ Java.perform(function () { //var TM = Java.use("com.google.android.gms.safetynet.SafetyNetApi"); var TM = Java.use("com.nianticlabs.nia.platform.SafetyNetService"); TM.checkResult.implementation = function (result) { this.result = result; send("Debug: checkResult() got called! Let's call the original implementation"); send("Hook: Result: " + result); orig = this.checkResult(result); send("Original Returned: " + orig); return orig; }; }); Java.perform(function () { var TM = Java.use("com.nianticlabs.nia.platform.SafetyNetService"); TM.nativeAttestResponse.implementation = function (nonce, result) { send("Debug: NativeAttestResponse() got called! 
Let's call the original implementation"); send("Hook: Nonce: " + nonce); send("Hook: Result: " + result); //send("Original Returned: " + this.nativeAttestResponse(nonce, this.result)); //return True; }; }); /* Java.perform(function () { var TM = Java.use("com.nianticlabs.nia.platform.SafetyNetService"); TM.attestResponse.implementation = function (nonce, result) { send("Debug: attestResponse() got called! Let's call the original implementation"); send("Hook: Nonce: " + nonce); send("Hook: Result: " + result); send("Original Returned: " + this.attestResponse(nonce, this.result)); //return True; }; }); */ Java.perform(function() { var TM = Java.use("java.lang.StringBuilder"); TM.append.overload("java.lang.String").implementation = function (add) { if(add.indexOf("rmn") == -1 && add != "" && add != ":" && add.indexOf("Thread") && add.length > 5) { send(add); } return (this.append(add)); }; }); """) def get_messages(message, data): if message['type'] == 'send': payload = message['payload'] print(payload); else: print (message) script.on('message',get_messages) script.load() print("Script Loaded") sys.stdin.read() 
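Review bot: In the `StringBuilder.append` hook the filter term `add.indexOf("Thread")` is used as a bare truthy value, so it is false only for strings that start with "Thread" and true otherwise; if it is meant to mirror the neighbouring `"rmn"` test it should read `add.indexOf("Thread") === -1`. The same condition dereferences `add` before any null check, and since Java allows `append((String) null)` the hook can presumably throw inside the instrumented process, so put `add !== null &&` first. In the `checkResult` hook, `orig = this.checkResult(result);` assigns an undeclared global and should be `var orig = this.checkResult(result);`. The `nativeAttestResponse` hook logs "Let's call the original implementation" while that call is commented out and nothing is returned, so the message should state that the original is not invoked.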
- 
        T31M created this gist Oct 11, 2016 .
@@ -0,0 +1,34 @@ #THIS IS NOT WORKING CURRENTLY #Trying to hook Safetynet attestation function #by T31M import frida import sys PACKAGE_NAME = "" process = frida.get_usb_device().attach(PACKAGE_NAME) print("Attached") script = process.create_script(""" setTimeout(function(){ Dalvik.perform(function () { var TM = Dalvik.use("com.google.android.gms.safetynet.SafetyNetApi"); TM.attest.implementation = function (v) { send("Attestation called"); send(this.attest()); } }); },0); """) def get_messages(message, data): print(message) print (message['payload']) script.on('message',get_messages) script.load() print("Script Loaded") sys.stdin.read()
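Review bot: `get_messages` indexes `message['payload']` unconditionally, but Frida reports script failures as messages of type `error` that carry a description and stack rather than a payload, so the callback raises `KeyError` exactly when the injected script fails. Branch on the type first, e.g. `if message['type'] == 'send': print(message['payload'])` with `else: print(message)`. `PACKAGE_NAME = ""` is also left empty, so `attach` has no target until it is filled in; a comment such as `# set to the package under test before running` would make that explicit.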