frida hook(CTF的示例WhyShouldIPay)


import frida, sys

jscode = """

     // Convert a JS string to an array of byte values.
     // Each UTF-16 code unit is split into its big-endian bytes with leading zero
     // bytes dropped, so ASCII yields one byte per character and e.g. U+0100 yields
     // [1, 0]. This is NOT UTF-8 encoding: it only round-trips through
     // byteToString for 7-bit ASCII input.
     function stringToBytes(str) {
        var bytes = [];
        for (var idx = 0; idx < str.length; idx++) {
            var code = str.charCodeAt(idx);
            var chunk = [];
            // peel the low byte off until nothing remains; a zero code unit still yields [0]
            do {
                chunk.unshift(code & 0xFF);
                code >>= 8;
            } while (code);
            for (var k = 0; k < chunk.length; k++) {
                bytes.push(chunk[k]);
            }
        }
        return bytes;
     }
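    // Decode an array of byte values as UTF-8 into a JS string; a string argument
    // is returned unchanged.
    //
    // A byte whose binary form is 8 digits long and starts with N one-bits (2..4)
    // is taken as the lead byte of an N-byte sequence; its low (7 - N) bits plus
    // the low 6 bits of each of the next N-1 bytes form the code point. Bytes
    // below 0x80, lone continuation bytes (10xxxxxx), 0xFF and any sequence cut
    // off by the end of the array are emitted via String.fromCharCode as-is, so
    // malformed input degrades to Latin-1 instead of throwing.
    //
    // Fixes vs. the earlier version: the lead byte's payload is one.slice(N + 1),
    // not one.slice(7 - N) — the two only agree for N == 3, so 2-byte sequences
    // above U+00FF and every 4-byte sequence decoded to the wrong character;
    // code points above U+FFFF are emitted as a surrogate pair rather than being
    // truncated to 16 bits by fromCharCode; a sequence that runs past the end of
    // the array no longer indexes undefined.
    //
    // NOTE: when the array is a Java byte[] handed over by Frida its elements are
    // signed (-128..127); negative entries would need `& 0xFF` first. Not an
    // issue for 7-bit data such as the xor of two ASCII strings.
    function byteToString(arr) {
        if (typeof arr === 'string') {
            return arr;
        }
        var str = '';
        for (var i = 0; i < arr.length; i++) {
            var one = arr[i].toString(2);
            var lead = one.match(/^1+?(?=0)/);       // run of leading 1-bits before the first 0
            var seqLen = lead ? lead[0].length : 0;
            var wellFormed = one.length == 8 && seqLen >= 2 && seqLen <= 4 && i + seqLen <= arr.length;
            if (!wellFormed) {
                // ASCII, or not a usable lead byte: keep the raw byte value
                str += String.fromCharCode(arr[i]);
                continue;
            }
            // lead byte 110xxxxx / 1110xxxx / 11110xxx carries 7 - seqLen payload bits
            var bits = one.slice(seqLen + 1);
            for (var k = 1; k < seqLen; k++) {
                // continuation byte 10yyyyyy: drop the two-bit prefix
                bits += arr[i + k].toString(2).slice(2);
            }
            var cp = parseInt(bits, 2);
            if (cp > 0xFFFF) {
                // outside the BMP: fromCharCode would truncate, so build the surrogate pair
                cp -= 0x10000;
                str += String.fromCharCode(0xD800 + (cp >> 10), 0xDC00 + (cp & 0x3FF));
            } else {
                str += String.fromCharCode(cp);
            }
            i += seqLen - 1;
        }
        return str;
    }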

// Frida agent body: installs replacements for two LauncherActivity methods.
// The lesson this training app demonstrates is that a licence check that runs
// on the client can be rewritten by whoever controls the client, so it is not
// a security control on its own; the decision has to be made server-side.
Java.perform(function () {

    var launcherActivity = Java.use('de.fraunhofer.sit.premiumapp.LauncherActivity');
    var mainActivity = Java.use('de.fraunhofer.sit.premiumapp.MainActivity')
    // Replacement for getKey(): computes a value from the app's own getMac() and
    // xor() helpers (presumably what the app's check derives itself). Inside a
    // Frida `implementation`, `this` is the hooked Java instance.
    launcherActivity.getKey.implementation = function () {
        send("Hook Start...");
        var main = mainActivity.$new();                  // fresh MainActivity, only used to reach xor()
        var res = this.getMac();
        var bres = stringToBytes(res);
        send(bres);
        var bresponse = stringToBytes('LICENSEKEYOK');   // presumably the reply the check compares against
        send(bresponse);
        var bkey = main.xor(bres,bresponse);             // Java byte[]; elements arrive signed in Frida
        send(bkey);
        var result = byteToString(bkey);                 // fine here: xor of two ASCII strings stays 7-bit
        send(result);
        send("Success!");
        return result;
    }
    // Replacement for verifyClick(): calls showPremium() directly, so the
    // original verification path never runs.
    launcherActivity.verifyClick.implementation = function (v) {
        this.showPremium(v);
    }
    //00:81:5b:22:4b:38
    //LICENSEKEYOK

});

"""

def message(message, data):
    """Frida ``message`` callback: print ``send()`` payloads, echo anything else.

    Args:
        message: dict delivered by the Frida agent; ``type`` is ``'send'`` for
            ``send()`` calls, whose value sits under ``payload``.
        data: optional binary blob accompanying the message (unused here).
    """
    if message["type"] != 'send':
        # errors and other message kinds are dumped verbatim
        print(message)
        return
    print("[*] {0}".format(message['payload']))

# Attach to the already-running app through a remote frida-server (typically
# reached via an adb port forward); attach() does not start the app, so it must
# be open. Then inject the agent and park on stdin so the hooks stay installed
# until the user closes stdin (Ctrl-D) or interrupts (Ctrl-C).
process = frida.get_remote_device().attach('de.fraunhofer.sit.premiumapp')
script= process.create_script(jscode)
# The handler is registered before load() so messages sent while the agent
# initialises are not missed.
script.on("message", message)
script.load()
sys.stdin.read()


转载自blog.51cto.com/haidragon/2397594