Obtaining the request signature of a certain "Dong" shopping app with a Frida hook


Prerequisites:

The Nox (夜神) emulator is installed on the PC

frida-tools is installed on the PC

The target app is installed in the emulator

frida-server is installed in the emulator

1. Create a new Python file with the code below (the format of body_string is critical: it must not contain a backslash (\) character, otherwise the resulting signature is wrong):

import frida

# JavaScript injected into the app: it exposes an RPC function that calls the
# app's own native signing routine and returns the signature string
rpc_sign = """
rpc.exports = {
    getsign: function(function_id, body_string, uuid, client, clientversion){
      var sig = "";
      Java.perform(
        function(){
            // obtain the application Context
            var currentApplication = Java.use('android.app.ActivityThread').currentApplication();
            var context = currentApplication.getApplicationContext();
            var BitmapkitUtils = Java.use('com.jingdong.common.utils.BitmapkitUtils');
            sig = BitmapkitUtils.getSignFromJni(context, function_id, body_string, uuid, client, clientversion);
            //console.log(context, uuid)
        }
      )
       return sig;
    }
};
"""


def get_sign(function_id, body_string, uuid, client, clientversion):
    # attach to the running app through the forwarded frida-server port,
    # load the RPC script and call the exported function
    session = frida.get_remote_device().attach('com.jingdong.app.mall')
    script = session.create_script(rpc_sign)
    script.load()
    sign = script.exports.getsign(function_id, body_string, uuid, client, clientversion)
    session.detach()
    return sign


if __name__ == '__main__':
    body_string = '{"category":"9987;653;655","isCurrentSku":false,"isFirstRequest":true,"num":"10","offset":"1","pictureCommentType":"A","shadowMainSku":"0","shieldCurrentComment":"1","shopType":"0","sku":"100026667858","sortType":"5","tagId":"","tagType":"","type":"0"}'
    # body_string must not contain escape sequences such as \" ; copy the exact
    # format of the body parameter as shown in Fiddler
    function_id = 'getCommentListWithCard'
    uuid = '请输入自己的uuid'  # placeholder: enter your own uuid here
    client = 'android'
    clientversion = '10.0.2'
    sign = get_sign(function_id, body_string, uuid, client, clientversion)
    print(sign)

2. Start the emulator.

3. Connect to the emulator and start frida-server:

adb connect 127.0.0.1:62001

adb forward tcp:27042 tcp:27042

adb shell

cd /data/local/tmp/

./frida-server-15.0.0

4. Open cmd and run the script with python jd_sign_hook.py to get the result.

5. Replace the values of st, sign and sv in Fiddler; if the request returns normally, the signature is correct.
