Python
python
import frida
import sys
import json
from datetime import datetime
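def on_message(message, data):
    """Print a readable summary of one message delivered by the Frida script.

    Args:
        message: Dict handed over by Frida. A ``'send'`` message carries the
            agent's ``payload`` dict; an ``'error'`` message reports a script
            error.
        data: Optional binary attachment passed by Frida; not used here.

    Payload fields are printed verbatim. They originate from data handled by
    the instrumented app, so treat the output as untrusted text.
    """
    if message['type'] == 'send':
        try:
            payload = message['payload']
            # The agent stamps events with JavaScript milliseconds.
            timestamp = datetime.fromtimestamp(payload['timestamp'] / 1000).strftime('%Y-%m-%d %H:%M:%S')
            print("\n" + "=" * 50)
            print(f"[{timestamp}] 收到消息:")
            kind = payload['type']
            if kind == 'getLocalId':
                # Call-entry event: the agent sends this before invoking the
                # original method, so only the argument is available.
                print("函数: getLocalId 调用")
                print(f"输入参数: {payload['input']}")
            elif kind == 'getLocalId_result':
                print("函数: getLocalId 结果")
                print(f"输入参数: {payload['input']}")
                print(f"返回结果: {payload['result']}")
            elif kind == 'getMsgUiDataContent':
                print("函数: getMsgUiDataContent")
                msg = payload['message']
                print(f"发送者: {msg.get('nickname', '')}")
                print(f"内容类型: {msg.get('content_type', '')}")
                content = msg.get('content', '')
                if content:
                    try:
                        content_json = json.loads(content)
                    except (ValueError, TypeError):
                        # Not JSON text (or not a string at all): show as is.
                        content_json = None
                    # Only a JSON object can carry a 'link' key; any other
                    # decoded value is shown as raw content.
                    if isinstance(content_json, dict) and 'link' in content_json:
                        print(f"链接: {content_json['link']}")
                    else:
                        print(f"内容: {content}")
                else:
                    link = msg.get('link', '')
                    if link:
                        print(f"链接: {link}")
                    else:
                        print(f"内容: {content}")
            elif kind == 'error':
                print(f"[!] 错误类型: {payload['error']}")
                print(f"错误详情: {payload['error_detail']}")
                if 'raw_message' in payload:
                    print(f"原始消息: {payload['raw_message']}")
            else:
                # Surface unexpected event types instead of printing an empty
                # record under the header.
                print(f"未知消息类型: {kind}")
                print(f"原始消息: {payload}")
        except Exception as e:
            # A malformed payload must not stop later messages from being
            # handled; report it together with the raw message.
            print(f"[!] 处理消息时出错: {str(e)}")
            print(f"原始消息: {message}")
    elif message['type'] == 'error':
        # 'stack' may be missing from an error message; fall back to the
        # description, then to the whole message, rather than raising here.
        detail = message.get('stack') or message.get('description') or message
        print(f"[!] Frida错误: {detail}")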
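# Agent script to inject; an optional first command-line argument overrides
# the default location.
script_path = sys.argv[1] if len(sys.argv) > 1 else r"C:\Users\xie__\Desktop\小红书测试.js"
device = None
pid = None
session = None
resumed = False
try:
    # Read the agent source (UTF-8) before spawning, so an unreadable file
    # cannot leave a spawned process behind that is never resumed.
    with open(script_path, encoding='utf-8') as f:
        script_source = f.read()
    # Connect to the USB device, spawn the target app and attach to it.
    device = frida.get_usb_device()
    pid = device.spawn(["com.xingin.xhs"])
    session = device.attach(pid)
    script = session.create_script(script_source)
    script.on('message', on_message)
    script.load()
    # Hooks are installed; let the app run.
    device.resume(pid)
    resumed = True
    print("[*] Hook已加载,等待消息...")
    # Block until stdin closes so the message callback keeps firing.
    sys.stdin.read()
except KeyboardInterrupt:
    # Ctrl+C is a normal way to stop; fall through to cleanup.
    pass
except Exception as e:
    print(f"[!] 发生错误: {str(e)}")
finally:
    # Best-effort cleanup: release the session, and do not leave a process
    # that was spawned but never resumed.
    if session is not None:
        try:
            session.detach()
        except Exception as e:
            print(f"[!] 发生错误: {str(e)}")
    if pid is not None and not resumed:
        try:
            device.kill(pid)
        except Exception as e:
            print(f"[!] 发生错误: {str(e)}")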
JS
javascript
Java.perform(function() {
    // Forward one event object to the Python host, stamped with the current
    // time in milliseconds as its last field.
    function report(event) {
        event.timestamp = Date.now();
        send(event);
    }

    // Hook MsgConvertUtils
    try {
        var utils = Java.use('com.xingin.chatbase.bean.convert.MsgConvertUtils');

        // getLocalId(String): report the argument, call the original method,
        // then report the argument again together with the return value.
        utils.getLocalId.overload('java.lang.String').implementation = function(msgContent) {
            console.log('\n[+] MsgConvertUtils.getLocalId 被调用');
            report({
                type: "getLocalId",
                input: msgContent
            });
            var localId = this.getLocalId(msgContent);
            report({
                type: "getLocalId_result",
                input: msgContent,
                result: localId
            });
            return localId;
        };

        // getMsgUiDataContent(String): send the parsed message to the host,
        // or an error event carrying the raw string when it is not valid
        // JSON. The original method is called and its result returned in
        // both cases.
        utils.getMsgUiDataContent.overload('java.lang.String').implementation = function(msgContent) {
            try {
                var parsed = JSON.parse(msgContent);
                report({
                    type: "getMsgUiDataContent",
                    message: parsed
                });
            } catch (parseError) {
                report({
                    type: "error",
                    error: "解析消息内容失败",
                    raw_message: msgContent,
                    error_detail: String(parseError)
                });
            }
            return this.getMsgUiDataContent(msgContent);
        };
    } catch (hookError) {
        // Installing a hook failed (for example the class or overload was
        // not found); tell the host instead of failing silently.
        report({
            type: "error",
            error: "Hook MsgConvertUtils 失败",
            error_detail: String(hookError)
        });
    }
});