此贴针对没有加密、以及较旧版本的auto.js的脚本代码
思路
1.下载 auto.js 在 github 开源的代码,地址这里就不贴了,自行去搜索;
2.跟踪源码,分析解密入口,既然JavaScript引擎最终是要解析未加密的文档的,是不是有一个地方是解密的,直接hook解密的地方,取解完密的内容;
3.将解密之后的内容保存到本地即可;
核心代码如下:
Class encry = lpparam.classLoader.loadClass("com.stardust.autojs.engine.encryption.ScriptEncryption");
XposedHelpers.findAndHookMethod(encry, "decrypt", byte[].class, int.class, int.class, new XC_MethodHook() {
@Override
protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
super.beforeHookedMethod(param);
}
@Override
protected void afterHookedMethod(MethodHookParam param) throws Throwable {
super.afterHookedMethod(param);
byte[] b = (byte[]) param.getResult();
getFile(b, "/sdcard/", lpparam.packageName + "_hook_hex16.js");
String result = new String((byte[]) param.getResult());
// XposedBridge.log("result:" + result);
}
});
final Class ct = lpparam.classLoader.loadClass("org.mozilla.javascript.Context");
XposedHelpers.findAndHookMethod(ct, "compileReader", Reader.class, String.class, int.class, Object.class, new XC_MethodHook() {
@Override
protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
super.beforeHookedMethod(param);
}
@Override
protected void afterHookedMethod(MethodHookParam param) throws Throwable {
super.afterHookedMethod(param);
Object ret = param.getResult();
Method method = ct.getMethod("decompileScript", lpparam.classLoader.loadClass("org.mozilla.javascript.Script"), int.class);
String decompStr = (String) method.invoke(param.thisObject, ret, 0);
byte[] b = decompStr.getBytes();
getFile(b, "/sdcard/", lpparam.packageName + "_hook.js");
XposedBridge.log("decompStr:" + decompStr);
}
});
注:新版本或者加密之后,不行 | 
发表于 2021-2-28 12:34
