LMLPHP后院

夜神模拟器安装系统根证书技术

maybe yes 发表于 2022-11-25 16:07

安卓7.0之后,更加严格,这将导致一个结果,就是,你的手机,只是一个手机而已,而你几乎无法控制它。

其实作为一个开源的系统,真的不应该这样,因为,你是开源的,总会有办法。

其实,7.0 之后的安卓,用户证书变的没有意义。而目前的抓包工具,不论是 Charles 或者 是 Fiddler 几乎都是不能用的节奏。

下面讲一讲 Charles 抓取 https 数据接口。

Help -> SSL proxying -> Save Charles Root Certificate。下载完成后。点击 Install Charles Root Certificate On a Mobile Device or Remote Browser,在这个弹出窗能看到代理的 ip 和 port。

Charles 这边结束了。

然后看看证书转换:

下面是 openssl 证书格式转换

pem证书转.cer证书
openssl x509 -outform der -in demo.pem -out demo.cer
cer证书转.pem证书
openssl x509 -inform der -in demo.cer -out demo.pem

我这里测试下载后无需转换,因为就是 pem 格式的证书,如果需要转换使用上面的命令。

接下来看看实战,看是如何实现安装系统证书的,安装好了系统证书就可以抓取 https 请求,这时候就能看到原始数据了,而如果没有系统证书,则是一般看不到的。

C:\Program Files (x86)\Nox\bin> .\nox_adb.exe devices
List of devices attached
127.0.0.1:62001 device

PS C:\Program Files (x86)\Nox\bin> .\nox_adb.exe root
PS C:\Program Files (x86)\Nox\bin> .\adb.exe remount
remount succeeded
PS C:\Program Files (x86)\Nox\bin> .\adb.exe push adfefd67.0/system/etc/security/cacerts/
Android Debug Bridge version 1.0.36
Revision 0e9850346394-android

 -a                            - directs adb to listen on all interfaces for a connection
 -d                            - directs command to the only connected USB device
                                 returns an error if more than one USB device is present.
 -e                            - directs command to the only running emulator.
                                 returns an error if more than one emulator is running.
 -s <specific device>          - directs command to the device or emulator with the given
                                 serial number or qualifier. Overrides ANDROID_SERIAL
                                 environment variable.
 -p <product name or path>     - simple product name like 'sooner', or
                                 a relative/absolute path to a product
                                 out directory like 'out/target/product/sooner'.
                                 If -p is not specified, the ANDROID_PRODUCT_OUT
                                 environment variable is used, which must
                                 be an absolute path.
 -H                            - Name of adb server host (default: localhost)
 -P                            - Port of adb server (default: 5037)
 devices [-l]                  - list all connected devices
                                 ('-l' will also list device qualifiers)
 connect <host>[:<port>]       - connect to a device via TCP/IP
                                 Port 5555 is used by default if no port number is specified.
 disconnect [<host>[:<port>]]  - disconnect from a TCP/IP device.
                                 Port 5555 is used by default if no port number is specified.
                                 Using this command with no additional arguments
                                 will disconnect from all connected TCP/IP devices.

device commands:
  adb push <local>... <remote>
                               - copy files/dirs to device
  adb pull [-a] <remote>... <local>
                               - copy files/dirs from device
                                 (-a preserves file timestamp and mode)
  adb sync [ <directory> ]     - copy host->device only if changed
                                 (-l means list but don't copy)
  adb shell [-e escape] [-n] [-Tt] [-x] [command]
                               - run remote shell command (interactive shell if no command given)
                                 (-e: choose escape character, or "none"; default '~')
                                 (-n: don't read from stdin)
                                 (-T: disable PTY allocation)
                                 (-t: force PTY allocation)
                                 (-x: disable remote exit codes and stdout/stderr separation)
  adb emu <command>            - run emulator console command
  adb logcat [ <filter-spec> ] - View device log
  adb forward --list           - list all forward socket connections.
                                 the format is a list of lines with the following format:
                                    <serial> " " <local> " " <remote> "\n"
  adb forward <local> <remote> - forward socket connections
                                 forward specs are one of:
                                   tcp:<port>
                                   localabstract:<unix domain socket name>
                                   localreserved:<unix domain socket name>
                                   localfilesystem:<unix domain socket name>
                                   dev:<character device name>
                                   jdwp:<process pid> (remote only)
  adb forward --no-rebind <local> <remote>
                               - same as 'adb forward <local> <remote>' but fails
                                 if <local> is already forwarded
  adb forward --remove <local> - remove a specific forward socket connection
  adb forward --remove-all     - remove all forward socket connections
  adb reverse --list           - list all reverse socket connections from device
  adb reverse <remote> <local> - reverse socket connections
                                 reverse specs are one of:
                                   tcp:<port>
                                   localabstract:<unix domain socket name>
                                   localreserved:<unix domain socket name>
                                   localfilesystem:<unix domain socket name>
  adb reverse --no-rebind <remote> <local>
                               - same as 'adb reverse <remote> <local>' but fails
                                 if <remote> is already reversed.
  adb reverse --remove <remote>
                               - remove a specific reversed socket connection
  adb reverse --remove-all     - remove all reversed socket connections from device
  adb jdwp                     - list PIDs of processes hosting a JDWP transport
  adb install [-lrtsdg] <file>
                               - push this package file to the device and install it
                                 (-l: forward lock application)
                                 (-r: replace existing application)
                                 (-t: allow test packages)
                                 (-s: install application on sdcard)
                                 (-d: allow version code downgrade (debuggable packages only))
                                 (-g: grant all runtime permissions)
  adb install-multiple [-lrtsdpg] <file...>
                               - push this package file to the device and install it
                                 (-l: forward lock application)
                                 (-r: replace existing application)
                                 (-t: allow test packages)
                                 (-s: install application on sdcard)
                                 (-d: allow version code downgrade (debuggable packages only))
                                 (-p: partial application install)
                                 (-g: grant all runtime permissions)
  adb uninstall [-k] <package> - remove this app package from the device
                                 ('-k' means keep the data and cache directories)
  adb bugreport [<path>]       - return all information from the device that should be included in a zipped bug report.
                                 If <path> is a file, the bug report will be saved as that file.
                                 If <path> is a directory, the bug report will be saved in that directory with the name provided by the device.
                                 If <path> is omitted, the bug report will be saved in the current directory with the name provided by the device.
                                 NOTE: if the device does not support zipped bug reports, the bug report will be output on stdout.
  adb backup [-f <file>] [-apk|-noapk] [-obb|-noobb] [-shared|-noshared] [-all] [-system|-nosystem] [<packages...>]
                               - write an archive of the device's data to <file>.
                                 If no -f option is supplied then the data is written
                                 to "backup.ab" in the current directory.
                                 (-apk|-noapk enable/disable backup of the .apks themselves
                                    in the archive; the default is noapk.)
                                 (-obb|-noobb enable/disable backup of any installed apk expansion
                                    (aka .obb) files associated with each application; the default
                                    is noobb.)
                                 (-shared|-noshared enable/disable backup of the device's
                                    shared storage / SD card contents; the default is noshared.)
                                 (-all means to back up all installed applications)
                                 (-system|-nosystem toggles whether -all automatically includes
                                    system applications; the default is to include system apps)
                                 (<packages...> is the list of applications to be backed up.  If
                                    the -all or -shared flags are passed, then the package
                                    list is optional.  Applications explicitly given on the
                                    command line will be included even if -nosystem would
                                    ordinarily cause them to be omitted.)

  adb restore <file>           - restore device contents from the <file> backup archive

  adb disable-verity           - disable dm-verity checking on USERDEBUG builds
  adb enable-verity            - re-enable dm-verity checking on USERDEBUG builds
  adb keygen <file>            - generate adb public/private key. The private key is stored in <file>,
                                 and the public key is stored in <file>.pub. Any existing files
                                 are overwritten.
  adb help                     - show this help message
  adb version                  - show version num

scripting:
  adb wait-for[-<transport>]-<state>
                               - wait for device to be in the given state:
                                 device, recovery, sideload, or bootloader
                                 Transport is: usb, local or any [default=any]
  adb start-server             - ensure that there is a server running
  adb kill-server              - kill the server if it is running
  adb get-state                - prints: offline | bootloader | device
  adb get-serialno             - prints: <serial-number>
  adb get-devpath              - prints: <device-path>
  adb remount                  - remounts the /system, /vendor (if present) and /oem (if present) partitions on the device read-write
  adb reboot [bootloader|recovery]
                               - reboots the device, optionally into the bootloader or recovery program.
  adb reboot sideload          - reboots the device into the sideload mode in recovery program (adb root required).
  adb reboot sideload-auto-reboot
                               - reboots into the sideload mode, then reboots automatically after the sideload regardless of the result.
  adb sideload <file>          - sideloads the given package
  adb root                     - restarts the adbd daemon with root permissions
  adb unroot                   - restarts the adbd daemon without root permissions
  adb usb                      - restarts the adbd daemon listening on USB
  adb tcpip <port>             - restarts the adbd daemon listening on TCP on the specified port

networking:
  adb ppp <tty> [parameters]   - Run PPP over USB.
 Note: you should not automatically start a PPP connection.
 <tty> refers to the tty for PPP stream. Eg. dev:/dev/omap_csmi_tty1
 [parameters] - Eg. defaultroute debug dump local notty usepeerdns

adb sync notes: adb sync [ <directory> ]
  <localdir> can be interpreted in several ways:

  - If <directory> is not specified, /system, /vendor (if present), /oem (if present) and /data partitions will be updated.

  - If it is "system", "vendor", "oem" or "data", only the corresponding partition
    is updated.

internal debugging:
  adb reconnect                  Kick current connection from host side and make it reconnect.
  adb reconnect device           Kick current connection from device side and make it reconnect.
environment variables:
  ADB_TRACE                    - Print debug information. A comma separated list of the following values
                                 1 or all, adb, sockets, packets, rwx, usb, sync, sysdeps, transport, jdwp
  ANDROID_SERIAL               - The serial number to connect to. -s takes priority over this if given.
  ANDROID_LOG_TAGS             - When used with the logcat option, only these debug tags are printed.
PS C:\Program Files (x86)\Nox\bin> .\adb.exe push C:\Users\lin\adfefd67.0 /system/etc/security/cacerts/
[100%] /system/etc/security/cacerts/adfefd67.0
PS C:\Program Files (x86)\Nox\bin>
2024-12-27 09:37:39 1735263459 0.017616