{"id":13484198,"url":"https://github.com/r0ysue/r0capture","last_synced_at":"2025-05-14T07:09:39.223Z","repository":{"id":37371832,"uuid":"316899719","full_name":"r0ysue/r0capture","owner":"r0ysue","description":"安卓应用层抓包通杀脚本","archived":false,"fork":false,"pushed_at":"2023-10-20T11:59:50.000Z","size":7546,"stargazers_count":6912,"open_issues_count":23,"forks_count":1427,"subscribers_count":91,"default_branch":"main","last_synced_at":"2025-04-11T02:51:34.838Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/r0ysue.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2020-11-29T07:37:06.000Z","updated_at":"2025-04-10T07:59:52.000Z","dependencies_parsed_at":"2023-02-16T16:30:55.896Z","dependency_job_id":"77af558b-5fe6-4292-948f-61e6f1505a22","html_url":"https://github.com/r0ysue/r0capture","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/r0ysue%2Fr0capture","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/r0ysue%2Fr0capture/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/r0ysue%2Fr0capture/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/r0ysue%2Fr0capture/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/r0ysue","download_url":"https://codeload.github.com/r0ysue/r0capture/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind"
:"github","repositories_count":254092787,"owners_count":22013290,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-07-31T17:01:20.512Z","updated_at":"2025-05-14T07:09:34.212Z","avatar_url":"https://github.com/r0ysue.png","language":"Python","funding_links":[],"categories":["Python","Python (1887)","Android"],"sub_categories":["Network services_Other"],"readme":"# r0capture\n\nUniversal application-layer packet capture script for Android\n\n## Overview\n\n- Android only; tested and working on Android 7, 8, 9, 10, 11, 12, 13 and 14;\n- Ignores all certificate validation and pinning, so nothing certificate-related needs to be dealt with (plaintext is captured at the app's own SSL read/write calls rather than through a proxy);\n- Captures every protocol in the application layer of the four-layer TCP/IP model;\n- Covered protocols include HTTP, WebSocket, FTP, XMPP, IMAP, SMTP, Protobuf and so on, plus their SSL/TLS variants;\n- Covers all application-layer frameworks, including HttpUrlConnection, OkHttp 1/3/4, Retrofit/Volley and so on;\n- Ignores packing and hardening, whether a whole-package shell, a second-generation shell or VMP; nothing packer-related needs to be considered;\n- If something cannot be captured, please open an issue or contact the author on WeChat (r0ysue) with feedback.\n\n### June 18th 2023 update: tested on Pixel 4 / Android 13 / KernelSU / Frida 16; capture and certificate export work normally\n\n### January 14th 2021 update: several auxiliary features added\n\n- Added locating of the app's send/receive functions\n- Added export of the app's client certificate\n- Added the host connection option `-H`, for connecting when frida-server listens on a non-standard port\n\n## Usage\n\n- Recommended environment: [https://github.com/r0ysue/AndroidSecurityStudy/blob/master/FRIDA/A01/README.md](https://github.com/r0ysue/AndroidSecurityStudy/blob/master/FRIDA/A01/README.md)\n\nRemember: Android only, on the versions listed above; do not use an emulator.\n\n- Spawn mode:\n\n`$ python3 r0capture.py -U -f com.coolapk.market -v`\n\n- Attach mode, saving the captured traffic to a pcap file for later analysis:\n\n`$ python3 r0capture.py -U 酷安 -v -p iqiyi.pcap`\n\nAttach mode is recommended: start capturing at the point of interest and save to a `pcap` file, which can then be analysed in Wireshark.\n\u003e Older Frida versions take the package name; newer versions take the app name. The app name must be the one that `frida-ps -U` shows after the app has been opened.\n\n![](pic/Sample.PNG)\n\n- Send/receive function locating: enabled by default in both `Spawn` and `attach` mode;\n\n\u003e A command such as `python r0capture.py -U -f cn.soulapp.android -v  \u003e\u003e soul3.txt` redirects the output to a text file that can be filtered later\n\n![](pic/locator.png)\n\n- Client certificate export: enabled by default; the script must be run in Spawn mode;\n\n\u003e Before running the script, grant the app storage read/write permission manually;\n\n\u003e Not every app implements server-side verification of the client (mutual TLS); only apps that do will ship a client certificate inside the APK\n\n\u003e The exported certificate is written to /sdcard/Download/\u003cpackage name\u003exxx.p12. It may be exported several times and every copy is usable; the default password is r0ysue. [keystore-explorer](http://keystore-explorer.org/) is recommended for opening and inspecting the certificate.\n\n![](pic/clientcer.png)\n\n- Added the host connection option `-H`, for connecting when frida-server listens on a non-standard port. Some apps check for Frida's default port, so running frida-server on a non-standard port bypasses that check.\n\n![](pic/difport.png)\n\n## Thanks to [爱吃菠菜](https://bbs.pediy.com/user-760871.htm) for summarizing the key points of this project\n\n![](pic/summary1.jpg)\n![](pic/summary2.jpg)\n\n\nPS:\n\n\u003e This project is based on [frida_ssl_logger](https://github.com/BigFaceCat2017/frida_ssl_logger). The name was changed only because the focus differs: the original project focuses on capturing SSL and on cross-platform support, while this project focuses on capturing every packet.\n\n\u003e Limitations: some large vendors or frameworks with strong development capacity ship their own SSL stack, for example WebView, mini-programs or Flutter; these are not supported yet. Some hybrid apps are essentially no longer Android apps and do not use the Android system frameworks, so they cannot be supported; such apps are a minority. HTTP/2 and HTTP/3 are not supported yet: those APIs are not yet widespread or deployed on Android and are bundled with the app itself, so no generic hook is possible. Emulator architectures, implementations and environments vary widely; use a real device. Multi-process support (child processes such as :service or :push) has not been added yet; Frida's child-gating could be used for it. Once multiple processes are supported, writes to the pcap file need a lock, which the Reactor in frida-tools could provide.\n\n## Overview of the original project:\n\n[https://github.com/BigFaceCat2017/frida_ssl_logger](https://github.com/BigFaceCat2017/frida_ssl_logger)\n\n### frida_ssl_logger\nssl_logger based on frida\nforked from https://github.com/google/ssl_logger\n\n### Changes\n1. Optimized the Frida JS script and fixed syntax errors on newer Frida versions;\n2. Adjusted the JS script to support iOS and macOS while staying compatible with Android;\n3. Added more options so it can be used in more situations;\n\n### Install dependencies\n```\nPython version \u003e= 3.6\npip install loguru\npip install click\n```\n### Usage\n```shell\npython3 ./ssl_logger.py  -U -f com.bfc.mm\npython3 ./ssl_logger.py -v  -p test.pcap  6666\n```\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fr0ysue%2Fr0capture","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fr0ysue%2Fr0capture","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fr0ysue%2Fr0capture/lists"}
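Added worked example (not code from r0capture or frida_ssl_logger): the README's `-p` option saves traffic captured below TLS to a pcap file, and this Python script shows the mechanism behind such a file. Because the buffers are taken at the app's SSL read/write calls, there are no real network frames to record, so each buffer is wrapped in fabricated IPv4/TCP headers with correct checksums and per-direction sequence numbers, which lets Wireshark's Follow TCP Stream reassemble the conversation. The link type, the 10.0.0.x addresses, the ports and the sample HTTP exchange are assumptions of this example, not r0capture's actual values.

```python
"""
Added example, not r0capture's or frida_ssl_logger's own code: write
plaintext captured at an app's SSL_read/SSL_write hooks as a pcap file.

Assumptions made here (not taken from the README): raw-IPv4 link type,
made-up addresses 10.0.0.2 (app) and 10.0.0.1 (server), server port 80 so
Wireshark dissects the plaintext as HTTP, one sequence counter per direction.
"""
import struct
import time
from typing import List, Optional, Tuple

PCAP_MAGIC = 0xA1B2C3D4     # written big-endian, so readers treat the file as big-endian
LINKTYPE_RAW = 101          # raw IPv4 packets, no link-layer header
APP = ("10.0.0.2", 40000)   # fabricated client endpoint (assumption)
SERVER = ("10.0.0.1", 80)   # fabricated server endpoint (assumption)


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; odd-length input is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int,
                   seq: int, ack: int, payload: bytes) -> bytes:
    """Return an IPv4 + TCP (PSH|ACK) packet carrying payload, with valid checksums."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    tcp_len = 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0, 0x4000, 64, 6, 0, src_b, dst_b)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", _checksum(ip_hdr)) + ip_hdr[12:]
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq & 0xFFFFFFFF, ack & 0xFFFFFFFF,
                          5 << 4, 0x18, 65535, 0, 0)
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, 6, tcp_len)   # TCP pseudo header
    tcp_csum = _checksum(pseudo + tcp_hdr + payload)
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", tcp_csum) + tcp_hdr[18:]
    return ip_hdr + tcp_hdr + payload


class PlaintextPcap:
    """Accumulates decrypted buffers as synthetic TCP segments in pcap format.
    'send' = data handed to SSL_write (app -> server), 'recv' = data returned
    by SSL_read (server -> app). Each direction advances its own sequence
    number by the payload length so Follow TCP Stream reassembles it."""

    def __init__(self) -> None:
        self.seq = {"send": 1, "recv": 1}
        # pcap global header: magic, version 2.4, tz offset, sigfigs, snaplen, link type
        self.buf = bytearray(struct.pack("!IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_RAW))
        self.count = 0

    def add(self, direction: str, payload: bytes, ts: Optional[float] = None) -> None:
        if direction not in self.seq:
            raise ValueError("direction must be 'send' or 'recv'")
        other = "recv" if direction == "send" else "send"
        src, dst = (APP, SERVER) if direction == "send" else (SERVER, APP)
        pkt = build_ipv4_tcp(src[0], dst[0], src[1], dst[1],
                             self.seq[direction], self.seq[other], payload)
        self.seq[direction] += len(payload)
        ts = time.time() if ts is None else ts
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        # per-record header: ts_sec, ts_usec, captured length, original length
        self.buf += struct.pack("!IIII", sec, usec, len(pkt), len(pkt)) + pkt
        self.count += 1

    def to_bytes(self) -> bytes:
        return bytes(self.buf)


def parse_pcap(data: bytes) -> List[Tuple[str, str, int, int, bytes]]:
    """Minimal reader for files produced above, used to check the output:
    verifies both checksums and returns (src, dst, sport, dport, payload) per record."""
    magic, _, _, _, _, _, linktype = struct.unpack("!IHHiIII", data[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_RAW:
        raise ValueError("not a raw-IPv4 pcap written by this module")
    records, off = [], 24
    while off < len(data):
        _, _, incl, _ = struct.unpack("!IIII", data[off:off + 16])
        pkt = data[off + 16:off + 16 + incl]
        off += 16 + incl
        ihl = (pkt[0] & 0x0F) * 4
        if _checksum(pkt[:ihl]) != 0:          # a valid header sums to zero
            raise ValueError("bad IP checksum")
        tcp = pkt[ihl:]
        if _checksum(pkt[12:20] + struct.pack("!BBH", 0, 6, len(tcp)) + tcp) != 0:
            raise ValueError("bad TCP checksum")
        src = ".".join(str(b) for b in pkt[12:16])
        dst = ".".join(str(b) for b in pkt[16:20])
        sport, dport = struct.unpack("!HH", tcp[:4])
        doff = (tcp[12] >> 4) * 4
        records.append((src, dst, sport, dport, tcp[doff:]))
    return records


def demo() -> bytes:
    """Constructed sample (not real traffic): one HTTP request as it would be
    seen at SSL_write, and its response as returned by SSL_read."""
    cap = PlaintextPcap()
    cap.add("send", b"GET /api/v1/ping HTTP/1.1\r\nHost: example.invalid\r\n\r\n", ts=1.0)
    cap.add("recv", b"HTTP/1.1 200 OK\r\nContent-Length: 4\r\n\r\npong", ts=1.5)
    return cap.to_bytes()


if __name__ == "__main__":
    with open("demo.pcap", "wb") as f:
        f.write(demo())
```

Running the script writes `demo.pcap`; opening it in Wireshark shows two segments of one TCP stream with the plaintext request and response. In a real hook the `add` calls would be driven by messages from the Frida script, one per intercepted SSL_write or SSL_read buffer, with the direction taken from which function fired; the multi-process caveat in the README applies here too, since concurrent writers would need a lock around `add`.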