-
Notifications
You must be signed in to change notification settings - Fork 7
/
Copy pathflag_secure.js
28 lines (21 loc) · 1.07 KB
/
flag_secure.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
//https://serializethoughts.com/2018/10/07/bypassing-android-flag_secure-using-frida/
Java.perform(function() {
var surface_view = Java.use('android.view.SurfaceView');
var set_secure = surface_view.setSecure.overload('boolean');
set_secure.implementation = function(flag){
console.log("setSecure() flag called with args: " + flag);
set_secure.call(false);
};
var window = Java.use('android.view.Window');
var set_flags = window.setFlags.overload('int', 'int');
var window_manager = Java.use('android.view.WindowManager');
var layout_params = Java.use('android.view.WindowManager$LayoutParams');
set_flags.implementation = function(flags, mask){
//console.log(Object.getOwnPropertyNames(window.__proto__).join('\n
console.log("flag secure: " + layout_params.FLAG_SECURE.value);
console.log("before setflags called flags: "+ flags);
flags =(flags.value & ~layout_params.FLAG_SECURE.value);
console.log("after setflags called flags: "+ flags);
set_flags.call(this, flags, mask);
};
});