MCPcopy
hub / github.com/CreditTone/hooker

github.com/CreditTone/hooker @main sqlite

repository ↗ · DeepWiki ↗
306 symbols 667 edges 39 files 15 documented · 5%
README

⚠️ Disclaimer All contents of this project are intended solely for learning and technical exchange purposes. The goal is to help developers understand the structure and internal mechanisms of mobile applications.

This project does not contain any cracking operations or infringing content targeting specific applications. Some simple unpacking techniques related to certain apps are widely available on major technical forums and do not cause actual harm to the applications. This project is not intended to assist with any illegal activities, including but not limited to bypassing copyright protection, modifying app functionality, or accessing unauthorized data. Please ensure compliance with relevant laws and regulations when using the tools provided by this project, and use them only for personal learning or research purposes.

English | 简体中文

👋 Welcome to Hooker Reverse Engineering Toolkit

GitHub stars GitHub forks GitHub code size Python frida

Hooker is a reverse engineering toolkit based on Frida, designed to provide Android reverse engineers with a comfortable command-line interface,

A unified script package management system

Universal (通杀) scripts

Automated hook script generation

In-memory roaming for detecting Activity and Service components

A Frida-based implementation of JustTrustMe

Global app support for boringssl unpinning

One picture to prove why you need Hooker: gs_show.jpg

    1. A Frida-based implementation of JustTrustMe for universal SSL pinning bypass, with ongoing maintenance.
    1. An embedded webserver that can quickly expose in-app capabilities as HTTP endpoints for automation and API-style workflows.
    1. Automated Frida hook script generation with detailed, extensible templates.
    1. One-click SOCKS5 proxy setup without requiring third-party apps such as SocksDroid.
    1. A highly streamlined command-line workflow that makes daily reversing much more comfortable.

📚 Table of Contents

🚀 Quick Start

Ensure your device is rooted. No need to manually start frida-server or do any configuration—Hooker handles everything for you.

1. Clone the repository

stephen@ubuntu:~$ git clone https://github.com/CreditTone/hooker.git
stephen@ubuntu:~$ cd hooker

2. Install Python dependencies

stephen@ubuntu:~/hooker$ pip3 install -r requirements.txt

3. Connect your rooted device via USB

stephen@ubuntu:~/hooker$ adb devices
List of devices attached
FA77C0301476    device

4. Launch Hooker

stephen@ubuntu:~/hooker$ python3 hooker.py
hooker Let's enjoy reverse engineering together
-----------------------------------------------------------------------------------------------
PID     APP                     IDENTIFIER                          EXIST_REVERSE_DIRECTORY
0       全球上网                com.miui.virtualsim                 ❌
0       爱奇艺                 com.qiyi.video                      ❌
0       红手指云手机          com.redfinger.app                   ❌
0       Reqable                 com.reqable.android                 ❌
0       美团                  com.sankuai.meituan                 ✅
0       得物                  com.shizhuang.duapp                 ❌
0       某皮                   cxm.shxpxx.sg                          ✅
0       微博                  com.sina.weibo                      ❌
0       今日头条                com.ss.android.article.news         ✅
0       西瓜视频                com.ss.android.article.video        ✅
0       懂车帝                 com.ss.android.auto                 ✅
0       抖音火山版           com.ss.android.ugc.live             ✅
0       抖音精选                com.ss.android.yumme.video          ❌
0       淘宝                  com.taobao.taobao                   ✅
0       腾讯视频                com.tencent.qqlive                  ❌
0       Termux                  com.termux                          ❌
0       轻奢                  com.tm.bachelorparty                ✅
0       WiFi ADB                com.ttxapps.wifiadb                 ❌
0       VMOS Pro                com.vmos.pro                        ✅
0       游戏中心                com.xiaomi.gamecenter               ❌
0       小米商城                com.xiaomi.shop                     ❌
0       米家                  com.xiaomi.smarthome                ❌
0       小米有品                com.xiaomi.youpin                   ✅
0       小红书                 com.xingin.xhs                      ✅
0       运满满货主           com.xiwei.logistics.consignor       ✅
0       拼多多                 com.xunmeng.pinduoduo               ✅
0       EnvCheck                com.yimian.envcheck                 ✅
0       check_env               com.yuuki.check_env                 ❌
0       TikTok                  com.zhiliaoapp.musically            ❌
0       XPrivacyLua             eu.faircode.xlua                    ❌
0       imToken                 im.token.app                        ❌
0       SocksDroid              net.typeblog.socks                  ❌
0       F-Droid                 org.fdroid.fdroid                   ❌
0       ProxyDroid              org.proxydroid                      ❌
3457    手机管家                com.miui.securitycenter             ✅
3509    优信拍                 com.uxin.buyerphone                 ✅
18780   抖音                  com.ss.android.ugc.aweme            ✅
20174   应用商店                com.xiaomi.market                   ❌
20913   设置                  com.android.settings                ❌
30500   小爱同学                com.miui.voiceassist                ❌
32163   相机                  com.android.camera                  ✅
Please enter the identifier that needs to be reversed
hooker(Identifier):

5. Enter the package name of the target app

hooker(Identifier): cxm.shxpxx.sg
✅ App cxm.shxpxx.sg is already in the foreground
Creating working directory: cxm.shxpxx.sg
Generating frida shortcut command...
Generating built-in frida script...
pull /data/app/cxm.shxpxx.sg-L8zkrpFVICv0-hOrtmPPxA==/base.apk to cxm.shxpxx.sg/ShopeeSG_3.43.40.apk successful
Working directory create successful
just_trust_me.js                                 empty.js                                         keystore_dump.js
edit_text.js                                     activity_events.js                               find_boringssl_custom_verify_func.js
ssl_log.js                                       hook_register_natives.js                         click.js
get_device_info.js                               apk_shell_scanner.js                             dump_dex.js
object_store.js                                  hook_artmethod_register.js                       replace_dlsym_get_pthread_create.js
just_trust_me_for_ios.js                         trace_initproc.js                                android_ui.js
jni_method_trace.js                         url.js                                           just_trust_me_okhttp_hook_finder_for_android.js
text_view.js                                     find_anit_frida_so.js
某皮 > 

hooker_enter_debug.gif


6. View help information

某皮 > help
h, help                                      show this help message
a, activitys                                 show the activity stack
s, services                                  show the service stack
o, object [object_id]                        show object info by object_id
v, view [view_id]                            show view info by view_id of view
gs, generatescript [class_name:method_name]  specify the class name and method name to generate a frida hook java script file. For example: generatescript
                                             okhttp3.Request$Builder:addHeader
p, proxy [socks5_proxy_server]               set up a socks5 proxy for this app. For example: proxy socks5://192.168.0.100:9998
up, unproxy                                  remove socks5 proxy for this app
trust, justtrustme                           quickly spawn just_trust_me.js script to kill all ssl pinning
ls                                           list all the frida scripts of the current app
attach [script_file_name]                    quickly execute a frida script, similar to executing the command "frida -U com.example.app -l xxx.js". For example: attach url.js
spawn [script_file_name]                     quickly spawn a frida script, similar to executing the command "frida -U -f -n com.example.app -l xxx.js". For example: spawn
                                             just_trust_me.js
restart                                      restart this app
pid                                          get pid of this app main process
uid                                          get pid of this app
exit                                         return to the previous level
某皮 > 

hooker_help.gif


7. Embedded webserver

Hooker can inject a lightweight webserver into the target app process. Once started, it launches an HTTP service inside the app. The default port is 8080. This service can expose both your custom patch controllers and a built-in set of debugging endpoints.

  • Start the built-in webserver
某音火山版 > webserver start
Http server port: 8080
Http server: http://10.112.101.249:8080

After the built-in webserver starts, open the root page in a browser to see all registered APIs. Common built-in capabilities include:

  • Service management: / shows the welcome page and API list, and /stop stops the current webserver.
  • UI automation: /hooker/ui/... provides view clicking, text-based clicking, coordinate tapping, setting EditText values, triggering Back/Home, launching activities, querying screen info, swiping pagers, scrolling RecyclerView, and dismissing dialogs.
  • UI hierarchy export: /hooker/uiauto/dump, /hooker/uiauto/window_dump.xml, and /hooker/uiauto/window_dump.json export the current window hierarchy for inspection and control discovery.
  • Screenshot capture: /hooker/screencap/screenshot uses the system screencap command, while /hooker/mediaprojection/... supports MediaProjection permission flow and full-screen PNG capture.
  • App information: /hooker/appinfo, /hooker/appinfo/shared_prefs, /hooker/appinfo/databases, and /hooker/appinfo/read_table let you inspect package metadata, permissions, signatures, shared preferences, database schemas, and table rows.
  • Class and object helpers: /hooker/classhelper/invoke_static_method and /hooker/classhelper/invoke_method let you invoke static methods or stored object methods over HTTP.
  • File serving: /file?filename=... returns an absolute-path file or a file generated in the webserver cache directory.
  • MCP-style UI tools: /hooker/mcp/ui/tools and /hooker/mcp/ui/call package common UI actions into a consistent tool interface for external scripts or agents.

  • Start a custom webserver

某宝 > webserver start taxbax-patch.jar
Converting taxbax-patch.jar to taxbax-patch.dex...
Successfully converted to taxbax-patch.dex (7160 bytes)
push file OK /data/user/0/com.taxbax.taxbax/hooker_server.dex
Http server port: 2026
Http server: http://10.112.101.249:2026

Here taxbax-patch.jar is essentially a business plugin running inside the target app process. Hooker converts the jar to dex, injects it into the app, scans annotated classes, and registers them as HTTP routes.

Custom webservers are useful for:

  • Exposing app-internal business capabilities such as search, comments, product details, signatures, encryption/decryption, user profiles, or live-stream APIs.
  • Reusing the target app's own login state, networking stack, environment values, and in-memory objects instead of rebuilding protocol details externally.
  • Wrapping asynchronous callbacks, observables, listeners, or page-object calls into synchronous HTTP endpoints that return JSON or plain text.

Patch projects typically define endpoints like this:

  • Use @HookerWebServerConfiguration(port = 2026) to specify the port. If omitted, the default is 8080.
  • Use @HookerController("/taobao") or @HookerController("/douyin") to define the route prefix.
  • Use @HookerRequestMapping(path = "/getProductDetail") to expose concrete endpoints.
  • Use @HookerRequestParam and `@HookerRe

Core symbols most depended-on inside this repo

_0x487b
called by 432
js/just_trust_me.js
_0xb76c
called by 252
js/get_device_info.js
methodInBeat
called by 50
js/cipher.js
run_su_command
called by 37
hooker.py
_0x3253
called by 37
js/apk_shell_scanner.js
showStacks
called by 33
js/hook_encryption_algo2.js
bytesToString
called by 22
js/hook_encryption_algo.js
toBase64
called by 21
js/hook_encryption_algo2.js

Shape

Function 301
Method 3
Class 2

Languages

TypeScript64%
Python36%

Modules by API surface

hooker.py109 symbols
js/android_ui.js25 symbols
js/just_trust_me.js24 symbols
js/activity_events.js15 symbols
js/param_hook.js14 symbols
js/hook_encryption_algo.js12 symbols
js/get_device_info.js11 symbols
js/_hook_js_enhance.js11 symbols
js/object_store.js9 symbols
js/rpc.js8 symbols
js/r0capture.js7 symbols
js/keystore_dump.js7 symbols

Dependencies from manifests, versioned

adbutils1.2.11 · 1×
androguard3.3.5 · 1×
frida16.7.19 · 1×
frida-tools13.7.1 · 1×
jsbeautifier1.15.4 · 1×

For agents

$ claude mcp add hooker \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact