
app逆向进行hook的常见脚本

伽马星系 08-20 06:00 阅读 22

hook--Map的put通用脚本

import frida
import sys

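rdev = frida.get_remote_device()
# "xxx" is the article's placeholder for the attach target.
session = rdev.attach("xxx")

# Agent source that Frida runs inside the target process. It replaces
# java.util.TreeMap.put, logs the pair when the key compares equal to "data",
# and then forwards to the original put so the app keeps working.
scr = """
Java.perform(function () {
    var TreeMap = Java.use('java.util.TreeMap');
    var Map = Java.use("java.util.Map");

    TreeMap.put.implementation = function (key,value) {
        if(key=="data"){
            console.log(key,value);
        }
        var res = this.put(key,value);
        return res;
    }
});
"""
script = session.create_script(scr)


def on_message(message, data):
    """Print each "message" event posted back by the injected script."""
    print(message, data)


script.on("message", on_message)
script.load()
# Keep the host process alive. Without this the interpreter exits right after
# load(), the session is torn down and the hook is removed before the app
# calls TreeMap.put again.
sys.stdin.read()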

hook--StringBuilder

import frida
import sys

# Agent source: wraps java.lang.StringBuilder.toString and logs every string
# it returns. StringBuilder is used throughout the Android runtime, so expect
# very high output volume; the original return value is passed through.
HOOK_SOURCE = """
Java.perform(function () {
    var StringBuilder = Java.use("java.lang.StringBuilder");
    
    StringBuilder.toString.implementation = function () {
        var res = this.toString();
        console.log(res); 
        return res;
    }
   
});
"""


def on_message(message, data):
    """Print each "message" event posted back by the injected script."""
    print(message, data)


device = frida.get_remote_device()
# "xxx" is the article's placeholder for the attach target.
session = device.attach("xxx")
script = session.create_script(HOOK_SOURCE)
script.on("message", on_message)
script.load()
# Block on stdin so the session (and with it the hook) stays active.
sys.stdin.read()

hook--Base64

import frida
import sys

def on_message(message, data):
    """Print each "message" event posted back by the injected script."""
    print(message, data)


# Agent source: wraps the (byte[], int) overload of
# android.util.Base64.encodeToString and logs the encoded result.
# Note that the log label inside the agent means "encrypted", but Base64 is
# an encoding and is trivially reversible; a value seen here is not protected
# by this call. Other overloads of encodeToString are not hooked.
BASE64_HOOK = """
Java.perform(function () {
    var Base64 = Java.use("android.util.Base64");

    Base64.encodeToString.overload('[B', 'int').implementation = function (bArr,val) {
        var res = this.encodeToString(bArr,val);
        console.log("加密了-->",res);
        return res;
    }
});
"""

# "xxx" is the article's placeholder for the attach target.
session = frida.get_remote_device().attach("xxx")
script = session.create_script(BASE64_HOOK)
script.on("message", on_message)
script.load()
# Block on stdin so the session (and with it the hook) stays active.
sys.stdin.read()

# 通过查看输出,拿请求的数据搜索,发现hook到了

hook--拦截器

// hook_Interceptor.js
// Logs each interceptor object passed to OkHttpClient.Builder.addInterceptor
// and then forwards to the original method, so the client is built as usual.
// Only addInterceptor is wrapped; interceptors registered through
// addNetworkInterceptor are not logged by this script.
Java.perform(function () {
    var builderClass = Java.use('okhttp3.OkHttpClient$Builder');

    builderClass.addInterceptor.implementation = function (interceptor) {
        var description = JSON.stringify(interceptor);
        console.log(description);
        return this.addInterceptor(interceptor);
    };
});

//frida -Uf com.hupu.shihuo -l hook_Interceptor.js -o all_interceptor3.txt



hook--so文件的函数

import frida
import sys

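rdev = frida.get_remote_device()
# "xxx" is the article's placeholder for the attach target.
session = rdev.attach("xxx")

# Agent source: attaches an Interceptor to the export
# AES_128_ECB_PKCS5Padding_Encrypt of libJNIEncrypt.so and logs its first two
# arguments and its return value as UTF-8 strings.
#
# Review notes:
# - The export lookup returns null when the library is not loaded yet or the
#   symbol is not exported; the agent now reports that instead of passing
#   null to Interceptor.attach.
# - Assumes both arguments and the return value are NUL-terminated UTF-8
#   strings - TODO confirm against the native signature; a binary buffer
#   would need a byte-level dump instead of readUtf8String.
# - The export name suggests AES-128 in ECB mode. If that is accurate, ECB
#   reveals repeated plaintext blocks and is worth recording as a finding.
# - NOTE(review): newer Frida releases changed the Module lookup API; confirm
#   Module.findExportByName exists in the installed version.
# - The logged values are plaintext inputs of an encryption routine; treat
#   captured output as sensitive.
scr = """
Java.perform(function () {
    //1  找到那个so文件,libJNIEncrypt.so,第二个参数是要hook的函数名--》返回值是函数的内存地址
    var addr_func = Module.findExportByName("libJNIEncrypt.so", "AES_128_ECB_PKCS5Padding_Encrypt");
    // The lookup yields null if the module is not loaded or lacks the export.
    if (addr_func === null) {
        console.log("export not found: libJNIEncrypt.so!AES_128_ECB_PKCS5Padding_Encrypt");
        return;
    }
    //2 传入要hook的函数内存地址
    Interceptor.attach(addr_func, {
        onEnter: function(args){
            console.log("--------------------------执行函数--------------------------");
            console.log("参数1-v11:", args[0].readUtf8String());
            console.log("参数2-v8:", args[1].readUtf8String());
        },
        onLeave: function(retValue){
            console.log(":::", retValue.readUtf8String());
        }

    })

});
"""


script = session.create_script(scr)


def on_message(message, data):
    """Print each "message" event posted back by the injected script."""
    print(message, data)


script.on("message", on_message)
script.load()
# Block on stdin so the session (and with it the hook) stays active.
sys.stdin.read()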

遍历打印app运行时加载了哪些so文件

import frida
import sys

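rdev = frida.get_remote_device()
# Spawn the package suspended so the hooks are in place before it runs;
# "com.xxx" is the article's placeholder package name.
pid = rdev.spawn(["com.xxx"])
session = rdev.attach(pid)

# Agent source: logs the path argument of every dlopen and
# android_dlopen_ext call, i.e. each shared library the process asks the
# loader to open.
#
# Changes from the original listing:
# - The hooks are installed at script top level instead of inside
#   Java.perform. Interceptor does not need the Java VM, and Frida documents
#   that Java.perform may defer its callback until the app class loader is
#   available, which could miss early library loads after resume().
# - Each export is checked for null before attaching, so a platform that
#   lacks one of the two symbols no longer aborts the whole agent.
# - NOTE(review): newer Frida releases changed the Module lookup API; confirm
#   Module.findExportByName exists in the installed version.
scr = """
function hookLoader(symbol, tag) {
    var addr = Module.findExportByName(null, symbol);
    if (addr === null) {
        console.log("export not found:", symbol);
        return;
    }
    Interceptor.attach(addr, {
        onEnter: function (args) {
            // First argument of both functions is the library path.
            var path = ptr(args[0]).readCString();
            console.log(tag, path);
        }
    });
}

hookLoader("dlopen", "[dlopen:]");
hookLoader("android_dlopen_ext", "[dlopen_ext:]");
"""
script = session.create_script(scr)


def on_message(message, data):
    """Print each "message" event posted back by the injected script."""
    print(message, data)


script.on("message", on_message)
script.load()
# Resume only after load() so the hooks exist before the app starts running.
rdev.resume(pid)
# Block on stdin so the session (and with it the hooks) stays active.
sys.stdin.read()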

打印调用栈

import frida
import sys

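rdev = frida.get_remote_device()
# "xxx" is the article's placeholder for the attach target.
session = rdev.attach("xxx")

# Agent source: wraps method t2 of the placeholder class "xxx", logs its
# string argument, calls the original, and prints the current Java call stack
# by formatting a freshly created Throwable with android.util.Log.
#
# Changes from the original listing:
# - The class-name literal was missing its closing quote, which is a
#   JavaScript syntax error that prevents the agent from loading.
# - The original method's return value is now passed back to the caller; for
#   a void method this makes no difference.
#
# The logged argument is a session value, so keep captured output out of
# shared logs.
scr = """
    Java.perform(function () {
    var h = Java.use("xxx");
    h.t2.implementation = function(str){
        console.log("设置session",str);
        var ret = this.t2(str);
        //调用栈
      console.log(Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Throwable").$new()));
        return ret;
    };
    
    });
"""

script = session.create_script(scr)

script.load()
# Block on stdin so the session (and with it the hook) stays active.
sys.stdin.read()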



'''
设置session 69a5568e29c5f5bb120901435e2bd98281c1969d
java.lang.Throwable
	at t3.a.i.b.i$j.onPrepared(BL:6)
	at tv.danmaku.ijk.media.player.AbstractMediaPlayer.notifyOnPrepared(BL:2)
	at tv.danmaku.ijk.media.player.IjkMediaPlayer$EventHandler.handleMessage(BL:107)
	at android.os.Handler.dispatchMessage(Handler.java:106)
	at android.os.Looper.loop(Looper.java:223)
	at android.app.ActivityThread.main(ActivityThread.java:7656)
	at java.lang.reflect.Method.invoke(Native Method)
	at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:592)
	at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:947)

'''


rpc调用so文件函数

import frida
# Agent source: exposes one RPC export, encrypt(a1, a2, a3), which calls the
# static method encrypt_data on the placeholder class com.xxx.Crypt inside the
# target process and returns whatever that method returns.
AGENT_SOURCE = """
rpc.exports = {   
    encrypt:function(a1,a2,a3){
         var res;
         Java.perform(function () { 
            // 包.类
            var Crypt = Java.use("com.xxx.Crypt");
            // 类中的方法
            res = Crypt.encrypt_data(a1,a2,a3);
         });
         return res;
    }
}
"""

device = frida.get_remote_device()
# "xxx" is the article's placeholder for the attach target.
session = device.attach("xxx")
script = session.create_script(AGENT_SOURCE)
script.load()

# Call the export from Python; the arguments are the article's sample values.
# NOTE(review): recent frida-python releases name the synchronous proxy
# exports_sync - confirm which attribute the installed version expects.
sign = script.exports.encrypt(0, "abcdefg", 7)
print(sign)

