package com.github.androiddemo.Activity;
import android.content.Intent;
public class FridaActivity7 extends BaseFridaActivity {
private boolean next;
@Override // com.github.androiddemo.Activity.BaseFridaActivity
public String getNextCheckTitle() {
return "当前第7关";
}
public FridaActivity7() {
this.next = true;
this.next = false;
}
@Override // com.github.androiddemo.Activity.BaseFridaActivity
public void onCheck() {
if (this.next) {
CheckSuccess();
startActivity(new Intent(this, FridaActivity8.class));
finishActivity(0);
return;
}
super.CheckFailed();
}
}
由源码可知,构造函数FridaActivity7设置next为true,就可以跳转到下一关。
因此,这里需要hook构造函数,用到了$init.implementation。
function hook_MainActivity() {
Java.perform(function() {
var MainActivity = Java.use("com.example.androiddemo.MainActivity");
//frida -U --no-pause -f com.example.androiddemo -l hook.js
//--no-pause -f apk启动之前就把frida的脚本注入进apk进程里
var System = Java.use("java.lang.System");
System.getenv.overload('java.lang.String').implementation = function(name) {
var env = this.getenv(name);
if (name == "USER") {
env = "flag";
}
console.log("getenv:", name, env);
return env;
}
var FridaActivity7 = Java.use("com.github.androiddemo.Activity.FridaActivity7");
//hook 构造函数
FridaActivity7.$init.implementation = function() {
this.$init();
this.next.value = true;
}
});
}
