Frida Hook动态加载的DEX里的方法,需要切换到ClassLoader下。
Java
package com.github.lastingyang.androiddemo.Activity;
import android.content.Intent;
import android.os.Bundle;
import android.widget.Toast;
import com.example.androiddemo.Dynamic.AbstractC0000CheckInterface;
import dalvik.system.DexClassLoader;
import java.io.File;
import java.io.IOException;
public class FridaActivity5 extends BaseFridaActivity {
private AbstractC0000CheckInterface DynamicDexCheck = null;
@Override // com.github.lastingyang.androiddemo.Activity.BaseFridaActivity
public String getNextCheckTitle() {
return "当前第5关";
}
/* JADX WARNING: Removed duplicated region for block: B:30:0x0045 */
/* JADX WARNING: Removed duplicated region for block: B:33:0x004d */
/* JADX WARNING: Removed duplicated region for block: B:37:0x0058 A[SYNTHETIC, Splitter:B:37:0x0058] */
/* JADX WARNING: Removed duplicated region for block: B:42:0x0060 A[Catch:{ IOException -> 0x005c }] */
/* JADX WARNING: Removed duplicated region for block: B:47:? A[RETURN, SYNTHETIC] */
/* Code decompiled incorrectly, please refer to instructions dump. */
public static void copyFiles(android.content.Context r2, java.lang.String r3, java.io.File r4) {
/*
// Method dump skipped, instructions count: 106
*/
throw new UnsupportedOperationException("Method not decompiled: com.github.lastingyang.androiddemo.Activity.FridaActivity5.copyFiles(android.content.Context, java.lang.String, java.io.File):void");
}
private void loaddex() {
File filesDir = getFilesDir();
if (!filesDir.exists()) {
filesDir.mkdir();
}
String str = filesDir.getAbsolutePath() + File.separator + "DynamicPlugin.dex";
File file = new File(str);
try {
if (!file.exists()) {
file.createNewFile();
copyFiles(this, "DynamicPlugin.dex", file);
}
} catch (IOException e) {
e.printStackTrace();
}
try {
AbstractC0000CheckInterface checkInterface = (AbstractC0000CheckInterface) new DexClassLoader(str, filesDir.getAbsolutePath(), null, getClassLoader()).loadClass("com.example.androiddemo.Dynamic.DynamicCheck").newInstance();
this.DynamicDexCheck = checkInterface;
if (checkInterface == null) {
Toast.makeText(this, "loaddex Failed!", 1).show();
}
} catch (Exception e2) {
e2.printStackTrace();
}
}
public AbstractC0000CheckInterface getDynamicDexCheck() {
if (this.DynamicDexCheck == null) {
loaddex();
}
return this.DynamicDexCheck;
}
/* access modifiers changed from: protected */
@Override // androidx.activity.ComponentActivity, androidx.core.app.ComponentActivity, com.github.lastingyang.androiddemo.Activity.BaseFridaActivity, androidx.appcompat.app.AppCompatActivity, androidx.fragment.app.FragmentActivity
public void onCreate(Bundle bundle) {
super.onCreate(bundle);
loaddex();
}
@Override // com.github.lastingyang.androiddemo.Activity.BaseFridaActivity
public void onCheck() {
if (getDynamicDexCheck() == null) {
Toast.makeText(this, "onClick loaddex Failed!", 1).show();
} else if (getDynamicDexCheck().check()) {
CheckSuccess();
startActivity(new Intent(this, FridaActivity6.class));
finishActivity(0);
} else {
super.CheckFailed();
}
}
}
这段代码首先加载DynamicPlugin.dex,然后调用其中的getDynamicDexCheck().check()。这里就要hook的是check,但是check不在当前Dex环境下,而是在DynamicPlugin下,因此要先切换到DynamicPlugin下。
Frida JS
function hook_dyn_dex() {
Java.perform(function() {
Java.enumerateClassLoaders({
onMatch : function(loader) {
try {
if (loader.findClass("com.example.androiddemo.Dynamic.DynamicCheck")) {
Java.classFactory.loader = loader;
console.log(loader);
}
} catch (error) {
}
}, onComplete : function() {
}
});
var DynamicCheck = Java.use("com.example.androiddemo.Dynamic.DynamicCheck");
DynamicCheck.check.implementation = function() {
var result = this.check();
console.log("DynamicCheck.check:", result);
return true;
}
})
}
首先是枚举所有的ClassLoader,其次找到包含DynamicCheck的ClassLoader,最后把这个ClassLoader加载到当前loader。
