1. Install a Python environment
2. Install Frida on the PC:
pip install frida-tools
3. Install frida-server on the phone
https://github.com/frida/frida/releases
frida-server-16.0.9-android-arm64.xz (for an arm64 phone)
Don't download the wrong build: the architecture must match the phone, and the frida-server version must match the Frida version installed on the PC.
Check the Frida version on the PC:
C:\Users\sanqiu> frida --version
16.0.9
Then extract the .xz and push the binary into /data/local/tmp/ on the phone (the commands below assume it was renamed to frida-server-arm64); remember to make it executable (chmod 755).
4. Run frida-server on the phone
In cmd window 1, run:
adb shell
su
/data/local/tmp/frida-server-arm64
In cmd window 2, run:
adb forward tcp:27042 tcp:27042
(The -U tools such as frida-ps -U reach the server over USB through adb on their own; this port forward is what frida.get_remote_device() in the demo below connects through, at 127.0.0.1:27042.)
5. Check that frida-server is reachable from the PC
frida-ps -U
If the phone's process list is printed, the connection works:
C:\Users\sanqiu>frida-ps -U
PID Name
----- --------------------------------------------------------
739 JunkServer
6079 MT管理器
6233 Magisk
728 adbd
437 aee_aed
438 aee_aed64
439 aee_aedv
440 aee_aedv64
1751 android.ext.services
519 android.hardware.audio.service.mediatek
...
6. Test the code
Edit the script in Notepad++, click Run, and enter the command to run it with:
cmd /k python "<full path to the .py file>" & ECHO & PAUSE & EXIT
Demo:
# https://blog.csdn.net/weixin_38819889/article/details/122535920  (functions needed for hooking at the SO / native layer)
import frida
import sys

# Write the hook code here
jsCode = """
var str_name_so = "libil2cpp.so";  // name of the .so to hook
var n_addr_func_offset = 0x6B257C; // offset of the target function inside the .so (from the disassembler)
// Once loaded in memory: function address = so base address + function offset
var n_addr_so = Module.findBaseAddress(str_name_so);
if (n_addr_so === null) {
    // attach() happened before the library was mapped; findBaseAddress returns null then
    throw new Error(str_name_so + " is not loaded yet; attach later or hook dlopen");
}
// NativePointer.add() does the arithmetic on the pointer itself instead of
// round-tripping the address through parseInt() and a JS Number
var ptr_func = n_addr_so.add(n_addr_func_offset);
Interceptor.attach(ptr_func,
{
    onEnter: function(args)
    {
        console.log("hook api start");
    },
    onLeave: function(retval)
    {
        console.log("hook api stop");
    }
});
"""

# Fill in the application name here
# (look it up with the command frida-ps -U)
package_name = '穿越火线:最后战役X'

# Log file for send() payloads (the original referenced fw without ever opening it)
fw = open("hook_log.txt", "a", encoding="utf-8")

def on_message(message, data):
    if message["type"] == 'send':
        print("[*] {0}".format(message['payload']))
        fw.write("[*] {0}\n".format(message['payload']))
        fw.flush()
    else:
        # 'error' messages carry the description and stack of a JS exception
        print(message)

# get_remote_device() connects to 127.0.0.1:27042, i.e. through the
# "adb forward tcp:27042 tcp:27042" set up in step 4
process = frida.get_remote_device().attach(package_name)
script = process.create_script(jsCode)
script.on("message", on_message)
script.load()
sys.stdin.read()
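The demo above only works if libil2cpp.so is already mapped when you attach, and it just prints a line on entry and exit. As an added example (not code from the original post), here is a host script that does the same base + offset hook but spawns the app suspended so the hook is installed before the library loads, waits for the library via android_dlopen_ext when it is not yet mapped, resolves the address with NativePointer.add(), reports the first four arguments and the return value, and formats Frida's 'error' messages (description, file:line, stack) instead of dumping the raw dict. The package identifier com.example.game is hypothetical; the library name and offset are the ones from the demo; the Frida API calls are those of Frida 16. It uses frida.get_usb_device(), so the adb port forward from step 4 is not needed for it.

```python
import json
import sys

SO_NAME = "libil2cpp.so"             # library to hook (from the demo above)
FUNC_OFFSET = 0x6B257C               # static offset of the target function inside the .so
TARGET_PACKAGE = "com.example.game"  # hypothetical package id; find yours with: frida-ps -Uai

# Frida agent (JavaScript). %(so)s / %(offset)s are filled in by build_agent().
AGENT_TEMPLATE = r"""
'use strict';
var SO_NAME = %(so)s;
var FUNC_OFFSET = %(offset)s;
var hooked = false;

function hookTarget(base) {
    if (hooked) { return; }
    hooked = true;
    // Runtime address = module base + static offset. NativePointer.add()
    // keeps the arithmetic on the pointer instead of a JS Number.
    var target = base.add(FUNC_OFFSET);
    send({event: 'resolved', so: SO_NAME, base: base.toString(), target: target.toString()});
    Interceptor.attach(target, {
        onEnter: function (args) {
            // x0..x3 on arm64; floating-point arguments are not visible this way
            this.argv = [args[0], args[1], args[2], args[3]].map(function (a) {
                return a.toString();
            });
        },
        onLeave: function (retval) {
            send({event: 'call', args: this.argv, retval: retval.toString()});
        }
    });
}

var base = Module.findBaseAddress(SO_NAME);
if (base !== null) {
    hookTarget(base);
} else {
    // Spawned early: the library is not mapped yet, so wait for the loader to map it.
    var dlopen = Module.findExportByName(null, 'android_dlopen_ext');
    Interceptor.attach(dlopen, {
        onEnter: function (args) { this.path = args[0].readUtf8String(); },
        onLeave: function (retval) {
            if (this.path !== null && this.path.indexOf(SO_NAME) !== -1) {
                hookTarget(Module.findBaseAddress(SO_NAME));
            }
        }
    });
}
"""


def build_agent(so_name: str, func_offset: int) -> str:
    """Render the agent with the target baked in as JS literals."""
    if func_offset < 0:
        raise ValueError("offset must be non-negative")
    return AGENT_TEMPLATE % {"so": json.dumps(so_name), "offset": hex(func_offset)}


def format_message(message: dict) -> str:
    """One log line per Frida message: 'send' carries our payload, 'error' a JS exception."""
    kind = message.get("type")
    if kind == "send":
        return "[*] " + json.dumps(message["payload"], ensure_ascii=False)
    if kind == "error":
        where = "%s:%s" % (message.get("fileName", "?"), message.get("lineNumber", "?"))
        return "[!] %s at %s\n%s" % (message.get("description"), where, message.get("stack", ""))
    return "[?] " + json.dumps(message, ensure_ascii=False)


def run(package: str, so_name: str = SO_NAME, func_offset: int = FUNC_OFFSET,
        log_path: str = "hook_log.txt") -> None:
    import frida  # imported here so the helpers above work without a device attached

    device = frida.get_usb_device(timeout=5)   # over USB via adb; no port forward needed
    pid = device.spawn([package])              # started suspended: hook goes in before the lib loads
    session = device.attach(pid)
    script = session.create_script(build_agent(so_name, func_offset))
    with open(log_path, "a", encoding="utf-8") as log:
        def on_message(message, data):
            line = format_message(message)
            print(line)
            log.write(line + "\n")
            log.flush()

        script.on("message", on_message)
        script.load()
        device.resume(pid)
        sys.stdin.read()  # Ctrl+Z then Enter (Windows) to stop


if __name__ == "__main__":
    run(sys.argv[1] if len(sys.argv) > 1 else TARGET_PACKAGE)
```

Run it as python hook_spawn.py com.example.game with the app closed; the first line logged should be the 'resolved' event with the base and target addresses, which you can compare against the offset you took from the disassembler.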