frida hook java层常用模板

文章转载于 安卓逆向菜鸟修炼记(微信公众号),个人感觉很实用,记录下来方便回顾,想看原文的请移步公众号。

1.JAVA层HOOK普通方法

import frida, sys

jscode ="""
Java.perform(function () {
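    // Java.use('<class>') returns a class wrapper; <wrapper>.<method>.implementation
    // swaps in a new body. If D has more than one overload the bare assignment
    // is refused by Frida -- pick one with utils.D.overload('<type>', ...).
    var utils = Java.use('com.renren.mobile.utils.RSA');
    utils.D.implementation = function (a, b, c) {
        console.log("Hook Start...");
        // Log the three arguments (named parameters instead of arguments[i]).
        // This is an RSA helper, so what goes past here may be key material or
        // plaintext: treat the send() output as sensitive.
        send(a);
        send(b);
        send(c);
        // Call through to the real method and hand its result back; without
        // this every caller of D sees undefined and the app misbehaves.
        var result = this.D(a, b, c);
        send(result);
        return result;
    }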
});
"""

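def message(message, data):
    """Frida message handler registered with script.on("message", ...).

    Args:
        message: dict sent by the agent. "send" carries the value in
            message["payload"]; "error" (an uncaught exception in the
            JS) carries "description" and, when available, "stack".
        data: optional binary blob attached to send(payload, data);
            not used here.
    """
    kind = message.get("type")
    if kind == "send":
        print("[*] {0}".format(message["payload"]))
    elif kind == "error":
        # Surface agent-side exceptions with their JS stack so a broken
        # hook is noticed instead of scrolling by as a raw dict.
        print("[!] {0}".format(message.get("description", message)))
        stack = message.get("stack")
        if stack:
            print(stack)
    else:
        print(message)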


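# Attach to the already-running app by process (package) name. Python
# comments start with '#': the original '//apk包名' was parsed as a floor
# division by an undefined name and would raise at runtime.
# get_remote_device() talks to a frida-server reachable over TCP (typically
# 127.0.0.1:27042 after `adb forward`); frida.get_usb_device() is the
# alternative when connecting straight over adb.
process = frida.get_remote_device().attach('com.renren.mobile.android')
# Compile the agent, route its send()/error messages to message(), inject it.
script = process.create_script(jscode)
script.on("message", message)
script.load()
# Block until stdin hits EOF so the hooks stay installed.
sys.stdin.read()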

2. JAVA层HOOK构造方法

jscode = """
Java.perform(function () {
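  // Constructors are hooked through the synthetic $init member. If the class
  // has several constructors, select one by parameter types, e.g.
  // money.$init.overload('int', 'java.lang.String') if that is the signature.
  var money = Java.use('com.qiang.fridaapp.Money');
  money.$init.implementation = function (a, b) {
    console.log("Hook Start...");
    // Named parameters instead of arguments[i].
    send(a);
    send(b);
    send("Success!");
    // Run the real constructor with substituted arguments; $init returns
    // nothing, the object under construction is `this`.
    return this.$init(10000, "美元");
  }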
});
"""

3.JAVA层HOOK重载方法

jscode ="""
Java.perform(function () {
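    // overload() selects one overload by its full parameter-type list; here
    // the single int of test(int).
    var utils = Java.use('com.qiang.fridaapp.Utils');
    utils.test.overload("int").implementation = function (a) {
        console.log("Hook Start...");
        // Named parameter instead of arguments[0].
        send(a);
        // The original body is deliberately skipped and a fixed value returned.
        // The value must be convertible to test(int)'s declared return type,
        // otherwise Frida throws when the hook returns.
        return "helloworld";
    }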
});
"""

4.JAVA层HOOK构造对象参数


jscode = """
Java.perform(function () {
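  // Building a Java object from the agent: <wrapper>.$new(...) runs the
  // matching constructor and returns an instance wrapper.
  var utils = Java.use('com.qiang.fridaapp.Utils');
  var money = Java.use('com.qiang.fridaapp.Money');
  utils.test.overload().implementation = function () {
    send("Hook Start...");
    var mon = money.$new(2000, '港币');
    // Prove the constructed object is usable from the agent (was dead code).
    send(mon.getInfo());
    // Calling this.test(800) from inside the no-arg overload dispatches to the
    // overload taking an int; its result is returned as-is. If an overload
    // accepting a Money exists, `mon` can be passed the same way -- verify
    // against the app.
    return this.test(800);
  }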
});
"""

5. JAVA层HOOK修改对象属性


jscode = """
Java.perform(function () {
    var utilsWrapper = Java.use('com.qiang.fridaapp.Utils');
    var moneyWrapper = Java.use('com.qiang.fridaapp.Money');
    var javaLangClass = Java.use('java.lang.Class');

    // Reflection-based field write: look the field up on the instance's
    // java.lang.Class, lift the access check, then set it. Frida's own field
    // accessor (instance.num.value = 2000) is the shorter equivalent.
    utilsWrapper.test.overload().implementation = function () {
        send("Hook Start...");

        var instance = moneyWrapper.$new(200, "RMB");
        send(instance.getInfo());

        var instanceClass = Java.cast(instance.getClass(), javaLangClass);
        var numField = instanceClass.getDeclaredField('num');
        numField.setAccessible(true);
        numField.setInt(instance, 2000);
        send(instance.getInfo());

        return this.test();
    }
});
"""

6.JAVA层HOOK匿名内部类


jscode = """
Java.perform(function () {
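    // Anonymous inner classes are named after the enclosing class plus $N,
    // so the click listener is reachable as LoginActivity$1.
    var login = Java.use('com.qiang.helloworld.LoginActivity$1');

    login.onClick.implementation = function (a) {
        send("Hook Start...");
        send("helloworld");
        // Pass the click through; without this the listener never runs and
        // the button appears dead.
        return this.onClick(a);
    }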
});
"""

7.JAVA层HOOK打印堆栈信息


jscode = """
Java.perform(function () {
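    var login = Java.use('com.qiang.helloworld.LoginActivity$1');

    login.onClick.implementation = function (a) {
        send("Hook Start...");
        // Dump the Java call stack that led here (printStack is the helper
        // declared further down in the same Java.perform callback).
        printStack();
        // Keep the original listener behaviour.
        return this.onClick(a);
    }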
    
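    // Send one "stack:" line per frame of the current Java thread's stack.
    function printStack() {
        // Thread.currentThread() is static: call it on the class wrapper.
        // Allocating a fresh Thread with $new() just to reach it was wasted work.
        var thread = Java.use('java.lang.Thread');
        var stack = thread.currentThread().getStackTrace();
        for (var i = 0; i < stack.length; i++) {
            send("stack:" + stack[i].toString());
        }
    }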
});
"""

8.JAVA层HOOK字符串转字节数组


jscode = """
Java.perform(function () {
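    var login = Java.use('com.qianyu.helloworld.LoginActivity$1');

    login.onClick.implementation = function (a) {
        send("Hook Start...");
        // stringToBytes is the helper declared below in this callback.
        var bytes = stringToBytes("hello world!");
        send(bytes);
        // Keep the original listener behaviour.
        return this.onClick(a);
    }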
    
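    // Encode a JS string as UTF-8 and return the bytes as a plain number array
    // (the same bytes Java's String.getBytes("UTF-8") yields). The previous
    // version split UTF-16 code units into big-endian bytes, which agrees with
    // UTF-8 only for ASCII. Lone surrogates are encoded as-is (WTF-8) where
    // Java would substitute '?'.
    function stringToBytes(str) {
        var bytes = [];
        for (var i = 0; i < str.length; i++) {
            var cp = str.codePointAt(i);
            if (cp > 0xFFFF) {
                i++; // astral code point: the low surrogate was consumed too
            }
            if (cp < 0x80) {
                bytes.push(cp);
            } else if (cp < 0x800) {
                bytes.push(0xC0 | (cp >> 6), 0x80 | (cp & 0x3F));
            } else if (cp < 0x10000) {
                bytes.push(0xE0 | (cp >> 12), 0x80 | ((cp >> 6) & 0x3F), 0x80 | (cp & 0x3F));
            } else {
                bytes.push(0xF0 | (cp >> 18), 0x80 | ((cp >> 12) & 0x3F), 0x80 | ((cp >> 6) & 0x3F), 0x80 | (cp & 0x3F));
            }
        }
        return bytes;
    }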
});
"""

9.JAVA层字节数组转字符串


jscode = """
Java.perform(function () {
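    var login = Java.use('com.qiang.helloworld.LoginActivity$1');

    login.onClick.implementation = function (a) {
        send("Hook Start...");
        // Round-trip a literal through the two helpers declared below.
        var bytes = stringToBytes("hello world!");
        send(bytes);
        var str = byteToString(bytes);
        send(str);
        // Keep the original listener behaviour.
        return this.onClick(a);
    }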
    
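    // Encode a JS string as UTF-8 and return the bytes as a plain number array
    // (the same bytes Java's String.getBytes("UTF-8") yields), so the output
    // is what byteToString below expects. The previous version split UTF-16
    // code units into big-endian bytes, which agrees with UTF-8 only for ASCII.
    // Lone surrogates are encoded as-is (WTF-8) where Java would substitute '?'.
    function stringToBytes(str) {
        var bytes = [];
        for (var i = 0; i < str.length; i++) {
            var cp = str.codePointAt(i);
            if (cp > 0xFFFF) {
                i++; // astral code point: the low surrogate was consumed too
            }
            if (cp < 0x80) {
                bytes.push(cp);
            } else if (cp < 0x800) {
                bytes.push(0xC0 | (cp >> 6), 0x80 | (cp & 0x3F));
            } else if (cp < 0x10000) {
                bytes.push(0xE0 | (cp >> 12), 0x80 | ((cp >> 6) & 0x3F), 0x80 | (cp & 0x3F));
            } else {
                bytes.push(0xF0 | (cp >> 18), 0x80 | ((cp >> 12) & 0x3F), 0x80 | ((cp >> 6) & 0x3F), 0x80 | (cp & 0x3F));
            }
        }
        return bytes;
    }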
    
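    // Decode a UTF-8 byte array (plain numbers, or a Java byte[] wrapper whose
    // elements are signed -128..127) back into a JS string; a string argument
    // is returned unchanged. Malformed or truncated sequences become U+FFFD.
    // Replaces a decoder that dropped data bits of 2-byte sequences
    // (slice(5) on a 110xxxxx lead byte kept only 3 of its 5 bits, so e.g.
    // U+0700 decoded as U+0100), could not produce astral code points, and
    // read past the end of a truncated array.
    function byteToString(arr) {
        if (typeof arr === 'string') {
            return arr;
        }
        var replacement = String.fromCharCode(0xFFFD);
        var str = '';
        var i = 0;
        while (i < arr.length) {
            var lead = arr[i] & 0xFF; // & 0xFF maps signed Java bytes to 0..255
            var extra;
            var cp;
            if (lead < 0x80) {
                extra = 0;
                cp = lead;
            } else if ((lead & 0xE0) === 0xC0) {
                extra = 1;
                cp = lead & 0x1F;
            } else if ((lead & 0xF0) === 0xE0) {
                extra = 2;
                cp = lead & 0x0F;
            } else if ((lead & 0xF8) === 0xF0) {
                extra = 3;
                cp = lead & 0x07;
            } else {
                // stray continuation byte or invalid lead byte
                str += replacement;
                i++;
                continue;
            }
            if (i + extra >= arr.length) {
                // truncated sequence at the end of the input
                str += replacement;
                break;
            }
            var valid = true;
            for (var k = 1; k <= extra; k++) {
                var b = arr[i + k] & 0xFF;
                if ((b & 0xC0) !== 0x80) {
                    valid = false;
                    break;
                }
                cp = (cp << 6) | (b & 0x3F);
            }
            if (!valid) {
                str += replacement;
                i++;
                continue;
            }
            // fromCodePoint handles the astral range fromCharCode cannot.
            str += String.fromCodePoint(cp);
            i += extra + 1;
        }
        return str;
    }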
});
"""

10.Java层hook复杂参数

jscode = """
Java.perform(function () {
    
    var md5Wrapper = Java.use('com.renren.mobile.utils.Md5');

    // Observe toMD5: log the input, run the real method, log and return
    // its digest unchanged.
    md5Wrapper.toMD5.implementation = function (a) {
        console.log("================================");
        send(a);
        var digest = this.toMD5(a);
        send(digest);
        return digest;
    }
    
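    var info = Java.use('com.renren.mobile.android.service.ServiceProvider');

    // Seven-parameter overload of ServiceProvider.a: the selector lists every
    // parameter type in order, fully qualified for non-primitive types.
    info.a.overload('java.lang.String', 'java.lang.String', 'int', 'java.lang.String', 'java.lang.String',
    'android.content.Context', 'com.renren.mobile.android.loginfree.LoginStatusListener').implementation =
    function (str1, str2, i, str3, str4, context, loginStatus) {
        console.log("================================");
        // This appears to sit on a login path (LoginStatusListener argument),
        // so the string arguments may carry credentials or tokens: keep the
        // send() output out of shared logs.
        send("=>" + str1);
        send("=>" + str2);
        send("=>" + i);
        send("=>" + str3);
        send("=>" + str4);
        send("=>" + context);
        send("=>" + loginStatus);
        // Forward to the real method and return its result so the login flow
        // is observed rather than silently aborted.
        return this.a(str1, str2, i, str3, str4, context, loginStatus);
    }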
    
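    // Send one "stack:" line per frame of the current Java thread's stack.
    function printStack() {
        // Thread.currentThread() is static: call it on the class wrapper.
        // Allocating a fresh Thread with $new() just to reach it was wasted work.
        var thread = Java.use('java.lang.Thread');
        var stack = thread.currentThread().getStackTrace();
        for (var i = 0; i < stack.length; i++) {
            send("stack:" + stack[i].toString());
        }
    }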
});
"""


Origin blog.csdn.net/weixin_38819889/article/details/121569849