Frida study

1. Install a Python environment
2. Install Frida on the computer:

pip install frida-tools

3. Install frida-server on the mobile phone
Download it from https://github.com/frida/frida/releases
frida-server-16.0.9-android-arm64.xz (for an arm64 phone)
Don't download the wrong build: the frida-server version must match the frida version installed on the computer, and the build must match the phone's architecture
Check the frida version:

C:\Users\sanqiu> frida --version
16.0.9

Then unpack the file, push it to /data/local/tmp/ on the phone (the commands below run it as frida-server-arm64) and remember to change the file permission so it is executable
4. Run frida-server
In cmd window 1, execute on the mobile phone:

adb shell
su
/data/local/tmp/frida-server-arm64

In cmd window 2, execute:

adb forward tcp:27042 tcp:27042

5. Check whether frida-server is reachable from the computer

frida-ps -U

If the phone's process list is displayed, the connection succeeded

C:\Users\sanqiu>frida-ps -U
  PID  Name
-----  --------------------------------------------------------
  739  JunkServer
 6079  MT管理器
 6233  Magisk
  728  adbd
  437  aee_aed
  438  aee_aed64
  439  aee_aedv
  440  aee_aedv64
 1751  android.ext.services
  519  android.hardware.audio.service.mediatek
  ...
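
Two checks from steps 3 and 5 (version match between frida-tools and the frida-server build, and whether `frida-ps -U` actually returned a process list) are easy to automate. The script below is an added example, not code from the original post; the sample version string, file name and process listing are constructed copies of the values shown above, and the regular expressions for the release file name and the `frida-ps` columns are this example's own assumptions about those formats.

```python
import re

# Constructed samples, copied from the values shown in steps 3 and 5 above.
SAMPLE_CLIENT_VERSION = "16.0.9"
SAMPLE_SERVER_FILENAME = "frida-server-16.0.9-android-arm64.xz"
SAMPLE_PS_OUTPUT = """\
  PID  Name
-----  --------------------------------------------------------
  739  JunkServer
 6079  MT管理器
 6233  Magisk
  728  adbd
 1751  android.ext.services
"""

# Assumed layout of a frida-server release file name: frida-server-<ver>-<os>-<arch>[.xz]
SERVER_NAME_RE = re.compile(
    r"^frida-server-(?P<version>\d+\.\d+\.\d+)-(?P<os>[a-z]+)-(?P<arch>[a-z0-9_]+)(?:\.xz)?$"
)
# Assumed layout of one `frida-ps -U` row: right-aligned PID, two spaces, name.
PS_LINE_RE = re.compile(r"^\s*(\d+)\s+(\S.*?)\s*$")


def parse_server_filename(filename):
    """Return (version, os, arch) from a frida-server file name, or None if it does not parse."""
    m = SERVER_NAME_RE.match(filename.strip())
    if not m:
        return None
    return m.group("version"), m.group("os"), m.group("arch")


def versions_match(client_version, server_filename):
    """Step 3 check: the frida-tools version must equal the frida-server version."""
    parsed = parse_server_filename(server_filename)
    if parsed is None:
        return False
    return parsed[0] == client_version.strip()


def parse_frida_ps(output):
    """Parse `frida-ps -U` text into {process name: pid}; header, separator and '...' rows are skipped."""
    procs = {}
    for line in output.splitlines():
        m = PS_LINE_RE.match(line)
        if m:
            procs[m.group(2)] = int(m.group(1))
    return procs


def server_reachable(output):
    """Step 5 check: frida-server answered if at least one process row was parsed."""
    return bool(parse_frida_ps(output))


def find_process(output, name):
    """Return the PID of `name` in the listing, or None when it is not running."""
    return parse_frida_ps(output).get(name)


if __name__ == "__main__":
    # Live run; assumes frida-tools is installed and `adb forward` (step 4) is in place.
    import subprocess
    client = subprocess.run(["frida", "--version"], capture_output=True, text=True).stdout
    print("version match:", versions_match(client, SAMPLE_SERVER_FILENAME))
    ps = subprocess.run(["frida-ps", "-U"], capture_output=True, text=True).stdout
    print("server reachable:", server_reachable(ps))
    print("Magisk pid:", find_process(ps, "Magisk"))
```

Run it before step 6: a version mismatch or an empty listing is the usual reason the attach in the demo script fails, and both are cheaper to spot here than inside a traceback.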

6. Code test
Edit the script in Notepad++, then click Run and enter the command that runs the program:

cmd /k python "<full path of the .py file>" & ECHO & PAUSE & EXIT

The demo script is as follows

# https://blog.csdn.net/weixin_38819889/article/details/122535920  Functions needed to hook the SO (native) layer

import frida, sys

# Write the hook code here
jsCode = """
var str_name_so = "libil2cpp.so";        // name of the .so to hook
var n_addr_func_offset = 0x6B257C;       // offset of the target function inside the .so

// After loading into memory: function address = so base address + function offset
var n_addr_so = Module.findBaseAddress(str_name_so);
if (n_addr_so === null) {
    throw new Error(str_name_so + " is not loaded in the target process");
}
// NativePointer.add keeps full 64-bit precision; parseInt() on the hex string
// would lose bits for addresses above 2^53
var ptr_func = n_addr_so.add(n_addr_func_offset);

Interceptor.attach(ptr_func,
{
    onEnter: function(args)
    {
        console.log("hook api start");
    },
    onLeave: function(retval)
    {
        console.log("hook api stop");
    }
});
""";

# Fill in the application name here
# Use the command frida-ps -U to look it up
package_name = '穿越火线:最后战役X'

# Log file that the message handler appends send() payloads to
fw = open("frida_hook.log", "a", encoding="utf-8")

def message(message, data):
    if message["type"] == 'send':
        print(u"[*] {0}".format(message['payload']))
        fw.write(u"[*] {0}\n".format(message['payload']))
        fw.flush()
    else:
        print(message)

# get_remote_device() uses the port forwarded in step 4 (adb forward tcp:27042 tcp:27042)
process = frida.get_remote_device().attach(package_name)
script = process.create_script(jsCode)
script.on("message", message)
script.load()
sys.stdin.read()


Source: blog.csdn.net/sanqiuai/article/details/128991482