1. Install the Python environment
2. Install frida on the computer
pip install frida-tools
3. Install frida-server on your mobile phone
Download it from https://github.com/frida/frida/releases
frida-server-16.0.9-android-arm64.xz (for an arm64 phone)
Don't download the wrong build: the frida version on the computer must match the frida-server version on the phone.
Check the frida version with
C:\Users\sanqiu> frida --version
16.0.9
Then extract the file, put it in /data/local/tmp/ and remember to change the file permissions so that it is executable
4. Run the frida-server
In cmd window 1, open a shell on the phone and start the server:
adb shell
su
/data/local/tmp/frida-server-arm64
In cmd window 2, forward the port:
adb forward tcp:27042 tcp:27042
5. Check whether frida on the computer can connect to the frida-server
frida-ps -U
If the phone's process list is displayed, the connection works:
C:\Users\sanqiu>frida-ps -U
PID Name
----- --------------------------------------------------------
739 JunkServer
6079 MT管理器
6233 Magisk
728 adbd
437 aee_aed
438 aee_aed64
439 aee_aedv
440 aee_aedv64
1751 android.ext.services
519 android.hardware.audio.service.mediatek
...
6. Code test
Use Notepad++ to edit the code, then click Run and enter the following command (文件全路径名 stands for the full path of the script file):
cmd /k python "文件全路径名" & ECHO & PAUSE & EXIT
The demo is as follows:
# Functions needed to hook the SO (native) layer; reference: https://blog.csdn.net/weixin_38819889/article/details/122535920
import frida, sys

# Write the hook code here
jsCode = """
var str_name_so = "libil2cpp.so"; // name of the .so to hook
var n_addr_func_offset = 0x6B257C; // offset of the target function inside the .so
// Once loaded into memory: function address = so base address + function offset
var n_addr_so = Module.findBaseAddress(str_name_so);
if (n_addr_so === null) {
    throw new Error(str_name_so + " is not loaded yet");
}
// NativePointer arithmetic keeps the full 64-bit address; converting the
// address to a JS number with parseInt can lose precision on arm64
var ptr_func = n_addr_so.add(n_addr_func_offset);
Interceptor.attach(ptr_func,
{
    onEnter: function(args)
    {
        console.log("hook api start");
    },
    onLeave: function(retval)
    {
        console.log("hook api stop");
    }
});
""";

# Fill in the application name here
# Look it up with the command frida-ps -U
package_name = '穿越火线:最后战役X'

# Log file that receives the payload of every send() message from the script
fw = open("hook_log.txt", "a", encoding="utf-8")

def on_message(message, data):
    if message["type"] == 'send':
        print(u"[*] {0}".format(message['payload']))
        fw.write(u"[*] {0}\n".format(message['payload']))
        fw.flush()
    else:
        # "error" messages carry the script's exception description and stack
        print(message)

# get_remote_device() talks to 127.0.0.1:27042, the port forwarded with adb above
process = frida.get_remote_device().attach(package_name)
script = process.create_script(jsCode)
script.on("message", on_message)
script.load()
sys.stdin.read()
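As an added example (not code from the original post), the same host-side workflow split into functions that can be exercised without a phone attached: the hook script is generated from the module name and offset, reports through send() so the Python handler actually receives its events, and script errors are logged with their stack. The names build_hook_script, handle_message and run are this example's own.

```python
"""Host side of the Frida hook above, written so the helpers run offline."""
import json
import sys

# Frida JS template; %(so)s and %(offset)s are filled in by build_hook_script.
# send() is used instead of console.log so the Python "message" handler sees
# each call as a {"type": "send", "payload": ...} message.
_HOOK_TEMPLATE = """
var soName = %(so)s;
var funcOffset = %(offset)s;
var base = Module.findBaseAddress(soName);
if (base === null) { throw new Error(soName + " is not loaded yet"); }
// function address = so base address + function offset (NativePointer math)
Interceptor.attach(base.add(funcOffset), {
    onEnter: function (args) { send({event: "enter", x0: args[0].toString()}); },
    onLeave: function (retval) { send({event: "leave", ret: retval.toString()}); }
});
"""

def build_hook_script(so_name, func_offset):
    """Return the hook JS for so_name + func_offset (offset as a non-negative int)."""
    if not isinstance(func_offset, int) or func_offset < 0:
        raise ValueError("func_offset must be a non-negative integer")
    return _HOOK_TEMPLATE % {"so": json.dumps(so_name), "offset": hex(func_offset)}

def handle_message(message, data, sink=None):
    """Format one message from the script; write it to sink (if given) and return it."""
    if message["type"] == "send":
        line = "[*] {0}".format(message["payload"])
    elif message["type"] == "error":  # script exception: keep the JS stack
        line = "[!] {0}\n{1}".format(message.get("description"), message.get("stack", ""))
    else:
        line = str(message)
    if sink is not None:
        sink.write(line + "\n")
        sink.flush()
    return line

def run(process_name, so_name, func_offset, log_path="hook_log.txt"):
    import frida  # imported here so the helpers above work without frida installed
    device = frida.get_remote_device()  # 127.0.0.1:27042, forwarded with adb
    session = device.attach(process_name)
    with open(log_path, "a", encoding="utf-8") as fw:
        script = session.create_script(build_hook_script(so_name, func_offset))
        script.on("message", lambda m, d: print(handle_message(m, d, fw)))
        script.load()
        sys.stdin.read()

if __name__ == "__main__":
    run("穿越火线:最后战役X", "libil2cpp.so", 0x6B257C)  # values from the post above
```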