It started with chatting in a group with some guys about Android hook frameworks. I had learned Xposed and found it very handy, but from them I also got to know Frida, which seemed really good,
so I decided to study it a bit.
I wrote a small demo here.
Java layer:
Python code:
```python
import frida
import sys

# Agent script injected into the target process.
jscode = """
Java.perform(function () {
    var demo = Java.use('com.example.frida_demo.demo');
    demo.add.implementation = function (a, b) {
        send("Hook Start...");
        send(a);
        send(b);
        // Call the original add() with both arguments bumped by one.
        var add_ret = this.add(a + 1, b + 1);
        send("Return:" + add_ret);
        return add_ret;
    };
});
"""


def on_message(message, data):
    # Messages emitted via send() carry a payload; anything else (e.g. script errors) is printed raw.
    if message['type'] == 'send':
        print("[*] {0}".format(message['payload']))
    else:
        print(message)


# frida-server on the device is reached through the adb-forwarded TCP port.
process = frida.get_remote_device().attach('com.example.frida_demo')
script = process.create_script(jscode)
script.on("message", on_message)
script.load()
sys.stdin.read()
```
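The `on_message` callback above only looks at `send` messages; when the hook script throws, Frida delivers a message of type `error` with `description`, `stack`, `fileName` and `lineNumber` fields instead of a `payload`, and a second argument passed to `send()` (an ArrayBuffer) arrives as raw bytes in `data`. The following is an added example, not code from the original post, that handles all of these cases and keeps the formatting logic separate from the `frida` import so it can be exercised without a device attached. The `frida` package and a running frida-server are assumed only for `run()`.

```python
"""Added example, not code from the original post: a message handler covering
both message types Frida's Python binding delivers to script.on("message", ...).
The 'send'/'error' field names follow Frida's documented protocol; the frida
import is deferred so the formatting logic runs without a device attached."""
import json
import sys


def format_message(message, data=None):
    """Return one printable line for a message from the agent script.

    type 'send'  : payload is whatever the JS side passed to send(); an optional
                   second argument (ArrayBuffer) arrives as the raw `data` bytes.
    type 'error' : an uncaught JS exception; Frida supplies description, stack
                   and source position instead of a payload.
    """
    mtype = message.get("type")
    if mtype == "send":
        payload = message.get("payload")
        # Strings pass through unchanged; objects/arrays are dumped as JSON.
        text = payload if isinstance(payload, str) else json.dumps(payload)
        if data:
            text += " | data({} bytes): {}".format(len(data), data.hex())
        return "[*] " + text
    if mtype == "error":
        where = "{}:{}".format(message.get("fileName", "<script>"),
                               message.get("lineNumber", "?"))
        return "[!] {} at {}\n{}".format(message.get("description"),
                                        where, message.get("stack", ""))
    # Anything else (future message kinds) is shown raw rather than dropped.
    return "[?] " + json.dumps(message)


def on_message(message, data):
    print(format_message(message, data))


def run(package, jscode):
    """Attach to `package` through the adb-forwarded port where frida-server
    listens, load the hook script and keep it alive until stdin closes.
    Assumes `pip install frida`; the import is local so the rest of this
    module works without it."""
    import frida
    session = frida.get_remote_device().attach(package)
    script = session.create_script(jscode)
    script.on("message", on_message)
    script.load()
    sys.stdin.read()


if __name__ == "__main__":
    # usage: python hook.py <package name> <hook.js>
    with open(sys.argv[2]) as f:
        run(sys.argv[1], f.read())
```

Without the `error` branch a typo in the JS hook shows up only as an opaque dictionary dump; with it, the description and line number point straight at the faulty line of the agent script.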
android demo代碼
別忘記端口轉發
adb forward tcp:27043 tcp:27043
adb forward tcp:27042 tcp:27042
可以實驗得出 在java層 確實還是挺好使的,
然後就是在so層
so層拿了iscc的程序做了例子
```python
import frida
import sys

# Agent script: resolve the JNI export in libnative-lib.so and trace its calls.
jscode = """
Java.perform(function () {
    var nativePointer = Module.findExportByName("libnative-lib.so",
        "Java_com_iscc_crackme_MainActivity_checkSecond");
    send("native: " + nativePointer);
    Interceptor.attach(nativePointer, {
        onEnter: function (args) {
            // Raw argument registers/stack slots as NativePointers.
            send(args[0]);
            send(args[1]);
            send(args[2]);
            send(args[3]);
            send(args[4]);
        },
        onLeave: function (retval) {
            send(retval.toInt32());
        }
    });
});
"""


def on_message(message, data):
    if message['type'] == 'send':
        print("[*] {0}".format(message['payload']))
    else:
        print(message)


process = frida.get_remote_device().attach('com.iscc.crackme')
script = process.create_script(jscode)
script.on("message", on_message)
script.load()
sys.stdin.read()
```
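The export name `Java_com_iscc_crackme_MainActivity_checkSecond` is not arbitrary: it is the JNI mangling of the Java method `com.iscc.crackme.MainActivity.checkSecond`, and for any such function `args[0]` is the `JNIEnv*` and `args[1]` the `jobject`/`jclass`, so the Java-side parameters begin at `args[2]`. When a library exports many `Java_*` symbols it helps to turn them back into class and method names before choosing what to hook. The following is an added example, not code from the original post, implementing the JNI specification's name-resolution rules (`_` between components, `__` before an overloaded method's argument signature, `_0XXXX`/`_1`/`_2`/`_3` escapes); the overloaded sample names used in the tests are constructed.

```python
"""Added example, not part of the original post: resolve the JNI export name a
native hook targets back to the Java class and method it implements. The
rules are those of the JNI specification ("Resolving Native Method Names"):
'Java_' prefix, '_' between package/class/method components, '__' before the
argument signature of an overloaded method, and the escapes _0XXXX (Unicode
char), _1 ('_'), _2 (';'), _3 ('[')."""
import re
import sys

_ESCAPES = {"1": "_", "2": ";", "3": "["}


def demangle_jni_symbol(symbol):
    """Return (class_name, method_name, arg_signature) for a JNI export.
    arg_signature is None for the short form used by non-overloaded methods."""
    if not symbol.startswith("Java_"):
        raise ValueError("not a JNI native method name: %r" % symbol)
    s = symbol[len("Java_"):]
    parts = [[]]      # class/method components, each a list of chars
    sig = None        # argument signature chars once '__' has been seen
    i = 0
    while i < len(s):
        c = s[i]
        dest = sig if sig is not None else parts[-1]
        if c != "_":
            dest.append(c)
            i += 1
            continue
        nxt = s[i + 1] if i + 1 < len(s) else ""
        if nxt == "0" and re.fullmatch(r"[0-9a-fA-F]{4}", s[i + 2:i + 6]):
            dest.append(chr(int(s[i + 2:i + 6], 16)))   # _0XXXX
            i += 6
        elif nxt in _ESCAPES:
            dest.append(_ESCAPES[nxt])                   # _1 _2 _3
            i += 2
        elif nxt == "_" and sig is None:
            sig = []                                     # '__' starts signature
            i += 2
        else:
            # plain '_': component separator in the name, '/' in the signature
            if sig is not None:
                sig.append("/")
            else:
                parts.append([])
            i += 1
    names = ["".join(p) for p in parts]
    if len(names) < 2 or not all(names):
        raise ValueError("no class/method split in %r" % symbol)
    return ".".join(names[:-1]), names[-1], ("".join(sig) if sig is not None else None)


if __name__ == "__main__":
    # usage: python jni_names.py Java_com_iscc_crackme_MainActivity_checkSecond ...
    for sym in sys.argv[1:] or ["Java_com_iscc_crackme_MainActivity_checkSecond"]:
        cls, method, sig = demangle_jni_symbol(sym)
        print("{}  ->  {}.{}{}".format(sym, cls, method, "(" + sig + ")" if sig else ""))
```

The class name this returns is exactly what `Java.use()` expects, so the same symbol can be hooked either at the native export with `Interceptor.attach` or at the Java declaration, and the two traces compared.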
As shown in the figure, when the correct flag is entered the return value is 1.
Done. Time to start writing my own project.