Space is limited.
For the full article and source code, follow the WeChat public account ReverseCode and send 沖.
Flashing
https://developers.google.com/android/images#angler
Power + Volume Down enters recovery
Pixel
ES File Explorer: browse system files
For reverse engineering a real device is a must, and nothing beats a Google-made one: emulators lack the native/so layer and run a stripped-down system, so a real device is the way to go.
adb reboot bootloader, or hold Volume Down + Power, to enter fastboot mode
cd sailfish-opm4.171019.021.p1-factory-0bcf4315/sailfish-opm4.171019.021.p1 && ./flash-all.sh  start flashing
Settings > About phone > tap Build number 8 times to enable developer mode; then Settings > System > Advanced > Developer options > USB debugging
adb push Magisk-v20.4.zip /sdcard
adb push magisk-riru-v21.3.zip /sdcard/Download  install as a Magisk module and reboot
adb push magisk-EdXposed-SandHook-v0.4.5.1_beta.4463.-release.zip /sdcard/Download  install as a Magisk module and reboot
adb install EdXposedManager-4.5.7-45700-org.meowcat.edxposed.manager-release.apk  install the Xposed manager
adb push MagiskHidePropsConf-v5.3.4.zip /sdcard/Download
adb install JustTrustMePlus-debug.apk  used together with Xposed to get past SSL pinning when capturing traffic
TWRP is a third-party recovery used to flash Magisk, NetHunter and other modified systems.
fastboot flash recovery twrp-3.3.0-0-angler.img
adb reboot bootloader
fastboot boot twrp-3.4.0-0-sailfish.img  enter recovery mode
install Magisk-v20.4.zip (from TWRP)
adb install MagiskManager-v7.5.1.apk
settings put global captive_portal_http_url https://www.google.cn/generate_204  removes the × on the Wi-Fi icon
settings put global captive_portal_https_url https://www.google.cn/generate_204
settings put global ntp_server 1.hk.pool.ntp.org  change the time server (time zone fix)
reboot
When flashing on Linux with the latest platform-tools, fastboot fails with "unknown command" or similar errors; replace the fastboot binary with the one built together with AOSP (a self-compiled fastboot works).
rm ~/Android/Sdk/platform-tools/fastboot
cp fastboot810r1 fastboot
fastboot --version
Connecting adb over Wi-Fi makes it possible to control several devices at once
adb -s 192.168.0.104:5555 install com.ttxapps.wifiadb_2.1.3-810031745_minAPI15(nodpi)_apkmirror.com.apk
install the APK
adb connect 192.168.0.104:5555
connect adb to the phone
termux
adb -s 192.168.0.104:5555 install com.termux_92.apk
run commands from the app side when adb is blocked
pkg update && pkg install htop
install a process-management package on the app side
xdebuggable && XAppDebug
Launch EdXposed, search for the xdebuggable and XAppDebug modules, install and enable them to make APKs debuggable (a proxy is needed)
ro.debuggable
adb push MagiskHidePropsConf-v5.3.4.zip /sdcard/Download
then install MagiskHidePropsConf-v5.3.4.zip via Magisk Manager > Modules > Download > Install
reboot, then in adb shell run props
1 - Edit device fingerprint
2 - Force BASIC key attestation
3 - Device simulation (disabled)
4 - Edit MagiskHide props
5 - Add/edit custom props
6 - Delete prop values
7 - Script settings
8 - Collect logs
u - Perform module update check
r - Reset all options/settings
b - Reboot device
e - Exit
See the module readme or the
support thread @ XDA for details.
Enter your desired option: 4
1 - ro.debuggable
2 - ro.secure
3 - ro.build.type
4 - ro.build.tags
5 - ro.bootmode
6 - ro.boot.mode
a - Change all props
b - Go back to main menu
e - Exit
Pick several options at once by
separating inputs with a comma.
Example: 1,3,4
See the module readme or the
support thread @ XDA for details.
Enter your desired option: 1
You currently have the safe value set.
Are you sure you want to change it to 1?
Enter y(es), n(o) or e(xit): y
Do you want to reboot now (y/n)?
Enter y(es), n(o) or e(xit): y
getprop ro.debuggable now returns 1: global debugging is enabled
Pixel XL
adb reboot bootloader
fastboot boot twrp-3.4.0-0-marlin.img  enter TWRP
TWRP main screen > Wipe > Format Data, type yes
Advanced Wipe > tick Dalvik / ART Cache, Cache, System, Data, Internal Storage (never tick Vendor) > swipe to confirm the wipe
TWRP main screen > Advanced > ADB Sideload (swipe to start), tick the Dalvik cache and Cache wipe options
adb sideload lineage-17.1-20201028-nightly-marlin-signed.zip  then reboot
Settings > About phone > tap Build number 8 times to enable Developer options
Settings > System > Advanced > Developer options > Android debugging
adb install MagiskManager-v7.5.1.apk
adb install EdXposedManager-4.5.7-45700-org.meowcat.edxposed.manager-release.apk
adb push magisk-riru-v21.3.zip /sdcard/Download
adb push MagiskHidePropsConf-v5.3.4.zip /sdcard/Download
adb push EdXposed-SandHook-v0.4.6.2.4529.-release.zip /sdcard/Download
adb reboot bootloader
fastboot boot twrp-3.4.0-0-marlin.img
TWRP main screen > Advanced > ADB Sideload (swipe to start)
adb sideload Magisk-v20.4.zip  then reboot
In Magisk Manager > Modules, pick the download directory and install riru, MagiskHidePropsConf and EdXposed
adb install JustTrustMePlus-debug.apk
marlin with SR5-SuperSU-v2.82-SR5-20171001224502.zip, xposed-v89-sdk25-arm64.zip and XposedInstaller_3.1.5
adb reboot bootloader
./flash-all.bat
Settings > About phone > tap Build number 8 times to enable Developer options
Settings > System > Advanced > Developer options > Android debugging
adb install XposedInstaller_3.1.5.apk
fastboot boot twrp-3.4.0-0-marlin.img
install SR5-SuperSU-v2.82-SR5-20171001224502.zip and xposed-v89-sdk25-arm64.zip (from TWRP)
adb push timeadjust.sh /data/local/tmp && sh timeadjust.sh
On the Pixel series xposed-v89-sdk25-arm64.zip cannot be used to install Xposed; the only option is to go through a proxy (ssr) and download the Xposed framework from Google.
Nexus 6P
adb reboot bootloader
fastboot devices
fastboot erase cache  if < waiting for any device > appears, unplug and replug the USB cable
fastboot erase userdata
fastboot flashing unlock
fastboot flash bootloader .\bootloader-angler-angler-03.68.img
fastboot reboot-bootloader
fastboot flash radio .\radio-angler-angler-03.81.img
fastboot reboot-bootloader
fastboot flash vendor .\image-angler-n2g48c\vendor.img
fastboot reboot-bootloader
fastboot flash system .\image-angler-n2g48c\system.img
fastboot flash boot .\image-angler-n2g48c\boot.img
fastboot flash recovery recovery.img
fastboot erase cache
fastboot erase userdata
fastboot flash cache cache.img
fastboot flash userdata userdata.img
fastboot flashing lock
Settings > About phone > tap Build number 8 times to enable developer mode > open Developer options
adb push UPDATE-SuperSU-v2.79-20161211114519.zip /sdcard
adb push xposed-v89-sdk25-arm64.zip /sdcard
ROM: https://dl.google.com/dl/android/aosp/angler-n2g48c-factory-6a21e528.zip
Unzip it to get angler-n2g48c-factory-6a21e528\angler-n2g48c\image-angler-n2g48c
SuperSU: https://download.chainfire.eu/1016/SuperSU/UPDATE-SuperSU-v2.79-20161211114519.zip
Xposed for Android 7.1 (SDK 25): https://dl-xda.xposed.info/framework/sdk25/arm64/xposed-v89-sdk25-arm64.zip
TWRP: https://dl.twrp.me/angler/twrp-3.4.0-0-angler.img
Kali NetHunter
wget https://dl.google.com/dl/android/aosp/angler-opm1.171019.011-factory-39448337.zip
adb kill-server
adb start-server
adb reboot bootloader
./flash-all.sh  if it fails, replace fastboot (locate it with which fastboot) with fastboot 8.1.0 r1; then enable Developer options and USB debugging
https://www.kali.org/kali-nethunter/
https://www.offensive-security.com/kali-linux-nethunter-download/
Nexus 6P Oreo (ZIP)
adb push SR5-SuperSU-v2.82-SR5-20171001224502.zip /sdcard/
adb push nethunter-2021.1-angler-oreo-kalifs-full.zip /sdcard/
adb push timeadjust.sh /sdcard/
adb reboot bootloader
fastboot flash recovery twrp-3.4.0-0-angler.img
After flashing, press Volume Down, select Recovery mode and press Power to enter it.
In recovery choose Install > SR5-SuperSU-v2.82-SR5-20171001224502.zip to flash it.
Enter recovery again and flash nethunter-2020.2-pre3-angler-oreo-kalifs-full.zip.torrent; unpacking the Kali rootfs in the middle takes up to 25 minutes
Connect to Wi-Fi
sh timeadjust.sh syncs the time, then reboot
After flashing, on the first boot into the system open the NetHunter app first and grant every permission it asks for; open Kali Chroot Manager from the left drawer and tap START KALI CHROOT. This initialization is needed only once; after any later reboot it shows "Everything is fine and Chroot has been started!" as in the screenshot.
Open the NetHunter Terminal app and select KALI to enter the Kali system
apt update refreshes the package lists
apt install neofetch htop jnettop
In NetHunter open the KeX Manager tab on the left, tap SETUP LOCAL SERVER, enter and confirm a connection password and a view-only password, then tap START SERVER. Open the NetHunter KeX app, enter the password and tap Connect to reach the Kali NetHunter desktop.
Paired with QtScrcpy you can view the phone screen on a PC, or use a USB hub with four ports for full keyboard-and-mouse control from the PC. The system ships with Java, Burp Suite 2020.06, Charles, Python 3 and Python.
vnc
Open the NetHunter app:
- switch to Kali Chroot Manager, START KALI CHROOT
- switch to Kali Services, start SSH and tick Start at Boot, which gives you sshd
- switch to KeX Manager > SETUP LOCAL SERVER, set the password, untick Localhost Only, START SERVER, OPEN KEX CLIENT
Open VNC Viewer; read the IP address from the NetHunter terminal, use display 1, and log in over VNC
With a USB-C hub with four USB ports, connect keyboard and mouse and the Nexus 6P becomes a Kali computer.
Nexus
adb reboot bootloader
fastboot oem unlock
fastboot erase cache  if < waiting for any device > appears, unplug and replug the USB cable
fastboot erase userdata
fastboot flash bootloader .\bootloader-hammerhead-hhz20h.img
fastboot flash radio .\radio-hammerhead-m8974a-2.0.50.2.30.img
fastboot reboot-bootloader
cd .\image-hammerhead-m4b30z\
fastboot flash recovery recovery.img
fastboot flash boot boot.img
fastboot flash system system.img
fastboot flash userdata userdata.img
fastboot erase cache
fastboot erase userdata
fastboot flash cache cache.img
fastboot flash userdata userdata.img
fastboot reboot
Settings > About phone > tap Build number 8 times to enable developer mode > open Developer options
adb push UPDATE-SuperSU-v2.79-20161211114519.zip /sdcard
adb push .\xposed-v89-sdk23-arm.zip /sdcard
adb reboot bootloader
fastboot flash recovery twrp-3.4.0-0-hammerhead.img  then enter recovery mode
adb install .\XposedInstaller_3.1.5.apk  install Xposed
adb shell
inside adb shell, enter su to get superuser rights
chmod 711 /data/user/0/de.robv.android.xposed.installer
reboot  installation complete
Xiaomi Mix 2
Enable Developer options > USB debugging
Device unlock status > bind the account and device
adb reboot bootloader, then unlock the bootloader by running miflash_unlock.exe
EdXposed-SandHook-v0.4.6.2.4529.-release.zip
adb reboot bootloader
fastboot flash recovery twrp-3.3.1-1-chiron.img
fastboot boot twrp-3.3.1-1-chiron.img
adb push lineage-17.0-chiron.zip  the path must not contain Chinese characters
In TWRP wipe the Cache, System and Data partitions
install lineage-17.0-chiron.zip
install Magisk-v20.4.zip
adb install MagiskManager-v7.5.1.apk
adb install EdXposedManager-4.5.7-45700-org.meowcat.edxposed.manager-release.apk
install the following from Magisk
adb push magisk-riru-v21.3.zip /sdcard/Download
adb push MagiskHidePropsConf-v5.3.4.zip /sdcard/Download
adb push EdXposed-SandHook-v0.4.6.2.4529.-release.zip /sdcard/Download
Genymotion
Keep a global proxy on for the whole install. Install the Nexus 5X 8.0 image with network mode set to Bridge, or switch the adapter to bridged in VirtualBox; if VirtualBox offers no bridged adapter in its network settings,
edit D:\VirtualBox\drivers\network\netlwf\VBoxNetLwf.inf
Settings > System > Languages & input > Languages > Add a language > Simplified Chinese
What if adb cannot connect to Genymotion?
In Genymotion's settings, set "Use custom Android SDK tools" to the local Android SDK path
adb kill-server followed by adb start-server restarts adb
After installing WiFi ADB it connects on the 192.x subnet by default; with bridging configured, adb connect 192.168.0.104:5555
ARM translation
uname -a shows i686
The CPU architecture is 32-bit x86, which cannot run ARM code; install the ARM translation layer by dragging Genymotion-ARM-Translation_for_8.0.zip onto the Nexus 5X 8.0 VM
adb reboot, after which APKs containing ARM .so libraries can be installed
Kali
Stop using Windows. As Lu Xun once said, more than half the suffering of his reverse-engineering career was inflicted by Windows.
VMware installer; license key: YC34H-6WWDK-085MQ-JYPNX-NZRA2
kali-linux-2020.4-vmware-amd64.7z torrent; open the .vmx in VMware, give it 6 GB of RAM and 80 GB of disk, set the network adapter to bridge to the local NIC (Virtual Network Editor); default credentials kali/kali; sudo passwd root to change the root password to 123456
After rebooting log in as root; the installer package is android-studio-ide-201.7042882-linux.tar.gz
~/.cache/vmware/drag_and_drop  periodically delete the cache of files copied by drag and drop
Basic configuration
apt update;apt install htop jnettop tmux iotop
dpkg-reconfigure tzdata  select Asia/Shanghai
apt update  the time is synced automatically after the update
apt install xfonts-intl-chinese  install Chinese fonts
apt-get install ttf-wqy-microhei
# nano /etc/ssh/sshd_config  enable sshd
PermitRootLogin yes
# /etc/init.d/ssh start
Common software
tar zxf android-studio-ide-201.7042882-linux.tar.gz
cd ~/Desktop/android-studio/bin && ./studio.sh  start Android Studio
ctrl+shift+t  open a new terminal in the current window
vim ~/.zshrc
export PATH="/root/Android/Sdk/platform-tools:$PATH"  add to the environment
exec "$SHELL"
dpkg -i code_1.52.1-1608136922_amd64.deb  install VS Code
If Android Studio reports
To build this project, accept the SDK license agreements and install the missing components?
run /root/Android/Sdk/tools/bin/sdkmanager --licenses
jadx-1.2.0.zip: to open multi-dex files, set DEFAULT_JVM_OPTS="-Xms512M" "-Xmx8g" in jadx-gui, and add it to PATH in .zshrc: export PATH="/root/Android/Sdk/ndk-bundle:/root/Android/Sdk/platform-tools:${JAVA_HOME}/bin:$PATH:/root/Desktop/charles/bin:/root/Desktop/jadx-1.2.0/bin:$NDK_HOME"
curl -fsSL https://deb.nodesource.com/setup_14.x | bash -
apt-get install -y nodejs
npm install --save @types/frida-gum  code completion for Frida
jeb-pro-3.19.1.202005071620_pwd_ilbtcdnwiuypbzeo_.7z: run ./jeb_linux.sh, enter the password ilbtcdnwiuypbzeo, in the UI click the middle button under Manual Key Generation to get the LICENSE DATA, run jebKeygen.py to obtain the license key, enter it in the key field and continue
In Kali, the DDMS of Android Studio 4 fails to start because it has to be launched with the JRE bundled with Android Studio; running ./monitor directly uses Kali's system JDK, which is too new. ln -s /root/Desktop/android-studio/jre/ /root/Android/Sdk/tools/lib/monitor-x86_64/ and then open DDMS with ~/Android/Sdk/tools/monitor
vim ~/.bashrc && source ~/.bashrc
export PATH=$PATH:/root/Android/Sdk/platform-tools
JDK 1.8
apt-get remove openjdk-11-jre-headless:amd64
apt-get remove openjdk-11-jre:amd64
tar zxf jdk-8u191-linux-x64.tar.gz -C /opt/jdk
vim ~/.zshrc
export JAVA_HOME=/opt/jdk
export CLASSPATH=.:${JAVA_HOME}/lib
export PATH="/root/Android/Sdk/ndk-bundle:/root/Android/Sdk/platform-tools:${JAVA_HOME}/bin:$PATH"
source ~/.zshrc
update-alternatives --install /usr/bin/java java /opt/jdk/bin/java 1
update-alternatives --install /usr/bin/javac javac /opt/jdk/bin/javac 1
update-alternatives --set java /opt/jdk/bin/java
update-alternatives --set javac /opt/jdk/bin/javac
Nexus 5X
Install order: TWRP > SuperSU > NetHunter
Download the Nexus 5X build from the Kali NetHunter site; with screen mirroring it becomes a mini Linux pentest box. Install it through TWRP, then sh userinit.sh
sync the time
| Key | Action |
|---|---|
| Tab | switch between smali and Java code |
| Ctrl+B | set a breakpoint (only works in the smali view) |
| Esc | go back to the previous reference |
View components declared in activity_main.xml: JEB shows their IDs as hex in the code; convert them to decimal with the calculator's programmer mode, since jadx stores the decimal value from resources.arsc. GDA has an APK entry point that jumps straight to MainActivity and likewise shows the IDs as hex in the code.
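The hex-to-decimal step above can be done without a calculator, and the ID carries more structure than a single number. The following Python is an added example, not code from the original post: it decodes the 0xPPTTEEEE layout of an Android resource ID (package id, 1-based type index into the resources.arsc type pool, entry index) and converts between the hex form JEB and GDA show and the decimal form jadx reads from resources.arsc. The type-name table is constructed for illustration; a real one is read from the APK's resources.arsc.

```python
# Added example, not code from the original post: decode Android resource IDs.
# A 32-bit resource ID has the layout 0xPPTTEEEE: PP = package id (0x7f for the
# app's own package, 0x01 for the android framework), TT = 1-based index into
# the package's type string pool in resources.arsc, EEEE = entry index.
from typing import Dict, List

APP_PACKAGE_ID = 0x7F
FRAMEWORK_PACKAGE_ID = 0x01

# Constructed type table for illustration only; a real one comes from
# resources.arsc, where type index 1 is the first entry of the pool.
SAMPLE_TYPE_NAMES: List[str] = ["attr", "drawable", "layout", "string", "id"]


def parse_resource_id(text: str) -> int:
    """Accept the hex form JEB/GDA show (0x7f0a0001) or the decimal form jadx stores."""
    text = text.strip().lower()
    value = int(text, 16) if text.startswith("0x") else int(text, 10)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("resource id must fit in 32 bits")
    return value


def to_hex(res_id: int) -> str:
    """Render a resource ID the way it appears in decompiled code."""
    return f"0x{res_id:08x}"


def decode_resource_id(res_id: int) -> Dict[str, int]:
    """Split 0xPPTTEEEE into its package, type and entry fields."""
    return {
        "package": (res_id >> 24) & 0xFF,
        "type": (res_id >> 16) & 0xFF,
        "entry": res_id & 0xFFFF,
    }


def type_name(res_id: int, type_names: List[str]) -> str:
    """Map the 1-based type index to its name; unknown indices are reported, not guessed."""
    idx = decode_resource_id(res_id)["type"]
    if 1 <= idx <= len(type_names):
        return type_names[idx - 1]
    return f"type#{idx}"


def describe(text: str, type_names: List[str] = SAMPLE_TYPE_NAMES) -> str:
    """One-line summary: hex, decimal, owning package and resource type."""
    res_id = parse_resource_id(text)
    fields = decode_resource_id(res_id)
    owner = {APP_PACKAGE_ID: "app", FRAMEWORK_PACKAGE_ID: "android"}.get(fields["package"], "other")
    return (f"{to_hex(res_id)} = {res_id} -> package={owner} "
            f"type={type_name(res_id, type_names)} entry={fields['entry']}")


if __name__ == "__main__":
    for sample in ("0x7f030000", "2131361793", "0x01010001"):
        print(describe(sample))
```

Either form can be pasted in: a decimal value copied from jadx's resources.arsc view is reported with its hex spelling, so it can be searched for in JEB, and vice versa.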
Basic commands
| Command | Purpose |
|---|---|
| getprop ro.product.cpu.abi | check the CPU ABI; emulators are usually x86 |
| dumpsys meminfo pid | memory-mapping information for a process |
| cat /proc/pid/maps | shared objects loaded by the process |
| cat /proc/pid/maps \| grep -i libart.so | all Java code is executed through libart.so, the key to unpackers |
| dumpsys activity top | show the current Activity and its View Hierarchy, including view class information |
| dumpsys package com.soviet.hook4crawler | information on an installed package |
| pm list packages | list all installed packages |
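The maps entries in the table are usually read with grep. As an added example that is not part of the original post, the following Python parses the output of cat /proc/pid/maps, lists the loaded .so files, finds the base of libart.so case-insensitively (the grep -i behaviour) and, going one step further than the command above, translates a file offset taken from a disassembler into the address it has inside the running process. The maps text is constructed for the example, not captured from a device.

```python
# Added example, not from the original post: parse /proc/<pid>/maps output
# (as obtained with `adb shell cat /proc/<pid>/maps`) instead of grepping it.
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample of maps output; addresses, inodes and paths are illustrative only.
SAMPLE_MAPS = """\
12c00000-52c00000 rw-p 00000000 00:00 0          [anon:dalvik-main space (region space)]
7a1b2c3000-7a1b2c4000 r--p 00000000 103:1d 1234   /data/app/com.example.app-1/lib/arm64/libnative.so
7a1b2c4000-7a1b2d0000 r-xp 00001000 103:1d 1234   /data/app/com.example.app-1/lib/arm64/libnative.so
7b4d000000-7b4d200000 r--p 00000000 103:1d 567    /apex/com.android.runtime/lib64/libart.so
7b4d200000-7b4d600000 r-xp 00200000 103:1d 567    /apex/com.android.runtime/lib64/libart.so
7b4d600000-7b4d640000 rw-p 00600000 103:1d 567    /apex/com.android.runtime/lib64/libart.so
7ff0000000-7ff0021000 rw-p 00000000 00:00 0          [stack]
"""

# One maps line: start-end perms offset dev inode [path]
MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)


class Region(NamedTuple):
    start: int
    end: int
    perms: str
    offset: int  # file offset this mapping starts at
    path: str


def parse_maps(text: str) -> List[Region]:
    """Turn maps text into Region records; lines that do not match are skipped."""
    regions: List[Region] = []
    for line in text.splitlines():
        m = MAPS_RE.match(line.strip())
        if not m:
            continue
        regions.append(Region(int(m["start"], 16), int(m["end"], 16), m["perms"],
                              int(m["offset"], 16), m["path"].strip()))
    return regions


def loaded_libraries(regions: List[Region]) -> List[str]:
    """Unique .so paths in order of first appearance."""
    seen: List[str] = []
    for r in regions:
        if r.path.endswith(".so") and r.path not in seen:
            seen.append(r.path)
    return seen


def _matches(region: Region, name: str) -> bool:
    # Case-insensitive basename match, like `grep -i libart.so`.
    return region.path.lower().endswith("/" + name.lower())


def library_base(regions: List[Region], name: str) -> Optional[int]:
    """Lowest mapped address of a library, or None when it is not loaded."""
    starts = [r.start for r in regions if _matches(r, name)]
    return min(starts) if starts else None


def executable_segments(regions: List[Region], name: str) -> List[Tuple[int, int]]:
    """(start, end) of the library's executable mappings, where its code lives."""
    return [(r.start, r.end) for r in regions if _matches(r, name) and "x" in r.perms]


def runtime_address(regions: List[Region], name: str, file_offset: int) -> Optional[int]:
    """Translate a file offset (e.g. from a disassembler) to its address in the process.

    A mapping covers file bytes [offset, offset + (end - start)); within it the
    address is start + (file_offset - offset). None if no mapping covers the offset.
    """
    for r in regions:
        if _matches(r, name) and r.offset <= file_offset < r.offset + (r.end - r.start):
            return r.start + (file_offset - r.offset)
    return None


if __name__ == "__main__":
    regs = parse_maps(SAMPLE_MAPS)
    print(loaded_libraries(regs))
    base = library_base(regs, "libart.so")
    print(hex(base) if base is not None else "libart.so not loaded")
```

Feed it real output with parse_maps(open("maps").read()) after pulling the file with adb; the anonymous and [stack] regions are kept in the list but never counted as libraries.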
pyenv environment
Manages several versions of Python packages (frida, objection, ...)
Full install of the latest versions: proxychains pip install objection
3.8.0
PYTHON_CONFIGURE_OPTS="--disable-ipv6" proxychains4 pyenv install 3.8.0
pyenv local 3.8.0
PYTHON_CONFIGURE_OPTS="--disable-ipv6" proxychains4 pip install frida==12.8.0
PYTHON_CONFIGURE_OPTS="--disable-ipv6" proxychains4 pip install frida-tools==5.3.0
PYTHON_CONFIGURE_OPTS="--disable-ipv6" proxychains4 pip install objection==1.8.4
objection -g com.android.settings explore
7z x frida-server-12.8.0-android-arm64
adb push frida-server-12.8.0-android-arm64 /data/local/tmp
mv frida-server-12.8.0-android-arm64 fs128arm64  rename it so anti-debugging checks do not spot it by name
chmod 777 fs128arm64
objection -g com.android.settings explore
android hooking list classes
A specific Frida version
Installed in this order, the objection install reports Requirement already satisfied and does not download a newer frida.
pip install frida==12.8.0
pip install frida-tools==5.3.0
pip install objection==1.8.4
Frida development environment
pyenv local 3.8.0 && ./fs128arm64
- git clone https://github.com/oleavr/frida-agent-example.git
- cd frida-agent-example/
- npm install
- Open the project in VS Code or another IDE and write TypeScript under agent/; you get code completion.
- npm run watch watches for source changes and rebuilds the JS file automatically
- frida -UF -l demo.js  attach over USB to the foreground app; saving the file reloads demo.js and re-applies the hook
Java.perform(function(){console.log("frida hook")})
- frida -UF -l demo.js --runtime=v8  use the V8 engine
Java.perform(()=>{console.log("Hello World")})
- frida-ps -U  list all processes
- frida -H 192.168.0.100:5555 -f com.ttxapps.wifiadb -l demo.js --runtime=v8  hook remotely; -l selects the script
- frida -Uf com.android.settings -l demo.js --runtime=v8 --no-pause  start the app over USB and load demo.js; -f is spawn mode and --no-pause resumes the app immediately, otherwise %resume is needed to start the main thread
- frida -UF --runtime=v8 -e "Java.perform(()=>{console.log('Hello World')})" -o /root/log.txt  run a script inline and write the output to a file
Remote connection
./fs128arm64 -v -l 0.0.0.0:8888
start frida-server on a chosen port; the default is 27042
frida-ps -H 192.168.0.8:8888
-U means USB, -H means the host IP
frida -H 192.168.0.8:8888 -F
-H is the host IP, -F the foreground app; typing frida in the REPL shows the Frida information
cd frida-agent-example/ && npm install && npm run watch && frida -H 192.168.0.8:8888 -F -l agent/demo.js  run the JS script remotely
Java.perform(() => { console.log("Hello World") })
function main() {
    Java.perform(function () {
        console.log("hello")
    })
}
setImmediate(main)
Remote invocation
import time
import frida

device = frida.get_usb_device()
print(device.get_frontmost_application())
# pid = device.spawn(["com.onejane.demo02"])  # spawn mode
pid = device.get_frontmost_application().pid  # with dual-process protection, hook by pid
print(device.enumerate_processes())  # enumerate all processes
print(device.enumerate_applications())  # enumerate all package names
# device.resume(pid)
# time.sleep(1)
session = device.attach(pid)
with open("demo.js") as f:
    script = session.create_script(f.read())
script.load()
plugins
proxychains git clone https://github.com/hluwa/FRIDA-DEXDump ~/Downloads/FRIDA-DEXDump  unpacking
mv ~/Downloads/FRIDA-DEXDump/frida_dexdump ~/.objection/plugins/dexdump  each plugin subdirectory under plugins must contain an __init__.py
proxychains git clone https://github.com/hluwa/Wallbreaker ~/.objection/plugins/Wallbreaker  memory exploration
objection -N -h 192.168.0.8 -p 8888 -g com.android.settings explore -P ~/.objection/plugins  connect remotely and load all plugins