同LLDB+Debugserver一樣,Frida能hook函數、修改函數的傳入參數、修改函數的返回值等。
1. SSH登錄到手機設備端,開啟frida-server服務。我的frida-server放在手機根目錄下,沒有改名,用的是12.10.4版本。注意:frida-server以root身份運行,任何能連上它的人都能在任意進程內執行代碼;它默認只監聽本機(透過USB用 -U 連接),不要用 -l 把它暴露到網路上:
iPhone-3:/ root# ./frida-server-12.10.4-ios-arm64
2. Mac端調試:
xxxMacBook-Pro:Downloads xxx$ frida -U -f com.miniclip.8ballpoolmult -l __handlers__/block.js
其中block.js就是借助frida的JavaScript API文檔編寫的相關hook測試代碼。用 -f 以spawn方式啟動時腳本會在主程序執行前載入,hook因此能覆蓋啟動階段;舊版frida的REPL會先暫停進程,需輸入 %resume 或加 --no-pause 才會繼續。
羅列幾個關鍵的使用方法:
利用frida的攔截器Interceptor.replace
2.1 hook形如sub_xxx的函數
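// Resolve the runtime address of a sub_xxx function that the disassembler
// shows at `offset` from the start of `module`. Only the offset is stable:
// ASLR moves the image, so the base is looked up at runtime.
//
// Parameters:
//   module - image name as Frida reports it (e.g. 'abcKit.dylib', 'CrackMe')
//   offset - distance from the image's base address. If the disassembler
//            shows addresses relative to a preferred load address, subtract
//            that first (the examples below already use plain offsets).
// Returns: a NativePointer usable with Interceptor / NativeFunction.
// Throws:  Error if the module is not loaded — the original code let
//          `null.add()` raise an opaque TypeError instead.
function get_func_addr(module, offset) {
    var base_addr = Module.findBaseAddress(module);
    if (base_addr === null) {
        throw new Error('module not loaded: ' + module);
    }
    var func_addr = base_addr.add(offset);
    // On 32-bit ARM the low bit of the address selects the Thumb instruction
    // set. This assumes the target is Thumb code (the common case on 32-bit
    // iOS); it is not verified here, so an ARM-mode function would get the
    // wrong address.
    if (Process.arch === 'arm') {
        return func_addr.add(1);
    }
    return func_addr;
}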
對sub_xxx函數完全替換:【Interceptor.replace】
// Fully replace the sub_xxx located at offset 0xeba6c of abcKit.dylib.
// Nothing of the original body runs any more: every call lands in the
// NativeCallback below, which only prints a line and returns.
// get_func_addr is defined earlier in this file.
var func_addr_replace_eba6c = get_func_addr('abcKit.dylib', 0xeba6c);
var add_replace_eba6c = new NativeFunction(func_addr_replace_eba6c, 'void', []);
Interceptor.replace(
    add_replace_eba6c,
    new NativeCallback(function () { console.log('替換eba6c函數(shù)'); }, 'void', [])
);
修改sub_xxx函數的傳入參數或是返回值:【與frida-trace同效】
// Attach (rather than replace) to the sub_xxx at offset 0x6684 of the main
// executable CrackMe: the original body still runs; the callbacks only watch
// the arguments on entry and overwrite the result on exit.
// get_func_addr is defined earlier in this file.
var func_addr = get_func_addr('CrackMe', 0x6684);
Interceptor.attach(ptr(func_addr), {
    onEnter: function (args) {
        // args[] are the raw argument registers/slots as NativePointers,
        // so they print in hex.
        var first = args[0];
        var second = args[1];
        console.log("onEnter");
        console.log("num1: " + first);
        console.log("num2: " + second);
    },
    onLeave: function (retval) {
        console.log("onLeave");
        // Every caller now sees 3 as the function's return value.
        retval.replace(3);
    }
});
2.2 攔截系統的函數,比如 open、exit函數【Interceptor.replace】
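// Hook libc open(2): log every path the process opens, then forward the call
// to the real implementation and hand its descriptor back to the caller.
//
// Caveat: open() is variadic — `int open(const char *path, int oflag, ...)`
// takes a third `mode` argument when oflag contains O_CREAT. This replacement
// declares only two parameters, so the mode is not forwarded and files
// created through the hook get an unspecified mode. For pure observation
// prefer Interceptor.attach, which leaves the original call and all of its
// arguments untouched.
var openPtr = Module.getExportByName(null, 'open');
var open = new NativeFunction(openPtr, 'int', ['pointer', 'int']);
Interceptor.replace(openPtr, new NativeCallback(function (pathPtr, flags) {
    // Logging must never stop the real open() from running: an exception
    // escaping a NativeCallback leaves the caller with a bogus return value
    // instead of a descriptor.
    var path = '(null)';
    try {
        if (!pathPtr.isNull()) {
            path = pathPtr.readUtf8String();
        }
    } catch (e) {
        path = '(unreadable: ' + e + ')';
    }
    console.log('Opening "' + path + '"');
    var fd = open(pathPtr, flags);
    console.log('Got fd: ' + fd);
    return fd;
}, 'int', ['pointer', 'int']));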
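// Neutralise exit(3): the replacement logs the status and returns without
// terminating the process (the usual anti-anti-debugging trick).
//
// The names are deliberately distinct from the open() hook above. The
// original snippet reused `openPtr` and `open` here, so with both snippets in
// one script the open() replacement ended up calling exit() on the very
// first file open, killing the process.
//
// Caveat: exit() is declared noreturn, so the code after the original call
// site was never meant to run; returning from this hook can crash or
// misbehave in the caller. Inspect the call site before relying on it.
var exitPtr = Module.getExportByName(null, 'exit');
// Kept for callers that want to log and then really terminate: exitFn(status).
var exitFn = new NativeFunction(exitPtr, 'void', ['int']);
Interceptor.replace(exitPtr, new NativeCallback(function (status) {
    console.log('exit(' + status + ') intercepted, process kept alive');
}, 'void', ['int']));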
2.3 攔截Objective-C函數
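// Fully replace +[NSURL URLWithString:]. URLs whose text contains "tont" or
// "tpan" are refused — the method then returns nil, which callers of
// URLWithString: must already handle — and everything else is forwarded to
// the original implementation.
var method = ObjC.classes.NSURL['+ URLWithString:'];
var origImp = method.implementation;
method.implementation = ObjC.implement(method, function (self, sel, url) {
    // `url` is the raw NSString* argument and must stay a pointer: the
    // original snippet overwrote it with a JS string and then passed that to
    // origImp, which expects a pointer, so every non-blocked call failed.
    var urlText = new ObjC.Object(url).toString();
    if (urlText.indexOf("tont") !== -1 || urlText.indexOf("tpan") !== -1) {
        console.log("阻止url: " + urlText);
        return NULL; // explicit nil; an undefined return is not a valid pointer
    }
    return origImp(self, sel, url);
    // To rewrite the URL instead of blocking it, forward a new NSString:
    //   var newUrl = ObjC.classes.NSString.stringWithString_("http://www.ioshacker.net");
    //   return origImp(self, sel, newUrl);
});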
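// Observe and tamper with one ObjC method through Interceptor.attach.
// `hook`, `className` and `funcName` are not defined in this snippet: it is
// an excerpt from a loop over a class's methods (see the 看雪 threads
// referenced at the end of this page) and must be embedded there.
//
// Memory returned by Memory.allocUtf8String is released once no JS handle
// refers to it. A local in onLeave dies as soon as the callback returns, so
// the substituted return value would dangle; keep the handles here instead.
var allocatedStrings = [];
Interceptor.attach(hook.implementation, {
    onEnter: function (args) {
        console.log('startWithOptions----enter---');
        // ObjC calling convention: args[0] = self, args[1] = selector,
        // args[2..] = the method's own arguments.
        var receiver = new ObjC.Object(args[0]);
        var selector = args[1];
        var urlString = new ObjC.Object(args[2]);
        console.log("className: " + receiver.toString());
        console.log("methodName: " + selector.readUtf8String());
        console.log("urlString: " + urlString.toString());
        console.log("-----------------------------------------");
        // Reassigning the local `urlString` (as the original snippet did)
        // changes nothing for the callee; the argument slot itself must be
        // written for the method to see the new value.
        var newUrl = ObjC.classes.NSString.stringWithString_("http://www.baidu.com");
        args[2] = newUrl.handle;
        // NOTE(review): newUrl is autoreleased and only lives until the
        // current pool drains; retain it if the callee stores the argument.
        console.log("newUrlString: " + newUrl.toString());
        console.log("-----------------------------------------");
    },
    onLeave: function (retval) {
        console.log("[*] Class Name: " + className);
        console.log("[*] Method Name: " + funcName);
        console.log('startWithOptions--111-----');
        console.log("\t[-] Type of return value: " + typeof retval);
        // NOTE(review): readUtf8String()/replace() treat the return value as
        // a C string (char *). If the hooked method returns an ObjC object
        // this reads the object's memory and the substituted pointer is not
        // a valid object — confirm the method's return type first.
        console.log("\t[-] Original Return Value: " + retval.readUtf8String());
        var replacement = Memory.allocUtf8String("4567fsdfdesdfs89");
        allocatedStrings.push(replacement);
        retval.replace(replacement);
        console.log("\t[-] New Return Value: " + retval.readUtf8String());
    }
});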
參考:https://bbs.pediy.com/thread-259875.htm
https://bbs.pediy.com/thread-259424.htm
更多參考frida官方文檔:https://frida.re/docs/javascript-api/#objc