- Calling static and non-static methods
- Setting (same-named) member variables
- Inner classes, enumerating a class's methods and hooking them, trace prototype 1
- Finding interfaces, hooking a dynamically loaded dex
- Enumerating classes, trace prototype 2
- objection cannot switch class loader
Frida hook: printing arguments and return values / setting return values / active calls
First, the Android login code:
// Imports added for readability; the decompiler omitted them. AppCompatActivity
// (androidx or android.support.v7), R and BuildConfig come from the app's own build.
import android.content.Context;
import android.content.Intent;
import android.os.Bundle;
import android.text.TextUtils;
import android.view.View;
import android.widget.Button;
import android.widget.EditText;
import android.widget.Toast;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class LoginActivity extends AppCompatActivity {
    /* access modifiers changed from: private */
    public Context mContext;

    public void onCreate(Bundle bundle) {
        super.onCreate(bundle);
        this.mContext = this;
        setContentView((int) R.layout.activity_login);
        final EditText editText = (EditText) findViewById(R.id.username);
        final EditText editText2 = (EditText) findViewById(R.id.password);
        ((Button) findViewById(R.id.login)).setOnClickListener(new View.OnClickListener() {
            public void onClick(View view) {
                String obj = editText.getText().toString();
                String obj2 = editText2.getText().toString();
                if (TextUtils.isEmpty(obj) || TextUtils.isEmpty(obj2)) {
                    Toast.makeText(LoginActivity.this.mContext, "username or password is empty.", 1).show();
                } else if (LoginActivity.a(obj, obj).equals(obj2)) {
                    // password must equal a(username, username)
                    LoginActivity.this.startActivity(new Intent(LoginActivity.this.mContext, FridaActivity1.class));
                    LoginActivity.this.finishActivity(0);
                } else {
                    Toast.makeText(LoginActivity.this.mContext, "Login failed.", 1).show();
                }
            }
        });
    }

    // bytes -> lowercase hex string
    private static String a(byte[] bArr) {
        StringBuilder sb = new StringBuilder();
        int i = 0;
        while (bArr != null && i < bArr.length) {
            String hexString = Integer.toHexString(bArr[i] & 255);
            if (hexString.length() == 1) {
                sb.append('0');
            }
            sb.append(hexString);
            i++;
        }
        return sb.toString().toLowerCase();
    }

    /* access modifiers changed from: private */
    // HMAC-SHA256 over str, keyed with str2, as lowercase hex
    public static String a(String str, String str2) {
        try {
            SecretKeySpec secretKeySpec = new SecretKeySpec(str2.getBytes(), "HmacSHA256");
            Mac instance = Mac.getInstance("HmacSHA256");
            instance.init(secretKeySpec);
            return a(instance.doFinal(str.getBytes()));
        } catch (Exception e) {
            e.printStackTrace();
            return BuildConfig.FLAVOR;
        }
    }
}
Analysing LoginActivity.a(obj, obj).equals(obj2): obj2 comes from the password field, and obj comes from the username field and is run through function a to produce a value. If the two values are equal, login succeeds.
So the key here is to hook the arguments of function a; the minimal script is as follows.
Printing arguments and return values
// print arguments and return value
function Login() {
    Java.perform(function () {
        // a() is overloaded (byte[] and String,String), so select the String,String overload explicitly
        Java.use("com.example.androiddemo.Activity.LoginActivity").a.overload('java.lang.String', 'java.lang.String').implementation = function (str, str2) {
            var result = this.a(str, str2); // run the original, then log what went in and out
            console.log("args0:" + str + " args1:" + str2 + " result:" + result);
            return result;
        }
    })
}
setImmediate(Login)
Observe the input and output. Here you can also call the method directly (an active call):
function login() {
    Java.perform(function () {
        console.log("start")
        var login = Java.use("com.example.androiddemo.Activity.LoginActivity")
        // static method: call it on the class wrapper; Frida picks the String,String overload from the arguments
        var result = login.a("1234", "1234")
        console.log(result)
    })
}
setImmediate(login)
Result
Then
adb shell input text "4e4feaea959d426155a480dc07ef92f4754ee93edbe56d993d74f131497e66fb"
Next is level 1
Make the function return the expected value directly
Android code:
// Imports added for readability; the decompiler omitted them.
import android.content.Intent;
import java.io.ByteArrayOutputStream;
import java.util.zip.GZIPOutputStream;

public class FridaActivity1 extends BaseFridaActivity {
    // custom base64 alphabet (shuffled order of the standard table)
    private static final char[] table = {'L', 'K', 'N', 'M', 'O', 'Q', 'P', 'R', 'S', 'A', 'T', 'B', 'C', 'E', 'D', 'F', 'G', 'H', 'I', 'J', 'U', 'V', 'W', 'X', 'Y', 'Z', 'a', 'b', 'c', 'o', 'd', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'e', 'f', 'g', 'h', 'j', 'i', 'k', 'l', 'm', 'n', 'y', 'z', '0', '1', '2', '3', '4', '6', '5', '7', '8', '9', '+', '/'};

    public String getNextCheckTitle() {
        return "当前第1关";
    }

    public void onCheck() {
        try {
            if (a(b("请输入密码:")).equals("R4jSLLLLLLLLLLOrLE7/5B+Z6fsl65yj6BgC6YWz66gO6g2t65Pk6a+P65NK44NNROl0wNOLLLL=")) {
                CheckSuccess();
                startActivity(new Intent(this, FridaActivity2.class));
                finishActivity(0);
                return;
            }
            super.CheckFailed();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    // base64 encoding with the custom alphabet above
    public static String a(byte[] bArr) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i <= bArr.length - 1; i += 3) {
            byte[] bArr2 = new byte[4];
            byte b = 0;
            for (int i2 = 0; i2 <= 2; i2++) {
                int i3 = i + i2;
                if (i3 <= bArr.length - 1) {
                    bArr2[i2] = (byte) (b | ((bArr[i3] & 255) >>> ((i2 * 2) + 2)));
                    b = (byte) ((((bArr[i3] & 255) << (((2 - i2) * 2) + 2)) & 255) >>> 2);
                } else {
                    bArr2[i2] = b;
                    b = 64; // 64 is out of the table: rendered as '=' padding
                }
            }
            bArr2[3] = b;
            for (int i4 = 0; i4 <= 3; i4++) {
                if (bArr2[i4] <= 63) {
                    sb.append(table[bArr2[i4]]);
                } else {
                    sb.append('=');
                }
            }
        }
        return sb.toString();
    }

    // gzip-compress the string's bytes
    public static byte[] b(String str) {
        try {
            ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
            GZIPOutputStream gZIPOutputStream = new GZIPOutputStream(byteArrayOutputStream);
            gZIPOutputStream.write(str.getBytes());
            gZIPOutputStream.finish();
            gZIPOutputStream.close();
            byte[] byteArray = byteArrayOutputStream.toByteArray();
            try {
                byteArrayOutputStream.close();
                return byteArray;
            } catch (Exception e) {
                e.printStackTrace();
                return byteArray;
            }
        } catch (Exception unused) {
            return null;
        }
    }
}
The key function is a(b("请输入密码:")).equals("R4jSLLLLLLLLLLOrLE7/5B+Z6fsl65yj6BgC6YWz66gO6g2t65Pk6a+P65NK44NNROl0wNOLLLL=")
Here, simply hook a and make it return "R4jSLLLLLLLLLLOrLE7/5B+Z6fsl65yj6BgC6YWz66gO6g2t65Pk6a+P65NK44NNROl0wNOLLLL=" to advance to the next level.
function challenge1() {
    Java.perform(function () {
        // a() has a single overload here, so .implementation can be set directly
        Java.use("com.example.androiddemo.Activity.FridaActivity1").a.implementation = function (bArr) {
            console.log("inside Frida1 a function")
            // ignore the input and return the constant onCheck compares against
            return Java.use('java.lang.String').$new("R4jSLLLLLLLLLLOrLE7/5B+Z6fsl65yj6BgC6YWz66gO6g2t65Pk6a+P65NK44NNROl0wNOLLLL=");
        }
    })
}
setImmediate(challenge1)
Frida hook: actively calling static/non-static methods, and setting the values of static/non-static member variables
Summary:
- For static methods, Java.use the class and call the method directly; for non-static methods, first Java.choose an instance and then call the method on it.
- To set a member variable, write xx.value = yy; otherwise it works the same way as for methods.
- If a member variable has the same name as a method, prefix the variable with an underscore, e.g. _xx.value = yy
Then level 2
import android.content.Intent;

public class FridaActivity2 extends BaseFridaActivity {
    private static boolean static_bool_var = false;
    private boolean bool_var = false;

    public String getNextCheckTitle() {
        return "当前第2关";
    }

    private static void setStatic_bool_var() {
        static_bool_var = true;
    }

    private void setBool_var() {
        this.bool_var = true;
    }

    public void onCheck() {
        if (!static_bool_var || !this.bool_var) {
            super.CheckFailed();
            return;
        }
        CheckSuccess();
        startActivity(new Intent(this, FridaActivity3.class));
        finishActivity(0);
    }
}
The key to this level is that the if condition must evaluate to false, so both static_bool_var and this.bool_var must be true.
function challenge2() {
    Java.perform(function () {
        // static method: call it directly on the class wrapper
        var FridaActivity2 = Java.use("com.example.androiddemo.Activity.FridaActivity2")
        FridaActivity2.setStatic_bool_var();
        // instance method: find the live instance on the heap and call the method on it
        Java.choose("com.example.androiddemo.Activity.FridaActivity2", {
            onMatch: function (instance) {
                instance.setBool_var();
            }, onComplete: function () {}
        })
    })
}
setImmediate(challenge2)
Next is level 3
import android.content.Intent;
import android.util.Log;

public class FridaActivity3 extends BaseFridaActivity {
    private static boolean static_bool_var = false;
    private boolean bool_var = false;
    private boolean same_name_bool_var = false;

    public String getNextCheckTitle() {
        return "当前第3关";
    }

    // a method with the same name as the field above
    private void same_name_bool_var() {
        Log.d("Frida", static_bool_var + " " + this.bool_var + " " + this.same_name_bool_var);
    }

    public void onCheck() {
        if (!static_bool_var || !this.bool_var || !this.same_name_bool_var) {
            super.CheckFailed();
            return;
        }
        CheckSuccess();
        startActivity(new Intent(this, FridaActivity4.class));
        finishActivity(0);
    }
}
The key again is to make if (!static_bool_var || !this.bool_var || !this.same_name_bool_var) evaluate to false, so all three variables must be true.
function challenge3() {
    Java.perform(function () {
        var Frida3 = Java.use("com.example.androiddemo.Activity.FridaActivity3");
        // static fields can be set directly on the class wrapper
        Frida3.static_bool_var.value = true;
        console.log("After set new value 1:" + Frida3.static_bool_var.value);
        // instance fields need a live instance; set the value on the instance
        Java.choose("com.example.androiddemo.Activity.FridaActivity3", {
            onMatch: function (instance) {
                instance.bool_var.value = true;
                console.log("After set new value 2:" + instance.bool_var.value);
                // field and method share a name, so the field is addressed as _same_name_bool_var
                instance._same_name_bool_var.value = true;
                console.log("After set new value 3:" + instance._same_name_bool_var.value);
            }, onComplete: function () {}
        })
    })
}
setImmediate(challenge3)
Note that this class has both a method and a field named same_name_bool_var. In that case, prefix the field name with an underscore, and set it in the form xx.value = yy.
Frida hook: inner classes, enumerating a class's methods and hooking them, trace prototype 1
Summary:
- For inner classes, use or choose them via OuterClass$InnerClass
- Apply reflection to the class wrapper obtained from use: e.g. clazz.class.getDeclaredMethods() returns all methods declared in the class, so every method of the class can be enumerated.
Next is level 4
import android.content.Intent;

public class FridaActivity4 extends BaseFridaActivity {
    public String getNextCheckTitle() {
        return "当前第4关";
    }

    private static class InnerClasses {
        public static boolean check1() {
            return false;
        }

        public static boolean check2() {
            return false;
        }

        public static boolean check3() {
            return false;
        }

        public static boolean check4() {
            return false;
        }

        public static boolean check5() {
            return false;
        }

        public static boolean check6() {
            return false;
        }

        private InnerClasses() {
        }
    }

    public void onCheck() {
        if (!InnerClasses.check1() || !InnerClasses.check2() || !InnerClasses.check3() || !InnerClasses.check4() || !InnerClasses.check5() || !InnerClasses.check6()) {
            super.CheckFailed();
            return;
        }
        CheckSuccess();
        startActivity(new Intent(this, FridaActivity5.class));
        finishActivity(0);
    }
}
Hook all methods of the inner class
function challenge4() {
    Java.perform(function () {
        // inner class: referenced as Outer$Inner
        Java.use("com.example.androiddemo.Activity.FridaActivity4$InnerClasses").check1.implementation = function () { return true; }
        Java.use("com.example.androiddemo.Activity.FridaActivity4$InnerClasses").check2.implementation = function () { return true; }
        Java.use("com.example.androiddemo.Activity.FridaActivity4$InnerClasses").check3.implementation = function () { return true; }
        Java.use("com.example.androiddemo.Activity.FridaActivity4$InnerClasses").check4.implementation = function () { return true; }
        Java.use("com.example.androiddemo.Activity.FridaActivity4$InnerClasses").check5.implementation = function () { return true; }
        Java.use("com.example.androiddemo.Activity.FridaActivity4$InnerClasses").check6.implementation = function () {
            console.log("enter check6")
            return true;
        }
    })
}
setImmediate(challenge4)
Using reflection, get all method declarations of the class, then extract the method name from the declaration string (e.g. check1 below). The methods can then be hooked in bulk instead of being written out one by one as above.
function challenge42() {
    Java.perform(function () {
        var class_name = "com.example.androiddemo.Activity.FridaActivity4$InnerClasses"
        var InnerClass = Java.use(class_name);
        // reflection: every method declared in the class, as java.lang.reflect.Method objects
        var all_methods = InnerClass.class.getDeclaredMethods();
        console.log(all_methods);
        for (var i = 0; i < all_methods.length; i++) {
            var method = all_methods[i];
            console.log(method);
            // Method.toString() looks like "public static boolean <class>.check1()";
            // take the text after "<class>." and before "(" to get the bare name
            var methodStr = method.toString();
            var substring = methodStr.substr(methodStr.indexOf(class_name) + class_name.length + 1);
            var finalMethodString = substring.substr(0, substring.indexOf("("));
            console.log(finalMethodString);
            // works because none of these methods is overloaded
            InnerClass[finalMethodString].implementation = function () { return true };
        }
    })
}
setImmediate(challenge42)
Frida hook: hooking a dynamically loaded dex, and finding an interface
Summary:
- Use enumerateClassLoaders to enumerate the class loaders in memory, then loader.findClass(xxx) to test whether a loader can see the implementation class of the interface we want, and finally switch class loader with Java.classFactory.loader = loader so that the implementation class can be loaded.
Level 5 is more interesting: its check function is loaded dynamically.
Java has the concept of an interface, a set of abstract methods that a class must implement.
import android.content.Intent;
import android.os.Bundle;
import android.widget.Toast;
import dalvik.system.DexClassLoader;
import java.io.File;
import java.io.IOException;

public class FridaActivity5 extends BaseFridaActivity {
    private CheckInterface DynamicDexCheck = null;

    public String getNextCheckTitle() {
        return "当前第5关";
    }

    public static void copyFiles(android.content.Context r2, java.lang.String r3, java.io.File r4) {
        throw new UnsupportedOperationException("Method not decompiled: com.example.androiddemo.Activity.FridaActivity5.copyFiles(android.content.Context, java.lang.String, java.io.File):void");
    }

    private void loaddex() {
        File filesDir = getFilesDir();
        if (!filesDir.exists()) {
            filesDir.mkdir();
        }
        String str = filesDir.getAbsolutePath() + File.separator + "DynamicPlugin.dex";
        File file = new File(str);
        try {
            // copy the bundled dex out of the app's assets on first use
            if (!file.exists()) {
                file.createNewFile();
                copyFiles(this, "DynamicPlugin.dex", file);
            }
        } catch (IOException e) {
            e.printStackTrace();
        }
        try {
            // separate DexClassLoader, so the class is not visible to the app's default loader
            this.DynamicDexCheck = (CheckInterface) new DexClassLoader(str, filesDir.getAbsolutePath(), (String) null, getClassLoader()).loadClass("com.example.androiddemo.Dynamic.DynamicCheck").newInstance();
            if (this.DynamicDexCheck == null) {
                Toast.makeText(this, "loaddex Failed!", 1).show();
            }
        } catch (Exception e2) {
            e2.printStackTrace();
        }
    }

    public CheckInterface getDynamicDexCheck() {
        if (this.DynamicDexCheck == null) {
            loaddex();
        }
        return this.DynamicDexCheck;
    }

    /* access modifiers changed from: protected */
    public void onCreate(Bundle bundle) {
        super.onCreate(bundle);
        loaddex();
    }

    public void onCheck() {
        if (getDynamicDexCheck() == null) {
            Toast.makeText(this, "onClick loaddex Failed!", 1).show();
        } else if (getDynamicDexCheck().check()) {
            CheckSuccess();
            startActivity(new Intent(this, FridaActivity6.class));
            finishActivity(0);
        } else {
            super.CheckFailed();
        }
    }
}
The loaddex method here first creates a class loader in memory from the resource file, then loads the DynamicCheck class through it, creates an instance, and finally calls that instance's check.
So we first enumerate the class loaders, find the one that can instantiate the class we want, and set it as the loader of Java's default class factory.
Now that class loader is used by .use to import a given class.
function challenge5() {
    Java.perform(function () {
        // first confirm which class implements CheckInterface at runtime
        Java.choose("com.example.androiddemo.Activity.FridaActivity5", {
            onMatch: function (instance) {
                console.log(instance.getDynamicDexCheck().$className)
            }, onComplete: function () {}
        })
        // walk every class loader; findClass throws for loaders that cannot see the class, hence the try/catch
        Java.enumerateClassLoaders({
            onMatch: function (loader) {
                try {
                    if (loader.findClass("com.example.androiddemo.Dynamic.DynamicCheck")) {
                        console.log("Successfully found loader")
                        console.log(loader);
                        // make Java.use resolve classes through this loader from now on
                        Java.classFactory.loader = loader;
                    }
                } catch (error) {
                    console.log("find error:" + error)
                }
            }, onComplete: function () {}
        })
        var DynamicCheck = Java.use("com.example.androiddemo.Dynamic.DynamicCheck");
        console.log(DynamicCheck);
        DynamicCheck.check.implementation = function () { return true };
    })
}
setImmediate(challenge5)
Frida hook: enumerating classes, trace prototype 2
Summary: enumerate classes with Java.enumerateLoadedClasses, filter them with name.indexOf(str), and hook the matches.
Next is level 6
import android.content.Intent;

public class FridaActivity6 extends BaseFridaActivity {
    public String getNextCheckTitle() {
        return "当前第6关";
    }

    public void onCheck() {
        if (!Frida6Class0.check() || !Frida6Class1.check() || !Frida6Class2.check()) {
            super.CheckFailed();
            return;
        }
        CheckSuccess();
        startActivity(new Intent(this, FridaActivity7.class));
        finishActivity(0);
    }
}
This level imports several classes and calls their static methods, so we enumerate all loaded classes, filter them, hook the matches, and change their return values.
function challenge6() {
    Java.perform(function () {
        // the three classes are known from the decompiled code, so they can be hooked by name
        Java.use("com.example.androiddemo.Activity.Frida6.Frida6Class0").check.implementation = function () { return true };
        Java.use("com.example.androiddemo.Activity.Frida6.Frida6Class1").check.implementation = function () { return true };
        Java.use("com.example.androiddemo.Activity.Frida6.Frida6Class2").check.implementation = function () { return true };
    })
}
setImmediate(challenge6)
Frida hook: searching for the concrete implementation classes of an interface
Level 7
public class FridaActivity7 extends BaseFridaActivity {
    public String getNextCheckTitle() {
        return "当前第7关";
    }

    public void onCheck() {
    }
}
Use reflection to get the array of interfaces a class implements, and print it.
// enumerate classes, trace prototype 2
function challenge62() {
    Java.perform(function () {
        Java.enumerateLoadedClasses({
            onMatch: function (name, handle) {
                //console.log("name:"+name+" handle:"+handle)
                // keep only the classes of the level-6 package, then hook each one's check()
                if (name.indexOf("com.example.androiddemo.Activity.Frida6") >= 0) {
                    console.log("name:" + name + " handle:" + handle)
                    Java.use(name).check.implementation = function () { return true }
                }
            }, onComplete: function () {}
        })
    })
}
setImmediate(challenge62)