加載frida
# Host-side shortcut: start frida-server64 on the adb-attached device in the background.
# NOTE(review): many su builds only run a command when given as `su -c '<cmd>'` (or `su 0 <cmd>`);
# confirm which form the su on your device accepts.
# The trailing & leaves the server running after adb returns; stop it when the session is over.
alias activityFrida="adb shell 'su /data/local/tmp/frida-server64 &'"
-
電腦啟動frida
- 直接啟動
# Attach to an app that is already running on the USB device (-U) and load hook.js into it (-l).
# packageName is a placeholder for the target.
# NOTE(review): recent frida-tools appear to match this positional target against the process name
# and to use -N for a package identifier; check `frida --help` for your version.
frida -U packageName -l hook.js
- app 剛啟動的時候hook，用frida去啟動app
# Let frida spawn the app itself (-f) so hook.js is injected before the app's own code runs.
# --no-pause resumes the main thread right after injection instead of waiting for %resume.
# NOTE(review): newer frida-tools releases resume by default and no longer accept --no-pause;
# drop the flag there (check `frida --help`).
frida -U --no-pause -f com.tlamb96.spetsnazmessenger -l hook.js
- 直接啟動
-
hook 構造函數，類對象然後.$init來hook 構造函數
// Hook the constructor: on the class wrapper the constructor is reached through $init.
// NOTE(review): `a` is defined outside this snippet, presumably a Java.use(...) wrapper — confirm.
// NOTE(review): if the class has several constructors, the wanted one probably has to be
// selected with .overload(...) first — verify against the target class.
a.$init.implementation = function (i, str, str2, z) {
  const ctorArgs = [i, str, str2, z];
  // Call the original constructor first so the object is initialised as before.
  this.$init(...ctorArgs);
  console.log("a.$init:", ...ctorArgs);
  print_stack(); // print the call stack that led to this construction
};
-
打印調用棧，調用java自帶的功能，拋出一個異常，打印內容，打印完之後 要把對象析構掉
/**
 * Log the current Java call stack.
 *
 * Creates a java.lang.Exception (it is only constructed, never thrown), reads its
 * stack trace, logs it with console.log, then disposes the wrapper.
 *
 * @returns {void}
 */
function print_stack() {
  Java.perform(() => {
    const ExceptionClass = Java.use("java.lang.Exception");
    const probe = ExceptionClass.$new("print_stack");
    const frames = probe.getStackTrace();
    console.log(frames);
    // Dispose the exception object once its trace has been printed.
    probe.$dispose();
  });
}
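# Package the compiled helper class into a jar, keeping its package directory layout.
jar -cvf ddex.jar com/example/androiddemo/DecodeUtils.class
# Convert the jar to dex with the SDK build-tools dx.
# The stray "?" in front of this command was prompt residue, removed so the line runs as pasted.
# NOTE(review): newer build-tools releases ship d8 in place of dx; adjust if dx is missing.
/Users/yang/Library/Android/sdk/build-tools/28.0.3/dx --dex --output=ddex.dex ddex.jar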
打包成dex
加載dex
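// Open the dex file on the device and load its classes into the app's VM.
// Java.openClassFile() only opens the file; the classes it contains are not available
// to Java.use() until load() has been called on the returned object.
// NOTE(review): the dx step on this page writes ddex.dex, while this path is ddex2.dex;
// confirm which file was pushed to /data/local/tmp.
// NOTE(review): the enclosing code is not shown; this is expected to run inside Java.perform.
const ddex2 = Java.openClassFile("/data/local/tmp/ddex2.dex");
ddex2.load();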
構造字符串數組
// Build a Java String[] through java.lang.reflect.Array and copy every element of
// the JS-side `array` into it; the result is left in arg1.
// NOTE(review): `array` is defined outside this snippet, presumably a JS array of strings — confirm.
const Ref_arr = Java.use('java.lang.reflect.Array');
const stringClass = Java.use("java.lang.String").class;
const elementCount = array.length;
const arg1 = Ref_arr.newInstance(stringClass, elementCount);
for (let idx = 0; idx < elementCount; idx += 1) {
  Ref_arr.set(arg1, idx, array[idx]);
}