
frida用法小汇总

根据设备的 CPU 架构下载对应的 frida-server,然后运行 ./frida-server &

frida官网:https://frida.re/docs/javascript-api/

1.hook静态函数

img

当类中存在多个同名函数(即重载)时,hook 时必须用 overload 指定参数类型

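/**
 * Hooks LoginActivity.a(String, String): logs both arguments and the return
 * value, and passes the original result through unchanged.
 *
 * When the method name is overloaded, the hook has to select the exact
 * signature with .overload(...). Assigning to .implementation directly is
 * only valid when the method has a single overload, so that form is used
 * only in that case.
 */
function hook_java() {
  Java.perform(function () {
    const LoginActivity = Java.use("com.example.androiddemo.Activity.LoginActivity");
    console.log(LoginActivity);

    // Replacement body shared by both hooking forms. Frida binds `this` to
    // the receiver, so `this.a(...)` reaches the original implementation.
    function loggingImpl(str, str2) {
      const result = this.a(str, str2);
      // Reassigning `result` here (e.g. result = '') changes what the caller receives.
      console.log("LoginActivity.a:", str, str2, result);
      return result;
    }

    if (LoginActivity.a.overloads.length > 1) {
      // Overloaded name: the parameter types must be spelled out.
      LoginActivity.a.overload('java.lang.String', 'java.lang.String').implementation = loggingImpl;
    } else {
      // Single overload: the short form is accepted.
      LoginActivity.a.implementation = loggingImpl;
    }
  });
}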

img

修改函数返回值和成员变量

(1)修改返回值

img

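/**
 * Hooks FridaActivity1.a(byte[]) and replaces its return value with a fixed
 * string, logging the value before and after the substitution.
 */
function hook_java() {
  Java.perform(function () {
    const FridaActivity1 = Java.use("com.example.androiddemo.Activity.FridaActivity1");

    // Value handed back to the caller in place of the method's real result.
    const replacement = "R4jSLLLLLLLLLLOrLE7/5B+Z6fsl65yj6BgC6YWz66gO6g2t65Pk6a+P65NK44NNROl0wNOLLLL=";

    // First form (only valid when `a` has a single overload):
    //   FridaActivity1.a.implementation = function (barr) { ... };
    // Second form, used here: select the overload explicitly.
    // '[B' is the JNI type signature for byte[].
    FridaActivity1.a.overload('[B').implementation = function (barr) {
      console.log("FridaActivity1.a");

      // Still call the original so its real return value can be logged.
      const original = this.a(barr);
      console.log("FridaActivity1.a 修改前返回值:", original);

      console.log("FridaActivity1.a 修改后返回值:", replacement);
      return replacement;
    };

    console.log("hook_java");
  });
}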

img

(2)修改成员变量

img

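/**
 * Sets the boolean fields of FridaActivity3 to true: the static field through
 * the class wrapper, and the instance fields on every live instance that
 * Java.choose reports.
 */
function call_FridaActivity3() {
  Java.perform(function () {
    const className = "com.example.androiddemo.Activity.FridaActivity3";
    const FridaActivity3 = Java.use(className);

    // The original listing had a bare `FridaActivity3.$new` reference here;
    // without a call it constructs nothing, so it is omitted.

    // Static field: read and written through `.value` on the class wrapper.
    FridaActivity3.static_bool_var.value = true;
    console.log(FridaActivity3.static_bool_var.value);

    // Instance fields need an existing object; Java.choose enumerates them.
    Java.choose(className, {
      onMatch(instance) {
        // Plain instance field.
        instance.bool_var.value = true;

        // A field that shares its name with a method is reached with a
        // leading underscore.
        instance._same_name_bool_var.value = true;

        console.log(instance.bool_var.value, instance._same_name_bool_var.value);
      },
      onComplete() {},
    });
  });
}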

2.hook内部类

img

第一种写法

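/**
 * Hooks the inner class FridaActivity4$InnerClasses and makes check1..check6
 * return true. An inner class is addressed as Outer$Inner.
 */
function hook_InnerClasses() {
  Java.perform(function () {
    const InnerClasses = Java.use("com.example.androiddemo.Activity.FridaActivity4$InnerClasses");
    console.log(InnerClasses);

    // The six checks get the same replacement, so install them in one pass.
    const checkNames = ['check1', 'check2', 'check3', 'check4', 'check5', 'check6'];
    checkNames.forEach(function (name) {
      InnerClasses[name].implementation = function () {
        return true;
      };
    });
  });
}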

第二种写法

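/**
 * Hooks every method declared on FridaActivity4$InnerClasses and makes each
 * one return true, discovering the method names by reflection instead of
 * listing them by hand.
 */
function hook_mul_function() {
  Java.perform(function () {
    const class_name = "com.example.androiddemo.Activity.FridaActivity4$InnerClasses";
    const InnerClasses = Java.use(class_name);
    const all_methods = InnerClasses.class.getDeclaredMethods();

    // getDeclaredMethods() lists each overload separately; hook a name once.
    const handled = new Set();

    for (let i = 0; i < all_methods.length; i++) {
      // Method.getName() gives the bare name directly. Slicing toString()
      // output around the class name goes wrong as soon as the class name
      // also appears in the return type or a parameter type.
      const methodname = String(all_methods[i].getName());
      if (handled.has(methodname)) {
        continue;
      }
      handled.add(methodname);
      console.log(methodname);

      // Assigning `.implementation` on an overloaded name is rejected, so
      // install the replacement on each overload individually.
      // NOTE(review): returning true assumes every declared method returns
      // boolean — confirm for the target class.
      InnerClasses[methodname].overloads.forEach(function (overload) {
        overload.implementation = function () {
          console.log("hook_mul_function:", this);
          return true;
        };
      });
    }
  });
}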

3.hook动态dex

img

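/**
 * Locates the class loader that holds a dynamically loaded dex class
 * (com.example.androiddemo.Dynamic.DynamicCheck) and logs it.
 *
 * Note from the original listing: this applies to Android Nougat and later.
 */
function hook_dyn_dex() {
  Java.perform(function () {
    Java.enumerateClassLoaders({
      onMatch(loader) {
        try {
          if (loader.findClass("com.example.androiddemo.Dynamic.DynamicCheck")) {
            console.log(loader);
            // To hook the class, switch the default loader first:
            // Java.classFactory.loader = loader;
          }
        } catch (error) {
          // Deliberately ignored: loaders that do not hold the class are
          // expected to throw from findClass, and the scan should continue.
        }
      },
      onComplete() {},
    });

    // With the loader switched as shown above, the class can then be hooked
    // like any other:
    //
    //   var DynamicCheck = Java.use("com.example.androiddemo.Dynamic.DynamicCheck");
    //   console.log(DynamicCheck);
    //   DynamicCheck.check.implementation = function () {
    //     console.log("DynamicCheck.check");
    //     return true;
    //   }
  });
}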

img

img

4.frida加载动态dex

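/**
 * Loads an extra dex file into the instrumented process with Frida and calls
 * a static method from it (DecodeUtils.decode_p), logging the result.
 *
 * Build steps given in the original listing for producing the dex:
 *
 *   jar -cvf ddex.jar com/example/androiddemo/DecodeUtils.class
 *   /Users/yang/Library/Android/sdk/build-tools/28.0.3/dx --dex --output=ddex.dex ddex.jar
 *
 * NOTE(review): those commands produce ddex.dex while the code opens
 * ddex2.dex (the ddex.dex variant was commented out in the original) —
 * confirm which file is actually on the device.
 */
function hook_java() {
  // The dex is read from the device's file system; once loaded, its code
  // runs inside the target process.
  const ddex2 = Java.openClassFile("/data/local/tmp/ddex2.dex");

  Java.perform(function () {
    // Make the classes in the dex available to Java.use.
    ddex2.load();

    const DecodeUtils = Java.use("com.example.androiddemo.DecodeUtils");
    console.log("DecodeUtils.decode_p:", DecodeUtils.decode_p());
  });
}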

来源:https://www.cnblogs.com/pythonywy/p/15650445.html