Frida Java Hook
使用到的工具
frida:
https://github.com/frida/frida
frida函数提示脚本:
在脚本所在的文件夹中执行: npm install --save @types/frida-gum
https://npmjs.com/package/@types/frida-gum
jadx-gui
https://github.com/skylot/jadx
演示DEMO
function ke0() {
  Java.perform(() => {
    console.info("第一课=================");
    // Lesson 0: hook System.getenv(String). getenv is overloaded, so the
    // String variant has to be selected explicitly before assigning an implementation.
    const SystemClass = Java.use("java.lang.System");
    SystemClass.getenv.overload('java.lang.String').implementation = function (str) {
      console.info(str);
      // Call through to the real method so its result can be logged, then return a fixed value instead.
      const original = this.getenv(str);
      console.info("返回值:", original);
      const replaced = "Imyang";
      console.info("修改返回值为:", replaced);
      return replaced;
    };
  });
}
function keInit() {
  Java.perform(() => {
    console.info("首关====================");
    const LoginActivity = Java.use("com.github.lastingyang.androiddemo.Activity.LoginActivity");
    // a(String, String) is an overloaded static method: pick the overload by its parameter types.
    LoginActivity.a.overload('java.lang.String', 'java.lang.String').implementation = function (str1, str2) {
      // The original is still invoked (for its side effects); its return value is discarded.
      this.a(str1, str2);
      console.info("参数内容为:", str1, str2);
      // Return a constant instead of whatever the original computed.
      const replaced = "123123";
      console.info("返回内容为:", replaced);
      return replaced;
    };
  });
}
function ke1() {
  Java.perform(() => {
    console.info("第一关====================");
    const FridaActivity1 = Java.use("com.github.lastingyang.androiddemo.Activity.FridaActivity1");
    // a() is a static method with no overloads, so the implementation can be assigned directly.
    FridaActivity1.a.implementation = function (b) {
      // Original call is kept; only the returned value is swapped for a fixed string.
      this.a(b);
      return "R4jSLLLLLLLLLLOrLE7/5B+Z6fsl65yj6BgC6YWz66gO6g2t65Pk6a+P65NK44NNROl0wNOLLLL=";
    };
  });
}
function ke2() {
  Java.perform(() => {
    console.info("第二关====================");
    const FridaActivity2 = Java.use("com.github.lastingyang.androiddemo.Activity.FridaActivity2");
    // A static method can be invoked straight on the class wrapper.
    FridaActivity2.setStatic_bool_var();
    console.info("静态方法执行成功!");
    // An instance method cannot (FridaActivity2.setBool_var() on the wrapper fails), so
    // Java.choose is used to walk live instances of the class and call it on each one.
    // This is useful whenever no reference to the instance is otherwise available.
    Java.choose("com.github.lastingyang.androiddemo.Activity.FridaActivity2", {
      onMatch(instance) {
        console.info("遍历到类!");
        instance.setBool_var();
      },
      onComplete() {
        // Runs once after every instance has been visited.
        console.info("执行完清空!");
      },
    });
  });
}
function ke3() {
  Java.perform(() => {
    console.info("第三关====================");
    const FridaActivity3 = Java.use("com.github.lastingyang.androiddemo.Activity.FridaActivity3");
    // Print the three fields of one instance.
    // same_name_bool_var is both a field name and a method name on this class, so the
    // field has to be addressed as _same_name_bool_var (instance.same_name_bool_var.value does not work).
    const dumpFields = (instance) => {
      console.info("bool_var:", instance.bool_var.value);
      console.info("same_name_bool_var:", instance._same_name_bool_var.value);
      console.info("static_bool_var:", instance.static_bool_var.value);
    };
    Java.choose("com.github.lastingyang.androiddemo.Activity.FridaActivity3", {
      onMatch(instance) {
        dumpFields(instance);
        // Flip the instance fields through the instance and the static field through the class wrapper.
        instance.bool_var.value = true;
        instance._same_name_bool_var.value = true;
        FridaActivity3.static_bool_var.value = true;
        dumpFields(instance);
      },
      onComplete() {},
    });
  });
}
function ke4() {
  Java.perform(() => {
    console.info("第四关====================");
    // Inner class name uses the JVM '$' separator.
    const InnerClasses = Java.use("com.github.lastingyang.androiddemo.Activity.FridaActivity4$InnerClasses");
    // Every check*() is forced to return true; none of them is overloaded, so no overload() selection is needed.
    const checks = ['check1', 'check2', 'check3', 'check4', 'check5', 'check6'];
    for (const name of checks) {
      InnerClasses[name].implementation = function () {
        return true;
      };
    }
    console.info("第四关执行完毕!");
  });
}
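function ke5() {
  // Target logic (the app's onCheck(), copied from the original notes for reference):
  //   public void onCheck(){
  //     if (this.getDynamicDexCheck() != null) {
  //       if (this.getDynamicDexCheck().check()) {
  //         this.CheckSuccess();
  //         this.startActivity(new Intent(this, FridaActivity6.class));
  //         this.finishActivity(0);
  //       } else {
  //         super.CheckFailed();
  //       }
  //     } else {
  //       Toast.makeText(this, "onClick loaddex Failed!", 1).show();
  //     }
  //     return;
  //   }
  Java.perform(() => {
    console.info("第五关====================");
    // 1. Check whether any live FridaActivity5 has a non-null getDynamicDexCheck().
    let dynamicCheckPresent = false;
    Java.choose("com.github.lastingyang.androiddemo.Activity.FridaActivity5", {
      onMatch(instance) {
        if (instance.getDynamicDexCheck() != null) {
          dynamicCheckPresent = true;
        }
      },
      onComplete() {},
    });
    if (!dynamicCheckPresent) {
      // Previously this case fell through silently; say so, and do not attempt the hook.
      console.info("getDynamicDexCheck为空,跳过HOOK!");
      return;
    }
    console.info("getDynamicDexCheck不为空!");
    // 2. check() is declared on the CheckInterface interface; its implementation lives in
    //    assets/DynamicPlugin.dex (extract and decompile it to read it), which the app loads
    //    through its own ClassLoader. Enumerate loaders until one can resolve the class.
    let pluginLoader = null;
    Java.enumerateClassLoaders({
      onMatch(loader) {
        try {
          if (loader.findClass("com.example.androiddemo.Dynamic.DynamicCheck")) {
            console.info("已经找到了classloader");
            // Point Java.use at this loader. Note this is global state: every later
            // Java.use in this script (ke6..ke8 when run from main) resolves through it too.
            Java.classFactory.loader = loader;
            console.info(loader);
            pluginLoader = loader;
          }
        } catch (error) {
          // findClass throws for loaders that do not own the class; that is the expected
          // outcome for most loaders, so the error is intentionally ignored here.
        }
      },
      onComplete() {},
    });
    if (pluginLoader === null) {
      // Without the loader, Java.use below would throw an unhelpful error inside Java.perform.
      console.info("未找到加载DynamicCheck的classloader,跳过HOOK!");
      return;
    }
    const DynamicCheck = Java.use("com.example.androiddemo.Dynamic.DynamicCheck");
    // Hooking works the same way for static and instance methods.
    DynamicCheck.check.implementation = function () {
      const original = this.check();
      console.info("原始返回:", original);
      const replaced = true;
      console.info("修改后返回:", replaced);
      return replaced;
    };
  });
}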
function ke6() {
  Java.perform(() => {
    console.info("第六关====================");
    // Resolve the three wrappers first (in order), then patch each check() to return true.
    const wrappers = [
      "com.github.lastingyang.androiddemo.Activity.Frida6.Frida6Class0",
      "com.github.lastingyang.androiddemo.Activity.Frida6.Frida6Class1",
      "com.github.lastingyang.androiddemo.Activity.Frida6.Frida6Class2",
    ].map((className) => Java.use(className));
    for (const wrapper of wrappers) {
      wrapper.check.implementation = function () {
        return true;
      };
    }
  });
}
function ke7() {
  console.info("第七关====================");
  Java.perform(() => {
    const FridaActivity7 = Java.use("com.github.lastingyang.androiddemo.Activity.FridaActivity7");
    // Hook the constructor ($init): run the real constructor, then set the `next` field
    // so it is already true by the time the check is triggered from onCheck (per the original notes).
    FridaActivity7.$init.implementation = function () {
      this.$init();
      this.next.value = true;
      console.info("执行了构造方法!");
    };
  });
}
function ke8() {
  Java.perform(() => {
    // Recover the `password` field from a live FridaActivity8 instance first.
    let password = null;
    Java.choose("com.github.lastingyang.androiddemo.Activity.FridaActivity8", {
      onMatch(instance) {
        password = instance.password.value;
        console.info("password:", password);
      },
      onComplete() {},
    });
    // Only install the hook when a value was actually found; a(String) then always returns it.
    if (password == null) {
      return;
    }
    const FridaActivity8 = Java.use("com.github.lastingyang.androiddemo.Activity.FridaActivity8");
    FridaActivity8.a.implementation = function (str) {
      return password;
    };
  });
}
function main() {
  // Install every lesson's hooks, in lesson order.
  const lessons = [ke0, keInit, ke1, ke2, ke3, ke4, ke5, ke6, ke7, ke8];
  for (const lesson of lessons) {
    lesson();
  }
}
// Schedule main() on the next tick rather than running it synchronously during script load.
setImmediate(() => {
  main();
});
