frida

https://www.jianshu.com/p/c349471bdef7

frida安装

python -m pip install --upgrade pip -i http://mirrors.aliyun.com/pypi/simple --trusted-host mirrors.aliyun.com
(注意:http 镜像配合 --trusted-host 会跳过 TLS 校验,下载的包在传输中可能被篡改;优先使用 https 镜像,例如下面的 https://pypi.tuna.tsinghua.edu.cn/simple,此时无需 --trusted-host。)

pip install frida -i http://mirrors.aliyun.com/pypi/simple --trusted-host mirrors.aliyun.com

pip install frida==12.2.29 -i http://mirrors.aliyun.com/pypi/simple --trusted-host mirrors.aliyun.com

pip install frida==12.2.29 -i https://pypi.tuna.tsinghua.edu.cn/simple

adb

  • 获取root权限:
adb shell
su
  • adb清除密码(先进root权限)
cd data/system
rm locksettings.db
rm locksettings.db-shm

查看Android手机的CPU架构(ABI),据此选择对应版本的 frida-server
getprop ro.product.cpu.abi
Android有 x86、x86_64、arm、arm64

adb push C:\Users\ghy\Desktop\f\frida-core-devkit-12.8.20-android-x86.tar\frida-core-devkit-12.8.20-android-x86.tar /data/local/tmp/

adb push C:\Users\ghy\Desktop\f\frida-server86 /data/local/tmp/

chmod 777 frida-server86  (需先 cd 到 /data/local/tmp;frida-server 只需可执行权限,chmod 755 即可,不必开放给所有用户写入)

cd data/local/tmp

./frida-server86

列出该设备上运行中的进程
frida-ps -U

列出运行中的程序
frida-ps -Ua

列出安装的程序
frida-ps -Uai

注入脚本:
frida -U -l script.js com.ghy

https://www.sohu.com/a/246175537_557054
https://www.jianshu.com/p/b833fba1bffe
https://www.52pojie.cn/thread-836277-1-1.html
https://www.52pojie.cn/forum.php?mod=viewthread&tid=931872

hook带参数的实例方法

// Hook an instance method that takes two String arguments: print both
// arguments, then hand control back to the original implementation so the
// app keeps behaving as before.
if (Java.available) {
    Java.perform(function () {
        var loginClass = Java.use("com.app.ui.activity.LoginActivity");
        var loginOverload = loginClass.login.overload("java.lang.String", "java.lang.String");
        // A plain `function` is required here: `this` must be the wrapped
        // Java instance on which the original method is invoked below.
        loginOverload.implementation = function (paramString1, paramString2) {
            console.log(paramString1);
            console.log(paramString2);
            console.log("test....11");
            // Delegate to the original method and return its result unchanged.
            return this.login(paramString1, paramString2);
        };
    });
}

hook同名不同参数的方法(重载方法)

    // Template for hooking one specific overload of a method: replace 类 with
    // the wrapper returned by Java.use(...) and 方法 with the method name, and
    // list the parameter types in declaration order. The body is left empty
    // here on purpose; a real hook normally ends by returning
    // this.方法(arg1, arg2, arg3) so the original behaviour is preserved.
    类.方法.overload('java.lang.String','java.lang.String','boolean').implementation =function(arg1,arg2,arg3){
                
               
       }

hook js

// 这个方法是为了辅助我输出用的,和python的字符串.format差不多的用法
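// Output helper, similar to Python's str.format: every "{N}" placeholder is
// replaced by the N-th positional argument, or by "" when no such argument
// was passed. It extends a native prototype (normally avoided) because the
// hooks below call it as 'resId:{0}'.format(id); the interface is kept.
//
// @param {...*} values - positional replacement values, in placeholder order
// @returns {string} the formatted string
String.prototype.format = function () {
    var values = arguments;
    // The pattern must be \d+ (a digit run), not a literal "d"; the braces
    // are escaped so the placeholder syntax is unambiguous.
    return this.replace(/\{(\d+)\}/g, function (match, index) {
        // The capture is a string; compare as a number rather than relying
        // on implicit coercion.
        var position = Number(index);
        if (position < values.length) {
            return String(values[position]);
        }
        return "";
    });
};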


// Resources 类hook
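// Hook Resources.getString(int): print the resource id and the resolved
// string, then return the original result unchanged.
Java.perform(function() {
    var Resources = Java.use('android.content.res.Resources');
    // getString is overloaded; the overload of interest takes a single int
    // resource id. If the type list passed to .overload() is wrong, Frida's
    // error message lists the available signatures.
    Resources['getString'].overload('int').implementation = function(id) {
        // '\n' must be written as an escape; a raw line break inside a
        // single-quoted literal is a syntax error.
        console.log('\n----- [Resources.getString] -----');
        // Call the hooked method itself (not getText) so the return type
        // java.lang.String and any thrown exception stay exactly as the
        // app expects.
        var str = this.getString(id);
        console.log('resId:{0} => string:{1}'.format(id, str));
        return str;
    };
});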


// Toast 类hook,和上面一样
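// Hook the three-argument Toast.makeText(Context, CharSequence, int): print
// the calling Context, its class, the text and the duration, then delegate
// to the original overload with the same arguments.
Java.perform(function() {
    var Toast = Java.use('android.widget.Toast');
    Toast['makeText'].overload('android.content.Context', 'java.lang.CharSequence', 'int').implementation = function(context, text, duration) {
        // '\n' and '\t' must be escapes inside the literals; raw line breaks
        // in a single-quoted string are a syntax error.
        console.log('\n----- [Toast.makeText] -----');
        console.log('[Context]');
        console.log('\n\tContext:', context);
        console.log('\n\tClass:', context.getClass());
        // getName() yields e.g. "com.example.app.MainActivity"; split at the
        // last dot so "Class Package" and "Class Name" report what their
        // labels say. (String(getClass()) is prefixed with "class ", so
        // splitting it on every '.' printed the wrong pieces.)
        var className = context.getClass().getName();
        var lastDot = className.lastIndexOf('.');
        var packageName = lastDot >= 0 ? className.substring(0, lastDot) : '';
        var simpleName = className.substring(lastDot + 1);
        console.log('\n\t\tClass Package:', packageName);
        console.log('\n\t\tClass Name:', simpleName);
        console.log('Text:', text);
        console.log('Duration:', duration);
        // Forward the same three arguments this overload received; the
        // earlier call passed four (context, null, text, duration), which
        // does not match the hooked (Context, CharSequence, int) signature.
        return this.makeText(context, text, duration);
    };
});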

原文地址:https://www.cnblogs.com/bqh10086/p/12714172.html