Android 逆向神器之 Frida
Frida 在 iOS 和 Android 上的用法有部分相似。
iOS 上需要安装插件,Android 上则是一个原生的 ARM 可执行文件,推送到手机上运行即可。不过还需要做端口转发,如下:
# Host-side setup for talking to frida-server on the device over adb.
echo hello world!!
# Reload the login profile (presumably so adb is on PATH — confirm for your shell).
. ~/.bash_profile
# Forward the device-side frida-server ports so frida.get_remote_device() on the
# host reaches them through localhost.
adb forward tcp:27042 tcp:27042
adb forward tcp:27043 tcp:27043   # second port; needed by the frida-server builds this post targets — verify for newer releases
echo work
这几步写成了脚本,没什么好说的。
花了些时间写了个 hook 脚本模板,留着以后用:
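#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""Frida helper for an Android device reachable through adb port forwarding
(frida-server on the forwarded port, see the adb forward lines above).

    python <script> ps               list the processes on the device
    python <script> hookjava [name]  wait until a process called *name* exists
                                     (default com.sina.weibo), then run hook()

Every function that attaches keeps the session in the module global
``session`` so the __main__ handler can detach it on Ctrl-C.
"""
from __future__ import print_function

import optparse  # unused in this script; kept as in the original
import re        # unused in this script; kept as in the original
import sys
import time

import frida

# Frida session of the currently attached process, or None before the first
# attach().  The original only declared ``global session`` here without binding
# it, so a Ctrl-C before attaching raised NameError in the handler at the bottom.
session = None


# NOTE: the original defined a first enume_proc() with exactly this body; it was
# shadowed by the later enume_proc() below and is therefore dropped here.
def proc_module_show(name="com.tencent.mm"):
    """Attach to process *name* and print each loaded module, followed by its
    exported symbols as "<name>\\t<RVA>".

    Args:
        name: process name to attach to (default kept from the original).  If
            two processes share a name, attach by pid instead (rdev.attach(pid)).
    """
    global session
    rdev = frida.get_remote_device()
    session = rdev.attach(name)
    for module in session.enumerate_modules():
        print(module)
        print("\tfunc_name\tRVA")
        for export_func in module.enumerate_exports():
            print("\t%s\t%s" % (export_func.name, hex(export_func.relative_address)))


def native_hook(name):
    """Attach to *name* and hook libc open(); every call is reported through
    on_message() as "open(<path>,<flags>)".

    Blocks on stdin until EOF so the script stays loaded in the target.
    """
    global session
    rdev = frida.get_remote_device()
    session = rdev.attach(name)
    scr = """
    Interceptor.attach(Module.findExportByName("libc.so" , "open"), {
        onEnter: function(args) {
            send("open("+Memory.readCString(args[0])+","+args[1]+")");
        },
        onLeave:function(retval){
        }
    });
    """
    script = session.create_script(scr)
    script.on("message", on_message)
    script.load()
    sys.stdin.read()


# Original note (translated): this was written to hook the random-number method
# of WeChat's com.tencent.mm.sdk.platformtools.ay (tested on 6.3.13 — obfuscated
# names differ between versions) so that rock-paper-scissors (type=2) stays random
# while the dice (type=5) always shows 6.  The script below, however, hooks
# com.sina.deviceidjnisdk.DeviceId.getDeviceId and only logs its argument and
# return value.
def hook(name):
    """Attach to *name* and install the Java hook in ``scr``; each hooked call
    sends its first argument and result to on_message().

    Blocks on stdin until EOF so the hook stays installed.
    """
    global session
    print(name)
    rdev = frida.get_remote_device()
    session = rdev.attach(name)
    # Fix: the original assigned Java.use(...) to ``ay`` but then referenced an
    # undefined ``DeviceId``, so the script threw on load and hooked nothing.
    # NOTE(review): this.getDeviceId() is called with no arguments although the
    # wrapper reads arguments[0]; if the Java method takes a parameter the call
    # needs it (this.getDeviceId(type)) — confirm against the app.
    scr = """
    Java.perform(function () {
        var ay = Java.use("com.sina.deviceidjnisdk.DeviceId");
        ay.getDeviceId.implementation = function(){
            var type = arguments[0];
            send("type="+type);
            var result=this.getDeviceId();
            send("reuslt="+result)
            return result;
        };
    });
    """
    script = session.create_script(scr)
    script.on("message", on_message)
    script.load()
    sys.stdin.read()


def on_message(message, data):
    """Frida message callback: print whatever the injected script send()s
    (and any error message Frida reports)."""
    print(message)


def enume_proc():
    """Print every process on the remote device, one per line."""
    rdev = frida.get_remote_device()
    for process in rdev.enumerate_processes():
        print(process)


def find_proc(name):
    """Return True if a process named *name* is currently running on the
    remote device, False otherwise."""
    rdev = frida.get_remote_device()
    return any(process.name == name for process in rdev.enumerate_processes())


def main():
    """Dispatch on sys.argv[1] ('ps' or 'hookjava'); sys.argv[2] optionally
    names the target process for hookjava.  Exits with status 1 on a missing
    or unknown command (the original raised IndexError with no arguments)."""
    if len(sys.argv) < 2 or sys.argv[1] not in ("ps", "hookjava"):
        print("usage: %s ps | hookjava [process name]" % sys.argv[0])
        sys.exit(1)
    name = sys.argv[2] if len(sys.argv) > 2 else "com.sina.weibo"
    if sys.argv[1] == "ps":
        enume_proc()
    elif sys.argv[1] == "hookjava":
        # Wait for the user to launch the app, then attach immediately.
        print("please app waiting launched...")
        while not find_proc(name):
            # The original spun without pausing, re-enumerating all processes
            # in a tight loop; a short sleep keeps the poll cheap.
            time.sleep(0.5)
        print("find process")
        hook(name)


if __name__ == "__main__":
    try:
        main()
    except KeyboardInterrupt:
        # Ctrl-C: drop the Frida session cleanly before exiting.
        if session:
            session.detach()
        sys.exit()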
据说还可以注入 dex,没试过,先记录一下:
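"""Load a dex into a running Android process via Frida and call one of its
methods (the original's "fridex" script; relies on frida/sys/re/optparse
being imported above)."""


def on_message2(message, data):
    """Frida message callback: print send() payloads with a "[*]" prefix and
    any other message (e.g. an error report) verbatim."""
    if message['type'] == 'send':
        print("[*] {0}".format(message['payload']))
    else:
        print(message)


# JS template; the four %s slots are filled, in order, with dexPath, entryClass,
# entryFunction and the string argument handed to the entry method.  Values are
# substituted verbatim into JS string literals without escaping — they come from
# this script's own command line, so a value containing a double quote would
# simply break the generated script rather than run as intended.
jscode = """Java.perform(function () {
    var currentApplication = Java.use("android.app.ActivityThread").currentApplication();
    var context = currentApplication.getApplicationContext();
    var pkgName = context.getPackageName();
    var dexPath = "%s";
    var entryClass = "%s";
    Java.openClassFile(dexPath).load();
    console.log("inject " + dexPath +" to " + pkgName + " successfully!")
    Java.use(entryClass).%s("%s");
    console.log("call entry successfully!")
});"""


def checkRequiredArguments(opts, parser):
    """Call parser.error() (which exits) if any option whose help text starts
    with "[REQUIRED]" was not supplied.

    Args:
        opts: the options object returned by parser.parse_args().
        parser: the optparse.OptionParser whose option_list is inspected.
    """
    missing_options = []
    for option in parser.option_list:
        # getattr replaces the original eval('opts.' + option.dest): same
        # attribute lookup, no code evaluation.  ``option.help or ""`` keeps
        # options declared without help text from raising in re.match().
        if re.match(r'^\[REQUIRED\]', option.help or "") and getattr(opts, option.dest) is None:
            missing_options.extend(option._long_opts)
    if missing_options:
        parser.error('Missing REQUIRED parameters: ' + str(missing_options))


if __name__ == "__main__":
    usage = ("usage: python %prog [options] arg\n\n"
             "example: python %prog -p com.android.launcher "
             "-f /data/local/tmp/test.apk "
             "-e com.parker.test.DexMain/main "
             "\"hello fridex!\"")
    parser = optparse.OptionParser(usage)
    parser.add_option("-p", "--package", dest="pkg", type="string",
                      help="[REQUIRED]package name of the app to be injected.")
    parser.add_option("-f", "--file", dest="dexPath", type="string",
                      help="[REQUIRED]path of the dex")
    parser.add_option("-e", "--entry", dest="entry", type="string",
                      help="[REQUIRED]the entry function Name.")
    (options, args) = parser.parse_args()
    checkRequiredArguments(options, parser)
    # First positional argument is passed to the entry method; empty if absent.
    arg = args[0] if args else ""
    pkgName = options.pkg
    dexPath = options.dexPath
    # "-e Class/method"; the method name defaults to main when omitted.
    entry = options.entry.split("/")
    entryClass = entry[0]
    entryFunction = entry[1] if len(entry) > 1 else "main"
    process = frida.get_usb_device(1).attach(pkgName)
    jscode = jscode % (dexPath, entryClass, entryFunction, arg)
    script = process.create_script(jscode)
    script.on('message', on_message2)
    print('[*] Running fridex')
    script.load()
    sys.stdin.read()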