Frida Hook
改变程序执行流程的一种技术 在函数被调用前,通过HOOK技术,先得到该函数的控制权,实现该函数的逻辑改写
Hook 加密函数
案例
import frida
import sys
def on_message(message , data):
if message["type"] == "send":
print("[*] {0}".format(message['payload']))
else:
print(message)
jscode = """
function printstack(){
send(Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Exception").$new()));
}
// array 转 string
function array2string(array){
var buffer = Java.array('byte', array);
var result = "";
for(var i=0; i<buffer.length; ++i){
result += (String.fromCharCode(buffer[i]));
}
return result;
}
Java.perform(
function(){
var MessageDigest = Java.use('java.security.MessageDigest');
MessageDigest.update.overload('[B').implementation = function(bytesarray){
send('I am here 0:');
send("ori:"+array2string(bytesarray));
printstack();
this.update(bytesarray);
},
MessageDigest.update.overload('byte').implementation = function(bytesarray){
send('I am here 0:');
send("ori:"+array2string(bytesarray));
printstack();
this.update(bytesarray);
},
MessageDigest.update.overload('[B', 'int', 'int').implementation = function(bytesarray){
send('I am here 0:');
send("ori:"+array2string(bytesarray));
printstack();
this.update(bytesarray);
},
MessageDigest.getInstance.overloads[0].implementation = function(algorithm){
send("call -> getInstance for" + algorithm);
printstack();
return this.getInstance.overloads[0].apply(this, arguments);
}
}
);
"""
device = frida.get_remote_device()
# 先通过frida.add_remote_device来找到device,然后spawn方式启动settings,然后attach到上面,并执行frida脚本
pid = device.spawn('com.iCitySuzhou.suzhou001')
process = device.attach(pid)
script = process.create_script(jscode)
script.on('message', on_message)
print('[*] Runing CTF')
script.load()
device.resume(pid)
sys.stdin.read()
然后有几率会打印出加密字符串,可以看到是怎么加密的
下面还可以看到调用的栈
然后用 ApkTool 逆向,找到加密代码