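  • A universal MD5 hook for app reverse engineering: recovering the hash input (other algorithms work on much the same principle with the generic approach; recommended for beginners)

    1. Principle

    When an Android app computes an MD5 hash, it calls the system class java.security.MessageDigest.
    
    Hashing goes through two key methods of that class: update and digest.
    
    With that in mind, let's write the code.

    2. Code

    hook.js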

    function Uint8ArrayToString(fileData) {    // Convert a byte array to a string
      var dataString = "";
      for (var i = 0; i < fileData.length; i++) {
        // Java bytes are signed, so mask to 0..255 before mapping to a character
        dataString += String.fromCharCode(fileData[i] & 0xff);
      }
      return dataString;
    }
    function byteToHexString(uint8arr) {  // Convert a byte array to a hex string
        if (!uint8arr) {
            return '';
        }
        var hexStr = '';
        for (var i = 0; i < uint8arr.length; i++) {
            var hex = (uint8arr[i] & 0xff).toString(16);
            hex = (hex.length === 1) ? '0' + hex : hex;
            hexStr += hex;
        }
    
        return hexStr.toUpperCase();
    }
    Java.perform(function () {
        var BB = Java.use("java.security.MessageDigest");
        // Only update(byte[]) and digest() are hooked; other overloads are not covered
        BB.update.overload('[B').implementation = function (args1) {
            // Log the data fed into the digest
            console.log(Uint8ArrayToString(args1));
            // update() returns void, so there is no return value to log
            this.update(args1);
            console.log("update");
        };
        BB.digest.overload().implementation = function () {
            // Log the resulting hash as uppercase hex
            var args = this.digest();
            console.log(byteToHexString(args));
            return args;
        };
    });
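
    The Uint8ArrayToString helper above maps each byte to one character, so multi-byte UTF-8 input (for example Chinese request parameters) and binary input come out garbled in the log. The following added example, which is not part of the original post, decodes the signed Java bytes as strict UTF-8 and falls back to hex; decodeJavaBytes, toSigned and the sample arrays are names and data constructed for this illustration.

```javascript
// Added example: decode a Java byte[] (signed values, -128..127) as strict UTF-8.
// Returns { text, hex }; text is null when the bytes are not valid UTF-8,
// in which case the hex form is the one to read.
function decodeJavaBytes(bytes) {
    var hex = '', text = '', valid = true;
    var i, b, need = 0, cp = 0, min = 0;
    for (i = 0; i < bytes.length; i++) {
        b = bytes[i] & 0xff;                        // signed Java byte -> 0..255
        hex += (b < 0x10 ? '0' : '') + b.toString(16);
        if (!valid) continue;                       // keep building hex only
        if (need === 0) {
            if (b < 0x80) { text += String.fromCharCode(b); }
            else if (b >= 0xc2 && b <= 0xdf) { need = 1; cp = b & 0x1f; min = 0x80; }
            else if (b >= 0xe0 && b <= 0xef) { need = 2; cp = b & 0x0f; min = 0x800; }
            else if (b >= 0xf0 && b <= 0xf4) { need = 3; cp = b & 0x07; min = 0x10000; }
            else { valid = false; }                 // stray continuation or invalid lead byte
        } else if ((b & 0xc0) === 0x80) {
            cp = (cp << 6) | (b & 0x3f);
            if (--need === 0) {
                // Reject overlong forms, surrogates and out-of-range code points
                if (cp < min || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff)) valid = false;
                else text += String.fromCodePoint(cp);
            }
        } else { valid = false; }                   // lead byte not followed by a continuation
    }
    if (need !== 0) valid = false;                  // sequence truncated at end of buffer
    return { text: valid ? text : null, hex: hex };
}

// Constructed sample inputs, written as the signed values the hook receives.
function toSigned(arr) { return arr.map(function (v) { return v > 127 ? v - 256 : v; }); }
var sampleUtf8 = toSigned([0x6b, 0x3d, 0xe4, 0xbd, 0xa0, 0xe5, 0xa5, 0xbd]); // "k=" + two CJK chars
var sampleBinary = toSigned([0xff, 0xd8, 0xff, 0xe0]);                       // not valid UTF-8

console.log(decodeJavaBytes(sampleUtf8));
console.log(decodeJavaBytes(sampleBinary));
```

    The function uses no Node-only APIs, so it can replace Uint8ArrayToString inside hook.js, logging the text when it is non-null and the hex otherwise.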

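    You can run it directly from a cmd window (recommended for experienced users)

    frida -U <package name> -l hook.js
    # Edits to the JS file are hot-reloaded

    You can also drive it from Python (recommended for beginners)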

    import frida
    import sys
    
    def on_message(message, data):
        # Messages sent by the script via send() arrive with type 'send'
        if message['type'] == 'send':
            print("[*] {0}".format(message['payload']))
        else:
            print(message)
    
    
    with open('hook.js', 'r', encoding='utf-8') as f:  # the JS file
        sta = f.read()
    
    rdev = frida.get_remote_device()
    
    session = rdev.attach("xxxxxx")  # app package name
    print(session)
    script = session.create_script(sta)
    print(script)
    script.on("message", on_message)
    
    # Load the script
    script.load()
    # Block on stdin so the hooks stay active
    sys.stdin.read()

    Or put everything in one file:

    js_code = """
    function Uint8ArrayToString(fileData) {    // Convert a byte array to a string
      var dataString = "";
      for (var i = 0; i < fileData.length; i++) {
        // Java bytes are signed, so mask to 0..255 before mapping to a character
        dataString += String.fromCharCode(fileData[i] & 0xff);
      }
      return dataString;
    }
    function byteToHexString(uint8arr) {  // Convert a byte array to a hex string
        if (!uint8arr) {
            return '';
        }
        var hexStr = '';
        for (var i = 0; i < uint8arr.length; i++) {
            var hex = (uint8arr[i] & 0xff).toString(16);
            hex = (hex.length === 1) ? '0' + hex : hex;
            hexStr += hex;
        }
    
        return hexStr.toUpperCase();
    }
    Java.perform(function () {
        var BB = Java.use("java.security.MessageDigest");
        // Only update(byte[]) and digest() are hooked; other overloads are not covered
        BB.update.overload('[B').implementation = function (args1) {
            // Log the data fed into the digest
            console.log(Uint8ArrayToString(args1));
            // update() returns void, so there is no return value to log
            this.update(args1);
            console.log("update");
        };
        BB.digest.overload().implementation = function () {
            // Log the resulting hash as uppercase hex
            var args = this.digest();
            console.log(byteToHexString(args));
            return args;
        };
    });
    
    """
    
    import frida
    import sys
    
    
    def on_message(message, data):
        # Messages sent by the script via send() arrive with type 'send'
        if message['type'] == 'send':
            print("[*] {0}".format(message['payload']))
        else:
            print(message)
    
    
    rdev = frida.get_remote_device()
    
    session = rdev.attach("com.xiachufang")  # app package name
    # session = rdev.attach("com.md.md211106")  # app package name
    print(session)
    script = session.create_script(js_code)
    print(script)
    
    script.on("message", on_message)
    
    # Load the script
    script.load()
    # Block on stdin so the hooks stay active
    sys.stdin.read()
  • Original article: https://www.cnblogs.com/tjp40922/p/15328241.html