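  • Hooking MD5 with Frida to see the data being hashed

    This is the same app as last time, 引力波.

    We use Frida to hook the MD5 function. There are four ways the data can be fed to MD5 (the four overloads of MessageDigest.update). We don't know which one the app uses, so we hook all of them and look at the printed output.

    The hook script is as follows: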

    import frida
    import sys


    def on_message(message, data):
        if message['type'] == 'send':
            print("[*]{0}".format(message['payload']))
        else:
            print(message)


    jscode = """
    Java.perform(function(){
        var Testsig = Java.use('com.yaotong.crackme.MainActivity');
        Testsig.onCreate.overload('android.os.Bundle').implementation = function(v){
            send('I am here');
            // onCreate(Bundle) returns void: forward the Bundle and return nothing
            this.onCreate(v);
        };
    });
    """
    # Print base addresses
    jscode1 = """
    var base_address = Module.findBaseAddress('libc.so');
    send('base_address:' + base_address);

    var mod_address = Module.findExportByName('libc.so', 'dlopen');
    send('mod_address:' + mod_address);

    var lib_module = Process.findModuleByAddress(base_address);
    send('lib_module_name:' + lib_module.name);

    Interceptor.attach(mod_address, {
        onEnter: function(args){
            send("open(" + Memory.readUtf8String(args[0]) + "," + args[1] + ")");
        },
        onLeave: function(retval){
            send('retval:' + retval);
        }
    });
    """
    # Hook MD5 hashing
    jscode2 = """
    // Print the call stack
    function printstack(){
        send(Java.use('android.util.Log').getStackTraceString(Java.use('java.lang.Exception').$new()));
    }
    // Convert a byte array to a string
    function array2string(array){
        var buffer = Java.array('byte', array);
        var result = '';
        for (var i = 0; i < buffer.length; i++){
            // Java bytes are signed, so mask to 0..255
            result += String.fromCharCode(buffer[i] & 0xff);
        }
        return result;
    }
    Java.perform(function(){
        var MessageDigest = Java.use('java.security.MessageDigest');
        // Every update() overload returns void, so only the input is logged here;
        // each hook then forwards its real arguments to the original method.
        MessageDigest.update.overload('[B').implementation = function(bytesarray){
            send('I am here 0');
            send('ori:' + array2string(bytesarray));
            printstack();
            this.update(bytesarray);
        };
        MessageDigest.update.overload('byte').implementation = function(b){
            send('I am here 1');
            // This overload receives a single byte, not an array
            send('ori:' + String.fromCharCode(b & 0xff));
            printstack();
            this.update(b);
        };
        MessageDigest.update.overload('java.nio.ByteBuffer').implementation = function(buf){
            send('I am here 2');
            // A ByteBuffer is not a byte[]; log its description instead of converting it
            send('ori:' + buf.toString());
            printstack();
            this.update(buf);
        };
        MessageDigest.update.overload('[B', 'int', 'int').implementation = function(bytesarray, offset, len){
            send('I am here 3');
            // Only bytesarray[offset .. offset+len) is hashed
            send('ori:' + array2string(bytesarray).substr(offset, len));
            printstack();
            this.update(bytesarray, offset, len);
        };

        MessageDigest.getInstance.overload('java.lang.String').implementation = function(algorithm){
            send('call->getInstance for ' + algorithm);
            return this.getInstance(algorithm);
        };
    });
    """
    device = frida.get_usb_device()

    pid = device.spawn(['cn.soulapp.android'])

    process = device.attach(pid)

    # Create the script to run
    script = process.create_script(jscode2)
    # Register the message handler that prints output (boilerplate)
    script.on('message', on_message)
    print('[*] Running CTF')
    # Load the script (boilerplate)
    script.load()
    # Resume the spawned app
    device.resume(pid)
    # Keep the host process alive (boilerplate)
    sys.stdin.read()
    Finally, look at the printed output to work out which method the app uses.
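
MessageDigest.update() returns void and may be called several times before digest() produces the hash, so input and result have to be correlated per instance. The following is an added example, not code from the original post: a Python-side message handler that reassembles the bytes fed to each MessageDigest instance and checks them against the reported digest. The event fields (ev, id, hex, off, len, alg) are an assumed format that an extended hook would have to send, and the sample events are constructed.

```python
import hashlib
from collections import defaultdict

class DigestTracker:
    """Correlates update()/digest() hook events per MessageDigest instance."""
    def __init__(self):
        self.pending = defaultdict(bytearray)  # instance id -> bytes fed so far
        self.results = []                      # (algorithm, input, verified)

    def on_message(self, message, data=None):  # frida-python callback signature
        ev = message.get('payload')
        if message.get('type') != 'send' or not isinstance(ev, dict):
            return
        if ev['ev'] == 'update':
            buf = bytes.fromhex(ev['hex'])
            off = ev.get('off', 0)
            end = off + ev.get('len', len(buf) - off)
            # update(byte[], int, int) hashes only buf[off:off+len]
            self.pending[ev['id']] += buf[off:end]
        elif ev['ev'] == 'digest':
            fed = bytes(self.pending.pop(ev['id'], b''))
            ok = self._verify(ev['alg'], fed, ev['hex'])
            self.results.append((ev['alg'], fed, ok))

    @staticmethod
    def _verify(java_alg, fed, digest_hex):
        name = java_alg.replace('-', '').lower()  # Java "SHA-1" -> hashlib "sha1"
        try:
            return hashlib.new(name, fed).hexdigest() == digest_hex.lower()
        except ValueError:                         # algorithm unknown to hashlib
            return False

# Constructed sample: two interleaved instances, plus one whose update() was missed.
SAMPLE = [
    {'ev': 'update', 'id': 1, 'hex': '61'},                         # "a"
    {'ev': 'update', 'id': 2, 'hex': '616263'},                     # "abc"
    {'ev': 'update', 'id': 1, 'hex': '58626359', 'off': 1, 'len': 2},  # "bc" of "XbcY"
    {'ev': 'digest', 'id': 2, 'alg': 'SHA-1',
     'hex': 'a9993e364706816aba3e25717850c26c9cd0d89d'},
    {'ev': 'digest', 'id': 1, 'alg': 'MD5', 'hex': '900150983cd24fb0d6963f7d28e17f72'},
    {'ev': 'digest', 'id': 3, 'alg': 'MD5', 'hex': '5d41402abc4b2a76b9719d911017c592'},
]

def replay(events):
    tracker = DigestTracker()
    for ev in events:
        tracker.on_message({'type': 'send', 'payload': ev})
    return tracker.results

if __name__ == '__main__':
    for alg, fed, ok in replay(SAMPLE):
        print(alg, fed, 'verified' if ok else 'input incomplete or mismatched')
```

A result that fails verification means the captured input is incomplete, for example because the hook was attached after the first update() call.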
  • Original article: https://www.cnblogs.com/wuxianyu/p/14266342.html