frida-js注入文件
frida 注入命令行使用
启动server
adb shell ".//data/local/tmp/xxoo12.8.11"
端口转发
adb forward tcp:27043 tcp:27043
查询包名
adb shell pm list packages -3
注入
frida -U -l js文件 包名
// Schedule the entry point with setImmediate; the author's note further down
// says this is done to keep the injection from timing out.
setImmediate(main);

/**
 * Script entry point: runs the selected hook installer inside Java.perform.
 *
 * NOTE(review): the page collapsed this function onto one line, so it is not
 * certain whether the zhixie() call was live or part of the commented-out
 * line. It is restored as live here because zhixie is defined later in the
 * script; tongsha is not defined in this listing and stays commented out.
 */
function main(){
    function installHooks(){
        // tongsha();
        zhixie();
    }
    Java.perform(installHooks);
}
//获取包名类名
//定义方法
//构造方法(方法名与类名相同)用 $init 表示
//重载方法.overload("java.lang.String")
//构造.$init
//setImmediate防止注入超时
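// Two ways to read a hooked method's arguments: declare formal parameters on
// the replacement function, or index `arguments` (e.g. arguments[0]).
//

/**
 * Replaces RSAUtil.encryptByPublicKey with a logging wrapper.
 *
 * The wrapper logs the argument, calls the original method, logs the result
 * and then calls showStacks(). It uses the Java bridge directly, so it has to
 * be called from inside Java.perform (main does this).
 *
 * NOTE(review): showStacks is not defined in this listing; presumably a helper
 * that prints the current Java call stack. Confirm it is loaded with the script.
 */
function zhixie(){
    var rsaUtil = Java.use("com.leyida.cloud.utils.RSAUtil");
    rsaUtil.encryptByPublicKey.implementation = function(a){
        console.log(" ");
        console.log(" ");
        // The hook sits in front of the encryption call, so the value logged
        // here is the plaintext: client-side encryption does not hide data
        // from an instrumented process.
        console.log("a:"+a);
        console.log("=================***自设hook开始***=================");
        // Calling the method from inside its own replacement invokes the
        // original implementation. Remember to change this name when the
        // template is reused for another method.
        var data = this.encryptByPublicKey(a);
        console.log("结果:"+data);
        console.log("=================***自设hook结束***=================");
        showStacks();
        console.log("=================***调用堆栈打印***=================");
        return data;
    };
}

/**
 * Logs the fields E and N of com.xiaojianbang.app.RSAHex.
 *
 * A field is read through `Class.fieldName.value`; assigning to `.value`
 * (for example l.E.value = '诺诺') changes it.
 */
function 读取类变量(){
    Java.perform(function(){
        var rsaHex = Java.use("com.xiaojianbang.app.RSAHex");
        console.log(rsaHex.E.value);
        console.log(rsaHex.N.value);
    });
}

/**
 * Calls a static method directly: builds a few java.lang.String / Base64
 * values for illustration, then invokes MD5.md5_1 and logs its result.
 */
function 静态方法的主动调用(){
    Java.perform(function(){
        // The original local was named AES although the wrapped class is MD5.
        var md5Class = Java.use("com.xiaojianbang.app.MD5");
        var javaString = Java.use("java.lang.String");
        var base64 = Java.use("android.util.Base64");

        var bytes = javaString.$new("nuonuo").getBytes();
        console.log(javaString.$new(bytes));
        console.log(JSON.stringify(bytes));
        console.log(base64.encodeToString(javaString.$new("nuonuo").getBytes(), 0));

        var digest = md5Class.md5_1("活活");
        console.log(digest);
    });
}

/**
 * Worked example of direct calls: a static method (RSA.encrypt), instance
 * methods on freshly constructed objects, and an instance method on objects
 * that already exist on the heap.
 */
function 静态方法的主动调用例子(){
    Java.perform(function(){
        // Static method call.
        var rsa = Java.use("com.xiaojianbang.app.RSA");
        var javaString = Java.use("java.lang.String");
        var base64 = Java.use("android.util.Base64");
        var bytes = javaString.$new("xiaojianbang").getBytes();
        console.log(JSON.stringify(bytes));
        var encrypted = rsa.encrypt(bytes);
        var encoded = base64.encodeToString(encrypted, 0);
        console.log(encoded);

        // Instance method call, approach 1: construct a new object with $new.
        var res = Java.use("com.xiaojianbang.app.Money").$new("日元", 300000).getInfo();
        console.log(res);
        var utils = Java.use("com.xiaojianbang.app.Utils");
        res = utils.$new().myPrint(["xiaojianbang","is very good"," ","zygx8","is very good"]);
        console.log(res);

        // Instance method call, approach 2: find existing instances with
        // Java.choose and call the method on the ones that match.
        Java.choose("com.xiaojianbang.app.Money", {
            onMatch: function(obj){
                if(obj._name.value == "美元"){
                    res = obj.getInfo();
                    console.log(res);
                }
            },
            onComplete: function(){}
        });
    });
}

/**
 * Logs the name of every loaded class whose name contains the package filter.
 *
 * Per the author's note, this can be called on demand from the Frida
 * interactive console and does not need to be injected in advance.
 */
function 获取所有已加载的类(){
    Java.perform(function(){
        // Package-name substring used to filter the class list.
        var baoming = "com.mg.ec";
        Java.enumerateLoadedClasses({
            onMatch: function(name, handle){
                if(name.indexOf(baoming) !== -1){
                    console.log(name);
                }
            },
            onComplete: function(){}
        });
    });
}

/**
 * Logs each loaded class whose name contains the package filter, followed by
 * the methods that class declares (via getDeclaredMethods).
 */
function 获取所有已加载的类的所有方法(){
    Java.perform(function(){
        // Callback-based variant, left commented out by the author:
        // Java.enumerateLoadedClasses({
        //     onMatch: function(name, handle){
        //         if(name.indexOf("com.xiaojianbang.app") != -1){
        //             console.log(name);
        //             var clazz = Java.use(name);
        //             console.log(clazz);
        //             var methods = clazz.class.getDeclaredMethods();
        //             for(var i = 0; i < methods.length; i++){
        //                 console.log(methods[i]);
        //             }
        //         }
        //     },
        //     onComplete: function(){
        //     }
        // });

        // Package-name substring used to filter the class list.
        var baoming = "com.xiaojianbang.app";
        var classes = Java.enumerateLoadedClassesSync();
        for(var i = 0; i < classes.length; i++){
            if(classes[i].indexOf(baoming) === -1){
                continue;
            }
            console.log('');
            console.log('类名*************'+classes[i]);
            var clazz = Java.use(classes[i]);
            var methods = clazz.class.getDeclaredMethods();
            for(var j = 0; j < methods.length; j++){
                console.log('方法:'+methods[j]);
            }
            console.log('');
        }
    });
}

/**
 * Wraps every overload of every method declared by com.xiaojianbang.app.MD5
 * so that each call logs its arguments and then forwards to the method.
 */
function Hook类的所有方法(){
    Java.perform(function(){
        // Class whose methods are traced.
        var md5 = Java.use("com.xiaojianbang.app.MD5");
        var methods = md5.class.getDeclaredMethods();

        // Installs the logging wrapper on one overload. The method name is
        // passed in as a parameter so each wrapper keeps its own copy: with
        // a `var` declared in the loop, every wrapper shared one variable and
        // forwarded to whichever method was enumerated last. A helper is used
        // instead of `let` to stay within the ES5 syntax of the rest of the
        // script.
        function traceOverload(overload, methodName){
            overload.implementation = function(){
                for(var i = 0; i < arguments.length; i++){
                    console.log(arguments[i]);
                }
                return this[methodName].apply(this, arguments);
            };
        }

        for(var j = 0; j < methods.length; j++){
            var methodName = methods[j].getName();
            console.log(methodName);
            var overloads = md5[methodName].overloads;
            for(var k = 0; k < overloads.length; k++){
                traceOverload(overloads[k], methodName);
            }
        }
    });
// The closing brace of Hook类的所有方法 is the first character of the next line.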
}function tuoke(){//参数2的OpenMemory参数自己把手机的libart.so pull出来.然后看看自己手机OpenMemory的对应签名函数名.Interceptor.attach(Module.findExportByName("libart.so", "_ZN3art7DexFile10OpenMemoryEPKhjRKNSt3__112basic_stringIcNS3_11char_traitsIcEENS3_9allocatorIcEEEEjPNS_6MemMapEPKNS_7OatFileEPS9_"), {onEnter: function (args) {//dex起始位置var begin = args[1]//打印magicconsole.log("magic : " + Memory.readUtf8String(begin))//dex fileSize 地址var address = parseInt(begin,16) + 0x20//dex 大小var dex_size = Memory.readInt(ptr(address))console.log("dex_size :" + dex_size)//dump dex 到/data/data/pkg/目录下var packageName = "com.androidapp.mibo" // 此处修改为要hook的包名var file = new File("/data/data/"+packageName+"/" + dex_size + ".dex", &
