Using Frida on a Mac

Category: mac, 2022-06-30


Installation

https://github.com/frida/frida/releases

Pick the release matching your phone's CPU architecture (you can usually see it in the phone's device information); in my case it is frida-server-12.6.7-android-arm64.xz.

Extract frida-server-12.6.7-android-arm64.xz, rename the extracted file to frida-server, then run the following commands in order:

$ adb push frida-server /data/local/tmp/
$ adb shell "chmod 755 /data/local/tmp/frida-server"
$ adb shell "/data/local/tmp/frida-server &"

Then, on the computer, check that the phone is connected:

$ adb devices -l

Roughly, Frida works like this: a server program runs on the phone, the phone-side port is forwarded to the PC, and a Python script on the PC talks to that server; the code that actually hooks the app is JavaScript embedded in (or loaded by) that Python script. So the first thing we need is a Python environment on the PC, which is just a matter of installing Python; after that, install Frida by running:

pip install frida 

Then open a second terminal window and run:

frida-ps -U

If instead you see "frida-ps 不是内部或外部命令" (the shell's "command not found" error), frida-tools also needs to be installed:

pip install frida-tools

Run the command again:

frida-ps -U

If you see output similar to the following, the setup works:

  PID  Name
-----  -----------------------------------------------------------------
 2681  .dataservices
  835  ATFWD-daemon
12174  adbd
  844  adsprpcd
  845  adsprpcd
  745  android.hardware.audio@2.

Interlude: okhttp3

Hook for an unobfuscated okhttp3

// quiet_send() is not defined on this page; it is assumed to be a thin wrapper
// around Frida's send(), which delivers the string to on_message() on the PC side.
function quiet_send(data) { send(data); }

// Java.use() must run inside Java.perform() so the Java VM is attached.
Java.perform(function () {
    try {
        var CertificatePinner = Java.use('okhttp3.CertificatePinner');
        quiet_send('OkHTTP 3.x Found');
        // check(String hostname, List<Certificate> peerCertificates) normally throws
        // SSLPeerUnverifiedException on a pin mismatch; the replacement body never throws.
        CertificatePinner.check.overload('java.lang.String', 'java.util.List').implementation = function () {
            quiet_send('OkHTTP 3.x check() called. Not throwing an exception.');
        };
    } catch (err) {
        // Not every app ships okhttp3; a ClassNotFoundException here just means it is absent.
    }
});

If okhttp3 is obfuscated, substitute the obfuscated names; in my case they are d.k.a: Java.use('d.k') loads class k in package d, and CertificatePinner.a.overload(...) hooks method a (the renamed check()).

/*** okhttp3.x unpinning ***/
// quiet_send() is assumed to be a thin wrapper around Frida's send().
function quiet_send(data) { send(data); }

Java.perform(function () {
    // Wrap the logic in a try/catch as not all applications will have
    // okhttp as part of the app.
    try {
        // 'd.k' is the obfuscated name of okhttp3.CertificatePinner in this app.
        var CertificatePinner = Java.use('d.k');
        quiet_send('OkHTTP 3.x Found');
        // 'a' is the obfuscated check(String, List) method.
        CertificatePinner.a.overload('java.lang.String', 'java.util.List').implementation = function () {
            quiet_send('OkHTTP 3.x check() called. Not throwing an exception.');
        };
    } catch (err) {
        // Only swallow ClassNotFoundException (okhttp absent); re-raise anything else
        // so a typo in the class or method name does not go unnoticed.
        if (err.message.indexOf('ClassNotFoundException') === -1) {
            throw new Error(err);
        }
    }
});

The host-side (application) script

# -*- coding: utf-8 -*-
import frida, sys, os
import codecs, time

# Package name of the app to attach to; can be overridden on the command line.
if (len(sys.argv) > 1):
    APP_NAME = str(sys.argv[1])
else:
    APP_NAME = "com.loco.example.OkHttp3SSLPinning"

def sbyte2ubyte(byte):
    # A Java byte[] arrives as signed values (-128..127); map them to 0..255.
    return (byte % 256)

def print_result(message):
    print("[!] Received: [%s]" % (message))

def on_message(message, data):
    # Called for every send() from the JavaScript side.
    if 'payload' in message:
        data = message['payload']
        if type(data) is str:
            print_result(data)
        elif type(data) is list:
            a = data[0]
            if type(a) is int:
                # Byte array: show it as hex and as (best-effort) UTF-8 text.
                hexstr = "".join([("%02X" % (sbyte2ubyte(a))) for a in data])
                print_result(hexstr)
                print_result(bytes.fromhex(hexstr).decode('utf-8', errors='replace'))
            else:
                print_result(data)
        else:
            print_result(data)
    else:
        if message['type'] == 'error':
            print(message['stack'])
        else:
            print_result(message)

def kill_process():
    # Note: "pm clear" stops the app and also wipes its data.
    cmd = "adb shell pm clear {} 1> /dev/null".format(APP_NAME)
    os.system(cmd)

#kill_process()
try:
    with codecs.open("hooks.js", 'r', encoding='utf8') as f:
        jscode = f.read()
    device = frida.get_usb_device(timeout=5)
    #pid = device.spawn([APP_NAME])
    session = device.attach(APP_NAME)
    script = session.create_script(jscode)
    #device.resume(pid)
    script.on('message', on_message)
    print("[*] Intercepting on {} ...".format(APP_NAME))
    script.load()
    sys.stdin.read()
except KeyboardInterrupt:
    print("[!] Killing app...")
    kill_process()
    time.sleep(1)
    kill_process()
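To make the byte-array handling in on_message concrete, here is an added Python example (not part of the original post) that decodes a Frida message the way the host script should: Frida serialises a Java byte[] as a JSON list of signed ints, so negative values must be mapped back to 0..255 before hex-dumping or decoding, and it also covers the error and plain-list cases. The sample messages are constructed, not captured from a device.

```python
def decode_payload(message):
    """Classify one Frida message dict and return (kind, value).

    kind is 'text', 'bytes', 'list', 'error' or 'other'. For a byte array,
    value is a dict with the raw bytes, an upper-case hex dump and a
    best-effort UTF-8 rendering (undecodable bytes are replaced).
    """
    if message.get('type') == 'error':
        # JS-side exceptions carry a description and, usually, a stack trace.
        return ('error', message.get('stack') or message.get('description', ''))
    if 'payload' not in message:
        return ('other', message)
    payload = message['payload']
    if isinstance(payload, str):
        return ('text', payload)
    if isinstance(payload, list) and payload and all(isinstance(x, int) for x in payload):
        # Signed Java bytes (-128..127) -> unsigned (0..255); anything else is not a byte[].
        if not all(-128 <= x <= 255 for x in payload):
            raise ValueError('payload is not a byte array')
        raw = bytes(x & 0xFF for x in payload)
        return ('bytes', {
            'raw': raw,
            'hex': raw.hex().upper(),
            'text': raw.decode('utf-8', errors='replace'),
        })
    if isinstance(payload, list):
        return ('list', payload)
    return ('other', payload)


# Constructed sample messages in the shape script.on('message', ...) delivers them.
SAMPLE_MESSAGES = [
    {'type': 'send', 'payload': 'OkHTTP 3.x Found'},
    # The UTF-8 bytes of "Hi中" as a Java byte[]: 0xE4 0xB8 0xAD arrive as negative ints.
    {'type': 'send', 'payload': [72, 105, -28, -72, -83]},
    {'type': 'error', 'description': 'ReferenceError',
     'stack': 'ReferenceError: Foo is not defined'},
]

if __name__ == '__main__':
    for m in SAMPLE_MESSAGES:
        kind, value = decode_payload(m)
        print(kind, value)
```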

Reposted from: https://www.cnblogs.com/c-x-a/p/11056627.html
