1. Download the resource pack
Link: https://pan.baidu.com/s/1afxJ4nXTBKPP_vkJwOJodw
Extraction code: kylu
2. Install Frida
//install frida-tools into the Python environment
pip install frida-tools
//check the frida version (frida-server on the phone must match this version)
C:\Users\Administrator>frida --version
Device architecture: my phone is an arm64 platform, so I chose android-arm64. Extract the matching frida-server-16.2.1-android-arm64.xz; the extracted file is frida-server-16.2.1-android-arm64. Put it in a directory on the phone; the path below is the one I used, for reference only.
Run the adb commands in a terminal on the PC
//phone connected to the PC over a USB cable
//push the file to the phone's /data/local/tmp/ directory
adb push E:/MDS/soft/frida-server-16.2.1-android-arm64 /data/local/tmp/
//give the frida-server file execute permission so it can run
adb shell chmod 755 /data/local/tmp/frida-server-16.2.1-android-arm64
//set up port forwarding
adb forward tcp:24515 tcp:24515
//start the server before running the Python script (frida-server needs root on the device)
adb shell /data/local/tmp/frida-server-16.2.1-android-arm64
3. Writing the Python code
The directory structure is as follows
load2.py loads the JS code and injects it; the code is:
# -*- coding: UTF-8 -*-
import sys
import frida

# Target package names (earlier targets kept for reference)
'''
appPackageName = "com.example.testapp"
scriptFile = "testapp.js"
appPackageName = "com.example.testapp"
scriptFile = "hook_script.js"
appPackageName = "com.amazon.minitv.android.app"
scriptFile = "hook_minitv.js"
appPackageName = "io.github.vvb2060.mahoshojo"
'''
# package name of the target app
appPackageName = "com.unicostudio.braintest4"
# the actual hook code lives in the JS file
scriptFile = "hook_unico.js"

# callback that prints messages sent from the JS side
def on_message(message, data):
    if message['type'] == 'send':
        print("[*] {0}".format(message['payload']))
    else:
        print(message)

device = frida.get_usb_device()
# spawn mode: launch the target package fresh and inject the script before it runs
pid = device.spawn([appPackageName])
session = device.attach(pid)
# Note: device.attach(pid) must come before device.resume(pid); the app stays
# paused (white screen at launch) until resume is called.
# This is mentioned in https://www.jianshu.com/p/b833fba1bffe
# option 1: load the hook code from a JS file
with open(scriptFile, encoding='UTF-8') as f:
    script = session.create_script(f.read())
# option 2: put the hook code in a string inside this Python file
# script = session.create_script(js_code)
script.on("message", on_message)
script.load()  # inject the JS into the target app
# resume only after the script is loaded, so the hooks are in place before app code runs
device.resume(pid)
# keep the process alive so the hooks stay installed
sys.stdin.read()
hook_unico.js holds the actual hook; the code is:
function main() {
    // hook DataOutputStream.writeBytes(String)
    Java.perform(function () {
        var cls = Java.use("java.io.DataOutputStream");
        cls.writeBytes.overload('java.lang.String').implementation = function (arg1) {
            console.log("*************************************");
            console.log("DataOutputStream.writeBytes(String)");
            console.log("data:", arg1);
            // print the Java call stack so we can see who is writing
            console.log(Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Throwable").$new()));
            // call the original method so the write still happens
            return this.writeBytes(arg1);
        }
    });
}
setImmediate(main)
Finally, just run load2.py. Before that, start the server with adb shell /data/local/tmp/frida-server-16.2.1-android-arm64 and set up port forwarding with adb forward tcp:24515 tcp:24515.
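As an added example (not code from the original post), here is the same hook extended to DataOutputStream's byte[] write overload as well. It reports through send(), so the Python on_message callback above receives the data, and it always calls the original method so the app keeps working. summarizeBytes and installHooks are names chosen here; the hex/preview helper is kept free of Frida APIs so it can be tested outside the device.

```javascript
// Added example: hooks both write paths of java.io.DataOutputStream and
// forwards a summary to the Python side with send(). Helper names
// (summarizeBytes, installHooks) are assumed, not from the original post.

// Pure helper: render Java (signed) bytes as hex plus a printable preview.
// No Frida APIs here, so it can be unit-tested in plain Node.
function summarizeBytes(bytes, maxLen) {
  var shown = bytes.slice(0, maxLen);
  var hex = '', text = '';
  for (var i = 0; i < shown.length; i++) {
    var b = shown[i] & 0xff;              // Java bytes are signed; normalise
    hex += (b < 16 ? '0' : '') + b.toString(16);
    text += (b >= 0x20 && b <= 0x7e) ? String.fromCharCode(b) : '.';
  }
  return { length: bytes.length, hex: hex, text: text,
           truncated: bytes.length > maxLen };
}

// Frida side: install the hooks inside Java.perform.
function installHooks() {
  Java.perform(function () {
    var DOS = Java.use('java.io.DataOutputStream');
    var Log = Java.use('android.util.Log');
    var Throwable = Java.use('java.lang.Throwable');

    DOS.writeBytes.overload('java.lang.String').implementation = function (s) {
      send({ method: 'writeBytes', data: s,
             stack: Log.getStackTraceString(Throwable.$new()) });
      return this.writeBytes(s);            // keep original behaviour
    };

    // write(byte[] b, int off, int len): only the [off, off+len) slice is data
    DOS.write.overload('[B', 'int', 'int').implementation = function (buf, off, len) {
      var bytes = [];
      for (var i = off; i < off + len; i++) bytes.push(buf[i]);  // Java array wrapper supports index access
      send({ method: 'write', summary: summarizeBytes(bytes, 64) });
      return this.write(buf, off, len);
    };
  });
}

// Only schedule the hooks when running under Frida (Java is undefined in Node).
if (typeof Java !== 'undefined') setImmediate(installHooks);
```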