Frida Hook Login Verification
This article gives a brief introduction to how Frida can bypass a simple login check.
1: Demo check
First we create a simple demo program. It is very basic: one EditText input field (a 6-digit numeric password) and one Button.
The verification code is as follows:
// Client-side check against a hard-coded password; this is the method the hooks below target.
private boolean checkPwd(String pwd) {
    return TextUtils.equals("123456", pwd);
}
The code that runs the check is as follows:
btnCommit.setOnClickListener(v -> {
    String pwd = editPwd.getText().toString();
    if (checkPwd(pwd)) {
        Toast.makeText(this, "登录成功", Toast.LENGTH_SHORT).show();
    } else {
        Toast.makeText(this, "密码校验失败", Toast.LENGTH_SHORT).show();
    }
});
2: Frida hook
Let's start simple: once the hook is in place, any password you enter passes the check.
The code, pwd.js, is as follows:
Java.perform(function() {
    console.log("hook start");
    var cls = Java.use('com.zh.xpose.Pwd');
    // hook checkPwd
    cls.checkPwd.implementation = function(arg1) {
        console.log("hook checkPwd success");
        // value returned to the original caller
        return true;
    };
});
Run pwd.js:
frida -U -f com.zh.xpose -l /home/zh/workSpace/test/Xpose/app/src/main/java/com/zh/xpose/js/pwd.js
The output is as follows:
     ____
    / _  |   Frida 16.0.2 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to LEX820 (id=6b4a96b2)
Spawned `com.zh.xpose`. Resuming main thread!
[LEX820::com.zh.xpose ]-> hook start
Now enter a password again: whatever you type, the app reports a successful login.
The second approach is to find out what the password is by exhaustive search. The code is as follows:
Java.perform(function() {
    console.log("hook start");
    var cls = Java.use('com.zh.xpose.Pwd');
    // hook checkPwd
    cls.checkPwd.overload("java.lang.String").implementation = function(arg1) {
        console.log('开始破解pwd');
        // brute force: this.checkPwd() calls the original implementation
        for (var i = 0;; i++) {
            var result = this.checkPwd(i.toString());
            if (result) {
                console.log('pwd:', i);
                break;
            }
        }
        return result;
    };
});
Run the script; the output is as follows:
     ____
    / _  |   Frida 16.0.2 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to LEX820 (id=6b4a96b2)
Spawned `com.zh.xpose`. Resuming main thread!
[LEX820::com.zh.xpose ]-> hook start
开始破解pwd
pwd: 123456
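Both hooks above work because the demo's checkPwd() compares against a plaintext constant inside the process and has no limit on how often it can be called. As an added example that is not part of the original post or the demo app, here is a hardened replacement in Java (the class name PwdVerifier, the iteration count and the attempt limit are assumptions of this example). It stores only a salted PBKDF2 hash rather than the password, compares with MessageDigest.isEqual so timing does not leak, and refuses further checks after a fixed number of failures, which blunts the enumeration loop shown in the second script.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Hardened verifier, added as an example; a hypothetical replacement for the
// demo's checkPwd(). Class name, work factor and attempt limit are assumptions.
public class PwdVerifier {
    private static final int ITERATIONS = 100_000;   // PBKDF2 work factor
    private static final int KEY_BITS = 256;         // derived hash length
    private static final int MAX_ATTEMPTS = 5;       // lockout threshold

    private final byte[] salt;
    private final byte[] expectedHash;
    private int failedAttempts = 0;

    // Enrolment: hash the password once with a random salt; no plaintext is kept.
    public PwdVerifier(char[] password) throws GeneralSecurityException {
        this.salt = new byte[16];
        new SecureRandom().nextBytes(this.salt);
        this.expectedHash = derive(password, this.salt);
    }

    private static byte[] derive(char[] password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();  // scrub the copy of the password held by the spec
        }
    }

    // Same role as the demo's checkPwd, but with lockout, a salted hash
    // instead of a constant, and a constant-time comparison.
    public synchronized boolean checkPwd(char[] candidate) throws GeneralSecurityException {
        if (failedAttempts >= MAX_ATTEMPTS) {
            return false;  // locked out: the candidate is not even evaluated
        }
        byte[] actual = derive(candidate, salt);
        boolean ok = MessageDigest.isEqual(expectedHash, actual);
        if (ok) {
            failedAttempts = 0;
        } else {
            failedAttempts++;
        }
        return ok;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed demo secret, reusing the value from the original demo app.
        PwdVerifier v = new PwdVerifier("123456".toCharArray());
        System.out.println("wrong pwd accepted?  " + v.checkPwd("000000".toCharArray()));
        System.out.println("right pwd accepted?  " + v.checkPwd("123456".toCharArray()));
        for (int i = 0; i < MAX_ATTEMPTS; i++) {
            v.checkPwd("111111".toCharArray());  // exhaust the attempt budget
        }
        System.out.println("right pwd after lockout? " + v.checkPwd("123456".toCharArray()));
    }
}
```

The caveat a practitioner should keep in mind: Frida runs inside the app process, so a hook can still force this checkPwd(), or the lockout counter, to return whatever it likes, exactly as the first script does with the demo. The on-device hardening raises the cost and removes the recoverable plaintext from the APK, but the only check a client cannot override is one performed by a server the client does not control, with the app receiving a session token rather than a local boolean.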