参考:
https://blog.csdn.net/Xzike/article/details/123819856
关键代码:
如果 arg2 是 java.util.List 类型的对象,可先用 toArray() 转成数组,再用 java.util.Arrays.toString() 打印其内容:
// Render a java.util.List argument: turn it into a Java array, then let
// java.util.Arrays.toString() format the elements for the message.
var JavaArrays = Java.use('java.util.Arrays');
var listText = JavaArrays.toString(arg2.toArray());
send('arg2 : ' + listText);
完整代码:
# coding=utf-8
# import frida, sys
# reload(sys)
# sys.setdefaultencoding('utf8')
import frida,importlib, sys
# Python 2 leftover: reload(sys) there re-exposed sys.setdefaultencoding (see the
# commented-out lines above). No setdefaultencoding call follows in this version,
# so the reload is kept only because the author wrote it.
importlib.reload(sys)
def on_message(message, data):
    """Frida message callback registered on the script.

    Args:
        message: dict delivered by Frida; its 'type' key selects the branch and,
            for 'send' messages, 'payload' holds what the agent passed to send().
        data: second callback argument; not used here.
    """
    if message['type'] != 'send':
        # Anything that is not a send() payload is dumped as the raw dict.
        print(message)
        return
    print("[*] {0}".format(message['payload']))
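# Frida agent source (JavaScript), injected into the target process by the loader code below.
# 1. Walk the class loaders and select the one that resolves the Cronet class and whose
#    string form mentions "CronetDynamite", so Java.use() looks classes up in that APK.
# 2. Hook AndroidCertVerifyResult.<init>(boolean, List) and, for calls whose stack trace
#    contains "di.b", report the arguments. The hook is observe-only: the arguments are
#    forwarded to the original constructor unchanged, and that constructor runs exactly
#    once per call (the earlier version invoked it twice on the logged path).
jscode = """
Java.perform(function () {
    Java.enumerateClassLoaders({
        onMatch: function (loader) {
            try {
                // cronet apk contains class: org.chromium.net.AndroidNetworkLibrary
                if (loader.findClass("org.chromium.net.AndroidNetworkLibrary")) {
                    // should be: /data/user_de/0/com.google.android.gms/app_chimera/m/00000009/CronetDynamite.apk
                    if (loader.toString().indexOf("CronetDynamite") !== -1) {
                        Java.classFactory.loader = loader;
                        send("loader: " + loader);
                    }
                }
            } catch (error) {
                // Deliberately ignored: a loader that cannot resolve the class is
                // expected to throw here and is simply skipped.
            }
        },
        onComplete: function () {
        }
    });

    // NOTE(review): if no loader matched above, the lookup below runs against the
    // default loader and will presumably throw - confirm on the target device.
    var class_name = 'org.chromium.net.AndroidCertVerifyResult';
    var DymClass = Java.use(class_name);
    DymClass.$init.overload('boolean', 'java.util.List').implementation = function (arg1, arg2) {
        var bt = Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Exception").$new());
        // Only report calls whose stack trace passes through "di.b".
        var matched = bt.indexOf("di.b") !== -1;
        if (matched) {
            console.log("Backtrace:" + bt);
            send('arg1 : ' + arg1);
            var arrays = Java.use('java.util.Arrays');
            // A null list would make toArray() throw inside the hook and break the
            // hooked constructor call, so report it as the text "null" instead.
            send('arg2 : ' + (arg2 === null ? 'null' : arrays.toString(arg2.toArray())));
        }
        // Run the original constructor once and reuse its result for both the
        // 'ret' message and the return value.
        var ret = this.$init(arg1, arg2);
        if (matched) {
            send('ret : ' + ret);
        }
        return ret;
    };
});
"""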
# Attach to the com.google.android.gms process on the USB-connected device.
device = frida.get_usb_device()
process = device.attach('com.google.android.gms')

# Build the script from the agent source and register the message callback
# before loading, so messages sent during load are not missed.
script = process.create_script(jscode)
script.on('message', on_message)

print('[*] Running hooking')
script.load()

# Block on stdin until EOF so the interpreter, and with it the hook, stays alive.
sys.stdin.read()