Frida 创建任意类型的数组
参考:
https://zyzling.gitee.io/2020/05/12/Frida%E5%AD%A6%E4%B9%A0%E7%AC%94%E8%AE%B0/#Frida%E5%88%9B%E5%BB%BA%E4%BB%BB%E6%84%8F%E7%B1%BB%E5%9E%8B%E7%9A%84%E6%95%B0%E7%BB%84
使用 Java.array(type, elements) 可以创建指定元素类型的 Java 数组。例如,要创建元素类型为 "Ljava.security.cert.X509Certificate;" 的数组,代码如下:
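// arg1 is the hooked argument: a Java array of type "[Ljava.security.cert.X509Certificate;".
// The elements are handed to Java.array() directly. Assigning a JS array literal to the
// variable afterwards would replace the typed array with a plain JS array instead of
// filling it, so the Java.array() call would have no effect.
// Assumes the hooked chain holds at least three certificates, as in the original snippet.
var ArrayX509Certificate = Java.array("Ljava.security.cert.X509Certificate;", [arg1[0], arg1[1], arg1[2]]);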
完整代码如下(hook X509TrustManagerExtensions.checkServerTrusted:第一次命中时保存传入的证书链,之后命中时用保存的证书链代替实际传入的证书链进行校验):
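// Frida hook on android.net.http.X509TrustManagerExtensions.checkServerTrusted(
//   X509Certificate[] chain, String authType, String host).
//
// Only calls whose Java stack trace contains "dh.a" and whose host argument contains
// "www.googleapis.com" are touched. The first such call records the certificate chain
// it was given and validates it unchanged. Every later matching call validates the
// recorded chain instead of the chain actually passed in, so from then on the result
// (including the returned chain) describes the recorded certificates, not the peer
// that is really on the wire for that connection.
//
// NOTE(review): Java.use() is assumed to run inside Java.perform(...) — confirm in the loader.
var class_name = 'android.net.http.X509TrustManagerExtensions';
var DymClass = Java.use(class_name);
var ArrayX509Certificate = Java.array("Ljava.security.cert.X509Certificate;", []);

// Number of matching calls already recorded (0 = nothing stored yet, 1 = chain stored).
// The original listing read `time` without declaring it anywhere in view, which throws a
// ReferenceError on the first matching call unless the name is defined elsewhere.
var time = 0;

DymClass.checkServerTrusted.overload('[Ljava.security.cert.X509Certificate;', 'java.lang.String', 'java.lang.String').implementation = function (arg1, arg2, arg3) {
  // Capture the current Java call stack so the hook can be limited to one caller.
  var bt = Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Exception").$new());

  // A null host cannot match; guarding it keeps the hook from throwing inside the
  // app's trust check.
  var isTargetCall = arg3 !== null &&
    bt.indexOf("dh.a") !== -1 &&
    arg3.indexOf("www.googleapis.com") !== -1;

  if (!isTargetCall) {
    // Everything else goes through the original implementation untouched.
    return this.checkServerTrusted(arg1, arg2, arg3);
  }

  send('hooked');
  console.log("Backtrace:" + bt);
  send('orin arg1 : ' + arg1);
  send('orin arg2 : ' + arg2);
  send('orin arg3 : ' + arg3);

  if (time === 0) {
    // First matching call: remember the chain, then validate it as presented.
    send('1st time ');
    time = time + 1;

    // Copy the whole chain rather than a fixed three elements, so shorter chains do not
    // produce undefined entries and longer ones are not truncated.
    var storedChain = [];
    for (var i = 0; i < arg1.length; i++) {
      storedChain.push(arg1[i]);
    }
    ArrayX509Certificate = Java.array("Ljava.security.cert.X509Certificate;", storedChain);

    send('new arg1 : ' + ArrayX509Certificate);
    return this.checkServerTrusted(arg1, arg2, arg3);
  }

  if (time === 1) {
    // Later matching calls: the recorded chain is validated in place of arg1.
    // `time` is not advanced here, so this branch handles all subsequent matches.
    send('2nd time ');
    send('new arg1 : ' + ArrayX509Certificate);
    return this.checkServerTrusted(ArrayX509Certificate, arg2, arg3);
  }

  // Defensive fallback: never return undefined from a method that must return a List.
  return this.checkServerTrusted(arg1, arg2, arg3);
};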