I. Environment
- Python 3.0 or above: this post does not use Python programming directly; pip is only needed to download frida-tools, so if you download the tool package below, no Python environment is required
- adb environment: operate the phone from the PC command line
- frida command environment: run frida commands from the command line
- dex2jar: converts dex files into jar files
- jd-gui: decompiles jar files into Java source files
- root
- frida-server (the server side of frida, running on the phone)
Tool package (frida-tools, adb, dex2jar, jd-gui):
- Link: https://pan.baidu.com/s/1KTT-cTMhW3osm7nTUw5gWQ
- Extraction code: lgll
- Note: after downloading it you can skip straight to step 4 of the procedure; no Python environment is needed
II. Steps
1. Install a Python environment on Windows (3.0 or above; look it up on Baidu)
- 3.1 In cmd, install frida and frida-tools with Python's 'pip' command
```cmd
> pip install frida
> pip install frida-tools
```
- 3.2 Check that the installation succeeded by running
```cmd
frida --version
```
- 4.1 Connect the phone with adb (a wired connection is used here: connect the phone to the PC over USB and enable "USB debugging" in Developer options), then enter the following in cmd (mind the cmd working directory):
```cmd
adb tcpip 5555
```
- 4.2 Download the frida server build for your CPU architecture and extract it (arm is usually fine; for my Redmi Note 7 I downloaded arm64)
You can check the CPU architecture with adb (if it reports AArch64, download arm64):
```cmd
adb shell cat /proc/cpuinfo
```
Download link: https://github.com/frida/frida/releases
- 4.3 Run the following commands in order to push frida-server to the phone
```cmd
> adb root
> adb push frida-server /data/local/tmp/frida-server
> adb shell "chmod 755 /data/local/tmp/frida-server"
```
- 5.1 Pack the apk file into a rar archive, double-click to open the archive, then double-click the apk file inside it
- 5.2 Open assets/project/; main.js and the other files there are the scripts we are after, but at this point the js files are garbled when opened because they are encrypted
- 5.3 Instead of decrypting main.js directly, we use hooking, so go back up one level (the root directory) and take the classes.dex file
- 5.4 In cmd, use dex2jar to convert classes.dex into classes-dex2jar.jar (mind the working directory when running d2j-dex2jar.bat, otherwise you get "'d2j-dex2jar.bat' is not recognized as an internal or external command")
```cmd
d2j-dex2jar.bat classes.dex
```
- 5.5 Open the jar file with jd-gui and decompile the class files in it to get the Java sources
- 5.6 Find where the decryption-related keyword decrypt occurs
- 5.7 Confirm that decrypt is the method that decrypts the script files and note the method's fully qualified name (com.stardust.autojs.engine.encryption.ScriptEncryption.decrypt)
- Note: as you can see, the return value of the decrypt method above actually comes from a decrypt method in another class; we could also follow that call and use that method's full path instead, and the end result is the same.
6. Write the frida hook script to obtain the decrypted auto.js script files
- 6.1 Using the full path of the decryption method obtained above (com.stardust.autojs.engine.encryption.ScriptEncryption.decrypt), write the frida hook script; save the code below as decrypt.js
```javascript
if (Java.available) {
    Java.perform(function () {
        // Render a Java byte[] as a decimal list, e.g. {34,117,105,...}
        function bytesToString(bytes) {
            var parts = [];
            for (var i = 0; i < bytes.length; i++) {
                parts.push(bytes[i]);
            }
            return "{" + parts.join(",") + "}";
        }
        var scriptEncryption = Java.use("com.stardust.autojs.engine.encryption.ScriptEncryption");
        // Hook the decrypt(byte[], int, int) overload: call the original, log its result, pass it through unchanged
        scriptEncryption.decrypt.overload('[B', 'int', 'int').implementation = function (paramArrayOfByte, paramInt1, paramInt2) {
            var bytes = this.decrypt(paramArrayOfByte, paramInt1, paramInt2);
            // The result is the decrypted script as a decimal byte array (Java bytes are signed: -128..127)
            console.log("bytes is:" + bytesToString(bytes));
            return bytes;
        };
    });
}
```
- 6.2 In cmd, start frida-server on the phone; once it starts it stays in a waiting state (Ctrl+C to stop)
```cmd
adb shell '/data/local/tmp/frida-server'
```
If adb root failed earlier, change this to
```cmd
adb shell 'su -c /data/local/tmp/frida-server'
```
- 6.3 Run the target script app on the phone
- 6.4 Open a new cmd window in the frida directory and inject the decrypt.js script you wrote (com.nys.fridatest is the package name of the target script app, which can be found with the auto.js floating window)
```cmd
frida -U -l decrypt.js com.nys.fridatest --no-pause
```
- 6.5 Quit the app on the phone and launch it again; the target app's decrypted js script is then printed (as a decimal byte array)
There are many ways to turn a byte array into a UTF-8 String; with my limited skill I could not get it done in js, so here is the result parsed with Java:
```java
import java.nio.charset.StandardCharsets;

public class Bytes2String {
    public static void main(String[] args) {
        // Paste the decimal byte array printed by the hook here (truncated in the post)
        byte[] b = { 34, 117, 105, 34, 59, 13, 10, 118 /* ... */ };
        // Decode the bytes as UTF-8 to recover the script text
        System.out.println(new String(b, StandardCharsets.UTF_8));
    }
}
```
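The same byte-array-to-string step done in JavaScript, as an added example that is not part of the original post; it assumes the decimal `{…}` format printed by the hook above (the `SAMPLE_LINE` is constructed) and uses Node's built-in `TextDecoder`:

```javascript
// Added example, not from the original post: decode the "{34,117,...}" lines the decrypt
// hook prints into the script text, without a detour through Java.
// Java bytes are signed (-128..127): any byte above 127 arrives as a negative number and
// must be masked with & 0xff before UTF-8 decoding, or all non-ASCII text comes out garbled.

// Constructed sample of one hook output line: "ui";\r\n followed by the character 中
// (UTF-8 e4 b8 ad, which Java prints as -28,-72,-83) and a trailing 0 sentinel.
const SAMPLE_LINE = 'bytes is:{34,117,105,34,59,13,10,-28,-72,-83,0}';

// Pull the decimal list out of the braces and convert each value to an unsigned byte.
function parseByteList(line) {
  const match = /\{([-0-9,\s]*)\}/.exec(line);
  if (!match) {
    throw new Error('no {...} byte list found in: ' + line);
  }
  const values = match[1].split(',').map((s) => s.trim()).filter((s) => s.length > 0);
  return Uint8Array.from(values, (s) => {
    const n = Number(s);
    if (!Number.isInteger(n) || n < -128 || n > 255) {
      throw new Error('not a byte value: ' + s);
    }
    return n & 0xff; // signed Java byte -> 0..255
  });
}

// Drop trailing NUL bytes: a hook that appends "0}" to avoid a dangling comma leaves one,
// and a script file never legitimately ends in NUL.
function stripTrailingNul(bytes) {
  let end = bytes.length;
  while (end > 0 && bytes[end - 1] === 0) end--;
  return bytes.subarray(0, end);
}

// Whole pipeline: hook output line -> decoded script text. fatal:true makes invalid UTF-8
// throw instead of silently becoming U+FFFD, which would hide a wrong overload or a
// partially decrypted buffer.
function decodeHookLine(line) {
  const decoder = new TextDecoder('utf-8', { fatal: true });
  return decoder.decode(stripTrailingNul(parseByteList(line)));
}

console.log(JSON.stringify(decodeHookLine(SAMPLE_LINE))); // → "\"ui\";\r\n中"
```

Pipe the frida console output through this line by line to write the recovered script to a file instead of pasting the array into a Java source.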