之前在github看了r0ysue大佬的frida系列教程,于是想来实践一下。
DDCTF2018-HelloBabyDex
这道题涉及到了APK的热修复,目前还没有怎么接触,之后得深入一下。
这道题在Mainactivity的onCreate函数中调用了Joseph函数,并把它的返回值拼接作为flag
String v9 = this.Joseph(1, 2);
super.onCreate(arg13);
this.setContentView(0x7F09001B); // layout:activity_main
this.runRobust();
SignCheck v10 = new SignCheck(this, this, "1B:D0:4A:9D:B5:A9:84:93:7E:79:27:9C:6C:C4:14:AB:DD:B0:75:7F");
v10.check();
Debug.isDebuggerConnected();
View v8 = this.findViewById(0x7F07003D); // id:input_text
EditText v8_1 = (EditText)v8;
View v7 = this.findViewById(0x7F070026); // id:check_btn
Button v7_1 = (Button)v7;
cn.chaitin.geektan.crackme.MainActivity.1 v0_3 = new View.OnClickListener() {
public static ChangeQuickRedirect changeQuickRedirect;
@Override // android.view.View$OnClickListener
public void onClick(View arg9) {
Object[] v0 = new Object[1];
v0[0] = arg9;
ChangeQuickRedirect v2 = cn.chaitin.geektan.crackme.MainActivity.1.changeQuickRedirect;
Class[] v5 = new Class[1];
Class v1 = View.class;
v5[0] = v1;
Class v6 = Void.TYPE;
boolean v0_1 = PatchProxy.isSupport(v0, this, v2, false, 18, v5, v6);
if(v0_1) {
Object[] v0_2 = new Object[1];
v0_2[0] = arg9;
ChangeQuickRedirect v2_1 = cn.chaitin.geektan.crackme.MainActivity.1.changeQuickRedirect;
Class[] v5_1 = new Class[1];
Class v1_1 = View.class;
v5_1[0] = v1_1;
Class v6_1 = Void.TYPE;
PatchProxy.accessDispatch(v0_2, this, v2_1, false, 18, v5_1, v6_1);
}
else {
EditText v0_3 = v8_1;
Editable v0_4 = v0_3.getText();
boolean v0_5 = TextUtils.isEmpty(v0_4);
if(v0_5) {
label_31:
MainActivity v0_12 = MainActivity.this;
Toast v0_13 = Toast.makeText(v0_12, "大佬莫急!再试试!", 0);
v0_13.show();
}
else {
EditText v0_6 = v8_1;
Editable v0_7 = v0_6.getText();
String v0_8 = v0_7.toString();
StringBuilder v1_2 = new StringBuilder();
StringBuilder v1_3 = v1_2.append("DDCTF{");
String v2_2 = v9;
StringBuilder v1_4 = v1_3.append(v2_2);
StringBuilder v1_5 = v1_4.append("}");
String v1_6 = v1_5.toString();
boolean v0_9 = v0_8.equals(v1_6);
if(!v0_9) {
goto label_31;
}
MainActivity v0_10 = MainActivity.this;
Toast v0_11 = Toast.makeText(v0_10, "恭喜大佬!密码正确!", 0);
v0_11.show();
}
}
}
};
v7_1.setOnClickListener(v0_3);
可以看到v9参与了之后的拼接以及equals操作,于是我们这里可以使用frida直接来进行hook
hook equals函数的话,可以直接出flag,hook Joseph函数的话,可以出flag中的字符串,拼接起来。
上脚本:
import frida, sys
source = """
Java.perform(function() {
var clazz = Java.use('cn.chaitin.geektan.crackme.MainActivity');
clazz.Joseph.implementation = function() {
var msg = clazz.Joseph.apply(this, arguments);
send(msg);
return msg;
}
var clazzz = Java.use('java.lang.String');
clazzz.equals.implementation = function() {
var msg = clazzz.equals.apply(this, arguments);
var ret = clazzz.valueOf.apply(this,arguments);
if(ret.indexOf("DDCTF")!=-1)
send(ret);
return msg;
}
});
"""
def on_message(message, data):
if message['type'] == 'send':
print("[*] {0}".format(message['payload']))
else:
print(message)
process = frida.get_usb_device().attach('cn.chaitin.geektan.crackme')
script = process.create_script(source)
script.on('message', on_message)
script.load()
sys.stdin.read()
可以看到,Joseph函数只调用了一次,但输出了两次,这就是热补丁的结果。
hook equals函数后,再加以筛选,直接出flag!
RCTF2015(FlagSystem)
这道题看了奈沙夜影的wp,他是用xposed实现的,这里我使用了frida
引用大佬的分析过程,这里只给出frida实现。
https://blog.csdn.net/whklhhhh/article/details/89118707
上脚本:
#!/usr/bin/env python2
# -*- coding: utf-8 -*-
import frida , sys#select book_author,book_name from books_table
jscode = """
Java.perform(function () {
send("Hook start..");
var test = Java.use('com.example.mybackup.Test');
var k;
test.getSign.implementation = function () {
send("getSign Function implemented");
k = test.getSign.apply(this,arguments);
send("Password is : " + k);
return k;
}
var demo = Java.use('com.example.mybackup.BooksDB');
var db;
demo.getReadableDatabase.implementation = function (k) {
send("getReadableDatabase Function implemented");
db = this.getReadableDatabase(k);
if(db != null)
send('DB got');
var S = Java.use("java.lang.String");
var sql = S.$new("select book_author,book_name from books_table");
var cursor = db.rawQuery(sql,null);
if(cursor!=null)
send('cursor got');
/*cursor.getString(0);
while(cursor.moveToNext()) {
send("Result : " + cursor.getString(0));
}
Java.choose("net.sqlcipher.Cursor" , {
onMatch : function(instance){
console.log("Found instance: "+instance);
},
onComplete:function(){}
});*/
var class_cursor = Java.use("android.database.Cursor");
cursor = Java.cast(cursor,class_cursor);
while(cursor.moveToNext()) {
send("Result : " + cursor.getString(0));
}
return db;
}
demo.$init.implementation = function (a) {
send("$init Function implemented");
return this.$init(a);
}
});
"""
def on_message(message, data):
if message['type']=='send':
print("[*] {0}".format(message['payload']))
else:
print(message)
device = frida.get_usb_device()
pid = device.spawn(['com.example.mybackup'])
process = device.attach(pid)
script = process.create_script(jscode)
script.on("message", on_message)
script.load()
device.resume(pid)
sys.stdin.read()
这里说明一下与上一个frida脚本的区别,这道题需要拿到sqlite的db,所以需要hook getReadableDatabase这个函数,这个函数在构造函数中所以需要在APK刚运行时插桩,使用了spawn。
拿到db之后就容易了,再获取到cursor,读取数据库就好了。
这里还有一个坑点,由于这个apk使用了sqlcipher库,这个库中的cursor是经过包装的接口,真正的Cursor.moveToNext等函数在AbstractCursor中实现,这里直接拿到cursor的话,调用
cursor.moveToNext会报错,所以需要强制cast成android.database.Cursor这个类型才行。当时尝试了直接获取AbstractCursor的instance和获取cursor的instance都不可以。。
最终效果:
不得不说,frida真的是神器。
来源:https://www.cnblogs.com/basstorm/p/12641393.html