学习总结:
一开始如果我们不确定是哪个系统类调用了该函数,
那么我们就hook常用的系统函数来定位
常用系统相关函数
java.util.HashMap..........的put方法
java.util.ArrayList............的add、addAll、set
android.text.....................的TextUtils.isEmpty
Log
java.util.Collections.........的sort
org.json.JSONObject......的put和getString
android.widget.Toast.......的show
android.util.Base64
加密库相关的hook(自吐算法)
下面我依次写上示例代码
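// Frida script: trace java.util.HashMap.put and, when the key equals
// "username", print the Java call stack plus the key/value pair.
// The printed values are whatever the app stores under that key, so the
// console output can contain plaintext credentials; treat captured logs as
// sensitive data.
Java.perform(function () {
  console.log("test my hook2");
  var HashMap = Java.use("java.util.HashMap");
  console.log("得到我们类的对象");

  // Print the current Java call stack by formatting a freshly created
  // Throwable with android.util.Log.getStackTraceString.
  function showstack() {
    var Log = Java.use("android.util.Log");
    var Throwable = Java.use("java.lang.Throwable");
    console.log(Log.getStackTraceString(Throwable.$new()));
  }

  // Replacement for HashMap.put(key, value); always forwards to the original
  // implementation so the app's behaviour is unchanged.
  HashMap.put.implementation = function (a, b) {
    // HashMap accepts a null key. Calling .equals on null would throw inside
    // the hook and the original put would never run, so guard first.
    if (a !== null && a.equals('username')) {
      showstack();
      console.log("获取hashmap.的类的参数", a, b);
    }
    return this.put(a, b);
  };
});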
java.util.ArrayList............的add、addAll、set
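// Frida script: trace both java.util.ArrayList.add overloads.
// add(int, Object) is logged unconditionally; add(Object) is logged
// unconditionally and additionally dumps the call stack when the element
// equals the filter string below.
Java.perform(function () {
  // One class wrapper is enough for both overloads.
  var ArrayList = Java.use("java.util.ArrayList");

  // Print the current Java call stack by formatting a freshly created
  // Throwable with android.util.Log.getStackTraceString.
  function showstack() {
    var Log = Java.use("android.util.Log");
    var Throwable = Java.use("java.lang.Throwable");
    console.log(Log.getStackTraceString(Throwable.$new()));
  }

  // add(int index, Object element): log the arguments, then forward.
  ArrayList.add.overload('int', 'java.lang.Object').implementation = function (a, b) {
    console.log("关于arraylist的类", a, b);
    return this.add(a, b);
  };

  // add(Object element): log every element, with a stack trace for the one
  // being searched for.
  ArrayList.add.overload('java.lang.Object').implementation = function (b) {
    // ArrayList accepts null elements. Calling .equals on null would throw
    // inside the hook and the original add would never run, so guard first.
    // The filter string is the sample value from the author's session.
    if (b !== null && b.equals("username=15759531734")) {
      showstack();
      console.log("限制的堆栈", b);
    }
    console.log("关于arraylist2的类", b);
    return this.add(b);
  };
});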
android.text.....................的TextUtils.isEmpty
App一般用它检查密码或者姓名是否为空,所以hook它定位字符串很快
// Frida script: hook android.text.TextUtils.isEmpty and dump the Java call
// stack when the checked value matches one specific captured string.
Java.perform(function () {
  var textUtilsClass = Java.use("android.text.TextUtils");
  console.log("得到我们类的对象");

  // The value being searched for (sample captured by the author).
  var wanted = '2v+DC2gq7RuAC8PE5GZz5wH3/y9ZVcWhFwhDY9L19g9iEd075+Q7xwewvfIN0g0ec/NaaF43/S0=';

  // Print the current Java call stack via Log.getStackTraceString on a new
  // Throwable.
  function showstack() {
    var logClass = Java.use("android.util.Log");
    var throwableClass = Java.use("java.lang.Throwable");
    var trace = logClass.getStackTraceString(throwableClass.$new());
    console.log(trace);
  }

  textUtilsClass.isEmpty.implementation = function (a) {
    // Loose equality is kept on purpose: `a` is not a plain JS string here,
    // and the match presumably relies on coercion to its string form.
    // NOTE(review): confirm against the Frida version in use.
    var matches = (a == wanted);
    if (matches) {
      showstack();
      console.log("获取TextUtils.的类的参数", a);
    }
    // Always forward so the app sees the real result.
    return this.isEmpty(a);
  };
});
Log:正规的公司一般不会留下这种日志输出的疏漏,让对方借此发现自己的代码逻辑。
// Frida script: log every android.util.Log.w(String, String) call.
// Log tags and messages can carry sensitive runtime data, so captured output
// should be handled accordingly.
Java.perform(function () {
  var androidLog = Java.use("android.util.Log");
  console.log("得到我们类的对象");

  // Print the current Java call stack. Not called by the hook below; it is
  // kept so a filter can be added (compare `a` with a tag of interest and
  // call showstack() on a match).
  function showstack() {
    var logClass = Java.use("android.util.Log");
    var throwableClass = Java.use("java.lang.Throwable");
    console.log(logClass.getStackTraceString(throwableClass.$new()));
  }

  // Select the two-String overload explicitly; Log.w has several.
  var warnOverload = androidLog.w.overload('java.lang.String', 'java.lang.String');
  warnOverload.implementation = function (a, c) {
    console.log("获取log.的类的参数", a, c);
    // Forward to the original so the app's logging still happens.
    return this.w(a, c);
  };
});
java.util.Collections.........的sort
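// Frida script: trace both java.util.Collections.sort overloads and print the
// list being sorted (plus the call stack for the single-argument overload).
Java.perform(function () {
  var Collections = Java.use("java.util.Collections");
  console.log("得到我们类的对象");

  // Print the current Java call stack by formatting a freshly created
  // Throwable with android.util.Log.getStackTraceString.
  function showstack() {
    var Log = Java.use("android.util.Log");
    var Throwable = Java.use("java.lang.Throwable");
    console.log(Log.getStackTraceString(Throwable.$new()));
  }

  // Render the list argument for logging.
  // The original cast the argument with Java.use("java.util.Arraylist"); that
  // class name is misspelled (the class is java.util.ArrayList), so the lookup
  // fails inside the hook and the original sort is never reached. A cast is
  // not needed to call toString(), and a cast to ArrayList would also reject
  // lists of any other implementation, so the argument is used as-is.
  function describeList(list) {
    return list === null ? "null" : list.toString();
  }

  // sort(List): dump the stack and the list contents, then forward.
  Collections.sort.overload('java.util.List').implementation = function (a) {
    showstack();
    console.log("collection.sor的hook", describeList(a));
    return this.sort(a);
  };

  // sort(List, Comparator): log the list contents and the comparator, then
  // forward.
  Collections.sort.overload('java.util.List', 'java.util.Comparator').implementation = function (a, b) {
    var listText = describeList(a);
    console.log("collection.sor的hook", listText);
    console.log("获取log.的类的参数", listText, b);
    return this.sort(a, b);
  };
});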
org.json.JSONObject......的put和getString
涉及到加密算法的
// Frida script: trace org.json.JSONObject.put(String, Object) and
// JSONObject.getString. put prints the call stack and both arguments;
// getString prints only the requested key.
Java.perform(function () {
  var jsonClass = Java.use("org.json.JSONObject");

  // Print the current Java call stack via Log.getStackTraceString on a new
  // Throwable.
  function showstack() {
    var logClass = Java.use("android.util.Log");
    var throwableClass = Java.use("java.lang.Throwable");
    var trace = logClass.getStackTraceString(throwableClass.$new());
    console.log(trace);
  }

  // JSONObject.put has several overloads; pick the (String, Object) one.
  var putObject = jsonClass.put.overload('java.lang.String', 'java.lang.Object');
  putObject.implementation = function (a, b) {
    showstack();
    console.log("我是jsonobject在hook", a, "我是另外一个对象", b);
    // Forward to the original and hand its result back to the caller.
    return this.put(a, b);
  };

  jsonClass.getString.implementation = function (a) {
    console.log("我是另外一个a", a);
    // The looked-up value is returned unchanged and is not logged.
    return this.getString(a);
  };
});
android.widget.Toast.......的show
// Frida script: print the Java call stack every time android.widget.Toast.show
// runs, which reveals the code path that displayed the message.
Java.perform(function () {
  var toastClass = Java.use("android.widget.Toast");

  // Print the current Java call stack via Log.getStackTraceString on a new
  // Throwable.
  function showstack() {
    var logClass = Java.use("android.util.Log");
    var throwableClass = Java.use("java.lang.Throwable");
    var trace = logClass.getStackTraceString(throwableClass.$new());
    console.log(trace);
  }

  toastClass.show.implementation = function () {
    showstack();
    console.log("toast.show:");
    // Forward so the toast is still displayed.
    return this.show();
  };
});
java.lang.Throwable
at android.widget.Toast.show(Native Method)
at com.dodonew.online.util.ToastMsg.showToastMsg(ToastMsg.java:66)
at com.dodonew.online.base.ProgressActivity.showToast(ProgressActivity.java:81)
at com.dodonew.online.ui.LoginActivity$2.onResponse(LoginActivity.java:156)
at com.dodonew.online.ui.LoginActivity$2.onResponse(LoginActivity.java:145)
at com.dodonew.online.http.JsonBaseRequest.deliverResponse(JsonBaseRequest.java:25)
at com.android.volley.ExecutorDelivery$ResponseDeliveryRunnable.run(ExecutorDelivery.java:99)
at android.os.Handler.handleCallback(Handler.java:938)
at android.os.Handler.dispatchMessage(Handler.java:99)
at android.os.Looper.loop(Looper.java:233)
at android.app.ActivityThread.main(ActivityThread.java:8068)
at java.lang.reflect.Method.invoke(Native Method)
at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:631)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:978)
toast.show:
android.util.Base64
// Frida script: trace android.util.Base64.encodeToString(byte[], int).
// Prints the call stack, the input bytes and the encoded result. The input is
// whatever the app is about to encode, so the output may hold sensitive
// payloads; handle captured logs accordingly.
Java.perform(function () {
  var base64Class = Java.use("android.util.Base64");

  // Print the current Java call stack via Log.getStackTraceString on a new
  // Throwable.
  function showstack() {
    var logClass = Java.use("android.util.Log");
    var throwableClass = Java.use("java.lang.Throwable");
    var trace = logClass.getStackTraceString(throwableClass.$new());
    console.log(trace);
  }

  // '[B' is the JNI type signature for byte[].
  var encodeBytes = base64Class.encodeToString.overload('[B', 'int');
  encodeBytes.implementation = function (a, b) {
    showstack();
    // `a` is a byte array, so JSON.stringify is used to print its elements.
    var inputDump = JSON.stringify(a);
    console.log("返回我们base64的字符串:", inputDump);
    var encoded = this.encodeToString(a, b);
    console.log("返回的最后结果是", encoded);
    // Hand the real result back so the app's behaviour is unchanged.
    return encoded;
  };
});
得到的结果是(从堆栈可以看到调用来自 com.dodonew.online.util.DesSecurity.encrypt64,也就是加密逻辑所在的位置)
java.lang.Throwable
at android.util.Base64.encodeToString(Native Method)
at com.dodonew.online.util.DesSecurity.encrypt64(DesSecurity.java:49)
at com.dodonew.online.http.RequestUtil.encodeDesMap(RequestUtil.java:129)
at com.dodonew.online.http.JsonRequest.addRequestMap(JsonRequest.java:113)
at com.dodonew.online.ui.LoginActivity.requestNetwork(LoginActivity.java:161)
at com.dodonew.online.ui.LoginActivity.login(LoginActivity.java:134)
at com.dodonew.online.ui.LoginActivity.onClick(LoginActivity.java:103)
at android.view.View.performClick(View.java:7520)
at android.view.View.performClickInternal(View.java:7489)
at android.view.View.access$3600(View.java:826)
at android.view.View$PerformClick.run(View.java:28555)
at android.os.Handler.handleCallback(Handler.java:938)
at android.os.Handler.dispatchMessage(Handler.java:99)
at android.os.Looper.loop(Looper.java:233)
at android.app.ActivityThread.main(ActivityThread.java:8068)
at java.lang.reflect.Method.invoke(Native Method)
at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:631)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:978)
返回我们base64的字符串: [52,-117,51,106,-95,79,-94,-51,111,119,74,69,-88,-87,65,-29,99,105,-26,43,79,-59,-93,71,-1,-15,67,-79,25,-27,5,-8,11,-30,87,21,-58,53,-30,-117,-11,13,113,-43,-40,50,77,4,29,-42,-35,-63,16,-58,0,51,-52,-32
,80,65,-10,-22,-77,39,70,-101,-125,33,-66,-113,-92,54,106,-101,4,-64,88,-54,118,-5,-38,-46,55,-86,69,15,-123,-116,77,-78,-34,86,-91,-9,125,37,-44,123,-1,116,48,-43,-79,-90,100,-85,43,-56,-44,-52,-68,26,-53,27,76,-10,-48,-19,-87,
-34,18,127,122,-52,111,-125,-10,-49,-38,88,-74,33,-60,-82,-112,-21,-108,-103,21,43,116,-119,102,115,-8,21,90,-7,75,-69,-118,124,98,122,90,56,118,79,7,111,-19,15,104,-42,59,-82,-22,66]
返回的最后结果是 NIszaqFPos1vd0pFqKlB42Np5itPxaNH//FDsRnlBfgL4lcVxjXii/UNcdXYMk0EHdbdwRDGADPM
4FBB9uqzJ0abgyG+j6Q2apsEwFjKdvva0jeqRQ+FjE2y3lal930l1Hv/dDDVsaZkqyvI1My8Gssb
TPbQ7aneEn96zG+D9s/aWLYhxK6Q65SZFSt0iWZz+BVa+Uu7inxielo4dk8Hb+0PaNY7rupC