*.前置条件
- frida 服务
- python支持库 fastapi,uvicorn,frida
1. 开启服务
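# 指定监听地址和端口(原文称“非标准端口”;27042 实际是 frida-server 的默认端口)
# 注意:0.0.0.0 会在所有网卡上监听,而 frida-server 默认不做身份认证,只应在隔离的测试网络中这样启动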
adb shell
su
./data/local/tmp/fsarm64 -l 0.0.0.0:27042
2. 执行python脚本
# 方法1. 在 PyCharm 中选择安装了 frida 的那个 Python 解释器,直接运行该文件,可省略以下步骤
# 方法2. 另起cmd 进入这个环境
workon frida
# 进入到FridaHook路径
cd /d D:\Project\AndroidSecurity\FridaHook
# 执行python代码
python main.py
3. main.py
# -*- coding: UTF-8 -*-
from fastapi import FastAPI
import uvicorn
import frida
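# Frida agent source (JavaScript) that is loaded into the attached process.
# It exposes a single RPC export, rpcHook(username, passward), which:
#   1. builds the form-style string to be signed and hashes it with the app's
#      own Utils.md5, upper-casing the result;
#   2. builds the JSON request body carrying that signature;
#   3. passes the body to the app's RequestUtil.encodeDesMap and returns
#      whatever that call returns.
# The request body is serialised with JSON.stringify instead of string
# concatenation, so a quote or backslash in the username/password is escaped
# and cannot break out of its field or add extra JSON keys. For inputs
# without such characters the output is identical to the concatenated form
# (JSON.stringify keeps insertion order and emits no whitespace).
# NOTE(review): the agent logs the signature and the encoded payload with
# console.log; treat that output as sensitive.
jsCode = """
function hookTest(username, passward) {
    var result;
    Java.perform(function () {
        // The live clock value is immediately replaced by a fixed timestamp,
        // so every generated request carries the same timeStamp.
        var time = new Date().getTime();
        time = '1597582774344';
        var string = Java.use('java.lang.String');
        var signData = string.$new('equtype=ANDROID&loginImei=Android352689082129358&timeStamp=' +
            time + '&userPwd=' + passward + '&username=' + username + '&key=sdlkjsdljf0j2fsjk');
        var Utils = Java.use('com.dodonew.online.util.Utils');
        var sign = Utils.md5(signData).toUpperCase();
        console.log('sign: ', sign);
        // String(...) keeps every value a JSON string, as the concatenated
        // version always emitted quoted values.
        var encryptData = JSON.stringify({
            equtype: 'ANDROID',
            loginImei: 'Android352689082129358',
            sign: String(sign),
            timeStamp: String(time),
            userPwd: String(passward),
            username: String(username)
        });
        var RequestUtil = Java.use('com.dodonew.online.http.RequestUtil');
        var Encrypt = RequestUtil.encodeDesMap(encryptData, '65102933', '32028092');
        console.log('Encrypt: ', Encrypt);
        result = Encrypt;
    });
    return result;
}
rpc.exports = {
    rpcHook: hookTest
};
"""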
# Attach to the target app through the remote frida-server, then load the
# agent defined in jsCode.
# NOTE(review): the device address is hard-coded, and the connection is plain
# TCP to a frida-server that (as started in this guide) performs no
# authentication -- keep both ends on an isolated test network.
device_manager = frida.get_device_manager()
remote_device = device_manager.add_remote_device('192.168.1.18:27042')
process = remote_device.attach("com.dodonew.online")

# Create the script object from the agent source, announce it, and load it so
# its rpc.exports become callable from Python.
script = process.create_script(jsCode)
print('[*] Running 调用frida脚本')
script.load()

# Web application object that the route below registers on.
app = FastAPI()
@app.get("/get")  # note: the URL path itself declares no parameters
async def getEchoApi(item_id, item_user, item_pass):
    """Forward a username/password pair to the loaded Frida agent.

    None of the three arguments appear in the route path, so FastAPI treats
    them as query-string parameters.

    Args:
        item_id: Caller-chosen identifier, echoed back unchanged.
        item_user: Username handed to the agent's rpcHook export.
        item_pass: Password handed to the agent's rpcHook export.

    Returns:
        A dict with ``item_id`` and ``item_retval`` (the value returned by
        the RPC call).

    NOTE(review): the password travels in the GET query string, where it is
    commonly recorded by access logs and proxies, and the route has no
    authentication of its own. The RPC call is synchronous, so it blocks the
    event loop for as long as the agent takes to answer.
    """
    # Remote procedure call into the injected script.
    rpc_retval = script.exports.rpcHook(item_user, item_pass)
    response = {"item_id": item_id, "item_retval": rpc_retval}
    return response
if __name__ == '__main__':
    # host is spelled out for clarity: 127.0.0.1 is uvicorn's default, so the
    # API is reachable from the local machine only. Widening it would expose
    # an unauthenticated endpoint.
    uvicorn.run(app, host="127.0.0.1", port=8080)
4. 总结
-
相对于 xposed 模块,frida 在高并发下不够稳定,但搭建和实现相对较快,可以适用于轻量级生产环境。注意:该接口本身没有任何鉴权,且密码通过 GET 查询参数传递,容易被写入访问日志,部署时应只监听本机或受信网络。
-
python服务端
- 调用方法
http://127.0.0.1:8080/get?item_id=1&item_user=13333333333&item_pass=a12345678