在对 App 进行逆向分析时,时常不知道如何定位发出网络请求的代码位置。部分 App 是使用自定义框架开发的,想要快速定位这部分代码,可以使用 Frida 对 JNI 的字符串函数(NewStringUTF、GetStringUTFChars)进行 hook,看看能否在调用栈中找到对应位置。
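/**
 * Attach Frida interceptors to the JNI string functions NewStringUTF and
 * GetStringUTFChars. Whenever a string crossing the JNI boundary contains one
 * of the keywords below, print the native backtrace and the Java stack trace
 * of the caller.
 *
 * The two addresses come from findNewStringUtfAddr() and
 * findGetStringUTFCharsAddr(), which are defined elsewhere in this script.
 * A hook is skipped (with a log line) when its address is not resolved.
 *
 * Matching strings are printed in full, so the console output can contain
 * tokens, keys or personal data taken from the inspected process.
 *
 * @returns {void}
 */
function hookNewStringUTF() {
  // Placeholder substrings; replace them with the text you want to trace.
  const keywords = ['target', 'target_str'];

  // readCString() yields null for a NULL pointer, so guard before searching.
  // NOTE(review): readCString() is not a UTF-8 decode; non-ASCII keywords may
  // need a different read call - confirm against the strings being traced.
  const matchesKeyword = (text) =>
    typeof text === 'string' && keywords.some((keyword) => text.includes(keyword));

  // Print where the hooked JNI function was called from, native side first.
  const logCallSite = (label, context) => {
    // Backtracer.FUZZY guesses return addresses from stack contents, so the
    // list may include frames that are not real callers.
    const nativeFrames = Thread.backtrace(context, Backtracer.FUZZY)
      .map(DebugSymbol.fromAddress)
      .join('\n');
    console.log(`${label} called from:\n${nativeFrames}\n`);

    // The Java trace is best effort: it needs a usable Java runtime on the
    // calling thread, and a failure here must not hide the native backtrace.
    try {
      const Throwable = Java.use('java.lang.Throwable');
      const Log = Java.use('android.util.Log');
      console.log(Log.getStackTraceString(Throwable.$new()));
    } catch (err) {
      console.log(`${label}: Java stack trace unavailable: ${err}`);
    }
  };

  const newStringUtfAddr = findNewStringUtfAddr();
  console.log('NewStringUTFAddr', newStringUtfAddr);
  if (newStringUtfAddr != null) {
    Interceptor.attach(newStringUtfAddr, {
      // jstring NewStringUTF(JNIEnv *env, const char *bytes): args[1] is the C string.
      onEnter(args) {
        const bytes = args[1];
        if (bytes.isNull()) {
          return;
        }
        const input = bytes.readCString();
        if (!matchesKeyword(input)) {
          return;
        }
        console.log('<<<<<<<<<<<<<');
        console.log('NewStringUTF input:', input);
        logCallSite('NewStringUTF', this.context);
        console.log('>>>>>>>>>>>>>');
      },
    });
  } else {
    console.log('NewStringUTF address not found; hook skipped');
  }

  const getStringUtfCharsAddr = findGetStringUTFCharsAddr();
  console.log('GetStringUTFCharsAddr', getStringUtfCharsAddr);
  if (getStringUtfCharsAddr == null) {
    console.log('GetStringUTFChars address not found; hook skipped');
    return;
  }

  Interceptor.attach(getStringUtfCharsAddr, {
    // const char *GetStringUTFChars(JNIEnv *env, jstring str, jboolean *isCopy):
    // the decoded string is only available as the return value, hence onLeave.
    onLeave(retval) {
      // The function returns NULL on failure; there is nothing to read then.
      if (retval.isNull()) {
        return;
      }
      const result = retval.readCString();
      if (!matchesKeyword(result)) {
        return;
      }
      console.log('11<<<<<<<<<<<<<');
      console.log('GetStringUTFChars returned:', result);
      logCallSite('GetStringUTFChars', this.context);
      console.log('11>>>>>>>>>>>>>');
    },
  });
}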
可以试试以上方法,看能否定位到发出请求的代码位置。脚本中的 'target'、'target_str' 只是占位符,使用时需要换成请求中已知的特征字符串。