Frida Hook: First Hands-On Practice

While working on CTF challenges from adworld (攻防世界), I saw some experts doing things with Frida, so I followed their approach and tried it out myself.
ill-intentions (Native hook)

adworld challenge: ill-intentions
Install everything that needs installing: frida, frida-server and objection.
Connect to the device over adb.
Since the APK was not modified, the Intent triggered by the button does not show up, so launch the activity manually with objection:
```
objection -g com.example.hellojni explore
android intent launch_activity com.example.application.IsThisTheRealOne
```
The result is as follows:
Attach the expert's script for hooking the Native (JNI) functions:
```javascript
function main() {
    // Read a Java string (jstring) through JNI and return it as a JS string.
    function getjstring(jstr) {
        return Java.vm.getEnv().getStringUtfChars(jstr, null).readCString();
    }
    Java.perform(function () {
        var so_addr = Module.findBaseAddress("libhello-jni.so");
        var perhapsThis_addr = Module.findExportByName("libhello-jni.so",
            "Java_com_example_application_IsThisTheRealOne_perhapsThis");
        console.log("perhapsThis_addr", perhapsThis_addr);
        // JNI calling convention: args[0] = JNIEnv*, args[1] = jobject this,
        // args[2..] = the Java-side parameters (all jstrings here).
        Interceptor.attach(perhapsThis_addr, {
            onEnter: function (args) {
                console.log("perhapsThis_args:[1]", getjstring(args[2]),
                    "\n [2]", getjstring(args[3]),
                    "\n [3]", getjstring(args[4]), "\n");
            },
            onLeave: function (retval) {
                console.log("perhapsThis_result:", getjstring(retval));
            },
        });
        Interceptor.attach(Module.findExportByName("libhello-jni.so",
            "Java_com_example_application_ThisIsTheRealOne_orThat"), {
            onEnter: function (args) {
                console.log("orThat_args:[1]", getjstring(args[2]),
                    "\n [2]", getjstring(args[3]),
                    "\n [3]", getjstring(args[4]), "\n");
            },
            onLeave: function (retval) {
                console.log("orThat_result:", getjstring(retval));
            },
        });
        Interceptor.attach(Module.findExportByName("libhello-jni.so",
            "Java_com_example_application_DefinitelyNotThisOne_definitelyNotThis"), {
            onEnter: function (args) {
                console.log("definitelyNotThis_args:[1]", getjstring(args[2]),
                    "\n [2]", getjstring(args[3]), "\n");
            },
            onLeave: function (retval) {
                console.log("definitelyNotThis_result:", getjstring(retval));
            },
        });
    });
}
setImmediate(main);
```
The flag comes out.
ill-intentions (Java hook)

GDA, made by the experts at Kanxue (看雪), is great to use!
Again, because the APK was not modified, the Intent triggered by the button does not show up, so launch it manually with objection once more, then find the corresponding process and inject.
A mouse click is all it takes to complete the operation.
Press the BroadcastIntent button in the middle and the flag is hooked out.
Injecting directly with Objection

It turned out the GDA route was a detour; why not just inject with Objection directly?
```
objection -g com.example.hellojni explore
# then, inside the objection CLI:
android intent launch_activity com.example.application.IsThisTheRealOne
android hooking watch class_method android.content.Intent.putExtra --dump-return --dump-args --dump-backtrace
```
One problem I ran into was not knowing which class Intent belongs to; I only learned it (android.content.Intent) after reading the script in GDA. If you want to inject directly, you need some Android development experience.
bilibili 1024 technical contest, problem 6 (2021)

Reference: https://www.bilibili.com/read/cv13720199/
The expert's script was missing the start-up command, so I spent a whole morning failing to get it working.
```javascript
function hook_native() {
    Java.perform(function () {
        var str0;  // property name read in onEnter
        var arg1;  // pointer to the caller's value buffer
        // Module.findExportByName(module, name) is the older static form; on
        // current Frida releases use
        // Process.getModuleByName("libc.so").findExportByName("__system_property_get").
        Interceptor.attach(Module.findExportByName("libc.so", "__system_property_get"), {
            onEnter: function (args) {
                str0 = args[0].readCString();  // const char *name
                arg1 = args[1];                // char *value (filled by libc)
                if (str0.indexOf('ro.product.cpu.abi') != -1 || str0.indexOf('ro.build.version.release') != -1) {
                    console.log('arg0 ' + str0);
                }
            },
            onLeave: function (retval) {
                if (str0.indexOf('ro.product.cpu.abi') != -1) {
                    var before = arg1.readCString();
                    arg1.writeUtf8String("x86");    // make the app believe it runs on x86
                    var after = arg1.readCString();
                    retval.replace(after.length);   // the function returns the value length
                    console.log('retval:', 'before', before, 'after', after);
                } else if (str0.indexOf('ro.build.version.release') != -1) {
                    var before = arg1.readCString();
                    arg1.writeUtf8String("9");      // report Android 9
                    var after = arg1.readCString();
                    retval.replace(after.length);
                    console.log('retval:', 'before', before, 'after', after);
                }
            }
        });
    });
}
setImmediate(hook_native);
```
It really is convenient; the expert did not let me down.
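As an added example (not from the original post or the referenced script), here is the same `__system_property_get` hook generalized into a table-driven form: the override decision is a pure function that also clamps the spoofed value to bionic's PROP_VALUE_MAX buffer and corrects the returned length, while the Frida glue only attaches when the Frida runtime globals exist. The property names and values in the table are constructed for illustration.

```javascript
// Added example, not the original post's script: a table-driven rewrite of the
// __system_property_get hook. computeOverride() is pure and testable off-device;
// installHook() only does work when the Frida runtime globals exist.
const PROP_VALUE_MAX = 92;  // bionic: size of the caller's value buffer, incl. NUL

// Constructed sample table: property name -> value the app should see.
const OVERRIDES = {
  'ro.product.cpu.abi': 'x86',
  'ro.build.version.release': '9',
};

// Decide what to write back for one property lookup. Returns null when the
// property is not overridden. The value is clamped to PROP_VALUE_MAX - 1 chars
// so the write cannot overrun the caller's buffer, and len is the length that
// __system_property_get must now return (a stale length is a common mistake).
function computeOverride(name, original, table = OVERRIDES) {
  if (!Object.prototype.hasOwnProperty.call(table, name)) return null;
  const value = String(table[name]).slice(0, PROP_VALUE_MAX - 1);
  return { name, original, value, len: value.length };
}

// Frida glue. Returns false (and attaches nothing) outside a Frida session.
function installHook() {
  if (typeof Interceptor === 'undefined') return false;
  let name, valuePtr;
  Interceptor.attach(Module.findExportByName('libc.so', '__system_property_get'), {
    onEnter(args) {
      name = args[0].readCString();  // const char *name
      valuePtr = args[1];            // char *value, PROP_VALUE_MAX bytes
    },
    onLeave(retval) {
      const o = computeOverride(name, valuePtr.readCString());
      if (o === null) return;
      valuePtr.writeUtf8String(o.value);
      retval.replace(o.len);         // int return value = strlen(value)
      console.log(`${o.name}: "${o.original}" -> "${o.value}"`);
    },
  });
  return true;
}

installHook();
```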
Closing thoughts

Objection is handy and lowers the barrier to using Frida. Java-level hooks solve a lot of problems; for Native hooks, just write the Frida script by hand.