Frida Hook: First Hands-On
While working through CTF challenges on 攻防世界 (the XCTF adworld platform) I saw an expert solving them with Frida, so I followed their write-up and tried it myself.
ill-intentions (Native hook)
Challenge: 攻防世界 ill-intentions
frida, frida-server and objection are all installed.
Connect to the device with adb.
Because the APK was not modified, the activity that holds the trigger button never shows up, so it is launched by hand with objection:

```shell
objection -g com.example.hellojni explore
# then, inside the objection REPL:
android intent launch_activity com.example.application.IsThisTheRealOne
```
Result: (screenshot)
Attach the expert's script that hooks the Native layer:
```javascript
// From https://blog.csdn.net/Palmer9/article/details/122464683
// Don't ask what the script means; I can't really write Frida scripts yet.
function main() {
    // Read a Java String (jstring) through the JNI environment.
    function getjstring(jstr) {
        var env = Java.vm.getEnv();
        var chars = env.getStringUtfChars(jstr, null);
        var s = chars.readCString();
        env.releaseStringUtfChars(jstr, chars); // release the UTF copy so every call does not leak
        return s;
    }

    Java.perform(function () {
        // JNI calling convention: args[0] = JNIEnv*, args[1] = jobject/jclass,
        // args[2..] = the Java-level parameters.
        var perhapsThis_addr = Module.findExportByName("libhello-jni.so",
            "Java_com_example_application_IsThisTheRealOne_perhapsThis");
        console.log("perhapsThis_addr", perhapsThis_addr);
        Interceptor.attach(perhapsThis_addr, {
            onEnter: function (args) {
                console.log("perhapsThis_args:[1]", getjstring(args[2]),
                    "\n [2]", getjstring(args[3]),
                    "\n [3]", getjstring(args[4]), "\n");
            },
            onLeave: function (retval) {
                console.log("perhapsThis_result:", getjstring(retval));
            },
        });

        Interceptor.attach(Module.findExportByName("libhello-jni.so",
            "Java_com_example_application_ThisIsTheRealOne_orThat"), {
            onEnter: function (args) {
                console.log("orThat_args:[1]", getjstring(args[2]),
                    "\n [2]", getjstring(args[3]),
                    "\n [3]", getjstring(args[4]), "\n");
            },
            onLeave: function (retval) {
                console.log("orThat_result:", getjstring(retval));
            },
        });

        Interceptor.attach(Module.findExportByName("libhello-jni.so",
            "Java_com_example_application_DefinitelyNotThisOne_definitelyNotThis"), {
            onEnter: function (args) {
                console.log("definitelyNotThis_args:[1]", getjstring(args[2]),
                    "\n [2]", getjstring(args[3]), "\n");
            },
            onLeave: function (retval) {
                console.log("definitelyNotThis_result:", getjstring(retval));
            },
        });
    });
}
setImmediate(main);
```
Out comes the flag.
ill-intentions (Java hook)
GDA
GDA, the decompiler from a 看雪 (pediy.com) expert, is really handy!
Again, because the APK was not modified, the activity with the trigger button never shows up, so objection is used once more to launch it; then find the matching process in GDA and inject.
A mouse click is all it takes.
Press the middle BroadcastIntent button and the flag is hooked out.
Injecting directly with Objection
It turns out the GDA step was a detour: injecting directly with Objection is enough.

```shell
objection -g com.example.hellojni explore
# then, inside the objection REPL:
android intent launch_activity com.example.application.IsThisTheRealOne
android hooking watch class_method android.content.Intent.putExtra --dump-return --dump-args --dump-backtrace
```

One problem I ran into was not knowing which class Intent belongs to; only after reading the script inside GDA did I learn it is android.content.Intent. To inject directly like this you need some Android development experience.
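As an added example (my own code, not from the write-up and not objection's implementation), here is a Frida script that does by hand what the two objection commands above do: it launches the hidden activity and hooks every overload of android.content.Intent.putExtra, printing the arguments, the return value and a Java backtrace. The class name is android.content.Intent and the overloads are enumerated from the class, so nothing has to be guessed. Assumptions: the package com.example.hellojni and activity com.example.application.IsThisTheRealOne are taken from the objection commands; obtaining a Context through ActivityThread.currentApplication() is my way of launching from inside the process; the flag{...} pattern used to highlight a likely flag is a guess at the flag format, not something the challenge states.

```javascript
'use strict';

// Added example, not code from the original post. Assumed names: the activity
// below and the flag{...} regex; both are taken from or guessed for the challenge.
var TARGET_ACTIVITY = 'com.example.application.IsThisTheRealOne';
var FLAG_RE = /flag\{[^}]*\}/i; // assumption: adworld-style flag{...} format

// Pure helper (no Frida API) so the log format can be checked offline:
// one line per call, "Class.method(type=value, ...)".
function renderCall(cls, method, typeNames, values) {
    var parts = [];
    for (var i = 0; i < typeNames.length; i++) {
        parts.push(typeNames[i] + '=' + String(values[i]));
    }
    return cls + '.' + method + '(' + parts.join(', ') + ')';
}

// Returns the first flag-looking substring, or null.
function findFlag(text) {
    var m = FLAG_RE.exec(text);
    return m ? m[0] : null;
}

// Equivalent of "android intent launch_activity": build an explicit Intent from
// inside the app process and start it with the application Context.
function launchActivity(name) {
    var ActivityThread = Java.use('android.app.ActivityThread');
    var Intent = Java.use('android.content.Intent');
    var ctx = ActivityThread.currentApplication().getApplicationContext();
    var intent = Intent.$new();
    intent.setClassName.overload('android.content.Context', 'java.lang.String')
        .call(intent, ctx, name);
    intent.setFlags(0x10000000); // Intent.FLAG_ACTIVITY_NEW_TASK, required from a non-Activity Context
    ctx.startActivity(intent);
}

// Equivalent of "android hooking watch class_method android.content.Intent.putExtra
// --dump-args --dump-return --dump-backtrace": hook every overload, not just one.
function watchPutExtra() {
    var Intent = Java.use('android.content.Intent');
    var Log = Java.use('android.util.Log');
    var Exception = Java.use('java.lang.Exception');
    Intent.putExtra.overloads.forEach(function (ov) {
        var typeNames = ov.argumentTypes.map(function (t) { return t.className; });
        ov.implementation = function () {
            var values = Array.prototype.slice.call(arguments);
            console.log(renderCall('android.content.Intent', 'putExtra', typeNames, values));
            var flag = findFlag(values.map(String).join(' '));
            if (flag !== null) console.log('possible flag: ' + flag);
            // Java-level backtrace of whoever is adding the extra.
            console.log(Log.getStackTraceString(Exception.$new()));
            var ret = ov.apply(this, arguments); // call the original overload
            console.log('  -> ' + ret);
            return ret;
        };
    });
}

function main() {
    Java.perform(function () {
        watchPutExtra();           // install hooks first so the launch itself is observed
        launchActivity(TARGET_ACTIVITY);
    });
}

// Only start inside Frida; loaded elsewhere (e.g. Node) the helpers stay usable.
if (typeof Java !== 'undefined') setImmediate(main);
```

Save it as intent_watch.js and run `frida -U -l intent_watch.js com.example.hellojni` against the running app (or `frida -U -f com.example.hellojni -l intent_watch.js` to spawn it). Hooking through `overloads` matters here because putExtra has more than a dozen overloads and the one carrying the flag is not known in advance.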
bilibili 1024 technical contest, problem 6 (2021)
Reference: https://www.bilibili.com/read/cv13720199/
The expert's script was missing the start command, and I spent a whole morning stuck on that.
```javascript
function hook_native() {
    Java.perform(function () {
        var str0;   // property name requested by the caller
        var arg1;   // caller's output buffer for the value
        Interceptor.attach(Module.findExportByName("libc.so", "__system_property_get"), {
            onEnter: function (args) {
                str0 = Memory.readCString(args[0]);
                arg1 = args[1];
                if (str0.indexOf('ro.product.cpu.abi') != -1 || str0.indexOf('ro.build.version.release') != -1) {
                    console.log('arg0 ' + str0);
                }
            },
            onLeave: function (retval) {
                if (str0.indexOf('ro.product.cpu.abi') != -1) {
                    var before = Memory.readCString(arg1);
                    Memory.writeUtf8String(arg1, "x86");   // overwrite the value the caller receives
                    var after = Memory.readCString(arg1);
                    console.log('retval:', 'before', before, 'after', after);
                } else if (str0.indexOf('ro.build.version.release') != -1) {
                    var before = Memory.readCString(arg1);
                    Memory.writeUtf8String(arg1, "9");
                    var after = Memory.readCString(arg1);
                    console.log('retval:', 'before', before, 'after', after);
                }
            }
        });
    });
}
setImmediate(hook_native);   // the start call; without it hook_native is never run
```
It really is convenient; the expert did not lie.
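As an added example (my code, not the script from the bilibili write-up), here is a table-driven version of the same __system_property_get hook with three changes a practitioner would want. Per-call state is kept on `this` (Frida's invocation context) instead of shared variables, so two threads calling __system_property_get at the same time cannot mix up each other's buffers. Names are matched exactly, because `indexOf('ro.product.cpu.abi')` also matches ro.product.cpu.abilist and ro.product.cpu.abilist32 and would silently overwrite those as well. And the replacement is checked against bionic's PROP_VALUE_MAX (92 bytes) before it is written, since the caller passes a fixed-size buffer and a longer spoof value would overflow it; the return value is updated too, because __system_property_get returns the length of the value. The two spoof values, x86 and 9, are the ones from the write-up; everything else is illustrative, and the hook installs only when the Frida globals exist so the helpers can also be loaded in Node.

```javascript
'use strict';

// Added example, not code from the original write-up. The spoof values are the
// ones from the write-up; the structure and checks are mine.

// bionic: __system_property_get(name, value) writes into char value[PROP_VALUE_MAX]
// (92 bytes including the terminating NUL) and returns strlen(value).
var PROP_VALUE_MAX = 92;

// Exact property names to spoof and their replacement values.
var SPOOF = {
    'ro.product.cpu.abi': 'x86',
    'ro.build.version.release': '9'
};

// UTF-8 byte length without relying on Buffer/TextEncoder (neither exists in Frida's runtime).
function utf8ByteLength(s) {
    var n = 0;
    for (var i = 0; i < s.length; i++) {
        var c = s.charCodeAt(i);
        if (c < 0x80) n += 1;
        else if (c < 0x800) n += 2;
        else if (c >= 0xd800 && c <= 0xdbff && i + 1 < s.length) { n += 4; i++; } // surrogate pair
        else n += 3;
    }
    return n;
}

// True if the value plus its NUL fits the caller's PROP_VALUE_MAX buffer.
function fitsPropBuffer(value) {
    return utf8ByteLength(value) + 1 <= PROP_VALUE_MAX;
}

// Replacement for an exactly matching name, or null; throws rather than
// overflowing the caller's buffer with an oversized replacement.
function spoofedValue(name) {
    if (!Object.prototype.hasOwnProperty.call(SPOOF, name)) return null;
    var v = SPOOF[name];
    if (!fitsPropBuffer(v)) throw new Error('spoof value for ' + name + ' exceeds PROP_VALUE_MAX');
    return v;
}

function installHook() {
    // Instance form; the static Module.findExportByName was dropped in Frida 17.
    var target = Process.getModuleByName('libc.so').getExportByName('__system_property_get');
    Interceptor.attach(target, {
        onEnter: function (args) {
            // Per-invocation state lives on `this`, so concurrent callers do not collide.
            this.propName = args[0].readCString();
            this.outBuf = args[1];
        },
        onLeave: function (retval) {
            var v = spoofedValue(this.propName);
            if (v === null) return;
            var before = this.outBuf.readCString();
            this.outBuf.writeUtf8String(v);          // length already checked above
            retval.replace(utf8ByteLength(v));        // keep the returned length consistent
            console.log(this.propName + ': "' + before + '" -> "' + v + '"');
        }
    });
}

// No Java.perform needed: this is a pure native hook.
if (typeof Interceptor !== 'undefined') setImmediate(installHook);
```

To add a property, add one line to SPOOF; a value that cannot fit the 92-byte buffer makes the hook throw on first use instead of corrupting the caller's stack.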
Conclusion
Objection is handy and lowers the barrier to using Frida. Java-layer hooks solve a lot of problems; for Native hooks, just write the Frida script by hand.