./hooker cch.js TypeError: not a function

[nmweizi]

复现过程如下： 1.华为 手机

2. ./hooker

   com.alibaba.taurus.xxxs
   j cch

   提示都是正常的，能够正确生成cch.js

3. ./hooking cch.js

   ./hooking cch.js
   2021年 6月 5日 星期六 09时43分36秒 CST
    ____
   / _  |   Frida 14.2.18 - A world-class dynamic instrumentation toolkit
   | (_| |
   > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   Attaching...
   TypeError: not a function
   at Bt (frida/node_modules/frida-java-bridge/lib/android.js:1158)
   at replace (frida/node_modules/frida-java-bridge/lib/android.js:1003)
   at set (frida/node_modules/frida-java-bridge/lib/class-factory.js:1010)
   at <anonymous> (/cch.js:156)
   at <anonymous> (frida/node_modules/frida-java-bridge/lib/vm.js:16)
   at _performPendingVmOps (frida/node_modules/frida-java-bridge/index.js:238)
   at <anonymous> (frida/node_modules/frida-java-bridge/index.js:213)
   at <anonymous> (frida/node_modules/frida-java-bridge/lib/vm.js:16)
   at _performPendingVmOpsWhenReady (frida/node_modules/frida-java-bridge/index.js:232)
   at perform (frida/node_modules/frida-java-bridge/index.js:192)
   at <eval> (/cch.js:270)
   [HUAWEI MT7 CL00::com.alibaba.taurus.xxxs]->

4. 使用frida -U com.alibaba.taurus.xxxs -l cch.js 报同样错误
5. a命令是正常的。
6. getprop ro.build.version.release

   5.1.1

   cch.js.zip

[nmweizi]

后续

• 用frida-server 12的版本，提示成功了
• 但是运行到hook的函数时，提示错误了 [HUAWEI MT7 CL00::com.alibaba.taurus.xxxs]-> TypeError: undefined not callable (property 'art::mirror::Object::Clone' of [object Object]) at [anon] (duk_js_call.c:2870) at H (frida/node_modules/frida-java/lib/android.js:734) at resolveArtTargetMethodId (frida/node_modules/frida-java/lib/class-factory.js:1653) at input:1 at [anon] (/cch.js:266) at input:1 TypeError: undefined not callable (property 'art::mirror::Object::Clone' of [object Object]) at [anon] (duk_js_call.c:2870) at H (frida/node_modules/frida-java/lib/android.js:734) at resolveArtTargetMethodId (frida/node_modules/frida-java/lib/class-factory.js:1653) at input:1 at [anon] (/cch.js:221) at input:1

[nmweizi]

再继续，再调用之前修改 print(v0,v1,v1)是可以的，能够正确打印参数

[CreditTone]

221行，什么代码？

[nmweizi]

感谢 感觉是hook上函数后，调用这个函数时错误。 我试了直接hook 其他类里的函数，也是在hook成功后，调用原函数的时候错误。 var cch_clz_method_b_2821 = cch_clz.b.overload(); cch_clz_method_b_2821.implementation = function() { var executor = this.hashCode(); var beatText = 'private java.lang.String cch.b()'; var beat = newMethodBeat(beatText, executor); var ret = cch_clz_method_b_2821.call(this); # 这行 printBeat(beat); return ret; };

[nmweizi]

再比如这个 var ret = chm_clz_method_a_0161.call(chm_clz, v0, v1); # 执行到这行错了 错误提示： TypeError: undefined not callable (property 'art::mirror::Object::Clone' of [object Object]) at [anon] (duk_js_call.c:2870) at H (frida/node_modules/frida-java/lib/android.js:734) at resolveArtTargetMethodId (frida/node_modules/frida-java/lib/class-factory.js:1653) at input:1 at [anon] (/chm.js:163) at input:1

var chm_clz = Java.use('chm');
    var chm_clz_method_a_0161 = chm_clz.a.overload('java.lang.String', 'java.lang.String');
    chm_clz_method_a_0161.implementation = function(v0, v1) {
        var executor = 'Class';
        var beatText = 'public static java.lang.String chm.a(java.lang.String,java.lang.String)';
        var beat = newMethodBeat(beatText, executor);
        print("v0:",v0)
        print("v1:",v1)
        var ret = chm_clz_method_a_0161.call(chm_clz, v0, v1);     # 执行到这行错了
        printBeat(beat);
        return ret;
    };

[CreditTone]

关闭frida优化试试

[nmweizi]

怎么关闭frida优化啊？

[CreditTone]

frida hook时会主动进行一些优化，以提升性能，但是某些时候会导致百分百确定经过的方法却hook不上，这个时候调用一下Java.deoptimizeEverything()取消优化再hook就可以了。

[nmweizi]

我这现在是能hook上，就是在调用hook前函数的时候错误。和这个是不是不太一样。 非常感谢！

[CreditTone]

有的函数有时候我也hook不上，不清楚为什么

[nmweizi]

重新刷了下系统，搞定了