
frida #9


# Trace calls to strcmp (-i) on the USB device (-U).
# NOTE(review): this line mixes two target selectors — `-p 12553` (attach to a
# running pid) and `-f inject zygote` (spawn "inject" with argument "zygote").
# frida-tools expect a single target per invocation; confirm which was meant
# (most likely `frida-trace -U -p <pid> -i strcmp` against the running app).
frida-trace -U -p 12553 -i 'strcmp' -f inject zygote

# Spawn (-f) the UnCrackable L2 package on the USB device with uncrackable2.js
# (-l) loaded before its code starts running; --no-pause resumes the main
# thread immediately after the script is loaded, so hooks are in place before
# the app's own startup/anti-debug logic executes.
frida -U -f sg.vantagepoint.uncrackable2 --no-pause -l uncrackable2.js

// Frida script skeleton.  The hook body is intentionally left empty.
function main() {
    // Java.perform() makes the Java bridge (Java.use, Java.choose, ...)
    // usable from its callback; Java hooks belong inside it.
    Java.perform(function () {
    });
}

// setImmediate defers main() until the script has finished loading.
setImmediate(main);
#!/usr/bin/env python
# coding=utf-8
from __future__ import print_function
import frida,sys

#0-export sym
#1-offset
# Selects which hook script is loaded at the bottom of the file:
#   1 -> hook_fun_by_offet   (function located by offset from module base)
#   anything else -> hook_fun_by_export_sym_2 (function located by export name)
hook_fun_switch=0
# Android package to instrument.  The script *attaches* to it, so the app must
# already be running on the device.
target_pkg_name="com.yaotong.crackme"

#0
hook_fun_by_export_sym = """

target_so="libcrackme.so";
target_fun_symbol="Java_com_yaotong_crackme_MainActivity_securityCheck"

Java.perform(function(){
    send("Running Script");

    var target_fun_add = undefined;
    exports = Module.enumerateExportsSync(target_so);
    for(i=0; i<exports.length; i++){
        if(exports[i].name == target_fun_symbol){
            target_fun_add = exports[i].address;
            send("find fun at " + target_fun_add);
            break;
        }
    }

    Interceptor.attach(target_fun_add,{
        onEnter: function(args){
            send("key is: " +Memory.readUtf8String(Memory.readPointer(target_fun_add.sub(0x11a8).add(0x628c))));
        }
    });
});
"""

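# Hook script, variant B (the one the switch defaults to): same idea as
# variant A but lets Frida resolve the export.  Module.findExportByName()
# returns null rather than throwing when the symbol cannot be resolved, and
# Interceptor.attach(null) then fails with an unhelpful TypeError.
hook_fun_by_export_sym_2 = """

target_so="libcrackme.so";
target_fun_symbol="Java_com_yaotong_crackme_MainActivity_securityCheck"

Java.perform(function(){
    send("Running Script");

    var target_fun_add=Module.findExportByName(target_so , target_fun_symbol);
    if(target_fun_add === null){
        send("symbol " + target_fun_symbol + " not found in " + target_so);
        return;
    }
    send("find fun at " + target_fun_add);

    Interceptor.attach(target_fun_add,{
        onEnter: function(args){
            // base = target_fun_add - 0x11a8 (securityCheck's offset in this
            // libcrackme.so build); the key string pointer is at base + 0x628c.
            send("key exp is: " +Memory.readUtf8String(Memory.readPointer(target_fun_add.sub(0x11a8).add(0x628c))));
        }
    });
});
"""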

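#1
# Hook script, variant C: locate securityCheck by its offset from the module
# base instead of by symbol name (useful when the export table is stripped or
# renamed; the offsets are specific to this libcrackme.so build).
# Module.findBaseAddress() returns null while the library is not mapped, and
# null.add(...) would then throw a TypeError with no useful context.
hook_fun_by_offet= """

target_so="libcrackme.so";
target_fun_offset=0x11A8;
key_ptr_offset=0x628c;

Java.perform(function(){
    send("Running Script");

    var base = Module.findBaseAddress(target_so);
    if(base === null){
        send(target_so + " is not loaded");
        return;
    }
    var target_fun_add = base.add(target_fun_offset);
    send("find fun at " + target_fun_add)

    Interceptor.attach(target_fun_add,{
        onEnter: function(args){
            // The original recomputed the base as target_fun_add.sub(0x11a8),
            // which is only correct because target_fun_offset == 0x11a8; use
            // the base we already have so the two constants stay independent.
            send("key is: " +Memory.readUtf8String(Memory.readPointer(base.add(key_ptr_offset))));
        }
    });
});
"""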

# Java-level bypass: replace MainActivity.securityCheck so it returns true for
# any input — the check is defeated without ever recovering the key.
# NOTE(review): nothing in this file loads this script (the switch at the
# bottom only chooses between hook_fun_by_offet and hook_fun_by_export_sym_2);
# hook_fun_by_export_sym is likewise unused.
check_hook_code = """
    send("Running Script");
    Java.perform(function(){
    MainActivity = Java.use("com.yaotong.crackme.MainActivity");
    MainActivity.securityCheck.implementation = function(v){
        send("securityCheck hooked");
        return true;
    }
});
"""

def on_message(message, data):
    """Print messages posted by the Frida script.

    Payloads from the script's ``send()`` are printed with a ``[*]`` prefix;
    any other message type (e.g. script errors) is dumped as-is.  ``data`` is
    the optional binary attachment of a ``send()`` and is not used here.
    """
    if message['type'] != 'send':
        print(message)
        return
    print("[*] {0}".format(message['payload']))

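# ---- entry point ----------------------------------------------------------
# Attach over USB to the already-running target.  The original used
# enumerate_devices()[-1], i.e. whichever device happened to enumerate last
# (local / remote / USB ordering is not guaranteed), so with more than one
# device present it could silently instrument the wrong process.
# get_usb_device() is the explicit equivalent of the CLI's `-U`; if the
# device is instead reached through a forwarded TCP port, use
# frida.get_remote_device() here.
device = frida.get_usb_device()
process = device.attach(target_pkg_name)  # a frida Session; old name kept
# hook_fun_switch: 1 -> offset-based script, anything else -> export-based.
if hook_fun_switch ==1:
    script = process.create_script(hook_fun_by_offet)
else:
    script = process.create_script(hook_fun_by_export_sym_2)
script.on('message', on_message)
script.load()
try:
    # Block so the hooks stay installed; EOF on stdin (Ctrl-D) or Ctrl-C
    # ends the session.
    sys.stdin.read()
finally:
    # Remove the hooks and drop the session instead of leaving the target
    # instrumented after this script exits.
    script.unload()
    process.detach()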

References: https://www.codemetrix.net/hacking-android-apps-with-frida-1/ and http://bobao.360.cn/learning/detail/3641.html