Hook<\/strong>\u662f\u6307\u62e6\u622a\u548c\u4fee\u6539\u5e94\u7528\u7a0b\u5e8f\u6216Android\u7cfb\u7edf\u4e2d\u51fd\u6570\u6216\u65b9\u6cd5\u884c\u4e3a\u7684\u8fc7\u7a0b\u3002\u4f8b\u5982\uff0c\u6211\u4eec\u53ef\u4ee5\u94a9\u53d6\u6211\u4eec\u5e94\u7528\u7a0b\u5e8f\u4e2d\u7684\u4e00\u4e2a\u65b9\u6cd5\uff0c\u5e76\u901a\u8fc7\u63d2\u5165\u6211\u4eec\u81ea\u5df1\u7684\u5b9e\u73b0\u6765\u6539\u53d8\u5176\u529f\u80fd\u3002<\/p>\n\u73b0\u5728\uff0c\u8ba9\u6211\u4eec\u5c1d\u8bd5\u5728\u4e00\u4e2a\u5e94\u7528\u7a0b\u5e8f\u4e2d\u94a9\u53d6\u4e00\u4e2a\u65b9\u6cd5\u3002\u6211\u4eec\u5c06\u4f7f\u7528JavaScript API \u6765\u5b8c\u6210\u8fd9\u4e2a\u4efb\u52a1\uff0c\u4f46\u503c\u5f97\u6ce8\u610f\u7684\u662f\uff0cFrida\u4e5f\u652f\u6301Python\u3002<\/p>\n
1\u3001\u4f7f\u7528Hook\u4fee\u6539\u88ab\u8c03\u7528\u7684\u65b9\u6cd5\u7684\u903b\u8f91\uff0c\u8fd4\u56de\u503c\uff0c\u4f20\u5165\u53c2\u6570<\/h2>\n\u57fa\u672c\u6a21\u677f<\/h3>\n
\u9996\u5148\u8ba9\u6211\u63d0\u4f9b\u7ed9\u4f60\u4e00\u4e2a\u6a21\u677f\uff0c\u7136\u540e\u6211\u4eec\u4e00\u6b65\u6b65\u6765\u89e3\u91ca\u3002<\/p>\n
Java.perform(function() {\n\n var <class_reference> = Java.use("<package_name>.<class>");\n <class_reference>.<method_to_hook>.implementation = function(<args>) {\n\n \/*\n \u6211\u4eec\u81ea\u5df1\u7684\u65b9\u6cd5\u5b9e\u73b0\n *\/\n\n }\n\n})<\/code><\/pre>\n\n- \n
Java.perform<\/code> \u662f Frida \u4e2d\u7528\u4e8e\u521b\u5efa\u4e00\u4e2a\u7279\u6b8a\u4e0a\u4e0b\u6587\u7684\u51fd\u6570\uff0c\u8ba9\u4f60\u7684\u811a\u672c\u80fd\u591f\u4e0e Android \u5e94\u7528\u7a0b\u5e8f\u4e2d\u7684 Java \u4ee3\u7801\u8fdb\u884c\u4ea4\u4e92\u3002\u5b83\u5c31\u50cf\u662f\u6253\u5f00\u4e86\u4e00\u6247\u95e8\uff0c\u8ba9\u4f60\u80fd\u591f\u8bbf\u95ee\u5e76\u64cd\u7eb5\u5e94\u7528\u7a0b\u5e8f\u5185\u90e8\u8fd0\u884c\u7684 Java \u4ee3\u7801\u3002\u4e00\u65e6\u8fdb\u5165\u8fd9\u4e2a\u4e0a\u4e0b\u6587\uff0c\u4f60\u5c31\u53ef\u4ee5\u6267\u884c\u8bf8\u5982\u94a9\u53d6\u65b9\u6cd5\u6216\u8bbf\u95ee Java \u7c7b\u7b49\u64cd\u4f5c\u6765\u63a7\u5236\u6216\u89c2\u5bdf\u5e94\u7528\u7a0b\u5e8f\u7684\u884c\u4e3a\u3002<\/p>\n<\/li>\n- \n
var <class_reference> = Java.use("<package_name>.<class>");<\/code>
\n\u5728\u8fd9\u91cc\uff0c\u4f60\u58f0\u660e\u4e00\u4e2a\u53d8\u91cf <class_reference><\/code> \u6765\u8868\u793a\u76ee\u6807 Android \u5e94\u7528\u7a0b\u5e8f\u4e2d\u7684\u4e00\u4e2a Java \u7c7b\u3002\u4f60\u4f7f\u7528 Java.use<\/code> \u51fd\u6570\u6307\u5b9a\u8981\u4f7f\u7528\u7684\u7c7b\uff0c\u8be5\u51fd\u6570\u63a5\u53d7\u7c7b\u540d\u4f5c\u4e3a\u53c2\u6570\u3002<package_name><\/code> \u8868\u793a Android \u5e94\u7528\u7a0b\u5e8f\u7684\u5305\u540d\uff0c<class><\/code> \u8868\u793a\u4f60\u60f3\u8981\u4e0e\u4e4b\u4ea4\u4e92\u7684\u7c7b\u3002
\n<package_name><\/code> \uff1a
\n![\"file\"](\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\")
<\/div><\/p>\n<\/li>\n
- \n
<class_reference>.<method_to_hook>.implementation = function(<args>) {}<\/code>
\n\u5728\u6240\u9009\u7684\u7c7b\u5185\u90e8\uff0c\u901a\u8fc7 <class_reference>.<method_to_hook><\/code> \u7b26\u53f7\u8bbf\u95ee\u4f60\u60f3\u8981\u94a9\u53d6\u7684\u65b9\u6cd5\u3002\u8fd9\u662f\u4f60\u53ef\u4ee5\u5b9a\u4e49\u81ea\u5df1\u7684\u903b\u8f91\u4ee5\u5728\u94a9\u53d6\u7684\u65b9\u6cd5\u88ab\u8c03\u7528\u65f6\u6267\u884c\u7684\u5730\u65b9\u3002<args><\/code> \u8868\u793a\u4f20\u9012\u7ed9\u51fd\u6570\u7684\u53c2\u6570\u3002<\/p>\n<\/li>\n<\/ul>\n\u4f8b\u9898Frida-Labs 0x1<\/h3>\n
\u901a\u8fc7Jadx\u5206\u6790Frida-labs 0x1<\/p>\n
onCreate\u65b9\u6cd5<\/h4>\n public void onCreate(Bundle bundle) {\n super.onCreate(bundle);\n setContentView(C0570R.layout.activity_main);\n final EditText editText = (EditText) findViewById(C0570R.C0573id.editTextTextPassword);\n this.f103t1 = (TextView) findViewById(C0570R.C0573id.textview1);\n final int i = get_random();\n ((Button) findViewById(C0570R.C0573id.button)).setOnClickListener(new View.OnClickListener() { \/\/ from class: com.ad2001.frida0x1.MainActivity.1\n @Override \/\/ android.view.View.OnClickListener\n public void onClick(View view) {\n String obj = editText.getText().toString();\n if (TextUtils.isDigitsOnly(obj)) {\n MainActivity.this.check(i, Integer.parseInt(obj));\n } else {\n Toast.makeText(MainActivity.this.getApplicationContext(), "Enter a valid number !!", 1).show();\n }\n }\n });\n }\n<\/code><\/pre>\n\u53ef\u4ee5\u53d1\u73b0\uff0c\u5728onCreate\u65b9\u6cd5\u4e2d\uff0c\u6709\u4e00\u4e2a\u76d1\u542c\u4e8b\u4ef6\uff0c\u76d1\u542c\u4e86button\u7684\u70b9\u51fb\uff0c\u5f53\u6309\u94ae\u70b9\u51fb\u4e0b\u53bb\u4e4b\u540e\uff0c\u7a0b\u5e8f\u9996\u5148\u5224\u65ad\u8f93\u5165\u662f\u4e0d\u662f\u6570\u5b57\uff0c\u662f\u6570\u5b57\u7684\u8bdd\uff0c\u5c31\u5c06\u5176\u4ecestring\u8f6c\u5316\u4e3aint\uff0c\u518d\u8fdb\u5165check\u4e2d\u4e0ei\u6bd4\u8f83\uff0c\u56e0\u6b64\u6211\u4eec\u9700\u8981\u68c0\u67e5check\u65b9\u6cd5\u3002<\/p>\n
check\u65b9\u6cd5<\/h4>\n void check(int i, int i2) {\n if ((i * 2) + 4 == i2) {\n Toast.makeText(getApplicationContext(), "Yey you guessed it right", 1).show();\n StringBuilder sb = new StringBuilder();\n for (int i3 = 0; i3 < 20; i3++) {\n char charAt = "AMDYV{WVWT_CJJF_0s1}".charAt(i3);\n if (charAt < 'a' || charAt > 'z') {\n if (charAt >= 'A') {\n if (charAt <= 'Z') {\n charAt = (char) (charAt - 21);\n if (charAt >= 'A') {\n }\n charAt = (char) (charAt + 26);\n }\n }\n sb.append(charAt);\n } else {\n charAt = (char) (charAt - 21);\n if (charAt >= 'a') {\n sb.append(charAt);\n }\n charAt = (char) (charAt + 26);\n sb.append(charAt);\n }\n }\n this.f103t1.setText(sb.toString());\n return;\n }\n Toast.makeText(getApplicationContext(), "Try again", 1).show();\n }\n<\/code><\/pre>\n\u672c\u65b9\u6cd5\u663e\u800c\u6613\u89c1\u5c31\u662f\u68c0\u67e5\u8f93\u5165\u662f\u5426\u80fd\u591f\u6ee1\u8db3i*2 + 4 == i2,\u5982\u679c\u6ee1\u8db3\u5219\u5c06flag\u8f93\u51fa\u5230f103t1\u6240\u7ed1\u5b9a\u7684textView\u63a7\u4ef6\u4e0a,\u5176\u4e2d\u7528\u4e8e\u5224\u65ad\u7684i\u5219\u6765\u81eaget_random\u3002<\/p>\n
get_random<\/h4>\n int get_random() {\n return new Random().nextInt(100);\n }\n<\/code><\/pre>\n\u663e\u800c\u6613\u89c1\uff0c\u672c\u65b9\u6cd5\u5c31\u53ea\u662f\u666e\u901a\u7684\u8fd4\u56de\u4e00\u4e2a\u968f\u673a\u6570\u3002<\/p>\n
Hook begin!<\/h4>\n
\u5bf9\u4e8e\u672c\u6837\u4f8b\u7a0b\u5e8f\uff0c\u6211\u4eec\u6709\u4e24\u79cd\u65b9\u6cd5\u53bb\u89e3\u51b3\uff0c\u9996\u5148\u6211\u4eec\u53ef\u4ee5\u76f4\u63a5hook\u7a0b\u5e8f\u903b\u8f91\u3002\u66f4\u6539\u968f\u673a\u4ea7\u751f\u7684\u503c\u4e3a\u4e00\u4e2a\u56fa\u5b9a\u503c\u3002\u6216\u8005hook check\u65b9\u6cd5\u66f4\u6539check\u65b9\u6cd5\u4f20\u5165\u7684\u53c2\u6570<\/p>\n
Hook get_random\u65b9\u6cd5<\/h5>\n\u5b9e\u73b0\u4ee3\u7801<\/h6>\nfunction hook(){\n var MainActivity = Java.use("com.ad2001.frida0x1.MainActivity");\n MainActivity.get_random.implementation = function (){\n return 0;\n }\n}\n\nfunction main(){\n Java.perform(function (){\n hook();\n })\n}\n\nsetImmediate(main);\n<\/code><\/pre>\n\u4ee3\u7801\u89e3\u91ca\u5982\u4e0b\uff1a<\/p>\n
\n- \n
\u9996\u5148\u5b9a\u4e49\u4e86\u4e00\u4e2a\u540d\u4e3ahook<\/code>\u7684JavaScript\u51fd\u6570\uff0c\u5176\u4e2d\u5305\u542b\u4e86\u5bf9\u76ee\u6807\u5e94\u7528\u7279\u5b9a\u65b9\u6cd5\u7684hook\u903b\u8f91\u3002<\/p>\n\nhook<\/code>\u51fd\u6570\u901a\u8fc7Frida\u7684Java API\u6765\u83b7\u53d6\u76ee\u6807\u5e94\u7528\u4e2d\u7684MainActivity<\/code>\u7c7b\u3002<\/li>\n- \u7136\u540e\uff0c\u5b83\u901a\u8fc7
Java.use()<\/code>\u65b9\u6cd5\u83b7\u53d6\u4e86MainActivity<\/code>\u7c7b\u7684\u5f15\u7528\uff0c\u4f7f\u5f97\u6211\u4eec\u53ef\u4ee5\u8bbf\u95ee\u8be5\u7c7b\u7684\u65b9\u6cd5\u3002<\/li>\n- \u6700\u540e\uff0c
hook<\/code>\u51fd\u6570\u5c06MainActivity<\/code>\u7c7b\u4e2d\u7684get_random<\/code>\u65b9\u6cd5\u8fdb\u884c\u4e86\u4fee\u6539\u3002\u5b83\u7528\u81ea\u5b9a\u4e49\u7684\u5b9e\u73b0\u66ff\u6362\u4e86\u539f\u6709\u65b9\u6cd5\u7684\u5b9e\u73b0\uff0c\u4f7f\u5f97\u6bcf\u6b21\u8c03\u7528get_random<\/code>\u65b9\u6cd5\u65f6\u90fd\u8fd4\u56de\u56fa\u5b9a\u503c0\u3002<\/li>\n<\/ul>\n<\/li>\n- \n
\u63a5\u7740\u5b9a\u4e49\u4e86\u4e00\u4e2a\u540d\u4e3amain<\/code>\u7684JavaScript\u51fd\u6570\uff0c\u5176\u4e2d\u5305\u542b\u4e86Frida\u7684Java.perform()<\/code>\u65b9\u6cd5\uff0c\u7528\u4e8e\u6267\u884c\u6307\u5b9a\u7684hook\u903b\u8f91\u3002<\/p>\n<\/li>\n- \n
\u6700\u540e\uff0c\u901a\u8fc7setImmediate()<\/code>\u51fd\u6570\u8c03\u7528main<\/code>\u51fd\u6570\uff0c\u786e\u4fdd\u5728Frida\u811a\u672c\u542f\u52a8\u540e\u7acb\u5373\u6267\u884c\u3002<\/p>\n<\/li>\n<\/ol>\nhook check\u65b9\u6cd5<\/h5>\n
\u5982\u679c\u6211\u4eec\u68c0\u67e5check\u51fd\u6570\u7684\u53c2\u6570\uff0c\u7b2c\u4e00\u4e2a\u53c2\u6570i\u8868\u793a\u968f\u673a\u6570\uff0c\u800c\u7b2c\u4e8c\u4e2a\u53c2\u6570i2\u5bf9\u5e94\u4e8e\u7528\u6237\u8f93\u5165\u7684\u6570\u5b57\u3002\u8ba9\u6211\u4eec\u4f7f\u7528Frida\u6765\u6355\u83b7\u5e76\u8f6c\u50a8\u8fd9\u4e24\u4e2a\u53c2\u6570\u3002<\/p>\n
\u5728\u5904\u7406\u5177\u6709\u53c2\u6570\u7684\u65b9\u6cd5\u65f6\uff0c\u91cd\u8981\u7684\u662f\u4f7f\u7528overload(arg_type)\u5173\u952e\u5b57\u6307\u5b9a\u9884\u671f\u7684\u53c2\u6570\u7c7b\u578b\u3002\u6b64\u5916\uff0c\u5728\u94a9\u5165\u65b9\u6cd5\u65f6\u786e\u4fdd\u5305\u62ec\u8fd9\u4e9b\u6307\u5b9a\u7684\u53c2\u6570\u5728\u4f60\u7684\u5b9e\u73b0\u4e2d\u3002\u5728\u8fd9\u91cc\uff0c\u6211\u4eec\u7684check()\u51fd\u6570\u63a5\u53d7\u4e24\u4e2a\u6574\u6570\u53c2\u6570\uff0c\u6240\u4ee5\u6211\u4eec\u53ef\u4ee5\u8fd9\u6837\u6307\u5b9a\uff1a<\/p>\n
a.check.overload(int, int).implementation = function(a, b) {\n\n ...\n\n}\n<\/code><\/pre>\nfunction hook2(){\n var MainActivity = Java.use("com.ad2001.frida0x1.MainActivity");\n MainActivity.check.overload('int','int').implementation = function (a,b){\n console.log("Origin i and i2 = ",a,b);\n return this.check(a,b);\n }\n}\n\nfunction main(){\n Java.perform(function (){\n hook2();\n })\n}\n\nsetImmediate(main);<\/code><\/pre>\n\u6211\u4eec\u53ef\u4ee5\u4f7f\u7528console.log\u67e5\u770b\u4f20\u5165\u7684a\u4e0eb\u662f\u4ec0\u4e48
\n
<\/div><\/p>\n
\u5728this.check(a,b);<\/code>\u4e2d\u7684a,b\u6539\u4e3a\u81ea\u5df1\u8bbe\u5b9a\u7684\u503c\u5c31\u53ef\u4ee5\u4e86\u3002
\n<\/div><\/p>\n
2\u3001Hook\u8c03\u7528\u9759\u6001\u7684\u672a\u88ab\u8c03\u7528\u7684\u65b9\u6cd5<\/h2>\n
\u5728\u4e4b\u524d\u8bb2\u5230\u7684Java.use Api\u4e2d\uff0c\u5982\u679c\u6211\u4eec\u6307\u5b9a\u7684\u7c7b\u4e2d\u5305\u542b\u4e86\u9759\u6001\u7684\u65b9\u6cd5\uff0c\u5219\u6211\u4eec\u53ef\u4ee5\u76f4\u63a5\u8c03\u7528\u8be5\u65b9\u6cd5\u3002\u6a21\u677f\u5982\u4e0b\uff1a<\/p>\n
Java.perform(function (){\n var <class_reference> = Java.use("<package_name>.<class>");\n a.function(val);\n})<\/code><\/pre>\n\u4f8b\u9898Frida-labs 0x2<\/h3>\nMainActivity\u7c7b<\/h4>\npackage com.ad2001.frida0x2;\n\nimport android.os.Bundle;\nimport android.util.Base64;\nimport android.widget.TextView;\nimport androidx.appcompat.app.AppCompatActivity;\nimport javax.crypto.Cipher;\nimport javax.crypto.spec.IvParameterSpec;\nimport javax.crypto.spec.SecretKeySpec;\n\n\/* loaded from: classes3.dex *\/\npublic class MainActivity extends AppCompatActivity {\n\n \/* renamed from: t1 *\/\n static TextView f103t1;\n\n \/* JADX INFO: Access modifiers changed from: protected *\/\n @Override \/\/ androidx.fragment.app.FragmentActivity, androidx.activity.ComponentActivity, androidx.core.app.ComponentActivity, android.app.Activity\n public void onCreate(Bundle savedInstanceState) {\n super.onCreate(savedInstanceState);\n setContentView(C0569R.layout.activity_main);\n f103t1 = (TextView) findViewById(C0569R.C0572id.textview);\n }\n\n public static void get_flag(int a) {\n if (a == 4919) {\n try {\n SecretKeySpec secretKeySpec = new SecretKeySpec("HILLBILLWILLBINN".getBytes(), "AES");\n Cipher cipher = Cipher.getInstance("AES\/CBC\/PKCS5Padding");\n IvParameterSpec iv = new IvParameterSpec(new byte[16]);\n cipher.init(2, secretKeySpec, iv);\n byte[] decryptedBytes = cipher.doFinal(Base64.decode("q7mBQegjhpfIAr0OgfLvH0t\/D0Xi0ieG0vd+8ZVW+b4=", 0));\n String decryptedText = new String(decryptedBytes);\n f103t1.setText(decryptedText);\n } catch (Exception e) {\n e.printStackTrace();\n }\n }\n }\n}<\/code><\/pre>\n\u672c\u7528\u4f8b\u7a0b\u5e8f\u5c31\u4e00\u4e2aMainActivity\u7c7b\uff0c\u7c7b\u4e2d\u5b58\u5728\u4e00\u4e2a\u672a\u88ab\u4f7f\u7528\u7684\u9759\u6001\u65b9\u6cd5get_flag\uff0c\u5728get_flag\u4e2d\u6bd4\u8f83\u4e86\u4f20\u5165\u7684\u53c2\u6570\uff0c\u5982\u679c\u4f20\u5165\u7684\u53c2\u6570\u4e3a4919\u5219\u89e3\u5bc6flag\uff0c\u8bbe\u7f6e\u7ed9txtView\u63a7\u4ef6\uff0c\u90a3\u4e48\u6839\u636e\u4e4b\u524d\u7ed9\u51fa\u7684\u8c03\u7528\u6a21\u677f\uff0c\u6211\u4eechook\u4ee3\u7801\u5982\u4e0b\uff1a<\/p>\n
Hook\u4ee3\u7801\uff1a<\/h4>\nfunction hook(){\n var MainActivity = Java.use("com.ad2001.frida0x2.MainActivity");\n MainActivity.get_flag(4919);\n}\n\nfunction main(){\n Java.perform(function (){\n hook();\n })\n}\n\nsetImmediate(main);<\/code><\/pre>\n\u4f46\u662f\u6211\u4eec\u53d1\u73b0\u5982\u679c\u4f7f\u7528\u7684\u662fsetIMMediate(main)\u7684\u8bdd\u6211\u4eec\u4f7f\u7528
\nfrida -U -f com.ad2001.frida0x2 -l .\\Hook.js<\/code>
\n\u53ef\u80fd\u4f1a\u5bfc\u81f4hook\u4e0d\u4e0a\u7684\u60c5\u51b5\u3002
\n<\/div><\/p>\n
\u89e3\u51b3\u65b9\u6cd51<\/h5>\n
\u6211\u4eec\u4e8b\u5148\u542f\u52a8Frida 0x2\u5e94\u7528\u7a0b\u5e8f\u3002\u7136\u540e\u4f7f\u7528\u5982\u4e0b\u547d\u4ee4\u6ce8\u5165\u6211\u4eec\u7684\u811a\u672c
\nfrida -U 'Frida 0x2' -l .\\Hook.js<\/code>
\n<\/div>
\n\u672c\u65b9\u6cd5\u4e0e\u4e4b\u524d\u7684\u65b9\u6cd5\u4e0d\u540c\u4e4b\u5904\u662f\u8be5\u65b9\u6cd5\u662f\u76f4\u63a5hook\u5165\u6211\u4eec\u540e\u53f0\u6b63\u5728\u542f\u52a8\u7684\u7a0b\u5e8f\uff0c\u800c\u4e4b\u524d\u7684\u65b9\u6cd5\u662f\u6839\u636e\u5305\u540d\u518d\u542f\u52a8\u4e00\u4e2a\u7a0b\u5e8f\u3002<\/p>\n
\u89e3\u51b3\u65b9\u6cd52<\/h5>\n
\u5f53\u6211\u4eec\u53d1\u73b0\u4f7f\u7528\u89e3\u51b3\u65b9\u6cd51<\/code>\u80fd\u591f\u6210\u529fhook\u7684\u65f6\u5019\uff0c\u5c31\u53ef\u4ee5\u63a8\u65ad\u51fa\uff0c\u662f\u7531\u4e8e\u6211\u4eec\u542f\u52a8main\u51fd\u6570\u4f7f\u7528\u7684\u662fsetImmediate(main)\uff0c\u662f\u7acb\u5373\u542f\u52a8\u53ef\u80fd\u4f1a\u5bfc\u81f4\u811a\u672c\u6ce8\u5165\u7684\u901f\u5ea6\u6bd4\u7a0b\u5e8f\u542f\u52a8\u7684\u901f\u5ea6\u5feb\u3002\u56e0\u6b64\u6211\u4eec\u53ef\u4ee5\u6539\u7528setTimeout(main,1000)<\/code>\uff0c\u4e5f\u5c31\u662f\u5ef6\u8fdf1\u79d2\u949f\u542f\u52a8\u7a0b\u5e8f\u3002
\n\u8be6\u60c5\u53ef\u89c1https:\/\/www.cnblogs.com\/fsjohnhuang\/p\/4151595.html
\n<\/div><\/p>\n
3\u3001\u66f4\u6539\u7c7b\u4e2d\u7684\u9759\u6001\u53d8\u91cf<\/h2>\n
\u7c7b\u4f3c\u4e8e\u5982\u4e0b\u5199\u6cd5static int code = 0;
\n\u4f7f\u7528static \u4fee\u9970\u7684\u53d8\u91cf\u5219\u4e3a\u9759\u6001\u53d8\u91cf\u3002\u6211\u4eec\u53ef\u4ee5\u7528\u5982\u4e0b\u65b9\u6cd5\u66f4\u6539\u9759\u6001\u53d8\u91cf\u3002<\/p>\n
Java.perform(function (){\n\n var <class_reference> = Java.use("<package_name>.<class>");\n <class_reference>.<variable>.value = <value>;\n\n})<\/code><\/pre>\n\u4f8b\u9898 Frida-labs 0x3<\/h3>\n
MainActivity\u7c7b
\n
<\/div>
\n\u6807\u8bb0\u5904\u6211\u4eec\u53ef\u4ee5\u53d1\u73b0\uff0c\u5f53Checker.code\u4e3a512\u7684\u65f6\u5019\u70b9\u51fb\u6309\u94ae\uff0c\u7a0b\u5e8f\u5219\u4f1a\u89e3\u5bc6\u5e76\u4e14\u5c06textView\u63a7\u4ef6\u8bbe\u7f6e\u4e3aFlag\u3002<\/p>\n
Hook\u4ee3\u7801<\/h3>\nfunction hook(){\n var a = Java.use("com.ad2001.frida0x3.Checker");\n a.code.value = 512;\n}\n\nfunction main(){\n Java.perform(function (){\n hook();\n })\n}\nsetImmediate(main);\n<\/code><\/pre>\n4\u3001\u8c03\u7528\u975eMainActivity,\u975e\u9759\u6001\u65b9\u6cd5<\/h2>\n
\u5728JAVA\u4ee3\u7801\u4e2d\uff0c\u5982\u679c\u521b\u5efa\u4e86\u4e00\u4e2a\u975e\u9759\u6001\u7684\u7c7b\uff0c\u5f53\u6211\u4eec\u9700\u8981\u4f7f\u7528\u8fd9\u4e2a\u7c7b\u7684\u65f6\u5019\u9700\u8981new\u4e00\u4e2a\u7c7b\u7684\u5bf9\u8c61\u51fa\u6765\u6211\u4eec\u624d\u80fd\u4f7f\u7528\u8fd9\u4e2a\u7c7b\u7684\u529f\u80fd\u3002\u7c7b\u4f3c\u4ee3\u7801\u5982\u4e0b\uff1a<\/p>\n
\nCheck ch = new Check();\nString flag = ch.get_flag(1337);\n<\/code><\/pre>\n\u90a3\u4e48\u5728Java\u6e90\u7801\u4e2d\u9700\u8981new\u51fa\u6765\u7684\u5b9e\u4f8b\uff0c\u6211\u4eec\u600e\u4e48\u4f7f\u7528Frida\u6765\u5b9e\u73b0\u5462\uff1f
\n\u6a21\u677f\u5982\u4e0b\uff1a<\/p>\n
Java.perform(function() {\n\n var <class_reference> = Java.use("<package_name>.<class>");\n var <class_instance> = <class_reference>.$new(); \/\/ Class Object\n <class_instance>.<method>(); \/\/ \u8c03\u7528\u65b9\u6cd5\n\n})\n<\/code><\/pre>\n\u4f8b\u9898Frida-labs 0x4<\/h3>\nMainActivity\uff1a<\/h4>\n
<\/div>
\nMainActivity\u4e2d\u6ca1\u6709\u4efb\u4f55\u4e1c\u897f\u3002<\/p>\n
Checker<\/h4>\n
<\/div>
\nChecker\u4e2d\u51fa\u73b0\u4e86get_flag\u65b9\u6cd5\uff0c\u8fd4\u56de\u4e86flag\u3002\u5219\u6211\u4eec\u4f7f\u7528\u4e4b\u524d\u7684\u6a21\u677f\u6765Hook<\/p>\n
Hook\u4ee3\u7801\uff1a<\/h4>\nfunction hook(){\n console.log("Hook Success!");\n var Check = Java.use("com.ad2001.frida0x4.Check");\n var Check_obj = Check.$new();\n var String = Check_obj.get_flag(1337);\n console.log(String);\n}\n\nfunction main(){\n Java.perform(function (){\n hook();\n\n })\n}\n\nsetImmediate(main);<\/code><\/pre>\n<\/div><\/p>\n
5\u3001\u8c03\u7528MainActivity\u4e2d\u7684\u975e\u9759\u6001\u65b9\u6cd5<\/h2>\n
\u524d\u9762\u6709\u63d0\u5230\u8fc7\u5982\u679c\u4e0d\u662fMainActivity\u4e2d\u7684\u65b9\u6cd5\u6211\u4eec\u4f7f\u7528.$new()\u53ef\u4ee5\u521b\u5efa\u4e00\u4e2a\u5b9e\u4f8b\u3002\u90a3\u4e48\u5982\u679c\u6211\u4eec\u5c06\u8fd9\u4e2a\u4f7f\u7528\u5230MainActivity\u4f1a\u53d1\u751f\u4ec0\u4e48\u5462?<\/p>\n
function hook(){\n var MainActivity = Java.use("com.ad2001.frida0x5");\n var MainActivity_obj = MainActivity.$new();\n}<\/code><\/pre>\n<\/div>
\n\u597d\u5427\uff0c\u5b83\u5d29\u6e83\u4e86\u3002\u90a3\u4e48\u8fd9\u662f\u4ec0\u4e48\u539f\u56e0\u5462\uff1f<\/p>\n
\u76f4\u63a5\u4f7f\u7528Frida\u521b\u5efaMainActivity<\/code>\u6216\u4efb\u4f55Android\u7ec4\u4ef6\u53ef\u80fd\u4f1a\u5f88\u68d8\u624b\uff0c\u56e0\u4e3aAndroid\u7684\u751f\u547d\u5468\u671f\u548c\u7ebf\u7a0b\u89c4\u5219\u3002Android\u7ec4\u4ef6\uff0c\u5982Activity<\/code>\u5b50\u7c7b\uff0c\u4f9d\u8d56\u4e8e\u5e94\u7528\u7a0b\u5e8f\u4e0a\u4e0b\u6587\u8fdb\u884c\u6b63\u786e\u8fd0\u884c\u3002\u5728Frida\u4e2d\uff0c\u60a8\u53ef\u80fd\u7f3a\u5c11\u5fc5\u8981\u7684\u4e0a\u4e0b\u6587\u3002Android UI\u7ec4\u4ef6\u901a\u5e38\u9700\u8981\u5177\u6709\u5173\u8054Looper<\/code>\u7684\u7279\u5b9a\u7ebf\u7a0b\u3002\u5982\u679c\u6d89\u53caUI\u4efb\u52a1\uff0c\u8bf7\u786e\u4fdd\u5728\u5177\u6709\u6d3b\u52a8Looper<\/code>\u7684\u4e3b\u7ebf\u7a0b\u4e0a\u6267\u884c\u3002\u6d3b\u52a8\u662f\u8f83\u5927\u7684Android\u5e94\u7528\u7a0b\u5e8f\u751f\u547d\u5468\u671f\u7684\u4e00\u90e8\u5206\u3002\u521b\u5efaMainActivity<\/code>\u7684\u5b9e\u4f8b\u53ef\u80fd\u9700\u8981\u5e94\u7528\u5904\u4e8e\u7279\u5b9a\u72b6\u6001\uff0c\u5e76\u4e14\u901a\u8fc7Frida\u7ba1\u7406\u6574\u4e2a\u751f\u547d\u5468\u671f\u53ef\u80fd\u5e76\u4e0d\u76f4\u63a5\u3002\u603b\u4e4b\uff0c\u4e3aMainActivity<\/code>\u521b\u5efa\u5b9e\u4f8b\u5e76\u4e0d\u662f\u4e00\u4e2a\u597d\u4e3b\u610f\u3002<\/p>\n\u90a3\u4e48\u8fd9\u91cc\u7684\u89e3\u51b3\u65b9\u6848\u662f\u4ec0\u4e48\u5462\uff1f<\/p>\n
\u5f53Android\u5e94\u7528\u7a0b\u5e8f\u542f\u52a8\u65f6\uff0c\u7cfb\u7edf\u4f1a\u521b\u5efaMainActivity<\/code>\u7684\u4e00\u4e2a\u5b9e\u4f8b\uff08\u6216AndroidManifest.xml\u6587\u4ef6\u4e2d\u6307\u5b9a\u7684\u542f\u52a8\u5668\u6d3b\u52a8\uff09\u3002\u521b\u5efaMainActivity<\/code>\u5b9e\u4f8b\u662fAndroid\u5e94\u7528\u7a0b\u5e8f\u751f\u547d\u5468\u671f\u7684\u4e00\u90e8\u5206\u3002\u56e0\u6b64\uff0c\u6211\u4eec\u53ef\u4ee5\u4f7f\u7528frida\u83b7\u53d6MainActivity<\/code>\u7684\u5b9e\u4f8b\uff0c\u7136\u540e\u8c03\u7528flag()<\/code>\u65b9\u6cd5\u6765\u83b7\u53d6\u6211\u4eec\u7684\u6807\u5fd7\u3002<\/p>\n\u5728\u73b0\u6709\u5b9e\u4f8b\u4e0a\u8c03\u7528\u65b9\u6cd5<\/h3>\n
\u5728\u73b0\u6709\u5b9e\u4f8b\u4e0a\u8c03\u7528\u65b9\u6cd5\u53ef\u4ee5\u5f88\u5bb9\u6613\u5730\u901a\u8fc7Frida\u5b8c\u6210\u3002\u4e3a\u6b64\uff0c\u6211\u4eec\u5c06\u4f7f\u7528\u4e24\u4e2aAPI\u3002<\/p>\n
\n- \n
Java.performNow<\/code>\uff1a\u7528\u4e8e\u5728Java\u8fd0\u884c\u65f6\u73af\u5883\u4e2d\u6267\u884c\u4ee3\u7801\u7684\u51fd\u6570\u3002<\/p>\n<\/li>\n- \n
Java.choose<\/code>\uff1a\u5728\u8fd0\u884c\u65f6\u679a\u4e3e\u6307\u5b9aJava\u7c7b\uff08\u4f5c\u4e3a\u7b2c\u4e00\u4e2a\u53c2\u6570\u63d0\u4f9b\uff09\u7684\u5b9e\u4f8b\u3002<\/p>\n<\/li>\n<\/ul>\n\u8ba9\u6211\u5c55\u793a\u4e00\u4e2a\u6a21\u677f\u7ed9\u4f60\u3002<\/p>\n
Java.performNow(function() {\n Java.choose('<\u5305\u540d>.<\u7c7b\u540d>', {\n onMatch: function(instance) {\n \/\/ \u5f85\u529e\u4e8b\u9879\n },\n onComplete: function() {}\n });\n});<\/code><\/pre>\n\u8fd9\u91cc\u6709\u4e24\u4e2a\u56de\u8c03\u51fd\u6570\uff1a<\/p>\n
\n- onMatch<\/strong>\n
\nonMatch<\/code>\u56de\u8c03\u51fd\u6570\u5728Java.choose<\/code>\u64cd\u4f5c\u671f\u95f4\u627e\u5230\u6307\u5b9a\u7c7b\u7684\u6bcf\u4e2a\u5b9e\u4f8b\u65f6\u6267\u884c\u3002<\/li>\n- \u8fd9\u4e2a\u56de\u8c03\u51fd\u6570\u63a5\u6536\u5f53\u524d\u5b9e\u4f8b\u4f5c\u4e3a\u5b83\u7684\u53c2\u6570\u3002<\/li>\n
- \u60a8\u53ef\u4ee5\u5728
onMatch<\/code>\u56de\u8c03\u4e2d\u5b9a\u4e49\u81ea\u5b9a\u4e49\u64cd\u4f5c\uff0c\u4ee5\u5728\u6bcf\u4e2a\u5b9e\u4f8b\u4e0a\u6267\u884c\u3002<\/li>\nfunction(instance) {}<\/code>\uff0cinstance<\/code>\u53c2\u6570\u8868\u793a\u76ee\u6807\u7c7b\u7684\u6bcf\u4e2a\u5339\u914d\u5b9e\u4f8b\u3002\u60a8\u53ef\u4ee5\u4f7f\u7528\u4efb\u4f55\u5176\u4ed6\u540d\u79f0\u3002<\/li>\n<\/ul>\n<\/li>\n- onComplete<\/strong>\n
\nonComplete<\/code>\u56de\u8c03\u5728Java.choose<\/code>\u64cd\u4f5c\u5b8c\u6210\u540e\u6267\u884c\u64cd\u4f5c\u6216\u6e05\u7406\u4efb\u52a1\u3002\u6b64\u5757\u662f\u53ef\u9009\u7684\uff0c\u5982\u679c\u60a8\u5728\u641c\u7d22\u5b8c\u6210\u540e\u4e0d\u9700\u8981\u6267\u884c\u4efb\u4f55\u7279\u5b9a\u64cd\u4f5c\uff0c\u5219\u53ef\u4ee5\u9009\u62e9\u5c06\u5176\u7559\u7a7a\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\u4f8b\u9898Frida-labs 0x5<\/h3>\nMainActivity<\/h4>\n
<\/div>
\n\u53ef\u4ee5\u53d1\u73b0\u5176\u4e2dflag\u65b9\u6cd5\u662f\u672a\u88ab\u8c03\u7528\u7684\u65b9\u6cd5\uff0c\u5e76\u4e14\u662f\u89e3\u5bc6\u5bc6\u6587\u5c06Flag\u8f93\u51fa\u5230TextView\u63a7\u4ef6\u4e0a\u3002<\/p>\n
BeginHook\uff01<\/h4>\n
\u73b0\u5728\u6211\u4eec\u77e5\u9053\u5982\u4f55\u4f7f\u7528Java.choose<\/code> API\uff0c\u8ba9\u6211\u4eec\u5f00\u59cb\u7f16\u5199\u6211\u4eec\u7684frida\u811a\u672c\u3002<\/p>\n\n- \u5305\u540d\uff1a
com.ad2001.frida0x5<\/code><\/li>\n- \u7c7b\u540d\uff1a
MainActivity<\/code><\/li>\n- \u51fd\u6570\u540d\uff1a
flag<\/code><\/li>\n<\/ul>\nJava.performNow(function() {\n Java.choose('com.ad2001.frida0x5.MainActivity', {\n onMatch: function(instance) {\n \/\/ \u5f85\u529e\u4e8b\u9879\n },\n onComplete: function() {}\n });\n});<\/code><\/pre>\n\u8ba9\u6211\u4eec\u5728\u6210\u529f\u627e\u5230MainActivity<\/code>\u5b9e\u4f8b\u65f6\u5305\u542b\u4e00\u4e2aconsole.log<\/code>\u8bed\u53e5\u4ee5\u6253\u5370\u4e00\u6761\u6d88\u606f\u3002\u7531\u4e8e\u5728\u679a\u4e3e\u5b8c\u6210\u540e\u6211\u4eec\u6ca1\u6709\u4efb\u4f55\u7279\u5b9a\u7684\u64cd\u4f5c\u8981\u6267\u884c\uff0c\u6211\u4eec\u53ef\u4ee5\u5c06onComplete<\/code>\u5757\u7559\u7a7a\u3002<\/p>\nJava.performNow(function() {\n Java.choose('com.ad2001.frida0x5.MainActivity', {\n onMatch: function(instance) {\n console.log("\u627e\u5230\u5b9e\u4f8b");\n },\n onComplete: function() {}\n });\n});<\/code><\/pre>\n\u8ba9\u6211\u4eec\u542f\u52a8Frida\u5e76\u6ce8\u5165\u6211\u4eec\u7684\u811a\u672c\u3002
\n
<\/div><\/p>\n
Hook\u4ee3\u7801<\/h4>\nfunction hook(){\n Java.choose('com.ad2001.frida0x5.MainActivity',{\n onMatch:function (MainActivity){\n MainActivity.flag(1337);\n console.log("Hook Success!");\n },onComplete:function (){\n\n }\n })\n}\n\nfunction main(){\n\n Java.perform(function (){\n hook();\n })\n}\n\nsetImmediate(main);<\/code><\/pre>\n<\/div><\/p>\n
6\u3001MainActivity\u4e2d\u975e\u9759\u6001\u5e76\u4e14\u53c2\u6570\u4e3a\u975e\u9759\u6001\u53d8\u91cf\u65b9\u6cd5\u8c03\u7528<\/h2>\n\u4f8b\u9898Frida-labs 0x6<\/h3>\n
<\/div>
\n\u6211\u4eec\u4e4b\u524d\u5df2\u7ecf\u89e3\u51b3\u8fc7\u7c7b\u4f3c\u7684\u95ee\u9898\u4e86\u3002\u5728\u8fd9\u79cd\u60c5\u51b5\u4e0b\uff0c\u6211\u4eec\u6709\u4e00\u4e2a
get_flag()<\/code>\u65b9\u6cd5\uff0c\u5728\u5e94\u7528\u7a0b\u5e8f\u4e2d\u6ca1\u6709\u88ab\u8c03\u7528\u3002\u5982\u679c\u8c03\u7528\u6b64\u65b9\u6cd5\uff0c\u5b83\u5c06\u4f7f\u7528AES<\/code>\u89e3\u5bc6\u6807\u5fd7\uff0c\u5e76\u5c06\u6807\u5fd7\u8bbe\u7f6e\u5728Textview\u4e2d\u3002\u5982\u679c\u6211\u4eec\u68c0\u67e5get_flag<\/code>\u65b9\u6cd5\uff0c\u5b83\u53ea\u63a5\u53d7\u4e00\u4e2a\u53c2\u6570\uff0c\u8fd9\u4e2a\u53c2\u6570\u662fChecker<\/code>\u7c7b\u7684\u4e00\u4e2a\u5b9e\u4f8b\u3002\u53c2\u6570\u88ab\u547d\u540d\u4e3aA<\/code>\uff0c\u5176\u7c7b\u578b\u662fChecker<\/code>\u3002<\/p>\npublic void get_flag(Checker A) throws NoSuchPaddingException, NoSuchAlgorithmException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException {\n \/\/ \u65b9\u6cd5\u4f53\n}<\/code><\/pre>\n\u5728\u65b9\u6cd5\u5185\u90e8\uff0c\u5b83\u68c0\u67e5A.num1<\/code>\u662f\u5426\u7b49\u4e8e1234<\/code>\uff0c\u4ee5\u53caA.num2<\/code>\u662f\u5426\u7b49\u4e8e4321<\/code>\u3002\u5982\u679c\u6761\u4ef6\u6210\u7acb\uff0c\u8be5\u65b9\u6cd5\u5c06\u7ee7\u7eed\u4f7f\u7528AES\u89e3\u5bc6\u52a0\u5bc6\u5b57\u7b26\u4e32\uff0c\u5e76\u5c06\u89e3\u5bc6\u540e\u7684\u7ed3\u679c\u8bbe\u7f6e\u5728TextView\u4e2d\u3002\u56e0\u6b64\uff0c\u8ba9\u6211\u4eec\u68c0\u67e5\u4e00\u4e0bChecker\u7c7b\u3002<\/p>\n<\/div><\/p>\n
\u5728Checker\u7c7b\u4e2d\uff0c\u6211\u4eec\u6709\u4e24\u4e2a\u53d8\u91cf\u3002<\/p>\n
\n- num1<\/li>\n
- num2<\/li>\n<\/ul>\n
num1<\/code>\u5e94\u8be5\u7b49\u4e8e1234<\/code>\uff0cnum2<\/code>\u5e94\u8be5\u7b49\u4e8e4321<\/code>\uff0c\u4ee5\u6ee1\u8db3if<\/code>\u6761\u4ef6\u6267\u884c\u89e3\u5bc6\u5e76\u8bbe\u7f6e\u6807\u5fd7\u7684\u4ee3\u7801\u5757\u3002\u8bf7\u8bb0\u4f4f\uff0c\u8fd9\u4e2a\u7c7b\u4e5f\u6ca1\u6709\u5b9e\u4f8b\u3002<\/p>\n\u89e3\u51b3\u65b9\u6848<\/h4>\n
\u8fd9\u4e2a\u95ee\u9898\u5f88\u5bb9\u6613\u89e3\u51b3\uff0c\u56e0\u4e3a\u6211\u4eec\u4e4b\u524d\u5df2\u7ecf\u5728\u4e0a\u4e00\u7bc7\u5e16\u5b50\u4e2d\u505a\u8fc7\u4e86\uff0c\u552f\u4e00\u7684\u533a\u522b\u662fget_flag<\/code>\u65b9\u6cd5\u7684\u53c2\u6570\u662fChecker<\/code>\u7c7b\u7684\u4e00\u4e2a\u5bf9\u8c61\u3002\u6211\u5c06\u603b\u7ed3\u89e3\u51b3\u8fd9\u4e2a\u95ee\u9898\u7684\u6b65\u9aa4\u5982\u4e0b\uff1a<\/p>\n\n- \u521b\u5efa\u4e00\u4e2a
Checker<\/code>\u7c7b\u7684\u5b9e\u4f8b\u3002<\/li>\n- \u5c06
num1<\/code>\u8bbe\u7f6e\u4e3a1234\uff0cnum2<\/code>\u8bbe\u7f6e\u4e3a4321\u3002<\/li>\n- \u83b7\u53d6
MainActivity<\/code>\u7684\u5b9e\u4f8b\u3002<\/li>\n- \u4f7f\u7528\u5b9e\u4f8b\u4f5c\u4e3a\u53c2\u6570\u8c03\u7528
get_flag<\/code>\u65b9\u6cd5\u3002<\/li>\n<\/ul>\n\u8ba9\u6211\u4eec\u5f00\u59cb\u7f16\u5199\u6211\u4eec\u7684frida\u811a\u672c\u3002<\/p>\n
\u9996\u5148\u8ba9\u6211\u4eec\u521b\u5efaChecker<\/code>\u7c7b\u7684\u5b9e\u4f8b\u3002<\/p>\nvar checker = Java.use("com.ad2001.frida0x6.Checker");\nvar checker_obj = checker.$new(); \/\/ \u7c7b\u5bf9\u8c61<\/code><\/pre>\n\u8bbe\u7f6enum1<\/code>\u548cnum2<\/code>\u7684\u503c\u3002<\/p>\nchecker_obj.num1.value = 1234;\nchecker_obj.num2.value = 4321;<\/code><\/pre>\n\u73b0\u5728\u8ba9\u6211\u4eec\u83b7\u53d6MainActivity<\/code>\u7684\u5b9e\u4f8b\u3002\u6211\u4eec\u53ef\u4ee5\u4f7f\u7528Java.performNow<\/code>\u548cJava.choose<\/code>API\u3002\u6211\u4eec\u5728\u4e4b\u524d\u7684\u6311\u6218\u4e2d\u5df2\u7ecf\u505a\u8fc7\u4e86\u3002<\/p>\nJava.performNow(function() {\n Java.choose('com.ad2001.frida0x6.MainActivity', {\n onMatch: function(instance) {\n console.log("\u627e\u5230\u5b9e\u4f8b");\n\n },\n onComplete: function() {}\n });\n})<\/code><\/pre>\n\u8ba9\u6211\u4eec\u66f4\u65b0\u811a\u672c\uff0c\u52a0\u5165Checker<\/code>\u7c7b\u7684\u5b9e\u4f8b\u3002<\/p>\nJava.performNow(function() {\n Java.choose('com.ad2001.frida0x6.MainActivity', {\n onMatch: function(instance) {\n console.log("\u627e\u5230\u5b9e\u4f8b");\n\n var checker = Java.use("com.ad2001.frida0x6.Checker");\n var checker_obj = checker.$new(); \/\/ \u7c7b\u5bf9\u8c61\n checker_obj.num1.value = 1234;\n checker_obj.num2.value = 4321;\n\n },\n onComplete: function() {}\n });\n});<\/code><\/pre>\n\u73b0\u5728\u552f\u4e00\u8981\u505a\u7684\u662f\u901a\u8fc7\u4f20\u9012Checker<\/code>\u7c7b\u7684\u5b9e\u4f8b\u6765\u8c03\u7528get_flag<\/code>\u65b9\u6cd5\u3002<\/p>\nJava.performNow(function() {\n Java.choose('com.ad2001.frida0x6.MainActivity', {\n onMatch: function(instance) {\n console.log("\u627e\u5230\u5b9e\u4f8b");\n\n var checker = Java.use("com.ad2001.frida0x6.Checker");\n var checker_obj = checker.$new(); \/\/ \u7c7b\u5bf9\u8c61\n checker_obj.num1.value = 1234; \/\/ num1\n checker_obj.num2.value = 4321; \/\/ num2\n instance.get_flag(checker_obj); \/\/ \u8c03\u7528get_flag\u65b9\u6cd5\n\n },\n onComplete: function() {}\n });\n});<\/code><\/pre>\n\u8ba9\u6211\u4eec\u542f\u52a8frida\u5e76\u8fd0\u884c\u6211\u4eec\u7684\u811a\u672c\u3002<\/p>\n
PS C:\\Users\\ajind> frida -U -f com.ad2001.frida0x6<\/code><\/pre>\n
![\"file\"](\"https:\/\/shangwendada.top\/wp-content\/uploads\/2024\/03\/image-1709457853451.png\")
<\/div><\/p>\n<\/li>\n![\"file\"](\"https:\/\/shangwendada.top\/wp-content\/uploads\/2024\/03\/image-1709460070492.png\")
<\/div><\/p>\n![\"file\"](\"https:\/\/shangwendada.top\/wp-content\/uploads\/2024\/03\/image-1709460323348.png\")
<\/div><\/p>\n![\"file\"](\"https:\/\/shangwendada.top\/wp-content\/uploads\/2024\/03\/image-1709465780915.png\")
<\/div><\/p>\n![\"file\"](\"https:\/\/shangwendada.top\/wp-content\/uploads\/2024\/03\/image-1709465999157.png\")
<\/div>![\"file\"](\"https:\/\/shangwendada.top\/wp-content\/uploads\/2024\/03\/image-1709466387598.png\")
<\/div><\/p>\n![\"file\"](\"https:\/\/shangwendada.top\/wp-content\/uploads\/2024\/03\/image-1709468739573.png\")
<\/div>![\"file\"](\"https:\/\/shangwendada.top\/wp-content\/uploads\/2024\/03\/image-1709471309782.png\")
<\/div>![\"file\"](\"https:\/\/shangwendada.top\/wp-content\/uploads\/2024\/03\/image-1709471365351.png\")
<\/div>![\"file\"](\"https:\/\/shangwendada.top\/wp-content\/uploads\/2024\/03\/image-1709471656698.png\")
<\/div><\/p>\n![\"file\"](\"https:\/\/shangwendada.top\/wp-content\/uploads\/2024\/03\/image-1709483078034.png\")
<\/div>![\"file\"](\"https:\/\/shangwendada.top\/wp-content\/uploads\/2024\/03\/image-1709483467607.png\")
<\/div>![\"file\"](\"https:\/\/shangwendada.top\/wp-content\/uploads\/2024\/03\/image-1709483710080.png\")
<\/div><\/p>\n![\"file\"](\"https:\/\/shangwendada.top\/wp-content\/uploads\/2024\/03\/image-1709483873021.png\")
<\/div><\/p>\n![\"file\"](\"https:\/\/shangwendada.top\/wp-content\/uploads\/2024\/03\/image-1709485036952.png\")
<\/div>![\"file\"](\"https:\/\/shangwendada.top\/wp-content\/uploads\/2024\/03\/image-1709485070587.png\")
<\/div><\/p>\n![\"file\"](\"https:\/\/shangwendada.top\/wp-content\/uploads\/2024\/03\/image-1709485205036.png\")
<\/div><\/p>\n![\"file\"](\"https:\/\/shangwendada.top\/wp-content\/uploads\/2024\/03\/image-1709485878632.png\")
<\/div>![\"file\"](\"https:\/\/shangwendada.top\/wp-content\/uploads\/2024\/03\/image-1709486446902.png\")
<\/div><\/p>\n