app签名检测

2025-04-17 08:27:02 +08:00 · 2024-01-30 03:11:43 +08:00 · 2024-01-30 03:11:43 +08:00 · 139c943788
commit 139c943788
parent 2fdd3910bc
2 changed files with 52 additions and 0 deletions
--- a/猿人学app逆向/新-sec6-lesson3-平头哥框架(ratel)的安装及其简单应用/init.py
+++ b/猿人学app逆向/新-sec6-lesson3-平头哥框架(ratel)的安装及其简单应用/init.py
--- a/猿人学app逆向/新-sec6-lesson3-平头哥框架(ratel)的安装及其简单应用/hook签名相关函数.py
+++ b/猿人学app逆向/新-sec6-lesson3-平头哥框架(ratel)的安装及其简单应用/hook签名相关函数.py
@ -0,0 +1,52 @@
+import frida
+import sys
+
+
+def on_message(message, data):
+    if message['type'] == 'send':
+        print("[*] {0}".format(message['payload']))
+    else:
+        print(message)
+
+
+test_sig = '''
+Java.perform(
+    function(){
+        # hook 内置类android.content.pm.Signature
+        var Signature = Java.use('android.content.pm.Signature')
+        # hook 内置类的hashCode方法
+        Signature.hashCode.implementation = function() {
+            console.log('hashCode')
+            return this.hashCode()
+        }
+        # hook 内置类的toByteArray方法
+        Signature.toByteArray.implementation = function() {
+            console.log('toByteArray')
+            printstack()
+            return this.toByteArray()
+        }
+        # 打印调用堆栈
+        function printstack() {
+            console.log(Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Exception").$new()));
+        }
+        # 过掉检测
+        var AA = Java.use('com.chaozhuo.texteditor.widget.a')
+        AA.a.overload('android.content.Context').implementation = function() {
+            return true
+            //this.a()
+        }
+    }
+)
+'''
+
+# 启动方式2 spawn 重启APP 可以hook APP启动阶段
+device = frida.get_usb_device(-1)
+pid = device.spawn(['com.chaozhuo.texteditor'])
+process = device.attach(pid)
+
+script = process.create_script(test_sig)
+script.on('message', on_message)
+print('[*] Running')
+script.load()
+device.resume(pid)
+sys.stdin.read()