mirror of
https://github.com/luzhisheng/js_reverse.git
synced 2025-04-04 23:03:48 +08:00
课程
This commit is contained in:
parent
496a24210a
commit
56c3fd2976
96
猿人学app逆向/新-sec2-lesson10-反序列化protobuf和简单so/hook_os.py
Normal file
96
猿人学app逆向/新-sec2-lesson10-反序列化protobuf和简单so/hook_os.py
Normal file
@ -0,0 +1,96 @@
|
||||
import frida
|
||||
import sys
|
||||
import os
|
||||
import time
|
||||
|
||||
hook_code = """
|
||||
Java.perform(
|
||||
function(){
|
||||
console.log('ffff')
|
||||
var ByteString = Java.use('com.android.okhttp.okio.ByteString')
|
||||
|
||||
var Requester = Java.use('com.shjt.map.view.layout.realtime.LineLayout$Requester')
|
||||
Requester.request.implementation = function(p1){
|
||||
send('here me?')
|
||||
this.request(p1)
|
||||
}
|
||||
|
||||
var Req = Java.use('com.shjt.map.data.rline.Request')
|
||||
Req.toString.implementation = function(p1){
|
||||
|
||||
//send(this.mBuilder.build().toByteArray())
|
||||
var tmp = this.toString()
|
||||
send('ggggg:'+tmp)
|
||||
return tmp
|
||||
}
|
||||
|
||||
var Native = Java.use('com.shjt.map.tool.Native')
|
||||
|
||||
Native.decode2.implementation = function(pp){
|
||||
console.log("str :" + Java.use('java.lang.String').$new(pp));
|
||||
console.log("hex :" + ByteString.of(pp).hex());
|
||||
console.log("array :" + JSON.stringify(pp));
|
||||
return this.decode2(pp)
|
||||
}
|
||||
|
||||
/*Native.encode2.implementation = function(pp){
|
||||
console.log("str :" + Java.use('java.lang.String').$new(pp));
|
||||
console.log()
|
||||
console.log("hex :" + ByteString.of(pp).hex());
|
||||
console.log("array :" + JSON.stringify(pp));
|
||||
var ret = this.encode2(pp)
|
||||
console.log("ret hex :" + ByteString.of(ret).hex());
|
||||
return ret
|
||||
}*/
|
||||
|
||||
|
||||
var aes_decrypt_cbc = Module.getExportByName('libnative.so', '_Z15aes_decrypt_cbcPKhjPhPKjiS0_');
|
||||
Interceptor.attach(aes_decrypt_cbc, {
|
||||
onEnter:function(args){
|
||||
console.log('1:')
|
||||
console.log('0:',args[0].readByteArray(16))
|
||||
console.log('1:',args[1].toInt32())
|
||||
console.log('2:',args[2].readByteArray(16))
|
||||
console.log('3:',args[3].readByteArray(16))
|
||||
console.log('4:',args[4].toInt32())
|
||||
console.log('5:',args[5].readByteArray(16))
|
||||
},
|
||||
onLeave:function(retval){
|
||||
|
||||
}
|
||||
})
|
||||
|
||||
var aes_key_setup = Module.getExportByName('libnative.so', '_Z13aes_key_setupPKhPji');
|
||||
Interceptor.attach(aes_key_setup, {
|
||||
onEnter:function(args){
|
||||
console.log('2:')
|
||||
console.log('0:',args[0].readByteArray(16))
|
||||
console.log('2:',args[1].readByteArray(16))
|
||||
console.log('1:',args[2].toInt32())
|
||||
},
|
||||
onLeave:function(retval){
|
||||
|
||||
}
|
||||
})
|
||||
|
||||
|
||||
|
||||
|
||||
}
|
||||
)
|
||||
|
||||
function printstack() {
|
||||
send(Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Exception").$new()));
|
||||
}
|
||||
"""
|
||||
|
||||
|
||||
def test_hook():
|
||||
process = frida.get_usb_device(-1).attach('com.shjt.map')
|
||||
script = process.create_script(hook_code)
|
||||
script.load()
|
||||
sys.stdin.read()
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
test_hook()
|
Loading…
Reference in New Issue
Block a user