From 56c3fd2976d5ffa5b2ded5390db2b39fac96d51d Mon Sep 17 00:00:00 2001
From: luzhisheng
Date: Fri, 23 Feb 2024 13:27:13 +0800
Subject: [PATCH] =?UTF-8?q?=E8=AF=BE=E7=A8=8B?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
.../__init__.py | 0
.../hook_os.py | 96 +++++++++++++++++++
2 files changed, 96 insertions(+)
create mode 100644 猿人学app逆向/新-sec2-lesson10-反序列化protobuf和简单so/__init__.py
create mode 100644 猿人学app逆向/新-sec2-lesson10-反序列化protobuf和简单so/hook_os.py
diff --git a/猿人学app逆向/新-sec2-lesson10-反序列化protobuf和简单so/__init__.py b/猿人学app逆向/新-sec2-lesson10-反序列化protobuf和简单so/__init__.py
new file mode 100644
index 0000000..e69de29
diff --git a/猿人学app逆向/新-sec2-lesson10-反序列化protobuf和简单so/hook_os.py b/猿人学app逆向/新-sec2-lesson10-反序列化protobuf和简单so/hook_os.py
new file mode 100644
index 0000000..812843f
--- /dev/null
+++ b/猿人学app逆向/新-sec2-lesson10-反序列化protobuf和简单so/hook_os.py
@@ -0,0 +1,96 @@
+import frida
+import sys
+import os
+import time
+
+hook_code = """
+Java.perform(
+ function(){
+ console.log('ffff')
+ var ByteString = Java.use('com.android.okhttp.okio.ByteString')
+
+ var Requester = Java.use('com.shjt.map.view.layout.realtime.LineLayout$Requester')
+ Requester.request.implementation = function(p1){
+ send('here me?')
+ this.request(p1)
+ }
+
+ var Req = Java.use('com.shjt.map.data.rline.Request')
+ Req.toString.implementation = function(p1){
+
+ //send(this.mBuilder.build().toByteArray())
+ var tmp = this.toString()
+ send('ggggg:'+tmp)
+ return tmp
+ }
+
+ var Native = Java.use('com.shjt.map.tool.Native')
+
+ Native.decode2.implementation = function(pp){
+ console.log("str :" + Java.use('java.lang.String').$new(pp));
+ console.log("hex :" + ByteString.of(pp).hex());
+ console.log("array :" + JSON.stringify(pp));
+ return this.decode2(pp)
+ }
+
+ /*Native.encode2.implementation = function(pp){
+ console.log("str :" + Java.use('java.lang.String').$new(pp));
+ console.log()
+ console.log("hex :" + ByteString.of(pp).hex());
+ console.log("array :" + JSON.stringify(pp));
+ var ret = this.encode2(pp)
+ console.log("ret hex :" + ByteString.of(ret).hex());
+ return ret
+ }*/
+
+
+ var aes_decrypt_cbc = Module.getExportByName('libnative.so', '_Z15aes_decrypt_cbcPKhjPhPKjiS0_');
+ Interceptor.attach(aes_decrypt_cbc, {
+ onEnter:function(args){
+ console.log('1:')
+ console.log('0:',args[0].readByteArray(16))
+ console.log('1:',args[1].toInt32())
+ console.log('2:',args[2].readByteArray(16))
+ console.log('3:',args[3].readByteArray(16))
+ console.log('4:',args[4].toInt32())
+ console.log('5:',args[5].readByteArray(16))
+ },
+ onLeave:function(retval){
+
+ }
+ })
+
+ var aes_key_setup = Module.getExportByName('libnative.so', '_Z13aes_key_setupPKhPji');
+ Interceptor.attach(aes_key_setup, {
+ onEnter:function(args){
+ console.log('2:')
+ console.log('0:',args[0].readByteArray(16))
+ console.log('2:',args[1].readByteArray(16))
+ console.log('1:',args[2].toInt32())
+ },
+ onLeave:function(retval){
+
+ }
+ })
+
+
+
+
+ }
+)
+
+function printstack() {
+ send(Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Exception").$new()));
+}
+"""
+
+
+def test_hook():
+ process = frida.get_usb_device(-1).attach('com.shjt.map')
+ script = process.create_script(hook_code)
+ script.load()
+ sys.stdin.read()
+
+
+if __name__ == "__main__":
+ test_hook()
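Review bot: The script in `hook_code` reports through `send(...)` (`send('here me?')`, `send('ggggg:'+tmp)`, and `printstack`), but `test_hook` never registers a message handler, so those payloads are dropped on the Python side and only the `console.log` output reaches the terminal; add `script.on('message', lambda message, data: print(message))` before `script.load()`. `import os` and `import time` are unused in the new file and can be removed. The labels in the `aes_key_setup` hook are also swapped (`'2:'` is printed for `args[1]` and `'1:'` for `args[2]`), which makes the output hard to read back against the argument order; `'1:'` / `'2:'` in argument order would fix it. The empty `onLeave` callbacks on both `Interceptor.attach` calls could be dropped or given a comment saying they are intentionally unused.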