课程

猿人学app逆向/新-sec2-lesson10-反序列化protobuf和简单so/hook_os.py

@@ -0,0 +1,96 @@
+import frida
+import sys
+import os
+import time
+
+hook_code = """
+Java.perform(
+    function(){
+        console.log('ffff')
+        var ByteString = Java.use('com.android.okhttp.okio.ByteString')
+
+        var Requester = Java.use('com.shjt.map.view.layout.realtime.LineLayout$Requester')
+        Requester.request.implementation = function(p1){
+            send('here me?')
+            this.request(p1)
+        }
+
+        var Req = Java.use('com.shjt.map.data.rline.Request')
+        Req.toString.implementation = function(p1){
+
+            //send(this.mBuilder.build().toByteArray())
+            var tmp = this.toString()
+            send('ggggg:'+tmp)
+            return tmp
+        }
+
+        var Native = Java.use('com.shjt.map.tool.Native')
+
+        Native.decode2.implementation = function(pp){
+            console.log("str :"     + Java.use('java.lang.String').$new(pp));
+            console.log("hex :"     + ByteString.of(pp).hex());
+            console.log("array :"     + JSON.stringify(pp));
+            return this.decode2(pp)
+        }
+
+        /*Native.encode2.implementation = function(pp){
+            console.log("str :"     + Java.use('java.lang.String').$new(pp));
+            console.log()
+            console.log("hex :"     + ByteString.of(pp).hex());
+            console.log("array :"     + JSON.stringify(pp));
+            var ret =  this.encode2(pp)
+            console.log("ret hex :"     + ByteString.of(ret).hex());
+            return ret
+        }*/
+
+
+        var aes_decrypt_cbc = Module.getExportByName('libnative.so', '_Z15aes_decrypt_cbcPKhjPhPKjiS0_');
+        Interceptor.attach(aes_decrypt_cbc, {
+            onEnter:function(args){
+                console.log('1:')
+                console.log('0:',args[0].readByteArray(16))
+                console.log('1:',args[1].toInt32())
+                console.log('2:',args[2].readByteArray(16))
+                console.log('3:',args[3].readByteArray(16))
+                console.log('4:',args[4].toInt32())
+                console.log('5:',args[5].readByteArray(16))
+            },
+            onLeave:function(retval){
+
+            }
+        })
+
+        var aes_key_setup = Module.getExportByName('libnative.so', '_Z13aes_key_setupPKhPji');
+        Interceptor.attach(aes_key_setup, {
+            onEnter:function(args){
+                console.log('2:')
+                console.log('0:',args[0].readByteArray(16))
+                console.log('2:',args[1].readByteArray(16))
+                console.log('1:',args[2].toInt32())
+            },
+            onLeave:function(retval){
+
+            }
+        })
+
+
+
+
+    }
+)
+
+function printstack() {
+    send(Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Exception").$new()));
+}
+"""
+
+
+def test_hook():
+    process = frida.get_usb_device(-1).attach('com.shjt.map')
+    script = process.create_script(hook_code)
+    script.load()
+    sys.stdin.read()
+
+
+if __name__ == "__main__":
+    test_hook()