"""
构造方法
构造函数,java类中的初始化函数
package com.example.administrator.myapplication;
/** Sample class with two int fields that are set by its only constructor. */
public class gouzaofangfa {
    int a, b;

    /** Stores the two arguments in {@code a} and {@code b}, in that order. */
    public gouzaofangfa(int first, int second) {
        a = first;
        b = second;
    }
}
"""
import frida
import sys
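# Attach to the example app on the USB-connected device.
# NOTE(review): newer Frida releases may match the attach() string against the
# process name rather than the package identifier; confirm for the installed version.
process = frida.get_usb_device().attach('com.example.administrator.myapplication')

# JavaScript agent that Frida runs inside the attached process.
src = """
Java.perform(function () {
    // Java.use returns a wrapper for the loaded class; it does not create an instance.
    var coinClass = Java.use("com.example.administrator.myapplication.gouzaofangfa");

    // $init is the constructor; overload("int", "int") selects the (int, int) signature.
    coinClass.$init.overload("int", "int").implementation = function (aaa, bbb) {
        console.log("hook开始===========================================");
        console.log("第一个参数:" + aaa);
        // Label fixed: the original printed "first parameter" for the second value too.
        console.log("第二个参数:" + bbb);
        // Forward the observed arguments unchanged to the original constructor.
        return this.$init(aaa, bbb);
    };
});
"""
script = process.create_script(src)


def on_message(message, data):
    """Print each message the agent posts back to the host."""
    print(message)


# Register the handler before load() so no early message is missed.
script.on("message", on_message)
script.load()
# Block on stdin so the hook stays installed until input ends.
sys.stdin.read()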
"""
普通方法
这里的普通方法包括静态方法、私有方法和公开方法等。
package com.example.administrator.myapplication;
/** Sample class exposing a single static method. */
public class putongfangfa {
    /** Returns the sum of the two arguments. */
    public static int aaa(int left, int right) {
        int sum = left + right;
        return sum;
    }
}
"""
import frida
import sys
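# Attach to the example app on the USB-connected device.
process = frida.get_usb_device().attach('com.example.administrator.myapplication')

# JavaScript agent that Frida runs inside the attached process.
src = """
Java.perform(function () {
    var coinClass = Java.use("com.example.administrator.myapplication.putongfangfa");

    // aaa has a single signature in this class, so no overload() selection is needed.
    coinClass.aaa.implementation = function (a, b) {
        console.log("hook开始===========================================");
        console.log("第一个参数:" + a);
        // Label fixed: the original printed "first parameter" for the second value too.
        console.log("第二个参数:" + b);
        // Inside the replacement, this.aaa(...) invokes the original method.
        console.log("返回值:" + this.aaa(a, b));
        // The caller receives aaa(1, 2) instead of the real result. A value computed
        // on the device can be replaced like this, so the server must not rely on it.
        return this.aaa(1, 2);
    };
});
"""
script = process.create_script(src)


def on_message(message, data):
    """Print each message the agent posts back to the host."""
    print(message)


# Register the handler before load() so no early message is missed.
script.on("message", on_message)
script.load()
# Block on stdin so the hook stays installed until input ends.
sys.stdin.read()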
"""
重载方法
同一个方法名有多个参数列表(签名)不同的版本
package com.example.administrator.myapplication;
/** Sample class with two overloads of {@code aaa}. */
public class chongzaifangfa {
    /** No-argument overload; always returns the string {@code "111"}. */
    public static String aaa() {
        return "111";
    }

    /** Two-int overload; returns the sum of its arguments. */
    public static int aaa(int left, int right) {
        int sum = left + right;
        return sum;
    }
}
"""
import frida
import sys
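# Attach to the example app on the USB-connected device.
process = frida.get_usb_device().attach('com.example.administrator.myapplication')

# JavaScript agent that Frida runs inside the attached process.
src = """
Java.perform(function () {
    var coinClass = Java.use("com.example.administrator.myapplication.chongzaifangfa");

    // aaa is overloaded, so the (int, int) signature has to be selected explicitly;
    // the no-argument overload is left untouched.
    coinClass.aaa.overload("int", "int").implementation = function (a, b) {
        console.log("hook开始===========================================");
        console.log(a);
        console.log(b);
        // Call the original (int, int) method with fixed arguments instead of a and b.
        return this.aaa(10, 12);
    };
});
"""
script = process.create_script(src)


def on_message(message, data):
    """Print each message the agent posts back to the host."""
    print(message)


# Register the handler before load() so no early message is missed.
script.on("message", on_message)
script.load()
# Block on stdin so the hook stays installed until input ends.
sys.stdin.read()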
"""
package com.example.administrator.myapplication;
/** Sample class whose static factory returns a project-defined type. */
public class zidingyi {
    /** Returns a new {@code zidingyifangfa} built with the arguments (1, 1). */
    public static zidingyifangfa get() {
        zidingyifangfa created = new zidingyifangfa(1, 1);
        return created;
    }
}
package com.example.administrator.myapplication;
/** Sample value class with two int fields that are set by its only constructor. */
public class zidingyifangfa {
    int a, b;

    /** Stores the two arguments in {@code a} and {@code b}, in that order. */
    public zidingyifangfa(int first, int second) {
        a = first;
        b = second;
    }
}
"""
import frida
import sys
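# Attach to the example app on the USB-connected device.
process = frida.get_usb_device().attach("com.example.administrator.myapplication")

# JavaScript agent that Frida runs inside the attached process.
src = """
// Build and substitute a value of a project-defined type: get() returns a
// zidingyifangfa object rather than a primitive.
Java.perform(function () {
    // Wrapper for the class that owns get().
    var coinClass = Java.use("com.example.administrator.myapplication.zidingyi");
    // Wrapper for the return type, needed to construct a replacement object.
    var www = Java.use("com.example.administrator.myapplication.zidingyifangfa");

    coinClass.get.implementation = function () {
        // $new runs the (int, int) constructor; the original get() passes (1, 1).
        var obj = www.$new(10, 2);
        // Instance fields are read through .value, e.g. obj.a.value and obj.b.value.
        return obj;
    };
});
"""
script = process.create_script(src)


def on_message(message, data):
    """Print each message the agent posts back to the host."""
    print(message)


# Register the handler before load() so no early message is missed.
script.on("message", on_message)
script.load()
# Block on stdin so the hook stays installed until input ends.
sys.stdin.read()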