-
加载frida
alias activityFrida="adb shell 'su /data/local/tmp/frida-server64 &'" -
电脑启动frida
- 直接启动
frida -U packageName -l hook.js - app 刚启动的时候hook, 用frida去启动app
frida -U --no-pause -f com.tlamb96.spetsnazmessenger -l hook.js
- 直接启动
-
hook 构造函数,类对象然后.$init来hook 构造函数
//hook 构造函数 a.$init.implementation = function (i, str, str2, z) { this.$init(i, str, str2, z); console.log("a.$init:", i, str, str2, z); print_stack(); //打印了调用栈 };
-
打印调用栈,调用java自带的功能,抛出一个异常,打印内容,打印完之后 要把对象析构掉
function print_stack() { Java.perform(function () { var Exception = Java.use("java.lang.Exception"); var instance = Exception.$new("print_stack"); var stack = instance.getStackTrace(); console.log(stack); instance.$dispose(); }); }
-
jar -cvf ddex.jar com/example/androiddemo/DecodeUtils.class
/Users/yang/Library/Android/sdk/build-tools/28.0.3/dx --dex --output=ddex.dex ddex.jar
打包成dex
-
加载dex
var ddex2 = Java.openClassFile("/data/local/tmp/ddex2.dex"); -
构造字符串数组
var Ref_arr = Java.use('java.lang.reflect.Array')
var stringClass = Java.use("java.lang.String").class
var arg1 = Ref_arr.newInstance(stringClass, array.length);
for (var i =0; i < array.length; i++) {
Ref_arr.set(arg1, i, array[i])
}
网友评论