下载frida v16.0.1
使用adb命令查看手机架构信息: adb shell getprop ro.product.cpu.abi
shujie@shujiedeMBP ~ % adb shell getprop ro.product.cpu.abi
arm64-v8a
shujie@shujiedeMBP ~ %
查询到俺的是arm64-v8a下载: frida-server-16.0.1-android-arm64.xz
解压后获得文件: frida-server-16.0.1-android-arm64(感觉文件名称太长可以重命名)
把文件上传到手机中/data/local/tmp/路径下: adb push /Users/shujie/Documents/BaseData/app逆向/常用/frida-server-16.0.1-android-arm64 /data/local/tmp/
给上传到手机上的文件赋予可执行权限
adb shell
cd /data/local/tmp/
su
手机端打开Magisk.apk,点击下面的超级用户
adb shell
su
chmod 755 frida-server-16.0.1-android-arm64
电脑配置frida环境
python版本推荐3.7.9,新建一个py项目选择一个全新的py3.7环境
pip3 install frida-tools==12.0.1
pip3 install frida==16.0.1
使用frida
手机上使用frida-server运行起来,执行完下面命令后终端卡住代表frida-server运行起来了
adb shell
su
cd /data/local/tmp/
./frida-server-16.0.1-android-arm64
命令行端口转发
adb forward tcp:27042 tcp:27042
adb forward tcp:27043 tcp:27043
python脚本形式端口转发
import os
import subprocess
subprocess.getoutput("adb forward tcp:27042 tcp:27042")
subprocess.getoutput("adb forward tcp:27043 tcp:27043")
获取进程名称
import time
import frida
def get_android_info():
# 获取设备信息
rdev = frida.get_remote_device()
# print(rdev)
# # 枚举所有的进程
# processes = rdev.enumerate_processes()
# for process in processes:
# print(process)
# 获取在前台运行的APP
front_app = rdev.get_frontmost_application()
print(front_app)
get_android_info()
使用frida attach模式 hook app
attach: 在已打开的app上hook
import frida
import sys
rdev = frida.get_remote_device()
session = rdev.attach("应用名称")
scr = """
Java.perform(function () {
var SPUtils = Java.use("com.che168.autotradercloud.util.SPUtils");
SPUtils.getDeviceId.implementation = function(){
console.log("getDeviceId-----------------------");
return "";
}
});
"""
script = session.create_script(scr)
def on_message(message, data):
print(message, data)
script.on("message", on_message)
script.load()
sys.stdin.read()
使用frida spawn模式 hook app
spawn: 自动打开app执行hook
import frida
import sys
rdev = frida.get_remote_device()
pid = rdev.spawn(["com.app.name"])
session = rdev.attach(pid)
scr = """
Java.perform(function () {
var UpdateDialog = Java.use('com.azhon.appupdate.dialog.UpdateDialog');
UpdateDialog.show.implementation = function(ctx){
//this.show();
}
});
"""
script = session.create_script(scr)
def on_message(message, data):
print(message, data)
script.on("message", on_message)
script.load()
rdev.resume(pid)
sys.stdin.read()
使用js文件执行hook
hook_update.js
Java.perform(function () {
var UpdateDialog = Java.use('com.azhon.appupdate.dialog.UpdateDialog');
UpdateDialog.show.implementation = function(ctx){
//this.show();
}
});
spawn模式启动js文件: frida -Uf com.app.name -l hook_update.js
attach模式启动js文件: frida -UF -l hook_update.js
网友评论