Frida Tutorial 2

Jifunze AWS hacking kutoka sifuri hadi shujaa na htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)!

Je, unafanya kazi katika kampuni ya usalama wa mtandao? Unataka kuona kampuni yako ikitangazwa kwenye HackTricks? au unataka kupata upatikanaji wa toleo jipya la PEASS au kupakua HackTricks kwa PDF? Angalia MIPANGO YA KUJIUNGA!
Gundua Familia ya PEASS, mkusanyiko wetu wa NFTs ya kipekee
Pata swagi rasmi ya PEASS & HackTricks
Jiunge na 💬 Kikundi cha Discord au kikundi cha telegram au nifuata kwenye Twitter 🐦@carlospolopm.
Shiriki mbinu zako za kuhack kwa kuwasilisha PRs kwa repo ya hacktricks na repo ya hacktricks-cloud.

Siri ya tuzo ya mdudu: jiandikishe kwa Intigriti, jukwaa la mdudu la malipo lililoundwa na wakora! Jiunge nasi kwenye https://go.intigriti.com/hacktricks leo, na anza kupata tuzo hadi $100,000!

Hii ni muhtasari wa chapisho: https://11x256.github.io/Frida-hooking-android-part-2/ (Sehemu 2, 3 & 4) APKs na Msimbo wa Chanzo: https://github.com/11x256/frida-android-examples

Sehemu ya 1 ni rahisi sana.

Baadhi ya sehemu za msimbo asilia hazifanyi kazi na zimebadilishwa hapa.

Sehemu 2

Hapa unaweza kuona mfano wa jinsi ya kufunga 2 kazi zenye jina moja lakini parameta tofauti. Pia, utajifunza jinsi ya kuita kazi na parameta zako mwenyewe. Na mwishowe, kuna mfano wa jinsi ya kupata kifungu cha darasa na kufanya kiite kazi.

//s2.js
console.log("Script loaded successfully ");
Java.perform(function x() {
console.log("Inside java perform function");
var my_class = Java.use("com.example.a11x256.frida_test.my_activity");
//Hook "fun" with parameters (int, int)
my_class.fun.overload("int", "int").implementation = function (x, y) { //hooking the old function
console.log("original call: fun(" + x + ", " + y + ")");
var ret_value = this.fun(2, 5);
return ret_value;
};
//Hook "fun" with paramater(String)
var string_class = Java.use("java.lang.String");
my_class.fun.overload("java.lang.String").implementation = function (x) { //hooking the new function
console.log("*")
//Create a new String and call the function with your input.
var my_string = string_class.$new("My TeSt String#####");
console.log("Original arg: " + x);
var ret = this.fun(my_string);
console.log("Return value: " + ret);
console.log("*")
return ret;
};
//Find an instance of the class and call "secret" function.
Java.choose("com.example.a11x256.frida_test.my_activity", {
onMatch: function (instance) {
console.log(tring, and the it has"Found instance: " + instance);
console.log("Result of secret func: " + instance.secret());
},
onComplete: function () { }
});
});

Unaweza kuona kwamba ili kuunda String kwanza imekuwa ikirejelea darasa java.lang.String na kisha imeunda kitu cha $new cha darasa hilo na String kama maudhui. Hii ndio njia sahihi ya kuunda kitu kipya cha darasa. Lakini, katika kesi hii, unaweza tu kupitisha kwa this.fun() String yoyote kama: this.fun("hey there!")

Python

//loader.py
import frida
import time

device = frida.get_usb_device()
pid = device.spawn(["com.example.a11x256.frida_test"])
device.resume(pid)
time.sleep(1) #Without it Java.perform silently fails
session = device.attach(pid)
script = session.create_script(open("s2.js").read())
script.load()

#prevent the python script from terminating
raw_input()

python loader.py

Sehemu 3

Python

Sasa utaona jinsi ya kutuma amri kwa programu iliyefungwa kupitia Python ili kuita kazi:

//loader.py
import time
import frida

def my_message_handler(message, payload):
print message
print payload


device = frida.get_usb_device()
pid = device.spawn(["com.example.a11x256.frida_test"])
device.resume(pid)
time.sleep(1)  # Without it Java.perform silently fails
session = device.attach(pid)
with open("s3.js") as f:
script = session.create_script(f.read())
script.on("message", my_message_handler)
script.load()

command = ""
while 1 == 1:
command = raw_input("Enter command:\n1: Exit\n2: Call secret function\n3: Hook Secret\nchoice:")
if command == "1":
break
elif command == "2":
script.exports.callsecretfunction()
elif command == "3":
script.exports.hooksecretfunction()

Amri "1" itatoka, amri "2" itapata na instance ya class na kuita function ya kibinafsi secret() na amri "3" itahook function secret() ili irudishe string tofauti.

Kisha, ukitoa "2" utapata siri halisi, lakini ukitoa "3" na kisha "2" utapata siri bandia.

JS

console.log("Script loaded successfully ");
var instances_array = [];
function callSecretFun() {
Java.perform(function () {
if (instances_array.length == 0) { // if array is empty
Java.choose("com.example.a11x256.frida_test.my_activity", {
onMatch: function (instance) {
console.log("Found instance: " + instance);
instances_array.push(instance)
console.log("Result of secret func: " + instance.secret());
},
onComplete: function () { }

});
}
else {//else if the array has some values
console.log("Result of secret func: " + instances_array[0].secret());
}

});
}

function hookSecret() {
Java.perform(function () {
var my_class = Java.use("com.example.a11x256.frida_test.my_activity");
var string_class = Java.use("java.lang.String");
my_class.secret.overload().implementation = function(){
var my_string = string_class.$new("TE ENGANNNNEEE");
return my_string;
}
});
}
rpc.exports = {
callsecretfunction: callSecretFun,
hooksecretfunction: hookSecret
};

Sehemu ya 4

Hapa utaona jinsi ya kufanya Python na JS kuingiliana kutumia vitu vya JSON. JS hutumia kazi ya send() kutuma data kwa mteja wa python, na Python hutumia kazi ya post() kutuma data kwa skripti ya JS. JS itazuia utekelezaji mpaka ipokee jibu kutoka kwa Python.

Python

//loader.py
import time
import frida

def my_message_handler(message, payload):
print message
print payload
if message["type"] == "send":
print message["payload"]
data = message["payload"].split(":")[1].strip()
print 'message:', message
data = data.decode("base64")
user, pw = data.split(":")
data = ("admin" + ":" + pw).encode("base64")
print "encoded data:", data
script.post({"my_data": data})  # send JSON object
print "Modified data sent"


device = frida.get_usb_device()
pid = device.spawn(["com.example.a11x256.frida_test"])
device.resume(pid)
time.sleep(1)
session = device.attach(pid)
with open("s4.js") as f:
script = session.create_script(f.read())
script.on("message", my_message_handler)  # register the message handler
script.load()
raw_input()

JS

console.log("Script loaded successfully ");
Java.perform(function () {
var tv_class = Java.use("android.widget.TextView");
tv_class.setText.overload('java.lang.CharSequence').implementation = function (x) {
var string_to_send = x.toString();
var string_to_recv = "";
send(string_to_send); // send data to python code
recv(function (received_json_object) {
string_to_recv = received_json_object.my_data;
}).wait(); //block execution till the message is received
console.log("Final string_to_recv: "+ string_to_recv)
return this.setText(string_to_recv);
}
});

Kuna sehemu ya 5 ambayo sitaeleza kwa sababu hakuna kitu kipya. Lakini ikiwa unataka kuisoma, ipo hapa: https://11x256.github.io/Frida-hooking-android-part-5/

Mwongozo wa tuzo ya mdudu: Jisajili kwa Intigriti, jukwaa la tuzo za mdudu la malipo lililoanzishwa na wadukuzi, kwa wadukuzi! Jiunge nasi kwenye https://go.intigriti.com/hacktricks leo, na anza kupata tuzo hadi $100,000!

Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)!

Je, unafanya kazi katika kampuni ya usalama wa mtandao? Je, unataka kuona kampuni yako ikitangazwa kwenye HackTricks? au unataka kupata ufikiaji wa toleo jipya la PEASS au kupakua HackTricks kwa PDF? Angalia MIPANGO YA KUJIUNGA!
Gundua Familia ya PEASS, mkusanyiko wetu wa NFTs ya kipekee
Pata bidhaa rasmi za PEASS & HackTricks
Jiunge na 💬 Kikundi cha Discord](https://discord.gg/hRep4RUj7f) au kikundi cha telegram](https://t.me/peass) au nifuata kwenye Twitter 🐦@carlospolopm.
Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye repo ya hacktricks na repo ya hacktricks-cloud.

PreviousFrida Tutorial 1 NextFrida Tutorial 3

Last updated 2 months ago