ApkShelling
https://github.com/OakChen/ApkShelling
- Modify `targetPackages` in XposedEntry.java

```java
private static final String[] targetPackages =
        new String[]{"com.sfysoft.shellingtest", "com.sfysoft.shellingtest2", "com.example.how_debug"};
```
```shell
$ adb logcat -s Xposed
06-15 14:58:01.091 6048 6048 I Xposed : Found com.SecShell.SecShell.ApplicationWrapper
06-15 14:58:01.119 6048 6064 I Xposed : Thread: 246, File: /data/data/com.example.how_debug/00246-01.dex
06-15 14:58:01.228 6048 6064 I Xposed : Thread: 246, File: /data/data/com.example.how_debug/00246-02.dex
```
- Pull the generated dex files
If you run into a "Not found object" error, copy the files to /sdcard/ first and pull them from there:

```shell
root@angler:/data/data/com.example.how_debug # cp 00246-01.dex /sdcard/01.dex
root@angler:/data/data/com.example.how_debug # cp 00246-02.dex /sdcard/02.dex
```
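The logcat lines above tell you which dumped dex files exist. As an added example (not part of ApkShelling or the original post), this Python script parses that Xposed log format and generates the copy-via-/sdcard commands the post recommends; the sample log text is constructed from the lines shown above, and the `su -c` wrapper assumes a rooted device.

```python
# Added example: turn the `adb logcat -s Xposed` dump lines into pull commands.
import re

# Constructed sample in the log format shown above (timestamps/PIDs illustrative).
SAMPLE_LOG = """\
06-15 14:58:01.091 6048 6048 I Xposed : Found com.SecShell.SecShell.ApplicationWrapper
06-15 14:58:01.119 6048 6064 I Xposed : Thread: 246, File: /data/data/com.example.how_debug/00246-01.dex
06-15 14:58:01.228 6048 6064 I Xposed : Thread: 246, File: /data/data/com.example.how_debug/00246-02.dex
"""

# <date> <time> <pid> <tid> I Xposed : Thread: <n>, File: <path>.dex
DUMP_RE = re.compile(
    r"^\S+ \S+\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+I Xposed\s*:\s*"
    r"Thread:\s*(?P<thread>\d+),\s*File:\s*(?P<path>\S+\.dex)\s*$"
)


def parse_dumped_dex(log_text):
    """Return one dict per 'Thread: N, File: ...' line, in log order."""
    dumps = []
    for line in log_text.splitlines():
        m = DUMP_RE.match(line)
        if m:
            dumps.append({"pid": int(m["pid"]), "thread": int(m["thread"]), "path": m["path"]})
    return dumps


def pull_commands(dumps, via_sdcard=True):
    """Build host-side adb commands that copy each dumped dex off the device.

    On-device names look like 00246-01.dex (<thread>-<seq>); the /sdcard/ detour
    from the post copies them to /sdcard/<seq>.dex first (assumes root via `su -c`).
    """
    cmds = []
    for d in dumps:
        name = d["path"].rsplit("/", 1)[1]   # 00246-01.dex
        seq = name.split("-", 1)[1]          # 01.dex
        if via_sdcard:
            cmds.append(f"adb shell su -c 'cp {d['path']} /sdcard/{seq}'")
            cmds.append(f"adb pull /sdcard/{seq}")
        else:
            cmds.append(f"adb pull {d['path']}")
    return cmds


if __name__ == "__main__":
    for cmd in pull_commands(parse_dumped_dex(SAMPLE_LOG)):
        print(cmd)
```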
Using the Frida framework
```shell
adb push frida-server-arm64 /data/local/tmp
# the next three commands run inside `adb shell` on the device (as root)
cd /data/local/tmp
chmod 777 frida-server-arm64
./frida-server-arm64 &
# port forwarding (back on the host)
adb forward tcp:27043 tcp:27043
adb forward tcp:27042 tcp:27042
# check that the server is reachable
frida-ps -U
```
Interacting with the process through Frida's built-in Messages mechanism
```python
import frida, sys

# hook code, written in JavaScript
jscode = """
// JavaScript code goes here (this is the important part)
"""

# custom callback
def on_message(message, data):
    if message['type'] == 'send':
        print("[*] {0}".format(message['payload']))
    else:
        print(message)

# the four lines that matter
# get the USB device and attach to the process
process = frida.get_usb_device().attach('<full package name of the app>')
script = process.create_script(jscode)
# callback
script.on('message', on_message)
# the JavaScript starts running on the server side at this point
script.load()
sys.stdin.read()
```
Two languages are used here, Python and JavaScript: Python is the host that drives the session, while the JavaScript is the code that actually executes inside the Android process.
Running the two given examples
- Hook the onCreate() method of MainActivity directly and read the return value of calc()
Explanation of the JS code
```javascript
// Java.perform starts executing the JavaScript inside the target's Java VM.
Java.perform(function () {
    // define the variable MainActivity; Java.use selects the class to work with
    var MainActivity = Java.use('com.example.seccon2015.rock_paper_scissors.MainActivity');
    // hook the onCreate method of this class and re-implement it
    MainActivity.onCreate.implementation = function (savedInstanceState) {
        send("Hook Start...");
        // call calc() and obtain its return value
        var returnValue = this.calc();
        send("Return:" + returnValue);
        var result = (1000 + returnValue) * 107;
        // work out the answer
        send("Flag:" + "SECCON{" + result.toString() + "}");
        // call the original onCreate so the activity still initializes
        this.onCreate(savedInstanceState);
    };
});
```
Full implementation
```python
import frida, sys

def on_message(message, data):
    if message['type'] == 'send':
        print("[*] {0}".format(message['payload']))
    else:
        print(message)

jscode = """
Java.perform(function () {
    var MainActivity = Java.use('com.example.seccon2015.rock_paper_scissors.MainActivity');
    MainActivity.onCreate.implementation = function (savedInstanceState) {
        send("Hook Start...");
        var returnValue = this.calc();
        send("Return:" + returnValue);
        var result = (1000 + returnValue) * 107;
        send("Flag:" + "SECCON{" + result.toString() + "}");
        // call the original onCreate so the activity still initializes
        this.onCreate(savedInstanceState);
    };
});
"""

process = frida.get_usb_device().attach('com.example.seccon2015.rock_paper_scissors')
script = process.create_script(jscode)
script.on('message', on_message)
script.load()
sys.stdin.read()
```
- Modify the fields of MainActivity
JS code
```javascript
Java.perform(function () {
    var MainActivity = Java.use('com.example.seccon2015.rock_paper_scissors.MainActivity');
    // hook onClick; note that onClick receives a View parameter v
    MainActivity.onClick.implementation = function (v) {
        send("Hook Start...");
        // call the original onClick to simulate the click event
        this.onClick(v);
        // overwrite the instance fields
        this.n.value = 0;
        this.m.value = 2;
        this.cnt.value = 999;
        send("Success!");
    };
});
```
Full code implementation
```python
import frida, sys

def on_message(message, data):
    if message['type'] == 'send':
        print("[*] {0}".format(message['payload']))
    else:
        print(message)

jscode = """
Java.perform(function () {
    var MainActivity = Java.use('com.example.seccon2015.rock_paper_scissors.MainActivity');
    MainActivity.onClick.implementation = function (v) {
        send("Hook Start...");
        this.onClick(v);
        this.n.value = 0;
        this.m.value = 2;
        this.cnt.value = 999;
        send("Success!");
    };
});
"""

process = frida.get_usb_device().attach('com.example.seccon2015.rock_paper_scissors')
script = process.create_script(jscode)
script.on('message', on_message)
script.load()
sys.stdin.read()
```
Since the key part of the implementation is really the JS code, the important functions of Frida's JavaScript API are documented here:
https://www.frida.re/docs/javascript-api/