pollux's Dairy

frida-notebook

字数统计: 251阅读时长: 1 min
2019/11/06 Share

1、hook函数,获取java层某个函数的返回值

1
2
3
if (1000 == MainActivity.this.cnt) {
    tv3.setText("SECCON{" + String.valueOf((MainActivity.this.cnt + MainActivity.this.calc()) * 107) + "}");
}

calc为native层的函数,可以直接hook onCreate方法,重新实现onCreate方法,调用calc方法,获得返回值

1
2
3
4
5
6
7
8
9
10
//Java.Perform 开始执行JavaScript脚本。
Java.perform(function () {
    var MainActivity = Java.use('com.example.seccon2015.rock_paper_scissors.MainActivity');
    MainActivity.onCreate.implementation = function () {
        var returnValue = this.calc();//调用MainActivity.calc()
        send("Return:"+returnValue);
        var result = (1000+returnValue)*107;
        send("Flag:"+"SECCON{"+result.toString()+"}");
    }
});

2、hook函数,修改java层变量的值

1
2
3
4
5
6
7
8
9
10
11
12
Java.perform(function () {
    var MainActivity = Java.use('com.example.seccon2015.rock_paper_scissors.MainActivity');
    //hook onClick方法,此处要注意的是onClick方法是传递了一个View参数v
    MainActivity.onClick.implementation = function (v) {
        //调用onClick,模拟点击事件
        this.onClick(v);
        this.n.value = 0;
        this.m.value = 2;
        this.cnt.value = 999;
        send("Success!")
    }
});
1
2
adb forward tcp:27042 tcp:27042
adb forward tcp:27043 tcp:27043
1
2
var boolean_clz = Java.use("java.lang.Boolean");
var ret = boolean_clz.valueOf(true);
1
frida -U -f app完整名

原文作者:Po1lux

原文链接:http://yoursite.com/2019/11/06/frida使用/

发表日期:November 6th 2019, 3:05:33 pm

更新日期:April 7th 2020, 12:05:01 pm

版权声明:本文采用知识共享署名-非商业性使用 4.0 国际许可协议进行许可

CATALOG
  1. 1. 1、hook函数,获取java层某个函数的返回值
  2. 2. 2、hook函数,修改java层变量的值
Total : 56
2020
2019
2018
unlink fastbin attack House of spirit House of Force UAF DynELF PIE format string off by one x64 64bit 格式化字符串漏洞 栈溢出 Canary tcache libc-2.29 chunk overlapping chunk extend shellcode,系统调用 libc2.29 stack overflow fmt rop 2016,CTFs,fsb CTF stack pivoting OS pwnable fsb
heap stack android-reverse learning-note android-system Operating-System pwnable conclusion