根据设备的 CPU 架构下载对应的 frida-server,然后在设备上运行 ./frida-server &
frida官网:https://frida.re/docs/javascript-api/
1.hook静态函数
当类中存在同名函数(即重载)时,hook 时必须用 overload() 指定参数类型
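/**
 * Hooks LoginActivity.a(String, String) in the demo app and logs the two
 * arguments together with the value returned by the original method.
 *
 * Two ways of installing the hook are shown:
 *   1. `.overload(<parameter types>)` - required when the method is overloaded.
 *   2. plain `.implementation`        - only valid when there is one overload.
 *
 * The original listing was missing the `});` that closes Java.perform, so the
 * script did not parse. It also assigned the plain `.implementation` form
 * unconditionally, which Frida rejects for a method with several overloads;
 * that form is now guarded by the overload count.
 */
function hook_java() {
  Java.perform(function () {
    var LoginActivity = Java.use("com.example.androiddemo.Activity.LoginActivity");
    console.log(LoginActivity);

    // Form 1: select the exact overload by its parameter types.
    LoginActivity.a.overload('java.lang.String', 'java.lang.String').implementation = function (str, str2) {
      var result = this.a(str, str2); // call through to the original method
      // result = '';
      console.log("LoginActivity.a:", str, str2, result);
      return result;
    };

    // Form 2: the short form is ambiguous when the method is overloaded, so
    // it is only installed when exactly one overload exists.
    if (LoginActivity.a.overloads.length === 1) {
      LoginActivity.a.implementation = function (str1, str2) {
        var result = this.a(str1, str2); // call through to the original method
        console.log("LoginActivity.a:", str1, str2, result);
        return result;
      };
    }
  });
}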
修改函数返回值和成员变量
(1)修改返回值
/**
 * Hooks FridaActivity1.a(byte[]) in the demo app and replaces its return
 * value with a fixed string.
 *
 * The original method is still invoked so its real result can be logged
 * before the replacement is returned. `'[B'` is the JNI signature for a
 * byte array and selects the overload to hook.
 *
 * The listing also showed an alternative, commented-out form that assigns
 * `FridaActivity1.a.implementation` directly (no `.overload(...)`) and
 * returns the original result unchanged.
 */
function hook_java() {
  Java.perform(function () {
    var activityClass = Java.use("com.example.androiddemo.Activity.FridaActivity1");
    var targetOverload = activityClass.a.overload('[B');

    targetOverload.implementation = function (barr) {
      console.log("FridaActivity1.a");

      // Run the real method first so the unmodified value is visible in the log.
      var returned = this.a(barr);
      console.log("FridaActivity1.a 修改前返回值:", returned);

      // Swap in the fixed value the demo expects.
      returned = "R4jSLLLLLLLLLLOrLE7/5B+Z6fsl65yj6BgC6YWz66gO6g2t65Pk6a+P65NK44NNROl0wNOLLLL=";
      console.log("FridaActivity1.a 修改后返回值:", returned);
      return returned;
    };

    console.log("hook_java");
  });
}
(2)修改成员变量
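/**
 * Sets the boolean fields of FridaActivity3 in the demo app to true.
 *
 * - The static field is written through the class wrapper from Java.use().
 * - Instance fields are written on every live instance found by Java.choose().
 *
 * The original listing contained a bare `FridaActivity3.$new` expression: a
 * property read with no call whose result was discarded. It has been removed.
 * Java.choose() only visits instances that already exist on the heap, so the
 * instance fields are changed only if the app has created the activity.
 */
function call_FridaActivity3() {
  Java.perform(function () {
    var FridaActivity3 = Java.use("com.example.androiddemo.Activity.FridaActivity3");

    // Static field: accessed on the class wrapper through `.value`.
    FridaActivity3.static_bool_var.value = true;
    console.log(FridaActivity3.static_bool_var.value);

    Java.choose("com.example.androiddemo.Activity.FridaActivity3", {
      onMatch: function (instance) {
        // Non-static field: accessed on the instance.
        instance.bool_var.value = true;
        // A field that shares its name with a method is exposed with a
        // leading underscore so it does not collide with the method wrapper.
        instance._same_name_bool_var.value = true;
        console.log(instance.bool_var.value, instance._same_name_bool_var.value);
      },
      onComplete: function () {
        // Nothing to do once enumeration finishes.
      }
    });
  });
}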
2.hook内部类
第一种写法
/**
 * Hooks the inner class FridaActivity4$InnerClasses of the demo app and makes
 * check1 .. check6 return true.
 *
 * An inner class is addressed by its binary name: outer class name, `$`, then
 * the inner class name.
 */
function hook_InnerClasses() {
  Java.perform(function () {
    var innerClass = Java.use("com.example.androiddemo.Activity.FridaActivity4$InnerClasses");
    console.log(innerClass);

    // Same replacement for each method, installed in declaration order.
    var checkNames = ["check1", "check2", "check3", "check4", "check5", "check6"];
    checkNames.forEach(function (checkName) {
      innerClass[checkName].implementation = function () {
        return true;
      };
    });
  });
}
第二种写法
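/**
 * Hooks every method declared by FridaActivity4$InnerClasses in the demo app
 * and makes each one return true.
 *
 * Changes from the original listing:
 *   - The method name is read with reflection (`Method.getName()`) instead of
 *     being cut out of `Method.toString()`, which breaks as soon as the class
 *     name also appears in the return type or a parameter type.
 *   - Each overload is hooked individually; assigning `.implementation` on a
 *     method with several overloads is rejected by Frida.
 *   - A name that is declared more than once is processed only once.
 *
 * NOTE(review): every declared method is forced to return `true`, whatever its
 * declared return type. This is only correct if all of them return boolean -
 * confirm against the target class before reusing it elsewhere.
 */
function hook_mul_function() {
  Java.perform(function () {
    var class_name = "com.example.androiddemo.Activity.FridaActivity4$InnerClasses";
    var InnerClasses = Java.use(class_name);
    var all_methods = InnerClasses.class.getDeclaredMethods();

    // Prototype-free map so names such as "toString" are not seen as present.
    var handled = Object.create(null);

    for (var i = 0; i < all_methods.length; i++) {
      var methodname = all_methods[i].getName();
      if (handled[methodname]) {
        continue; // overloads share a name; they are covered in one pass below
      }
      handled[methodname] = true;
      console.log(methodname);

      InnerClasses[methodname].overloads.forEach(function (overload) {
        overload.implementation = function () {
          console.log("hook_mul_function:", this);
          return true;
        };
      });
    }
  });
}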
3.hook动态dex
/**
 * Locates the class loader that holds a class loaded from a dynamic dex.
 *
 * Every class loader in the process is asked for
 * com.example.androiddemo.Dynamic.DynamicCheck; a loader that finds it is
 * printed. Loaders that do not know the class raise an error from findClass(),
 * which is deliberately ignored so that enumeration continues.
 *
 * Author's note from the original listing: this applies to Android Nougat and
 * above.
 */
function hook_dyn_dex() {
  Java.perform(function () {
    var targetClass = "com.example.androiddemo.Dynamic.DynamicCheck";

    function inspectLoader(loader) {
      try {
        if (!loader.findClass(targetClass)) {
          return;
        }
        console.log(loader);
        // Java.classFactory.loader = loader; // switch Frida to this class loader
      } catch (error) {
        // This loader cannot resolve the class; move on to the next one.
      }
    }

    Java.enumerateClassLoaders({
      onMatch: inspectLoader,
      onComplete: function () {
      }
    });

    // Left disabled in the original listing: once the class loader has been
    // switched above, the class can be hooked like any other.
    // var DynamicCheck = Java.use("com.example.androiddemo.Dynamic.DynamicCheck");
    // console.log(DynamicCheck);
    // DynamicCheck.check.implementation = function () {
    //   console.log("DynamicCheck.check");
    //   return true;
    // }
  });
}
4.frida加载动态dex
/**
 * Loads an extra dex file into the target process with Frida and calls a
 * static method from it.
 *
 * The dex is opened from /data/local/tmp/ddex2.dex, loaded inside
 * Java.perform(), and then DecodeUtils.decode_p() is invoked and its result
 * printed.
 *
 * Build steps recorded in the original listing for producing such a dex:
 *   jar -cvf ddex.jar com/example/androiddemo/DecodeUtils.class
 *   /Users/yang/Library/Android/sdk/build-tools/28.0.3/dx --dex --output=ddex.dex ddex.jar
 */
function hook_java() {
  // Earlier variant kept from the original listing:
  // var ddex = Java.openClassFile("/data/local/tmp/ddex.dex");
  var dexFile = Java.openClassFile("/data/local/tmp/ddex2.dex");

  Java.perform(function () {
    // Make the classes in the dex available to Java.use().
    dexFile.load();

    var decodeUtils = Java.use("com.example.androiddemo.DecodeUtils");
    var decoded = decodeUtils.decode_p();
    console.log("DecodeUtils.decode_p:", decoded);
  });
}