setTimeout(//将function这个匿名函数作为参数传递给setTimeout()函数//注册到js的运行库function(){//匿名函数functionJava.perform(function(){//Java.perform()方法将函数注册到APPJava运行库中 执行函数打印logconsole.log("hello world!")})})
//1.jsfunction main(){//存放hook脚本console.log("Script loaded successfully")Java.perform(function(){//Java.perform()API函数,注入脚本内容//参数是匿名函数console.log("Inside java perform function")var MainActivity = Java.use('com.roysue.demo02.MainActivity')//调用API函数的Java.use()函数//参数是hook函数所在的类的全名console.log("Java.Use.Successfully!")//类定位成功MainActivity.fun.implementation=function(x,y){//implementation实现MainActivity对象中的fun函数//定义到function这个匿名函数 来作为Java.perform()的参数console.log("x=>",x,"y=>",y)var ret_value=this.fun(x,y)return ret_value}})}setImmediate(main)//被执行函数 main参数传递 类似setTimeout()函数--延时注入//针对于MainActivity对象的fun函数//Frida注入app之后立即执行main函数
//修改参数的change_args()函数function change_args(){console.log("Scripts loaded successfully")Java.perform(function(){console.log("Inside java perform function")var MainActivity = Java.use('com.roysue.demo02.MainActivity')console.log("Java.Use.Successfully!")MainActivity.fun.implementation=function(x,y){console.log("orignal args:x=>",x,",y=>",y)var ret_value=this.fun(2,5);//函数参数修改为(2,5)return ret_value}})}
frida -U -l 1.js com.roysue.demo02# -U USB设备# -l 指定注入脚本所在的路径 后面是要注入的脚本
//void fun(int x,int y)function main(){console.log("Script loaded successfully")Java.perform(function(){console.log("Inside java perform function")var MainActivity=Java.use("com.roysue.demo02.MainActivity")console.log("Java.Use.Successfully")//定位类成功//hook重载函数MainActivity.fun.overload('int','int').implementation=function(x,y){console.log("x=>",x,"y=>",y)var ret_value=this.fun(2,5);return ret_value}})}setImmediate(main)
//String fun(String x)function main(){console.log("Script loaded successfully")Java.perform(function(){console.log("Inside java perform function")var MainActivity=Java.use("com.roysue.demo02.MainActivity")console.log("Java.Use.Successfully")MainActivity.fun.overload('java.lang.String').implementation=function(x){console.log("x=>",x)var ret_value=this.fun("I")return ret_value}})}setImmediate(main)
//3.2.3 Java层主动调用function main(){console.log("script loaded successfully")Java.perform(function(){console.log("inside java perform function")//静态函数//API Java.use()获取类var MainActivity = Java.use('com.roysue.demo02.MainActivity')MainActivity.staticSecret()//动态函数//API Java.choose()从内存中获取类的实例对象Java.choose('com.roysue.demo02.MainActivity',{//?API回调onMatchonMatch:function(instance){console.log('instance found',instance)instance.secret()},onComplete:function(){console.log('search complete')}})})}setImmediate(main)
objectionpip install -U objectionandroid hooking list classesandroid hooking search classes XXXandroid hooking search methods XXXandroid hooking list class_methodsandroid hooking list activitiesandroid hooking list servicesandroid hooking watch class_method XXXandroid hooking watch class_method XXX.File.$init --dump-args --dump-backtrace --dump-returnjobs listjobs kill job_IDandroid hooking watch class <classname>android heap search instances <classname>android heap execute <Handle> <methodname>android heap execute 0x3606 setExecutable Trueandroid heap evaluate <Handle>
本文内容来自网络,如有侵权请联系删除
推荐站内搜索:最好用的开发软件、免费开源系统、渗透测试工具云盘下载、最新渗透测试资料、最新黑客工具下载……
还没有评论,来说两句吧...