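## Dear big-tech companies: please don't mind that I use a small part of your apps' features as technical experiment cases. I am only demonstrating my professional skills here and mean no offense to anyone. If you have any objection, please contact me right away and I will delete it. Thank you!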
Click here to play. Password: dp89
Click here to play. Password: lkgf
Click here to play. Password: rmn8
```
git clone https://github.com/CreditTone/radar-frida
cd radar-frida
./hooker
  PID Name
----- ------------------------------------
  511 adbd
 2725 android.ext.services
 3214 android.process.acore
 6733 android.process.media
  629 audioserver
 2742 cameraserver
 6764 com.android.defcontainer
 2861 com.android.deskclock
 3198 com.android.email
 2391 com.android.phone
 3359 com.android.providers.calendar
 2408 com.android.settings
 2972 com.android.smspush
 2097 com.android.systemui
 3379 com.cyanogenmod.lockclock
10566 com.example.myapplication
 2092 com.google.android.inputmethod.latin
 3525 com.koudai.weidian.buyer
 3659 com.koudai.weidian.buyer:pushservice
 3416 com.mokee.aegis
 2915 com.mokee.audiofx
 4281 com.qualcomm.timeservice
 3769 com.ss.android.ugc.aweme
 4613 com.ss.android.ugc.aweme:downloader
 4455 com.ss.android.ugc.aweme:miniapp0
 3639 com.ss.android.ugc.aweme:push
 4152 com.ss.android.ugc.aweme:pushservice
```
```
cd radar
./hooker
Enter need to attach package:com.example.myapplication
It's com.example.myapplication that you want to attach app.
------------------------
Please enter e, s, h or ex command.
e: Determines whether a class exists. eg:'e android.app.Application'
s: Discovering classes in the specified path. eg1:'s com.example.myapplication' In regex eg2:'s com.example.net.*'
j: Generating hooked js. eg1:'j okhttp3.Request:build' To specific Multiple methods eg2:'j okhttp3.Request:url,method,build'
ex: Exit to the upper layer. eg:'ex'
:
```
```
Please enter e, s, h or ex command.
e: Determines whether a class exists. eg:'e android.app.Application'
s: Discovering classes in the specified path. eg1:'s com.example.myapplication' In regex eg2:'s com.example.net.*'
j: Generating hooked js. eg1:'j okhttp3.Request:build' To specific Multiple methods eg2:'j okhttp3.Request:url,method,build'
ex: Exit to the upper layer. eg:'ex'
:e okhttp3.Request
python hooker.py -p com.example.myapplication -e okhttp3.Request
True
# True means the class exists; False means it does not
```
```
Please enter e, s, h or ex command.
e: Determines whether a class exists. eg:'e android.app.Application'
s: Discovering classes in the specified path. eg1:'s com.example.myapplication' In regex eg2:'s com.example.net.*'
j: Generating hooked js. eg1:'j okhttp3.Request:build' To specific Multiple methods eg2:'j okhttp3.Request:url,method,build'
ex: Exit to the upper layer. eg:'ex'
:s com.example.myapplication
python hooker.py -p com.example.myapplication -s com.example.myapplication
androidVersion:7.1.2
Discovering:com.example.myapplication
class com.example.myapplication.MainActivity extends androidx.appcompat.app.AppCompatActivity
class com.example.myapplication.MainActivity$1 implements android.view.View$OnClickListener
class com.example.myapplication.MainActivity$2 implements android.view.View$OnClickListener
Discovering done
# From this we know that the package com.example.myapplication contains the class
# com.example.myapplication.MainActivity, and that MainActivity has two inner classes,
# com.example.myapplication.MainActivity$1 and com.example.myapplication.MainActivity$2
```
```
Please enter e, s, h or ex command.
e: Determines whether a class exists. eg:'e android.app.Application'
s: Discovering classes in the specified path. eg1:'s com.example.myapplication' In regex eg2:'s com.example.net.*'
j: Generating hooked js. eg1:'j okhttp3.Request:build' To specific Multiple methods eg2:'j okhttp3.Request:url,method,build'
ex: Exit to the upper layer. eg:'ex'
:j com.example.myapplication.MainActivity:stringFromJNI,stringFromJNI2
python hooker.py -p com.example.myapplication -j com.example.myapplication.MainActivity:stringFromJNI,stringFromJNI2
Hooking js code have generated. Path is ef555384-772a-11ea-bfdd-086d41d57a6a.js.
# The generated js file is ef555384-772a-11ea-bfdd-086d41d57a6a.js in the current directory
# Formatting it with https://tool.oschina.net/codeformat/js/ is recommended
```
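```js
// printStacks() is not defined in this generated file; it must be supplied
// by the environment that loads the script.
Java.perform(function() {
    var com_example_myapplication_MainActivity_clz = Java.use('com.example.myapplication.MainActivity');

    // Static native method: log the call stack, then call the original on the class wrapper.
    com_example_myapplication_MainActivity_clz.stringFromJNI2.overload().implementation = function() {
        printStacks('public static native java.lang.String com.example.myapplication.MainActivity.stringFromJNI2()');
        return com_example_myapplication_MainActivity_clz.stringFromJNI2();
    };

    // Instance native method: log the call stack, then call the original on this instance.
    com_example_myapplication_MainActivity_clz.stringFromJNI.overload().implementation = function() {
        printStacks('public native java.lang.String com.example.myapplication.MainActivity.stringFromJNI()');
        return this.stringFromJNI();
    };
});
```

Modify it according to your own needs.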
```
androidVersion:7.1.2
inject dex of radar.
injected.
Discovering:com.example.myapplication
class com.example.myapplication.MainActivity extends androidx.appcompat.app.AppCompatActivity hasLocalNativeMethod:true fields:131 constructors:1 methods:445
class com.example.myapplication.MainActivity$1 extends java.lang.Object hasLocalNativeMethod:false fields:2 constructors:1 methods:10
class com.example.myapplication.MainActivity$2 extends java.lang.Object hasLocalNativeMethod:false fields:2 constructors:1 methods:10
Discovering done
执行:Java.perform(function() {var com_example_myapplication_MainActivity_clz = Java.use('com.example.myapplication.MainActivity');com_example_myapplication_MainActivity_clz.stringFromJNI2.overload().implementation = function() {printStacks('public static native java.lang.String com.example.myapplication.MainActivity.stringFromJNI2()');return com_example_myapplication_MainActivity_clz.stringFromJNI2();};com_example_myapplication_MainActivity_clz.stringFromJNI.overload().implementation = function() {printStacks('public native java.lang.String com.example.myapplication.MainActivity.stringFromJNI()');return this.stringFromJNI();};com_example_myapplication_MainActivity_clz.stringFromJNI3.overload('java.lang.String','java.lang.String').implementation = function(v0,v1) {printStacks('private static native java.lang.String com.example.myapplication.MainActivity.stringFromJNI3(java.lang.String,java.lang.String)');return com_example_myapplication_MainActivity_clz.stringFromJNI3(v0,v1);};});
sys.stdin.read()
public native java.lang.String com.example.myapplication.MainActivity.stringFromJNI()
    at com.example.myapplication.MainActivity.stringFromJNI(Native Method)
    at com.example.myapplication.MainActivity$1.onClick(MainActivity.java:35)
    at android.view.View.performClick(View.java:5637)
    at android.view.View$PerformClick.run(View.java:22433)
    at android.os.Handler.handleCallback(Handler.java:751)
    at android.os.Handler.dispatchMessage(Handler.java:95)
    at android.os.Looper.loop(Looper.java:154)
    at android.app.ActivityThread.main(ActivityThread.java:6236)
    at java.lang.reflect.Method.invoke(Native Method)
    at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:891)
    at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:781)
public static native java.lang.String com.example.myapplication.MainActivity.stringFromJNI2()
    at com.example.myapplication.MainActivity.stringFromJNI2(Native Method)
    at com.example.myapplication.MainActivity$2.onClick(MainActivity.java:44)
    at android.view.View.performClick(View.java:5637)
    at android.view.View$PerformClick.run(View.java:22433)
    at android.os.Handler.handleCallback(Handler.java:751)
    at android.os.Handler.dispatchMessage(Handler.java:95)
    at android.os.Looper.loop(Looper.java:154)
    at android.app.ActivityThread.main(ActivityThread.java:6236)
    at java.lang.reflect.Method.invoke(Native Method)
    at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:891)
    at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:781)
```
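Added example (not part of the radar-frida project): a small Node.js parser for the stack traces that the generated hooks print through `printStacks`, reporting which frame inside the app's own package called each hooked native method. The sample text is a shortened copy of the output above; `parseTraces` and `callSite` are names chosen for this example.

```javascript
// Added example: SAMPLE is a shortened copy of the printStacks output shown above.
const SAMPLE = `
public native java.lang.String com.example.myapplication.MainActivity.stringFromJNI()
    at com.example.myapplication.MainActivity.stringFromJNI(Native Method)
    at com.example.myapplication.MainActivity$1.onClick(MainActivity.java:35)
    at android.view.View.performClick(View.java:5637)
public static native java.lang.String com.example.myapplication.MainActivity.stringFromJNI2()
    at com.example.myapplication.MainActivity.stringFromJNI2(Native Method)
    at com.example.myapplication.MainActivity$2.onClick(MainActivity.java:44)
    at android.view.View.performClick(View.java:5637)
`;

// "at <class>.<method>(<file>:<line>)" or "at <class>.<method>(Native Method)"
const FRAME = /^at\s+([\w.$<>]+)\.([\w$<>]+)\((.*)\)$/;
// "<modifiers> <return type> <class>.<method>(<args>)", the string passed to printStacks
const SIGNATURE = /^(?:[\w.$\[\]<>]+\s+)+[\w.$]+\(.*\)$/;

// Split the text into one record per hooked call: the signature plus its parsed frames.
function parseTraces(text) {
  const traces = [];
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const frame = FRAME.exec(line);
    if (frame && current) {
      const loc = /^(.+):(\d+)$/.exec(frame[3]);
      current.frames.push({
        cls: frame[1], method: frame[2],
        file: loc ? loc[1] : null, line: loc ? Number(loc[2]) : null,
        native: frame[3] === 'Native Method',
      });
    } else if (!frame && SIGNATURE.test(line)) {
      current = { signature: line, frames: [] };
      traces.push(current);
    }
  }
  return traces;
}

// First non-native frame inside the app's own package: the code that made the call.
function callSite(trace, appPrefix) {
  return trace.frames.find(f => !f.native && f.cls.startsWith(appPrefix)) || null;
}

for (const t of parseTraces(SAMPLE)) {
  console.log(t.signature, '<-', callSite(t, 'com.example.myapplication'));
}
```

Other lines of the tool's output (the `androidVersion:` banner, the echoed script) match neither pattern and are skipped, so the full captured output can be passed in unchanged.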