做攻防世界的CTF题,看到有大佬搞Frida的操作,按照大佬做到试了一下
ill-intentions(Native hook)
攻防世界——ill-intentions
frida,frida-server,objection该安装的都安装好
adb连接上机子
由于没有修改apk包,触发按钮的Intent显示不了,用objection手动开启
objection -g com.example.hellojni explore
android intent launch_activity com.example.application.IsThisTheRealOne
效果如下
挂上大佬hook Native的脚本
//出自https://blog.csdn.net/Palmer9/article/details/122464683
//别问脚本什么意思,frida脚本还不太会写
function main() {
function getjstring(jstr) {
return Java.vm.getEnv().getStringUtfChars(jstr, null).readCString();
}
Java.perform(function () {
var so_addr = Module.findBaseAddress("libhello-jni.so");
var perhapsThis_addr = Module.findExportByName("libhello-jni.so", "Java_com_example_application_IsThisTheRealOne_perhapsThis");
console.log("perhapsThis_addr", perhapsThis_addr);
Interceptor.attach(perhapsThis_addr, {
onEnter: function (args) {
console.log("perhapsThis_args:[1]", getjstring(args[2]), "\n [2]", getjstring(args[3]), "\n [3]", getjstring(args[4]), "\n");
},
onLeave: function (retval) {
console.log("perhapsThis_result:", getjstring(retval));
},
});
Interceptor.attach(Module.findExportByName("libhello-jni.so", "Java_com_example_application_ThisIsTheRealOne_orThat"), {
onEnter: function (args) {
console.log("orThat_args:[1]", getjstring(args[2]), "\n [2]", getjstring(args[3]), "\n [3]", getjstring(args[4]), "\n");
},
onLeave: function (retval) {
console.log("orThat_result:", getjstring(retval));
},
});
Interceptor.attach(Module.findExportByName("libhello-jni.so", "Java_com_example_application_DefinitelyNotThisOne_definitelyNotThis"), {
onEnter: function (args) {
console.log("definitelyNotThis_args:[1]", getjstring(args[2]), "\n [2]", getjstring(args[3]), "\n");
},
onLeave: function (retval) {
console.log("definitelyNotThis_result:", getjstring(retval));
},
});
});
}
setImmediate(main);
出flag
ill-intentions(java hook)
GDA
看雪大佬出品的GDA 好用!
还是因为没有修改apk包,触发按钮的Intent显示不了,再次用objection手动开启,找到相对应的进程注入
鼠标点击,即可完成操作
按下中间那个BroadcastIntent,就能hook出flag
Obejction直接注入
发现GDA那个纯属走弯路,直接Objection注入不就好了
objection -g com.example.hellojni explore
>>CLI中输入
android intent launch_activity com.example.application.IsThisTheRealOne
android hooking watch class_method android.content.Intent.putExtra --dump-return --dump-args --dump-backtra
ce
遇到一个问题,就是不知道Intent属于什么类,这个是看了GDA里的脚本后才知道的(android.content.Intent),如果想要直接注入的话,需要andriod的开发经验
bilibili-1024-技术对抗赛第6题(2021年)
参考了 https://www.bilibili.com/read/cv13720199/
大佬的脚本少写启动命令,当时折腾一个早上没解决出来
function hook_native() {
Java.perform(function(){
var str0;
var arg1;
Interceptor.attach(Module.findExportByName("libc.so", "__system_property_get"), {
onEnter: function (args) {
str0 = Memory.readCString(args[0]);
arg1 = args[1];
if(str0.indexOf('ro.product.cpu.abi')!=-1||str0.indexOf('ro.build.version.release')!=-1){
console.log('arg0 '+str0)
}
},
onLeave: function (retval) {
if(str0.indexOf('ro.product.cpu.abi')!=-1){
var before = Memory.readCString(arg1);
Memory.writeUtf8String(arg1, "x86");
var after = Memory.readCString(arg1);
console.log('retval:','before',before,'after',after)
}else if(str0.indexOf('ro.build.version.release')!=-1){
var before = Memory.readCString(arg1);
Memory.writeUtf8String(arg1, "9");
var after = Memory.readCString(arg1);
console.log('retval:','before',before,'after',after)
}
}
});
});
}
setImmediate(hook_native);
方便是真的方便,大佬诚不欺我
结语
Objection好用,降低Frida使用门槛,java层面的hook可以解决很多问题,Native hook老实写frida就行了
