Hooking overloaded functions with Frida

Posted by bfpiaoran on November 28, 2018

apply arguments

MyClass.MyFunc.overload("java.util.List").implementation = function () {
    // Forward every argument unchanged to the original overload and return its result
    return this.MyFunc.overload("java.util.List").apply(this, arguments);
};

Indexing into arguments

MyClass.MyFunc.overload("java.util.List").implementation = function () {
    // arguments[0] is the first (and only) parameter of this overload
    return this.MyFunc(arguments[0]);
};

Using named parameters

MyClass.MyFuncs.overload("int", "int").implementation = function (s1, s2) {
    var ret = this.MyFuncs(s1, s2);
    return ret; // hand the original result back to the caller
};

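String arrays

// "[Ljava.lang.String;" is the overload type string for a String[] parameter
hook.hookMeArray.overload("[Ljava.lang.String;").implementation = function (arr) { return this.hookMeArray(arr); };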

Using call

var Handler = Java.use("android.os.Handler");
var Looper = Java.use("android.os.Looper");

var looper = Looper.getMainLooper();
// Pick the Handler(Looper) constructor explicitly and invoke it on the class wrapper
var handler = Handler.$new.overload("android.os.Looper").call(Handler, looper);



MyClass.MyFunc.overload("java.lang.String").implementation = function (s) {
    // Call the original overload with this instance as the receiver
    return this.MyFunc.overload("java.lang.String").call(this, s);
    // The same overload can also be looked up through the class wrapper:
    // MyClass.MyFunc.overload("java.lang.String").call(this, s);
};
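The overload strings above use Java's runtime class-name form, which is why a String[] parameter is written "[Ljava.lang.String;". The following is an added example, not code from the original post: it converts source-style type names into the strings overload() expects and installs a logging pass-through hook. The helper names and the class name com.example.MyClass are assumptions.

```javascript
// Added example. JNI-style codes used for primitive array elements.
var PRIMITIVE_CODES = { boolean: "Z", byte: "B", char: "C", short: "S",
                        int: "I", long: "J", float: "F", double: "D" };

// Convert a source-style Java type into the string overload() expects:
//   "int" -> "int", "java.util.List<String>" -> "java.util.List",
//   "java.lang.String[]" -> "[Ljava.lang.String;", "byte[][]" -> "[[B"
function toOverloadType(javaType) {
  var erased = javaType.replace(/<.*>/, "").trim();   // generics are erased at runtime
  var m = /^([\w.$]+)((?:\[\])*)$/.exec(erased);
  if (!m) throw new Error("unsupported type syntax: " + javaType);
  var base = m[1];
  var depth = m[2].length / 2;                         // number of [] pairs
  if (depth === 0) return base;                        // scalars and objects: as written
  var isPrimitive = Object.prototype.hasOwnProperty.call(PRIMITIVE_CODES, base);
  var elem = isPrimitive ? PRIMITIVE_CODES[base] : "L" + base + ";";
  return new Array(depth + 1).join("[") + elem;
}

function overloadSignature(javaTypes) {
  return javaTypes.map(toOverloadType);
}

// Frida-only: select one overload by source-style types, log the call, pass through.
function hookOverload(className, methodName, javaTypes) {
  var sig = overloadSignature(javaTypes);
  var method = Java.use(className)[methodName];
  method.overload.apply(method, sig).implementation = function () {
    console.log(className + "." + methodName + "(" + sig.join(", ") + ")");
    var original = this[methodName];
    // Same pass-through pattern as the first snippet: original overload, same arguments
    return original.overload.apply(original, sig).apply(this, arguments);
  };
}

// Runs only inside Frida, where the global Java bridge exists.
if (typeof Java !== "undefined") {
  Java.perform(function () {
    // com.example.MyClass / MyFunc are placeholder names (assumption).
    hookOverload("com.example.MyClass", "MyFunc", ["java.lang.String[]"]);
  });
}
```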

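Recently I happened to be practicing app analysis.

I analyzed an app from my own folks.

I found that the login request is encrypted, so I tried to decrypt it.

No obfuscation, no packer.

My Java is too weak, and I could not locate the parameters being passed in.

So I decided to hook login.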

Java.perform(function () {

    var test1 = Java.use("com.wanmei.tiger.module.person.net.AccountLikeDownloader");
    var ApiClient = Java.use('com.android.org.conscrypt.TrustManagerImpl'); // not used by this hook
    // Select the login(String, String) overload explicitly
    var orglogin = test1.login.overload("java.lang.String", "java.lang.String");

    orglogin.implementation = function (arg1, arg2) {
        console.log(arg1);
        console.log(arg2);
        // Call the original with the correct receiver and return its result
        return orglogin.call(this, arg1, arg2);
    };
});

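Hooking it with Frida successfully captured the information. I did not expect the encryption to be just the most ordinary encryption, lol.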