FridaHook框架学习(2)

FridaHook框架学习(2)

前言

学习过程参考https://bbs.pediy.com/thread-227233.htm。

逆向分析

安装并运行例子程序,可以看到这个例子是一个验证注册码的程序。

image-20200726210607976

使用jadx解析这个APK。

image-20200726205903362

通过类名以及AndroidManifest可以猜测以及知道LauncherActivity是这个程序的启动类。先看看LauncherActivity的代码。

public class LauncherActivity extends AppCompatActivity {
    /* access modifiers changed from: protected */
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView((int) R.layout.activity_launcher);
    }

    public void verifyClick(View v) {
        try {
            InputStream in = new URL("http://broken.license.server.com/query?license=" + ((EditText) findViewById(R.id.text_license)).getText().toString()).openConnection().getInputStream();
            StringBuilder responseBuilder = new StringBuilder();
            byte[] b = new byte[0];
            while (in.read(b) > 0) {
                responseBuilder.append(b);
            }
            String response = responseBuilder.toString();
            if (response.equals("LICENSEKEYOK")) {
                String activatedKey = new String(MainActivity.xor(getMac().getBytes(), response.getBytes()));
                SharedPreferences.Editor editor = getApplicationContext().getSharedPreferences("preferences", 0).edit();
                editor.putString("KEY", activatedKey);
                editor.commit();
                new AlertDialog.Builder(this).setTitle((CharSequence) "Activation successful").setMessage((CharSequence) "Activation successful").setIcon(17301543).show();
                return;
            }
            new AlertDialog.Builder(this).setTitle((CharSequence) "Invalid license!").setMessage((CharSequence) "Invalid license!").setIcon(17301543).show();
        } catch (Exception e) {
            new AlertDialog.Builder(this).setTitle((CharSequence) "Error occured").setMessage((CharSequence) "Server unreachable").setNeutralButton((CharSequence) "OK", (DialogInterface.OnClickListener) null).setIcon(17301543).show();
        }
    }

    private String getKey() {
        return getApplicationContext().getSharedPreferences("preferences", 0).getString("KEY", "");
    }

    private String getMac() {
        try {
            return ((WifiManager) getApplicationContext().getSystemService("wifi")).getConnectionInfo().getMacAddress();
        } catch (Exception e) {
            return "";
        }
    }

    public void showPremium(View view) {
        Intent i = new Intent(this, MainActivity.class);
        i.putExtra("MAC", getMac());
        i.putExtra("KEY", getKey());
        startActivity(i);
    }
}

可以通过方法名猜测verifyClick方法应该就是VERIFY按钮的点击事件,showPremium应该就是另一个按钮的点击事件。可以看到程序的逻辑大概为通过网络验证license的正确性,若正确就调用MainActivity的xor方法通过MAC和response生成密钥并保存在本地的preference中。

其中InputStream是Java一个用于读取流的类。SharedPreferences是一个类似Python中字典的一种数据结构。

再来看看MainActivity的代码

public class MainActivity extends AppCompatActivity {
    public native String stringFromJNI(String str, String str2);

    public static byte[] xor(byte[] val, byte[] key) {
        byte[] o = new byte[val.length];
        for (int i = 0; i < val.length; i++) {
            o[i] = (byte) (val[i] ^ key[i % key.length]);
        }
        return o;
    }

    public void onCreate(Bundle savedInstanceState) {
        String key = getIntent().getStringExtra("KEY");
        String mac = getIntent().getStringExtra("MAC");
        if (key == "" || mac == "") {
            key = "";
            mac = "";
        }
        super.onCreate(savedInstanceState);
        setContentView((int) R.layout.activity_main);
        ((TextView) findViewById(R.id.sample_text)).setText(stringFromJNI(key, mac));
    }

    static {
        System.loadLibrary("native-lib");
    }
}

可以看到显示flag的函数写在了So中,通过密钥KEY和MAC生成。

可以得到Hook思路:Hook getKey方法直接使用MAC和LICENSEOK构造密钥并返回,之后点击PREMIUMCONTENT按钮即可

Hook代码编写

import frida
import sys


jscode = """
    Java.perform(function(){

        function stringToBytes(str){
            var javaString = Java.use('java.lang.String');
            var bytes = [];
            bytes = javaString.$new(str).getBytes();
            return bytes;
        }
    
        function bytesToString(bytes){
            var javaString = Java.use('java.lang.String');
            return javaString.$new(bytes);
        }


        var launcheractivity = Java.use('de.fraunhofer.sit.premiumapp.LauncherActivity');
        var main = Java.use('de.fraunhofer.sit.premiumapp.MainActivity');
        var license = "LICENSEKEYOK";
        launcheractivity.getKey.implementation = function() {
            var mac = this.getMac();

            var macbyte = stringToBytes(mac);
            var licensebyte = stringToBytes(license);

            var xor = main.xor(macbyte,licensebyte);
            send(xor)
            var key = bytesToString(xor);
            send(key.toString());
            return key;
        }

        launcheractivity.verifyClick.implementation = function(v) {
            this.showPremium(v);
        }
    });
"""

def on_message(message, data):
    if message['type'] == 'send':
        print("[*] {0}".format(message['payload']))
    else:
        print(message)


process = frida.get_usb_device().attach('de.fraunhofer.sit.premiumapp')
script = process.create_script(jscode)
script.on('message', on_message)
script.load()
sys.stdin.read()

运行结果

image-20200727122943025

总结

编写js代码的时候是真的累,因为要写在字符串里,没法自动补全,有些变量名就打错了,还全部都是绿绿的很难看出来,终于也看懂了一点js的报错才找出来了。Js中可以通过Java.use使用Java中的一些基类用于灵活转换类型。

posted @ 2020-07-27 12:34  S1mba  阅读(221)  评论(0编辑  收藏  举报