FridaHook框架学习(2)
FridaHook框架学习(2)
前言
学习过程参考https://bbs.pediy.com/thread-227233.htm。
逆向分析
安装并运行例子程序,可以看到这个例子是一个验证注册码的程序。
使用jadx解析这个APK。
通过类名以及AndroidManifest可以猜测以及知道LauncherActivity是这个程序的启动类。先看看LauncherActivity的代码。
public class LauncherActivity extends AppCompatActivity {
/* access modifiers changed from: protected */
public void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView((int) R.layout.activity_launcher);
}
public void verifyClick(View v) {
try {
InputStream in = new URL("http://broken.license.server.com/query?license=" + ((EditText) findViewById(R.id.text_license)).getText().toString()).openConnection().getInputStream();
StringBuilder responseBuilder = new StringBuilder();
byte[] b = new byte[0];
while (in.read(b) > 0) {
responseBuilder.append(b);
}
String response = responseBuilder.toString();
if (response.equals("LICENSEKEYOK")) {
String activatedKey = new String(MainActivity.xor(getMac().getBytes(), response.getBytes()));
SharedPreferences.Editor editor = getApplicationContext().getSharedPreferences("preferences", 0).edit();
editor.putString("KEY", activatedKey);
editor.commit();
new AlertDialog.Builder(this).setTitle((CharSequence) "Activation successful").setMessage((CharSequence) "Activation successful").setIcon(17301543).show();
return;
}
new AlertDialog.Builder(this).setTitle((CharSequence) "Invalid license!").setMessage((CharSequence) "Invalid license!").setIcon(17301543).show();
} catch (Exception e) {
new AlertDialog.Builder(this).setTitle((CharSequence) "Error occured").setMessage((CharSequence) "Server unreachable").setNeutralButton((CharSequence) "OK", (DialogInterface.OnClickListener) null).setIcon(17301543).show();
}
}
private String getKey() {
return getApplicationContext().getSharedPreferences("preferences", 0).getString("KEY", "");
}
private String getMac() {
try {
return ((WifiManager) getApplicationContext().getSystemService("wifi")).getConnectionInfo().getMacAddress();
} catch (Exception e) {
return "";
}
}
public void showPremium(View view) {
Intent i = new Intent(this, MainActivity.class);
i.putExtra("MAC", getMac());
i.putExtra("KEY", getKey());
startActivity(i);
}
}
可以通过方法名猜测verifyClick方法应该就是VERIFY按钮的点击事件,showPremium应该就是另一个按钮的点击事件。可以看到程序的逻辑大概为通过网络验证license的正确性,若正确就调用MainActivity的xor方法通过MAC和response生成密钥并保存在本地的preference中。
其中InputStream是Java一个用于读取流的类。SharedPreferences是一个类似Python中字典的一种数据结构。
再来看看MainActivity的代码
public class MainActivity extends AppCompatActivity {
public native String stringFromJNI(String str, String str2);
public static byte[] xor(byte[] val, byte[] key) {
byte[] o = new byte[val.length];
for (int i = 0; i < val.length; i++) {
o[i] = (byte) (val[i] ^ key[i % key.length]);
}
return o;
}
public void onCreate(Bundle savedInstanceState) {
String key = getIntent().getStringExtra("KEY");
String mac = getIntent().getStringExtra("MAC");
if (key == "" || mac == "") {
key = "";
mac = "";
}
super.onCreate(savedInstanceState);
setContentView((int) R.layout.activity_main);
((TextView) findViewById(R.id.sample_text)).setText(stringFromJNI(key, mac));
}
static {
System.loadLibrary("native-lib");
}
}
可以看到显示flag的函数写在了So中,通过密钥KEY和MAC生成。
可以得到Hook思路:Hook getKey方法直接使用MAC和LICENSEOK构造密钥并返回,之后点击PREMIUMCONTENT按钮即可
Hook代码编写
import frida
import sys
jscode = """
Java.perform(function(){
function stringToBytes(str){
var javaString = Java.use('java.lang.String');
var bytes = [];
bytes = javaString.$new(str).getBytes();
return bytes;
}
function bytesToString(bytes){
var javaString = Java.use('java.lang.String');
return javaString.$new(bytes);
}
var launcheractivity = Java.use('de.fraunhofer.sit.premiumapp.LauncherActivity');
var main = Java.use('de.fraunhofer.sit.premiumapp.MainActivity');
var license = "LICENSEKEYOK";
launcheractivity.getKey.implementation = function() {
var mac = this.getMac();
var macbyte = stringToBytes(mac);
var licensebyte = stringToBytes(license);
var xor = main.xor(macbyte,licensebyte);
send(xor)
var key = bytesToString(xor);
send(key.toString());
return key;
}
launcheractivity.verifyClick.implementation = function(v) {
this.showPremium(v);
}
});
"""
def on_message(message, data):
if message['type'] == 'send':
print("[*] {0}".format(message['payload']))
else:
print(message)
process = frida.get_usb_device().attach('de.fraunhofer.sit.premiumapp')
script = process.create_script(jscode)
script.on('message', on_message)
script.load()
sys.stdin.read()
运行结果
总结
编写js代码的时候是真的累,因为要写在字符串里,没法自动补全,有些变量名就打错了,还全部都是绿绿的很难看出来,终于也看懂了一点js的报错才找出来了。Js中可以通过Java.use使用Java中的一些基类用于灵活转换类型。