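Frida RPC calls: an app store example
1. What is Frida RPC
RPC stands for Remote Procedure Call. Connect the phone to the computer with a USB cable, start the crawler, and let a hook call the function inside the .so library automatically, which saves you from analysing the unreadable native code in the .so.
2. Demo walkthrough
Package name: com.oppo.market
Version: 9.0.1
Process: generating the sign parameter. We found that sign is produced by the method com.heytap.cdo.client.OcsTool.c.
Looking at method c, it is a native method.
Frida supports RPC, so we expose this method directly in rpc_test.js: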
```javascript
function sign(str_data, data_length) {
    var result;
    Java.perform(function () {
        // Actively calling a static method: look up the class first
        var OcsTool = Java.use("com.heytap.cdo.client.OcsTool");
        // Method c takes two arguments: a String and an int holding that string's length
        var str = Java.use("java.lang.String");
        var string_data = str.$new(str_data);
        result = OcsTool.c(string_data, data_length);
        console.log(result);
    });
    return result;
}

// Expose sign() to the Python side as script.exports.sign
rpc.exports = {
    sign: sign
};
```
Then load it through Frida:
```python
import frida


def on_message(message, payload):
    # Print messages sent by the script and errors raised inside it
    message_type = message['type']
    if message_type == 'send':
        print('[* message]', message['payload'])
    elif message_type == 'error':
        stack = message.get('stack', message.get('description'))
        print('[* error]', stack)
    else:
        print(message)


with open("rpc_test.js", "r", encoding="utf-8") as f:
    js_code = f.read()

# Attach to the running app on the USB-connected device and load the script
session = frida.get_usb_device().attach("com.oppo.market")
script = session.create_script(js_code)
script.on("message", on_message)
script.load()


def get_sign():
    base_str = "asdadad"
    data_length = len(base_str)
    # Call the function exported through rpc.exports in rpc_test.js
    res = script.exports.sign(base_str, data_length)
    print(res)
    return res


get_sign()
```
Run procedure
1. Start the app
2. Start frida-server
3. Set up port forwarding
4. The script runs successfully.
3. Exposing the interface to other users with FastAPI
Everything else stays the same; modify the Frida launcher code:
```python
import frida
from fastapi import FastAPI
import uvicorn


def on_message(message, payload):
    # Print messages sent by the script and errors raised inside it
    message_type = message['type']
    if message_type == 'send':
        print('[* message]', message['payload'])
    elif message_type == 'error':
        stack = message.get('stack', message.get('description'))
        print('[* error]', stack)
    else:
        print(message)


with open("rpc_test.js", "r", encoding="utf-8") as f:
    js_code = f.read()

# Attach to the running app on the USB-connected device and load the script
session = frida.get_usb_device().attach("com.oppo.market")
script = session.create_script(js_code)
script.on("message", on_message)
script.load()


def get_sign(query):
    base_str = "asdadad" + query
    data_length = len(base_str)
    # Call the function exported through rpc.exports in rpc_test.js
    res = script.exports.sign(base_str, data_length)
    print(res)
    return res


app = FastAPI()


@app.get("/get_data")
def get_oppO_sign(query: str):
    print(query)
    sign_str = get_sign(query)
    dic = {}
    dic["sign"] = sign_str
    return dic


if __name__ == '__main__':
    uvicorn.run(app=app)
```
Output:
```
D:\python37\python.exe D:/tom/frida_learning/oppo_store_rpc/rpc.py
INFO: Started server process [2964]
INFO: Waiting for application startup.
INFO: Application startup complete.
INFO: Uvicorn running on http://127.0.0.1:8000 (Press CTRL+C to quit)
INFO: 127.0.0.1:56460 - "GET / HTTP/1.1" 404
INFO: 127.0.0.1:56460 - "GET /favicon.ico HTTP/1.1" 404
hahah
INFO: 127.0.0.1:56461 - "GET /get_data?query=hahah HTTP/1.1" 200
88d8d13cc3d6849d3bc33ecdfd310384
88d8d13cc3d6849d3bc33ecdfd310384
asdadsa
1ba13945334e29f1e520e99bc879538e
1ba13945334e29f1e520e99bc879538e
INFO: 127.0.0.1:56933 - "GET /get_data?query=asdadsa HTTP/1.1" 200
```
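The HTTP wrapper forwards caller-controlled text plus a Python `len()` value into a native method that takes a string and its length, and for non-ASCII input `len()` differs from Java's `String.length()` and from the UTF-8 byte count. The following is an added example, not code from the original post: `length_views`, `checked_sign_args` and `MAX_QUERY_CHARS` are hypothetical names, and because the page does not say which length the native method expects, the check rejects any input where the three disagree.

```python
# Added example: all names and the size limit are assumptions, not from the post.
MAX_QUERY_CHARS = 256  # assumed limit; the page states none


def length_views(text: str) -> dict:
    """Return the three lengths a (string, length) native API might mean."""
    return {
        "code_points": len(text),                           # Python len()
        "utf16_units": len(text.encode("utf-16-le")) // 2,  # Java String.length()
        "utf8_bytes": len(text.encode("utf-8")),            # byte length as UTF-8
    }


def checked_sign_args(query: str, prefix: str = "asdadad") -> tuple:
    """Build (base_str, data_length) for script.exports.sign, or raise ValueError.

    Input is rejected when the length is ambiguous, so the native method is
    never handed a length that disagrees with the string it receives.
    """
    if len(query) > MAX_QUERY_CHARS:
        raise ValueError("query too long")
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in query):
        raise ValueError("control characters are not allowed")
    base_str = prefix + query
    views = length_views(base_str)
    if len(set(views.values())) != 1:
        raise ValueError(f"ambiguous length for non-ASCII input: {views}")
    return base_str, views["code_points"]


if __name__ == "__main__":
    # Constructed sample inputs: ASCII, CJK text, and an astral-plane character
    for sample in ["hahah", "搜索", "a\U0001F600"]:
        try:
            print(sample, "->", checked_sign_args(sample))
        except ValueError as exc:
            print(sample, "-> rejected:", exc)
```

In the FastAPI handler, catching this `ValueError` and returning an HTTP 400 keeps such input from ever reaching `script.exports.sign`.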