【APP逆向32】rpc传参相关
-
1.在执行frida-rpc时,会涉及到相关参数类型的处理和转换
- 1.1:Python程序调用时,传入参数
- 1.2:Frida的JavaScript脚本如何获取参数
- 1.3:JavaScript的参数如何转换到 Java中所需的类型
-
2.python传参
- 2.1:字符串/整型/浮点型等直接传递
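import frida

# Attach to the running target by its display name (package name noted for reference).
rdev = frida.get_remote_device()
session = rdev.attach("大姨妈") # com.yoloho.dayima

# rpc.exports makes `encrypt` callable from Python as script.exports.encrypt(...).
# Strings, ints and floats are passed directly; the typeof logs show what the
# JavaScript side receives for each argument.
scr = """
rpc.exports = {
    encrypt: function (v1, v2, v3, v4, v5) {
        console.log(v1, typeof v1);
        console.log(v2, typeof v2);
        console.log(v3, typeof v3);
        console.log(v4, typeof v4);
        console.log(v5, typeof v5);
        // Always pass the radix: without it parseInt may infer the base from a string prefix.
        var v6 = parseInt(v5, 10);
        console.log(v6, typeof v6);
    }
};
"""
script = session.create_script(scr)
script.load()
# Call the export from Python
script.exports.encrypt(100, "xwl", 19.2, -10, "-1")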
- 2.2:列表,字典
import frida

rdev = frived = frida.get_remote_device() if False else frida.get_remote_device()
session = rdev.attach("大姨妈") # com.yoloho.dayima

# Lists and dicts are passed as-is: the script indexes the list, reads the
# dict's properties, and then enumerates every key/value pair of both.
scr = """
rpc.exports = {
    encrypt: function (v1, v2) {
        console.log(v1, typeof v1, v1[0], v1[1]);
        console.log(v2, typeof v2, v2.name, v2.age);
        // Keys of the array are its index strings ("0", "1", ...)
        for (const [key, value] of Object.entries(v1)) {
            console.log(key, value);
        }
        // Keys of the object are its property names
        for (const [key, value] of Object.entries(v2)) {
            console.log(key, value);
        }
    }
};
"""
script = session.create_script(scr)
script.load()
payload_list = [11, 22, 33]
payload_dict = {"name": 123, "age": 456}
script.exports.encrypt(payload_list, payload_dict)
- 2.3:字节,无法直接传递,需转换为列表
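import frida

rdev = frida.get_remote_device()
session = rdev.attach("大姨妈") # com.yoloho.dayima

# Python `bytes` cannot be passed over RPC directly: the caller converts them to
# a list of ints and the script turns that list into a Java byte[].
# Java.* calls are made inside Java.perform so the calling thread is attached to
# the VM (the same pattern this page uses for the Crypt call further down).
scr = """
rpc.exports = {
    encrypt: function (v1, v2) {
        // v2 is not used by this example; the signature is kept as-is.
        console.log(v1, typeof v1);
        Java.perform(function () {
            // Build a Java byte[] from the int list.
            // NOTE(review): Java byte is signed (-128..127) while the Python side sends
            // 0..255 for non-ASCII text -- confirm how values above 127 are mapped.
            var bs = Java.array('byte', v1);
            console.log(JSON.stringify(bs));
        });
    }
};
"""
script = session.create_script(scr)
script.load()
arg_bytes = "哪吒闹海".encode('utf-8')
byte_list = list(arg_bytes)  # each element is an int in 0..255
script.exports.encrypt(byte_list)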
- 2.4:某个类的对象,无法直接传递,可以将参数传入,然后再在JavaScript调用frida api构造相关对象
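import frida

rdev = frida.get_remote_device()
session = rdev.attach("大姨妈") # com.yoloho.dayima

# A Java object (here a StringBuilder) cannot be sent over RPC. The caller passes
# the plain values and the script builds the object itself with the Frida Java
# bridge. Every Java.* call sits inside Java.perform so the RPC thread is attached
# to the VM before the bridge is used.
scr = """
rpc.exports = {
    encrypt: function (v1, v2) {
        var res;  // result of the Java call; kept local rather than an implicit global
        Java.perform(function () {
            var StringBuilder = Java.use('java.lang.StringBuilder');
            var obj = StringBuilder.$new();  // obj = new StringBuilder()
            obj.append(v1);                  // obj.append(v1)
            obj.append(v2);                  // obj.append(v2)
            var Crypt = Java.use("com.yoloho.libcore.util.Crypt");
            // TODO: j2 and j3 are not defined anywhere in this snippet; supply them
            // (for example as additional rpc arguments) before this call can run.
            res = Crypt.encrypt_data(j2, obj, j3);
        });
    }
};
"""
script = session.create_script(scr)
script.load()
script.exports.encrypt("xwl", "666")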
- 3.JavaScript参数:frida的脚本其实就是用JavaScript编写的代码,所以内部的执行过程完全是用JavaScript语法来实现的
import frida
rdev = frida.get_remote_device()
session = rdev.attach("大姨妈") # com.yoloho.dayima
scr = """
rpc.exports = {
encrypt:function(bytesList){
// [11,22,33,11,22,42,13,4]
// 先处理拼接好的数据(字节数组)
var bArr = [];
for(var i=0;i<bytesList.length;i+=2){
var item = (parseInt(bytesList[i],16) << 4) + parseInt(bytesList[i+1],16);
bArr.push(item);
}
console.log(bArr);
// 转换为java的字节数组
var bs = Java.array('byte',bArr);
}
}
"""
script = session.create_script(scr)
script.load()
arg_bytes = "xwl".encode('utf-8')
byte_list = [i for i in arg_bytes]
script.exports.encrypt(byte_list)
- 4.在编写frida的JavaScript脚本时,我们经常会:
- 调用Java中已编写好的类、方法等功能
- 执行目标方法时,传入相关参数。
- 这种情况下,就需要使用frida相关API来完成JavaScript和Java中的调用
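import frida

rdev = frida.get_remote_device()
session = rdev.attach("大姨妈") # com.yoloho.dayima

# Four argument kinds in one export: scalars are used directly, a byte list is
# converted to a Java byte[], and a dict is copied into a java.util.TreeMap.
# All Java.* usage is inside Java.perform so the RPC thread is attached to the VM.
scr = """
rpc.exports = {
    encrypt: function (v1, v2, v3, v4) {
        // 1. ints and strings are used as-is
        console.log(v1, v2);
        Java.perform(function () {
            // 2. byte array
            var v3_obj = Java.array('byte', v3);
            console.log(v3_obj, JSON.stringify(v3_obj));
            // 3. TreeMap object, read back with obj.get("xx")
            var TreeMap = Java.use("java.util.TreeMap");
            var v4_obj = TreeMap.$new();
            // Object.keys only visits own properties (for...in would also walk inherited ones)
            for (var key of Object.keys(v4)) {
                v4_obj.put(key, v4[key]);
            }
            console.log(v4_obj);
            console.log(v4_obj.get("name"));
            console.log(v4_obj.get("age"));
            // Walk the map through its Java iterator; toString() unwraps each Java object
            var it = v4_obj.keySet().iterator();
            while (it.hasNext()) {
                var keystr = it.next().toString();
                var valuestr = v4_obj.get(keystr).toString();
                console.log(keystr, valuestr);
            }
        });
    }
};
"""
script = session.create_script(scr)
script.load()
v3 = [i for i in "xwl".encode('utf-8')]
script.exports.encrypt(10, "xwl", v3, {"name": "root", "age": "18"})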