Small knowledge, big challenge! This article is participating in the creation activity of “Essential Tips for Programmers”.

The installation

https://github.com/frida/frida/releases

Download frida-server-12.6.7-android-arm64.xz from the releases page (mirror: pan.baidu.com/s/15_026MJ4…). Decompress the .xz and rename the extracted file to frida-server. Later I switched to GenyMotion, whose system images are x86, so check which architecture your target actually runs. [Screenshot of the arm64 phone omitted]

So for the emulator download frida-server-12.7.5-android-x86.xz instead, decompress it and rename it frida-server. Whatever build you pick, its architecture must match the device (the ro.product.cpu.abi property) and its version must be the same release as the frida Python package installed below; mixing releases is the most common reason the client cannot talk to the server. Push and start frida-server by running the following commands in sequence (on a rooted phone it has to be started as root, see Exception handling below):

$ adb push frida-server /data/local/tmp/ 
$ adb shell "chmod 755 /data/local/tmp/frida-server"
$ adb shell "/data/local/tmp/frida-server &"

Then check from the PC that the device is visible to adb:

$ adb devices -l

Frida works as a client/server pair: frida-server runs on the phone, and the frida client on the PC reaches it over the USB/adb connection (the -U flag or get_usb_device in Python). A Python script on the PC drives the session, while the code that actually hooks the target is JavaScript that Frida injects into the app process. So the next step is installing the client side with the following commands:

 /Applications/Python\ 3.6/Install\ Certificates.command
python3.6 -m pip install -i https://pypi.tuna.tsinghua.edu.cn/simple/ --trusted-host pypi.tuna.tsinghua.edu.cn frida frida-tools

The download may take a while. Note that --trusted-host tells pip to accept the mirror even without a valid certificate, i.e. it disables TLS verification for that host; drop it unless you genuinely cannot get a valid certificate chain to the mirror, because you are about to run the code it fetches. Then execute:

frida-ps -U -ai | grep -v '@' | grep -v '    -  '

You should see output similar to this:

  PID  Name
-----  -----------------------------------------------------------------
 2681  .dataservices
  835  ATFWD-daemon
12174  adbd
  844  adsprpcd
  845  adsprpcd
  745  android.hardware.audio@2.

That confirms the setup works.

okhttp3 hook (unobfuscated build)

Java.perform(function () {
    // quiet_send is not a Frida API; it is a thin wrapper around send() so the
    // Python side receives the message in on_message
    function quiet_send(data) { send(data); }

    try {
        var CertificatePinner = Java.use('okhttp3.CertificatePinner');
        quiet_send('OkHTTP 3.x Found');
        // check(String hostname, List<Certificate> peerCertificates) throws on a pin
        // mismatch; replacing it with an empty body disables pinning for every connection
        CertificatePinner.check.overload('java.lang.String', 'java.util.List').implementation = function () {
            quiet_send('OkHTTP 3.x check() called. Not throwing an exception.');
        };
    } catch (err) {
        // the app may not bundle okhttp3 at all
        quiet_send('okhttp3.CertificatePinner not found: ' + err.message);
    }
});

When the app has been run through an obfuscator such as ProGuard, okhttp3's class and method names are replaced. In my sample the class okhttp3.CertificatePinner became d.k and its check method became a, so Java.use('d.k') refers to class k in package d, and CertificatePinner.a.overload(...) hooks that method. These names are specific to each build; recover them from the app's decompiled code (or its mapping.txt) before hooking.

/*** okhttp3.x unpinning (obfuscated build) ***/
Java.perform(function () {
    function quiet_send(data) { send(data); }   // wrapper around Frida's send()

    // Wrap the logic in a try/catch as not all applications will have
    // okhttp as part of the app.
    try {
        // after ProGuard: okhttp3.CertificatePinner -> d.k, check() -> a (names are app-specific)
        var CertificatePinner = Java.use('d.k');
        quiet_send('OkHTTP 3.x Found');
        CertificatePinner.a.overload('java.lang.String', 'java.util.List').implementation = function () {
            quiet_send('OkHTTP 3.x check() called. Not throwing an exception.');
        };
    } catch (err) {
        // If we dont have a ClassNotFoundException exception, raise the
        // problem encountered. (Testing === 0 here would re-throw exactly the
        // ClassNotFoundException this branch is meant to swallow.)
        if (err.message.indexOf('ClassNotFoundException') === -1) {
            throw new Error(err);
        }
    }
});

Application scripts

# -*- coding: utf-8 -*-
import codecs
import os
import sys
import time

import frida

# Package to hook; can be overridden on the command line
if len(sys.argv) > 1:
    APP_NAME = str(sys.argv[1])
else:
    APP_NAME = "com.loco.example.OkHttp3SSLPinning"


def sbyte2ubyte(byte):
    # Java byte[] values arrive signed (-128..127); map them to 0..255
    return byte % 256


def print_result(message):
    print("[!]  Received: [%s]" % (message))


def on_message(message, data):
    # Called for every send() issued from hooks.js; 'payload' carries the value
    if 'payload' in message:
        data = message['payload']
        if type(data) is str:
            print_result(data)
        elif type(data) is list:
            a = data[0]
            if type(a) is int:
                hexstr = "".join([("%02X" % (sbyte2ubyte(a))) for a in data])
                print_result(hexstr)
                print_result(bytes.fromhex(hexstr))  # Python 3: str has no .decode('hex')
            else:
                print_result(data)
        else:
            print_result(data)
    else:
        if message['type'] == 'error':
            print(message['stack'])
        else:
            print_result(message)


def kill_process():
    # 'pm clear' stops the app AND wipes its data; use 'am force-stop' if you only want to kill it
    cmd = "adb shell pm clear {} 1> /dev/null".format(APP_NAME)
    os.system(cmd)


#kill_process()
try:
    with codecs.open("hooks.js", 'r', encoding='utf8') as f:
        jscode = f.read()
    device = frida.get_usb_device(timeout=5)
    #pid = device.spawn([APP_NAME])
    session = device.attach(APP_NAME)  # attach to the already running app
    script = session.create_script(jscode)
    #device.resume(pid)
    script.on('message', on_message)
    print("[*] Intercepting on {} ...".format(APP_NAME))
    script.load()
    sys.stdin.read()
except KeyboardInterrupt:
    print("[!]  Killing app...")
    kill_process()
    time.sleep(1)
    kill_process()

Exception handling

frida Unable to load SELinux policy from the kernel: Failed to open file ? /sys/fs/selinux/policy? : Permission denied

The cause is that frida-server is not running as root: it was started from a plain adb shell without su, so it cannot read the SELinux policy. On a rooted device start it through su (for example su -c) and the policy loads.

Composite script:

# -*- coding: UTF-8 -*-
import lzma
import os
import subprocess
import sys

import requests
import six
from loguru import logger
from tqdm import tqdm

_temp = os.path.dirname(os.path.abspath(__file__))
frida_server_path = os.path.join(_temp, "fs1280")
if not os.path.exists(frida_server_path):
    os.makedirs(frida_server_path)


def download_from_url(url, dst):
    """Resumable download: continue from the bytes already on disk."""
    response = requests.get(url, stream=True)                    # (1)
    file_size = int(response.headers['content-length'])          # (2)
    if os.path.exists(dst):
        first_byte = os.path.getsize(dst)                        # (3)
    else:
        first_byte = 0
    if first_byte >= file_size:                                  # (4)
        return file_size
    header = {"Range": f"bytes={first_byte}-{file_size}"}
    pbar = tqdm(total=file_size, initial=first_byte, unit='B', unit_scale=True, desc=dst)
    req = requests.get(url, headers=header, stream=True)         # (5)
    with open(dst, 'ab') as f:
        for chunk in req.iter_content(chunk_size=1024):          # (6)
            if chunk:
                f.write(chunk)
                pbar.update(len(chunk))
    pbar.close()
    return file_size


class IsNotPython3(ValueError):
    def __str__(self):
        return "please install python3"


def adb_operation(fs_file):
    """Push frida-server to the device and start it.
    :param fs_file: local path of the decompressed frida-server binary
    """
    command = f"""
    adb push {fs_file} /data/local/tmp/;
    adb shell "chmod 755 /data/local/tmp/fs1280";
    adb shell "/data/local/tmp/fs1280 &";
    """
    completed = subprocess.run(command, check=True, shell=True, stdout=subprocess.PIPE)
    logger.info(completed.stdout.decode("utf-8"))


def get_python_version():
    python_version = sys.version_info
    if six.PY3:
        if python_version > (3, 6) and python_version < (3, 7):
            logger.info("perfect, python3.6 environment")
        else:
            logger.warning("try python3.6 if you run into problems")
    else:
        raise IsNotPython3


def get_frida_server():
    # arm64; the server release must equal the frida package version installed in main()
    logger.info("start downloading frida-server (arm64)")
    file_name = "fs1280"
    url = "https://github.com/frida/frida/releases/download/12.8.0/frida-server-12.8.0-android-arm64.xz"
    frida_full_path = os.path.join(frida_server_path, file_name)
    download_from_url(url, dst=frida_full_path + ".xz")
    # GitHub serves an .xz archive: decompress it before pushing, the device cannot run the archive
    with lzma.open(frida_full_path + ".xz") as src, open(frida_full_path, "wb") as dst:
        dst.write(src.read())
    logger.info("frida-server downloaded successfully!")
    adb_operation(frida_full_path)


def main():
    get_python_version()
    # objection (package name reconstructed from the garbled original text)
    install_list = ["frida==12.8.0", "frida-tools==5.3.0", "objection==1.8.4"]
    python_path = sys.executable
    for install_item in install_list:
        logger.info(f"currently installing: {install_item.split('==')[0]}")
        try:
            command = f'{python_path} -m pip install {install_item}'
            completed = subprocess.run(command, check=True, shell=True, stdout=subprocess.PIPE)
            logger.info(completed.stdout.decode("utf-8"))
        except subprocess.CalledProcessError:
            raise ValueError(f"{install_item} installation failed")
    get_frida_server()


if __name__ == "__main__":
    main()

The latest supplement

For convenience, these are the versions of each tool that work together:

python3.6 -m pip install frida==12.8.0
python3.6 -m pip install frida-tools==5.3.0
python3.6 -m pip install objection==1.8.4

Then install frida-server 12.8.0 (the same release as the frida package).
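Two things go wrong most often with the composite script and the version list above: the .xz archive gets pushed instead of the ELF inside it, and the server release drifts from the frida package. The following is an added example (not the post's or the install_frida project's code) that checks both before anything is pushed: it decompresses the asset, reads e_machine from the ELF header and compares it with the device ABI, and compares the client and server version strings. The ELF header bytes are a constructed sample; device_abi and device_server_version assume adb is on PATH and that frida-server already sits at /data/local/tmp/frida-server, and are only exercised by the main block.

```python
"""Added example: sanity-check a downloaded frida-server before pushing it."""
import lzma
import struct
import subprocess
import sys

# ELF e_machine values for the ABIs the install_frida project lists
ELF_MACHINE_FOR_ABI = {
    "arm64-v8a": 0xB7,    # EM_AARCH64
    "armeabi-v7a": 0x28,  # EM_ARM
    "armeabi": 0x28,
    "x86": 0x03,          # EM_386
    "x86_64": 0x3E,       # EM_X86_64
}


def decompress_frida_server(xz_bytes: bytes) -> bytes:
    """GitHub serves frida-server as an .xz archive; the device needs the raw ELF inside."""
    return lzma.decompress(xz_bytes)


def elf_machine(binary: bytes) -> int:
    """Read e_machine from an ELF header; raises if the blob is not an ELF file
    (which is what you get when the .xz archive is pushed without decompressing)."""
    if len(binary) < 0x14 or binary[:4] != b"\x7fELF":
        raise ValueError("not an ELF file: did you push the .xz archive instead of the binary?")
    endian = "<" if binary[5] == 1 else ">"  # EI_DATA: 1 = little-endian, 2 = big-endian
    (machine,) = struct.unpack(endian + "H", binary[0x12:0x14])
    return machine


def check_abi(binary: bytes, device_abi: str) -> bool:
    """True if the binary was built for the device's primary ABI (ro.product.cpu.abi)."""
    expected = ELF_MACHINE_FOR_ABI.get(device_abi)
    if expected is None:
        raise ValueError(f"unsupported ABI: {device_abi!r}")
    return elf_machine(binary) == expected


def parse_version(text: str) -> tuple:
    """'12.8.0' -> (12, 8, 0); tolerates surrounding whitespace and a 'v' prefix."""
    text = text.strip().lstrip("v")
    parts = text.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(int(p) for p in parts)


def versions_match(client_version: str, server_version: str) -> bool:
    """The frida pip package and frida-server must be the same release; mixing
    12.6.7 and 12.7.5 as in the installation section is a classic failure."""
    return parse_version(client_version) == parse_version(server_version)


def device_abi() -> str:
    """Ask the attached device for its primary ABI (needs adb; not exercised offline)."""
    out = subprocess.run(["adb", "shell", "getprop", "ro.product.cpu.abi"],
                         check=True, capture_output=True, text=True)
    return out.stdout.strip()


def device_server_version(path: str = "/data/local/tmp/frida-server") -> str:
    """Run 'frida-server --version' on the device (assumes the binary is pushed and executable)."""
    out = subprocess.run(["adb", "shell", path, "--version"],
                         check=True, capture_output=True, text=True)
    return out.stdout.strip()


# Constructed sample: a minimal 64-byte ELF header for AArch64 (EI_CLASS=2, EI_DATA=1,
# e_type=ET_EXEC, e_machine=EM_AARCH64), compressed the way the release asset is.
SAMPLE_ELF = (b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
              + struct.pack("<HH", 2, 0xB7) + b"\x00" * 44)
SAMPLE_XZ = lzma.compress(SAMPLE_ELF)

if __name__ == "__main__":
    # usage: python check_frida_server.py frida-server-12.8.0-android-arm64.xz
    import frida  # only needed for the live version check

    with open(sys.argv[1], "rb") as fh:
        raw = decompress_frida_server(fh.read())
    abi = device_abi()
    print("arch ok" if check_abi(raw, abi) else f"binary does not match device ABI {abi}")
    server = device_server_version()
    print("versions ok" if versions_match(frida.__version__, server)
          else f"version mismatch: client {frida.__version__}, server {server}")
```

The asset is fetched over HTTPS (requests verifies the certificate by default), but nothing on the page checks its contents, so the ELF/ABI check is the only thing standing between a typo in the download URL and a binary that silently fails to start on the phone.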

I recommend using a real phone; the usual choice is a first-generation Google Pixel, which is what most Android reversing write-ups use. Android 8 is the sweet spot, neither too old nor too new. If you are on Android 10, use Frida 14; older Frida builds tend to crash the target app there.

To make this easier I created a one-click installation project; once it has run, the Frida reversing environment is set up:

https://github.com/cxapython/install_frida

Its usage is as follows.

Supported CPU architectures:

  • arm64
  • arm
  • x86
  • x86_64

Python version: 3.6 or later

Install dependencies


python3 -m pip install requests
python3 -m pip install tqdm
python3 -m pip install loguru

How To Run

git clone https://github.com/cxapython/install_frida.git
cd install_frida
python3 main.py

The original article is also available on my cnblogs blog: www.cnblogs.com/c-x-a