frida 简单使用
frida-ps -U | grep settings
frida -U "烧饼修改器" -l test.js
frida -U com.google.android.settings.intelligence -l hello.js
adb shell ps -A | grep frida-server
frida -U "ABC" -l demo01.js
https://github.com/postern-overwal/postern-stuff/blob/master/Postern-3.1.2.apk
sudo apt install python3.12-venv
1. 创建虚拟环境
python3 -m venv myenv
2. 激活虚拟环境
source myenv/bin/activate # Linux/macOS
myenv\Scripts\activate # Windows
3. 在虚拟环境中安装 objection
pip install objection
objection -g BTCC explore
objection -g "烧饼修改器" explore
objection -n "com.sankuai.meituan" start
枚举类
android hooking list classes
Objection 支持 Hook 指定类中除构造函数以外的全部方法,命令格式如下:
android hooking watch gw.com.android.ui.coin.buy2.BuyCoinActivity
android hooking search gw.com.android.ui.coin.buy2.BuyCoinActivity
frida -U "烧饼修改器" -l test.js
frida -U -f "com.sankuai.meituan" -l okhttp.js
frida -U -f "com.btcc.hy" -l okhttp.js
typescript
//调用java方法 静态方法
/**
 * Actively calls MainDemo.test1 from the Frida agent, through the class
 * wrapper (the page describes test1 as a static method).
 *
 * test1 is called twice: once with an explicitly constructed
 * java.lang.String, whose return value is logged, and once with a plain
 * JavaScript string, whose return value is discarded.
 *
 * Must run inside a Frida session attached to a process that loads
 * com.tcm.app.ui.main.MainDemo; `Java` is the global provided by the
 * Frida runtime.
 *
 * NOTE(review): the return value is printed verbatim to the Frida console.
 * If test1 returns sensitive material, treat captured console output the
 * same way.
 */
function invokeTest1() {
  console.log("hello frida invokeTest1");

  Java.perform(() => {
    // Wrappers for the target class and for java.lang.String.
    const demoClass = Java.use("com.tcm.app.ui.main.MainDemo");
    const stringClass = Java.use("java.lang.String");

    const plaintext = "097234567890";

    // First call: pass a real java.lang.String instance and log the result.
    const javaArgument = stringClass.$new(plaintext);
    const output = demoClass.test1(javaArgument);
    console.log("hello frida result=>", output);

    // Second call: pass a plain JS string; the result is intentionally unused.
    demoClass.test1("hello frida invokeTest1");
  });
}
//调用 Java 方法:非静态方法(实例方法)
/**
 * Calls the instance method MainDemo.test2 on every live MainDemo object
 * that Java.choose finds on the heap.
 *
 * For each match the instance is logged, test2 is called with a freshly
 * constructed java.lang.String, and the return value is logged. A final
 * message is logged when the heap scan completes.
 *
 * Must run inside a Frida session; `Java` is the global provided by the
 * Frida runtime. If no MainDemo instance exists yet, only the completion
 * message is printed.
 *
 * NOTE(review): the objection output recorded in this file lists test2()
 * without parameters, while this call passes one String argument. Confirm
 * the real signature against the target class.
 */
function invokeTest2() {
  console.log("hello frida invokeTest2");

  Java.perform(() => {
    const heapScanCallbacks = {
      // Called once per live instance found on the heap.
      onMatch(liveObject) {
        console.log("hello frida instance=>", liveObject);

        const stringClass = Java.use("java.lang.String");
        const text = "1213213312321";
        const output = liveObject.test2(stringClass.$new(text));

        console.log("hello frida result=>", output);
      },

      // Called after the whole heap has been enumerated.
      onComplete() {
        console.log("hello frida onComplete");
      },
    };

    Java.choose("com.tcm.app.ui.main.MainDemo", heapScanCallbacks);
  });
}
//hook Java 方法
// 烧饼修改器 (run) on (Android: 16) [usb] # android hooking watch com.tcm.app.ui.main.MainDemo
// (agent) Watching com.tcm.app.ui.main.MainDemo.test1(java.lang.String)
// (agent) Watching com.tcm.app.ui.main.MainDemo.test2()
/**
 * Installs a replacement for MainDemo.test1 that logs the incoming
 * argument, forwards a modified argument to the original method, then logs
 * and returns the original's result.
 *
 * The implementation is assigned without `.overload(...)`. Frida accepts
 * this only when test1 has a single overload; with several overloads the
 * signature must be selected explicitly.
 *
 * Must run inside a Frida session; `Java` is the global provided by the
 * Frida runtime.
 *
 * NOTE(review): the hook is not a passive tracer. It appends
 * "000000888888" to the argument, so the app sees different input than it
 * was given. Forward `input` unchanged when only observation is wanted.
 * Arguments and results are printed verbatim to the Frida console.
 */
function hook3() {
  // Same text is logged again on every hooked call; this one marks install time.
  console.log("hello frida test1");

  Java.perform(() => {
    console.log("hello frida test1 2222222222222");

    const demoClass = Java.use("com.tcm.app.ui.main.MainDemo");

    // Must stay a `function` expression: Frida binds `this` to the receiver.
    const replacement = function (input) {
      console.log("hello frida test1");
      console.log("hello frida str=>", input);

      // Inside a replaced implementation, this.test1(...) dispatches to the
      // original method rather than to this replacement, so it does not recurse.
      const output = this.test1(input + "000000888888");

      console.log("hello frida result=>", output);
      return output;
    };

    demoClass.test1.implementation = replacement;
  });
}