hook in java(2)

  • Start frida-server on the device (Magisk's su takes the command after -c; a bare path is parsed as a user name): alias activityFrida="adb shell 'su -c /data/local/tmp/frida-server64 &'"

  • Start frida on the PC

    • Attach to an already running app: frida -U packageName -l hook.js
    • To hook from the moment the app starts, let frida spawn the app: frida -U --no-pause -f com.tlamb96.spetsnazmessenger -l hook.js (Frida 16 removed --no-pause and resumes the spawned process automatically; pass --pause to keep it stopped at start)
  • Hook the constructor: take the class wrapper and hook its $init (if the class has several constructors, pick one with a.$init.overload('int', 'java.lang.String', ...))

    • // hook the constructor (`a` is the obfuscated target class)
      a.$init.implementation = function (i, str, str2, z) {
        this.$init(i, str, str2, z);     // run the real constructor first
        console.log("a.$init:", i, str, str2, z);
        print_stack();                   // print the call stack
      };
      
  • Print the call stack with what Java already provides: construct an exception, read its stack trace, print it, then release the wrapper object

    • function print_stack() {
          Java.perform(function () {
              var Exception = Java.use("java.lang.Exception");
              var instance = Exception.$new("print_stack");
              var stack = instance.getStackTrace();   // StackTraceElement[], logged as a comma-separated list
              console.log(stack);
              instance.$dispose();                    // drop the JS wrapper's reference now instead of waiting for GC
          });
      }
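Putting the constructor hook and the stack printer together, as an added example that is not part of the original notes: a complete Frida script that hooks every constructor overload of the target class (the notes hook one fixed signature), logs the arguments with their declared types, and prints the stack trace filtered down to the app's own frames. `TARGET_CLASS` (the obfuscated `a` from the notes) and `APP_PREFIX` are placeholders, and `android.util.Log.getStackTraceString` is used instead of the notes' `getStackTrace()` because it yields one formatted string rather than an array.

```javascript
// Added example (not from the original notes): hook every constructor
// overload of one class, log the arguments, and print the Java call stack
// of each construction. Frida script, run with e.g.
//   frida -U -f com.tlamb96.spetsnazmessenger -l hook.js
// `Java` is Frida's Java bridge; TARGET_CLASS and APP_PREFIX are assumptions.
var TARGET_CLASS = 'a';          // obfuscated class from the notes' example
var APP_PREFIX = 'com.tlamb96';  // stack frames starting with this are "ours"

// Produce the stack trace as one string. android.util.Log.getStackTraceString
// does the formatting; $dispose() releases the wrapper right away.
function getStackString() {
    var Exception = Java.use('java.lang.Exception');
    var Log = Java.use('android.util.Log');
    var ex = Exception.$new('print_stack');
    var trace = Log.getStackTraceString(ex);
    ex.$dispose();
    return trace;
}

// Keep only the frames that belong to the app package: in an obfuscated app
// the interesting caller is a few frames below the hook, and framework frames
// (android.*, java.*) are noise. Pure string work, so it runs off-device too.
function appFrames(trace, pkgPrefix) {
    return trace.split('\n')
        .map(function (line) { return line.trim(); })
        .filter(function (line) { return line.indexOf('at ' + pkgPrefix) === 0; })
        .map(function (line) { return line.slice('at '.length); });
}

// One log line per call, e.g. a.$init(int=1, java.lang.String=foo)
function formatCall(className, argTypes, args) {
    var parts = [];
    for (var i = 0; i < args.length; i++) {
        parts.push(argTypes[i] + '=' + String(args[i]));
    }
    return className + '.$init(' + parts.join(', ') + ')';
}

// Hook all overloads rather than one fixed signature: `.overloads` lists
// them and each overload exposes `.argumentTypes[i].className`. Returns the
// number of overloads hooked so the caller can sanity-check the class name.
function hookConstructors(className) {
    var clazz = Java.use(className);
    var overloads = clazz.$init.overloads;
    overloads.forEach(function (ctor) {
        var argTypes = ctor.argumentTypes.map(function (t) { return t.className; });
        ctor.implementation = function () {
            // Run the real constructor first so the object is fully built
            // (and a throwing constructor still throws for the app).
            var ret = ctor.apply(this, arguments);
            console.log(formatCall(className, argTypes, Array.prototype.slice.call(arguments)));
            var trace = getStackString();
            console.log(appFrames(trace, APP_PREFIX).join('\n') || trace);
            return ret;
        };
    });
    return overloads.length;
}

// Only touch the VM when actually running inside Frida.
if (typeof Java !== 'undefined') {
    Java.perform(function () {
        var n = hookConstructors(TARGET_CLASS);
        console.log('hooked ' + n + ' constructor(s) of ' + TARGET_CLASS);
    });
}
```

If the filtered output is empty the full trace is printed, which is what you want when the constructor is only ever reached through framework code.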
      
  • Pack your own helper class into a dex so it can be loaded into the target process

    jar -cvf ddex.jar com/example/androiddemo/DecodeUtils.class
    /Users/yang/Library/Android/sdk/build-tools/28.0.3/dx --dex --output=ddex.dex ddex.jar

    (newer build-tools ship d8 instead of dx: d8 --output . ddex.jar writes classes.dex into the current directory)

  • Load the dex (push it to the device first with adb push): var ddex2 = Java.openClassFile("/data/local/tmp/ddex2.dex"); ddex2.load(); openClassFile only opens the file, load() is what defines its classes in the app's class loader so Java.use can find them

  • Build a Java String[] (for example to pass as a String[] argument) with java.lang.reflect.Array; Frida's built-in Java.array('java.lang.String', array) does the same in one call

    var Ref_arr = Java.use('java.lang.reflect.Array');
    var stringClass = Java.use("java.lang.String").class;          // java.lang.Class object for String
    var arg1 = Ref_arr.newInstance(stringClass, array.length);     // array is a JS array of strings
    for (var i = 0; i < array.length; i++) {
        Ref_arr.set(arg1, i, array[i]);
    }
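The dex load and the array construction together, as an added example that is not from the original notes: a Frida script that loads the helper dex, builds a `String[]` both the reflective way from the notes and with Frida's built-in `Java.array`, and hands it to the helper class. `DecodeUtils` is the notes' own class, but the method `decode(String[])` and the dex path are assumptions standing in for the real signature, and `Java` is Frida's Java bridge.

```javascript
// Added example (not from the original notes): load a dex built from your
// own helper class into the target process, then call one of its methods
// with a Java String[] built from a JS array. Frida script, run with e.g.
//   frida -U -f com.tlamb96.spetsnazmessenger -l load.js
// Assumptions: DEX_PATH, and the method name DecodeUtils.decode(String[]),
// which is a hypothetical placeholder for the real helper's signature.
var DEX_PATH = '/data/local/tmp/ddex.dex';                 // pushed with adb push
var HELPER_CLASS = 'com.example.androiddemo.DecodeUtils';

// Java.openClassFile only opens the file; .load() defines the classes in the
// app's class loader so Java.use can find them. Returns the class names the
// dex contains, handy for confirming the right file was pushed.
function loadDex(path) {
    var classFile = Java.openClassFile(path);
    classFile.load();
    return classFile.getClassNames();
}

// Build a Java array via reflection, generalised from the notes to any object
// element class (java.lang.String, java.lang.Integer, ...). Caveat: Frida sees
// the result of Array.newInstance as a java.lang.Object wrapper, not as
// String[], so when the callee is declared as String[] prefer Java.array below.
function toJavaArray(elementClassName, values) {
    var ArrayRef = Java.use('java.lang.reflect.Array');
    var elementClass = Java.use(elementClassName).class;
    var arr = ArrayRef.newInstance(elementClass, values.length);
    for (var i = 0; i < values.length; i++) {
        ArrayRef.set(arr, i, values[i]);
    }
    return arr;
}

// Frida's built-in equivalent: yields a properly typed [Ljava.lang.String;
function toJavaStringArray(values) {
    return Java.array('java.lang.String', values);
}

// Call the helper from the loaded dex with a String[] argument.
// `decode` is the hypothetical method name; replace with the real one.
function callHelper(args) {
    var DecodeUtils = Java.use(HELPER_CLASS);
    var result = DecodeUtils.decode(toJavaStringArray(args));
    return String(result);
}

// Only touch the VM when actually running inside Frida.
if (typeof Java !== 'undefined') {
    Java.perform(function () {
        console.log('loaded classes: ' + loadDex(DEX_PATH).join(', '));
        console.log(callHelper(['sample-input']));
    });
}
```

Load the dex inside `Java.perform` before the first `Java.use` of a class it contains; a `Java.use` that runs earlier fails with a ClassNotFoundException from the app's loader.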
