关于python:Frida-Hook-Md5加密类


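把脚本里 attach() 中的“包名”占位符改成目标应用的包名即可使用。脚本 hook 的是 java.security.MessageDigest,因此除 MD5 外,SHA-1、SHA-256 等摘要调用同样会被记录。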

import frida,sys

def on_message(message, data):
    """Callback registered with ``script.on('message', ...)``.

    Messages whose ``type`` is ``'send'`` have their ``payload`` printed with
    a ``[*]`` prefix. Any other message is printed in full so that nothing
    delivered to the callback is dropped silently.

    ``data`` is accepted to match the callback signature and is not used.
    """
    is_send = message['type'] == 'send'
    if not is_send:
        print(message)
        return
    print("[*] {0}".format(message['payload']))


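# JavaScript injected into the target process. It replaces the update()
# overloads and getInstance(String) of java.security.MessageDigest with
# logging wrappers that forward to the original implementations.
# The log contains whatever bytes the app feeds to a digest, which may be
# credentials or tokens, so handle captured output as sensitive data.
jscode = """
// Send the current Java call stack to the host, so a digest call can be
// traced back to the application code that made it.
function printstack(){
    send(Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Exception").$new()));
}

// Convert a Java byte[] into a JS string, one character per byte.
function array2string(array){
    var buffer = Java.array('byte', array);
    var result = "";
    for (var i = 0; i < buffer.length; ++i) {
        // Java bytes are signed (-128..127); mask to 0..255 so bytes >= 0x80
        // do not turn into unrelated UTF-16 code units.
        result += String.fromCharCode(buffer[i] & 0xff);
    }
    return result;
}

Java.perform(function(){
    var MessageDigest = Java.use('java.security.MessageDigest');

    // update(byte[]): log the input bytes and the caller's stack.
    MessageDigest.update.overload('[B').implementation = function(bytesarray){
        send('I am here 0:');
        send("ori:" + array2string(bytesarray));
        printstack();
        this.update(bytesarray);
    };

    // update(ByteBuffer): only record that the overload was hit.
    MessageDigest.update.overload('java.nio.ByteBuffer').implementation = function(input){
        send('I am here 1:');
        this.update(input);
    };

    // update(byte): only record that the overload was hit.
    MessageDigest.update.overload('byte').implementation = function(input){
        send('I am here 2:');
        this.update(input);
    };

    // update(byte[], int, int): forward offset and length as well. Passing
    // only the array would digest the whole buffer instead of the requested
    // slice and change the hash the app computes.
    MessageDigest.update.overload('[B', 'int', 'int').implementation = function(bytesarray, offset, len){
        send('I am here 3:');
        this.update(bytesarray, offset, len);
    };

    // getInstance(String): log which algorithm is requested. The overload is
    // selected by signature rather than by its position in the overloads list.
    MessageDigest.getInstance.overload('java.lang.String').implementation = function(algorithm){
        send("call ->getInstance for" + algorithm);
        return this.getInstance(algorithm);
    };
});
"""

# ' 包名 ' is a placeholder: replace it with the target app's identifier.
# NOTE(review): the spaces inside the quotes look like a page-formatting
# artefact; confirm the exact string before use.
process = frida.get_usb_device(timeout=1000).attach(' 包名 ')
script = process.create_script(jscode)
script.on('message', on_message)
print('[*] Running CTF')
script.load()
# Block on stdin so the session, and with it the hooks, stays alive until EOF.
sys.stdin.read()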
