0.$ adb connect 手机IP
1.$ adb shell #本地电脑执行进入安卓terminal
2.$ su root #登录到安卓后进入root权限
3.$ cd /data/local/tmp
4.$./frida-server-16.0.19-android-arm64 & #启动安卓frida服务端
5.$ adb forward tcp:27043 tcp:27043 #本地电脑上执行端口转发
6.$ adb forward tcp:27042 tcp:27042 #本地电脑上执行端口转发
7.$ frida-ps -U #本地电脑执行,查看是否成功
使用python脚本注入进程,获取参与签名的字符串:
import frida,sys
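def on_message(message, data):
    """Frida message callback: print ``send()`` payloads from the injected script.

    Args:
        message: the dict frida hands to the callback; ``message['type']`` is
            ``'send'`` for script output, ``'error'`` for script exceptions.
        data: optional binary attachment of the message (unused here).

    Returns:
        None.

    Script errors typically carry the JS stack in ``message['stack']``; it is
    printed in full so a failing hook inside ``Java.perform`` is diagnosable
    instead of being reduced to a one-line dict dump.
    """
    kind = message['type']
    if kind == 'send':
        print("[*] {0}".format(message['payload']))
    elif kind == 'error':
        # Fall back to the whole dict if this frida build omits 'stack'.
        print("[!] script error:", message.get('stack', message))
    else:
        print(message)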
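# Frida hook script (JavaScript) injected into the target. It reports every
# byte[] passed to java.security.MessageDigest.update(byte[]) together with the
# Java stack that reached it, and the algorithm name requested through
# MessageDigest.getInstance(String).
#
# NOTE(review): only the update(byte[]) overload is hooked. Data fed through
# update(byte[], int, int), update(byte), update(ByteBuffer) or digest(byte[])
# does not pass through this hook and would be missed.
jscode = """
// Print the Java call stack that led here so the signing routine can be located.
function printstack() {
    send(Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Exception").$new()));
}

// Render a Java byte[] as a Latin-1 string. Java bytes are signed (-128..127);
// mask to 0..255 so values >= 0x80 do not turn into U+FF80.. garbage.
function array2string(array) {
    var buffer = Java.array('byte', array);
    var chars = [];
    for (var i = 0; i < buffer.length; ++i) {
        chars.push(String.fromCharCode(buffer[i] & 0xff));
    }
    return chars.join("");
}

Java.perform(function () {
    var MessageDigest = Java.use('java.security.MessageDigest');

    // update(byte[]) is where the data-to-be-hashed enters; log it, then forward.
    MessageDigest.update.overload('[B').implementation = function (bytesarray) {
        send("进入签名的字符串: " + array2string(bytesarray));
        printstack();
        this.update(bytesarray);
    };

    // Hook the (String) overload by signature: overloads[0] is not guaranteed to
    // be the single-argument variant, so indexing could silently hook
    // getInstance(String, String) or getInstance(String, Provider) instead.
    var getInstanceByName = MessageDigest.getInstance.overload('java.lang.String');
    getInstanceByName.implementation = function (algorithm) {
        send("获取到当前的加密方法为----> " + algorithm);
        return getInstanceByName.call(this, algorithm);
    };
});
"""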
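# Attach over adb/USB to the already-running target, inject the hook script and
# block until stdin closes or the operator hits Ctrl-C. The target name is the
# one shown by `frida-ps -U` (进程名称frida-ps -U获取).
# NOTE(review): the `timeout` unit is whatever the installed frida-python
# binding uses; 1000 may be a very long wait when no device is attached — confirm.
process = frida.get_usb_device(timeout=1000).attach('进程名称')
script = process.create_script(jscode)
script.on('message', on_message)
print('[*] 启动成功,等待程序运行....')
script.load()
try:
    sys.stdin.read()  # keep the session (and the hooks) alive
except KeyboardInterrupt:
    pass
finally:
    # Tear the session down explicitly so the target is left without our hooks
    # instead of relying on cleanup at interpreter exit.
    process.detach()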