网站开发子账号,wordpress打开图片预览代码,做外链哪个网站好,哈尔滨发布本文作者#xff1a;杉木涂鸦智能安全实验室
Frida
https://github.com/frida/frida Frida是一个动态代码插入工具#xff0c;可用于各种应用程序的调试和逆向工程。它提供了多种安装选项#xff0c;包括Python和Node.js绑定#xff0c;并提供了详细的命令行参数和选项。…本文作者杉木涂鸦智能安全实验室
Frida
https://github.com/frida/frida Frida是一个动态代码插入工具可用于各种应用程序的调试和逆向工程。它提供了多种安装选项包括Python和Node.js绑定并提供了详细的命令行参数和选项。Frida还提供了一个服务器端可以在目标执行环境如手机上安装和运行。此外Frida还提供了多种工具如frida-apk、frida-compile和frida-ps。Frida的Python库提供了丰富的功能可以通过Python脚本调用。最后文档通过一个CTF题目示例展示了如何使用Frida进行调试和逆向工程。
Install
pip install frida-tools # CLI tools
pip install frida # Python bindings
npm install frida # Node.js bindingsusage: frida [options] targetpositional arguments:args extra arguments and/or targetoptional arguments:-h, --help show this help message and exit-D ID, --device ID connect to device with the given ID-U, --usb connect to USB device-R, --remote connect to remote frida-server-H HOST, --host HOST connect to remote frida-server on HOST--certificate CERTIFICATEspeak TLS with HOST, expecting CERTIFICATE--origin ORIGIN connect to remote server with “Origin” header set to ORIGIN--token TOKEN authenticate with HOST using TOKEN--keepalive-interval INTERVALset keepalive interval in seconds, or 0 to disable (defaults to -1 to auto-select based ontransport)--p2p establish a peer-to-peer connection with target--stun-server ADDRESSset STUN server ADDRESS to use with --p2p--relay address,username,password,turn-{udp,tcp,tls}add relay to use with --p2p-f TARGET, --file TARGETspawn FILE-F, --attach-frontmostattach to frontmost application-n NAME, --attach-name NAMEattach to NAME-N IDENTIFIER, --attach-identifier IDENTIFIERattach to IDENTIFIER-p PID, --attach-pid PIDattach to PID-W PATTERN, --await PATTERNawait spawn matching PATTERN--stdio {inherit,pipe}stdio behavior when spawning (defaults to “inherit”)--aux option set aux option when spawning, such as “uid(int)42” (supported types are: string, bool, int)--realm {native,emulated}realm to attach in--runtime {qjs,v8} script runtime to use--debug enable the Node.js compatible script debugger--squelch-crash if enabled, will not dump crash report to console-O FILE, --options-file FILEtext file containing additional command line options--version show programs version number and exit-l SCRIPT, --load SCRIPTload SCRIPT-P PARAMETERS_JSON, --parameters PARAMETERS_JSONparameters as JSON, same as Gadget-C USER_CMODULE, --cmodule USER_CMODULEload CMODULE--toolchain {any,internal,external}CModule toolchain to use when compiling from source code-c CODESHARE_URI, --codeshare CODESHARE_URIload CODESHARE_URI-e CODE, --eval CODE evaluate CODE-q quiet mode (no prompt) and quit after -l and -e-t TIMEOUT, --timeout TIMEOUTseconds to wait before terminating in quiet mode--pause leave main thread paused after spawning program-o LOGFILE, --output LOGFILEoutput to log file--eternalize eternalize the script before exit--exit-on-error exit with code 1 after encountering any exception in the SCRIPT--kill-on-exit kill the spawned program when Frida exits--auto-perform wrap entered code with Java.perform--auto-reload Enable auto reload of provided scripts and c module (on by default, will be required in thefuture)--no-auto-reload Disable auto reload of provided scripts and c moduleFrida详细安装教程
frida server
前面是一些frida的客户端和一些工具类以及js的工具接下来是在执行环境下的服务端安装
https://github.com/frida/frida/releases
先看本地的frida客户端版本
登录到执行环境下也就是手机查看环境下载对应的版本和环境的frida-server并移动到手机上执行 进行端口转发
一开始传到下载目录下面没有执行权限 要传到/data/local/tmp目录然后修改文件权限再执行 如果运行不了关闭liunx的SELinux echo 0 /sys/fs/selinux/enforce。 frida工具 frida-apk
usage: frida-apk [options] path.apkpositional arguments:apk apk fileoptional arguments:-h, --help show this help message and exit-O FILE, --options-file FILEtext file containing additional command line options--version show programs version number and exit-o OUTPUT, --output OUTPUToutput pathfrida-compile
usage: frida-compile [options] modulepositional arguments:module TypeScript/JavaScript module to compileoptional arguments:-h, --help show this help message and exit-O FILE, --options-file FILEtext file containing additional command line options--version show programs version number and exit-o OUTPUT, --output OUTPUTwrite output to file-w, --watch watch for changes and recompile-S, --no-source-maps omit source-maps-c, --compress compress using terser-v, --verbose be verbosefrida-ps
usage: frida-ps [options]optional arguments:-h, --help show this help message and exit-D ID, --device ID connect to device with the given ID-U, --usb connect to USB device-R, --remote connect to remote frida-server-H HOST, --host HOST connect to remote frida-server on HOST--certificate CERTIFICATEspeak TLS with HOST, expecting CERTIFICATE--origin ORIGIN connect to remote server with “Origin” header set to ORIGIN--token TOKEN authenticate with HOST using TOKEN--keepalive-interval INTERVALset keepalive interval in seconds, or 0 to disable (defaults to -1 to auto-select based on transport)--p2p establish a peer-to-peer connection with target--stun-server ADDRESSset STUN server ADDRESS to use with --p2p--relay address,username,password,turn-{udp,tcp,tls}add relay to use with --p2p-O FILE, --options-file FILEtext file containing additional command line options--version show programs version number and exit-a, --applications list only applications-i, --installed include all installed applications-j, --json output results as JSONfrida API
先看看python的frida库有哪些能力 通过一道CTF题来认识一下frida
题目文件查看文章绑定的资源。
一道看雪的题目打开APP执行一下看看 有了关键字反编译app后搜索一下就在main中可以清晰的看到入口处理逻辑 主要处理逻辑在这个vvvv里面只有vvvv通过验证就会返回flag进去vvvv里面看看 有两个判断条件一个是两个地方输入的长度总共要等于5一个是要和bytes§一样也就是说返回跟”6f452303f18605510aac694b0f5736beebf110bf“一样的内容就可以通过这里为了学习如何使用frida就先绕过验证因为要拿flag的话需要进行爆破从题目提示得知5位数字然后经过eeee处理后等于bytes§就是对应的flag了
先试着简单打印我们输入的内容
function main(){//frida的main函数入口Java.perform(function() { //获取包名类方法Java.use(com.kanxue.pediy1.VVVVV).VVVV.implementation function(x,y){//hook逻辑var result this.VVVV(x,y);console.log(x,y,result:,x,y,result);return result;}})
}
setImmediate(main)当然frida支持多种方式调用上面是js脚本可以直接用frida命令的方式调用
也可以使用python的frida库调用js的方式来执行如下
import frida# 1. 用户输入目标进程名称
target_process input(请输入目标进程名称)# 2. 通过进程名称附加到目标进程
process frida.get_usb_device().attach(target_process)# 3. 读取JavaScript文件内容
with open(exp.js, r) as file:js_code file.read()# 4. 创建一个Frida脚本
script process.create_script(js_code)# 5. 定义回调函数用于处理脚本的消息
def on_message(message, data):print([*] Message:, message)# 6. 注册回调函数
script.on(message, on_message)# 7. 加载并运行脚本
script.load()# 8. 保持脚本运行直到手动停止
input([!] Press Enter to stop...)# 9. 分离脚本并关闭Frida会话
script.unload()
process.detach()思路是通过篡改eeee函数执行结果让eeee返回跟bytes§一样的内容即可让程序验证通过
function main(){Java.perform(function() {Java.use(com.kanxue.pediy1.VVVVV).eeeee.implementation function(x){var result this.eeeee(x);console.log(x,result:,x,result);var v result;v Java.use(java.lang.String).$new(6f452303f18605510aac694b0f5736beebf110bf).getBytes();console.log(v);return v;}})
}
setImmediate(main)上面只是绕过了程序验证并非题目实际的flag要获得真实flag还需要对5位数字进行爆破
下面是爆破flag的脚本
function firethehome(){Java.perform(function(){var VVVVV_Class Java.use(com.kanxue.pediy1.VVVVV)console.log(VVVVV_Class:, VVVVV_Class)VVVVV_Class.eeeee.implementationfunction(x){var result this.eeeee(x);console.log(VVVVV.eeeee is hook! x ,result,x,JSON.stringify(result));return result;}var ByteString Java.use(com.android.okhttp.okio.ByteString);console.log(ByteString);var pSign Java.use(java.lang.String).$new(6f452303f18605510aac694b0f5736beebf110bf).getBytes();console.log( ByteString.of(pSign).hex());// 爆破5位for(var i 9999;i100000;i){console.log(ii);var v Java.use(java.lang.String).$new(String(i));var vSign VVVVV_Class.eeeee(v);console.log(vSign:,ByteString.of(vSign).hex());if(ByteString.of(vSign).hex() ByteString.of(pSign).hex()){console.log(ii);break;}}})
}
setImmediate(firethehome)Frida及Brida学习记录 - 先知社区
JavaScript API
Frida Android hook
[原创]举杯邀Frida对影成三题-Android安全-看雪-安全社区|安全招聘|kanxue.com
漏洞悬赏计划涂鸦智能安全响应中心https://src.tuya.com欢迎白帽子来探索。
