import frida,sys
def on_message(message,data):
if message['type'] == 'send':
print("[*] {0}".format(message['payload']))
else:
print(message)
jscode = """
//打印调用堆栈
function printstack(){
send(Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Exception").$new()));
}
//array 转成 string
function array2string(array){
var buffer = Java.array('byte',array);
var result = "";
for(var i = 0; i< buffer.length; ++i){
result += (String.fromCharCode(buffer[i]));
}
return result;
}
Java.perform(
function(){
var MessageDigest = Java.use('java.security.MessageDigest');
MessageDigest.update.overload('[B').implementation = function(bytesarray){
send('I am here 0:');
//var String = Java.use('java.lang.String').$new(bytesarray);
send("ori:"+array2string(bytesarray));
printstack();
this.update(bytesarray);
},
MessageDigest.update.overload('java.nio.ByteBuffer').implementation = function(bytesarray){
send('I am here 1:');
//var String = Java.use('java.lang.String').$new(bytesarray);
//send("ori:"+array2string(bytesarray));
//printstack();
this.update(bytesarray);
},
MessageDigest.update.overload('byte').implementation = function(bytesarray){
send('I am here 2:');
//var String = Java.use('java.lang.String').$new(bytesarray);
//send("ori:"+array2string(bytesarray));
//printstack();
this.update(bytesarray);
},
MessageDigest.update.overload('[B', 'int', 'int').implementation = function(bytesarray){
send('I am here 3:');
//var String = Java.use('java.lang.String').$new(bytesarray);
//send("ori:"+array2string(bytesarray));
//printstack();
this.update(bytesarray);
},
//hook什么加密方法
MessageDigest.getInstance.overloads[0].implementation = function(algorithm){
send("call ->fetInstance for " + algorithm);
return this.getInstance.overloads[0].apply(this,arguments);
};
})
"""
process = frida.get_usb_device(timeout=1000).attach('包名')
script = process.create_script(jscode)
script.on('message',on_message)
print('[*] Running CTF')
script.load()
sys.stdin.read()
frida hook md5加密类
发布时间 2023-08-08 11:58:07作者: CJTARRR