{"id":225,"date":"2024-05-12T00:28:22","date_gmt":"2024-05-11T16:28:22","guid":{"rendered":"https:\/\/noobxiaomeng.top\/?p=225"},"modified":"2024-07-16T16:42:42","modified_gmt":"2024-07-16T08:42:42","slug":"swpu-2019easyapp-android_first","status":"publish","type":"post","link":"https:\/\/noobxiaomeng.top\/index.php\/2024\/05\/12\/swpu-2019easyapp-android_first\/","title":{"rendered":"[SWPU 2019]easyapp\u2014\u2014Android\u306e\u521d\u4f53\u9a8c"},"content":{"rendered":"

\u524d\u8a00<\/h3>\n

\u5728\u5237mobile\u9898\u7684\u65f6\u5019\u9047\u89c1\u4e86\u8fd9\u9053\u9898\uff0c\u5728\u8fd9\u9053\u9898\u4e2d\u5b66\u5230\u4e86\u8bb8\u591a\u65b0\u7684\u4e1c\u897f\uff0c\u7279\u6b64\u8bb0\u5f55\u4e00\u4e0b\uff0c\u6574\u7bc7\u4e0b\u6765\u771f\u7684\u662f\u624b\u628a\u624b\uff0c\u4fdd\u59c6\u7ea7\u6559\u5b66<\/p>\n

\u9898\u76ee\u4e0b\u8f7d\uff1aMOIBLE-easyapp<\/a><\/p>\n

\u5206\u6790\u7a0b\u5e8f\u4ee3\u7801<\/h3>\n

Java\u5c42<\/h4>\n

\u4e0b\u8f7d\u9644\u4ef6\u4e4b\u540e\u67e5\u770b\u6587\u4ef6\u4fe1\u606f\u53d1\u73b0\u662f\u4e00\u4e2a\u6ca1\u6709\u52a0\u56fa\u7684.apk\u6587\u4ef6\uff0c\u6211\u4eec\u7528JEB\u770b\u770b\uff1a<\/p>\n

\u8fdb\u5165MainActivity\u4e4b\u540e\u53ef\u4ee5\u770b\u89c1\uff1a<\/p>\n

package com.example.ndktest2;\n\nimport android.os.Bundle;\nimport android.view.View.OnClickListener;\nimport android.view.View;\nimport android.widget.Button;\nimport android.widget.EditText;\nimport android.widget.Toast;\nimport androidx.appcompat.app.AppCompatActivity;\n\npublic class MainActivity extends AppCompatActivity {\n    private EditText password;\n\n    static {\n        System.loadLibrary("native-lib");\n    }\n\n    public native String Encrypt() {\n    }\n\n    @Override  \/\/ androidx.appcompat.app.AppCompatActivity\n    protected void onCreate(Bundle savedInstanceState) {\n        super.onCreate(savedInstanceState);\n        this.setContentView(0x7F09001C);  \/\/ layout:activity_main\n        EditText password = (EditText)this.findViewById(0x7F07005B);  \/\/ id:password\n        ((Button)this.findViewById(0x7F07004E)).setOnClickListener(new View.OnClickListener() {  \/\/ id:login\n            @Override  \/\/ android.view.View$OnClickListener\n            public void onClick(View view) {\n                if(password.getText().toString().equals(MainActivity.this.Encrypt())) {\n                    Toast.makeText(MainActivity.this, "\u767b\u5f55\u6210\u529f", 1).show();\n                    return;\n                }\n\n                Toast.makeText(MainActivity.this, "\u767b\u5f55\u5931\u8d25", 0).show();\n            }\n        });\n    }\n}\n<\/code><\/pre>\n
\u53ef\u4ee5\u770b\u89c1\u8c03\u7528\u4e86\u672c\u5730\u5e93\u4e2d\u7684"native-lib"\uff0c\u6211\u4eec\u53ef\u4ee5\u4eceLibraries\u4e2d\u67e5\u770b\u8fd9\u4e9b\u672c\u5730\u5e93\u6587\u4ef6
\n
\"\"<\/div><\/a><\/p>\n
\u5176\u4e2dpublic native String Encrypt()<\/code>\u4f7f\u7528\u4e86.so\u6587\u4ef6\u4e2d\u7684Encrypt()\u51fd\u6570\u6765\u52a0\u5bc6flag\uff0c\u6211\u4eec\u4f7f\u7528IDA\u5bfc\u5165libnative-lib.so\u6587\u4ef6\u67e5\u770b\u4e00\u4e0b\u8fd9\u4e2a\u51fd\u6570<\/p>\n
native\u5c42<\/h4>\n
\u6211\u4eec\u5728\u51fd\u6570\u7a97\u53e3\u76f4\u63a5\u641c\u7d22Encrypt\u51fd\u6570\uff1a
\n
\"\"<\/div><\/a><\/p>\n
\u53ef\u4ee5\u770b\u89c1\u53ea\u6709\u4e00\u4e2a\u51fd\u6570\uff0c\u6211\u4eec\u76f4\u63a5\u8fdb\u53bb\u5c31\u53ef\u4ee5\u4e86<\/p>\n
\u5f53\u65f6\u4ee5\u4e3a\u662f\u4e00\u4e2abase64\u52a0\u5bc6\uff0c\u4f20\u5165\u53c2\u6570v5\u4e5f\u5c31\u662f\u4e0a\u9762\u7684\u4e00\u4e9b\u5b57\u7b26\u4e32\u8fdb\u884cbase64\u52a0\u5bc6\uff0c\u53c2\u6570v7\u662fbase64\u7801\u8868\uff0c\u51fd\u6570\u7684\u8fd4\u56de\u503c\u5c31\u662f\u7f16\u7801\u7ed3\u679c\u3002\u7136\u540e\u8fd4\u56de\u503c\u4e0eflag{wllmwelcome<\/code>\u62fc\u63a5\u5c31\u662f\u7ed3\u679c\u4e86<\/p>\n
\u7136\u540e\u53d1\u73b0\u4e0d\u5bf9\uff0c\u4e8e\u662f\u5728\u51fd\u6570\u5f00\u5934\u4e0b\u4e00\u4e2a\u65ad\u70b9\u770b\u770b\u4ec0\u4e48\u60c5\u51b5\uff1a
\n
\"\"<\/div><\/a><\/p>\n
\u7ed3\u679c\u53d1\u73b0\u8fd8\u6ca1\u8dd1\u5230\u65ad\u70b9\u5904\u5c31\u767b\u5f55\u5931\u8d25\u4e86\uff0c\u60f3\u60f3\u522b\u7684\u529e\u6cd5\u5427<\/p>\n
\u540e\u9762\u901a\u8fc7\u4e86\u89e3\uff0c\u77e5\u9053\u4e86NewStringUTF<\/code> \u662f\u4e00\u4e2aJNI\u51fd\u6570\uff0c\u7528\u4e8e\u5c06\u672c\u5730\u7684C\u6216C++\u5b57\u7b26\u4e32\u8f6c\u6362\u4e3aJava\u7684UTF-8\u5b57\u7b26\u4e32\uff0c\u8fd9\u4e2a\u51fd\u6570\u5728\u771f\u6b63\u7684\u52a0\u5bc6\u51fd\u6570\u4e4b\u4e2d\u80af\u5b9a\u4e5f\u4f1a\u88ab\u7528\u5230\u7684\uff0c\u800c\u5047\u7684\u52a0\u5bc6\u51fd\u6570Encrypt\u4e2d\u4e5f\u8c03\u7528\u4e86\u8fd9\u4e2a\u51fd\u6570\uff0c\u6240\u4ee5\u6211\u4eec\u53bb\u8fd9\u4e2a\u51fd\u6570\u4e0b\u65ad\u70b9
\n
\"\"<\/div><\/a><\/p>\n
\u65ad\u70b9\u4e0b\u5728\uff1aA53C9093\uff0c\u56e0\u4e3apush ebp\uff1bmov ebp, esp\uff1b\u8981\u4fdd\u5b58\u6808\u5e27<\/p>\n
\u8dd1\u4e00\u4e0b\u53d1\u73b0\u8dd1\u8d77\u6765\u4e86\uff0c\u8fd9\u8bf4\u660e\u5e76\u6ca1\u6709\u53cd\u8c03\u8bd5\uff0c\u800c\u662f\u52a0\u5bc6\u51fd\u6570\u88ab\u6df7\u6dc6\u4e86\u6216\u8005\u88abhook\u4e86\uff0c\u6211\u4eec\u53ef\u4ee5\u901a\u8fc7\u51fd\u6570\u8c03\u7528\u6808\u627e\u5230\u771f\u6b63\u7684\u52a0\u5bc6\u51fd\u6570
\n
\"\"<\/div><\/a>
\n
\"\"<\/div><\/a><\/p>\n
\u6240\u8c13\u51fd\u6570\u8c03\u7528\u6808\u5c31\u662f\u5f53\u6211\u4eec\u6bcf\u4e00\u4e2a\u51fd\u6570\u88ab\u8c03\u7528\u65f6\uff0c\u90fd\u4f1a\u5728\u51fa\u6808\u5165\u6808\u65f6\u7559\u4e0b\u81ea\u5df1\u7684\u8db3\u8ff9\uff0c\u5728\u5bc4\u5b58\u5668ebp\u4e2d\u3002\u4e8e\u662f\u6211\u4eec\u5c31\u53ef\u4ee5\u901a\u8fc7\u51fd\u6570\u8c03\u7528\u6808\u627e\u5230\u54ea\u4e00\u4e2a\u51fd\u6570\u5077\u5077\u8c03\u7528\u4e86\u8fd9\u4e2a\u5b57\u7b26\u4e32\u5904\u7406\u51fd\u6570<\/p>\n
\u5173\u4e8e\u51fd\u6570\u6808\u5e27\uff1a\u3010\u8be6\u89e3\u3011\u51fd\u6570\u6808\u5e27\u2014\u2014\u591a\u56fe\uff08c\u8bed\u8a00\uff09\u6307\u9488\u4e0e\u51fd\u6570\u503c\u4f20\u9012-CSDN\u535a\u5ba2<\/a><\/p>\n
\u6700\u7ec8\u627e\u5230\u771f\u6b63\u7684\u52a0\u5bc6\u51fd\u6570\u662ftest<\/p>\n
\u8fdb\u4e00\u6b65\u63a2\u7a76\u51fd\u6570\u662f\u5982\u4f55\u88ab\u6df7\u6dc6\u7684<\/h4>\n
\u4f5c\u4e3a\u4e00\u540d\u9006\u5411\u5de5\u7a0b\u7231\u597d\u8005\uff0c\u6700\u597d\u5177\u6709\u4e00\u9897\u80fd\u591f\u6df1\u5165\u63a2\u7a76\u7684\u597d\u5947\u5fc3\uff0c\u8fd9\u5bf9\u6211\u4eec\u662f\u975e\u5e38\u6709\u597d\u5904\u7684\u3002\u56e0\u6b64\u6211\u5c06\u7ee7\u7eed\u63a2\u7a76\u51fd\u6570\u662f\u5982\u4f55\u88ab\u6df7\u6dc6\u7684\uff0c\u800c\u4e0d\u662f\u5f97\u5230\u4e86flag\u5c31\u5306\u5306\u4e86\u4e8b<\/p>\n
\u627e\u5230\u4e00\u7bc7\u6709\u5173\u8fd9\u4e2a\u9898\u7684wp\uff0c\u6709\u5173\u8fd9\u4e2a\u9898\u7684wp\u771f\u7684\u5f88\u5c11(\u76f8\u5bf9\u4e8e\u5176\u4ed6\u9898\u76ee\u6765\u8bf4)\uff0c\u800c\u4e14\u5927\u90e8\u5206\u7684\u89e3\u6cd5\u662f\u7528Frida\u53bbhook
\n\u7b2c\u5341\u5c4aSWPUCTFwriteup-\u5b89\u5168\u5ba2 - \u5b89\u5168\u8d44\u8baf\u5e73\u53f0 (anquanke.com)<\/a>
\n\u8fd9\u4e2awp\u5176\u4e2d\u8bb2\u5230\u4e86\u4e0eJNI_OnLoad\u6709\u5173<\/p>\n
\u6211\u4eec\u901a\u8fc7\u51fd\u6570\u641c\u7d22\u7a97\u53e3\u8fdb\u5165JNI_OnLoad\u51fd\u6570\u53bb\u770b\u4e00\u4e0b<\/p>\n
int __cdecl JNI_OnLoad(_JavaVM *a1)\n{\n  void *v3; \/\/ [esp+24h] [ebp-18h] BYREF\n\n  if ( _JavaVM::GetEnv(a1, &v3, 65542) )\n    return -1;\n  if ( sub_A570(v3) )\n    return 65542;\n  return -1;\n}<\/code><\/pre>\n
\u8fdb\u5165\u4e0b\u9762\u7684sub_A570\u51fd\u6570\uff1a<\/p>\n
_BOOL4 __cdecl sub_A570(_JNIEnv *a1)\n{\n  return sub_A5F0(a1, "com\/example\/ndktest2\/MainActivity", off_38008, 1) != 0;\n}<\/code><\/pre>\n
\u53d1\u73b0\u6d89\u53ca\u4e86MainActivity\uff0c\u518d\u8fdb\u5165sub_A5F0\u51fd\u6570\u53bb\uff0c\u5728\u6b64\u4e4b\u524d\u5148\u770b\u770b\u8fd9\u7bc7JNI \u5b66\u4e60\u7b14\u8bb0\u2014\u2014\u901a\u8fc7RegisterNatives\u6ce8\u518c\u539f\u751f\u65b9\u6cd5 - \u7b80\u4e66 (jianshu.com)<\/a><\/p>\n
_BOOL4 __cdecl sub_A5F0(_JNIEnv *a1, char *a2, int a3, int a4)\n{\n  int Class; \/\/ [esp+24h] [ebp-18h]\n\n  Class = _JNIEnv::FindClass(a1, a2);\n  return Class && _JNIEnv::RegisterNatives(a1, Class, a3, a4) >= 0;\n}<\/code><\/pre>\n
\u627e\u5230\u4e86RegisterNatives\uff0c\u6ce8\u518cnative
\n\u518d\u8fdb\u5165RegisterNatives\uff0c\u53d1\u73b0\u8fd4\u56de\u4e86JNINAtiveMethod\uff0c\u8fd9\u662f\u4e00\u4e2a\u7ed3\u6784\u4f53
\n
\"\"<\/div><\/a>
\nJNINativeMethod \u7ed3\u6784\u4f53\u6570\u7ec4\u7528\u4e8e\u5728JNI\u4e2d\u6ce8\u518c\u672c\u5730\u65b9\u6cd5\u3002\u4e0d\u5f97\u4e0d\u8bf4\uff0c\u6ce8\u518c\u7684\u8fc7\u7a0b\u4e0eWindowsAPI\u6709\u4e9b\u8bb8\u5f02\u66f2\u540c\u5de5\u4e4b\u5999<\/p>\n
\u5176\u7ed3\u6784\u4f53\u5305\u542b\u4ee5\u4e0b\u5b57\u6bb5\uff1a<\/p>\n
`char* name` \u672c\u5730\u65b9\u6cd5\n`char* signature` \u7b7e\u540d\n`void* fnPtr` \u5b9e\u9645\u7684\u672c\u5730\u51fd\u6570<\/code><\/pre>\n
\u6211\u4eec\u56de\u5230RegisterNatives\u7684\u4e0a\u7ea7\u51fd\u6570sub_A570\uff0c\u53d1\u73b0\u5b83\u7684\u8fd4\u56de\u51fd\u6570sub_A5F0\u5373RegisterNatives\u5176\u4e2d\u7684\u53c2\u6570\u4e2d\u7684off_38008\u6b63\u597d\u7b26\u5408\u4e0a\u8ff0\u7684\u7ed3\u6784\u4f53\uff1a
\n
\"\"<\/div><\/a><\/p>\n
\u5176\u4e2d getNativeString \u4e3aJava\u7c7b\u4e2d\u5b9a\u4e49\u7684Native\u65b9\u6cd5\u540d\u3002
\n()Ljava\/lang\/String; \u4e3a\u65b9\u6cd5\u7684\u7b7e\u540d\uff0c () \u8868\u793a\u8be5\u65b9\u6cd5\u65e0\u53c2\u6570\uff0c Ljava\/lang\/String; \u8868\u793a\u8fd4\u56de\u503c\u4e3a
\nJava\u4e2d\u7684String\u7c7b\u578b\u3002<\/p>\n
\u6240\u4ee5Encrypt\u51fd\u6570\u53ea\u662f\u672c\u5730\u65b9\u6cd5\uff0c\u5b9e\u9645\u4e0a\u7684\u672c\u5730\u51fd\u6570\u5373\u771f\u6b63\u7684\u52a0\u5bc6\u51fd\u6570\u5c31\u662ftest\u51fd\u6570<\/p>\n
\u89e3\u6cd5\u4e00\uff1a\u52a8\u6001\u8c03\u8bd5.so\u6587\u4ef6<\/h3>\n
\u51c6\u5907\u5de5\u4f5c<\/h4>\n
\u672c\u6b21\u5b66\u4e60\u52a8\u8c03.so\u6587\u4ef6\u4e3b\u8981\u6765\u6e90\u662f\uff1a
\nadb\u67e5\u770b\u624b\u673a\u8bbe\u5907\u578b\u53f7\u3001\u54c1\u724c\u3001\u673a\u578b\u7b49\u4fe1\u606f_abd \u83b7\u53d6\u624b\u673a\u578b\u53f7-CSDN\u535a\u5ba2<\/a><\/p>\n
Frida\u5b89\u88c5\u4e0e\u4f7f\u7528\uff0c\u5bf9nu1lbook\u7b2c\u56db\u7ae0-\u6570\u5b57\u58f3\u7684\u4f20\u8bf4\u9898\u76ee\u8fdb\u884c\u8131\u58f3_\u6570\u5b57\u58f3 frida-CSDN\u535a\u5ba2<\/a><\/p>\n
\u4ee5\u53ca\u5b66\u957f\u7684\u624b\u628a\u624b\u6559\u5b66\uff09<\/p>\n
\u672c\u6b21\u7528\u5230\u7684\u8bbe\u5907\u662f\uff1a\u96f7\u7535\u6a21\u62df\u5668\u3001JEB4.20.0\u3001IDA Pro 8.3\u3001Windows\u3001ADB<\/p>\n
\u8fd9\u91cc\u9700\u8981\u6ce8\u610f\uff0c\u7531\u4e8e\u9898\u76ee\u6587\u4ef6\u8fc7\u4e8e\u8001\u65e7\uff0c\u9700\u8981\u5b89\u53535\u53ca\u4ee5\u4e0b\u7684\u5b89\u5353\u624b\u673a\/\u6a21\u62df\u5668\uff0c\u5426\u5219\u7a0b\u5e8f\u4f1a\u7531\u4e8e\u4e0d\u9002\u914d\u800c\u5d29\u6e83\uff01\u5f53\u65f6\u6211\u8fd9\u91cc\u5361\u4e86\u5f88\u4e45\uff0c\u7ed3\u679c\u53d1\u73b0\u662f\u7248\u672c\u7684\u95ee\u9898.\u3002\u3002<\/p>\n
\u642d\u5efa\u6a21\u62df\u5668\u4e0eIDA\u4e4b\u95f4\u7684\u6865\u6881<\/h4>\n
\u9996\u5148\u542f\u52a8\u6a21\u62df\u5668\uff0c\u540c\u65f6\u5c06APK\u6587\u4ef6\u5b89\u88c5\u8fdb\u6a21\u62df\u5668<\/p>\n
\u518d\u6253\u5f00Windows\u7684\u7ec8\u7aef\uff0ccmd\u548cpowershell\u90fd\u53ef\u4ee5\uff0c\u8f93\u5165adb devices<\/code>\u67e5\u770b\u6709\u51e0\u4e2a\u624b\u673a\u8bbe\u5907\uff1a
\n
\"\"<\/div><\/a>
\n\u53ea\u6709\u4e00\u4e2a\u8bbe\u5907\u88ab\u641c\u7d22\u5230\uff0c\u7aef\u53e3\u662f5037\uff0c\u4f46\u662f\u56e0\u4e3a\u53ea\u6709\u4e00\u4e2a\u8bbe\u5907\u7aef\u53e3\u5c31\u4e0d\u7528\u7ba1\u4e86<\/p>\n
\u8f93\u5165adb shell<\/code>\u8fde\u63a5\u5230\u624b\u673a\uff0c\u518d\u8f93\u5165getprop ro.product.cpu.abi<\/code>\u67e5\u770b\u624b\u673a\u578b\u53f7\uff1a
\n
\"\"<\/div><\/a><\/p>\n
\u77e5\u9053\u662fx86\u7684\u67b6\u6784\u4e4b\u540e\u6211\u4eec\u5c31\u53ef\u4ee5\u628aIDA\u4e2d\u5bf9\u5e94\u7684server push\u8fdb\u6a21\u62df\u5668\u4e86<\/p>\n
server\u5728IDA\u6240\u5728\u6587\u4ef6\u76ee\u5f55\u7684dbgsrv<\/code>\u6587\u4ef6\u5939\u4e2d\uff1a
\n
\"\"<\/div><\/a><\/p>\n
\u524d\u4e24\u4e2aserver\u662farm\u67b6\u6784\u7684\uff0c\u6211\u4eec\u9700\u8981\u7528\u5230\u7684\u662f\u540e\u9762\u7684x86\u67b6\u6784<\/p>\n
\u8f93\u5165exit<\/code>\u9000\u51faadb shell\u6a21\u5f0f\uff0c\u5c06android_x86_server<\/code>push\u8fdb\u6a21\u62df\u5668\u4e2d\uff1a
\n
\"\"<\/div><\/a><\/p>\n
\u518d\u6b21\u8fdb\u5165adb shell\u6a21\u5f0f\uff0ccd\u5230server\u6240\u5728\u7684\u76ee\u5f55\u7ed9\u4e88\u6587\u4ef6\u6743\u9650\uff0c\u7136\u540e\u8fd0\u884c\uff1a
\n
\"\"<\/div><\/a><\/p>\n
\u5982\u56fe\u6240\u793a\u5c31\u7b97\u662f\u8fd0\u884c\u6210\u529f\u4e86<\/p>\n
\u518d\u91cd\u65b0\u6253\u5f00\u53e6\u4e00\u4e2acmd\uff0c\u5c06\u6a21\u62df\u5668\u7684\u7aef\u53e3\u8f6c\u53d1\u5230\u7535\u8111\uff0c\u82e5\u4e0d\u6267\u884c\u6b64\u6b65\u9aa4\uff0c\u53ef\u80fd\u4f1a\u5bfc\u81f4\u4f7f\u7528IDA\u8c03\u8bd5\u65f6\u65e0\u6cd5\u8fde\u63a5\u5230\u6a21\u62df\u5668\uff1a
\n
\"\"<\/div><\/a><\/p>\n
\u4f7f\u7528JEB\u542f\u52a8\u8c03\u8bd5<\/h4>\n
\u9996\u5148\u6253\u5f00JEB\u5bfc\u5165apk\u6587\u4ef6\uff0c\u5728manifest\u770b\u662f\u5426\u6709\u8c03\u8bd5\u6743\u9650
\n
\"\"<\/div><\/a>
\n\u8fd9\u91cc\u663e\u793a\u7684\u662ftrue\u5c31\u8868\u793a\u6709\u6587\u4ef6\u8c03\u8bd5\u6743\u9650\uff0c\u540c\u65f6\u6211\u4eec\u8fd8\u53ef\u4ee5\u627e\u5230\u5305\u540d\uff1a
\n<activity android:name="com.example.ndktest2.MainActivity"><\/code><\/p>\n
\u5728cmd\u4e2d\u542f\u52a8\u8c03\u8bd5\uff1a\u8f93\u5165\u547d\u4ee4adb shell am start -D -n com.example.ndktest2\/.MainActivity<\/code>
\n
\"\"<\/div><\/a>
\n\u8fd9\u5c31\u7b97\u662f\u542f\u52a8\u6210\u529f\u4e86\uff0c\u6211\u4eec\u53ef\u4ee5\u5728\u6a21\u62df\u5668\u4e2d\u770b\u89c1\u7b49\u5f85\u8c03\u8bd5\u7684\u9875\u9762\uff1a
\n
\"\"<\/div><\/a><\/p>\n
\u8fd9\u65f6\u6211\u4eec\u5c31\u53ef\u7528JEB\u542f\u52a8app\u8c03\u8bd5\u4e86\uff0c\u5728debugger\u7a97\u53e3\u70b9\u51fb\u5f00\u59cb
\n
\"\"<\/div><\/a><\/p>\n
\u53cc\u51fb\u4e0b\u9762\u7684\u8fdb\u7a0b\u5c31\u53ef\u4ee5\u542f\u52a8\u4e86\uff0c\u6211\u4eec\u5c31\u4f1a\u5728\u6a21\u62df\u5668\u4e2d\u770b\u89c1\u7a0b\u5e8f\u6b63\u5e38\u8fd0\u884c<\/p>\n
\"\"<\/div><\/a><\/p>\n
\u5728IDA\u4e2d\u8c03\u8bd5.so\u6587\u4ef6<\/h4>\n
\u5728\u5b8c\u6210\u4e0a\u8ff0\u6b65\u9aa4\u4e4b\u540e\uff0c\u6211\u4eec\u5c31\u5df2\u7ecf\u5b8c\u6210\u4e86\u4f7f\u7528IDA Pro\u8c03\u8bd5.so\u6587\u4ef6\u7684\u6240\u6709\u524d\u7f6e\u51c6\u5907\u5de5\u4f5c\u4e86<\/p>\n
\u5728JEB\u4e2d\u5c06.so\u6587\u4ef6\u5bfc\u51fa\u6765\uff1a
\n
\"\"<\/div><\/a><\/p>\n
\u5728IDA\u4e2d\u6253\u5f00\uff0c\u5728\u52a0\u5bc6\u51fd\u6570\u5904\u4e0b\u65ad\u70b9\uff1a
\n
\"\"<\/div><\/a>
\n\u70b9\u51fbRemote Linux debugger\u6a21\u5f0f<\/p>\n
\u70b9\u51fbdebugger\u7a97\u53e3\u4e2d\u7684Process options\uff1a
\n
\"\"<\/div><\/a><\/p>\n
\u5728\u7a97\u53e3\u4e2d\u8f93\u5165\u9ed8\u8ba4IP\uff1a
\n
\"\"<\/div><\/a><\/p>\n
\u518d\u4f7f\u7528Attach\u6a21\u5f0f\u53bbdebugger
\n
\"\"<\/div><\/a><\/p>\n
\u4f1a\u51fa\u73b0\u4e00\u4e2a\u7a97\u53e3\uff1a
\n
\"\"<\/div><\/a>
\n\u5728\u8fd9\u4e2a\u7a97\u53e3\u9009\u62e9\u8fdb\u7a0b\u5c31\u884c\u4e86<\/p>\n
\u542f\u52a8\u8c03\u8bd5\u4e4b\u540e\u4f1a\u51fa\u73b0\u4e00\u4e2a\u62a5\u9519\u7a97\u53e3\uff1a
\n
\"\"<\/div><\/a><\/p>\n
\u6211\u4eec\u70b9\u51fbSame\u5c31\u53ef\u4ee5\u8fdb\u5165\u8c03\u8bd5\u4e86<\/p>\n
\u4e0d\u8fc7\u597d\u50cf\u662f\u6709\u5165\u53e3\u65ad\u70b9\u7684\uff0c\u6211\u4eec\u9700\u8981\u518d\u6b21\u70b9\u51fb\u8fd0\u884c\u7a0b\u5e8f
\n
\"\"<\/div><\/a><\/p>\n
\u7136\u540e\u5c31\u53ef\u4ee5\u5728\u6a21\u62df\u5668\u4e0a\u8fdb\u884c\u8f93\u5165\u4e86\u3002\u6211\u4eec\u968f\u4fbf\u8f93\u70b9\u4ec0\u4e48\u4e1c\u897f\uff1a
\n
\"\"<\/div><\/a><\/p>\n
\u70b9\u51fb\u767b\u5f55\uff0cIDA\u5c31\u4f1a\u8fd0\u884c\u5230\u65ad\u70b9\u5904\uff0c\u5c31\u8ddf\u6211\u4eec\u5e73\u5e38\u4f7f\u7528IDA\u8fdb\u884c\u672c\u5730\u8c03\u8bd5\u4e00\u6837<\/p>\n
\"\"<\/div><\/a><\/p>\n
\u518dF8\u5355\u6b65\u5230\u52a0\u5bc6\u51fd\u6570\u5c31\u884c\u4e86\uff1a
\n
\"\"<\/div><\/a><\/p>\n
\u53ef\u4ee5\u53cc\u51fbv1\u8fdb\u53bb\u67e5\u770b\u6570\u636e\uff1a
\n
\"\"<\/div><\/a><\/p>\n
\u63d0\u53d6\u51fa\u6765\u5c31\u83b7\u53d6\u5230flag\u4e86\uff1aYouaretheB3ST<\/code><\/p>\n
\u89e3\u6cd5\u4e8c\uff1a\u4f7f\u7528Frida\u53bbhook\u51fd\u6570<\/h3>\n
\u51c6\u5907\u5de5\u4f5c<\/h4>\n
\u6211\u4eec\u5728\u9762\u5bf9\u4e0d\u540c\u7248\u672c\u7684\u5b89\u5353\u73af\u5883\u65f6\u6709\u4e0d\u540c\u7684Frida\u7248\u672c\u66f4\u9002\u914d\uff0c\u6bd4\u5982Android 8.1 \u9002\u5408Frida12.8.X \u7cfb\u5217\u7684\uff0cAndroid 10 \u9002\u5408Frida 14\u4ee5\u4e0a\u7684\uff0c\u90a3\u4e48\u4e0d\u65ad\u7684\u91cd\u590d\u5b89\u88c5\u662f\u6ca1\u6709\u6548\u7387\u7684\u4e8b\u60c5\uff0c\u6240\u4ee5\u9700\u8981\u80fd\u7b80\u5355\u7ba1\u7406\u591a\u4e2aPython\u73af\u5883\u7684\u5de5\u5177\u3002\u5e38\u89c1\u7684python\u7ba1\u7406\u5de5\u5177\u6709pyenv\u3001virtualenvwrapper\u3001anaconda\u3001miniconda\u7b49\uff0c\u4f46\u5176\u4e2d\u4e5f\u6709\u4e00\u4e9b\u4e0d\u592a\u9002\u5408\u5728Windows\u7cfb\u7edf\u4e0a\u5b89\u88c5\u548c\u4f7f\u7528\uff0c\u672c\u6b21\u6211\u4f7f\u7528\u7684\u662fanaconda
\nanaconda\u7684\u5b89\u88c5\u548c\u4f7f\u7528\uff08\u7ba1\u7406python\u73af\u5883\u770b\u8fd9\u4e00\u7bc7\u5c31\u591f\u4e86\uff09-CSDN\u535a\u5ba2<\/a><\/p>\n
\u5b98\u7f51\u4e0b\u8f7d\u5730\u5740\uff1ahttps:\/\/www.anaconda.com\/download<\/a><\/p>\n
\u4e0b\u8f7d\u4e4b\u540e\u8ddf\u7740\u5b89\u88c5\u5c31\u884c\u4e86\uff0c\u4e00\u8defnext\uff0c\u53ef\u4ee5\u81ea\u5b9a\u4e49\u5b89\u88c5\u8def\u5f84\u7684\uff0c\u4e0d\u7528\u5b89\u5728C\u76d8<\/p>\n
\u5b89\u88c5\u5408\u9002\u7684python\u73af\u5883<\/h4>\n
\u88c5\u597danaconda\u4e4b\u540e\u6211\u4eec\u53ef\u4ee5\u5728win\u4e2d\u627e\u5230\u7ec8\u7aef\uff0c\u6211\u4eec\u8fdb\u5165anaconda\u7684\u7ec8\u7aef\uff1a
\n\u53ef\u4ee5\u5148\u67e5\u770b\u76ee\u524dpython\u7248\u672c\uff1a<\/p>\n
(base) C:\\Users\\11043>conda info\n\n     active environment : base\n    active env location : F:\\Anaconda\n            shell level : 1\n       user config file : C:\\Users\\11043\\.condarc\n populated config files : C:\\Users\\11043\\.condarc\n          conda version : 24.1.2\n    conda-build version : 24.1.2\n         python version : 3.11.7.final.0\n                 solver : libmamba (default)\n       virtual packages : __archspec=1=x86_64\n                          __conda=24.1.2=0\n                          __cuda=12.3=0\n                          __win=0=0\n       base environment : F:\\Anaconda  (read only)\n      conda av data dir : F:\\Anaconda\\etc\\conda\n  conda av metadata url : None\n           channel URLs : https:\/\/repo.anaconda.com\/pkgs\/main\/win-64\n                          https:\/\/repo.anaconda.com\/pkgs\/main\/noarch\n                          https:\/\/repo.anaconda.com\/pkgs\/r\/win-64\n                          https:\/\/repo.anaconda.com\/pkgs\/r\/noarch\n                          https:\/\/repo.anaconda.com\/pkgs\/msys2\/win-64\n                          https:\/\/repo.anaconda.com\/pkgs\/msys2\/noarch\n          package cache : F:\\Anaconda\\pkgs\n                          C:\\Users\\11043\\.conda\\pkgs\n                          C:\\Users\\11043\\AppData\\Local\\conda\\conda\\pkgs\n       envs directories : C:\\Users\\11043\\.conda\\envs\n                          F:\\Anaconda\\envs\n                          C:\\Users\\11043\\AppData\\Local\\conda\\conda\\envs\n               platform : win-64\n             user-agent : conda\/24.1.2 requests\/2.31.0 CPython\/3.11.7 Windows\/10 Windows\/10.0.22631 solver\/libmamba conda-libmamba-solver\/24.1.0 libmambapy\/1.5.6 aau\/0.4.3 c\/VZAbQE--iNbp2n9VDN0GPQ s\/RRYVJsYFGmMR0XKsAo2GOA\n          administrator : False\n             netrc file : None\n           offline mode : False<\/code><\/pre>\n
\u4e0b\u9762\u6211\u4eec\u6765\u8f93\u5165\u4e00\u4e2a\u6307\u4ee4\u6765\u521b\u5efapython3.7\u7684\u73af\u5883\uff1aconda create -n python37 python=3.7<\/code><\/p>\n
(base) C:\\Users\\11043>conda create -n python37 python=3.7\nChannels:\n - defaults\nPlatform: win-64\nCollecting package metadata (repodata.json): done\nSolving environment: done\n\n## Package Plan ##\n\n  environment location: C:\\Users\\11043\\.conda\\envs\\python37\n\n  added \/ updated specs:\n    - python=3.7\n\nThe following packages will be downloaded:\n\n    package                    |            build\n    ---------------------------|-----------------\n    ca-certificates-2024.3.11  |       haa95532_0         128 KB\n    certifi-2022.12.7          |   py37haa95532_0         149 KB\n    openssl-1.1.1w             |       h2bbff1b_0         5.5 MB\n    pip-22.3.1                 |   py37haa95532_0         2.7 MB\n    python-3.7.16              |       h6244533_0        17.2 MB\n    setuptools-65.6.3          |   py37haa95532_0         1.1 MB\n    sqlite-3.45.3              |       h2bbff1b_0         973 KB\n    wheel-0.38.4               |   py37haa95532_0          82 KB\n    wincertstore-0.2           |   py37haa95532_2          15 KB\n    ------------------------------------------------------------\n                                           Total:        27.9 MB\n\nThe following NEW packages will be INSTALLED:\n\n  ca-certificates    pkgs\/main\/win-64::ca-certificates-2024.3.11-haa95532_0\n  certifi            pkgs\/main\/win-64::certifi-2022.12.7-py37haa95532_0\n  openssl            pkgs\/main\/win-64::openssl-1.1.1w-h2bbff1b_0\n  pip                pkgs\/main\/win-64::pip-22.3.1-py37haa95532_0\n  python             pkgs\/main\/win-64::python-3.7.16-h6244533_0\n  setuptools         pkgs\/main\/win-64::setuptools-65.6.3-py37haa95532_0\n  sqlite             pkgs\/main\/win-64::sqlite-3.45.3-h2bbff1b_0\n  vc                 pkgs\/main\/win-64::vc-14.2-h21ff451_1\n  vs2015_runtime     pkgs\/main\/win-64::vs2015_runtime-14.27.29016-h5e58377_2\n  wheel              pkgs\/main\/win-64::wheel-0.38.4-py37haa95532_0\n  wincertstore       pkgs\/main\/win-64::wincertstore-0.2-py37haa95532_2\n\nProceed ([y]\/n)? y\n\nDownloading and Extracting Packages:\n\nPreparing transaction: done\nVerifying transaction: done\nExecuting transaction: done\n#\n# To activate this environment, use\n#\n#     $ conda activate python37\n#\n# To deactivate an active environment, use\n#\n#     $ conda deactivate<\/code><\/pre>\n
\u540c\u6837\uff0c\u6211\u4eec\u7565\u5fae\u66f4\u6539\u4e00\u4e0b\u6307\u4ee4\uff0c\u4e5f\u53ef\u4ee5\u5b89\u88c5python3.8\uff1aconda create -n python38 python=3.8<\/code><\/p>\n
\u5b8c\u6210python\u73af\u5883\u7684\u5b89\u88c5\u4e4b\u540e\u6211\u4eec\u5c31\u53ef\u4ee5\u4f7f\u7528\u8be5\u73af\u5883\u4e86<\/p>\n
\u5728\u65b0\u5b89\u88c5\u7684python\u73af\u5883\u4e2d\u5b89\u88c5Frida<\/h4>\n
\u6211\u4eec\u53ef\u4ee5\u901a\u8fc7\u4f7f\u7528\u4ee5\u4e0b\u6307\u4ee4\u5728anaconda\u7ec8\u7aef\u5c06\u73af\u5883\u5207\u6362\u5230python3.7\uff1aconda activate python37<\/code><\/p>\n
\u5728\u6b64\u4e4b\u540e\u6211\u4eec\u5c31\u53ef\u4ee5\u5728python3.7\u4e2d\u5b89\u88c5frida\u4e86\uff0c\u8f93\u5165pip install frida==12.8.0<\/code>\uff1a<\/p>\n
(python37) C:\\Users\\11043>pip install frida==12.8.0\nLooking in indexes: https:\/\/mirrors.aliyun.com\/pypi\/simple\/\nCollecting frida==12.8.0\n  Downloading https:\/\/mirrors.aliyun.com\/pypi\/packages\/38\/1b\/8a462787cedda36c57227ed0babbd80c4c4cc5bc9c1f9b5aa285ed6aebba\/frida-12.8.0.tar.gz (6.9 kB)\n  Preparing metadata (setup.py) ... done\nBuilding wheels for collected packages: frida\n  Building wheel for frida (setup.py) ... done\n  Created wheel for frida: filename=frida-12.8.0-cp37-cp37m-win_amd64.whl size=16765861 sha256=9f60e1b1f00e7098ba3eb3997eb3f935c36fe6f7df005e620d934d2b9d31392c\n  Stored in directory: c:\\users\\11043\\appdata\\local\\pip\\cache\\wheels\\c7\\d7\\b2\\52787d5207a4fd6bffc3531f61a7077b3fb91f95298b575a21\nSuccessfully built frida\nInstalling collected packages: frida\nSuccessfully installed frida-12.8.0<\/code><\/pre>\n
\u5728\u7ec8\u7aef\u7684\u5f00\u5934\u6211\u4eec\u53ef\u4ee5\u770b\u89c1(base)\u53d8\u6210\u4e86(python37)\uff0c\u82e5\u6211\u4eec\u60f3\u8981\u8fd4\u56de\u539f\u672c\u7684\u73af\u5883\uff0c\u5219\u8f93\u5165conda activate base<\/code>\u5c31\u53ef\u4ee5\u4e86<\/p>\n
\u6211\u4eec\u518d\u5b89\u88c5frida-tools\uff0c\u8f93\u5165pip install frida-tools==5.4.0<\/code>\uff0c\u8fd9\u4e2a\u6307\u4ee4\u4f1a\u81ea\u52a8\u5b89\u88c5Frida\u7684\u5168\u7cfb\u5217\u7248\u672c\u4ea7\u54c1\uff1a<\/p>\n
(python37) C:\\Users\\11043>pip install frida-tools==5.4.0\nLooking in indexes: https:\/\/mirrors.aliyun.com\/pypi\/simple\/\nCollecting frida-tools==5.4.0\n  Downloading https:\/\/mirrors.aliyun.com\/pypi\/packages\/6c\/ed\/0541eb716815fedc1788e276aeb650a4fd27d17e5393c54de0be3a6373b3\/frida-tools-5.4.0.tar.gz (28 kB)\n  Preparing metadata (setup.py) ... done\nCollecting colorama<1.0.0,>=0.2.7\n  Downloading https:\/\/mirrors.aliyun.com\/pypi\/packages\/d1\/d6\/3965ed04c63042e047cb6a3e6ed1a63a35087b6a609aa3a15ed8ac56c221\/colorama-0.4.6-py2.py3-none-any.whl (25 kB)\nRequirement already satisfied: frida<13.0.0,>=12.7.3 in c:\\users\\11043\\.conda\\envs\\python37\\lib\\site-packages (from frida-tools==5.4.0) (12.8.0)\nCollecting prompt-toolkit<3.0.0,>=2.0.0\n  Downloading https:\/\/mirrors.aliyun.com\/pypi\/packages\/87\/61\/2dfea88583d5454e3a64f9308a686071d58d59a55db638268a6413e1eb6d\/prompt_toolkit-2.0.10-py3-none-any.whl (340 kB)\n     \u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501 340.0\/340.0 kB 3.0 MB\/s eta 0:00:00\nCollecting pygments<3.0.0,>=2.0.2\n  Downloading https:\/\/mirrors.aliyun.com\/pypi\/packages\/97\/9c\/372fef8377a6e340b1704768d20daaded98bf13282b5327beb2e2fe2c7ef\/pygments-2.17.2-py3-none-any.whl (1.2 MB)\n     \u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501 1.2\/1.2 MB 3.4 MB\/s eta 0:00:00\nCollecting wcwidth\n  Downloading https:\/\/mirrors.aliyun.com\/pypi\/packages\/fd\/84\/fd2ba7aafacbad3c4201d395674fc6348826569da3c0937e75505ead3528\/wcwidth-0.2.13-py2.py3-none-any.whl (34 kB)\nCollecting six>=1.9.0\n  Downloading https:\/\/mirrors.aliyun.com\/pypi\/packages\/d9\/5a\/e7c31adbe875f2abbb91bd84cf2dc52d792b5a01506781dbcf25c91daf11\/six-1.16.0-py2.py3-none-any.whl (11 kB)\nBuilding wheels for collected packages: frida-tools\n  Building wheel for frida-tools (setup.py) ... done\n  Created wheel for frida-tools: filename=frida_tools-5.4.0-py3-none-any.whl size=32056 sha256=f27841ebe95a0490b88b90b0c24c97cf3349c0bf734339f071476295673d8ccc\n  Stored in directory: c:\\users\\11043\\appdata\\local\\pip\\cache\\wheels\\1f\\52\\df\\750cf2dd60711ca0df70a88204ed2daca4a67cf5eb099482d9\nSuccessfully built frida-tools\nInstalling collected packages: wcwidth, six, pygments, colorama, prompt-toolkit, frida-tools\nSuccessfully installed colorama-0.4.6 frida-tools-5.4.0 prompt-toolkit-2.0.10 pygments-2.17.2 six-1.16.0 wcwidth-0.2.13<\/code><\/pre>\n
\u518d\u8f93\u5165pip install objection==1.8.4<\/code>\uff1a<\/p>\n
Looking in indexes: https:\/\/mirrors.aliyun.com\/pypi\/simple\/\nCollecting objection==1.8.4\n  Downloading https:\/\/mirrors.aliyun.com\/pypi\/packages\/33\/40\/d36e7f877bc8112a54c72363ee54668d633936061465a24f10c455f4e8a4\/objection-1.8.4.tar.gz (223 kB)\n     \u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501 223.6\/223.6 kB 1.7 MB\/s eta 0:00:00\n  Preparing metadata (setup.py) ... done\nRequirement already satisfied: frida in c:\\users\\11043\\.conda\\envs\\python37\\lib\\site-packages (from objection==1.8.4) (12.8.0)\nRequirement already satisfied: frida-tools<6.0.0 in c:\\users\\11043\\.conda\\envs\\python37\\lib\\site-packages (from objection==1.8.4) (5.4.0)\nRequirement already satisfied: prompt_toolkit<3.0.0,>=2.0.9 in c:\\users\\11043\\.conda\\envs\\python37\\lib\\site-packages (from objection==1.8.4) (2.0.10)\nCollecting click\n  Downloading https:\/\/mirrors.aliyun.com\/pypi\/packages\/00\/2e\/d53fa4befbf2cfa713304affc7ca780ce4fc1fd8710527771b58311a3229\/click-8.1.7-py3-none-any.whl (97 kB)\n     \u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501 97.9\/97.9 kB ? eta 0:00:00\nCollecting tabulate\n  Downloading https:\/\/mirrors.aliyun.com\/pypi\/packages\/40\/44\/4a5f08c96eb108af5cb50b41f76142f0afa346dfa99d5296fe7202a11854\/tabulate-0.9.0-py3-none-any.whl (35 kB)\nCollecting delegator.py\n  Downloading https:\/\/mirrors.aliyun.com\/pypi\/packages\/a7\/c2\/2860c52ef858c4672b6cf637f473e9139342cdb281135db9b3c32cfb0a85\/delegator.py-0.1.1-py2.py3-none-any.whl (5.0 kB)\nCollecting requests\n  Downloading https:\/\/mirrors.aliyun.com\/pypi\/packages\/70\/8e\/0e2d847013cb52cd35b38c009bb167a1a26b2ce6cd6965bf26b47bc0bf44\/requests-2.31.0-py3-none-any.whl (62 kB)\n     \u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501 62.6\/62.6 kB ? eta 0:00:00\nCollecting flask\n  Downloading https:\/\/mirrors.aliyun.com\/pypi\/packages\/9f\/1a\/8b6d48162861009d1e017a9740431c78d860809773b66cac220a11aa3310\/Flask-2.2.5-py3-none-any.whl (101 kB)\n     \u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501 101.8\/101.8 kB 5.7 MB\/s eta 0:00:00\nRequirement already satisfied: pygments in c:\\users\\11043\\.conda\\envs\\python37\\lib\\site-packages (from objection==1.8.4) (2.17.2)\nCollecting litecli==1.1.0\n  Downloading https:\/\/mirrors.aliyun.com\/pypi\/packages\/04\/4c\/b375b33afe4413cd0eabfc55514f1f4223d0cb0bc44883bb4fd36c982ebb\/litecli-1.1.0-py2.py3-none-any.whl (46 kB)\n     \u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501 46.8\/46.8 kB 1.2 MB\/s eta 0:00:00\nCollecting cli-helpers[styles]>=1.0.1\n  Downloading https:\/\/mirrors.aliyun.com\/pypi\/packages\/f1\/c5\/2deaab90ce50f2e92aaff6e80c4e06a7160f97ae03a3835ae9121a54b428\/cli_helpers-2.3.1-py3-none-any.whl (19 kB)\nCollecting configobj>=5.0.5\n  Downloading https:\/\/mirrors.aliyun.com\/pypi\/packages\/d3\/bb\/d10e531b297dd1d46f6b1fd11d018247af9f2d460037554bb7bb9011c6ac\/configobj-5.0.8-py2.py3-none-any.whl (36 kB)\nCollecting sqlparse<0.3.0,>=0.2.2\n  Downloading https:\/\/mirrors.aliyun.com\/pypi\/packages\/65\/85\/20bdd72f4537cf2c4d5d005368d502b2f464ede22982e724a82c86268eda\/sqlparse-0.2.4-py2.py3-none-any.whl (38 kB)\nCollecting importlib-metadata\n  Downloading https:\/\/mirrors.aliyun.com\/pypi\/packages\/ff\/94\/64287b38c7de4c90683630338cf28f129decbba0a44f0c6db35a873c73c4\/importlib_metadata-6.7.0-py3-none-any.whl (22 kB)\nRequirement already satisfied: colorama in c:\\users\\11043\\.conda\\envs\\python37\\lib\\site-packages (from click->objection==1.8.4) (0.4.6)\nRequirement already satisfied: six>=1.9.0 in c:\\users\\11043\\.conda\\envs\\python37\\lib\\site-packages (from prompt_toolkit<3.0.0,>=2.0.9->objection==1.8.4) (1.16.0)\nRequirement already satisfied: wcwidth in c:\\users\\11043\\.conda\\envs\\python37\\lib\\site-packages (from prompt_toolkit<3.0.0,>=2.0.9->objection==1.8.4) (0.2.13)\nCollecting pexpect>=4.1.0\n  Downloading https:\/\/mirrors.aliyun.com\/pypi\/packages\/9e\/c3\/059298687310d527a58bb01f3b1965787ee3b40dce76752eda8b44e9a2c5\/pexpect-4.9.0-py2.py3-none-any.whl (63 kB)\n     \u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501 63.8\/63.8 kB ? eta 0:00:00\nCollecting Werkzeug>=2.2.2\n  Downloading https:\/\/mirrors.aliyun.com\/pypi\/packages\/f6\/f8\/9da63c1617ae2a1dec2fbf6412f3a0cfe9d4ce029eccbda6e1e4258ca45f\/Werkzeug-2.2.3-py3-none-any.whl (233 kB)\n     \u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501 233.6\/233.6 kB 4.9 MB\/s eta 0:00:00\nCollecting itsdangerous>=2.0\n  Downloading https:\/\/mirrors.aliyun.com\/pypi\/packages\/68\/5f\/447e04e828f47465eeab35b5d408b7ebaaaee207f48b7136c5a7267a30ae\/itsdangerous-2.1.2-py3-none-any.whl (15 kB)\nCollecting Jinja2>=3.0\n  Downloading https:\/\/mirrors.aliyun.com\/pypi\/packages\/31\/80\/3a54838c3fb461f6fec263ebf3a3a41771bd05190238de3486aae8540c36\/jinja2-3.1.4-py3-none-any.whl (133 kB)\n     \u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501 133.3\/133.3 kB 8.2 MB\/s eta 0:00:00\nCollecting charset-normalizer<4,>=2\n  Downloading https:\/\/mirrors.aliyun.com\/pypi\/packages\/96\/fc\/0cae31c0f150cd1205a2a208079de865f69a8fd052a98856c40c99e36b3c\/charset_normalizer-3.3.2-cp37-cp37m-win_amd64.whl (98 kB)\n     \u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501 98.1\/98.1 kB ? eta 0:00:00\nRequirement already satisfied: certifi>=2017.4.17 in c:\\users\\11043\\.conda\\envs\\python37\\lib\\site-packages (from requests->objection==1.8.4) (2022.12.7)\nCollecting idna<4,>=2.5\n  Downloading https:\/\/mirrors.aliyun.com\/pypi\/packages\/e5\/3e\/741d8c82801c347547f8a2a06aa57dbb1992be9e948df2ea0eda2c8b79e8\/idna-3.7-py3-none-any.whl (66 kB)\n     \u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501 66.8\/66.8 kB ? eta 0:00:00\nCollecting urllib3<3,>=1.21.1\n  Downloading https:\/\/mirrors.aliyun.com\/pypi\/packages\/d2\/b2\/b157855192a68541a91ba7b2bbcb91f1b4faa51f8bae38d8005c034be524\/urllib3-2.0.7-py3-none-any.whl (124 kB)\n     \u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501 124.2\/124.2 kB 7.6 MB\/s eta 0:00:00\nCollecting typing-extensions>=3.6.4\n  Downloading https:\/\/mirrors.aliyun.com\/pypi\/packages\/ec\/6b\/63cc3df74987c36fe26157ee12e09e8f9db4de771e0f3404263117e75b95\/typing_extensions-4.7.1-py3-none-any.whl (33 kB)\nCollecting zipp>=0.5\n  Downloading https:\/\/mirrors.aliyun.com\/pypi\/packages\/5b\/fa\/c9e82bbe1af6266adf08afb563905eb87cab83fde00a0a08963510621047\/zipp-3.15.0-py3-none-any.whl (6.8 kB)\nCollecting MarkupSafe>=2.0\n  Downloading https:\/\/mirrors.aliyun.com\/pypi\/packages\/6c\/4c\/3577a52eea1880538c435176bc85e5b3379b7ab442327ccd82118550758f\/MarkupSafe-2.1.5-cp37-cp37m-win_amd64.whl (17 kB)\nCollecting ptyprocess>=0.5\n  Downloading https:\/\/mirrors.aliyun.com\/pypi\/packages\/22\/a6\/858897256d0deac81a172289110f31629fc4cee19b6f01283303e18c8db3\/ptyprocess-0.7.0-py2.py3-none-any.whl (13 kB)\nBuilding wheels for collected packages: objection\n  Building wheel for objection (setup.py) ... done\n  Created wheel for objection: filename=objection-1.8.4-py3-none-any.whl size=286310 sha256=bef993a5aa8554f2cf52c5d00b75b9d3c33d482c4743ba81580ec068c9f63122\n  Stored in directory: c:\\users\\11043\\appdata\\local\\pip\\cache\\wheels\\fc\\7e\\cf\\af9ead29c2ac430224467cccf15d3acb3ff664c1dee35d0c40\nSuccessfully built objection\nInstalling collected packages: sqlparse, ptyprocess, zipp, urllib3, typing-extensions, tabulate, pexpect, MarkupSafe, itsdangerous, idna, configobj, charset-normalizer, Werkzeug, requests, Jinja2, importlib-metadata, delegator.py, click, cli-helpers, flask, litecli, objection\nSuccessfully installed Jinja2-3.1.4 MarkupSafe-2.1.5 Werkzeug-2.2.3 charset-normalizer-3.3.2 cli-helpers-2.3.1 click-8.1.7 configobj-5.0.8 delegator.py-0.1.1 flask-2.2.5 idna-3.7 importlib-metadata-6.7.0 itsdangerous-2.1.2 litecli-1.1.0 objection-1.8.4 pexpect-4.9.0 ptyprocess-0.7.0 requests-2.31.0 sqlparse-0.2.4 tabulate-0.9.0 typing-extensions-4.7.1 urllib3-2.0.7 zipp-3.15.0<\/code><\/pre>\n
\u53ef\u4ee5\u8f93\u5165\u68c0\u67e5\u7248\u672c\u4fe1\u606f\u7684\u6307\u4ee4\u67e5\u770b\u662f\u5426\u5b89\u88c5\u6210\u529f\uff1a<\/p>\n
(python37) C:\\Users\\11043>objection version\nobjection: 1.8.4\n(python37) C:\\Users\\11043>frida --version\n12.8.0<\/code><\/pre>\n
\u5b89\u88c5frida-server<\/h4>\n
\u7531\u4e8e\u6211\u4eec\u5e76\u4e0d\u662f\u5bf9\u672c\u673a\u7684\u7a0b\u5e8f\u4f7f\u7528frida\u8fdb\u884chook\uff0c\u6240\u4ee5\u4ec5\u4ec5\u5728\u8ba1\u7b97\u673a\u4e0a\u5b89\u88c5Frida\u662f\u4e0d\u591f\u7684\uff0c\u6211\u4eec\u8fd8\u9700\u8981\u5728\u5bf9\u5e94\u7684\u6a21\u62df\u5668\/\u771f\u673a\u4e0a\u5b89\u88c5\u5bf9\u5e94\u7684server\u3002\u5176\u4e2d\u6709\u51e0\u4e2a\u9700\u8981\u6ce8\u610f\u7684\u70b9\uff0c\u4e00\u662ffrida-server\u7684\u7248\u672c\u9700\u8981\u4e0e\u8ba1\u7b97\u673a\u4e0a\u7684frida\u7248\u672c\u4e00\u81f4\uff0c\u6bd4\u5982\u8bf4\u4e0a\u6587\u6211\u4eec\u5b89\u88c5\u7684\u662f12.8.0\u7248\u672c\u7684frida\uff0c\u5219frida-server\u4e5f\u9700\u8981\u5b89\u88c5\u5bf9\u5e94\u7684\u7248\u672c\uff1b\u4e8c\u662ffrida-server\u7684\u67b6\u6784\u9700\u8981\u4e0e\u6a21\u62df\u5668\/\u771f\u673a\u4e0a\u7684\u7cfb\u7edf\u4ee5\u53ca\u67b6\u6784\u4e00\u81f4\uff0c\u901a\u5e38\u6211\u4eec\u53ef\u4ee5\u5728adb shell\u4e2d\u8f93\u5165getprop ro.product.cpu.abi<\/code>\u67e5\u770b\u624b\u673a\u67b6\u6784\uff1a<\/p>\n
C:\\Users\\11043>adb shell\nroot@aosp:\/ # getprop ro.product.cpu.abi\nx86<\/code><\/pre>\n
\u5728\u4e0a\u6587\u8c03\u8bd5.so\u6587\u4ef6\u65f6\u4e5f\u63d0\u5230\u8fc7\u5982\u4f55\u67e5\u770b\u67b6\u6784\uff0c\u63a5\u4e0b\u6765\u6211\u4eec\u9700\u8981\u505a\u7684\u5c31\u662f\u4e0b\u8f7dserver\u5e76push\u5230\u6a21\u62df\u5668\u91cc\u9762\u53bb\uff0c\u8fdb\u5165frida\u7684github\u5176\u4e2d\u7684release\uff1a\u4e0b\u8f7d\u5bf9\u5e94\u7684Frida 12.8.0<\/a><\/p>\n
\u8fd9\u91cc\u4e0b\u8f7d\u4e0b\u6765\u7684server\u662f.xz\u7684\uff0c\u6211\u4eec\u9700\u8981\u5148\u89e3\u538b\u518d\u5c06\u5176push\u5230\u6a21\u62df\u5668\u4e0a\uff1a
\n
\"\"<\/div><\/a><\/p>\n
\u518d\u5bf9\u5176\u7ed9\u4e88\u6587\u4ef6\u6743\u9650\u7136\u540e\u8fd0\u884c\uff1a
\n
\"\"<\/div><\/a><\/p>\n
\u4e0a\u8ff0\u62a5\u9519\u662f\u7531\u4e8ex86\u548carm\u4e0d\u517c\u5bb9\u5bfc\u81f4\u7684\uff0c\u4e0d\u7528\u7406\u4f1a\uff0c\u4e0d\u5f71\u54cd\u6211\u4eec\u8fdb\u884c\u9006\u5411\u8c03\u8bd5\uff1a
\n\u3010Android \u9006\u5411\u3011Frida \u6846\u67b6 ( Frida 2 \u79cd\u8fd0\u884c\u6a21\u5f0f | Frida 12.7.5 \u7248\u672c\u76f8\u5173\u5de5\u5177\u4e0b\u8f7d\u5730\u5740 | \u5728 Android \u6a21\u62df\u5668\u4e0a\u8fd0\u884c Frida \u8fdc\u7a0b\u670d\u52a1\u7a0b\u5e8f )51CTO\u535a\u5ba2_Android frida<\/a><\/p>\n
\u8fdb\u5165\u5e76\u542f\u52a8frida-objection\uff0chook\u51fd\u6570<\/h4>\n
\u5728\u6a21\u62df\u5668\u4e0a\u5b8c\u6210server\u7684\u8fd0\u884c\u4e4b\u540e\uff0c\u6211\u4eec\u5c31\u53ef\u4ee5\u56de\u5230Anaconda\u7684python\u73af\u5883\u4e2d\u4e86<\/p>\n
(base) C:\\Users\\11043>conda activate python37\n\n(python37) C:\\Users\\11043>frida version\n     ____\n    \/ _  |   Frida 12.8.0 - A world-class dynamic instrumentation toolkit\n   | (_| |\n    > _  |   Commands:\n   \/_\/ |_|       help      -> Displays the help system\n   . . . .       object?   -> Display information about 'object'\n   . . . .       exit\/quit -> Exit\n   . . . .\n   . . . .   More info at https:\/\/www.frida.re\/docs\/home\/\nFailed to spawn: unable to find process with name 'version'\n\n(python37) C:\\Users\\11043>objection version\nobjection: 1.8.4<\/code><\/pre>\n
\u542f\u52a8objection\u6ce8\u5165objection -g com.example.ndktest2 explore<\/code>\uff1a
\n
\"\"<\/div><\/a><\/p>\n
\u542f\u52a8\u4e4b\u540e\u6211\u4eec\u8f93\u5165android\u00a0hooking\u00a0watch\u00a0class_method\u00a0com.example.ndktest2.MainActivity.Encrypt\u00a0--dump-args\u00a0--dump-backtrace\u00a0--dump-return<\/code>\u542f\u52a8hook\uff1a
\n
\"\"<\/div><\/a><\/p>\n
\u8fd9\u65f6\u6211\u4eec\u518d\u53bbapp\u4e2d\u968f\u4fbf\u8f93\u5165\u4e00\u4e9b\u4ec0\u4e48\uff0c\u7136\u540e\u70b9\u51fb\u767b\u5f55
\n
\"\"<\/div><\/a><\/p>\n
\u518d\u56de\u5230objection\u5c31\u4f1a\u53d1\u73b0hook\u5230\u7684\u8fd4\u56de\u503c\u5df2\u7ecf\u7ed9\u51fa\u6765\u4e86\uff1a
\n
\"\"<\/div><\/a><\/p>\n
\u518d\u6b21\u8f93\u5165\u8fd4\u56de\u7684\u7ed3\u679c\uff0c\u5c31\u4f1a\u663e\u793a\u767b\u9646\u6210\u529f\u4e86<\/p>\n","protected":false},"excerpt":{"rendered":"
\u5728\u5237mobile\u9898\u7684\u65f6\u5019\u9047\u89c1\u4e86\u8fd9\u9053\u9898\uff0c\u5728\u8fd9\u9053\u9898\u4e2d\u5b66\u5230\u4e86\u8bb8\u591a\u65b0\u7684\u4e1c\u897f\uff0c\u7279\u6b64\u8bb0\u5f55\u4e00\u4e0b\uff0c\u6574\u7bc7\u4e0b\u6765\u771f\u7684\u662f\u624b\u628a\u624b\uff0c\u4fdd\u59c6\u7ea7\u6559\u5b66\u3002\u5176\u4e2d\u6709\u5173\u5999\u5999\u5de5\u5177Frida\u548c\u52a8\u8c03.so\u6587\u4ef6\u4e0e\u5b89\u5353\u9006\u5411\uff0c\u5999\u4e0d\u53ef\u8a00\uff01<\/p>\n","protected":false},"author":1,"featured_media":264,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10],"tags":[],"class_list":["post-225","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-android"],"_links":{"self":[{"href":"https:\/\/noobxiaomeng.top\/index.php\/wp-json\/wp\/v2\/posts\/225","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/noobxiaomeng.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/noobxiaomeng.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/noobxiaomeng.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/noobxiaomeng.top\/index.php\/wp-json\/wp\/v2\/comments?post=225"}],"version-history":[{"count":6,"href":"https:\/\/noobxiaomeng.top\/index.php\/wp-json\/wp\/v2\/posts\/225\/revisions"}],"predecessor-version":[{"id":313,"href":"https:\/\/noobxiaomeng.top\/index.php\/wp-json\/wp\/v2\/posts\/225\/revisions\/313"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/noobxiaomeng.top\/index.php\/wp-json\/wp\/v2\/media\/264"}],"wp:attachment":[{"href":"https:\/\/noobxiaomeng.top\/index.php\/wp-json\/wp\/v2\/media?parent=225"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/noobxiaomeng.top\/index.php\/wp-json\/wp\/v2\/categories?post=225"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/noobxiaomeng.top\/index.php\/wp-json\/wp\/v2\/tags?post=225"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}