基本讲解
对于基本类型, 直接使用, 比如: int, long; 但如果是数组, 我们需要使用其缩写, 并且要加 [ 前缀, 例如 int 数组就是 [I
基本类型 | 缩写 |
---|---|
boolean | Z |
byte | B |
char | C |
double | D |
float | F |
int | I |
long | J |
short | S |
需要 hook 的 Java 代码
import java.security.GeneralSecurityException;
import java.security.Key;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.DESKeySpec;
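/**
 * Encrypts {@code paramString} with single DES in ECB mode and PKCS#5 padding.
 *
 * <p>This is the sample method the Frida hooks below target: they intercept
 * {@code DESKeySpec(byte[])}, {@code SecretKeyFactory.getInstance(String)} and
 * {@code Cipher.getInstance(String)}, which are exactly the three calls made here.
 * DES (56-bit key) and ECB mode are widely regarded as unsuitable for new code;
 * the construction is kept only so the hooks line up with it.
 *
 * @param keyByte raw key material; {@link DESKeySpec} uses the first 8 bytes
 * @param paramString plaintext to encrypt (a byte array despite its name)
 * @return the ciphertext, a multiple of 8 bytes because of the padding
 * @throws GeneralSecurityException if the key is too short or invalid, the DES
 *     provider is unavailable, or the encryption itself fails
 */
public static byte[] encrypt(byte[] keyByte, byte[] paramString) throws GeneralSecurityException {
    // Every checked exception thrown below is a GeneralSecurityException subtype,
    // so the signature no longer needs the catch-all "throws Exception".
    DESKeySpec desKeySpec = new DESKeySpec(keyByte);
    Key key = SecretKeyFactory.getInstance("DES").generateSecret(desKeySpec);
    Cipher localCipher = Cipher.getInstance("DES/ECB/PKCS5Padding");
    localCipher.init(Cipher.ENCRYPT_MODE, key);
    return localCipher.doFinal(paramString);
}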
普通方法hook
我们 hook Cipher.getInstance 的参数
import frida
import sys
# Frida agent (JavaScript) injected into the target process. It replaces the
# Cipher.getInstance(String) overload so that each call first reports the
# transformation string (e.g. "DES/ECB/PKCS5Padding" in the sample above) to
# the Python side via send(), then forwards to the original implementation
# and returns its result unchanged.
jscode = """
Java.perform(function () {
var ClassName = Java.use('javax.crypto.Cipher');
console.log("Find ClassName Successfully!");//定位类成功!
ClassName.getInstance.overload("java.lang.String").implementation=function(param){
send("Hook Start...");
send(param);
var ret = this.getInstance(param);
return ret;
}
});
"""
def printMessage(message, data):
    """Frida message callback.

    Messages produced by send() in the agent are printed as "[*] <payload>";
    anything else (e.g. error messages) is printed verbatim.

    Args:
        message: dict delivered by frida; 'type' is inspected and 'payload'
            is read when the type is 'send'.
        data: optional binary attachment passed by frida (unused).
    """
    if message['type'] != 'send':
        print(message)
        return
    print('[*] {}'.format(message['payload']))
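# Attach to the running target app; replace 'XXX' with its package name / PID.
# NOTE: the original line used a C-style "//" here, which Python parses as
# floor division by an undefined name and fails at runtime -- use "#".
process = frida.get_remote_device().attach('XXX')  # 应用
script = process.create_script(jscode)
script.on('message', printMessage)
script.load()
try:
    # Block until stdin is closed so the hooks stay installed.
    sys.stdin.read()
finally:
    # Remove the hooks and release the session on exit (Ctrl-D / Ctrl-C).
    script.unload()
    process.detach()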
构造函数hook
要 hook 加密所用的密钥 (即 DESKeySpec 构造函数的参数)
import frida
import sys
# Frida agent (JavaScript) injected into the target process. It replaces the
# DESKeySpec(byte[]) constructor ("[B" overload, see the table above) so that
# each call first reports the byte[] argument to the Python side via send(),
# then forwards to the original constructor and returns its result unchanged.
jscode = """
Java.perform(function () {
var ClassName = Java.use('javax.crypto.spec.DESKeySpec'); // 要hook的类
console.log("Find ClassName Successfully!");//定位类成功!
ClassName.$init.overload("[B").implementation=function(param){
send("Hook Start...");
send(param);
var ret = this.$init(param);
return ret;
}
});
"""
def printMessage(message, data):
    """Frida message callback.

    Messages produced by send() in the agent are printed as "[*] <payload>";
    anything else (e.g. error messages) is printed verbatim.

    Args:
        message: dict delivered by frida; 'type' is inspected and 'payload'
            is read when the type is 'send'.
        data: optional binary attachment passed by frida (unused).
    """
    if message['type'] != 'send':
        print(message)
        return
    print('[*] {}'.format(message['payload']))
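# Attach to the running target app; replace 'XXX' with its package name / PID.
# NOTE: the original line used a C-style "//" here, which Python parses as
# floor division by an undefined name and fails at runtime -- use "#".
process = frida.get_remote_device().attach('XXX')  # 应用
script = process.create_script(jscode)
script.on('message', printMessage)
script.load()
try:
    # Block until stdin is closed so the hooks stay installed.
    sys.stdin.read()
finally:
    # Remove the hooks and release the session on exit (Ctrl-D / Ctrl-C).
    script.unload()
    process.detach()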
静态方法
hook SecretKeyFactory.getInstance, 写法和普通方法一致
import frida
import sys
# Frida agent (JavaScript) injected into the target process. It replaces the
# static SecretKeyFactory.getInstance(String) overload so that each call first
# reports the algorithm name (e.g. "DES" in the sample above) to the Python
# side via send(), then forwards to the original implementation and returns
# its result unchanged.
jscode = """
Java.perform(function () {
var ClassName = Java.use('javax.crypto.SecretKeyFactory');
console.log("Find ClassName Successfully!");//定位类成功!
ClassName.getInstance.overload("java.lang.String").implementation=function(param){
send("Hook Start...");
send(param);
var ret = this.getInstance(param);
return ret;
}
});
"""
def printMessage(message, data):
    """Frida message callback.

    Messages produced by send() in the agent are printed as "[*] <payload>";
    anything else (e.g. error messages) is printed verbatim.

    Args:
        message: dict delivered by frida; 'type' is inspected and 'payload'
            is read when the type is 'send'.
        data: optional binary attachment passed by frida (unused).
    """
    if message['type'] != 'send':
        print(message)
        return
    print('[*] {}'.format(message['payload']))
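# Attach to the running target app; replace 'XXXX' with its package name / PID.
process = frida.get_remote_device().attach('XXXX')  # 应用
script = process.create_script(jscode)
script.on('message', printMessage)
script.load()
try:
    # Block until stdin is closed so the hooks stay installed.
    sys.stdin.read()
finally:
    # Remove the hooks and release the session on exit (Ctrl-D / Ctrl-C).
    script.unload()
    process.detach()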