利用frida来解一些安卓题目

情到浓时终转凉″ 提交于 2020-04-06 12:20:11

之前在github看了r0ysue大佬的frida系列教程,于是想来实践一下。

DDCTF2018-HelloBabyDex

这道题涉及到了APK的热修复,目前还没有怎么接触,之后得深入一下。

 

 这道题在Mainactivity的onCreate函数中调用了Joseph函数,并把它的返回值拼接作为flag

            String v9 = this.Joseph(1, 2);
            super.onCreate(arg13);
            this.setContentView(0x7F09001B);  // layout:activity_main
            this.runRobust();
            SignCheck v10 = new SignCheck(this, this, "1B:D0:4A:9D:B5:A9:84:93:7E:79:27:9C:6C:C4:14:AB:DD:B0:75:7F");
            v10.check();
            Debug.isDebuggerConnected();
            View v8 = this.findViewById(0x7F07003D);  // id:input_text
            EditText v8_1 = (EditText)v8;
            View v7 = this.findViewById(0x7F070026);  // id:check_btn
            Button v7_1 = (Button)v7;
            cn.chaitin.geektan.crackme.MainActivity.1 v0_3 = new View.OnClickListener() {
                public static ChangeQuickRedirect changeQuickRedirect;

                @Override  // android.view.View$OnClickListener
                public void onClick(View arg9) {
                    Object[] v0 = new Object[1];
                    v0[0] = arg9;
                    ChangeQuickRedirect v2 = cn.chaitin.geektan.crackme.MainActivity.1.changeQuickRedirect;
                    Class[] v5 = new Class[1];
                    Class v1 = View.class;
                    v5[0] = v1;
                    Class v6 = Void.TYPE;
                    boolean v0_1 = PatchProxy.isSupport(v0, this, v2, false, 18, v5, v6);
                    if(v0_1) {
                        Object[] v0_2 = new Object[1];
                        v0_2[0] = arg9;
                        ChangeQuickRedirect v2_1 = cn.chaitin.geektan.crackme.MainActivity.1.changeQuickRedirect;
                        Class[] v5_1 = new Class[1];
                        Class v1_1 = View.class;
                        v5_1[0] = v1_1;
                        Class v6_1 = Void.TYPE;
                        PatchProxy.accessDispatch(v0_2, this, v2_1, false, 18, v5_1, v6_1);
                    }
                    else {
                        EditText v0_3 = v8_1;
                        Editable v0_4 = v0_3.getText();
                        boolean v0_5 = TextUtils.isEmpty(v0_4);
                        if(v0_5) {
                        label_31:
                            MainActivity v0_12 = MainActivity.this;
                            Toast v0_13 = Toast.makeText(v0_12, "大佬莫急!再试试!", 0);
                            v0_13.show();
                        }
                        else {
                            EditText v0_6 = v8_1;
                            Editable v0_7 = v0_6.getText();
                            String v0_8 = v0_7.toString();
                            StringBuilder v1_2 = new StringBuilder();
                            StringBuilder v1_3 = v1_2.append("DDCTF{");
                            String v2_2 = v9;
                            StringBuilder v1_4 = v1_3.append(v2_2);
                            StringBuilder v1_5 = v1_4.append("}");
                            String v1_6 = v1_5.toString();
                            boolean v0_9 = v0_8.equals(v1_6);
                            if(!v0_9) {
                                goto label_31;
                            }

                            MainActivity v0_10 = MainActivity.this;
                            Toast v0_11 = Toast.makeText(v0_10, "恭喜大佬!密码正确!", 0);
                            v0_11.show();
                        }
                    }
                }
            };
            v7_1.setOnClickListener(v0_3);    

可以看到v9参与了之后的拼接以及equals操作,于是我们这里可以使用frida直接来进行hook

hook equals函数的话,可以直接出flag,hook Joseph函数的话,可以出flag中的字符串,拼接起来。

上脚本:

import frida, sys

source = """
Java.perform(function() {
    var clazz = Java.use('cn.chaitin.geektan.crackme.MainActivity');
    clazz.Joseph.implementation = function() {

        var msg = clazz.Joseph.apply(this, arguments);
        send(msg);
        return msg;
    }
    var clazzz = Java.use('java.lang.String');
    clazzz.equals.implementation = function() {

        var msg = clazzz.equals.apply(this, arguments);
        var ret = clazzz.valueOf.apply(this,arguments);
        if(ret.indexOf("DDCTF")!=-1)
            send(ret);
        return msg;
    }
});
"""
def on_message(message, data):
    if message['type'] == 'send':
        print("[*] {0}".format(message['payload']))
    else:
        print(message)

 
process = frida.get_usb_device().attach('cn.chaitin.geektan.crackme')
script = process.create_script(source)
script.on('message', on_message)
script.load()
sys.stdin.read()

 

 可以看到,Joseph函数只调用了一次,但输出了两次,这就是热补丁的结果。

hook equals函数后,再加以筛选,直接出flag!

 

RCTF2015(FlagSystem)

这道题看了奈沙夜影的wp,他是用xposed实现的,这里我使用了frida

引用大佬的分析过程,这里只给出frida实现。

https://blog.csdn.net/whklhhhh/article/details/89118707

 

上脚本:

#!/usr/bin/env python2
# -*- coding: utf-8 -*-
import frida , sys#select book_author,book_name from books_table
 
jscode = """
Java.perform(function () {
    send("Hook start..");
    
    var test = Java.use('com.example.mybackup.Test');
    var k;
    test.getSign.implementation = function () {
        send("getSign Function implemented");
        k = test.getSign.apply(this,arguments);
        send("Password is : " + k);

        return k;
    }

    var demo = Java.use('com.example.mybackup.BooksDB');
    var db;
    demo.getReadableDatabase.implementation = function (k) {
        send("getReadableDatabase Function implemented");
        db = this.getReadableDatabase(k);
        if(db != null)
            send('DB got');
        var S = Java.use("java.lang.String");
        var sql = S.$new("select book_author,book_name from books_table");
        var cursor = db.rawQuery(sql,null);
        if(cursor!=null)
            send('cursor got');
        /*cursor.getString(0);
        while(cursor.moveToNext()) {
            send("Result : " + cursor.getString(0));
        }
        Java.choose("net.sqlcipher.Cursor" , {
            onMatch : function(instance){
                console.log("Found instance: "+instance);
            },
            onComplete:function(){}
        });*/
        var class_cursor = Java.use("android.database.Cursor");
        cursor = Java.cast(cursor,class_cursor);
        while(cursor.moveToNext()) {
            send("Result : " + cursor.getString(0));
        }

        return db;
    }

    demo.$init.implementation = function (a) {
        send("$init Function implemented");
        return this.$init(a);
    }



});
"""
def on_message(message, data):
    if message['type']=='send':
        print("[*] {0}".format(message['payload']))
    else:
        print(message)

device = frida.get_usb_device()
pid = device.spawn(['com.example.mybackup'])
process = device.attach(pid)
 
script = process.create_script(jscode)
 
script.on("message", on_message)
script.load()
device.resume(pid)
sys.stdin.read()

这里说明一下与上一个frida脚本的区别,这道题需要拿到sqlite的db,所以需要hook getReadableDatabase这个函数,这个函数在构造函数中所以需要在APK刚运行时插桩,使用了spawn。

拿到db之后就容易了,再获取到cursor,读取数据库就好了。

这里还有一个坑点,由于这个apk使用了sqlcipher库,这个库中的cursor是经过包装的接口,真正的Cursor.moveToNext等函数在AbstractCursor中实现,这里直接拿到cursor的话,调用

cursor.moveToNext会报错,所以需要强制cast成android.database.Cursor这个类型才行。当时尝试了直接获取AbstractCursor的instance和获取cursor的instance都不可以。。

最终效果:

 不得不说,frida真的是神器。

 

标签
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!