Frida用法
根据cpu版本去下载相应frida-server运行./frida-sever &
frida官网:https://frida.re/docs/javascript-api/
1.hook静态函数

文章插图
当函数内部有相同的函数名，即重载时，hook时就必须指定函数类型
function hook_java() {Java.perform(function () {var LoginActivity = Java.use("com.example.androiddemo.Activity.LoginActivity");console.log(LoginActivity);LoginActivity.a.overload('java.lang.String', 'java.lang.String').implementation = function (str, str2) {var result = this.a(str, str2);//result = '';console.log("LoginActivity.a:", str, str2, result);return result;};//当函数有重载时，错误写法，当函数没重载时，可以这样写LoginActivity.a.implementation = function (str1, str2) {var result = this.a(str1, str2);//调用原来的函数console.log("LoginActivity.a:", str1, str2, result);return result;};}

文章插图
2.修改函数返回值和成员变量(1)修改返回值

文章插图
function hook_java() {Java.perform(function () {var FridaActivity1 = Java.use("com.example.androiddemo.Activity.FridaActivity1");// FridaActivity1.a.implementation = function (barr) {//console.log("FridaActivity1.a");//// return "R4jSLLLLLLLLLLOrLE7/5B+Z6fsl65yj6BgC6YWz66gO6g2t65Pk6a+P65NK44NNROl0wNOLLLL=";//var result = this.a(barr);//console.log("FridaActivity1.a result:", result);//return result;// };// 第二种写法FridaActivity1.a.overload('[B').implementation = function (barr) {console.log("FridaActivity1.a");var result = this.a(barr);console.log("FridaActivity1.a 修改前返回值:", result);result = "R4jSLLLLLLLLLLOrLE7/5B+Z6fsl65yj6BgC6YWz66gO6g2t65Pk6a+P65NK44NNROl0wNOLLLL=";console.log("FridaActivity1.a 修改后返回值:", result);return result;};console.log("hook_java");});}

文章插图
(2)修改成员变量

文章插图
function call_FridaActivity3() {Java.perform(function () {var FridaActivity3 = Java.use("com.example.androiddemo.Activity.FridaActivity3");FridaActivity3.$newFridaActivity3.static_bool_var.value = https://tazarkount.com/read/true;//设置静态成员变量console.log(FridaActivity3.static_bool_var.value);Java.choose("com.example.androiddemo.Activity.FridaActivity3", {onMatch: function (instance) {//设置非静态成员变量的值instance.bool_var.value = https://tazarkount.com/read/true;//设置有相同函数名的成员变量的值instance._same_name_bool_var.value = true;console.log(instance.bool_var.value, instance._same_name_bool_var.value);},onComplete: function () {}});});}3.hook内部类

文章插图
第一种写法function hook_InnerClasses() {Java.perform(function () {//hook内部类var InnerClasses = Java.use("com.example.androiddemo.Activity.FridaActivity4$InnerClasses");console.log(InnerClasses);InnerClasses.check1.implementation = function () {return true;};InnerClasses.check2.implementation = function () {return true;};InnerClasses.check3.implementation = function () {return true;};InnerClasses.check4.implementation = function () {return true;};InnerClasses.check5.implementation = function () {return true;};InnerClasses.check6.implementation = function () {return true;};});}第二种写法function hook_mul_function() {Java.perform(function () {//hook 类的多个函数var class_name = "com.example.androiddemo.Activity.FridaActivity4$InnerClasses";var InnerClasses = Java.use(class_name);var all_methods = InnerClasses.class.getDeclaredMethods();for (var i = 0; i < all_methods.length; i++) {var method = (all_methods[i]);var methodStr = method.toString();var substring = methodStr.substr(methodStr.indexOf(class_name) + class_name.length + 1);var methodname = substring.substr(0, substring.indexOf("("));console.log(methodname);InnerClasses[methodname].implementation = function () {console.log("hook_mul_function:", this);return true;}}});}4.hook动态dex【frida用法小汇总】

文章插图
function hook_dyn_dex() {Java.perform(function () {//hook 动态加载的dex（注意点:牛轧糖版本之上）Java.enumerateClassLoaders({onMatch: function (loader) {try {if (loader.findClass("com.example.androiddemo.Dynamic.DynamicCheck")) {console.log(loader);// Java.classFactory.loader = loader;//切换classloader}} catch (error) {}}, onComplete: function () {}});// var DynamicCheck = Java.use("com.example.androiddemo.Dynamic.DynamicCheck");// console.log(DynamicCheck);// DynamicCheck.check.implementation = function () {//console.log("DynamicCheck.check");//return true;// }});}

文章插图
5.frida加载动态dexfunction hook_java() {//var ddex = Java.openClassFile("/data/local/tmp/ddex.dex");//frida动态加载了dex/*jar -cvf ddex.jar com/example/androiddemo/DecodeUtils.class/Users/yang/Library/Android/sdk/build-tools/28.0.3/dx --dex --output=ddex.dex ddex.jar*/var ddex2 = Java.openClassFile("/data/local/tmp/ddex2.dex");Java.perform(function () {//frida动态加载了dexddex2.load();var DecodeUtils = Java.use("com.example.androiddemo.DecodeUtils");console.log("DecodeUtils.decode_p:", DecodeUtils.decode_p());});}

• 春季老年人吃什么养肝？土豆、米饭换着吃
• 三八妇女节节日祝福分享 三八妇女节节日语录
• 老人谨慎！选好你的“第三只脚”
• 校方进行了深刻的反思 青岛一大学生坠亡校方整改校规
• 脸皮厚的人长寿！有这特征的老人最长寿
• 长寿秘诀：记住这10大妙招 100%增寿
• 春季老年人心血管病高发 3条保命要诀
• 眼睛花不花要看四十八 老年人怎样延缓老花眼
• 香槟然能防治老年痴呆症？ 一天三杯它人到90不痴呆
• 老人手抖的原因 为什么老人手会抖