test {'type': 'error', 'description': 'Error: java.lang.ClassNotFoundException: Didn\'t find class "cn.chaitin.geektan.crackme.MainActivityPatch" on path: DexPathList[[zip file "/data/app/cn.chaitin.geektan.crackme-1/base.apk"],nativeLibraryDirectories=[/data/app/cn.chaitin.geektan.crackme-1/lib/x86, /vendor/lib, /system/lib]]', 'stack': 'Error: java.lang.ClassNotFoundException: Didn\'t find class "cn.chaitin.geektan.crackme.MainActivityPatch" on path: DexPathList[[zip file "/data/app/cn.chaitin.geektan.crackme-1/base.apk"],nativeLibraryDirectories=[/data/app/cn.chaitin.geektan.crackme-1/lib/x86, /vendor/lib, /system/lib]]\n at <anonymous> (frida/node_modules/frida-java-bridge/lib/env.js:124)\n at <anonymous> (frida/node_modules/frida-java-bridge/lib/class-factory.js:443)\n at value (frida/node_modules/frida-java-bridge/lib/class-factory.js:812)\n at _make (frida/node_modules/frida-java-bridge/lib/class-factory.js:112)\n at use (frida/node_modules/frida-java-bridge/lib/class-factory.js:63)\n at use (frida/node_modules/frida-java-bridge/index.js:246)\n at <anonymous> (/script1.js:4)\n at <anonymous> (frida/node_modules/frida-java-bridge/lib/vm.js:16)\n at _performPendingVmOps (frida/node_modules/frida-java-bridge/index.js:238)\n at <anonymous> (frida/node_modules/frida-java-bridge/index.js:230)\n at apply (native)\n at ne (frida/node_modules/frida-java-bridge/lib/class-factory.js:613)\n at <anonymous> (frida/node_modules/frida-java-bridge/lib/class-factory.js:592)', 'fileName': 'frida/node_modules/frida-java-bridge/lib/env.js', 'lineNumber': 124, 'columnNumber': 1}
Java.perform(function () {
  // Wrapper for dalvik.system.DexClassLoader. loadClass is the path every
  // dynamically loaded dex class goes through, so hooking it is the way to get
  // hold of a class that is not present in base.apk (Java.use() on it fails
  // with the ClassNotFoundException shown above).
  var loaderWrapper = Java.use("dalvik.system.DexClassLoader");
  // loadClass is called for many classes; only this one is of interest.
  var targetName = "cn.chaitin.geektan.crackme.MainActivityPatch";
  var hookClass = undefined;

  // NOTE: loadClass has two overloads, (String) and (String, boolean).
  // Assigning .implementation without .overload(...) is rejected by
  // frida-java-bridge with a "has more than one overload" error.
  loaderWrapper.loadClass.implementation = function (name) {
    // Always let the real loader run; delegate to the two-argument overload.
    var loaded = this.loadClass(name, false);
    if (name !== targetName) {
      return loaded;
    }
    hookClass = loaded;
    console.log(hookClass);
    return loaded;
  };
});
执行看看结果
{'type': 'error', 'description': "Error: loadClass(): has more than one overload, use .overload(<signature>) to choose from:.overload('java.lang.String') .overload('java.lang.String', 'boolean')"....}
/**
 * Loads the class with the given binary name using parent-first delegation:
 * an already-loaded class is returned first, then the parent loader (or the
 * bootstrap loader when there is no parent) is asked, and only when both come
 * back empty is findClass(name) invoked to locate it from this loader's own
 * sources. A class that the parent already knows about therefore cannot be
 * shadowed by one supplied through this loader's own path.
 *
 * @param name    binary name of the class to load
 * @param resolve not consulted in this body
 * @return the resulting Class object
 * @throws ClassNotFoundException propagated from findClass when it cannot
 *         locate the class either
 */
protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
    // First, check if the class has already been loaded
    Class<?> c = findLoadedClass(name);
    if (c == null) {
        try {
            if (parent != null) {
                c = parent.loadClass(name, false);
            } else {
                c = findBootstrapClassOrNull(name);
            }
        } catch (ClassNotFoundException e) {
            // ClassNotFoundException thrown if class not found
            // from the non-null parent class loader
            // (deliberately swallowed: a miss in the parent just means
            // this loader gets to try findClass below)
        }
        if (c == null) {
            // If still not found, then invoke findClass in order
            // to find the class.
            c = findClass(name);
        }
    }
    return c;
}
/**
 * Constructor of the dynamically loaded patch class. It takes a plain Object
 * and casts it to MainActivity, so whatever is passed in must actually be a
 * MainActivity instance or the cast fails. The single java.lang.Object
 * parameter is the signature a reflective getDeclaredConstructor lookup has
 * to match.
 */
public MainActivityPatch(Object obj) {
    this.orginClass = (MainActivity) obj;
}
我们如何构造并传入这个数组呢？
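// Standard form: build a Java array holding the parameter type(s), which is
// what getDeclaredConstructor(Class<?>...) expects. (The original text used
// "\\" as the comment marker, which is a syntax error in JavaScript.)
var objectclass = Java.use("java.lang.Object");
var ConstructorParam = Java.array('Ljava.lang.Object;', [objectclass.class]);
var a = hookClassCast.getDeclaredConstructor(ConstructorParam);

// Shorthand form: pass a plain JS array and let the bridge convert it to the
// Java array the parameter expects. Both lookups return the same constructor;
// they are shown as alternatives, so the second is given its own name.
var aShort = hookClassCast.getDeclaredConstructor([objectclass.class]);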
/**
 * Returns the methods this class declares, as an array. Nothing in this body
 * sorts the result, so callers that pick an element by index depend on the
 * order the runtime happens to produce. The loop forces resolution of every
 * method's return and parameter types up front, so an unresolvable type
 * surfaces here as NoClassDefFoundError instead of on later use.
 *
 * @return array of the declared methods
 * @throws SecurityException per the declared signature
 */
public Method[] getDeclaredMethods() throws SecurityException {
    Method[] result = getDeclaredMethodsUnchecked(false);
    for (Method m : result) {
        // Throw NoClassDefFoundError if types cannot be resolved.
        m.getReturnType();
        m.getParameterTypes();
    }
    return result;
}
从getDeclaredMethods()的源码,我们知道它返回的是一个Method数组
// Every method the patch class declares, as a java.lang.reflect.Method[].
var declaredMethods = hookClassCast.getDeclaredMethods();
console.log(declaredMethods);
// Pick the method to call directly by array index.
// NOTE: getDeclaredMethods() does not promise an order, so index 0 should be
// checked against the list logged above before relying on it.
console.log(declaredMethods[0]);
看看一个完整的示例,和上面的一样,仅仅调用了getDeclaredMethods()方法。
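Java.perform(function () {
  var ClassUse = Java.use("java.lang.Class");
  var objectclass = Java.use("java.lang.Object");
  var dexclassLoader = Java.use("dalvik.system.DexClassLoader");
  var orininclass = Java.use("cn.chaitin.geektan.crackme.MainActivity");
  // Class that only exists in the dynamically loaded dex; it cannot be reached
  // with Java.use() up front (see the ClassNotFoundException at the top).
  var hookname = "cn.chaitin.geektan.crackme.MainActivityPatch";
  // MainActivityPatch(Object) casts its argument to MainActivity, so build one.
  // NOTE(review): $new() only runs the constructor, not the Activity
  // lifecycle; fine as long as the patch does not depend on onCreate state.
  var mainAc = orininclass.$new();

  // Hook the single-argument overload explicitly: loadClass has two overloads
  // and frida-java-bridge rejects an ambiguous .implementation assignment.
  dexclassLoader.loadClass.overload('java.lang.String').implementation = function (name) {
    // Let the real loader do its work first. The two-argument overload is not
    // hooked, so this call does not re-enter this handler.
    var result = this.loadClass(name, false);
    if (name !== hookname) {
      return result;
    }
    // Keep the reflective work from propagating an exception into the app's
    // own loadClass call: log it and still hand back the loaded class.
    try {
      // result is a java.lang.Class; cast to the Class wrapper so reflective
      // methods (getDeclaredConstructor, getDeclaredMethods) become callable.
      var hookClassCast = Java.cast(result, ClassUse);
      console.log("-----------------------------BEGIN-------------------------------------");
      // Constructor lookup: the signature is MainActivityPatch(Object), so the
      // parameter-type array holds the single java.lang.Object class.
      var ConstructorParam = Java.array('Ljava.lang.Object;', [objectclass.class]);
      var Constructor = hookClassCast.getDeclaredConstructor(ConstructorParam);
      console.log("Constructor:" + Constructor);
      console.log("orinin:" + mainAc);
      // newInstance also takes Object..., so the arguments go in as an array.
      var instance = Constructor.newInstance([mainAc]);
      console.log("MainActivityPatchInstance:" + instance);
      send(instance);
      console.log("----------------------------Methods---------------------------------");
      var func = hookClassCast.getDeclaredMethods();
      console.log(func);
      console.log("--------------------------Need Method---------------------------------");
      // Picked by index; getDeclaredMethods() order is not guaranteed, so
      // confirm against the list logged above.
      console.log(func[0]);
      var f = func[0]; // the Method handle that the final script invokes
      console.log("---------------------------- OVER---------------------------------");
    } catch (e) {
      console.log("hook error: " + e);
    }
    return result;
  };
});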
var Integerclass = Java.use("java.lang.Integer");
// Box a JS number as a java.lang.Integer instance.
var box = function (value) {
  return Integerclass.$new(value);
};
var num1 = box(5);
var num2 = box(6);
// Method.invoke takes Object..., so each argument pair is packed as Object[].
var numArr1 = Java.array('Ljava.lang.Object;', [num1, num2]);
var num3 = box(7);
var num4 = box(8);
var numArr2 = Java.array('Ljava.lang.Object;', [num3, num4]);
接下来我们就可以愉快的调用Joseph方法了。
最终代码
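Java.perform(function () {
  var ClassUse = Java.use("java.lang.Class");
  var objectclass = Java.use("java.lang.Object");
  var dexclassLoader = Java.use("dalvik.system.DexClassLoader");
  var orininclass = Java.use("cn.chaitin.geektan.crackme.MainActivity");
  var Integerclass = Java.use("java.lang.Integer");
  // Class that only exists in the dynamically loaded dex; it cannot be reached
  // with Java.use() up front (see the ClassNotFoundException at the top).
  var hookname = "cn.chaitin.geektan.crackme.MainActivityPatch";
  // MainActivityPatch(Object) casts its argument to MainActivity, so build one.
  // NOTE(review): $new() only runs the constructor, not the Activity
  // lifecycle; fine as long as the patch does not depend on onCreate state.
  var mainAc = orininclass.$new();

  // Box a JS number as a java.lang.Integer instance.
  function boxInt(value) {
    return Integerclass.$new(value);
  }

  // Hook the single-argument overload explicitly: loadClass has two overloads
  // and frida-java-bridge rejects an ambiguous .implementation assignment.
  dexclassLoader.loadClass.overload('java.lang.String').implementation = function (name) {
    // Let the real loader do its work first. The two-argument overload is not
    // hooked, so this call does not re-enter this handler.
    var result = this.loadClass(name, false);
    if (name !== hookname) {
      return result;
    }
    // Keep the reflective work from propagating an exception into the app's
    // own loadClass call: log it and still hand back the loaded class.
    try {
      // result is a java.lang.Class; cast to the Class wrapper so reflective
      // methods become callable.
      var hookClassCast = Java.cast(result, ClassUse);
      console.log("-----------------------------GET Constructor-------------------------------------");
      // Constructor lookup: MainActivityPatch(Object) → one java.lang.Object
      // parameter type.
      var ConstructorParam = Java.array('Ljava.lang.Object;', [objectclass.class]);
      var Constructor = hookClassCast.getDeclaredConstructor(ConstructorParam);
      console.log("Constructor:" + Constructor);
      console.log("orinin:" + mainAc);
      // newInstance takes Object..., so the arguments go in as an array.
      var instance = Constructor.newInstance([mainAc]);
      console.log("patchAc:" + instance);
      send(instance);
      console.log("-----------------------------GET Methods----------------------------");
      var func = hookClassCast.getDeclaredMethods();
      console.log(func);
      console.log("--------------------------GET Joseph Function---------------------------");
      // Picked by index; getDeclaredMethods() order is not guaranteed, so
      // confirm against the list logged above.
      console.log(func[0]);
      var f = func[0];
      // Method.invoke takes Object..., so each argument pair is packed as
      // Object[]. (How the target method consumes them is not visible here.)
      var num1 = boxInt(5);
      var num2 = boxInt(6);
      var numArr1 = Java.array('Ljava.lang.Object;', [num1, num2]);
      var num3 = boxInt(7);
      var num4 = boxInt(8);
      var numArr2 = Java.array('Ljava.lang.Object;', [num3, num4]);
      console.log("-----------------------------GET Array------------------------------");
      console.log(numArr1);
      console.log(numArr2);
      var rtn1 = f.invoke(instance, numArr1);
      var rtn2 = f.invoke(instance, numArr2);
      console.log("--------------------------------FLAG---------------------------------");
      console.log("DDCTF{" + rtn1 + rtn2 + "}");
      console.log("--------------------------------OVER--------------------------------");
    } catch (e) {
      console.log("hook error: " + e);
    }
    return result;
  };
});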