学习目标:了解frida的python库的使用

为什么需要使用frida的python库

  • 之前介绍的frida更多是用于手工调试阶段,如果要用代码自动化处理,还需要其他语言介入,比如python爬虫
  • 后续介绍的frida算法转发方案的rpc也需要使用python,算法转发和rpc能给逆向带来无比便捷的体验
  • frida可以实时与python进行数据交互,可以把数据发送给python,等待python处理完后,接收返回值,frida再接着往下执行代码
  • python提供的各种库,让代码编写更为简单

包名注入

# -*- coding: UTF-8 -*-
import frida, sys

# Frida agent (JavaScript) injected into the target app.  The string is handed
# to frida unchanged, so it is kept byte-for-byte as written:
#  - hooks RequestUtil.encodeDesMap(String, String, String), logs the three
#    arguments (labelled data / desKey / desIV by the hook) and the return
#    value, then calls through so the app keeps working.  The logged key and
#    IV are secrets pulled out of the running app -- treat the console output
#    as sensitive.
#  - hooks Utils.md5 the same way.  NOTE(review): no .overload() is selected
#    here, which only works if md5 has a single overload -- confirm.
#  - test() runs Utils.md5 inside Java.perform and is exposed to Python as rpc
#    export "rpcfunc"; this listing never calls it.
jsCode = """
Java.perform(function(){
var RequestUtil = Java.use('com.dodonew.online.http.RequestUtil');
RequestUtil.encodeDesMap.overload('java.lang.String', 'java.lang.String', 'java.lang.String').implementation = function(a, b, c){
console.log('data: ', a);
console.log('desKey: ', b);
console.log('desIV: ', c);
var retval = this.encodeDesMap(a, b, c);
console.log('retval: ', retval);
return retval;
}
var Utils = Java.use('com.dodonew.online.util.Utils');
Utils.md5.implementation = function(a){
console.log('MD5 string: ', a);
var retval = this.md5(a);
console.log('retval: ', retval);
return retval;
}
});

function test(data){
var result = "";
Java.perform(function(){
result = Java.use('com.dodonew.online.util.Utils').md5(data);
});
return result;
}

rpc.exports = {
rpcfunc: test
};

"""
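def messageFunc(message, data):
    """Receive messages from the agent.

    The agent above never calls send(), so the only messages expected are of
    type 'error' (uncaught JS exceptions such as a class or overload that
    does not exist).  Without a registered handler frida has nowhere to
    deliver them and a broken hook goes unnoticed.  `data` is the optional
    binary payload and is unused here.
    """
    if message["type"] == "error":
        print("[!] agent error: {0}".format(message.get("description")))
        print(message.get("stack", ""))
    else:
        print(message)


# Attach by package name; the app must already be running on the USB device.
# attach() returns a Session (kept under the listing's original variable name).
process = frida.get_usb_device().attach('com.dodonew.online')
script = process.create_script(jsCode)
script.on('message', messageFunc)   # register before load() so load errors are seen too
script.load()
print("脚本开始运行")
try:
    # Block until stdin is closed (Ctrl-D / Ctrl-Z) to keep the hooks alive.
    sys.stdin.read()
finally:
    # Remove our hooks from the target explicitly rather than relying on exit.
    process.detach()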

pid注入

# -*- coding: UTF-8 -*-
import frida, sys

# Frida agent (JavaScript) injected into the target app; identical to the
# package-name listing.  Kept byte-for-byte because the string is executed
# inside the app:
#  - hooks RequestUtil.encodeDesMap(String, String, String), logs the inputs
#    (data / desKey / desIV) and the result, then calls through.  The key and
#    IV printed here are secrets taken from the live app.
#  - hooks Utils.md5 (NOTE(review): without .overload(); assumes a single
#    overload -- confirm).
#  - exports test() to Python as rpc "rpcfunc"; not called by this listing.
jsCode = """
Java.perform(function(){
var RequestUtil = Java.use('com.dodonew.online.http.RequestUtil');
RequestUtil.encodeDesMap.overload('java.lang.String', 'java.lang.String', 'java.lang.String').implementation = function(a, b, c){
console.log('data: ', a);
console.log('desKey: ', b);
console.log('desIV: ', c);
var retval = this.encodeDesMap(a, b, c);
console.log('retval: ', retval);
return retval;
}
var Utils = Java.use('com.dodonew.online.util.Utils');
Utils.md5.implementation = function(a){
console.log('MD5 string: ', a);
var retval = this.md5(a);
console.log('retval: ', retval);
return retval;
}
});

function test(data){
var result = "";
Java.perform(function(){
result = Java.use('com.dodonew.online.util.Utils').md5(data);
});
return result;
}

rpc.exports = {
rpcfunc: test
};

"""
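def messageFunc(message, data):
    """Receive messages from the agent.

    Only 'error' messages (uncaught JS exceptions) are expected, since the
    agent does not call send().  Registering a handler makes a failed hook
    visible instead of silently dropped.  `data` (binary payload) is unused.
    """
    if message["type"] == "error":
        print("[!] agent error: {0}".format(message.get("description")))
        print(message.get("stack", ""))
    else:
        print(message)


# Attach by pid.  The pid is a snapshot from one particular launch and must
# be looked up again each time the app is restarted.
process = frida.get_usb_device().attach(5734)
script = process.create_script(jsCode)
script.on('message', messageFunc)   # before load() so load-time errors are reported
script.load()
print("脚本开始运行")
try:
    # Keep the hooks alive until stdin is closed.
    sys.stdin.read()
finally:
    process.detach()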

spawn方式启动

# -*- coding: UTF-8 -*-
import frida, sys

# Frida agent (JavaScript) for the spawn-mode listing; same hooks as above and
# kept byte-for-byte because the string runs inside the app:
#  - logs encodeDesMap's plaintext, key and IV (labelled desKey / desIV) and
#    its ciphertext, then calls through -- the key/IV are app secrets.
#  - logs Utils.md5 input/output (NOTE(review): hooked without .overload();
#    assumes a single overload -- confirm).
#  - exports test() as rpc "rpcfunc"; unused by this listing.
jsCode = """
Java.perform(function(){
var RequestUtil = Java.use('com.dodonew.online.http.RequestUtil');
RequestUtil.encodeDesMap.overload('java.lang.String', 'java.lang.String', 'java.lang.String').implementation = function(a, b, c){
console.log('data: ', a);
console.log('desKey: ', b);
console.log('desIV: ', c);
var retval = this.encodeDesMap(a, b, c);
console.log('retval: ', retval);
return retval;
}
var Utils = Java.use('com.dodonew.online.util.Utils');
Utils.md5.implementation = function(a){
console.log('MD5 string: ', a);
var retval = this.md5(a);
console.log('retval: ', retval);
return retval;
}
});

function test(data){
var result = "";
Java.perform(function(){
result = Java.use('com.dodonew.online.util.Utils').md5(data);
});
return result;
}

rpc.exports = {
rpcfunc: test
};

"""
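def messageFunc(message, data):
    """Receive messages from the agent.

    The agent does not call send(), so only 'error' messages (uncaught JS
    exceptions) are expected; without a handler they are never shown.
    `data` (binary payload) is unused.
    """
    if message["type"] == "error":
        print("[!] agent error: {0}".format(message.get("description")))
        print(message.get("stack", ""))
    else:
        print(message)


device = frida.get_usb_device()
print("device: ", device)
# spawn() starts the app in a suspended state, so the hooks are installed
# before any app code runs.
pid = device.spawn(['com.dodonew.online'])
print("pid: ", pid)
try:
    process = device.attach(pid)
    print("process: ", process)
    script = process.create_script(jsCode)
    script.on('message', messageFunc)
    script.load()
except Exception:
    # Do not leave a suspended, half-initialised process behind on the device.
    device.kill(pid)
    raise
device.resume(pid)   # hooks are in place; let the app run
print("开始运行")
try:
    # Keep the hooks alive until stdin is closed.
    sys.stdin.read()
finally:
    process.detach()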

连接非标准端口、连接多个设备

# -*- coding: UTF-8 -*-
import frida, sys

# Frida agent (JavaScript) for the remote-device listing; same hooks as the
# earlier listings and kept byte-for-byte because the string runs inside the
# app:
#  - logs encodeDesMap's arguments (data / desKey / desIV) and result, then
#    calls through.  The key and IV are secrets extracted from the app.
#  - logs Utils.md5 input/output (NOTE(review): hooked without .overload();
#    assumes a single overload -- confirm).
#  - exports test() as rpc "rpcfunc"; unused here.
jsCode = """
Java.perform(function(){
var RequestUtil = Java.use('com.dodonew.online.http.RequestUtil');
RequestUtil.encodeDesMap.overload('java.lang.String', 'java.lang.String', 'java.lang.String').implementation = function(a, b, c){
console.log('data: ', a);
console.log('desKey: ', b);
console.log('desIV: ', c);
var retval = this.encodeDesMap(a, b, c);
console.log('retval: ', retval);
return retval;
}
var Utils = Java.use('com.dodonew.online.util.Utils');
Utils.md5.implementation = function(a){
console.log('MD5 string: ', a);
var retval = this.md5(a);
console.log('retval: ', retval);
return retval;
}
});

function test(data){
var result = "";
Java.perform(function(){
result = Java.use('com.dodonew.online.util.Utils').md5(data);
});
return result;
}

rpc.exports = {
rpcfunc: test
};

"""
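def messageFunc(message, data):
    """Receive messages from the agent.

    Only 'error' messages (uncaught JS exceptions) are expected because the
    agent never calls send(); a handler is required for them to be shown.
    `data` (binary payload) is unused.
    """
    if message["type"] == "error":
        print("[!] agent error: {0}".format(message.get("description")))
        print(message.get("stack", ""))
    else:
        print(message)


# Connect to a frida-server listening on an explicit host:port rather than the
# USB transport; calling add_remote_device() once per address is also how
# several devices are driven from one script.
# NOTE(review): the port is written with a leading zero ("0328") -- confirm it
# matches the address frida-server was started with.
# Anyone who can reach that port can instrument every process on the device,
# so keep frida-server on a trusted network only.
process = frida.get_device_manager().add_remote_device("10.133.4.254:0328").attach('com.dodonew.online')
script = process.create_script(jsCode)
script.on('message', messageFunc)
script.load()
print("开始运行")
try:
    # Keep the hooks alive until stdin is closed.
    sys.stdin.read()
finally:
    process.detach()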

frida与python的交互

send的使用

# -*- coding: UTF-8 -*-
import frida, sys

# Frida agent (JavaScript) demonstrating send(): identical to the earlier
# agents except that the md5 hook ships the digest to Python with send()
# instead of logging it.  send() is one-way and asynchronous -- the hook does
# not wait for Python and returns the real digest unchanged.  The string runs
# inside the app and is kept byte-for-byte.
# NOTE(review): Utils.md5 is hooked without .overload(); assumes a single
# overload -- confirm.
jsCode = """
Java.perform(function(){
var RequestUtil = Java.use('com.dodonew.online.http.RequestUtil');
RequestUtil.encodeDesMap.overload('java.lang.String', 'java.lang.String', 'java.lang.String').implementation = function(a, b, c){
console.log('data: ', a);
console.log('desKey: ', b);
console.log('desIV: ', c);
var retval = this.encodeDesMap(a, b, c);
console.log('retval: ', retval);
return retval;
}
var Utils = Java.use('com.dodonew.online.util.Utils');
Utils.md5.implementation = function(a){
console.log('MD5 string: ', a);
var retval = this.md5(a);
send(retval);
return retval;
}
});

function test(data){
var result = "";
Java.perform(function(){
result = Java.use('com.dodonew.online.util.Utils').md5(data);
});
return result;
}

rpc.exports = {
rpcfunc: test
};

"""
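def messageFunc(message, data):
    """Receive messages posted by the agent.

    message: dict from frida.  'type' is 'send' for agent send() calls (the
             value is in 'payload') or 'error' for uncaught JS exceptions
             ('description' and 'stack').
    data:    optional binary payload attached to send(); unused here.
    """
    if message["type"] == "send":
        print(u"[*]{0}".format(message["payload"]))
    elif message["type"] == "error":
        # Print the JS stack on its own lines; dumping the raw dict hides it
        # behind escaped newlines.
        print("[!] agent error: {0}".format(message.get("description")))
        print(message.get("stack", ""))
    else:
        print(message)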
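# Attach by package name (the app must already be running).  The message
# handler is registered before load() so that both send() payloads and any
# error raised while the agent is being loaded reach messageFunc.
process = frida.get_usb_device().attach('com.dodonew.online')
script = process.create_script(jsCode)
script.on('message', messageFunc)
script.load()
print("开始运行")
try:
    # Keep the hooks alive until stdin is closed.
    sys.stdin.read()
finally:
    # Remove our hooks from the target explicitly rather than relying on exit.
    process.detach()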

recv的使用

# -*- coding: UTF-8 -*-
import frida, sys
import time

# Frida agent (JavaScript) demonstrating the send()/recv() round trip.  The
# md5 hook sends the real digest to Python, then blocks the hooked app thread
# in recv(...).wait() until Python answers with script.post(); the posted
# "data" field then REPLACES the digest the app receives (retval = obj.data),
# i.e. Python decides what the app sees as its MD5.  The encodeDesMap hook is
# unchanged from the earlier listings.  The string runs inside the app and is
# kept byte-for-byte.
# NOTE(review): Utils.md5 is hooked without .overload(); assumes a single
# overload -- confirm.
jsCode = """
Java.perform(function(){
var RequestUtil = Java.use('com.dodonew.online.http.RequestUtil');
RequestUtil.encodeDesMap.overload('java.lang.String', 'java.lang.String', 'java.lang.String').implementation = function(a, b, c){
console.log('data: ', a);
console.log('desKey: ', b);
console.log('desIV: ', c);
var retval = this.encodeDesMap(a, b, c);
console.log('retval: ', retval);
return retval;
}
var Utils = Java.use('com.dodonew.online.util.Utils');
Utils.md5.implementation = function(a){
console.log('MD5 string: ', a);
var retval = this.md5(a);
send(retval);
recv(function(obj){
console.log(JSON.stringify(obj));
console.log("Python:", obj.data);
retval = obj.data;
}).wait();
return retval;
}
});
"""


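def messageFunc(message, data):
    """Answer the agent's send() with a value via script.post().

    The agent hook calls send(md5) and then blocks in recv(...).wait() on the
    app thread until Python posts; the "data" field of the posted object is
    what the app gets back in place of the real digest.  `script` is the
    module-level Script created below -- it is bound before load(), so it is
    always available by the time a message arrives.  `data` (binary payload)
    is unused.
    """
    if message["type"] == 'send':
        print(u"[*] {0}".format(message['payload']))
        # Simulated slow Python-side work.  The hooked app thread (and this
        # dispatcher thread) stay blocked for the whole delay.
        time.sleep(10)
        # Deliberately overrides the app's MD5 result with a fixed value.
        script.post({"data": "0e8315152843b943563031945032e957"})
    elif message["type"] == 'error':
        # The original printed every message twice; print errors once, with
        # the JS stack readable.
        print("[!] agent error: {0}".format(message.get("description")))
        print(message.get("stack", ""))
    else:
        print(message)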


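# Transport alternatives: frida.get_usb_device() for a phone over USB,
# frida.get_remote_device() for a frida-server reachable over TCP.
process = frida.get_usb_device().attach('com.dodonew.online')
script = process.create_script(jsCode)
script.on('message', messageFunc)   # must be registered before load()
script.load()
print("开始运行")
try:
    # Keep the hooks alive until stdin is closed.
    sys.stdin.read()
finally:
    # Detach so the app continues with its real md5 once we are gone.
    process.detach()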

frida的rpc远程调用

# -*- coding: UTF-8 -*-
import frida, sys

# Frida agent (JavaScript) for the rpc listing.  Same hooks as before (kept
# byte-for-byte because the string runs inside the app):
#  - logs encodeDesMap's arguments (data / desKey / desIV) and result, then
#    calls through; the key and IV are secrets extracted from the app.
#  - logs Utils.md5 input/output (NOTE(review): hooked without .overload();
#    assumes a single overload -- confirm).
#  - test(data) computes Utils.md5(data) inside Java.perform and is exported
#    to Python as rpc "rpcfunc" -- this is the function the Python side calls
#    through script.exports.  Because the md5 hook is installed, each rpc
#    call also produces the hook's console output.
jsCode = """
Java.perform(function(){
var RequestUtil = Java.use('com.dodonew.online.http.RequestUtil');
RequestUtil.encodeDesMap.overload('java.lang.String', 'java.lang.String', 'java.lang.String').implementation = function(a, b, c){
console.log('data: ', a);
console.log('desKey: ', b);
console.log('desIV: ', c);
var retval = this.encodeDesMap(a, b, c);
console.log('retval: ', retval);
return retval;
}
var Utils = Java.use('com.dodonew.online.util.Utils');
Utils.md5.implementation = function(a){
console.log('MD5 string: ', a);
var retval = this.md5(a);
console.log('retval: ', retval);
return retval;
}
});

function test(data){
var result = "";
Java.perform(function(){
result = Java.use('com.dodonew.online.util.Utils').md5(data);
});
return result;
}

rpc.exports = {
rpcfunc: test
};

"""

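def messageFunc(message, data):
    """Receive messages from the agent.

    The agent does not call send(), so only 'error' messages (uncaught JS
    exceptions) are expected; without a handler they are never shown.
    `data` (binary payload) is unused.
    """
    if message["type"] == "error":
        print("[!] agent error: {0}".format(message.get("description")))
        print(message.get("stack", ""))
    else:
        print(message)


# Transport alternatives: frida.get_usb_device() for a phone over USB,
# frida.get_remote_device() for a frida-server reachable over TCP.
device = frida.get_usb_device()
print("device: ", device)
pid = device.spawn(["com.dodonew.online"])  # created suspended, hooks go in before app code runs
print("pid: ", pid)
try:
    process = device.attach(pid)
    print("process: ", process)
    script = process.create_script(jsCode)
    script.on('message', messageFunc)
    script.load()
except Exception:
    # Do not leave a suspended, half-initialised process behind on the device.
    device.kill(pid)
    raise
device.resume(pid)  # script is loaded; resume the process

# Call the agent's rpc export.  The JS side names it "rpcfunc"; use exactly
# that spelling.  (The listing's original "rpcFUnc" presumably only resolved
# because frida-python normalises attribute names before the lookup -- do not
# rely on that.)
result = script.exports.rpcfunc('equtype=ANDROID&loginImei=Androidnull&timeStamp=1626790668522&userPwd=a12345678&username=15968079477&key=sdlkjsdljf0j2fsjk')
print(result)
print("开始运行")
try:
    # Keep the hooks alive until stdin is closed.
    sys.stdin.read()
finally:
    process.detach()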

frida算法转发

import requests, json
import frida

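# Frida agent (JavaScript) used as an "algorithm forwarder": instead of
# re-implementing the app's request signing/encryption, Python asks the live
# app to do it.  hookTest(username, password):
#  1. builds the query-string `signData` (loginImei, timeStamp, password,
#     username, fixed key suffix) and takes Utils.md5(...).toUpperCase() as
#     the request signature;
#  2. builds the JSON login body and encrypts it with
#     RequestUtil.encodeDesMap(body, key, iv).  The key '65102933' and IV
#     '32028092' are 8-byte constants presumably captured with the earlier
#     encodeDesMap hook; since they are fixed in the client, this layer gives
#     no confidentiality against anyone holding the APK.
#  3. returns the ciphertext; exported to Python as rpc "xiaojianbang".
# Change from the original: the JSON body is produced with JSON.stringify
# (same key order, timeStamp still a string) rather than string
# concatenation, so a quote or backslash in the credentials cannot break or
# alter the document.  signData is the app's own signing format and is left
# as raw concatenation.
jsCode = """
function hookTest(username, password){
var result;
Java.perform(function(){

var time = new Date().getTime();
var signData = 'equtype=ANDROID&loginImei=Android352689082129358&timeStamp=' +
time + '&userPwd=' + password + '&username=' + username + '&key=sdlkjsdljf0j2fsjk';
var Utils = Java.use('com.dodonew.online.util.Utils');
var sign = Utils.md5(signData).toUpperCase();
console.log('sign: ', sign);

var encryptData = JSON.stringify({
equtype: 'ANDROID',
loginImei: 'Android352689082129358',
sign: sign,
timeStamp: String(time),
userPwd: password,
username: username
});
var RequestUtil = Java.use('com.dodonew.online.http.RequestUtil');
var Encrypt = RequestUtil.encodeDesMap(encryptData, '65102933', '32028092');
console.log('Encrypt: ', Encrypt);
result = Encrypt;

});
return result;
}
rpc.exports = {
xiaojianbang: hookTest
};
"""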

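# --- drive the frida agent ---------------------------------------------------
# Demo account from the original listing.  NOTE(review): these are hard-coded
# credentials; for anything beyond a one-off demo supply them from the
# environment instead of committing them.
USERNAME = '15968079477'
PASSWORD = 'a12345678'

# frida-server must be listening on this address on the phone.
process = frida.get_device_manager().add_remote_device('192.168.3.68:27042').attach("com.dodonew.online")
script = process.create_script(jsCode)
print('[*] Running 小肩膀')
script.load()
try:
    # Ask the app itself to sign + DES-encrypt the login body.
    cipherText = script.exports.xiaojianbang(USERNAME, PASSWORD)
finally:
    # The agent is only needed for this one call; release the target.
    process.detach()

# Plain HTTP: the DES layer (client-side constant key/IV) is the only thing
# protecting the credentials on the wire.
url = 'http://api.dodovip.com/api/user/login'
data = json.dumps({"Encrypt": cipherText})
headers = {
    "content-type": "application/json; charset=utf-8",
    "User-Agent": "Dalvik/2.1.0 (Linux; U; Android 10; Pixel Build/QP1A.191005.007.A3)"
}
# timeout: without one an unresponsive server hangs the script forever.
r = requests.post(url=url, data=data, headers=headers, timeout=15)
print(r)
print(r.text)
print(type(r.text))
print(r.content)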