frida-writeup-rps

frida-writeup-rps

打开apk,很平凡,源码分析

JEB打开,无壳无混淆

看java代码分析流程


石头剪刀布,赢1000遍就可以得到对应的flag

想要获取到flag,可以使用以下方法:

  1. 碰运气赢它1000次 …
  2. hook 进去直接调用 this.calc() 拿到返回值,再按 (1000 + calc()) * 107 自己算出 flag
  3. 分析 this.calc()静态分析得到calc的值
  4. 直接改写计数字段 this.cnt(下面的脚本写入 999,并配合 n、m 的取值让接下来那一次判定计为获胜,推到 1000)

这里利用frida来hook尝试拿到flag

1 hook this.calc()(在 onCreate 里调用;注意 onCreate 只在 Activity 创建时执行一次,脚本必须在 App 启动前就注入——用 spawn 方式拉起进程,或者重建 Activity;直接 attach 到已经在运行的进程不会触发这个 hook)

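// Number of wins the app requires before it builds the flag.
var WIN_TARGET = 1000;

// Flag formula taken from the app: (cnt + calc()) * 107, wrapped in SECCON{...}.
// Kept out of the hook so the arithmetic can be checked without a device.
//   calcValue - integer returned by MainActivity.calc()
//   winCount  - value of the win counter at the moment the app builds the flag
function flagFromCalc(calcValue, winCount) {
  return "SECCON{" + ((winCount + calcValue) * 107).toString() + "}";
}

Java.perform(function () {
  var MainActivity = Java.use('com.example.seccon2015.rock_paper_scissors.MainActivity');
  // Replace onCreate. The Bundle argument is kept so the original can be called through.
  MainActivity.onCreate.implementation = function (bundle) {
    send("Hook Start...");
    // Call the real onCreate first. A replacement that never calls through leaves the
    // Activity uninitialised (normally Android aborts it with SuperNotCalledException),
    // so the app would die right after the flag is printed.
    this.onCreate(bundle);
    // calc() is the value the app adds to the win counter; reading it here avoids
    // winning 1000 rounds. NOTE(review): this hook only fires when onCreate runs,
    // i.e. the script must be loaded before the app starts (spawn) or the Activity
    // must be recreated — attaching to a running instance is too late.
    var returnValue = this.calc();
    send("Return:" + returnValue);
    send("Flag:" + flagFromCalc(returnValue, WIN_TARGET));
  };
});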
import frida, sys

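def on_message(message, data):
    """Frida message callback: print what the injected script reports.

    Args:
        message: dict delivered by the Frida runtime. ``type == 'send'`` carries
            a ``payload`` from the script's ``send()``; ``type == 'error'`` is an
            uncaught exception inside the script; anything else is printed raw.
        data: optional binary payload sent with the message (unused here).
    """
    kind = message.get('type')
    if kind == 'send':
        print("[*] {0}".format(message['payload']))
    elif kind == 'error':
        # An uncaught JS exception (wrong class name, missing overload, ...) is the
        # usual reason a hook silently "does nothing"; the stack is far more useful
        # than the raw dict, so print it when present.
        print("[!] {0}".format(message.get('stack') or message.get('description') or message))
    else:
        print(message)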

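PACKAGE = 'com.example.seccon2015.rock_paper_scissors'

# Frida script: replace MainActivity.onCreate, read calc() and print the flag the
# app would build after 1000 wins, i.e. (cnt + calc()) * 107.
jscode = """
Java.perform(function () {
    var MainActivity = Java.use('com.example.seccon2015.rock_paper_scissors.MainActivity');
    MainActivity.onCreate.implementation = function (bundle) {
        send("Hook Start...");
        // Call through so the Activity is still initialised normally; a replaced
        // onCreate that never calls the original leaves the app in a broken state.
        this.onCreate(bundle);
        var returnValue = this.calc();
        send("Return:"+returnValue);
        var result = (1000+returnValue)*107;
        send("Flag:"+"SECCON{"+result.toString()+"}");
    };
});
"""

device = frida.get_usb_device()
# onCreate only runs when the Activity is created, so the hook has to be in place
# before the app starts: spawn the package suspended, load the script, then resume.
# Attaching to an already-running instance would never see onCreate fire unless
# the Activity were recreated (e.g. by rotating the screen).
pid = device.spawn([PACKAGE])
session = device.attach(pid)
script = session.create_script(jscode)
script.on('message', on_message)
script.load()
device.resume(pid)
# Keep the session (and with it the hook) alive until stdin is closed (Ctrl-D).
sys.stdin.read()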

2 直接改写 this.cnt(脚本写入 999,再由 n=0、m=2 的这次判定补到 1000;这种方式 attach 到运行中的进程即可,因为 onClick 每次点击都会触发)

Java.perform(function () {
  var Main = Java.use('com.example.seccon2015.rock_paper_scissors.MainActivity');
  // Field values forced after every click. Presumably n is the player's move, m the
  // app's move and cnt the win counter (names as in the decompiled class); n=0 / m=2
  // is picked so the pending comparison counts as a win and cnt goes 999 -> 1000.
  // This relies on the win check running after onClick returns — confirm against
  // the decompiled onClick.
  var forced = { n: 0, m: 2, cnt: 999 };
  // Wrap onClick: let the real handler run, then overwrite the fields it reads.
  Main.onClick.implementation = function (v) {
    send("Hook Start...");
    this.onClick(v);
    var self = this;
    Object.keys(forced).forEach(function (field) {
      self[field].value = forced[field];
    });
    send("Success!");
  };
});
import frida, sys

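def on_message(message, data):
    """Frida message callback: print what the injected script reports.

    Args:
        message: dict delivered by the Frida runtime. ``type == 'send'`` carries
            a ``payload`` from the script's ``send()``; ``type == 'error'`` is an
            uncaught exception inside the script; anything else is printed raw.
        data: optional binary payload sent with the message (unused here).
    """
    kind = message.get('type')
    if kind == 'send':
        print("[*] {0}".format(message['payload']))
    elif kind == 'error':
        # An uncaught JS exception (wrong class name, missing overload, ...) is the
        # usual reason a hook silently "does nothing"; the stack is far more useful
        # than the raw dict, so print it when present.
        print("[!] {0}".format(message.get('stack') or message.get('description') or message))
    else:
        print(message)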

# Frida script: wrap MainActivity.onClick and, after each real click, force the
# fields the app compares (n, m) and the win counter (cnt) so the next verdict
# lands on 1000 wins. The JS is passed to Frida verbatim.
jscode = """
Java.perform(function () {
var MainActivity = Java.use('com.example.seccon2015.rock_paper_scissors.MainActivity');
MainActivity.onClick.implementation = function (v) {
send("Hook Start...");
this.onClick(v);
this.n.value = 0;
this.m.value = 2;
this.cnt.value = 999;
send("Success!")
}
});
"""

# onClick fires on every tap, so attaching to the already-running app over USB
# is enough here (unlike an onCreate hook, which needs the process spawned).
device = frida.get_usb_device()
process = device.attach('com.example.seccon2015.rock_paper_scissors')
script = process.create_script(jscode)
script.on('message', on_message)
script.load()
# Block until stdin is closed (Ctrl-D); detaching would remove the hook.
sys.stdin.read()