frida-rpc 远程调用SO里面的加解密算法
把 apk 拖到 jadx 里,找到我们需要调用的方法:
public class JavaNdk {
private static JavaNdk instance = new JavaNdk();
private final String TAG = StringFog.decrypt("IgsFMwxSLh8G");
private native byte[] decrypt(String str);
private native byte[] encrypt(String str);
public static native void init(Context context);
// Private constructor: the only instance is the static `instance` field
// declared above, so callers must go through that singleton.
private JavaNdk() {
}
decrypt---解密 在native层
encrypt----加密 在native层
我们这里不去逆向它的 so,而是直接用 frida-rpc 远程调用 Java 层的接口。(读者提问:我知道了它的 so 文件名,但是解压 apk 根本找不到这个 so,用 Frida 遍历已加载的 so 也没有,这种情况下怎样才能拿到可分析的 so?)
看一下,这两个方法的具体代码:
/**
 * Java-side wrapper around the native encrypt(): passes the plaintext through
 * and re-encodes the returned bytes as a String using a charset whose name is
 * StringFog-obfuscated (resolved at runtime), as are both error messages.
 *
 * @return the encoded result, or null if the charset name is unsupported
 *         (the exception is printed, not propagated)
 * @throws IllegalArgumentException when msg is null, or when the native
 *         encrypt returned null
 */
private String encryptSrc(String msg) {
    if (msg == null) {
        throw new IllegalArgumentException(StringFog.decrypt("JRYLTANFOU8XHhYnF0JCQQ=="));
    }
    byte[] cipher = encrypt(msg);
    if (cipher == null) {
        throw new IllegalArgumentException(StringFog.decrypt("LQsPHhZQI08UDQ0kS0JC"));
    }
    try {
        return new String(cipher, StringFog.decrypt("PREKVA=="));
    } catch (UnsupportedEncodingException e) {
        e.printStackTrace();
        return null;
    }
}
/**
 * Java-side wrapper around the native decrypt(): takes the ciphertext string
 * and returns the plaintext built with the platform default charset (unlike
 * encryptSrc, no explicit charset is given here). Both error messages are
 * StringFog-obfuscated and resolved at runtime.
 *
 * @throws IllegalArgumentException when msg is null, or when the native
 *         decrypt returned null
 */
private String decryptSrc(String msg) {
    if (msg == null) {
        throw new IllegalArgumentException(StringFog.decrypt("JRYLTANFOU8XHhYnF0JCQQ=="));
    }
    byte[] plain = decrypt(msg);
    if (plain == null) {
        throw new IllegalArgumentException(StringFog.decrypt("LAAPHhZQI08UDQ0kS0JC"));
    }
    return new String(plain);
}
native 层的 encrypt/decrypt 传 String 返回 byte[];外层的 encryptSrc 传 String 返回 String,decryptSrc 同理,所以我们直接调用 encryptSrc / decryptSrc 这两个包装方法即可。
上frida rpc代码test.js
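// frida agent: expose the app's Java-level encrypt/decrypt wrappers over RPC.
// Both wrappers live on the JavaNdk singleton (its private static `instance`
// field), so we look the live object up on the heap and call the private
// *Src methods on it; the cipher itself runs in the native encrypt()/decrypt()
// behind them.
const NDK_CLASS = "com.mingning179.networkapi.util.JavaNdk";

/**
 * Call `method` on the JavaNdk instance(s) found on the heap.
 *
 * The original kept one shared global `result` for both exports and never
 * reset it, so a call that matched no instance silently returned the value of
 * the previous call. Here the result is local and starts as null.
 *
 * @param {string} method name of the instance method ("encryptSrc"/"decryptSrc")
 * @param {string} label  short name used in the console trace
 * @param {string} arg    argument passed as a java.lang.String
 * @returns {string|null} the method's result, or null when no instance matched
 * @throws {TypeError} when arg is not a string; $new(null) would otherwise
 *   fail deep inside frida with a far less useful message
 */
function callOnNdk(method, label, arg) {
  if (typeof arg !== "string") {
    throw new TypeError(`${label}: expected a string, got ${typeof arg}`);
  }
  let result = null;
  // NOTE(review): this relies on Java.perform running its callback
  // synchronously, which is the case for an already-attached, running app;
  // if it were deferred, the export would return null before onMatch ran.
  Java.perform(function () {
    console.log("begin");
    Java.choose(NDK_CLASS, {
      onMatch: function (instance) {
        console.log("find instance :" + instance);
        console.log("result of fun(string) " + label + ":" + arg);
        // Last match wins, as before; JavaNdk is a singleton so one is expected.
        result = instance[method](Java.use("java.lang.String").$new(arg));
      },
      onComplete: function () {
        console.log("end");
      },
    });
  });
  return result;
}

// RPC export: encrypt a request string via JavaNdk.encryptSrc.
function encrypt(str_url) {
  return callOnNdk("encryptSrc", "encrypt", str_url);
}

// RPC export: decrypt a response string via JavaNdk.decryptSrc.
function decrypt(str_data) {
  return callOnNdk("decryptSrc", "decrypt", str_data);
}

rpc.exports = {
  decrypt: decrypt,
  encrypt: encrypt,
};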
Python 代码:用 Flask 把 frida-rpc 封装成 HTTP 接口来远程调用。代码是我从 GitHub 上拿别人的改了一下,接口全部用 POST 方式传参。
#!/usr/bin/python3
# -*- coding: utf-8 -*-
import frida
import json
from flask import Flask, jsonify, request
def on_message(message, data):
    """frida message callback: echo the script's send() payloads, dump the rest.

    message -- dict delivered by frida; for type 'send' the script's value is
               under 'payload', any other type (e.g. 'error') is printed as-is.
    data    -- optional binary attachment, unused here.
    """
    kind = message['type']
    if kind != 'send':
        print(message)
        return
    print("[*] {0}".format(message['payload']))
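# Load the agent and inject it into the target app over USB. This runs at import
# time, so the device and the app must already be up when the server starts.
with open('test.js', 'r', encoding='utf8') as agent_file:  # close the handle instead of leaking it
    js = agent_file.read()
session = frida.get_usb_device().attach('com.wjmt.app')  # package name of the target app
script = session.create_script(js)
script.on('message', on_message)
script.load()
app = Flask(__name__)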
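@app.route('/decrypt', methods=['POST'])  # decrypt response data via JavaNdk.decryptSrc
def decrypt_class():
    """POST {"data": "<ciphertext>"} -> plaintext string from the app.

    Returns 400 when the body is not UTF-8 JSON or has no string "data" field,
    500 when the agent returned no result (no JavaNdk instance found); an
    exception inside the agent surfaces as a frida RPC error (also 500).
    SECURITY: this route has no authentication. Anyone who can reach the port
    can use the app's key material as a decryption oracle, so keep the server
    on loopback or put access control in front of it.
    """
    try:
        # json.JSONDecodeError and UnicodeDecodeError are both ValueError.
        json_data = json.loads(request.get_data().decode("utf-8"))
    except ValueError:
        return jsonify(error="request body must be UTF-8 encoded JSON"), 400
    postdata = json_data.get("data") if isinstance(json_data, dict) else None
    if not isinstance(postdata, str):
        return jsonify(error='"data" must be a JSON string'), 400
    # NOTE(review): recent frida versions expose this as script.exports_sync — confirm.
    res = script.exports.decrypt(postdata)
    if res is None:
        return jsonify(error="agent returned no result (no JavaNdk instance found?)"), 500
    return res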
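@app.route('/encrypt', methods=['POST'])  # encrypt a URL/request string via JavaNdk.encryptSrc
def encrypt_class():
    """POST {"data": "<plaintext>"} -> ciphertext string from the app.

    Returns 400 when the body is not UTF-8 JSON or has no string "data" field,
    500 when the agent returned no result (no JavaNdk instance found); an
    exception inside the agent surfaces as a frida RPC error (also 500).
    SECURITY: this route has no authentication. Anyone who can reach the port
    can forge traffic the app will accept, so keep the server on loopback or
    put access control in front of it.
    """
    try:
        # json.JSONDecodeError and UnicodeDecodeError are both ValueError.
        json_data = json.loads(request.get_data().decode("utf-8"))
    except ValueError:
        return jsonify(error="request body must be UTF-8 encoded JSON"), 400
    postdata = json_data.get("data") if isinstance(json_data, dict) else None
    if not isinstance(postdata, str):
        return jsonify(error='"data" must be a JSON string'), 400
    print(postdata)  # trace the plaintext being sent to the agent
    # NOTE(review): recent frida versions expose this as script.exports_sync — confirm.
    res = script.exports.encrypt(postdata)
    if res is None:
        return jsonify(error="agent returned no result (no JavaNdk instance found?)"), 500
    return res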
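if __name__ == '__main__':
    # Bind to loopback explicitly rather than relying on Flask's default: the
    # endpoints above have no authentication, so forwarding this port to any
    # other host hands that host the app's encrypt/decrypt capability.
    app.run(host='127.0.0.1', port=5000)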
在手机上启动 frida-server 服务(我把它改名为 fs,用后台方式启动),看图检查,启动成功。
运行我们的flask框架
调用一下加密、解密的 API 接口看看
实现成功
也可以再开本地端口转发让外网调用。但要注意:这两个接口没有任何鉴权,转发到公网等于把 app 的加解密能力开放给任何人当"加解密预言机"用,谁都能伪造或解开这个 app 的流量。只应在可信内网使用,或者至少加上鉴权/访问控制。