下载[frida-server],跟frida版本号同步 https://github.com/frida/frida/releases?page=4打开app进入手机目录并启动frida sargo:/data/local/tmp # ./frida-server-15.1.27-android-arm64端口转发 adb forward tcp:27042 tcp:27042确定包名使用frida -U -f com.xxx.xxx.xxx -l dupDex.js --no-pause
命令 或者使用frida-hexdump -U -f com.inmo.inmolife命令在com.xxx.xxx.xxx 中寻找dex文件 或者在输出的日志中有输出路径使用dex2jar工具把dex文件转为jar文件 d2j-dex2jar.sh *.dex -d --skip-exceptions -f,也可以直接用jadx打开
frida-ps -Ua | findstr com.inmo.inmolife frida -U -f com.inmo.inmolife -l D:\work\yinjincc\Frida-Android-unpack\dupDex.js --pause
frida-hexdump -U -f com.inmo.inmolife
Spawned com.inmo.inmolife. Use %resume to let the main thread start executing!
资料
app逆向抓包技巧:ROOT检测绕过 360加固脱壳分析 Frida Javascript Api 逆向调试利器:Frida 安卓逆向-脱壳学习记录 某日热榜 360 加固脱修的两种方法 解锁会员功能 Android反编译#零基础脱掉360加固包的“外衣” Android逆向之路:如何脱壳360加固 脱掉360加固壳(破解约友神器的钻石充值功能) 安卓修改大师是如何脱掉“360加固”的壳的? 转载:【安卓逆向】360加固-脱壳修复 360加固一键脱壳工具详解 NP-Manager MT 管理器 FRIDA-DEXDump Android 常见脱壳与反编译工具 Frida-Dexdump 脱壳工具下载使用以及相关技术介绍 最新各大apk加固特征库 脱壳
[1197]脱壳工具dumpDex、frida_dump、BlackDex 反编译 - 360加固后的脱壳 - 使用: frida + 葫芦娃的 frida-dexdump 可以秒级搞定, apk, decompile, frida, frida-server, android
dexDump.js
'use strict';
//Android O:
//ARM32/64: _ZN3art7DexFile10OpenCommonEPKhjRKNSt3__112basic_stringIcNS3_11char_traitsIcEENS3_9allocatorIcEEEEjPKNS_10OatDexFileEbbPS9_PNS0_12VerifyResultE
//Android P:
//ARM32/64: _ZN3art13DexFileLoader10OpenCommonEPKhmS2_mRKNSt3__112basic_stringIcNS3_11char_traitsIcEENS3_9allocatorIcEEEEjPKNS_10OatDexFileEbbPS9_NS3_10unique_ptrINS_16DexFileContainerENS3_14default_deleteISH_EEEEPNS0_12VerifyResultE
//if u want to get own func name,u can use this script to get it!
var moduleFuncName;
var m = Module.enumerateExportsSync('libart.so');
m.forEach(function(m){
if(m.name.indexOf("OpenCommon") != -1){
moduleFuncName = m.name;
console.log("module function name: "+ m.name);
}else if(m.name.indexOf("OpenMemory") != -1){
moduleFuncName = m.name;
console.log("module function name: "+ m.name);
};
});
//var moduleO = "_ZN3art7DexFile10OpenCommonEPKhjRKNSt3__112basic_stringIcNS3_11char_traitsIcEENS3_9allocatorIcEEEEjPKNS_10OatDexFileEbbPS9_PNS0_12VerifyResultE";
//var moduleP = "_ZN3art13DexFileLoader10OpenCommonEPKhmS2_mRKNSt3__112basic_stringIcNS3_11char_traitsIcEENS3_9allocatorIcEEEEjPKNS_10OatDexFileEbbPS9_NS3_10unique_ptrINS_16DexFileContainerENS3_14default_deleteISH_EEEEPNS0_12VerifyResultE";
if(moduleFuncName != null){
console.log("=========================================");
console.log("Hook Start");
var OpenCommon = Module.findExportByName("libart.so",moduleFuncName);
if(OpenCommon != undefined){
Interceptor.attach(OpenCommon,{
onEnter: function(args){
console.log("base: "+ args[1]);
console.log("size: "+ args[2].toInt32());
console.log(hexdump(
args[1],{
offset: 0,
length: 64,
header: true,
ansi: true
}
));
var begin = args[1];
console.log("magic : " + Memory.readUtf8String(begin))
var address = parseInt(begin,16) + 0x20;
var dex_size = Memory.readInt(ptr(address));
console.log("dex_size :" + dex_size);
var file = new File("/data/data/com.jjwxc.reader/" + dex_size + ".dex", "wb");
file.write(Memory.readByteArray(begin, dex_size));
file.flush();
file.close();
},
onLeave: function(retval){
console.log("Finished!!!");
console.log("=========================================");
}
});
}else{
console.log("Null Point!!!");
}
}else{
console.log("Function not exist!\n");
}