Android Reverse Tour---hook artifact family Frida Tool usage

<span id="Label3"></p>first, Preface<p><p>In the reverse process has a hook artifact is an essential tool, has been introduced xposed and substrate, do not understand the classmate can read these two articles: Android hook artifact xposed tool Introduction and Android Hook artifact Substratecydia Tool Introduction These two articles are very important one is the hook Java layer when the most commonly used xposed and hook native layer of substratecydia, Can see my previous articles such as Write Plug-ins and so on have adopted the xposed tool, because the personal feel xposed use more cool, write code more Convenient. And for the Substratecydia tool can hook native layer, This article will explain how to Use. So why do we introduce Frida tools with these two artifacts? And this tool has been introduced on the internet, why also introduced, because this Frida tool for the reverse operation of the hack is very convenient, so-called convenience is his installation environment and configuration requirements are very simple compatibility is very good, because recently in a protocol decryption, Helpless mobile phone installed after the Cydia is not compatible led to the crash so I turned to use this tool to achieve the hook, so think this tool is very useful on a separate introduction.</p></p><p><p></p></p>second, the Environment installation configuration<p><p>Because there is indeed an introduction on the internet, and the official website also has a document: https://www.frida.re/docs/javascript-api, but the most important is the fragment is a west of a place, there is no inductive summary, and a lot of commonly used functions are not introduced, So this article on the commonly used hook tool detailed introduction, mainly from the following aspects to Introduce:</p></p><p><p>first, How to modify the Java layer function parameters and return values</p></p><p><p>second, How to print the Java Layer method stack information</p></p><p><p>third, How to intercept the function parameter and return value of native layer</p></p><p><p>For the Java layer will focus on the introduction, because we have used the xposed tool after all know, such as the parameters are custom type how hooks and so On. Not Much. using a single case as a sample, in order to be able to cover all the operational possibilities cases need to write complex points:</p></p><p><p></p></p><p><p>There are basic types of parameters and return values, as well as custom types, so let's start our Frida Tour.</p></p><p><p></p></p><p><p>This online has already had the tutorial, because Frida general principle is the handset side installs a server program, then carries on the handset port to the PC side, the PC writes the Python script to communicate, but the Python script needs the hook the code to use the JavaScript language. So it looks like we first need to install the Python environment on the PC side, this is not difficult to install Python directly, and then began to install frida, directly run the command: pip install Frida</p></p><p><p></p></p><p><p>The premise is that you need to configure the Python environment variable, otherwise the PIP command cannot be found. After the installation is complete, we will go to the official website to download the corresponding version of the mobile phone program frida-server:https://github.com/frida/frida/releases Note Here must be Frida-server version and the above Pc-side installed Frida version of the same, or run an Error. In fact, here to see the real hook function is the mobile phone side of the frida-server, this is open source we can study his principles. We also see that this tool is very similar to ida, and it also forwards the port on the phone to the PC side for Communication. With the frida-server after the good run, directly push to the phone directory, and then modify the properties of the File:</p></p><p><p>ADB push/data/local/tmp Frida-server</p></p><p><p>root# chmod 777/data/local/tmp/frida-server</p></p><p><p>Then run the program directly:</p></p><p><p>/data/local/tmp#./frida-server</p></p><p><p></p></p><p><p>Then forward the port to the PC Side:</p></p><p><p>ADB forward tcp:27042 tcp:27042</p></p><p><p>ADB forward tcp:27043 tcp:27043</p></p><p><p></p></p><p><p>Here we put the communication phone end work done, is not feeling and xposed compared very convenient, compatibility is very good, do not need to install xposed and other tools to consider the system mobile phone adaptation Problems. The next step is to start writing the hook program on the PC Side:</p></p><p><p></p></p><p><p>The code here is also very simple, because the Frida module is installed, directly import the module, and then call the API to get the session of the device and then hook the package name, then you can execute the JS script code to hook operation, and then print the Message:</p></p><p><p></p></p><p><p>Here with the Python print function printing, in fact, if you want to print can be used in the above JS script Console.log is also possible to see their habits. So here we see the general flow of the script is the outermost use of Python reference Frida Library to communicate with the device, and then write a JS script to perform the hook Operation. So here the most important is the JS script is to understand the JS Syntax. But it's not that Difficult. Now that the above conditions have been exhausted, we will begin the partial disassembly operation to see how we can cover our usual use of the hook Case.</p></p><p><p></p></p>third, Java Layer Hook operation case study the first Case: hook class construction method<p><p>We sometimes want to hook a class of construction method, in xposed directly with the Findconstructor method can be, because the construction method may have a number of overloaded forms, so need to use parameters as a distinction, here we hook our case of the Coinmoney class construction method:</p></p><p><p></p></p><p><p>first, the script uses the Java.use method to get the class type through the class name, and then constructs the method to be fixed: $init; this to remember, and then because of the need to overload so with overload (...) Form can be separated by commas between parameters and Parameters. The following is the operation after interception, here the method parameter can be custom variable name, because JS is weak language, not the type of strong check, of course, there are other methods to get the parameters are described later. Here's How to construct the Coinmoney class:</p></p><p><p></p></p><p><p>Then we use Send for sending a print message, of course, you can print the log in Console.log form, the code is finished, the following start to run see the effect, run is very simple, direct Python frida.py:</p></p><p><p></p></p><p><p>Before this must first open the hook application, otherwise it will be an error indicating that the program process is not found:</p></p><p><p></p></p><p><p>At this time in the run to see the success, we put the parameters of the construction method printed out, then the hook is successful Here. So you can see that this operation is more convenient than the xposed Tool. But he also has drawbacks to be summed up later.</p></p><p><p></p></p>second, the common method of hook class<p><p>The common methods here include static methods, private methods, and public methods, which are very similar to the construction method above, and the code is as Follows:</p></p><p><p></p></p><p><p>This is the construction method of the fixed wording $init changed to the need to hook the method Name. If the method is overloaded or overload, for example, here we hook the uitls.getpwd (String pwd) method:</p></p><p><p></p></p><p><p>And here we see that we can get the parameters with an implied variable arguments, which is the System's own parameter information that holds the METHOD. So we have two ways to get the parameter information of the METHOD. Run a look at the Effect:</p></p><p><p></p></p><p><p>See the print message, the hook succeeded. So here the hook method to get the parameters of the case are introduced, summed up is very simple, the construction method using fixed notation $init, the other methods all use the method Name. If the method has overloaded forms it needs to be separated by commas with the overload form of the Operation Parameters. The get parameter can be custom parameter names or obtained with the system implied arguments Variable. of course, before this, you need to use Java.use to get the type through the class Name.</p></p><p><p></p></p>third, Modify the parameters and return values of the method<p><p>When we use xposed to hook the most commonly used may be to modify parameters and return values to implement Plug-ins and external functions, in the Frida can actually be done but unlike xposed, we can see from the above code, There is no before method like Xposed and after method, and Frida is directly you can call the original method in function to modify the parameters, for example, I want to modify the above method parameter and return value:</p></p><p><p></p></p><p><p>Because there is no before and after method in frida, but can call the original method in fact Xposed can also directly call the original method, but not commonly used, as long as the original method can be called, then the parameters and return values can be arbitrarily modified, Here we change the parameters to jiangwei212, the return value is appended with the yyyy, see the print log:</p></p><p><p></p></p><p><p>In fact, this is more convenient than before and after forms, and you can do something before the original method call and do something behind it.</p></p><p><p></p></p>Iv. constructing and modifying custom type objects and properties<p><p>We also encounter this kind of common problem when we write the plug-in xposed, that is, the method parameter is not the basic type is a custom type, then also want to modify his property value or call him a method we will use reflection to operate, and when the return value, objects that want to construct a custom type are also manipulated directly by instantiating an object with Reflection. In fact, because JS is also supported in the reflection operation, so it is very simple:</p></p><p><p></p></p><p><p>It is very simple to construct an object here, and then you can simply fix the $new and then have the object directly call its corresponding method, then how to modify the field value of an object type? This is going to be reflected:</p></p><p><p></p></p><p><p>Here we intercept the Getcoinmoney method, the parameter is the Coinmoney type, we want to modify his money field value, when we directly call his method is not a problem, but if the direct call to the field value or modification will appear to fail, so only through reflection to modify the field value, But first get this object corresponding to the class type, with the Java.cast interface can be, and then get the reflection field directly modified, here to note whether the field is private or public writing is the same, it is this code everyone should pay attention to this code to Remember. Let's look at the result after the Hook:</p></p><p><p></p></p><p><p>If you do not use reflection to manipulate the direct Get field value printing is an Object.</p></p><p><p></p></p>The stack information of the printing method<p><p>It is sometimes more efficient to print stack information by throwing an exception during the crack Process. Xposed operation is very convenient direct Java code with the Log.xxx method to print the stack information, but in the Frida a bit of trouble, because he is the JS code bad operation, The first thought is to write a class to print the stack information and then into a dex, then put this dex into the program, because Frid A supports injecting a Dex file into the original program, and then invoking the method in the Dex in the method that requires the stack information to be Printed. Specifically how to inject this article not much Introduced. I thought it was too much trouble at the time, so what are the alternatives? In fact, because we can construct an object, why not construct a exception object directly? In fact, the operation is very simple, first we use the Java.use method to obtain the type variable: var Exception = Java.use ("java.lang.Exception"), and then JS in support of the throw syntax, Call directly in the method that needs to print the stack information:</p></p><p><p></p></p><p><p>But this is really thrown out of the exception, no capture, so the program crashes, when we develop the Android application, if the program crashes the fastest way to view the exception information is log filtering method: adb logcat-s androidruntime</p></p><p><p></p></p><p><p>So we have to print the stack information, in fact, here can see that this is really a crash exception, because there is no catch so directly with the system crash log can be Viewed. This is the easiest way to be rude. Very useful for tracking Code.</p></p><p><p></p></p><pre><pre>Static Struct:public V8::string::externalonebytestringresource { //override parent class function //force Const unsigned char[] = Www.bomaoyule.cn/const char* type conversion const char* Data () const override { return Reinterpret_cast<const char* > (raw_internal_bootstrap_loaders_value); } Array length size_t length () const override {return arraysize (raw_internal_bootstrap_loaders_value);} Default Delete function void Dispose () override {www.huayi1.cn/*</pre></pre><p><p>www.huazongyule.net/<br>Www.jyz521.com</p></p><pre><pre>Default calls ' Delete this '. * /}//const char* = local<string> type conversion v8::local<v8::string> tostringchecked (v8::isolate* Isolate) { return v8::string::newexternalonebyte (isolate,www.078881.cn this). tolocalchecked (); }} internal_bootstrap_loaders_value;</pre></pre><p><p>Here we have all the possible scenarios Java layer Hook operation has been introduced, mainly including the following several common situations:</p></p><p><p>first, the Hook class construction method and the common method, the attention constructs the method is the fixed wording $init can, obtains the parameter can through the custom parameter name also may directly use the system implicit arguments variable Obtains.</p></p><p><p>second, Modify the parameters and return values of the method, call the original method directly into the parameter values that need to be modified and directly modify the return Value.</p></p><p><p>third, constructs the object to use the fixed wording $new to be able.</p></p><p><p>Iv. If you need to modify the field values of the object, you need to use reflection to do the Operation.</p></p><p><p>The stack information printing directly calls the Java exception class, and through the ADB logcat-s androidruntime to filter the log information to view the crash stack Information.</p></p><p><p>Summary: Remember to use the Java.use method to get the class type, if you encounter overloaded method with overload implementation Can.</p></p><p><p></p></p>four, native Layer hook operation case analysis<p><p>Continue to see Frida more powerful place is the hook native code, said the power is not because of the function, but the convenience, we hook native may use more cydia, but all know Cydia and xposed have compatibility problems, Environment installation configuration is too troublesome, and Frida still only need a few lines of JS code can be done, here hook native or two case introduction: one is hook export function, a hook is not exported function, by getting parameters and modify the return value to demonstrate, Here we do not write their own native code, directly with the first to crack the data requested by the so file, he has a function at the bottom to get string information, There is a recent study of the Information-based app encryption algorithm so, we modify his function return Value.</p></p>first, hook does not export function function<p><p>non-exported functions We need to manually calculate the function address, then convert it to a Nativepointer object and then hook operation, then how to calculate a function address? This is very simple as long as you get so the memory base address plus the relative addresses of the function can Be. The base site obtains the maps file corresponding to the direct viewer program:</p></p><p><p></p></p><p><p>The relative address can be viewed directly with Ida open so file, for example here we want to hook this sub_5070 function after static analysis:</p></p><p><p></p></p><p><p>Then we F5 look at the C language code for the function to see the parameter information:</p></p><p><p></p></p><p><p>See here is three parameters, then the actual address after the calculation is 0x7816a000+5070=0x7816f070, but this address is not the last address, because the thumb and arm instructions, the address of the last bit of parity to flag, So here also need to add 1 is the final 0x7816f071, this is very important regardless of the use of Cydia or Frida should pay attention to the final calculation of the absolute address to +1, or will be error:</p></p><p><p></p></p><p><p>There are two callback methods after the hook, one is to enter the function, after one is executed, this and xposed very similar, we print parameters, but this and the previous Hook Java layer is not the same, because in C is mostly related to the address pointer, especially the common string information, If we want to print the string value correctly, we need to use the memory system class to get the string information through the pointer, this class is very important, in the subsequent modification of the return value is also used to write memory Value. Let's take a look at what this Function's original return value Is:</p></p><p><p></p></p><p><p>This is the value after the encryption, and then we get the parameters, and through the IDA analysis found that the final result of this function is not returned by return, but by the third pointer parameter is returned, because C has a parameter function, that is, the direct manipulation of the pointer can be passed back to the results, This is often used in C because there is only one function return value if there is more than one return value for a function, it can be passed by a parameter pointer. So if we want to modify the final result of the function, we need to modify the memory segment data of the parameter pointer, we first get the memory segment data to print, here because the static analysis to know the final result is 16 bytes of data, So here can not be used to read the memory string method, but read pure byte data:</p></p><p><p></p></p><p><p>Then when the return value is modified, The return value modification is also very simple, rewrite the memory value directly, such as this change to 1111:</p></p><p><p></p></p><p><p>So see the C language in many places in the direct operation of memory is the address, in particular, with the use memory class, he has a lot of methods, including memory copy and so On. Specific use can go to the official website Query: https://www.frida.re/docs/javascript-api/#memory; Then we look at the hook results:</p></p><p><p></p></p><p><p>We hook up to his parameter information, the first parameter is the string information that needs to be encrypted we get the string by means of the memory method, because this parameter is a string pointer, the second argument is the string length, the third argument is the pointer to the result value of the operation, Then we see that the result value we get is the original encrypted Information. Note that we have succeeded, and then look at our revised 1111 value, through the log view:</p></p><p><p></p></p><p><p>Seeing that the signature information in Java is accessed through native has been modified to 1111, indicating that we have Succeeded. Here we will succeed, in hook native must pay attention to the absolute address of the function to calculate the right, finally must remember +1, the function return value may not be passed by return but the parameter pointer, the memory class can be used when the Operation.</p></p><p><p></p></p>second, Hook export function function<p><p>This part of the content is very simple, than the above simple because there is no need to manually calculate the function address, because it is exported, so directly can get the exported function name, because C language does not have overloaded form, and C + + has, So sometimes it is found that the exported function name and the normal function name are preceded by a string of data as a distinction that should be written in C + + Code. There is no need to construct nativeponiter with the so file and the exported function name:</p></p><p><p></p></p><p><p>This is more convenient than the above to find the function address manually, printing parameters are the same code. Here through the function name can be known is a native function, then his first argument is definitely jnienv pointer, the second parameter is Jclass type, This is the standard if the second parameter of the static method is not used, the following parameter is really passed to the value of native layer, For example, Here the Java layer method:</p></p><p><p></p></p><p><p>Then according to the above instructions, the function of the native layer is 4 parameters:</p></p><p><p></p></p><p><p>It is true that the following two parameters are the values we want, and we look at this function through Ida:</p></p><p><p></p></p><p><p>Then we use F5 to view the pseudo-code his return value:</p></p><p><p></p></p><p><p>Called with the ENV pointer Newstringutf returned a jstring object, okay, Let's go here we don't say the problem of the return value modification, first look at the hook parameter information:</p></p><p><p></p></p><p><p>But we see that the return value we print is empty, which is a null pointer, and what if we want to hook his return value here? If it is a normal return string information, we can directly use the memory method to construct the memory.allocutf8string ("XXXXX") a string information, and then directly return a pointer address, But now here is the return of a jstring object, in fact this we can know by looking at the jni.h file jstring is the object defined in C + +:</p></p><p><p></p></p><p><p>And the basic type is the basic data type:</p></p><p><p></p></p><p><p>There is no problem with this modification, so now the problem is to modify the Non-basic type, such as how to return the Jstring object here? One of the ways I can think of here is to get the function through the Nativefunction method by getting the Newstringutf function pointer, and then call</p></p><p><p></p></p><p><p>Here to see the code logic is not a problem, what is missing is the NEWSTRINGUTF function address, this because in so can not be viewed, so how to do? No hurry, we're looking at the definition of jnienv:</p></p><p><p></p></p><p><p>He's a struct, and then look at that function address:</p></p><p><p></p></p><p><p>We already have the jnienv struct pointer, each function pointer is an int type that is four bytes, so we can get the corresponding address of the NEWSTRINGUTF function from the jnienv pointer. But all said can not find a way to go to the official website to find, jnienv variable in fact there is a corresponding method, here the construction of jstring method is actually very simple:</p></p><p><p></p></p><p><p>This is more convenient than looking for a function, in fact Env has a lot of methods here have the corresponding Api.</p></p><p><p></p></p><p><p>So here we find that Frida is a bit of a hassle when the hook bottom function returns the type of jni, but Cydia will not, because he is an Android project and can refer to jni.h header files, for example, we use Cydia to modify the return value of this function:</p></p><p><p></p></p><p><p>see, this is very convenient because it is the Android project, so you can directly apply the JNI.H header file, and then directly call the Newstringutf method returned, look at the results of the Hook:</p></p><p><p></p></p><p><p>Also the modification Succeeded. So here to see Frida is not omnipotent, to see what the problem how to Analyze.</p></p><p><p></p></p>V. Technical SUMMARY<p><p>Here we will Frida commonly used functions and hook common usage are explained, the following to Summarize:</p></p><p><p>first, Java layer Code hook operation</p></p><p><p>1, The hook method includes the construction method and the object method, the construction method fixed writing is $init, the common method is directly the method name, the parameter can define itself also may use the system implicit variable arguments obtains.</p></p><p><p>2, Modify the parameters and return value of the method, call the original method directly by passing in the parameters you want to modify to modify the parameters, and modify the return Value.</p></p><p><p>3, constructs the object and modifies the object the attribute value, the direct use reflection carries on the operation, constructs the object with the fixed wording $new to be able.</p></p><p><p>4. Print the stack information directly from the Java exception object, and then use the ADB logcat-s androidruntime to view the exception information tracking Code.</p></p><p><p>Summary: get the class type of the object is the Java.use method, the method has overloaded words with overload (...) Solve.</p></p><p><p>second, native layer Code hook operation</p></p><p><p>1, Hook export function directly with so file name and function Name.</p></p><p><p>2, Hook does not export the function needs to calculate the function in memory absolute address, by looking at the maps file to get So's base address + function relative addresses can, finally do not forget +1 Operation.</p></p><p><p>Summary: the most commonly used in native is the memory address pointer, so if you want to get the correct value must use memory class as a helper, especially the string Information.</p></p><p><p></p></p>six, The hook family artifact comparison<p><p>Here's a look at the differences and pros and cons of the Frida,xposed,substratecydia three hook artifacts:</p></p><p><p>first, the advantages and disadvantages of xposed</p></p><p><p>Pros: When writing Java Layer Hook plug-in is very useful, this is completely superior to Frida and substratecydia, because he is also an Android project, you can directly write Java code to call various APIs to Operate. And can be installed on the phone directly to Use.</p></p><p><p>Disadvantage: Configuration installation Environment cumbersome, poor compatibility, at the bottom of the hook is very helpless.</p></p><p><p>second, the advantages and disadvantages of Frida</p></p><p><p>Advantages: in the above we can see that his advantage is that the configuration environment is very simple, the operation is very convenient, for the developer stage of the cracker is very useful. Support Java layer and native layer hook operation, in the native layer hook if the Non-basic type of operation is a bit cumbersome.</p></p><p><p>Cons: because he only applies to the cracker in the development phase, that is, he can not be used as xposed for practical production, such as I write a plug-in with Frida write definitely not, because he can't run on the Phone. That is, the cracker uses More.</p></p><p><p>third, the advantages and disadvantages of Substratecydia</p></p><p><p>Advantages: can be run on the phone side, and xposed similar can be used in practice Production. Support Java layer and native layer hook operation, but Java layer Hook is not commonly used, more is the native layer hook operation, because he is also Android engineering can refer to the system api, operation more Convenient.</p></p><p><p>Disadvantage: As with xposed installation configuration environment cumbersome, Poor Compatibility.</p></p><p><p>Above these three tools can be said is now used the most hook tool, summed up a sentence is to write Java layer hook or xposed convenient, write native layer hook or cydia, and for the cracker Development that is Frida most Reliable. however, the most difficult to write the plug-in is the most important is not to write code but to find hook point, that is, the reverse analysis of the app to find that place, and then write the hook code to implement plug-in Function.</p></p><p><p>Android Reverse Tour---hook artifact family Frida Tool usage</p></p></span>