首页
论坛
课程
招聘
[求助]使用 frida hook 时 Java.choose 报错
2021-10-1 02:52 4455

[求助]使用 frida hook 时 Java.choose 报错

2021-10-1 02:52
4455

我正在阅读《安卓 Frida 逆向抓包与实战》。目前在尝试主动调用动态方法,但使用随书代码进行测试的时候意外报错。暂时没在网上找到解决方法,希望得到帮助。以下是测试 app 的 MainActivity.java:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
package com.roysue.demo02;
 
import androidx.appcompat.app.AppCompatActivity;
 
import android.os.Bundle;
import android.util.Log;
 
public class MainActivity extends AppCompatActivity {
 
    private String total = "hello";
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        while (true){
 
            try {
                Thread.sleep(1000);
            } catch (InterruptedException e) {
                e.printStackTrace();
            }
 
            fun(50,30);
            Log.d("r0ysue.string" , fun("LoWeRcAsE Me!!!!!!!!!"));
        }
    }
    void fun(int x , int y ){
        Log.d("r0ysue.sum" , String.valueOf(x+y));
    }
    String fun(String x){
        return x.toLowerCase();
    }
 
    void secret(){
        total += " secretFunc";
        Log.d("r0ysue.secret" , "this is secret func");
    }
    static void staticSecret(){
        Log.d("r0ysue.secret" , "this is static secret func");
    }
}

接着是我使用的 frida 脚本:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
function main(){
    console.log("Script loaded successfully ")
    Java.perform(function(){
        console.log("Inside java perform function")
        var MainAcitivity = Java.use('com.roysue.demo02.MainActivity')
 
        // 静态函数主动调用
        MainAcitivity.staticSecret();
 
        // Error: secret: cannot call instance method without an instance
        // MainAcitivity.secret();
 
 
        // 动态函数主动调用
        Java.choose('com.roysue.demo02.MainActivity',{
            onMatch: function(instance){
                console.log('instance found',instance)
                instance.secret()
            },
            onComplete: function(){
                console.log('search Complete')
            }
        })
    })
}
setImmediate(main)

以下是报错信息:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
Script loaded successfully
Inside java perform function
Error: Unexpected end of block
    at <anonymous> (frida/node_modules/frida-java-bridge/lib/android.js:1515)
    at forEach (native)
    at ur (frida/node_modules/frida-java-bridge/lib/android.js:1580)
    at <anonymous> (frida/node_modules/frida-java-bridge/lib/android.js:1330)
    at _patchCode (native)
    at value (frida/runtime/core.js:181)
    at dr (frida/node_modules/frida-java-bridge/lib/android.js:1331)
    at <anonymous> (frida/node_modules/frida-java-bridge/lib/memoize.js:4)
    at dt (frida/node_modules/frida-java-bridge/lib/android.js:541)
    at choose (frida/node_modules/frida-java-bridge/lib/class-factory.js:246)
    at choose (frida/node_modules/frida-java-bridge/index.js:252)
    at <anonymous> (/3.js:23)
    at <anonymous> (frida/node_modules/frida-java-bridge/lib/vm.js:11)
    at _performPendingVmOps (frida/node_modules/frida-java-bridge/index.js:238)
    at <anonymous> (frida/node_modules/frida-java-bridge/index.js:213)
    at <anonymous> (frida/node_modules/frida-java-bridge/lib/vm.js:11)
    at _performPendingVmOpsWhenReady (frida/node_modules/frida-java-bridge/index.js:232)
    at perform (frida/node_modules/frida-java-bridge/index.js:192)
    at main (/3.js:24)
    at apply (native)
    at <anonymous> (frida/runtime/core.js:45)
TypeError: cannot set property '_code' of null
    at dr (frida/node_modules/frida-java-bridge/lib/android.js:1331)
    at <anonymous> (frida/node_modules/frida-java-bridge/lib/memoize.js:4)
    at dt (frida/node_modules/frida-java-bridge/lib/android.js:541)
    at choose (frida/node_modules/frida-java-bridge/lib/class-factory.js:246)
    at choose (frida/node_modules/frida-java-bridge/index.js:252)
    at <anonymous> (/3.js:23)
    at <anonymous> (frida/node_modules/frida-java-bridge/lib/vm.js:11)
    at _performPendingVmOps (frida/node_modules/frida-java-bridge/index.js:238)
    at <anonymous> (frida/node_modules/frida-java-bridge/index.js:213)
    at <anonymous> (frida/node_modules/frida-java-bridge/lib/vm.js:11)
    at _performPendingVmOpsWhenReady (frida/node_modules/frida-java-bridge/index.js:232)
    at perform (frida/node_modules/frida-java-bridge/index.js:192)
    at main (/3.js:24)
    at apply (native)
    at <anonymous> (frida/runtime/core.js:45)
Connection terminated

我注意到我进行测试的手机与作者的不同,我的是 LG Nexus 5,作者使用的是 LG Nexus 5X。一个 32 位,一个 64 位,问题会出在这吗?


[公告] 欢迎大家踊跃尝试高研班11月试题,挑战自己的极限!

最后于 2021-10-1 02:52 被芝士蛋挞编辑 ,原因:
收藏
点赞0
打赏
分享
最新回复 (2)
雪    币: 425
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
mb_izaswxak 活跃值 2021-10-1 10:33
2
0
简单查看了脚本下没看出什么毛病,你可以查看下系统版本和Frida的版本(可以通过不注入空代码,测试还报不报同样的错误),他们是有关联的
雪    币: 170
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
芝士蛋挞 活跃值 2021-10-1 14:49
3
0

问题解决了。根据 https://github.com/frida/frida/issues/1672,我尝试使用 12.8.10 版本的 frida,脚本成功运行。 

游客
登录 | 注册 方可回帖
返回