frida

问题 I'm trying to hook the following constructor of java.net.URL: URL(URL context, String spec, URLStreamHandler handler) My code is as follows: import argparse import frida import sys jscode = """ Java.perform(function () { Java.use('java.net.URL').$init.overload('java.net.URL', 'java.lang.String', 'java.net.URLStreamHandler').implementation = function(arg0,arg1,arg2) { return this.$init(arg0,arg1,arg2); }; }); """ parser = argparse.ArgumentParser() parser.add_argument("target") args = parser

问题 I'm trying to hook the following constructor of java.net.URL: URL(URL context, String spec, URLStreamHandler handler) My code is as follows: import argparse import frida import sys jscode = """ Java.perform(function () { Java.use('java.net.URL').$init.overload('java.net.URL', 'java.lang.String', 'java.net.URLStreamHandler').implementation = function(arg0,arg1,arg2) { return this.$init(arg0,arg1,arg2); }; }); """ parser = argparse.ArgumentParser() parser.add_argument("target") args = parser

问题 I'm able to sucessfully hook into an Android method using Frida, but I am trying to find out who is calling that method. I can find that out if I can rewrite the method with Frida to print the stacktrace when the method gets called. I've tried a few things, but all of them have had some sort of error. This is the latest thing I have tried. setImmediate(function() { console.log("[*] Starting script"); Java.perform(function () { var Activity = Java.use("com.package.MyClass"); Activity

问题 I can successfully hook into this getAuthToken method public class AuthResponse2 extends DataResponse<Data> { public static class Data { private String mAuthToken; public String getAuthToken() { return this.mAuthToken; } } } This is my Frida JS script setImmediate(function() { console.log("[*] Starting script"); Java.perform(function () { var Activity = Java.use("com.app.network.AuthResponse2$Data"); Activity.getAuthToken.overload().implementation = function () { console.log(mAuthToken);

问题 I'm trying to understand an Android app which contains a native method named foo in class com.app.Bar Inside class Bar there is a static clause that loads a shared object System.loadLibrary("libfoo.so") which I assume is build with -fvisibility=hidden because the only export is JNI_OnLoad , no JNIEXPORT void JNICALL Java_com_app_Bar_foo which means public native int foo does not follow the naming convention. What is the process when foo is invoked ? How can I extract the address of foo ? I'm