mac使用frida
安装
https://github.com/frida/frida/releases
根据手机的cpu的版本,选择相应的文件,一般通过手机信息可以看到 我这里是frida-server-12.6.7-android-arm64.xz
解压frida-server-12.6.7-android-arm64.xz,然后把解压后的文件重命名frida-server 后来我使用genymotion,查看系统为x86。 
所以下载了frida-server-12.7.5-android-x86.xz文件,然后解压并重命名为frida-server。 执行命令frida-server。 依次执行下面命令
$ adb push frida-server /data/local/tmp/
$ adb shell "chmod 755 /data/local/tmp/frida-server"
$ adb shell "/data/local/tmp/frida-server &"
然后在电脑上测试手机是否连通
$ adb devices -l
Frida大致原理是手机端安装一个server程序,然后把手机端的端口转到PC端,PC端写python脚本进行通信,而python脚本中需要hook的代码采用javascript语言。所以这么看来我们首先需要安装开始安装frida了,直接运行命令:
/Applications/Python\ 3.6/Install\ Certificates.command
python3.6 -m pip install -i https://pypi.tuna.tsinghua.edu.cn/simple/ --trusted-host pypi.tuna.tsinghua.edu.cn frida frida-tools
我这大概要等很长时间才下载完。 然后执行命令
frida-ps -U
看到类似的结果 
PID Name
----- -----------------------------------------------------------------
2681 .dataservices
835 ATFWD-daemon
12174 adbd
844 adsprpcd
845 adsprpcd
745 android.hardware.audio@2.
即可。 ###插曲okttp3 okhttp3没混淆的hook
try {
var CertificatePinner = Java.use('okhttp3.CertificatePinner');
quiet_send('OkHTTP 3.x Found');
CertificatePinner.check.overload('java.lang.String', 'java.util.List').implementation = function () {
quiet_send('OkHTTP 3.x check() called. Not throwing an exception.');
}
}
okhttp3混淆的话 改为混淆的名字我这里是d.k.a, Java.use表示使用d包的k类,然后后面CertificatePinner.a.overload 表示hook a方法
/*** okhttp3.x unpinning ***/
// Wrap the logic in a try/catch as not all applications will have
// okhttp as part of the app.
try {
var CertificatePinner = Java.use('d.k');
quiet_send('OkHTTP 3.x Found');
CertificatePinner.a.overload('java.lang.String', 'java.util.List').implementation = function () {
quiet_send('OkHTTP 3.x check() called. Not throwing an exception.');
}
} catch (err) {
// If we dont have a ClassNotFoundException exception, raise the
// problem encountered.
if (err.message.indexOf('ClassNotFoundException') === 0) {
throw new Error(err);
}
}
application脚本
# -*- coding: utf-8 -*-
import frida, sys, re, sys, os
from subprocess import Popen, PIPE, STDOUT
import codecs, time
if (len(sys.argv) > 1):
APP_NAME = str(sys.argv[1])
else:
APP_NAME = "com.loco.example.OkHttp3SSLPinning"
def sbyte2ubyte(byte):
return (byte % 256)
def print_result(message):
print ("[!] Received: [%s]" %(message))
def on_message(message, data):
if 'payload' in message:
data = message['payload']
if type(data) is str:
print_result(data)
elif type(data) is list:
a = data[0]
if type(a) is int:
hexstr = "".join([("%02X" % (sbyte2ubyte(a))) for a in data])
print_result(hexstr)
print_result(hexstr.decode('hex'))
else:
print_result(data)
print_result(hexstr.decode('hex'))
else:
print_result(data)
else:
if message['type'] == 'error':
print (message['stack'])
else:
print_result(message)
def kill_process():
cmd = "adb shell pm clear {} 1> /dev/null".format(APP_NAME)
os.system(cmd)
#kill_process()
try:
with codecs.open("hooks.js", 'r', encoding='utf8') as f:
jscode = f.read()
device = frida.get_usb_device(timeout=5)
#pid = device.spawn([APP_NAME])
session = device.attach("com.loco.example.OkHttp3SSLPinning")
script = session.create_script(jscode)
#device.resume(APP_NAME)
script.on('message', on_message)
print ("[*] Intercepting on {} ...".format(APP_NAME))
script.load()
sys.stdin.read()
except KeyboardInterrupt:
print ("[!] Killing app...")
kill_process()
time.sleep(1)
kill_process()
来源:oschina
链接:https://my.oschina.net/u/4288520/blog/3493832