{"id":64,"date":"2025-09-11T15:56:43","date_gmt":"2025-09-11T07:56:43","guid":{"rendered":"http:\/\/hmuseab.tstatic.top\/?p=64"},"modified":"2025-09-19T11:19:40","modified_gmt":"2025-09-19T03:19:40","slug":"%e5%88%a9%e7%94%a8frida%e6%8a%93%e5%8f%96%e5%a4%b4x%e7%b3%bb%e8%a5%bf%e7%ba%a2%e6%9f%bfapp%e7%9a%84%e5%b0%8f%e8%af%b4","status":"publish","type":"post","link":"https:\/\/muse.lzink.icu\/?p=64","title":{"rendered":"\u5229\u7528frida\u6293\u53d6\u5934x\u7cfb\u897f\u7ea2\u67ffapp\u7684\u5c0f\u8bf4"},"content":{"rendered":"\n<h1 class=\"wp-block-heading\">\u5229\u7528frida\u6293\u53d6\u5934x\u7cfb\u897f\u7ea2\u67ffapp\u7684\u5c0f\u8bf4<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">apk\u722c\u866b\u7684\u597d\u5904\u8fd8\u662f\u5f88\u591a\u7684\uff0c\u5148\u8981\u6bd4web\u7aef\u7a33\u5b9a\uff0c\u7248\u672c\u5347\u7ea7\u4e00\u822c\u4e0d\u4f1a\u5f71\u54cd\u5230\u65e7\u7248\u672c\uff0c\u7f3a\u70b9\u662f\u8981\u6bd4web\u7aef\u8981\u96be\u4e9b\uff0c\u5f53\u7136\u5728\u638c\u63e1\u9006\u5411\u540e\uff0c\u4e5f\u5c31\u611f\u89c9\u6ca1\u6709\u533a\u522b\u4e86\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u722c\u866b\u7b2c\u4e00\u6b65\u5206\u6790\u4ed6\u7684\u5305\uff0c\u8fd9\u91cc\u7528\u7684\u662fcharles\uff0c\u5982\u4f55\u4f7f\u7528\u5c31\u4e0d\u7ec6\u8bf4\u4e86\u3002\u5728\u5206\u6790\u5305\u7684\u8fc7\u7a0b\u4e2d\uff0c\u53d1\u73b0\u4e86\u4e00\u4e2a\u719f\u6089\u7684\u53c2\u6570<\/p>\n\n\n\n<figure class=\"wp-block-image\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic1.zhimg.com\/v2-2a3cece8a99ed1cc746a3ff6e33955ec_1440w.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic1.zhimg.com\/v2-2a3cece8a99ed1cc746a3ff6e33955ec_1440w.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"img\"\/><\/div><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">\u8fd9\u4e0d\u662f\u6296\u97f3\u7684<a href=\"https:\/\/zhida.zhihu.com\/search?content_id=124235694&amp;content_type=Article&amp;match_order=1&amp;q=x-gorgon%E5%8A%A0%E5%AF%86%E7%AE%97%E6%B3%95&amp;zhida_source=entity\">x-gorgon\u52a0\u5bc6\u7b97\u6cd5<\/a>\u5417\uff1f\u8ba9\u6bcf\u4e2a\u722c\u866ber\u90fd\u5934\u76ae\u53d1\u9ebb\u7684\u7b97\u6cd5\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u4e0b\u4e00\u6b65\u53cd\u7f16\u8bd1apk\uff0c\u7528\u7684\u5de5\u5177\u662fjadx\uff0c\u6211\u4eec\u53ef\u4ee5\u627e\u5230\u751f\u6210\u52a0\u5bc6\u7684\u65b9\u6cd5\u662f\u5728native\u65b9\u6cd5\u4e2d\uff0c\u4e5f\u5c31\u662f\u8bf4\u65e0\u6cd5\u770b\u5230\u8fd9\u4e2a\u65b9\u6cd5\u5230\u5e95\u662f\u600e\u4e48\u6837\u52a0\u5bc6\u7684\u3002<\/p>\n\n\n\n<figure class=\"wp-block-image\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/picx.zhimg.com\/v2-de8a5f945562c9873039ccd62c9871e5_1440w.jpg'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/picx.zhimg.com\/v2-de8a5f945562c9873039ccd62c9871e5_1440w.jpg\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"img\"\/><\/div><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">\u73b0\u5728\u5934\u6761\u7cfb\u5df2\u7ecf\u53ef\u4ee5\u76d1\u63a7\u5230<a 
href=\"https:\/\/zhida.zhihu.com\/search?content_id=124235694&amp;content_type=Article&amp;match_order=1&amp;q=xposed%E6%A1%86%E6%9E%B6&amp;zhida_source=entity\">xposed\u6846\u67b6<\/a>\uff0c\u5728android\u4e0a\u5199xposed\u811a\u672c\u670d\u52a1\u5668\u505a\u8f6c\u53d1\u5df2\u7ecf\u884c\u4e0d\u901a\u4e86\uff0c\u53ea\u80fd\u53e6\u627e\u65b9\u6cd5\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">frida\u662f\u4e00\u6b3e\u795e\u5668\uff0c\u5b83\u53ef\u4ee5\u5e2e\u52a9\u9006\u5411\u4eba\u5458\u5bf9\u6307\u5b9a\u7684\u8fdb\u7a0b\u7684so\u6a21\u5757\u8fdb\u884c\u5206\u6790\u3002\u5b83\u4e3b\u8981\u63d0\u4f9b\u4e86\u529f\u80fd\u7b80\u5355\u7684python\u63a5\u53e3\u548c\u529f\u80fd\u4e30\u5bcc\u7684js\u63a5\u53e3\uff0c\u4f7f\u5f97hook\u51fd\u6570\u548c\u4fee\u6539so\u7f16\u7a0b\u5316\uff0c\u503c\u5f97\u4e00\u63d0\u7684\u662f\u63a5\u53e3\u4e2d\u5305\u542b\u4e86\u4e3b\u63a7\u7aef\u4e0e\u76ee\u6807\u8fdb\u7a0b\u7684\u4ea4\u4e92\u63a5\u53e3\uff0c\u7531\u6b64\u6211\u4eec\u53ef\u4ee5\u5373\u65f6\u83b7\u53d6\u4fe1\u606f\u5e76\u968f\u65f6\u8fdb\u884c\u4fee\u6539\u3002\u4f7f\u7528frida\u53ef\u4ee5\u83b7\u53d6\u8fdb\u7a0b\u7684\u4fe1\u606f\uff08\u6a21\u5757\u5217\u8868\uff0c\u7ebf\u7a0b\u5217\u8868\uff0c\u5e93\u5bfc\u51fa\u51fd\u6570\uff09\uff0c\u53ef\u4ee5\u62e6\u622a\u6307\u5b9a\u51fd\u6570\u548c\u8c03\u7528\u6307\u5b9a\u51fd\u6570\uff0c\u53ef\u4ee5\u6ce8\u5165\u4ee3\u7801\uff0c\u603b\u800c\u8a00\u4e4b\uff0c\u4f7f\u7528frida\u6211\u4eec\u53ef\u4ee5\u5bf9\u8fdb\u7a0b\u6a21\u5757\u8fdb\u884c\u624b\u672f\u5200\u5f0f\u5256\u6790\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u5176\u5b9e\u5c31\u662f\u5165\u4fb5\u5230\u4e86\u4e8c\u8fdb\u5236\u6587\u4ef6\uff0c\u8fbe\u5230\u63a7\u5236\u67d0\u4e2a\u65b9\u6cd5\u4f5c\u7528\u3002<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">device = frida.get_remote_device()<br># \u5e94\u7528\u5305\u540d<br>app_package_name = \"\u5305\u540d\" <br>try:<br> &nbsp; &nbsp;# pid = device.spawn([app_package_name])<br> &nbsp; &nbsp;# device.resume(pid)<br> 
&nbsp; &nbsp;# time.sleep(1)  # 2<br> &nbsp; &nbsp;session = device.attach(app_package_name)<br> &nbsp; &nbsp;print(\"[*] start hook\")<br> &nbsp; &nbsp;print(session)<br> &nbsp; &nbsp;# \u52a0\u8f7d\u811a\u672c<br> &nbsp; &nbsp;with open(\"hook\u7684js\u6587\u4ef6\", \"r\", encoding=\"utf-8\") as file:<br> &nbsp; &nbsp; &nbsp; &nbsp;js_code = file.read()<br> &nbsp; &nbsp;script = session.create_script(js_code)<br> &nbsp; &nbsp;script.on('message', on_message)<br> &nbsp; &nbsp;script.load()<br> &nbsp; &nbsp;return script<br>except frida.NotSupportedError:<br> &nbsp; &nbsp;print(\"\u8bf7\u68c0\u67e5\u5305\u540d\u7684\u6709\u6548\u6027.\")<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">frida\u7684\u4f7f\u7528\u5c31\u662f\u8fd9\u6837\uff0c\u7528get_remote_device\u662f\u56e0\u4e3a\u6211\u9700\u8981\u8fdc\u7a0b\u8fde\u63a5\u670d\u52a1\u5668\uff0cfrida\u4e5f\u63d0\u4f9b\u4e86get_usb_device\u65b9\u6cd5\u3002\u4e3b\u8981\u96be\u5ea6\u662f\u5728js hook\u90e8\u5206<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><em>frida_rpc\u7684\u4f7f\u7528\uff1a<\/em><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><em>\u901a\u8fc7hook \u53ef\u4ee5\u770b\u5230\u4ed6\u524d\u9762\u7684native\u65b9\u6cd5\u6240\u9700\u8981\u7684\u53c2\u6570\uff0c\u65e0\u975e\u662f\u4e00\u4e9b\u8bf7\u6c42\u5934\u91cc\u7684\u53c2\u6570\u548c\u65f6\u95f4\u6233\uff0c<\/em><\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">rpc.exports = {<br>\"b\": function (str1,json_str){<br> &nbsp; &nbsp;var ret = {};<br> &nbsp; &nbsp;Java.perform(function () {<br> &nbsp; &nbsp; &nbsp; &nbsp;var tt1 = Java.use(\"com.ss.sys.ces.gg.tt$1\").$new();<br> &nbsp; &nbsp; &nbsp; &nbsp;var url = str1;<br> &nbsp; &nbsp; &nbsp; &nbsp;var ArrayList = Java.use(\"java.util.ArrayList\").$new();<br> &nbsp; &nbsp; &nbsp; &nbsp;var ObjectJava = Java.use(\"java.lang.Object\");<br>\u200b<br> &nbsp; &nbsp; &nbsp; &nbsp;var map = Java.use(\"java.util.HashMap\").$new();<br> &nbsp; &nbsp; &nbsp; &nbsp;var obj = JSON.parse(json_str);<br>\u200b<br> &nbsp; &nbsp; &nbsp; 
&nbsp;for (var key in obj){<br>\u200b<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;var m1 = ArrayList;<br>\u200b<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;var list_tmp = obj[key];<br>\u200b<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;m1.add(list_tmp);<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;map.put(key, Java.cast(Java.cast(m1, ArrayList), ObjectJava));<br> &nbsp; &nbsp; &nbsp;  }<br> &nbsp; &nbsp; &nbsp; &nbsp;var result = tt1.a(url, map);<br> &nbsp; &nbsp; &nbsp; &nbsp;ret[\"X-Gorgon\"]=result.get(\"X-Gorgon\").toString();<br> &nbsp; &nbsp; &nbsp; &nbsp;ret[\"X-Khronos\"]=result.get(\"X-Khronos\").toString();<br> &nbsp;  });<br> &nbsp; &nbsp;return ret;<br>}<br>};<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u8fd9\u6bb5js\u4ee3\u7801\u5c31\u662f\u7528python\u722c\u866b\u7a0b\u5e8f\u751f\u4ea7\u53c2\u6570\uff0c\u901a\u8fc7frida hook \u6765\u62ff\u5230\u52a0\u5bc6\u53c2\u6570\uff0c\u518d\u8fd4\u56de\u7ed9\u722c\u866b\u4f7f\u7528\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u722c\u866b\u91cc\u9700\u8981\u505a\u7684\u4e8b\uff0c\u662f\u5728\u8bf7\u6c42\u524d\uff0c\u5148\u62ff\u5230\u52a0\u5bc6\u53c2\u6570<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">map_data = {<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;\"x-ss-tc\": \"0\",<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;\"cookie\": headers.get('cookie'),<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;\"accept-encoding\": \"gzip, deflate\",<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;\"user-agent\": headers.get('user-agent'),<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;\"x-ss-req-ticket\": f\"{time_stamp}\"<br> &nbsp; &nbsp; &nbsp;  }<br> &nbsp; &nbsp; &nbsp; &nbsp;xgo = script.exports.b(fanqie_url, json.dumps(map_data))<br> &nbsp; &nbsp; &nbsp; &nbsp;headers['x-gorgon'] = xgo.get('X-Gorgon')<br> &nbsp; &nbsp; &nbsp; &nbsp;headers['x-khronos'] = xgo.get('X-Khronos')<br># js\u7684\u5bf9\u8c61\u5373\u4e3ajson<\/pre>\n\n\n\n<p 
class=\"wp-block-paragraph\">\u5230\u8fd9\u4e00\u6b65\uff0c\u5c31\u7b97\u7834\u89e3\u7b97\u6cd5\u6210\u529f\uff0c\u53c8\u53ef\u4ee5\u5f00\u5f00\u5fc3\u5fc3\u7684\u770b\u5c0f\u8bf4\u5566\uff01\u4e0b\u6b21\u6709\u65f6\u95f4\u518d\u7ec6\u8bf4\u4e0bfrida\u8fd9\u4e2a\u5de5\u5177\uff0c\u8fd9\u4e2a\u5de5\u5177\u4e0d\u6b62\u5728\u5b89\u5353\uff0c\u5728\u5404\u4e2a\u7aef\u90fd\u53ef\u4ee5\u4f7f\u7528\uff0c\u975e\u5e38\u7684\u5f3a\u5927\u3002\u4e0d\u53cb\u597d\u7684\u662f\u5b98\u65b9\u6587\u6863\u5199\u7684\u771f\u7684\u592a\u6666\u6da9\uff0c\u592a\u70c2\u4e86\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u5229\u7528frida\u6293\u53d6\u5934x\u7cfb\u897f\u7ea2\u67ffapp\u7684\u5c0f\u8bf4 apk\u722c\u866b\u7684\u597d\u5904\u8fd8\u662f\u5f88\u591a\u7684\uff0c\u5148\u8981\u6bd4web\u7aef\u7a33\u5b9a\uff0c\u7248\u672c\u5347\u7ea7\u4e00\u822c\u4e0d\u4f1a\u5f71 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[],"class_list":["post-64","post","type-post","status-publish","format-standard","hentry","category-7"],"_links":{"self":[{"href":"https:\/\/muse.lzink.icu\/index.php?rest_route=\/wp\/v2\/posts\/64","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/muse.lzink.icu\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/muse.lzink.icu\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/muse.lzink.icu\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/muse.lzink.icu\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=64"}],"version-history":[{"count":1,"href":"https:\/\/muse.lzink.icu\/index.php?rest_route=\/wp\/v2\/posts\/64\/revisions"}],"predecessor-version":[{"id":65,"href":"https:\/\/muse.lzink.icu\/index.php?rest_route=\/wp\/v2\/posts\/64\/revisions\/65"}],"wp:attachment":[{"href":"https:\/\/muse.lz
ink.icu\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=64"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/muse.lzink.icu\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=64"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/muse.lzink.icu\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=64"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}