FART与frida结合

柴正祥
2023-12-01

1、优点:

1、对FART的脱壳能力增强,对主动调用的dex(没有初始函数)进行脱壳

function fartwithClassloader() {
    Java.perform(function () {

        Java.choose("dalvik.system. ", {

            onMatch: function (instance) {
                console.log(instance);

                try {
                    Java.use("android.app.ActivityThread").fartwithClassloader(instance);
                } catch (e) {
                    console.log(e);
                }
            },
            onComplete: function () {
                console.log("heap search complete");
            }

        });
    })


}
//hook DexClassLoader 主动调用 fartwithClassloader 来对主动调用的类进行脱壳

2、控制FART主动调用的范围,比如按需进行类甚至函数的修复

1、只对某个类主动调用加载

//cn.cntv.ui.activity.SpringPlayerActivity

function loadoneclass(classname) {
    Java.perform(function () {
//public static void loadClassAndInvoke
//(ClassLoader appClassloader, String eachclassname, Method dumpMethodCode_method)
//public static ClassLoader getClassloader()
        var appClassloader = Java.use("android.app.ActivityThread").getClassloader();
        console.log("appClassloader->", appClassloader);
        //dumpMethodCode
// private static native void dumpMethodCode(Object m);
        var DexFile = Java.use("dalvik.system.DexFile");
        var Object = Java.use("java.lang.Object");
        var array = Java.array("java.lang.Class", [Object.class]);
        var dumpMethodCode = DexFile.class.getDeclaredMethod("dumpMethodCode", array);
        dumpMethodCode.setAccessible(true);//私有函数无法直接调用,需要设置
        console.log("dumpMethodCode->", dumpMethodCode);
        Java.use("android.app.ActivityThread").loadClassAndInvoke(appClassloader, classname, dumpMethodCode);
    })
}

2、编译时不主动加载fart,使用frida主动调用脱壳线程

function justfart() {
    Java.perform(function () {
         Java.use("android.app.ActivityThread").fartthread();
    })
}

rpc远程调用

rpc.exports = ({

    loadclasslist: function (classname) {
        loadoneclass(classname);
    }

});
import frida
import sys


def on_message(message, data):
    if message['type'] == 'send':
        print("[*] {0}".format(message['payload']))
    else:
        print(message)


device = frida.get_usb_device()
if __name__ == "__main__":
    try:
        session = device.attach("cn.cntv")
        print("[Info] Attach success!")
        with open('fart_frida.js') as f:
            jscode = f.read()
        script = session.create_script(jscode)
        script.on('message', on_message)
        print('[*] Running CTF')
        script.load()
        #Lcom/hpplay/sdk/source/service/e$a;
        content=""
        with open('8848960_classlist_execute.txt','r') as f:
            content=f.read()
            f.close()
        array=content.split("\n")
        for i in array:
            print("classname->"+i)
            #Lcom/hpplay/sdk/source/service/e$a;
            i=i[1:len(i)-1]
            i=i.replace('/','.')
            print("classname->" + i)
            script.exports.loadclasslist(i)
        #script.exports.loadclasslist()
        sys.stdin.read()
    except Exception as e:
        print("[Info] Spawn and attach failed!")
        print(e)

 

 

 

 类似资料: