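/**
 * Walk the live Java heap for dalvik.system.DexClassLoader instances and hand
 * each one to ActivityThread.fartwithClassloader, a method that only exists on
 * a FART-patched runtime (see the comment that follows this function).
 *
 * The class name given to Java.choose was truncated to "dalvik.system. " in
 * the original listing and is restored here from the DexClassLoader hook that
 * the accompanying comment describes. A failure on one loader is logged and
 * the enumeration continues, so a single bad instance does not end the search.
 */
function fartwithClassloader() {
  Java.perform(function () {
    // Resolved once rather than on every match; the class is invariant.
    var ActivityThread = Java.use("android.app.ActivityThread");
    Java.choose("dalvik.system.DexClassLoader", {
      onMatch: function (instance) {
        console.log(instance);
        try {
          ActivityThread.fartwithClassloader(instance);
        } catch (e) {
          console.log(e);
        }
      },
      onComplete: function () {
        console.log("heap search complete");
      }
    });
  });
}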
//hook DexClassLoader 主动调用 fartwithClassloader 来对主动调用的类进行脱壳
1、只对某个类主动调用加载
//cn.cntv.ui.activity.SpringPlayerActivity
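/**
 * Load one class through the app's ClassLoader via FART's
 * ActivityThread.loadClassAndInvoke, passing the private native
 * DexFile.dumpMethodCode(Object) as its Method argument.
 * ActivityThread.getClassloader and loadClassAndInvoke are additions that
 * exist only on a FART-patched runtime.
 *
 * @param {string} classname - fully qualified, dot-separated Java class name
 *   (the Python driver derives it from a dex descriptor such as Lpkg/Cls;).
 */
function loadoneclass(classname) {
  Java.perform(function () {
    var ActivityThread = Java.use("android.app.ActivityThread");

    // public static ClassLoader getClassloader()
    var appClassloader = ActivityThread.getClassloader();
    console.log("appClassloader->", appClassloader);

    // private static native void dumpMethodCode(Object m);
    // Looked up reflectively because it is private. The java.lang.Object
    // wrapper is deliberately not named "Object" so the JavaScript global
    // is not shadowed inside this callback.
    var DexFile = Java.use("dalvik.system.DexFile");
    var JavaLangObject = Java.use("java.lang.Object");
    var paramTypes = Java.array("java.lang.Class", [JavaLangObject.class]);
    var dumpMethodCode = DexFile.class.getDeclaredMethod("dumpMethodCode", paramTypes);
    dumpMethodCode.setAccessible(true); // private method: reflection must unlock it before it can be passed around
    console.log("dumpMethodCode->", dumpMethodCode);

    // public static void loadClassAndInvoke(ClassLoader appClassloader, String eachclassname, Method dumpMethodCode_method)
    ActivityThread.loadClassAndInvoke(appClassloader, classname, dumpMethodCode);
  });
}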
2、编译时不主动加载fart,使用frida主动调用脱壳线程
/**
 * Start FART's unpacking thread from inside the Java VM by calling
 * ActivityThread.fartthread, a method present only on a FART-patched runtime.
 */
function justfart() {
  var startFartThread = function () {
    var ActivityThread = Java.use("android.app.ActivityThread");
    ActivityThread.fartthread();
  };
  Java.perform(startFartThread);
}
rpc远程调用
// RPC surface for the Python driver (script.exports.loadclasslist(name)):
// each call forwards one dot-separated class name to loadoneclass.
rpc.exports = {};
rpc.exports.loadclasslist = function (classname) {
  loadoneclass(classname);
};
import frida
import sys
def on_message(message, data):
    """Frida message callback.

    A ``send`` message has its ``payload`` printed with a ``[*]`` prefix;
    every other message (errors included) is printed verbatim.
    ``data`` is the optional binary attachment and is not used here.
    """
    if message['type'] != 'send':
        print(message)
        return
    print("[*] {0}".format(message['payload']))
# Runs at import time, before the __main__ guard below: the USB device must
# already be reachable for this module to load at all.
device = frida.get_usb_device()
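def descriptor_to_classname(line):
    """Turn one class-list line into a dot-separated Java class name.

    Lines are dex type descriptors such as ``Lcom/hpplay/sdk/source/service/e$a;``:
    the leading ``L`` and trailing ``;`` are removed and ``/`` becomes ``.``.
    Surrounding whitespace (including a stray ``\\r``) is dropped first. A blank
    line yields ``""`` so the caller can skip it instead of asking the script
    to load an empty name.
    """
    name = line.strip()
    if name.startswith("L") and name.endswith(";"):
        name = name[1:-1]
    return name.replace('/', '.')


if __name__ == "__main__":
    try:
        session = device.attach("cn.cntv")
        print("[Info] Attach success!")
        with open('fart_frida.js') as f:
            jscode = f.read()
        script = session.create_script(jscode)
        script.on('message', on_message)
        print('[*] Running CTF')
        script.load()
    except Exception as e:
        print("[Info] Spawn and attach failed!")
        print(e)
    else:
        # Attach succeeded; failures from here on are reported separately so
        # they are not mislabelled as attach failures.
        try:
            # One descriptor per line, e.g. Lcom/hpplay/sdk/source/service/e$a;
            with open('8848960_classlist_execute.txt', 'r') as f:
                lines = f.read().split("\n")
            for line in lines:
                print("classname->" + line)
                classname = descriptor_to_classname(line)
                if classname == "":
                    continue  # blank line (the trailing newline produces one)
                print("classname->" + classname)
                script.exports.loadclasslist(classname)
            # Keep the process, and the injected script, alive until stdin hits EOF.
            sys.stdin.read()
        except Exception as e:
            print("[Info] Class loading failed!")
            print(e)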