本帖最后由 骇客之技术 于 2020-6-12 13:33 编辑
1. 免写参数
[JavaScript] 纯文本查看 复制代码
// 函数原型 encodeRequest(int i, String str, String str2, String str3, String str4, String str5, byte[] bArr, int i2, int i3, String str6, byte b, byte b2, byte[] bArr2, boolean z)
var CodecWarpper = Java.use("xx.CodecWarpper");
CodecWarpper.encodeRequest.implementation = function() {
var ret = this.encodeRequest.apply(this, arguments);
//这里可以打印参数和返回值
return ret;
}
2. jstring, jbytearray 输出
[JavaScript] 纯文本查看 复制代码 function jstring2Str(jstring) {
var ret;
Java.perform(function() {
var String = Java.use("java.lang.String");
ret = Java.cast(jstring, String);
});
return ret;
}
function jbyteArray2Array(jbyteArray) {
var ret;
Java.perform(function() {
var b = Java.use('[B');
var buffer = Java.cast(jbyteArray, b);
ret = Java.array('byte', buffer);
});
return ret;
}
其它类型可以参考上面的写法
3. bytes2Hex
java中 byte范围 -128~127
16进制范围 0 ~ 255
[JavaScript] 纯文本查看 复制代码 function bytes2Hex(arr) {
var str = "[";
for (var i = 0; i < arr.length; i++) {
var z = parseInt(arr[i]);
if (z < 0) z = 255 + z;
var tmp = z.toString(16);
if (tmp.length == 1) {
tmp = "0" + tmp;
}
str = str + " " + tmp;
}
return (str + " ]").toUpperCase();
}
4. 获取方法名
[JavaScript] 纯文本查看 复制代码 function getMethodName() {
var ret;
Java.perform(function() {
var Thread = Java.use("java.lang.Thread")
ret = Thread.currentThread().getStackTrace()[2].getMethodName();
});
return ret;
}
5. 打印堆栈
[JavaScript] 纯文本查看 复制代码 function showStacks() {
Java.perform(function() {
console.log(Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Exception").$new()));
});
}
6. 输出类所有方法名
[JavaScript] 纯文本查看 复制代码 function enumMethods(targetClass) {
var ret;
Java.perform(function() {
var hook = Java.use(targetClass);
var ret = hook.class.getDeclaredMethods();
ret.forEach(function(s) {
console.log(s);
})
})
return ret;
}
7. hook 所有重载函数
[JavaScript] 纯文本查看 复制代码 function hookAllOverloads(targetClass, targetMethod) {
Java.perform(function () {
var targetClassMethod = targetClass + '.' + targetMethod;
var hook = Java.use(targetClass);
var overloadCount = hook[targetMethod].overloads.length;
for (var i = 0; i < overloadCount; i++) {
hook[targetMethod].overloads[i].implementation = function() {
var retval = this[targetMethod].apply(this, arguments);
//这里可以打印结果和参数
return retval;
}
}
});
}
8.输出 byte[] 等 java 对象
[JavaScript] 纯文本查看 复制代码 function jobj2Str(jobject) {
var ret = JSON.stringify(jobject);
return ret;
}
9. dump 地址
[JavaScript] 纯文本查看 复制代码 function dumpAddr(address, length) {
length = length || 1024;
console.log(hexdump(address, {
offset: 0,
length: length,
header: true,
ansi: false
}));
}
10. ArrayBuffer 转换
[JavaScript] 纯文本查看 复制代码 function ab2Hex(buffer) {
var arr = Array.prototype.map.call(new Uint8Array(buffer), function (x) {return ('00' + x.toString(16)).slice(-2)}).join(" ").toUpperCase();
return "[" + arr + "]";
}
function ab2Str(buffer) {
return String.fromCharCode.apply(null, new Uint8Array(buffer));
}
11. 获取类型
[JavaScript] 纯文本查看 复制代码 function getParamType(obj) {
return obj == null ? String(obj) : Object.prototype.toString.call(obj).replace(/\[object\s+(\w+)\]/i, "$1") || "object";
}
12. hook native 函数
[JavaScript] 纯文本查看 复制代码 function hookNativeFun(callback, funName, moduleName) {
var time = 1000;
moduleName = moduleName || null;
if (!(callback && callback.onEnter && callback.onLeave)) {
console.log("callback error");
return
}
var address = Module.findExportByName(moduleName, funName);
if (address == null) {
setTimeout(hookNativeFun, time, callback, funName, moduleName);
} else {
console.log(funName + " hook ok")
var nativePointer = new NativePointer(address);
Interceptor.attach(nativePointer, callback);
}
}
以上为分析某款软件协议所写, 部分参考于网络~
不定期更新!
欢迎各位补充~
| 
[复制链接]
发表于 2020-6-9 20:09
|
发表于 2020-10-12 14:27
发表于 2020-6-9 20:18
