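Reposted from: https://blog.csdn.net/tslx1020/article/details/128250777
1. spawn - cold start
frida-trace -U -f com.apple.ExampleCode -m "+[NSURL URLWithString:]"
2. attach - hot start (attach to the frontmost running app)
frida-trace -UF -m "+[NSURL URLWithString:]"
3. Hook a class method
frida-trace -UF -m "+[NSURL URLWithString:]"
4. Hook an instance method
frida-trace -UF -m "-[NSURL host]"
5. Hook all methods of a class
frida-trace -UF -m "*[NSURL *]"
6. Fuzzy-hook all methods of classes matching a pattern
frida-trace -UF -m "*[*service* *]"
7. Fuzzy-hook a specific method across all classes
frida-trace -UF -m "*[* *sign*]"
8. Fuzzy-hook a specific method across all classes, ignoring case
Suppose we want to hook every method, in any class, whose name contains the keyword getSign or getsign. The ? wildcard matches any single character, so it covers both spellings:
frida-trace -UF -m "*[* *get?ign*]"
9. Fuzzy-hook all methods of a class, excluding the viewDidLoad method
frida-trace -UF -m "*[DetailViewController *]" -M "-[DetailViewController viewDidLoad]"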
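The pattern rules in sections 5 to 9, modeled as plain JavaScript that runs in Node without a device. This is an added example, not code from the original post or from Frida itself; the method names are constructed, and the matching model (case-sensitive globs, with -m and -M applied in command-line order) is a simplifying assumption.

```javascript
// Simplified model of frida-trace -m / -M selection (assumption: case-sensitive
// glob matching, where * matches any run of characters and ? exactly one).
function globToRegExp(glob) {
  // Escape regex metacharacters except the two glob wildcards.
  const escaped = glob.replace(/[.+^${}()|[\]\\]/g, '\\$&');
  return new RegExp('^' + escaped.replace(/\*/g, '.*').replace(/\?/g, '.') + '$');
}

// rules: ordered [flag, pattern] pairs; 'm' includes matches, 'M' removes them.
function selectMethods(methods, rules) {
  const selected = new Set();
  for (const [flag, pattern] of rules) {
    const re = globToRegExp(pattern);
    for (const name of methods) {
      if (!re.test(name)) continue;
      if (flag === 'm') selected.add(name);
      else selected.delete(name);
    }
  }
  // Preserve the original listing order in the result.
  return methods.filter((name) => selected.has(name));
}

// Constructed sample methods (hypothetical app classes, not from a real app).
const METHODS = [
  '+[NSURL URLWithString:]',
  '-[NSURL host]',
  '-[ApiService getSign:]',
  '-[ApiService getsign]',
  '+[LoginService designToken]',
  '-[DetailViewController viewDidLoad]',
  '-[DetailViewController loadDetail]',
];

// Show what each pattern from the sections above would select.
const DEMOS = [
  [['m', '*[NSURL *]']],
  [['m', '*[* *sign*]']],
  [['m', '*[* *get?ign*]']],
  [['m', '*[DetailViewController *]'], ['M', '-[DetailViewController viewDidLoad]']],
];
for (const rules of DEMOS) {
  console.log(JSON.stringify(rules), '=>', selectMethods(METHODS, rules));
}
```

Under this model `*sign*` misses `getSign:` because of the capital S, while `get?ign` matches both spellings and would also match any other single character in that position.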
10. Hook a dynamic library
frida-trace -UF -I "libcommonCrypto*"
11. Hook the URL of GET or POST requests
frida-trace -UF -m "+[NSURL URLWithString:]"
JS example
{
  onEnter(log, args, state) {
    // args[0] = self, args[1] = selector, args[2] = first method argument (the URL string)
    var args2 = new ObjC.Object(args[2]);
    log(`+[NSURL URLWithString:${args2}]`);
  },
  onLeave(log, retval, state) {
  }
}
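12. Hook the POST body
frida-trace -UF -m "-[NSMutableURLRequest setHTTPBody:]"
JS example
{
  onEnter(log, args, state) {
    // The body may be set to nil; skip that case instead of wrapping a NULL pointer.
    if (args[2].isNull()) return;
    var args2 = new ObjC.Object(args[2]); // NSData holding the request body
    log(`-[NSMutableURLRequest setHTTPBody:${args2.bytes().readUtf8String(args2.length())}]`);
  },
  onLeave(log, retval, state) {
  }
}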
13. Hook the page that is about to be displayed
frida-trace -UF -m "-[UINavigationController pushViewController:animated:]" -m "-[UIViewController presentViewController:animated:completion:]"
The JS handler for pushViewController:animated: is as follows:
{
  onEnter(log, args, state) {
    // args[2] = the view controller being pushed, args[3] = animated flag
    var args2 = new ObjC.Object(args[2]);
    log(`-[UINavigationController pushViewController:${args2.$className} animated:${args[3]}]`);
  },
  onLeave(log, retval, state) {
  }
}
presentViewController:animated:completion:
{
  onEnter(log, args, state) {
    // args[2] = the view controller being presented, args[3] = animated flag, args[4] = completion block
    var args2 = new ObjC.Object(args[2]);
    log(`-[UIViewController presentViewController:${args2.$className} animated:${args[3]} completion:${args[4]}]`);
  },
  onLeave(log, retval, state) {
  }
}
14. Hook common cryptographic algorithms
MD5
frida-trace -UF -i "CC_MD5"
#js
{
  onEnter(log, args, state) {
    this.args0 = args[0];          // input data pointer
    this.len = args[1].toInt32();  // input length in bytes
    this.args2 = args[2];          // pointer to the output buffer (16-byte digest)
  },
  onLeave(log, retval, state) {
    var byteArray = this.args2.readByteArray(16);
    var uint8Array = new Uint8Array(byteArray);
    var str = "";
    for (var i = 0; i < uint8Array.length; i++) {
      var hextemp = uint8Array[i].toString(16);
      if (hextemp.length == 1) {
        hextemp = "0" + hextemp;
      }
      str += hextemp;
    }
    // Read only the bytes passed to CC_MD5; the input is not guaranteed to be NUL-terminated.
    log(`CC_MD5(${this.args0.readUtf8String(this.len)})`); // input
    log(`CC_MD5()=${str}=`); // digest as a hex string
  }
}
Base64 encoding
frida-trace -UF -m "-[NSData base64EncodedStringWithOptions:]"
#js
{
  onEnter(log, args, state) {
    this.self = args[0]; // the NSData instance being encoded
  },
  onLeave(log, retval, state) {
    // 4 = NSUTF8StringEncoding; shows the raw data as text before encoding
    var before = ObjC.classes.NSString.alloc().initWithData_encoding_(this.self, 4);
    var after = new ObjC.Object(retval); // the resulting Base64 NSString
    log(`-[NSData base64EncodedStringWithOptions:]before=${before}=`);
    log(`-[NSData base64EncodedStringWithOptions:]after=${after}=`);
  }
}
Base64 decoding
frida-trace -UF -m "-[NSData initWithBase64EncodedData:options:]" -m "-[NSData initWithBase64EncodedString:options:]"
The JS handler for initWithBase64EncodedData:options: is as follows:
{
  onEnter(log, args, state) {
    this.arg2 = args[2];
  },
  onLeave(log, retval, state) {
    var before = ObjC.clas