Frida-trace常用命令 - Python

TOP

Frida-trace常用命令(一)

2023-07-25 21:27:12 【大中小】浏览:86次

转载:https://blog.csdn.net/tslx1020/article/details/128250777

1、spawn - 冷启动

frida-trace -U -f com.apple.ExampleCode -m “+[NSURL URLWithString:]"

2、attach - 热启动

frida-trace -UF -m “+[NSURL URLWithString:]"

3、Hook类方法

 frida-trace -UF -m “+[NSURL URLWithString:]"

4、Hook实例方法

frida-trace -UF -m “-[NSURL host]"

5、Hook类的所有方法

frida-trace -UF -m “*[NSURL *]"

6、模糊Hook类的所有方法

frida-trace -UF -m “*[service *]"

7、模糊Hook所有类的特定方法

frida-trace -UF -m “[ sign]"

8、模糊Hook所有类的特定方法并忽略大小写

假设我们要hook所有类中包含getSign或getsign关键词的方法

frida-trace -UF -m “[ get?ign]"

9、模糊Hook所有类的特定方法并排除viewDidLoad方法

 frida-trace -UF -m “*[DetailViewController *]" -M “-[DetailViewController viewDidLoad]"

10、Hook某个动态库

frida-trace -UF -I “libcommonCrypto*"

11、Hook get或post的接口地址

frida-trace -UF -m "+[NSURL URLWithString:]"

js例子

{
  onEnter(log, args, state) {
    var args2 = new ObjC.Object(args[2]);
    log(`-[NSURL URLWithString:${args2}]`);
  },
  onLeave(log, retval, state) {
  }
}

12、Hook post的body

frida-trace -UF -m “-[NSMutableURLRequest setHTTPBody:]”

js例子

{
  onEnter(log, args, state) {
    var args2 = new ObjC.Object(args[2]);
    log(`-[NSMutableURLRequest setHTTPBody:${args2.bytes().readUtf8String(args2.length())}]`);
  },
  onLeave(log, retval, state) {
  }
}

13、Hook即将显示页面

frida-trace -UF -m “-[UINavigationController pushViewController:animated:]” -m “-[UIViewController presentViewController:animated:completion:]”


pushViewController:animated:方法的js代码如下：
{
  onEnter(log, args, state) {
    var args2 = new ObjC.Object(args[2]);
    log(`-[UINavigationController pushViewController:${args2.$className} animated:${args[3]}]`);
  },
  onLeave(log, retval, state) {
  }
}

presentViewController:animated:completion:
{
  onEnter(log, args, state) {
    var args2 = new ObjC.Object(args[2]);
    log(`-[UIViewController presentViewController:${args2.$className} animated:${args[3]} completion:${args[4]}]`);
  },
  onLeave(log, retval, state) {
  }
}

14、Hook 通用加密算法

Md5

 frida-trace -UF -i “CC_MD5”
 
 
 #js
 {
  onEnter(log, args, state) {
    this.args0 = args[0];	// 入参
    this.args2 = args[2];	// 返回值指针
  },
  onLeave(log, retval, state) {
    var ByteArray = Memory.readByteArray(this.args2, 16);
    var uint8Array = new Uint8Array(ByteArray);

    var str = "";
    for(var i = 0; i < uint8Array.length; i++) {
        var hextemp = (uint8Array[i].toString(16))
        if(hextemp.length == 1){
            hextemp = "0" + hextemp
        }
        str += hextemp;
    }
    log(`CC_MD5(${this.args0.readUtf8String()})`);   	// 入参
    log(`CC_MD5()=${str}=`);	// 返回值
  }
}

Base64编码方法

frida-trace -UF -m “-[NSData base64EncodedStringWithOptions:]”

#js
{
  onEnter(log, args, state) {
    this.self = args[0];
  },
  onLeave(log, retval, state) {
    var before = ObjC.classes.NSString.alloc().initWithData_encoding_(this.self, 4);
    var after = new ObjC.Object(retval);
    log(`-[NSData base64EncodedStringWithOptions:]before=${before}=`);
    log(`-[NSData base64EncodedStringWithOptions:]after=${after}=`);
  }
}

Base64解码

frida-trace -UF -m “-[NSData initWithBase64EncodedData:options:]” -m “-[NSData initWithBase64EncodedString:options:]”

initWithBase64EncodedData:options:方法对应的js代码如下：
{
  onEnter(log, args, state) {
    this.arg2 = args[2];
  },
  onLeave(log, retval, state) {
    var before = ObjC.clas

首页上一页 1 2 3 4 5 下一页尾页 1/5/5
【大中小】【打印】【繁体】【投稿】【收藏】【推荐】【举报】【评论】【关闭】【返回顶部】

上一篇：Python实现抽奖程序	下一篇：Odoo 增加web后端的响应能力