一直在手机&PC上使用微信插件，正好学习Frida中尝试hook一下，记录下笔记。

0x01 前言

资源混淆

对于apk反编译有很多直接的工具可以使用，但是微信使用AndResGuard对资源文件进行混淆，导致直接使用apktool反编译后无法获取资源文件，即使使用apktool -r d保持资源文件，重打包的微信也不能直接运行，因为微信启动后会对dex文件进行校验

解决方案：ShakaApktool对资源混淆进行Bypass，针对腾讯的apk可以加上-xn参数

文件校验

解决方案：找到校验的的位置将代码patch掉

在微信6.6.1版本中，校验代码位于smali/com/tencent/mm/f/a.smali

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33

.line 532
const v2, 0x19000
 
:try_start_2
invoke-static {v3, v2}, Lcom/tencent/mm/a/g;->a(Ljava/io/InputStream;I)Ljava/lang/String;
 
move-result-object v2
 
.line 533
if-eqz v2, :cond_2
 
iget-object v4, p0, Lcom/tencent/mm/f/a$a;->eHC:Ljava/lang/String;
 
invoke-virtual {v2, v4}, Ljava/lang/String;->equalsIgnoreCase(Ljava/lang/String;)Z
:try_end_2
.catch Ljava/io/IOException; {:try_start_2 .. :try_end_2} :catch_6
.catchall {:try_start_2 .. :try_end_2} :catchall_2
 
move-result v2
 
if-eqz v2, :cond_2
 
.line 534
:try_start_3
invoke-virtual {v5}, Lcom/tencent/tinker/loader/shareutil/ShareFileLockHelper;->close()V
:try_end_3
.catch Ljava/lang/Exception; {:try_start_3 .. :try_end_3} :catch_0
 
.line 551
:goto_1
invoke-static {v3}, Lcom/tencent/mm/f/a;->b(Ljava/io/Closeable;)V
 
goto :goto_0

0x02 准备

就目前而言，学习的主要目的是如何跟踪代码逻辑，找到需要hook的点，等技能日渐成熟可直接上xposed进行持续维持，毕竟frida太容易导致进程崩溃

Apktool和ShakaApktool反编译出来的是smali，可以配合ideasmali动态调试，但是就是很怪的装不上，于是选用jadx直接反编译出java代码进行静态分析

反编译

• Android studio
• jadx
• 微信 v7.0.0

常见报错

1. 如果报 OOM 错误，需要根据物理内存大小修改JVM内存使用限制，推荐至少为5G

   1	set DEFAULT_JVM_OPTS="-Xms5g" "-Xmx8g"

2. 在Mac上可能因线程过多导致崩溃，推荐直接使用单线程

   1	> jadx -e -d out -j 1 weixin700android1380.apk

0x03 新手酷爱的骰子

探索

1. 先使用 Android SDK 下的uiautomatorviewer工具获取🎲的资源ID

   

2. 如果没有反编译资源文件就在resources.arsc中查找资源类型id下名为x5的资源对应的ID

   

   如果反编译了资源文件就在res/values/public.xml下查找对应ID
   

3. 通过Find in Path功能，全局搜索ID在R类中实际使用的变量名为art_emoji_icon_iv

   

4. 通过搜索变量名art_emoji_icon_iv，根据类所在的路径，基本可以定位相关代码应为以下其中之一

   

5. 对上面出现的类都简单Hook一下，发现在打开表情界面时触发了以下两个，在点击骰子后没有反应

   1 2 3 4

   [>]android.widget.FrameLayout{4b23dd3 V.E...... ......I. 0,0-0,0} [!]Hook com.tencent.mm.view.a.b [>]android.widget.RelativeLayout{de3011a V.E...... ......I. 0,0-0,0 #7f111a74 app:id/e82} [!]Hook com.tencent.mm.view.a.c

6. 发现在a.b下面并没有处理点击触发的相关函数（IOC——控制反转），查看a.b的引用，应该是跟入com.tencent.mm.view.SmileyGrid

   
   

7. 查看a.c的引用，没什么额外的东西

   

8. 注意到com.tencent.mm.view.SmileyGrid，yIT默认初始值为20，推测case 20是布局，case 23&25是监听点击，最后进入到SmileyGrid.a(SmileyGrid.this, emojiInfo);

   

9. 尝试hook查看下传入值

   1 2 3 4 5

   sgClass = Java.use("com.tencent.mm.view.SmileyGrid"); sgClass.a.overload('com.tencent.mm.view.SmileyGrid', 'com.tencent.mm.storage.emotion.EmojiInfo').implementation = function (arg1, arg2) { s = this.a(arg1, arg2); console.log(arg1, arg2); };

   1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26

   [LGE Nexus 5X::com.tencent.mm]-> com.tencent.mm.view.SmileySubGrid{8691b21 V.ED..C.. .......D 0,0-1080,644 #7f110382 app:id/x9} field_md5:08f223fa83f1ca34e143d1e580252c7c field_svrid: field_catalog:18 field_type:1 field_size:0 field_start:0 field_state:0 field_name:dice.png field_content:50 field_reserved1: field_reserved2: field_reserved3:0 field_reserved4:0 field_app_id: field_groupId:18 field_lastUseTime:0 field_framesInfo: field_idx:0 field_temp:0 field_source:0 field_needupload:0 field_designerID:null field_thumbUrl:null field_captureStatus:0 field_captureUploadErrCode0 field_captureUploadCounter0

10. 分析下代码，从判断逻辑上看，最后有.show()的Toast分支肯定不用看了，基本可以确定是最中央的else

    1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34

    static /* synthetic */ void a(SmileyGrid smileyGrid, EmojiInfo emojiInfo) { if (smileyGrid.uga == null || emojiInfo == null) { ab.e("MicroMsg.emoji.SmileyGrid", "jacks npe dealCustomEmojiClick"); } else if (yIS != 2) { if (!smileyGrid.uga.bEl()) { com.tencent.mm.ui.base.h.a(smileyGrid.getContext(), i.chatting_msg_type_not_support_send, 0, new OnClickListener() { public final void onClick(DialogInterface dialogInterface, int i) { } }); } else if (emojiInfo == null) { } else { // HERE HERE HERE if (emojiInfo.field_type != EmojiInfo.AIJ && emojiInfo.field_type != EmojiInfo.AIU) { ab.i("MicroMsg.emoji.SmileyGrid", "cpan send dealcustom emoji click emoji:%s", emojiInfo.QX()); // maybe 1 final EmojiInfo c = ((com.tencent.mm.plugin.emoji.b.d) g.N(com.tencent.mm.plugin.emoji.b.d.class)).getProvider().c(emojiInfo); if (c != null) { ... } ab.w("MicroMsg.emoji.SmileyGrid", "onSendCustomEmoji error, emoji is null"); } else if (smileyGrid.uga.bEk()) { // maybe 2 smileyGrid.uga.o(emojiInfo); ab.d("MicroMsg.emoji.SmileyGrid", "onSendAppMsgCustomEmoji emoji md5 is [%s]", emojiInfo.QX()); } else { Toast.makeText(smileyGrid.getContext(), smileyGrid.getContext().getString(i.chatting_msg_type_not_support), 0).show(); } } } else if (emojiInfo.field_catalog == EmojiGroupInfo.AIx) { Context context = smileyGrid.getContext(); int i = i.chatting_can_not_del_sys_smiley; com.tencent.mm.ui.base.h.j(context, i, i).show(); } }

11. 关键的两行代码

    1 2 3 4 5

    final EmojiInfo c = ((com.tencent.mm.plugin.emoji.b.d) g.N(com.tencent.mm.plugin.emoji.b.d.class)).getProvider().c(emojiInfo); // g 为 com.tencent.mm.kernel.g // com.tencent.mm.plugin.emoji.b.d 为一个接口类 smileyGrid.uga.o(emojiInfo);

12. 通过Hook g.N查看返回结果有以下两种

    1 2 3 4

    class com.tencent.mm.plugin.emoji.PluginEmoji # 下面这个看名字应该就不是 class com.tencent.mm.plugin.story.PluginStory

13. 在PluginEmoji的getProvider中，会创建一个a类

    1 2 3 4 5 6

    public e getProvider() { if (this.keM == null) { this.keM = new com.tencent.mm.ca.a(); } return this.keM; }

14. 跟入到com.tencent.mm.ca下类a中的c函数，又调用PluginEmoji下的getEmojiMgr

    1 2 3 4 5 6

    public final EmojiInfo c(EmojiInfo emojiInfo) { if (((h) g.ME().Mg()).Nx()) { return ((d) g.N(d.class)).getEmojiMgr().c(emojiInfo); } ... }

15. PluginEmoji.getEmojiMgr代码如下

    1 2 3 4 5 6 7 8 9 10

    public void setEmojiMgr() { if (this.keL == null) { this.keL = com.tencent.mm.plugin.emoji.b.b.a.kgD.getEmojiMgr(); } } public com.tencent.mm.pluginsdk.a.d getEmojiMgr() { setEmojiMgr(); return this.keL; }

16. 这里hook直接获取返回值的类却显示[object Object]，查询网上说可能是android版本问题，亦可能是返回类型问题，反正没能解决，只好尝试跟com.tencent.mm.plugin.emoji.b.b.a下值kgD的来源（话说model下的类是不是直接对应emoji下同名类？）

    

17. 接着几次跟入

    1 2 3 4 5 6 7 8

    public final class b extends p { public b() { super(c.adY("emoji")); a.kgD = new com.tencent.mm.plugin.emoji.b.b() { public final d getEmojiMgr() { return j.bbs(); } ...

    跟入同路径下j.java

    1 2 3 4 5 6 7 8 9 10 11

    import com.tencent.mm.plugin.emoji.e.g; public class j implements as { public static g bbs() { com.tencent.mm.kernel.g.MF().LO(); if (bbq().kjm == null) { bbq().kjm = new g(); } return bbq().kjm; } ...

    跟入后，发现关键信息来源于bo.gq

    1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20

    import com.tencent.mm.sdk.platformtools.bo; public final class g implements d { ... public final EmojiInfo c(EmojiInfo emojiInfo) { if (emojiInfo.field_catalog == EmojiGroupInfo.AIx && emojiInfo.field_type == EmojiInfo.AIG && emojiInfo.getContent().length() > 0 && EmojiInfo.SM(bo.getInt(emojiInfo.getContent(), 0))) { Cursor Ke = j.getEmojiStorageMgr().wKL.Ke(bo.getInt(emojiInfo.getContent(), 0)); if (Ke != null && Ke.getCount() > 1) { int gq = bo.gq(Ke.getCount() - 1, 0); emojiInfo = new EmojiInfo(); Ke.moveToPosition(gq); emojiInfo.d(Ke); } if (Ke != null) { Ke.close(); } } return emojiInfo; } ...

18. 在com.tencent.mm.sdk.platformtools.bo下gq函数中看到了让人激动的Random，大致应该就是这里了

    1 2 3 4

    public static int gq(int i, int i2) { Assert.assertTrue(i > i2); return new Random(System.currentTimeMillis()).nextInt((i - i2) + 1) + i2; }

19. 简单hook下

    1 2 3 4 5 6 7 8

    fClass = Java.use("com.tencent.mm.sdk.platformtools.bo"); fClass.gq.implementation = function (arg1, arg2) { s = this.gq(arg1, arg2); console.log('------------------'); console.log("[In]", arg1, arg2); console.log("[Out]", s); return s; };

    发现此函数也用来生成猜拳结果，且生成规则如下

    1 2 3 4 5 6 7 8 9

    # 输入 5 0 # 输出 0-5 对应骰子 1-6 [In] 5 0 [Out] 2 # 输入 2 0 # 输出 0-2 对应猜拳 剪刀-石头-布 [In] 2 0 [Out] 1

快速定位

根据网上资料可知最终还是通过Random函数产生随机结果，且代码位于com.tencent.mm.sdk.platformtools下，直接搜索即可定位

效果

可通过arg1区分猜拳、骰子，这里没处理

1
2
3
4
5
6
7
8

setImmediate(function () {
    Java.perform(function(){
        cClass = Java.use("com.tencent.mm.sdk.platformtools.bo");
        cClass.gq.implementation = function (arg1, arg2) {
            return 5;
        };
    })
});

参考资料

1. https://bbs.pediy.com/thread-225912.htm
2. https://bbs.pediy.com/thread-202965.htm
3. https://cloud.tencent.com/developer/article/1048423
4. https://blog.csdn.net/jiangwei0910410003/article/details/52892330
5. https://www.jianshu.com/p/3968ffabdf9d

来自于Awesome Frida的介绍

Frida is Greasemonkey for native apps, or, put in more technical terms, it’s a dynamic code instrumentation toolkit. It lets you inject snippets of JavaScript into native apps that run on Windows, Mac, Linux, iOS and Android.

Frida可以认为是原生应用的油猴脚本，或其他更专业的技术术语。它是一种动态插桩工具集，可以将js代码插入到在Windows、Mac、Linux、iOS、Android上运行的原生应用中。

1. 比较

0x01 安装

1. 安装frida

   1	> pip install frida frida-tools

2. 下载对应版本frida-server，使用adb推送

   1	> adb push frida-server /data/local/tmp/

3. root 下执行frida-server

   1 2 3 4 5

   > adb shell bullhead:/ $ su - bullhead:/ # cd /data/local/tmp bullhead:/ # chmod +x frida-server bullhead:/ # ./frida-server

0x02 测试机选择

经测试最好还是使用物理机，x64架构虚拟机上很多app无法安装，arm虚拟机太卡且有时候frida会莫名报错

Android

选用Nexus 5X，刷8.1.0 & Magisk，具体操作可见参考资料1

iOS

待更新

0x0N Crackme

环境

• 主机

  • frida

• 手机

  • Nexus 5 (with Android 8.1.0) 已 root
  • frida-server

注意

需要要注意几点

1. setImmediate据说可以避免一些执行时间过长问题
2. 使用-f参数 新启动并暂时挂起进程，然后待布置好hook代码后再恢复进程运行，配合使用--no-pause取消挂起相当于直接创建一个新进程后进行hook，这里在hook onCreate时会有问题，下面会提到

一些常用命令

安装apk

1

> adb install UnCrackable-Level1.apk

快捷截图

1

> adb shell screencap -p > `date "+%Y%m%d%H%M%S"`.png

Crack

1. 启动后会检测是否Root

   

2. 查看检测代码，将apk拖入到jadx-gui中

   1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35

   public class MainActivity extends Activity { private void a(String str) { AlertDialog create = new Builder(this).create(); create.setTitle(str); create.setMessage("This in unacceptable. The app is now going to exit."); create.setButton(-3, "OK", new b(this)); create.setCancelable(false); create.show(); } protected void onCreate(Bundle bundle) { if (c.a() || c.b() || c.c()) { a("Root detected!"); } if (b.a(getApplicationContext())) { a("App is debuggable!"); } super.onCreate(bundle); setContentView(R.layout.activity_main); } public void verify(View view) { String obj = ((EditText) findViewById(R.id.edit_text)).getText().toString(); AlertDialog create = new Builder(this).create(); if (a.a(obj)) { create.setTitle("Success!"); create.setMessage("This is the correct secret."); } else { create.setTitle("Nope..."); create.setMessage("That's not it. Try again."); } create.setButton(-3, "OK", new c(this)); create.show(); } }

3. 这里有两种方法

   1. 通过所有检测，即Hook掉c.a&c.b&c.c&b.a

   2. 注意到弹窗的监听类为b，可Hook b.onClick不执行退出

      1 2 3 4 5 6 7 8 9 10 11

      class b implements OnClickListener { final /* synthetic */ MainActivity a; b(MainActivity mainActivity) { this.a = mainActivity; } public void onClick(DialogInterface dialogInterface, int i) { System.exit(0); } }

4. 先尝试ii中的Hook b.onClick

   1 2 3 4 5 6 7

   setImmediate(function () { Java.perform(function(){ cClass = Java.use("sg.vantagepoint.uncrackable1.b"); cClass.onClick.implementation = function () { console.log("[!] hook click"); }}) });

   注入脚本，点击ok按钮

   1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

   > frida -U -f sg.vantagepoint.uncrackable1 -l 1.js --no-pause ____ / _ | Frida 12.2.29 - A world-class dynamic instrumentation toolkit | (_| | > _ | Commands: /_/ |_| help -> Displays the help system . . . . object? -> Display information about 'object' . . . . exit/quit -> Exit . . . . . . . . More info at http://www.frida.re/docs/home/ Spawned `sg.vantagepoint.uncrackable1`. Resuming main thread! [LGE Nexus 5X::sg.vantagepoint.uncrackable1]-> [!] Hook click [LGE Nexus 5X::sg.vantagepoint.uncrackable1]-> exit Thank you for using Frida!

5. 尝试i中Hook onCreate

   初步尝试在加上--no-pause启动后，由于取消挂起这时候代码并没有hook进去，而是在onCreate结束后才开始注入，所以需要去掉--no-pause等待 hook 后恢复进程，会比较耗时，但能正常 hook onCreate

   1	> frida -U -f <package> -l <script file>

   Hook脚本

   1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22

   setImmediate(function () { Java.perform(function(){ cClass = Java.use("sg.vantagepoint.a.c"); cClass.a.implementation = function () { console.log('[!] Hook c.a'); return false; }; cClass.b.implementation = function () { console.log('[!] Hook c.a'); return false; }; cClass.c.implementation = function () { console.log('[!] Hook c.c'); return false; }; bClass = Java.use("sg.vantagepoint.a.b"); bClass.a.implementation = function () { console.log('[!] Hook b.a'); return false; } }) });

   执行注入，就没有弹窗了

   1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18

   > frida -U -f sg.vantagepoint.uncrackable1 -l 1.js ____ / _ | Frida 12.2.29 - A world-class dynamic instrumentation toolkit | (_| | > _ | Commands: /_/ |_| help -> Displays the help system . . . . object? -> Display information about 'object' . . . . exit/quit -> Exit . . . . . . . . More info at http://www.frida.re/docs/home/ Spawned `sg.vantagepoint.uncrackable1`. Use %resume to let the main thread start executing! [LGE Nexus 5X::sg.vantagepoint.uncrackable1]-> [!] Hook c.a [!] Hook c.a [!] Hook c.c [!] Hook b.a [LGE Nexus 5X::sg.vantagepoint.uncrackable1]-> exit Thank you for using Frida!

6. 接下来是一个输入字符串返回比较结果，事件函数为a.a，重要的是获取bArr，即sg.vantagepoint.a.a.a返回结果

   1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20

   public class a { public static boolean a(String str) { byte[] bArr = new byte[0]; try { bArr = sg.vantagepoint.a.a.a(b("8d127684cbc37c17616d806cf50473cc"), Base64.decode("5UJiFctbmgbDoLXmpL12mkno8HT4Lv8dlat8FxR2GOc=", 0)); } catch (Exception e) { Log.d("CodeCheck", "AES error:" + e.getMessage()); } return str.equals(new String(bArr)); } public static byte[] b(String str) { int length = str.length(); byte[] bArr = new byte[(length / 2)]; for (int i = 0; i < length; i += 2) { bArr[i / 2] = (byte) ((Character.digit(str.charAt(i), 16) << 4) + Character.digit(str.charAt(i + 1), 16)); } return bArr; } }

   sg.vantagepoint.a.a.a代码如下，我们不用在意代码内容，只要 hook 结果就好了

   1 2 3 4 5 6 7 8

   public class a { public static byte[] a(byte[] bArr, byte[] bArr2) { Key secretKeySpec = new SecretKeySpec(bArr, "AES/ECB/PKCS7Padding"); Cipher instance = Cipher.getInstance("AES"); instance.init(2, secretKeySpec); return instance.doFinal(bArr2); } }

   Hook 代码，使用this.a调用原a函数

   1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

   setImmediate(function () { Java.perform(function(){ ... aaClass = Java.use("sg.vantagepoint.a.a"); aaClass.a.implementation = function (arg1, arg2) { pass = ""; s = this.a(arg1, arg2); for(i=0; i<s.length; i++) { pass += String.fromCharCode(s[i]); } console.log("[*] content: " + pass); return s; } }) });

   执行代码，获取隐藏内容

   1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

   > frida -U -f sg.vantagepoint.uncrackable1 -l 1.js --no-pause ____ / _ | Frida 12.2.29 - A world-class dynamic instrumentation toolkit | (_| | > _ | Commands: /_/ |_| help -> Displays the help system . . . . object? -> Display information about 'object' . . . . exit/quit -> Exit . . . . . . . . More info at http://www.frida.re/docs/home/ Spawned `sg.vantagepoint.uncrackable1`. Resuming main thread! [LGE Nexus 5X::sg.vantagepoint.uncrackable1]-> [!] Hook click [*] content: I want to believe [LGE Nexus 5X::sg.vantagepoint.uncrackable1]-> exit Thank you for using Frida!

参考资料

1. https://www.52pojie.cn/thread-836277-1-1.html
2. https://github.com/iromise/AOS-Note/blob/42544f4635/frida-exp/frida.md
3. https://github.com/dweinstein/awesome-frida