The method of java dynamic and static combined with inverse WhatsApp

2025-02-24 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

In this article the editor walks through the "java dynamic and static combination of reverse WhatsApp method" in detail: the steps are laid out in order and the details are handled carefully. Follow the editor's reasoning step by step and the article should resolve your doubts and teach you something new.

0x01. Hooking all overloads of a method

In the earlier article on the essence of Frida we learned how to deal with overloaded methods; let's review that code first:

    // one hook per overload: the (int, int) variant and the (String) variant
    my_class.fun.overload("int", "int").implementation = function(x, y) {
        // handle the (int, int) overload
    };
    my_class.fun.overload("java.lang.String").implementation = function(x) {
        // handle the (String) overload
    };

In other words, we need to walk the array of overloads and hook each one, printing its arguments and return value. Straight to the code:

    function traceMethod(targetClassMethod) {
        // derive the class name and the method name from the dotted "class.method" string
        var delim = targetClassMethod.lastIndexOf(".");
        if (delim === -1) return;
        var targetClass = targetClassMethod.slice(0, delim);
        var targetMethod = targetClassMethod.slice(delim + 1);

        // target class
        var hook = Java.use(targetClass);
        // number of overloads
        var overloadCount = hook[targetMethod].overloads.length;
        // log how many overloads of the method are being traced
        console.log("Tracing " + targetClassMethod + " [" + overloadCount + " overload(s)]");
        // hook each overload
        for (var i = 0; i < overloadCount; i++) {
            hook[targetMethod].overloads[i].implementation = function() {
                console.warn("\n*** entered " + targetClassMethod);
                // the call stack of each overload can be printed here; it helps debugging enormously,
                // but it produces a lot of output, so leave it out unless the analysis is stuck
                Java.perform(function() {
                    var bt = Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Exception").$new());
                    console.log("\nBacktrace:\n" + bt);
                });
                // print the arguments
                if (arguments.length) console.log();
                for (var j = 0; j < arguments.length; j++) {
                    console.log("arg[" + j + "]: " + arguments[j]);
                }
                // call the original method and print the return value
                var retval = this[targetMethod].apply(this, arguments); // rare crash (Frida bug?)
                console.log("\nretval: " + retval);
                console.warn("\n*** exiting " + targetClassMethod);
                return retval;
            }
        }
    }

That takes care of all overloads of one method. Next, enumerate all methods of a class.

0x02. Hooking all methods of a class

Straight to the code again:

    function traceClass(targetClass) {
        // Java.use creates a new wrapper object, remember?
        var hook = Java.use(targetClass);
        // use reflection to get every method declared by the class
        var methods = hook.class.getDeclaredMethods();
        // after creating the wrapper, remember to release it
        hook.$dispose;
        // save the method names into an array
        var parsedMethods = [];
        methods.forEach(function(method) {
            parsedMethods.push(method.toString().replace(targetClass + ".", "TOKEN").match(/\sTOKEN(.*)\(/)[1]);
        });
        // drop duplicate names (overloads share one name and are handled by traceMethod)
        var targets = uniqBy(parsedMethods, JSON.stringify);
        // hook every method in the array; traceMethod is the function from section 0x01
        targets.forEach(function(targetMethod) {
            traceMethod(targetClass + "." + targetMethod);
        });
    }

    // helper used above: remove duplicates from an array, comparing by key(item)
    function uniqBy(array, key) {
        var seen = {};
        return array.filter(function(item) {
            var k = key(item);
            return seen.hasOwnProperty(k) ? false : (seen[k] = true);
        });
    }

0x03. Hooking all classes that match a pattern

Again only the core part of the code; pattern is the string passed in by the caller and is used as a regular expression:

    // enumerate all classes that are already loaded
    Java.enumerateLoadedClasses({
        onMatch: function(aClass) {
            // iterate and test each class name against the pattern
            if (aClass.match(pattern)) {
                // normalise the class name (more checks can be added here to support more patterns)
                var className = aClass.match(/[L]?(.*);?/)[1].replace(/\//g, ".");
                // hand the class over to traceClass
                traceClass(className);
            }
        },
        onComplete: function() {}
    });

0x04. Hooking exported functions of native libraries

    // trace a native library function at address impl
    function traceModule(impl, name) {
        console.log("Tracing " + name);
        // Frida's Interceptor
        Interceptor.attach(impl, {
            onEnter: function(args) {
                console.warn("\n*** entered " + name);
                // print the call stack
                console.log("\nBacktrace:\n" + Thread.backtrace(this.context, Backtracer.ACCURATE)
                    .map(DebugSymbol.fromAddress).join("\n"));
            },
            onLeave: function(retval) {
                // print the return value
                console.log("\nretval: " + retval);
                console.warn("\n*** exiting " + name);
            }
        });
    }

0x05. Combining dynamic and static analysis against WhatsApp

Finally it is time for practice. Stitch the code above together into one script. This script is in fact also listed in awesome-frida; it had a small bug, and after 葫芦娃 fixed it, it finally works.

Let's try its main features, starting with the exported functions of a native library:

    setTimeout(function() {
        Java.perform(function() {
            trace("exports:*!open*");
            //trace("exports:*!write*");
            //trace("exports:*!malloc*");
            //trace("exports:*!free*");
        });
    }, 0);

We are hooking the open() function. Run it and look at the result:

    $ frida -U -f com.whatsapp -l raptor_frida_android_trace_fixed.js --no-pause

As shown in the figure, the pattern *!open* matches openlog, open64 and other exported functions; all of them are hooked, and a backtrace is printed on entry and the return value on exit.

Whichever part you want to look at next, throw the APK into jadx and analyse it statically: browse through it yourself, or search it by strings.

For example, to look at the contents of the com.whatsapp.app.protocol package from the figure above, set trace("com.whatsapp.app.protocol").

You can see that the classes and methods in the package, including every overload, their arguments and their return values, are all printed. That is the charm of Frida scripts.
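The page never shows the trace(pattern) glue that decides whether "exports:*!open*" is a native-module pattern or a Java class pattern, and it does not discuss how fragile the method-name parsing in traceClass is. The block below is an added example written for this edit; it is not code from the original post or from the raptor_frida_android_trace.js script it is based on. The pure string handling (pattern classification, class-name normalisation, method-name extraction, deduplication) is plain JavaScript and runs under Node; the Frida-dependent dispatcher at the bottom only executes when the Java and ApiResolver globals exist, i.e. inside Frida. The Method.toString() strings and class names are constructed samples, and the names classifyPattern, normalizeClassName, methodNameFromToString, methodNameTokenStyle and methodTargets are my own; trace() assumes the page's traceMethod, traceClass and traceModule are defined in the same script.

```javascript
// Added example (not from the original post): the glue around the page's
// traceMethod / traceClass / traceModule helpers, with the pure string logic
// separated out so it can be exercised without a Frida runtime.

// ApiResolver "module" queries such as "exports:*!open*" contain "!";
// anything else is treated as a Java class / method pattern.
function classifyPattern(pattern) {
  return pattern.indexOf("!") === -1 ? "java" : "module";
}

// Java.enumerateLoadedClasses may report JNI-style descriptors ("Lcom/whatsapp/Foo;")
// or dotted names ("com.whatsapp.Foo"); reduce both to the dotted form Java.use expects.
// The page's regex /[L]?(.*);?/ keeps a trailing ";" because .* is greedy, so the
// descriptor case is handled explicitly here.
function normalizeClassName(aClass) {
  var name = aClass;
  if (name.charAt(0) === "L" && name.charAt(name.length - 1) === ";") {
    name = name.slice(1, -1);
  }
  return name.replace(/\//g, ".");
}

// java.lang.reflect.Method.toString() looks like
//   "public final void com.whatsapp.Foo.bar(java.lang.String) throws java.io.IOException"
// The method name is the last dotted component before the first "(".
// (Under Frida, method.getName() avoids string parsing altogether.)
function methodNameFromToString(methodString) {
  var paren = methodString.indexOf("(");
  if (paren === -1) return null;
  var head = methodString.slice(0, paren);
  return head.slice(head.lastIndexOf(".") + 1);
}

// The page's TOKEN-based parser, kept for comparison. It replaces only the first
// occurrence of targetClass + ".", so it breaks when the return type is a nested
// class of the same class: "public com.whatsapp.Foo.Inner com.whatsapp.Foo.bar()".
function methodNameTokenStyle(methodString, targetClass) {
  var m = methodString.replace(targetClass + ".", "TOKEN").match(/\sTOKEN(.*)\(/);
  return m ? m[1] : null;
}

// uniqBy as used by the page's traceClass: deduplicate by a key function.
function uniqBy(array, key) {
  var seen = {};
  return array.filter(function (item) {
    var k = key(item);
    if (Object.prototype.hasOwnProperty.call(seen, k)) return false;
    seen[k] = true;
    return true;
  });
}

// Given a class's Method.toString() list, the distinct method names to hand to traceMethod.
function methodTargets(methodStrings) {
  return uniqBy(methodStrings.map(methodNameFromToString), JSON.stringify);
}

// Constructed sample: three declared methods, two of them overloads of bar.
var SAMPLE_METHODS = [
  "public final void com.whatsapp.Foo.bar(java.lang.String) throws java.io.IOException",
  "public void com.whatsapp.Foo.bar(int,int)",
  "public com.whatsapp.Foo.Inner com.whatsapp.Foo.baz()"
];

// Frida-only dispatcher: the glue that section 0x05 calls as trace(...).
// Assumes the page's traceMethod, traceClass and traceModule are in the same script.
function trace(pattern) {
  if (classifyPattern(pattern) === "module") {
    var res = new ApiResolver("module");
    uniqBy(res.enumerateMatches(pattern), JSON.stringify).forEach(function (t) {
      traceModule(t.address, t.name);
    });
    return;
  }
  var found = false;
  Java.enumerateLoadedClasses({
    onMatch: function (aClass) {
      if (aClass.match(pattern)) {
        found = true;
        traceClass(normalizeClassName(aClass));
      }
    },
    onComplete: function () {}
  });
  // No loaded class matched: treat the pattern as a fully qualified method name.
  if (!found) {
    try { traceMethod(pattern); } catch (err) { console.error(err); }
  }
}

// Only start tracing when running inside Frida (Java is undefined under plain Node).
if (typeof Java !== "undefined") {
  setTimeout(function () {
    Java.perform(function () { trace("exports:*!open*"); });
  }, 0);
}
```

Run under Node the block does nothing visible; under Frida it traces open-family exports. Note that traceMethod(pattern) only fires when no class matched, so a typo in a class pattern is reported as a method-lookup error.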

Of course, scripts are only tools; what matters is your understanding of Java and of Android apps, and your creativity.

Next, you can study the Xposed modules others have written for WhatsApp: which functions they hook and what they achieve, and learn to write your own.

Once again: making plug-ins is illegal. Do not make or distribute any App plug-ins, otherwise only legal sanctions await you.

That concludes the "java dynamic and static combination of reverse WhatsApp method" article. Mastering it still requires practice; for more related articles, follow the industry information channel.

© 2024 shulou.com SLNews company. All rights reserved.
