2025-02-24 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 05/31 Report
This article explains how to use Frida-based unpacking tools for Android. The content is short and easy to follow; read on with the editor and study it step by step.
Overview of Frida unpacking tools
Many apps now detect Frida, so choose the tool, and the way you attach with it, according to the app in question.
Classification of packers
There are many kinds of packers (shells); they can be roughly divided into three generations:
First generation, whole-DEX packing: the entire DEX is encrypted and is decrypted, dynamically loaded and run at startup (typical of free packers).
Second generation, function extraction: individual methods are extracted from the DEX, stored encrypted, and decrypted only when they are executed (used by some packers).
Third generation, VMP and Dex2C: the code is executed by an independent virtual-machine interpreter, or compiled to native code.
Frida-Unpack
The principle of Frida-Unpack is to hook the OpenMemory method of libart.so with Frida to obtain the address of the DEX in memory, compute the size of the DEX file from its header, and export the DEX from memory. The OpenMemory.js file in the project shows this clearly and directly.
The dumped DEX file is saved in the /data/data/packageName directory.
FRIDA-DEXDump
Written by hluwa. The unpacked DEX file is saved on the PC in the same directory as main.py, with the package name as the file name.
GitHub address: https://github.com/hluwa/FRIDA-DEXDump
frida_dump
Unpacks by searching memory for the DEX file header.
It searches process memory for the DEX magic, dumps each DEX it finds and saves it in the /data/data/packageName/files directory.
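The memory-carving step that Frida-Unpack (read the header, compute the size) and frida_dump (search memory for the DEX magic) have in common, as an added example written for this page; it is not code from either project. Each candidate header is checked (magic, header_size, endian_tag, and a file_size that fits inside the buffer) before the DEX is carved, so a stray "dex\n035" string does not produce a bogus dump. The Frida-only dumpDexFromProcess function, its output directory and its file naming are assumptions, not either tool's behaviour.

```javascript
"use strict";
// Added example, not code from Frida-Unpack, frida_dump or this article:
// carve DEX files out of a byte buffer by locating the DEX magic and trusting
// the header's file_size field, then (under Frida only) apply that to every
// readable range of the target process.

const DEX_HEADER_SIZE = 0x70;      // fixed DEX header length
const DEX_ENDIAN_TAG = 0x12345678; // little-endian marker at header+0x28

// "dex\n035\0" .. "dex\n039\0": the DEX versions Android has shipped.
function isDexMagic(u8, i) {
  return u8[i] === 0x64 && u8[i + 1] === 0x65 && u8[i + 2] === 0x78 && u8[i + 3] === 0x0a &&
    u8[i + 4] === 0x30 && u8[i + 5] === 0x33 &&
    (u8[i + 6] === 0x35 || u8[i + 6] === 0x37 || u8[i + 6] === 0x38 || u8[i + 6] === 0x39) &&
    u8[i + 7] === 0x00;
}

// Return file_size for a plausible DEX header at offset i, else null.
function dexSizeAt(u8, dv, i) {
  if (i + DEX_HEADER_SIZE > u8.length) return null;
  const fileSize = dv.getUint32(i + 0x20, true);
  const headerSize = dv.getUint32(i + 0x24, true);
  const endianTag = dv.getUint32(i + 0x28, true);
  if (headerSize !== DEX_HEADER_SIZE || endianTag !== DEX_ENDIAN_TAG) return null;
  if (fileSize < DEX_HEADER_SIZE || i + fileSize > u8.length) return null;
  return fileSize;
}

// Scan u8 and return every carved DEX as {offset, size, bytes}.
function findDexFiles(u8) {
  const dv = new DataView(u8.buffer, u8.byteOffset, u8.byteLength);
  const found = [];
  let i = 0;
  while (i + 8 <= u8.length) {
    if (isDexMagic(u8, i)) {
      const size = dexSizeAt(u8, dv, i);
      if (size !== null) {
        found.push({ offset: i, size, bytes: u8.subarray(i, i + size) });
        i += size; // jump over the carved file; do not rescan its interior
        continue;
      }
    }
    i += 1;
  }
  return found;
}

// Constructed test data: a fake DEX with valid header fields and a 0xaa body.
function writeDexMagic(u8, off, version) {
  const magic = `dex\n${version}\0`;
  for (let k = 0; k < 8; k++) u8[off + k] = magic.charCodeAt(k);
}
function makeFakeDex(size, version = "035") {
  const u8 = new Uint8Array(size).fill(0xaa);
  const dv = new DataView(u8.buffer);
  writeDexMagic(u8, 0, version);
  dv.setUint32(0x20, size, true);
  dv.setUint32(0x24, DEX_HEADER_SIZE, true);
  dv.setUint32(0x28, DEX_ENDIAN_TAG, true);
  return u8;
}

// Frida-only part (assumed usage: call it from the REPL once the app's main
// Activity is up). Walks readable ranges and writes each DEX into outDir;
// outDir and the "<address>_<size>.dex" naming are this example's choices.
function dumpDexFromProcess(outDir) {
  if (typeof Process === "undefined") throw new Error("run this inside a Frida script");
  const dumped = [];
  for (const range of Process.enumerateRanges("r--")) {
    let u8;
    try {
      u8 = new Uint8Array(range.base.readByteArray(range.size));
    } catch (e) {
      continue; // readable-looking ranges can still fault; skip them
    }
    for (const dex of findDexFiles(u8)) {
      const path = `${outDir}/${range.base.add(dex.offset)}_${dex.size}.dex`;
      const f = new File(path, "wb");
      f.write(dex.bytes.buffer.slice(dex.bytes.byteOffset, dex.bytes.byteOffset + dex.size));
      f.flush();
      f.close();
      dumped.push(path);
    }
  }
  return dumped;
}
```

Under Node the carving functions run as-is on the constructed data; inside Frida (frida -U -f <package> -l script.js --no-pause, then dumpDexFromProcess("/data/data/<package>/files") from the REPL once the main Activity is up) the same function is fed the process's readable ranges. A DEX carved this way contains only what is in memory at that moment: against a second-generation packer the method bodies can still be missing, which is the gap that function-level tools such as FART address.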
Frida_FART [recommended]
Written by hanbinglengyue. The Frida version of FART can only be used on Android 8. It uses hooks to achieve function-granularity unpacking: it only loads every function of a class rather than actively calling them, yet it still defeats the vast majority of function-extraction packers.
GitHub address: https://github.com/hanbinglengyue/FART, download frida_fart.zip
Decompress frida_fart.zip.
Push fart.so and fart64.so from the extracted directory to /data/app and make them accessible with chmod 777, as the project instructs (read and execute permission is all the loader actually needs).
Start the app in spawn mode, wait for it to reach its Activity UI, and then call the fart() function. If the app package is named com.example.test:
frida -U -f com.example.test -l frida_fart_hook.js --no-pause
Wait for the app to enter the main interface, then execute fart() in the Frida REPL.
Advanced usage: if you find that the CodeItem of some function in a class was not dumped, call dump(classname), passing the name of the class to be handled, to dump every function of that class; the functions are appended to the bin file.
Unpacking and repair driven by passive calls has low code coverage: not every function in the app can be triggered, so the scope of the repair is limited.
That concludes the material on how to use Frida unpacking tools; the specific usage needs to be verified in practice.