Android逆向实战-FridaHook破解极简记账VIP

OrientalGlass · 发表于 2024-8-19 21:35

[toc]

前言

本文中所有内容仅供研究与学习使用，请勿用于任何商业用途和非法用途，否则后果自负！

最近在学习frida,平常用极简记账记录日常流水,正好实战一波VIP破解

样本使用了360加固,但java代码没有混淆,总体难度不大适合新手上路

基本思路:

通过vip相关组件定位关键代码所在类
frida打印关键代码所在类信息
dump dex文件,分析关键代码
hook vip判断逻辑

一. 相关环境

测试机: Pixel 3XL Android12

主机环境: Windows10 frida-16.0.19 python3.10 Java8

二. VIP代码定位

使用MT管理器记录活动,点击已经购买,定位vip检测的相关类

可以发现关键类为com.luyun.simpleaccout.ui.VipActivity

使用frida hook打印VipActivity相关信息

function main(){
    Java.perform(function (){
        Java.choose("com.luyun.simpleaccout.ui.VipActivity",{
            onMatch:function(instance){
                console.log("instance:",instance);
                var methods=instance.class.getDeclaredMethods();            //方法
                var fields=instance.class.getDeclaredFields();              //字段
                console.log("\n==========methods==========");
                for(let i=0;i<methods.length;i++){
                    var methodParams=methods[i].getParameterTypes()
                    var methodReturnType=methods[i].getReturnType()
                    var methodName=methods[i].getName();
                    console.log(methodReturnType+" "+methodName+"("+methodParams+")");
                }
                console.log("\n==========fields==========");
                for(let i=0;i<fields.length;i++){
                    var fieldName=fields[i].getName();
                    var fieldType=fields[i].getType();
                    var fieldValue=instance[fieldName].value;
                    console.log(fieldType,fieldName,"=",fieldValue);
                }
            },
            onComplete:function(instance){
            }
        })
    })
}
setTimeout(main,500)

发现和支付/vip相关的几个方法

三. DumpDex

使用frida-dexdump 拉取dex文件

将所有dex文件拖进jeb工具分析(jadx无法正确反编译VipActivity相关部分代码)

四. 代码分析

反编译完成后搜索VipActivity,发现alreadyBuy()方法,该方法即为点击"已经购买"后的检测方法

内部主要通过调用isVip()判断是否为vip用户

跟进发现isVip方法是继承自BaseActivity

该方法内部目测是向服务器拉取vip的起始和终止时间判断是否为有效vip,最终返回值为bool类型

VipActivity中还能看到getVipType()不同返回值对应的vip类型

type=0时未解锁,type=1时可续订,type=2时是永久vip

最初hook了VipActivity的isVip()和getVipType()方法,发现ui显示为永久会员但是仍然需要解锁

于是搜索所有isVip()和getVipType()方法实现

五. Hook脚本

将以上所有类的isVip和getVipType方法实现全部hook

function main(){
    Java.perform(function (){
        var baseActivity=Java.use("com.luyun.simpleaccout.ui.BaseActivity")
        baseActivity.isVip.implementation=function(){
            console.log("Hook isVip() method!Origin result=",this.isVip())
            return true;
        }
        baseActivity.getVipType.implementation=function(){
            console.log("Hook getVipType() method!Origin result=",this.getVipType())
            return 2;
        }
        var baseFragment=Java.use("com.luyun.simpleaccout.ui.fragment.BaseFragment")
        baseFragment.isVip.implementation=function(){
            console.log("Hook BaseFragment isVip() Succeeded!Origin result=",this.isVip());
            return true;
        }
        baseFragment.getVipType.implementation=function(){
            console.log("Hook BaseFragment getVipType() Succeeded!Origin result=",this.getVipType())
            return 2;
        }
        var splashActivity=Java.use("com.luyun.simpleaccout.ui.SplashActivity");
        splashActivity.isVip.implementation=function(){
            console.log("Hook SplashActivity isVip() Succeeded!Origin result=",this.isVip());
            return true;
        }
        var accountWidgetProvider=Java.use("com.luyun.simpleaccout.provider.AccountWidgetProvider")
        accountWidgetProvider.isVip.implementation=function(){
            console.log("Hook AccountWidgetProvider isVip() Succeeded!Origin result=",this.isVip());
            return true;
        }
    })
}
setTimeout(main,500)

六. 效果演示

Hook成功,并且是永久会员

vip的导出账本功能正常使用

林伊轩 · 发表于 2024-9-16 18:38

经过下面这个网站的学习,可算是把frida的js脚本移植到xposed中了.

https://forum.butian.net/share/2248

[Java] 纯文本查看 复制代码

 // 解决动态加载dex文件hook不到问题
        XposedHelpers.findAndHookMethod(ClassLoader.class, "loadClass", String.class, new XC_MethodHook() {
            @Override
            protected void afterHookedMethod(MethodHookParam param) throws Throwable {
//                XposedBridge.log(TAG + " clazz => " + clazz);
                Class<?> clazz = (Class<?>) param.getResult();
                if (clazz != null) {
                    switch (clazz.getName()) {
                        case "com.luyun.simpleaccout.ui.SplashActivity":
                            XposedBridge.hookAllMethods(clazz, "isVip", new XC_MethodHook() {
                                @Override
                                protected void afterHookedMethod(MethodHookParam param) {
                                    XposedBridge.log(TAG + "  Hook SplashActivity isVip()");
                                    Object context = XposedHelpers.callMethod(param.thisObject, "getApplicationContext");
                                    Class<?> sharedPreferencesUtilsClass = XposedHelpers.findClass("com.luyun.simpleaccout.utils.SharedPreferencesUtils", loadPackageParam.classLoader);
                                    Class<?> stubAppClass = XposedHelpers.findClass("com.stub.StubApp", loadPackageParam.classLoader);
                                    Object applicationContext = XposedHelpers.callStaticMethod(stubAppClass, "getOrigApplicationContext", context);
                                    Object paramValue = XposedHelpers.callStaticMethod(sharedPreferencesUtilsClass, "getParam", applicationContext, "is_privacy_show", Boolean.valueOf(false));
                                    boolean bl = (Boolean) XposedHelpers.callMethod(paramValue, "booleanValue");
                                    XposedBridge.log(TAG + " Hook SplashActivity isVip() Succeeded! Origin result=" + param.getResult() + " bl=" + bl);
                                    param.setResult(bl);
                                }
                            });
                            XposedBridge.hookAllMethods(clazz, "popPrivacyDialog", new XC_MethodHook() {
                                @Override
                                protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                                    XposedBridge.log(TAG + " Hook popPrivacyDialog 确认弹窗，执行相关初始化操作并跳转到主界面");
                                    Object context = XposedHelpers.callMethod(param.thisObject, "getApplicationContext");
                                    Class<?> sharedPreferencesUtilsClass = XposedHelpers.findClass("com.luyun.simpleaccout.utils.SharedPreferencesUtils", loadPackageParam.classLoader);
                                    Class<?> stubAppClass = XposedHelpers.findClass("com.stub.StubApp", loadPackageParam.classLoader);
                                    Object origContext = XposedHelpers.callStaticMethod(stubAppClass, "getOrigApplicationContext", context);
                                    XposedHelpers.callStaticMethod(sharedPreferencesUtilsClass, "setParam", origContext, "is_privacy_show", true);
                                    XposedBridge.log(TAG + " SharedPreferencesUtils.setParam() 已执行");
                                    XposedHelpers.callMethod(param.thisObject, "goToMainActivity");
                                    param.setResult(null);
                                }
                            });
                    }
                }
            }
        });
    }

林伊轩 · 发表于 2024-9-16 14:41

为什么这个代码转成xp框架代码的时候,报错,提示找不到对应的类,好奇怪

[Java] 纯文本查看 复制代码

LSPosed-Bridge      E  KWs.VughjCuW.z.gAm.sQH.XposedHelpers$ClassNotFoundError: java.lang.ClassNotFoundException: com.luyun.simpleaccout.ui.SplashActivity
                                               	at KWs.VughjCuW.z.gAm.sQH.XposedHelpers.findClass(Unknown Source:12)
                                               	at KWs.VughjCuW.z.gAm.sQH.XposedHelpers.findAndHookMethod(SourceFile:6)
                                               	at yuu.xposed.jjjz.Hook.handleLoadPackage(Hook.java:20)
                                               	at KWs.VughjCuW.z.gAm.sQH.IXposedHookLoadPackage$Wrapper.handleLoadPackage(Unknown Source:2)
                                               	at KWs.VughjCuW.z.gAm.sQH.callbacks.XC_LoadPackage.call(Unknown Source:6)
                                               	at KWs.VughjCuW.z.gAm.sQH.callbacks.XCallback.callAll(Unknown Source:26)
                                               	at h0.a(Unknown Source:320)
                                               	at java.lang.reflect.Method.invoke(Native Method)
                                               	at J.callback(Unknown Source:253)
                                               	at LSPHooker_.createOrUpdateClassLoaderLocked(Unknown Source:11)
                                               	at android.app.LoadedApk.getClassLoader(LoadedApk.java:810)
                                               	at android.app.LoadedApk.getResources(LoadedApk.java:1032)
                                               	at android.app.ContextImpl.createAppContext(ContextImpl.java:2345)
                                               	at android.app.ActivityThread.handleBindApplication(ActivityThread.java:5907)
                                               	at android.app.ActivityThread.access$1100(ActivityThread.java:207)
                                               	at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1663)
                                               	at android.os.Handler.dispatchMessage(Handler.java:106)
                                               	at android.os.Looper.loop(Looper.java:193)
                                               	at android.app.ActivityThread.main(ActivityThread.java:6840)
                                               	at java.lang.reflect.Method.invoke(Native Method)
                                               	at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:493)
                                               	at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:860)
                                               Caused by: java.lang.ClassNotFoundException: com.luyun.simpleaccout.ui.SplashActivity
                                               	at java.lang.Class.classForName(Native Method)
                                               	at java.lang.Class.forName(Class.java:470)
                                               	at q.a(Unknown Source:16)
                                               	at KWs.VughjCuW.z.gAm.sQH.XposedHelpers.findClass(Unknown Source:4)
                                               	at KWs.VughjCuW.z.gAm.sQH.XposedHelpers.findAndHookMethod(SourceFile:6)&#160;
                                               	at yuu.xposed.jjjz.Hook.handleLoadPackage(Hook.java:20)&#160;
                                               	at KWs.VughjCuW.z.gAm.sQH.IXposedHookLoadPackage$Wrapper.handleLoadPackage(Unknown Source:2)&#160;
                                               	at KWs.VughjCuW.z.gAm.sQH.callbacks.XC_LoadPackage.call(Unknown Source:6)&#160;
                                               	at KWs.VughjCuW.z.gAm.sQH.callbacks.XCallback.callAll(Unknown Source:26)&#160;
                                               	at h0.a(Unknown Source:320)&#160;
                                               	at java.lang.reflect.Method.invoke(Native Method)&#160;
                                               	at J.callback(Unknown Source:253)&#160;
                                               	at LSPHooker_.createOrUpdateClassLoaderLocked(Unknown Source:11)&#160;
                                               	at android.app.LoadedApk.getClassLoader(LoadedApk.java:810)&#160;
                                               	at android.app.LoadedApk.getResources(LoadedApk.java:1032)&#160;
                                               	at android.app.ContextImpl.createAppContext(ContextImpl.java:2345)&#160;
                                               	at android.app.ActivityThread.handleBindApplication(ActivityThread.java:5907)&#160;
                                               	at android.app.ActivityThread.access$1100(ActivityThread.java:207)&#160;
                                               	at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1663)&#160;
                                               	at android.os.Handler.dispatchMessage(Handler.java:106)&#160;
                                               	at android.os.Looper.loop(Looper.java:193)&#160;
                                               	at android.app.ActivityThread.main(ActivityThread.java:6840)&#160;
                                               	at java.lang.reflect.Method.invoke(Native Method)&#160;
                                               	at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:493)&#160;
                                               	at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:860)&#160;
                                               Caused by: java.lang.ClassNotFoundException: Didn't find class "com.luyun.simpleaccout.ui.SplashActivity" on path: DexPathList[[zip file "/system/framework/org.apache.http.legacy.boot.jar", zip file "/data/app/com.luyun.simpleaccout-yGgylEBqfcTC9oijJkFuxQ==/base.apk"],nativeLibraryDirectories=[/data/app/com.luyun.simpleaccout-yGgylEBqfcTC9oijJkFuxQ==/lib/arm, /data/app/com.luyun.simpleaccout-yGgylEBqfcTC9oijJkFuxQ==/base.apk!/lib/armeabi-v7a, /system/lib, /system/vendor/lib]]
                                               	at dalvik.system.BaseDexClassLoader.findClass(BaseDexClassLoader.java:134)
                                               	at java.lang.ClassLoader.loadClass(ClassLoader.java:379)
                                               	at java.lang.ClassLoader.loadClass(ClassLoader.java:312)
                                               	at java.lang.Class.classForName(Native Method)&#160;
                                               	at java.lang.Class.forName(Class.java:470)&#160;
                                               	at q.a(Unknown Source:16)&#160;
                                               	at KWs.VughjCuW.z.gAm.sQH.XposedHelpers.findClass(Unknown Source:4)&#160;
                                               	at KWs.VughjCuW.z.gAm.sQH.XposedHelpers.findAndHookMethod(SourceFile:6)&#160;
                                               	at yuu.xposed.jjjz.Hook.handleLoadPackage(Hook.java:20)&#160;
                                               	at KWs.VughjCuW.z.gAm.sQH.IXposedHookLoadPackage$Wrapper.handleLoadPackage(Unknown Source:2)&#160;
                                               	at KWs.VughjCuW.z.gAm.sQH.callbacks.XC_LoadPackage.call(Unknown Source:6)&#160;
                                               	at KWs.VughjCuW.z.gAm.sQH.callbacks.XCallback.callAll(Unknown Source:26)&#160;
                                               	at h0.a(Unknown Source:320)&#160;
                                               	at java.lang.reflect.Method.invoke(Native Method)&#160;
                                               	at J.callback(Unknown Source:253)&#160;
                                               	at LSPHooker_.createOrUpdateClassLoaderLocked(Unknown Source:11)&#160;
                                               	at android.app.LoadedApk.getClassLoader(LoadedApk.java:810)&#160;
                                               	at android.app.LoadedApk.getResources(LoadedApk.java:1032)&#160;
                                               	at android.app.ContextImpl.createAppContext(ContextImpl.java:2345)&#160;
                                               	at android.app.ActivityThread.handleBindApplication(ActivityThread.java:5907)&#160;
                                               	at android.app.ActivityThread.access$1100(ActivityThread.java:207)&#160;
                                               	at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1663)&#160;
                                               	at android.os.Handler.dispatchMessage(Handler.java:106)&#160;
                                               	at android.os.Looper.loop(Looper.java:193)&#160;
                                               	at android.app.ActivityThread.main(ActivityThread.java:6840)&#160;
                                               	at java.lang.reflect.Method.invoke(Native Method)&#160;
                                               	at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:493)&#160;
                                               	at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:860)&#160;

cuteapi · 发表于 2024-8-20 10:44

推荐使用beancount，复式记账，相当好用

332378834 · 发表于 2024-8-20 12:02

看看好不好，学习一下

xiaobaixuepj · 发表于 2024-8-20 13:00

感谢分享，学习

Mathziw1c · 发表于 2024-8-20 13:54

最近也遇到类似的apk，这就试验一下

helel223 · 发表于 2024-8-20 14:27

牛批，刚好在学习frida，我也去试一下

dph5199278 · 发表于 2024-8-20 14:52

谢谢分享，学习了

MrYuxuan · 发表于 2024-8-20 14:57

学习到了，感谢楼主分享

聪本 · 发表于 2024-8-20 20:42

cuteapi 发表于 2024-8-20 10:44
推荐使用beancount，复式记账，相当好用

这个安卓好像不方便下载把

rEtb1Te · 发表于 2024-8-21 08:39

感谢分享。
我有一个问题想问一下：最后给出的hook脚本，需要如何运行？比方说是将该段代码嵌入到原本的代码中，再打包运行？还是有别的运行方式呢？

帐号		自动登录	找回密码
密码			注册[Register]

[Android 原创] Android逆向实战-FridaHook破解极简记账VIP

前言

一. 相关环境

二. VIP代码定位

三. DumpDex

四. 代码分析

五. Hook脚本

六. 效果演示

免费评分

本帖被以下淘专辑推荐: