0

我正在尝试使用 frida 注入以下脚本

setImmediate(function() { //prevent timeout
    console.log("[*] Starting script");

    Java.perform(function() {

      var bClass = Java.use("sg.vantagepoint.uncrackable1.a");
      bClass.onClick.implementation = function(v) {
         console.log("[*] onClick called");
         // do nothing
      }
      console.log("[*] onClick handler modified")

    })
})

抛出以下错误

Attaching...                                                            
[*] Starting script
TypeError: cannot write property 'implementation' of undefined
    at [anon] (../../../frida-gum/bindings/gumjs/duktape.c:57636)
    at /inject.js:10
    at frida/node_modules/frida-java-bridge/lib/vm.js:11
    at E (frida/node_modules/frida-java-bridge/index.js:346)
    at frida/node_modules/frida-java-bridge/index.js:298
    at frida/node_modules/frida-java-bridge/lib/vm.js:11
    at frida/node_modules/frida-java-bridge/index.js:278
    at /inject.js:13
    at frida/runtime/core.js:55

命令我正在使用frida -U -l injection.js owasp.mstg.uncrackable1

下面一张是apk文件的反编译代码。

package sg.vantagepoint.uncrackable1;

public class MainActivity extends Activity {
        private void a(String str) {
            AlertDialog create = new AlertDialog.Builder(this).create();
            create.setTitle(str);
            create.setMessage("This is unacceptable. The app is now going to exit.");
            create.setButton(-3, "OK", new DialogInterface.OnClickListener() {
                public void onClick(DialogInterface dialogInterface, int i) {
                    System.exit(0);
                }
            });
            create.setCancelable(false);
            create.show();
        }
4

2 回答 2

0

尝试注入此脚本

setImmediate(function () {
    console.log("[*] Starting script");

    Java.perform(function () {

        var bClass = Java.use("sg.vantagepoint.uncrackable1.MainActivity$1");
        bClass.onClick.implementation = function (v) {
            console.log("[*] onClick called.");
        }
        console.log("[*] onClick handler modified")


        var aaClass = Java.use("sg.vantagepoint.a.a");
        aaClass.a.implementation = function (arg1, arg2) {
            var retval = this.a(arg1, arg2);
            var password = ''
            for (var i = 0; i < retval.length; i++) {
                password += String.fromCharCode(retval[i]);
            }

            console.log("[*] Decrypted: " + password);
            return retval;
        }
        console.log("[*] sg.vantagepoint.a.a.a modified");

    });

});
于 2020-11-02T10:33:20.363 回答
0

发生这种情况是因为您试图覆盖主要活动的 onClick 函数:sg.vantagepoint.uncrackable1.MainActivity$1没有 onClick() 函数。您可以通过重写 a 函数以不执行任何操作来完全取消函数调用,或者如果您想保留逻辑但只是取消显示,则应在实例化后使用Java.choose(...) API选择警报对话框并将其更改为适合您的需要 - 例如,您可以使对话窗口可取消,如下所示:

setImmediate(function() { //prevent timeout
    console.log("[*] Starting script");

    Java.perform(function() {

      var bClass = Java.use("sg.vantagepoint.uncrackable1.a");
      var oldImpl = bClass.a.implementation;
      bClass.a.implementation = function(v){
          console.log("Initial activity logic is launching");
          oldImpl(v);
          Java.choose("android.app.AlertDialog", {
              onMatch: function(instance){
                  console.log("Found an alert dialog, making it cancelable")
                  instance.setCancelable(true);
              }
              onComplete: function(){
                  console.log("Done")
              }
          })
      }

    })
})
于 2021-04-28T15:37:39.553 回答