# Using a Magisk root image && Frida example
# Rooting the Android emulator with Magisk
https://systemweakness.com/rooting-emulator-and-installing-magisk-c3cbd34ec436

Point rootAVD directly at the emulator's ramdisk.img and flash it:
```cmd
>rootAVD.bat system-images\android-35\google_apis_playstore\x86_64\ramdisk.img
```
# Starting the emulator
```cmd
C:\Users\x213212\AppData\Local\Android\Sdk\emulator>emulator.exe -avd Small_Phone_API_35 -writable-system -selinux permissive
```
After the reboot, root can be granted through Magisk.

```bash
adb shell
su
```
Seeing the # prompt means root succeeded.

# Frida
Frida is a dynamic instrumentation tool.
```bash
pip install frida frida-tools
```
Remember to add the install location to PATH, since the CLI tools live there; you can of course also drive Frida from Python.
Next, download frida-server from the Frida releases page:
https://github.com/frida/frida/releases
Conceptually it works like a gdbserver.

```bash
adb push ./frida-server-16.6.2-android-x86_64 /data/local/tmp/
```
After pushing, start it directly (from /data/local/tmp in the adb shell):

```bash
./frida-server-16.6.2-android-x86_64 &
ps
```

Now the APK can be hooked, using the frida CLI tools from the PATH set earlier:
```cmd
C:\Users\x213212\156156>frida-ls-devices
Id Type Name OS
------------- ------ --------------------- ------------------
local local Local System Windows 10.0.22631
emulator-5554 usb Android Emulator 5554 Android 15
barebone remote GDB Remote Stub
socket remote Local Socket
```
```cmd
C:\Users\x213212\156156>frida-ps -U
PID Name
---- -------------------------------------------------------------------------------------------------
4077 Chrome
1397 Google
4022 Google Play Store
4642 Magisk
2445 Messages
4329 Personal Safety
3912 Photos
997 SIM Toolkit
3962 Settings
3814 YouTube
456 adbd
187 android.hardware.atrace@1.0-service
385 android.hardware.audio.service
417 android.hardware.authsecret-service.example
786 android.hardware.biometrics.face-service.example
785 android.hardware.biometrics.fingerprint-service.ranchu
401 android.hardware.bluetooth-service.default
386 android.hardware.camera.provider.ranchu
387 android.hardware.camera.provider@2.7-service-google
422 android.hardware.cas-service.example
402 android.hardware.contexthub-service.example
441 android.hardware.drm-service.widevine
390 android.hardware.gatekeeper@1.0-service.software
866 android.hardware.gnss-service.ranchu
391 android.hardware.graphics.allocator@3.0-service.ranchu
403 android.hardware.graphics.composer3-service.ranchu
392 android.hardware.health-service.example
404 android.hardware.identity-service.example
407 android.hardware.lights-service.example
393 android.hardware.media.c2@1.0-service-goldfish
432 android.hardware.neuralnetworks-service-sample-all
434 android.hardware.neuralnetworks-service-sample-limited
437 android.hardware.neuralnetworks-shim-service-sample
408 android.hardware.power-service.example
409 android.hardware.power.stats-service.example
440 android.hardware.rebootescrow-service.default
190 android.hardware.security.keymint-service
397 android.hardware.sensors-service.multihal
398 android.hardware.thermal@2.0-service.mock
399 android.hardware.usb-service.example
411 android.hardware.vibrator-service.example
400 android.hardware.wifi-service
384 android.hidl.allocator@1.0-service
1607 android.process.acore
2409 android.process.media
185 android.system.suspend-service
1399 artd
442 audioserver
486 bt_vhci_forwarder
487 cameraserver
4147 com.android.chrome:privileged_process0
4258 com.android.chrome:sandboxed_process0:org.chromium.content.app.SandboxedProcessService0:0
3157 com.android.chrome_zygote
1449 com.android.emulator.multidisplay
3881 com.android.externalstorage
920 com.android.networkstack.process
4060 com.android.providers.calendar
981 com.android.se
832 com.android.systemui
4328 com.android.traceur
4153 com.android.vending
2818 com.google.android.adservices.api
1410 com.google.android.apps.messaging:rcs
1131 com.google.android.apps.nexuslauncher
2162 com.google.android.apps.wallpaper
1313 com.google.android.apps.wellbeing
1378 com.google.android.as
1932 com.google.android.as.oss
951 com.google.android.bluetooth
4353 com.google.android.cellbroadcastreceiver
1022 com.google.android.ext.services
1559 com.google.android.gms
1086 com.google.android.gms.persistent
4355 com.google.android.gms.ui
3255 com.google.android.gms.unstable
1583 com.google.android.googlequicksearchbox:search
4397 com.google.android.healthconnect.controller
1291 com.google.android.inputmethod.latin
4418 com.google.android.marvin.talkback
3613 com.google.android.partnersetup
2041 com.google.android.permissioncontroller
1368 com.google.android.providers.media.module
3656 com.google.android.rkpdapp
3997 com.google.android.settings.intelligence
2770 com.google.android.webview:sandboxed_process0:org.chromium.content.app.SandboxedProcessService0:0
4675 com.topjohnwu.magisk:root:0
443 credstore
370 dhcpclient
474 drmserver
5108 frida-server-16.6.2-android-x86_64
506 gatekeeperd
444 gpuservice
163 hwservicemanager
490 incidentd
1 init
92 init
491 installd
395 ip6tables-restore
394 iptables-restore
186 keystore2
4672 libbusybox.so
498 libgoldfish-rild
161 lmkd
571 logcat
5110 logcat
155 logd
352 magiskd
472 mdnsd
492 media.extractor
493 media.metrics
501 media.swcodec
495 mediaserver
376 netd
153 prng_seeder
167 qemu-props
162 servicemanager
3422 sh
3495 sh
375 statsd
496 storaged
3491 su
4663 su
446 surfaceflinger
588 system_server
218 tombstoned
476 traced
475 traced_probes
93 ueventd
177 vold
879 webview_zygote
497 wificond
819 wpa_supplicant
377 zygote64
C:\Users\x213212\156156>frida-ps -U
```
Now open the project from earlier.

# jadx decompiler
https://github.com/skylot/jadx/releases/tag/v1.5.1
Build the project into an APK and decompile it to have a look:

```
C:\Users\x213212\AndroidStudioProjects\secchat\app\build\outputs\apk\debug
```

Without any packer applied it should be easy to read.


Find InputActivity.


Frida attaches in one of two ways: via LD_PRELOAD or via ptrace. Android runs an APK by having Zygote fork a process that loads the APK's dex files, which is what lets the Java app run.
https://segmentfault.com/a/1190000023185691
Attach directly to the process we just started:
```bash
frida -U -n secchat
```
```javascript
// hook.js
Java.perform(() => {
    console.log("Script loaded successfully!");

    // Hook InputActivity
    const InputActivity = Java.use('com.example.secchat.InputActivity');

    // Hook onCreate to set a default title
    InputActivity.onCreate.overload('android.os.Bundle').implementation = function (savedInstanceState) {
        console.log("Hooked InputActivity.onCreate");
        // Call the original method first
        this.onCreate(savedInstanceState);

        // Make sure binding has been initialised
        const binding = this.binding.value;
        if (binding == null) {
            console.log("binding is null");
            return;
        }

        // Set the default value of etTitle
        const etTitle = binding.etTitle.value;
        etTitle.setText("Hello Frida");
        console.log("Set default title to 'Hello Frida'");
    };

    // Hook submitTitle to print the title and user ID
    InputActivity.submitTitle.overload('com.example.secchat.TitleEntryRequest').implementation = function (titleRequest) {
        const title = titleRequest.getTitle();
        const userId = titleRequest.getUser_id();
        console.log(`Intercepted submitTitle: Title = ${title}, UserID = ${userId}`);
        // Call the original method
        this.submitTitle(titleRequest);
    };
});
```
Load hook.js in the frida REPL:
```
% load hook.js
```
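As an added example (not part of the original notes), the same hooks driven from the frida Python bindings mentioned earlier instead of the REPL: the hook script is generated from the class and method signatures, and calls are reported back through `send()` rather than `console.log`. It assumes frida-server is already running on the emulator as set up above and that the target process is named `secchat` as on this page.

```python
import sys

# Per-method hook: report the call through send() (structured) and call the original.
METHOD_HOOK = """
  Target.{method}.overload({sig}).implementation = function (...args) {{
    // send() hands a JSON message to the Python side instead of console.log
    send({{ hook: '{cls}.{method}', args: args.map(a => String(a)) }});
    return this.{method}(...args);
  }};
"""

def build_hook_script(cls, methods):
    """Generate a Frida JS script hooking `methods` ({name: [param types]}) on `cls`."""
    hooks = "".join(
        METHOD_HOOK.format(cls=cls, method=name, sig=", ".join(repr(t) for t in types))
        for name, types in methods.items()
    )
    return "Java.perform(() => {{\n  const Target = Java.use('{cls}');{hooks}}});\n".format(
        cls=cls, hooks=hooks)

def parse_message(message):
    """Turn one message from the script into a log line."""
    if message.get("type") == "send":
        payload = message["payload"]
        return "[hook] {}({})".format(payload["hook"], ", ".join(payload["args"]))
    if message.get("type") == "error":  # uncaught JS exception inside a hook
        return "[error] {}".format(message.get("description", ""))
    return "[{}]".format(message.get("type"))

def main(process_name="secchat"):
    import frida  # imported here so the helpers above work without a device attached
    device = frida.get_usb_device(timeout=5)   # the emulator shows up as a USB device
    session = device.attach(process_name)      # equivalent of `frida -U -n secchat`
    script = session.create_script(build_hook_script(
        "com.example.secchat.InputActivity",
        {"onCreate": ["android.os.Bundle"],
         "submitTitle": ["com.example.secchat.TitleEntryRequest"]},
    ))
    script.on("message", lambda msg, _data: print(parse_message(msg)))
    script.load()
    print("hooks installed; press Ctrl-C to detach")
    sys.stdin.read()                           # keep the session alive

if __name__ == "__main__":
    main()
```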
You can now see the interception working.
Trying it a few more times may crash the app.
Upgrading to a newer version doesn't seem to fix it either; it may be necessary to downgrade the API SDK and test again.

Downgrading to API 34 (Android 14) confirmed that this code does not crash.

