/*
* raptor_frida_android_trace.js - Code tracer for Android
* Copyright (c) 2017 Marco Ivaldi <[email protected]>
*
* Frida.re JS script to trace arbitrary Java Methods and
* Module functions for debugging and reverse engineering.
* See https://www.frida.re/ and https://codeshare.frida.re/
* for further information on this powerful tool.
*
* "We want to help others achieve interop through reverse
* engineering" -- @oleavr
*
* Many thanks to @inode-, @federicodotta, @leonjza, and
* @dankluev.
*
* Example usage:
* # frida -U -f com.target.app -l raptor_frida_android_trace.js --no-pause
*
* Get the latest version at:
* https://github.com/0xdea/frida-scripts/
*/
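// WeChat official account: 逆向APP
// Shared log buffer: every entry / argument / return-value / exit line that the
// tracer prints is also appended here, so gainLogPrefix() and
// gainLogPrefix_Module() can derive the nesting depth of the next line from
// what was printed before it. Grows for the lifetime of the session.
var logContentArray = [];
// One indentation step per call-depth level in the printed trace.
var singlePrefix = "|----";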
// generic trace
// Dispatches a trace request by pattern shape:
//  - a pattern containing "!" (e.g. "exports:*!open*") is resolved against
//    loaded modules with ApiResolver and every match is hooked natively;
//  - anything else is first matched against the names of loaded Java classes
//    (String.prototype.match, so a string pattern is treated as a regular
//    expression and "." matches any character) and each hit gets all of its
//    declared methods hooked;
//  - only if no class matched is the pattern treated as a fully-qualified
//    "pkg.Class.method" name.
// @param {string|RegExp} pattern class/method name, class-name regex or module export pattern
function trace(pattern)
{
    var isModulePattern = pattern.toString().indexOf("!") !== -1;
    if (isModulePattern) {
        // trace Module: resolve matching exports, drop duplicates, hook each one
        var resolver = new ApiResolver("module");
        var resolved = uniqBy(resolver.enumerateMatchesSync(pattern), JSON.stringify);
        resolved.forEach(function(entry) {
            traceModule(entry.address, entry.name);
        });
        return;
    }

    // trace Java Class: hook every loaded class whose name matches the pattern
    var matchedClass = false;
    Java.enumerateLoadedClasses({
        onMatch: function(className) {
            if (className.match(pattern) != null) {
                matchedClass = true;
                traceClass(className);
            }
        },
        onComplete: function() {}
    });
    if (matchedClass) {
        return;
    }

    // trace Java Method: nothing matched as a class, so read it as "class.method"
    try {
        console.log('trace---method---'+pattern.toString());
        traceMethod(pattern);
    }
    catch(err) { // catch non existing classes/methods
        console.error(err);
    }
}
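// find and trace all methods declared in a Java Class
// Hooks every method declared directly on targetClass. Only the class's own
// methods are covered: getDeclaredMethods() does not return inherited ones.
// @param {string} targetClass fully-qualified Java class name
function traceClass(targetClass)
{
    var hook = Java.use(targetClass);
    var methods = hook.class.getDeclaredMethods();
    // $dispose is a method; the bare property read `hook.$dispose;` used before
    // released nothing.
    hook.$dispose();

    // traceMethod() expects a "class.method" string, not a Method object.
    // Ask reflection for the name directly: parsing Method.toString() with a
    // regex broke for methods whose return or parameter type is the class
    // itself (the class name then appears more than once in the description).
    var parsedMethods = [];
    methods.forEach(function(method) {
        parsedMethods.push(method.getName());
    });

    // Overloads yield the same name several times; hook each name once and let
    // traceMethod() iterate the overloads.
    var targets = uniqBy(parsedMethods, JSON.stringify);
    targets.forEach(function(targetMethod) {
        try {
            traceMethod(targetClass + "." + targetMethod);
        }
        catch(err) { // one unhookable method must not abort the rest of the class
            console.error(err);
        }
    });
}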
// trace a specific Java Method
// Hooks every overload of "pkg.Class.method". Each call logs an entry line,
// one line per argument, the return value and an exit line, all indented by
// the current call depth taken from logContentArray. The original
// implementation is invoked with the untouched arguments and its result is
// returned unchanged.
// @param {string} targetClassMethod fully-qualified "class.method" string;
//   a value without a "." is ignored
function traceMethod(targetClassMethod)
{
    var delim = targetClassMethod.lastIndexOf(".");
    if (delim === -1) return;

    // Everything before the last "." is the class, what follows is the method.
    var targetClass = targetClassMethod.slice(0, delim);
    var targetMethod = targetClassMethod.slice(delim + 1);

    var hook = Java.use(targetClass);
    var overloads = hook[targetMethod].overloads;
    console.log("Tracing " + targetClassMethod + " [" + overloads.length + " overload(s)]");

    overloads.forEach(function(overload) {
        // Must remain a classic function: Frida binds `this` to the instance
        // and the call's parameters arrive through `arguments`.
        overload.implementation = function() {
            var self = this;
            var prefixStr = gainLogPrefix(logContentArray);

            var enterLine = prefixStr + "entered--" + targetClassMethod;
            logContentArray.push(enterLine);
            console.warn(enterLine);

            // one line per argument, same prefix as the entry line
            Array.prototype.forEach.call(arguments, function(arg, j) {
                var argLine = prefixStr + "arg[" + j + "]: " + arg;
                console.log(argLine);
                logContentArray.push(argLine);
            });

            // call through to the real implementation
            var retval = self[targetMethod].apply(self, arguments); // rare crash (Frida bug?)

            var retLine = prefixStr + "retval: " + retval;
            logContentArray.push(retLine);
            console.log(retLine);

            var exitLine = prefixStr + "exiting--" + targetClassMethod;
            logContentArray.push(exitLine);
            console.warn(exitLine);

            return retval;
        };
    });
}
// Derive the indentation prefix for the next log line from the most recent
// entry/exit marker in theArray, scanning backwards:
//  - after an "entered--" line: one level deeper than that line's prefix
//  - after an "exiting--" line: the same level as that line's prefix
//  - lines carrying neither marker (arguments, return values) are skipped
// @param {string[]} theArray log lines written so far (normally logContentArray)
// @returns {string} singlePrefix for an empty buffer, "" if no marker is found
function gainLogPrefix(theArray)
{
    if (theArray.length === 0) {
        return singlePrefix;
    }

    var ENTER_MARK = "entered--";
    var EXIT_MARK = "exiting--";

    for (var i = theArray.length - 1; i >= 0; i--) {
        var line = theArray[i];

        var enterAt = line.indexOf(ENTER_MARK);
        if (enterAt !== -1) {
            // inside the previous method: nest one level under its prefix
            return singlePrefix + line.slice(0, enterAt);
        }

        var exitAt = line.indexOf(EXIT_MARK);
        if (exitAt !== -1) {
            // sibling of the method that just exited: reuse its prefix
            return line.slice(0, exitAt);
        }
    }
    return "";
}
// Module-tracer variant of gainLogPrefix(): the same backwards walk over
// theArray, except that an "entered--" line only nests the new line one level
// deeper when it also contains `status`; otherwise the new line shares its
// prefix. traceModule() passes "entered--" on enter (always nest) and a
// sentinel string that never occurs on leave (never nest, so the retval and
// exit lines sit level with their entry line).
// @param {string[]} theArray log lines written so far (normally logContentArray)
// @param {string} status substring an "entered--" line must contain to nest under it
// @returns {string} singlePrefix for an empty buffer, "" if no marker is found
function gainLogPrefix_Module(theArray,status)
{
    if (theArray.length === 0) {
        return singlePrefix;
    }

    for (var i = theArray.length - 1; i >= 0; i--) {
        var line = theArray[i];

        var enterAt = line.indexOf("entered--");
        if (enterAt !== -1) {
            var base = line.slice(0, enterAt);
            // `status` absent: same level as the previous output
            // `status` present: one level inside the previous method
            return line.indexOf(status) === -1 ? base : singlePrefix + base;
        }

        var exitAt = line.indexOf("exiting--");
        if (exitAt !== -1) {
            // same level as the method that just exited
            return line.slice(0, exitAt);
        }
    }
    return "";
}
// trace Module functions
// Attaches to one native export and logs entry, return value and exit with
// the shared call-depth prefix. The per-call filter on `this.flag` is kept as
// a commented template; as written every call is logged.
// @param {NativePointer} impl address of the function to hook
// @param {string} name human-readable name used in the log lines
function traceModule(impl, name)
{
    console.log("Tracing " + name);
    Interceptor.attach(impl, {
        onEnter: function(args) {
            // debug only the intended calls: derive this.flag from args, e.g.
            // var filename = Memory.readCString(ptr(args[0]));
            // if (filename.indexOf("XYZ") === -1 && filename.indexOf("ZYX") === -1) // exclusion list
            // if (filename.indexOf("my.interesting.file") !== -1) // inclusion list
            this.flag = true;
            if (!this.flag) {
                return;
            }
            // status "entered--": nest under the most recent entry line
            var prefixStr = gainLogPrefix_Module(logContentArray,"entered--");
            var enterLine = prefixStr + "entered--" + name;
            logContentArray.push(enterLine);
            console.warn(enterLine);
            // backtrace, if wanted:
            // console.log("\nBacktrace:\n" + Thread.backtrace(this.context, Backtracer.ACCURATE).map(DebugSymbol.fromAddress).join("\n"));
        },
        onLeave: function(retval) {
            if (!this.flag) {
                return;
            }
            // sentinel status never matches, so these lines stay level with the entry line
            var prefixStr = gainLogPrefix_Module(logContentArray,"non6soidjs3kejf6sle8ifsjie");
            var lines = [
                prefixStr + "retval:" + retval,
                prefixStr + "exiting--" + name
            ];
            lines.forEach(function(line) {
                logContentArray.push(line);
                console.warn(line);
            });
        }
    });
}
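// remove duplicates from array
// Keeps the first element for each distinct key(item); input order is preserved
// and the input array is not modified.
// @param {Array} array elements to dedupe
// @param {function(*): string} key maps an element to its dedupe key
// @returns {Array} new array with later duplicates removed
function uniqBy(array, key)
{
    // Null-prototype dictionary: with a plain {} a key such as "hasOwnProperty"
    // or "__proto__" collides with Object.prototype members (the previous
    // seen.hasOwnProperty(k) call threw once that key had been stored).
    var seen = Object.create(null);
    return array.filter(function(item) {
        var k = key(item);
        if (k in seen) {
            return false;
        }
        seen[k] = true;
        return true;
    });
}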
// usage examples
// Deferred with setImmediate so the app's classes are loaded before they are
// looked up (avoids java.lang.ClassNotFoundException); Java.perform() runs the
// callback attached to the VM.
var tracePatterns = [
    "com.stardust.autojs.engine.encryption.ScriptEncryption"
    // "com.test.flyer.MainActivity.gainAge",   // single method
    // "com.target.utils.CryptoUtils.decrypt",  // single method
    // "com.target.utils.CryptoUtils",          // whole class
    // "CryptoUtils",                           // regex over loaded class names
    // /crypto/i,
    // "exports:*!open*"                        // module export pattern
];
setImmediate(function() {
    Java.perform(function() {
        tracePatterns.forEach(function(pattern) {
            trace(pattern);
        });
    });
}, 0);