dstmath / frida-unpack Goto Github PK

View Code? Open in Web Editor NEW

1.3K 37.0 314.0 7 KB

基于Frida的脱壳工具

License: MIT License

JavaScript 31.74% Shell 2.20% Python 66.06%

frida-unpack's Introduction

frida-unpack

基于Frida的脱壳工具

0x0 frida环境搭建

frida环境搭建，参考frida官网：frida。

0x2 原理说明

利用frida hook libart.so中的OpenMemory方法，拿到内存中dex的地址，计算出dex文件的大小，从内存中将dex导出。 ps：查看OpenMemory的导出名称，可以将手机中的libart.so通过adb pull命令导出到电脑，然后利用： nm libart.so |grep OpenMemory命令来查看到出名。其中android 10为/apex/com.android.runtime/lib/libdexfile.so方法为OpenCommon。

0x3 脚本用法

在手机上启动frida server端
执行脱壳脚本

    执行./inject.sh 要脱壳的应用的包名 OpenMemory.js

脱壳后的dex保存在/data/data/应用包名/目录下

0x4 脚本测试环境

此脚本在以下环境测试通过

android os: 7.1.2 32bit (64位可能要改OpenMemory的签名)
legu: libshella-2.8.so
360: libjiagu.so

0x5 参考链接

frida

0x06 python脚本支持

python frida_unpack.py 应用包名

0x07 相关技巧

利用c++filt命令还原C++ name managling之后的函数名

c++filt _ZN3art7DexFile10OpenMemoryEPKhjRKNSt3__112basic_stringIcNS3_11char_traitsIcEENS3_9allocatorIcEEEEjPNS_6MemMapEPKNS_10OatDexFileEPS9_

输出：
art::DexFile::OpenMemory(unsigned char const*, unsigned int, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, unsigned int, art::MemMap*, art::OatDexFile const*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >*)

frida-unpack's People

Contributors

Stargazers

Watchers

Forkers

crackercat strivemario zhanglang001 shuixi2013 android-sec01 weieast uvbs obaby tsdl2018 woozoo86 focuspadding icew4y binihao5bei leoonzhang omasko ching2018 jimmyjones97 xautzbl klase1337 antizy0 zbx91 ondreji suge mickeystone nexthacker bcsl cylee0909 s3curity-er1c vxzhong zhangkn skyun1314 zekn tigerwood nearjmp jlvsjp m8599399 widy28 kong6001 beike2020 liujianying h1d3r secice imxy bamqj raslin777 yuknight sanjingshou11 ghostrong1983 harry1080 eagle518 iiiusky liuxinfeng feilongluo yongdono ac-km exiahan markjian hello-xbugs danyplay gtchendong darkness0ut pancts 0xffc2 anyeguying n8v79a fengjixuchui rcbing greasepigm mz135135 xuedev watchet niefengxin superf0sh idone redstorm82 marstau yb1994917 barcating jackyglony q251995379 wujila musktime yuaotian haidragon ouyangtian ryanjeson xwangkai peterdocter 0xr0ot alltheend huanledeyang lgq2015 waytoinc 99kyuu xianyucoder imulmul 58563528 moojx xjl219 adamin1990

frida-unpack's Issues

百度壳报错

TypeError: cannot read property ' @readU8' of null
at [anon] (duk_hobject_props.c:2384)
at frida/runtime/core.js:369
at /repl1.js:32

360 加固的无法脱了

magic : qh
dex_size :1647731812
Error: breakpoint triggered
    at /repl1.js:23

log 如上，在脱 360 的壳其中一个重要的 dex 的提示，而且这个 dex 的 size 明显比其他的大很多，其他的最多 7 位数，这个 dex 是 10 位数

Nexus 5x 在 Android 8.1 失败

想脱乐固的，但是在 Android 8.1 下失败了，请教一下，怎么改 Memroy.js?

请问一下64位的OpenMemory签名是什么

Failed to spawn: java.lang.SecurityException: Not allowed to start activity Intent

Failed to spawn: java.lang.SecurityException: Not allowed to start activity Intent 是啥意思

It's cannot resolve the classes and methods that dynamic loaded by the Packer

Hello,thx for this tool.

But……

It's cannot resolve the classes and the methods that dynamic loaded by the Packer.So how to fix it?

小米6 Android8.0失败

系统Android 8.0 arm64，没有修改lib签名，另外请问怎么使用nm那个命令，cmd提示找不到这个命令

错误信息：Error: expected a pointer
at frida/runtime/core.js:502
at /repl1.js:32

乐固脱壳遇到问题

Usage: ./inject.sh packageName xx.js
./inject.sh[4]: frida: not found
127|root@P653N11:/data/local/tmp #，frida-server已经启动

乐加固报权限错误

... magic : dex 035 dex_size :18904 Error: failed to open file (Permission denied) at repl1.js:22

执行nm libart.so |grep OpenMemory没有过滤到任何有用信息

请教执行以上指令之后，无法过滤任何的有效信息。。应该怎么处理？手机系统是64位的。

360 和乐固都失败了

环境：Android 7.1.2，frida 11.0.13
多个 dex 提示：

magic : dex
035
dex_size :xxxxxx（这个是变化的）
Error: failed to open file (No such file or directory)
    at repl1.js:22

报错

Usage: ./inject.sh packageName xx.js
____
/ _ | Frida 15.1.14 - A world-class dynamic instrumentation toolkit
| (| |
> _ | Commands:
// |_| help -> Displays the help system
. . . . object? -> Display information about 'object'
. . . . exit/quit -> Exit
. . . .
. . . . More info at https://frida.re/docs/home/
Spawning xxxxxxx...
Spawned xxxxxx. Resuming main thread!
Error: expected a pointer
at value (frida/runtime/core.js:367)
at (/OpenMemory.js:32)
[M2102K1C::xxxxxxxxx]->

unexpectedly timed out while waiting for app to launch

app打不开

请教脱出来的dex用jadx反编译的时候出现大量的jadx.core.utils.exceptions.DecodeException: Load method exception: bogus opcode: 0073 in method

jadx反编译脱出来的dex，出现大量的下面的错误，不知道你有没有遇到过？是怎么修复的？
WARN - Ignore decode error: 'bogus opcode: 0073', replace with NOP instruction
ERROR - Method load error: com.qihoo.util.Configuration.():void
jadx.core.utils.exceptions.DecodeException: Load method exception: bogus opcode: 0073 in method: com.qihoo.util.Configuration.():void, dex:
at jadx.core.dex.nodes.MethodNode.load(MethodNode.java:116)
at jadx.core.dex.nodes.ClassNode.load(ClassNode.java:249)
at jadx.core.ProcessClass.process(ProcessClass.java:31)
at jadx.api.JadxDecompiler.processClass(JadxDecompiler.java:282)
at jadx.api.JavaClass.decompile(JavaClass.java:62)
at jadx.api.JadxDecompiler.lambda$appendSourcesSave$0(JadxDecompiler.java:200)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)

谢谢