FRIDA Cheat Sheet
pyozzi
2020. 3. 2. 06:32
메모리 스캔 및 검색
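/**
 * Scan every readable memory range of the current process for a byte pattern
 * and print a 32-byte hexdump at each hit.
 *
 * Memory.scan() is asynchronous, so ranges are walked one at a time: the next
 * range is only started from the previous scan's onComplete callback.
 *
 * @param {string} [pattern] Frida byte-pattern string (space-separated hex
 *   bytes). Defaults to "70 79 30 7a 7a 31", the ASCII bytes of "py0zz1", which
 *   is what the original hard-coded; pass your own pattern to search for it.
 */
function Memory_scan(pattern) {
  if (pattern === undefined) {
    pattern = "70 79 30 7a 7a 31"; // py0zz1
  }
  // 'r--' matches every range that is at least readable; coalesce merges
  // adjacent ranges with the same protection into one entry.
  var ranges = Process.enumerateRangesSync({ protection: 'r--', coalesce: true });

  // Pops one range and scans it; recurses via onComplete until none are left.
  function Next_Range() {
    var range = ranges.pop();
    if (!range) {
      console.log("Memory Scan Done!");
      return;
    }
    Memory.scan(range.base, range.size, pattern, {
      onMatch: function (address, size) {
        console.log("[*] Pattern Found at: " + address.toString());
        console.log(hexdump(address, {
          offset: 0,
          length: 32
        }));
        console.log("");
      },
      onError: function (reason) {
        // A range listed as readable can still fault (see the access
        // violations in the sample output); the rest of that range is skipped,
        // and judging by that output onComplete still fires so the walk goes on.
        console.log("[!] Error Scanning Memory - " + reason);
      },
      onComplete: function () {
        Next_Range();
      }
    });
  }
  Next_Range();
}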
Memory.scan( )의 3번째 인자 "70 79 30 7a 7a 31"을 검색할 내용으로 바꿔서 사용하면 된다.
아래는 결과 예시이다.
결과
"""
[!] Error Scanning Memory - access violation accessing 0x75e3ef2000
[*] Pattern Found at: 0x755ab0b9e7
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
755ab0b9e7 70 79 30 7a 7a 31 01 70 91 9f 17 cd 00 00 00 00 py0zz1.p........
755ab0b9f7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[*] Pattern Found at: 0x755aba05e7
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
755aba05e7 70 79 30 7a 7a 31 38 04 03 0d 01 37 04 03 0d 01 py0zz18....7....
755aba05f7 36 04 03 0d 01 35 04 03 0d 01 34 04 03 0d 01 33 6....5....4....3
[*] Pattern Found at: 0x7557df2942
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
7557df2942 70 79 30 7a 7a 31 20 63 6f 6e 76 65 72 73 61 74 py0zz1 conversat
7557df2952 69 6f 6e 54 79 70 65 20 3d 20 30 20 74 61 72 67 ionType = 0 targ
[*] Pattern Found at: 0x754ada04e4
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
754ada04e4 70 79 30 7a 7a 31 20 63 6f 6e 76 65 72 73 61 74 py0zz1 conversat
754ada04f4 69 6f 6e 54 79 70 65 20 3d 20 30 20 74 61 72 67 ionType = 0 targ
[!] Error Scanning Memory - access violation accessing 0x7549694000
[*] Pattern Found at: 0x7544c1d06d
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
7544c1d06d 70 79 30 7a 7a 31 01 70 91 9f 17 cd 00 00 00 00 py0zz1.p........
7544c1d07d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[*] Pattern Found at: 0x7544c2f75d
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
7544c2f75d 70 79 30 7a 7a 31 01 70 91 9f 17 cd 81 63 37 2e py0zz1.p.....c7.
7544c2f76d 00 2b 2b 01 08 2b 25 08 01 08 09 0d 05 08 08 08 .++..+%.........
[!] Error Scanning Memory - access violation accessing 0x75448f9000
[*] Pattern Found at: 0x753d0806f4
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
753d0806f4 70 79 30 7a 7a 31 00 00 00 00 28 02 01 92 7c f4 py0zz1....(...|.
753d080704 a3 00 84 00 00 41 7c f4 a3 00 84 00 00 01 00 01 .....A|.........
[*] Pattern Found at: 0x753bd618bc
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
753bd618bc 70 79 30 7a 7a 31 00 00 00 00 28 02 01 92 7c f4 py0zz1....(...|.
753bd618cc a3 00 84 00 00 41 7c f4 a3 00 84 00 00 01 00 01 .....A|.........
[*] Pattern Found at: 0x7539923f08
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
7539923f08 70 79 30 7a 7a 31 00 00 4b 52 00 01 75 00 00 00 py0zz1..KR..u...
7539923f18 70 79 30 7a 7a 31 00 00 33 00 d4 c6 01 00 00 00 py0zz1..3.......
[*] Pattern Found at: 0x7539923f18
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
7539923f18 70 79 30 7a 7a 31 00 00 33 00 d4 c6 01 00 00 00 py0zz1..3.......
7539923f28 30 00 04 44 75 00 00 00 30 00 0b 44 75 00 00 00 0..Du...0..Du...
[!] Error Scanning Memory - access violation accessing 0xbefff000
[!] Error Scanning Memory - access violation accessing 0xbeff3000
[!] Error Scanning Memory - access violation accessing 0xbefeb000
[!] Error Scanning Memory - access violation accessing 0xbefdf000
[!] Error Scanning Memory - access violation accessing 0xbefd3000
[!] Error Scanning Memory - access violation accessing 0xbefc4000
[!] Error Scanning Memory - access violation accessing 0xbef5b000
[!] Error Scanning Memory - access violation accessing 0xbef23000
[!] Error Scanning Memory - access violation accessing 0xbef17000
[!] Error Scanning Memory - access violation accessing 0xbeef3000
[!] Error Scanning Memory - access violation accessing 0xbeee4000
[!] Error Scanning Memory - access violation accessing 0xbeec7000
[!] Error Scanning Memory - access violation accessing 0xbee64000
[!] Error Scanning Memory - access violation accessing 0xbee1a000
[!] Error Scanning Memory - access violation accessing 0xbee14000
[!] Error Scanning Memory - access violation accessing 0xbed44000
[!] Error Scanning Memory - access violation accessing 0xbed23000
[!] Error Scanning Memory - access violation accessing 0xbed06000
[!] Error Scanning Memory - access violation accessing 0xbecdb000
[!] Error Scanning Memory - access violation accessing 0xbecb3000
[!] Error Scanning Memory - access violation accessing 0xbecab000
[!] Error Scanning Memory - access violation accessing 0xbec97000
[!] Error Scanning Memory - access violation accessing 0xbebdf000
[!] Error Scanning Memory - access violation accessing 0xbebd3000
[!] Error Scanning Memory - access violation accessing 0xbebbf000
[!] Error Scanning Memory - access violation accessing 0xbebb3000
[!] Error Scanning Memory - access violation accessing 0xbeb9f000
[!] Error Scanning Memory - access violation accessing 0xbeb93000
[!] Error Scanning Memory - access violation accessing 0xbeb7f000
[!] Error Scanning Memory - access violation accessing 0xbeb5f000
[!] Error Scanning Memory - access violation accessing 0xbeaef000
[!] Error Scanning Memory - access violation accessing 0xbeae3000
[!] Error Scanning Memory - access violation accessing 0xbeacf000
[!] Error Scanning Memory - access violation accessing 0xbeac3000
[!] Error Scanning Memory - access violation accessing 0xbeaaf000
[!] Error Scanning Memory - access violation accessing 0xbeaa3000
[!] Error Scanning Memory - access violation accessing 0xbea83000
[!] Error Scanning Memory - access violation accessing 0xbea6f000
[!] Error Scanning Memory - access violation accessing 0xbea03000
[!] Error Scanning Memory - access violation accessing 0xbe9c3000
[!] Error Scanning Memory - access violation accessing 0xbe9af000
[!] Error Scanning Memory - access violation accessing 0xbe994000
[!] Error Scanning Memory - access violation accessing 0xbe988000
[!] Error Scanning Memory - access violation accessing 0xbe980000
[!] Error Scanning Memory - access violation accessing 0xbe96c000
[!] Error Scanning Memory - access violation accessing 0xbe960000
[!] Error Scanning Memory - access violation accessing 0xbe94c000
[!] Error Scanning Memory - access violation accessing 0xbe940000
[!] Error Scanning Memory - access violation accessing 0xbe92c000
[!] Error Scanning Memory - access violation accessing 0xbe920000
[!] Error Scanning Memory - access violation accessing 0xbe90c000
[!] Error Scanning Memory - access violation accessing 0xbe900000
[!] Error Scanning Memory - access violation accessing 0xbe8ec000
[!] Error Scanning Memory - access violation accessing 0xbe8e0000
[!] Error Scanning Memory - access violation accessing 0xbe81c000
[!] Error Scanning Memory - access violation accessing 0xbe810000
[!] Error Scanning Memory - access violation accessing 0xbe7fc000
[!] Error Scanning Memory - access violation accessing 0xbe7f0000
[!] Error Scanning Memory - access violation accessing 0xbe5f0000
[!] Error Scanning Memory - access violation accessing 0xbe5cc000
[!] Error Scanning Memory - access violation accessing 0xbe5c0000
[!] Error Scanning Memory - access violation accessing 0xbe59c000
[!] Error Scanning Memory - access violation accessing 0xbe590000
[!] Error Scanning Memory - access violation accessing 0xbe570000
[!] Error Scanning Memory - access violation accessing 0xbe520000
[!] Error Scanning Memory - access violation accessing 0xbe4d0000
[!] Error Scanning Memory - access violation accessing 0xbe4b0000
[!] Error Scanning Memory - access violation accessing 0xbe490000
[!] Error Scanning Memory - access violation accessing 0xbe470000
[!] Error Scanning Memory - access violation accessing 0xbe450000
[!] Error Scanning Memory - access violation accessing 0xbe420000
[!] Error Scanning Memory - access violation accessing 0xbe400000
[!] Error Scanning Memory - access violation accessing 0xbe3ec000
[!] Error Scanning Memory - access violation accessing 0xbe3d0000
[!] Error Scanning Memory - access violation accessing 0xbdef0000
[!] Error Scanning Memory - access violation accessing 0xbdea0000
[!] Error Scanning Memory - access violation accessing 0xbde80000
[!] Error Scanning Memory - access violation accessing 0xbde60000
[!] Error Scanning Memory - access violation accessing 0xbde40000
[!] Error Scanning Memory - access violation accessing 0xbde20000
[!] Error Scanning Memory - access violation accessing 0xbde00000
[!] Error Scanning Memory - access violation accessing 0xbdde8000
[!] Error Scanning Memory - access violation accessing 0xbdd40000
[!] Error Scanning Memory - access violation accessing 0xbdd20000
[!] Error Scanning Memory - access violation accessing 0xbdcf0000
[!] Error Scanning Memory - access violation accessing 0xbdcd0000
[!] Error Scanning Memory - access violation accessing 0xbdcb0000
[!] Error Scanning Memory - access violation accessing 0xbdc90000
[!] Error Scanning Memory - access violation accessing 0xbdc70000
[!] Error Scanning Memory - access violation accessing 0xbdc50000
[!] Error Scanning Memory - access violation accessing 0xbdbf0000
[!] Error Scanning Memory - access violation accessing 0xbdbc0000
[!] Error Scanning Memory - access violation accessing 0xbdb30000
[!] Error Scanning Memory - access violation accessing 0xbdb00000
[!] Error Scanning Memory - access violation accessing 0xbdad0000
[!] Error Scanning Memory - access violation accessing 0xbd8f0000
[!] Error Scanning Memory - access violation accessing 0xbd8d0000
[!] Error Scanning Memory - access violation accessing 0xbd8b0000
[!] Error Scanning Memory - access violation accessing 0xbd890000
[!] Error Scanning Memory - access violation accessing 0xbd7e4000
[*] Pattern Found at: 0x13408920
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
13408920 70 79 30 7a 7a 31 00 00 88 8e 26 13 00 00 00 00 py0zz1....&.....
13408930 02 00 00 00 b8 e8 7c 13 b8 d4 6f 13 00 00 00 00 ......|...o.....
[*] Pattern Found at: 0x13408b80
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
13408b80 70 79 30 7a 7a 31 00 00 b8 83 3c 70 00 00 00 00 py0zz1....<p....
13408b90 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[*] Pattern Found at: 0x13408c50
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
13408c50 70 79 30 7a 7a 31 00 00 48 5c 6d 13 00 00 00 00 py0zz1..H\m.....
13408c60 00 00 00 00 00 00 00 00 78 1d 6d 13 00 00 00 00 ........x.m.....
[*] Pattern Found at: 0x1340d820
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
1340d820 70 79 30 7a 7a 31 00 00 60 0c 02 70 00 00 00 00 py0zz1..`..p....
1340d830 08 00 00 00 00 00 00 00 57 49 46 49 00 00 00 00 ........WIFI....
[*] Pattern Found at: 0x1340da70
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
1340da70 70 79 30 7a 7a 31 00 00 28 15 02 70 00 00 00 00 py0zz1..(..p....
1340da80 00 00 00 00 08 0c 43 70 00 00 00 00 00 00 00 00 ......Cp........
[*] Pattern Found at: 0x1340dc08
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
1340dc08 70 79 30 7a 7a 31 00 00 40 de fc 6f 00 00 00 00 py0zz1..@..o....
1340dc18 f8 db 40 13 98 dc 40 13 88 dc 40 13 f8 db 40 13 ..@...@...@...@.
[*] Pattern Found at: 0x1340df50
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
1340df50 70 79 30 7a 7a 31 00 00 48 5c 6d 13 00 00 00 00 py0zz1..H\m.....
1340df60 00 00 00 00 00 00 00 00 60 1e 6d 13 00 00 00 00 ........`.m.....
[*] Pattern Found at: 0x13414596
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
13414596 70 79 30 7a 7a 31 00 00 00 00 68 a7 04 70 00 00 py0zz1....h..p..
134145a6 00 00 e8 46 41 13 91 00 00 00 70 6b 02 70 00 00 ...FA.....pk.p..
[*] Pattern Found at: 0x1341496e
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
1341496e 70 79 30 7a 7a 31 20 63 6f 6e 76 65 72 73 61 74 py0zz1 conversat
1341497e 69 6f 6e 54 79 70 65 20 3d 20 30 00 00 00 00 00 ionType = 0.....
[*] Pattern Found at: 0x13414dde
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
13414dde 70 79 30 7a 7a 31 20 63 6f 6e 76 65 72 73 61 74 py0zz1 conversat
13414dee 69 6f 6e 54 79 70 65 20 3d 20 30 20 74 61 72 67 ionType = 0 targ
[*] Pattern Found at: 0x1341506f
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
1341506f 70 79 30 7a 7a 31 20 63 6f 6e 76 65 72 73 61 74 py0zz1 conversat
1341507f 69 6f 6e 54 79 70 65 20 3d 20 30 20 74 61 72 67 ionType = 0 targ
[*] Pattern Found at: 0x13415359
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
13415359 70 79 30 7a 7a 31 20 63 6f 6e 76 65 72 73 61 74 py0zz1 conversat
13415369 69 6f 6e 54 79 70 65 20 3d 20 30 20 74 61 72 67 ionType = 0 targ
[*] Pattern Found at: 0x13416124
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
13416124 70 79 30 7a 7a 31 00 00 00 00 00 00 10 9a 05 70 py0zz1.........p
13416134 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ................
[*] Pattern Found at: 0x13419b2c
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
13419b2c 70 79 30 7a 7a 31 00 00 00 00 00 00 b0 70 02 70 py0zz1.......p.p
13419b3c 00 00 00 00 45 00 00 00 01 01 01 01 01 01 01 01 ....E...........
[*] Pattern Found at: 0x13419e98
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
13419e98 70 79 30 7a 7a 31 00 00 d0 aa 52 70 00 00 00 00 py0zz1....Rp....
13419ea8 10 32 3d 70 00 32 3d 70 88 9e 41 13 00 00 00 00 .2=p.2=p..A.....
[*] Pattern Found at: 0x1348fdbc
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
1348fdbc 70 79 30 7a 7a 31 00 00 00 00 00 00 b0 70 02 70 py0zz1.......p.p
1348fdcc 00 00 00 00 45 00 00 00 01 01 01 01 01 01 01 01 ....E...........
[*] Pattern Found at: 0x13490128
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
13490128 70 79 30 7a 7a 31 00 00 d0 aa 52 70 00 00 00 00 py0zz1....Rp....
13490138 10 32 3d 70 00 32 3d 70 18 01 49 13 00 00 00 00 .2=p.2=p..I.....
DONE!
"""
Boolean 값 생성
// Build a java.lang.Boolean holding `true`: Java.use() returns the class wrapper,
// $new() invokes its constructor.
Java.use("java.lang.Boolean").$new(true)
Class 인스턴스 생성 및 Method 호출
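// Instantiate a Java class and call two of its methods on the app's main thread.
// com.PackageName.MainActivity / myMethod1 / myMethod2 stand in for the real names.
Java.perform(function () {
  // `var` keeps the wrapper local to this callback; the original assigned an
  // implicit global (a ReferenceError under strict mode).
  var MainActivity = Java.use("com.PackageName.MainActivity");
  Java.scheduleOnMainThread(function () {
    // NOTE(review): $new() on an Activity gives an object the framework never
    // initialised (no Context); fine for the example, verify before relying on it.
    var instance = MainActivity.$new();
    console.log(instance.myMethod1("a", "b"));
    console.log(instance.myMethod2("f"));
  });
});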
ByteArray 출력
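// Print a Java byte[] (seen from JS as an array of numbers) as a string.
// `bytearray` is expected to already be in scope, e.g. a hooked method's argument.
var data = "";
for (var i = 0; i < bytearray.length; i++) {
  // Java bytes are signed (-128..127); mask to 0..255 so fromCharCode receives
  // the raw byte instead of a wrapped-around UTF-16 code unit. Each byte becomes
  // one character, so multi-byte UTF-8 text will not render correctly here.
  data += String.fromCharCode(bytearray[i] & 0xff);
}
console.log("DATA: " + data);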
Native 함수 NOP 처리
예시) NOP처리할 타겟 함수
// Target Function Example
/* Returns 0 when id + signature equals the expected `check` value;
 * otherwise reports the failure via invalid_check() and returns 1. */
int get_hacked(int id, int signature)
{
    if (id + signature == check)
        return 0;

    invalid_check();
    return 1;
}
위와 같은 타겟 함수가 있다고 했을 때,
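// Hooking Script
// Resolve the function itself: Module.getBaseAddress() returns the start of
// libfoo.so (its ELF header), not get_hacked(), so a hook placed there never
// reaches the target. For a non-exported function use
// Module.getBaseAddress("libfoo.so").add(OFFSET_OF_GET_HACKED) instead.
var target = Module.findExportByName("libfoo.so", "get_hacked");
// NativeCallback(fn, returnType, argTypes): 'int' is get_hacked's return type,
// ['int','int'] the types of its (id, signature) parameters.
Interceptor.replace(target, new NativeCallback(function (id, signature) {
  console.log("[*] target() Hook (NOP!)");
  // The original's success path returns 0; say so explicitly instead of
  // leaving the 'int' return value to whatever undefined converts to.
  return 0;
}, 'int', ['int', 'int']));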
해당 함수를 아무런 동작 없이 끝나도록 한다. (NOP)
replace( )의 3번째 인자 'int'는 타겟 함수의 반환 타입, 4번째 인자 ['int','int']는 타겟 함수의 인자 타입을 정의한다.
Native 함수 인자값 및 반환값 조작
// Tamper with the second argument on entry and with the return value on exit.
Interceptor.attach(target, {
  onLeave: function (retval) {
    retval.replace(830); // force the integer return value to 830
  },
  onEnter: function (args) {
    // args[] holds NativePointers, so the integer 100 is written via ptr("100")
    // (a string without a 0x prefix is parsed as decimal).
    args[1] = ptr("100"); // overwrite the 2nd argument with the integer 100
  }
});
// Replace the (argument-less) function so it always returns the float 123.4.
Interceptor.replace(
  target,
  new NativeCallback(
    function () {
      return 123.4; // with returnType 'float' the JS number is converted to a C float
    },
    'float',
    []
  )
);
실수형(float,double)의 반환 값은 위와 같이 조작할 수 있다.