I. Goals

In previous tutorials we used Python’s Flask library to start a Web Server to implement RPC calls to App functions.

Today we introduce a new friend, AndroidAsync, and use it to start the web server, so that Frida can do the job directly without asking Python for help.

II. Steps

AndroidAsync

Its home is here: github.com/koush/Andro…

Download it, compile it into a jar and convert the jar into a dex, and Frida is ready to call it. That completes the preparation.

An example

Let’s take yesterday’s signature analysis of a news App (1) as an example

Let’s get the Web service running

  • Copy androidAsync.dex to your phone

adb push androidAsync.dex /data/local/tmp/
  • Start the web server in android.app.Application.attach

// Load the dex pushed to the phone (required before Java.use can resolve the AndroidAsync classes)
Java.openClassFile("/data/local/tmp/androidAsync.dex").load();

var ApplicationCls = Java.use("android.app.Application");
ApplicationCls.attach.implementation = function () {
    try {
        var AsyncHttpServer = Java.use("com.koushikdutta.async.http.server.AsyncHttpServer");
        var androidAsync = AsyncHttpServer.$new();
        // RequestTestCallback is the test callback (its definition is not shown here)
        androidAsync.get("/", RequestTestCallback.$new());
        // Listen on port 8181 on the phone
        androidAsync.listen(8181);
        console.log("reg webServer Ok");
    } catch (e) {
        console.error("reg webServer Error!!! , e:" + e);
    }
    // Call the original attach
    this.attach.apply(this, arguments);
};

The code needs no explanation; it speaks for itself.

It starts the web server on port 8181 and registers a RequestTestCallback for testing.

  • Attach your favorite Frida and give it a try

Open http://127.0.0.1:8181 in the browser. No response?

Oops, port 8181 is being listened on by the phone, not by the computer, so we have to access the phone's IP: http://192.168.2.113:8181/

Still no response? Neither "reg webServer Ok" nor "reg webServer Error!!!" was printed.

We are using Frida's attach mode, so execution may never reach the android.app.Application.attach function.

To work around this, set a switch variable and start the service directly inside the signature function signInternal

var bRunServer = 0;

var SignUtilCls = Java.use("com.yxdxxx.news.util.sign.SignUtil");
SignUtilCls.signInternal.implementation = function (a, b) {
    // Start the web server only once, on the first call to signInternal
    if (bRunServer == 0) {
        bRunServer = 1;
        runWebServer();
    }

    // Call the original function and log its input and result
    var rc = this.signInternal(a, b);
    console.log("inStr = " + b);
    console.log(">>> rc = " + rc);
    return rc;
};

Ok, this time you can see the successful startup prompt

[MI NOTE Pro::com.hxxx.yxdxxx]-> reg webServer Ok

Actively invoke the signature function

Add an /onenewssign interface to runWebServer

// androidAsync.get("/onenewssign", OneNewsSignRequestCallback.$new());
// Interface implemented by every AndroidAsync request handler
var HttpServerRequestCallback = Java.use("com.koushikdutta.async.http.server.HttpServerRequestCallback");
var OneNewsSignRequestCallback = Java.registerClass({
    name: "OneNewsSignRequestCallback",
    implements: [HttpServerRequestCallback],
    methods: {
        onRequest: function (request, response) {
            // Read the InStr query parameter
            var InStr = request.getQuery().getString("InStr");
            console.log("RPC Str = " + InStr);
            // Get the global Context through the API
            var context1 = Java.use('android.app.ActivityThread').currentApplication().getApplicationContext();
            console.log(context1);
            var SignUtilCls = Java.use("com.yxdxxx.news.util.sign.SignUtil");
            var ret = SignUtilCls.signInternal(context1, InStr);
            // Reply with JSON
            response.send("{\"code\":0,\"message\":\"" + ret + "\"}");
        }
    }
});

Call it directly: http://192.168.2.113:8181/onenewssign?InStr=yxdxxx5.7.7.21k6LWWMIG_1620967068422_166028401

We get a result, but the result is different every time the same parameter is passed. The algorithm in the SO probably still mixes in a random number. But it should work.

III. Summary

I don’t know if AndroidAsync is not very stable or Frida+AndroidAsync is not very stable, but it crashed on me several times.

You are on your own here. Maybe it’s my phone. Having more than one method is always good.

There are two ways to obtain the android.content.Context parameter: one is to use the API to obtain the global Context, and the other is to save the parameter passed to the signInternal function.

Note: the value returned via response.send must be JSON
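
The handler below is an added example, not the author's code: it builds the reply with JSON.stringify so the response stays valid JSON, rejects a missing InStr, and uses the second way of obtaining the Context (saving the signInternal argument). It assumes androidAsync.dex is already loaded as shown earlier; buildSignReply, SafeSignCallback and savedContext are hypothetical names.

```javascript
// Added example (not the author's code). buildSignReply is a hypothetical helper
// that also runs outside Frida; signFn wraps the call to SignUtil.signInternal.
function buildSignReply(inStr, signFn) {
  // getString() returns null when the query parameter is absent: reject it here.
  if (inStr === null || inStr === undefined || String(inStr).length === 0) {
    return JSON.stringify({ code: 1, message: "missing InStr" });
  }
  try {
    // JSON.stringify escapes quotes, backslashes and control characters.
    return JSON.stringify({ code: 0, message: String(signFn(String(inStr))) });
  } catch (e) {
    // Report the failure as JSON instead of letting it escape the handler.
    return JSON.stringify({ code: 2, message: "sign failed: " + e });
  }
}

// Frida wiring; skipped when the Java bridge is absent (for example under Node).
if (typeof Java !== "undefined") {
  Java.perform(function () {
    var SignUtilCls = Java.use("com.yxdxxx.news.util.sign.SignUtil");
    var HttpServerRequestCallback = Java.use(
      "com.koushikdutta.async.http.server.HttpServerRequestCallback");
    var savedContext = null; // second way to get a Context: keep the hook argument

    SignUtilCls.signInternal.implementation = function (a, b) {
      if (savedContext === null) {
        savedContext = Java.retain(a); // keep the wrapper usable after the hook returns
      }
      return this.signInternal(a, b);
    };

    // Register with: androidAsync.get("/onenewssign", SafeSignCallback.$new());
    var SafeSignCallback = Java.registerClass({
      name: "SafeSignRequestCallback", // hypothetical class name
      implements: [HttpServerRequestCallback],
      methods: {
        onRequest: function (request, response) {
          var inStr = request.getQuery().getString("InStr");
          response.send(buildSignReply(inStr, function (s) {
            if (savedContext === null) { throw new Error("no Context captured yet"); }
            return SignUtilCls.signInternal(savedContext, s);
          }));
        }
      }
    });
  });
}
```

A request that arrives before the app has called signInternal once gets a code 2 reply, because no Context has been captured yet.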

Most of the time, it’s better to do something halfway than to do it perfectly. Most of the time, it’s better to start right away than to think you’re ready.

TIP: The only purpose of this article is to learn more reverse-engineering techniques and ideas. If anyone uses this technique to obtain illegal commercial gain, the legal liability rests with the operator and has nothing to do with the author. The code projects involved in this article can be found in my "friends to fly" star group; you are welcome to join the star group to learn and explore the technology together. If you have a problem, you can add me on WX: FENfei331 to discuss it.

WeChat public account: Fenfei safety, pushing the latest technical content in real time