frida
1、安装python3.8并配置好环境变量(官方推荐使用python3,且版本不低于3.7),python安装包官方下载地址:https://www.python.org/downloads/ 。
2、安装frida模块,命令为 pip install frida(配置了多个python版本环境的,可以使用命令 python -m pip install frida,避免直接用 pip install frida 时报错)。
3、安装frida-tools模块,命令同上:pip install frida-tools,或者 python -m pip install frida-tools。
查看Android手机的CPU架构:在adb shell中执行 getprop ro.product.cpu.abi
输出示例:arm64-v8a
4、下载运行在目标机上的frida-server端,官方下载地址:https://github.com/frida/frida/releases ,下载时要选择对应的版本(与上一步查到的CPU架构一致,并与电脑端安装的frida版本一致)。
5、将第四步下载好的文件解压,然后通过命令 adb push 你电脑上的存放位置 /data/local/tmp 将文件传输到手机中,然后通过 adb shell 进入手机端,给文件赋权777(实际只需要可执行权限,755即可满足),并以root权限启动。
# Host side: copy the unpacked frida-server binary to the device (path/ stands for its local location).
adb push path/frida-server /data/local/tmp
# Device side (inside adb shell, from /data/local/tmp): start the server.
# The surrounding text says the file must be made executable and started as root first.
./frida-server
6、做完以上几步后,新开一个命令行输入命令frida-ps -U
查看手机进程,如果出现以下结果,则frida安装成功。
frida frida-ps -U
PID Name
----- ------------
19990 frida-server
19778 sh
# Open a shell on the device and go to the directory frida-server was pushed to.
adb shell
cd /data/local/tmp
# Error reported when frida-server is started without root:
# Unable to load SELinux policy from the kernel: Failed to open file "/sys/fs/selinux/policy": Permission denied
# Switch to root first, otherwise hooking does not work.
su root
./frida-server & # must be running; "&" puts it in the background so the shell stays usable
# NOTE(review): the backgrounded server may keep running as root after this shell exits - stop it when the session is over.
# On the computer: set up port forwarding to the device.
adb forward tcp:27042 tcp:27042
adb forward tcp:27043 tcp:27043
# List the device's processes; if the target app's package is shown, frida started successfully.
frida-ps -U
# Open the app
# Run scripts, etc.
参考
frida入门总结
抖音算法暴力获取 init_gorgon(),x-gorgon,Python爬虫
jadx 反编译后的定位分析
/**
 * jadx-decompiled accessor for the singleton held in the static field {@code t}.
 *
 * <p>When {@code t} is still null the method takes the {@code c.class} lock, creates the
 * instance if needed, asks the {@code IExpendFunctions} stored in {@code s} to load the
 * "cms" library, calls {@code tt.init_gorgon()}, sends a series of {@code a.meta(code, ...)}
 * calls and starts a helper thread. The meaning of the numeric codes passed to
 * {@code a.meta} is not visible in this listing.
 *
 * @param context application context; when null, one is fetched from {@code com.ss.sys.ces.a.a.b()}
 * @param j2 passed to the {@code c} constructor unchanged
 * @param i2 passed to {@code com.ss.a.a.a.a(int)} and {@code b.a(int)}
 * @param iExpendFunctions stored in {@code s} when non-null; used to load the library
 * @return the singleton {@code t}, or null when no context could be obtained
 */
public static c a(final Context context, long j2, int i2, IExpendFunctions iExpendFunctions) {
// First, unlocked check of the singleton field; whether t is volatile is not visible here.
if (t == null) {
synchronized (c.class) {
// Start timestamp for the total duration stored in v further down.
long timeInMillis = Calendar.getInstance().getTimeInMillis();
if (iExpendFunctions != null) {
s = iExpendFunctions;
}
// Second check, now under the lock.
if (t == null) {
if (context == null) {
context = com.ss.sys.ces.a.a.b().getApplicationContext();
}
if (context == null) {
// No context available: give up without creating the instance.
return null;
}
t = new c(context, j2);
}
// NOTE(review): everything from here on sits outside the inner null check, so a thread that
// lost the creation race but passed the outer check runs the initialisation again.
com.ss.a.a.a.a(i2);
com.ss.a.a.a.b((int) b());
u = b.a(context);
// Start timestamp for the library-load duration stored in w.
long timeInMillis2 = Calendar.getInstance().getTimeInMillis();
try {
if (s != null) {
s.loadLibrary(context, "cms");
w = Calendar.getInstance().getTimeInMillis() - timeInMillis2;
// Called directly after the library load; presumably a native initialiser - confirm in tt.
tt.init_gorgon();
StringBuilder sb = new StringBuilder();
sb.append((int) b());
a.meta(102, context, sb.toString());
int a2 = b.a(i2);
StringBuilder sb2 = new StringBuilder();
sb2.append(a2);
a.meta(UserServiceOptimize.UserServiceOptimizeExperiment.OPTION_ALL_EXC_OPTION_5, (Context) null, sb2.toString());
a.meta(1020, (Context) null, c());
StringBuilder sb3 = new StringBuilder();
sb3.append(com.ss.sys.ces.a.a.b(context));
a.meta(105, (Context) null, sb3.toString());
a.meta(106, (Context) null, com.ss.sys.ces.a.a.a(context));
a.meta(107, (Context) null, com.ss.sys.ces.a.a.c(context));
a.meta(108, (Context) null, com.ss.sys.ces.a.a.d(context));
a.meta(109, (Context) null, com.ss.sys.ces.a.a.c());
a.meta(110, (Context) null, com.ss.sys.ces.a.a.d());
// Helper thread: calls com.ss.sys.ces.a.b.a(context) and reports its own thread id via a.meta(100, ...).
new Thread("0.6.11.28.39-IH") {
public final void run() {
com.ss.sys.ces.a.b.a(context);
// NOTE(review): looks like a jadx artifact - a local that shadows the captured parameter
// and is initialised from itself; this line would not compile as written.
Context context = context;
StringBuilder sb = new StringBuilder();
sb.append(Thread.currentThread().getId());
a.meta(100, context, sb.toString());
}
}.start();
// Total time spent since the lock was taken.
v = Calendar.getInstance().getTimeInMillis() - timeInMillis;
} else {
// Thrown inside the try, so the catch (Throwable) below handles it; it never reaches the caller.
throw new NullPointerException("null expend functions");
}
} catch (Throwable unused) {
// Every failure above, including errors raised by the library load, ends up here and is not rethrown.
long uptimeMillis = SystemClock.uptimeMillis();
// presumably a fallback load of "cms" followed by a timing/log hook - confirm against those classes
com.bytedance.j.a.a("cms");
com.ss.android.ugc.aweme.lancet.b.b.a(uptimeMillis, "cms");
}
}
}
// Returned even when the initialisation above failed and was swallowed by the catch block.
return t;
}
leviathan
// jadx fallback (register-level) dump of a fragment of a larger method; the rN names are
// registers, and the code before L_0x0170 and after the final goto is not part of this listing.
L_0x0170:
// Concatenate the four values held in r0, r12, r15 and r9 into one string.
java.lang.StringBuilder r11 = new java.lang.StringBuilder // Catch:{ all -> 0x0227 }
r11.<init>() // Catch:{ all -> 0x0227 }
r11.append(r0) // Catch:{ all -> 0x0227 }
r11.append(r12) // Catch:{ all -> 0x0227 }
r11.append(r15) // Catch:{ all -> 0x0227 }
r11.append(r9) // Catch:{ all -> 0x0227 }
java.lang.String r0 = r11.toString() // Catch:{ all -> 0x0227 }
// String -> byte[] via com.ss.a.b.a.a(String), then through leviathan(r14, r10, bytes),
// then byte[] -> String via com.ss.a.b.a.a(byte[]).
// presumably these are the hex helpers of the class a listed on this page - confirm the package
byte[] r0 = com.ss.a.b.a.a((java.lang.String) r0) // Catch:{ all -> 0x0227 }
byte[] r0 = com.ss.sys.ces.a.leviathan(r14, r10, r0) // Catch:{ all -> 0x0227 }
java.lang.String r9 = com.ss.a.b.a.a((byte[]) r0) // Catch:{ all -> 0x0227 }
// The second part runs only when r17 == 1 and r18 is a non-null, non-empty string.
r14 = r17
r11 = 1
if (r14 != r11) goto L_0x01c5
r12 = r18
if (r12 == 0) goto L_0x01c5
int r0 = r12.length() // Catch:{ all -> 0x01c2 }
if (r0 <= 0) goto L_0x01c5
r11 = 0
// Base64-decode r18 with flags 0, pass it through leviathan with -1 as the first argument,
// Base64-encode the result and store it in the map r6 under the key "x-bd-lanus".
byte[] r0 = android.util.Base64.decode(r12, r11) // Catch:{ all -> 0x01c0 }
r2 = -1
byte[] r0 = com.ss.sys.ces.a.leviathan(r2, r10, r0) // Catch:{ all -> 0x01c0 }
java.lang.String r2 = "x-bd-lanus"
java.lang.StringBuilder r12 = new java.lang.StringBuilder // Catch:{ all -> 0x01c0 }
r12.<init>() // Catch:{ all -> 0x01c0 }
java.lang.String r0 = android.util.Base64.encodeToString(r0, r11) // Catch:{ all -> 0x01c0 }
r12.append(r0) // Catch:{ all -> 0x01c0 }
java.lang.String r0 = r12.toString() // Catch:{ all -> 0x01c0 }
r6.put(r2, r0) // Catch:{ all -> 0x01c0 }
goto L_0x01c5
public final class a {
public static String a(byte[] bArr) {
if (bArr == null) {
return null;
}
char[] charArray = "0123456789abcdef".toCharArray();
char[] cArr = new char[(bArr.length * 2)];
for (int i = 0; i < bArr.length; i++) {
byte b2 = bArr[i] & 255;
int i2 = i * 2;
cArr[i2] = charArray[b2 >>> 4];
cArr[i2 + 1] = charArray[b2 & 15];
}
return new String(cArr);
}
public static byte[] a(String str) {
int length = str.length();
byte[] bArr = new byte[(length / 2)];
for (int i = 0; i < length; i += 2) {
bArr[i / 2] = (byte) ((Character.digit(str.charAt(i), 16) << 4) + Character.digit(str.charAt(i + 1), 16));
}
return bArr;
}
public static byte[] a(byte[]... bArr) {
int i = 0;
for (int i2 = 0; i2 < 2; i2++) {
i += bArr[i2].length;
}
byte[] bArr2 = new byte[i];
int i3 = 0;
for (int i4 = 0; i4 < 2; i4++) {
byte[] bArr3 = bArr[i4];
System.arraycopy(bArr3, 0, bArr2, i3 + 0, bArr3.length);
i3 += bArr3.length;
}
return bArr2;
}
}