
Android,iOS Memory,String Scanner

속성
MOBILE
날짜
1번 memcpy 스캔
2번 Java String 스캔
3번 NSString 스캔
검색 문자열은 필수로 입력 *
변조 문자는 없을 경우 공백 입력
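# Memory / string scanner built on Frida (Android and iOS).
#
# Usage, as prompted at start-up:
#   - target: 1 = hook memcpy, 2 = hook java.lang.StringBuilder.toString,
#             3 = hook +[NSString stringWithUTF8String:]
#   - search string: required
#   - replace string: optional; leave it empty to scan without modifying
#
# Useful for checking whether a sensitive value shows up in clear text in
# the process while the app runs.
#
# This listing only defines on_message, PACKAGE_NAME and jscode; the code
# that attaches to the process and loads the script is not part of it.
import json
import sys, frida

print("[1] Memory [2] Java String [3] NSString", end=" : ")
target = input().strip()

print("\n[!] Enter null if there is no character to find or replace")
print("[#] Search String", end=" : ")
search = input()
print("[#] Replace String", end=" : ")
replace = input()

# An empty search string matches every buffer ("".indexOf("") is 0), so
# every call would be dumped. The search string is mandatory.
if search == "":
    sys.exit("[!] Search String is required")

# Anything other than 1/2/3 is mapped to 0 so the script reaches its
# "Target Error" branch instead of failing to parse.
js_target = int(target) if target in ("1", "2", "3") else 0


def on_message(message, data):
    """Print every message received from the injected script."""
    print(message)


################## Package setting ###########################
PACKAGE_NAME = "kr.co.sks.finlab.wealth"

# The user-supplied values are embedded as JSON literals (valid JavaScript
# string/number literals). Pasting them raw between quotes would let a
# quote or backslash in the input end the literal and change the script.
jscode = """
var TARGET = %(target)s;
var SEARCH = %(search)s;
var REPLACE = %(replace)s;

// Hex-dump `size` bytes starting at `addr`, labelled with `info`.
function dumpAddr(info, addr, size) {
    if (addr.isNull())
        return;
    console.log('Data dump ' + info + ' :');
    var buf = addr.readByteArray(size);
    // If you want color magic, set ansi to true
    console.log(hexdump(buf, { offset: 0, length: size, header: true, ansi: false }));
}

if (TARGET == 1) {
    setTimeout(function () {
        Interceptor.attach(Module.findExportByName(null, 'memcpy'), {
            onEnter: function (args) {
                var path1, path2;
                try {
                    // args[0] = destination, args[1] = source, args[2] = length
                    path1 = Memory.readUtf8String(args[0]);
                    path2 = Memory.readUtf8String(args[1]);
                } catch (e) {
                    // memcpy is called on arbitrary binary data; buffers that
                    // are unreadable or not valid UTF-8 are skipped.
                    return;
                }
                if (path1 === null || path2 === null)
                    return;

                if (path1.indexOf(SEARCH) !== -1 || path2.indexOf(SEARCH) !== -1) {
                    if (REPLACE !== "") {
                        console.log(" \t\t\t\t\t\t\t\t\t\x1b[35m[-] Origin String : " + SEARCH + " \x1b[0m");
                        // NOTE: this write is not bounded by the copy length in
                        // args[2]. A replacement longer than the source buffer
                        // writes past it and can corrupt or crash the process.
                        Memory.writeUtf8String(args[1], REPLACE);
                    }
                    dumpAddr('memcpy', args[1], args[2].toInt32());
                    console.log('cpy byte : ' + args[2]);
                    // Was `path`, which is not defined anywhere and raised a
                    // ReferenceError on every match; the source text is path2.
                    console.log("[*] android_dlopen_ext(" + args[1] + " str : " + path2 + ")");
                }
            }
        });
    }, 5000);
} else if (TARGET == 2) {
    setImmediate(function () {
        Java.perform(function () {
            const StringBuilder = Java.use('java.lang.StringBuilder');
            StringBuilder.toString.implementation = function () {
                var retVal = this.toString();
                if (retVal.indexOf(SEARCH) !== -1) {
                    if (REPLACE !== "") {
                        // The whole result is replaced, not just the matching part.
                        retVal = REPLACE;
                        console.log("\x1b[35m[-] Origin String : " + SEARCH + " \x1b[0m");
                    }
                    console.log("StringBuilder.toString(): " + retVal);
                }
                return retVal;
            };
        });
    });
} else if (TARGET == 3) {
    Interceptor.attach(ObjC.classes.NSString['+ stringWithUTF8String:'].implementation, {
        onEnter: function (args) {
            //console.log('[+] Hooked +[NSString stringWithUTF8String:] ');
        },
        onLeave: function (retval) {
            // A nil result cannot be wrapped in ObjC.Object.
            if (retval.isNull())
                return;
            var str = new ObjC.Object(ptr(retval)).toString();
            if (str.indexOf(SEARCH) !== -1) {
                console.log("Backtrace:" + Thread.backtrace(this.context, Backtracer.ACCURATE).map(DebugSymbol.fromAddress).join(""));
                if (REPLACE !== "") {
                    // Only the local copy used for logging changes here; the
                    // NSString handed back to the app is left as it was.
                    str = REPLACE;
                    console.log("\x1b[35m[-] Origin String : " + SEARCH + " \x1b[0m");
                }
                console.log('[+] Returning [NSString stringWithUTF8String:] -> ', str);
            }
            return retval;
        }
    });
} else {
    console.log("[!] Target Error !");
    console.log("[!] Target Error !");
    console.log("[!] Target Error !");
    console.log("[!] Target Error !");
}
""" % {
    "target": json.dumps(js_target),
    "search": json.dumps(search),
    "replace": json.dumps(replace),
}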