1, Recently, we have been exploring the loopholes in industrial control equipment , When an application penetrates, the request parameters are encrypted or signed , Prompt for exception after the requested data is modified ,
It leads to the failure of effective vulnerability mining , So make a record of the recent methods of shelling , Reverse decompile application for viewing

 

2, Through the shell check and the above analysis 360 reinforce , Reinforced apk, The source code cannot be obtained by decompiling in the normal way

3, Configure environment and start frida service

4, Port forwarding

5, Related orders
--version show program's version number and exit -h, --help show this help
message and exit -D ID, --device=ID connect to device with the given ID -U,
--usb connect to USB device -R, --remote connect to remote frida-server -H
HOST, --host=HOST connect to remote frida-server on HOST -f FILE, --file=FILE
spawn FILE -n NAME, --attach-name=NAME attach to NAME -p PID, --attach-pid=PID
attach to PID --debug enable the Node.js compatible script debugger
--disable-jit disable JIT -I MODULE, --include-module=MODULE include MODULE -X
MODULE, --exclude-module=MODULE exclude MODULE -i FUNCTION, --include=FUNCTION
include FUNCTION -x FUNCTION, --exclude=FUNCTION exclude FUNCTION -a
MODULE!OFFSET, --add=MODULE!OFFSET add MODULE!OFFSET -T, --include-imports
include program's imports -t MODULE, --include-module-imports=MODULE include
MODULE imports -m OBJC_METHOD, --include-objc-method=OBJC_METHOD include
OBJC_METHOD
6, Script and put libart.so take out . then IDA reverse OpenMemory Corresponding signature function name of .

 

Interceptor.attach(Module.findExportByName("libart.so",
"_ZN3art7DexFile10OpenMemoryEPKhjRKNSt3__112basic_stringIcNS3_11char_traitsIcEENS3_9allocatorIcEEEEjPNS_6MemMapEPKNS_10OatDexFileEPS9_"),
{

    onEnter: function (args) {

   

        //dex Starting position

        var begin = args[1]

        // Printing magic

        console.log("magic : " + Memory.readUtf8String(begin))

        //dex fileSize address

        var address = parseInt(begin,16) + 0x20

        //dex size

        var dex_size = Memory.readInt(ptr(address))

 

        console.log("dex_size :" + dex_size)

   

        var packageName = "com.********" 

        var file = new File("/data/data/"+packageName+"/" + dex_size + ".dex",
"wb")

 

        file.write(Memory.readByteArray(begin, dex_size))

        file.flush()

        file.close()

    },

    onLeave: function (retval) {

        if (retval.toInt32() > 0) {

            /* do something */

        }

    }

});

7, After the script is configured, the shell is removed as follows

8, You can see that we're shelling down here dex file

 

Technology
©2019-2020 Toolsou All rights reserved,
Online troubleshooting HTTP Status code ——415 and 406 Front end to background 5 Summary of different ways Summary of artificial intelligence algorithm [RK3399][Android7.1] Learning notes DRM Driver development ( introduce )[AndroidO] [RK3399] -- GPIO Drive and control mode Digital rolling lottery program Science fiction comes true !“ Trisomy ” Found out ( Essence )2020 year 6 month 26 day C# Class library read json Profile help class JQ get request Splicing url parameter ( query criteria ) Obviously post Why does the request display parameters in the address bar ?