android逆向入门

进入bootloader模式

adb reboot bootloader

Root成功之后安装Frida Server到设备上

从Frida官网下载安装包 frida-server-xxx-android-arm64.xz放到设备相应目录

adb push frida-xxx.xz /data/local/tmp/

先解压（xz -d）得到 frida-server 可执行文件，再执行这个文件

adb shell
su
cd /data/local/tmp
chmod +x frida-xxx.xz
./frida-server-xxx

dump.py

#!/usr/bin/env python
# encoding: utf-8

import frida
import sys



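def on_message(message, data):
    """Handle a message posted by the injected Frida script.

    Args:
        message: dict delivered by Frida. ``type`` is ``'send'`` for a
            JavaScript ``send()`` call (the value travels in ``payload``);
            otherwise it is an error/log record, which is printed whole.
        data: optional binary payload attached to a ``send()`` call, or
            ``None``. Only its size is reported here.
    """
    if message.get('type') == 'send':
        # The original dropped send() payloads with `pass`, so anything the
        # script sent back was lost silently; surface it instead.
        print('[send] %s' % (message.get('payload'),))
        if data:
            print('[send] binary payload: %d bytes' % len(data))
    else:
        # Error records carry 'description' / 'stack'; print everything so
        # script exceptions are visible on the host side.
        print(message)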


# Frida agent injected into the target process (see the bottom of the file).
# What it does as written:
#   * Bytes2HexString / print / hexdumpp are helpers; hexdumpp reads the
#     buffer with Memory.readByteArray and then does nothing with it (every
#     consumer is commented out), so it is effectively dead code.
#   * `base` is taken from Module.findBaseAddress('libwechatnormsg.so'); if the
#     module is not loaded that call returns null and `base.add(...)` throws,
#     which surfaces as an 'error' message in on_message.
#   * One Interceptor.attach on base + 0x347008: onEnter logs the three
#     arguments and a backtrace and saves args[1]; onLeave hexdumps 16 bytes
#     from that pointer.  The offset is specific to the library build the
#     author examined (the commented-out offsets show it changed between
#     builds) and must be re-derived for any other build.
jscode = """

function Bytes2HexString(arrBytes) {
    var str = "";
    for (var i = 0; i < arrBytes.length; i++) {
      var tmp;
      var num=arrBytes[i];
      if (num < 0) {
      //此处填坑,当byte因为符合位导致数值为负时候,需要对数据进行处理
        tmp =(255+num+1).toString(16);
      } else {
        tmp = num.toString(16);
      }
      if (tmp.length == 1) {
        tmp = "0" + tmp;
      }
      str += tmp;
    }
    return str;
  }


function print(bytes){
   var s = "";
   var i = 0;
   for(var i=0;i < bytes.length; i+=1) 
       s += String.fromCharCode(bytes[i]); 
   return s;
}


function hexdumpp(tag, buf, buf_len) {
  var buf = Memory.readByteArray(buf, buf_len);

  //var str = Bytes2HexString(buf);
  //console.log(str);

  //print(buf);

  /*console.log(hexdump(buf, {
    offset: 0,
    length: buf_len,
    header: false,
    ansi: false
  }));
  */

}


   var base = Module.findBaseAddress('libwechatnormsg.so');
// // 703 ??var compressFunc = Module.findExportByName("libz.so" , "compress");
// // 704 0xE00F0
// // 705 0xE00F0
// // 706 0xE2DD0
// // 708 0x38367C
// var compressFunc = base.add(0x38367C+1)
// Interceptor.attach(compressFunc, {
//     onEnter: function(args) {
//         hexdumpp("compress", args[2], args[3].toInt32());
//     },
//     onLeave: function(retval) {}
// });


   var sub_347008 = base.add(0x347008)
   Interceptor.attach(sub_347008, {
     onEnter: function(args) {
    console.log('>>> onEnter MD5Final this: ' + args[0]+',args1:'+args[1]+',args2:'+args[2]);
    console.log("Call Stack:"+Thread.backtrace(this.context,Backtracer.ACCURATE).map(DebugSymbol.fromAddress).join(" "));
    this.MyRet1 = args[1];
     },
     onLeave: function(retval) {
       console.log("MD5:"+hexdump(this.MyRet1, {
        offset: 0,
        length: 16,
        header: true,
        ansi: false
      }));
     }
   });


   
   
"""


# var sub_37b2a4 = base.add(0x37b2a4+1);
#    console.log("sub_37b2a4:" + sub_37b2a4);

#    Interceptor.attach(sub_37b2a4, {
#      onEnter: function(args) {
#     //console.log('>>> onEnter Md5Update this: ' + args[0]+',args1:'+args[1]+',args2:'+args[2]);
#     //console.log(Thread.backtrace(this.context,Backtracer.ACCURATE).map(DebugSymbol.fromAddress).join(" "));
#     var file = Memory.readCString(args[1]);
#     if(args[2].toInt32()<0x1000){
#       if(file.startsWith("/system")){
#         console.log(file);
#       }else{
#         console.log(hexdump(args[1], {
#           offset: 0,
#           length: args[2].toInt32(),
#           header: true,
#           ansi: false
#         }));
#       }
#     }
#       this.MyRet = args[0];
#      },
#      onLeave: function(retval) {

#      }
#    });

   

#    var sub_37b350 = base.add(0x37b350+1);

#    Interceptor.attach(sub_37b350, {
#      onEnter: function(args) {
#     console.log('>>> onEnter MD5Final this: ' + args[0]+',args1:'+args[1]+',args2:'+args[2]);
#       this.MyRet1 = args[1];
#      },
#      onLeave: function(retval) {
#        console.log("MD5:"+hexdump(this.MyRet1, {
#         offset: 0,
#         length: 16,
#         header: true,
#         ansi: false
#       }));
#      }
#    });

   


#    const libcso = "libc.so";
#    var dlopen = Module.findExportByName(libcso, 'lstat');
#    console.log("lstat:" + dlopen);
#    Interceptor.attach(ptr(dlopen), {
#      onEnter: function(args) {
#     //console.log("Enter dlopen call:args[0]:"+args[0]+",args1:"+args[1]);
#        console.log(Memory.readCString(args[0]));
    
#      },
#      onLeave: function(retval) {
#      }

#    });




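# Attach over USB to the already-running target, inject the agent above and
# keep this host process alive until stdin reaches EOF (Ctrl-D); hook output
# arrives through console.log / on_message in the meantime.
# attach() returns a frida Session rather than a Process; the original
# variable name is kept so nothing else in the script has to change.
process = frida.get_usb_device().attach('com.tencent.mm')
script = process.create_script(jscode)
script.on('message', on_message)
print('[*] Dump Data')
script.load()
try:
    # Block here; the hooks run inside the target until we return.
    sys.stdin.read()
finally:
    # Detach on EOF and on Ctrl-C alike: the original left the session (and
    # its hooks) dangling when interrupted.  Detaching unloads the script
    # and leaves the target running normally.
    process.detach()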