Steps to reverse WhatsApp using a combination of dynamic and static methods in Java

Dynamic and static combination of reverse WhatsApp

All overloads of the 0x01.hook method

In an article that takes you to understand the essence of Frida, we have learned how to overload To process, let's review the code first:

my_class.fun.overload("int" , "int").implementation = function(x,y){
my_class.fun.overload("java.lang.String").implementation = function(x){

That is to say, we need to construct an overloaded array and print out each overload. Let's go directly to the code:

//目标类
var hook = Java.use(targetClass);
//重载次数
var overloadCount = hook[targetMethod].overloads.length;
//打印日志：追踪的方法有多少个重载
console.log("Tracing " + targetClassMethod + " [" + overloadCount + " overload(s)]");
//每个重载都进入一次
for (var i = 0; i <p> In this way, we have processed all overloads of the method, and then enumerate all methods. </p><h4 id="All-methods-of-the-x-hook-class">All methods of the 0x02.hook class</h4><p>still go directly to the code:</p><pre class="brush:php;toolbar:false">function traceClass(targetClass)
{
  //Java.use是新建一个对象哈，大家还记得么？
    var hook = Java.use(targetClass);
  //利用反射的方式，拿到当前类的所有方法
    var methods = hook.class.getDeclaredMethods();
  //建完对象之后记得将对象释放掉哈
    hook.$dispose;
  //将方法名保存到数组中
    var parsedMethods = [];
    methods.forEach(function(method) {
        parsedMethods.push(method.toString().replace(targetClass + ".", "TOKEN").match(/\sTOKEN(.*)\(/)[1]);
    });
  //去掉一些重复的值
    var targets = uniqBy(parsedMethods, JSON.stringify);
  //对数组中所有的方法进行hook，traceMethod也就是第一小节的内容
    targets.forEach(function(targetMethod) {
        traceMethod(targetClass + "." + targetMethod);
    });
}

All subclasses of the 0x03.hook class

still go to the core part Code:

//枚举所有已经加载的类
Java.enumerateLoadedClasses({
    onMatch: function(aClass) {
        //迭代和判断
        if (aClass.match(pattern)) {
            //做一些更多的判断，适配更多的pattern
            var className = aClass.match(/[L]?(.*);?/)[1].replace(/\//g, ".");
            //进入到traceClass里去
            traceClass(className);
        }
    },
    onComplete: function() {}
});

0x04.hook the export function of the local library

// 追踪本地库函数
function traceModule(impl, name)
{
    console.log("Tracing " + name);
    //frida的Interceptor
    Interceptor.attach(impl, {
        onEnter: function(args) {

        console.warn("\n*** entered " + name);
        //打印调用栈
        console.log("\nBacktrace:\n" + Thread.backtrace(this.context, Backtracer.ACCURATE)
                        .map(DebugSymbol.fromAddress).join("\n"));
        },
        onLeave: function(retval) {
        //打印返回值
        console.log("\nretval: " + retval);
        console.warn("\n*** exiting " + name);

        }
    });
}

0x05. Dynamic and static combination of reverse WhatsApp

Finally it’s time for actual combat, splicing the above codes together to form A script. In fact, this script is also introduced in awesome-frida. The code is here, but it has a small bug. After being modified by Calabash, it can finally be used.

Let’s try some of its main functions. The first is the export function of the local library.

setTimeout(function() {
    Java.perform(function() {
        trace("exports:*!open*");
        //trace("exports:*!write*");
        //trace("exports:*!malloc*");
        //trace("exports:*!free*");
    });
}, 0);

Our hook is the open() function, run it and see the effect:

$ frida -U -f com.whatsapp -l raptor_frida_android_trace_fixed.js --no-pause

As shown in the figure, *!open* matches exported functions such as openlog and open64 according to regular rules, hooks all these functions, and prints out their parameters and return value.

Which part you want to see next, just throw it into jadx, statically "analyze" it, browse it by yourself, or search it based on the string.

For example, if we want to see the contents of the com.whatsapp.app.protocol package in the picture above, we can set trace ("com.whatsapp.app.protocol").

You can see that all functions and methods in the package, including overloads, parameters and return values, are printed. This is the charm of fridascript.

Of course, the script is just a tool after all. Your understanding of Java, Android App, and your creativity are crucial.

Next, you can use Xposed module to see which modules others have made for whatsapp, which functions of hook, what functions are implemented, and learn to write them yourself .

Of course, I would like to emphasize again that cheating is illegal. Do not make and distribute any App cheats, otherwise you will only be punished by the law.

The above is the detailed content of Steps to reverse WhatsApp using a combination of dynamic and static methods in Java. For more information, please follow other related articles on the PHP Chinese website!