用frida hook公司线上app(经过360加固的),发现有的类能够hook到,有的类hook不到,提示如:
Error: java.lang.ClassNotFoundException: Didn't find class "duozhao.com.baselib.util.RsaUtil2" on path: DexPathList ...
于是乎准备hook一下DexClassLoader的loadClass方法打印一下加载的class:
// Frida wrapper for dalvik.system.DexClassLoader, the loader type instrumented below.
var dexclassLoader = Java.use("dalvik.system.DexClassLoader");
//var pathclassLoader=Java.use("dalvik.system.PathClassLoader");
// The next three variables are declared but not referenced anywhere in this snippet.
var hookClass = undefined;
var ClassUse = Java.use("java.lang.Class");
var hooked = false;
// Replace the loadClass(String, boolean) overload so that each class name requested
// through it is printed before the call is forwarded.
// NOTE(review): only lookups that actually pass through this overload are logged;
// classes resolved by a loader that does not route through it will not appear.
dexclassLoader.loadClass.overload("java.lang.String","boolean").implementation=function (name,resolve) {
    // The logged string is the requested class name ("加载类" = "loading class").
    console.log("加载类:"+name);
    // Inside a Frida implementation, this.loadClass invokes the original method,
    // so the application's behaviour is unchanged apart from the log line.
    return this.loadClass(name,resolve);
};
发现还是无法打印出想要的类,此时考虑可能是360加固改变了classloader。把加固后的app放到jadx下查看,StubApp中有以下代码:
/**
 * Decompiled entry point of the packer's stub Application.
 *
 * As visible here, the method (1) selects and loads a native library whose file name
 * depends on the CPU ABI strings, either from a ".jiagu" directory under the app's
 * data directory or via System.loadLibrary, and then (2) obtains a second object from
 * m7(context) and reflectively calls Application.attach(Context) on it.
 * The helpers C0002.m3/m4/m6, m7, m8, interface5 and interface8 are not shown; remarks
 * about them below are assumptions to be confirmed against the decompiled stub.
 */
public final void attachBaseContext(Context context) {
    boolean r0;
    super.attachBaseContext(context);
    C0002.m6(); // opaque helper; purpose not visible in this listing
    f5 = context;
    // Remember the stub instance once.
    if (f2 == null) {
        f2 = this;
    }
    // f3 == null means the second Application object has not been created yet,
    // so the native library still has to be loaded.
    if (f3 == null) {
        // valueOf: result of C0002.m3(); it selects the "_x86"/"_x64" variants below,
        // so it is presumably an x86 check (confirm in C0002).
        Boolean valueOf = Boolean.valueOf(C0002.m3());
        // valueOf2: true when either ABI string contains "64".
        Boolean valueOf2 = Boolean.valueOf(false);
        // valueOf3: true when either ABI string contains "mips".
        Boolean valueOf3 = Boolean.valueOf(false);
        if (Build.CPU_ABI.contains("64") || Build.CPU_ABI2.contains("64")) {
            valueOf2 = Boolean.valueOf(true);
        }
        if (Build.CPU_ABI.contains("mips") || Build.CPU_ABI2.contains("mips")) {
            valueOf3 = Boolean.valueOf(true);
        }
        if (valueOf.booleanValue() && needX86Bridge) {
            System.loadLibrary("X86Bridge");
        }
        if (!loadFromLib) {
            // Parent of getFilesDir(), i.e. the app's private data directory;
            // the canonical form is preferred when it can be resolved.
            String absolutePath = context.getFilesDir().getParentFile().getAbsolutePath();
            try {
                absolutePath = context.getFilesDir().getParentFile().getCanonicalPath();
            } catch (Exception e) {
                // Failure is ignored; the absolute path computed above is kept.
            }
            // Working directory used for the native library files.
            String str = absolutePath + "/.jiagu";
            // m8 returns the file names used below (f10 depends on the 64-bit/mips
            // flags, f6 is the fallback name); its implementation is not shown.
            f10 = m8(str, valueOf2.booleanValue(), valueOf3.booleanValue());
            f6 = m8(str, false, false);
            f7 = str + File.separator + f6;
            f8 = str + File.separator + f10;
            f9 = str;
            // C0002.m4(context, name, dir, file) returns a boolean (see r0 below);
            // presumably it writes the named bundled library into dir as file,
            // since System.load is called on dir + "/" + file right after (confirm).
            if (valueOf3.booleanValue()) {
                C0002.m4(context, f4 + "_mips.so", str, f6);
            } else if (!valueOf.booleanValue() || needX86Bridge) {
                C0002.m4(context, f4 + ".so", str, f6);
            } else {
                C0002.m4(context, f4 + "_x86.so", str, f6);
            }
            // Not 64-bit, or mips: load the fallback file f6.
            if (!valueOf2.booleanValue() || valueOf3.booleanValue()) {
                System.load(str + "/" + f6);
            } else {
                // 64-bit: try the "_a64"/"_x64" variant first.
                if (!valueOf.booleanValue() || needX86Bridge) {
                    r0 = C0002.m4(context, f4 + "_a64.so", str, f10);
                } else {
                    r0 = C0002.m4(context, f4 + "_x64.so", str, f10);
                }
                // Load the 64-bit file when m4 reported success, otherwise fall back to f6.
                if (r0) {
                    System.load(str + "/" + f10);
                } else {
                    System.load(str + "/" + f6);
                }
            }
        } else if (!valueOf.booleanValue() || needX86Bridge) {
            // loadFromLib set: the library is resolved by name via System.loadLibrary.
            System.loadLibrary("jiagu");
        } else {
            System.loadLibrary("jiagu_x86");
        }
    }
    interface5(f2); // opaque; receives the stub instance
    if (f3 == null) {
        // m7 produces the object that attach(Context) is invoked on below; it is
        // presumably the protected app's own Application instance (confirm in m7).
        f3 = m7(context);
        if (f3 != null) {
            try {
                // Application.attach(Context) is not public, hence reflection plus setAccessible.
                Method declaredMethod = Application.class.getDeclaredMethod("attach", new Class[]{Context.class});
                // getDeclaredMethod throws rather than returning null, so this check
                // is effectively always true.
                if (declaredMethod != null) {
                    declaredMethod.setAccessible(true);
                    declaredMethod.invoke(f3, new Object[]{context});
                }
                interface8(f3, context); // opaque; receives the new object and the context
            } catch (Exception e2) {
                throw new RuntimeException("Failed to call attachBaseContext.", e2);
            }
        } else {
            // No second Application object could be created: terminate the process.
            System.exit(1);
        }
    }
}
此时只要拿到真正的classloader,就能加载需要的类了:
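// Obtain the class loader that is in effect once Application.attach(Context) has run.
var application = Java.use("android.app.Application");
var classloader;
// NOTE(review): attach(Context) can run more than once in a process that uses a stub
// Application, so this body may execute repeatedly and re-install the inner hook.
application.attach.overload('android.content.Context').implementation = function(context) {
    // Run the original attach first so the application finishes its own setup.
    var result = this.attach(context);
    // Take the class loader from the attached context and make it the loader that
    // Java.classFactory resolves classes with.
    classloader = context.getClassLoader();
    Java.classFactory.loader = classloader;
    // Java.classFactory.use is used instead of Java.use: per the author, Java.use
    // checks that it is called inside Java.perform and fails here otherwise.
    // "xxxxx" is the author's redaction of the real package name.
    var Rsa = Java.classFactory.use("xxxxx.util.RsaUtil");
    // Print the wrapper that was just resolved ("加密类" = "encryption class").
    // The variable logged must be one defined in this scope; an undefined name
    // would throw a ReferenceError inside attach.
    console.log("加密类: " + Rsa);
    Rsa.encrypt.overload("java.lang.String","java.security.PublicKey")
        .implementation = function (content, pub) {
            // content is the plaintext before encryption; treat this output as sensitive.
            console.log("加密"+content);
            // Forward to the original encrypt so the app's behaviour is unchanged.
            return this.encrypt(content,pub);
        };
    return result;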
}
本文为Adamin90原创文章,转载无需和我联系,但请注明来自http://www.lixiaopeng.top
