Mobile / RE / Bug Hunter
Welcome to hluwa's Publication
A frida tool to dump dex in memory to support security engineers analyzing malware.
License: GNU General Public License v3.0
This is a minor issue.
I have frida-dexdump 2.0.1:
$ pip list | grep dexdump
frida-dexdump 2.0.1
But if I do frida-dexdump --version, it says 15.1.17, which is Frida's version.
The program's help says:
--version show program's version number and exit
So, with this comment, I think that we should get 2.0.1. If not, it's just as simple as modifying the help with something like "show Frida's version number and exit".
Cannot dump when the 360 packer has wiped the header
[Except] - Error: access violation accessing 0xe7402000
at (frida/runtime/core.js:127)
at memorydump (/script1.js:110)
at apply (native)
at (frida/runtime/message-dispatcher.js:13)
at c (frida/runtime/message-dispatcher.js:23): {'addr': '0xe7323490', 'size': 6680424}
[Except] - Error: access violation accessing 0xe7402000
at (frida/runtime/core.js:127)
at memorydump (/script1.js:110)
at apply (native)
at (frida/runtime/message-dispatcher.js:13)
at c (frida/runtime/message-dispatcher.js:23): {'addr': '0xe7323500', 'size': 7013392}
[Except] - Error: access violation accessing 0xe7402000
at (frida/runtime/core.js:127)
at memorydump (/script1.js:110)
at apply (native)
at (frida/runtime/message-dispatcher.js:13)
at c (frida/runtime/message-dispatcher.js:23): {'addr': '0xe73235e0', 'size': 5704696}
FRIDA-DEXDump-1.0.3
frida version 14.2.18
Tried to unpack with it; main.py line 49 throws an error:
发生异常: RPCException
Error: expected an integer
at frida/runtime/core.js:144
at frida/runtime/message-dispatcher.js:15
at o (frida/runtime/message-dispatcher.js:25)
File "E:\Win_tools\FRIDA-DEXDump-master\main.py", line 49, in
bs = script.exports.memorydump(dex['addr'], dex['size'])
Printing (dex['addr'], dex['size']) shows that the last [DEXDump] entry is negative,
like this: addr:-1727442502,size:-1727442502
This is my first time using Frida and I don't quite understand it. Hoping an expert can explain. The server and core are also the latest.
[Except] - Unable to inject into process: unable to connect to remote frida-server in
File "d:\python\python37\lib\site-packages\frida\core.py", line 101, in enumerate_processes
return self._impl.enumerate_processes()
I installed frida-dexdump with pip install and then ran frida-dexdump directly; it gives the error above.
I checked that frida-server connects fine, and frida-ps -U also reads normally. How can I solve this?
Please also recommend a frida version and an emulator Android version.
jadx.plugins.input.dex.DexException: Bad checksum: 0x7d0b2ec3, expected: 0xb39bba93
at jadx.plugins.input.dex.utils.DexCheckSum.verify(DexCheckSum.java:22)
at jadx.plugins.input.dex.DexFileLoader.load(DexFileLoader.java:68)
at jadx.plugins.input.dex.DexFileLoader.loadDexFromFile(DexFileLoader.java:50)
at java.base/java.util.stream.ReferencePipeline$3$1.accept(Unknown Source)
at java.base/java.util.stream.ReferencePipeline$3$1.accept(Unknown Source)
at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(Unknown Source)
at java.base/java.util.stream.AbstractPipeline.copyInto(Unknown Source)
at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(Unknown Source)
at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(Unknown Source)
at java.base/java.util.stream.AbstractPipeline.evaluate(Unknown Source)
at java.base/java.util.stream.ReferencePipeline.collect(Unknown Source)
at jadx.plugins.input.dex.DexFileLoader.collectDexFiles(DexFileLoader.java:45)
at jadx.plugins.input.dex.DexInputPlugin.loadFiles(DexInputPlugin.java:34)
at jadx.plugins.input.dex.DexInputPlugin.loadFiles(DexInputPlugin.java:30)
at jadx.api.JadxDecompiler.loadInputFiles(JadxDecompiler.java:130)
at jadx.api.JadxDecompiler.load(JadxDecompiler.java:114)
at jadx.gui.JadxWrapper.openFile(JadxWrapper.java:52)
at jadx.gui.ui.MainWindow.lambda$openFiles$0(MainWindow.java:427)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.base/java.lang.Thread.run(Unknown Source)
00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 70 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 70 00 00 00
Comparing the classes in the dex obtained by frida-dexdump with the classes obtained by trace method, the dumped dex is missing some classes. Besides using dexdump, what other ways are there to obtain the missing dex files?
The reason the frida module fails to start is still the environment-variable problem of having multiple Python environments; both python2 and python3 can be made to start successfully. Here is the python2 method as an example.
1. Uninstall frida and frida-tools under both python2 and python3
2. Make sure that running "python" runs python2
--> To solve this, put python2's two environment variables in front of python3's two; remember to rename python3 to python3.exe (there is no python.exe in the directory)
3. Reinstall pip; after reinstalling, pip will automatically associate with the Python version
4. Reinstall frida and frida-tools
Solved
Traceback (most recent call last):
File "main.py", line 8, in
import click
ModuleNotFoundError: No module named 'click'
The FRIDA-Dexdump tool does not successfully unpack the following malware and dumps an erroneous DEX file that disassemblers fail to process. It seems there is a checksum issue.
How to reproduce / grab the sample
See this tweet: https://twitter.com/ReBensk/status/1485569424874938371?s=20 and download 53108_Video_Oynatıcı.apk (sha256: 62a313bcf8611205a25850405fdf45c5c207d4755411d1ce26607eeb41581fd7). It is a malware, be cautious, don't install it on a real phone, rather an emulator.
Dump the DEXes
Launch the app, and try to dump its DEXes with frida-dexdump (I personally needed to attach to its PID, the other ways did not work). You should get 2 DEXs: the main one, and the payload.
com.donkey.fragile$ ls
0x7acff17e401c.dex 0x7acff1a4401c.dex
Now, try and decompile 0x7acff17e401c.dex (sha256: 7b9961dbba9b6fb9522d15ef7169af26e30810989b4bb8b58b40f087896d1956).
Disassembly errors
For instance, head to com.about.across.bot.a.a.
With JADX, you get an error at opening the DEX: "Load failed, Error count: 1" and the following logs:
ERROR - File open error: /workshop/./0x7acff17e401c.dex
jadx.plugins.input.dex.DexException: Bad checksum: 0x73eb147b, expected: 0x6f8eb545
at jadx.plugins.input.dex.utils.DexCheckSum.verify(DexCheckSum.java:22)
at jadx.plugins.input.dex.DexFileLoader.checkFileMagic(DexFileLoader.java:57)
at jadx.plugins.input.dex.DexFileLoader.loadDexFromFile(DexFileLoader.java:40)
at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193)
at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193)
at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1384)
at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:482)
at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:472)
at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708)
at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:566)
at jadx.plugins.input.dex.DexFileLoader.collectDexFiles(DexFileLoader.java:35)
at jadx.plugins.input.dex.DexInputPlugin.loadDexFiles(DexInputPlugin.java:29)
at jadx.plugins.input.dex.DexInputPlugin.loadFiles(DexInputPlugin.java:25)
at jadx.api.JadxDecompiler.loadInputFiles(JadxDecompiler.java:126)
at jadx.api.JadxDecompiler.load(JadxDecompiler.java:111)
at jadx.gui.JadxWrapper.openFile(JadxWrapper.java:45)
at jadx.gui.ui.MainWindow.lambda$open$0(MainWindow.java:419)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
INFO - Loaded classes: 0, methods: 0, instructions: 0
With JEB decompiler you get:
public static void a(Context arg5) {
// ERROR - The method was not decompiled
// Cannot decompile method containing odex instructions: Lcom/about/across/bot/a/a;->a(Landroid/content/Context;)V
// Restore the original dex first, then load it into JEB.
// Reference: https://www.pnfsoftware.com/jeb/manual/android/#optimized-dex-odex
}
With baksmali you get:
aput-object v3, v2, v4
invoke-static {v0, v2}, Lcom/about/across/bot/e/d;->a(Ljava/lang/String;[Ljava/lang/Object;)V
invoke-static {p0, v1}, Lcom/about/across/bot/a/a;->a(Landroid/content/Context;Z)V
#disallowed odex opcode
#return-void-no-barrier
nop
.end method
With baksmali + jd-gui, you get:
public class a {
public static void a(Context paramContext) {
d.a("!!!!!", new Object[] { "attempt to enable internet" });
a(paramContext, true);
throw new VerifyError("bad dex opcode");
}
I am using latest FRIDA-Dexdump from git and Frida server 15.1.14.
Spawning xxxxxxxx
...
What is going on when it stays on this screen forever...
Could an expert tell me what causes this error?
frida-server_12.0.5
root@ubuntu:~/apktool/FRIDA-DEXDump# python3 main.py
[DEXDump]: found target [24720] com.xxx.android.xxxx
Traceback (most recent call last):
File "main.py", line 46, in <module>
matches = script.exports.scandex()
File "/usr/local/lib/python3.6/dist-packages/frida/core.py", line 322, in method
return script._rpc_request('call', js_name, args)
File "/usr/local/lib/python3.6/dist-packages/frida/core.py", line 250, in _rpc_request
raise result[2]
frida.core.RPCException: Error: missing argument
at frida/runtime/core.js:223
at scandex (script1.js:13)
at e (frida/runtime/message-dispatcher.js:45)
at t (frida/runtime/message-dispatcher.js:24)
The plugin dexdump dump includes:
[Except] - can only concatenate str (not "int") to str: {'addr': '0x7ebef4a01c', 'size': 686392}
[Except] - can only concatenate str (not "int") to str: {'addr': '0x7ec862f01c', 'size': 237732}
[Except] - can only concatenate str (not "int") to str: {'addr': '0x7ecbd5401c', 'size': 6384772}
[Except] - can only concatenate str (not "int") to str: {'addr': '0x7ecc6b201c', 'size': 7980312}
[Except] - can only concatenate str (not "int") to str: {'addr': '0x7eccee901c', 'size': 9034624}
[Except] - can only concatenate str (not "int") to str: {'addr': '0x7ecdc9c01c', 'size': 4631576}
[Except] - can only concatenate str (not "int") to str: {'addr': '0x7ecf7b0028', 'size': 355688}
[Except] - can only concatenate str (not "int") to str: {'addr': '0x7ecf806d94', 'size': 2436}
[Except] - can only concatenate str (not "int") to str: {'addr': '0x7ecf807718', 'size': 2436}
[Except] - Unable dump dex: Error: missing argument
at frida/runtime/core.js:225
at scandex (/script1.js:117)
at frida/runtime/message-dispatcher.js:45
at o (frida/runtime/message-dispatcher.js:27) in
File "d:\python37\lib\site-packages\frida\core.py", line 333, in _rpc_request
raise result[2]
I'd like to ask: how do you unpack an app that uses TracerPid anti-debugging?
While I am trying to dump dynamically loaded dex files I get an exception.
This is the error log:
[Except] - Error: access violation accessing 0x7854600000
at <anonymous> (frida/runtime/core.js:127)
at memorydump (/script1.js:110)
at apply (native)
at <anonymous> (frida/runtime/message-dispatcher.js:13)
at c (frida/runtime/message-dispatcher.js:23): {'addr': '0x78545fa880', 'size': 90320}
[Except] - Error: access violation accessing 0x7861600000
at <anonymous> (frida/runtime/core.js:127)
at memorydump (/script1.js:110)
at apply (native)
at <anonymous> (frida/runtime/message-dispatcher.js:13)
at c (frida/runtime/message-dispatcher.js:23): {'addr': '0x7861543820', 'size': 4618488}
frida-dexdump -U -f com.sec.n1book1 -d --sleep 5
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
__ _ _ _ _
/ _|_ __(_) __| | __ _ __| | _____ ____| |_ _ _ __ ___ _ __
| |_| '__| |/ _` |/ _` |_____ / _` |/ _ \ \/ / _` | | | | '_ ` _ \| '_ \
| _| | | | (_| | (_| |_____| (_| | __/> < (_| | |_| | | | | | | |_) |
|_| |_| |_|\__,_|\__,_| \__,_|\___/_/\_\__,_|\__,_|_| |_| |_| .__/
|_|
https://github.com/hluwa/frida-dexdump
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Spawning `com.sec.n1book1`...
INFO:Agent:DexDumpAgent<Connection(pid=Session(pid=21402), connected:True), attached=True>: Attach.
INFO:frida-dexdump:Waiting 5s...
INFO:frida-dexdump:[+] Searching...
INFO:frida-dexdump:[*] Successful found 12 dex, used 5 time.
INFO:frida-dexdump:[+] Starting dump to '/Users/xxx/Desktop/hack/tools/ooo/com.sec.n1book1'...
INFO:frida-dexdump:[+] DexMd5=df2b99537b2d11d3074d6fe752a763bb, SavePath=/Users/xxx/Desktop/hack/tools/ooo/com.sec.n1book1/classes.dex, DexSize=0x2154fc
INFO:frida-dexdump:[+] DexMd5=b0cef7130867f8df4b2612290ef8a639, SavePath=/Users/xxx/Desktop/hack/tools/ooo/com.sec.n1book1/classes02.dex, DexSize=0x21c000
INFO:frida-dexdump:[+] DexMd5=4d956f9be62251c9b41aec34bdc39ad4, SavePath=/Users/xxx/Desktop/hack/tools/ooo/com.sec.n1book1/classes03.dex, DexSize=0x77e4
INFO:frida-dexdump:[+] DexMd5=e0ade20e9e8fa40707ca9311ef7471ac, SavePath=/Users/xxx/Desktop/hack/tools/ooo/com.sec.n1book1/classes04.dex, DexSize=0xc2000
INFO:frida-dexdump:[+] DexMd5=f1771b68f5f9b168b79ff59ae2daabe4, SavePath=/Users/xxx/Desktop/hack/tools/ooo/com.sec.n1book1/classes05.dex, DexSize=0x11c
INFO:frida-dexdump:[+] DexMd5=f787db82adb852244f53363bef7debc1, SavePath=/Users/xxx/Desktop/hack/tools/ooo/com.sec.n1book1/classes06.dex, DexSize=0x3e3c2
INFO:frida-dexdump:[+] DexMd5=97b84ab1fdeff52bd3b0dadeab89e7bc, SavePath=/Users/xxx/Desktop/hack/tools/ooo/com.sec.n1book1/classes07.dex, DexSize=0x180000
ERROR:frida-dexdump:[-] Error: access violation accessing 0xea280000
at <anonymous> (frida/runtime/core.js:141)
at memorydump (src/search.ts:41)
at apply (native)
at <anonymous> (frida/runtime/message-dispatcher.js:13)
at c (frida/runtime/message-dispatcher.js:23): {'addr': '0xea2097b0', 'size': 2210360}
Traceback (most recent call last):
File "/Users/xxx/Desktop/hack/tools/ooo/env/lib/python3.8/site-packages/frida_dexdump/__main__.py", line 81, in dump
bs = self.agent.memory_dump(dex['addr'], dex['size'])
File "/Users/xxx/Desktop/hack/tools/ooo/env/lib/python3.8/site-packages/frida_dexdump/agent/__init__.py", line 24, in memory_dump
return self._rpc.memorydump(base, size)
File "/Users/xxx/Desktop/hack/tools/ooo/env/lib/python3.8/site-packages/frida/core.py", line 468, in method
return script._rpc_request('call', js_name, args, **kwargs)
File "/Users/xxx/Desktop/hack/tools/ooo/env/lib/python3.8/site-packages/frida/core.py", line 26, in wrapper
return f(*args, **kwargs)
File "/Users/xxx/Desktop/hack/tools/ooo/env/lib/python3.8/site-packages/frida/core.py", line 400, in _rpc_request
raise result[2]
frida.core.RPCException: Error: access violation accessing 0xea280000
at <anonymous> (frida/runtime/core.js:141)
at memorydump (src/search.ts:41)
at apply (native)
at <anonymous> (frida/runtime/message-dispatcher.js:13)
at c (frida/runtime/message-dispatcher.js:23)
INFO:frida-dexdump:[+] DexMd5=259b24fa37bd13fc13441551db3dc4a2, SavePath=/Users/xxx/Desktop/hack/tools/ooo/com.sec.n1book1/classes08.dex, DexSize=0x76850
INFO:frida-dexdump:[*] All done...
The tool didn't give any runtime-loaded DEXs with DexProtector.
Thank you for this Repo.
unable to access process with pid 1333 due to system restrictions; try sudo sysctl kernel.yama.ptrace_scope=0, or run Frida as root
How do I solve this?
Many packers now come with anti-debugging, and frida can't attach. I've run into a tough one, the Bangbang packer. Even spawning with the -f parameter doesn't get past it; the app opens straight to a black screen. Does anyone have a good idea for one-click dumping of the dex from this kind of packer?
After I did dump a package using frida-dexdump command and find new classes, I hooked new classes, but Frida said like "trace class failed Error: java.lang.ClassNotFoundException: Didn't find class "com.priguard.C4510KernelInstance" on path: DexPathList[[zip file "/data/app/com.ui-1/base.apk"],nativeLibraryDirectories=[/data/app/com.ui-1/lib/x86, /data/app/com.ui-1/base.apk!/lib/x86, /system/lib, /vendor/lib]]"
Hook code is:
// Java.perform's callback takes no arguments, so the class name is passed
// in from an enclosing function instead of as a callback parameter.
function traceClass(targetClass) {
  Java.perform(function () {
    var hook;
    try {
      hook = Java.use(targetClass);
    } catch (e) {
      console.error("trace class failed", e);
      return;
    }
  });
}
Could anyone help me how to hook to com.priguard.C4510KernelInstance?
Hey. After dumping all .dex from memory and trying to decompile it getting:
#disallowed odex opcode
#iget-object-quick v2, p0, field@0x8
nop
Lots of code like this. Tried to decompile with deodex; that did not work either.
How to decompile it?
DEVICE: nexus 5X , SYSTEM: 6.0.1 (MMB29K)
CLIENT: 15.1.17, SERVER: frida-server-15.1.17-android-arm64
COMMAND: frida-ps -U
CAUSE: Android UI Crash
error log:
{"type":"error","description":"RangeError: Maximum call stack size exceeded","stack":"RangeError: Maximum call stack size exceeded\n at Proxy.value (frida/node_modules/frida-java-bridge/lib/class-factory.js:722:1)\n at frida/node_modules/frida-java-bridge/lib/class-factory.js:627:1\n at Array.forEach ()\n at ne (frida/node_modules/frida-java-bridge/lib/class-factory.js:624:1)\n at CallbackContext. (frida/node_modules/frida-java-bridge/lib/class-factory.js:592:1)\n at Function.value (frida/node_modules/frida-java-bridge/lib/class-factory.js:1058:1)\n at Proxy.e (frida/node_modules/frida-java-bridge/lib/class-factory.js:580:1)\n at Function.value (frida/node_modules/frida-java-bridge/lib/class-factory.js:964:1)\n at Proxy.e (frida/node_modules/frida-java-bridge/lib/class-factory.js:547:1)\n at Proxy.sendMessageDelayed.implementation (/internal-agent.js:443:31)","fileName":"frida/node_modules/frida-java-bridge/lib/class-factory.js","lineNumber":722,"columnNumber":1}
frida.PermissionDeniedError: unable to access process with pid 20541 due to system restrictions; try sudo sysctl kernel.yama.ptrace_scope=0, or run Frida as root
Is it inside the app, is there some detection?
Environment: frida 15.1.2, target: 顺丰速运 (SF Express)
In the choose function, the value of target.identifier is the package name:
Application(identifier="com.sf.activity", name="顺丰速运", pid=14246, parameters={})
But in device.enumerate_processes() the process's name value is "顺丰速运" rather than the package name "com.sf.activity", so the match fails.
I suggest handling it in the choose function as follows:
if pid is None and pkg is None:
    target = device.get_frontmost_application()
    pid = target.pid
    # return target.pid, target.identifier
C:\Users\jin10>objection -g wind.android explore -P C:\Users\kingking\.objection\plugins
Using USB device `Pixel 2`
Agent injected and responds ok!
[plugin] C:\Users\kingking\.objection\plugins\dexdump does not appear to be a valid plugin. Missing __init__.py
Loaded plugin: wallbreaker
(objection banner) (object)inject(ion) v1.9.6
Runtime Mobile Exploration
by: @leonjza from @sensepost
[tab] for command suggestions
frida.InvalidOperationError: script has been destroyed
This year the 360 packer added encryption of the dex package; what is dumped cannot be parsed. What should I do? Thanks.
apk: https://www.wandoujia.com/apps/7868176
After installing the apk, modify the script:
Replace get_usb_device with get_remote_device (win64)
Test:
[DEXDump]: found target [1596] com.jtjsb.xndwsq
[DEXDump]: DexSize=0x6df168, SavePath=./com.jtjsb.xndwsq/0xe208f000.dex
[DEXDump]: DexSize=0x23162c, SavePath=./com.jtjsb.xndwsq/0xe276f000.dex
[DEXDump]: DexSize=0x11c, SavePath=./com.jtjsb.xndwsq/0xf46ce678.dex
[DEXDump]: DexSize=0x1, SavePath=./com.jtjsb.xndwsq/0xf46cf0f8.dex
[DEXDump]: DexSize=0x789, SavePath=./com.jtjsb.xndwsq/0xf7531000.dex
Thanks for your hard work.
Heh heh heh
It only finds some dependency packages; nothing under the app's own package name? What's going on?
The dumped hex is split into several files; do they need to be merged? If so, how exactly?
One I tested dumped three hex files; the first two open, the last one opens with nothing in it, but its file size is 2M.
First, thanks to the author for this remarkable and efficient solution.
With excitement I tested it on a real device, using an unpacked APK (I think an unpacked apk also has a dex structure in memory).
The dumped dex file is the same size as the original dex file, but the MD5 differs.
Further, converting the dumped dex file to a jar produces many errors.
Sample:
WiFi ADB Debug Over Air_v3.0.2.apk.zip
Test environment
Nexus 6 (android 5.1)
Nexus 6 (android 7.0)
Google Pixel (android 7.0)
The results were all the same.
Is this approach only effective for packed dex, or is something wrong with my test environment?
If convenient, could you provide sample apks, before and after packing?
Thanks
[Except] - Unable to inject into process: 'NoneType' object has no attribute 'pid' in
File "main.py", line 147, in choose
return target.pid, target.identifier
[Except] - Unable dump dex: process with pid 2023 either refused to load frida-agent, or terminated during injection in
File "/home/kwaiching/.local/lib/python3.8/site-packages/frida/core.py", line 165, in attach
return Session(self._impl.attach(self._pid_of(target), *args, **kwargs))
[Except] - Unable dump dex: process with pid 2262 either refused to load frida-agent, or terminated during injection in
File "/home/kwaiching/.local/lib/python3.8/site-packages/frida/core.py", line 165, in attach
return Session(self._impl.attach(self._pid_of(target), *args, **kwargs))
[Except] - Unable to inject into process: unexpectedly timed out while waiting for FIFO to establish in
File "/home/kwaiching/.local/lib/python3.8/site-packages/frida/core.py", line 93, in get_frontmost_application
return self._impl.get_frontmost_application()
Then my phone rebooted
[DEXDump]: found target [2940] cmb.pb
Permission denied
[Except] - Unable dump dex: process with pid 2940 either refused to load frida-agent, or terminated during injection in
File "C:\Users\xyz\AppData\Roaming\Python\Python37\site-packages\frida\core.py", line 156, in attach
return Session(self._impl.attach(self._pid_of(target), *args, **kwargs))
Please update the version quickly, the current one is too old, hurry...
On Android Emulator (Google APIs), DEXDump cannot stop the process using su -c 'cmd', because the su format there is su [UID[,GID[,GID2]...]] [COMMAND [ARG...]]
02-08/15:17:00 INFO [DEXDump]: found target [19245] logcat
su: invalid uid/gid '-c'
su: invalid uid/gid '-c'
FRIDA-DEXDump uses dump(dexptr, map_offset), but I got an incorrect dex file. When using dex2jar on it, I got an error:
╰─$ sh d2j-dex2jar.sh 0x7ba1f1f01c.dex
dex2jar 0x7ba1f1f01c.dex -> ./0x7ba1f1f01c-dex2jar.jar
java.lang.IllegalArgumentException: newPosition > limit: (1605878 > 427976)
at java.base/java.nio.Buffer.createPositionException(Buffer.java:318)
at java.base/java.nio.Buffer.position(Buffer.java:293)
at java.base/java.nio.ByteBuffer.position(ByteBuffer.java:1094)
at java.base/java.nio.ByteBuffer.position(ByteBuffer.java:262)
at com.googlecode.d2j.reader.DexFileReader.getString(DexFileReader.java:967)
at com.googlecode.d2j.reader.DexFileReader.getType(DexFileReader.java:981)
at com.googlecode.d2j.reader.DexFileReader.accept(DexFileReader.java:654)
at com.googlecode.d2j.reader.DexFileReader.accept(DexFileReader.java:625)
at com.googlecode.d2j.dex.Dex2jar.doTranslate(Dex2jar.java:88)
at com.googlecode.d2j.dex.Dex2jar.to(Dex2jar.java:280)
at com.googlecode.dex2jar.tools.Dex2jarCmd.doCommandLine(Dex2jarCmd.java:112)
at com.googlecode.dex2jar.tools.BaseCmd.doMain(BaseCmd.java:290)
at com.googlecode.dex2jar.tools.Dex2jarCmd.main(Dex2jarCmd.java:33)
So, I found that the dump size is wrong. After modifying the dump size to fileSize, I got a correct dex file and successfully ran dex2jar on it.
My question is: why use map_offset? And why can it dump correctly when dex_size > map_offset?
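As an added example (not frida-dexdump's own code) covering both the "Bad checksum" failures reported above and the map_offset question here: a small Python check that reads a dumped dex header, verifies the Adler-32 checksum, flags the wiped-magic pattern, and compares the header's file_size with the size a map_list-based dumper would produce. The map-based size computation (map_off plus the map_list length) is an assumed illustration of that approach, not the tool's algorithm, and the sample buffer is constructed inline.

```python
import struct
import zlib

DEX_HEADER_SIZE = 0x70
DEX_MAGIC = b"dex\n035\x00"


def parse_dex_header(data):
    """Read the header fields a dumper cares about (little-endian, per the dex format)."""
    if len(data) < DEX_HEADER_SIZE:
        raise ValueError("buffer shorter than a dex header")
    checksum, = struct.unpack_from("<I", data, 8)
    file_size, header_size = struct.unpack_from("<II", data, 32)
    map_off, = struct.unpack_from("<I", data, 52)
    return {"magic": bytes(data[:8]), "checksum": checksum,
            "file_size": file_size, "header_size": header_size, "map_off": map_off}


def header_wiped(hdr):
    """Magic zeroed while header_size still reads 0x70: the pattern in the 360-packed dump above."""
    return hdr["magic"] != DEX_MAGIC and hdr["header_size"] == DEX_HEADER_SIZE


def checksum_ok(data, hdr):
    """The dex checksum is Adler-32 over bytes 12 .. file_size; a truncated dump cannot verify."""
    size = hdr["file_size"]
    if size < DEX_HEADER_SIZE or size > len(data):
        return False
    return (zlib.adler32(data[12:size]) & 0xFFFFFFFF) == hdr["checksum"]


def map_based_size(data, hdr):
    """Size a dumper gets by assuming the map_list is the last thing in the file (assumed method)."""
    off = hdr["map_off"]
    if off + 4 > len(data):
        return None
    n_items, = struct.unpack_from("<I", data, off)
    return off + 4 + 12 * n_items  # map_list = u4 size + n_items * 12-byte map_item


def analyze(data):
    hdr = parse_dex_header(data)
    return {"wiped": header_wiped(hdr), "checksum_ok": checksum_ok(data, hdr),
            "file_size": hdr["file_size"], "map_based_size": map_based_size(data, hdr)}


def build_sample_dex(map_items=1, trailing=0):
    """Constructed minimal dex-shaped buffer: header, a map_list, then `trailing` data bytes after it."""
    map_list = struct.pack("<I", map_items) + b"\x00" * (12 * map_items)
    total = DEX_HEADER_SIZE + len(map_list) + trailing
    hdr = bytearray(DEX_HEADER_SIZE)
    hdr[:8] = DEX_MAGIC
    struct.pack_into("<II", hdr, 32, total, DEX_HEADER_SIZE)
    struct.pack_into("<I", hdr, 40, 0x12345678)       # endian_tag
    struct.pack_into("<I", hdr, 52, DEX_HEADER_SIZE)  # map_off: map_list right after the header
    body = bytes(hdr) + map_list + b"A" * trailing
    chk = zlib.adler32(body[12:]) & 0xFFFFFFFF
    return body[:8] + struct.pack("<I", chk) + body[12:]


if __name__ == "__main__":
    sample = build_sample_dex(map_items=2, trailing=64)
    print(analyze(sample))
    # Cut the dump at the map-based size, as in the dex2jar "newPosition > limit" case above.
    print(analyze(sample[:analyze(sample)["map_based_size"]]))
```

When data follows the map_list, the map-based size is shorter than file_size and the truncated dump fails the checksum, while a wiped magic alone leaves the checksum intact because Adler-32 starts at offset 12.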