frida的rpc远程调用

# -*- coding: UTF-8 -*-
import frida
import sys
jsCode = """
    Java.perform(function(){
        var RequestUtil = Java.use('com.dodonew.online.http.RequestUtil');
        RequestUtil.encodeDesMap.overload('java.lang.String', 'java.lang.String', 'java.lang.String').implementation 
        = function(a, b, c){
            console.log('data: ', a);
            console.log('desKey: ', b);
            console.log('desIV: ', c);
            var retval = this.encodeDesMap(a, b, c);
            send( retval);
            return retval;
        }
        var Utils = Java.use('com.dodonew.online.util.Utils');
        Utils.md5.implementation = function(a){
            console.log('MD5 string: ', a);
            var retval = this.md5(a);
            send( retval);
            recv(function(obj){retval =obj.data}).wait();
            return retval;
        }
        function test(data){
        var result = "";
        Java.perform(function(){
            result = Java.use('com.dodonew.online.util.Utils').md5(data);
        });
        return result;
    }
    rpc.exports = {
        rpcfunc: test
    };
    });
"""
def message_1(message, data):
    print(message)
    if message["type"] == 'send':
        print(u"[*] {0}".format(message['payload']))
        script.post({'data': message['payload']})
    else:
        print(message)
process = frida.get_usb_device().attach('com.dodonew.online')
script = process.create_script(jsCode)
script.load()
script.on('message', message_1)
print("开始运行")
result = script.exports.rpcFUnc('equtype=ANDROID&loginImei=Androidnull&timeStamp=1626790668'
                                +'522&userPwd=a12345678&username=15968079477&key=sdlkjsdljf0j2fsjk')
print("result -> ",result)
sys.stdin.read()

• js代码处：rpc.exports = {rpcfunc: xxx}python代码处：script.exports.rpcfunc()/script.exports.RPCFUNC()
• js代码处：rpc.exports = {rpcFUnc: xxx}python代码处：script.exports.rpc_f_unc()
• python代码处不管rpcfunc还是RPCFUNC，都代表js中的rpcfunc。要表示大写，python代码处需要在字母前面加下划线，比如_f代表js代码中的F

  算法转发-get

1. 本地服务部署

• pip install fastapi
• pip install uvicorn ```python

  -- coding: UTF-8 --

  import frida import sys import uvicorn from fastapi import FastAPI

jsCode = “”” function aa(cc){ var result; Java.perform(function () { result = Java.use(‘com.dodonew.online.util.Utils’).md5(cc); }) return result; } rpc.exports = { bb: aa }; “””

process = frida.get_device_manager().add_remote_device(‘IP:8888’).attach(“com.dodonew.online”) script = process.create_script(jsCode) script.load()

app = FastAPI() @app.get(“/get”) async def getEchoApi(cc): data = script.exports.bb(cc) return {“plaintext”: cc, “result”: data}

if name == ‘main‘: uvicorn.run(app, port = 12345)

疑问点，开一个接口供别人调用这种方式，不知道为啥只能用“frida.get_device_manager().add_remote_device”这种方式；原因待挖掘！！！
<a name="bjnbB"></a>
#### 算法转发-post
```python
# -*- coding: UTF-8 -*-
import frida
import sys
import uvicorn
from pydantic import BaseModel
from fastapi import FastAPI
jsCode = """
function aa(cc){
    var result;
    Java.perform(function () {
        result = Java.use('com.dodonew.online.util.Utils').md5(cc);
    })
    return result;
}
rpc.exports = {
    bb: aa
};
"""
process = frida.get_device_manager().add_remote_device('IP:8877').attach("com.dodonew.online")
script = process.create_script(jsCode)
script.load()
class plainojb(BaseModel):
    参数: str = None
app = FastAPI()
@app.post("/post")
async def getEchoApi(postData: plainojb):
    result = script.exports.bb(postData.参数)
    return {"plaintxt": postData.参数, "encryptdata": result}
if __name__ == '__main__':
    uvicorn.run(app, port = 12345)

外网服务部署

待补充