Space is limited.
For the full content and source code, follow the WeChat public account ReverseCode and send 沖.
Flashing
https://developers.google.com/android/images#angler
Power + Volume Down enters recovery
Pixel
ES File Explorer to browse system files
Reverse engineering needs a real device, and nothing beats Google's own phones: emulators lack the native/so layer and ship a stripped-down system, so a real device is still the way to go.
adb reboot bootloader, or hold Volume Down + Power, to enter fastboot mode
cd sailfish-opm4.171019.021.p1-factory-0bcf4315/sailfish-opm4.171019.021.p1 && ./flash-all.sh starts flashing
Settings - About phone - tap Build number 8 times to enter developer mode, then System - Advanced - Developer options - USB debugging
adb push Magisk-v20.4.zip /sdcard
adb push magisk-riru-v21.3.zip /sdcard/Download, install it as a Magisk module and reboot
adb push magisk-EdXposed-SandHook-v0.4.5.1_beta.4463.-release.zip /sdcard/Download, install it as a Magisk module and reboot
adb install EdXposedManager-4.5.7-45700-org.meowcat.edxposed.manager-release.apk installs the Xposed manager
adb push MagiskHidePropsConf-v5.3.4.zip /sdcard/Download
adb install JustTrustMePlus-debug.apk, used together with Xposed to bypass SSL pinning when capturing traffic
TWRP is the third-party recovery used to flash Magisk, NetHunter and other modified systems.
fastboot flash recovery twrp-3.3.0-0-angler.img
adb reboot bootloader
fastboot boot twrp-3.4.0-0-sailfish.img enters recovery mode
Install Magisk-v20.4.zip
adb install MagiskManager-v7.5.1.apk
settings put global captive_portal_http_url https://www.google.cn/generate_204 removes the × on the Wi-Fi icon
settings put global captive_portal_https_url https://www.google.cn/generate_204
settings put global ntp_server 1.hk.pool.ntp.org sets the NTP time server
reboot
When flashing on Linux with the latest platform-tools, fastboot fails with "unknown command" or similar errors; replace the fastboot binary with the one built together with AOSP, i.e. use a self-compiled fastboot:
rm ~/Android/Sdk/platform-tools/fastboot
cp fastboot810r1 fastboot
fastboot --version
adb over Wi-Fi allows controlling several devices at once
adb -s 192.168.0.104:5555 install 'com.ttxapps.wifiadb_2.1.3-810031745_minAPI15(nodpi)_apkmirror.com.apk'
installs the apk (the parentheses in the file name must be quoted for the shell)
adb connect 192.168.0.104:5555
connects adb to the phone
termux
adb -s 192.168.0.104:5555 install com.termux_92.apk
gives a command line on the app side when adb is blocked
pkg update && pkg install htop
installs a process-management package on the app side
xdebuggable && XAppDebug
Start EdXposed, search for the xdebuggable and XAppDebug modules, install them and enable debugging of the target apk (downloading them requires a proxy)
ro.debuggable
adb push MagiskHidePropsConf-v5.3.4.zip /sdcard/Download
then install MagiskHidePropsConf-v5.3.4.zip through Magisk Manager - Modules - Download
reboot, then adb shell, then run props
1 - Edit device fingerprint
2 - Force BASIC key attestation
3 - Device simulation (disabled)
4 - Edit MagiskHide props
5 - Add/edit custom props
6 - Delete prop values
7 - Script settings
8 - Collect logs
u - Perform module update check
r - Reset all options/settings
b - Reboot device
e - Exit
See the module readme or the
support thread @ XDA for details.
Enter your desired option: 4
1 - ro.debuggable
2 - ro.secure
3 - ro.build.type
4 - ro.build.tags
5 - ro.bootmode
6 - ro.boot.mode
a - Change all props
b - Go back to main menu
e - Exit
Pick several options at once by
separating inputs with a comma.
Example: 1,3,4
See the module readme or the
support thread @ XDA for details.
Enter your desired option: 1
You currently have the safe value set.
Are you sure you want to change it to 1?
Enter y(es), n(o) or e(xit): y
Do you want to reboot now (y/n)?
Enter y(es), n(o) or e(xit): y
getprop ro.debuggable now returns 1: every app on the device is debuggable
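The six properties in the props menu above are exactly the ones an app's integrity checks (and a reviewer of a device fleet) look at to decide whether a device is a stock, locked production build. The following added example, which is not from the post, parses `adb shell getprop` output and reports every one of those properties that is not at its stock value. The sample output is constructed, and the table of stock values is my assumption about what the module calls the "safe value" (the menu above says "You currently have the safe value set").

```python
"""Audit a `getprop` dump for the debug/tamper-related system properties that
MagiskHidePropsConf edits (ro.debuggable, ro.secure, ro.build.type,
ro.build.tags, ro.bootmode, ro.boot.mode). Added example, not from the post."""
import re

# Values a stock, locked production build is expected to report.
# Assumption: these are the "safe" values the MagiskHidePropsConf menu refers to.
SAFE_VALUES = {
    "ro.debuggable": "0",
    "ro.secure": "1",
    "ro.build.type": "user",
    "ro.build.tags": "release-keys",
    "ro.bootmode": "unknown",
    "ro.boot.mode": "unknown",
}

# getprop prints one "[key]: [value]" pair per line.
_PROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")

# Constructed sample: what a dump looks like after option 4 -> 1 of the props
# menu set ro.debuggable to 1, on a build that also carries test-keys.
# Not captured from a real device.
SAMPLE_GETPROP = """\
[ro.boot.mode]: [unknown]
[ro.bootmode]: [unknown]
[ro.build.tags]: [test-keys]
[ro.build.type]: [user]
[ro.debuggable]: [1]
[ro.product.cpu.abi]: [arm64-v8a]
[ro.secure]: [1]
"""


def parse_getprop(text):
    """Parse getprop output into a {key: value} dict; malformed lines are skipped."""
    props = {}
    for line in text.splitlines():
        m = _PROP_LINE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props


def audit_props(props):
    """Return {key: actual_value} for every watched property not at its safe value.

    A property missing from the dump is not reported: absence says nothing about
    tampering, and older builds lack some of these keys."""
    return {
        key: props[key]
        for key, safe in SAFE_VALUES.items()
        if key in props and props[key] != safe
    }


def is_globally_debuggable(props):
    """True when every app on the device is debuggable, i.e. ro.debuggable=1."""
    return props.get("ro.debuggable") == "1"


if __name__ == "__main__":
    found = parse_getprop(SAMPLE_GETPROP)
    for key, val in sorted(audit_props(found).items()):
        print("%-16s %s (expected %s)" % (key, val, SAFE_VALUES[key]))
```

To run it against a real device, feed it the output of `adb shell getprop` (for example `parse_getprop(subprocess.check_output(["adb", "shell", "getprop"], text=True))`); the same six keys are what an app reads through `SystemProperties`, so an empty audit result is the state such checks expect.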
Pixel XL
adb reboot bootloader
fastboot boot twrp-3.4.0-0-marlin.img boots into TWRP
TWRP main screen -> Wipe -> Format Data, type yes
Advanced Wipe -> tick Dalvik / ART Cache, Cache, System, Data and Internal Storage (never tick Vendor) -> swipe the slider to confirm the wipe
TWRP main screen -> Advanced -> ADB Sideload (swipe the slider), tick the Dalvik/cache wipe options
adb sideload lineage-17.1-20201028-nightly-marlin-signed.zip, then reboot
Settings - About phone - tap Build number 8 times to unlock Developer options
Settings - System - Advanced - Developer options - Android debugging
adb install MagiskManager-v7.5.1.apk
adb install EdXposedManager-4.5.7-45700-org.meowcat.edxposed.manager-release.apk
adb push magisk-riru-v21.3.zip /sdcard/Download
adb push MagiskHidePropsConf-v5.3.4.zip /sdcard/Download
adb push EdXposed-SandHook-v0.4.6.2.4529.-release.zip /sdcard/Download
adb reboot bootloader
fastboot boot twrp-3.4.0-0-marlin.img
TWRP main screen -> Advanced -> ADB Sideload (swipe the slider)
adb sideload Magisk-v20.4.zip, then reboot
In Magisk Modules, choose "Install from storage", pick the download directory and install riru, MagiskHidePropsConf and EdXposed
adb install JustTrustMePlus-debug.apk
marlin with the classic stack: SR5-SuperSU-v2.82-SR5-20171001224502.zip, xposed-v89-sdk25-arm64.zip, XposedInstaller_3.1.5
adb reboot bootloader
./flash-all.bat
Settings - About phone - tap Build number 8 times to unlock Developer options
Settings - System - Advanced - Developer options - Android debugging
adb install XposedInstaller_3.1.5.apk
fastboot boot twrp-3.4.0-0-marlin.img
Install SR5-SuperSU-v2.82-SR5-20171001224502.zip and xposed-v89-sdk25-arm64.zip
adb push timeadjust.sh /data/local/tmp && adb shell sh /data/local/tmp/timeadjust.sh
The Pixel series cannot use xposed-v89-sdk25-arm64.zip for Xposed; the framework has to be downloaded from Google (behind an SSR proxy) and installed that way.
Nexus 6P
adb reboot bootloader
fastboot devices
fastboot erase cache; if < waiting for any device > appears, unplug and replug the USB cable
fastboot erase userdata
fastboot flashing unlock
fastboot flash bootloader .\bootloader-angler-angler-03.68.img
fastboot reboot-bootloader
fastboot flash radio .\radio-angler-angler-03.81.img
fastboot reboot-bootloader
fastboot flash vendor .\image-angler-n2g48c\vendor.img
fastboot reboot-bootloader
fastboot flash system .\image-angler-n2g48c\system.img
fastboot flash boot .\image-angler-n2g48c\boot.img
fastboot flash recovery recovery.img
fastboot erase cache
fastboot erase userdata
fastboot flash cache cache.img
fastboot flash userdata userdata.img
fastboot flashing lock
Settings - About phone - tap Build number 8 times to enter developer mode, then enable Developer options
adb push UPDATE-SuperSU-v2.79-20161211114519.zip /sdcard
adb push xposed-v89-sdk25-arm64.zip /sdcard
rom: https://dl.google.com/dl/android/aosp/angler-n2g48c-factory-6a21e528.zip
Unzip it to get angler-n2g48c-factory-6a21e528\angler-n2g48c\image-angler-n2g48c
SuperSU: https://download.chainfire.eu/1016/SuperSU/UPDATE-SuperSU-v2.79-20161211114519.zip
Xposed for Android 7.1 (sdk25): https://dl-xda.xposed.info/framework/sdk25/arm64/xposed-v89-sdk25-arm64.zip
twrp: https://dl.twrp.me/angler/twrp-3.4.0-0-angler.img
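Everything flashed in these sections (bootloader, radio, system, recovery, SuperSU, Xposed) runs with full privileges, so the download is the one point where a swapped or truncated file is still cheap to catch. The following added example, which is not from the post, checks a factory image before flash-all is run. I assume, as the filenames on this page suggest (e.g. angler-n2g48c-factory-6a21e528.zip), that the 8 hex digits at the end of a Google factory image name are the leading digits of the SHA-256 listed on the download page; the name fragment is only a sanity check, and the full digest copied from the page is the real check. The two files it creates are constructed stand-ins with arbitrary content, not real images.

```python
"""Check a downloaded Google factory image against its checksum before running
flash-all. Added example, not from the post. Assumption: Google names factory
image zips <device>-<build>-factory-<first 8 hex digits of SHA-256>.zip
(e.g. angler-n2g48c-factory-6a21e528.zip) and lists the full SHA-256 on the
download page; the filename fragment is a quick sanity check, the full digest
from the page is the real check."""
import hashlib
import os
import re
import tempfile

_FACTORY_NAME = re.compile(
    r"^(?P<device>[a-z0-9]+)-(?P<build>.+)-factory-(?P<frag>[0-9a-f]{8})\.zip$"
)


def sha256_file(path, chunk_size=1 << 20):
    """Hex SHA-256 of a file, read in chunks so multi-GB images do not load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def expected_fragment(path):
    """The 8-hex-digit checksum fragment encoded in the filename, or None."""
    m = _FACTORY_NAME.match(os.path.basename(path))
    return m.group("frag") if m else None


def verify_factory_image(path, full_sha256=None):
    """Return (ok, detail). The filename fragment is always checked; when the
    full SHA-256 from the download page is given, the whole digest must match."""
    digest = sha256_file(path)
    frag = expected_fragment(path)
    if frag is None:
        return False, "filename does not follow the <device>-<build>-factory-<hash8>.zip scheme"
    if not digest.startswith(frag):
        return False, "filename says %s but the file hashes to %s..." % (frag, digest[:8])
    if full_sha256 is not None and digest != full_sha256.strip().lower():
        return False, "full SHA-256 mismatch: file hashes to %s" % digest
    return True, digest


def make_sample_images():
    """Write two constructed stand-ins for factory zips into a temp dir and
    return (good_path, bad_path). The contents are arbitrary bytes, not a real
    image; only the naming/hash relationship is being exercised."""
    tmp = tempfile.mkdtemp(prefix="factory-")
    payload = b"constructed factory image payload, not a real zip\n" * 1000
    digest = hashlib.sha256(payload).hexdigest()
    good = os.path.join(tmp, "angler-n2g48c-factory-%s.zip" % digest[:8])
    # Flip the first hex digit so the name no longer matches the content.
    wrong = ("0" if digest[0] != "0" else "1") + digest[1:8]
    bad = os.path.join(tmp, "angler-n2g48c-factory-%s.zip" % wrong)
    for p in (good, bad):
        with open(p, "wb") as f:
            f.write(payload)
    return good, bad


if __name__ == "__main__":
    good, bad = make_sample_images()
    print(verify_factory_image(good))
    print(verify_factory_image(bad))
```

For a real download, call `verify_factory_image("angler-n2g48c-factory-6a21e528.zip", "<sha256 copied from the images page>")` and only unzip and run flash-all when it returns `(True, digest)`.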
Kali NetHunter
wget https://dl.google.com/dl/android/aosp/angler-opm1.171019.011-factory-39448337.zip
adb kill-server
adb start-server
adb reboot bootloader
./flash-all.sh; if it errors, replace fastboot (locate it with which fastboot) with fastboot 8.1.0 r1; then enable Developer options and USB debugging
https://www.kali.org/kali-nethunter/
https://www.offensive-security.com/kali-linux-nethunter-download/
Nexus 6P Oreo (ZIP)
adb push SR5-SuperSU-v2.82-SR5-20171001224502.zip /sdcard/
adb push nethunter-2021.1-angler-oreo-kalifs-full.zip /sdcard/
adb push timeadjust.sh /sdcard/
adb reboot bootloader
fastboot flash recovery twrp-3.4.0-0-angler.img
After flashing, press Volume Down to select Recovery mode and press Power to enter it.
In recovery, choose Install -> SR5-SuperSU-v2.82-SR5-20171001224502.zip to flash it.
Enter recovery again and flash nethunter-2020.2-pre3-angler-oreo-kalifs-full.zip.torrent; extracting the Kali rootfs midway through can take up to 25 minutes.
Connect to Wi-Fi
sh timeadjust.sh syncs the time, then reboot
After flashing, on the first boot open the NetHunter app first and grant every permission it asks for; from the left navigation open Kali Chroot Manager and tap START KALI CHROOT. This initialisation is needed only once; after any later reboot it shows "Everything is fine and Chroot has been started!" as in the figure.
Open the NetHunter Terminal app, choose KALI, and you are in the Kali system
apt update refreshes the package lists
apt install neofetch htop jnettop
In the NetHunter app, open the KeX Manager tab on the left, tap SETUP LOCAL SERVER, enter and confirm a connection password and a view password, then tap START SERVER. Open the NetHunter KeX app, type the password into the password field, tap Connect, and you land straight on the Kali NetHunter desktop.
Combined with QtScrcpy you can watch the phone screen on the PC, or with a 4-port USB hub drive it entirely with a mouse and keyboard. The system comes with Java, Burp Suite 2020.06, Charles, python3 and python preinstalled.
vnc
Open the NetHunter app
- switch to Kali Chroot Manager, START KALI CHROOT
- switch to Kali Services, start SSH and tick Start at Boot; now you have sshd
- switch to KeX Manager -- SETUP LOCAL SERVER, set a password -- untick Localhost Only -- START SERVER -- OPEN KEX CLIENT
Open VNC Viewer, look up the IP address in the NetHunter terminal, use display 1, and log in over VNC
With a USB-C to 4-port USB hub, attach a keyboard and mouse and the Nexus 6P becomes a Kali computer.
Nexus
adb reboot bootloader
fastboot oem unlock
fastboot erase cache; if < waiting for any device > appears, unplug and replug the USB cable
fastboot erase userdata
fastboot flash bootloader .\bootloader-hammerhead-hhz20h.img
fastboot flash radio .\radio-hammerhead-m8974a-2.0.50.2.30.img
fastboot reboot-bootloader
cd .\image-hammerhead-m4b30z\
fastboot flash recovery recovery.img
fastboot flash boot boot.img
fastboot flash system system.img
fastboot flash userdata userdata.img
fastboot erase cache
fastboot erase userdata
fastboot flash cache cache.img
fastboot flash userdata userdata.img
fastboot reboot
Settings - About phone - tap Build number 8 times to enter developer mode, then enable Developer options
adb push UPDATE-SuperSU-v2.79-20161211114519.zip /sdcard
adb push .\xposed-v89-sdk23-arm.zip /sdcard
adb reboot bootloader
fastboot flash recovery twrp-3.4.0-0-hammerhead.img, then enter recovery mode
adb install .\XposedInstaller_3.1.5.apk installs Xposed
adb shell, then su to obtain superuser rights
chmod 711 /data/user/0/de.robv.android.xposed.installer
reboot; installation finished
Xiaomi Mix 2
Enable Developer options - USB debugging - Device unlock status - bind the account and the device
adb reboot bootloader, then unlock the bootloader by running miflash_unlock.exe
EdXposed-SandHook-v0.4.6.2.4529.-release.zip
adb reboot bootloader
fastboot flash recovery twrp-3.3.1-1-chiron.img
fastboot boot twrp-3.3.1-1-chiron.img
adb push lineage-17.0-chiron.zip (the path must contain no Chinese characters)
Once in TWRP, wipe the Cache, System and Data partitions
Install lineage-17.0-chiron.zip
Install Magisk-v20.4.zip
adb install MagiskManager-v7.5.1.apk
adb install EdXposedManager-4.5.7-45700-org.meowcat.edxposed.manager-release.apk
Install in Magisk:
adb push magisk-riru-v21.3.zip /sdcard/Download
adb push MagiskHidePropsConf-v5.3.4.zip /sdcard/Download
adb push EdXposed-SandHook-v0.4.6.2.4529.-release.zip /sdcard/Download
Genymotion
Keep a global proxy on for the whole installation; install the Nexus 5X 8.0 image
Set network mode to Bridge, or switch the network to bridged in VirtualBox; if VirtualBox offers no bridged adapter to choose,
edit D:\VirtualBox\drivers\network\netlwf\VBoxNetLwf.inf
settings - system - Languages & input - Languages - Add a language - 簡體中文 (Simplified Chinese)
What if adb cannot connect to Genymotion?
In Genymotion's settings, set Use custom Android SDK tools to the local Android SDK path
adb kill-server + adb start-server restarts adb
After installing WiFi ADB it works; by default the 192.x subnet is reachable; with bridging configured, adb connect 192.168.0.104:5555
ARM translation
uname -a reports i686
The CPU architecture is 32-bit x86, which cannot run ARM code, so the ARM translation layer is needed: drag Genymotion-ARM-Translation_for_8.0.zip into the Nexus 5X 8.0 VM to install it
adb reboot, after which apks that ship ARM .so libraries can be installed
Kali
Stop using Windows. As Lu Xun once said, more than half of the suffering in his reverse-engineering career was bestowed on him by Windows.
VMware installer key: YC34H-6WWDK-085MQ-JYPNX-NZRA2
kali-linux-2020.4-vmware-amd64.7z (torrent); open the vmx file in VMware, configure 6 GB of RAM and an 80 GB disk, set the network adapter to bridge to the local NIC (Virtual Network Editor); default credentials kali/kali; sudo passwd root to change the root password to 123456
After rebooting, log in as root; the Android Studio installer is android-studio-ide-201.7042882-linux.tar.gz
~/.cache/vmware/drag_and_drop: periodically delete this cache of files copied in by drag and drop
Basic configuration
apt update; apt install htop jnettop tmux iotop
dpkg-reconfigure tzdata, choose Asia/Shanghai
apt update; the update also syncs the time automatically
apt install xfonts-intl-chinese installs Chinese fonts
apt-get install ttf-wqy-microhei
# nano /etc/ssh/sshd_config to enable sshd
PermitRootLogin yes
# /etc/init.d/ssh start
Common software
tar zxf android-studio-ide-201.7042882-linux.tar.gz
cd ~/Desktop/android-studio/bin && ./studio.sh starts Android Studio
ctrl+shift+t opens a new terminal in the current window
vim ~/.zshrc
export PATH="/root/Android/Sdk/platform-tools:$PATH" adds it to the PATH
exec "$SHELL"
dpkg -i code_1.52.1-1608136922_amd64.deb installs VS Code
If Android Studio reports
To build this project, accept the SDK license agreements and install the missing components?
run /root/Android/Sdk/tools/bin/sdkmanager --licenses
jadx-1.2.0.zip for opening multi-dex apks; in the jadx-gui launcher change the line to set DEFAULT_JVM_OPTS="-Xms512M" "-Xmx8g", and add it to the PATH in zshrc: export PATH="/root/Android/Sdk/ndk-bundle:/root/Android/Sdk/platform-tools:${JAVA_HOME}/bin:$PATH:/root/Desktop/charles/bin:/root/Desktop/jadx-1.2.0/bin:$NDK_HOME"
curl -fsSL https://deb.nodesource.com/setup_14.x | bash -
apt-get install -y nodejs
npm install --save @types/frida-gum for frida code completion
jeb-pro-3.19.1.202005071620_pwd_ilbtcdnwiuypbzeo_.7z: run ./jeb_linux.sh, enter the password ilbtcdnwiuypbzeo, in the UI click the middle button under Manual Key Generation to get the LICENSE DATA, run jebKeygen.py to obtain the license key, enter it in the key field and continue
DDMS from Android Studio 4 fails to start on Kali because it has to be launched with the JRE bundled with Android Studio; running ./monitor directly uses Kali's system JDK, which is too new. ln -s /root/Desktop/android-studio/jre/ /root/Android/Sdk/tools/lib/monitor-x86_64/ and then open DDMS via ~/Android/Sdk/tools/monitor
vim ~/.bashrc && source ~/.bashrc
export PATH=$PATH:/root/Android/Sdk/platform-tools
jdk1.8
apt-get remove openjdk-11-jre-headless:amd64
apt-get remove openjdk-11-jre:amd64
mkdir -p /opt/jdk && tar zxf jdk-8u191-linux-x64.tar.gz -C /opt/jdk --strip-components=1
The tarball has a jdk1.8.0_191/ top-level directory; stripping it is what makes /opt/jdk/bin/java exist, which the JAVA_HOME below relies on
vim ~/.zshrc
export JAVA_HOME=/opt/jdk
export CLASSPATH=.:${JAVA_HOME}/lib
export PATH="/root/Android/Sdk/ndk-bundle:/root/Android/Sdk/platform-tools:${JAVA_HOME}/bin:$PATH"
source ~/.zshrc
update-alternatives --install /usr/bin/java java /opt/jdk/bin/java 1
update-alternatives --install /usr/bin/javac javac /opt/jdk/bin/javac 1
update-alternatives --set java /opt/jdk/bin/java
update-alternatives --set javac /opt/jdk/bin/javac
nexus 5x
Install order: twrp -> SuperSU -> nethunter
Download the Nexus 5X build from kali nethunter; with screen mirroring it becomes a mini Linux pentest box. Install it through twrp, then sh userinit.sh
syncs the time
| Key | Action |
|---|---|
| tab | toggle between smali and Java code |
| ctrl+b | set a breakpoint (only works in the smali view) |
| esc | go back to the previous reference |
View components configured in activity_main.xml: in JEB they appear in the code as hexadecimal resource IDs; convert them to decimal with the calculator's programmer mode; jadx records that decimal value in resources.arsc. GDA has an APK entry point that goes straight to MainActivity, where the IDs are likewise stored in code as hexadecimal.
Basic commands
| Command | Purpose |
|---|---|
| getprop ro.product.cpu.abi | check the CPU ABI; emulators are usually x86 |
| dumpsys meminfo pid | memory-mapping information for a process |
| cat /proc/pid/maps | the .so libraries loaded by a process |
| cat /proc/pid/maps \| grep -i libart.so | all Java code is executed through libart.so, the key to unpackers |
| dumpsys activity top | show the current Activity and its View Hierarchy, with the class of each view |
| dumpsys package com.soviet.hook4crawler | information about a running package |
| pm list packages | list all installed packages |
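`cat /proc/pid/maps` is the raw form of most of the information the table above is after: which libraries a process loaded, where libart.so sits, and whether anything executable was mapped that should not be there. The following added example, which is not from the post, parses that format (one `start-end perms offset dev inode [path]` line per mapping), de-duplicates the loaded .so files, returns the base address of a named library, and flags two things a triage looks for: anonymous regions that are both writable and executable, and code backed by a file outside the usual system/app locations. The sample lines are constructed, and the list of trusted path prefixes is a heuristic I chose, not a fixed rule.

```python
"""Parse /proc/<pid>/maps (as read with `adb shell cat /proc/<pid>/maps`) to list
the shared objects a process has loaded and to flag mappings worth a second
look. Added example, not from the post; the sample maps lines are constructed."""
import re

# Each line: start-end perms offset dev inode [pathname]
_MAP_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)

# Constructed sample, not captured from a device: libart.so mapped in three
# segments, libc, an app library, an anonymous rwx region and a library loaded
# from /data/local/tmp.
SAMPLE_MAPS = """\
12c00000-52c00000 rw-p 00000000 00:00 0          [anon:dalvik-main space (region space)]
7a1b2c3000-7a1b2f5000 r--p 00000000 fd:00 1234    /apex/com.android.runtime/lib64/libart.so
7a1b2f5000-7a1b5e0000 r-xp 00032000 fd:00 1234    /apex/com.android.runtime/lib64/libart.so
7a1b5e0000-7a1b5f8000 rw-p 0031d000 fd:00 1234    /apex/com.android.runtime/lib64/libart.so
7a1c000000-7a1c0a0000 r-xp 00000000 fd:00 2345    /system/lib64/libc.so
7a1d000000-7a1d020000 r-xp 00000000 fd:01 3456    /data/app/com.example.app-1/lib/arm64/libnative.so
7a1e000000-7a1e010000 rwxp 00000000 00:00 0
7a1f000000-7a1f008000 r-xp 00000000 fd:01 4567    /data/local/tmp/libhelper.so
"""


def parse_maps(text):
    """Return one dict per mapping: start, end (ints), perms, path ('' if anonymous)."""
    maps = []
    for line in text.splitlines():
        m = _MAP_LINE.match(line.strip())
        if not m:
            continue
        maps.append({
            "start": int(m.group("start"), 16),
            "end": int(m.group("end"), 16),
            "perms": m.group("perms"),
            "path": m.group("path").strip(),
        })
    return maps


def loaded_libraries(maps):
    """Sorted unique paths of file-backed .so mappings (what `grep .so` shows, de-duplicated)."""
    return sorted({m["path"] for m in maps if m["path"].endswith(".so")})


def base_address(maps, name):
    """Lowest start address of the library whose path ends with `name`, or None.
    Subtracting it from a runtime pointer gives the offset to look up in IDA/Ghidra."""
    starts = [m["start"] for m in maps if m["path"].endswith("/" + name) or m["path"] == name]
    return min(starts) if starts else None


def suspicious_mappings(maps):
    """Triage heuristic: writable+executable anonymous regions (typical of injected
    or runtime-written code) and executable code backed by files outside the
    normal system/app library locations, e.g. /data/local/tmp. The prefix list
    is an assumption for this example, not a platform rule."""
    trusted_prefixes = ("/system/", "/vendor/", "/apex/", "/data/app/")
    out = []
    for m in maps:
        if "x" not in m["perms"]:
            continue
        if m["path"] == "" and "w" in m["perms"]:
            out.append(("anon-rwx", m))
        elif m["path"] and not m["path"].startswith(trusted_prefixes) and not m["path"].startswith("["):
            out.append(("exec-from-untrusted-path", m))
    return out


if __name__ == "__main__":
    maps = parse_maps(SAMPLE_MAPS)
    print("libart.so base: 0x%x" % base_address(maps, "libart.so"))
    for reason, m in suspicious_mappings(maps):
        print(reason, hex(m["start"]), m["perms"], m["path"])
```

Against a live process, replace SAMPLE_MAPS with the output of `adb shell cat /proc/<pid>/maps`; the ART JIT legitimately creates some rwx regions, so treat the anon-rwx hits as a list to look at, not as a verdict.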
pyenv environment
Manage multiple versions of the Python packages (frida, objection, ...)
Full install of the latest versions: proxychains pip install objection
3.8.0
PYTHON_CONFIGURE_OPTS="--disable-ipv6" proxychains4 pyenv install 3.8.0
pyenv local 3.8.0
PYTHON_CONFIGURE_OPTS="--disable-ipv6" proxychains4 pip install frida==12.8.0
PYTHON_CONFIGURE_OPTS="--disable-ipv6" proxychains4 pip install frida-tools==5.3.0
PYTHON_CONFIGURE_OPTS="--disable-ipv6" proxychains4 pip install objection==1.8.4
objection -g com.android.settings explore
7z x frida-server-12.8.0-android-arm64
adb push frida-server-12.8.0-android-arm64 /data/local/tmp
mv frida-server-12.8.0-android-arm64 fs128arm64 renames the binary to evade anti-debugging checks
chmod 755 fs128arm64
objection -g com.android.settings explore
android hooking list classes
Pinning a specific frida version
Installed in this order, installing objection reports Requirement already satisfied and does not download a newer frida.
pip install frida==12.8.0
pip install frida-tools==5.3.0
pip install objection==1.8.4
frida development environment
pyenv local 3.8.0 && ./fs128arm64
- git clone https://github.com/oleavr/frida-agent-example.git
- cd frida-agent-example/
- npm install
- Open the project in VS Code or another IDE and write TypeScript under agent/; you get code completion.
- npm run watch watches for source changes and recompiles the js file automatically
- frida -UF -l demo.js: over USB, attach to the foreground app; saving the file reloads demo.js automatically for hooking
Java.perform(function(){console.log("frida hook")})
- frida -UF -l demo.js --runtime=v8 uses the V8 engine
Java.perform(()=>{console.log("Hello World")})
- frida-ps -U lists all processes
- frida -H 192.168.0.100:5555 -f com.ttxapps.wifiadb -l demo.js --runtime=v8 hooks remotely; -l selects the script
- frida -Uf com.android.settings -l demo.js --runtime=v8 --no-pause starts the app over USB and loads demo.js; -f is spawn mode, --no-pause resumes the app immediately, otherwise you need %resume to start the main thread
- frida -UF --runtime=v8 -e "Java.perform(()=>{console.log('Hello World')})" -o /root/log.txt runs an inline script and writes the output to a file
Remote connection
./fs128arm64 -v -l 0.0.0.0:8888
starts frida-server on a chosen port; the default port is 27042
frida-ps -H 192.168.0.8:8888
-U means USB, -H means the host IP
frida -H 192.168.0.8:8888 -F
-H gives the host IP, -F attaches to the foreground app; typing frida alone shows Frida's version info
cd frida-agent-example/ && npm install && npm run watch, then in a second terminal frida -H 192.168.0.8:8888 -F -l agent/demo.js runs the js script remotely (npm run watch keeps running, so chaining frida after it with && would never execute)
Java.perform(()=>{console.log("Hello World")})
function main(){
    Java.perform(function(){
        console.log("hello")
    })
}
setImmediate(main)
Remote invocation from Python
import sys
import time
import frida

device = frida.get_usb_device()
print(device.get_frontmost_application())
# pid = device.spawn(["com.onejane.demo02"])   # spawn mode: start the app under Frida
pid = device.get_frontmost_application().pid   # attach to the foreground app; with a double-process guard, give the pid explicitly
print(device.enumerate_processes())   # enumerate all processes
print(device.enumerate_applications())   # enumerate all package names
# device.resume(pid)   # only needed after spawn()
# time.sleep(1)
session = device.attach(pid)
with open("demo.js") as f:
    script = session.create_script(f.read())
script.load()
sys.stdin.read()   # keep the process alive; exiting would detach and remove the hooks
plugins
proxychains git clone https://github.com/hluwa/FRIDA-DEXDump ~/Downloads/FRIDA-DEXDump for unpacking (dex dumping)
mv ~/Downloads/FRIDA-DEXDump/frida_dexdump ~/.objection/plugins/dexdump; a plugin directory under plugins must contain an __init__.py
proxychains git clone https://github.com/hluwa/Wallbreaker ~/.objection/plugins/Wallbreaker for memory exploration
objection -N -h 192.168.0.8 -p 8888 -g com.android.settings explore -P ~/.objection/plugins connects remotely and loads all plugins
Published via the multi-platform blog publishing tool OpenWrite.