手册
Frida手册#
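// Frida hook script for ./chall: logs every strcmp/strncmp call with its
// string arguments, and dumps rax plus a small memory window at one
// hard-coded call site. Loaded by the Python driver via create_script().
'use strict';

// Resolves an exported symbol across all loaded modules.
// Module.findExportByName() returns null when the symbol is absent (e.g. a
// statically linked or stripped target); failing here gives a clear message
// instead of letting Interceptor.attach() throw on a null pointer.
function requireExport(name) {
  const address = Module.findExportByName(null, name);
  if (address === null) {
    throw new Error(`export not found: ${name}`);
  }
  return address;
}

// Reads a NUL-terminated string argument for logging only. The pointer may
// not reference readable memory or valid UTF-8 (strcmp is also called with
// non-user data), so a read failure is reported inline rather than aborting
// the hook and losing the rest of the trace.
function readArg(pointer) {
  try {
    return pointer.readUtf8String();
  } catch (err) {
    return `<unreadable ${pointer}: ${err.message}>`;
  }
}

Interceptor.attach(requireExport('strcmp'), {
  onEnter(args) {
    console.log(`strcmp(${readArg(args[0])}, ${readArg(args[1])})`);
  },
});

Interceptor.attach(requireExport('strncmp'), {
  onEnter(args) {
    // args[2] is the length (size_t); printed as a NativePointer, i.e. in hex.
    console.log(`strncmp(${readArg(args[0])}, ${readArg(args[1])}, ${args[2]})`);
  },
});

// Both addresses are absolute and specific to this build of the binary
// (no module-base relocation is applied, so they assume a non-PIE load at
// the expected address), and rax is an x64 register — this part of the
// script is architecture- and build-specific.
const CALL_SITE = ptr('0x401AA5');
const DUMP_ADDRESS = ptr(0x401123);

Interceptor.attach(CALL_SITE, {
  onEnter() {
    console.log('call ', this.context.rax);
    console.log(hexdump(DUMP_ADDRESS, {
      offset: 0,
      length: 8,
      header: true,
      ansi: false,
    }));
  },
});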
Python脚本,处理输入流#
不能使用 shell=True !!
import subprocess
import frida
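# Start ./chall with all three standard streams on pipes. The argv list is
# passed straight to exec (no shell), so the command line is never
# interpreted by a shell. With stdin on a pipe the target blocks on input
# until communicate() writes to it, which leaves time to install the hooks
# first — NOTE(review): this assumes the binary reads stdin before the
# comparisons of interest; confirm against the target.
p = subprocess.Popen(
    ["./chall"],
    stdin=subprocess.PIPE,
    stdout=subprocess.PIPE,
    stderr=subprocess.PIPE,
)

# Attach to the already-running process by pid.
session = frida.attach(p.pid)

# Read the hook script inside a context manager so the file handle is closed
# as soon as the source has been read, then load it into the target.
with open("./hook_cmp.js", "r") as f:
    script = session.create_script(f.read())
script.load()

# Feed the candidate input, collect everything the target wrote to stdout
# and stderr, and wait for it to exit.
stdout, stderr = p.communicate(b"flag{")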
Frida配合IDA#
