0x00 Install Frida
0x01 Get the pid of the 360 Super Root app
$ frida-ps -Ua
PID Name Identifier
2690 360超级ROOT com.qihoo.permmgr
2496 Android Keyboard (AOSP) com.android.inputmethod.latin
2266 Android System android
3023 Calendar com.android.calendar
2856 Calendar Storage com.android.providers.calendar
3106 Clock com.android.deskclock
0x02 Extraction script
# -*- coding:utf-8 -*-
import sys

import frida


def on_message(message, data):
    # Messages posted from the JS side with send(); console.log output
    # is printed by Frida itself.
    if message['type'] == 'send':
        print("[*] {0}".format(message['payload']))
    else:
        print(message)


jscode = """
Java.perform(function () {
    var currentApplication = Java.use("android.app.ActivityThread").currentApplication();
    var context = currentApplication.getApplicationContext();
    var pkgName = context.getPackageName();
    console.log("inject " + pkgName + " successfully!");
    // load the dynamically loaded dex so that its classes are visible to Java.use
    Java.openClassFile("/data/data/com.qihoo.permmgr/files/permmgr/core.dex").load();
    var phoneSummary = Java.use("com.qihoo.permmgr.util.PhoneSummary").getInstance(context);
    //phoneSummary.strEmulatorString.value = "xxxx";
    var strEmulatorString = phoneSummary.getStrEmulatorString();
    var isPostRoot = 0;
    var intNew = 1;
    var strAppend = "&pr=" + isPostRoot + "&new=" + intNew;
    var req = phoneSummary.getRequestParams(strAppend, true);
    console.log("req : " + req);
    var AESUtils = Java.use("com.qihoo.permmgr.util.AESUtils");
    var aes_req = AESUtils.AESEncrypt(req);
    var url = "https://api.shuaji.360.cn/c/getsolutionex?req=" + aes_req;
    console.log("url : " + url);
    var aes_resp = Java.use("com.qihoo.permmgr.util.HttpUtlis").httpsGetString(context, url);
    var resp = AESUtils.AESDecrypt(aes_resp);
    console.log("resp : " + resp);
});
"""

if __name__ == "__main__":
    dev = frida.get_usb_device(1)
    print(dev)
    # pid of com.qihoo.permmgr as listed by `frida-ps -Ua` (step 0x01), passed on the command line
    pid = int(sys.argv[1])
    #session = dev.attach("com.qihoo.permmgr")  # attaching by package name also works
    session = dev.attach(pid)
    script = session.create_script(jscode)
    script.on('message', on_message)
    print('[*] Running frida')
    script.load()
    sys.stdin.read()
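Resolving the pid from step 0x01 automatically instead of pasting it into the script: the following is an added example, not code from the original post, that parses the `frida-ps -Ua` table and looks up a package identifier. The Name column may contain spaces, so each row is read from both ends (PID first token, Identifier last token); the sample output is constructed from the listing above.

```python
# -*- coding: utf-8 -*-
import subprocess

# Constructed sample of `frida-ps -Ua` output, mirroring the listing in step 0x01.
SAMPLE_PS_OUTPUT = """\
 PID  Name                     Identifier
----  -----------------------  ------------------------------
2690  360超级ROOT               com.qihoo.permmgr
2496  Android Keyboard (AOSP)  com.android.inputmethod.latin
2266  Android System           android
3023  Calendar                 com.android.calendar
"""


def parse_frida_ps(output):
    """Return {identifier: pid} parsed from `frida-ps -Ua` text.

    Header, separator and blank lines are skipped because their first
    token is not a number. Names with spaces are handled by taking the
    PID from the start of the row and the Identifier from the end.
    """
    procs = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 2 or not parts[0].isdigit():
            continue
        pid, identifier = int(parts[0]), parts[-1]
        procs[identifier] = pid
    return procs


def pid_for(output, identifier):
    """pid of the app with this package identifier, or None if it is not running."""
    return parse_frida_ps(output).get(identifier)


if __name__ == "__main__":
    # Live lookup on a connected device; the result is what the script
    # in step 0x02 expects as its command-line argument.
    live = subprocess.check_output(["frida-ps", "-Ua"]).decode("utf-8")
    print(pid_for(live, "com.qihoo.permmgr"))
```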
0x03 Notes
The solution-fetching flow of 360 Super Root is implemented mainly by dynamically loading /data/data/com.qihoo.permmgr/files/permmgr/core.dex. Some method bodies have been stripped out of core.dex; for example, the httpsGetString method of the class com.qihoo.permmgr.util.HttpUtlis is removed and only restored when the function needs to run. Here we do not restore them at all; instead we call these functions directly through Frida.
Also, simply changing the individual members of the PhoneSummary object (which holds the phone model parameters) is enough to fetch solutions for different device models, for example:
phoneSummary.strEmulatorString.value = "xxxx";
All members of PhoneSummary are as follows:
import android.content.Context;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantLock;

// Decompiled field list of the class; method bodies are omitted here.
public class PhoneSummary {
    public static PhoneSummary instance = null;
    private static Lock lock = new ReentrantLock();
    private String appver = null;
    private String ar = null;
    private String brand = null;
    private String buildTime = null;
    private String buildno = null;
    private String camerres = null;
    private String cpunum = null;
    private String cr = null;
    private String cr1 = null;
    private String dis = null;
    private String displayid = null;
    private String firstbootTime = null;
    private String fp = null;
    private String hasSimCard = null;
    private String imei = null;
    private String isArt = null;
    private String m2 = null;
    private Context mContext = null;
    private String manufacturer = null;
    private String model = null;
    private String netType = null;
    private String pid = null;
    private String platform = null;
    private String res = null;
    private String se = null;
    private String strEmulatorString = null;
    private String version = null;
    private String vid = null;
    private String wifiMac = null;
}