如何访问对象的字段
How to access object's fields
我可以使用 frida 在 android 应用程序上挂钩方法:
Java.perform(function () {
var targetClass = Java.use("X.0kI");
targetClass.getDoneValue.overload('java.lang.Object').implementation = function (object) {
var retval = this.getDoneValue(object);
console.log('return: ' + retval);
console.log('return: classname: ' + retval.$className);
console.log('return: success: ' + retval.success);
console.log('return: resultDataBundle: ' + retval.resultDataBundle);
console.log('return: toString(): ' + retval.toString());
};
})
此代码提供以下日志:
return: OperationResult success=true, resultDataString=, resultDataBundle=Bundle[{result=com.testapp.account.recovery.common.protocol.TestMethod$Result@a0a6954, resultType=1}], errorCode=NO_ERROR, errorDescription=, exception=
return: classname: com.testapp.service.OperationResult
return: success: undefined
return: resultDataBundle: undefined
return: toString(): OperationResult success=true, resultDataString=, resultDataBundle=Bundle[{result=com.testapp.account.recovery.common.protocol.TestMethod$Result@a0a6954, resultType=1}], errorCode=NO_ERROR, errorDescription=, exception=
为什么 retval.success 和 retval.resultDataBundle 是 undefined 尽管有第一行和最后一行的日志?
或者也许还有其他方法可以访问这些字段?
我也试过使用 Java.cast:
var OperationResult = Java.use('com.testapp.service.OperationResult');
if (retval.$className === 'com.testapp.service.OperationResult') {
var result = Java.cast(retval, OperationResult);
console.log('result: success: ' + result.success);
console.log('result: resultDataBundle: ' + result.resultDataBundle);
}
有日志:
result: success: [object Object]
result: resultDataBundle: [object Object]
JSON.stringify() 给出 {} 而不是 [object Object]
也很累 Java.choose() 结果几乎相同 undefined。
我应该如何使用 Frida 正确访问 Java 对象的字段?
*编辑
Class 描述使用 Object.getOwnPropertyNames(jClass.__proto__):
_name: com.testapp.service.OperationResult
_fields:
public android.os.Bundle com.testapp.service.OperationResult.resultDataBundle
public boolean com.testapp.service.OperationResult.success
转换后使用 .value 访问成员的值。
console.log(success.value)
我可以使用 frida 在 android 应用程序上挂钩方法:
Java.perform(function () {
var targetClass = Java.use("X.0kI");
targetClass.getDoneValue.overload('java.lang.Object').implementation = function (object) {
var retval = this.getDoneValue(object);
console.log('return: ' + retval);
console.log('return: classname: ' + retval.$className);
console.log('return: success: ' + retval.success);
console.log('return: resultDataBundle: ' + retval.resultDataBundle);
console.log('return: toString(): ' + retval.toString());
};
})
此代码提供以下日志:
return: OperationResult success=true, resultDataString=, resultDataBundle=Bundle[{result=com.testapp.account.recovery.common.protocol.TestMethod$Result@a0a6954, resultType=1}], errorCode=NO_ERROR, errorDescription=, exception=
return: classname: com.testapp.service.OperationResult
return: success: undefined
return: resultDataBundle: undefined
return: toString(): OperationResult success=true, resultDataString=, resultDataBundle=Bundle[{result=com.testapp.account.recovery.common.protocol.TestMethod$Result@a0a6954, resultType=1}], errorCode=NO_ERROR, errorDescription=, exception=
为什么 retval.success 和 retval.resultDataBundle 是 undefined 尽管有第一行和最后一行的日志?
或者也许还有其他方法可以访问这些字段?
我也试过使用 Java.cast:
var OperationResult = Java.use('com.testapp.service.OperationResult');
if (retval.$className === 'com.testapp.service.OperationResult') {
var result = Java.cast(retval, OperationResult);
console.log('result: success: ' + result.success);
console.log('result: resultDataBundle: ' + result.resultDataBundle);
}
有日志:
result: success: [object Object]
result: resultDataBundle: [object Object]
JSON.stringify() 给出 {} 而不是 [object Object]
也很累 Java.choose() 结果几乎相同 undefined。
我应该如何使用 Frida 正确访问 Java 对象的字段?
*编辑
Class 描述使用 Object.getOwnPropertyNames(jClass.__proto__):
_name: com.testapp.service.OperationResult
_fields:
public android.os.Bundle com.testapp.service.OperationResult.resultDataBundle
public boolean com.testapp.service.OperationResult.success
转换后使用 .value 访问成员的值。
console.log(success.value)