Looking for the missing class name

One 、 The goal is

A friend asked me a novice question a few days ago ,frida Tips ： Can't find p009cn.com.chinatelecom.gateway.lib.C1402a This class

as a result of ,jadx When decompiling , In order to avoid confusion , Will handle the class name , Add a few numbers , So that you can distinguish , It won't be full of variables a.

In fact, he has already reminded you , The real class name of this class is cn.com.chinatelecom.gateway.lib.a

I thought it was over like this , Who knows, two days later , On a dark, windy night , I also have this problem .

Two 、 step

The class name is a strange character

The old Jianghu has also encountered new problems , What the hell is this class name ？

1:step1

current App It's too rude , I will endure the confusion , Make a ghost symbol , What is the operation ？

This symbol is not easy to type , The normal operation is to directly copy the class name to js Inside , The result is bad ,frida Still complaining Can't find this class .

Checked the js file , There is one encodeURIComponent() function , This ghost symbol can be passed UTF-8 Escape of encoding Then print it out .

But what is the escape character of this class name ？

Ergodic

We can find a clever way , Traverse the classes under this package , In this way, you can know the class name UTF-8 Did you escape the code ？

Java.enumerateLoadedClasses({
    onMatch: function(className) {
        if(className.indexOf('com.google.android.material.tooltip') >=0 ){
            console.log(className.toString());
            console.log(encodeURIComponent(className.toString()));
        }
    },
    onComplete:function(){
    }
});

Run , The symbol is obvious .

1:show1

Hook And

How about getting the escape code hook Well ？ It's time to decodeURIComponent Function

var hookCls = Java.use(decodeURIComponent('com.google.android.material.tooltip.%DB%A4%DB%A4%DB%9F%DB%A6'));

This time, frida Don't complain that you can't find the class name .

Member function name

Finding the class name is certainly not our goal , Our goal is the sea of stars , Oh no , yes hook Member function .

1:step2

It is as expected , Its method name , Still a ghost symbol .

At this time, we need to traverse the method name

var hookCls = Java.use(decodeURIComponent('com.google.android.material.tooltip.%DB%A4%DB%A4%DB%9F%DB%A6'));
var methods = hookCls.class.getDeclaredMethods();

for (var i in methods) {
    console.log(methods[i].toString());
    console.log(encodeURIComponent(methods[i].toString().replace(/^.*?.([^\s.()]+)(.*?$/, "$1")));
}

The result is no problem , It's just a little troublesome to distinguish . We can only distinguish what we want from the input parameters and return values of member functions hook Member function of

1:show2

Hook The code of this member function is as follows

hookCls[decodeURIComponent("%DB%9F%DB%A3%DB%A5%DB%9F%DB%A3")]
           .implementation = function () {
                        console.log("m1344 =============== ");
                        return "xxx";

           }

Get it done , Call it a day ~

3、 ... and 、 summary

To resist analysis ,App I've thought of all the ways I can . Can only hide deeper than who , Find faster .

Always put his life into a drunken country