g.stringWithString_("hi wit!") // 对应的oc语法:NSString *str = [NSString stringWithString:@"hi with!"];
retval.replace(str) // 修改返回值
var after = new ObjC.Object(retval); // 打印出来是个指针时,请用该方式转换后再打印
log(`before:=${retval}=`);
log(`after:=${after}=`);
}
}
17、打印字符串、数组、字典
frida-trace -UF -m “-[DetailViewController setObj:]”
{
onEnter(log, args, state) {
var self = new ObjC.Object(args[0]); // 当前对象
var method = args[1].readUtf8String(); // 当前方法名
log(`[${self.$className} ${method}]`);
var before = args[2];
// 注意,日志输出请直接使用log函数。不要使用console.log()
var after = new ObjC.Object(args[2]); // 打印出来是个指针时,请用该方式转换后再打印
log(`before:=${before}=`);
log(`after:=${after}=`);
},
onLeave(log, retval, state) {
}
}
18、打印NSData
frida-trace -UF -m “-[DetailViewController setObj:]”
#js
{
onEnter(log, args, state) {
var self = new ObjC.Object(args[0]); // 当前对象
var method = args[1].readUtf8String(); // 当前方法名
log(`[${self.$className} ${method}]`);
var before = args[2];
// 注意,日志输出请直接使用log函数。不要使用console.log()
var after = new ObjC.Object(args[2]); // 打印NSData
var outValue = after.bytes().readUtf8String(after.length()) // 将data转换为string
log(`before:=${before}=`);
log(`after:=${outValue}=`);
},
onLeave(log, retval, state) {
}
}
19、打印对象的所有属性和方法
frida-trace -UF -m “-[DetailViewController setObj:]”
#js
{
onEnter(log, args, state) {
var self = new ObjC.Object(args[0]); // 当前对象
var method = args[1].readUtf8String(); // 当前方法名
log(`[${self.$className} ${method}]`);
var customObj = new ObjC.Object(args[2]); // 自定义对象
// 打印该对象所有属性
var ivarList = customObj.$ivars;
for (key in ivarList) {
log(`key${key}=${ivarList[key]}=`);
}
// 打印该对象所有方法
var methodList = customObj.$methods;
for (var i=0; i<methodList.length; i++) {
log(`method=${methodList[i]}=`);
}
},
onLeave(log, retval, state) {
}
}
20、打印调用栈
frida-trace -UF -m “+[NSURL URLWithString:]”
#js
{
onEnter(log, args, state) {
var url = new ObjC.Object(args[2]);
log(`+[NSURL URLWithString:${url}]`);
log('NSURL URLWithString: called from:\n' +
Thread.backtrace(this.context, Backtracer.ACCURATE)
.map(DebugSymbol.fromAddress).join('\n') + '\n');
},
onLeave(log, retval, state) {
}
}
21、日志输出到文件
frida-trace -UF -m “+[NSURL URLWithString:]” -o run.log
22、更多数据类型
/**
* Converts to a signed 32-bit integer.
*/
toInt32(): number;
/**
* Converts to an unsigned 32-bit integer.
*/
toUInt32(): number;
/**
* Converts to a “0x”-prefixed hexadecimal string, unless a `radix`
* is specified.
*/
toString(radix?: number): string;
/**
* Converts to a JSON-serializable value. Same as `toString()`.
*/
toJSON(): string;
/**
* Returns a string containing a `Memory#scan()`-compatible match pattern for this pointer’s raw value.
*/
toMatchPattern(): string;
readPointer(): NativePointer;
readS8(): number;
readU8(): number;
readS16(): number;
readU16(): number;
readS32(): number;
readU32(): number;
readS64(): Int64;
readU64(): UInt64;
readShort(): number;
readUShort(): number;
readInt(): number;
readUInt(): number;
readLong(): number | Int64;
readULong(): number | UInt64;
readFloat(): number;
readDouble(): number;
readByteArray(length: number): ArrayBuffer | null;
readCString(size?: number): string | null;
readUtf8String(size?: number): string | null;
readUtf16String(length?: nu