环境配置见肉丝大佬的github

https://github.com/r0ysue/AndroidSecurityStudy/tree/master/FRIDA/A01

1.下载系统

官方镜像工厂下载指定的镜像

https://developers.google.com/android/images

校验SHA-256 Checksum 要和官网的一致

1 2	openssl dgst -sha256 bullhead-opm7.181205.001-factory-5f189d84.zip SHA256(bullhead-opm7.181205.001-factory-5f189d84.zip)= 5f189d84781a26b49aca0de84a941a32ae0150da0aab89f1d7709d56c31b3c0a

2.安装系统

手机关机按电源键加音量下键或 adb reboot bootloader

解压系统

执行

1	./flash-all.sh

等待几分钟自动重启

3.安装twrp

https://twrp.me/Devices/

选择你的设备的twrp

pixel xl twrp

https://dl.twrp.me/marlin

https://dl.twrp.me/marlin/twrp-3.3.1-3-marlin.img

解压

adb reboot bootloader

fastboot devices

fastboot flash recovery twrp-3.3.1-3-marlin.img

fastboot reboot

出错了

FAILED (remote: ‘partition [recovery] doesn’t exist’)

fastboot: error: Command failed

尝试执行

fastboot boot twrp-3.3.1-3-marlin.img

4.刷入Magisk

https://github.com/topjohnwu/Magisk

在github项目主页的release页面，下载最新的卡刷包：Magisk-v17.3.zip

1	adb push Magisk-v17.3.zip /sdcard/

然后安装选择magisk

安装完成后直接重启即可，Reboot System

5.获取root权限

adb shell

whoami

su -

whoami

6.安装frida

查看手机cpu安装相同系统和构架的frida

adb shell getprop ro.product.cpu.abi

https://github.com/frida/frida/releases

https://github.com/frida/frida/releases/download/12.8.14/frida-server-12.8.14-android-arm64.xz

下载完成后进行解压，获得linux原生的可执行文件，我们将它重命名为frida-server。

adb push frida-server /data/local/tmp/
adb shell
bullhead:/ $ su -
bullhead:/ # whoami
root
bullhead:/ # cd /data/local/tmp/
bullhead:/data/local/tmp # chmod 755 /data/local/tmp/frida-server
bullhead:/data/local/tmp # ./frida-server &
[1] 9849
bullhead:/data/local/tmp #
$ ./adb root # might be required
$ ./adb push frida-server /data/local/tmp/
$ ./adb shell "chmod 755 /data/local/tmp/frida-server"
$ ./adb shell "/data/local/tmp/frida-server &"

此时在电脑上新开一个shell，运行frida-ps -U命令，即可显示手机中正在运行的进程。

1	frida-ps -U

1
2
3

pip install frida-tools # CLI tools
pip install frida       # Python bindings
npm install frida       # Node.js bindings

frida by node.js

https://github.com/oleavr/frida-agent-example

$ git clone git://github.com/oleavr/frida-agent-example.git

$ cd frida-agent-example/

$ npm install

$ frida -U -f com.example.android –no-pause -l _agent.js

有个错误

(FRIDA) Failed to spawn: unable to access zygote64 while preparing for app launch; try disabling Magisk Hide in case it is active

https://stackoverflow.com/questions/56316329/frida-failed-to-spawn-unable-to-access-zygote64-while-preparing-for-app-launc

Magisk Manager > Settings >Magisk > Magisk Hide (Toggle Off)