How to build a Frida + Sekiro RPC framework
Objectives
Using a real mobile phone to do the signing is a tricky solution that we have introduced before:
Sekiro + Xposed signature solution
Frida is now widely used, and Sekiro has also been upgraded to a new version. Today we will build a Frida + Sekiro RPC framework.
Run the server first
The official repository is here: https://github.com/virjar/sekiro
Clone it with git.
On Linux or Mac, run the script build_demo_server.sh to get the release package: sekiro-service-demo/target/sekiro-release-demo.zip
If you are using Windows, or don’t want to build it yourself, you can download it directly here
https://oss.virjar.com/sekiro/sekiro-demo
Transfer the zip package to the server and decompress it.
Run sekiro.bat on Windows, or sekiro.sh on Linux/Mac.
The server is now running.
Developing the Sekiro client with Frida
Sekiro is a pretty awesome library that basically works out of the box.
    new SekiroClient("test-android", UUID.randomUUID().toString())
        .setupSekiroRequestInitializer(new SekiroRequestInitializer() {
            @Override
            public void onSekiroRequest(SekiroRequest sekiroRequest, HandlerRegistry handlerRegistry) {
                handlerRegistry.registerSekiroHandler(new ClientTimeHandler());
            }
        }).start();
In Android code, you just add a call like this and then write the logic in the ClientTimeHandler class.
Using Frida is a little more complicated. The complexity lies in creating the Java class ClientTimeHandler that handles the call logic.
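    // Assumes the Sekiro client classes are already loadable in the target process
    // (see the dex-loading article linked at the end) and that callMobile(), the
    // wrapper around the hooked app method, is defined elsewhere in this script.
    function initSekiro() {
        const JavaString = Java.use('java.lang.String');
        const UUID = Java.use('java.util.UUID');
        const SekiroClient = Java.use('com.virjar.sekiro.business.api.SekiroClient');
        const ActionHandler = Java.use('com.virjar.sekiro.business.api.interfaze.ActionHandler');
        const SekiroRequestInitializer = Java.use('com.virjar.sekiro.business.api.interfaze.SekiroRequestInitializer');

        // Java class created at runtime that handles the "mobile" action.
        const ClientTimeHandler = Java.registerClass({
            name: 'ClientTimeHandler',
            implements: [ActionHandler],
            methods: {
                action: function () {
                    return 'mobile';
                },
                handleRequest: function (sekiroRequest, sekiroResponse) {
                    const requestJsonData = sekiroRequest.getJsonModel();
                    const requestData = JSON.parse(requestJsonData)['requestData'];
                    if (!requestData) {
                        sekiroResponse.failed(JavaString.$new('requestData 不能为空'));
                    } else {
                        try {
                            sekiroResponse.success(callMobile(requestData));
                        } catch (error) {
                            // Report the failure to the caller, then rethrow.
                            sekiroResponse.failed(JavaString.$new(error.stack));
                            throw error;
                        }
                    }
                }
            }
        });

        // Registers the handler when the client receives a request.
        const SekiroRequestDefault = Java.registerClass({
            name: 'SekiroRequestDefault',
            implements: [SekiroRequestInitializer],
            methods: {
                onSekiroRequest: function (sekiroRequest, handlerRegistry) {
                    handlerRegistry.registerSekiroHandler(ClientTimeHandler.$new());
                }
            }
        });

        const clientID = UUID.randomUUID().toString(); // random client ID, as in the Java example above
        const group = 'fridaHook_atlasEncrypt';
        const ip = '110.42.246.110';
        const sekiro = SekiroClient.$new(group, clientID, ip, 8989);
        sekiro.setupSekiroRequestInitializer(SekiroRequestDefault.$new());
        sekiro.start();
    }

    // Java.use() and Java.registerClass() must run on a thread attached to the VM.
    Java.perform(initSekiro);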
That’s it. Attach Frida and run it.
Viewing Sekiro status and calling the service
http://110.42.246.110:8989/business-demo/groupList displays all groups registered in the current system
{"data":["fridaHook_atlasEncrypt"],"ok":true,"status":0}
http://110.42.246.110:8989/business-demo/clientQueue?group=fridaHook_atlasEncrypt shows the clients/mobile phones registered under a specific group.
{"data":["65c8e8b5-1a67-2036-5b38-769cb670aeb3"],"ok":true,"status":0}
Execute it and see the result
    # -*- coding: utf-8 -*-
    import requests

    url = 'http://110.42.246.110:8989/business-demo/invoke'
    mobileid = '18913872618'
    data = {
        'group': 'fridaHook_atlasEncrypt',
        'action': 'mobile',
        'requestData': mobileid
    }
    res = requests.post(url, json=data).json()
    print(res['data'])
The result is perfect
3sCt3iAAMzIwOTAxMjA4AM8HAO7Jtk8ia8xTExAAAACFS7z70nRA3Ppgtdz9Kefb
Conclusion
Basically, Frida can use Java libraries seamlessly, which is much more convenient than Xposed.
There is one small problem: an app hooked with Frida has a chance of crashing, so a watchdog is needed to deal with this.
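A minimal watchdog along those lines, as an added example that is not code from the original post or from the Sekiro project. It polls the clientQueue endpoint shown above and asks for a restart after several consecutive polls with no registered client. The BASE address, the threshold, the shape of an empty reply and the restart callback (whatever relaunches the app and re-attaches Frida in your setup) are assumptions.

```python
import json
from urllib.parse import urlencode
from urllib.request import urlopen

BASE = "http://127.0.0.1:8989/business-demo"  # assumption: your own Sekiro demo server
GROUP = "fridaHook_atlasEncrypt"              # group name used in this post

def fetch(path, **params):
    """GET a Sekiro demo endpoint and return the raw response body."""
    with urlopen(f"{BASE}/{path}?{urlencode(params)}", timeout=5) as resp:
        return resp.read().decode("utf-8")

def online_clients(body):
    """Client IDs from a clientQueue body; [] when the reply is missing or not ok."""
    try:
        reply = json.loads(body)
    except ValueError:
        return []
    if not isinstance(reply, dict) or not reply.get("ok") or reply.get("status") != 0:
        return []
    data = reply.get("data")
    return data if isinstance(data, list) else []

class Watchdog:
    """Ask for a restart after `threshold` consecutive polls with no client."""
    def __init__(self, threshold=3):
        self.threshold = threshold
        self.misses = 0

    def observe(self, body):
        self.misses = 0 if online_clients(body) else self.misses + 1
        if self.misses < self.threshold:
            return False
        self.misses = 0  # start counting again after asking for a restart
        return True

def poll_once(dog, restart, get=fetch):
    """One tick: read the client queue and call restart() if the client is gone."""
    try:
        body = get("clientQueue", group=GROUP)
    except OSError:  # server unreachable or timed out counts as a miss
        body = ""
    fire = dog.observe(body)
    if fire:
        restart()
    return fire
```

Call poll_once() from a loop or a scheduler at whatever interval suits the app's start-up time.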
Sekiro official documentation https://sekiro.virjar.com/sekiro-doc/index.html
frida loads sekiro dex file to interact with the server https://www.qinless.com/387