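/**
 * Calls the native routine at xxx.so+0x1CFF0 directly with a fixed test
 * input and dumps the buffer it fills in.
 *
 * Prototype assumed by the NativeFunction declaration below:
 *   int sub_1CFF0(const char *in, int in_len, void *out)
 *
 * NOTE(review): the output buffer is sized to in_len bytes. If the routine
 * writes more than that into its third argument (e.g. an expanding
 * encoding), this overflows a heap allocation inside the target process —
 * confirm the output size from the disassembly before relying on it.
 *
 * @throws {Error} if xxx.so is not loaded in the target process.
 */
function call_1CFF0() {
  const moduleName = "xxx.so";
  const base = Module.findBaseAddress(moduleName);
  // findBaseAddress returns null instead of throwing when the module is not
  // loaded; fail with a readable message rather than a TypeError on .add().
  if (base === null) {
    throw new Error("module not loaded: " + moduleName);
  }
  const sub_1CFF0 = new NativeFunction(
    base.add(0x1CFF0),
    "int",
    ["pointer", "int", "pointer"]
  );

  const inputStr = "0123456789abcdef";
  const inputPtr = Memory.allocUtf8String(inputStr);
  // The test input is ASCII, so the JS string length equals its UTF-8 byte
  // length; a non-ASCII input would need the encoded byte length instead.
  const inputLen = inputStr.length;
  const outputBuf = Memory.alloc(inputLen);

  // Both buffers stay referenced until the call returns: Memory.alloc'd
  // blocks are released once no JS handle to them remains.
  const rc = sub_1CFF0(inputPtr, inputLen, outputBuf);
  console.log("sub_1CFF0 returned " + rc);
  console.log(hexdump(outputBuf, { length: inputLen }));
}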
/**
 * Best-effort hexdump of a value that may or may not be a readable pointer.
 *
 * hexdump() throws when p does not point at mapped memory — typical for
 * integer arguments captured from a hooked call — so the failure is
 * swallowed on purpose and the raw pointer value is printed instead.
 *
 * @param {NativePointer|number|string} p value to dump
 * @returns {string} hexdump text or pointer text, CRLF-terminated
 */
function hex_dump(p) {
  let text;
  try {
    text = hexdump(p);
  } catch (_unreadable) {
    text = ptr(p);
  }
  return text + "\r\n";
}
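/**
 * Prints a hexdump of xxx.so+addr.
 *
 * @param {number|NativePointer} addr offset from the module base
 * @param {number} [length] number of bytes to dump; when omitted hexdump's
 *   own default applies, as in the original call
 * @throws {Error} if xxx.so is not loaded in the target process
 */
function print_hex(addr, length) {
  const moduleName = "xxx.so";
  const base = Module.findBaseAddress(moduleName);
  // Null means "not loaded"; give a readable error instead of a TypeError.
  if (base === null) {
    throw new Error("module not loaded: " + moduleName);
  }
  const options = length === undefined ? {} : { length: length };
  console.log(hexdump(base.add(addr), options));
}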
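/**
 * Hooks a native address and, when the call returns, logs its first four
 * arguments, its return value and the caller (LR relative to xxx.so).
 *
 * @param {NativePointer} addr absolute address to hook
 * @param {number} idb_addr the same location as a module offset (as seen in
 *   the disassembler), echoed in the log so output can be matched up
 * @throws {Error} if xxx.so is not loaded in the target process
 */
function hook_native_addr(addr, idb_addr) {
  const moduleName = "xxx.so";
  const base = Module.findBaseAddress(moduleName);
  // Checked up front: a null base would otherwise only fail inside onLeave,
  // on the first hooked call, with an unhelpful TypeError.
  if (base === null) {
    throw new Error("module not loaded: " + moduleName);
  }
  Interceptor.attach(addr, {
    // Plain functions (not arrows) so `this` is the per-call context shared
    // between onEnter and onLeave.
    onEnter: function (args) {
      // Stash the arguments on the invocation context so onLeave can read them.
      for (let i = 0; i <= 6; i++) {
        this["arg" + i] = args[i];
      }
      // context.lr only exists on ARM/ARM64; returnAddress is available on
      // every architecture and carries the same information.
      this.lr = this.context.lr !== undefined ? this.context.lr : this.returnAddress;
      // console.log(" \r\n" + hex_dump(args[0]));
      // console.log(" \r\n" + hex_dump(args[1]));
      // console.log(" \r\n" + hex_dump(args[2]));
      // console.log(" \r\n" + hex_dump(args[3]));
    },
    onLeave: function (retval) {
      console.log(
        "ptr:" + ptr(addr) + " idb_addr:" + ptr(idb_addr) + " LR:" + ptr(this.lr).sub(base) + " \r\n",
        "this.arg0:\r\n", hex_dump(this.arg0),
        "this.arg1:\r\n", hex_dump(this.arg1),
        "this.arg2:\r\n", hex_dump(this.arg2),
        "this.arg3:\r\n", hex_dump(this.arg3),
        "retval:\r\n", hex_dump(retval)
      );
    },
  });
}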
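/**
 * Installs the native hooks for xxx.so. Only the hook on offset 0x6408 is
 * active; the other call sites and the two hand-written Interceptor examples
 * are kept commented out as templates to copy from.
 *
 * @throws {Error} if xxx.so is not loaded in the target process
 */
function hook_native() {
  const moduleName = "xxx.so";
  const base = Module.findBaseAddress(moduleName);
  // Null means "not loaded"; fail here with a readable message rather than
  // with a TypeError on base.add() below.
  if (base === null) {
    throw new Error("module not loaded: " + moduleName);
  }
  console.log(base);

  // Example: hand-written hook on a single routine, printing the return value
  // and the first two arguments when it returns.
  // const addr_0xC1950 = base.add(0xC1950);
  // console.log(addr_0xC1950);
  // Interceptor.attach(addr_0xC1950, {
  //   onEnter: function (args) {
  //     // .text:000000000000F620 STP X8, X23, [X29,#var_60]
  //     // console.log("addr_0xC1950:\r\n", hex_dump(args[0]));
  //     this.arg0 = args[0];
  //     this.arg1 = args[1];
  //   },
  //   onLeave: function (retval) {
  //     // Print the return value.
  //     console.log('[*] sub_C1950 returned: \r\n' + hex_dump(retval) + '\r\n' + hex_dump(this.arg0) + '\r\n' + hex_dump(this.arg1));
  //   },
  // });

  // Example: hook memcpy and log only calls made from a given module.
  // findModuleByAddress returns null for addresses outside any module, so the
  // null check is required before reading .name.
  // const memcpy = Module.findExportByName(null, "memcpy");
  // Interceptor.attach(memcpy, {
  //   onEnter: function (args) {
  //     const lr = ptr(this.context.lr);
  //     const module = Process.findModuleByAddress(lr);
  //     if (module !== null && module.name === "libcryptutils.so") {
  //       console.log("memcpy X8:",
  //         JSON.stringify(this.context),
  //         "LR:", lr.sub(base));
  //     }
  //   },
  // });

  hook_native_addr(base.add(0x6408), 0x6408);
  // hook_native_addr(base.add(0xC1950), 0xC1950);
  // hook_native_addr(base.add(0x1DFB4), 0x1DFB4);
  // hook_native_addr(base.add(0x1AB4C), 0x1AB4C);
  // hook_native_addr(base.add(0x171C4), 0x171C4);
  // hook_native_addr(base.add(0x18490), 0x18490);
}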
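/**
 * Locates JNI entry points by symbol name in the target module and keeps the
 * hooks for them as commented-out templates. Only the symbol scan is active.
 *
 * NOTE(review): the module is looked up as "xxx.so" like the rest of the
 * file; for the JNI implementation this would presumably be "libart.so" —
 * confirm when filling in the template.
 *
 * @throws {Error} if the module is not loaded in the target process
 */
function hook_libart() {
  const moduleName = "xxx.so";
  const moduleLibart = Process.findModuleByName(moduleName);
  // Null means "not loaded"; enumerateSymbols() on null would be a TypeError.
  if (moduleLibart === null) {
    throw new Error("module not loaded: " + moduleName);
  }
  // console.log(moduleLibart);
  let addr_RegisterNatives = null;
  let addr_GetStringUTFChars = null;
  let addr_NewStringUTF = null;
  let addr_FindClass = null;

  // Scan the module's symbols. Names containing "CheckJNI" are skipped and
  // "JNI" must appear past position 0, matching the original filter; when
  // several symbols match, the last one enumerated wins (as before).
  for (const symbol of moduleLibart.enumerateSymbols()) {
    const name = symbol.name;
    if (name.indexOf("CheckJNI") !== -1 || name.indexOf("JNI") <= 0) {
      continue;
    }
    if (name.indexOf("RegisterNatives") > 0) {
      addr_RegisterNatives = symbol.address;
    } else if (name.indexOf("GetStringUTFChars") > 0) {
      addr_GetStringUTFChars = symbol.address;
    } else if (name.indexOf("NewStringUTF") > 0) {
      addr_NewStringUTF = symbol.address;
    } else if (name.indexOf("FindClass") > 0) {
      addr_FindClass = symbol.address;
    }
  }

  // Template: log every JNI method registered via RegisterNatives, with the
  // module and offset of each native implementation. The JNINativeMethod
  // struct is three pointers: name, signature, fnPtr.
  // if (addr_RegisterNatives !== null) {
  //   Interceptor.attach(addr_RegisterNatives, {
  //     onEnter: function (args) {
  //       const javaClass = Java.vm.tryGetEnv().getClassName(args[1]);
  //       const methods = args[2];
  //       const methodCount = args[3].toInt32();
  //       console.log("addr_RegisterNatives java_class:", javaClass, "method_count:", methodCount);
  //       for (let i = 0; i < methodCount; i++) {
  //         const entry = methods.add(i * Process.pointerSize * 3);
  //         console.log(entry.readPointer().readCString());
  //         console.log(entry.add(Process.pointerSize).readPointer().readCString());
  //         const fnPtr = entry.add(Process.pointerSize * 2).readPointer();
  //         const moduleSo = Process.findModuleByAddress(fnPtr);
  //         console.log(moduleSo.name + "!" + fnPtr.sub(moduleSo.base));
  //       }
  //     },
  //   });
  // }
  // if (addr_GetStringUTFChars !== null) {
  //   Interceptor.attach(addr_GetStringUTFChars, {
  //     onLeave: function (retval) {
  //       console.log("[GetStringUTFChars] : ", ptr(retval).readCString());
  //     },
  //   });
  // }
  // if (addr_NewStringUTF !== null) {
  //   Interceptor.attach(addr_NewStringUTF, {
  //     onEnter: function (args) {
  //       console.log("[NewStringUTF] : ", ptr(args[1]).readCString());
  //     },
  //   });
  // }
  // if (addr_FindClass !== null) {
  //   Interceptor.attach(addr_FindClass, {
  //     onEnter: function (args) {
  //       console.log("[FindClass] : ", ptr(args[1]).readCString());
  //     },
  //   });
  // }
}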
/** Script entry point: installs the native hooks first, then the JNI ones. */
function main() {
  hook_native();
  hook_libart();
}
// Deferred with setImmediate — presumably so the hooks are installed only
// once the script has finished loading, a common Frida idiom.
setImmediate(() => {
  main();
});
【安卓逆向】frida hook so模板
于 2024-07-07 08:30:05 首次发布