查找用例
objection -g com.weico.international explore
android hooking watch class com.weico.international.activity.SinaLoginMainActivity
hook后确定调用
查看
android hooking watch class_method com.sina.weibo.security.WeiboSecurityUtils.calculateSInJava --dump-args --dump-return --dump-backtrace
s参数一致
查看
打开对应so文件
静态方法
静态方法注释掉
运行
填参数
报错
往上找报错点
签名检测
往上找
tab
(byte)0xFF, (byte) 0xF7, (byte) 0xEB, (byte) 0xFE
把这4个字节对应的指令改掉(patch)
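/**
 * Overwrites the 4-byte instruction at {@code module.base + 0x1E86} in the emulated module
 * with the Thumb encoding of {@code mov r0,1}.
 *
 * <p>The offset and the expected bytes are hard-coded, so they match only the library build
 * they were taken from. The existing bytes are compared first, so a different build makes
 * this method throw instead of writing into unrelated code.
 * NOTE(review): the surrounding notes describe this call site as the signature check;
 * confirm against the disassembly of the exact build in use.
 *
 * @throws IllegalStateException if no pointer can be created for the address, if the bytes at
 *     the offset are not the expected {@code BL} encoding, or if the assembled patch is not
 *     the same length as the instruction it replaces
 */
public void patchVerify1() {
    Pointer pointer = UnidbgPointer.pointer(emulator, module.base + 0x1E86);
    // Explicit check instead of `assert`: assertions are skipped unless the JVM runs with -ea,
    // which would turn a null pointer into an unexplained NullPointerException below.
    if (pointer == null) {
        throw new IllegalStateException("patch32 pointer is null");
    }

    byte[] code = pointer.getByteArray(0, 4);
    byte[] expected = new byte[]{ (byte)0xFF, (byte) 0xF7, (byte) 0xEB, (byte) 0xFE }; // BL sub_1C60
    if (!Arrays.equals(code, expected)) {
        // Refuse to patch when the bytes differ: the offset does not point at the expected call.
        throw new IllegalStateException(Inspector.inspectString(code, "patch32 code=" + Arrays.toString(code)));
    }

    // Keystone is closed by try-with-resources once the replacement has been assembled and written.
    try (Keystone keystone = new Keystone(KeystoneArchitecture.Arm, KeystoneMode.ArmThumb)) {
        KeystoneEncoded encoded = keystone.assemble("mov r0,1");
        byte[] patch = encoded.getMachineCode();
        // The replacement must occupy exactly the bytes that were read, so the
        // neighbouring instructions stay intact.
        if (patch.length != code.length) {
            throw new IllegalStateException(Inspector.inspectString(patch, "patch32 length=" + patch.length));
        }
        pointer.write(0, patch, 0, patch.length);
    }
}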
一样