1.ida运行脚本
autoi,fp,begin,end;
fp=fopen("D:\\xx.so","wb");
begin=0xAC338000;
end=0xAC393000;
for(i=begin;i
{
fputs(Byte(i),fp);
}
2.gdb dump
dump binary memoryC:\Users\DW\Desktop\baidu_jiagu\so\baidu 0xa8878000 0xA8B9C000
3.dd命令
dd if=/proc/1214/mem of=mmm skip=a8878000 ibs=1 count=324000这个不行,网上误传
4.修改内核
dalvik/vm/oo/Class.cpp此文件的
initclass在加载cinit类的时候加入下面的代码
我们将so dump
5自己写工具dump内存
#include
#include
#include
#include
#include
#include
#include
//#define LOG_TAG"snow"
//#defineLOGE(...) __android_log_print(ANDROID_LOG_ERROR, LOG_TAG,__VA_ARGS__)
//使用办法
//xx pid beginaddrendaddr
int main(intargc,char *argv[]) {
char filename[256] = {0};
if(4!=argc)
{
printf("please input xx pid beginaddr endaddr\n");
exit(1);
}
printf("argv[2]=%s-->argv[3]=%s-\n",argv[2],argv[3]);
long long beginaddr = strtoll(argv[2],NULL,16);
long long endaddr=strtoll(argv[3],NULL,16);
long long length=endaddr-beginaddr;
//printf("-fuck-length=%x---\n",length);
//printf("beginaddr=%x,endaddr=%x-\n",beginaddr,endaddr);
sprintf(filename,"/proc/%s/mem",argv[1]);
printf("will open filepath=%s\n",filename);
FILE* fpsrc=fopen(filename,"r");
FILE* fpdest=fopen("dumpMemory","wb");
if(NULL==fpsrc||NULL==fpdest)
{
printf("open file error!!!\n");
exit(1);
}
int c;
fseek(fpsrc,beginaddr,SEEK_SET)
while((c=fgetc(fpsrc))!=EOF&&length-->0)
{
fputc(c, fpdest);
}
fclose(fpsrc);
fclose(fpdest);
return 0;
}
LOCAL_PATH :=$(call my-dir)
include $(CLEAR_VARS)
LOCAL_LDLIBS += -L$(SYSROOT)/usr/lib -llog
#LOCAL_ARM_MODE := arm
LOCAL_MODULE := dump
LOCAL_SRC_FILES := dump.c
include $(BUILD_EXECUTABLE)
注意以上五种办法,目前的加壳都有反调试模块,会对mem文件进行检测,比如360会检测/proc/pid/mem文件,和监控maps文件故此上面读mem文件会导致闪退,,总的来说第四种办法最管用!!!!!
原文链接:http://blog.csdn.net/kingdiggrave/article/details/53993315