Summary of the more important commands
cat /proc/pid/cmdline    show the process command line
cat /proc/pid/status    check the TracerPid of the process (main thread)
ls /proc/pid/task    list the threads (one entry per tid)
cat /proc/pid/task/tid/status    check the TracerPid of an individual thread
dmesg | grep -i ptrace    read the ptrace records printed by a kernel module into the kernel log
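The TracerPid checks above as a small shell script (an added example, not part of the original post): it reads the command line, then walks /proc/<pid>/task and reports every thread whose TracerPid is non-zero, which is what exposes a packer thread that has attached to its own process even when the main thread's status reads 0. It builds a constructed fake /proc tree so it runs offline; the pids 1234/1240/1250, the thread names and the cmdline in it are made up, and on a device you would pass /proc and the real pid.

```shell
#!/bin/sh
# Added example: walk a /proc tree and report which threads of a process are ptraced.
# A self-attaching packer shows up as a non-zero TracerPid on one of the threads
# even when /proc/<pid>/status (the main thread) still reads TracerPid: 0.

# Print the command line of a pid (NUL separators turned into spaces).
cmdline_of() {            # $1 = proc root, $2 = pid
  tr '\0' ' ' < "$1/$2/cmdline" | sed 's/ *$//'
}

# Print the TracerPid field of a status file; 0 means nobody is tracing it.
tracer_pid() {            # $1 = path to a status file
  sed -n 's/^TracerPid:[[:space:]]*//p' "$1"
}

# Print "tid tracer" for every thread of a pid whose TracerPid is non-zero.
traced_threads() {        # $1 = proc root, $2 = pid
  for t in "$1/$2/task"/*; do
    tracer=$(tracer_pid "$t/status")
    if [ "${tracer:-0}" -ne 0 ]; then
      echo "${t##*/} $tracer"
    fi
  done
}

# Constructed fake /proc tree (hypothetical pids 1234, 1240 and tracer 1250)
# so this runs offline; on a device use /proc and the real pid instead.
make_fake_proc() {        # $1 = directory to populate
  mkdir -p "$1/1234/task/1234" "$1/1234/task/1240"
  printf '/system/bin/app_process\0--zygote\0' > "$1/1234/cmdline"
  printf 'Name:\tapp_process\nState:\tS (sleeping)\nPid:\t1234\nTracerPid:\t0\n' \
    > "$1/1234/status"
  cp "$1/1234/status" "$1/1234/task/1234/status"
  printf 'Name:\tworker\nState:\tt (tracing stop)\nPid:\t1234\nTracerPid:\t1250\n' \
    > "$1/1234/task/1240/status"
}

root=$(mktemp -d)
make_fake_proc "$root"
echo "cmdline: $(cmdline_of "$root" 1234)"
echo "main-thread TracerPid: $(tracer_pid "$root/1234/status")"
echo "traced threads (tid tracer):"
traced_threads "$root" 1234
rm -rf "$root"
```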
What you actually get is an odex file, which contains odex instructions. Running it through a modified baksmali recovers the original dex.
Update: how to fix up the odex:
1. Copy the device's /system/framework directory to a local directory named framework
2. Run baksmali -x -d framework abc.odex    // writes the smali files to the out directory; use Linux if at all possible
3. Run smali out -o classes.dex    // rebuild the dex
With the thread-attaching approach described in this post, the Bangbang packer now defeats gcore: the core file it produces no longer contains usable data.
Reposted from: http://www.52pojie.cn/forum.php?mod=viewthread&tid=252099 and
Note: this method worked as of 2014-07-29; later versions have not been tested. Because Dalvik's execution model requires the dex to be contiguous in memory, getting a core dump of the process memory is always a good option.
Update: one vendor detects programs named gdb, so rename gdb to something else, e.g. hello.
Note: if gdb cannot attach to the target pid, try attaching to the ones under the /proc/[pid]/task/ directory