function hook_java() {
  // Placeholder for Java-side hooks: runs an empty callback on the Java VM
  // thread and installs nothing. Currently disabled from main().
  Java.perform(() => {});
}
function main() {
  // Script entry point: only the native-side hooks are installed; the Java
  // hook is intentionally left disabled.
  // hook_java();
  hook_native();
}
function nop_addr(addr) {
// Overwrite the first instruction at `addr` with an AArch64 `ret`, so the
// function there returns immediately when called.
// Param: addr - NativePointer to the first instruction of the function.
// No return value.
// Statement order is essential: the page must be writable before the writer
// emits, and the writer must be flushed before it is disposed.
// NOTE(review): only 4 bytes are requested but protection applies to the
// whole page, and the original protection is never restored, so the process
// keeps a writable+executable code mapping whose bytes no longer match the
// on-disk image.
// NOTE(review): Arm64Writer is unconditional here, but the caller has a
// 32-bit code path (Process.pointerSize === 4) - confirm the target is arm64.
Memory.protect(addr, 4 , 'rwx');
var w = new Arm64Writer(addr);
w.putRet();
w.flush();
w.dispose();
}
function hook_linker_call_constructors() {
// Hooks the dynamic linker's soinfo::call_constructors so that code runs
// right before a newly loaded library's constructors execute. The first time
// libmsaoaidsec.so is found loaded, three functions inside it are replaced
// with `ret` (see nop_addr) and the hook then detaches itself.
// No parameters, no return value. Called from hook_dlopen's onEnter, i.e.
// once per matching dlopen.
let linker = null;
// let baseAddr = null
// 32-bit processes use "linker", 64-bit ones "linker64".
// NOTE(review): linker is not null-checked before enumerateSymbols() is
// called on it below; a missing module produces a TypeError inside the hook.
if (Process.pointerSize === 4) {
linker = Process.findModuleByName("linker");
} else {
linker = Process.findModuleByName("linker64");
// baseAddr = Module.getBaseAddress('linker64')
}
let call_constructors_addr, get_soname
// Linear scan of the linker's symbol table for the two mangled names.
let symbols = linker.enumerateSymbols();
for (let index = 0; index < symbols.length; index++) {
let symbol = symbols[index];
if (symbol.name === "__dl__ZN6soinfo17call_constructorsEv") {
call_constructors_addr = symbol.address;
console.log("call_constructors_addr",call_constructors_addr)
// console.log("offset",call_constructors_addr-baseAddr)
} else if (symbol.name === "__dl__ZNK6soinfo10get_sonameEv") {
// get_soname is wrapped as a NativeFunction but never called in this block.
get_soname = new NativeFunction(symbol.address, "pointer", ["pointer"]);
}
}
// NOTE(review): if the symbol was not found (e.g. a linker without these
// symbols), call_constructors_addr is undefined and Interceptor.attach throws.
console.log(call_constructors_addr)
var listener = Interceptor.attach(call_constructors_addr, {
onEnter: function (args) {
console.log("hooked call_constructors")
// The hook's arguments (presumably the soinfo `this` pointer) are not
// inspected; the target is located by module name instead, so this fires on
// whichever call_constructors invocation happens once the library is mapped.
var module = Process.findModuleByName("libmsaoaidsec.so")
if (module != null) {
// 0x1c544, 0x1b8d4 and 0x26e5c are offsets from the library's base; what the
// code at those offsets does is not stated anywhere in this file.
nop_addr(module.base.add(0x1c544))
console.log("0x1c544:替换成功")
nop_addr(module.base.add(0x1b8d4))
console.log("0x1b8d4:替换成功")
nop_addr(module.base.add(0x26e5c))
console.log("0x26e5c:替换成功")
// Earlier variant of the same three patches using Interceptor.replace with
// empty NativeCallbacks (kept here commented out by the author):
// Interceptor.replace(module.base.add(0x1c544), new NativeCallback(function () {
// console.log("0x1c544:替换成功")
// }, "void", []))
// Interceptor.replace(module.base.add(0x1b8d4), new NativeCallback(function () {
// console.log("0x1b8d4:替换成功")
// }, "void", []))
// Interceptor.replace(module.base.add(0x26e5c), new NativeCallback(function () {
// console.log("0x26e5c:替换成功")
// }, "void", []))
// One-shot: the hook removes itself only after the library was found, so it
// stays attached across every constructor call until then.
listener.detach()
}
},
})
}
function hook_dlopen(so_name=''){
// Hooks android_dlopen_ext and logs every library path passed to it. When the
// path contains so_name, the linker hook (hook_linker_call_constructors) is
// installed from onEnter, i.e. before that library's constructors run.
// Param: so_name - substring matched against the dlopen path. The default ''
// matches every path (indexOf('') is 0), which would install the linker hook
// on each load.
// NOTE(review): Module.findExportByName may return null and is passed to
// Interceptor.attach unchecked.
// NOTE(review): this.can_hook is never set (the assignment is commented out),
// so the onLeave branch that calls hook_JNI_OnLoad is currently dead code.
Interceptor.attach(Module.findExportByName(null,"android_dlopen_ext"),
{
onEnter: function(args)
{
// args[0] is read as the NUL-terminated path string of the dlopen call.
var pathptr = args[0];
if (pathptr!==undefined&&pathptr!==null){
var path = Memory.readUtf8String(pathptr);
if(path.indexOf(so_name)>=0){
//this.can_hook = true
hook_linker_call_constructors();
}
console.log("dlopen: "+path);
}
},onLeave:function(retval){
if(this.can_hook){
hook_JNI_OnLoad();
}
}
})
}
function hook_JNI_OnLoad(){
// Logs each call of the library's JNI_OnLoad by attaching at a fixed offset
// from the module base. Only reachable from hook_dlopen's onLeave, which is
// currently dead (see the note there).
// NOTE(review): the module name "libmsaoaidesc.so" differs from the
// "libmsaoaidsec.so" used everywhere else in this file (likely a typo); if no
// module by that name exists, findModuleByName returns null and the
// `moudle.base` access below throws.
let moudle = Process.findModuleByName("libmsaoaidesc.so");
// Static analysis found JNI_OnLoad at 0xC6DC; since it is Thumb code, +1.
// NOTE(review): the Thumb +1 convention is 32-bit ARM, while nop_addr uses
// Arm64Writer - the two assumptions about the target's ISA conflict.
Interceptor.attach(moudle.base.add(0xC6DC + 1),{
onEnter:function(args){
console.log("JNI_OnLoad");
}
})
}
function locate_init() {
// Hooks __system_property_get and logs every property name queried; the
// "ro.build.version.sdk" lookup is used as an early marker that the target
// library's init code has started. Not called anywhere in this file.
// NOTE(review): secmodule is assigned on every call but never read.
let secmodule = null
var addr = Module.findExportByName(null, "__system_property_get")
console.log("__system_property_get: "+addr);
// var addr = ptr("0x4c10").add(1)
// Duplicate of the log line above.
console.log("__system_property_get: " + addr);
Interceptor.attach(addr,
{
// _system_property_get("ro.build.version.sdk", v1);
onEnter: function (args) {
secmodule = Process.findModuleByName("libmsaoaidsec.so")
// args[0] is read as the property name C string.
var name = args[0];
if (name !== undefined && name != null) {
var nameStr = ptr(name).readCString();
console.log("name is",nameStr);
// Loose equality; nameStr is already a string so === would be equivalent.
if (nameStr=="ro.build.version.sdk") {
// This is where .init_proc has just started executing - a fairly early hook point.
// do something
console.log("find: ",nameStr);
}
}
}
}
);
}
function hook_native() {
  // Native-side entry: watch dlopen for the target library and hook it on load.
  hook_dlopen("libmsaoaidsec.so");
}
function hook_pth() {
  // Logs every pthread_create whose start routine (args[2]) lies inside a
  // known module, printing the module name and the routine's offset from the
  // module base. Threads started from unmapped/unknown addresses are skipped.
  const pthreadCreate = Module.findExportByName("libc.so", "pthread_create");
  console.log("[pth_create]", pthreadCreate);
  Interceptor.attach(pthreadCreate, {
    onEnter(args) {
      const startRoutine = args[2];
      const owner = Process.findModuleByAddress(startRoutine);
      if (owner == null) {
        return;
      }
      console.log("开启线程-->", owner.name, startRoutine.sub(owner.base));
    },
    onLeave(retval) {},
  });
}
// hook_pth() is left disabled; enable it to log thread creation.
// hook_pth()
// Defer main() to the next turn of the event loop instead of running it
// synchronously while the script is still being loaded.
setImmediate(main)