Android逆向之分析基操
1,ndk开发函数名体现形式
extern "C" JNIEXPORT
extern "C" __attribute__ ((visibility ("hidden")))
JNIEXPORT
__attribute__ ((visibility ("hidden")))
总结:
__attribute__ ((visibility ("hidden"))) --> 符号不导出，函数名在导出表中被隐藏
仅 JNIEXPORT（无 extern "C"）--> 按 C++ 规则编译，为支持重载会对函数名做 name mangling
extern "C" JNIEXPORT --> 按 C 语言的链接方式编译导出，函数名保持不变
2,函数注册跟踪
so文件监控及静态注册
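/**
 * Frida helper: find the export named in func_name (dlsym by default;
 * switch to android_dlopen_ext to watch library loads instead), hook it
 * with Interceptor.attach and log each call, resolving the returned address
 * back to the module that owns it via Process.findModuleByAddress.
 *
 * Everything runs inside Java.perform. There is no return value; all output
 * goes to console.log. This is an observation-only tracing hook: it reads
 * the call arguments and return value and does not modify either.
 *
 * Fixed relative to the original listing: the module and export lists were
 * indexed without [i]/[j], and the arguments were read with ptr(args)
 * instead of args[0] (dlopen path) / args[1] (dlsym symbol name).
 */
function find_function() {
  Java.perform(function () {
    // var func_name = "android_dlopen_ext";
    var func_name = "dlsym";
    var func_address;
    var modules = Process.enumerateModules();
    for (var i = 0; i < modules.length; i++) {
      var module = modules[i];
      var module_name = module.name;
      var exports = module.enumerateExports();
      for (var j = 0; j < exports.length; j++) {
        var export_name = exports[j].name;
        if (export_name.indexOf(func_name) > -1) {
          console.log("find function", module_name, export_name);
          // Substring hits are only logged; just an exact name match is hooked.
          // If several modules export the same name, the last one wins.
          if (func_name === export_name) {
            func_address = exports[j].address;
          }
        }
      }
    }
    if (func_address) {
      console.log("fun_address", func_address);
      Interceptor.attach(func_address, {
        onEnter: function (args) {
          if (func_name.indexOf("dlopen") > -1) {
            // dlopen(path, flags) / android_dlopen_ext(path, flags, info):
            // the library path is the first argument.
            this.path = args[0].readCString();
          } else if (func_name.indexOf("dlsym") > -1) {
            // dlsym(handle, symbol): the symbol name is the second argument.
            this.func_name = args[1].readCString();
          } else {
            console.log("please check your code");
          }
          console.log("find agrs", "arg =", this.path, ", arg =", this.func_name);
        },
        onLeave: function (retval) {
          // Resolve the returned pointer once instead of querying twice.
          var owner = Process.findModuleByAddress(retval);
          if (owner) {
            console.log("find target", owner.name, "-->", this.func_name);
          } else {
            console.log("find other", this.path, "-->", this.func_name);
          }
        }
      });
    }
  });
}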
hook dlopen:
hook dlsym:
动态注册
yang神的脚本地址:
https://github.com/lasting-yang/frida_hook_libart
3,trace剑客
[*]
jnitrace
[*]
frida-trace
hook strcat:
hook open:
hook dlsym:
[*]
hook_artmethod
yang神的脚本地址:
https://github.com/lasting-yang/frida_hook_libart
trace结果:
ndk开发代码:
看了这些trace再看凯神的unidbg是不是有点似曾相识的感觉和熟悉的点位
4,总结
肉丝姐的星球是个好东西
5,滴滴
读码百遍,trace自现,然后去玩unicorn,AndroidNativeEmu,unidbg
欢迎关注我的公众号【妄为写代码】,一起交流学习
666 666 666 666 666 666 666 666 666666666666666