求助脱壳学习思路
求助脱壳学习思路:在用 frida hook 爱某密企业版的加固时,频繁出现闪退,且 frida -f 命令会报错 Failed to spawn: process not found(没搞明白这是为什么,其他 app 也会这样,只要加了 -f 参数就会)。观摩了网上大量帖子,可以从 hook android_dlopen_ext 开始,但是目前我走不到这一步,hook 这个也不行,hook __loader_dlopen 也不行,然后尝试 hook JNI_OnLoad 也失败了。各位大佬帮忙看看,求求。目前的 hook 脚本如下。
// 显示调用栈辅助函数
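/**
 * Print the native call stack of the current interceptor callback.
 *
 * Must be invoked as `printStackTrace.call(this)` from an onEnter/onLeave
 * callback so that `this.context` is the CPU context captured by Frida.
 * Each frame is printed as "<index>. <module> +<offset> (<address>)", or as
 * "<index>. <address>" when the address belongs to no known module, followed
 * by " -> <symbol>" when a debug symbol name is available.
 *
 * Output goes to console.log only; nothing is returned.
 */
function printStackTrace() {
  console.log("\n[调用栈]");
  // Called without .call(this): there is no context to walk, say so rather
  // than throwing inside the caller's catch block (which would hide it).
  if (!this || !this.context) {
    console.log(" (无 context,请通过 printStackTrace.call(this) 调用)");
    console.log("");
    return;
  }
  var frames = Thread.backtrace(this.context, Backtracer.ACCURATE);
  for (var i = 0; i < frames.length; i++) {
    var addr = frames[i];
    var mod = Process.findModuleByAddress(addr);
    var line = i + ". ";
    if (mod) {
      // NativePointer.sub keeps full 64-bit precision; a JS `-` on the two
      // pointers coerces them to doubles and loses the low bits.
      // The pointer's own toString already yields "0x…", giving "+0x…".
      line += mod.name + " +" + addr.sub(mod.base) + " (" + addr + ")";
    } else {
      line += addr;
    }
    console.log(line);
    // DebugSymbol.fromAddress resolves one address at a time (the plural
    // spelling used before is not a Frida API and throws, which the callers'
    // catch blocks swallowed — so no stack was ever printed).
    var sym = DebugSymbol.fromAddress(addr);
    if (sym && sym.name) {
      console.log(" -> " + sym.name);
    }
  }
  console.log("");
}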
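// ---- loader hooks ----------------------------------------------------------
// The three loader entry points share one listener so their bodies cannot
// drift apart; each prints the requested library path plus the caller's
// native stack. The JNI_OnLoad follow-up hook is installed from onLeave below.

// Loader exports to watch. __loader_dlopen exists on Android 7.0+.
var LOADER_EXPORTS = ["android_dlopen_ext", "dlopen", "__loader_dlopen"];

// Substrings used to pick which loaded modules get a JNI_OnLoad hook.
var JNI_MODULE_PATTERNS = ["libexec", "ijiami", "libmain"];

// Modules whose JNI_OnLoad is already hooked, keyed by module name, so that
// every later dlopen() does not attach yet another duplicate listener.
// Object.create(null): no prototype keys can collide with a module name.
var hookedJniModules = Object.create(null);

/**
 * Report an exception raised inside a hook callback.
 * Callbacks must not throw (an exception escaping Interceptor can take the
 * target process down), but a silent catch hides why the stack never prints.
 * @param {string} where - which callback failed
 * @param {*} e - the caught value
 */
function reportHookError(where, e) {
  console.log("[-] " + where + " 出错: " + e + (e && e.stack ? "\n" + e.stack : ""));
}

/**
 * onEnter body shared by all loader hooks. `this` is Frida's invocation
 * context; args[0] is the path argument of the hooked loader function.
 */
function onLoaderEnter(args) {
  try {
    if (args[0] && !args[0].isNull()) {
      var path = args[0].readCString();
      if (path) {
        console.log("\n 加载:", path);
        // 显示调用栈,找出是哪个 so 调用的
        printStackTrace.call(this);
      }
    }
  } catch (e) {
    reportHookError("loader onEnter", e);
  }
}

/**
 * Attach onLoaderEnter to the named loader export, if the export exists.
 * Logs "[+] <name> Hook 成功" on success and "[-] 未找到 <name>" otherwise,
 * so a missing export is visible instead of silently skipped.
 * @param {string} exportName
 */
function hookLoader(exportName) {
  var addr = Module.findExportByName(null, exportName);
  if (!addr) {
    console.log("[-] 未找到 " + exportName);
    return;
  }
  Interceptor.attach(addr, { onEnter: onLoaderEnter });
  console.log("[+] " + exportName + " Hook 成功");
}

for (var li = 0; li < LOADER_EXPORTS.length; li++) {
  hookLoader(LOADER_EXPORTS[li]);
}

// ---- JNI_OnLoad follow-up ---------------------------------------------------

/**
 * True when the module name contains one of JNI_MODULE_PATTERNS.
 * @param {string} name
 * @returns {boolean}
 */
function isJniCandidate(name) {
  for (var i = 0; i < JNI_MODULE_PATTERNS.length; i++) {
    if (name.indexOf(JNI_MODULE_PATTERNS[i]) > -1) {
      return true;
    }
  }
  return false;
}

/**
 * Hook JNI_OnLoad of one module, at most once per module name.
 * The module is a parameter so the onEnter closure below captures this
 * module; with a function-scoped `var mod` inside the scan loop every
 * listener would have reported the name of the last module iterated.
 * @param {Module} mod - an entry from Process.enumerateModules()
 */
function hookJniOnLoad(mod) {
  var modName = mod.name;
  if (hookedJniModules[modName]) {
    return;
  }
  // findExportByName returns null when absent; getExportByName throws, and
  // that throw used to abort the scan of all remaining modules.
  var jniOnLoad = mod.findExportByName("JNI_OnLoad");
  if (!jniOnLoad) {
    return;
  }
  console.log("\n[!] 发现 JNI_OnLoad:", modName);
  Interceptor.attach(jniOnLoad, {
    onEnter: function (args) {
      console.log("\n 被调用,so:", modName);
      printStackTrace.call(this);
    }
  });
  hookedJniModules[modName] = true;
}

/** Scan the loaded modules and hook JNI_OnLoad of every candidate. */
function scanForJniOnLoad() {
  try {
    var modules = Process.enumerateModules();
    for (var i = 0; i < modules.length; i++) {
      if (isJniCandidate(modules[i].name)) {
        hookJniOnLoad(modules[i]);
      }
    }
  } catch (e) {
    reportHookError("JNI_OnLoad scan", e);
  }
}

// Hook dlopen 的 onLeave,监控加载后的 so,尝试 Hook JNI_OnLoad
var dlopen_for_jni = Module.findExportByName(null, "android_dlopen_ext") || Module.findExportByName(null, "dlopen");
if (dlopen_for_jni) {
  Interceptor.attach(dlopen_for_jni, {
    onLeave: function (retval) {
      try {
        // Non-null handle: the so loaded. Defer the scan slightly so the
        // module list reflects the new library before enumerating.
        if (retval && !retval.isNull()) {
          setTimeout(scanForJniOnLoad, 100);
        }
      } catch (e) {
        reportHookError("dlopen onLeave", e);
      }
    }
  });
}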
脱壳已解决,frida 也已解决。现在有一个新的问题:我脱壳后得到 dex 文件,没办法弄回 apk,只能用 frida hook 加固包。hook 加固包时找不到原始的类,frida 暂时也没弄出来。写了个检测脚本,到这里就不行了。