美文网首页
Android逆向 frida练习

Android逆向 frida练习

作者: LiuJP | 来源:发表于2020-06-20 10:33 被阅读0次

    多看官方文档https://frida.re/docs/javascript-api/

    飞智游戏厅server分析:
    hook 偏移地址

    setImmediate(function () {
    var base = Module.findBaseAddress("knife_server");
    console.log(base);
    var hh = base.add(0x311C).add(1);
    console.log("hh1:" + hh);
    Interceptor.attach(hh, {
        onEnter: function (args) {
            console.log("onEnter",args[0],args[1],args[2]);
        },
        onLeave: function (retval) {
            console.log("return:");
        },
    });
    Interceptor.attach(Module.findExportByName("libc.so", "read"), {
        onEnter: function (args) {
            console.log("read:", args[0],args[1], args[2]);
        },
        onLeave: function (retval) {
            console.log("ret:" + retval);
        }
    });
});

    hook java

    setImmediate(function () {
    //基地址
    // var base = Module.findBaseAddress("knife_server");
    // var hh = base.add(0x21B0);
    // console.log("hh:" + hh);

    // Interceptor.attach(ptr(hh), {
    //     onEnter: function (args) {
    //         console.log("Enter CheckSN()")
    //     },
    //     onLeave: function (retval) {
    //         console.log("return:");
    //     },
    // });
    // console.log("base:" + new NativePointer(base+0x12600).readU8());

    //export 变量符号
    // var sys_touchscreen_param = Module.findExportByName("libmotionelf_server.so", "sys_touchscreen_param");
    //读取 unsigned char U8
    // console.log(":" + ptr(sys_touchscreen_param).readU8());
    // var fd_x9e = Module.findExportByName("libmotionelf_server.so", "fd_x9e");
    // console.log("fd_x9e:", ptr(fd_x9e).readU8());
    // // var touch_fd = Module.findExportByName("libmotionelf_server.so", "touch_fd");
    // // console.log("touch_fd:", ptr(touch_fd).readU32());
    // var dev_touch = Module.findExportByName("libmotionelf_server.so", "dev_touch");
    // console.log("dev_touch:", ptr(dev_touch).readU32());

    // var sys_touchscreen_param = Module.findExportByName("libmotionelf_server.so", "sys_touchscreen_param");
    // console.log("sys_touchscreen_param:", ptr(sys_touchscreen_param).readU32());
    // var abs_b = Module.findExportByName("libmotionelf_server.so", "abs_b");
    // console.log("abs_b:", ptr(abs_b).readU8());
    // Interceptor.attach(Module.findExportByName("libmotionelf_server.so", "testX9eProp"), {
    //     onEnter: function (args) {
    //         console.log("testX9eProp called! args[0]", args[0]);
    //     },
    //     onLeave: function (retval) {
    //         console.log("ret:" + retval);
    //     }
    // });
    // Interceptor.attach(Module.findExportByName("libmotionelf_server.so", "jniSendRawTouch"), {
    //     onEnter: function (args) {
    //         //读取byte 数组
    //         console.log("jniSendRawTouch called! args[0]", Memory.readByteArray(args[0], 48))
    //     },
    //     onLeave: function (retval) {
    //         console.log("ret:" + retval);
    //     }
    // });

    // var real_touch_buf = Module.findExportByName("libmotionelf_server.so", "real_touch_buf");
    // console.log("real_touch_buf:", Memory.readByteArray(real_touch_buf, 24));
    // Thread.s/leep(500000);

    // var f1 = Module.findExportByName("libmotionelf_server.so", "send_data_to_app");
    // console.log("send_data_to_app:" + f1);
    // Interceptor.attach(f1, {
    //     onEnter: function (args) {
    //         console.log("send_data_to_app() called! args[0]\n", args[0]);
    //     },
    //     onLeave: function (retval) {
    //         console.log("ret:" + retval);
    //     }
    // });

    //  var f1 = Module.findExportByName("libmotionelf_server.so", "process_gamectrl_generic_data");
    // Interceptor.attach(f1, {
    //     onEnter: function (args) {
    //         console.log("process_gamectrl_generic_data() called! args[0] ", args[0]);
    //     },
    //     onLeave: function (retval) {
    //         // console.log("ret:" + retval);
    //     }
    // });
    // var f1 = Module.findExportByName("libmotionelf_server.so", "socket_client_write_udp");
    // Interceptor.attach(f1, {
    //     onEnter: function (args) {
    //         console.log("socket_client_write_udp() called! args[0]", args[0])
    //     },
    //     onLeave: function (retval) {
    //         console.log("ret:" + retval);
    //     }
    // });
    // Interceptor.attach(Module.findExportByName("libmotionelf_server.so", "thread_read_touch"), {
    //     onEnter: function (args) {
    //         console.log("thread_read_touch() called! args[0]", Memory.readByteArray(args[0], 48));
    //     },
    //     onLeave: function (retval) {
    //         console.log("thread_read_touch ret:" + retval);
    //     }
    // });
    // Interceptor.attach(Module.findExportByName("libmotionelf_server.so", "fd_find_event_key"), {
    //     onEnter: function (args) {
    //         console.log("fd_find_event_key() called! args[0]", args[0]);
    //     },
    //     onLeave: function (retval) {
    //         console.log("fd_find_event_key ret:" + retval);
    //         // var TouchEventBuf = Module.findExportByName("libmotionelf_server.so", "TouchEventBuf");
    //         // console.log("TouchEventBuf:args[0]", Memory.readByteArray(TouchEventBuf, 16));
    //     }
    // });
    // Interceptor.attach(Module.findExportByName("libmotionelf_server.so", "uinput_report_touch_reset_touch"), {
    //     onEnter: function (args) {
    //         console.log("uinput_report_touch_reset_touch() called! args[0]", args[0]);
    //     },
    //     onLeave: function (retval) {
    //         console.log("uinput_report_touch_reset_touch ret:" + retval);
    //     }
    // });
    // var dev_touch = Module.findExportByName("libmotionelf_server.so", "dev_touch");
    // console.log("dev_touch:"+ptr(dev_touch).readU32());

    //立刻执行
    Java.performNow(function () {
        //  var FZToolMain = Java.use('com.flydigi.tool.FZToolMain');
        var InputManager = Java.use('android.hardware.input.InputManager');
        // var e = Java.use("com.coffee.injectmotionevent.d.e");
        // var a = Java.use("com.coffee.injectmotionevent.e.a");

        var MotionEvent = Java.use("android.view.MotionEvent");
        // var String = Java.use("java.lang.String");
        var PointerProperties = Java.use('android.view.MotionEvent$PointerProperties');
        var PointerCoords = Java.use('android.view.MotionEvent$PointerCoords');
        MotionEvent.obtain.overload('long', 'long', 'int', 'int', '[Landroid.view.MotionEvent$PointerProperties;', '[Landroid.view.MotionEvent$PointerCoords;', 'int', 'int', 'float', 'float', 'int', 'int', 'int', 'int').implementation = function (a0, a1, a2, a3, a4, a5, a6, a7, a8, a9, a10, a11, a12, a13) {
            console.log("action", a2);
            console.log("count", a3);
            // var a44 = Java.cast(a4[0], PointerProperties);
            console.log("properties" + a4[0]);
            console.log("coords" + a5.length);
            var a55 = Java.cast(a5[0], PointerCoords);
            console.log("coords x:", a55.getAxisValue(0));
            console.log("coords y:", a55.getAxisValue(1));
            console.log("coords pressure", a55.getAxisValue(2));
            console.log("coords size", a55.getAxisValue(3));
            console.log("coords touchMajor", a55.getAxisValue(4));
            console.log("coords touchMinor", a55.getAxisValue(5));
            console.log("coords toolMajor", a55.getAxisValue(6));
            console.log("coords toolMinor", a55.getAxisValue(7));
            console.log("coords orientation", a55.getAxisValue(8));
            console.log("meta", a6);
            console.log("button", a7);
            console.log("xP", a8);
            console.log("yP", a9);
            console.log("devId", a10);
            console.log("edgeflag", a11);
            console.log("source", a12);
            console.log("flag", a13);
            return this.obtain(a0, a1, a2, a3, a4, a5, a6, a7, a8, a9, a10, a11, a12, a13);
        };
        // var members = MotionEvent.class.getDeclaredMethods();
        // var method;
        // members.forEach(function (member) {
        //     // console.log("member: ", member.getParameterCount());
        //     if (member.getName() == "obtain" && member.getParameterCount()==14) {

        //         method = member;
        //     }
        // });
        // console.log("member: 1 ", method);

        // method.implementation = function(a0,a1,a2,a3,a4,a5,a6,a7,a8,a9,a10,a11,a12,a13){
        //     // method.in
        // }
        // String.$init.overload('[C', 'int', 'int').implementation = function(a0,a1,a2){
        //     console.log("!!",this);
        //     var ret  =  this.$init(a0,a1,a2);
        //     return ret;
        // }
        // String.split.overload('java.lang.String').implementation = function(a0){
        //     console.log("~~",this);
        //     return this.split(a0);
        // }
        // e.a.overload('com.coffee.injectmotionevent.bean.DeviceInfo', 'int', 'int', 'float', 'float').implementation = function (a0, a1, a2, a3, a4) {
        //     console.log("??", a0, a1, a2, a3, a4);
        //     console.log(Process.getCurrentThreadId());
        //     console.log(Process.id);
        //     return this.a(a0, a1, a2, a3, a4);
        // };
        // e.a.overload('java.lang.String').implementation = function (args0) {
        //     console.log("?:", args0);
        //     return this.a(args0);
        // };
        InputManager.injectInputEvent.overload("android.view.InputEvent", "int").implementation = function (args0, args1) {
            console.log("injectInputEvent: ", args0, args1);
            console.log(Process.getCurrentThreadId());
            console.log(Process.id);
            return this.injectInputEvent(args0, args1);
        };
        // var enumerateThreads = Process.enumerateThreads();
        // for (var i = 0; i < enumerateThreads.length; i++) {
        //     console.log("");
        //     console.log("id:", enumerateThreads[i].id);
        //     console.log("state:", enumerateThreads[i].state);
        //     console.log("context:", JSON.stringify(enumerateThreads[i].context));
        // }
        // var Exception = Java.use('java.lang.Exception');
        //  overload 指定参数类型
        // FZToolMain.receiveTouchData.overload('[B').implementation = function (args) {
        //     console.log('receiveTouchData() ', bytesToHex(args));
        //     // console.log("FZToolMain ", Process.getCurrentThreadId());
        //     this.receiveTouchData(args);
        // };
        //     var KeyEvent = Java.use("android.view.KeyEvent");
        //     FZToolMain.injectEvent.overload('android.view.KeyEvent').implementation = function (args) {
        //         var m = Java.cast(args, KeyEvent);
        //         console.log("\ninjectKeyEvent:", m);
        //         this.injectEvent(args);
        //     };

        // FZToolMain.InjectUp.implementation = function (args) {
        // //     // var m=Java.cast(args,KeyEvent);
        //     console.log("\n InjectUp:", args);
        //     this.InjectUp(args);
        // };

        // console.log("Java.available args[0]", Java.enumerateLoadedClassesSync());
        // Java.enumerateLoadedClasses({
        //     onMatch: function (className) {
        //         console.log(className);
        //     },
        //     onComplete: function () {
        //         console.log("done");
        //     }
        // });
    });
});

    相关文章

      网友评论

          本文标题:Android逆向 frida练习

          本文链接:https://www.haomeiwen.com/subject/xrswxktx.html

          延伸阅读

          深度阅读

          • 您也可以注册成为美文阅读网的作者,发表您的原创作品、分享您的心情!

          栏目导航

          热点阅读

          关于我们|服务条款|联系我们|Android逆向 frida练习|投稿指南|网站地图|RSS订阅|排版工具|手机版

          提供经典美文摘抄,优美散文欣赏,现代诗歌精选,短篇小说,心情随笔,表白情书范文,故事会在线阅读欣赏

          Copyright © 2014-2023 Haomeiwen.com All Rights Reserved. 好美文阅读网 版权所有

          备案信息:桂公网安备 45052102000051号 · 桂ICP备13007215号-3

          本站所收录作品、热点评论等信息部分来源互联网,目的只是为了系统归纳学习和传递资讯

          所有作品版权归原创作者所有,与本站立场无关,如不慎侵犯了你的权益,请联系我们告知,我们将做删除处理!