多看官方文档：https://frida.re/docs/javascript-api/
飞智游戏厅 server 分析：
hook 偏移地址（native 函数）
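setImmediate(function () {
  // Native tracing of the knife_server binary: one hook on a function located
  // by offset, one on libc's read() to see what the server reads.
  //
  // Module.findBaseAddress / findExportByName return null when the module or
  // symbol is not present in this process; without the checks below that
  // surfaces as a TypeError on `.add` or inside Interceptor.attach, which is
  // much harder to read than a one-line message.
  var base = Module.findBaseAddress("knife_server");
  console.log(base);
  if (base === null) {
    console.log("knife_server is not loaded in this process; skipping native hooks");
    return;
  }

  // NOTE(review): 0x311C presumably comes from static analysis of this build —
  // confirm it still matches after any update of the binary. The extra +1 looks
  // like the Thumb-mode bit on 32-bit ARM; confirm the target architecture.
  var hh = base.add(0x311C).add(1);
  console.log("hh1:" + hh);
  Interceptor.attach(hh, {
    onEnter: function (args) {
      // Only the first three integer/pointer arguments are dumped; their
      // meaning depends on the function's real prototype, which is not known here.
      console.log("onEnter", args[0], args[1], args[2]);
    },
    onLeave: function (retval) {
      console.log("return:");
    },
  });

  // read(fd, buf, count): log the raw arguments and the return value.
  var readFn = Module.findExportByName("libc.so", "read");
  if (readFn === null) {
    console.log("libc.so!read not found; skipping read hook");
    return;
  }
  Interceptor.attach(readFn, {
    onEnter: function (args) {
      console.log("read:", args[0], args[1], args[2]);
    },
    onLeave: function (retval) {
      console.log("ret:" + retval);
    }
  });
});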
hook Java 方法
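setImmediate(function () {
  // ---- native-side exploration notes (disabled, kept for reference) ----
  // base address
  // var base = Module.findBaseAddress("knife_server");
  // var hh = base.add(0x21B0);
  // console.log("hh:" + hh);
  // Interceptor.attach(ptr(hh), {
  //   onEnter: function (args) {
  //     console.log("Enter CheckSN()")
  //   },
  //   onLeave: function (retval) {
  //     console.log("return:");
  //   },
  // });
  // console.log("base:" + new NativePointer(base+0x12600).readU8());
  // exported variable symbols
  // var sys_touchscreen_param = Module.findExportByName("libmotionelf_server.so", "sys_touchscreen_param");
  // read an unsigned char (U8)
  // console.log(":" + ptr(sys_touchscreen_param).readU8());
  // var fd_x9e = Module.findExportByName("libmotionelf_server.so", "fd_x9e");
  // console.log("fd_x9e:", ptr(fd_x9e).readU8());
  // // var touch_fd = Module.findExportByName("libmotionelf_server.so", "touch_fd");
  // // console.log("touch_fd:", ptr(touch_fd).readU32());
  // var dev_touch = Module.findExportByName("libmotionelf_server.so", "dev_touch");
  // console.log("dev_touch:", ptr(dev_touch).readU32());
  // var sys_touchscreen_param = Module.findExportByName("libmotionelf_server.so", "sys_touchscreen_param");
  // console.log("sys_touchscreen_param:", ptr(sys_touchscreen_param).readU32());
  // var abs_b = Module.findExportByName("libmotionelf_server.so", "abs_b");
  // console.log("abs_b:", ptr(abs_b).readU8());
  // Interceptor.attach(Module.findExportByName("libmotionelf_server.so", "testX9eProp"), {
  //   onEnter: function (args) {
  //     console.log("testX9eProp called! args[0]", args[0]);
  //   },
  //   onLeave: function (retval) {
  //     console.log("ret:" + retval);
  //   }
  // });
  // Interceptor.attach(Module.findExportByName("libmotionelf_server.so", "jniSendRawTouch"), {
  //   onEnter: function (args) {
  //     // read a byte array
  //     console.log("jniSendRawTouch called! args[0]", Memory.readByteArray(args[0], 48))
  //   },
  //   onLeave: function (retval) {
  //     console.log("ret:" + retval);
  //   }
  // });
  // var real_touch_buf = Module.findExportByName("libmotionelf_server.so", "real_touch_buf");
  // console.log("real_touch_buf:", Memory.readByteArray(real_touch_buf, 24));
  // Thread.s/leep(500000);
  // var f1 = Module.findExportByName("libmotionelf_server.so", "send_data_to_app");
  // console.log("send_data_to_app:" + f1);
  // Interceptor.attach(f1, {
  //   onEnter: function (args) {
  //     console.log("send_data_to_app() called! args[0]\n", args[0]);
  //   },
  //   onLeave: function (retval) {
  //     console.log("ret:" + retval);
  //   }
  // });
  // var f1 = Module.findExportByName("libmotionelf_server.so", "process_gamectrl_generic_data");
  // Interceptor.attach(f1, {
  //   onEnter: function (args) {
  //     console.log("process_gamectrl_generic_data() called! args[0] ", args[0]);
  //   },
  //   onLeave: function (retval) {
  //     // console.log("ret:" + retval);
  //   }
  // });
  // var f1 = Module.findExportByName("libmotionelf_server.so", "socket_client_write_udp");
  // Interceptor.attach(f1, {
  //   onEnter: function (args) {
  //     console.log("socket_client_write_udp() called! args[0]", args[0])
  //   },
  //   onLeave: function (retval) {
  //     console.log("ret:" + retval);
  //   }
  // });
  // Interceptor.attach(Module.findExportByName("libmotionelf_server.so", "thread_read_touch"), {
  //   onEnter: function (args) {
  //     console.log("thread_read_touch() called! args[0]", Memory.readByteArray(args[0], 48));
  //   },
  //   onLeave: function (retval) {
  //     console.log("thread_read_touch ret:" + retval);
  //   }
  // });
  // Interceptor.attach(Module.findExportByName("libmotionelf_server.so", "fd_find_event_key"), {
  //   onEnter: function (args) {
  //     console.log("fd_find_event_key() called! args[0]", args[0]);
  //   },
  //   onLeave: function (retval) {
  //     console.log("fd_find_event_key ret:" + retval);
  //     // var TouchEventBuf = Module.findExportByName("libmotionelf_server.so", "TouchEventBuf");
  //     // console.log("TouchEventBuf:args[0]", Memory.readByteArray(TouchEventBuf, 16));
  //   }
  // });
  // Interceptor.attach(Module.findExportByName("libmotionelf_server.so", "uinput_report_touch_reset_touch"), {
  //   onEnter: function (args) {
  //     console.log("uinput_report_touch_reset_touch() called! args[0]", args[0]);
  //   },
  //   onLeave: function (retval) {
  //     console.log("uinput_report_touch_reset_touch ret:" + retval);
  //   }
  // });
  // var dev_touch = Module.findExportByName("libmotionelf_server.so", "dev_touch");
  // console.log("dev_touch:"+ptr(dev_touch).readU32());

  // Java-side tracing. performNow runs the callback right away on the current
  // thread instead of scheduling it.
  Java.performNow(function () {
    // var FZToolMain = Java.use('com.flydigi.tool.FZToolMain');
    var InputManager = Java.use('android.hardware.input.InputManager');
    // var e = Java.use("com.coffee.injectmotionevent.d.e");
    // var a = Java.use("com.coffee.injectmotionevent.e.a");
    var MotionEvent = Java.use("android.view.MotionEvent");
    // var String = Java.use("java.lang.String");
    // PointerProperties is only referenced by the commented-out cast below; it is
    // kept so the class is still resolved up front (Java.use throws if it is missing).
    var PointerProperties = Java.use('android.view.MotionEvent$PointerProperties');
    var PointerCoords = Java.use('android.view.MotionEvent$PointerCoords');

    // Label for each axis index 0..8 queried from the first PointerCoords; the
    // indices correspond to MotionEvent.AXIS_X .. AXIS_ORIENTATION.
    var axisLabels = [
      "coords x:",
      "coords y:",
      "coords pressure",
      "coords size",
      "coords touchMajor",
      "coords touchMinor",
      "coords toolMajor",
      "coords toolMinor",
      "coords orientation",
    ];

    // Dump the arguments of the 14-argument MotionEvent.obtain(). Kept out of the
    // hook so the hook body stays a plain "log, then forward" shape.
    function logObtainArgs(a2, a3, a4, a5, a6, a7, a8, a9, a10, a11, a12, a13) {
      console.log("action", a2);
      console.log("count", a3);
      // var a44 = Java.cast(a4[0], PointerProperties);
      console.log("properties" + a4[0]);
      console.log("coords" + a5.length);
      // With no pointers there is nothing to cast; the unguarded a5[0] threw here.
      if (a5.length > 0) {
        var coords0 = Java.cast(a5[0], PointerCoords);
        for (var axis = 0; axis < axisLabels.length; axis++) {
          console.log(axisLabels[axis], coords0.getAxisValue(axis));
        }
      }
      console.log("meta", a6);
      console.log("button", a7);
      console.log("xP", a8);
      console.log("yP", a9);
      console.log("devId", a10);
      console.log("edgeflag", a11);
      console.log("source", a12);
      console.log("flag", a13);
    }

    MotionEvent.obtain.overload('long', 'long', 'int', 'int', '[Landroid.view.MotionEvent$PointerProperties;', '[Landroid.view.MotionEvent$PointerCoords;', 'int', 'int', 'float', 'float', 'int', 'int', 'int', 'int').implementation = function (a0, a1, a2, a3, a4, a5, a6, a7, a8, a9, a10, a11, a12, a13) {
      // Tracing must never alter the traced call: an exception thrown in this
      // implementation would reach the app as a Java exception from obtain(),
      // so logging failures are reported and the original call still proceeds.
      try {
        logObtainArgs(a2, a3, a4, a5, a6, a7, a8, a9, a10, a11, a12, a13);
      } catch (err) {
        console.log("obtain hook: logging failed: " + err);
      }
      return this.obtain(a0, a1, a2, a3, a4, a5, a6, a7, a8, a9, a10, a11, a12, a13);
    };

    // var members = MotionEvent.class.getDeclaredMethods();
    // var method;
    // members.forEach(function (member) {
    //   // console.log("member: ", member.getParameterCount());
    //   if (member.getName() == "obtain" && member.getParameterCount()==14) {
    //     method = member;
    //   }
    // });
    // console.log("member: 1 ", method);
    // method.implementation = function(a0,a1,a2,a3,a4,a5,a6,a7,a8,a9,a10,a11,a12,a13){
    //   // method.in
    // }
    // String.$init.overload('[C', 'int', 'int').implementation = function(a0,a1,a2){
    //   console.log("!!",this);
    //   var ret = this.$init(a0,a1,a2);
    //   return ret;
    // }
    // String.split.overload('java.lang.String').implementation = function(a0){
    //   console.log("~~",this);
    //   return this.split(a0);
    // }
    // e.a.overload('com.coffee.injectmotionevent.bean.DeviceInfo', 'int', 'int', 'float', 'float').implementation = function (a0, a1, a2, a3, a4) {
    //   console.log("??", a0, a1, a2, a3, a4);
    //   console.log(Process.getCurrentThreadId());
    //   console.log(Process.id);
    //   return this.a(a0, a1, a2, a3, a4);
    // };
    // e.a.overload('java.lang.String').implementation = function (args0) {
    //   console.log("?:", args0);
    //   return this.a(args0);
    // };

    // Log every injected InputEvent together with the thread and process it
    // comes from, then forward unchanged. Same rule as above: a logging failure
    // must not turn into an exception for the caller.
    InputManager.injectInputEvent.overload("android.view.InputEvent", "int").implementation = function (args0, args1) {
      try {
        console.log("injectInputEvent: ", args0, args1);
        console.log(Process.getCurrentThreadId());
        console.log(Process.id);
      } catch (err) {
        console.log("injectInputEvent hook: logging failed: " + err);
      }
      return this.injectInputEvent(args0, args1);
    };

    // var enumerateThreads = Process.enumerateThreads();
    // for (var i = 0; i < enumerateThreads.length; i++) {
    //   console.log("");
    //   console.log("id:", enumerateThreads[i].id);
    //   console.log("state:", enumerateThreads[i].state);
    //   console.log("context:", JSON.stringify(enumerateThreads[i].context));
    // }
    // var Exception = Java.use('java.lang.Exception');
    // overload: pin the parameter types
    // FZToolMain.receiveTouchData.overload('[B').implementation = function (args) {
    //   console.log('receiveTouchData() ', bytesToHex(args));
    //   // console.log("FZToolMain ", Process.getCurrentThreadId());
    //   this.receiveTouchData(args);
    // };
    // var KeyEvent = Java.use("android.view.KeyEvent");
    // FZToolMain.injectEvent.overload('android.view.KeyEvent').implementation = function (args) {
    //   var m = Java.cast(args, KeyEvent);
    //   console.log("\ninjectKeyEvent:", m);
    //   this.injectEvent(args);
    // };
    // FZToolMain.InjectUp.implementation = function (args) {
    //   // // var m=Java.cast(args,KeyEvent);
    //   console.log("\n InjectUp:", args);
    //   this.InjectUp(args);
    // };
    // console.log("Java.available args[0]", Java.enumerateLoadedClassesSync());
    // Java.enumerateLoadedClasses({
    //   onMatch: function (className) {
    //     console.log(className);
    //   },
    //   onComplete: function () {
    //     console.log("done");
    //   }
    // });
  });
});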