简书链接: frida hook native 地址的计算

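# List the running process for the test app; the second column of the matching
# line is its PID (needed for /proc/<pid>/maps below).
# `//` is not a comment marker in a shell, so the original note would have run
# as a (failing) command; `#` is the correct syntax.
ps | grep cn.qssq666.testjni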

根据进程定位 so 的相对地址，然后加上 so 的基地址。

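# Print the memory mappings of libmylib.so inside the app process.
# Replace `pid` with the PID found via `ps` above. The start of the first
# address range listed is the module's base address; add the function's
# offset from the disassembler to it to get the runtime address.
# (`//` is not a shell comment; `#` is.)
cat /proc/pid/maps | grep libmylib.so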

xxx

代码

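// find app class. Run with: frida -U -l hookc2.js cn.qssq666.testjni
// 74A1D79470 = the function's address in IDA + the base address from
//   cat /proc/23912/maps | grep libmylib.so
// (23912 was the app's PID in that session). That sum is only valid for the
// run it was taken from; the script below resolves the export by name at
// runtime instead, so no hard-coded address is needed.

setImmediate(function() {
  console.log("[*] Starting script");
  Java.perform(function () {

    //****************************************************************************//

    //********************************hook native*********************************//
    // public static native String getMagic(Context context, int i);
    // Hook an exported function by name. findExportByName returns null when the
    // module is not loaded yet or the symbol is not exported, and
    // Interceptor.attach(null, ...) throws, so report the miss and stop instead
    // of aborting the whole script with an unhelpful exception.
    var nativePointer = Module.findExportByName("libmylib.so", "Java_cn_qssq666_testjni_MainActivity_calcAdd");
    send("method pointer:" + nativePointer);
    if (nativePointer === null) {
      send("export not found in libmylib.so (library not loaded or symbol not exported)");
      return;
    }
    // create JNIEnv.NewStringUTF Function
    //var newStringFunc = new NativeFunction(fun_pointer, 'pointer', ['pointer', 'pointer']);
    var envPointer; // saved on entry so onLeave could call JNI functions with it (currently unused)
    Interceptor.attach(nativePointer, {
      // args[0] is treated as the JNIEnv* (JNI convention); args[1] would be the
      // jclass/jobject and the int operands follow -- confirm against the Java
      // declaration of calcAdd, which is not shown here.
      onEnter: function(args) {
        envPointer = args[0];
        send("calc add : " + args[0] + ", " + args[1]);
      },
      onLeave: function(retval) {
        send("gifcore so result value: " + retval);
        //var strPointer = Memory.allocUtf8String("XXXXXXX");
        //return newStringFunc(envPointer, strPointer);
      }
    });

    // Reverse the byte order of a hex string, i.e. swap endianness of the value
    // it encodes: "78563412" -> "12345678".
    // Generalised from the fixed 8-character version: any even-length string is
    // handled, and an odd length (a half byte) is rejected instead of yielding
    // "undefined" fragments.
    // @param {string} hexStr - hex digits without a 0x prefix, even length
    // @returns {string} the same digits with byte pairs in reverse order
    // @throws {Error} if hexStr has an odd number of characters
    function revertHex(hexStr) {
      if (hexStr.length % 2 !== 0) {
        throw new Error("revertHex: hex string must have an even number of digits");
      }
      var str = "";
      for (var i = hexStr.length - 2; i >= 0; i -= 2) {
        str = str + hexStr[i] + hexStr[i + 1];
      }
      return str;
    }

  });
});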