【Android逆向】frida hook so 函数

android,逆向,frida,hook,so,函数 · 浏览次数 : 420

小编点评

## Summary of the content This content describes a Java program that uses Frida to remotely call a native method named `sayHello4` in a C++ library. **Steps involved:** 1. **APK download and decompilation:** - The program downloads an APK from the given link. - It then decompresses the APK and extracts the so file (app-debug.apk3). 2. **Using JniTest library:** - The program finds the base address of the JniTest library. - It then retrieves the addresses of the `Java_com_jwxdxnx06_myJNI_sayHello` method and the `__fastcall Java_com_jwxdxnx06_myJNI_sayHello` function. 3. **Hooking the function:** - An interceptor is set to hook the `Java_com_jwxdxnx06_myJNI_sayHello` function. - The interceptor receives the function arguments and returns a modified return value. 4. **Executing the function:** - The program retrieves the return value from the hooked function. - It prints the returned string to the console. 5. **Running Frida script:** - The program starts a Frida server and runs the script named "lesson04.js". - This script uses Frida to connect to the server and execute the `sayHello4` method. - The script captures the return value and prints it to the console. **Key points:** - The program uses Frida to dynamically load and execute code from an APK. - It hooks the `Java_com_jwxdxnx06_myJNI_sayHello` method to modify the return value. - Frida server is used to execute the script and capture the return value. **Additional notes:** - The content mentions the library name as "JniTest", but it is not defined anywhere in the code. - The specific method signature and return type may vary depending on the actual library implementation.

正文

1. apk来自52pojie

链接：https://pan.baidu.com/s/1vKC1SevvHfeI7f0d2c6IqQ 密码：u1an

2.apktool反编译apk，拿到so文件

java -jar ../apktool_2.2.4.jar d app-debug.apk

3. 用jadx 打开apk文件，观察到apk调用了一个native方法`com.jwxdxnx06.myJNI.sayHello`

4. ida 打开so文件，在导出函数表中可以看到这个对应的静态注册的函数

jstring __fastcall Java_com_jwxdxnx06_myJNI_sayHello(JNIEnv *env)
{
  return (*env)->NewStringUTF(env, "hello 52pojie!");
}

5. 编写frida脚本，主动调用这个函数

function main() {
    Java.perform(function () {

        var libJniTest_addr = Module.findBaseAddress("libJniTest.so")
        console.log("libJniTest 地址：", libJniTest_addr);

        if (libJniTest_addr) {
            var func_sayHello_addr = Module.findExportByName("libJniTest.so", "Java_com_jwxdxnx06_myJNI_sayHello");
            console.log("Java_com_jwxdxnx06_myJNI_sayHello 地址：", func_sayHello_addr);
                    
            // 主动调用
            //创建新函数,参数1：函数地址，参数2：返回值类型，参数3：函数参数类型
            var func = new NativeFunction(func_sayHello_addr, 'pointer', ['pointer'])
			// 通过Java.vm获得env
            var retVal = func(Java.vm.getEnv())
            var ret = Java.vm.getEnv().getStringUtfChars(retVal, null).readCString();
            console.log(ret)
            
        }
    })

}

setTimeout(main)

5. 尝试hook函数，改变函数的输出

function main() {
    Java.perform(function () {

        var libJniTest_addr = Module.findBaseAddress("libJniTest.so")
        console.log("libJniTest 地址：", libJniTest_addr);

        if (libJniTest_addr) {
            var func_sayHello_addr = Module.findExportByName("libJniTest.so", "Java_com_jwxdxnx06_myJNI_sayHello");
            console.log("Java_com_jwxdxnx06_myJNI_sayHello 地址：", func_sayHello_addr);
        	//hook
            Interceptor.attach(func_sayHello_addr, {
                onEnter: function(args) {
                    var env = args[0];
                    console.log("=== env: " + env)
                },
                onLeave: function(retVal) {
                    console.log("=== retVal: " + retVal)
                    var j_str = Java.vm.getEnv().newStringUtf("helloworld123")
                    retVal.replace(ptr(j_str))
                }
            })

            // 主动调用
            //创建新函数,参数1：函数地址，参数2：返回值类型，参数3：函数参数类型
            var func = new NativeFunction(func_sayHello_addr, 'pointer', ['pointer'])
            var retVal = func(Java.vm.getEnv())
            var ret = Java.vm.getEnv().getStringUtfChars(retVal, null).readCString();
            console.log(ret)
        }

    })

}

setTimeout(main)

6. 执行命令

frida -UF com.jwxdxnx06 -l lesson04.js --no-pause

日志

libJniTest 地址： 0xc73c3000
Java_com_jwxdxnx06_myJNI_sayHello 地址： 0xc73c3c5d
=== env: 0xdc411c40
=== retVal: 0x9
helloworld123