第一种:在进程的所有可读内存区域里暴力搜索 global-metadata.dat 头部的前四个字节(魔数 AF 1B B1 FA),命中后按头部字段推算出整块大小再导出。注意可能命中多处(例如文件映射本身和游戏另存的一份副本),脚本对每一处都会导出,后一次会覆盖前一次。
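/**
 * Brute-force dump of global-metadata.dat from process memory.
 *
 * Walks every readable range, scans it for the 4-byte metadata magic
 * (AF 1B B1 FA), derives the blob size from the header and writes each hit to
 * /data/data/<pkg>/global-metadata.dat. Every hit is written to the same path,
 * so when several copies exist (e.g. the file mapping plus an in-memory copy)
 * the last one wins. Relies on get_self_process_name(), defined elsewhere in
 * this script.
 *
 * Size derivation: the two ints at +0x108/+0x10C are read as the offset and
 * count of the last header section, so offset + count is taken as the file
 * size. This matches the header layout the script was written against
 * (metadata v24-era); confirm it against the target's metadata version.
 */
function scandat() {
    const MAGIC = "AF 1B B1 FA";
    console.log(" scan start...");
    Process.enumerateRanges('r--').forEach(function (range) {
        try {
            Memory.scan(range.base, range.size, MAGIC, {
                onMatch: function (address, size) {
                    // Each hit is handled on its own so that a false positive (a random
                    // 4-byte match near the end of a range, garbage header fields, ...)
                    // only skips that hit instead of aborting the scan of the whole range.
                    try {
                        // NativePointer arithmetic instead of parseInt(address, 16):
                        // keeps 64-bit addresses exact and avoids the Number round-trip.
                        const sectionOffset = address.add(0x108).readInt();
                        const sectionCount = address.add(0x10C).readInt();
                        const metadataSize = sectionOffset + sectionCount;
                        console.log("大小:", metadataSize);
                        if (sectionOffset < 0 || sectionCount < 0 || metadataSize <= 0) {
                            // Not a real header: refuse to read a negative/zero length.
                            console.log("skip: implausible size at", address);
                            return;
                        }
                        const path = "/data/data/" + get_self_process_name() + "/global-metadata.dat";
                        // readByteArray() throws if the blob is not fully mapped; the
                        // catch below reports it and the scan moves on.
                        const blob = address.readByteArray(metadataSize);
                        const file = new File(path, "wb");
                        try {
                            file.write(blob);
                            file.flush();
                        } finally {
                            file.close();
                        }
                        console.log('导出完毕:path:', path);
                    } catch (e) {
                        console.error("dump failed at " + address + ": " + e);
                    }
                },
                onError: function (reason) {
                    console.error("scan error :" + reason);
                },
                onComplete: function () {
                }
            });
        } catch (e) {
            console.error(e);
        }
    });
}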
此法参考 灯_等灯等灯 的脚本,几乎没有改动。
第二种:读取 /proc/self/maps,筛选路径里包含 global-metadata.dat 的映射并保存。注意它只能看到以文件形式 mmap 进来的映射;如果游戏把文件 read 进堆内存,或者解密后另存一份,maps 里不会出现这一行,此法就找不到。
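/**
 * Dump global-metadata.dat by locating its file-backed mapping in /proc/self/maps.
 *
 * Reads the maps file through libc (fopen/fgets), takes the first line whose
 * path contains "global-metadata.dat", and writes that mapping to
 * /sdcard/global-metadata.dat_<start>. If that fails, the same data is written
 * under /data/data/<pkg>/ instead (get_self_process_name() is defined elsewhere
 * in this script).
 *
 * Only file-backed mappings show up here: a game that read()s the file into a
 * heap buffer, or decrypts it in place, has no such line and nothing is dumped.
 * Only the first matching segment is dumped (the loop breaks after it).
 *
 * Fixes over the original: NativePointer results were tested for truthiness
 * (`if (fp)`, `while (fgets(...))`), which never detects NULL and so never
 * terminates at EOF when the name is absent; the end address was parsed from
 * the whole remainder of the line; a NULL FILE* was passed straight to fwrite()
 * (a native crash, not a JS exception); the fallback called .toInt32() on a
 * Number and wrote to a relative path; and the mapping was widened to rwx.
 */
function getLibraryMap() {
    const SoName = "global-metadata.dat";
    const fopen = new NativeFunction(Module.findExportByName(null, "fopen"), 'pointer', ['pointer', 'pointer']);
    const fgets = new NativeFunction(Module.findExportByName(null, "fgets"), 'pointer', ['pointer', 'int', 'pointer']);
    const fwrite = new NativeFunction(Module.findExportByName(null, "fwrite"), 'int', ['pointer', 'int', 'int', 'pointer']);
    const fclose = new NativeFunction(Module.findExportByName(null, "fclose"), 'int', ['pointer']);

    /**
     * Write `size` bytes starting at `start` to `path` via fwrite().
     * `perms` is the 4-char permission field from the maps line.
     * Throws on any failure so the caller can try the next location.
     */
    function writeMapping(start, size, perms, path) {
        const fp2 = fopen(Memory.allocUtf8String(path), Memory.allocUtf8String("wb+"));
        if (fp2.isNull()) {
            throw new Error("fopen failed: " + path);
        }
        // A mapping listed as r-- is already readable; only widen to r-- when it is
        // not (e.g. an anti-dump mprotect), never to rwx, and put it back afterwards.
        const needProtect = perms.charAt(0) !== 'r';
        try {
            if (needProtect && !Memory.protect(start, size, 'r--')) {
                throw new Error("Memory.protect(r--) failed at " + start);
            }
            const written = fwrite(start, size, 1, fp2);
            if (written !== 1) {
                throw new Error("fwrite wrote " + written + " of 1 block to " + path);
            }
        } finally {
            if (needProtect && perms.length >= 3) {
                Memory.protect(start, size, perms.substring(0, 3));
            }
            fclose(fp2);
        }
        console.log('dump_so_path:', path);
    }

    const LINE_MAX = 512;
    const line = Memory.alloc(LINE_MAX);
    const fp = fopen(Memory.allocUtf8String("/proc/self/maps"), Memory.allocUtf8String("rt"));
    // NativePointer objects are always truthy; NULL must be tested with isNull().
    if (fp.isNull()) {
        console.error("fopen(/proc/self/maps) failed");
        return;
    }
    try {
        // Same rule for fgets(): the bare `while (fgets(...))` never sees EOF.
        while (!fgets(line, LINE_MAX, fp).isNull()) {
            const entry = line.readUtf8String();
            if (!entry.includes(SoName)) {
                continue;
            }
            console.log(entry);
            // maps line: "start-end perms offset dev inode path"
            const fields = entry.trim().split(/\s+/);
            const [startHex, endHex] = fields[0].split("-");
            const perms = fields.length > 1 ? fields[1] : "";
            const startaddr = "0x" + startHex;
            const endaddr = "0x" + endHex;
            const start = ptr(startaddr);
            const size = ptr(endaddr).sub(start).toInt32();
            try {
                writeMapping(start, size, perms, "/sdcard/" + SoName + "_" + startaddr);
            } catch (e) {
                console.error(e);
                // Fallback: the app's private data dir, as the other dumpers in this
                // script use (the original relative path resolved against the process
                // cwd, which an app cannot normally write to).
                const fallback = "/data/data/" + get_self_process_name() + "/" + SoName + "_" + startaddr;
                try {
                    writeMapping(start, size, perms, fallback);
                } catch (e2) {
                    console.error(e2);
                }
            }
            break;
        }
    } finally {
        fclose(fp);
    }
}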
此法参考FateHack 。
第三种:反编译 libil2cpp.so,在字符串窗口搜索 global-metadata.dat,交叉引用找到加载它的函数,hook 该函数拿到返回的首地址后按头部字段推算大小再 dump。脚本里的偏移(0x64EB74)只对本例的那个版本有效,换游戏或换版本都要重新找。
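/**
 * Dump global-metadata.dat by hooking the libil2cpp.so routine that loads it.
 *
 * `loaderOffset` is the offset, from the libil2cpp.so base, of the function
 * whose return value is the address of the loaded metadata (found by searching
 * the binary's strings for "global-metadata.dat"). It is specific to one build
 * of one game; the default is the value from the original post.
 *
 * Size derivation and output path match scandat(): the two ints at
 * +0x108/+0x10C are read as the last header section's offset and count, their
 * sum is taken as the file size (header layout of the metadata v24 era —
 * confirm for the target's version), and the blob is written to
 * /data/data/<pkg>/global-metadata.dat. Relies on get_self_process_name(),
 * defined elsewhere in this script.
 */
function starthook(loaderOffset = 0x64EB74) {
    const baseaddr = Module.findBaseAddress("libil2cpp.so");
    console.log("baseaddr:", baseaddr);
    if (baseaddr === null) {
        // findBaseAddress() returns null until the library is loaded; the original
        // threw a TypeError on .add() at this point.
        console.error("libil2cpp.so is not loaded yet; attach the hook after it is loaded");
        return;
    }
    Interceptor.attach(baseaddr.add(loaderOffset), {
        // The hooked function returns the start address of the loaded metadata.
        onLeave: function (retval) {
            // Declared locally; the original assigned an undeclared global `address`.
            const address = retval;
            if (address.isNull()) {
                console.error("metadata loader returned NULL");
                return;
            }
            try {
                // NativePointer arithmetic instead of parseInt(address, 16).
                const sectionOffset = address.add(0x108).readInt();
                const sectionCount = address.add(0x10C).readInt();
                const metadataSize = sectionOffset + sectionCount;
                console.log("大小:", metadataSize);
                if (sectionOffset < 0 || sectionCount < 0 || metadataSize <= 0) {
                    console.error("implausible metadata size, not dumping");
                    return;
                }
                const path = "/data/data/" + get_self_process_name() + "/global-metadata.dat";
                const blob = address.readByteArray(metadataSize);
                const file = new File(path, "wb");
                try {
                    file.write(blob);
                    file.flush();
                } finally {
                    file.close();
                }
                console.log('导出完毕:path:', path);
            } catch (e) {
                console.error("dump failed: " + e);
            }
        }
    });
}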
最后,别问我怎么用?会了也不告诉你。。。