
2020-06-05-Frida辅助分析OLLVM混淆的算法

看雪的安卓培训网课例子动手做了一遍,记录下Frida辅助分析OLLVM混淆的相关方法(自己记录总结备忘用的,详细的讲解还是推荐去听看雪的课,附件先暂不提供下载)。

L4: Frida 辅助分析OLLVM字符串混淆

hook_l4.js:

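/**
 * Print the NUL-terminated string located at a fixed offset inside
 * libhello-jni.so, i.e. read the decrypted text straight out of the mapped
 * module once the string-obfuscation routine has run.
 *
 * @param {number} addr - Offset of the string relative to the module base.
 */
function print_str(addr) {
  const base_libjni = Module.findBaseAddress("libhello-jni.so");
  // findBaseAddress() yields null while the library is not mapped yet; the
  // original dereferenced it unconditionally and threw a TypeError.
  if (base_libjni === null) {
    console.log("str: libhello-jni.so not loaded, offset", ptr(addr));
    return;
  }
  const addr_str = base_libjni.add(addr);
  console.log("str:", addr_str, addr_str.readCString());
}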

/**
 * Dump the string constants referenced by the first obfuscated routine
 * (the `v6 = off_33D60` site in the decompiler output).
 */
function hook_native_001() {
  const offsets = [0x37070, 0x37080, 0x37010, 0x37050, 0x370A8, 0x370C0];
  for (const off of offsets) {
    print_str(off);
  }
}

/**
 * Dump the two string constants the second routine wires into xmmword_3E1E8
 * (dword_3E1B4 and byte_3E1BA in the decompiler output).
 */
function hook_native_002() {
  [0x3E1B4, 0x3E1BA].forEach((off) => print_str(off));
}
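/**
 * Resolve the art::JNI entry points (skipping the CheckJNI wrappers) in
 * libart.so and hook RegisterNatives, printing every JNINativeMethod the
 * target registers: name, signature and the native function pointer.
 *
 * Addresses for GetStringUTFChars, FindClass, GetStaticFieldID and
 * SetStaticIntField are resolved and logged as well; their hooks are kept
 * below as comments and can be enabled individually.
 */
function hook_libart() {
  const module_libart = Process.findModuleByName("libart.so");
  if (module_libart === null) {
    // Nothing to enumerate; the original dereferenced null here.
    console.log("libart.so not loaded");
    return;
  }
  // Alternative: Module.load("libc.so").enumerateSymbols()
  const symbols = module_libart.enumerateSymbols();

  // Substring that identifies each JNI function inside the mangled name.
  const needles = {
    GetStringUTFChars: "GetStringUTFChars",
    FindClass: "art3JNI9FindClass",
    GetStaticFieldID: "GetStaticFieldID",
    SetStaticIntField: "SetStaticIntField",
    RegisterNatives: "RegisterNatives",
  };
  const addr = {
    GetStringUTFChars: null,
    FindClass: null,
    GetStaticFieldID: null,
    SetStaticIntField: null,
    RegisterNatives: null,
  };

  for (const sym of symbols) {
    // Only art:: symbols, and not the CheckJNI variants, which wrap the real
    // implementation and would double-report every call.
    if (!sym.name.includes("art") || sym.name.includes("CheckJNI")) {
      continue;
    }
    for (const [key, needle] of Object.entries(needles)) {
      if (sym.name.includes(needle)) {
        addr[key] = sym.address; // last match wins, as in the original
        console.log(sym.name, sym.address);
      }
    }
  }

  // Hooks from the lesson that are currently disabled (uncomment as needed):
  // GetStringUTFChars -> onLeave: console.log("GetStringUTFChars:", retval.readCString())
  //   (a Thread.backtrace(this.context, Backtracer.FUZZY) in onEnter shows
  //    which code in the .so asked for the string; ACCURATE is the other mode)
  // FindClass         -> onEnter: args[1].readCString()
  // GetStaticFieldID  -> onEnter: args[2].readCString(), args[3].readCString()
  // SetStaticIntField -> onEnter: args[3]

  if (addr.RegisterNatives !== null) {
    Interceptor.attach(addr.RegisterNatives, {
      onEnter(args) {
        // RegisterNatives(env, clazz, const JNINativeMethod* methods, jint nMethods);
        // each JNINativeMethod is three pointers: {name, signature, fnPtr}.
        // The original printed only the first entry; walk the whole table.
        const methods = args[2];
        const count = args[3].toInt32();
        const stride = Process.pointerSize * 3;
        console.log("addr_RegisterNatives:\n", hexdump(methods));
        for (let i = 0; i < count; i++) {
          const entry = methods.add(i * stride);
          console.log("addr_RegisterNatives name:", entry.readPointer().readCString());
          console.log("addr_RegisterNatives sign:", entry.add(Process.pointerSize).readPointer().readCString());
          console.log("addr_RegisterNatives fnPtr:", entry.add(Process.pointerSize * 2).readPointer());
        }
      },
    });
  }
}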
/**
 * Instruction-level hook at libhello-jni.so+0x7320: prints register x13,
 * which holds the XOR operand at that point.
 *
 * Stable on arm64 only. On arm32 the hook is unreliable because 32-bit code
 * may contain 2-byte Thumb instructions, so the target address has to sit
 * exactly on an instruction boundary.
 */
function inline_hook() {
  const base_libjni = Module.findBaseAddress("libhello-jni.so");
  console.log("base_libjni", base_libjni);
  if (base_libjni == null) {
    return;
  }
  const addr_hook = base_libjni.add(0x7320);
  Interceptor.attach(addr_hook, {
    onEnter(args) {
      // w13 is the low 32 bits of x13.
      console.log("xor:", this.context.x13);
    },
    onLeave(retval) {},
  });
}

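/**
 * Hook both loader entry points so inline_hook() is installed as soon as
 * libhello-jni.so has finished loading.
 *
 *  - dlopen: the path used on Android 6.0
 *  - android_dlopen_ext: what library loading goes through on newer
 *    Android versions
 *
 * The hook is armed in onEnter (when the path is known) and fired in
 * onLeave (when the module is mapped and its base address resolvable).
 */
function hook_dlopen() {
  // Install the same handler on one loader export; skip exports this libc
  // does not provide instead of calling Interceptor.attach(null).
  const watch = (exportName) => {
    const addr = Module.findExportByName(null, exportName);
    if (addr === null) {
      console.log(exportName, "not exported, skipping");
      return;
    }
    Interceptor.attach(addr, {
      onEnter(args) {
        this.flag = false;
        // dlopen(NULL, ...) is legal (handle to the main program), so the
        // path may be absent; the original called .indexOf on it regardless.
        const dlopen_name = args[0].isNull() ? null : args[0].readCString();
        // Log under the real export name (the original tagged both "android_dlopen_ext:").
        console.log(`${exportName}:`, dlopen_name);
        if (dlopen_name !== null && dlopen_name.includes("libhello-jni.so")) {
          this.flag = true;
        }
      },
      onLeave(retval) {
        if (this.flag) {
          inline_hook();
        }
      },
    });
  };

  watch("dlopen");
  watch("android_dlopen_ext");
}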

/** Entry point: arm the loader hook and the libart RegisterNatives hook. */
function main() {
  hook_dlopen();
  hook_libart();
  // Run these once the strings have been decrypted in memory:
  // hook_native_001();
  // hook_native_002();
}

// Defer until the script has finished loading.
setImmediate(main);

L5: Frida 辅助分析OLLVM 控制流平坦化

/**
 * Wrap HelloJni.sign2 at the Java level so each call's inputs and result
 * are logged; the original implementation is still invoked.
 */
function hook_java() {
  Java.perform(() => {
    const HelloJni = Java.use("com.example.hellojni.HelloJni");
    HelloJni.sign2.implementation = function (str, str2) {
      const ret = this.sign2(str, str2);
      console.log("sign2 arg1:", str, "arg2:", str2, "ret:", ret);
      return ret;
    };
  });
}

/**
 * Invoke sign2 on every live HelloJni instance with fixed inputs, so the
 * native side can be traced with known plaintext.
 */
function call_sign2() {
  Java.perform(() => {
    Java.choose("com.example.hellojni.HelloJni", {
      onMatch(instance) {
        const result = instance.sign2("0123456789", "abcdefgh");
        console.log("instance:", result);
      },
      onComplete(ret) {},
    });
  });
}

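/**
 * Attach enter/leave tracers to the helper routines of the flattened sign2
 * implementation and dump their buffer arguments, so the data flow between
 * the sub_* functions can be followed despite the control-flow flattening.
 *
 * Offsets are relative to libhello-jni.so. Routines examined earlier in the
 * lesson (0x13558, 0x12D70, 0x162b8, 0x130F0, 0x15F1C) are no longer
 * hooked; the three below are the ones whose buffers carry the state.
 */
function hook_native() {
  const base_libjni = Module.findBaseAddress("libhello-jni.so");
  if (base_libjni === null) {
    // Nothing is mapped yet; the original threw on .add() here.
    console.log("libhello-jni.so not loaded");
    return;
  }

  const DUMP_OPTS = { offset: 0, length: 64, header: true, ansi: true };

  // Hexdump the first 64 bytes of the first `dumpCount` pointer arguments on
  // entry and again on exit, so in-place modification of the buffers is
  // visible. `extraArg` (optional) is the index of a non-pointer argument to
  // print raw on entry only.
  const traceBuffers = (name, offset, dumpCount, extraArg) => {
    Interceptor.attach(base_libjni.add(offset), {
      onEnter(args) {
        this.bufs = [];
        for (let i = 0; i < dumpCount; i++) {
          this.bufs.push(args[i]);
          console.log(`${name} OnEnter: arg${i}=`, hexdump(args[i], DUMP_OPTS));
        }
        if (extraArg !== undefined) {
          console.log(`${name} OnEnter: arg${extraArg}=`, args[extraArg]);
        }
      },
      onLeave(retval) {
        this.bufs.forEach((buf, i) => {
          console.log(`${name} OnLeave: arg${i}=`, hexdump(buf, DUMP_OPTS));
        });
      },
    });
  };

  traceBuffers("sub_154D4", 0x154D4, 2, 2);
  traceBuffers("sub_14844", 0x14844, 2);
  traceBuffers("sub_158AC", 0x158AC, 2);
}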

/** Entry point: install the Java-level and native tracers. */
function main() {
  hook_java();
  hook_native();
}

// Defer until the script has finished loading.
setImmediate(main);

L6.1: Frida 辅助分析OLLVM 指令替换

/**
 * Java-level sign2 wrapper. Left disabled in this lesson, since hook_native()
 * traces the JNI export directly; uncomment the body to re-enable it.
 */
function hook_java() {
  // Java.perform(() => {
  //   const HelloJni = Java.use("com.example.hellojni.HelloJni");
  //   HelloJni.sign2.implementation = function (str1, str2) {
  //     const ret = this.sign2(str1, str2);
  //     console.log("sign2: arg1=", str1, " arg2=", str2, " ret=", ret);
  //     return ret;
  //   };
  // });
}

/**
 * Call sign2 with fixed inputs on every live HelloJni instance so the native
 * tracers see known plaintext.
 */
function call_sign2() {
  Java.perform(() => {
    Java.choose("com.example.hellojni.HelloJni", {
      onMatch(instance) {
        instance.sign2("0123456789", "abcdefgh");
      },
      onComplete(ret) {},
    });
  });
}

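/**
 * Trace the JNI export Java_com_example_hellojni_HelloJni_sign2 and the
 * internal routines it calls, dumping their string / buffer arguments.
 *
 * Offsets are relative to libhello-jni.so. sub_1DFB4 and sub_1E298 were
 * inspected earlier (note: IDA's __usercall prototype for sub_1DFB4 may not
 * reflect the real argument passing) and are left unhooked here.
 */
function hook_native() {
  const libjni_base = Module.findBaseAddress("libhello-jni.so");
  const sign2 = Module.findExportByName("libhello-jni.so", "Java_com_example_hellojni_HelloJni_sign2");
  console.log("base:", libjni_base, "sign2:", sign2);
  if (libjni_base === null || sign2 === null) {
    // Library not mapped or export missing: the original would have thrown
    // on .add() / Interceptor.attach(null).
    return;
  }

  // Copy a jstring out as a JS string through the current thread's JNI env,
  // releasing the UTF buffer afterwards (the original never released it).
  // See frida-java-bridge's env.js for getStringUtfChars/releaseStringUtfChars.
  const jstringToString = (jstr) => {
    const env = Java.vm.tryGetEnv();
    if (env === null) {
      return null;
    }
    const utf = env.getStringUtfChars(jstr);
    try {
      return utf.readCString();
    } finally {
      env.releaseStringUtfChars(jstr, utf);
    }
  };

  Interceptor.attach(sign2, {
    onEnter(args) {
      // JNI signature: (JNIEnv*, jobject thiz, jstring str1, jstring str2)
      this.str1 = args[2];
      this.str2 = args[3];
      console.log("Native: str1=", jstringToString(this.str1), " str2=", jstringToString(this.str2));
    },
    onLeave(retval) {
      console.log("Native: retval=", jstringToString(retval));
    },
  });

  const DUMP80 = { offset: 0, length: 80, header: true, ansi: true };

  const sub_1AB4C = libjni_base.add(0x1AB4C);
  Interceptor.attach(sub_1AB4C, {
    onEnter(args) {
      this.arg0 = args[0];
      this.arg1 = args[1];
      this.arg2 = args[2];
      console.log("sub_1AB4C onEnter: arg0=", this.arg0.readCString(), " arg1=", this.arg1);
    },
    onLeave(retval) {
      console.log("sub_1AB4C onLeave: arg2=", hexdump(this.arg2, { offset: 0, length: 16, header: true, ansi: true }));
    },
  });

  // sub_171C4 and sub_18490 both take two buffers that are dumped on entry.
  // On exit sub_171C4's result pointer is dumped, while sub_18490's two
  // inputs are dumped again to show what it wrote into them.
  const traceTwoBuffers = (name, offset, dumpRetval) => {
    Interceptor.attach(libjni_base.add(offset), {
      onEnter(args) {
        this.arg0 = args[0];
        this.arg1 = args[1];
        console.log(`${name} onEnter: arg0=`, hexdump(this.arg0, DUMP80));
        console.log(`${name} onEnter: arg1=`, hexdump(this.arg1, DUMP80));
      },
      onLeave(retval) {
        if (dumpRetval) {
          console.log(`${name} onLeave: retval=`, hexdump(retval, DUMP80));
        } else {
          console.log(`${name} onLeave: arg0=`, hexdump(this.arg0, DUMP80));
          console.log(`${name} onLeave: arg1=`, hexdump(this.arg1, DUMP80));
        }
      },
    });
  };

  traceTwoBuffers("sub_171C4", 0x171C4, true);
  traceTwoBuffers("sub_18490", 0x18490, false);
}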

/** Entry point: install the (disabled) Java wrapper and the native tracers. */
function main() {
  hook_java();
  hook_native();
}
// Defer until the script has finished loading.
setImmediate(main);

L6.2: Frida 辅助分析OLLVM 控制流混淆

/**
 * Wrap HelloJni.sign2 at the Java level and log its two inputs and the
 * result; the original implementation is still called.
 */
function hook_java() {
  Java.perform(() => {
    const HelloJni = Java.use("com.example.hellojni.HelloJni");
    HelloJni.sign2.implementation = function (str1, str2) {
      const ret = this.sign2(str1, str2);
      console.log("sign2: arg1=", str1, "arg2=", str2, "ret=", ret);
      return ret;
    };
  });
}

/**
 * Call sign2 with fixed inputs on every live HelloJni instance so the native
 * tracers see known plaintext.
 */
function call_sign2() {
  Java.perform(() => {
    Java.choose("com.example.hellojni.HelloJni", {
      onMatch(instance) {
        instance.sign2("0123456789", "abcdefgh");
      },
      onComplete(ret) {},
    });
  });
}

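/**
 * Trace the internal routines of the bogus-control-flow build of sign2,
 * logging their string arguments on entry and exit.
 *
 * Several routines are read at +1 from the argument pointer, which is where
 * the lesson found the character data to start (presumably a one-byte
 * header in front of the string; confirm against the disassembly).
 */
function hook_native() {
  const libjni_base = Module.findBaseAddress("libhello-jni.so");
  const sign2 = Module.findExportByName("libhello-jni.so", "Java_com_example_hellojni_HelloJni_sign2");
  console.log("base:", libjni_base, "sign2:", sign2);
  if (libjni_base === null) {
    // Not mapped yet; the original threw on .add() here.
    return;
  }

  // Read a C string `off` bytes past `p`.
  const cstr = (p, off = 0) => p.add(off).readCString();
  // Attach to a module-relative offset.
  const hook = (offset, callbacks) => Interceptor.attach(libjni_base.add(offset), callbacks);

  hook(0x12B44, {
    onEnter(args) {
      this.arg1 = args[0];
      this.arg2 = args[1];
      console.log("sub_12B44 onEnter: arg1=", cstr(this.arg1), "arg2=", cstr(this.arg2));
    },
    onLeave(retval) {
      console.log("sub_12B44 onLeave: arg1=", cstr(this.arg1, 1));
    },
  });

  hook(0x1391C, {
    onEnter(args) {
      this.arg1 = args[0];
      this.arg2 = args[1];
    },
    onLeave(retval) {
      console.log("sub_1391C onLeave: arg1=", cstr(this.arg1, 1));
    },
  });

  hook(0x18D30, {
    onEnter(args) {
      this.arg1 = args[0];
      this.arg2 = args[1];
      this.arg3 = args[2];
      console.log("sub_18D30 onEnter: arg1=", cstr(this.arg1), "arg2=", cstr(this.arg2));
    },
    onLeave(retval) {
      console.log("sub_18D30 onLeave: retval=", hexdump(retval));
    },
  });

  hook(0x18AB0, {
    onEnter(args) {
      this.arg1 = args[0];
      this.arg2 = args[1];
      // AArch64: a return value normally comes back in x0, but a large
      // struct result is written through the address held in x8 on entry.
      // Save x8 now and read the result through it on leave (here a
      // jstring-like object whose data pointer sits at +0x10). If x0 shows
      // nothing useful, check the disassembly for an x8-based return.
      this.x8 = this.context.x8;
      console.log("sub_18AB0 onEnter: arg1=", cstr(this.arg1, 1), "arg2=", cstr(this.arg2, 1));
    },
    onLeave(retval) {
      console.log("sub_18AB0 onLeave: retx8 =", hexdump(this.x8.add(Process.pointerSize * 2).readPointer()));
    },
  });

  hook(0x12CF4, {
    onEnter(args) {
      this.arg1 = args[0];
      console.log("sub_12CF4 onEnter: arg1=", cstr(this.arg1, 1));
    },
    onLeave(retval) {
      console.log("sub_12CF4 onLeave: arg1=", cstr(this.arg1, 1));
    },
  });

  hook(0x16900, {
    onEnter(args) {
      this.arg1 = args[0];
      this.arg2 = args[1];
      this.arg3 = args[2];
      console.log("sub_16900 onEnter: arg1=", cstr(this.arg1));
      console.log("sub_16900 onEnter: arg2=", this.arg2);
      console.log("sub_16900 onEnter: arg3=", cstr(this.arg3));
    },
    onLeave(retval) {
      // arg3 is an output buffer: hexdump it rather than reading a C string.
      console.log("sub_16900 onLeave: arg1=", cstr(this.arg1));
      console.log("sub_16900 onLeave: arg2=", this.arg2);
      console.log("sub_16900 onLeave: arg3=", hexdump(this.arg3));
    },
  });
}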

/** Entry point: install the Java-level wrapper and the native tracers. */
function main() {
  hook_java();
  hook_native();
}
// Defer until the script has finished loading.
setImmediate(main);

L7:Frida 辅助分析非标准算法

L8:IDA Trace 辅助分析非标准算法

L9:IDA Trace辅助分析OLLVM混淆的非标准算法

后面三课的内容涉及的Frida用法不多,而且之前也都已经涉及到,后面有空了连同上一篇补充下细节。

小结

  1. 个人感觉Frida辅助分析OLLVM主要在于运行时HOOK获取到解密后的字符串,以及通过交叉引用获取到程序的参数。

附件下载:链接