
Frida dump cocos2dlua 脚本源码

adb 转发命令

adb forward tcp:27042 tcp:27042

adb forward tcp:27043 tcp:27043

frida -U -f 包名 --no-pause：启动 App，从最开始就进行 hook
frida -U -f 包名 --no-pause -l 脚本名称：和上面一样，但会同时加载指定的 js 脚本

再贴一个 hook cocos 加载 lua 的脚本吧，它会等 so 加载完成之后才进行 hook。

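Java.perform(function () {
	// Set once the luaL_loadbuffer listener exists, so that a second load of the
	// library does not stack another listener on the same function.
	var luaHookInstalled = false;

	// When the app is spawned its native libraries are not mapped yet, so the
	// loader is watched and the Lua hook is installed only after
	// libcocos2dlua.so has actually been opened.
	var android_dlopen_ext = Module.findExportByName(null, "android_dlopen_ext");
	console.log(android_dlopen_ext);
	if (android_dlopen_ext !== null) {
		Interceptor.attach(android_dlopen_ext, {
			onEnter: function (args) {
				// args[0] is the library path given to the loader. The string read
				// can come back null, so check before calling indexOf on it.
				var soName = args[0].readCString();
				console.log(soName);
				this.hook = soName !== null && soName.indexOf("libcocos2dlua.so") !== -1;
			},
			onLeave: function (retval) {
				// Exports can only be resolved after the loader has returned.
				if (this.hook) {
					dlopentodo();
				}
			}
		});
	}

	/**
	 * Hooks luaL_loadbuffer in libcocos2dlua.so and writes every chunk handed to
	 * the Lua loader into /storage/emulated/0/frida/lua/ (the directory must
	 * already exist and be writable by the app).
	 *
	 * The loader receives the chunk after the engine has prepared it for
	 * execution, which is why encrypting script assets at rest with a key that
	 * ships inside the client does not keep them confidential from anyone able
	 * to instrument the process.
	 */
	function dlopentodo() {
		if (luaHookInstalled) {
			return;
		}
		var loadbuffer = Module.findExportByName("libcocos2dlua.so", "luaL_loadbuffer");
		if (loadbuffer === null) {
			// Interceptor.attach throws on a null target; report and bail out instead.
			console.log("luaL_loadbuffer export not found in libcocos2dlua.so");
			return;
		}
		luaHookInstalled = true;

		// int luaL_loadbuffer(lua_State *L, const char *buff, size_t sz, const char *name)
		Interceptor.attach(loadbuffer, {
			onEnter: function (args) {
				var chunkName = args[3].readCString();
				var size = args[2].toInt32();
				if (chunkName === null || size <= 0) {
					return;
				}

				// The chunk name comes from the target process; replacing "/" with "."
				// flattens it into a single file name inside the dump directory.
				this.fileout = "/storage/emulated/0/frida/lua/" + chunkName.split("/").join(".");
				console.log("read file from: " + this.fileout);

				var tmp = args[1].readByteArray(size);
				try {
					var file = new File(this.fileout, "w");
					file.write(tmp);
					file.flush();
					file.close();
				} catch (e) {
					console.log("could not write " + this.fileout + ": " + e);
				}

				// buff is length-delimited, not NUL-terminated, so bound the string
				// read by sz instead of scanning memory for a terminator.
				console.log("lual_loadbuffer (" + chunkName + " ," + args[1].readCString(size) + ")");
			},
			onLeave: function (retval) {
				//console.log(retval)
			}
		});
	}

});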


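// Another snippet: log the XXTEA key each time the engine decrypts a buffer.
//
// The mangled symbol decodes to
//   xxtea_decrypt(unsigned char*, unsigned int, unsigned char*, unsigned int, unsigned int*)
// so args[2] is the key buffer and args[3] its length. The key reaches this
// function in plaintext on every call, so a key embedded in the client only
// obfuscates the assets; it does not protect them from an instrumented process.
(function () {
	var xxteaDecrypt = Module.findExportByName("libcocos2dlua.so", "_Z13xxtea_decryptPhjS_jPj");
	if (xxteaDecrypt === null) {
		// This runs at script load. If the library is not mapped yet the lookup
		// returns null and Interceptor.attach would throw.
		console.log("xxtea_decrypt export not found; is libcocos2dlua.so loaded yet?");
		return;
	}

	Interceptor.attach(xxteaDecrypt, {
		onEnter: function (args) {
			// The key is a length-delimited byte buffer, so bound the read by the
			// length argument instead of relying on a NUL terminator.
			// NOTE(review): readUtf8String presumably fails on keys that are not
			// valid UTF-8 - confirm, and hexdump such keys instead.
			var keyLen = args[3].toInt32();
			console.log(args[2].readUtf8String(keyLen));
			console.log("\n");
		},
		onLeave: function (retval) {
			//console.log(retval)
		}
	});
})();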

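		// Trace cocos2d::LuaStack::setXXTEAKeyAndSign(const char *key, int keyLen,
		// const char *sign, int signLen). For this member function args[0] is the
		// LuaStack object itself and the declared parameters follow it.
		(function () {
			var setKeyAndSign = Module.findExportByName("libcocos2dlua.so", "_ZN7cocos2d8LuaStack18setXXTEAKeyAndSignEPKciS2_i");
			if (setKeyAndSign === null) {
				// Interceptor.attach throws on a null target (library not loaded yet,
				// or the symbol is stripped/renamed in this build).
				console.log("setXXTEAKeyAndSign export not found; is libcocos2dlua.so loaded yet?");
				return;
			}

			Interceptor.attach(setKeyAndSign, {
				onEnter: function (args) {
					console.log("cocos2d::LuaStack::setXXTEAKeyAndSign");
					// Store the object pointer on the per-invocation `this` rather than
					// in an implicit global, which concurrent calls would overwrite.
					this.self = args[0];

					// NOTE(review): offset 56 is the original author's value, presumably
					// where the key/sign fields sit in their build - confirm per target.
					console.log(hexdump(args[0], {
						offset: 56,
						length: 128,
						ansi: true,
					}));

					// this (reads the object's leading bytes as a C string, so the
					// output is unlikely to be readable)
					console.log(args[0].readCString());
					// key
					console.log(args[1].readCString());
					// key length
					console.log(args[2].toInt32());
					// sign
					console.log(args[3].readCString());
					// sign length
					console.log(args[4].toInt32());
				},
				onLeave: function (retval) {
					console.log(retval);
					// Same window of the object after the call, to compare with the
					// dump taken in onEnter.
					console.log(hexdump(this.self, {
						offset: 56,
						length: 128,
						ansi: true,
					}));
				}
			});
		})();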


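        // Dump the start of the buffer passed to
        // cocos2d::Image::initWithImageData(const unsigned char *data, long dataLen)
        // on entry and again on return, so the two dumps can be compared.
        (function () {
            var initWithImageData = Module.findExportByName("libcocos2dlua.so", "_ZN7cocos2d5Image17initWithImageDataEPKhl");
            if (initWithImageData === null) {
                // Interceptor.attach throws on a null target (library not loaded yet,
                // or the symbol is absent in this build).
                console.log("Image::initWithImageData export not found; is libcocos2dlua.so loaded yet?");
                return;
            }

            Interceptor.attach(initWithImageData, {
                onEnter: function (args) {
                    // Per-invocation state: a shared variable would let one call's
                    // onLeave dump another call's buffer.
                    this.data = args[1];
                    // Never read past the caller's buffer: cap the dump at dataLen.
                    this.dumpLen = Math.min(128, Math.max(0, args[2].toInt32()));
                    if (this.data.isNull()) {
                        this.dumpLen = 0;
                        return;
                    }
                    console.log(hexdump(this.data, {
                        offset: 0,
                        length: this.dumpLen,
                    }));
                },
                onLeave: function (retval) {
                    if (this.dumpLen === 0) {
                        return;
                    }
                    console.log(hexdump(this.data, {
                        offset: 0,
                        length: this.dumpLen,
                    }));
                }
            });
        })();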
版权声明:本文采用知识共享 署名4.0国际许可协议 [BY-NC-SA] 进行授权
文章名称:《Frida dump cocos2dlua 脚本源码》
文章链接:https://www.lfjrj.cn/577.html
本站资源仅供个人学习交流,请于下载后24小时内删除,不允许用于商业用途,否则法律问题自行承担。