adb 转发命令
adb forward tcp:27042 tcp:27042
adb forward tcp:27043 tcp:27043
frida -U -f 包名 --no-pause 启动App,从最开始就hook
frida -U -f 包名 --no-pause -l 脚本名称 和上面一样,但是加载了js脚本
再贴一个hook cocos 加载lua的脚本吧 会在加载so之后才会hook
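// Frida instrumentation script for an app that embeds libcocos2dlua.so.
//
// Part 1 watches android_dlopen_ext and, once the Cocos2d-x Lua library has
// been loaded, attaches to luaL_loadbuffer so every Lua chunk handed to the
// interpreter is copied to /storage/emulated/0/frida/lua/.
// Part 2 (a separate snippet on the original page) logs the third argument of
// xxtea_decrypt, which the page author identifies as the XXTEA key.
//
// Both parts observe data after the app itself has decrypted it or is about
// to decrypt it, so a key shipped inside the client only obscures the Lua
// sources; it does not keep them confidential.
Java.perform(function () {
  var LIB_NAME = "libcocos2dlua.so";
  // Guards against attaching a second listener if the library is dlopen'ed again.
  var loaderHooked = false;

  var android_dlopen_ext = Module.findExportByName(null, "android_dlopen_ext");
  console.log(android_dlopen_ext);

  if (android_dlopen_ext !== null) {
    Interceptor.attach(android_dlopen_ext, {
      onEnter: function (args) {
        // readCString() yields null for a NULL path; check before indexOf().
        var soName = args[0].readCString();
        console.log(soName);
        if (soName !== null && soName.indexOf(LIB_NAME) !== -1) {
          // Per-invocation flag: only this dlopen call triggers the hook setup.
          this.hook = true;
        }
      },
      onLeave: function (retval) {
        // The exports are only resolvable after the loader has returned.
        if (this.hook && !loaderHooked) {
          dlopentodo();
        }
      }
    });
  }

  // Attach to the function that loads Lua chunks.
  function dlopentodo() {
    var loadbuffer = Module.findExportByName(LIB_NAME, "luaL_loadbuffer");
    if (loadbuffer === null) {
      // Load failed or the symbol is not exported; attaching to null would throw.
      console.log("luaL_loadbuffer not found in " + LIB_NAME);
      return;
    }
    loaderHooked = true;

    Interceptor.attach(loadbuffer, {
      onEnter: function (args) {
        // luaL_loadbuffer(L, buff, sz, name): args[1]=buff, args[2]=sz, args[3]=name.
        var size = args[2].toInt32();
        var chunkName = args[3].readCString();
        if (chunkName === null) {
          console.log("luaL_loadbuffer: chunk name is NULL, skipping");
          return;
        }

        // Flatten the chunk path into a single file name ("/" -> ".").
        this.fileout = "/storage/emulated/0/frida/lua/" + chunkName.split("/").join(".");
        console.log("read file from: " + this.fileout);

        var tmp = args[1].readByteArray(size);
        var file = new File(this.fileout, "w");
        try {
          file.write(tmp);
          file.flush();
        } finally {
          // Release the handle even if the write fails.
          file.close();
        }

        // The buffer is length-delimited, not NUL-terminated: bound the read.
        console.log("lual_loadbuffer (" + chunkName + " ," + args[1].readCString(size) + ")");
      },
      onLeave: function (retval) {
        //console.log(retval)
      }
    });
  }
});

// Separate snippet: log the XXTEA key.
// _Z13xxtea_decryptPhjS_jPj demangles to
// xxtea_decrypt(unsigned char*, unsigned int, unsigned char*, unsigned int, unsigned int*).
// This runs at script load, so the library must already be loaded.
var xxteaDecryptAddr = Module.findExportByName("libcocos2dlua.so", "_Z13xxtea_decryptPhjS_jPj");
if (xxteaDecryptAddr !== null) {
  Interceptor.attach(xxteaDecryptAddr, {
    onEnter: function (args) {
      console.log(args[2].readUtf8String());
      console.log("\n");
    },
    onLeave: function (retval) {
      //console.log(retval)
    }
  });
} else {
  console.log("xxtea_decrypt not found in libcocos2dlua.so");
}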
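// Log the arguments of cocos2d::LuaStack::setXXTEAKeyAndSign(const char*, int,
// const char*, int) and dump part of the LuaStack object before and after the call.
// This runs at script load, so libcocos2dlua.so must already be loaded.
var setKeyAndSignAddr = Module.findExportByName(
  "libcocos2dlua.so",
  "_ZN7cocos2d8LuaStack18setXXTEAKeyAndSignEPKciS2_i"
);
if (setKeyAndSignAddr !== null) {
  Interceptor.attach(setKeyAndSignAddr, {
    onEnter: function (args) {
      console.log("cocos2d::LuaStack::setXXTEAKeyAndSign");
      // Keep the object pointer on the invocation context rather than in an
      // implicit global, so concurrent calls cannot overwrite each other's value.
      this.luaStack = args[0];
      console.log(hexdump(args[0], {
        offset: 56,
        length: 128,
        ansi: true
      }));
      // this
      console.log(args[0].readCString());
      // key
      console.log(args[1].readCString());
      // key length
      console.log(args[2].toInt32());
      // sign
      console.log(args[3].readCString());
      // sign length
      console.log(args[4].toInt32());
    },
    onLeave: function (retval) {
      console.log(retval);
      // Same window of the object after the setter has run.
      console.log(hexdump(this.luaStack, {
        offset: 56,
        length: 128,
        ansi: true
      }));
    }
  });
} else {
  console.log("cocos2d::LuaStack::setXXTEAKeyAndSign not found in libcocos2dlua.so");
}

// Dump the first bytes of the buffer passed to
// cocos2d::Image::initWithImageData(const unsigned char*, long), on entry and on return.
// NOTE(review): a fixed 128 bytes is dumped; args[2] carries the data length per
// the mangled signature. Confirm buffers are never shorter than 128 bytes.
var initWithImageDataAddr = Module.findExportByName(
  "libcocos2dlua.so",
  "_ZN7cocos2d5Image17initWithImageDataEPKhl"
);
if (initWithImageDataAddr !== null) {
  Interceptor.attach(initWithImageDataAddr, {
    onEnter: function (args) {
      // Per-invocation storage instead of a script-wide variable shared by all threads.
      this.pngdata = args[1];
      console.log(hexdump(args[1], {
        offset: 0,
        length: 128
      }));
    },
    onLeave: function (retval) {
      console.log(hexdump(this.pngdata, {
        offset: 0,
        length: 128
      }));
    }
  });
} else {
  console.log("cocos2d::Image::initWithImageData not found in libcocos2dlua.so");
}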