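// Frida script (Android, JNI): wait until the target Java class is resolved
// through JNIEnv->FindClass, then hook one native function inside libsmt.so by
// its raw offset and dump its arguments, CPU context and return value.
//
// NOTE(review): the offset below is tied to one specific build of libsmt.so.
// On any other version of the library the hook lands on the wrong code without
// any error, so re-derive the offset from the binary before reusing this.
// Dynamic instrumentation of this kind should only be run against apps you are
// authorised to test.
var RevealNativeMethods = function () {
    var ptr_size = Process.pointerSize;
    var env = Java.vm.getEnv();
    // Index into the JNINativeInterface function table; slots 0-3 are reserved,
    // GetVersion = 4, DefineClass = 5, FindClass = 6 (RegisterNatives would be 215).
    // https://docs.oracle.com/javase/8/docs/technotes/guides/jni/spec/functions.html
    var FindClassIndex = 6;
    var registered = false;
    var hooked_class = "com/smt/smt/smt";
    var lib_name = "libsmt.so";
    // 0x5920c is the function's offset from the module base. The +1 is
    // presumably the Thumb bit (ARM32): Frida needs it set to decode the
    // target as Thumb. On an arm64/x86 build it must be dropped — TODO confirm.
    var raw_address = 0x5920c + 0x01;

    // Resolve the native pointer of one JNIEnv function-table entry by index.
    // env.handle is JNIEnv*, which points to the JNINativeInterface* table.
    function getNativeAddress(idx) {
        return env.handle.readPointer().add(idx * ptr_size).readPointer();
    }

    // Watch every FindClass call; install the native hook the first time the
    // target class is looked up (by then libsmt.so must be mapped).
    Interceptor.attach(getNativeAddress(FindClassIndex), {
        onEnter: function (args) {
            // args[0] = JNIEnv*, args[1] = const char* class name (guard NULL:
            // readCString() on a null pointer throws inside the hook).
            if (registered || args[1].isNull()) {
                return;
            }
            var className = args[1].readCString();
            if (className !== hooked_class) {
                return;
            }
            var base_pointer = Module.findBaseAddress(lib_name);
            if (base_pointer === null) {
                // Library not mapped yet; `registered` stays false so the next
                // FindClass of the target class retries the attach.
                console.log("Failed to attach to lib: " + lib_name + " is not loaded");
                return;
            }
            console.log(className);
            console.log(base_pointer);
            // base.add() already yields a NativePointer; no wrapper needed.
            Interceptor.attach(base_pointer.add(raw_address), {
                onEnter: function (nativeArgs) {
                    console.log("Inside Native Function onEnter ...");
                    console.log('Context information:');
                    // Dumps every register; be aware this may put sensitive
                    // values (keys, tokens) into the log.
                    console.log('Context : ' + JSON.stringify(this.context));
                    console.log('Return : ' + this.returnAddress);
                    // Return address relative to the module base, i.e. the
                    // caller's offset as seen in a disassembler.
                    console.log('Return f : ' + this.returnAddress.sub(base_pointer));
                    // The function's arity is unknown here; the first five
                    // argument slots are dumped regardless of meaning.
                    for (var i = 0; i < 5; i++) {
                        console.log(nativeArgs[i]);
                    }
                },
                onLeave: function (retval) {
                    console.log("return: " + retval);
                }
            });
            registered = true;
        }
    });
};
Java.perform(RevealNativeMethods);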