
hook_Registernatives.js: problem with the fnOffset calculation #13

Open
Ossianaa opened this issue Aug 11, 2022 · 5 comments

Comments

@Ossianaa

In commit c42bb2e0beb00f51b13a9482641fbeda0e2c4dba
the previous change to fnOffset was reverted:
" fnOffset:", ptr(fnPtr_ptr).sub(find_module.base)

Now it is:
" fnOffset:", symbol,

@lasting-yang (Owner)

symbol here contains the module name and either the address or the symbol name.

Send me your sample so I can take a look.

@Yooi

Yooi commented Aug 31, 2022

[RegisterNatives] java_class: tv.danmaku.ijk.media.player.cache.WBCacheManager name: nativeCheckCacheExist sig: (Ljava/lang/String;Ljava/lang/String;)I fnPtr: 0xd1e841c4 fnOffset: 0xd1e841c4 callee: 0xb9599579 libhoudini.so!0x212579
[RegisterNatives] java_class: tv.danmaku.ijk.media.player.cache.WBCacheManager name: nativeGetCacheFullPath sig: (Ljava/lang/String;)Ljava/lang/String; fnPtr: 0xd1e8418c fnOffset: 0xd1e8418c callee: 0xb9599579 libhoudini.so!0x212579
[RegisterNatives] java_class: tv.danmaku.ijk.media.player.cache.WBCacheManager name: nativeGetCacheTraceLogString sig: (Ljava/lang/String;)Ljava/lang/String; fnPtr: 0xd1e84154 fnOffset: 0xd1e84154 callee: 0xb9599579 libhoudini.so!0x212579

The two values are identical, and callee does not give the library that was actually called; the libhoudini.so it returns is a system library.

@lasting-yang (Owner)

> [RegisterNatives] java_class: tv.danmaku.ijk.media.player.cache.WBCacheManager name: nativeCheckCacheExist sig: (Ljava/lang/String;Ljava/lang/String;)I fnPtr: 0xd1e841c4 fnOffset: 0xd1e841c4 callee: 0xb9599579 libhoudini.so!0x212579
> [RegisterNatives] java_class: tv.danmaku.ijk.media.player.cache.WBCacheManager name: nativeGetCacheFullPath sig: (Ljava/lang/String;)Ljava/lang/String; fnPtr: 0xd1e8418c fnOffset: 0xd1e8418c callee: 0xb9599579 libhoudini.so!0x212579
> [RegisterNatives] java_class: tv.danmaku.ijk.media.player.cache.WBCacheManager name: nativeGetCacheTraceLogString sig: (Ljava/lang/String;)Ljava/lang/String; fnPtr: 0xd1e84154 fnOffset: 0xd1e84154 callee: 0xb9599579 libhoudini.so!0x212579
>
> The two values are identical, and callee does not give the library that was actually called; the libhoudini.so it returns is a system library.

libhoudini.so is the emulator's module that translates ARM code; I suggest switching to a real device.

@ys1231

ys1231 commented Oct 26, 2022

I have two questions:

  1. When looking up the symbol with `if (symbol.name.indexOf("art") >= 0 && symbol.name.indexOf("JNI") >= 0 && symbol.name.indexOf("RegisterNatives") >= 0`:
     the symbols from IDA's analysis do look like this, but when I print `name` directly in Frida, the symbols above are not there. I would like to ask about this.
  2. When reading `typedef struct { const char* name; const char* signature; void* fnPtr; } JNINativeMethod;`,
     I do not understand why these addresses are obtained as
     let name_ptr = Memory.readPointer(methods_ptr.add(i * Process.pointerSize * 3));
     let sig_ptr = Memory.readPointer(methods_ptr.add(i * Process.pointerSize * 3 + Process.pointerSize));
     let fnPtr_ptr = Memory.readPointer(methods_ptr.add(i * Process.pointerSize * 3 + Process.pointerSize * 2));
  3. Could you help clear this up for me?

@lasting-yang (Owner)

  1. The symbols may differ somewhat between phones; the symbols IDA shows are the demangled function names, whereas the symbols Frida finds are the mangled names.
  2. Process.pointerSize is there to support both 32-bit and 64-bit .so files.
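The following is an added example, not the repository's hook_Registernatives.js and not code from anyone in this thread. It models the three points discussed above with plain Node.js Buffers so it runs outside Frida: walking a JNINativeMethod[] with a stride of 3 * pointerSize (question 2 and the owner's answer), computing fnOffset as fnPtr minus the base of the module that contains it rather than printing fnPtr itself (the original report and Yooi's log, where fnPtr and fnOffset are equal), and matching the mangled form of the RegisterNatives symbol that Frida reports instead of IDA's demangled name (question 1). The module names, address ranges, method names and signatures are constructed; readPtr() stands in for Frida's Memory.readPointer() and the MODULES list for Process.enumerateModules().

```javascript
"use strict";
// Added example (not the repository's hook_Registernatives.js). Models the
// JNINativeMethod[] walk and the fnOffset computation with plain Node.js
// Buffers so it runs outside Frida. readPtr() stands in for Memory.readPointer()
// and MODULES for Process.enumerateModules(). All addresses are constructed.

// JNINativeMethod is three pointer-sized fields:
//   { const char* name; const char* signature; void* fnPtr; }
// so entry i starts at methods + i * 3 * pointerSize with fields at +0,
// +pointerSize and +2 * pointerSize. pointerSize is 4 on arm/x86, 8 on arm64/x86_64.
const FIELDS = 3;
function readPtr(buf, off, pointerSize) {
  return pointerSize === 8 ? buf.readBigUInt64LE(off) : BigInt(buf.readUInt32LE(off));
}
function writePtr(buf, off, value, pointerSize) {
  if (pointerSize === 8) buf.writeBigUInt64LE(BigInt(value), off);
  else buf.writeUInt32LE(Number(value), off);
}
function readCString(buf, off) {
  const end = buf.indexOf(0, off);
  return buf.toString("utf8", off, end < 0 ? buf.length : end);
}
// Build a fake memory image: C strings first, then the aligned method array.
// Addresses are `base` (a BigInt) plus the offset into the image.
function buildImage(base, methods, pointerSize) {
  const chunks = [], strAddr = [];
  let cursor = 0;
  for (const m of methods) {
    for (const s of [m.name, m.signature]) {
      const b = Buffer.from(s + "\0", "utf8");
      strAddr.push(base + BigInt(cursor));
      chunks.push(b);
      cursor += b.length;
    }
  }
  const pad = (pointerSize - (cursor % pointerSize)) % pointerSize;
  chunks.push(Buffer.alloc(pad)); cursor += pad;
  const arr = Buffer.alloc(methods.length * FIELDS * pointerSize);
  methods.forEach((m, i) => {
    const off = i * FIELDS * pointerSize;
    writePtr(arr, off, strAddr[2 * i], pointerSize);
    writePtr(arr, off + pointerSize, strAddr[2 * i + 1], pointerSize);
    writePtr(arr, off + 2 * pointerSize, m.fnPtr, pointerSize);
  });
  chunks.push(arr);
  return { mem: Buffer.concat(chunks), methodsPtr: base + BigInt(cursor) };
}

// The hook's loop over the `methods` argument of RegisterNatives.
function parseJniNativeMethods(mem, base, methodsPtr, nMethods, pointerSize) {
  const out = [];
  for (let i = 0; i < nMethods; i++) {
    const entry = Number(methodsPtr - base) + i * FIELDS * pointerSize;
    const namePtr = readPtr(mem, entry, pointerSize);
    const sigPtr = readPtr(mem, entry + pointerSize, pointerSize);
    const fnPtr = readPtr(mem, entry + 2 * pointerSize, pointerSize);
    out.push({
      name: readCString(mem, Number(namePtr - base)),
      signature: readCString(mem, Number(sigPtr - base)),
      fnPtr,
    });
  }
  return out;
}

// fnOffset is fnPtr minus the base of the module containing fnPtr; a raw fnPtr
// is useless in IDA because ASLR moves the base on every launch.
function describeFnPtr(fnPtr, modules) {
  const m = modules.find((x) => fnPtr >= x.base && fnPtr < x.base + x.size);
  if (!m) return { module: null, offset: null, text: `0x${fnPtr.toString(16)} (no module)` };
  const offset = fnPtr - m.base;
  return { module: m.name, offset, text: `${m.name}!0x${offset.toString(16)}` };
}

// Frida reports mangled names, not IDA's "art::JNI::RegisterNatives"; the
// script's substring test still matches the Itanium-mangled form.
function isRegisterNativesSymbol(name) {
  return name.indexOf("art") >= 0 && name.indexOf("JNI") >= 0 && name.indexOf("RegisterNatives") >= 0;
}

// Constructed sample: a hypothetical libnative.so registering two methods.
const MODULES = [
  { name: "libnative.so", base: 0xc8a00000n, size: 0x40000n },
  { name: "libc.so", base: 0xb6000000n, size: 0x100000n },
];
const SAMPLE = [
  { name: "nativeInit", signature: "()V", fnPtr: 0xc8a12340n },
  { name: "nativeCheck", signature: "(Ljava/lang/String;)I", fnPtr: 0xc8a12a00n },
];

function demo(pointerSize) {
  const base = 0xd1e80000n; // fits 32 bits, so one sample serves both layouts
  const { mem, methodsPtr } = buildImage(base, SAMPLE, pointerSize);
  return parseJniNativeMethods(mem, base, methodsPtr, SAMPLE.length, pointerSize)
    .map((m) => ({ ...m, fnOffset: describeFnPtr(m.fnPtr, MODULES).text }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const ps of [4, 8]) console.log(`pointerSize=${ps}`, demo(ps));
}
```

In a real Frida hook the same steps map onto `Process.pointerSize` for the stride, `Memory.readPointer()` (or `ptr.readPointer()`) for the three fields, and `Process.findModuleByAddress(fnPtr)` to obtain the containing module, after which `fnPtr.sub(module.base)` is the offset to look up in IDA. When that lookup returns null or a system module such as libhoudini.so, the address is not inside the app's own library, which is the symptom described in Yooi's log.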
