/*
 * Run fn(args[0..nargs-1]) inside the tracee, then read the register file
 * back and return whatever the call left in r0.  The GETREGS result is not
 * checked, exactly as in the surrounding code.
 */
static long remote_call_r0(pid_t pid, long fn, long *args, int nargs, struct pt_regs *regs)
{
    ptrace_call(pid, fn, args, nargs, regs);
    ptrace(PTRACE_GETREGS, pid, NULL, regs);
    return regs->ARM_r0;
}

/*
 * Load a shared object into an already-running, ptrace-attached process and
 * call one exported function of it with a single string argument.
 *
 * Every remote call is performed through ptrace_call() using the tracee's
 * own libc entry points (mmap, dlopen, dlsym), resolved by get_remote_addr().
 * The three strings the remote side needs are staged one after another in
 * the same anonymous page that the remote mmap returned.
 *
 * pid           - tracee; the caller must already have attached to it.
 * so_path       - path of the library to dlopen() inside the tracee.
 * function_name - symbol to resolve in that library via dlsym().
 * parameter     - string passed to the resolved function as its only argument.
 *
 * No return value and no error handling: none of the ptrace() calls, the
 * remote mmap (which can yield MAP_FAILED) or the remote dlopen/dlsym (which
 * can yield NULL) are checked, so a failure simply feeds into the next remote
 * call.  The tracee's registers are restored from the snapshot taken on entry.
 *
 * Detection note: the scratch page is requested read+write+execute.  A
 * writable-and-executable anonymous mapping is an uncommon artifact and is
 * visible in the tracee's /proc/<pid>/maps for as long as the process lives
 * (nothing here ever unmaps it, and dlclose is resolved but never called).
 */
void injectSo(pid_t pid, char *so_path, char *function_name, char *parameter)
{
    struct pt_regs saved;
    ptrace(PTRACE_GETREGS, pid, NULL, &saved);   /* snapshot, restored on exit */
    struct pt_regs work = saved;                  /* scratch copy that ptrace_call mutates */

    printf("getting remote addres:\n");
    long remote_mmap    = get_remote_addr(pid, libc_path, (void *)mmap);
    long remote_dlopen  = get_remote_addr(pid, libc_path, (void *)dlopen);
    long remote_dlsym   = get_remote_addr(pid, libc_path, (void *)dlsym);
    long remote_dlclose = get_remote_addr(pid, libc_path, (void *)dlclose);   /* printed only */
    printf("mmap_addr=%p dlopen_addr=%p dlsym_addr=%p dlclose_addr=%p\n",
           (void *)remote_mmap, (void *)remote_dlopen, (void *)remote_dlsym, (void *)remote_dlclose);

    /* Remote mmap(NULL, 0x4000, RWX, MAP_ANONYMOUS|MAP_PRIVATE, 0, 0). Only six of
     * the ten slots are ever used. */
    long args[10];
    args[0] = 0;
    args[1] = 0x4000;
    args[2] = PROT_READ | PROT_WRITE | PROT_EXEC;
    args[3] = MAP_ANONYMOUS | MAP_PRIVATE;
    args[4] = 0;
    args[5] = 0;
    long scratch = remote_call_r0(pid, remote_mmap, args, 6, &work);
    printf("map_base = %p\n", (void *)scratch);

    /* Remote dlopen(scratch /* = so_path */, RTLD_NOW|RTLD_GLOBAL). */
    printf("save so_path = %s to map_base = %p\n", so_path, (void *)scratch);
    putdata(pid, scratch, so_path, strlen(so_path) + 1);
    args[0] = scratch;
    args[1] = RTLD_NOW | RTLD_GLOBAL;
    long lib_handle = remote_call_r0(pid, remote_dlopen, args, 2, &work);
    printf("handle = %p\n", (void *)lib_handle);

    /* Remote dlsym(lib_handle, scratch /* = function_name */); overwrites the
     * staged path, which dlopen no longer needs. */
    printf("save function_name = %s to map_base = %p\n", function_name, (void *)scratch);
    putdata(pid, scratch, function_name, strlen(function_name) + 1);
    args[0] = lib_handle;
    args[1] = scratch;
    long target_fn = remote_call_r0(pid, remote_dlsym, args, 2, &work);
    printf("function_ptr = %p\n", (void *)target_fn);

    /* Remote target_fn(scratch /* = parameter */); its r0 is not read back. */
    printf("save parameter = %s to map_base = %p\n", parameter, (void *)scratch);
    putdata(pid, scratch, parameter, strlen(parameter) + 1);
    args[0] = scratch;
    ptrace_call(pid, target_fn, args, 1, &work);

    ptrace(PTRACE_SETREGS, pid, NULL, &saved);
}
include $(CLEAR_VARS)
# Stand-alone test program that the injected library hooks.  The ".arm"
# suffix makes the NDK compile it in ARM (not Thumb) mode.
LOCAL_MODULE := target
LOCAL_SRC_FILES := target.c.arm
include $(BUILD_EXECUTABLE)

include $(CLEAR_VARS)
# Shared library that the injector dlopen()s inside the target (built as
# libinject2.so); liblog supplies Android's logging calls.
LOCAL_MODULE := inject2
LOCAL_SRC_FILES := inject2.c.arm
LOCAL_LDLIBS := -llog
include $(BUILD_SHARED_LIBRARY)
/* Per-hook bookkeeping record: one per patched function entry. */
struct hook_t {
    unsigned int jump[3];   // the three words written over the function entry (LDR pc,[pc,#0] followed by the hook address)
    unsigned int store[3];  // the three original words saved from the entry; hook_precall() writes them back
    unsigned int orig;      // address of the original (patched) function
    unsigned int patch;     // address of the replacement (hook) function
};
/*
 * Overwrite the first three words of the function at `addr` with a jump to
 * `hookf`, remembering what was there so hook_precall() can put it back.
 *
 * h     - bookkeeping record filled in here (orig, patch, store, jump).
 * addr  - entry address of the function being patched (ARM-mode code).
 * hookf - replacement function.
 * Returns 1 unconditionally; nothing on the path is checked.
 *
 * Limits worth knowing:
 *  - the mprotect() covers the fixed range 0x8000-0xa000, i.e. the text
 *    mapping of this particular target binary rather than the page that
 *    actually holds `addr`, and its return value is ignored;
 *  - the prologue is patched in place with no regard for other threads that
 *    may be executing it at the same moment.
 */
int hook_direct(struct hook_t *h, unsigned int addr, void *hookf)
{
    printf("addr = %x\n", addr);
    printf("hookf = %x\n", (unsigned int)hookf);

    mprotect((void *)0x8000, 0xa000 - 0x8000, PROT_READ | PROT_WRITE | PROT_EXEC);

    h->patch = (unsigned int)hookf;
    h->orig = addr;

    /* Trampoline.  In ARM state the PC reads as (address of the current
     * instruction + 8), so `LDR pc, [pc, #0]` at word 0 loads word 2; word 1
     * is never read and merely carries the same value. */
    h->jump[0] = 0xe59ff000;
    h->jump[1] = h->patch;
    h->jump[2] = h->patch;

    /* Save the original prologue word by word, then install the trampoline
     * over it. */
    unsigned int *entry = (unsigned int *)h->orig;
    for (int w = 0; w < 3; w++) {
        h->store[w] = entry[w];
        entry[w] = h->jump[w];
    }

    /* The instruction cache may still hold the old words until flushed. */
    hook_cacheflush((unsigned int)h->orig, (unsigned int)h->orig + sizeof(h->jump));
    return 1;
}
1 2 3 4 5 6 | # cat /proc/25298/maps 00008000-0000a000 rwxp 00000000 b3:1c 627105 /data/local/tmp/target 0000a000-0000b000 r--p 00001000 b3:1c 627105 /data/local/tmp/target 0000b000-0000c000 rw-p 00000000 00:00 0 0017f000-00180000 rw-p 00000000 00:00 0 [heap] …… |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 | …… 84d4: e1a01000 mov r1, r0 84d8: e59f200c ldr r2, [pc, #12] ; 84ec <__cxa_type_match@plt+0xe4> 84dc: e59f000c ldr r0, [pc, #12] ; 84f0 <__cxa_type_match@plt+0xe8> 84e0: e08f2002 add r2, pc, r2 84e4: e08f0000 add r0, pc, r0 84e8: eaffffb1 b 83b4 <__cxa_atexit@plt> 84ec: 00002b18 andeq r2, r0, r8, lsl fp 84f0: ffffff58 ; <UNDEFINED> instruction: 0xffffff58 84f4: e1a02000 mov r2, r0 84f8: e59f100c ldr r1, [pc, #12] ; 850c <__cxa_type_match@plt+0x104> 84fc: e59f000c ldr r0, [pc, #12] ; 8510 <__cxa_type_match@plt+0x108> 8500: e08f1001 add r1, pc, r1 8504: e08f0000 add r0, pc, r0 8508: eaffffac b 83c0 <printf@plt> 850c: 00001080 andeq r1, r0, r0, lsl #1 8510: 00001074 andeq r1, r0, r4, ror r0 8514: b5006803 strlt r6, [r0, #-2051] ; 0xfffff7fd 8518: d503005a strle r0, [r3, #-90] ; 0xffffffa6 851c: 06122280 ldreq r2, [r2], -r0, lsl #5 …… |
/*
 * Make freshly written code visible to the instruction stream by invoking the
 * ARM-private cacheflush system call over [begin, end).
 *
 * 0xf0002 is __ARM_NR_cacheflush (__ARM_NR_BASE 0x0f0000 + 2).  Under the ARM
 * EABI the syscall number travels in r7; r0/r1 are the address range and r2
 * is the flags word, passed as 0 here.
 *
 * Review notes (code left as-is):
 *  - r2 is written by the sequence but is missing from the clobber list, and
 *    the inputs are bound to arbitrary registers ("r"), so the compiler may
 *    legitimately place an input in r0/r1/r7 and have an earlier `mov` in the
 *    sequence overwrite it before it is read;
 *  - there is no "memory" clobber, so ordinary stores to the patched code may
 *    be moved past the flush by the optimizer;
 *  - the local named `syscall` shadows libc's syscall() wherever <unistd.h>
 *    is visible.
 */
void inline hook_cacheflush(unsigned int begin, unsigned int end)
{
    const int syscall = 0xf0002;   // __ARM_NR_cacheflush
    __asm __volatile (
        "mov r0, %0\n"             // start address
        "mov r1, %1\n"             // end address
        "mov r7, %2\n"             // syscall number (EABI convention)
        "mov r2, #0x0\n"           // flags = 0
        "svc 0x00000000\n"
        :
        : "r" (begin), "r" (end), "r" (syscall)
        : "r0", "r1", "r7"
    );
}
/*
 * Replacement for sevenWeapons(): logs the call, then forwards to the original
 * with the argument incremented by one.
 *
 * The hook record `eph` lives in the enclosing file.  hook_precall() restores
 * the original prologue so the original can be called; hook_postcall()
 * (defined elsewhere, presumably re-installs the trampoline) re-arms the hook
 * afterwards.  noinline keeps this a real, separately addressable function,
 * which is what the hook installer needs to point the trampoline at.
 */
void __attribute__ ((noinline)) my_sevenWeapons(int number)
{
    typedef void (*seven_fn)(int);

    printf("sevenWeapons() called, number = %d\n", number);

    seven_fn call_original = (void *)eph.orig;
    hook_precall(&eph);
    call_original(number + 1);   /* same as the original's number++ before the call */
    hook_postcall(&eph);
}
/*
 * Put the original three prologue words back at h->orig so the original
 * function can be invoked, then flush the instruction cache.
 *
 * The flush range is sizeof(h->jump) * 10 (120 bytes), far wider than the 12
 * bytes actually rewritten and inconsistent with hook_direct(), which flushes
 * only sizeof(h->jump).  Over-flushing is harmless; the two should agree.
 */
void hook_precall(struct hook_t *h)
{
    unsigned int *entry = (unsigned int *)h->orig;
    int w = 0;
    while (w < 3) {
        entry[w] = h->store[w];
        w++;
    }
    hook_cacheflush((unsigned int)h->orig, (unsigned int)h->orig + sizeof(h->jump) * 10);
}
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 | # ./target Hello,LiBieGou! 0 Hello,LiBieGou! 1 Hello,LiBieGou! 2 Hello,LiBieGou! 3 Hello,LiBieGou! 4 Hello,LiBieGou! 5 Hello,LiBieGou! 6 mzheng Hook pid = 18962 Hello sevenWeapons addr = 84f4 hookf = b6e73e88 sevenWeapons() called, number = 7 Hello,LiBieGou! 14 sevenWeapons() called, number = 8 Hello,LiBieGou! 16 sevenWeapons() called, number = 9 Hello,LiBieGou! 18 sevenWeapons() called, number = 10 Hello,LiBieGou! 20 sevenWeapons() called, number = 11 Hello,LiBieGou! 22 sevenWeapons() called, number = 12 Hello,LiBieGou! 24 sevenWeapons() called, number = 13 ./hook5 28922 getting remote addres: mmap_addr=0xb6f84c81 dlopen_addr=0xb6fd4f4d dlsym_addr=0xb6fd4e9d dlclose_addr=0xb6fd4e19 map_base = 0xb6f33000 save so_path = /data/local/tmp/libinject2.so to map_base = 0xb6f33000 handle = 0xb6fd1494 save function_name = mzhengHook to map_base = 0xb6f33000 function_ptr = 0xb6f2e368 save parameter = sevenWeapons to map_base = 0xb6f33000 |
/* Defined in hookjni.c, which the build compiles as Thumb; this file is built
 * as ARM (".arm" suffix in Android.mk), which appears to be the only reason the
 * wrapper below exists. */
extern jstring my_Java_com_mzheng_libiegou_test2_MainActivity_stringFromJNI(JNIEnv* env,jobject thiz,jint a,jint b);

/* ARM-mode entry point; hook() is handed this alongside the Thumb-mode handler
 * (presumably so it can pick whichever matches the patched code's mode).  It
 * forwards every argument unchanged and returns the callee's result. */
jstring my_Java_com_mzheng_libiegou_test2_MainActivity_stringFromJNI_arm(JNIEnv* env,jobject thiz,jint a,jint b)
{
    return my_Java_com_mzheng_libiegou_test2_MainActivity_stringFromJNI(env, thiz, a, b);
}
include $(CLEAR_VARS)
# Example instrumentation library.  hookjni.c is built in the default (Thumb)
# mode; hookjni_arm.c carries the ".arm" suffix and is built as ARM, which is
# where the ARM-mode trampoline entry point lives.
LOCAL_MODULE := libexample
LOCAL_SRC_FILES := ../hookjni.c ../hookjni_arm.c.arm
# Debug symbols on; dl for dlopen/dlsym; "base" is the project's static
# helper library (hook/util/base objects).
LOCAL_CFLAGS := -g
LOCAL_SHARED_LIBRARIES := dl
LOCAL_STATIC_LIBRARIES := base
include $(BUILD_SHARED_LIBRARY)
/*
 * Replacement for Java_com_mzheng_libiegou_test2_MainActivity_stringFromJNI.
 *
 * Calls the original with both integer arguments forced to 10, then counts
 * `counter` down.  While the counter is non-zero the hook is re-installed
 * after each call; once it reaches zero hook_postcall() is skipped for good,
 * so the original prologue restored by hook_precall() stays in place and the
 * hook effectively removes itself.
 *
 * `eph`, `counter`, hook_precall()/hook_postcall() and log() come from the
 * enclosing file and its helpers (log() appears to be a project macro that
 * appends to a log file — confirm in util.h).
 */
jstring my_Java_com_mzheng_libiegou_test2_MainActivity_stringFromJNI(JNIEnv* env,jobject thiz,jint a,jint b)
{
    typedef jstring (*string_from_jni_fn)(JNIEnv *, jobject, jint, jint);
    string_from_jni_fn call_original = (void *)eph.orig;

    /* The caller's values are discarded: both arguments are pinned to 10. */
    a = 10;
    b = 10;

    hook_precall(&eph);
    jstring res = call_original(env, thiz, a, b);

    if (counter != 0) {
        hook_postcall(&eph);
        log("stringFromJNI() called\n");
        if (--counter == 0) {
            log("removing hook for stringFromJNI()\n");
        }
    }
    return res;
}

/*
 * Library entry point (presumably run when the injected library is loaded):
 * arms a three-shot hook on the JNI function exported by libhello-jni.
 * hook() receives both the ARM-mode and the Thumb-mode replacement so it can
 * use whichever matches the patched code; "libhello-jni." looks like a
 * library-name prefix matched against the process's mappings — confirm in
 * hook().
 */
void my_init(void)
{
    counter = 3;
    log("%s started\n", __FILE__);
    set_logfunction(my_log);
    hook(&eph, getpid(), "libhello-jni.",
         "Java_com_mzheng_libiegou_test2_MainActivity_stringFromJNI",
         my_Java_com_mzheng_libiegou_test2_MainActivity_stringFromJNI_arm,
         my_Java_com_mzheng_libiegou_test2_MainActivity_stringFromJNI);
}
1 2 3 4 5 6 7 8 9 10 11 12 | adbi-master$ ./build.sh [armeabi] Compile arm : hijack <= hijack.c [armeabi] Executable : hijack [armeabi] Install : hijack => libs/armeabi/hijack [armeabi] Compile arm : base <= util.c [armeabi] Compile arm : base <= hook.c [armeabi] Compile arm : base <= base.c [armeabi] StaticLibrary : libbase.a [armeabi] Compile thumb : example <= hookjni.c [armeabi] Compile arm : example <= hookjni_arm.c [armeabi] SharedLibrary : libexample.so [armeabi] Install : libexample.so => libs/armeabi/libexample.so |
1 2 3 4 5 6 7 8 9 10 | #./hijack -d -p 21734 -l /data/local/tmp/libexample.so mprotect: 0x4011c444 dlopen: 0x400d5f4d pc=4011d6e0 lr=4018588b sp=bed65308 fp=bed6549c r0=fffffffc r1=bed65328 r2=10 r3=ffffffff stack: 0xbed45000-0xbed66000 leng = 135168 executing injection code at 0xbed652b8 calling mprotect library injection completed! |
1 2 3 4 5 6 7 | #cat adbi_example.log /home/aliray/7weapons/libiegou/adbi-master/instruments/example/jni/../hookjni.c started hooking: Java_com_mzheng_libiegou_test2_MainActivity_stringFromJNI = 0x7538ecc5 THUMB using 0x763c9581 stringFromJNI() called stringFromJNI() called stringFromJNI() called removing hook for stringFromJNI() |
# Decrypt one 3DES-CBC ciphertext with a fixed key and IV.  Python 2 only:
# str.decode('hex') and the print statement do not exist in Python 3, and
# M2Crypto is a third-party OpenSSL binding.
from M2Crypto.EVP import Cipher
from base64 import b64encode, b64decode

# 32 base64 chars -> 24 bytes: a three-key 3DES key (des_ede3).
key = b64decode('H5jOqyCXcO+odcJFhT7Odh+Yzqsgl3Dv')
# 8-byte IV, the DES block size.
iv = b64decode('AAoKCgoCAqo=')
# 32 hex digits -> 16 bytes, i.e. two DES blocks.
ciphertext = '5458d715704493d8e6b9bd38f8b6be0e'.decode('hex')
# op=0 selects decryption in M2Crypto's EVP.Cipher (op=1 would encrypt).
decipher = Cipher(alg='des_ede3_cbc', key=key, op=0, iv=iv)
plaintext = decipher.update(ciphertext)
plaintext += decipher.final()   # strips PKCS#7 padding; raises on a bad pad
print plaintext

# NOTE(review): the key and IV are constants in the script, presumably recovered
# from the application being analysed.  A static key shipped with a client
# gives no confidentiality against anyone who can read the binary, and 3DES
# itself is deprecated (64-bit block, sweet32-class limits); new designs should
# use an AEAD such as AES-GCM with per-message IVs.

# $ python decrypt.py
# 日天@土侸