Frida native 使用

Interceptor使用

native函数原型

// Running sum of every value getNum() has produced; read back by getTotal().
// Plain global with a non-atomic `+=` from JNI, so concurrent native calls
// would race on it — NOTE(review): confirm the Java side serialises them.
// The Frida script below locates it by a fixed offset from the module base
// (0x02FE8 in this build); that offset is build-specific, not a property of
// this declaration.
long total;

/// Sum two values of the same type.
/// @tparam T any type with a binary operator+ whose result converts to T.
/// @param x first addend (taken by value, not modified).
/// @param y second addend (taken by value, not modified).
/// @return x + y. For built-in signed integers an overflowing sum is UB, as
///         with any plain addition.
template<typename T>
T addNum(T const x, T const y) {
    const T sum = x + y;
    return sum;
}

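/// JNI entry point: returns x*x + (x + x) and adds that value to `total`.
/// The name does not follow the Java_<pkg>_<cls>_<fn> scheme, so it is
/// presumably bound via RegisterNatives — NOTE(review): confirm in the loader.
/// @param env  JNI environment; unused here, kept because JNI fixes the signature.
/// @param thiz receiving Java object; unused here.
/// @param x    value supplied by the Java caller — any 32-bit value is possible.
/// @return x*x + (x + x) narrowed to jint.
extern "C"
jint getNum(JNIEnv *env, jobject thiz, jint x) {
    (void)env;
    (void)thiz;
    // Widen before multiplying: `x * x` in jint is signed overflow (UB) once
    // |x| exceeds 46340, and the caller controls x.
    const long long wide_x = static_cast<long long>(x);
    const long long now = wide_x * wide_x + addNum(wide_x, wide_x);
    // Non-atomic read-modify-write of a global: racy if the Java side calls
    // this from several threads — NOTE(review): confirm callers serialise.
    total += now;
    // Narrowing back keeps the jint return contract; for values that do not
    // fit, the result is the low 32 bits (modular from C++20,
    // implementation-defined before that) rather than undefined behaviour.
    return static_cast<jint>(now);
}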

/// JNI entry point: reports the current value of the global `total`.
/// @param env  JNI environment; unused, kept because JNI fixes the signature.
/// @param thiz receiving Java object; unused.
/// @return `total` converted to jlong (a widening, or identity when `long`
///         is already 64-bit on the target ABI).
extern "C"
jlong getTotal(JNIEnv *env, jobject thiz){
    (void)env;
    (void)thiz;
    // Plain unsynchronised read; see the note on `total`.
    const long snapshot = total;
    return snapshot;
}
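// Base address of libdynamic.so, or null when the module is not loaded yet.
// Every absolute address below is derived from it, so say so up front instead
// of failing later with an unhelpful "cannot read property 'add' of null".
var lib_addr = Module.findBaseAddress("libdynamic.so");
if (lib_addr === null) {
    console.warn("libdynamic.so is not loaded; lib_addr is null");
}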

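// Hooks libdynamic.so!getNum: logs the jint argument on entry and, on exit,
// the return value plus a hexdump of the module base and of the `total`
// global, followed by total's current value.
// Relies on the module-level `lib_addr` (Module.findBaseAddress result).
function frida_Interceptor() {
    // Offset of the `total` global inside libdynamic.so, taken from IDA for
    // this build (symbol `total` at 0000000000002FE8). It is not stable across
    // builds: re-read it from the binary whenever the library is rebuilt.
    var TOTAL_OFFSET = 0x02FE8;

    // Both checks below turn a null-dereference inside the hook into a clear
    // message; findBaseAddress/findExportByName return null on failure.
    if (lib_addr === null) {
        console.error("libdynamic.so is not loaded; cannot hook getNum");
        return;
    }
    var getNum_addr = Module.findExportByName('libdynamic.so', "getNum");
    if (getNum_addr === null) {
        console.error("getNum is not exported by libdynamic.so");
        return;
    }

    // Resolved once instead of on every call. hexdump() and the read*()
    // helpers accept a NativePointer directly, so no ptr() re-wrapping.
    var total_addr = lib_addr.add(TOTAL_OFFSET);

    // Print a label and the first 16 bytes at `address`.
    function dump16(label, address) {
        console.log(label);
        console.log(hexdump(address, {
            length: 16,
            header: true,
            ansi: true
        }));
    }

    Interceptor.attach(getNum_addr, {
        onEnter: function (args) {
            // Native prototype is getNum(JNIEnv *env, jobject thiz, jint x):
            // args[0] = env, args[1] = thiz, args[2] = x.
            console.log("getNum: " + args[2].toInt32());
            // Also available here if needed: this.context (serialise with
            // JSON.stringify), this.returnAddress, this.threadId, this.depth.
        },
        onLeave: function (retval) {
            // The return type is jint, so read the value as int32.
            console.log("retval:" + retval.toInt32());

            dump16("lib_addr", lib_addr);
            dump16("total_addr", total_addr);

            // `total` is declared as C `long`; readLong() reads a native long,
            // which matches that declaration (8 bytes on arm64 as seen in the
            // dump). An explicit readS32()/readS64() would be needed only if
            // the declaration changed width.
            console.log("total " + total_addr.readLong());
        }
    });
}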

输出结果

getNum: 43
getNum: 43
retval:1935
lib_addr
             0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
7f067ea000  7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00  .ELF............
total_addr
             0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
7f067ecfe8  6d 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00  mM..............
total 19821
retval:1935
lib_addr
             0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
7f067ea000  7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00  .ELF............
total_addr
             0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
7f067ecfe8  6d 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00  mM..............
total 19821

App效果

总结

通过Module.findBaseAddress("libdynamic.so"),我们拿到libdynamic.so的基址,后面我们hexdump了此地址,与IDA中看到的也一致

通过在Interceptor.attach()中设置回调,我们获取了getNum函数传入的参数,通过args[2].toInt32()获取参数值

0x02FE8 是total相对于libdynamic.so基址的偏移,利用lib_addr.add(0x02FE8);偏移到total的地址,通过total_addr.readLong()读取total的值
