Created
May 23, 2019 11:44
import os
import sys

import frida

# Written against frida 12.5.7.

# Spawn the target package on the USB-attached device, attach a session to the
# new process, then let it run.
device = frida.get_usb_device()
pid = device.spawn(["com.ylc2.qp.Pokermate"])
session = device.attach(pid)
device.resume(pid)

# Alternative the author left disabled: attach by name through a remote device.
# rdev = frida.get_remote_device()
# session = rdev.attach("com.tc.tbnn")
script = session.create_script(""" | |
// Look up dlopen in any loaded module (a null module name searches them all).
var dlopenAddress = Module.findExportByName(null, 'dlopen');
console.log(dlopenAddress);

// Installation state shared by both callbacks:
//   0  = libcocos2dcpp.so has not been requested yet
//   1  = a dlopen call naming it has been entered
//   -1 = getsaltsign() and createSign() have been run
var hookState = 0;

Interceptor.attach(dlopenAddress, {
  // Log each path handed to dlopen and record the first request for the target library.
  onEnter: function (args) {
    // var name = Memory.readUtf8String(args[0]);
    var pathPointer = new NativePointer('' + args[0]);
    var libraryPath = pathPointer.readUtf8String();
    console.log('dlopen load:' + libraryPath);

    // search() interprets its argument as a regular expression, so the dot in
    // the file name matches any character.
    // NOTE(review): libraryPath is used without a null check - confirm it cannot be null here.
    var isTarget = libraryPath.search('libcocos2dcpp.so') !== -1;
    if (!isTarget || hookState !== 0) {
      return;
    }

    // Hook timing: only mark the library here; the hooks are attached in onLeave.
    hookState = 1;
    var callers = Thread.backtrace(this.context, Backtracer.ACCURATE).map(DebugSymbol.fromAddress);
    console.log('dlopen libcocos2dcpp.so called from:\\n' + callers.join('\\n'));
  },

  // After a dlopen call returns while the flag is set, attach the library hooks once.
  // NOTE(review): the flag is global, so this fires on the first dlopen that
  // returns after the match, which need not be the matching call itself.
  onLeave: function (retval) {
    if (hookState !== 1) {
      return;
    }
    console.log("need_hook");
    hookState = -1;
    getsaltsign();
    createSign();
  }
});
/**
 * Attach a return-value logger at a fixed offset inside libcocos2dcpp.so.
 * Author's note on the hooked routine's prototype: char ** getsaltsign().
 * The returned value is read as a pointer to a C string and printed; going by
 * the author's name for it, this is presumably the salt used for signing.
 */
function getsaltsign() {
  var libraryName = 'libcocos2dcpp.so';
  console.log("getsaltsign");

  // Logged for reference only; the hook below does not use this address.
  var createSignExport = Module.getExportByName(libraryName, "_ZN4Tool10CreateSignESs");
  console.log("[+] so address0:" + createSignExport);

  // The offset is relative to the module base, so it is tied to the build it was taken from.
  // NOTE(review): the odd value looks like a Thumb-mode address on 32-bit ARM - confirm.
  var moduleBase = Module.findBaseAddress(libraryName);
  var hookAddress = moduleBase.add(ptr('0x009DB27D'));
  console.log("[+] so address:" + hookAddress);

  var callbacks = {
    onEnter: function (args) {},
    onLeave: function (retval) {
      // The first 32-bit word behind retval is treated as the string's address;
      // assumes a 32-bit process - TODO confirm.
      var textPointer = ptr('' + retval.readU32());
      console.log("getsaltsign retval:" + textPointer.readCString());
    }
  };
  Interceptor.attach(hookAddress, callbacks);
}
/**
 * Log the string argument of the exported symbol _ZN4Tool10CreateSignESs
 * (Itanium mangling of Tool::CreateSign(std::string)) on every call.
 * Author's note on the native prototype: createSign(int a1, int a2, char **a3).
 */
function createSign() {
  console.log("createSign");
  var createSignAddress = Module.getExportByName("libcocos2dcpp.so", "_ZN4Tool10CreateSignESs");
  console.log("[+] createSign address:" + createSignAddress);

  var callbacks = {
    onEnter: function (args) {
      // The first 32-bit word behind args[2] is treated as the address of a
      // C string; assumes a 32-bit process - TODO confirm.
      var slot = args[2].add(ptr('0'));
      var textPointer = ptr('' + slot.readU32());
      console.log("createSign args[2]:" + textPointer.readCString());
    },
    // The return value is not inspected; the author's hexdump experiments on
    // retval were left disabled.
    onLeave: function (retval) {}
  };
  Interceptor.attach(createSignAddress, callbacks);
}
""") | |
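def write(path, content):
    """Write ``content`` to ``path``, creating missing parent directories.

    Args:
        path: Destination file path.
        content: Bytes to store; the file is opened in binary mode and any
            existing file at ``path`` is truncated.

    Raises:
        OSError: If the directory cannot be created or the file cannot be
            written.
    """
    print('write:', path)
    folder = os.path.dirname(path)
    # dirname() is '' for a bare file name and os.makedirs('') raises, so only
    # create a directory when there is one to create.
    if folder:
        # exist_ok avoids failing when the directory appears between a
        # separate existence check and the create call.
        os.makedirs(folder, exist_ok=True)
    # open(path, 'w+').write(str(content,'utf-8'))
    # The context manager closes the handle instead of leaving it to the
    # garbage collector.
    with open(path, 'wb') as handle:
        handle.write(content)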
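def on_message(message, data):
    """Store a file described by a script message under the local dump directory.

    The payload is expected to carry ``name`` (a relative file name) and
    ``content`` (text, stored as UTF-8). Both come from the instrumented
    process and are treated as untrusted: a name that resolves outside the
    dump directory is rejected rather than written.

    NOTE(review): the embedded script visible in this file never calls
    send(), so this handler presumably pairs with a different script version.

    Args:
        message: Message dict delivered by the script's 'message' signal.
        data: Optional binary payload; unused.
    """
    base_dir = "/Users/ne0/Downloads/ddlua/"
    # print(message)
    try:
        payload = message['payload']
        name = payload['name']
        if not name:
            return

        # The name may not be a Lua script's file name at all but the script
        # text itself; anything too long to be a name goes to a catch-all file.
        if len(name) > 100:
            print("ilg name:", name)
            the_comm = "/Users/ne0/Downloads/ddlua/the_comm"
            os.makedirs(base_dir, exist_ok=True)
            with open(the_comm, 'a+') as handle:
                handle.write(name)
            return

        # Resolve the final location and require it to stay inside base_dir,
        # so a name containing '..' cannot place files elsewhere on the host.
        root = os.path.realpath(base_dir)
        target = os.path.realpath(base_dir + name)
        if os.path.commonpath([root, target]) != root or target == root:
            print("on_message: rejected name outside dump directory:", repr(name))
            return

        # print('name:', name)
        content = payload['content'].encode('utf-8')
        # if name.endswith('.lua'):
        # write() creates the parent directory before opening the file.
        write(target, content)
    except Exception as e:
        # Report instead of silently dropping, so malformed or error messages
        # from the script are visible to the operator.
        print("on_message: dropped message:", repr(e))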
# Deliver messages emitted by the injected script to on_message, then inject it.
script.on('message', on_message)
script.load()

# Block on stdin so this process, and the Frida session it owns, stays alive
# until input is closed.
sys.stdin.read()