G5t4r · May 23, 2019 11:44
diff --git a/frida_hook_sign.py b/frida_hook_sign.py
 import frida
 import sys,os

 #frida 12.5.7
 device = frida.get_usb_device()
 pid = device.spawn(["com.ylc2.qp.Pokermate"])
 session = device.attach(pid)
 device.resume(pid)
    
 # rdev = frida.get_remote_device()
 # session = rdev.attach("com.tc.tbnn")

 script = session.create_script("""

 var dlopen_ptr = Module.findExportByName(null, 'dlopen');
 console.log(dlopen_ptr);
 var need_hook = 0;
 Interceptor.attach(dlopen_ptr,
    {
        onEnter: function(args) 
        {
            // var name = Memory.readUtf8String(args[0]);
     
            var p = new NativePointer(''+args[0]);
            var name = p.readUtf8String()
            console.log('dlopen load:'+name);
            if(name.search('libcocos2dcpp.so')!=-1 && need_hook==0) //hook时机。。
            {
                need_hook = 1;
                console.log('dlopen libcocos2dcpp.so called from:\\n' + Thread.backtrace(this.context, Backtracer.ACCURATE).map(DebugSymbol.fromAddress).join('\\n'));
            }
        },
        onLeave: function(retval)
        {
            if(need_hook==1)
            {
                console.log("need_hook");
                need_hook = -1;
                getsaltsign();
                createSign();
            }
        }
    }
 );

 function getsaltsign() { //char ** getsaltsign()
    console.log("getsaltsign");
    var soaddr0 = Module.getExportByName("libcocos2dcpp.so", "_ZN4Tool10CreateSignESs");
    console.log("[+] so address0:" + soaddr0)
    var soaddr = Module.findBaseAddress('libcocos2dcpp.so').add(ptr('0x009DB27D'));
    console.log("[+] so address:" + soaddr)
    Interceptor.attach(soaddr, {
        onEnter: function(args) {},
        onLeave: function(retval) {
            //console.log("retval:" + readStdString(retval));
            //console.log("retval:" + hexdump(retval, { length: 100, ansi: true }));
            //console.log('add='+retval.add(ptr('4')).readU32())
            var p = ptr(''+retval.readU32());
            //console.log('p='+p)
            
            //console.log("retval:" + hexdump(p, {length: 100, ansi: true}));
            console.log("getsaltsign retval:"+ p.readCString())
        }
    });

 }

 function createSign() { //createSign(int a1,int a2, char **a3)
    console.log("createSign");
    var soaddr = Module.getExportByName("libcocos2dcpp.so", "_ZN4Tool10CreateSignESs");
    console.log("[+] createSign  address:" + soaddr)

    Interceptor.attach(soaddr, {
        onEnter: function(args) {
            //console.log("createSign args[2]:" + hexdump(args[2], { length: 100, ansi: true }));
            
            var p = ptr(''+args[2].add(ptr('0')).readU32());
           
            
            //console.log("createSign args[2]0:" + hexdump(p, {length: 100, ansi: true}));
            console.log("createSign args[2]:"+ p.readCString())
        },
        onLeave: function(retval) {
            /*
            //console.log("retval:" + readStdString(retval));
            console.log("retval:" + hexdump(retval, { length: 100, ansi: true }));
            console.log('add='+retval.add(ptr('4')).readU32())
            var p = ptr(''+retval.readU32());
            console.log('p='+p)
            
            console.log("retval:" + hexdump(p, {length: 100, ansi: true}));
            */
        }
    });

 }

 """)

 def write(path, content):
    print('write:', path)
    folder = os.path.dirname(path)
    if not os.path.exists(folder):
        os.makedirs(folder)
    # open(path, 'w+').write(str(content,'utf-8'))
    open(path, 'wb+').write(content)
        
 def on_message(message, data):
    # print(message)
    try:
        if message['payload']['name']:
            name = message['payload']['name'] #这里的name有可能不是lua脚本的名字,而是直接的lua脚本字符串
            if len(name)>100:
                print("ilg name:",name)
                the_comm = "/Users/ne0/Downloads/ddlua/the_comm"
                open(the_comm, 'a+').write(name)
                return
            name = "/Users/ne0/Downloads/ddlua/"+ name
            
            # print('name:', name)
            content = message['payload']['content'].encode('utf-8')
            dirName = os.path.dirname(name)
            if not os.path.exists(dirName):
                
                os.makedirs(os.path.dirname(name))
            # if name.endswith('.lua'):
            write(name, content)
    except Exception as e:
        pass

            
 script.on('message', on_message)
 script.load()
 sys.stdin.read()
	import frida
	import sys,os

	#frida 12.5.7
	device = frida.get_usb_device()
	pid = device.spawn(["com.ylc2.qp.Pokermate"])
	session = device.attach(pid)
	device.resume(pid)

	# rdev = frida.get_remote_device()
	# session = rdev.attach("com.tc.tbnn")

	script = session.create_script("""

	var dlopen_ptr = Module.findExportByName(null, 'dlopen');
	console.log(dlopen_ptr);
	var need_hook = 0;
	Interceptor.attach(dlopen_ptr,
	{
	onEnter: function(args)
	{
	// var name = Memory.readUtf8String(args[0]);

	var p = new NativePointer(''+args[0]);
	var name = p.readUtf8String()
	console.log('dlopen load:'+name);
	if(name.search('libcocos2dcpp.so')!=-1 && need_hook==0) //hook时机。。
	{
	need_hook = 1;
	console.log('dlopen libcocos2dcpp.so called from:\\n' + Thread.backtrace(this.context, Backtracer.ACCURATE).map(DebugSymbol.fromAddress).join('\\n'));
	}
	},
	onLeave: function(retval)
	{
	if(need_hook==1)
	{
	console.log("need_hook");
	need_hook = -1;
	getsaltsign();
	createSign();
	}
	}
	}
	);

	function getsaltsign() { //char ** getsaltsign()
	console.log("getsaltsign");
	var soaddr0 = Module.getExportByName("libcocos2dcpp.so", "_ZN4Tool10CreateSignESs");
	console.log("[+] so address0:" + soaddr0)
	var soaddr = Module.findBaseAddress('libcocos2dcpp.so').add(ptr('0x009DB27D'));
	console.log("[+] so address:" + soaddr)
	Interceptor.attach(soaddr, {
	onEnter: function(args) {},
	onLeave: function(retval) {
	//console.log("retval:" + readStdString(retval));
	//console.log("retval:" + hexdump(retval, { length: 100, ansi: true }));
	//console.log('add='+retval.add(ptr('4')).readU32())
	var p = ptr(''+retval.readU32());
	//console.log('p='+p)

	//console.log("retval:" + hexdump(p, {length: 100, ansi: true}));
	console.log("getsaltsign retval:"+ p.readCString())
	}
	});

	}

	function createSign() { //createSign(int a1,int a2, char **a3)
	console.log("createSign");
	var soaddr = Module.getExportByName("libcocos2dcpp.so", "_ZN4Tool10CreateSignESs");
	console.log("[+] createSign address:" + soaddr)

	Interceptor.attach(soaddr, {
	onEnter: function(args) {
	//console.log("createSign args[2]:" + hexdump(args[2], { length: 100, ansi: true }));

	var p = ptr(''+args[2].add(ptr('0')).readU32());


	//console.log("createSign args[2]0:" + hexdump(p, {length: 100, ansi: true}));
	console.log("createSign args[2]:"+ p.readCString())
	},
	onLeave: function(retval) {
	/*
	//console.log("retval:" + readStdString(retval));
	console.log("retval:" + hexdump(retval, { length: 100, ansi: true }));
	console.log('add='+retval.add(ptr('4')).readU32())
	var p = ptr(''+retval.readU32());
	console.log('p='+p)

	console.log("retval:" + hexdump(p, {length: 100, ansi: true}));
	*/
	}
	});

	}

	""")

	def write(path, content):
	print('write:', path)
	folder = os.path.dirname(path)
	if not os.path.exists(folder):
	os.makedirs(folder)
	# open(path, 'w+').write(str(content,'utf-8'))
	open(path, 'wb+').write(content)

	def on_message(message, data):
	# print(message)
	try:
	if message['payload']['name']:
	name = message['payload']['name'] #这里的name有可能不是lua脚本的名字,而是直接的lua脚本字符串
	if len(name)>100:
	print("ilg name:",name)
	the_comm = "/Users/ne0/Downloads/ddlua/the_comm"
	open(the_comm, 'a+').write(name)
	return
	name = "/Users/ne0/Downloads/ddlua/"+ name

	# print('name:', name)
	content = message['payload']['content'].encode('utf-8')
	dirName = os.path.dirname(name)
	if not os.path.exists(dirName):

	os.makedirs(os.path.dirname(name))
	# if name.endswith('.lua'):
	write(name, content)
	except Exception as e:
	pass


	script.on('message', on_message)
	script.load()
	sys.stdin.read()