SeeFlowerX SeeFlowerX
SeeFlowerX
/ calltest.js
Created
November 23, 2021 03:33
验证hook NativeFunction原地址后,再通过NativeFunction对象调用是否会陷入死循环。结果:会。
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| let gettid_ptr = Module.getExportByName(null, 'gettid'); | |
| let my_gettid = new NativeFunction(gettid_ptr, 'int', []); | |
| Interceptor.attach(gettid_ptr, { | |
| onEnter: function (args) { | |
| console.log(`ddddhm`); | |
| } | |
| }); | |
| let jnienv_addr = Java.vm.getEnv().handle.readPointer(); | |
| let findclass_addr = jnienv_addr.add(6 * Process.pointerSize).readPointer(); |
SeeFlowerX
/ error.log
Created
November 23, 2021 10:03
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 11-23 18:02:50.363 22621 22621 F art : art/runtime/indirect_reference_table.cc:82] JNI ERROR (app bug): accessed stale Local 0x55847a90ad (index 42027 in a table of size 209) | |
| 11-23 18:02:50.386 22621 22621 F art : art/runtime/runtime.cc:438] Runtime aborting... | |
| 11-23 18:02:50.386 22621 22621 F art : art/runtime/runtime.cc:438] Aborting thread: | |
| 11-23 18:02:50.386 22621 22621 F art : art/runtime/runtime.cc:438] "main" prio=5 tid=1 Runnable | |
| 11-23 18:02:50.386 22621 22621 F art : art/runtime/runtime.cc:438] | group="" sCount=0 dsCount=0 obj=0x12c041f0 self=0x7f942cba00 | |
| 11-23 18:02:50.386 22621 22621 F art : art/runtime/runtime.cc:438] | sysTid=22621 nice=0 cgrp=default sched=0/0 handle=0x7f94b2cab0 | |
| 11-23 18:02:50.386 22621 22621 F art : art/runtime/runtime.cc:438] | state=R schedstat=( 682180112 4030261 62 ) utm=49 stm=19 core=6 HZ=100 | |
| 11-23 18:02:50.386 22621 22621 F art : art/runtime/runtime.cc:438] | stack=0x7fde1a8000-0x7fde1aa000 stackSize=8MB | |
| 11-23 18:02:50.386 22621 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| . | |
| ├── [4.0K] bin | |
| │ ├── [ 24K] autopoint | |
| │ ├── [125K] envsubst | |
| │ ├── [ 28K] gapplication | |
| │ ├── [ 81K] gdbus | |
| │ ├── [2.0K] gdbus-codegen | |
| │ ├── [121K] gettext | |
| │ ├── [ 42K] gettextize | |
| │ ├── [4.5K] gettext.sh |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Interceptor.attach(dlopenRef, { | |
| onEnter:function(args){ | |
| this.path = args[0].readCString(); | |
| },onLeave:function(retval){ | |
| if (this.path != null) { | |
| if (checkLibrary(this.path)) { | |
| trackedLibs.set(retval.toString(), true); | |
| } | |
| else { | |
| libBlacklist.set(retval.toString(), true); |
SeeFlowerX
/ UI信息.md
Created
December 16, 2021 02:13
setprop persist.device_config.runtime_native.usap_pool_enabled false
SeeFlowerX
/ frida-extract-keystore.py
Created
January 5, 2022 03:02
— forked from ceres-c/frida-extract-keystore.py
Automatically extract KeyStore objects and relative password from Android applications with Frida - Read more: https://ceres-c.it/2018/12/16/frida-android-keystore/
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python3 | |
| ''' | |
| author: ceres-c | |
| usage: ./frida-extract-keystore.py | |
| Once the keystore(s) have been exported you have to convert them to PKCS12 using keytool | |
| ''' | |
| import frida, sys, time |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| https://pastebin.com/eYeUt5X8 |
简要说明:
将定义为std::string ArtMethod::PrettyMethod(ArtMethod* m, bool with_signature)的方法
通过NativeFunction绑定,将返回值设为单个pointer,尝试读取对应的string内容
发现对返回的pointer分步读取(即打印readPointer结果)的值会产生变化
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function readStdString(str: NativePointer) { | |
| const isTiny = (str.readU8() & 1) === 0; | |
| if (isTiny) { | |
| return str.add(1).readUtf8String(); | |
| } | |
| return str.add(2 * Process.pointerSize).readPointer().readUtf8String(); | |
| } | |
| function get_PrettyMethod(){ | |
| let PrettyMethod_ptr = Module.findExportByName("libart.so", "_ZN3art9ArtMethod12PrettyMethodEPS0_b"); |