还在学习呢 发表于 2024-5-8 14:47

Frida hook 问题

小白一枚,因为项目需求正在学习逆向,因为刚接触所以在网上找到一个别人写好的hook代码,是采用frida注入js文件hook的,所以照猫画虎跟着做,但是在hook时出现问题,js内代码是和对方一样的,但是却不能hook到想要的方法(ps:对方是可以的)


是否是环境问题,因为我是用模拟器不是真机?





以下是参照的hook代码与返回效果

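/**
 * Logs every native method that is registered through JNI RegisterNatives
 * while this script is attached.
 *
 * The function looks up the non-CheckJNI `RegisterNatives` symbol in
 * libart.so, attaches an Interceptor to it, and for each call prints the
 * class name, the method name, the JNI signature, the native function
 * address and, when the address can be attributed to a loaded module, the
 * module name and the offset inside that module.
 *
 * Only calls made after Interceptor.attach() are observed. Registrations
 * that happen before the script is loaded are not reported.
 */
function hook_RegisterNatives() {
    var RegisterNatives_addr = null;
    var libart = Process.findModuleByName("libart.so");
    if (libart === null) {
        console.log("libart.so is not loaded in this process, RegisterNatives was not hooked");
        return;
    }
    var symbols = libart.enumerateSymbols();
    for (var i = 0; i < symbols.length; i++) {
        // Each entry is a symbol record; the name and address live on the
        // element, not on the array itself.
        var symbol = symbols[i].name;
        // Skip the CheckJNI wrapper and keep the plain JNI implementation.
        if (symbol.indexOf("CheckJNI") === -1 &&
            symbol.indexOf("JNI") >= 0 &&
            symbol.indexOf("RegisterNatives") >= 0) {
            RegisterNatives_addr = symbols[i].address;
            console.log("RegisterNatives_addr: ", RegisterNatives_addr);
        }
    }
    if (RegisterNatives_addr === null) {
        // Interceptor.attach() would throw on a null target.
        console.log("RegisterNatives symbol not found in libart.so, nothing was hooked");
        return;
    }
    Interceptor.attach(RegisterNatives_addr, {
        onEnter: function (args) {
            // jint RegisterNatives(JNIEnv *env, jclass clazz,
            //                      const JNINativeMethod *methods, jint nMethods)
            var jclass = args[1];
            var class_name = Java.vm.tryGetEnv().getClassName(jclass);
            var methods_ptr = ptr(args[2]);
            var method_count = args[3].toInt32();
            console.log("RegisterNatives method counts: ", method_count);
            // JNINativeMethod is three pointers: name, signature, fnPtr.
            var entry_size = Process.pointerSize * 3;
            for (var i = 0; i < method_count; i++) {
                var entry = methods_ptr.add(i * entry_size);
                var name = entry.readPointer().readCString();
                var sig = entry.add(Process.pointerSize).readPointer().readCString();
                var fnPtr_ptr = entry.add(Process.pointerSize * 2).readPointer();
                // findModuleByAddress() returns null when the address is not
                // inside any module Frida knows about; dereferencing it
                // unconditionally would abort the whole callback.
                var find_module = Process.findModuleByAddress(fnPtr_ptr);
                var module_name = find_module !== null ? find_module.name : null;
                var offset = find_module !== null ? ptr(fnPtr_ptr).sub(find_module.base) : null;
                console.log("类: ", class_name, "方法: ", name, "签名: ", sig, "函数地址: ", fnPtr_ptr, "模块名: ", module_name, "函数偏移: ", offset);
            }
        },
        onLeave: function (retval) {}
    });
}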
// Install the RegisterNatives hook as soon as the script is evaluated.
hook_RegisterNatives();





这是我hook到的

类:com.tencent.mmkv.MMKV 方法:onExit 签名:()V 函数地址:0x7fa869e06b70 模块名:null
类:com.tencent.mmkv.MMKV 方法:cryptKey 签名:()Ljava/lang/String; 函数地址:0x7fa869e06ac0 模块名:null
类:com.tencent.mmkv.MMKV 方法:reKey 签名:(Ljava/lang/String;)Z 函数地址:0x7fa869e06a10 模块名:null
类:com.tencent.mmkv.MMKV 方法:checkReSetCryptKey 签名:(Ljava/lang/String;)V 函数地址:0x7fa869e06960 模块名:null
类:com.tencent.mmkv.MMKV 方法:pageSize 签名:()I 函数地址:0x7fa869e068b0 模块名:null
类:com.tencent.mmkv.MMKV 方法:mmapID 签名:()Ljava/lang/String; 函数地址:0x7fa869e06800 模块名:null
类:com.tencent.mmkv.MMKV 方法:version 签名:()Ljava/lang/String; 函数地址:0x7fa869e06750 模块名:null
类:com.tencent.mmkv.MMKV 方法:lock 签名:()V 函数地址:0x7fa869e066a0 模块名:null
类:com.tencent.mmkv.MMKV 方法:unlock 签名:()V 函数地址:0x7fa869e065f0 模块名:null
类:com.tencent.mmkv.MMKV 方法:tryLock 签名:()Z 函数地址:0x7fa869e06540 模块名:null
类:com.tencent.mmkv.MMKV 方法:allKeys 签名:()[Ljava/lang/String; 函数地址:0x7fa869e06490 模块名:null
类:com.tencent.mmkv.MMKV 方法:removeValuesForKeys 签名:([Ljava/lang/String;)V 函数地址:0x7fa869e063e0 模块名:null
类:com.tencent.mmkv.MMKV 方法:clearAll 签名:()V 函数地址:0x7fa869e06330 模块名:null
类:com.tencent.mmkv.MMKV 方法:trim 签名:()V 函数地址:0x7fa869e06280 模块名:null
类:com.tencent.mmkv.MMKV 方法:close 签名:()V 函数地址:0x7fa869e061d0 模块名:null
类:com.tencent.mmkv.MMKV 方法:clearMemoryCache 签名:()V 函数地址:0x7fa869e06120 模块名:null
类:com.tencent.mmkv.MMKV 方法:sync 签名:(Z)V 函数地址:0x7fa869e06070 模块名:null
类:com.tencent.mmkv.MMKV 方法:isFileValid 签名:(Ljava/lang/String;Ljava/lang/String;)Z 函数地址:0x7fa869e04f90 模块名:null
类:com.tencent.mmkv.MMKV 方法:ashmemFD 签名:()I 函数地址:0x7fa869e04ee0 模块名:null
类:com.tencent.mmkv.MMKV 方法:ashmemMetaFD 签名:()I 函数地址:0x7fa869e04e30 模块名:null
类:com.tencent.mmkv.MMKV 方法:jniInitialize 签名:(Ljava/lang/String;Ljava/lang/String;I)V 函数地址:0x7fa869e04d80 模块名:null
类:com.tencent.mmkv.MMKV 方法:getMMKVWithID 签名:(Ljava/lang/String;ILjava/lang/String;Ljava/lang/String;)J 函数地址:0x7fa869e04cd0 模块名:null
类:com.tencent.mmkv.MMKV 方法:getMMKVWithIDAndSize 签名:(Ljava/lang/String;IILjava/lang/String;)J 函数地址:0x7fa869e04c20 模块名:null
类:com.tencent.mmkv.MMKV 方法:getDefaultMMKV 签名:(ILjava/lang/String;)J 函数地址:0x7fa869e04b70 模块名:null
类:com.tencent.mmkv.MMKV 方法:getMMKVWithAshmemFD 签名:(Ljava/lang/String;IILjava/lang/String;)J 函数地址:0x7fa869e04ac0 模块名:null
类:com.tencent.mmkv.MMKV 方法:encodeBool 签名:(JLjava/lang/String;Z)Z 函数地址:0x7fa869e04a10 模块名:null
类:com.tencent.mmkv.MMKV 方法:decodeBool 签名:(JLjava/lang/String;Z)Z 函数地址:0x7fa869e04960 模块名:null
类:com.tencent.mmkv.MMKV 方法:encodeInt 签名:(JLjava/lang/String;I)Z 函数地址:0x7fa869e048b0 模块名:null
类:com.tencent.mmkv.MMKV 方法:decodeInt 签名:(JLjava/lang/String;I)I 函数地址:0x7fa869e04800 模块名:null
类:com.tencent.mmkv.MMKV 方法:encodeLong 签名:(JLjava/lang/String;J)Z 函数地址:0x7fa869e04750 模块名:null
类:com.tencent.mmkv.MMKV 方法:decodeLong 签名:(JLjava/lang/String;J)J 函数地址:0x7fa869e046a0 模块名:null
类:com.tencent.mmkv.MMKV 方法:encodeFloat 签名:(JLjava/lang/String;F)Z 函数地址:0x7fa869e045f0 模块名:null
类:com.tencent.mmkv.MMKV 方法:decodeFloat 签名:(JLjava/lang/String;F)F 函数地址:0x7fa869e04540 模块名:null
类:com.tencent.mmkv.MMKV 方法:encodeDouble 签名:(JLjava/lang/String;D)Z 函数地址:0x7fa869e04490 模块名:null
类:com.tencent.mmkv.MMKV 方法:decodeDouble 签名:(JLjava/lang/String;D)D 函数地址:0x7fa869e043e0 模块名:null
类:com.tencent.mmkv.MMKV 方法:encodeString 签名:(JLjava/lang/String;Ljava/lang/String;)Z 函数地址:0x7fa869e04330 模块名:null
类:com.tencent.mmkv.MMKV 方法:decodeString 签名:(JLjava/lang/String;Ljava/lang/String;)Ljava/lang/String; 函数地址:0x7fa869e04280 模块名:null
类:com.tencent.mmkv.MMKV 方法:encodeSet 签名:(JLjava/lang/String;[Ljava/lang/String;)Z 函数地址:0x7fa869e041d0 模块名:null
类:com.tencent.mmkv.MMKV 方法:decodeStringSet 签名:(JLjava/lang/String;)[Ljava/lang/String; 函数地址:0x7fa869e04120 模块名:null
类:com.tencent.mmkv.MMKV 方法:encodeBytes 签名:(JLjava/lang/String;[B)Z 函数地址:0x7fa869e04070 模块名:null
类:com.tencent.mmkv.MMKV 方法:decodeBytes 签名:(JLjava/lang/String;)[B 函数地址:0x7fa869980f90 模块名:null
类:com.tencent.mmkv.MMKV 方法:containsKey 签名:(JLjava/lang/String;)Z 函数地址:0x7fa869980ee0 模块名:null
类:com.tencent.mmkv.MMKV 方法:count 签名:(J)J 函数地址:0x7fa869980e30 模块名:null
类:com.tencent.mmkv.MMKV 方法:totalSize 签名:(J)J 函数地址:0x7fa869980d80 模块名:null
类:com.tencent.mmkv.MMKV 方法:actualSize 签名:(J)J 函数地址:0x7fa869980cd0 模块名:null
类:com.tencent.mmkv.MMKV 方法:removeValueForKey 签名:(JLjava/lang/String;)V 函数地址:0x7fa869980c20 模块名:null
类:com.tencent.mmkv.MMKV 方法:valueSize 签名:(JLjava/lang/String;Z)I 函数地址:0x7fa869980b70 模块名:null
类:com.tencent.mmkv.MMKV 方法:setLogLevel 签名:(I)V 函数地址:0x7fa869980ac0 模块名:null
类:com.tencent.mmkv.MMKV 方法:setCallbackHandler 签名:(ZZ)V 函数地址:0x7fa869980a10 模块名:null
类:com.tencent.mmkv.MMKV 方法:setWantModeCheck 签名:(Z)V 函数地址:0x7fa869980960 模块名:null
类:com.tencent.mmkv.MMKV 方法:createNB 签名:(I)J 函数地址:0x7fa8699808b0 模块名:null
类:com.tencent.mmkv.MMKV 方法:destroyNB 签名:(JI)V 函数地址:0x7fa869980800 模块名:null
类:com.tencent.mmkv.MMKV 方法:writeValueToNB 签名:(JLjava/lang/String;JI)I 函数地址:0x7fa869980750 模块名:null
类:com.tencent.mmkv.MMKV 方法:setWantsContentChangeNotify 签名:(Z)V 函数地址:0x7fa8699806a0 模块名:null
类:com.tencent.mmkv.MMKV 方法:setLoadOnNecessaryEnable 签名:(Z)V 函数地址:0x7fa8699805f0 模块名:null
类:com.tencent.mmkv.MMKV 方法:setSharedLockFirstWhenReload 签名:(Z)V 函数地址:0x7fa869980540 模块名:null
类:com.tencent.mmkv.MMKV 方法:checkContentChangedByOuterProcess 签名:()V 函数地址:0x7fa869980490 模块名:null
类:com.tencent.mmkv.MMKV 方法:checkProcessMode 签名:(J)Z 函数地址:0x7fa8699803e0 模块名:null
类:com.tencent.mmkv.MMKV 方法:backupOneToDirectory 签名:(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;)Z 函数地址:0x7fa869980330 模块名:null
类:com.tencent.mmkv.MMKV 方法:restoreOneMMKVFromDirectory 签名:(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;)Z 函数地址:0x7fa869980280 模块名:null
类:com.tencent.mmkv.MMKV 方法:backupAllToDirectory 签名:(Ljava/lang/String;)J 函数地址:0x7fa8699801d0 模块名:null
类:com.tencent.mmkv.MMKV 方法:restoreAllFromDirectory 签名:(Ljava/lang/String;)J 函数地址:0x7fa869980120 模块名:null
RegisterNatives method counts:15
类:com.tencent.qimei.uin.U 方法:r 签名:(ZIILjava/lang/String;I[Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String; 函数地址:0x7fa8692f7cd0 模块名:null
类:com.tencent.qimei.uin.U 方法:d 签名:(Ljava/lang/String;)[B 函数地址:0x7fa8692f7c20 模块名:null
类:com.tencent.qimei.uin.U 方法:e 签名:(Ljava/lang/String;Ljava/lang/String;)B 函数地址:0x7fa8692f7b70 模块名:null
类:com.tencent.qimei.uin.U 方法:n 签名:(Landroid/content/Context;Ljava/lang/String;[Ljava/lang/Object;)V 函数地址:0x7fa8692f7ac0 模块名:null
类:com.tencent.qimei.uin.U 方法:m 签名:(I)Ljava/lang/String; 函数地址:0x7fa8692f7a10 模块名:null
类:com.tencent.qimei.uin.U 方法:z 签名:(Landroid/content/Context;)Ljava/lang/String; 函数地址:0x7fa8692f7960 模块名:null
类:com.tencent.qimei.uin.U 方法:z2 签名:(Landroid/content/Context;I)Ljava/lang/String; 函数地址:0x7fa8692f78b0 模块名:null
类:com.tencent.qimei.uin.U 方法:o 签名:()Ljava/lang/String; 函数地址:0x7fa8692f7800 模块名:null
类:com.tencent.qimei.uin.U 方法:x 签名:(Ljava/lang/String;)Ljava/lang/String; 函数地址:0x7fa8692f7750 模块名:null
类:com.tencent.qimei.uin.U 方法:u 签名:()Ljava/lang/String; 函数地址:0x7fa8692f76a0 模块名:null
类:com.tencent.qimei.uin.U 方法:a 签名:(I[B[B[B)[B 函数地址:0x7fa8692f75f0 模块名:null
类:com.tencent.qimei.uin.U 方法:p 签名:()Ljava/lang/String; 函数地址:0x7fa8692f7540 模块名:null
类:com.tencent.qimei.uin.U 方法:b 签名:()Z 函数地址:0x7fa8692f7490 模块名:null
类:com.tencent.qimei.uin.U 方法:r4 签名:([BI[BI)[B 函数地址:0x7fa8692f73e0 模块名:null
类:com.tencent.qimei.uin.U 方法:w 签名:(Ljava/lang/String;)Z 函数地址:0x7fa8692f7330 模块名:null
RegisterNatives method counts:1
类:com.tencent.mobileqq.nativememorymonitor.library.ClassToFindJniOffset 方法:mark 签名:()V 函数地址:0x7fa8692f71d0 模块名:null
RegisterNatives method counts:9
类:com.tencent.mobileqq.nativememorymonitor.library.NativeMemoryMonitor 方法:nativeJniHookInit 签名:(JJ)V 函数地址:0x7fa8692f7120 模块名:null
类:com.tencent.mobileqq.nativememorymonitor.library.NativeMemoryMonitor 方法:nativeSoLoadHook 签名:(Ljava/lang/String;Ljava/lang/String;JZ)V 函数地址:0x7fa8692f7070 模块名:null
类:com.tencent.mobileqq.nativememorymonitor.library.NativeMemoryMonitor 方法:nativeFileHook 签名:(JJ)V 函数地址:0x7fa82479ff90 模块名:null
类:com.tencent.mobileqq.nativememorymonitor.library.NativeMemoryMonitor 方法:nativeOpenFileHook 签名:(J)V 函数地址:0x7fa82479fee0 模块名:null
类:com.tencent.mobileqq.nativememorymonitor.library.NativeMemoryMonitor 方法:nativeJavaFieldHook 签名:([Ljava/lang/Class;[Ljava/lang/String;[Ljava/lang/String;[Lcom/tencent/mobileqq/nativememorymonitor/library/AccessFieldCallback;[Ljava/lang/Class;[Ljava/lang/String;[Ljava/lang/String;[Lcom/tencent/mobileqq/nativememorymonitor/library/AccessFieldCallback;)V 函数地址:0x7fa82479fe30 模块名:null
类:com.tencent.mobileqq.nativememorymonitor.library.NativeMemoryMonitor 方法:nativeJavaMethodHook 签名:([Ljava/lang/Class;[Ljava/lang/String;[Ljava/lang/String;[Lcom/tencent/mobileqq/nativememorymonitor/library/CallMethodCallback;[Ljava/lang/Class;[Ljava/lang/String;[Ljava/lang/String;[Lcom/tencent/mobileqq/nativememorymonitor/library/CallMethodCallback;)V 函数地址:0x7fa82479fd80 模块名:null
类:com.tencent.mobileqq.nativememorymonitor.library.NativeMemoryMonitor 方法:nativeInit 签名:(J[Ljava/lang/String;JJJ)V 函数地址:0x7fa82479fcd0 模块名:null
类:com.tencent.mobileqq.nativememorymonitor.library.NativeMemoryMonitor 方法:nativeDump 签名:()V 函数地址:0x7fa82479fc20 模块名:null
类:com.tencent.mobileqq.nativememorymonitor.library.NativeMemoryMonitor 方法:applyHiddenApiPolicyCrack 签名:(Landroid/content/pm/ApplicationInfo;)Z 函数地址:0x7fa82479fb70 模块名:null
RegisterNatives method counts:2
类:com.tencent.mobileqq.nativememorymonitor.library.NativeMemoryMonitor 方法:nativeGetJavaThreadPeakCount 签名:()I 函数地址:0x7fa82479fac0 模块名:null
类:com.tencent.mobileqq.nativememorymonitor.library.NativeMemoryMonitor 方法:nativeThreadHook 签名:()V 函数地址:0x7fa82479fa10 模块名:null
RegisterNatives method counts:1
类:com.tencent.mobileqq.nativememorymonitor.library.NativeMemoryMonitor 方法:nativeThreadCreateHookInit 签名:(Ljava/lang/String;)V 函数地址:0x7fa82479f960 模块名:null
RegisterNatives method counts:1
类:com.tencent.mobileqq.nativememorymonitor.library.NativeMemoryMonitor 方法:setupASanCallback 签名:()V 函数地址:0x7fa82479f8b0 模块名:null
RegisterNatives method counts:1
类:com.tencent.mobileqq.nativememorymonitor.library.NativeMemoryMonitor 方法:getUndetachThreads 签名:()Ljava/lang/String; 函数地址:0x7fa82479f800 模块名:null
RegisterNatives method counts:7
类:com.tencent.mobileqq.nativememorymonitor.library.trafficmonitor.NativeTrafficMonitor 方法:nativeTrafficMonitorInit 签名:(Ljava/lang/Object;)V 函数地址:0x7fa82479f750 模块名:null
类:com.tencent.mobileqq.nativememorymonitor.library.trafficmonitor.NativeTrafficMonitor 方法:nativeSetNetStateIsMobile 签名:(Z)V 函数地址:0x7fa82479f6a0 模块名:null
类:com.tencent.mobileqq.nativememorymonitor.library.trafficmonitor.NativeTrafficMonitor 方法:nativeEnableDetailMonitor 签名:(Z)V 函数地址:0x7fa82479f5f0 模块名:null
类:com.tencent.mobileqq.nativememorymonitor.library.trafficmonitor.NativeTrafficMonitor 方法:nativeEnableGlobalMonitor 签名:(Z)V 函数地址:0x7fa82479f540 模块名:null
类:com.tencent.mobileqq.nativememorymonitor.library.trafficmonitor.NativeTrafficMonitor 方法:nativeSetReportThreshold 签名:(JJJJ)V 函数地址:0x7fa82479f490 模块名:null
类:com.tencent.mobileqq.nativememorymonitor.library.trafficmonitor.NativeTrafficMonitor 方法:nativeSetGloBalMonitorThreshold 签名:(JJJJJJ)V 函数地址:0x7fa82479f3e0 模块名:null
类:com.tencent.mobileqq.nativememorymonitor.library.trafficmonitor.NativeTrafficMonitor 方法:nativeSetAppIsOnForeground 签名:(Z)V 函数地址:0x7fa82479f330 模块名:null
RegisterNatives method counts:5
类:com.tencent.bugly.crashreport.crash.jni.NativeCrashHandler 方法:regist 签名:(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;ZIJ)Ljava/lang/String; 函数地址:0x7fa823799ee0 模块名:null
类:com.tencent.bugly.crashreport.crash.jni.NativeCrashHandler 方法:unregist 签名:()Ljava/lang/String; 函数地址:0x7fa823799e30 模块名:null
类:com.tencent.bugly.crashreport.crash.jni.NativeCrashHandler 方法:testCrash 签名:()V 函数地址:0x7fa823799d80 模块名:null
类:com.tencent.bugly.crashreport.crash.jni.NativeCrashHandler 方法:setAdditionalAttachmentPathsNative 签名:([Ljava/lang/String;)V 函数地址:0x7fa823799cd0 模块名:null
类:com.tencent.bugly.crashreport.crash.jni.NativeCrashHandler 方法:saveAdditionalAttachmentPathsNative 签名:(Ljava/lang/String;)V 函数地址:0x7fa823799c20 模块名:null
RegisterNatives method counts:3
类:com.tencent.bugly.crashreport.crash.jni.NativeCrashHandler 方法:appendNativeLog 签名:(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;)Z 函数地址:0x7fa823799b70 模块名:null
类:com.tencent.bugly.crashreport.crash.jni.NativeCrashHandler 方法:getNativeLog 签名:()Ljava/lang/String; 函数地址:0x7fa823799ac0 模块名:null
类:com.tencent.bugly.crashreport.crash.jni.NativeCrashHandler 方法:appendWholeNativeLog 签名:(Ljava/lang/String;)Z 函数地址:0x7fa823799a10 模块名:null
RegisterNatives method counts:3
类:com.tencent.bugly.crashreport.crash.jni.NativeCrashHandler 方法:putNativeKeyValue 签名:(Ljava/lang/String;Ljava/lang/String;)Z 函数地址:0x7fa823799960 模块名:null
类:com.tencent.bugly.crashreport.crash.jni.NativeCrashHandler 方法:getNativeKeyValueList 签名:()Ljava/lang/String; 函数地址:0x7fa8237998b0 模块名:null
类:com.tencent.bugly.crashreport.crash.jni.NativeCrashHandler 方法:removeNativeKeyValue 签名:(Ljava/lang/String;)Ljava/lang/String; 函数地址:0x7fa823799800 模块名:null
RegisterNatives method counts:1
类:com.tencent.bugly.crashreport.crash.jni.NativeCrashHandler 方法:setNativeInfo 签名:(ILjava/lang/String;)V 函数地址:0x7fa823799750 模块名:null
RegisterNatives method counts:1
类:com.tencent.bugly.crashreport.crash.jni.NativeCrashHandler 方法:getSoCpuAbi 签名:()Ljava/lang/String; 函数地址:0x7fa8237996a0 模块名:null
RegisterNatives method counts:3
类:com.tencent.bugly.crashreport.crash.jni.NativeCrashHandler 方法:recordProcessingState 签名:(Ljava/lang/String;I)V 函数地址:0x7fa8237995f0 模块名:null
类:com.tencent.bugly.crashreport.crash.jni.NativeCrashHandler 方法:modifyProcessingState 签名:(IZZ)V 函数地址:0x7fa823799540 模块名:null
类:com.tencent.bugly.crashreport.crash.jni.NativeCrashHandler 方法:setCrashProcessingInfo 签名:(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;)V 函数地址:0x7fa823799490 模块名:null
RegisterNatives method counts:3
类:com.tencent.bugly.crashreport.crash.jni.NativeCrashHandler 方法:getFd 签名:()V 函数地址:0x7fa8237993e0 模块名:null
类:com.tencent.bugly.crashreport.crash.jni.NativeCrashHandler 方法:getProcessInfoAnr 签名:()V 函数地址:0x7fa823799330 模块名:null
类:com.tencent.bugly.crashreport.crash.jni.NativeCrashHandler 方法:getProperties 签名:(Ljava/lang/String;)Ljava/lang/String; 函数地址:0x7fa823799280 模块名:null
RegisterNatives method counts:11
类:com.tencent.turingfd.sdk.xq.TNative$aa 方法:a87_F4D9D65F3914B121 签名:(Landroid/util/SparseArray;Landroid/content/Context;Ljava/util/Map;Ljava/util/Map;I)Landroid/util/SparseArray; 函数地址:0x7fa8203bdac0 模块名:null
类:com.tencent.turingfd.sdk.xq.TNative$aa 方法:b87_F4D9D65F3914B121 签名:(Landroid/util/SparseArray;[BLjava/util/Map;I)Landroid/util/SparseArray; 函数地址:0x7fa8203bda10 模块名:null
类:com.tencent.turingfd.sdk.xq.TNative$aa 方法:c87_F4D9D65F3914B121 签名:(Landroid/util/SparseArray;Landroid/content/Context;)Landroid/util/SparseArray; 函数地址:0x7fa8203bd960 模块名:null
类:com.tencent.turingfd.sdk.xq.TNative$aa 方法:d87_F4D9D65F3914B121 签名:(Landroid/util/SparseArray;Landroid/content/Context;I)Landroid/util/SparseArray; 函数地址:0x7fa8203bd8b0 模块名:null
类:com.tencent.turingfd.sdk.xq.TNative$aa 方法:e87_F4D9D65F3914B121 签名:(Landroid/util/SparseArray;Landroid/content/Context;Ljava/util/Map;I)Landroid/util/SparseArray; 函数地址:0x7fa8203bd800 模块名:null
类:com.tencent.turingfd.sdk.xq.TNative$aa 方法:f87_F4D9D65F3914B121 签名:(Landroid/util/SparseArray;[BI)Landroid/util/SparseArray; 函数地址:0x7fa8203bd750 模块名:null
类:com.tencent.turingfd.sdk.xq.TNative$aa 方法:g87_F4D9D65F3914B121 签名:(Landroid/util/SparseArray;Landroid/content/Context;Ljava/util/Map;I)Landroid/util/SparseArray; 函数地址:0x7fa8203bd6a0 模块名:null
类:com.tencent.turingfd.sdk.xq.TNative$aa 方法:h87_F4D9D65F3914B121 签名:(Landroid/util/SparseArray;Landroid/content/Context;Ljava/util/Map;I)Landroid/util/SparseArray; 函数地址:0x7fa8203bd5f0 模块名:null
类:com.tencent.turingfd.sdk.xq.TNative$aa 方法:i87_F4D9D65F3914B121 签名:(Landroid/util/SparseArray;Landroid/content/Context;Ljava/util/Map;Ljava/lang/Object;Ljava/lang/Object;)Landroid/util/SparseArray; 函数地址:0x7fa8203bd540模块名:null
类:com.tencent.turingfd.sdk.xq.TNative$aa 方法:j87_F4D9D65F3914B121 签名:()Ljava/lang/String; 函数地址:0x7fa8203bd490 模块名:null
类:com.tencent.turingfd.sdk.xq.TNative$aa 方法:k87_F4D9D65F3914B121 签名:([B)[B 函数地址:0x7fa8203bd3e0 模块名:null
RegisterNatives method counts:1
类:com.tencent.turingfd.sdk.xq.TNative$aa$bb 方法:onServiceConnected 签名:(Landroid/content/ComponentName;Landroid/os/IBinder;)V 函数地址:0x7fa8203bd330 模块名:null
RegisterNatives method counts:4
类:com.tencent.image.ApngImage 方法:nativeGetNextFrame 签名:(JJLandroid/graphics/Bitmap;[I)J 函数地址:0x7fa8203bd120 模块名:null
类:com.tencent.image.ApngImage 方法:nativeStartDecode 签名:(Ljava/lang/String;[II)J 函数地址:0x7fa8203bd070 模块名:null
类:com.tencent.image.ApngImage 方法:nativeFreeFrame 签名:(J)V 函数地址:0x7fa82a461f90 模块名:null
类:com.tencent.image.ApngImage 方法:nativeFreeImage 签名:(J)V 函数地址:0x7fa82a461ee0 模块名:null

漁滒 发表于 2024-5-8 16:16

可能是:1.版本不同。2.时机不同。

wasm2023 发表于 2024-5-8 16:17

x86模拟器对so hook不能很好支持

正己 发表于 2024-5-9 13:47

试一下我这课里的脚本,以spawn的方式去挂起
《安卓逆向这档事》十七、你的RPCvs佬的RPC
https://www.52pojie.cn/thread-1892127-1-1.html
(出处: 吾爱破解论坛)

还在学习呢 发表于 2024-5-10 17:40

正己 发表于 2024-5-9 13:47
试一下我这课里的脚本,以spawn的方式去挂起
《安卓逆向这档事》十七、你的RPCvs佬的RPC
https://www.52p ...

大佬脚本很好用,不会出现null了,但还是遍历不到想要的so模块(确认so被调用了),请教下有没有可能被加固了之类的原因

正己 发表于 2024-5-10 18:16

还在学习呢 发表于 2024-5-10 17:40
大佬脚本很好用,不会出现null了,但还是遍历不到想要的so模块(确认so被调用了),请教下有没有可能被加 ...

你ida静态分析看一下,有可能