首先要定位 luaL_loadbuffer，直接搜这个符号就行了
luaL_loadbuffer
然后直接上脚本提取:
[Python] 纯文本查看 复制代码 import frida
import sys
import os
import time
"""
adb forward tcp:27042 tcp:27042
adb forward tcp:27043 tcp:27043
"""
package_id = 'com.gale.sanguokill.hd' # 隐去
dev = frida.get_remote_device()
pid = dev.spawn(package_id)
dev.resume(pid)
time.sleep(1)
process = dev.attach(pid)
# luaL_loadbuffer
# Frida agent source. It hooks luaL_loadbuffer(L, buff, size, name) at a
# hard-coded offset inside libgame.so and forwards each chunk to on_message
# below as {size, name, content}: args[1] is the buffer, args[2] its size,
# args[3] the chunk name.
# NOTE(review): the 0x00C72CB8 offset is only valid for the sampled build of
# libgame.so and has to be re-resolved for any other version.
# NOTE(review): readCString presumably stops at the first NUL byte, so a chunk
# containing embedded NULs would arrive truncated — confirm against the dumps.
src = '''
var addr = Module.findBaseAddress('libgame.so').add(0x00C72CB8)
Interceptor.attach(addr, {
onEnter: function(args) {
var name = Memory.readUtf8String(args[3]);
var obj = {}
obj.size = args[2].toInt32()
obj.name = name;
obj.content = Memory.readCString(args[1], obj.size);
send(obj);
}
} )
'''
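def write(path, content):
    """Write *content* to *path* as UTF-8 text, creating parent directories.

    Args:
        path: destination file path; an existing file is overwritten.
        content: text to store.

    Raises:
        OSError: if the directory cannot be created or the file cannot be
            written.
    """
    print('write:', path)
    folder = os.path.dirname(path)
    # dirname() is '' for a bare filename and makedirs('') raises, so only
    # create the directory when there is one; exist_ok avoids the check/create
    # race of the original exists()+makedirs() pair.
    if folder:
        os.makedirs(folder, exist_ok=True)
    # The context manager closes the handle even when write() fails (the
    # original never closed it); the explicit encoding keeps the output
    # independent of the host locale.
    with open(path, 'w', encoding='utf-8') as fh:
        fh.write(content)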
# Compile the agent source into a script bound to the attached process; the
# hook is not installed until script.load() is called below.
script = process.create_script(src)
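def on_message(message, data):
    """Frida message callback: save each Lua chunk reported by the hook under ./app/.

    Args:
        message: frida message dict. Only ``type == 'send'`` messages carry the
            ``payload`` built by the agent (``name``, ``size``, ``content``);
            ``error`` messages (agent exceptions) have no payload at all.
        data: optional binary attachment from the agent; unused here.
    """
    if message.get('type') != 'send':
        # The original indexed message['payload'] unconditionally, so an agent
        # error raised KeyError inside the callback and was lost. Print it.
        print('frida:', message)
        return
    payload = message.get('payload') or {}
    name = payload.get('name')
    if not name:
        return
    content = payload.get('content')
    if content is None:
        print('skip (no content):', name)
        return
    path = "./app/" + name
    # The chunk name is supplied by the instrumented process. Never let a
    # '..' component (or similar) steer the write outside the output
    # directory: resolve both paths and require the target to be inside it.
    base = os.path.abspath("./app")
    target = os.path.abspath(path)
    if target == base or os.path.commonpath([base, target]) != base:
        print('skip (outside output dir):', name)
        return
    # write() creates the parent directories itself; the makedirs the
    # original repeated here was redundant.
    write(path, content)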
# Register the handler before load() so no early message is missed, then
# install the hook in the target.
script.on('message', on_message)
script.load()
# Block on stdin until EOF so this process, and with it the hook, stays alive
# (Ctrl-D on a POSIX terminal ends the session).
sys.stdin.read()
运行效果:
frida
可以看到的代码:
code
样本下载地址:
http://sgk.ufile.ucloud.com.cn/update/sgk-home-5.7.2-051201.apk