Code Monkey home page Code Monkey logo

android-hook-pyasmpatch's Introduction

PyAsmPatch

Use lief, keystone and capstone to manually inline hook elf(libil2cpp.so) file

当前已完成功能

  1. 合并编译出的so中的指定节到我们待修改的so(MergeUtils中提供的 recordSymbols 屏蔽掉合并后函数地址的变化)
  2. UnityJumper.addHook 后当前pc已经准在了待写代码的位置,写完代码调用 UnityJumper.endHook()
  3. addHook中也支持查看hook位置的Regs值(printRegs=True),具体实现是读取进入hook代码前对所有用户态寄存器保存在堆栈的值(R11/FP)
  4. Hook InitArray 的第一个函数(Unity是hook il2cpp_init),在此处获取基址,并将GOT_TABLE中的每一项加上这个基址重新写回,0标识结束
  5. LDR 指令修复,其他PC相关指令后续再说 TODO .....
  6. 封装一些常用的函数 android_log_print mprotect callFunction Unity.JNI(单个参数没问题,多参数有bug)

TIPS:

  1. ins.addGOT() 和 ins.addPtr() :
    • addGOT 添加到 GOT_TABLE 启动时候会加基地址,用作blx Rx
    • addPtr 添加到 GLOBAL_TABLE ,仅用作存储,但是在 recordSymbol中也会用到addPtr,此处的调用会调用 addGOT
  2. ins.addBP() 添加一个死循环,IDA调式BUG的时候使用 (或者ins.resetPC(0x12345678) 后使用)

详见: https://bbs.pediy.com/thread-269601.htm

C:\ProgramData\Anaconda3\envs\APKUtils\python.exe C:\Users\pc\PycharmProjects\SoInject\scripts\射击之王_com_gzcc_zttnl_sjzw.py
[*] mergeSection => .inject => 0x1e8c000

[*] recordSym ---> GLOBAL_TABLE   	0x1e8dd28
[*] recordSym ---> STR_TABLE      	0x1e8e1dc
[*] recordSym ---> GOT_TABLE      	0x1e8e690
[*] recordSym ---> trampolines    	0x1e8d874
[*] recordSym ---> textCodes      	0x1e8d3c0


[*] recordSym ---> il2cpp_string_new        	0x1bd130   ---> 0x1be130
[*] recordSym ---> FindClass                	0xaea06c   ---> 0xaeb06c
[*] recordSym ---> GetStaticMethodID        	0xaea9d4   ---> 0xaeb9d4
[*] recordSym ---> CallStaticVoidMethod     	0xaebdb8   ---> 0xaecdb8
[*] recordSym ---> ShowSettings             	0xb69d4c   ---> 0xb6ad4c
[*] recordSym ---> ShowSettings1            	0xb69db4   ---> 0xb6adb4
[*] recordSym ---> readArgsReg    	0x1e8d3c0
[*] Create string at 0x1e8e1d8	ZZZ
[*] Create string at 0x1e8e1dc	
Break at 0x0 Registers ---> 
R0~R3:	%p %p %p %p 
R4~R10:	%p %p %p %p %p %p %p 
FP:%p IP:%p LR:%p SP:%p CPSR:%p
[*] Get string at 0x1e8e1d8	ZZZ
[*] Create string at 0x1e8e24c	mprotect ret = %d  args : %p %p %p
[*] Get string at 0x1e8e1d8	ZZZ
[*] Create string at 0x1e8e26f	soAddr -> %p
[*] Get string at 0x1e8e1d8	ZZZ
[*] Create string at 0x1e8e27c	GOT relocation %p ---> %p ---> %p
[*] Get string at 0x1e8e1d8	ZZZ
[*] Create string at 0x1e8e29e	Finished GOT relocation all:%d
[*] Get string at 0x1e8e1d8	ZZZ
[*] Create string at 0x1e8e2bd called this function
[*] Get string at 0x1e8e1d8	ZZZ
[*] Create string at 0x1e8e2e1	Text CAllED

android-hook-pyasmpatch's People

Contributors

axhlzy avatar

Watchers

avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.