环境
sudo apt install curl
sudo apt-get install openjdk-8-jdk
sudo apt-get install python
sudo apt-get install git
sudo apt install net-tools
缺少 libncurses.so.5 时:
sudo apt install libncurses*
sudo apt-get install g++-multilib gcc-multilib lib32ncurses5-dev lib32z1-dev
sudo apt-get install libxml2-utils
ss客户端
ss客户端:
https://caijinbo.tech/2020/05/07/ubuntu20.04-%E5%AE%89%E8%A3%85shadowsocks-qt5/
👆报错:
ss-qt5: error while loading shared libraries: libQtShadowsocks.so.2: cannot open shared object file: No such file or directory
apt install botan*
再运行即可
PATH=~/bin:$PATH
export REPO_URL='https://mirrors.tuna.tsinghua.edu.cn/git/git-repo'
repo init -u https://mirrors.tuna.tsinghua.edu.cn/git/AOSP/platform/manifest -b android-8.0.0_r1
编译
source build/envsetup.sh
lunch 23
lunch aosp_sailfish-user
export LC_ALL=C
vim prebuilts/sdk/tools/jack-admin
vim /etc/java-8-openjdk/security/java.security
找到 jdk.tls.disabledAlgorithms 这行, 把其中的 TLSv1, TLSv1.1 删除后保存 (注意: 这会对该 JDK 上运行的所有 Java 程序重新启用已废弃的 TLS 1.0/1.1, 只在隔离的编译机上这样做)
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
487c487
< JACK_SERVER_COMMAND="java -XX:MaxJavaStackTraceDepth=-1 -Djava.io.tmpdir=$TMPDIR $JACK_SERVER_VM_ARGUMENTS -cp $LAUNCHER_JAR $LAUNCHER_NAME"
---
> JACK_SERVER_COMMAND="java -XX:MaxJavaStackTraceDepth=-1 -Djava.io.tmpdir=$TMPDIR $JACK_SERVER_VM_ARGUMENTS -Xmx4096m -cp $LAUNCHER_JAR $LAUNCHER_NAME"
make -j8
ubuntu adb devices 没有列表:
> lsusb -> { Bus 001 Device 008: ID 18d1:4ee7 Google Inc. VMware Virtual USB Mouse }
> 写入: `sudo gedit /etc/udev/rules.d/51-android.rules` (下面规则中的 MODE="0666" 会让该 USB 设备节点对所有用户可读写; 当前用户已在 plugdev 组的话用 MODE="0660" 即可)
SUBSYSTEM=="usb", ATTRS{idVendor}=="18d1", ATTRS{idProduct}=="4ee7", MODE="0666", GROUP="plugdev"
> sudo service udev restart
> sudo adb kill-server
> sudo adb start-server
clion
https://android.googlesource.com/platform/build/soong/+/HEAD/docs/clion.md
// 打开开关,编译时生成CMakeLists.txt
export SOONG_GEN_CMAKEFILES=1
export SOONG_GEN_CMAKEFILES_DEBUG=1
// 全编译
make -j32
// 或者编译单独模块
make frameworks/native/service/libs/ui
// CMakeLists.txt会生成在
out/development/ide/clion/frameworks/native/libs/ui/libui-arm64-android/CMakeLists.txt
https://www.jianshu.com/p/9450806f38be (生成 iml, ipr)
source build/envsetup.sh
lunch
mmm development/tools/idegen/
[报错的话:] make idegen
sh ./development/tools/idegen/idegen.sh
https://github.com/fashare2015/AOSP_Indexer (clion 打开android.ipr索引)
CMakeLists.txt
(out/development/ide/clion/CMakeLists.txt)
# THIS FILE WAS AUTOMATICALY GENERATED!
# ANY MODIFICATION WILL BE OVERWRITTEN!
# To improve project view in Clion :
# Tools > CMake > Change Project Root
cmake_minimum_required(VERSION 3.5)
project(AOSP-Natives)
# add_subdirectory(frameworks/native)
# Only the ART runtime module is pulled in here (presumably so CLion indexes
# just that target); the whole-frameworks import is left commented out above.
add_subdirectory(art/runtime/libartd-arm64-android)
# To find which generated CMakeLists.txt a source file belongs to:
#   cd aosp/out/development/ide/clion
#   grep -ril interpreter
#   -> art/runtime/libartd-arm64-android/CMakeLists.txt
# then add that directory with add_subdirectory() above.
android studio
trace smali
在解释模式下, java 函数的调用关系 (InvokeWithArgArray) 与 jni 的调用关系
art/runtime/jni_internal.cc
@CallObjectMethod
@CallObjectMethodV
@CallObjectMethodA
@CallBooleanMethod
@......
指向 @InvokeVirtualOrInterfaceWithVarArgs
/home/zp/android/aosp/art/runtime/reflection.cc
@InvokeVirtualOrInterfaceWithVarArgs
@InvokeWithArgArray
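// add: emits one "[InvokeWithArgArray]<phase> caller:... ----called:..." line for
// `phase` when `needle` is found in that line; a null `caller` logs nothing.
//
// The strstr() call is the trace selector: the needle never occurs in the
// message, so nothing is logged unless strstr() is intercepted from outside
// (the hookStrstr() Frida function later on this page prints the haystack and
// forces a non-null return for needles containing "InvokeWithArgArray").
static void TraceInvokeWithArgArray(ArtMethod* caller,
                                    ArtMethod* method,
                                    const char* phase,
                                    const char* needle)
    REQUIRES_SHARED(Locks::mutator_lock_) {
  if (caller == nullptr) {
    return;
  }
  std::ostringstream oss;
  oss << "[InvokeWithArgArray]" << phase << " caller:" << caller->PrettyMethod()
      << "----called:" << method->PrettyMethod();
  if (strstr(oss.str().c_str(), needle) != nullptr) {
    LOG(ERROR) << oss.str();
  }
}

// Invokes `method` on the current thread with the arguments already marshalled
// into `arg_array`, storing the return value in `result` (`shorty` describes the
// signature). Before and after the call a caller/callee trace line is offered
// to TraceInvokeWithArgArray().
//
// NOTE(review): the page's one-line copy of this function had lost most of its
// `*`s and used curly quotes; pointer types were restored from the surrounding
// ART code on this page (GetTopQuickFrame() is dereferenced with `*` in
// JniMethodStart/PopLocalReferences). The original after-call needle was
// "InvokeWithArrayAfter" (no "Arg"), which the Frida filter on this page does
// not match; it is spelled consistently here — confirm that was not intentional.
static void InvokeWithArgArray(const ScopedObjectAccessAlreadyRunnable& soa,
                               ArtMethod* method,
                               ArgArray* arg_array,
                               JValue* result,
                               const char* shorty)
    REQUIRES_SHARED(Locks::mutator_lock_) {
  uint32_t* args = arg_array->GetArray();
  if (UNLIKELY(soa.Env()->check_jni)) {
    CheckMethodArguments(soa.Vm(), method->GetInterfaceMethodIfProxy(kRuntimePointerSize), args);
  }

  // add: the managed caller is the top quick frame of this thread, if there is one.
  ArtMethod* caller = nullptr;
  const ManagedStack* managed_stack = Thread::Current()->GetManagedStack();
  if (managed_stack != nullptr) {
    ArtMethod** top_frame = managed_stack->GetTopQuickFrame();
    if (top_frame != nullptr) {
      caller = *top_frame;
    }
  }
  TraceInvokeWithArgArray(caller, method, "beforecall", "InvokeWithArgArrayBefore");
  // add

  method->Invoke(soa.Self(), args, arg_array->GetNumBytes(), result, shorty);

  // add
  TraceInvokeWithArgArray(caller, method, "aftercall", "InvokeWithArgArrayAfter");
  // add
}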
/home/zp/aosp/222/art/runtime/art_method.cc
@ArtMethod::Invoke
jni 执行前与执行结束的日志点 #jnitrace #jni的调用关系
# jni 执行前
art/runtime/entrypoints/quick/quick_jni_entrypoints.cc
@JniMethodStart
// Runtime entry point executed on the way into a JNI native method.
// Returns the caller's local-reference cookie so that the matching end path
// (PopLocalReferences on this page) can restore it.
extern uint32_t JniMethodStart(Thread* self) {
  JNIEnvExt* env = self->GetJniEnv();
  DCHECK(env != nullptr);
  // Save the previous cookie, then open a fresh local-reference segment for the
  // native code about to run.
  const uint32_t previous_cookie = bit_cast<uint32_t>(env->local_ref_cookie);
  env->local_ref_cookie = env->locals.GetSegmentState();
  ArtMethod* const native_method = *self->GetManagedStack()->GetTopQuickFrame();
  // add: trace line. The needle "JniMethodStartflag" never occurs in the message,
  // so this only logs when strstr() is intercepted from outside (hookStrstr()
  // in the Frida script on this page prints the haystack and forces a match).
  std::ostringstream trace;
  trace << "[JniMethodStart]name:" << native_method->PrettyMethod().c_str()
        << ", addr:" << native_method->GetEntryPointFromJni();
  const bool selected = strstr(trace.str().c_str(), "JniMethodStartflag") != nullptr;
  if (selected) {
    LOG(WARNING) << trace.str();
  }
  // add
  if (!native_method->IsFastNative()) {
    // When not fast JNI we transition out of runnable.
    self->TransitionFromRunnableToSuspended(kNative);
  }
  return previous_cookie;
}
# 执行结束
art/runtime/entrypoints/quick/quick_jni_entrypoints.cc
@PopLocalReferences
// Runtime helper run when a JNI native method returns: drops the local
// references the native code created and restores the cookie that
// JniMethodStart handed out.
static void PopLocalReferences(uint32_t saved_local_ref_cookie, Thread* self)
    REQUIRES_SHARED(Locks::mutator_lock_) {
  // add: the native method is read from the top quick frame, as in JniMethodStart.
  // The needle "JniMethodEndflag" never occurs in the message, so this only logs
  // when strstr() is intercepted from outside (hookStrstr() on this page).
  ArtMethod* const native_method = *self->GetManagedStack()->GetTopQuickFrame();
  std::ostringstream trace;
  trace << "[JniMethodEnd->PopLocalReferences]name:" << native_method->PrettyMethod().c_str()
        << ",addr:" << native_method->GetEntryPointFromJni();
  if (strstr(trace.str().c_str(), "JniMethodEndflag") != nullptr) {
    LOG(WARNING) << trace.str();
  }
  // add
  JNIEnvExt* const env = self->GetJniEnv();
  if (UNLIKELY(env->check_jni)) {
    env->CheckNoHeldMonitors();
  }
  // Discard the native method's local-reference segment and restore the caller's.
  env->locals.SetSegmentState(env->local_ref_cookie);
  env->local_ref_cookie = bit_cast<IRTSegmentState>(saved_local_ref_cookie);
  self->PopHandleScope();
}
registerNative 日志开启
/home/zp/aosp/222/art/runtime/art_method.cc
@ArtMethod::RegisterNative
const void ArtMethod::RegisterNative(const void native_method, bool is_fast) {
CHECK(IsNative()) << PrettyMethod();
CHECK(!IsFastNative()) << PrettyMethod();
CHECK(native_method != nullptr) << PrettyMethod();
if (is_fast) {
AddAccessFlags(kAccFastNative);
}
// add
std::ostringstream oss;
oss << “[ArtMethod::RegisterNative]” << this->PrettyMethod() << “—addr:” << native_method;
if( strstr(oss.str().c_str(), “RegisterNativeflag”) != nullptr ){
LOG(ERROR)<
```
<a name="iVlBX"></a>
### 只对感兴趣的app开启switch模式
```cpp
/home/zp/aosp/222/art/runtime/interpreter/interpreter.cc
@export
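namespace art {

// Switches this process's runtime into interpret-only ("switch") mode.
// Exported with C linkage so it can be resolved by name from libart.so (the
// Frida helper later on this page looks it up with getExportByName).
//
// The page's one-line copy put a `//` comment before the code, which turned
// the whole line into a comment, used curly quotes, and never closed the
// namespace; all three are fixed here.
extern "C" void forceinterpreter() {
  Runtime* runtime = Runtime::Current();
  runtime->GetInstrumentation()->ForceInterpretOnly();
  LOG(WARNING) << "forceinterpreter is called";
}

}  // namespace art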
```
<a name="kBYfK"></a>
## 刷机
```powershell
第一次 (fastboot flashing unlock 解锁 bootloader 时会清除 userdata):
fastboot flashing unlock
fastboot flash boot boot.img
fastboot flash ramdisk ramdisk.img
fastboot flash ramdisk-recovery ramdisk-recovery.img
fastboot flash system system.img
fastboot flash userdata userdata.img
fastboot flash vendor vendor.img
fastboot flash system_other system_other.img
fastboot reboot
第二次及以后:
system.img
system_other.img
fastboot flash system system.img
magisk root 刷机:
fastboot flash boot magisk_patched-22100_eHmmC.img
fastboot devices 找不到: https://blog.csdn.net/qq_33529867/article/details/113665717
frida 脚本配合使用
///<reference path='F:\rf-android\frida\test3\u\frida-gum.d.ts'/>
/*
adb -s FA7130303354 root
adb -s FA7130303354 shell /data/local/tmp/fri
adb shell dumpsys window | findstr mCurrentFocus
adb shell input text asdf & adb shell input tap 879 1671
logcat -G 256m
ip.tool.lu
*/
// frida -U -F com.whatsapp.w4b -l trace.js --no-pause
// frida -U -f com.whatsapp.w4b -l trace.js --no-pause
// frida -U -f com.p1.mobile.putong -l trace.js --no-pause
/*
# 加载插件 (Wallbreaker)
objection -g com.whatsapp.w4b:push explore -P E:\objplu
plugin wallbreaker objectsearch com.tencent.mars.stn.StnLogic
plugin wallbreaker objectdump 0x2d46
objection -g com.whatsapp.w4b explore
objection -g com.whatsapp.w4b explore -c xxxx.js
objection -g com.whatsapp.w4b explore --startup-command 'android hooking watch xxx'
android hooking search classes Interceptor
android hooking watch class com.one.tomato.thirdpart.csdc.CsdcSdkUtil
android hooking watch class_method okhttp3.logging.HttpLoggingInterceptor.intercept --dump-args --dump-backtrace --dump-return
*/
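// Locates the `forceinterpreter` symbol exported by the patched libart.so (see
// the C++ export above) and logs every entry/exit of it.
//
// This only observes calls; it does not invoke the export itself. The original
// body also built a NativeFunction for it that was never used (and shadowed
// this function's own name); it is dropped here — TODO confirm the call was
// meant to be left out.
function forceinterpreter() {
  var libart = Process.getModuleByName("libart.so");
  var forceinterpreter_addr = libart.getExportByName("forceinterpreter");
  console.log("forceinterpreter_addr: " + forceinterpreter_addr);
  Interceptor.attach(forceinterpreter_addr, {
    onEnter: function () {
      console.log("go into forceinterpreter");
    },
    onLeave: function () {
      console.log("leave forceinterpreter");
    }
  });
}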
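// Intercepts libc strstr() so the trace lines built by the patched ART runtime
// on this page can be printed and selected from here: the runtime passes its
// message as the haystack and a fixed tag (e.g. "JniMethodStartflag") as the
// needle, which never matches on its own. When the needle carries one of the
// tags below, the haystack is printed and strstr() is made to return non-null
// so the runtime's own LOG line fires as well.
//
// Also installs the System.loadLibrary logging hook (see _hookLoadLibrary).
function hookStrstr() {
  var tags = ["InvokeWithArgArray", "RegisterNative", "PerformCall", "JniMethodStart", "JniMethodEnd"];
  var strstr_addr = Process.getModuleByName("libc.so").getExportByName("strstr");

  Interceptor.attach(strstr_addr, {
    onEnter: function (args) {
      this.selected = false;
      // strstr() is called by the whole process, not only by the trace code, so
      // either pointer may be NULL; guard the reads instead of throwing.
      var haystack = args[0].isNull() ? null : args[0].readUtf8String();
      var needle = args[1].isNull() ? null : args[1].readUtf8String();
      if (haystack === null || needle === null) {
        return;
      }
      for (var i = 0; i < tags.length; i++) {
        if (needle.indexOf(tags[i]) !== -1) {
          console.log("[" + Process.getCurrentThreadId() + "]" + needle + "--" + haystack);
          this.selected = true;
        }
      }
    },
    onLeave: function (retval) {
      if (this.selected) {
        // Force a non-null result so the runtime's `if (strstr(...))` branch is
        // taken. retval.replace() is architecture-neutral; the original wrote to
        // `this.context.r0`, which only exists on 32-bit ARM.
        retval.replace(ptr(0x111));
      }
    }
  });

  _hookLoadLibrary();
}

// Logs every System.loadLibrary(String) call (to logcat via android.util.Log
// and to the Frida console) and passes it through unchanged.
function _hookLoadLibrary() {
  Java.perform(function () {
    var System = Java.use("java.lang.System");
    var Log = Java.use("android.util.Log");
    System.loadLibrary.overload("java.lang.String").implementation = function (a1) {
      Log.e("[loadLibrary]", "re loadLibrary --------------> : " + a1);
      console.error("re loadLibrary --------------> : " + a1);
      var ret = this.loadLibrary(a1);
      console.log("re loadLibrary : " + ret);
      return ret;
    };
  });
}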
// Script entry point: installs the native hooks, in order.
function main() {
  var installers = [forceinterpreter, hookStrstr];
  installers.forEach(function (install) {
    install();
  });
}
// Prints the current Java stack to the console by creating a throwaway
// java.lang.Exception and reading its getStackTrace().
function print_stack() {
  Java.perform(function () {
    var JavaException = Java.use("java.lang.Exception");
    var probe = JavaException.$new("print_stack");
    var frames = probe.getStackTrace();
    console.log(frames);
    probe.$dispose();
  });
}
// Prints a symbolised native backtrace for the intercepted call whose
// invocation context (the `this` of an Interceptor callback) is passed as `This`.
// NOTE: an identical thread_stack is defined again later in this file; the last
// definition wins, so keep the two in sync.
function thread_stack(This) {
  // Module.findBaseAddress("libwhatsapp.so")
  var frames = Thread.backtrace(This.context, Backtracer.ACCURATE);
  var symbolised = frames.map(DebugSymbol.fromAddress);
  console.log("thread called from:\n" + symbolised.join("\n") + "\n");
}
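// Prints `num` consecutive 32-bit words starting at `address`, one per line as
// "(offset)[address]:value"; when `dump` is truthy a raw hexdump of the same
// num*4 bytes is printed first (to stderr).
//
// Fix: the original read each slot with readPointer(), which in a 64-bit
// process reads 8 bytes at a 4-byte stride (overlapping, and not a dword);
// readU32() always reads exactly one dword. Values are printed in hex.
function showDword(address, num, dump) {
  if (dump) {
    console.error(hexdump(address, { length: num * 4 }));
  }
  for (var i = 0; i < num; i++) {
    var offset = i * 4;
    var slot = address.add(offset);
    var value = slot.readU32();
    console.log("\t", "(0x" + offset.toString(16) + ")[" + slot + "]:0x" + value.toString(16));
  }
}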
// Detaches every Interceptor listener installed by this script (the
// forceinterpreter and strstr hooks). Java.use implementation overrides are
// not Interceptor listeners and stay in place.
function clear() {
  // adb shell pm clear com.whatsapp.w4b
  Interceptor.detachAll();
}
// Prints a symbolised native backtrace for the intercepted call whose
// invocation context (the `this` of an Interceptor callback) is passed as `This`.
// NOTE: this duplicates the thread_stack defined earlier in this file; the last
// definition wins, so keep the two in sync.
function thread_stack(This) {
  // Module.findBaseAddress("libwhatsapp.so")
  var frames = Thread.backtrace(This.context, Backtracer.ACCURATE);
  var symbolised = frames.map(DebugSymbol.fromAddress);
  console.log("thread called from:\n" + symbolised.join("\n") + "\n");
}
// Run main() on the next tick rather than synchronously (presumably so the
// rest of the script has been evaluated first).
setTimeout(function () {
  main();
}, 1);