环境
sudo apt install curl
sudo apt-get install openjdk-8-jdk
sudo apt-get install python
sudo apt-get install git
sudo apt install net-tools
libncurses.so.5
sudo apt install libncurses*
sudo apt-get install g++-multilib gcc-multilib lib32ncurses5-dev lib32z1-dev
sudo apt-get install libxml2-utils
ss客户端
ss客户端: https://caijinbo.tech/2020/05/07/ubuntu20.04-%E5%AE%89%E8%A3%85shadowsocks-qt5/
👆报错: ss-qt5: error while loading shared libraries: libQtShadowsocks.so.2: cannot open shared object file: No such file or directory
apt install botan*
再运行即可
PATH=~/bin:$PATH
export REPO_URL='https://mirrors.tuna.tsinghua.edu.cn/git/git-repo'
repo init -u https://mirrors.tuna.tsinghua.edu.cn/git/AOSP/platform/manifest -b android-8.0.0_r1
编译
source build/envsetup.sh
lunch 23
lunch aosp_sailfish-user
export LC_ALL=C
vim prebuilts/sdk/tools/jack-admin
vim /etc/java-8-openjdk/security/java.security
找到TLSv1这行, 把 TLSv1, TLSv1.1, 删除后保存:
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
(这会对该JDK下运行的所有程序重新启用已废弃的 TLSv1/TLSv1.1, 只改编译用的这份JDK即可。)
487c487
< JACK_SERVER_COMMAND="java -XX:MaxJavaStackTraceDepth=-1 -Djava.io.tmpdir=$TMPDIR $JACK_SERVER_VM_ARGUMENTS -cp $LAUNCHER_JAR $LAUNCHER_NAME"
---
> JACK_SERVER_COMMAND="java -XX:MaxJavaStackTraceDepth=-1 -Djava.io.tmpdir=$TMPDIR $JACK_SERVER_VM_ARGUMENTS -Xmx4096m -cp $LAUNCHER_JAR $LAUNCHER_NAME"
make -j8
ubuntu adb devices 没有列表:
> lsusb -> { Bus 001 Device 008: ID 18d1:4ee7 Google Inc. VMware Virtual USB Mouse }
> 写入: `sudo gedit /etc/udev/rules.d/51-android.rules`
SUBSYSTEM=="usb", ATTRS{idVendor}=="18d1", ATTRS{idProduct}=="4ee7", MODE="0666", GROUP="plugdev"
(MODE="0666" 让本机所有用户都能访问这个设备节点; 当前用户已在 plugdev 组时, MODE="0660" 就够用。)
> sudo service udev restart
> sudo adb kill-server
> sudo adb start-server
clion
https://android.googlesource.com/platform/build/soong/+/HEAD/docs/clion.md
// 打开开关, 编译时生成CMakeLists.txt
export SOONG_GEN_CMAKEFILES=1
export SOONG_GEN_CMAKEFILES_DEBUG=1
// 全编译
make -j32
// 或者编译单独模块
make frameworks/native/service/libs/ui
// CMakeLists.txt会生成在 out/development/ide/clion/frameworks/native/libs/ui/libui-arm64-android/CMakeLists.txt
https://www.jianshu.com/p/9450806f38be (生成imr,ipr)
source build/envsetup.sh
lunch
mmm development/tools/idegen/
[报错的话:] make idegen
sh ./development/tools/idegen/idegen.sh
https://github.com/fashare2015/AOSP_Indexer (clion 打开android.ipr索引)
cMakeList.txt
(out/development/ide/clion/cMakeList.txt)
# THIS FILE WAS AUTOMATICALY GENERATED!
# ANY MODIFICATION WILL BE OVERWRITTEN!
# To improve project view in Clion :
# Tools > CMake > Change Project Root
cmake_minimum_required(VERSION 3.5)
project(AOSP-Natives)
# add_subdirectory(frameworks/native)
add_subdirectory(art/runtime/libartd-arm64-android)
# 查看是属于哪个cmakelist下面的:
# cd aosp/out/development/ide/clion
# grep -ril interpreter
# art/runtime/libartd-arm64-android/CMakeLists.txt
# 就添加哪个目录同步即可
android studio
trace smali
在解释模式下, java函数的调用关系 (InvokeWithArgArray) 与 jni 的调用关系:
art/runtime/jni_internal.cc
@CallObjectMethod @CallObjectMethodV @CallObjectMethodA @CallBooleanMethod @...... 指向 @InvokeVirtualOrInterfaceWithVarArgs
/home/zp/android/aosp/art/runtime/reflection.cc
@InvokeVirtualOrInterfaceWithVarArgs
@InvokeWithArgArray
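// Invokes `method` with the packed arguments in `arg_array` (art/runtime/reflection.cc),
// running CheckJNI argument validation first when it is enabled.
//
// This is the interpreter-side call path traced in these notes. The paste had been
// through a markdown renderer that ate the `*` declarators, the `_` in `arg_array` and
// `mutator_lock_`, and turned the quotes/dashes into typographic ones; those are
// restored here so the block compiles again.
//
// The two `// add` regions are the trace hook. Each LOG is gated on strstr() finding a
// marker that the message itself never contains, so on an untouched device they are
// silent; they only fire when strstr is instrumented to return non-null for needles
// carrying that marker (the companion Frida hook matches on "InvokeWithArgArray").
// The original after-call marker was "InvokeWithArrayAfter" (missing "Arg"), so that
// log could never be enabled; it is now "InvokeWithArgArrayAfter".
static void InvokeWithArgArray(const ScopedObjectAccessAlreadyRunnable& soa,
                               ArtMethod* method,
                               ArgArray* arg_array,
                               JValue* result,
                               const char* shorty)
    REQUIRES_SHARED(Locks::mutator_lock_) {
  uint32_t* args = arg_array->GetArray();
  if (UNLIKELY(soa.Env()->check_jni)) {
    CheckMethodArguments(soa.Vm(), method->GetInterfaceMethodIfProxy(kRuntimePointerSize), args);
  }
  // add
  // Caller = the method owning the current top quick frame, if any.
  // GetTopQuickFrame() returns an ArtMethod** (the JNI trace in these notes dereferences
  // it the same way); the pasted version assigned it to an ArtMethod* directly. A null
  // top quick frame simply disables the trace for this call.
  ArtMethod* caller = nullptr;
  Thread* self = Thread::Current();
  const ManagedStack* managed_stack = self->GetManagedStack();
  if (managed_stack != nullptr) {
    ArtMethod** top_frame = managed_stack->GetTopQuickFrame();
    if (top_frame != nullptr && *top_frame != nullptr) {
      caller = *top_frame;
    }
  }
  if (caller != nullptr) {
    std::ostringstream oss;
    oss << "[InvokeWithArgArray]beforecall caller:" << caller->PrettyMethod()
        << "---called:" << method->PrettyMethod();
    if (strstr(oss.str().c_str(), "InvokeWithArgArrayBefore") != nullptr) {
      LOG(ERROR) << oss.str();
    }
  }
  // add
  method->Invoke(soa.Self(), args, arg_array->GetNumBytes(), result, shorty);
  // add
  if (caller != nullptr) {
    std::ostringstream oss;
    oss << "[InvokeWithArgArray]aftercall caller:" << caller->PrettyMethod()
        << "---called:" << method->PrettyMethod();
    if (strstr(oss.str().c_str(), "InvokeWithArgArrayAfter") != nullptr) {
      LOG(ERROR) << oss.str();
    }
  }
  // add
}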
/home/zp/aosp/222/art/runtime/art_method.cc@ArtMethod::Invoke
jni 执行前,与执行结束 #jnitrace #jni的调用关系
// ---- jni 执行前 (before the native method body runs) ----
// art/runtime/entrypoints/quick/quick_jni_entrypoints.cc@JniMethodStart
//
// Quick-JNI prologue: saves the current local-reference cookie, opens a new local
// reference segment, and moves a non-fast native out of the runnable state.
// Returns the saved cookie, which the epilogue (PopLocalReferences below) restores.
//
// The `// add` region is the trace hook. Its LOG is gated on strstr() finding
// "JniMethodStartflag" in the message, which never occurs naturally, so it is silent
// unless strstr is instrumented to return non-null for that needle (the Frida hook in
// these notes matches on "JniMethodStart"). Note the message includes the native entry
// point address (GetEntryPointFromJni), i.e. a code-layout detail written to logcat —
// suitable for this engineering build only.
extern uint32_t JniMethodStart(Thread* self) {
  JNIEnvExt* env = self->GetJniEnv();
  DCHECK(env != nullptr);
  // Remember the caller's local-ref segment so it can be restored on the way out.
  uint32_t saved_local_ref_cookie = bit_cast<uint32_t>(env->local_ref_cookie);
  env->local_ref_cookie = env->locals.GetSegmentState();
  // The native method being entered is the method of the top quick frame.
  ArtMethod* native_method = *self->GetManagedStack()->GetTopQuickFrame();
  // add
  std::ostringstream oss;
  oss << "[JniMethodStart]name:" << native_method->PrettyMethod().c_str() << ", addr:" << native_method->GetEntryPointFromJni();
  if(strstr(oss.str().c_str(), "JniMethodStartflag") != nullptr){
    LOG(WARNING) << oss.str();
  }
  // add
  if (!native_method->IsFastNative()) {
    // When not fast JNI we transition out of runnable.
    self->TransitionFromRunnableToSuspended(kNative);
  }
  return saved_local_ref_cookie;
}

// ---- 执行结束 (after the native method body returns) ----
// art/runtime/entrypoints/quick/quick_jni_entrypoints.cc@PopLocalReferences
//
// Quick-JNI epilogue helper: drops the local references created by the native method
// by restoring the segment state saved in JniMethodStart, then pops the handle scope.
//
// The `// add` region mirrors the JniMethodStart trace and is gated the same way, on
// "JniMethodEndflag" (the Frida hook matches on "JniMethodEnd").
// NOTE(review): unlike the caller lookup in InvokeWithArgArray, the top quick frame is
// dereferenced here without a null check — confirm it is always the native method's
// frame at this point.
static void PopLocalReferences(uint32_t saved_local_ref_cookie, Thread* self)
    REQUIRES_SHARED(Locks::mutator_lock_) {
  // add
  // After the JNI function finishes its local references must be released; that is
  // what calls PopLocalReferences.
  ArtMethod* native_method = *self->GetManagedStack()->GetTopQuickFrame();
  std::ostringstream oss;
  oss << "[JniMethodEnd->PopLocalReferences]name:" << native_method->PrettyMethod().c_str() << ",addr:" << native_method->GetEntryPointFromJni();
  if( strstr(oss.str().c_str(), "JniMethodEndflag") != nullptr ){
    LOG(WARNING) << oss.str();
  }
  // add
  JNIEnvExt* env = self->GetJniEnv();
  if (UNLIKELY(env->check_jni)) {
    env->CheckNoHeldMonitors();
  }
  // Restore the segment opened in JniMethodStart, then the caller's cookie.
  env->locals.SetSegmentState(env->local_ref_cookie);
  env->local_ref_cookie = bit_cast<IRTSegmentState>(saved_local_ref_cookie);
  self->PopHandleScope();
}
registerNative 日志开启
/home/zp/aosp/222/art/runtime/art_method.cc@ArtMethod::RegisterNative
const void ArtMethod::RegisterNative(const void native_method, bool is_fast) {
CHECK(IsNative()) << PrettyMethod();
CHECK(!IsFastNative()) << PrettyMethod();
CHECK(native_method != nullptr) << PrettyMethod();
if (is_fast) {
AddAccessFlags(kAccFastNative);
}
// add
std::ostringstream oss;
oss << “[ArtMethod::RegisterNative]” << this->PrettyMethod() << “—addr:” << native_method;
if( strstr(oss.str().c_str(), “RegisterNativeflag”) != nullptr ){
LOG(ERROR)<
```

<a name="iVlBX"></a>

### 只对感兴趣的app开启switch模式

```powershell
/home/zp/aosp/222/art/runtime/interpreter/interpreter.cc@export
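namespace art {

// 强制开启switch模式 — force the runtime into interpret-only mode.
//
// Exported with C linkage so the unmangled `forceinterpreter` symbol can be resolved
// from libart.so by the tooling in these notes; it only exists on this instrumented
// engineering build. Restored from a paste that had lost its ASCII quotes and the
// closing brace of the namespace.
//
// Runtime::Current() can be null if this is called before the runtime exists; the
// original dereferenced it unconditionally, which would crash instead of reporting.
extern "C" void forceinterpreter() {
  Runtime* runtime = Runtime::Current();
  if (runtime == nullptr) {
    LOG(WARNING) << "forceinterpreter called with no runtime; ignored";
    return;
  }
  runtime->GetInstrumentation()->ForceInterpretOnly();
  LOG(WARNING) << "forceinterpreter is called";
}

}  // namespace art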
```

<a name="kBYfK"></a>

## 刷机

```powershell
第一次:
fastboot flashing unlock
fastboot flash boot boot.img
fastboot flash ramdisk ramdisk.img
fastboot flash ramdisk-recovery ramdisk-recovery.img
fastboot flash system system.img
fastboot flash userdata userdata.img
fastboot flash vendor vendor.img
fastboot flash system_other system_other.img
fastboot reboot
第二次及以后 (只刷 system.img / system_other.img):
fastboot flash system system.img
magisk root 刷机:
fastboot flash boot magisk_patched-22100_eHmmC.img
```
fastboot devices 找不到: https://blog.csdn.net/qq_33529867/article/details/113665717
frida 脚本配合使用
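///<reference path='F:\rf-android\frida\test3\u\frida-gum.d.ts'/>
/*
adb -s FA7130303354 root
adb -s FA7130303354 shell /data/local/tmp/fri
adb shell dumpsys window | findstr mCurrentFocus
adb shell input text asdf & adb shell input tap 879 1671
logcat -G 256m
ip.tool.lu
*/
// frida -U -F com.whatsapp.w4b -l trace.js --no-pause
// frida -U -f com.whatsapp.w4b -l trace.js --no-pause
// frida -U -f com.p1.mobile.putong -l trace.js --no-pause
/*
# load plugin (Wallbreaker)
objection -g com.whatsapp.w4b:push explore -P E:\objplu
plugin wallbreaker objectsearch com.tencent.mars.stn.StnLogic
plugin wallbreaker objectdump 0x2d46
objection -g com.whatsapp.w4b explore
objection -g com.whatsapp.w4b explore -c xxxx.js
objection -g com.whatsapp.w4b explore --startup-command 'android hooking watch xxx'
android hooking search classes Interceptor
android hooking watch class com.one.tomato.thirdpart.csdc.CsdcSdkUtil
android hooking watch class_method okhttp3.logging.HttpLoggingInterceptor.intercept --dump-args --dump-backtrace --dump-return
*/

// Markers embedded in the trace messages of the patched libart. Every added LOG in
// the runtime is gated on strstr(message, "<marker>flag"); the marker is never part
// of the message, so the logs stay silent unless the strstr hook below forces a
// non-null result for needles that carry one of these names.
var TRACE_MARKERS = [
  "InvokeWithArgArray",
  "RegisterNative",
  "PerformCall",
  "JniMethodStart",
  "JniMethodEnd"
];

// Switch the patched runtime into interpret-only ("switch") mode by calling the
// `forceinterpreter` symbol exported from libart.so, logging entry and exit.
function forceinterpreter() {
  var libart = Process.getModuleByName("libart.so");
  var addr = libart.getExportByName("forceinterpreter");
  console.log("forceinterpreter_addr: " + addr);
  Interceptor.attach(addr, {
    onEnter: function () { console.log("go into forceinterpreter"); },
    onLeave: function () { console.log("leave forceinterpreter"); }
  });
  // The original built this NativeFunction (under a name shadowing this function)
  // but never invoked it, so the runtime mode never changed and the hook above
  // had nothing to report.
  var nativeForceInterpreter = new NativeFunction(addr, "void", []);
  nativeForceInterpreter();
}

// Hook libc strstr so the marker-gated LOG lines in the patched libart fire.
// For a strstr(haystack, needle) whose needle names one of TRACE_MARKERS, the
// haystack (the trace message) is printed and the call is made to return non-null;
// every other strstr call is left untouched.
function hookStrstr() {
  var libc = Process.getModuleByName("libc.so");
  var strstrAddr = libc.getExportByName("strstr");
  Interceptor.attach(strstrAddr, {
    onEnter: function (args) {
      this.matched = false;
      // strstr is hit process-wide, so keep the non-matching path cheap and never
      // let a null or non-UTF-8 argument throw inside the hook: only the needle is
      // decoded up front, the haystack only once a marker matched.
      if (args[0].isNull() || args[1].isNull()) { return; }
      var needle;
      try {
        needle = args[1].readUtf8String();
      } catch (e) {
        return;
      }
      if (needle === null) { return; }
      for (var i = 0; i < TRACE_MARKERS.length; i++) {
        if (needle.indexOf(TRACE_MARKERS[i]) !== -1) {
          var haystack;
          try {
            haystack = args[0].readUtf8String();
          } catch (e) {
            haystack = "<unreadable>";
          }
          console.log("[" + Process.getCurrentThreadId() + "]" + needle + "--" + haystack);
          this.matched = true;
          break;
        }
      }
    },
    onLeave: function (retval) {
      if (this.matched) {
        // The original wrote this.context.r0, the 32-bit ARM return register; on
        // arm64 the return register is x0, so that write had no effect there.
        // retval.replace() works on either ABI. The gated LOGs only compare the
        // result against nullptr, so any non-null value will do.
        retval.replace(ptr(0x111));
      }
    }
  });
}

// Log every System.loadLibrary(String) call (to logcat and to the console) so that
// native libraries appearing can be read alongside the libart trace output.
function hookLoadLibrary() {
  Java.perform(function () {
    var System = Java.use("java.lang.System");
    var Log = Java.use("android.util.Log");
    System.loadLibrary.overload('java.lang.String').implementation = function (a1) {
      Log.e("[loadLibrary]", "re loadLibrary --------------> : " + a1);
      console.error("re loadLibrary --------------> : " + a1);
      var ret = this.loadLibrary(a1);
      console.log("re loadLibrary : " + ret);
      return ret;
    };
  });
}

function main() {
  forceinterpreter();
  hookStrstr();
  hookLoadLibrary();
}

// Print the current Java stack by constructing and immediately disposing an Exception.
function print_stack() {
  Java.perform(function () {
    var Exception = Java.use("java.lang.Exception");
    var instance = Exception.$new("print_stack");
    var stack = instance.getStackTrace();
    console.log(stack);
    instance.$dispose();
  });
}

// Print the native backtrace for an interceptor callback's `this` (needs .context).
// (The original file defined this function twice with the same body.)
function thread_stack(This) {
  // Module.findBaseAddress("libwhatsapp.so")
  console.log('thread called from:\n' +
    Thread.backtrace(This.context, Backtracer.ACCURATE).map(DebugSymbol.fromAddress).join('\n') + '\n');
}

// Print `num` 32-bit words starting at `address`, one per line, optionally
// preceded by a hexdump of the same range.
function showDword(address, num, dump) {
  if (dump) console.error(hexdump(address, { length: num * 4 }));
  for (var i = 0; i < num; i++) {
    var offset = (i * 4).toString(16);
    var slot = address.add(i * 4);
    // The original read each slot with readPointer(), which is 8 bytes in a 64-bit
    // process and so printed overlapping values; a dword is 4 bytes.
    console.log("\t", "(0x" + offset + ")" + "[" + slot + "]:0x" + slot.readU32().toString(16));
  }
}

// Detach every hook installed by this script.
function clear() {
  // adb shell pm clear com.whatsapp.w4b
  Interceptor.detachAll();
}

setTimeout(main, 1);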
