frida_scripts/nativeTimeout.js at main · uforever/frida_scripts · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
const targetLib = "libroysue.so";

function HookNative() {
    console.log("-------- Start Hooking --------");

    // 寻找目标库的基址
    // const baseAddress = Module.findBaseAddress(targetLib);
    // console.log("baseAddress: " + baseAddress);

    // 直接寻找导出函数
    // if (baseAddress) {
    //     const funcAddr = Module.findExportByName(targetLib, '_Z4fuckP7_JNIEnvP7_jclassP8_jstring');
    //     console.log("funcAddr: " + funcAddr);
    //     console.log(`offset: 0x${(funcAddr - baseAddress).toString(16)}`);
    // }

    // 枚举导出
    // const exports = Module.enumerateExports(targetLib);
    // for (const iterator of exports) {
    //     console.log(JSON.stringify(iterator))
    // }

    // 枚举符号 非导出函数要在这里找
    const symbols = Module.enumerateSymbols(targetLib);
    for (const iterator of symbols) {
        // if (iterator.name === "ll11lll1l1" && iterator.type === "function") {
        // target function
        if (iterator.name === "ll11lll1l1") {
            const targetFuncAddr = iterator.address;
            Interceptor.attach(targetFuncAddr, {
                onLeave: function (result) {
                    console.log('key: ', result.readCString());
                },
            });
        }

        // another function
        if (iterator.name === "ll11l1l1l1") {
            const targetFuncAddr = iterator.address;
            Interceptor.attach(targetFuncAddr, {
                onLeave: function (result) {
                    console.log('iv: ', result.readUtf8String());
                },
            });
        }
    }

}

// 这里最好设置延迟 否则可能加载不到
setTimeout(HookNative, 3000);