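def dump_module(name, out_path='C:\\Users\\Administrator\\Desktop\\art.so'):
    """Dump the in-memory image of the loaded module *name* to *out_path*.

    Args:
        name: module name as it appears in the debugger's module list; it is
            resolved with get_module_base (defined elsewhere in this file).
        out_path: destination file. Defaults to the path the script
            originally hard-coded; an existing file there is overwritten.

    Nothing is written when the module is not loaded or the read fails. The
    bytes come from idaapi.dbg_read_memory, so a debugger session must be
    attached. Note that a raw memory dump of a protector/runtime library can
    contain decrypted code and other material the process considers secret --
    treat the output file accordingly.
    """
    module_base = get_module_base(name)
    if module_base is None:
        print('[*] %s not found in the module list' % name)
        return

    module_size = idc.GetModuleSize(module_base)
    # Report the module that was actually requested rather than a fixed
    # "libart.so" label, so the log is not misleading for other modules.
    print('[*] %s base=>0x%08X, Size=0x%08X' % (name, module_base, module_size))

    data = idaapi.dbg_read_memory(module_base, module_size)
    if not data:
        # A failed read yields no data; writing that would only raise later.
        print('[*] failed to read 0x%X bytes at 0x%08X' % (module_size, module_base))
        return

    # Context manager guarantees the handle is closed even if write() fails.
    with open(out_path, 'wb') as fp:
        fp.write(data)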
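def _find_linker_base():
    """Return the base of the first loaded module whose name contains 'linker'.

    Returns None when no such module is loaded. The substring test is
    deliberately loose (it was in the original script too), so a name such
    as 'linker64' matches as well -- confirm the match is the one intended.
    """
    module_base = idc.GetFirstModule()
    while module_base is not None:
        if 'linker' in idc.GetModuleName(module_base):
            return module_base
        module_base = idc.GetNextModule(module_base)
    return None


def _find_pattern(start, size, pattern):
    """Return the first address in [start, start+size) holding *pattern*, else None.

    Bytes are read one at a time through idaapi.get_byte. The scan stops
    early enough that the comparison never reaches past the end of the
    region (a pattern straddling the end cannot be a valid hit anyway).
    """
    pattern = list(pattern)
    n = len(pattern)
    for ea in range(start, start + size - n + 1):
        if all(idaapi.get_byte(ea + i) == b for i, b in enumerate(pattern)):
            return ea
    return None


def dynamic_breakpoint(targe_type):
    """Locate the linker's DT_INIT / DT_INIT_ARRAY call sites and break on one.

    The linker module is found by name, scanned for a hard-coded byte
    pattern, and the two call sites are taken at fixed offsets from the
    match. Pattern and offsets are tied to the linker build this script
    was written against: on another build the scan either reports
    "can't find bytecode" or -- worse -- matches somewhere unrelated, so
    re-derive them before trusting where the breakpoint lands.

    Args:
        targe_type: 12 sets the breakpoint at the DT_INIT call site, 25 at
            the DT_INIT_ARRAY call site (presumably mirroring the ELF d_tag
            values DT_INIT=12 / DT_INIT_ARRAY=25); any other value sets no
            breakpoint.
    """
    linker_base = _find_linker_base()
    if linker_base is None:
        print('[*]unable to find linker module base')
        return

    linker_size = idc.GetModuleSize(linker_base)
    print('[*]found linker base=>0x%08X, Size=0x%08X' % (linker_base, linker_size))

    print("\t[-]begin to search DT_INIT")
    # Signature of the code preceding the DT_INIT call in the linker build
    # this was written for. The original script also carried an alternative,
    # untested pattern: 53 1e 73 b5 03 33 06 46 0d 46 14 46 24 d8 13 48 78 44 01 68 01 29.
    pattern = [
        0x14, 0x49, 0x04, 0x20, 0x23, 0x46, 0x14, 0x4A, 0x79, 0x44, 0x7A, 0x44
    ]
    match_ea = _find_pattern(linker_base, linker_size, pattern)
    if match_ea is None:
        print("can't find bytecode")
        return

    # Fixed displacements from the pattern to the two call sites; these are
    # build-specific magic numbers carried over from the original script.
    init_func_ea = match_ea + 0x1A
    init_array_ea = match_ea + 0x30
    print("\t[-]found INIT=>0x%08X INIT_ARRAY=>0x%08X" % (init_func_ea, init_array_ea))

    print("\t[-]try set breakpoint there")
    if targe_type == 12:
        idc.AddBpt(init_func_ea)
    elif targe_type == 25:
        idc.AddBpt(init_array_ea)
    else:
        print("\t[-]unknown target type %r, no breakpoint set" % (targe_type,))
    print("[*]script finish")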
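def make_fun_name(rename_imports=False):
    """Set anti-debug breakpoints in libDexHelper.so; optionally name its import thunks.

    Despite the name, the function as originally written only sets two
    breakpoints and patches one dword; the import-naming table that gave it
    its name was commented out. That table is kept below and applied only
    when *rename_imports* is True, so the default behaviour is unchanged.

    All offsets are relative to the module base and are specific to the
    libDexHelper.so build this script was written against.

    Args:
        rename_imports: apply idc.MakeName to the import-thunk table below.
    """
    libDexHelp = 'libDexHelper.so'

    DexHelperModuleBase = get_module_base(libDexHelp)
    if DexHelperModuleBase is None:
        print('[*] %s not found in the module list' % libDexHelp)
        return

    moduleSize = idc.GetModuleSize(DexHelperModuleBase)
    print('[*] libDexHelper.so base=>0x%08X, Size=0x%08X' % (DexHelperModuleBase, moduleSize))

    # Import-thunk offsets recovered during analysis (module-relative).
    import_names = {
        0xD0E4: 'strcpy',
        0xD09C: 'memset',
        0xD060: 'strlen',
        0xD0A8: 'getpid',
        0xD1A4: 'sprintf',
        0xD18C: 'opendir',
        0xD198: 'readdir',
        0xD1C8: 'atoi',
        0xD2E8: 'readlink',
        0xD15C: 'strstr',
        0xD120: 'fopen',
        0xD168: 'fgets',
        0xD258: 'fread',
        0xD150: 'fclose',
        0xD228: 'memcmp',
        0xD090: 'malloc',
        0xD1BC: 'closedir',
        0x100CC: 'StrDecrypt',
    }
    if rename_imports:
        for offset, func_name in sorted(import_names.items()):
            idc.MakeName(DexHelperModuleBase + offset, func_name)

    # The line just before the anti-debug check; the original note says the
    # debuggee died here.
    idc.AddBpt(DexHelperModuleBase + 0x1CCC4)
    idc.AddBpt(DexHelperModuleBase + 0x1CCFE)

    # Other addresses of interest noted in the original script but not set:
    #   base + 0x1CCC4  anti-debug check
    #   base + 0x34DD0  starts the anti-debug thread
    #   base + 0x34FF6  starts the anti-debug thread

    # NOTE(review): this writes 0x00BF00BF (presumably two Thumb NOPs) at
    # offset 0 of the module, i.e. over the start of the mapped ELF header,
    # not over any anti-debug code. A module-relative offset was very likely
    # meant here -- confirm the intended target before relying on this patch.
    idc.PatchDword(DexHelperModuleBase, 0x00BF00BF)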
def add_breakpointer():

    print '[*]Find linker begin...'
    libart = 'libjdbitmapkit.so'
    linker = 'linker'

    #JNI_OnLoad 下断点
    art_module_base = get_module_base(libart)
    if art_module_base != None:
        module_size = idc.GetModuleSize(art_module_base)
        print '[*] %s base=>0x%08X, Size=0x%08X' % (libart, art_module_base,
                                                    module_size)

        # 小米6
        # addr = art_module_base + 0x234FC8 #0x23FFC8
        # idc.AddBpt(addr)

        # addr = art_module_base + 0x23FFC8 #0x23FFC8
        # idc.AddBpt(addr)

        #大佬手机 art jni_load
        #addr = art_module_base + 0x00012F4C
        offset = 0x000114E0  #######加密函数点first_challenge->switch:sub_114E0开始
        addr = art_module_base + offset
        print "bp : %08X,%08X" % (addr, offset)
        idc.AddBpt(addr)
        offset = 0x00012D2E  ####这个是114E0加密后
        addr = art_module_base + offset  # 乘法
        print "bp : %08X,%08X" % (addr, offset)
        idc.AddBpt(addr)

        ###########################这个是特殊点。永远不会触发的。在这里设置是为了测试这个
        offset = 0x00013522  #####sub_13478 下边的v6==0的情况。理论上200% 不会触发这个断点
        addr = art_module_base + offset  # gettimeofday
        print "bp : %08X,%08X" % (addr, offset)
        idc.AddBpt(addr)