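def dump_module(name, out_path='C:\\Users\\Administrator\\Desktop\\art.so'):
    """Dump a loaded module's image from debuggee memory to a file on disk.

    Args:
        name: module name as understood by get_module_base (e.g. 'libart.so').
        out_path: destination file. Defaults to the path the original script
            hard-coded so existing callers keep writing to the same place;
            pass an explicit path when running on another machine.

    Prints one status line per outcome. Nothing is written when the module
    is not loaded or when the debugger cannot read the whole range.
    """
    module_base = get_module_base(name)
    if module_base is None:
        # Previously a silent no-op; say why nothing was dumped.
        print('[*] %s not found in the module list' % name)
        return
    module_size = idc.GetModuleSize(module_base)
    # Report the module actually requested instead of a fixed 'libart.so'.
    print('[*] %s base=>0x%08X, Size=0x%08X' % (name, module_base, module_size))
    data = idaapi.dbg_read_memory(module_base, module_size)
    if data is None:
        # dbg_read_memory yields None when the read fails (e.g. an unmapped
        # page inside the module); writing None would raise on fp.write.
        print('[*] failed to read 0x%X bytes at 0x%08X' % (module_size, module_base))
        return
    # The context manager closes the handle even if write() raises.
    with open(out_path, 'wb+') as fp:
        fp.write(data)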
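def dynamic_breakpoint(targe_type):
    """Find the linker module and break on its DT_INIT or DT_INIT_ARRAY site.

    Walks the debugger's module list for a module whose name contains
    'linker', scans that module's image for a fixed byte signature and
    derives two addresses from the match (+0x1A and +0x30). Exactly one
    breakpoint is then placed depending on ``targe_type``:
    12 -> the DT_INIT site, 25 -> the DT_INIT_ARRAY site, anything else
    sets no breakpoint. Every step reports progress on stdout.

    Args:
        targe_type: selector for which site gets the breakpoint. The name is
            kept as-is for callers. 12 and 25 look like Android API levels
            -- TODO confirm against the callers.
    """
    # --- locate the linker module ---
    module_base = idc.GetFirstModule()
    while module_base is not None:
        if idc.GetModuleName(module_base).find('linker') >= 0:
            break
        module_base = idc.GetNextModule(module_base)
    if module_base is None:
        print('[*]unable to find linker module base')
        return
    module_size = idc.GetModuleSize(module_base)
    print('[*]found linker base=>0x%08X, Size=0x%08X' % (module_base, module_size))
    print("\t[-]begin to search DT_INIT")

    # Signature carried over from the original script. The +0x1A / +0x30
    # offsets below are relative to the first byte of the match and are
    # tied to the linker build this signature was taken from.
    bytecode = [0x14, 0x49, 0x04, 0x20, 0x23, 0x46, 0x14, 0x4A, 0x79, 0x44, 0x7A, 0x44]
    match_ea = _find_pattern(module_base, module_size, bytecode)
    if match_ea is None:
        # Also covers a zero-size module: the original initialised its
        # 'found' flag to True, so an empty scan set a breakpoint at 0x1A.
        print("can't find bytecode")
        return
    init_func_ea = match_ea + 0x1A
    init_array_ea = match_ea + 0x30
    print("\t[-]found INIT=>0x%08X INIT_ARRAY=>0x%08X" % (init_func_ea, init_array_ea))
    print("\t[-]try set breakpoint there")
    if targe_type == 12:
        idc.AddBpt(init_func_ea)
    if targe_type == 25:
        idc.AddBpt(init_array_ea)
    print("[*]script finish")


def _find_pattern(base, size, pattern):
    """Return the first address in [base, base + size) where ``pattern`` matches.

    Returns None when there is no match. Only start positions that leave
    room for the whole pattern are tried, so no byte is read past the end
    of the module. xrange keeps the scan lazy instead of materialising one
    int per byte of the module.
    """
    last_start = base + size - len(pattern)
    for ea in xrange(base, last_start + 1):
        if all(idaapi.get_byte(ea + i) == b for i, b in enumerate(pattern)):
            return ea
    return None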
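def make_fun_name(apply_names=False):
    """Break next to libDexHelper.so's anti-debug check and patch its base dword.

    Looks up libDexHelper.so, reports its base and size, places two
    breakpoints (+0x1CCC4 and +0x1CCFE -- the original notes describe them
    as "the line above the anti-debug point; it hung" on the check itself)
    and writes 0x00BF00BF, two Thumb NOP encodings, at the module base.
    The intent of patching the base address itself is not recorded in the
    original -- confirm the target address before relying on it. When the
    module is not loaded an empty line is printed, as before.

    Args:
        apply_names: when True, also name the import thunks listed below
            with idc.MakeName. These calls were commented out in the
            original; the default False keeps the original behaviour.
    """
    lib_dex_help = 'libDexHelper.so'
    module_base = get_module_base(lib_dex_help)
    if module_base is None:
        print("")
        return
    module_size = idc.GetModuleSize(module_base)
    print('[*] libDexHelper.so base=>0x%08X, Size=0x%08X' % (module_base, module_size))

    if apply_names:
        # Offsets recorded by the original author for this build of the
        # library; 0xD228 was listed twice as 'memcmp' and is kept once.
        names = [
            (0xD0E4, "strcpy"),
            (0xD09C, "memset"),
            (0xD060, "strlen"),
            (0xD0A8, "getpid"),
            (0xD1A4, "sprintf"),
            (0xD18C, "opendir"),
            (0xD198, "readdir"),
            (0xD1C8, "atoi"),
            (0xD2E8, "readlink"),
            (0xD15C, "strstr"),
            (0xD120, "fopen"),
            (0xD168, "fgets"),
            (0xD258, "fread"),
            (0xD150, "fclose"),
            (0xD228, "memcmp"),
            (0xD090, "malloc"),
            (0xD1BC, "closedir"),
            (0x100CC, "StrDecrypt"),
        ]
        for offset, func_name in names:
            idc.MakeName(module_base + offset, func_name)

    # Line above the anti-debug point; breaking on the point itself hung
    # the session according to the original notes.
    idc.AddBpt(module_base + 0x1CCC4)
    idc.AddBpt(module_base + 0x1CCFE)
    # Other sites noted but left unset: +0x1CCC4 (anti-debug point),
    # +0x34DD0 and +0x34FF6 (start of the anti-debug thread).
    # 0xBF00 is the Thumb NOP encoding; two of them written as one dword.
    idc.PatchDword(module_base, 0x00BF00BF)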
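def add_breakpointer():
    """Set three breakpoints in libjdbitmapkit.so at fixed offsets from its base.

    Prints the module's base and size, then for each offset in the table
    prints ``bp : <addr>,<offset>`` and calls idc.AddBpt. Nothing is printed
    beyond the opening banner, and no breakpoint is set, when the module is
    not loaded. Offsets are specific to the build of the library the
    original author analysed.
    """
    print('[*]Find linker begin...')
    libart = 'libjdbitmapkit.so'
    art_module_base = get_module_base(libart)
    if art_module_base is None:
        return
    module_size = idc.GetModuleSize(art_module_base)
    print('[*] %s base=>0x%08X, Size=0x%08X' % (libart, art_module_base, module_size))

    # Earlier notes (not applied here): a Xiaomi 6 build used 0x234FC8 and
    # 0x23FFC8; another device's art JNI_OnLoad sat at 0x00012F4C.
    offsets = [
        # encryption function: start of the first_challenge switch (sub_114E0)
        0x000114E0,
        # after the 114E0 encryption (the multiplication)
        0x00012D2E,
        # v6 == 0 case below sub_13478, near gettimeofday. The author expects
        # this never to fire; it is set only to test that assumption.
        0x00013522,
    ]
    for offset in offsets:
        addr = art_module_base + offset
        print("bp : %08X,%08X" % (addr, offset))
        idc.AddBpt(addr)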