Anti-debugging is usually implemented in a .so file: while the app is loading, the .so internally checks whether Frida is in use, and if it detects a Frida process the app simply exits.
Use a script to print which .so files are loaded during app startup, then work out which .so is the one that closes the app while it runs.
import frida
import sys

# Spawn the target app suspended so the hooks are installed before any
# native library is loaded, then attach to it.
rdev = frida.get_remote_device()
pid = rdev.spawn(["com.app.name"])
session = rdev.attach(pid)

scr = """
Java.perform(function () {
    // Log every native library the process loads, via both loader entry points.
    var dlopen = Module.findExportByName(null, "dlopen");
    var android_dlopen_ext = Module.findExportByName(null, "android_dlopen_ext");

    Interceptor.attach(dlopen, {
        onEnter: function (args) {
            // args[0] is the char* path; it is NULL for dlopen(NULL, ...)
            var path = args[0].isNull() ? "(null)" : args[0].readCString();
            console.log("[dlopen:]", path);
        }
    });

    // android_dlopen_ext is not exported on every Android version.
    if (android_dlopen_ext !== null) {
        Interceptor.attach(android_dlopen_ext, {
            onEnter: function (args) {
                var path = args[0].isNull() ? "(null)" : args[0].readCString();
                console.log("[dlopen_ext:]", path);
            }
        });
    }
});
"""

script = session.create_script(scr)

def on_message(message, data):
    # Print messages from the agent (script errors and send() payloads).
    print(message, data)

script.on("message", on_message)
script.load()
rdev.resume(pid)
# Block until stdin closes so the process stays alive and the log keeps streaming.
sys.stdin.read()
Judging from the log output, the .so that detects the Frida process should be one of the last few; removing the last .so file did the trick.
If removing the last file does not work, remove the second-to-last one as well.
[dlopen:] /system/lib64/libc.so
[dlopen_ext:] /data/app/com.hupu.shihuo-8I4NSUy8Hpu776OgExLkYw==/lib/arm64/libvcnverify.so
[dlopen_ext:] /data/app/com.hupu.shihuo-8I4NSUy8Hpu776OgExLkYw==/lib/arm64/libvcnverifylite.so
[dlopen_ext:] /data/app/com.hupu.shihuo-8I4NSUy8Hpu776OgExLkYw==/lib/arm64/libavmdlbase.so
[dlopen_ext:] /data/app/com.hupu.shihuo-8I4NSUy8Hpu776OgExLkYw==/lib/arm64/libavmdl.so
[dlopen:] libandroid.so
[dlopen_ext:] /data/app/com.hupu.shihuo-8I4NSUy8Hpu776OgExLkYw==/lib/arm64/libvcnverify.so
[dlopen:] libc.so
[dlopen:] libandroid.so
[dlopen_ext:] /data/app/com.hupu.shihuo-8I4NSUy8Hpu776OgExLkYw==/lib/arm64/libsgmiddletierso-5.5.53.so
[dlopen:] libc.so
[dlopen_ext:] /data/app/com.hupu.shihuo-8I4NSUy8Hpu776OgExLkYw==/lib/arm64/libaliadtanx-lib.so
[dlopen_ext:] /data/app/com.hupu.shihuo-8I4NSUy8Hpu776OgExLkYw==/lib/arm64/libmsaoaidsec.so
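The first paragraph says the native library checks for Frida while it loads. As an added illustration from the detection side (not code from the original post), the C function below implements the usual form of that check: scanning the process's /proc/self/maps for Frida's injected agent or gadget library. The marker list and both map buffers are constructed sample data.

```c
#include <stdio.h>
#include <string.h>

/* Substrings that Frida leaves in a process's memory map once it has
 * injected: the agent library (frida-server) or the embedded gadget.
 * Common indicators only, not an exhaustive list. */
static const char *const FRIDA_MARKERS[] = { "frida-agent", "frida-gadget", NULL };

/* Scan a /proc/self/maps-style buffer line by line and return the number
 * of lines that reference a Frida artifact (0 means nothing was found). */
int count_frida_mappings(const char *maps)
{
    int hits = 0;
    const char *line = maps;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[512];
        if (len >= sizeof buf) len = sizeof buf - 1;   /* truncate overlong lines */
        memcpy(buf, line, len);
        buf[len] = '\0';
        for (const char *const *m = FRIDA_MARKERS; *m; ++m) {
            if (strstr(buf, *m)) { ++hits; break; }
        }
        line = nl ? nl + 1 : line + len;
    }
    return hits;
}

/* Constructed samples: a clean process, and one with frida-agent mapped in. */
static const char *const CLEAN_MAPS =
    "7f00000000-7f00001000 r-xp 00000000 fd:00 1 /system/lib64/libc.so\n"
    "7f00100000-7f00200000 r-xp 00000000 fd:00 2 /data/app/com.app.name/lib/arm64/libnative.so\n";
static const char *const INSTRUMENTED_MAPS =
    "7f00000000-7f00001000 r-xp 00000000 fd:00 1 /system/lib64/libc.so\n"
    "7f10000000-7f11000000 r-xp 00000000 00:00 0 /data/local/tmp/re.frida.server/frida-agent-64.so\n"
    "7f12000000-7f12100000 rw-p 00000000 00:00 0 /data/local/tmp/re.frida.server/frida-agent-64.so\n";

int main(void)
{
    /* On a device the buffer would come from reading /proc/self/maps. */
    printf("clean: %d\n", count_frida_mappings(CLEAN_MAPS));             /* 0 */
    printf("instrumented: %d\n", count_frida_mappings(INSTRUMENTED_MAPS)); /* 2 */
    return 0;
}
```

A library doing this at load time is exactly what the dlopen log above helps locate: the last app-private .so loaded before the process exits is the likely caller.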