libDexHelper调试

libDexHelper调试

JNI_OnLoad

libart.so位置是在 /system/lib/libart.so

adb pull /system/lib/libart.so .

Exports里面搜索: LoadNativeLibrary

获取地址: 0x002516F0

然后在strings窗口里搜索 Calling JNI_OnLoad

点进去右击查看交叉引用,点第一个进去

进去后点最下面的B

进来之后是R6位置,下面的 BLX R5 记住这里的地址 0x00251E66

用这里的地址减去前面搜索 LoadNativeLibrary 拿到的地址

0x00251E66 - 0x002516F0 得到偏移 0x776

然后以后动态调试的时候,先确认你需要的so加载进来了,然后在libart.so中

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
libart.so:00000076CFBA25C0 BLR             X8
libart.so:00000076CFBA25C4 MOV             X28, X0
libart.so:00000076CFBA25C8 MOV             X0, X21
libart.so:00000076CFBA25CC MOV             X1, X19
libart.so:00000076CFBA25D0 BL              _ZN3art6Thread22SetClassLoaderOverrideEP8_jobject
libart.so:00000076CFBA25D4 LDRB            W8, [X22,#(byte_7754839248 - 0x7754839240)]
libart.so:00000076CFBA25D8 CBNZ            W8, loc_76CFBA2DC4
libart.so:00000076CFBA25DC
libart.so:00000076CFBA25DC loc_76CFBA25DC                          ; CODE XREF: _ZN3art9JavaVMExt17LoadNativeLibraryEP7_JNIEnvRKNSt3__112basic_stringIcNS3_11char_traitsIcEENS3_9allocatorIcEEEEP8_jobjectP7_jclassPS9_+1488↓j
libart.so:00000076CFBA25DC                                         ; _ZN3art9JavaVMExt17LoadNativeLibraryEP7_JNIEnvRKNSt3__112basic_stringIcNS3_11char_traitsIcEENS3_9allocatorIcEEEEP8_jobjectP7_jclassPS9_+1510↓j
libart.so:00000076CFBA25DC MOV             X0, X27
libart.so:00000076CFBA25E0 MOV             X1, #0
libart.so:00000076CFBA25E4 BLR             X24 ;<--------------------------------
libart.so:00000076CFBA25E8 LDR             X8, [X27,#8]
libart.so:00000076CFBA25EC LDR             W8, [X8,#0x458]
libart.so:00000076CFBA25F0 SUB             W8, W8, #1
libart.so:00000076CFBA25F4 MOV             W24, W0
libart.so:00000076CFBA25F8 CMP             W8, #0x14
libart.so:00000076CFBA25FC B.HI            loc_76CFBA2608
libart.so:00000076CFBA2600 MOV             W0, #0xB
libart.so:00000076CFBA2604 BL              unk_76CFDDEBE0
libart.so:00000076CFBA2608
libart.so:00000076CFBA2608 loc_76CFBA2608                          ; CODE XREF: _ZN3art9JavaVMExt17LoadNativeLibraryEP7_JNIEnvRKNSt3__112basic_stringIcNS3_11char_traitsIcEENS3_9allocatorIcEEEEP8_jobjectP7_jclassPS9_+CB8↑j
libart.so:00000076CFBA2608 LDR             X0, [SP,#0x140+var_E8]
libart.so:00000076CFBA260C MOV             X1, X28
libart.so:00000076CFBA2610 BL              _ZN3art6Thread22SetClassLoaderOverrideEP8_jobject

image-20230207150716306

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
libart.so:ECFDF0FA
libart.so:ECFDF0FA loc_ECFDF0FA                            ; CODE XREF: _ZN3art9JavaVMExt17LoadNativeLibraryEP7_JNIEnvRKNSt3__112basic_stringIcNS3_11char_traitsIcEENS3_9allocatorIcEEEEP8_jobjectP7_jclassPS9_+98E↑j
libart.so:ECFDF0FA CBZ             R6, loc_ECFDF17A
libart.so:ECFDF0FC MOV             R8, R10
libart.so:ECFDF0FE LDR.W           R10, [SP,#0x6C]
libart.so:ECFDF102 LDR.W           R1, [R9,#0xE0]
libart.so:ECFDF106 LDR.W           R0, [R10]
libart.so:ECFDF10A LDR             R2, [R0,#0x64]
libart.so:ECFDF10C MOV             R0, R10
libart.so:ECFDF10E BLX             R2
libart.so:ECFDF110 STR             R0, [SP,#0x44]
libart.so:ECFDF112 MOV             R0, R9
libart.so:ECFDF114 MOV             R1, R5
libart.so:ECFDF116 BL              _ZN3art6Thread22SetClassLoaderOverrideEP8_jobject
libart.so:ECFDF11A LDRB            R0, [R4,#8]
libart.so:ECFDF11C CMP             R0, #0
libart.so:ECFDF11E BNE.W           loc_ECFDF792
libart.so:ECFDF122
libart.so:ECFDF122 loc_ECFDF122                            ; CODE XREF: _ZN3art9JavaVMExt17LoadNativeLibraryEP7_JNIEnvRKNSt3__112basic_stringIcNS3_11char_traitsIcEENS3_9allocatorIcEEEEP8_jobjectP7_jclassPS9_+1034↓j
libart.so:ECFDF122                                         ; _ZN3art9JavaVMExt17LoadNativeLibraryEP7_JNIEnvRKNSt3__112basic_stringIcNS3_11char_traitsIcEENS3_9allocatorIcEEEEP8_jobjectP7_jclassPS9_+10AA↓j
libart.so:ECFDF122 MOV             R0, R8
libart.so:ECFDF124 MOVS            R1, #0
libart.so:ECFDF126 BLX             R6 ;<----------------------------------------------
libart.so:ECFDF128 MOV             R5, R0
libart.so:ECFDF12A LDR.W           R0, [R8,#4]
libart.so:ECFDF12E LDR.W           R0, [R0,#0x280]
libart.so:ECFDF132 SUBS            R0, #1
libart.so:ECFDF134 CMP             R0, #0x14
libart.so:ECFDF136 BHI             loc_ECFDF13E
libart.so:ECFDF138 MOVS            R0, #0xB
libart.so:ECFDF13A BLX             unk_ED189B80
libart.so:ECFDF13E
libart.so:ECFDF13E loc_ECFDF13E                            ; CODE XREF: _ZN3art9JavaVMExt17LoadNativeLibraryEP7_JNIEnvRKNSt3__112basic_stringIcNS3_11char_traitsIcEENS3_9allocatorIcEEEEP8_jobjectP7_jclassPS9_+9D2↑j
libart.so:ECFDF13E LDR             R7, [SP,#0x44]
libart.so:ECFDF140 MOV             R0, R9
libart.so:ECFDF142 MOV             R1, R7
libart.so:ECFDF144 BL              _ZN3art6Thread22SetClassLoaderOverrideEP8_jobject
libart.so:ECFDF148 MOV             R0, #0xFFFEFFFE
libart.so:ECFDF14C ADD             R0, R5
libart.so:ECFDF14E CMP             R0, #4
libart.so:ECFDF150 BHI             loc_ECFDF15E

image-20230209161551115

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
package com.ccb.common.net.httpconnection;

import com.ccb.common.log.MbsLogManager;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.conn.ssl.X509HostnameVerifier;

public class MbsX509TrustManager implements X509TrustManager {
    X509TrustManager myJSSEX509TrustManager;

    public MbsX509TrustManager() throws Exception {
        KeyStore v0 = KeyStore.getInstance("BKS");
        TrustManagerFactory v1 = TrustManagerFactory.getInstance("X509");
        v1.init(v0);
        TrustManager[] v0_1 = v1.getTrustManagers();
        int v1_1;
        for(v1_1 = 0; v1_1 < v0_1.length; ++v1_1) {
            if((v0_1[v1_1] instanceof X509TrustManager)) {
                this.myJSSEX509TrustManager = (X509TrustManager)v0_1[v1_1];
                return;
            }
        }
    }

    @Override  // javax.net.ssl.X509TrustManager
    public void checkClientTrusted(X509Certificate[] arg1, String arg2) throws CertificateException {
    }

    @Override  // javax.net.ssl.X509TrustManager
    public void checkServerTrusted(X509Certificate[] arg1, String arg2) throws CertificateException {
    }

    @Override  // javax.net.ssl.X509TrustManager
    public X509Certificate[] getAcceptedIssuers() {
        return null;
    }

    public static void httpsAllowHostNameVerifier() {
        try {
            X509HostnameVerifier v0_1 = SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER;
            TrustManager[] v2 = new TrustManager[]{new MbsX509TrustManager()};
            SSLContext v1 = SSLContext.getInstance("TLS");
            v1.init(null, v2, new SecureRandom());
            if(v1 != null) {
                HttpsURLConnection.setDefaultSSLSocketFactory(v1.getSocketFactory());
            }

            HttpsURLConnection.setDefaultHostnameVerifier(v0_1);
        }
        catch(Exception v0) {
            MbsLogManager.logE(v0.toString());
        }
    }
}