11

.gitignore

@@ -0,0 +1,10 @@
+# ---> Linux
+*~
+
+# KDE directory preferences
+.directory
+
+# Linux trash folder which might appear on any partition or disk
+.Trash-*
+
+/node_modules/

.idea/.gitignore

@@ -0,0 +1,5 @@
+# Default ignored files
+/shelf/
+/workspace.xml
+# Editor-based HTTP Client requests
+/httpRequests/

.idea/frida-agent.iml

@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<module type="WEB_MODULE" version="4">
+  <component name="NewModuleRootManager">
+    <content url="file://$MODULE_DIR$">
+      <excludeFolder url="file://$MODULE_DIR$/.tmp" />
+      <excludeFolder url="file://$MODULE_DIR$/temp" />
+      <excludeFolder url="file://$MODULE_DIR$/tmp" />
+    </content>
+    <orderEntry type="inheritedJdk" />
+    <orderEntry type="sourceFolder" forTests="false" />
+  </component>
+</module>

.idea/modules.xml

@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="ProjectModuleManager">
+    <modules>
+      <module fileurl="file://$PROJECT_DIR$/.idea/frida-agent.iml" filepath="$PROJECT_DIR$/.idea/frida-agent.iml" />
+    </modules>
+  </component>
+</project>

.idea/vcs.xml

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="VcsDirectoryMappings">
+    <mapping directory="$PROJECT_DIR$" vcs="Git" />
+  </component>
+</project>

README.md

@@ -0,0 +1,3 @@
+# Imy
+
+frida

agent/HookImpl.js

@@ -0,0 +1,26 @@
+import {logHHex} from "./logger";
+
+
+export let HookImpl = {
+
+    start: function () {
+        let module = Process.findModuleByName("libil2cpp.so");
+        Interceptor.attach(module.base.add(0x6A65EC), {
+            onEnter: function (args) {
+                var pointer = args[0];
+
+                pointer.add(0x18).writeU32(100);
+                //101
+                console.log("pointer " + pointer)
+                logHHex(pointer)
+                this.ptr =pointer;
+            },
+            onLeave: function (ret) {
+                console.log("level");
+                logHHex(this.ptr)
+                return ret;
+            }
+            //32
+        })
+    }
+}

agent/hooklinker.js

@@ -0,0 +1,24 @@
+import {HookImpl} from "./HookImpl";
+
+
+export let hooklinker = {
+
+    start:function (){
+        // linker64 arm64
+        if (Process.pointerSize===8){
+            let module = Process.findModuleByName("linker64");
+            Interceptor.attach(module.base.add(0xb5b48),{
+                onEnter:function (args){
+                    var path= args[3].readCString();
+                    console.log("path "+path);
+                    if (path.includes("libil2cpp.so")){
+                      HookImpl.start();
+                    }
+                }
+            })
+        }else {
+            //linker
+        }
+
+    }
+}

agent/index.ts

@@ -0,0 +1,14 @@
+import {hooklinker} from "./hooklinker";
+
+setImmediate(main)
+
+function main() {
+
+
+    // init_array 通用模板的注入
+
+    hooklinker.start();
+}
+
+
+

agent/logger.ts

@@ -0,0 +1,132 @@
+
+const DEBUG: boolean = false;
+const INTOOLS: boolean=true;
+export function log(msg: string): void {
+    if (DEBUG) {
+        log4Android(msg);
+    } else {
+
+        console.log(msg);
+    }
+}
+export function log4AndroidD(msg: string,tag:string): void {
+    let log = "android.util.Log";
+    let log_cls = Java.use(log);
+    log_cls.d(tag, msg);
+}
+export function log4AndroidV(msg: string,tag:string): void {
+    let log = "android.util.Log";
+    let log_cls = Java.use(log);
+    log_cls.v(tag, msg);
+}
+export function log4AndroidI(msg: string,tag:string): void {
+    let log = "android.util.Log";
+    let log_cls = Java.use(log);
+    log_cls.i(tag, msg);
+}
+export function log4AndroidW(msg: string,tag:string): void {
+    let log = "android.util.Log";
+    let log_cls = Java.use(log);
+    log_cls.w(tag, msg);
+}
+export function log4AndroidE(msg: string,tag:string): void {
+    let log = "android.util.Log";
+    let log_cls = Java.use(log);
+    log_cls.e(tag, msg);
+}
+export function log4Android(msg: string): void {
+    let log = "android.util.Log";
+    let log_cls = Java.use(log);
+    log_cls.w("Dumper", msg);
+}
+export function  logHHex(pointer :NativePointer) :void {
+    let s = hexdump(pointer, {
+        offset: 0,
+        length: 64,
+        header: true,
+        ansi: true
+    });
+
+    console.log(s);
+}
+export function  logHHexLength(pointer :NativePointer,length: number) :void {
+    console.log(hexdump(pointer, {
+        offset: 0,
+        length: length,
+        header: true,
+        ansi: true
+    }));
+}
+export function logColor(message: string, type: number): void {
+
+    if (DEBUG) {
+        log4Android(message);
+        return;
+    }
+    if (INTOOLS){
+        log(message)
+        return;
+    }
+    if (type == undefined) {
+        log(message)
+
+        return;
+    }
+    switch (type) {
+        case LogColor.WHITE:
+            log(message);
+            break;
+        case LogColor.RED:
+            console.error(message);
+            break;
+        case LogColor.YELLOW:
+            console.warn(message);
+            break;
+        default:
+            console.log("\x1b[" + type + "m" + message + "\x1b[0m");
+            break;
+
+    }
+
+}
+
+export var LogColor = {
+    WHITE: 0,
+    RED: 1,
+    YELLOW: 3,
+    C31: 31,
+    C32: 32,
+    C33: 33,
+    C34: 34,
+    C35: 35,
+    C36: 36,
+    C41: 41,
+    C42: 42,
+    C43: 43,
+    C44: 44,
+    C45: 45,
+    C46: 46,
+    C90: 90,
+    C91: 91,
+    C92: 92,
+    C93: 93,
+    C94: 94,
+    C95: 95,
+    C96: 96,
+    C97: 97,
+    C100: 100,
+    C101: 101,
+    C102: 102,
+    C103: 103,
+    C104: 104,
+    C105: 105,
+    C106: 106,
+    C107: 107
+}
+
+
+
+
+
+
+

package.json

@@ -0,0 +1,23 @@
+{
+  "name": "frida-agent-example",
+  "version": "1.0.0",
+  "description": "Example Frida agent written in TypeScript",
+  "private": true,
+  "main": "agent/index.ts",
+  "scripts": {
+    "prepare": "npm run build",
+    "build": "frida-compile agent/index.ts -o _agent.js -c ",
+    "watch": "frida-compile agent/index.ts -o _agent.js -w",
+    "lint": "eslint agent/**/*.ts"
+  },
+  "devDependencies": {
+    "@types/frida-gum": "^17.2.0",
+    "@types/node": "^16.11.12",
+    "@typescript-eslint/eslint-plugin": "^2.27.0",
+    "@typescript-eslint/parser": "^2.27.0",
+    "frida-compile": "^10.2.5"
+  },
+  "dependencies": {
+    "jnitrace-engine": "^1.1.0"
+  }
+}

tsconfig.json

@@ -0,0 +1,11 @@
+{
+  "compilerOptions": {
+    "target": "es2020",
+    "lib": ["es2020"],
+    "allowJs": true,
+    "noEmit": true,
+    "strict": true,
+    "esModuleInterop": true,
+    "moduleResolution": "Node"
+  }
+}