alex hace 1 año
Se han modificado 5 ficheros con 122 adiciones y 14 borrados
  1. 18 0
      agent/HookGameCenter.js
  2. 9 1
      agent/index.ts
  3. 85 3
      agent/safeSelf.js
  4. 8 9
      package-lock.json
  5. 2 1
      package.json

+ 18 - 0
agent/HookGameCenter.js

@@ -0,0 +1,18 @@
+export let HookGameCenter = {
+    startHook: function () {
+        Java.perform(()=>{
+            console.log("hook start")
+            //todo
+            //hook TextView的setText方法
+            let CharSequence = Java.use("java.lang.CharSequence");
+            //new CharSequence
+
+            let charSequence = Java.cast(Java.use("java.lang.String").$new("嘿嘿嘿"),CharSequence);
+            Java.use("android.widget.TextView").setText.overload("java.lang.CharSequence").implementation = function (x) {
+                console.log("hook setText",x)
+                return this.setText(charSequence)
+            }
+            console.log("hook end")
+        })
+    }
+}
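Review bot: The `setText` replacement logs the incoming argument `x` and then discards it, forwarding the single CharSequence built once above it, so every `TextView.setText(CharSequence)` call in the process ends up showing the same fixed text; if that is the intended demo behaviour it belongs in a comment on `startHook`, e.g. `// Replaces the text of every TextView.setText(CharSequence) call with a fixed string; the original argument is only logged.`. `startHook` also wraps its body in `Java.perform` even though its only visible caller (agent/index.ts in this commit) already invokes it inside `Java.perform`, so one of the two wrappers is redundant. Style: the object is never reassigned, so `export const HookGameCenter = {` matches the intent better than `export let`, and the statements in the hook body omit semicolons while the rest of the agent uses them.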

+ 9 - 1
agent/index.ts

@@ -1,14 +1,22 @@
 import {hooklinker} from "./hooklinker";
 import {SafeSelf} from "./safeSelf";
 import {dumper} from "./dumper";
+import {HookGameCenter} from "./HookGameCenter";
 
+// SafeSelf.start();
+// SafeSelf.hook_dlopen();
+SafeSelf.hook_dlopen("libmsaoaidsec.so");
 setImmediate(main)
 
 function main() {
 
 
+    setTimeout(() => {
+        Java.perform(() => {
+            HookGameCenter.startHook()
+        })
+    }, 3000);
     // init_array 通用模板的注入
-    SafeSelf.start();
     hooklinker.start();
     // dumper.start();
 }
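Review bot: The new `setTimeout(..., 3000)` in `main` uses a fixed delay to wait for the Java side to be ready before `HookGameCenter.startHook()`, which is a race rather than a condition and will silently miss the hook on a slower device; the magic number needs a comment explaining why it was chosen, e.g. `// Empirical delay so the target views are loaded before startHook runs; tune if the hook is never installed.`. The `Java.perform` wrapper around `HookGameCenter.startHook()` is redundant because `startHook` itself calls `Java.perform` (see agent/HookGameCenter.js in this commit). The two commented-out `SafeSelf.start()` / `SafeSelf.hook_dlopen()` lines at module top duplicate the call removed from `main`; dead code should be deleted rather than kept as comments.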

+ 85 - 3
agent/safeSelf.js

@@ -1,7 +1,15 @@
+export let SafeSelf = {
 
-export let SafeSelf ={
+    start: function () {
 
-    start:function (){
+        let nativePointer = Module.findExportByName(null, "open");
+
+        Interceptor.attach(nativePointer, {
+            onEnter: function (args) {
+                let path = args[0].readCString();
+                // log("open path:"+path);
+            }
+        })
 
         let connect = Module.findExportByName(null, "connect");
         if (connect != null) {
@@ -22,5 +30,79 @@ export let SafeSelf ={
             })
         }
 
+    },
+    hook_dlopen: function (soName = '') {
+        Interceptor.attach(Module.findExportByName(null, "android_dlopen_ext"),
+            {
+                onEnter: function (args) {
+                    var pathptr = args[0];
+                    if (pathptr !== undefined && pathptr != null) {
+                        var path = ptr(pathptr).readCString();
+                        if (path.indexOf(soName) >= 0) {
+                            locate_init()
+                        }
+                    }
+                }
+            }
+        );
+    }
+
+}
+
+
+function locate_init() {
+    let secmodule = null
+    Interceptor.attach(Module.findExportByName(null, "__system_property_get"),
+        {
+            // _system_property_get("ro.build.version.sdk", v1);
+            onEnter: function (args) {
+                secmodule = Process.findModuleByName("libmsaoaidsec.so")
+                var name = args[0];
+                if (secmodule != null && name !== undefined && name != null) {
+                    name = ptr(name).readCString();
+                    if (name.indexOf("ro.build.version.sdk") >= 0) {
+                        // 这是.init_proc刚开始执行的地方,是一个比较早的时机点
+                        // do something
+                        // hook_pthread_create()
+                        bypass()
+                    }
+                }
+            }
+        }
+    );
+}
+
+function hook_pthread_create() {
+    console.log("libmsaoaidsec.so --- " + Process.findModuleByName("libmsaoaidsec.so").base)
+    Interceptor.attach(Module.findExportByName("libc.so", "pthread_create"), {
+        onEnter(args) {
+            let func_addr = args[2]
+            console.log("The thread function address is " + func_addr)
+        }
+    })
+}
+
+function bypass() {
+    let module = Process.findModuleByName("libmsaoaidsec.so")
+    if (module !== null) {
+        console.log("找到libmsaoaidsec.so")
+        nop(module.base.add(0x175F8))
+        nop(module.base.add(0x16D30))
     }
-}
+}
+
+
+function nop(addr) {
+    Memory.patchCode(ptr(addr), 4, code => {
+        //创建arm64指令集的操作对象
+        const cw = new Arm64Writer(code, {pc: ptr(addr)});
+        //nop指令
+        cw.putNop();
+        cw.putNop();
+        cw.putNop();
+        cw.putNop();
+        console.log("nop at " + addr)
+        //写入
+        cw.flush();
+    });
+}
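Review bot: The new `open` hook in `start` passes the result of `Module.findExportByName(null, "open")` straight to `Interceptor.attach`, whereas the `connect` hook directly below it guards with `if (connect != null)`; if the export is not found `Interceptor.attach` throws and aborts the rest of `start`, so the same guard is needed, `if (nativePointer !== null) {`. The same unguarded pattern is repeated in `hook_dlopen` (`android_dlopen_ext`), `locate_init` (`__system_property_get`) and `hook_pthread_create` (`pthread_create`). The `open` handler also reads `args[0].readCString()` into `path` and then does nothing with it beyond a commented-out log, so the read can be dropped until it is actually used. `hook_dlopen`'s default `soName = ''` matches every library path, and each match calls `locate_init()`, which attaches another `__system_property_get` listener without detaching the previous one, so callers relying on the default accumulate listeners on every load.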

+ 8 - 9
package-lock.json

@@ -8,7 +8,8 @@
       "name": "frida-agent-example",
       "version": "1.0.0",
       "dependencies": {
-        "jnitrace-engine": "^1.1.0"
+        "jnitrace-engine": "^1.1.0",
+        "source-map": "^0.7.4"
       },
       "devDependencies": {
         "@types/frida-gum": "^17.2.0",
@@ -3785,10 +3786,9 @@
       }
     },
     "node_modules/source-map": {
-      "version": "0.7.3",
-      "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.7.3.tgz",
-      "integrity": "sha512-CkCj6giN3S+n9qrYiBTX5gystlENnRW5jZeNLHpe6aue+SrHcG5VYwujhW9s4dY31mEGsxBDrHR6oI69fTXsaQ==",
-      "dev": true,
+      "version": "0.7.4",
+      "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.7.4.tgz",
+      "integrity": "sha512-l3BikUxvPOcn5E74dZiq5BGsTb5yEwhaTSzccU6t4sDOH8NWJCstKO5QT2CvtFoK6F0saL7p9xHAqHOlCPJygA==",
       "engines": {
         "node": ">= 8"
       }
@@ -7537,10 +7537,9 @@
       }
     },
     "source-map": {
-      "version": "0.7.3",
-      "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.7.3.tgz",
-      "integrity": "sha512-CkCj6giN3S+n9qrYiBTX5gystlENnRW5jZeNLHpe6aue+SrHcG5VYwujhW9s4dY31mEGsxBDrHR6oI69fTXsaQ==",
-      "dev": true
+      "version": "0.7.4",
+      "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.7.4.tgz",
+      "integrity": "sha512-l3BikUxvPOcn5E74dZiq5BGsTb5yEwhaTSzccU6t4sDOH8NWJCstKO5QT2CvtFoK6F0saL7p9xHAqHOlCPJygA=="
     },
     "source-map-support": {
       "version": "0.5.21",

+ 2 - 1
package.json

@@ -18,6 +18,7 @@
     "frida-compile": "^10.2.5"
   },
   "dependencies": {
-    "jnitrace-engine": "^1.1.0"
+    "jnitrace-engine": "^1.1.0",
+    "source-map": "^0.7.4"
   }
 }