eastpolar
/
alex-frida


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108
							export let SafeSelf = {

    start: function () {

        let nativePointer = Module.findExportByName(null, "open");

        Interceptor.attach(nativePointer, {
            onEnter: function (args) {
                let path = args[0].readCString();
                // log("open path:"+path);
            }
        })

        let connect = Module.findExportByName(null, "connect");
        if (connect != null) {
            Interceptor.attach(connect, {
                onEnter: function (args) {
                    let arg = args[1];
                    let port = arg.add(0x2).readUShort();
                    if (port === 41577
                        || port === 35421) {
                        //写值
                        // logHHex(arg)
                        arg.add(0x2).writeUShort(26151);

                    }


                }
            })
        }

    },
    hook_dlopen: function (soName = '') {
        Interceptor.attach(Module.findExportByName(null, "android_dlopen_ext"),
            {
                onEnter: function (args) {
                    var pathptr = args[0];
                    if (pathptr !== undefined && pathptr != null) {
                        var path = ptr(pathptr).readCString();
                        if (path.indexOf(soName) >= 0) {
                            locate_init()
                        }
                    }
                }
            }
        );
    }

}


function locate_init() {
    let secmodule = null
    Interceptor.attach(Module.findExportByName(null, "__system_property_get"),
        {
            // _system_property_get("ro.build.version.sdk", v1);
            onEnter: function (args) {
                secmodule = Process.findModuleByName("libmsaoaidsec.so")
                var name = args[0];
                if (secmodule != null && name !== undefined && name != null) {
                    name = ptr(name).readCString();
                    if (name.indexOf("ro.build.version.sdk") >= 0) {
                        // 这是.init_proc刚开始执行的地方，是一个比较早的时机点
                        // do something
                        // hook_pthread_create()
                        bypass()
                    }
                }
            }
        }
    );
}

function hook_pthread_create() {
    console.log("libmsaoaidsec.so --- " + Process.findModuleByName("libmsaoaidsec.so").base)
    Interceptor.attach(Module.findExportByName("libc.so", "pthread_create"), {
        onEnter(args) {
            let func_addr = args[2]
            console.log("The thread function address is " + func_addr)
        }
    })
}

function bypass() {
    let module = Process.findModuleByName("libmsaoaidsec.so")
    if (module !== null) {
        console.log("找到libmsaoaidsec.so")
        nop(module.base.add(0x175F8))
        nop(module.base.add(0x16D30))
    }
}


function nop(addr) {
    Memory.patchCode(ptr(addr), 16, code => {
        //创建arm64指令集的操作对象
        const cw = new Arm64Writer(code, {pc: ptr(addr)});
        //nop指令
        cw.putNop();
        cw.putNop();
        cw.putNop();
        cw.putNop();
        console.log("nop at " + addr)
        //写入
        cw.flush();
    });
}