eastpolar
/
alex-frida


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172
							import {logColor, LogColor} from "../logger";
const IS_SAVE_ALL_JS = false;
const TARGET_PACKAGE = "com.rbigkic.yyydsj";

const targetModuleName = "libcocos2djs.so";
let TAGET_DATA_FILES = `/data/data/${TARGET_PACKAGE}/files`;

// const RE_PROJECT_PATH = `${TAGET_DATA_FILES}/index.jsc`;
const RE_PROJECT_PATH = `/data/local/tmp/index.jsc`;
// 命令
// adb push D:\Project_Repostory\HookCli\yyyy_js\assets\main\index.jsc  /data/local/tmp/index.jsc

export let HookYDSJ = {
    start: function () {

        Java.perform(function () {
            Interceptor.attach(Module.findExportByName(null, "android_dlopen_ext"), {
                onEnter: function (args) {
                    var soName = args[0].readCString();
                    // console.log("dlopen called with: " + soName);
                    // 获取正在加载的模块的名称
                    var moduleName = Memory.readUtf8String(args[0]);
                    this.isTargetModule = (moduleName.indexOf(targetModuleName) !== -1);
                },
                onLeave: function (ret) {
                    if (this.isTargetModule) {
                        HookYDSJ.hook();
                    }
                }
            });
        })
    }, hook: function () {
        logColor("HookLDGP start", LogColor.RED_BG);
        let addressBase = Module.findBaseAddress(targetModuleName);

        function createDir(saveFilePath) {
            let path = require('path'); // 引入path模块，假设Frida环境支持或者有类似的路径处理方法

            // 分离目录路径和文件名
            let dirPath = path.dirname(saveFilePath);
            let fileName = path.basename(saveFilePath);

            // 检查目录是否存在，不存在则创建
            Java.perform(function () {
                // 使用 Java 的 File 类
                var File = Java.use("java.io.File");

                // 目标目录路径

                // 创建 File 对象表示这个目录
                var targetDir = File.$new(dirPath);

                // 检查目录是否存在
                if (!targetDir.exists()) {
                    // 目录不存在，尝试创建目录
                    var success = targetDir.mkdirs();
                    if (success) {
                        logColor("目录创建成功:" + saveFilePath, LogColor.GREEN_TEXT)
                    } else {
                        logColor("目录创建失败:" + saveFilePath, LogColor.RED_TEXT)
                    }
                } else {
                    logColor("目录已存在:" + saveFilePath, LogColor.RED_TEXT)
                }
            });
        }
        function saveAllJs(args) {
            if (IS_SAVE_ALL_JS) {
                let saveFilePath = `${TAGET_DATA_FILES}/saved_js/`;
                //判断saveFilePath是否存在,不存在则创建
                if (!args[4].isNull()) {//这个应该是别名
                    var jsName = args[4].readUtf8String();
                    let filePath = `${saveFilePath}${jsName}`;
                    createDir(filePath);
                    var scriptString = args[1].readUtf8String();

                    logColor(`=======开始写入--${jsName}--========`, LogColor.GREEN_TEXT);
                    var file = new File(filePath, "wb");
                    file.write(scriptString);
                    file.flush();
                    file.close();
                    logColor(`=======写入--${jsName}--完成========`, LogColor.GREEN_TEXT);
                }
            }
            return IS_SAVE_ALL_JS;
        }

        try {
            logColor("addressBase: " + addressBase, LogColor.RED_BG);
            Module.ensureInitialized(targetModuleName);
            var targetFunctionAddress = addressBase.add(0x000008E3FE4);
            Interceptor.attach(targetFunctionAddress, {
                onEnter: function (args) {
                    // console.log("evalString Function called");
                    //判断args是否为空
                    if (args === null) {
                        console.log("evalString Function args is null");
                        return;
                    }

                    //用颜色打印所有的参数
                    if (!args[4].isNull()) {//这个应该是别名
                        var contextName = args[4].readUtf8String();
                        console.log("脚本别名" + contextName);
                        var scriptLength = args[2].toInt32();
                        console.log("Length of code: " + scriptLength);

                        if (saveAllJs(args)){
                            logColor("----------保存所有脚本-----", LogColor.RED_BG);
                            return;
                        }

                        if (contextName.indexOf("assets/main/index.jsc") !== -1) {
                            //保存最新的版本
                            // var scriptString = args[1].readUtf8String();
                            // console.log("JavaScript scriptString: " + scriptString);
                            // saveString(scriptString);
                            // return 1;

                            this.replaced = 1;
                            //获取当前时间
                            this.startTime = new Date().getTime();
                            // return 1;

                            var env = Java.vm.getEnv();

                            let libCliSo = Module.load("/data/data/com.rbigkic.yyydsj/files/libcli.so");
                            logColor("libCliSo: " + libCliSo, LogColor.GREEN_TEXT);
                            let readFileAddress = libCliSo.findExportByName("readFile");
                            logColor("readFile: " + readFileAddress, LogColor.GREEN_TEXT);
                            let readFile = new NativeFunction(readFileAddress, 'pointer', ['pointer', "pointer"]);
                            let filePath = Memory.allocUtf8String(RE_PROJECT_PATH);

                            let jByteArray = readFile(env.handle, filePath);
                            // 处理返回的 jbyteArray
                            var length = env.getArrayLength(jByteArray);
                            var buffer = env.getByteArrayElements(jByteArray, null);
                            args[1] = ptr(buffer);
                            args[2] = ptr(length);
                            // TraceTools.crash2Trace(this.context);

                            // var scriptEngine = args[0];
                            // console.log("JavaScript scriptEngine add: " + scriptEngine);
                            //
                            // var reProjectJs = readProjectJs();
                            // args[1] = reProjectJs.buffer;
                            // args[2] = reProjectJs.length;
                            // args[3] = reProjectJs.addPtr;
                            // logColor("reProjectJs: " + reProjectJs.length, LogColor.RED_BG);
                            //
                            var scriptLength = args[2].toInt32();
                            console.log("Length of code: " + scriptLength);
                            //
                            console.log("Result storage: " + args[3] + " typeof:" + typeof args[3]);
                        }
                    }
                },
                onLeave: function (retval) {
                    //尝试所有类型的返回值
                    if (this.replaced) {
                        console.log("json 替换结果:", retval.toInt32() === 1);
                        var endTime = new Date().getTime();
                        console.log("耗时: " + (endTime - this.startTime) + "ms");
                    }
                }
            });
        } catch (e) {

            console.log("error: " + e);
        }
    }
}