hanbinglengyue/FridaManager

Error when loading the .so library

Opened this issue · 6 comments

var verify = Module.findExportByName("libsscronet.so", "SSL_CTX_set_custom_verify");
After configuring this and starting the app,
verify is always null.
Is some configuration wrong?

Enumerate all the symbols and functions to confirm.

(Reply to Zero09's message of Wed, Dec 27, 2023, 17:00.)

Loading the traceJNIRegisterNative script also fails. Could you help me with this?

When using frida-gadget you need to pay attention to timing: make sure this .so has been loaded before you enumerate. You can first hook the functions in the .so loading path, and then enumerate once this .so has been loaded.

(Reply to Zero09's message of Thu, Dec 28, 2023, 16:40.)

I wrote a simple script; could you take a look:

var modules = Process.enumerateModules();
for (var i in modules) {
    var module = modules[i];
    LOG(module.name);
    if (module.name.indexOf("libprocessgroup.so") > -1) {
        LOG("11111111111");
        var baseAddr = Module.findBaseAddress("libprocessgroup.so");
        LOG("2222222222222222222");
        LOG(baseAddr);
    }
}

log:
E/fridamanager: libimg_utils.so
E/fridamanager: libnetd_client.so
E/fridamanager: libsoundtrigger.so
E/fridamanager: libminikin.so
E/fridamanager: libprocessgroup.so
E/fridamanager: 11111111111
E/fridamanager: 2222222222222222222

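LOG(baseAddr); still prints nothing, even though libprocessgroup.so has definitely been found at this point.
So the problem is still in Module.findBaseAddress.
Could it be a version issue? Does your version of frida-gum not have findBaseAddress and findExportByName???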

When enumerating the modules, use JSON.stringify to print the module's information, or just look at module.base directly for the base address.

(Reply to Zero09's message of Fri, Dec 29, 2023, 15:11.)
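The two suggestions above (wait until the library is loaded, then print the module's own information) combined into one diagnostic, as an added example that is not part of the original thread or the project's code. It assumes a Frida version where the static `Module.findExportByName(null, ...)` used in this thread is available; `watchLibrary` and `describeModule` are hypothetical helper names.

```javascript
// Added example: Frida API objects are passed in as `api` so the logic can also run under a stub.
function describeModule(mod, symbol) {
  // Search the module's own export table rather than a by-name lookup that only returns null.
  const exports = mod.enumerateExports();
  const hit = exports.find((e) => e.name === symbol) || null;
  return {
    name: mod.name,
    path: mod.path,
    base: String(mod.base), // stringify explicitly so the logger receives text
    exportCount: exports.length,
    symbolAddress: hit ? String(hit.address) : null,
  };
}

function watchLibrary(api, libName, symbol, log) {
  const reports = [];
  const inspect = (when) => {
    const mod = api.Process.findModuleByName(libName);
    if (mod === null) return false; // not mapped yet
    const report = Object.assign({ when }, describeModule(mod, symbol));
    reports.push(report);
    log(JSON.stringify(report));
    return true;
  };
  if (inspect("already loaded")) return reports;
  // Library not mapped yet: wait for the Android loader to bring it in.
  const dlopen = api.Module.findExportByName(null, "android_dlopen_ext");
  if (dlopen === null) {
    log("android_dlopen_ext not found; cannot wait for " + libName);
    return reports;
  }
  api.Interceptor.attach(dlopen, {
    onEnter(args) {
      this.path = args[0].isNull() ? "" : args[0].readCString() || "";
    },
    onLeave() {
      // Inspect only after the call returns, when the module is mapped.
      if (reports.length === 0 && this.path.endsWith(libName)) inspect("after android_dlopen_ext");
    },
  });
  return reports;
}

// Inside Frida (guarded so the file also loads outside it). LOG is the logger used in this thread.
if (typeof Interceptor !== "undefined") {
  const log = typeof LOG === "function" ? LOG : console.log;
  watchLibrary({ Process, Module, Interceptor }, "libsscronet.so", "SSL_CTX_set_custom_verify", log);
}
```

A report with `symbolAddress: null` and a non-zero `exportCount` means the library is mapped but does not export that name, which is a different situation from the library not being loaded yet.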

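I found that after android_dlopen_ext runs, once it gets to loading libreparo.so it does not continue any further, but the app opens normally. Could you advise how to bypass this .so?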