ƽ - LCG - LSG |׿ƽ||ƽܛ|ŷƱ  www.ykwek.com

 һܴa
 ע[Register]

QQ

ֻһ_ʼ

: ctf Ó ̳
12һ
б l
鿴: 1569|؏: 19
һ} һ}

欧洲篮球联赛球队 : [Android ԭ] 8.1汾dexd̹Pӛ--ڶƪ:DexFile::OpencÓԭ

[朽]
L
Dָnj
L l 2020-3-3 08:29
ڿѩl52ٰlһͬW

BWdex_file.cc@Դa¸˴ЂhookÓwӹ̵ԭԭ
W˴angelTomshttps://bbs.pediy.com/thread-252828.htmchttps://bbs.pediy.com/thread-252284.htmYĺdex dȴֻ֮Ҫ뷽OҵDexFileČͿͨ^ĔYwӹ̵dex҂dex_file.ccԴa혱³ÓĻԭ?ʸ[һX?br />
[C++] ı鿴 ƴa
 ŷƱ  www.ykwek.com DexFile::Open(OpenDexFilesFromOatͨ^oatfile@dexfile@) 
{
 OpenCommon
}
 
DexFile::Open (OpenDexFilesFromOatͨ^oatfile@dexfileʧֱӴ_Դdex@dexfile@ )
{
 OpenAndReadMagic
 if zip
  OpenZip
  {
   OpenAllDexFilesFromZip
   {
    OpenOneDexFileFromZip
    {
     OpenCommon
    }
   }
  }
 else dex
  OpenFile
   {
    OpenCommon
   }
}

1.ȿDexFile::Openһ^ļԴaкÎׂd 
һOpenDexFilesFromOatͨ^oatfile@dexfileɹ{OpenDexFileDexFile::OpenąДOpenDexFilesFromOatͨ^oatfile@dexfileʧֱӴ_Դdex{OpenDexFilesFromOatDexFile::OpenąД
[Asm] ı鿴 ƴa
 static std::unique_ptr<const DexFile> Open(const uint8_t* base,
                                             size_t size,
                                             const std::string& location,
                                             uint32_t location_checksum,
                                             const OatDexFile* oat_dex_file,
                                             bool verify,
                                             bool verify_checksum,
                                             std::string* error_msg);//@OpenDexFilesFromOatͨ^oatfile@dexfile@OpenDexFileDexFile::OpenąДȥһƪ
 
  // Opens .dex file that has been memory-mapped by the caller.
  static std::unique_ptr<const DexFile> Open(const std::string& location,
                                             uint32_t location_checkum,
                                             std::unique_ptr<MemMap> mem_map,
                                             bool verify,
                                             bool verify_checksum,
                                             std::string* error_msg);//@Ǵ_ѽ{memory-mapped^
 
  // Opens all .dex files found in the file, guessing the container format based on file extension.
  static bool Open(const char* filename,
                   const std::string& location,
                   bool verify_checksum,
                   std::string* error_msg,
                   std::vector<std::unique_ptr<const DexFile>>* dex_files);//@OpenDexFilesFromOatͨ^oatfile@dexfileʧֱӴ_Դdex@OpenDexFilesFromOatDexFile::OpenąД

1.1@߀ǰOpenDexFilesFromOat@Nһwaǰһƪ
[Asm] ı鿴 ƴa
std::vector<std::unique_ptr<const DexFile>> OatFileManager::OpenDexFilesFromOat(
    const char* dex_location,
    jobject class_loader,
    jobjectArray dex_elements,
    const OatFile** out_oat_file,
    std::vector<std::string>* error_msgs) {

  
  // Get the oat file on disk.
  std::unique_ptr<const OatFile> oat_file(oat_file_assistant.GetBestOatFile().release());//@@oat_fileLoadDexFilesʹ@oat_file@dex_files
  
 
    if (accept_oat_file) {
      VLOG(class_linker) << "Registering " << oat_file->GetLocation();
      source_oat_file = RegisterOatFile(std::move(oat_file));//@oat_fileעԽosource_oat_file
      *out_oat_file = source_oat_file;
    }
  }
  
  std::vector<std::unique_ptr<const DexFile>> dex_files;
  
  // Load the dex files from the oat file.
  
      dex_files = oat_file_assistant.LoadDexFiles(*source_oat_file, dex_location);//@ͨ^dsource_oat_file@dex_filesK{DexFile::Open@DexFile::Openһd
  
  // Fall back to running out of the original dex file if we couldn't load any
  // dex_files from the oat file.
  if (dex_files.empty()) {
    if (oat_file_assistant.HasOriginalDexFiles()) {
      if (Runtime::Current()->IsDexFileFallbackEnabled()) {
        static constexpr bool kVerifyChecksum = true;
        if (!DexFile::Open(
            dex_location, dex_location, kVerifyChecksum, /*out*/ &error_msg, &dex_files)) {//LoadDexFiles]Ы@dex_filesֱDexFile::Open_dԭʼdexfile@DexFile::Openһd
          LOG(WARNING) << error_msg;
          error_msgs->push_back("Failed to open dex files from " + std::string(dex_location)
                                + " because: " + error_msg);
        }
  
  
  return dex_files;
}

1.2@oatfile@dexfile·DexFile::Open]ɶֱ{OpenCommon

[Asm] ı鿴 ƴa
std::unique_ptr<const DexFile> DexFile::Open(const uint8_t* base,
                                             size_t size,
                                             const std::string& location,
                                             uint32_t location_checksum,
                                             const OatDexFile* oat_dex_file,//@һƪthisoat_dex_fileǏ@ҳdex_fileŶ2dǏoat_dex_fileҵdex_fileԿ϶]{
                                             bool verify,
                                             bool verify_checksum,
                                             std::string* error_msg) {
  ScopedTrace trace(std::string("Open dex file from RAM ") + location);
  return OpenCommon(base,
                    size,
                    location,
                    location_checksum,
                    oat_dex_file,
                    verify,
                    verify_checksum,
                    error_msg);
}

2.@Dzͨ^oat_fileֱӴ_dexļDexFile::Open΢sһcД_zips߀dexK䌍Ҳ{OpenCommon
[Asm] ı鿴 ƴa
bool DexFile::Open(const char* filename,
                   const std::string& location,
                   bool verify_checksum,
                   std::string* error_msg,
                   std::vector<std::unique_ptr<const DexFile>>* dex_files) {
  ScopedTrace trace(std::string("Open dex file ") + std::string(location));
  DCHECK(dex_files != nullptr) << "DexFile::Open: out-param is nullptr";
  uint32_t magic;
  File fd = OpenAndReadMagic(filename, &magic, error_msg);//OpenAndReadMagicҲһÓcֱӴ_dex@@ﱻ{
  if (fd.Fd() == -1) {
    DCHECK(!error_msg->empty());
    return false;
  }
  if (IsZipMagic(magic)) {
    return DexFile::OpenZip(fd.Release(), location, verify_checksum, error_msg, dex_files);//Zip{DexFile::OpenZip
  }
  if (IsDexMagic(magic)) {
    std::unique_ptr<const DexFile> dex_file(DexFile::OpenFile(fd.Release(),
                                                              location,
                                                              /* verify */ true,
                                                              verify_checksum,
                                                              error_msg));//Dex{DexFile::OpenFile
    if (dex_file.get() != nullptr) {
      dex_files->push_back(std::move(dex_file));
      return true;
    } else {
      return false;
    }
  }
  *error_msg = StringPrintf("Expected valid zip or dex file: '%s'", filename);
  return false;
}

2.1ȿOpenZip߉݋ͨ^fdļ@ZipArchiveָʹ@ָ{OpenAllDexFilesFromZip̎ZipArchive

[Asm] ı鿴 ƴa
bool DexFile::OpenZip(int fd,
                      const std::string& location,
                      bool verify_checksum,
                      std::string* error_msg,
                      std::vector<std::unique_ptr<const DexFile>>* dex_files) {
  ScopedTrace trace("Dex file open Zip " + std::string(location));
  DCHECK(dex_files != nullptr) << "DexFile::OpenZip: out-param is nullptr";
  std::unique_ptr<ZipArchive> zip_archive(ZipArchive::OpenFromFd(fd, location.c_str(), error_msg));
  if (zip_archive.get() == nullptr) {
    DCHECK(!error_msg->empty());
    return false;
  }
  return DexFile::OpenAllDexFilesFromZip(*zip_archive,
                                         location,
                                         verify_checksum,
                                         error_msg,
                                         dex_files);
}

2.2ٿOpenAllDexFilesFromZip{OpenOneDexFileFromZipжdexδ_
[Asm] ı鿴 ƴa
std::unique_ptr<DexFile> DexFile::OpenCommon(const uint8_t* base,//@dex_ʼ
                                             size_t size,//@dexĴС
                                             const std::string& location,//@ǵַ
                                             uint32_t location_checksum,
                                             const OatDexFile* oat_dex_file,//ֱӴ_ļͨ^oatļ@dex@kNoOatDexFilehookӡ@ͿДһЩǷŗoatļdex\
                                             bool verify,
                                             bool verify_checksum,
                                             std::string* error_msg,
                                             VerifyResult* verify_result) {
  if (verify_result != nullptr) {
    *verify_result = VerifyResult::kVerifyNotAttempted;
  }
  std::unique_ptr<DexFile> dex_file(new DexFile(base,
                                                size,
                                                location,
                                                location_checksum,
                                                oat_dex_file));//@newһdex_filedex_filedY
  if (dex_file == nullptr) {
    *error_msg = StringPrintf("Failed to open dex file '%s' from memory: %s", location.c_str(),
                              error_msg->c_str());
    return nullptr;
  }
  if (!dex_file->Init(error_msg)) {//initʼ
    dex_file.reset();
    return nullptr;
  }
  if (verify && !DexFileVerifier::Verify(dex_file.get(),
                                         dex_file->Begin(),
                                         dex_file->Size(),
                                         location.c_str(),
                                         verify_checksum,
                                         error_msg)) {//VerifyC
    if (verify_result != nullptr) {
      *verify_result = VerifyResult::kVerifyFailed;
    }
    return nullptr;
  }
  if (verify_result != nullptr) {
    *verify_result = VerifyResult::kVerifySucceeded;
  }
  return dex_file;
}

ȻǮªĈDoԼ



4.NһfrIDA hookÓ_ܺÿһҶעϴΆҵͬWмһ߀ʲô}һddexK@_opencommonhookh^кڳ”cֱhookۙDz
[JavaScript] ı鿴 ƴa
/*  static std::unique_ptr<DexFile> OpenCommon(const uint8_t* base,
                                             size_t size,
                                             const std::string& location,
                                             uint32_t location_checksum,
                                             const OatDexFile* oat_dex_file,
                                             bool verify,
                                             bool verify_checksum,
                                             std::string* error_msg,
                                            VerifyResult* verify_result = nullptr); */
//@ǰ׿8.1ͬ汾һԼpulllibart.so_ida
var OpenCommon = Module.findExportByName("libart.so", "_ZN3art7DexFile10OpenCommonEPKhjRKNSt3__112basic_stringIcNS3_11char_traitsIcEENS3_9allocatorIcEEEEjPKNS_10OatDexFileEbbPS9_PNS0_12VerifyResultE");
console.log("[*] Opencommon method addr: " + OpenCommon);
Interceptor.attach(OpenCommon, {
    onEnter: function (args) {
        console.log("[*] begin = " + args[1]);//dexļbeginĵַ
        console.log("[*] size = " + args[2]);//䌍baseͿsize@Ҳ@]
        var begin = args[1];
                console.log("magic : " + Memory.readUtf8String(begin)); //ӡmagicDzdex
        var address = parseInt(begin,16) + 0x20;//ͨ^beginӋsizeַ
        var dex_size = Memory.readInt(ptr(address));//xsizeС
        console.log("sizee : " + dex_size);//^lFargs[2]һӵCbeginÓ
        var dex_file = new File("/data/data/com.xxx.xxx/" + dex_size.toString() + ".dex", "wb");//@Լ޸·÷apkԼdataĿȻԺҲ
        dex_file.write(Memory.readByteArray(begin, dex_size));//@ﰴֹdex
        dex_file.flush();
        dex_file.close();
        console.log("dump dex success");
    },
    onLeave: function (retval) {
        //@Ҳͨ^retval@dex_fileͨ^dexYҵbeginsizedump     
    }
});

psBִֵxԴaԼ`һAndroidfÓC--                                                                                                                                                                angelTomsеhttps://bbs.pediy.com/thread-252284.htm˼һwӹ̵ÓҪŽׂl¼ٱyyp
1.rCҪһҪdexȫdȴвȫӁ(oat_filedex_fileoatȫdҲ韩һc),ڼd֮ǰÓÓĿǚҲDzdex
2.ÓҪľdexļbeginַõ@ַļYͿҵsizeLͿÓ
3.ֻҪÓrCһпõdexļbeginַĵطÓw
begin惦dex_fileһпõdex_fileYĵطÓw
dex_fileY惦oat_dex_file Yһпõoat_dex_fileYĵطÓw
oat_dex_fileY惦oat_file Yһпõoat_fileYĵطÓw

4.@˼·ֻÓdexwӹȡӹ̵ȲBxdexdͷĈԴaٌ֮W
5.һƪBٌWoatļdԴa
Դa߀ǽhԭNd@https://bbs.pediy.com/thread-257917.htm

dexfile.zip

25.61 KB, dΔ: 4, de: ێ -1 CB

ۃr: 1 CBێ  [ӛ]

Mu

3ێ +3 ֵ +2
Ϯ + 1 Ļ؏
 L + 1 + 1 x[email protected]
sushangyu + 1 + 1 x[email protected]

鿴ȫu

lǰҪՓܕҪҵĴ𰸻ѽ˰l^ͬՈ؏Ͱl

؏

e

L
]
 | L l 2020-3-3 09:51 <
L 2020-3-3 09:53 ݋

Ϯ l 2020-3-3 09:42
С׵֙Cmax3 miui10 8.9.20 , 8.1

С׿ħ  libart.soЛ]opencommon@
оhook DexFile::Open  һҲbeginƫ0x20sizeһӵҵ_Ă
_ZN3art7DexFile4OpenEPKhjRKNSt3__112basic_stringIcNS3_11char_traitsIcEENS3_9allocatorIcEEEEjPKNS_10OatDexFileEbbPS9_
L
]
 | L l 2020-3-3 11:11 <
Ҵ¿һ so ]ɶ}hook DexFile::Openһӿdump һҲbeginƫ0x20sizeһӵҵ_Ă
_ZN3art7DexFile4OpenEPKhjRKNSt3__112basic_stringIcNS3_11char_traitsIcEENS3_9allocatorIcEEEEjPKNS_10OatDexFileEbbPS9_
]ԭ̫@߅߀ԭĭh߀ÿԼ{ԇ
ɳl
hu007 l 2020-3-3 08:35
L
3#
 | L l 2020-3-3 08:47 <
ƺͬW֪ô|lhook@3xxܞ
1.隤ܛД3xxĚjadx_dexcom.qihoo.utilƵlibjiagu.so
2._һcmdfrida -U -f com.xxx.xxx A
3._һcmd_frida -U -l tkk.js com.xxx.xxx
4.صһcmdresume֏app
5.пÓʾ
4#
Ϯ l 2020-3-3 08:47
Kځ ţ
^
5#
 L l 2020-3-3 08:50
ʾ: ֹ߱h Ԅ
6#
Ϯ l 2020-3-3 08:52
ܲ܁킀8.1dumpĽ̳  S㌑apk Ȼdump dex ڸȥ
L
7#
 | L l 2020-3-3 09:11 <
L 2020-3-3 09:21 ݋
Ϯ l 2020-3-3 08:52
ܲ܁킀8.1dumpĽ̳  S㌑apk Ȼdump dex ڸȥ

_ѽ ևN ֱ@_Ϳdump м
8#
Ϯ l 2020-3-3 09:40
ǂD openCommon к
9#
Ϯ l 2020-3-3 09:42
С׵֙Cmax3 miui10 8.9.20 , 8.1
12һ
б l

eҎt 棺Kֹˮ؏c}oP`P

ٻ؏ ղ б

RSSӆ|С|“ϵ҂|ŷƱ ( ICP16042023̖ | W 11010502030087̖ )

GMT+8, 2020-4-3 15:32

Powered by Discuz!

Copyright © 2001-2020, Tencent Cloud.

ٻ؏ ŷƱ б