import frida
import sys,os
# Frida version this script was written against: 12.5.7
# Spawn the target on the USB-attached device and attach before it runs, so the
# process starts suspended and is only released by resume() once the session
# exists.  (An alternative is a network device via frida.get_remote_device() and
# attach() on an already-running package.)
target_package = "com.ylc2.qp.Pokermate"
device = frida.get_usb_device()
pid = device.spawn([target_package])
session = device.attach(pid)
device.resume(pid)
# Frida agent (JavaScript) source, injected into the spawned process. Read it as:
#  1. Hook dlopen() and log every library name passed to it.
#  2. On the first name containing 'libcocos2dcpp.so', log a backtrace of the
#     caller; when that dlopen() returns, run getsaltsign() and createSign()
#     once (need_hook goes 0 -> 1 -> -1).  Presumably deferred to onLeave
#     because the library's base address is only resolvable after it is mapped.
#  3. getsaltsign(): attaches at base-of-libcocos2dcpp.so + 0x009DB27D and, on
#     return, reads the u32 at retval, treats it as a pointer and logs the C
#     string there.  The export _ZN4Tool10CreateSignESs is resolved and logged
#     here but not hooked here.
#  4. createSign(): attaches to that export and logs the C string reached via
#     the u32 stored at args[2].
# The '\\n' escapes are doubled so the JavaScript source receives '\n'.
# NOTE(review): dlopen(NULL, ...) is a legal call; if readUtf8String() yields
# null for a null args[0], the .search() on `name` will throw inside the hook.
# Confirm that case cannot occur, or guard on args[0].isNull() first.
# NOTE(review): 0x009DB27D is a hard-coded offset, so it is tied to one specific
# build of the library; on any other build the hook lands on unrelated code.
script = session.create_script("""
var dlopen_ptr = Module.findExportByName(null, 'dlopen');
console.log(dlopen_ptr);
var need_hook = 0;
Interceptor.attach(dlopen_ptr,
{
onEnter: function(args)
{
// var name = Memory.readUtf8String(args[0]);
var p = new NativePointer(''+args[0]);
var name = p.readUtf8String()
console.log('dlopen load:'+name);
if(name.search('libcocos2dcpp.so')!=-1 && need_hook==0) //hook时机。。
{
need_hook = 1;
console.log('dlopen libcocos2dcpp.so called from:\\n' + Thread.backtrace(this.context, Backtracer.ACCURATE).map(DebugSymbol.fromAddress).join('\\n'));
}
},
onLeave: function(retval)
{
if(need_hook==1)
{
console.log("need_hook");
need_hook = -1;
getsaltsign();
createSign();
}
}
}
);
function getsaltsign() { //char ** getsaltsign()
console.log("getsaltsign");
var soaddr0 = Module.getExportByName("libcocos2dcpp.so", "_ZN4Tool10CreateSignESs");
console.log("[+] so address0:" + soaddr0)
var soaddr = Module.findBaseAddress('libcocos2dcpp.so').add(ptr('0x009DB27D'));
console.log("[+] so address:" + soaddr)
Interceptor.attach(soaddr, {
onEnter: function(args) {},
onLeave: function(retval) {
//console.log("retval:" + readStdString(retval));
//console.log("retval:" + hexdump(retval, { length: 100, ansi: true }));
//console.log('add='+retval.add(ptr('4')).readU32())
var p = ptr(''+retval.readU32());
//console.log('p='+p)
//console.log("retval:" + hexdump(p, {length: 100, ansi: true}));
console.log("getsaltsign retval:"+ p.readCString())
}
});
}
function createSign() { //createSign(int a1,int a2, char **a3)
console.log("createSign");
var soaddr = Module.getExportByName("libcocos2dcpp.so", "_ZN4Tool10CreateSignESs");
console.log("[+] createSign address:" + soaddr)
Interceptor.attach(soaddr, {
onEnter: function(args) {
//console.log("createSign args[2]:" + hexdump(args[2], { length: 100, ansi: true }));
var p = ptr(''+args[2].add(ptr('0')).readU32());
//console.log("createSign args[2]0:" + hexdump(p, {length: 100, ansi: true}));
console.log("createSign args[2]:"+ p.readCString())
},
onLeave: function(retval) {
/*
//console.log("retval:" + readStdString(retval));
console.log("retval:" + hexdump(retval, { length: 100, ansi: true }));
console.log('add='+retval.add(ptr('4')).readU32())
var p = ptr(''+retval.readU32());
console.log('p='+p)
console.log("retval:" + hexdump(p, {length: 100, ansi: true}));
*/
}
});
}
""")
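def write(path, content):
    """Store the raw bytes *content* at *path*, creating parent directories.

    Args:
        path: Destination file path. Its directory is created when missing;
            a bare filename (no directory part) is written to the cwd.
        content: Bytes to write. The file is truncated if it already exists.
    """
    print('write:', path)
    folder = os.path.dirname(path)
    # os.makedirs('') raises, so only create a directory when there is one;
    # exist_ok replaces the racy exists()/makedirs() pair.
    if folder:
        os.makedirs(folder, exist_ok=True)
    # The context manager closes the handle even if the write fails; the
    # original relied on garbage collection to flush and close it.
    with open(path, 'wb') as fh:
        fh.write(content)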
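def on_message(message, data):
    """Receive a message from the injected agent and dump its payload to disk.

    A ``send`` message is expected to carry ``payload['name']`` (a relative
    script path, or sometimes the Lua source text itself) and
    ``payload['content']``.  Short names are written as files under the dump
    directory; names longer than 100 characters are treated as inline script
    text and appended to the ``the_comm`` side file instead.

    Args:
        message: Frida message dict (``type``, ``payload``, or ``description``
            for script errors).
        data: Optional binary blob accompanying the message; unused here.
    """
    base_dir = "/Users/ne0/Downloads/ddlua/"
    # Frida also delivers {'type': 'error', ...} when the agent throws; the
    # original bare except hid those, which makes hook failures invisible.
    if message.get('type') != 'send':
        print("non-send message:", message)
        return
    payload = message.get('payload')
    if not isinstance(payload, dict) or not payload.get('name'):
        return
    # `name` may not be a script name at all but the Lua script text itself.
    name = payload['name']
    try:
        if len(name) > 100:
            print("ilg name:", name)
            the_comm = base_dir + "the_comm"
            with open(the_comm, 'a+') as fh:
                fh.write(name)
            return
        target = base_dir + name
        # `name` is produced inside the instrumented app, so it is untrusted:
        # refuse anything (e.g. '..' segments) that resolves outside base_dir.
        root = os.path.realpath(base_dir)
        if os.path.commonpath([root, os.path.realpath(target)]) != root:
            print("refusing path outside dump dir:", name)
            return
        content = payload['content'].encode('utf-8')
        # write() creates the parent directory itself.
        write(target, content)
    except Exception as e:
        # Keep the message loop alive, but do not hide the failure.
        print("on_message error:", repr(e))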
# Route agent messages (the Lua dumps) to on_message, inject the agent, then
# block on stdin so the hooks stay installed until input is closed.
script.on('message', on_message)
script.load()
# NOTE(review): device.resume(pid) already ran further up, so the target may
# dlopen libraries during early startup before this load() installs the hook;
# if libcocos2dcpp.so is ever missed, resume after load() instead.
sys.stdin.read()