apkunpacker / AntiFrida_Bypass

Generic Script To Bypass Some AntiFrida Checks

AntiFrida_Google.js Using CModule failed #6

Open 350030173 opened 3 months ago

350030173 commented 3 months ago

For AntiFrida_Google.js, I tried to do the hook with the following code (I thought hooking from JavaScript would be too slow and that a CModule would be faster), but it fails:

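// Addresses of the native functions the CModule below links against through
// its symbol map, plus the strlen export being hooked.
// getExportByName() throws when a symbol is missing; findExportByName() would
// instead return null, and a null entry in the CModule symbol map only shows up
// later as a bad call from native code. Failing at script load is the safer
// behaviour, so all lookups use the throwing variant.
const __android_log_print_ptr = Module.getExportByName(null, '__android_log_print');
const strlen = Module.getExportByName(null, 'strlen');
const malloc_ptr = Module.getExportByName(null, 'malloc');
const perror_ptr = Module.getExportByName(null, 'perror');
const exit_ptr = Module.getExportByName(null, 'exit');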

Interceptor.attach(strlen, new CModule(`

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <gum/gumprocess.h>
#include <gum/guminterceptor.h>

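/* Symbols resolved at load time through the symbol map passed to the CModule
 * constructor below: on_message is the JavaScript NativeCallback, the rest are
 * process exports. Prototypes must match the real functions: perror() and
 * exit() return void, so declaring them as returning a value is undefined
 * behaviour and conflicts with the <stdio.h>/<stdlib.h> prototypes included
 * above. __android_log_print is declared here but not called in this module. */
extern void on_message(const gchar *message);
extern int __android_log_print(int prio, const char *tag, const char *fmt, ...);
extern void *malloc(size_t byte_count);
extern void perror(const char *s);
extern void exit(int status);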

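/**
 * Return a newly allocated copy of bigString in which every non-overlapping,
 * left-to-right occurrence of oldSubString is replaced by newSubString.
 *
 * Example: with oldSubString "rwxp" and newSubString "r-xp",
 *   "79859ea000-79859ec000 rwxp 001a8000 07:90 118   /apex/com.android.art/lib64/libart.so"
 * becomes
 *   "79859ea000-79859ec000 r-xp 001a8000 07:90 118   /apex/com.android.art/lib64/libart.so"
 *
 * @param bigString     source text (NUL-terminated)
 * @param oldSubString  text to search for; an empty needle matches nothing,
 *                      so the result is a plain copy of bigString (the
 *                      previous version looped forever on an empty needle)
 * @param newSubString  replacement text (may be empty, may differ in length)
 * @return heap buffer owned by the caller (release with free()), or NULL if
 *         any argument is NULL. On allocation failure perror() is called and
 *         the process exits with a non-zero status.
 */
char *replaceSubstring(const char *bigString, const char *oldSubString, const char *newSubString)
{
    if (bigString == NULL || oldSubString == NULL || newSubString == NULL) {
        return NULL;
    }

    size_t bigLen = strlen(bigString);
    size_t oldLen = strlen(oldSubString);
    size_t newLen = strlen(newSubString);

    /* Pass 1: count non-overlapping matches. strstr() jumps straight to the
     * next occurrence instead of re-searching from every byte. An empty
     * needle would match at every position without advancing, so it is
     * treated as "no matches". */
    size_t count = 0;
    if (oldLen > 0) {
        for (const char *hit = strstr(bigString, oldSubString); hit != NULL;
             hit = strstr(hit + oldLen, oldSubString)) {
            count++;
        }
    }

    /* count * oldLen never exceeds bigLen, so subtracting it first keeps the
     * unsigned arithmetic from wrapping when the replacement is shorter. */
    size_t totalLen = bigLen - count * oldLen + count * newLen;

    char *result = malloc(totalLen + 1);
    if (result == NULL) {
        perror("Memory allocation failed");
        exit(1);  /* non-zero: this is a failure, not a normal exit */
    }

    /* Pass 2: copy the gap before each match verbatim, then splice in the
     * replacement and continue after the match. */
    char *dst = result;
    const char *src = bigString;
    if (oldLen > 0) {
        for (const char *hit = strstr(src, oldSubString); hit != NULL;
             hit = strstr(src, oldSubString)) {
            size_t gap = (size_t)(hit - src);
            memcpy(dst, src, gap);
            dst += gap;
            memcpy(dst, newSubString, newLen);
            dst += newLen;
            src = hit + oldLen;
        }
    }
    size_t tail = (size_t)(bigString + bigLen - src);
    memcpy(dst, src, tail);
    dst += tail;
    /* Written as a plain 0 rather than a character escape: this source lives
     * inside a JavaScript template literal, where a backslash is consumed by
     * JavaScript before the C compiler ever sees it. */
    *dst = 0;

    return result;
}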

/* Needle and replacement used by onEnter() below. Both are four characters
 * (plus the terminator), so a rewritten string has the same length as the
 * original and the hooked strlen() returns the same value for it. */
char oldSubString[5] = "rwxp";
char newSubString[5] = "r-xp";

    /*
     * Interceptor.attach() onEnter callback for the strlen() hook installed
     * above. Runs before every call that reaches the hooked strlen().
     *
     * ic->cpu_context->x[0] is the first argument register on arm64 (the
     * crash report in this issue is from an arm64 process); the callback
     * assumes that ABI.
     *
     * When the string contains oldSubString, a rewritten copy is allocated
     * with replaceSubstring() and x0 is pointed at it, so strlen() measures
     * the copy. The caller's original buffer is left untouched, and the copy
     * is never freed, so memory grows by one allocation per matching call.
     * replaceSubstring() exits the process on allocation failure, which is
     * why its result is not checked here.
     */
    void onEnter (GumInvocationContext * ic)
    {
        /* First argument of strlen(): the string about to be measured. */
        char *str =  (char *)ic->cpu_context->x[0];

        char *position = strstr(str, oldSubString);

        // on_message((char *)ic->cpu_context->x[0]); // debug: log every string seen
        if (position != NULL)
        {
            str = replaceSubstring(str,oldSubString,newSubString);
            /* NOTE(review): assigning through a cast is not standard C (a
             * cast yields an rvalue, not an lvalue); this relies on the
             * CModule toolchain accepting it. */
            (char *)ic->cpu_context->x[0] = str;
            /* Hands the rewritten string to the JavaScript NativeCallback
             * registered in the symbol map, which console.log()s it. */
            on_message((char *)ic->cpu_context->x[0]);
        }

    }

`, { 

    malloc: malloc_ptr,
    perror: perror_ptr,
    exit: exit_ptr,
    __android_log_print: __android_log_print_ptr,
    on_message: new NativeCallback(function (strings)
    {
        console.log(strings.readUtf8String());
    }, 'void', ['pointer']),

 }));
350030173 commented 3 months ago

and the output is:

λ frida -U -l C:\Users\Administrator\Desktop\test.js -f com.xxxxxx
     ____
    / _  |   Frida 16.1.11 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to 22021211RC (id=9c5f9a93)
Spawned `com.xxxxxx`. Resuming main thread!
[22021211RC::com.xxxxxx ]->
7007a000-7007b000 r-xp 000ab000 fc:13 63                                 /apex/com.android.art/javalib/arm64/boot.oat

7ae1286000-7ae1287000 rwxp 00286000 fc:13 108                            /apex/com.android.art/lib64/libart.so
Process crashed: Bad access due to invalid address

***
*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'Redmi/munch/munch:12/SKQ1.211006.001/V13.0.5.1.22.DEV:user/release-keys'

Revision: '0'
ABI: 'arm64'
Timestamp: 2024-04-16 15:08:13.002795367+0800
Process uptime: 0s
Cmdline: com.xxxxxx
pid: 18268, tid: 18268, name: cksimulator2024  >>> com.xxxxxx <<<

uid: 12259
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x2584db664f4faf
    x0  b400007abec9cd80  x1  00000000ffff0013  x2  000000000000002f  x3  0000000000000002

    x4  0000000000000008  x5  000000000000006f  x6  0000000000000036  x7  7f7f7f7f7f7f7fff

    x8  00000000000000b4  x9  c9780c52f2eb5598  x10 000000003f800000  x11 0000007a634b5b58

    x12 00000000ccf61ab3  x13 0000000000007b5f  x14 000000000000cb9b  x15 000000000000cb9d

    x16 0000007b73148d60  x17 0000007b73138874  x18 0000007b8c89c000  x19 0000007fd8c7ca00

    x20 b400007abec9cd80  x21 000000000001a94c  x22 86f1ef31d0362dbf  x23 00000000a46f434f

    x24 00000000f426db45  x25 0000000003a2c317  x26 00000000ffffe7d8  x27 ec6e5e4fb82999b0

    x28 3a2584db664f4fa7  x29 0000007fd8c7c9e8
    lr  0000007a63493fc8  sp  0000007fd8c7c910  pc  0000007a63493fe8  pst 0000000060001000

backtrace:
      #00 pc 000000000003ffe8  /data/app/~~7QtHL7iiKK_eHpMaUb0sXg==/com.xxxxxx-YNi9xiaFL7diArCnzmoVlQ==/lib/arm64/libpairipcore.so

***
[22021211RC::com.xxxxxx ]->

Thank you for using Frida!