nowsecure / r2frida

Radare2 and Frida better together.
MIT License
1.18k stars, 121 forks

No_message_afl_android10 #229

Closed. BurningTeng closed this issue 4 years ago.

BurningTeng commented 4 years ago

I want to debug an .so file on Android 10. I use the command r2 -d frida://usb//25654 (Chrome), then I use the command \dm* to show all .so files. Then I use the commands below, but there is no output when I run the r2 command afl.

[0x00000000]> \iE* libjnigraphics.so
f sym.fun.AndroidBitmap_getInfo = 0xde0a8013
f sym.fun.AndroidBitmap_lockPixels = 0xde0a8039
f sym.fun.AndroidBitmap_unlockPixels = 0xde0a8065
[0x00000000]> s 0xde0a8013
[0xde0a8013]> aaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[Warning: Invalid range. Use different search.in=? or anal.in=dbg.maps.x
[x] Analyze function calls (aac)
[Warning: Invalid range. Use different search.in=? or anal.in=dbg.maps.x
[x] find and analyze function preludes (aap)
[x] Analyze len bytes of instructions for references (aar)
[x] Check for objc references
[x] Check for vtables
[x] Finding xrefs in noncode section with anal.in=io.maps
[x] Analyze value pointers (aav)
[Warning: Invalid range. Use different search.in=? or anal.in=dbg.maps.x
[x] Emulate code to find computed references (aae)
[TOFIX: aaft can't run in debugger mode.ions (aaft)
[x] Type matching analysis for all functions (aaft)
[x] Propagate noreturn information
[x] Use -AA or aaaa to perform additional experimental analysis.
[0xde0a8013]> afl

trufae commented 4 years ago

There's no code at address 0. That's expected. Import the flags from the agent side, seek there and use af @@ sym*, or use the boundaries to tell from where to where to analyze.

(Replied by e-mail on 4 May 2020 at 04:51, quoting the comment above.)

BurningTeng commented 4 years ago

[0x00000000]> s 0xde0a8013
[0xde0a8013]> aaa

From the above, I have used s to seek to the address, and it is 0xde0a8013, not 0. What is wrong with my operation?

On the other hand, I want to know how to "import the flags from the agent side, seek there and use af @@ sym* or use the boundaries to tell from where to where to analyze". I have tried it like this, but afl still shows nothing:

[0x00000000]> \iE* libjnigraphics.so
f sym.fun.AndroidBitmap_getInfo = 0xddfc7013
f sym.fun.AndroidBitmap_lockPixels = 0xddfc7039
f sym.fun.AndroidBitmap_unlockPixels = 0xddfc7065
[0x00000000]> afl 0xddfc7013
[0x00000000]> afl 0xddfc7039
[0x00000000]>

enovella commented 4 years ago

Hi,

r2 static commands like aaa and afl are not a great idea when dealing with dynamic memory at runtime.

[0x00000000]> \iE* libjnigraphics.so
f sym.fun.AndroidBitmap_getInfo = 0xddfc7013
f sym.fun.AndroidBitmap_lockPixels = 0xddfc7039
f sym.fun.AndroidBitmap_unlockPixels = 0xddfc7065
[0x00000000]> s 0xddfc7013
[0xddfc7013]> af
[0xddfc7013]> pdf

Just in case of doubt, you might want to read this wiki: https://github.com/enovella/r2frida-wiki
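The workflow from the two answers above (import the export flags from the agent side, define a function at each one, then disassemble), put into a single r2 script. This is an added example for this thread, not code from r2frida or its wiki. It assumes the thread's setup: Chrome running as pid 25654 on a USB device, libjnigraphics.so loaded, and the three AndroidBitmap_* exports shown above; the script file name is made up. The `\` prefix is the r2frida command prefix used in this thread (newer releases use `:`), and the leading `.` tells r2 to evaluate the `f ...` lines the agent prints as commands, so the flags exist on the r2 side before `af` runs.

```r2
# analyze_exports.r2 -- added example, not r2frida's own code.
# Run it against the process from the thread with:
#   r2 -d -i analyze_exports.r2 frida://usb//25654
# (pid 25654 and libjnigraphics.so are the thread's values; adjust for your target)

# import the memory maps and the exports of the library as r2 flags;
# '.' evaluates the printed "f name = addr" lines as r2 commands
.\dm*
.\iE* libjnigraphics.so

# define a function at every imported export instead of running aaa,
# which walks the whole address space and warns about invalid ranges
af @@ sym.fun.*

# afl now lists only the functions defined above
afl

# disassemble one of them as a function
pdf @ sym.fun.AndroidBitmap_getInfo

# or just dump instructions at an export without function analysis
pd 16 @ sym.fun.AndroidBitmap_lockPixels
```

The point of `af @@ sym.fun.*` is scope: analysis is limited to addresses the agent reported, so nothing is scanned in unmapped or non-code regions of the live process. The same pattern works with `\is* <lib>` for symbols instead of exports.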

BurningTeng commented 4 years ago

Thanks very much. But I have a question: if I want to see the assembly code of the .so file, how do I do that?

trufae commented 4 years ago

You seek there and use pd to disassemble.

(Replied by e-mail on 4 May 2020 at 12:07, quoting the comment above.)