Anti-debugging is usually implemented in a .so file: while the app is starting, a .so checks internally whether Frida is present, and if it finds a Frida process the app simply exits.
Use a script to print which .so files are loaded while the app starts, then work out which .so is the one that closes the app during its own load.
import frida
import sys

# Needs frida-server running on the device; use frida.get_usb_device()
# instead if the device is attached over USB rather than a forwarded port.
rdev = frida.get_remote_device()
# Spawn the target so the hooks are installed before any app .so is loaded.
pid = rdev.spawn(["com.app.name"])   # replace with the target package name
session = rdev.attach(pid)

scr = """
// Native hooks do not need Java.perform; install them right away.
// On Frida 17+ Module.findExportByName(null, ...) was replaced by
// Module.findGlobalExportByName(name).
function hookLoader(name, tag) {
    var addr = Module.findExportByName(null, name);
    if (addr === null) {
        console.log("[!] " + name + " not found");
        return;
    }
    Interceptor.attach(addr, {
        onEnter: function (args) {
            // args[0] is the path passed to dlopen / android_dlopen_ext.
            // Logging in onEnter means the last line printed before the
            // process dies is the library whose load was in progress.
            var path = args[0].isNull() ? "<null>" : args[0].readCString();
            console.log(tag, path);
        },
        onLeave: function (retval) {
        }
    });
}
hookLoader("dlopen", "[dlopen:]");
hookLoader("android_dlopen_ext", "[dlopen_ext:]");
"""

script = session.create_script(scr)

def on_message(message, data):
    print(message, data)

# Register the handler before load() so no message is missed.
script.on("message", on_message)
script.load()
rdev.resume(pid)
# Keep the host process alive so the hooks stay in place.
sys.stdin.read()
Judging from the log output, the .so that detects the Frida process must be one of the last few loaded. Because the hook prints in onEnter, the last line printed is the library whose load was in progress when the process died, so deleting the last .so (from the APK's lib directory, then repacking and re-signing) made the app work.
If deleting the last one does not help, delete the second-to-last as well. This only pins down a check that runs during the library's own load (constructors or JNI_OnLoad); a check that is started on a background thread can fire later, in which case hooking exit/_exit/kill and printing a backtrace attributes it more reliably than removing libraries one by one.
[dlopen:] /system/lib64/libc.so
[dlopen_ext:] /data/app/com.hupu.shihuo-8I4NSUy8Hpu776OgExLkYw==/lib/arm64/libvcnverify.so
[dlopen_ext:] /data/app/com.hupu.shihuo-8I4NSUy8Hpu776OgExLkYw==/lib/arm64/libvcnverifylite.so
[dlopen_ext:] /data/app/com.hupu.shihuo-8I4NSUy8Hpu776OgExLkYw==/lib/arm64/libavmdlbase.so
[dlopen_ext:] /data/app/com.hupu.shihuo-8I4NSUy8Hpu776OgExLkYw==/lib/arm64/libavmdl.so
[dlopen:] libandroid.so
[dlopen_ext:] /data/app/com.hupu.shihuo-8I4NSUy8Hpu776OgExLkYw==/lib/arm64/libvcnverify.so
[dlopen:] libc.so
[dlopen:] libandroid.so
[dlopen_ext:] /data/app/com.hupu.shihuo-8I4NSUy8Hpu776OgExLkYw==/lib/arm64/libsgmiddletierso-5.5.53.so
[dlopen:] libc.so
[dlopen_ext:] /data/app/com.hupu.shihuo-8I4NSUy8Hpu776OgExLkYw==/lib/arm64/libaliadtanx-lib.so
[dlopen_ext:] /data/app/com.hupu.shihuo-8I4NSUy8Hpu776OgExLkYw==/lib/arm64/libmsaoaidsec.so
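As an added example (not code from the original page), the helper below applies the ranking used above to the hook's log output: it parses the `[dlopen:]` / `[dlopen_ext:]` lines, keeps only libraries bundled in the APK (under `/data/app/.../lib/<abi>/`), and orders them by how late each was last opened, so the first candidate returned is the one to remove or hook first. The log lines embedded in it are constructed (package name and path hash are made up) and the path pattern is deliberately loose so it also matches the newer `/data/app/~~<random>/<pkg>-<random>/` layout.

```python
import re
from collections import OrderedDict

# Constructed sample log in the format the Frida hook prints; the package
# name and path hash are made up, this is not captured output.
SAMPLE_LOG = """\
[dlopen:] /system/lib64/libc.so
[dlopen_ext:] /data/app/com.example.app-AbCdEf==/lib/arm64/libverify.so
[dlopen_ext:] /data/app/com.example.app-AbCdEf==/lib/arm64/libbase.so
[dlopen:] libandroid.so
[dlopen_ext:] /data/app/com.example.app-AbCdEf==/lib/arm64/libverify.so
[dlopen:] libc.so
[dlopen_ext:] /data/app/com.example.app-AbCdEf==/lib/arm64/libmiddletier-5.5.53.so
[dlopen_ext:] /data/app/com.example.app-AbCdEf==/lib/arm64/libads.so
[dlopen_ext:] /data/app/com.example.app-AbCdEf==/lib/arm64/libsec.so
"""

# "[dlopen:] <path>" or "[dlopen_ext:] <path>"
LINE_RE = re.compile(r"^\[(dlopen|dlopen_ext):\]\s+(\S+)\s*$")
# Libraries shipped inside the APK live under /data/app/<...>/lib/<abi>/.
# The middle part is left loose so /data/app/~~xxx/<pkg>-yyy==/ also matches.
APP_LIB_RE = re.compile(r"^/data/app/.+/lib/([^/]+)/(lib[^/]+\.so)$")


def parse_log(text):
    """Return (hook, path) tuples for every well-formed log line, in order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m.group(1), m.group(2)))
    return events


def app_libraries(events):
    """Keep only libraries bundled in the APK, one entry per library name,
    remembering the index of the *last* time each one was opened."""
    last_seen = OrderedDict()
    for idx, (_hook, path) in enumerate(events):
        m = APP_LIB_RE.match(path)
        if m:
            name = m.group(2)
            last_seen.pop(name, None)   # re-opened: move it to the end
            last_seen[name] = (idx, path)
    return last_seen


def rank_candidates(text):
    """Rank the APK's own libraries latest-loaded first. Because the hook logs
    in onEnter, the library loaded last before the process died is the one
    whose load was in progress, so it is the first candidate to remove."""
    libs = app_libraries(parse_log(text))
    ordered = sorted(libs.items(), key=lambda kv: kv[1][0], reverse=True)
    return [name for name, _ in ordered]


if __name__ == "__main__":
    for i, name in enumerate(rank_candidates(SAMPLE_LOG), 1):
        print(f"{i}. {name}")
```

Run it against a real capture by replacing `SAMPLE_LOG` with the saved output of the hook; system libraries such as libc.so and libandroid.so are ignored on purpose, since they are not something you can remove from the APK.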