开发demo
写一个简单的字符串加密处理,将字符串字符转成ASCII十六进制值
std::string StrToHex(std::string str){unsigned char c;char buf[3];std::string result = "";std::stringstream ss;ss << str;while (ss.read((char *)(&c), sizeof(c))){sprintf(buf, "%02X", c);result += buf;}return result;
}
明文:Hello from C++
转换后:48656C6C6F2066726F6D20432B2B
再写一个转回明文的
std::string HexToStr(std::string str){std::string hex = str;long len = hex.length();std::string newString;for (long i = 0; i < len; i += 2){std::string byte = hex.substr(i, 2);char chr = (char)(int)strtol(byte.c_str(), NULL, 16);newString.push_back(chr);}return newString;
}
逆向分析
ida 反编译
__int64 __fastcall Java_com_android_nativedemo3_MainActivity_stringFromJNI(_JNIEnv *a1)
{__int64 v2; // [xsp+18h] [xbp-98h]char v4[24]; // [xsp+48h] [xbp-68h] BYREFchar v5[24]; // [xsp+60h] [xbp-50h] BYREFchar v6[24]; // [xsp+78h] [xbp-38h] BYREFchar v7[24]; // [xsp+90h] [xbp-20h] BYREF__int64 v8; // [xsp+A8h] [xbp-8h]v8 = *(_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2)) + 40);sub_6A34C(v6, "Hello from C++");StrToHex(v6);std::string::~string(v6);std::string::basic_string(v4, v7);HexToStr(v4);std::string::~string(v4);__android_log_print(4, "JNI_LOG", "hexHello: %s", v7);__android_log_print(4, "JNI_LOG", "hello: %s", v5);v2 = _JNIEnv::NewStringUTF(a1, v5);std::string::~string(v5);std::string::~string(v7);_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2));return v2;
}
hook StrToHex 和 HexToStr 这两个函数打印字符串
找到这两个函数的导出函数名
Module.getExportByName 通过导出函数名hook,当然也可以计算地址hook
脚本代码: https://download.csdn.net/download/u013170888/89699231
运行打印结果:可以看到参数1就是明文字符串
我这里还顺带hook打印了sp 和 x1
