开发demo
写一个简单的字符串“加密”处理,将字符串字符转成 ASCII 十六进制值。注意这只是可逆的编码而不是加密:没有密钥,任何拿到输出的人都能直接还原,它只能躲开最粗糙的 strings 扫描。
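// Hex-encodes every byte of `str` as two upper-case ASCII hex digits
// ("Hello from C++" -> "48656C6C6F2066726F6D20432B2B").
//
// NOTE: this is an *encoding*, not encryption. There is no key; anyone who
// can read the output (or hook this function, as shown later on this page)
// recovers the input byte-for-byte. It only hides literals from a naive
// `strings` scan.
//
// Embedded NUL bytes are encoded too: the loop walks str.size() bytes, not a
// C string. The digit table replaces the sprintf()/stringstream round trip of
// the first version, so no C formatting buffer is involved.
//
// Returns the encoded string; an empty input yields an empty string.
std::string StrToHex(std::string str){
    static const char kHexDigits[] = "0123456789ABCDEF";
    std::string result;
    result.reserve(str.size() * 2);   // exactly two output chars per input byte
    for (unsigned char c : str) {
        result.push_back(kHexDigits[c >> 4]);
        result.push_back(kHexDigits[c & 0x0F]);
    }
    return result;
}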
明文:Hello from C++
转换后:48656C6C6F2066726F6D20432B2B
再写一个转回明文的
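// Value of a single ASCII hex digit, or -1 if `c` is not one.
// Accepts both cases so "48656c6c6f" and "48656C6C6F" decode alike.
static int HexNibble(char c){
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

// Inverse of StrToHex(): decodes a string of hex digit pairs back to bytes.
//
// Input validation: the first version fed each pair to strtol(), which
// silently turned "4G", " 4", "+1" or a trailing odd digit into some byte.
// This version requires an even length and only [0-9a-fA-F] characters; on
// any other input it returns an empty string. A non-empty well-formed input
// never decodes to an empty string, so callers can treat
// `!str.empty() && HexToStr(str).empty()` as "malformed input". No exception
// is thrown because this runs under a JNI entry point, where an uncaught
// C++ exception would abort the process.
//
// NUL bytes ("00") are preserved in the result; use .size(), not the C-string
// length, if the decoded data may contain them.
std::string HexToStr(std::string str){
    if (str.size() % 2 != 0) return std::string();   // dangling nibble
    std::string newString;
    newString.reserve(str.size() / 2);
    for (std::string::size_type i = 0; i < str.size(); i += 2) {
        const int hi = HexNibble(str[i]);
        const int lo = HexNibble(str[i + 1]);
        if (hi < 0 || lo < 0) return std::string();   // non-hex character
        newString.push_back(static_cast<char>((hi << 4) | lo));
    }
    return newString;
}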
逆向分析
ida 反编译
// IDA pseudo-code of the JNI entry point (arm64 build, judging by the xsp/xbp
// stack annotations). The comments below read the decompiler output, not the
// original source; anything about helpers IDA did not name is an assumption.
__int64 __fastcall Java_com_android_nativedemo3_MainActivity_stringFromJNI(_JNIEnv *a1)
{
__int64 v2; // [xsp+18h] [xbp-98h]
// v4..v7 are four 24-byte stack objects, each later passed to std::string::~string,
// so they are the std::string temporaries (24 == libc++ sizeof(std::string) on arm64 — assumption).
char v4[24]; // [xsp+48h] [xbp-68h] BYREF
char v5[24]; // [xsp+60h] [xbp-50h] BYREF
char v6[24]; // [xsp+78h] [xbp-38h] BYREF
char v7[24]; // [xsp+90h] [xbp-20h] BYREF
__int64 v8; // [xsp+A8h] [xbp-8h]
// ARM64_SYSREG(3,3,13,0,2) is TPIDR_EL0 (thread pointer). Loading [TPIDR_EL0+40]
// at entry and re-reading it as the last statement looks like the stack-protector
// canary load/compare pair with the compare folded away by IDA — unrelated to the
// string handling; verify against the disassembly before relying on it.
v8 = *(_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2)) + 40);
// Presumably std::string(const char*) constructing v6. Note the "plaintext"
// literal is still a plain C string in the binary at this point — the encoding
// only covers what happens after this call.
sub_6A34C(v6, "Hello from C++");
// Result returned through a hidden result slot; the log call below shows the
// hex string ends up in v7. v6 (the by-value argument copy) dies right after.
StrToHex(v6);
std::string::~string(v6);
// Copy v7 -> v4 because HexToStr takes its argument by value.
std::string::basic_string(v4, v7);
// Decoded plaintext lands in v5 (logged as "hello:" and handed to Java below).
HexToStr(v4);
std::string::~string(v4);
// Both the hex form and the recovered plaintext are written to logcat, so the
// round-trip protects nothing at runtime: `adb logcat -s JNI_LOG` shows the
// plaintext with no hooking at all. (In this view the %s argument is the
// std::string object itself; the source presumably passes .c_str().)
__android_log_print(4, "JNI_LOG", "hexHello: %s", v7);
__android_log_print(4, "JNI_LOG", "hello: %s", v5);
// Plaintext also crosses into the Java heap as a jstring.
v2 = _JNIEnv::NewStringUTF(a1, v5);
std::string::~string(v5);
std::string::~string(v7);
// Second TPIDR_EL0 read: the exit half of the presumed canary check (see above).
_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2));
return v2;
}
hook StrToHex 和 HexToStr 这两个函数打印字符串
找到这两个函数的导出函数名
Module.getExportByName 通过导出函数名 hook(这两个函数的符号没有隐藏,IDA 才能直接按名字显示它们;实际导出名通常是 C++ name mangling 后的符号,可用 nm -D / readelf 或 Frida 的 Module.enumerateExports 查看),当然也可以计算地址 hook。即使用 -fvisibility=hidden 或 strip 去掉符号,也只是把攻击者逼去算偏移:明文必然会在内存中出现,hook 或 dump 内存同样能拿到。
脚本代码: https://download.csdn.net/download/u013170888/89699231
运行打印结果:可以看到参数1就是明文字符串。这里的参数1(x0)是按值传入的 std::string 对象:对 StrToHex 它就是明文;对 HexToStr 它是十六进制串,明文在返回值里——arm64 下 std::string 这类返回值经 x8 指向的间接返回缓冲区传出,要在 onEnter 记下 x8、在 onLeave 再读。
我这里还顺带hook打印了sp 和 x1