先来了解一下 jni so 文件加载流程:加载so->链接so->初始化(init_proc)->数组初始化(init_array)->jni_onLoad
在本例中,libmsaoaidsec.so 会在初始化的时候创建 3 条检测 Frida 的线程,我们只需要让这 3 条线程不运行即可绕过检测,理论上支持所有使用 libmsaoaidsec.so 来反 Frida 调试的app
线程创建记录
#0x7749a83000 是模块基地址
#0x7749a9f544 是线程函数地址
函数地址 - 基地址 = 偏移
[Pixel 4::tv.danmaku.bili ]-> libmsaoaidsec.so --- 0x7749a83000
The thread function address is 0x782b5394ec
The thread function address is 0x782b5394ec
The thread function address is 0x782b5394ec
The thread function address is 0x782b5394ec
The thread function address is 0x782b5394ec
The thread function address is 0x782b5394ec
The thread function address is 0x782b5394ec
The thread function address is 0x782b5394ec
The thread function address is 0x782b5394ec
The thread function address is 0x782b5394ec
The thread function address is 0x782b5394ec
The thread function address is 0x782b5394ec
The thread function address is 0x782b5394ec
The thread function address is 0x782b5394ec
The thread function address is 0x782b5394ec
The thread function address is 0x7749a9f544
The thread function address is 0x7749a9e8d4
The thread function address is 0x7749aa9e5c
The thread function address is 0x782b5394ec
The thread function address is 0x782b5394ec
The thread function address is 0x782b5394ec
The thread function address is 0x782b5394ec
Process terminatedfunction hook_dlopen(soName = '') {
Interceptor.attach(Module.findExportByName(null, "android_dlopen_ext"),
{
onEnter: function (args) {
var pathptr = args[0];
if (pathptr !== undefined && pathptr != null) {
var path = ptr(pathptr).readCString();
// console.log(path)
if (path.indexOf(soName) >= 0) {
locate_init()
}
}
}
}
);
}
function locate_init() {
let secmodule = null
Interceptor.attach(Module.findExportByName(null, "__system_property_get"),
{
// _system_property_get("ro.build.version.sdk", v1);
onEnter: function (args) {
secmodule = Process.findModuleByName("libmsaoaidsec.so")
var name = args[0];
if (name !== undefined && name != null) {
name = ptr(name).readCString();
if (name.indexOf("ro.build.version.sdk") >= 0) {
// 这是.init_proc刚开始执行的地方,是一个比较早的时机点
// do something
hook_pthread_create()
}
}
}
}
);
}
let i = 0;
function hook_pthread_create() {
//只有三条检测线程被干掉之后才开始hook
if (i >= 3) {
hook()
}
let baseAddress = Process.findModuleByName("libmsaoaidsec.so").base;
console.log("libmsaoaidsec.so --- " + baseAddress);
Interceptor.replace(Module.findExportByName("libc.so", "pthread_create"), new NativeCallback(function (attr, start_routine, arg1, arg2) {
// console.log("The thread function address is ", arg1)
let func_addr = arg1.sub(baseAddress); // 计算相对地址
// 判断 func_addr 的值是否为指定的偏移
if (func_addr.equals(ptr(0x1B8D4)) || func_addr.equals(ptr(0x26E5C)) || func_addr.equals(ptr(0x1c544))) {
i++
console.log(func_addr, i)
//假装成功创建线程
return 0
}
// 获取系统库中的 pthread_create 函数并调用
let pthread_create = new NativeFunction(Module.findExportByName("libc.so", "pthread_create"), 'int', ['pointer', 'pointer', 'pointer', 'pointer']);
return pthread_create(attr, start_routine, arg1, arg2);
}, 'int', ['pointer', 'pointer', 'pointer', 'pointer']));
}
setImmediate(hook_dlopen, "libmsaoaidsec.so")
function hook() {
console.log("HOOK")
//x-bili-ticket 字段相关 hook
Java.perform(function () {
let C64171a = Java.use("com.bilibili.lib.ticket.internal.rpc.req.a");
C64171a["a"].implementation = function () {
console.log(`C64171a.m177035a is called`);
let result = this["a"]();
console.log(`C64171a.m177035a result=${result}`);
return result;
};
})
let C64170a = Java.use("com.bilibili.lib.ticket.internal.rpc.a");
C64170a["b"].implementation = function () {
console.log(`C64170a.m177037b is called`);
let result = this["b"]();
console.log(`C64170a.m177037b result=${result}`);
return result;
};
}
运行脚本 frida -U -f tv.danmaku.bili -l ./bilibili.js
参考文章:
佬也在找 app 端加密获取 ticket 的请求的 hmac 密钥么, 我印象里我在半年前已经扒出来发到 github 了, 不过还是感谢佬分享不用我再去扒一遍 frida 检测逻辑, 大半年没用frida都生疏了()