CreditTone / hooker

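🔥🔥hooker is a reverse-engineering toolkit built on frida. It gives reverse engineers a unified way to manage script packages, universal scripts, automatic hook-script generation, in-memory discovery of activities and services, a frida version of JustTrustMe, and disable ssl pinning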


hooker now runs, but as soon as I enter a package name the app dies.

gtict112 opened this issue · comments

commented

3187 剑与远征 com.lilithgames.afk.aligames
23587 媒体存储 com.android.providers.media
3218 微信 com.tencent.mm
25374 用户字典 com.android.providers.userdictionary
25458 电话 com.google.android.dialer
1876 电话和短信存储 com.android.providers.telephony
1876 电话服务 com.android.phone
1547 系统界面 com.android.systemui
25374 联系人存储 com.android.providers.contacts
1058 设置存储 com.android.providers.settings
1819 谷歌拼音输入法 com.google.android.inputmethod.pinyin
26025 软件包安装程序 com.google.android.packageinstaller
1058 通话管理 com.android.server.telecom
22228 部落冲突 com.supercell.clashofclans
Enter the need to attach package.
: com.lilithgames.afk.aligames
It's com.lilithgames.afk.aligames that you have attached app.

Please enter e, s, j, c or ex command.
a: Discovering activities.
b: Discovering services.
c: Discovering object. eg:'c {objectId}'
d: Object2Explain. eg:'d {objectId}'
v: Discovering view. eg:'v {viewId}'
e: Determines whether a class exists. eg:'e android.app.Application'
s: Discovering classes by a class'regex. eg:'s com.tencent.mm.Message.*'
t: Discovering offspring classes by a class'name. eg:'t com.tencent.mm.BasicActivity'
j: Generating hooked js. eg:'j okhttp3.Request$Builder:build'
k: Generating hooked the string generation js with a keyword. eg:'k {YourKeyword}'
l: Generating hooked the param generation js with a param keyword. eg:'l {YourKeyword}'
m: Discovering so module.
ex: Exit to the upper layer. eg:'ex'
:
At this point the app has already died.
-------- The cause is below
--------- beginning of crash
05-07 09:55:29.427 28006-28425/? A/libc: Fatal signal 11 (SIGSEGV), code 0, fault addr 0x6d66 in tid 28425 (Thread-2014)
05-07 09:55:29.487 459-459/? A/DEBUG: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
05-07 09:55:29.488 459-459/? A/DEBUG: Build fingerprint: 'google/shamu/shamu:6.0.1/MMB29K/2419427:user/release-keys'
05-07 09:55:29.488 459-459/? A/DEBUG: Revision: '0'
05-07 09:55:29.488 459-459/? A/DEBUG: ABI: 'arm'
05-07 09:55:29.488 459-459/? A/DEBUG: pid: 28006, tid: 28425, name: Thread-2014 >>> com.lilithgames.afk.aligames <<<
05-07 09:55:29.488 459-459/? A/DEBUG: signal 11 (SIGSEGV), code 0 (SI_USER), fault addr 0x9c
05-07 09:55:29.499 459-459/? W/debuggerd: type=1400 audit(0.0:304982): avc: denied { search } for name="com.lilithgames.afk.aligames" dev="dm-0" ino=587545 scontext=u:r:debuggerd:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir permissive=0
05-07 09:55:29.499 459-459/? W/debuggerd: type=1400 audit(0.0:304983): avc: denied { search } for name="com.lilithgames.afk.aligames" dev="dm-0" ino=587545 scontext=u:r:debuggerd:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir permissive=0
05-07 09:55:29.509 459-459/? W/debuggerd: type=1400 audit(0.0:304984): avc: denied { search } for name="com.lilithgames.afk.aligames" dev="dm-0" ino=587545 scontext=u:r:debuggerd:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir permissive=0
05-07 09:55:29.529 459-459/? W/debuggerd: type=1400 audit(0.0:304985): avc: denied { search } for name="com.lilithgames.afk.aligames" dev="dm-0" ino=587545 scontext=u:r:debuggerd:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir permissive=0
05-07 09:55:29.529 459-459/? W/debuggerd: type=1400 audit(0.0:304986): avc: denied { search } for name="com.lilithgames.afk.aligames" dev="dm-0" ino=587545 scontext=u:r:debuggerd:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir permissive=0
05-07 09:55:29.529 459-459/? W/debuggerd: type=1400 audit(0.0:304987): avc: denied { search } for name="com.lilithgames.afk.aligames" dev="dm-0" ino=587545 scontext=u:r:debuggerd:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir permissive=0
05-07 09:55:29.529 459-459/? W/debuggerd: type=1400 audit(0.0:304988): avc: denied { search } for name="com.lilithgames.afk.aligames" dev="dm-0" ino=587545 scontext=u:r:debuggerd:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir permissive=0
05-07 09:55:29.539 459-459/? W/debuggerd: type=1400 audit(0.0:304989): avc: denied { search } for name="com.lilithgames.afk.aligames" dev="dm-0" ino=587545 scontext=u:r:debuggerd:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir permissive=0
05-07 09:55:29.539 459-459/? W/debuggerd: type=1400 audit(0.0:304990): avc: denied { search } for name="com.lilithgames.afk.aligames" dev="dm-0" ino=587545 scontext=u:r:debuggerd:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir permissive=0
05-07 09:55:29.549 459-459/? W/debuggerd: type=1400 audit(0.0:304991): avc: denied { search } for name="com.lilithgames.afk.aligames" dev="dm-0" ino=587545 scontext=u:r:debuggerd:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir permissive=0
05-07 09:55:29.549 459-459/? W/debuggerd: type=1400 audit(0.0:304992): avc: denied { search } for name="com.lilithgames.afk.aligames" dev="dm-0" ino=587545 scontext=u:r:debuggerd:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir permissive=0
05-07 09:55:29.549 459-459/? W/debuggerd: type=1400 audit(0.0:304993): avc: denied { search } for name="com.lilithgames.afk.aligames" dev="dm-0" ino=587545 scontext=u:r:debuggerd:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir permissive=0
05-07 09:55:29.549 459-459/? W/debuggerd: type=1400 audit(0.0:304994): avc: denied { search } for name="com.lilithgames.afk.aligames" dev="dm-0" ino=587545 scontext=u:r:debuggerd:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir permissive=0
05-07 09:55:29.549 459-459/? W/debuggerd: type=1400 audit(0.0:304995): avc: denied { search } for name="com.lilithgames.afk.aligames" dev="dm-0" ino=587545 scontext=u:r:debuggerd:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir permissive=0
05-07 09:55:29.559 459-459/? W/debuggerd: type=1400 audit(0.0:304996): avc: denied { search } for name="com.lilithgames.afk.aligames" dev="dm-0" ino=587545 scontext=u:r:debuggerd:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir permissive=0
05-07 09:55:29.610 459-459/? A/DEBUG: Abort message: 'art/runtime/thread.cc:1237] Native thread exited without calling

------ How can I see the js log? ----


[('-p', 'com.android.settings'), ('-b', 'true')]
injecting radar.dex failure.
radar injection failed

Switch to frida 12.8

commented

Do the other tools need to be changed too, things like the server?

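Switch the local frida-tools to the version that goes with 12.8, which I think is 9.x, and replace the frida-server file in the mobile-deploy directory with the 12.8 one. It's quite a hassle.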

Try a different phone?

commented

Which phone should I switch to? All I have on hand is Google's own device. The system is currently 6.0.

The Nox emulator supports arm now; try an emulator.

commented

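I'm not used to emulators. I just switched the frida version and it still doesn't work: same problem, it crashes. I'll look for the cause first.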

Does attaching with the plain frida command work normally?

commented

Yes, it doesn't crash at all. The frida versions are all the ones you provided.
---- The js hook log is below
GetStringUTFChars] result:CursorWindowStats
[GetStringUTFChars] result:SQLiteCursor
[NewStringUTF] bytes:org/cocos2dx/lib/Cocos2dxLocalStorage
[GetStringUTFChars] result:org/cocos2dx/lib/Cocos2dxLocalStorage
[GetStaticMethodID] name:getItem, sig:(Ljava/lang/String;)Ljava/lang/String;
[NewStringUTF] bytes:perform_activity1
[GetStringUTFChars] result:/data/user/0/com.lilithgames.afk.aligames/databases/jsb.sqlite
[GetStringUTFChars] result:CursorWindowStat

commented

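import sys
import frida

def on_message(message, data):
    if message['type'] == 'send':  # payloads passed to send() in the hook script
        print("[*] {0}".format(message['payload']))
    else:
        print(message)  # errors and other message types, printed raw

process = frida.get_usb_device().attach('com.lilithgames.afk.aligames')
script = process.create_script(jscode)  # jscode: the JavaScript hook source, not included in this comment
script.on('message', on_message)
script.load()
sys.stdin.read()  # block so the script stays loaded and messages keep arriving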

It's like his problem: #22
I suggest you push the radar.dex file manually
adb push radar.dex /data/user/0/{packageName}/radar.dex
adb shell
su
chmod 777 /data/user/0/{packageName}/radar.dex

I really haven't tested on 6.0; the lowest version I use is 7.1.2