Lend you a pair of insight, Frida native trace
2022-06-24 07:38:00 【fenfei331】
1. Goal
Boss Li: Fly hard, you haven't updated much lately?
Fly hard: You don't know whether the current KPI counts AC? I'll have to start writing the weekly report on Wednesday, otherwise the newcomer will lose his job.
Back in the classic PC Internet era, I was fluent with OD and IDA too.
One day, after an enjoyable drink, I had a whim: let IDA identify all the functions, export them to OD, set a breakpoint on every one of them, log each breakpoint when it is hit, then automatically clear it. Wouldn't that reveal the whole execution flow of the program?
Running it showed that some functions are called very frequently, which makes the program hang or crash, so a convenient filter is needed to screen out the frequently called functions.
With PEStalker in hand, a program's execution flow had nowhere to hide.
But times have changed. In the mobile Internet era, how do we build an AppStalker?
2. Steps
frida-trace
Mustache actually got there before us: he built frida-trace, which can monitor a batch of function addresses at once.
It then prints a nice tree view that shows not only the call sequence but also the call hierarchy, and calls from different threads are distinguished by color.
What is missing now is a data source: export what IDA has recognized.
trace_natives
https://github.com/Pr0214/trace_natives Yes, the boss has already written it, so we can freeload again.
Run
- Download traceNatives.py and put it in IDA's plugins directory; on my Mac that is /Applications/IDA Pro 7.0/idabin/plugins.
- Pr0214 probably targets IDA 7.x+ with Python 3.x. On my IDA 7.0 with Python 2 the code needs a small tweak (f-strings and the encoding argument to open() are Python 3 only):

```python
# search_result = [f"-a '{so_name}!{offset}'" for offset in search_result]
search_result = ["-a '{}!{}'".format(so_name, offset) for offset in search_result]
# with open(save_path, "w", encoding="utf-8") as F:
with open(save_path, "w") as F:
# print(f"frida-trace -UF -O {save_path}")
print("frida-trace -UF -O {} !".format(save_path))
```

- Open the libxxbitmapkit.so from the earlier post http://91fans.com.cn/post/ldqsignone/ in IDA, then Edit -> Plugins -> traceNatives. A file libxxbitmapkit_16250177xx.txt is generated in the analysis directory; this is the data that frida-trace imports.
- Start the App first, then run:

```
frida-trace -UF -O /Users/fenfei/Desktop/xx/armeabi-v7a_9_4_6/libjdbitmapkit_1625017920.txt
```

It just runs. Note that the path contains no Chinese characters; my frida-trace may be running under Python 2.7, and a Chinese path makes loading fail.
Finally, just tap into the product details page.
The result turned out beautifully.
Enhancement
Boss Li: Tracing Android .so files is fine, but why not iOS Apps?
Fly hard: RTFS
Android .so code segments are named .text, while iOS code segments are named __text, so we add a check for that in getSegAddr:

```python
...
seg_name = idc.get_segm_name(seg).lower()
if seg_name in ('.text', 'text', '__text'):
...
```

Boss Li: I have a function whose first argument must be 2, but I don't know which function it is. Can Trace find it?
Fly hard : ……&*%¥%……)(%$
We can modify the script in handlers/libxxbitmapkit.so/xxx.js to do special handling, for example to pick out the functions whose first argument is 2 during the Trace.
```javascript
onEnter(log, args, state) {
  log('sub_10d71()');
},

// Change to
onEnter(log, args, state) {
  if (args[0] == 2) {
    log(" ======== I am here! ========");
  }
  log('sub_10d71()');
},
```

Of course, with thousands of functions, modifying them by hand would get me laughed at by Boss Li.
```python
import os


def alter(file, old_str, new_str):
    """
    Replace a string in a file
    :param file: file name
    :param old_str: old string
    :param new_str: new string
    :return:
    """
    file_data = ""
    with open(file, "r", encoding="utf-8") as f:
        for line in f:
            if old_str in line:
                line = line.replace(old_str, new_str)
            file_data += line
    with open(file, "w", encoding="utf-8") as f:
        f.write(file_data)


def findAllFile(base):
    # Yield the file names under base (names only, so the handler
    # directory is expected to be flat)
    for root, ds, fs in os.walk(base):
        for f in fs:
            yield f


def main():
    strPath = '/Users/fenfei/Desktop/work/blogCode/trace/__handlers__/libxxbitmapkit.so'
    for i in findAllFile(strPath):
        print(i)
        # Inject the first-argument check into every handler's onEnter
        alter(strPath + "/" + i, "onEnter(log, args, state) {",
              'onEnter(log, args, state) { if(args[0] == 2){ log(" ======== I am here! ========");}')


if __name__ == '__main__':
    main()
```

Life is too short, use Python. Call it a day.
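As an added example (not code from the post or from trace_natives), here is a Python version of the batch edit that serves both the single-handler tweak and the batch script above: it inserts the first-argument check into each onEnter, compares with args[0].toInt32() because args[0] is a NativePointer in Frida, and is idempotent, so re-running it over __handlers__ does not stack a second check the way a plain str.replace would. SAMPLE_HANDLER is a constructed handler in the frida-trace onEnter layout shown above; MARKER and the function names are my own.

```python
import os
import re

# A constructed frida-trace handler in the onEnter layout shown above
# (sample input for this example, not a file from the post).
SAMPLE_HANDLER = """\
{
  onEnter(log, args, state) {
    log('sub_10d71()');
  },
}
"""

MARKER = "// arg-filter"  # trailing comment so a re-run can detect the patch
ON_ENTER = re.compile(r"onEnter\(log, args, state\) \{\n")


def patch_handler_text(src, arg_index=0, value=2):
    """Insert a check on args[arg_index] at the top of onEnter.
    Returns (text, changed); handlers already carrying MARKER are left alone,
    so the batch is safe to re-run. toInt32() gives an exact integer compare."""
    if MARKER in src:
        return src, False
    check = (
        "    if (args[%d].toInt32() === %d) { %s\n"
        "      log(' ======== I am here! ========');\n"
        "    }\n"
    ) % (arg_index, value, MARKER)
    new, n = ON_ENTER.subn(lambda m: m.group(0) + check, src, count=1)
    return new, n == 1


def patch_handler_dir(base, arg_index=0, value=2):
    """Patch every .js handler below base; returns how many files were rewritten."""
    changed = 0
    for root, _dirs, files in os.walk(base):
        for name in files:
            if not name.endswith(".js"):
                continue
            path = os.path.join(root, name)
            with open(path, "r", encoding="utf-8") as fh:
                src = fh.read()
            new, did = patch_handler_text(src, arg_index, value)
            if did:
                with open(path, "w", encoding="utf-8") as fh:
                    fh.write(new)
                changed += 1
    return changed
```

Run patch_handler_dir on the __handlers__/libxxbitmapkit.so directory; a second run reports 0 files changed.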
3. Summary
Same problem as with PEStalker: too many functions are hooked and the App easily crashes, so there has to be a convenient filter that screens out frequently called, unimportant functions. I haven't worked out how to do this yet.
Mustache has another toy, https://github.com/oleavr/art-tracer, which is said to be better; worth studying.
Enough said, I'm off to write the weekly report.
I hate two kinds of people most in my life , One is optional , The other is not to let me add . Eat the melon
TIP: The only purpose of this article is to learn more reverse-engineering skills and ideas. If someone uses this technique for illegal business, the legal responsibility for the proceeds is borne by the operator alone and has nothing to do with this article or its author. The code projects involved can be taken from the Feifei Friends knowledge planet; you are welcome to join the knowledge planet to learn and explore technology. If you have questions, add me on WeChat: fenfei331 to discuss.
Follow the WeChat official account "It's safe to fly" for real-time pushes of the latest technical content.