- attach进程的两种方式,第一种是重新运行游戏
# Spawn flow: launch the app through Frida, attach to the new process, then let it run.
# Assumes `import frida` appears earlier in the host script.
device = frida.get_usb_device()
# spawn() returns the pid of the process it created; Frida keeps that process
# suspended until resume() is called for the same pid.
pid = device.spawn("com.cocos2d.fishingfun.uc")
session = device.attach(pid)
# NOTE(review): no script is created on `session` before this resume() in the
# snippet as shown; if the agent is loaded later, code that runs during startup
# has already executed by then. Confirm against the rest of the host script.
device.resume(pid)
- 第二种是运行之后附加
# Attach flow: connect to an instance of the app that is already running.
# Assumes `import frida` appears earlier in the host script.
device = frida.get_usb_device()
# The target is addressed by name, so the process must already exist;
# nothing is spawned or resumed in this variant.
session = device.attach("com.cocos2d.fishingfun.uc")
- dumplua两种方式
- 第一种是等待进入游戏,确保我们要hook的so被加载之后,进行hook
// Approach 1: resolve the export directly. The lookup only succeeds once
// libd2eam.so is loaded into the process, so this script has to be injected
// after the game has loaded that library.
var fun = Module.findExportByName('libd2eam.so', 'luaL_loadbuffer');
if (fun) {
  console.log('find fun');
  hook_dump_fun(fun);
} else {
  // findExportByName yielded nothing: the library is not loaded yet or does
  // not export the symbol under this name.
  console.log("Can't find fun");
}
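/**
 * Attach a logging hook to luaL_loadbuffer.
 *
 * Argument layout follows the Lua C API signature
 * luaL_loadbuffer(L, buff, sz, name): args[1] is the chunk buffer, args[2] its
 * size in bytes and args[3] the chunk name. The hook sees each chunk in the
 * form the interpreter receives it.
 *
 * @param {NativePointer} fun - Address of luaL_loadbuffer, as returned by
 *   Module.findExportByName.
 */
function hook_dump_fun(fun) {
  Interceptor.attach(fun, {
    onEnter: function (args) {
      var len = args[2].toInt32();
      console.log('--------script start --------');
      console.log('name: ' + Memory.readUtf8String(args[3]));
      console.log('len: ' + len);
      // The chunk is a (pointer, size) pair and is not guaranteed to be
      // NUL-terminated. Bounding the read by len keeps it inside the buffer
      // instead of scanning the target's memory for a terminator.
      var script = len > 0 ? Memory.readUtf8String(args[1], len) : '';
      console.log('script: \n' + script);
      console.log('--------script end --------');
    }
  });
}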
- 第二种是我们hook dlopen函数。判断参数0是我们要hook的so。确定加载之后进行hook操作
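// Approach 2: watch dlopen and install the luaL_loadbuffer hook once
// libd2eam.so has been loaded, so the script can be injected before the
// library is present in the process.
var didHookApis = false;
var dlopenPtr = Module.findExportByName(null, 'dlopen');
if (!dlopenPtr) {
  // Passing a missing export to Interceptor.attach would fail; report it
  // instead of aborting the script.
  console.log("Can't find dlopen");
} else {
  Interceptor.attach(dlopenPtr, {
    onEnter: function (args) {
      // dlopen(NULL, ...) is a legal call, so the path pointer may be NULL;
      // keep null in that case rather than a string.
      this.path = args[0].isNull() ? null : Memory.readUtf8String(args[0]);
      console.log(this.path);
    },
    onLeave: function (retval) {
      // Skip failed loads, calls without a usable path, and everything after
      // the hook is already in place.
      if (didHookApis || retval.isNull() || typeof this.path !== 'string') {
        return;
      }
      if (this.path.indexOf('libd2eam.so') === -1) {
        return;
      }
      var fun = Module.findExportByName('libd2eam.so', 'luaL_loadbuffer');
      if (!fun) {
        console.log("still can't find fun???");
        return;
      }
      // Latch only after the export resolved: a failed lookup is retried on
      // the next matching load, and a resolved one is never hooked twice.
      didHookApis = true;
      hook_dump_fun(fun);
    }
  });
}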
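/**
 * Attach a logging hook to luaL_loadbuffer (C-string reader variant).
 *
 * Argument layout follows the Lua C API signature
 * luaL_loadbuffer(L, buff, sz, name): args[1] is the chunk buffer, args[2] its
 * size in bytes and args[3] the chunk name. The hook sees each chunk in the
 * form the interpreter receives it.
 *
 * @param {NativePointer} fun - Address of luaL_loadbuffer, as returned by
 *   Module.findExportByName.
 */
function hook_dump_fun(fun) {
  Interceptor.attach(fun, {
    onEnter: function (args) {
      var len = args[2].toInt32();
      console.log('--------script start --------');
      console.log('name: ' + Memory.readCString(args[3]));
      console.log('len: ' + len);
      // The chunk is a (pointer, size) pair and is not guaranteed to be
      // NUL-terminated. Bounding the read by len keeps it inside the buffer
      // instead of scanning the target's memory for a terminator.
      var script = len > 0 ? Memory.readCString(args[1], len) : '';
      console.log('script: \n' + script);
      console.log('--------script end --------');
    }
  });
}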