jzbb99
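// Base address of the target executable ("xxxxxx" is a placeholder module name).
// The original used curly quotes around the name, which is a syntax error.
const base = Module.findBaseAddress("xxxxxx");
if (base === null) {
  // findBaseAddress yields null when the module is not loaded; fail loudly
  // instead of crashing on base.add() below.
  throw new Error("target module not loaded: xxxxxx");
}
// Address of the hooked function: module base + fixed offset (0x6688 is build-specific).
const testadd = base.add(0x6688);
Interceptor.attach(testadd, {
  onEnter: function (args) {
    // Register x1 from the CPU context at function entry (the first x1 inside the function).
    this.x1 = this.context.x1;
    console.log(this.x1);
  }, // was `};`, which broke the object literal
  onLeave: function (retval) {
    // Register x1 from the CPU context at return (the last x1 inside the function).
    // Only entry and return are observable here; intermediate values are not.
    this.x1 = this.context.x1;
    console.log(this.x1);
  },
}); // closing call was missing in the original paste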
如果我想打印中间某一个具体地址的x1怎么处理呢?
yangyss
var module_name = 'boringssl';
/**
 *
 * Hook boringssl::SSL_write
 *
 */
// Resolve an exported symbol of the target module by name.
const exportOf = (symbol) => Module.getExportByName(module_name, symbol);

var bo_ssl_write = exportOf('SSL_write');
console.log(`bo_ssl_write @ ${bo_ssl_write.toString()}`);
// First 16 bytes at the symbol, handy for spotting an unexpected prologue/trampoline.
console.log(`bo_ssl_write opcode:${hexdump(bo_ssl_write, { length: 16, ansi: false })}`);

// Native wrappers over the exported accessors; each takes an SSL* and returns an int/pointer.
const ssl_fd_ptr = exportOf('SSL_get_fd');
const ssl_fd_func = new NativeFunction(ssl_fd_ptr, 'int', ['pointer']);
const ssl_version_ptr = exportOf('SSL_version');
const ssl_version_func = new NativeFunction(ssl_version_ptr, 'int', ['pointer']);
const ssl_is_dtls_ptr = exportOf('SSL_is_dtls');
const ssl_is_dtls_func = new NativeFunction(ssl_is_dtls_ptr, 'int', ['pointer']);
const ssl_get_privatekey_ptr = exportOf('SSL_get_privatekey');
const ssl_get_privatekey_func = new NativeFunction(ssl_get_privatekey_ptr, 'pointer', ['pointer']);
// NOTE(review): pBoringssl is not defined in this excerpt — presumably the module base; confirm.
// This one is resolved by a fixed offset rather than by export name, so it is tied to one build.
const ssl_ctx_get0_privatekey_func = new NativeFunction(pBoringssl.add(0x26BB0), 'pointer', ['pointer']);
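/**
 * Return the protocol version of an SSL connection as a 16-bit wire value.
 *
 * For TLS connections this is SSL_version() as-is. For DTLS connections the
 * DTLS wire version is mapped onto the corresponding TLS value with
 * 0x0201 + ~version (e.g. 0xfefd -> 0x0303); presumably mirrors the library's
 * own conversion, which the author re-derived from SSL_write.
 *
 * @param {NativePointer} ssl - SSL* handle.
 * @returns {number} version in the range 0..0xffff.
 */
function GetProtocolVersion(ssl) {
  const version = ssl_version_func(ssl);
  if (!ssl_is_dtls_func(ssl)) {
    return version;
  }
  // `~` is a 32-bit operation in JS, so 0x0201 + ~version is negative (the
  // original printed e.g. "-fcfd"); mask to 16 bits as a uint16_t result would be.
  return (0x0201 + ~version) & 0xffff;
}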
// Log every SSL_write(ssl, buf, num) call: connection, version, fd and the
// plaintext buffer handed to the library (args[0] = SSL*, args[1] = buf, args[2] = num).
Interceptor.attach(bo_ssl_write, {
  onEnter: function (args) {
    const stamp = formatDate();
    const ssl = args[0];
    const size = args[2].toInt32();
    WTSend("\\r============================ boringssl::SSL_write start =============================");
    WTSend(`${stamp} { SSL : ${ssl.toString()} version : 0x${GetProtocolVersion(ssl).toString(16)} }`);
    WTSend(`fd : ${ssl_fd_func(ssl)} data : size(${size}) \r\n${hexdump(args[1], { length: size, ansi: false })}`);
    // bt(this.context)
  },
  onLeave: function (retval) {
    WTSend("============================ boringssl::SSL_write end =============================\\r");
  },
});
/**
*
* Hook boringssl::SSL_do_handshake
*
*/
var bo_ssl_do_handshake = Module.getExportByName(module_name, 'SSL_do_handshake');
// Log each handshake start/end together with the private key pointer the SSL object holds.
Interceptor.attach(bo_ssl_do_handshake, {
  onEnter: function (args) {
    const ssl = args[0];
    const privateKey = ssl_get_privatekey_func(ssl);
    WTSend("\\r============================ boringssl::SSL_do_handshake start =============================");
    WTSend(`{ Handshake SSL : ${ssl.toString()} privatekey : ${privateKey.toString()} }`);
    // bt(this.context)
  },
  onLeave: function (retval) {
    WTSend("============================ boringssl::SSL_do_handshake end =============================\\r");
  },
});
没明白你所表达的意思。大体是这么获得!
jzbb99
0x00000001 函数()
{
0x00000002 x1
………………
0x00000008 x1
…………….
0x00000000C x1
}
Interceptor.attach(0x00000001) 这里attach的是函数的地址!
然后,
我现在想打印0x00000008 位置 寄存器 x1的值
yangyss
GetProtocolVersion这个函数就是实现这个功能的。SSL_write函数中,有这个功能的实现。根据分析后,我自己实现了一个函数,达到这个效果,从而获得了version