frida打印函数寄存器的问题!!

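// Resolve the hooked function as module base + fixed offset.
// "xxxxxx" stands in for the real module name and 0x6688 is the function's
// offset in one specific build; both must be adjusted for the target binary.
const base = Module.findBaseAddress("xxxxxx"); // base address of the executable/library
if (base === null) {
  // findBaseAddress returns null when the module is not loaded; without this
  // check the next line throws a less helpful TypeError on `null.add`.
  throw new Error("module not found: xxxxxx");
}
const testadd = base.add(0x6688); // address of the function to hook

Interceptor.attach(testadd, {
  onEnter: function (args) {
    // Value of register x1 at the moment the function is entered.
    this.x1 = this.context.x1;
    console.log(this.x1);
  }, // the original paste had `};` here, which is a syntax error inside an object literal
  onLeave: function (retval) {
    // Value of register x1 at the moment the function returns.
    this.x1 = this.context.x1;
    console.log(this.x1);
  },
}); // the original paste was missing this closing `});`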
如果我想打印中间某一个具体地址的x1怎么处理呢?

    const module_name = 'boringssl';
    /**
     *
     * Hook boringssl::SSL_write
     *
     */
    // Small helpers so every export lookup and NativeFunction wrapper reads the same way.
    const exportOf = (name) => Module.getExportByName(module_name, name);
    const intOfPointer = (ptr) => new NativeFunction(ptr, 'int', ['pointer']);
    const pointerOfPointer = (ptr) => new NativeFunction(ptr, 'pointer', ['pointer']);

    const bo_ssl_write = exportOf('SSL_write');
    console.log(`bo_ssl_write @ ${bo_ssl_write.toString()}`);
    // First 16 bytes of the function, useful to confirm the export resolved to real code.
    console.log(`bo_ssl_write opcode:${hexdump(bo_ssl_write, { length: 16, ansi: false })}`);

    // int SSL_get_fd(const SSL *ssl)
    const ssl_fd_ptr = exportOf('SSL_get_fd');
    const ssl_fd_func = intOfPointer(ssl_fd_ptr);

    // int SSL_version(const SSL *ssl)
    const ssl_version_ptr = exportOf('SSL_version');
    const ssl_version_func = intOfPointer(ssl_version_ptr);

    // int SSL_is_dtls(const SSL *ssl)
    const ssl_is_dtls_ptr = exportOf('SSL_is_dtls');
    const ssl_is_dtls_func = intOfPointer(ssl_is_dtls_ptr);

    // EVP_PKEY *SSL_get_privatekey(const SSL *ssl)
    const ssl_get_privatekey_ptr = exportOf('SSL_get_privatekey');
    const ssl_get_privatekey_func = pointerOfPointer(ssl_get_privatekey_ptr);

    // Reached via a hard-coded offset from the module base rather than an export,
    // so it is valid for one specific build only. pBoringssl is not defined in
    // this snippet; presumably it holds the boringssl module base — verify.
    const ssl_ctx_get0_privatekey_func = pointerOfPointer(pBoringssl.add(0x26BB0));

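    /**
     * Return the TLS protocol version for an SSL object.
     *
     * For TLS the value from SSL_version() is returned unchanged. For DTLS the
     * wire versions (0xFEFF for DTLS 1.0, 0xFEFD for DTLS 1.2) are mapped to
     * their TLS equivalents with `0x0201 + ~version`, mirroring the native
     * code this was derived from. That native expression is 16-bit arithmetic;
     * in JavaScript `~` works on 32-bit ints and produces a negative number
     * (e.g. -0xFCFD), which `.toString(16)` would print as "-fcfd". Masking to
     * 16 bits restores the intended value (0xFEFD -> 0x0303).
     *
     * @param {NativePointer} ssl - SSL* handle, e.g. args[0] of SSL_write.
     * @returns {number} protocol version such as 0x0303 for TLS 1.2.
     */
    function GetProtocolVersion(ssl) {
        const version = ssl_version_func(ssl);
        if (!ssl_is_dtls_func(ssl)) {
            return version;
        }
        return (0x0201 + ~version) & 0xffff;
    }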

    Interceptor.attach(bo_ssl_write, {
        // SSL_write(SSL *ssl, const void *buf, int num): log the connection
        // details plus a hexdump of the buffer handed to SSL_write.
        onEnter(args) {
            const ssl = args[0];
            const buf = args[1];
            const size = args[2].toInt32();
            const stamp = formatDate();
            WTSend("\\r============================ boringssl::SSL_write start =============================");
            WTSend(`${stamp} { SSL : ${ssl.toString()} version : 0x${GetProtocolVersion(ssl).toString(16)} }`);
            // The dump covers the whole buffer (`size` bytes), so large writes produce large logs.
            WTSend(`fd : ${ssl_fd_func(ssl)} data : size(${size}) \r\n${hexdump(buf, { length: size, ansi: false })}`);

            // bt(this.context)
        },
        onLeave(retval) {
            WTSend("============================ boringssl::SSL_write end =============================\\r");
        },
    });


    /**
     * 
     * Hook boringssl::SSL_do_handshake
     * 
     */  
    const bo_ssl_do_handshake = Module.getExportByName(module_name, 'SSL_do_handshake');
    Interceptor.attach(bo_ssl_do_handshake, {
        // SSL_do_handshake(SSL *ssl): log the SSL handle and the pointer
        // returned by SSL_get_privatekey for it (the pointer only, not key material).
        onEnter(args) {
            const ssl = args[0];
            WTSend("\\r============================ boringssl::SSL_do_handshake start =============================");
            const privateKey = ssl_get_privatekey_func(ssl);
            WTSend(`{ Handshake SSL : ${ssl.toString()} privatekey : ${privateKey.toString()} }`);

            // bt(this.context)
        },
        onLeave(retval) {
            WTSend("============================ boringssl::SSL_do_handshake end =============================\\r");
        },
    });

没明白你所表达的意思。大体是这么获得!

0x00000001 函数()
{

0x00000002 x1

………………

0x00000008 x1

………………

0x00000000C x1

}

Interceptor.attach(0x00000001) 这里attach的是函数的地址!

然后,

我现在想打印0x00000008 位置 寄存器 x1的值

GetProtocolVersion这个函数就是实现这个功能的。SSL_write函数中有这个功能的实现；分析之后，我自己实现了一个函数达到同样的效果，从而获得了version。

利用强大的 Stalker 功能，可以跟踪每一步代码执行和寄存器变化。

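// Trace one function with Stalker and print the registers at each instruction
// inside [funcStart, funcEnd). This is how to read a register (e.g. x1) at a
// specific address in the middle of a function, which Interceptor's
// onEnter/onLeave alone cannot do.
const targetFunc = Module.findExportByName(null, "target_function_name");

if (targetFunc) {
    Interceptor.attach(targetFunc, {
        onEnter: function (args) {
            console.log("Entering function, starting Stalker...");

            // Address range to instrument; only instructions inside it get a callout.
            const funcStart = targetFunc;
            const funcEnd = targetFunc.add(0x20); // size of the range to trace
            const inRange = (address) =>
                address.compare(funcStart) >= 0 && address.compare(funcEnd) < 0;

            Stalker.follow(Process.getCurrentThreadId(), {
                // transform runs once per basic block, when Stalker compiles it —
                // not each time the block executes. Logging directly in transform
                // therefore prints at compile time, and the hook's `this.context`
                // is the state at function entry, not at this instruction. A
                // callout runs at execution time with the live CpuContext.
                transform: function (iterator) {
                    let instruction;
                    // iterator.next() returns null at the end of the block; the
                    // loop must stop there instead of reading `.address` of null.
                    while ((instruction = iterator.next()) !== null) {
                        if (inRange(instruction.address)) {
                            const address = instruction.address;
                            iterator.putCallout(function (context) {
                                console.log(`[+] Instruction at ${address}`);
                                // `context` is the CPU state at this instruction
                                // (context.x1 etc. on arm64). dumpRegisters is not
                                // defined in this snippet; something like
                                // console.log(JSON.stringify(context)) prints every register.
                                dumpRegisters(context);
                            });
                        }
                        iterator.keep();
                    }
                }
            });
        },
        onLeave: function (retval) {
            console.log("Leaving function, stopping Stalker...");
            Stalker.unfollow(Process.getCurrentThreadId());
        }
    });
} else {
    console.log("Function not found!");
}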