const base= Module.findBaseAddress(“xxxxxx”); //获取可执行程序的基址
const testadd = base.add(0x6688);//函数地址
Interceptor.attach(testadd, {
onEnter: function(args) {
this.x1 = this.context.x1;
console.log(this.x1 );//这里的x1是函数里面最开始的x1
};
onLeave: function onLeave(retval) {
this.x1 = this.context.x1;
console.log(this.x1 );//这里的x1是函数里面最后面的x1
}
如果我想打印中间某一个具体地址的x1怎么处理呢?
var module_name = 'boringssl';
/**
*
* Hook boringssl::SSL_write
*
*/
var bo_ssl_write = Module.getExportByName(module_name,'SSL_write');
console.log("bo_ssl_write @ " + bo_ssl_write.toString());
console.log("bo_ssl_write opcode:" + hexdump(bo_ssl_write, { length: 16, ansi: false }))
const ssl_fd_ptr = Module.getExportByName(module_name,'SSL_get_fd');
const ssl_fd_func = new NativeFunction(ssl_fd_ptr,'int',['pointer']);
const ssl_version_ptr = Module.getExportByName(module_name,'SSL_version');
const ssl_version_func = new NativeFunction(ssl_version_ptr,'int',['pointer']);
const ssl_is_dtls_ptr = Module.getExportByName(module_name,'SSL_is_dtls');
const ssl_is_dtls_func = new NativeFunction(ssl_is_dtls_ptr,'int',['pointer']);
const ssl_get_privatekey_ptr = Module.getExportByName(module_name,'SSL_get_privatekey');
const ssl_get_privatekey_func = new NativeFunction(ssl_get_privatekey_ptr,'pointer',['pointer']);
const ssl_ctx_get0_privatekey_func =new NativeFunction(pBoringssl.add(0x26BB0),'pointer',['pointer']);
function GetProtocolVersion(ssl) {
var version = ssl_version_func(ssl);
if (!ssl_is_dtls_func(ssl)) {
return version ;
}
return 0x0201 + ~version;
}
Interceptor.attach(bo_ssl_write,{
onEnter : function (args) {
var data_str = formatDate()
WTSend("\\r============================ boringssl::SSL_write start =============================")
WTSend(data_str + ' { SSL : ' + args[0].toString() + ' version : 0x' + GetProtocolVersion(args[0]).toString(16) +' }')
WTSend('fd : '+ ssl_fd_func(args[0]) + ' data : size(' + args[2].toInt32() + ') \r\n' +
hexdump(args[1], { length: args[2].toInt32(), ansi: false }))
// bt(this.context)
},
onLeave : function (retval) {
WTSend("============================ boringssl::SSL_write end =============================\\r")
}
});
/**
*
* Hook boringssl::SSL_do_handshake
*
*/
var bo_ssl_do_handshake = Module.getExportByName(module_name,'SSL_do_handshake');
Interceptor.attach(bo_ssl_do_handshake,{
onEnter : function (args) {
WTSend("\\r============================ boringssl::SSL_do_handshake start =============================")
WTSend('{ Handshake SSL : ' + args[0].toString() + ' privatekey : ' + ssl_get_privatekey_func(args[0]).toString() +' }')
// bt(this.context)
},
onLeave : function (retval) {
WTSend("============================ boringssl::SSL_do_handshake end =============================\\r")
}
});
没明白你所表达的意思。大体是这么获得!
0x00000001 函数()
{
0x00000002 x1
………………
0x00000008 x1
…………….
0x00000000C x1
}
Interceptor.attach(0x00000001) 这里attach的是函数的地址!
然后,
我现在想打印0x00000008 位置 寄存器 x1的值
GetProtocolVersion这个函数就是实现这个功能的。SSL_write函数中,有这个功能的实现。根据分析后,我自己实现了一个函数,达到这个效果,从而获得了version
利用强大的 Stalker 功能.可以跟踪每一步代码执行和寄存器变化.
const targetFunc = Module.findExportByName(null, "target_function_name");
if (targetFunc) {
Interceptor.attach(targetFunc, {
onEnter: function (args) {
console.log("Entering function, starting Stalker...");
this.funcStart = targetFunc;
this.funcEnd = targetFunc.add(0x20); // 要跟踪的范围大小
Stalker.follow(Process.getCurrentThreadId(), {
events: {
exec: true,
},
transform: function (iterator) {
let instruction = iterator.next();
while (instruction.address.compare(this.funcStart) < 0 ||
instruction.address.compare(this.funcEnd) >= 0) {
// 跳过不在目标范围内的指令
iterator.keep();
instruction = iterator.next();
}
// 插入日志
console.log(`[+] Instruction at ${instruction.address}`);
// 打印寄存器,结合 Instruction.parse 可动态实时反编译代码
dumpRegisters(this.context);
iterator.keep();
instruction = iterator.next();
}.bind(this)
});
},
onLeave: function (retval) {
console.log("Leaving function, stopping Stalker...");
Stalker.unfollow(Process.getCurrentThreadId());
}
});
} else {
console.log("Function not found!");
}