2018-09-30 Frida luaL_loadbuffer 扒代码

# -*- coding: utf-8 -*-

import frida, sys, os

"""
adb forward tcp:27042 tcp:27042
adb forward tcp:27043 tcp:27043
"""

# Package name of the app to attach to (redacted in the original post).
package_id = "xx"

# Connect to the frida-server reached over the forwarded TCP port (see the
# `adb forward` lines above) and attach to the running app by package name.
dev = frida.get_remote_device()
process = dev.attach(package_id)

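# Hook luaL_loadbuffer(lua_State *L, const char *buff, size_t sz, const char *name):
# args[1] is the chunk text, args[2] its length in bytes, args[3] the chunk name.
# Each call is forwarded to the Python side as a {size, name, content} message.
src = '''

var addr = Module.findExportByName(
null,
'luaL_loadbuffer'
);
// findExportByName returns null when no loaded module exports the symbol;
// fail here with a clear message instead of letting Interceptor.attach
// raise on a null address.
if (addr === null) {
    throw new Error('luaL_loadbuffer: export not found in any loaded module');
}

Interceptor.attach(addr, {
    onEnter: function(args) {
        var name = Memory.readUtf8String(args[3]);
        var obj = {}
        obj.size = args[2].toInt32()
        obj.name = name;
        // Read exactly `size` bytes: the buffer is not required to be NUL-terminated.
        obj.content = Memory.readCString(args[1], obj.size);
        send(obj);
    }
} )
'''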

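def write(path, content, *, base_dir=None):
    """Write *content* to *path*, creating parent directories as needed.

    *path* is the chunk name reported by the instrumented process (see
    ``on_message``), so it is untrusted data: it is resolved relative to
    *base_dir* and must stay inside it. A name that resolves outside
    (``../``, an absolute path) is rejected rather than written.

    Args:
        path: output file path, relative to *base_dir*.
        content: bytes or str to write; bytes are written verbatim,
            str is written as UTF-8.
        base_dir: directory the output is confined to; defaults to the
            current working directory.

    Raises:
        ValueError: if *path* resolves outside *base_dir*.
        OSError: if the directory or file cannot be created.
    """
    root = os.path.realpath(base_dir if base_dir is not None else os.getcwd())
    target = os.path.realpath(os.path.join(root, path))
    # commonpath on the resolved paths catches both ".." segments and
    # absolute names that point elsewhere.
    if os.path.commonpath([root, target]) != root:
        raise ValueError('refusing to write outside %r: %r' % (root, path))
    print('write:', target)
    folder = os.path.dirname(target)
    if folder:
        # exist_ok avoids the check-then-create race of exists()+makedirs().
        os.makedirs(folder, exist_ok=True)
    if isinstance(content, (bytes, bytearray)):
        with open(target, 'wb') as fh:
            fh.write(content)
    else:
        with open(target, 'w', encoding='utf-8') as fh:
            fh.write(content)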

# Create the hook script inside the attached process; it is injected when
# script.load() is called below.
script = process.create_script(src)
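def on_message(message, data):
    """Handle one message from the injected script.

    Frida delivers ``send`` messages (the object the JS side passed to
    ``send()``, under ``payload``) and ``error`` messages (an exception
    raised in the script). Only ``send`` messages carry a ``payload``, so
    anything else is printed and skipped instead of failing with KeyError.

    Args:
        message: dict with a ``type`` key and, for ``send``, a ``payload``
            dict holding ``name``, ``size`` and ``content``.
        data: optional binary attachment from the script (unused here).
    """
    if message.get('type') != 'send':
        # Typically {'type': 'error', 'description': ..., 'stack': ...}.
        print('message:', message)
        return
    payload = message['payload']
    name = payload.get('name')
    content = payload.get('content')
    # Either field is null when the JS side could not read the pointer.
    if not name or content is None:
        return
    # Only chunks named like Lua source files are written out; the name is
    # supplied by the instrumented process, so write() confines it to cwd.
    if name.endswith('.lua'):
        write(name, content.encode('utf-8'))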

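# Route script messages to on_message, inject the hook, then block until
# stdin reaches EOF so the hook stays installed. Detach on the way out
# (including Ctrl-C) so the hook is removed rather than left in the target.
script.on('message', on_message)
script.load()
try:
    sys.stdin.read()
except KeyboardInterrupt:
    pass
finally:
    process.detach()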

居然,能看见 lua 的代码!!
