@SeeFlowerX
SeeFlowerX / objectdump.js
Last active May 30, 2023 04:44
Based on Wallbreaker; also prints the fields of all parent classes. Can be dropped straight into a hook script, no extra code needed.
View objectdump.js
function log(msg) {
console.log(msg);
}
// cache of object handles already dumped, to avoid re-walking the same instance
let handleCache = [];
// Resolve the runtime class name of a Java object wrapper (not the declared type)
function getRealClassName(object) {
const objClass = Java.use("java.lang.Object").getClass.apply(object);
return Java.use("java.lang.Class").getName.apply(objClass);
}
SeeFlowerX / poc_frida_bug.js
Created May 26, 2023 08:45
Ran into very strange behaviour when using Java.retain; it turned out to be because the result of Java.retain was not assigned to a global variable...
View poc_frida_bug.js
function log(msg) {
console.log(msg);
}
// Wrap a raw jobject handle as java.lang.Object and return its runtime class name
function getRealClassNameByHandle (handle) {
let obj = Java.use("java.lang.Object");
log(`[getRealClassNameByHandle] obj => ${obj}`);
let jObject = Java.cast(ptr(handle), obj);
log(`[getRealClassNameByHandle] jObject => ${jObject}`);
let objClass = jObject.getClass();
log(`[getRealClassNameByHandle] objClass => ${objClass}`);
return objClass.getName();
}
View LLDB动态调试步骤.md

Similar to the IDA notes, recording a few steps

Global debugging, as root

magisk resetprop ro.debuggable 1
stop
start
SeeFlowerX / IDA动态调试步骤.md
Last active May 8, 2023 01:54
IDA dynamic debugging steps
View IDA动态调试步骤.md
  1. Push dbgsrv/android_server64 to /data/local/tmp
adb push android_server64 /data/local/tmp/ida_android_server64
  1. Grant execute permission
adb shell chmod +x /data/local/tmp/ida_android_server64
SeeFlowerX / crash.log
Created April 23, 2023 15:26
WeChat QR code scan crash stack; tested version: weixin8016android2040_arm64.apk
View crash.log
04-23 23:23:31.322 10756 10756 F DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
04-23 23:23:31.322 10756 10756 F DEBUG : Build fingerprint: 'google/flame/flame:11/RQ3A.210805.001.A1/7474174:user/release-keys'
04-23 23:23:31.322 10756 10756 F DEBUG : Revision: 'MP1.0'
04-23 23:23:31.322 10756 10756 F DEBUG : ABI: 'arm64'
04-23 23:23:31.323 10756 10756 F DEBUG : Timestamp: 2023-04-23 23:23:31+0800
04-23 23:23:31.323 10756 10756 F DEBUG : pid: 10736, tid: 10736, name: main >>> ./wxharness <<<
04-23 23:23:31.323 10756 10756 F DEBUG : uid: 0
04-23 23:23:31.323 10756 10756 F DEBUG : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0
04-23 23:23:31.323 10756 10756 F DEBUG : Cause: null pointer dereference
04-23 23:23:31.323 10756 10756 F DEBUG : x0 b4000075d0d7c48f x1 0000000000000000 x2 0000000000000001 x3 616600474f4c5241
View InMemoryDexClassLoaderFactory.java
import android.app.AppComponentFactory;
import android.content.pm.ApplicationInfo;
import android.util.Log;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.channels.Channels;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipFile;
SeeFlowerX / test.js
Created March 27, 2023 08:30
Problem: cannot construct an object whose parameter type is java.lang.CharSequence for an active call
View test.js
function main() {
// hook test
Java.perform(function() {
let Uri = Java.use("android.net.Uri");
let StringCls = Java.use("java.lang.String");
let CharSequence = Java.use("java.lang.CharSequence");
let ClipData = Java.use("android.content.ClipData");
let ClipDataItem = Java.use("android.content.ClipData$Item");
// a java.lang.String instance, to be passed where a CharSequence parameter is expected
let label = StringCls.$new("hhh");
});
}
main();
SeeFlowerX / clean.sh
Last active June 1, 2023 14:11
Configuration files for packet capture through a Clash transparent proxy
View clean.sh
#!/system/bin/sh
set -ex
# remove the policy-routing rule and local route used for the transparent proxy mark (table 666)
ip rule del fwmark 666 table 666 || true
ip route del local 0.0.0.0/0 dev lo table 666 || true
# flush and delete the nat and mangle rules installed for redirection
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
SeeFlowerX / logcat_crash.log
Created January 18, 2023 06:08
Happened to run into many apps crashing when entering certain screens after launch, Pixel 6 Android 12, SQ1D.220205.0004; the log is recorded below, and it recovered after rebooting the phone
View logcat_crash.log
01-18 14:03:04.217 1510 3211 V ActivityManager: Got obituary of 22855:com.google.android.gms.persistent
01-18 14:03:04.219 1510 2130 D ContextHubClientManager: Unregistered client with host endpoint ID 12285
01-18 14:03:04.219 1510 1538 I ServiceWatcher: [RealLocationTimeZoneProviderProxy] disconnected from 10141/com.google.android.gms/.geotimezone.GeoTimeZoneService@1
01-18 14:03:04.219 1510 1960 D ContextHubClientManager: Unregistered client with host endpoint ID 12284
01-18 14:03:04.219 1510 3108 D ContextHubClientManager: Unregistered client with host endpoint ID 12286
01-18 14:03:04.219 1510 1538 I ServiceWatcher: [network] disconnected from 10141/com.google.android.gms/com.google.android.location.network.NetworkLocationService@2
01-18 14:03:04.219 1510 1538 I ServiceWatcher: [GeocoderProxy] disconnected from 10141/com.google.android.gms/.location.geocode.GeocodeService@2
01-18 14:03:04.220 687 687 I Zygote : Process 22855 exited due to signal 9 (Killed)
01-18 14:03:04.220 1510 4669
SeeFlowerX / get_lr_info.js
Last active January 5, 2023 11:22
Get lr (link register) info with frida
View get_lr_info.js
// Format the return address (lr) of an arm64 CPU context as "module!offset"
export function get_lr_info(ctx: Arm64CpuContext) {
let mm = new ModuleMap();
let lr_info = mm.find(ctx.lr);
// lr outside any loaded module (e.g. JIT or anonymous mapping): return nothing
if (lr_info == null) return "";
return ` ${lr_info.name}!${ctx.lr.sub(lr_info.base)}`;
}