某小说App的Stalker用法
参考:
的Stalker示例代码:
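/**
 * Hooks `tatgetAddr` with Interceptor and, for the duration of each call,
 * follows the calling thread with Stalker. Instructions of basic blocks that
 * start inside the module range 0xE84..0x126C are printed as module offsets,
 * and the C string referenced by x21 is printed when offset 0xfb8 is reached.
 *
 * The instruction listing is produced inside `transform`, i.e. when Stalker
 * compiles a basic block, not each time the block runs. The "#### key" line is
 * produced by a callout, i.e. when the instrumented block actually executes.
 *
 * @param {NativePointer} baseAddr - Load base of the module; used to convert
 *   absolute addresses to module offsets and back.
 * @param {NativePointer} tatgetAddr - Address of the function to hook.
 * @returns {void}
 */
function trace_entry(baseAddr, tatgetAddr) {
  // Per IDA, the code of Java_com_baidu_searchbox_NativeBds_dae1 lies between
  // offsets 0xE84 and 0x126C. These offsets are tied to the analysed build.
  const rangeStart = baseAddr.add(0xe84);
  const rangeEnd = baseAddr.add(0x126c);
  // Absolute address of the instruction at which x21 is inspected.
  const calloutAddr = baseAddr.add(0xfb8);

  Interceptor.attach(tatgetAddr, {
    onEnter(args) {
      console.log("enter tatgetAddr====================================================================");
      // Stalker.follow() takes a thread id, so remember it for onLeave.
      this.tid = Process.getCurrentThreadId();
      Stalker.follow(this.tid, {
        events: {
          // These events are not needed for now; only transform is used.
          call: false,
          ret: false,
          exec: false,
          block: false,
          compile: false
        },
        transform(iterator) {
          let instruction = iterator.next();
          if (instruction === null) {
            // Empty block: nothing to inspect and nothing to keep.
            return;
          }

          // The range test uses the block's first instruction only, so a block
          // is either logged completely or not at all.
          const blockStart = instruction.address;
          const inRange =
            blockStart.compare(rangeStart) >= 0 && blockStart.compare(rangeEnd) < 0;

          do {
            if (inRange) {
              const offset = instruction.address.sub(baseAddr);
              console.log(`${offset}\t:\t${instruction}`);

              // Compare pointers with equals() instead of relying on `==`
              // coercing a NativePointer to a number.
              if (instruction.address.equals(calloutAddr)) {
                // Emitted before keep(), so the callout runs before the
                // instruction at 0xfb8 executes.
                iterator.putCallout((context) => {
                  const keyPtr = context["x21"];
                  try {
                    // Prefer the NativePointer method; fall back to the static
                    // Memory.readCString form for older Frida runtimes.
                    const text =
                      typeof keyPtr.readCString === "function"
                        ? keyPtr.readCString()
                        : Memory.readCString(keyPtr);
                    console.log("#### key = " + text);
                  } catch (err) {
                    // x21 may not reference readable memory; report it instead
                    // of throwing inside the followed thread.
                    console.log("#### key read failed: " + err);
                  }
                });
              }
            }
            // Every instruction is kept, so the traced code runs unmodified.
            iterator.keep();
          } while ((instruction = iterator.next()) !== null);
        }
      });
    },
    onLeave(retval) {
      // Stop following the thread that was followed in onEnter.
      Stalker.unfollow(this.tid);
      console.log("retval:" + retval);
      console.log("leave tatgetAddr====================================================================");
    }
  });
}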
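部分输出日志(指令行由 transform 在编译基本块时打印,"#### key" 行由 0xfb8 处的 callout 在该基本块实际执行时打印,因此它出现在整块指令(到 0xfc0 的 bl 为止)之后,而不是紧跟在 0xfb8 之后):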
0xfb4 : add x21, x21, x0, lsr #1
0xfb8 : mov x0, x21
0xfbc : ldr x22, [x8, #0x580]
0xfc0 : bl #0x7a751c55f0
#### key = D0CD8B760CE07BC3
0xfc4 : mov x1, x0
0xfc8 : mov x0, x20
0xfcc : blr x22
0xfd0 : ldr x8, [x20]