Android Tencent xQ protocol reverse engineering - locating TLV544 (2)

To make the later xposed and unidbg calls easier, we first work out how to locate the key tlv544 code in the Java layer and in the so layer.

1. TLV544: Java layer positioning

Since qq is not obfuscated, you can open jadx and search directly for the related tlv classes, as follows.

In this list of class names we find several strings related to tlv544, as follows.

Tracing the tlv_t544 class shows that it is indeed the one called to generate tlv544, as follows.

Continuing to trace...

The call ends up in the class com.tencent.mobileqq.qsec.qsecdandelionsdk.Dandelion: its fly method calls the energy method, which returns the encrypted tlv544 result, and energy is implemented in the native layer.

2. TLV544: So layer positioning

In this class the so loading call is not made in the static block, so the so must be loaded from some other class, which makes it harder for us to find the jni function.

1) Locating statically registered jni functions

We still use frida, this time hooking dlsym. The code is as follows.

// Search for statically registered functions
function hook_dlsym(){
    // Get the address of dlsym
    let dlsymAddr = Module.findExportByName("libdl.so","dlsym");
    console.log(dlsymAddr);
    // hook dlsym
    Interceptor.attach(dlsymAddr,{
        onEnter:function(args){
            // args[0] is the handle, args[1] is the symbol name being looked up
            this.args1 = args[1];
        },
        onLeave:function(retval){
            // retval is the resolved address; null if the symbol was not found
            let md= Process.findModuleByAddress(retval);
            if(md==null)return;
            // Offset is relative to the base of the module that contains the symbol
            console.log("函数:"+this.args1.readCString(),"模块:"+md.name,"地址:"+retval,"偏移:"+retval.sub(md.base));
        }
    })
}
hook_dlsym();

dlsym is called at runtime with two parameters: handle (not useful to us) and symbol (the function symbol we are after); it returns the address of that function.

The result is as follows:

Searching the output, the energy function we want does not show up. No matter, there is another way.

2) Locating dynamically registered jni functions

There are two ways to register jni functions. Since the static route turned up nothing, we hook dynamic registration: hook RegisterNatives and read the methods out of the JNINativeMethod array it receives. The frida code is as follows:

function hook_RegisterNatives() {
    var RegisterNatives_addr = null;
    // Find the JNI RegisterNatives implementation in libart.so (skip the CheckJNI variant)
    var symbols = Process.findModuleByName("libart.so").enumerateSymbols();
    for (var i = 0; i < symbols.length; i++) {
        var symbol = symbols[i].name;
        if ((symbol.indexOf("CheckJNI") == -1) && (symbol.indexOf("JNI") >= 0)) {
            if (symbol.indexOf("RegisterNatives") >= 0) {
                RegisterNatives_addr = symbols[i].address;
                console.log("RegisterNatives_addr: ", RegisterNatives_addr);
            }
        }
    }
    if (RegisterNatives_addr == null) {
        console.log("RegisterNatives not found in libart.so");
        return;
    }
    Interceptor.attach(RegisterNatives_addr, {
        onEnter: function (args) {
            // RegisterNatives(JNIEnv* env, jclass clazz, const JNINativeMethod* methods, jint nMethods)
            var env = args[0];
            var jclass = args[1];
            var class_name = Java.vm.tryGetEnv().getClassName(jclass);
            var methods_ptr = ptr(args[2]);
            var method_count = args[3].toInt32();
            console.log("RegisterNatives method counts: ", method_count);
            for (var i = 0; i < method_count; i++) {
                // Each JNINativeMethod is three pointers: name, signature, fnPtr
                var name = methods_ptr.add(i * Process.pointerSize * 3).readPointer().readCString();
                var sig = methods_ptr.add(i * Process.pointerSize * 3 + Process.pointerSize).readPointer().readCString();
                var fnPtr_ptr = methods_ptr.add(i * Process.pointerSize * 3 + Process.pointerSize * 2).readPointer();
                var find_module = Process.findModuleByAddress(fnPtr_ptr);
                // fnPtr may live outside any named module; avoid dereferencing null
                var mod_name = find_module ? find_module.name : "unknown";
                var mod_off = find_module ? ptr(fnPtr_ptr).sub(find_module.base) : "n/a";
                console.log("类: ", class_name, "方法: ", name, "签名: ", sig, "函数地址: ", fnPtr_ptr, "模块名: ", mod_name, "函数偏移: ", mod_off);
            }
        },
        onLeave: function (retval) {}
    });
}
hook_RegisterNatives();

Searching the output we find our energy function, located at offset 0x79134 in libfekit.so, as follows.
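To make the offset arithmetic in the hook above concrete, here is an added example (not from the original post) that parses a JNINativeMethod array from a constructed in-memory image, exactly as the hook does: each entry is three pointers (name, signature, fnPtr), and fnPtr is turned into a module-relative offset. The module name, size, base, the method signatures and the addresses are all constructed sample values, not from the real app.

```javascript
// Added example: walk a JNINativeMethod[] { const char* name; const char* signature; void* fnPtr; }
// from a raw little-endian memory image, for 32-bit or 64-bit pointers.
// All addresses, module names and signatures below are constructed sample data.

function readCString(mem, addr) {
  let s = '';
  for (let i = addr; mem[i] !== 0; i++) s += String.fromCharCode(mem[i]);
  return s;
}

function readPointer(mem, addr, ptrSize) {
  // Little-endian, as on ARM/ARM64 Android
  let v = 0n;
  for (let i = ptrSize - 1; i >= 0; i--) v = (v << 8n) | BigInt(mem[addr + i]);
  return Number(v);
}

function parseNativeMethods(mem, methodsPtr, count, ptrSize, modules) {
  const out = [];
  for (let i = 0; i < count; i++) {
    const base = methodsPtr + i * ptrSize * 3;            // same stride as the frida hook
    const name = readCString(mem, readPointer(mem, base, ptrSize));
    const sig = readCString(mem, readPointer(mem, base + ptrSize, ptrSize));
    const fnPtr = readPointer(mem, base + 2 * ptrSize, ptrSize);
    // fnPtr may fall outside every known module; report null instead of crashing
    const mod = modules.find(m => fnPtr >= m.base && fnPtr < m.base + m.size) || null;
    out.push({ name, sig, fnPtr, module: mod ? mod.name : null, offset: mod ? fnPtr - mod.base : null });
  }
  return out;
}

// Build a constructed image: C strings at the front, the method table at offset 128.
function buildSample(ptrSize) {
  const mem = new Uint8Array(256);
  const modules = [{ name: 'libsample.so', base: 0x7000, size: 0x10000 }];   // constructed module
  let cursor = 0;
  const put = (s) => { const at = cursor; for (const c of s) mem[cursor++] = c.charCodeAt(0); mem[cursor++] = 0; return at; };
  const strs = [put('energy'), put('([B)[B'), put('fly'), put('(Ljava/lang/String;)Ljava/lang/String;')];
  const table = 128;
  const writePtr = (addr, v) => { for (let i = 0; i < ptrSize; i++) mem[addr + i] = Number((BigInt(v) >> BigInt(8 * i)) & 0xffn); };
  // Second entry points outside libsample.so on purpose, to exercise the null-module path
  const entries = [[strs[0], strs[1], 0x7000 + 0x1234], [strs[2], strs[3], 0x20000]];
  entries.forEach((e, i) => e.forEach((v, j) => writePtr(table + i * ptrSize * 3 + j * ptrSize, v)));
  return { mem, table, count: entries.length, modules };
}

const sample = buildSample(8);
console.log(JSON.stringify(parseNativeMethods(sample.mem, sample.table, sample.count, 8, sample.modules)));
```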

Open it in IDA to take a look, as follows:

That is all for this part; the next one gets more interesting, where we look at how to call this tlv544 through xposed.


Origin blog.csdn.net/weixin_44320760/article/details/132021291