Java .so file obfuscation (hiding JNI function names)

I. Purpose of the obfuscation

In ordinary JNI development the javah tool generates native function names of the form Java_com_xxx_Class_method. Those names end up in the dynamic symbol table of the .so, so a reverse engineer who opens the library in IDA finds every native function, together with the Java class and method it implements, directly in the Exports window, as follows:

[image: IDA Exports window listing the javah-style Java_com_... symbols]

The goal is to keep these functions out of the export table, so that IDA cannot tie a native function to its Java method by name and the analyst is left guessing which function does what.

II. Obfuscation method

1. Principle

When Java code calls System.loadLibrary("xxx"), the virtual machine loads libxxx.so and, if the library exports it, calls JNI_OnLoad before anything else. This is the hand-off from the Java layer into native code and the place for initialization work. It is also where the native methods of a Java class can be registered: JNI_OnLoad may call RegisterNatives, which binds the Java native methods to arbitrary C/C++ functions. With RegisterNatives the C/C++ functions no longer have to follow the Java_package_Class_method naming convention.

The conventional JNI workflow is: 1) write a Java class containing native methods; 2) generate a .h header file with javah; 3) implement the functions declared in that header. The drawback of this "official" process is that the resulting Java_com_xxx symbols are trivially spotted by a reverse engineer.

So the obfuscation here is to stop relying on javah names and instead register the native functions dynamically through RegisterNatives, the JNI API for binding native methods into the JVM at load time.

Dynamic registration steps:

  • Write a custom JNI_OnLoad that calls a registerNativeMethods() helper; it binds each Java native method to a function pointer of our choosing, replacing the javah header.
  • Implement the native functions under their new, meaningless names.
  • Hide the symbol table: in Android.mk add LOCAL_CFLAGS := -fvisibility=hidden (JNI_OnLoad itself must stay explicitly exported, otherwise the VM can no longer find it).

2. Implementation

(C++ is used for the example; for C the syntax changes slightly, e.g. (*env)->FindClass(env, ...) instead of env->FindClass(...).)

1) Create a .cpp file with any name in the jni folder

2) Copy in the following code:

//
// Created by libb on 2019/5/8.
//
#include <jni.h>
#include <stdio.h>
#include <assert.h>
#include <android/log.h>

// The javah-generated header (com_limushan_decomplieso_JniTest.h) is no longer
// needed: with dynamic registration the gMethods table below replaces it.

#define LOG_TAG "JniTest"
#define LOGD(...) __android_log_print(ANDROID_LOG_DEBUG, LOG_TAG, __VA_ARGS__)

#define JNIREG_CLASS "com/limushan/decomplieso/JniTest" // the class whose native methods we register

// Fetch the current Application object through ActivityThread.currentApplication().
jobject getApplication1(JNIEnv* env) {
    jclass localClass = env->FindClass("android/app/ActivityThread");
    if (localClass != NULL) {
        // LOGD("class has been found");
        jmethodID getapplication = env->GetStaticMethodID(localClass, "currentApplication",
                                                          "()Landroid/app/Application;");
        if (getapplication != NULL) {
            jobject application = env->CallStaticObjectMethod(localClass, getapplication);
            env->DeleteLocalRef(localClass);
            return application;
        }
        env->DeleteLocalRef(localClass);
        return NULL;
    }
    return NULL;
}

// Bound to JniTest.getApplication(). The name _xxx_yyy1 tells a reverser nothing;
// section(".mytext") places the code in a custom section instead of .text.
extern "C"
__attribute__((section(".mytext"))) jobject JNICALL _xxx_yyy1(JNIEnv *env, jclass obj) {
    return getApplication1(env);
}

// Bound to JniTest.exitApplication(int): calls System.exit(flag).
extern "C"
__attribute__((section(".mytext"))) void JNICALL _xxx_yyy2(JNIEnv *env, jclass obj, jint flag) {
    jclass temp_clazz = NULL;
    jmethodID mid_static_method;
    // Look up java.lang.System on the classpath and its static exit(int) method
    temp_clazz = env->FindClass("java/lang/System");
    mid_static_method = env->GetStaticMethodID(temp_clazz, "exit", "(I)V");
    env->CallStaticVoidMethod(temp_clazz, mid_static_method, flag);
    env->DeleteLocalRef(temp_clazz);
}

// Bound to JniTest.checkProxyExist(): reads the http.proxyHost / http.proxyPort
// system properties and returns the port (NULL when no proxy is configured).
extern "C"
__attribute__((section(".mytext"))) jstring JNICALL _xxx_yyy3(JNIEnv *env, jclass obj) {
    jobject context = getApplication1(env);
    (void)context; // fetched for illustration; the property lookup does not need it
    jclass class_system = env->FindClass("java/lang/System");
    if (class_system == NULL) {
        LOGD("class system is null");
        return NULL;
    }
    jmethodID method_get_property = env->GetStaticMethodID(class_system, "getProperty",
                                                           "(Ljava/lang/String;)Ljava/lang/String;");
    if (method_get_property != NULL) {
        LOGD("method is found...");
    } else {
        LOGD("method not found...");
        env->DeleteLocalRef(class_system);
        return NULL;
    }
    jstring host = env->NewStringUTF("http.proxyHost");
    jstring port = env->NewStringUTF("http.proxyPort");
    jstring hostIp = (jstring)env->CallStaticObjectMethod(class_system, method_get_property, host);
    jstring hostPort = (jstring)env->CallStaticObjectMethod(class_system, method_get_property, port);
    if (hostIp != NULL || hostPort != NULL) {
        LOGD("A proxy is configured, dangerous!");
    } else {
        LOGD("Environment is clean, safe to proceed");
    }
    env->DeleteLocalRef(host);
    env->DeleteLocalRef(port);
    env->DeleteLocalRef(class_system);
    return hostPort;
}

/**
 * Table of methods associated with a single class.
 */
// Binding table. Note: return types V and Z are single characters with no trailing ";".
// This maps the Java-layer method getApplication() to the native function _xxx_yyy1 (and so on),
// so the ugly Java_com_xx_xx_classname_methodname naming convention is no longer required.
static JNINativeMethod gMethods[] = {
        { "getApplication", "()Ljava/lang/Object;", (void*)_xxx_yyy1},
        { "exitApplication", "(I)V", (void*)_xxx_yyy2},
        { "checkProxyExist", "()Ljava/lang/String;", (void*)_xxx_yyy3},
};

/*
 * Register several native methods for one class.
 */
static int registerNativeMethods(JNIEnv* env, const char* className,
                                 JNINativeMethod* gMethods, int numMethods)
{
    jclass clazz = env->FindClass(className);
    if (clazz == NULL) {
        return JNI_FALSE;
    }
    if (env->RegisterNatives(clazz, gMethods, numMethods) < 0) {
        return JNI_FALSE;
    }
    return JNI_TRUE;
}

/*
 * Register native methods for all classes we know about.
 */
static int registerNatives(JNIEnv* env)
{
    if (!registerNativeMethods(env, JNIREG_CLASS, gMethods,
                               sizeof(gMethods) / sizeof(gMethods[0])))
        return JNI_FALSE;
    return JNI_TRUE;
}

/*
 * Called by the VM right after System.loadLibrary().
 * Returns the JNI version on success, -1 on failure.
 *
 * extern "C" keeps the name unmangled and JNIEXPORT keeps the symbol visible even
 * when the library is built with -fvisibility=hidden; without both, the VM cannot
 * find JNI_OnLoad and nothing gets registered.
 */
extern "C" JNIEXPORT jint JNICALL JNI_OnLoad(JavaVM* vm, void* reserved)
{
    JNIEnv* env = NULL;
    jint result = -1;

    if (vm->GetEnv((void**) &env, JNI_VERSION_1_4) != JNI_OK) {
        return -1;
    }
    assert(env != NULL);

    if (!registerNatives(env)) { // register the native methods
        return -1;
    }

    /* success -- return valid version number */
    result = JNI_VERSION_1_4;
    return result;
}

RegisterNatives is the call that binds the Java native methods to our local functions dynamically, at load time.

3) Modify the method mapping table

/**
 * Table of methods associated with a single class.
 */
// Binding table. Note: return types V and Z are single characters with no trailing ";".
// This maps the Java-layer getApplication() method to the native function _xxx_yyy1,
// so the ugly Java_com_xx_xx_classname_methodname naming convention is no longer required.
static JNINativeMethod gMethods[] = {
        { "getApplication", "()Ljava/lang/Object;", (void*)_xxx_yyy1},
        { "exitApplication", "(I)V", (void*)_xxx_yyy2},
        { "checkProxyExist", "()Ljava/lang/String;", (void*)_xxx_yyy3},
};

This array is the mapping between the Java native methods and our local functions. Each entry is a JNINativeMethod structure, officially defined as:

typedef struct {
    const char* name;
    const char* signature;
    void*       fnPtr;
} JNINativeMethod;

  • name: the name of the native method as declared in the Java class.
  • signature: a string describing the parameter and return types of the Java method.
  • fnPtr: a function pointer to the native implementation, cast to (void*).

The first field is simply the Java method name and the third is the function we implemented ourselves (with dynamic registration there is no .h file dictating it); the second field is the complicated one. The parentheses enclose the parameter types, and whatever follows the closing parenthesis is the return type.

"()" holds the parameter types; the return type comes after it. For example:

"()V" means void xxx();

"(I)V" means void xxx(int a);

"(II)I" means int xxx(int a, int b);

"()Ljava/lang/String;" means String xxx();

The type characters map to JNI and Java types as follows:

Signature   JNI type        Java type
V           void            void
Z           jboolean        boolean
I           jint            int
J           jlong           long
D           jdouble         double
F           jfloat          float
B           jbyte           byte
C           jchar           char
S           jshort          short

Arrays start with "[": an n-dimensional array is written with n "[" characters followed by the element type, so "[[[D" means double[][][]:

Signature   JNI type        Java type
[I          jintArray       int[]
[F          jfloatArray     float[]
[B          jbyteArray      byte[]
[C          jcharArray      char[]
[S          jshortArray     short[]
[D          jdoubleArray    double[]
[J          jlongArray      long[]
[Z          jbooleanArray   boolean[]

Reference types start with "L" and end with ";", with the package components separated by "/" instead of "." (the ";" is what terminates the class name, which is how several reference types can follow one another inside the parentheses):

Signature            JNI type    Java type
Ljava/lang/String;   jstring     String
Ljava/lang/Object;   jobject     Object

...
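The descriptor grammar and the binding table can be checked without a JVM. As an added example that is not part of the original post, the following C++ parses a JNI method signature, maps each descriptor to its JNI type (the same mapping as the table above), builds the native prototype that RegisterNatives will call for a table entry, and validates a JNINativeMethod-style table for the mistakes that otherwise only show up on the device: a malformed descriptor, a stray ";" after V, a NULL function pointer, or a duplicate entry. NativeEntry mirrors the field layout of JNINativeMethod so the file builds without jni.h; the method names _xxx_yyy2 and _xxx_yyy3 are the page's, and every table used here is constructed for the example.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Parsed form of a JNI method descriptor such as "(I[BLjava/lang/String;)V".
struct JniSignature {
    bool valid = false;
    std::vector<std::string> params;   // one field descriptor per parameter
    std::string ret;                   // return descriptor ("V" for void)
    std::string error;                 // filled in when !valid
};

// Consume one field descriptor at s[pos]; returns "" if none starts there.
static std::string read_type(const std::string& s, size_t& pos) {
    size_t start = pos;
    while (pos < s.size() && s[pos] == '[') pos++;             // one '[' per array dimension
    if (pos >= s.size()) return "";
    char c = s[pos];
    if (std::string("ZBCSIJFD").find(c) != std::string::npos) { // primitive
        pos++;
        return s.substr(start, pos - start);
    }
    if (c == 'L') {                                             // reference: Lpkg/Name;
        size_t semi = s.find(';', pos);
        if (semi == std::string::npos || semi == pos + 1) return "";
        pos = semi + 1;
        return s.substr(start, pos - start);
    }
    return "";                                                  // 'V' is only legal as a return type
}

JniSignature parse_jni_signature(const std::string& sig) {
    JniSignature out;
    if (sig.empty() || sig[0] != '(') { out.error = "missing '('"; return out; }
    size_t pos = 1;
    while (pos < sig.size() && sig[pos] != ')') {
        std::string t = read_type(sig, pos);
        if (t.empty()) { out.error = "bad parameter type at offset " + std::to_string(pos); return out; }
        out.params.push_back(t);
    }
    if (pos >= sig.size()) { out.error = "missing ')'"; return out; }
    pos++;
    if (pos < sig.size() && sig[pos] == 'V') { out.ret = "V"; pos++; }
    else if ((out.ret = read_type(sig, pos)).empty()) { out.error = "bad return type"; return out; }
    // The table comment's warning: no trailing ';' after a V (or Z) return type.
    if (pos != sig.size()) { out.error = "trailing characters after the return type"; return out; }
    out.valid = true;
    return out;
}

// JNI C/C++ type for one field descriptor (the mapping in the table above).
std::string jni_c_type(const std::string& d) {
    static const std::string prim = "VZBCSIJFD";
    static const char* names[] = {"void", "jboolean", "jbyte", "jchar", "jshort",
                                  "jint", "jlong", "jfloat", "jdouble"};
    if (d.size() == 1 && prim.find(d[0]) != std::string::npos) return names[prim.find(d[0])];
    if (d.size() == 2 && d[0] == '[' && d[1] != 'V' && prim.find(d[1]) != std::string::npos)
        return std::string(names[prim.find(d[1])]) + "Array";  // jintArray, jbyteArray, ...
    if (d.size() > 1 && d[0] == '[') return "jobjectArray";    // object or multi-dimensional arrays
    if (d == "Ljava/lang/String;") return "jstring";
    if (d == "Ljava/lang/Class;") return "jclass";
    if (d == "Ljava/lang/Throwable;") return "jthrowable";
    return "jobject";
}

// The C prototype RegisterNatives will call for a table entry: JNIEnv*, then
// jclass (static native) or jobject (instance native), then the parameters.
std::string native_prototype(const std::string& cname, const std::string& sig, bool is_static) {
    JniSignature s = parse_jni_signature(sig);
    if (!s.valid) return "";
    std::string p = jni_c_type(s.ret) + " " + cname + "(JNIEnv* env, " +
                    (is_static ? "jclass clazz" : "jobject thiz");
    for (size_t i = 0; i < s.params.size(); i++)
        p += ", " + jni_c_type(s.params[i]) + " a" + std::to_string(i);
    return p + ")";
}

// Same field layout as JNINativeMethod in jni.h, so this file builds without the NDK.
struct NativeEntry { const char* name; const char* signature; void* fnPtr; };

// Problems RegisterNatives would only reveal on the device (NoSuchMethodError for a
// bad name/descriptor, a crash for a NULL pointer). An empty result means the table is clean.
std::vector<std::string> check_native_table(const std::vector<NativeEntry>& t) {
    std::vector<std::string> problems;
    for (size_t i = 0; i < t.size(); i++) {
        std::string name = t[i].name ? t[i].name : "";
        std::string sig = t[i].signature ? t[i].signature : "";
        if (name.empty()) problems.push_back("entry " + std::to_string(i) + ": empty name");
        JniSignature s = parse_jni_signature(sig);
        if (!s.valid) problems.push_back(name + " " + sig + ": " + s.error);
        if (!t[i].fnPtr) problems.push_back(name + ": NULL fnPtr");
        for (size_t j = 0; j < i; j++)
            if (t[j].name && t[j].signature && name == t[j].name && sig == t[j].signature)
                problems.push_back(name + sig + ": duplicate entry");
    }
    return problems;
}
```

Running check_native_table over gMethods in a host-side unit test catches a descriptor typo before the library is ever loaded; RegisterNatives itself only reports a mismatch through a NoSuchMethodError at load time, with no hint of which entry was wrong.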

4) Implement the native functions named in the table

Example below. The function name can be anything; replace the body with your own implementation.

extern "C"
__attribute__((section(".mytext"))) void JNICALL _xxx_yyy2(JNIEnv *env, jclass obj, jint flag) {
    jclass temp_clazz = NULL;
    jmethodID mid_static_method;
    // Look up java.lang.System on the classpath and its static exit(int) method
    temp_clazz = env->FindClass("java/lang/System");
    mid_static_method = env->GetStaticMethodID(temp_clazz, "exit", "(I)V");
    env->CallStaticVoidMethod(temp_clazz, mid_static_method, flag);
    env->DeleteLocalRef(temp_clazz);
}

Each function carries __attribute__((section(".mytext"))). This makes the compiler emit the function's code into a custom section named .mytext instead of the default .text. It is not required for the registration to work; because these functions are no longer tied to a Java-layer name, placing them in a section of our own groups them so they can be located (and processed further) by section rather than by symbol.

5) Declare the class to register

#define JNIREG_CLASS "com/limushan/decomplieso/JniTest" // the class whose native methods we register

The string is the fully qualified Java class name with "/" separators, spelled exactly as in the Java source: FindClass is case-sensitive, and a mismatch makes registerNativeMethods return JNI_FALSE, so JNI_OnLoad fails.

6) In Android.mk add LOCAL_CFLAGS := -fvisibility=hidden to hide the symbol table. With this flag every function becomes a hidden symbol unless it is explicitly marked visibility("default"); JNIEXPORT from jni.h does exactly that, so JNI_OnLoad must be declared with JNIEXPORT (as in the code above). Otherwise the VM never sees JNI_OnLoad, nothing is registered, and the first call to a native method fails with an UnsatisfiedLinkError.

7) The remaining steps are the same as ordinary JNI development: declare the methods as native in the Java class (the functions above take a jclass as their second parameter, i.e. they are written for static native methods) and load the library with System.loadLibrary.

8) Build the .so with ndk-build.

The result is shown below: the method names no longer appear in the export table, and the functions cannot be found by name in the symbol list. Only the custom .mytext section reveals where the registered functions live, and that section is what any further analysis step has to start from.

[image: IDA view of the built library after obfuscation]
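The same check can be scripted instead of eyeballed in IDA. As an added example that is not part of the original post, the following C++ reads a library's section headers and .dynsym (the table IDA's Exports window is built from), lists the defined dynamic symbols, flags any javah-style Java_* name that survived, checks that JNI_OnLoad is still exported, and looks for the .mytext section. It uses the <elf.h> structures directly and assumes a little-endian ELF32 or ELF64 file, as on Android and Linux; marker_in_mytext is a stand-in function placed in .mytext so that auditing the program itself (/proc/self/exe on Linux) exercises the section check. Point it at the built libxxx.so to verify steps 6 and 8.

```cpp
#include <elf.h>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <fstream>
#include <iterator>
#include <string>
#include <vector>

// What the audit reports. After the steps above, a clean library has
// javah_names empty, has_onload true and a ".mytext" section.
struct JniAudit {
    bool parsed = false;                    // false: not a little-endian ELF file
    std::vector<std::string> sections;      // every section name
    std::vector<std::string> exported;      // defined, non-local dynamic symbols
    std::vector<std::string> javah_names;   // exported symbols that start with Java_
    bool has_onload = false;                // JNI_OnLoad still visible to the VM
    bool has_section(const std::string& n) const {
        for (const std::string& s : sections) if (s == n) return true;
        return false;
    }
};

// NUL-terminated string at a file offset, bounds-checked against the buffer.
static std::string str_at(const std::vector<char>& buf, uint64_t off) {
    std::string s;
    while (off < buf.size() && buf[off] != '\0') s += buf[off++];
    return s;
}

// Walk the section headers, then .dynsym; shared by the ELF32 and ELF64 cases.
template <class Ehdr, class Shdr, class Sym>
static void walk(const std::vector<char>& buf, JniAudit& a) {
    if (buf.size() < sizeof(Ehdr)) return;
    Ehdr eh;
    memcpy(&eh, buf.data(), sizeof eh);
    if (eh.e_shoff == 0 || eh.e_shstrndx >= eh.e_shnum ||
        (uint64_t)eh.e_shoff + (uint64_t)eh.e_shnum * sizeof(Shdr) > buf.size()) return;
    std::vector<Shdr> sh(eh.e_shnum);
    memcpy(sh.data(), buf.data() + eh.e_shoff, eh.e_shnum * sizeof(Shdr));
    uint64_t shstr = sh[eh.e_shstrndx].sh_offset;              // .shstrtab holds section names
    for (const Shdr& s : sh) a.sections.push_back(str_at(buf, shstr + s.sh_name));
    for (const Shdr& s : sh) {
        if (s.sh_type != SHT_DYNSYM || s.sh_link >= eh.e_shnum) continue;
        uint64_t strtab = sh[s.sh_link].sh_offset;              // sh_link points at .dynstr
        uint64_t end = (uint64_t)s.sh_offset + s.sh_size;
        if (end > buf.size()) end = buf.size();
        for (uint64_t off = s.sh_offset; off + sizeof(Sym) <= end; off += sizeof(Sym)) {
            Sym sym;
            memcpy(&sym, buf.data() + off, sizeof sym);
            // Undefined symbols are imports and local ones are invisible: neither is an export.
            if (sym.st_shndx == SHN_UNDEF || (sym.st_info >> 4) == STB_LOCAL) continue;
            std::string name = str_at(buf, strtab + sym.st_name);
            if (name.empty()) continue;
            a.exported.push_back(name);
            if (name.compare(0, 5, "Java_") == 0) a.javah_names.push_back(name);
            if (name == "JNI_OnLoad") a.has_onload = true;
        }
    }
    a.parsed = true;
}

JniAudit audit_jni_library(const std::string& path) {
    JniAudit a;
    std::ifstream f(path, std::ios::binary);
    std::vector<char> buf((std::istreambuf_iterator<char>(f)), std::istreambuf_iterator<char>());
    if (buf.size() < EI_NIDENT || memcmp(buf.data(), ELFMAG, SELFMAG) != 0) return a;
    if ((unsigned char)buf[EI_DATA] != ELFDATA2LSB) return a;   // assumption: little-endian files only
    if ((unsigned char)buf[EI_CLASS] == ELFCLASS64) walk<Elf64_Ehdr, Elf64_Shdr, Elf64_Sym>(buf, a);
    else if ((unsigned char)buf[EI_CLASS] == ELFCLASS32) walk<Elf32_Ehdr, Elf32_Shdr, Elf32_Sym>(buf, a);
    return a;
}

// Stand-in for the page's registered natives: placed in the custom section so
// that auditing this program itself shows ".mytext" in its section list.
__attribute__((section(".mytext"))) int marker_in_mytext(void) { return 42; }

int main(int argc, char** argv) {
    const char* path = argc > 1 ? argv[1] : "/proc/self/exe";
    JniAudit a = audit_jni_library(path);
    if (!a.parsed) { std::printf("%s: not a little-endian ELF file\n", path); return 2; }
    std::printf("%s: %zu exported symbol(s), JNI_OnLoad %s, .mytext %s\n", path, a.exported.size(),
                a.has_onload ? "exported" : "MISSING", a.has_section(".mytext") ? "present" : "absent");
    for (const std::string& n : a.javah_names) std::printf("  still exported: %s\n", n.c_str());
    return (a.javah_names.empty() && a.has_onload) ? 0 : 1;
}
```

A non-zero exit status from this check in the build pipeline means either a javah-style symbol leaked (a source file was compiled without the hidden-visibility flag, or a static Java_ function is still present) or JNI_OnLoad lost its JNIEXPORT and the library would load but never register anything.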


Origin blog.csdn.net/weixin_33814685/article/details/90799045