update

src/androidSystemLibrary/libart/RegisterNatives.ts

@@ -1,38 +1,36 @@
-"use strict";
+'use strict';
 
+import { Log } from '../../utils/logger.js';
 
 export function find_RegisterNatives() {
-  Process.getModuleByName("libart.so").enumerateSymbols().forEach(symbol => {
-    if (symbol.name.indexOf("art") >= 0 &&
-        symbol.name.indexOf("JNI") >= 0 &&
-        symbol.name.indexOf("RegisterNatives") >= 0 &&
-        symbol.name.indexOf("CheckJNI") < 0) {
-      console.log("RegisterNatives is at ", symbol.address, symbol.name);
-      if (!symbol.address) {
-        hook_RegisterNatives(symbol.address);
+  Process.getModuleByName('libart.so').enumerateSymbols()
+    .forEach(symbol => {
+      if (symbol.name.includes('art') &&
+        symbol.name.includes('JNI') &&
+        symbol.name.includes('RegisterNatives') &&
+        !symbol.name.includes('CheckJNI')) {
+        Log.d(`RegisterNatives`, JSON.stringify(symbol));
+        if (symbol.address) {
+          hook_RegisterNatives(symbol.address);
+        }
       }
-    }
-  });
+    });
 }
 
 function hook_RegisterNatives(register_natives_address: NativePointer) {
   Interceptor.attach(register_natives_address, {
-    onEnter(args): void {
-      console.log("[RegisterNatives] method_count:", args[3]);
-      let java_class = args[1];
-      let class_name = Java.vm.tryGetEnv().getClassName(java_class);
+    onEnter: function (args) {
+      const java_class = args[1];
+      const class_name = Java.vm.tryGetEnv().getClassName(java_class);
+      const methods_ptr = args[2].readPointer();
 
-      let methods_ptr: NativePointer = args[2].readPointer();
-      let method_count = parseInt(args[3] as any);
-      for (let i = 0; i < method_count; i++) {
-        let name_ptr = methods_ptr.add(i * Process.pointerSize * 3).readPointer();
-        let sig_ptr = methods_ptr.add(i * Process.pointerSize * 3 + Process.pointerSize).readPointer();
-        let fnPtr_ptr = methods_ptr.add(i * Process.pointerSize * 3 + Process.pointerSize * 2).readPointer();
+      for (let i = 0; i < parseInt(args[3].toString()); i++) {
+        const name_ptr = methods_ptr.add(i * Process.pointerSize * 3);
+        const sig_ptr = methods_ptr.add(i * Process.pointerSize * 3 + Process.pointerSize);
+        const fnPtr_ptr = methods_ptr.add(i * Process.pointerSize * 3 + Process.pointerSize * 2);
+        const symbol = DebugSymbol.fromAddress(fnPtr_ptr);
 
-        let name = name_ptr.readCString();
-        let sig = sig_ptr.readCString();
-        let symbol = DebugSymbol.fromAddress(fnPtr_ptr);
-        console.log("[RegisterNatives] java_class:", class_name, "name:", name, "sig:", sig, "fnPtr:", fnPtr_ptr, " fnOffset:", symbol, " callee:", DebugSymbol.fromAddress(this.returnAddress));
+        Log.i(`RegisterNatives`, `java_class ${class_name} name:${name_ptr.readCString()} sig:${sig_ptr.readCString()} fnPtr:${fnPtr_ptr} fnOffset:${symbol} callee: ${DebugSymbol.fromAddress(this.returnAddress)}`);
       }
     },
   });

src/androidSystemLibrary/libart/art.ts

@@ -3,7 +3,7 @@
 import { Log } from "../../utils/logger.js";
 
 
-export function libart(filterSoName: string) {
+export function hook_libart(filterSoName: string) {
   Process.getModuleByName("libart.so").enumerateSymbols().forEach(symbol => {
     if (symbol.name.includes("_ZN3art3JNIILb0")
         && symbol.name.includes("JNI")

src/androidSystemLibrary/libart/artMethod.ts

@@ -1,31 +0,0 @@
-// "use strict";
-//
-//
-//
-// export function hook_native() {
-//   Process.getModuleByName("libart.so").enumerateSymbols().forEach(symbol => {
-//
-//     if (symbol.name.includes("ArtMethod")
-//         && symbol.name.includes("Invoke")
-//         && symbol.name.includes("Thread")
-//         && symbol.name.indexOf("ArtMethod") < symbol.name.indexOf("Invoke")
-//         && symbol.name.indexOf("Invoke") < symbol.name.indexOf("Thread")
-//     ) {
-//       console.log(symbol.name);
-//       Interceptor.attach(symbol.address, {
-//         onEnter: function (args) {
-//           const method_name = prettyMethod(args[0], 0);
-//           if (!method_name.startsWith("java.")
-//               || !method_name.startsWith("java.")
-//           ) {
-//             console.log("ArtMethod Invoke:" + method_name + "  called from:\n" +
-//                 Thread.backtrace(this.context, Backtracer.ACCURATE)
-//                 .map(DebugSymbol.fromAddress).join("\n") + "\n");
-//
-//           }
-//         },
-//       });
-//     }
-//   });
-// }
-//

src/main.ts

@@ -1,20 +1,14 @@
 'use strict';
 
-import { enumerateMethod } from './utils/classMethodRoam.js';
 import { Log } from './utils/logger.js';
+import { find_RegisterNatives } from './androidSystemLibrary/libart/RegisterNatives.js';
 
 setImmediate(function main() {
   Log.d(``, `Frida Injection successful!!!`);
   try {
-    if (Java.available) {
-      JavaHandler();
-    }
-    if (Kernel.available) {
-      KernelHandler()
-    }
-    if (ObjC.available) {
-      ObjCHandler()
-    }
+    JavaHandler();
+    KernelHandler();
+    ObjCHandler();
   } catch (e) {
     Log.e(`main error`, e);
   }
@@ -25,25 +19,25 @@ function JavaHandler() {
   Java.perform(function () {
     Watch();
     // ActivityInfo();
-    const results = enumerateMethod(Java.use('java.lang.String'));
-    results.forEach(result => {
-      Log.i(`enumerateMethod`, `java.lang.String method name: ${result}`);
-    });
+    // const results = enumerateMethod(Java.use('java.lang.String'));
+    // results.forEach(result => {
+    //   Log.i(`enumerateMethod`, `java.lang.String method name: ${result}`);
+    // });
   });
 }
+
 function Watch() {
   // throw new Error("Function not implemented.");
   // todo: from jadx generate hook code
 }
 
-
 // // ### KernelHandler ###
-function KernelHandler():void {
-
+function KernelHandler(): void {
+  find_RegisterNatives();
 }
 
 // // ### ObjCHandler ###
-function ObjCHandler():void {
+function ObjCHandler(): void {
 
 }
 

src/utils/logger.ts

@@ -11,7 +11,7 @@ export class Log {
    * @param str
    */
   static t(tag: String, str: any): void {
-    console.trace(`${formatDateWithMilliseconds()} [TRACE] ${tag} ${str}`);
+    console.trace(`${formatDateWithMilliseconds()} [TRACE] [${tag}] ${str}`);
   }
 
   /**
@@ -20,7 +20,7 @@ export class Log {
    * @param str
    */
   static d(tag: String, str: any): void {
-    console.debug(`${formatDateWithMilliseconds()} [DEBUG] ${tag} ${str}`);
+    console.debug(`${formatDateWithMilliseconds()} [DEBUG] [${tag}] ${str}`);
   }
 
   /**
@@ -29,7 +29,7 @@ export class Log {
    * @param str
    */
   static i(tag: string, str: any): void {
-    console.info(`${formatDateWithMilliseconds()} [INFO] ${tag} ${str}`);
+    console.info(`${formatDateWithMilliseconds()} [INFO] [${tag}] ${str}`);
   }
 
 
@@ -39,7 +39,7 @@ export class Log {
    * @param str
    */
   static w(tag: String, str: any): void {
-    console.warn(`${formatDateWithMilliseconds()} [WARM] ${tag} ${str}`);
+    console.warn(`${formatDateWithMilliseconds()} [WARM] [${tag}] ${str}`);
   }
 
   /**
@@ -48,7 +48,7 @@ export class Log {
    * @param str
    */
   static e(tag: String, str: any): void {
-    console.error(`${formatDateWithMilliseconds()} [ERROR] ${tag} ${str}`);
+    console.error(`${formatDateWithMilliseconds()} [ERROR] [${tag}] ${str}`);
   }
 }
 

src/utils/typeConversion.ts

@@ -0,0 +1,64 @@
+'use strict';
+
+/**
+ * utf8ByteToUnicodeStr
+ * @see https://github.com/saucer-man/frida_example
+ * @param {[]} utf8Bytes
+ * @returns {string}
+ */
+export function utf8ByteToUnicodeStr(utf8Bytes: []) {
+  let unicodeStr = '';
+  for (let pos = 0; pos < utf8Bytes.length;) {
+    let flag = utf8Bytes[pos];
+    let unicode = 0;
+    if ((flag >>> 7) === 0) {
+      unicodeStr += String.fromCharCode(utf8Bytes[pos]);
+      pos += 1;
+
+    } else if ((flag & 0xFC) === 0xFC) {
+      unicode = (utf8Bytes[pos] & 0x3) << 30;
+      unicode |= (utf8Bytes[pos + 1] & 0x3F) << 24;
+      unicode |= (utf8Bytes[pos + 2] & 0x3F) << 18;
+      unicode |= (utf8Bytes[pos + 3] & 0x3F) << 12;
+      unicode |= (utf8Bytes[pos + 4] & 0x3F) << 6;
+      unicode |= (utf8Bytes[pos + 5] & 0x3F);
+      unicodeStr += String.fromCharCode(unicode);
+      pos += 6;
+
+    } else if ((flag & 0xF8) === 0xF8) {
+      unicode = (utf8Bytes[pos] & 0x7) << 24;
+      unicode |= (utf8Bytes[pos + 1] & 0x3F) << 18;
+      unicode |= (utf8Bytes[pos + 2] & 0x3F) << 12;
+      unicode |= (utf8Bytes[pos + 3] & 0x3F) << 6;
+      unicode |= (utf8Bytes[pos + 4] & 0x3F);
+      unicodeStr += String.fromCharCode(unicode);
+      pos += 5;
+
+    } else if ((flag & 0xF0) === 0xF0) {
+      unicode = (utf8Bytes[pos] & 0xF) << 18;
+      unicode |= (utf8Bytes[pos + 1] & 0x3F) << 12;
+      unicode |= (utf8Bytes[pos + 2] & 0x3F) << 6;
+      unicode |= (utf8Bytes[pos + 3] & 0x3F);
+      unicodeStr += String.fromCharCode(unicode);
+      pos += 4;
+
+    } else if ((flag & 0xE0) === 0xE0) {
+      unicode = (utf8Bytes[pos] & 0x1F) << 12;
+      unicode |= (utf8Bytes[pos + 1] & 0x3F) << 6;
+      unicode |= (utf8Bytes[pos + 2] & 0x3F);
+      unicodeStr += String.fromCharCode(unicode);
+      pos += 3;
+
+    } else if ((flag & 0xC0) === 0xC0) { //110
+      unicode = (utf8Bytes[pos] & 0x3F) << 6;
+      unicode |= (utf8Bytes[pos + 1] & 0x3F);
+      unicodeStr += String.fromCharCode(unicode);
+      pos += 2;
+
+    } else {
+      unicodeStr += String.fromCharCode(utf8Bytes[pos]);
+      pos += 1;
+    }
+  }
+  return unicodeStr;
+}

tsconfig.json

@@ -1,9 +1,9 @@
 {
   "compilerOptions": {
     "incremental": true,
-    "target": "ES2021",
+    "target": "ES6",
     "lib": [
-      "ES2021"
+      "ES6"
     ],
     "module": "Node16",
     "moduleResolution": "Node16",