概要
libil2cpp使用のモバイルセキュリティ診断時、よく使えるFRIDA用スクリプト
メソッドのoffset(今回は0x000068)を把握した後、そのメソッドの戻り値(Return)を0にする。
コード
arm64-v8a
change64.js
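Java.perform(function () {
  // Overwrites the first two instructions of one libil2cpp.so method on
  // arm64-v8a so that it returns 0 immediately:
  //   base + 0x68: mov x0, #0x0
  //   base + 0x6C: ret
  // The offsets belong to the specific binary analysed for this write-up and
  // must be re-derived for every other build of the library.
  console.log("hooking start");

  var moduleName = 'libil2cpp.so';
  var patchSize = 4; // every A64 instruction is exactly 4 bytes

  // findBaseAddress() returns null while the library is not mapped yet;
  // calling .add() on null would throw, so stop with a clear message instead.
  var base = Module.findBaseAddress(moduleName);
  if (base === null) {
    console.log(moduleName + " is not loaded; nothing patched");
    return;
  }

  // putInstruction() takes the 32-bit instruction word as a number and the
  // writer stores it little-endian. The value therefore has to be the word
  // itself (0xD2800000), not the in-memory byte sequence "00 00 80 D2" read
  // left to right (0x000080D2), which does not encode mov x0, #0.
  var patches = [
    { offset: 0x000068, insn: 0xD2800000 }, // opcode: mov x0,#0x0
    { offset: 0x00006C, insn: 0xD65F03C0 }  // opcode: ret
  ];

  patches.forEach(function (patch) {
    var target = base.add(patch.offset);
    Memory.patchCode(target, patchSize, function (code) {
      // pc is set to the real address so the writer knows where the code runs
      var writer = new Arm64Writer(code, { pc: target });
      writer.putInstruction(patch.insn);
      writer.flush();
    });
  });
});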
armeabi-v7a
change32.js
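Java.perform(function () {
  // Overwrites the first two instructions of one libil2cpp.so method on
  // armeabi-v7a so that it returns 0 immediately:
  //   base + 0x68: mov r0, #0x0
  //   base + 0x6C: bx lr
  // The offsets belong to the specific binary analysed for this write-up and
  // must be re-derived for every other build of the library.
  // NOTE(review): ArmWriter emits 32-bit ARM (A32) instructions, so this
  // assumes the target method is A32 code; a Thumb-mode method would need
  // ThumbWriter and Thumb encodings instead. Confirm in the disassembly.
  console.log("hooking start");

  var moduleName = 'libil2cpp.so';
  var patchSize = 4; // one A32 instruction is 4 bytes

  // findBaseAddress() returns null while the library is not mapped yet;
  // calling .add() on null would throw, so stop with a clear message instead.
  var base = Module.findBaseAddress(moduleName);
  if (base === null) {
    console.log(moduleName + " is not loaded; nothing patched");
    return;
  }

  // putInstruction() takes the 32-bit instruction word as a number and the
  // writer stores it little-endian. The value therefore has to be the word
  // itself (0xE3A00000), not the in-memory byte sequence "00 00 A0 E3" read
  // left to right (0x0000A0E3), which does not encode mov r0, #0.
  var patches = [
    { offset: 0x000068, insn: 0xE3A00000 }, // opcode: mov r0,#0x0
    { offset: 0x00006C, insn: 0xE12FFF1E }  // opcode: bx lr
  ];

  patches.forEach(function (patch) {
    var target = base.add(patch.offset);
    Memory.patchCode(target, patchSize, function (code) {
      // pc is set to the real address so the writer knows where the code runs
      var writer = new ArmWriter(code, { pc: target });
      writer.putInstruction(patch.insn);
      writer.flush();
    });
  });
});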