so Android

Android 非Root设备下调试so

准备工作

手机：Google Pixel 3 Android 11, API 30
工具：IDA 7.0、Android Studio
电脑系统：win10

写一个C++ demo

稍微改动下代码，点击Hello World调用c++

class MainActivity : AppCompatActivity() {

@SuppressLint("SetTextI18n")
override fun onCreate(savedInstanceState: Bundle?) {
super.onCreate(savedInstanceState)

        setContentView(R.layout.activity_main)

// Example of a call to a native method

        sample_text.setOnClickListener {

            sample_text.text = stringFromJNI() + intFromJNI()

        }

    }

/**

     * A native method that is implemented by the 'native-lib' native library,

     * which is packaged with this application.

     */
private external fun stringFromJNI(): String

private external fun intFromJNI(): Int

companion object {
// Used to load the 'native-lib' library on application startup.
init {

            System.loadLibrary("native-lib")

        }

    }

}

native-lib.cpp代码

#include <jni.h>
#include <string>

int test_add();

extern "C" JNIEXPORT jstring JNICALL
Java_com_example_testcpp_MainActivity_stringFromJNI(

        JNIEnv *env,

        jobject /* this */) {

    std::string hello = "Hello from C++ ";
return env->NewStringUTF(hello.c_str());

}

extern "C" JNIEXPORT jint JNICALL
Java_com_example_testcpp_MainActivity_intFromJNI(JNIEnv *env, jobject thiz) {
int ret = test_add();
return (jint)ret;

}

int test_add() {
return 1 + 1;

}

运行效果（左），点击后（右）

74262ef7fa7f4b3c9519db36c5553336~tplv-k3u1fbpfcp-watermark.awebp

28471f0ad96c481a8c87b00e54ad7fe4~tplv-k3u1fbpfcp-watermark.awebp

将IDA目录dbgsrv下的android_server64放到Android应用目录下

这里要注意看手机是多少位的，我是64位就用64位的android_server64

通过Android Studio的Device File Explorer upload到对应的应用目录下，这个目录没有root权限通过adb是不能push文件进去

打开终端进入adb shell启动android_server

C:\Users\Administrator\Desktop\fby>adb shell

* daemon not running; starting now at tcp:5037

* daemon started successfully

blueline:/ $

这里有个关键步骤，如果直接进入到/data/data/com.example.testcpp是没有权限的，也就不能启动android_server

blueline:/ $ cd data/data/com.example.testcpp

/system/bin/sh: cd: /data/data/com.example.testcpp: Permission denied

执行run-as com.example.testcpp，进入到了应用目录，ls看下当前目录，然后启动android_server

2|blueline:/ $ run-as com.example.testcpp

blueline:/data/user/0/com.example.testcpp $ ls

android_server64  cache  code_cache  databases  files  no_backup  shared_prefs

blueline:/data/user/0/com.example.testcpp $ ./android_server64

IDA Android 64-bit remote debug server(ST) v1.22. Hex-Rays (c) 2004-2017

Listening on 0.0.0.0:23946...

再打开一个终端，转发端口23946

C:\Users\Administrator>adb forward tcp:23946 tcp:23946

23946

打开IDA64 attch进程

点击ok进入到调试页面，这里已经进入断点，按F9让程序执行

在Modules窗口找到自己写的那个native-lib.so，下断点

app上点击Hello World，进入到断点

0

2021-09-09

0 个评论

要回复文章请先登录或注册