Follow ghost Brother to learn how to modify so. 2. Perform the article, so

Follow ghost Brother to learn how to modify so. 2. Perform the article, so

Figure/story

Continue with the above content ----------------------------------

0x1: writing test files

After the basic learning of the previous article, we start to use it.

Now that we can define a String in so, we can also define data of the int type. Here we define a getCoin method, and the return value is of the int type. As follows:

JNIEXPORT jint JNICALL Java_com_ggndktest1_JniGg_getCoin

(JNIEnv * env, jobject this)

{

 

Int c = 100;

 

Return c;

 

}

 

Write java code at the same time:

 

Static public native int getCoin ();

 

You can add these two methods on the basis of our previous article. Of course, to be proficient in creating an ndk project, you can also recreate the project.

Then we switch to the project root directory under shell:

 

In this way, the so file is successfully generated.

Then we simply define the layout in xml, simple, and directly under layout.

<TextView

Android: id = "@ + id/coin"

Android: layout_width = "wrap_content"

Android: layout_height = "wrap_content"

Android: text = ""/>

Add a TextView, set the id to coin, and then reference it in the main class.

In this case, run the program and check the effect.

0x2: Clear task

Now we need to do a task to modify the number of gold coins in the above program.

We take out the unsigned apk directly under the bin directory of the project. We can ignore the signature in the analysis. We will take out the so file under lib/armeabi and drag it into IDA for analysis.

 

0x3: suspend IDA for analysis

(Assume that we do not know the source code of the program)

Through the run above, we can analyze the keyword "Current Coin". We searched for the decompiled program and found that it only exists in the so file. In this way, we can search for strings in IDA directly.

Shortcut Key Shift + F12

Locate its reference

I have nothing to explain. I Just load the string and have no important information. I cannot find out where the gold coins are defined. So let's take a look at the references.

It is found that there is no function in the so file to call this method, so we will return to java to see how the java statement calls it and what the context is.

After checking that the printhello method is defined in JniGg. smali and called in MainActivity, let's look at the code in detail:

After a simple description, you can see it clearly.

Here we find a key function, the getCoin method, which is also found in the so file by searching up. Now we will return to IDA again:

Enable General in Options, that is, the first option. The settings are as follows:

Then we can see:

This is the Thumb command, so we need to use Thumb for modification.

To define a value in one byte, we can only use the maximum ff, that is, 255, So open it in the hexadecimal Editor, jump to the c04 location, change to FF 20, then put back the program, sign, run.

Okay, it indicates that our modification is successful.

0x4: Reflection

Since we are writing our own source code, we can make a good comparison and consideration. This process is left for the students to think for themselves. please spend 10 minutes, compare the methods written in the Code with the de-assembly code in so to enhance the familiarity.

In addition:

In the above apk, there are other cracking methods, that is, we have found the call to the java layer, so we can directly modify the return value of the method called at the java layer, and the effect is also the same. It can be changed to an infinitely large value.

Attachment address:

Http://pan.baidu.com/s/1i3wzetf

The article is also submitted to www.pd521.com for initial release. Please indicate the source for reprinting.