Android reinforcement series-5. Learn to crack before reinforcement, hook (hook) jni layer system api, androidjni

Android reinforcement series-5. Learn to crack before reinforcement, hook (hook) jni layer system api, androidjni

[All Rights Reserved. For more information, see the source. Source: http://www.cnblogs.com/joey-#/p/5138585.html]

Key code of crackme project jni (for the Project address, see the bottom of the article), get the package name com. example. shelldemo and com. example. compared with nocrack, the normal running result is this app is illegal. Here the content of the attack is the hook strcmp function to modify the function return value and change the program to running successfully.

 

1. Tool Introduction

Eclipse + ndk, compile jni source code

Cmd window

 

2. Preparations

Mobile phone root.

Before compiling the following c files, you need to modify them by yourself.

 

Com. example. crackme-2 may be com. example. crackme-1

A. compile and transmit inject. c

Input in Android. mk and compile and generate inject:

LOCAL_PATH := $(call my-dir)  include $(CLEAR_VARS)  LOCAL_MODULE := inject   LOCAL_SRC_FILES := inject.c   LOCAL_LDLIBS += -L$(SYSROOT)/usr/lib -llog  include $(BUILD_EXECUTABLE)

 

Open the cmd command window, enter the directory of the file, and enter:

Adb push inject/data/local/tmp

Push the file inject to the/data/local/tmp directory of the mobile phone.

 

B. compile and transmit mystrcmp. c

Input and compile libmystrcmp. so in Android. mk:

LOCAL_PATH := $(call my-dir)  include $(CLEAR_VARS)  LOCAL_LDLIBS += -L$(SYSROOT)/usr/lib -llog -lEGL  LOCAL_MODULE    := mystrcmp  LOCAL_SRC_FILES := mystrcmp.c  include $(BUILD_SHARED_LIBRARY)

 

In the command window, enter:

Adb push libmystrcmp. so/data/local/tmp

 

 

3. Start hook

Start crackme on your phone, open a new command window on the pc, and enter:

Adb shell

Su

Cd/data/local/tmp

Chmod 777 *

Ps | grep com. example. crackme

./Inject 3166 (here it corresponds to the pid of your process)

 

At this time, observe the INJECT label of eclipse logcat and you will find

 

Observe com. example. crackme

 

It indicates that the injection is successful and the strcmp function is found. The complete meaning is that our libstrcmp. so has been injected into the com. example. crackme process. In addition, we replaced the strcmp function address with the strcmp function address. Please refer to the key code:

got_item = *(uint32_t *)(out_addr + i);                    if (got_item  == old_strcmp) {                        LOGD("Found strcmp in got\n");                        got_found = 1;                        uint32_t page_size = getpagesize();                        uint32_t entry_page_start = (out_addr + i) & (~(page_size - 1));                        mprotect((uint32_t *)entry_page_start, page_size, PROT_READ | PROT_WRITE);                        *(uint32_t *)(out_addr + i) = new_strcmp;

Now it has succeeded, so run it. First, press enter in the Command window.

 

Then, click "check for crack" on the phone"

 

In this case, the custom strcmp is called and two passed string parameters are obtained, and the success 0 is always returned. See the key code:

 

The program has been cracked.

 

 

【Crackme Project address]

【Hook Project address]