Android hardening series 5: learn to crack before hardening, hooking a JNI-layer system API
[All Rights Reserved. For more information, see the source. Source: http://www.cnblogs.com/joey-#/p/5138585.html]
The key code is in the crackme project's JNI layer (project address at the bottom of the article): it reads the package name and compares it with com.example.shelldemo and com.example.nocrack, so when run normally the result is "this app is illegal". The attack here is to hook the strcmp function, change its return value, and make the program report that it ran successfully.
1. Tool introduction
Eclipse + NDK, to compile the JNI source code
A cmd window
2. Preparations
A rooted phone.
Before compiling the C files below, modify them to match your own device: com.example.crackme-2 may be com.example.crackme-1 on yours.
A. Compile and push inject.c
Put the following in Android.mk, then compile to produce inject:
    LOCAL_PATH := $(call my-dir)
    include $(CLEAR_VARS)
    LOCAL_MODULE := inject
    LOCAL_SRC_FILES := inject.c
    LOCAL_LDLIBS += -L$(SYSROOT)/usr/lib -llog
    include $(BUILD_EXECUTABLE)
Open a cmd window, change to the directory containing the file, and enter:
    adb push inject /data/local/tmp
This pushes the inject file to the phone's /data/local/tmp directory.
B. Compile and push mystrcmp.c
Put the following in Android.mk, then compile to produce libmystrcmp.so:
    LOCAL_PATH := $(call my-dir)
    include $(CLEAR_VARS)
    LOCAL_LDLIBS += -L$(SYSROOT)/usr/lib -llog -lEGL
    LOCAL_MODULE := mystrcmp
    LOCAL_SRC_FILES := mystrcmp.c
    include $(BUILD_SHARED_LIBRARY)
In the command window, enter:
    adb push libmystrcmp.so /data/local/tmp
3. Start the hook
Start crackme on the phone, open a new command window on the PC, and enter:
    adb shell
    su
    cd /data/local/tmp
    chmod 777 *
    ps | grep com.example.crackme
    ./inject 3166      (3166 is the pid of your crackme process; use your own)
At this point, observe the INJECT tag in the Eclipse logcat, and you will find the following.
Then observe the com.example.crackme tag.
This shows that the injection succeeded and the strcmp function was found. In full: our libmystrcmp.so has been injected into the com.example.crackme process, and the GOT entry holding the address of libc's strcmp has been replaced with the address of our own strcmp. See the key code:
    /* out_addr: start of the GOT; i: byte offset of the entry being examined */
    got_item = *(uint32_t *)(out_addr + i);
    if (got_item == old_strcmp) {
        LOGD("Found strcmp in got\n");
        got_found = 1;
        /* the GOT page is normally read-only: make it writable before patching */
        uint32_t page_size = getpagesize();
        uint32_t entry_page_start = (out_addr + i) & (~(page_size - 1));
        mprotect((void *)entry_page_start, page_size, PROT_READ | PROT_WRITE);
        /* overwrite libc's strcmp address with the address of our strcmp */
        *(uint32_t *)(out_addr + i) = new_strcmp;
    }
Now that this has succeeded, run it. First press Enter in the command window.
Then tap "check for crack" on the phone.
At this point the custom strcmp is called instead: it receives the two string arguments that were passed, and always returns 0 (success). See the key code:
The program has been cracked.
[Crackme project address]
[Hook project address]