In general, much of the checksum code in APKs loads some dynamic .so libraries at runtime and then executes the checksum routines inside those libraries. So, to get past the program's checksum, we must set the breakpoint before these functions execute; the ideal place is a breakpoint at the JNI_OnLoad entry function.
The detailed steps on the 2.3.3 emulator are as follows:
① In a console, enter the phone with adb shell, then use am start -D -n <package name>/<class name> to start the APK in debug mode, where it waits for a debugger to attach;
A note on how the "package name/class name" argument is written:
# am start -n {package name}/{package name}.{Activity name}
The entry class of the program can be found in each application's AndroidManifest.xml file. Taking the Calculator as an example, its manifest contains:
<manifest xmlns:android="http://schemas.android.com/apk/res/android" ...
package="com.android.calculator2" ...
The start command for the Calculator is therefore: # am start -n com.android.calculator2/com.android.calculator2.Calculator
For the HelloActivity sample project, AndroidManifest.xml looks like this:
<manifest ...
package="com.example.android.helloactivity" ...>
The start command for it is:
# am start -n com.example.android.helloactivity/com.example.android.helloactivity.HelloActivity
② Use adb to push android_server from IDA (mine is 6.1) to the phone's /data/local/tmp directory:
adb push android_server /data/local/tmp
# Then grant execute permission
adb shell
cd /data/local/tmp
chmod 777 android_server
# run android_server
./android_server
③ In another cmd window, run adb forward tcp:23946 tcp:23946 to forward the debugger port.
④ Start the IDA main program, click the menu Debugger->Attach->Remote ARMLinux/Android debugger, and in the debugger dialog enter localhost in the Hostname field.
Click OK, then in the IDA pop-up window select the process you want to attach to and click OK.
⑤ Click the menu Debugger->Debugger options; in the Events section of the Debugger setup window, tick Stop on thread start/exit and Stop on library load/unload, then click OK. This makes the program break automatically when it creates new threads and when it loads a .so.
⑥ Get the port number of the corresponding process through DDMS, then connect with jdb -connect com.sun.jdi.SocketAttach:hostname=127.0.0.1,port=8700 (the port number is the one shown in DDMS, generally 8700);
⑦ After the connection succeeds, press F9 in IDA; the "Waiting for debugger" prompt on the phone disappears automatically, and the program should have broken at a new thread or a library load.
⑧ Now press Ctrl+S in IDA to check whether the .so you want to debug has already been loaded. If not, press F9 until it has. Once it is loaded, note the start address of the .so, open the .so library in another IDA instance for static analysis and find the offset of JNI_OnLoad; the real address of the JNI_OnLoad function in the process is then so.start + jni_onload_offset.
A point to explain here: in the Ctrl+S window there may be two segments with the same .so name; choose the one with RX permissions. RX is usually the code segment, RW is generally the data segment.
After obtaining the real address, press G in IDA to jump to it, then press F2 to set the breakpoint at the entrance of JNI_OnLoad.
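As an added example (not from the original tutorial), the following plain Python script mirrors step ⑧ and the RX/RW note: it parses constructed /proc/<pid>/maps lines, picks the executable mapping of the library (skipping the duplicate RW entry), and adds the JNI_OnLoad offset taken from the static IDA view. The library names, addresses and the 0x1a2c offset are all constructed.

```python
import re

# Constructed sample of /proc/<pid>/maps output. Like IDA's Ctrl+S segment
# list, the same .so appears twice: the executable code mapping (r-xp) and
# the writable data mapping (rw-p). Paths, addresses and inodes are made up.
SAMPLE_MAPS = """\
40010000-40012000 r-xp 00000000 b3:19 1234       /system/lib/libcutils.so
40012000-40013000 rw-p 00002000 b3:19 1234       /system/lib/libcutils.so
5c3f0000-5c3f5000 r-xp 00000000 b3:19 5678       /data/data/com.example.app/lib/libcheck.so
5c3f5000-5c3f6000 rw-p 00005000 b3:19 5678       /data/data/com.example.app/lib/libcheck.so
"""

# start-end perms offset dev inode [path]
MAPS_RE = re.compile(
    r'^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+\S+\s+\d+\s*(\S*)$')

def parse_maps(text):
    """Yield (start, end, perms, file_offset, path) for every maps-style line."""
    for line in text.splitlines():
        m = MAPS_RE.match(line.strip())
        if m:
            yield (int(m.group(1), 16), int(m.group(2), 16),
                   m.group(3), int(m.group(4), 16), m.group(5))

def mappings_of(text, so_name):
    """All mappings of so_name as (start, perms), in address order."""
    return [(s, perms) for s, _e, perms, _off, path in parse_maps(text)
            if path.endswith('/' + so_name)]

def so_code_base(text, so_name):
    """Start of the executable (RX) mapping of so_name, or None if not loaded.
    The RW mapping is skipped on purpose: it is the data segment, and the
    static JNI_OnLoad offset is relative to the code segment's base."""
    for start, perms in mappings_of(text, so_name):
        if perms[2] == 'x':
            return start
    return None

def jni_onload_address(text, so_name, jni_onload_offset):
    """so.start + jni_onload_offset, assuming (as in the tutorial) that IDA
    analysed the .so at image base 0 and its code is mapped from file offset 0."""
    base = so_code_base(text, so_name)
    if base is None:
        return None  # not loaded yet: keep pressing F9 until it appears
    return base + jni_onload_offset

if __name__ == '__main__':
    # 0x1a2c is a constructed JNI_OnLoad offset, as read from the static IDA view.
    print(hex(jni_onload_address(SAMPLE_MAPS, 'libcheck.so', 0x1a2c)))
```

On a real device the same functions can be fed the output of cat /proc/<pid>/maps from the adb shell; a None result means the library has not been loaded yet.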