// Set to false to silence the Java stack trace that log() prints on every
// android_id lookup; the lookup itself (key + returned value) is still logged.
let enablePrintStackTrace = true;
// Entry point: Frida runs this callback once the Java VM is attached.
// Each (re)load prints the banner, installs the Java-side Settings$Secure hook
// and then the native JNI GetStaticMethodID hook in libart.so.
Java.perform(() => {
  console.log('重新加载脚本');
  hookAndroidId();
  exportSoMethod("libart.so");
});
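/**
 * Replaces android.provider.Settings$Secure.getString() with a wrapper that
 * forwards to the original implementation and, when the requested key is
 * "android_id", logs the returned value and (while enablePrintStackTrace is
 * true) the Java call stack so the reader of the identifier can be attributed.
 *
 * The hook is transparent: the original return value is passed through
 * unchanged for every key, including "android_id". In the sample log a JNI
 * caller shows up with `Settings$Secure.getString(Native Method)` as the only
 * frame, or with a `native…()` Java frame directly below it.
 */
function hookAndroidId() {
  const ANDROID_ID = "android_id";
  const Secure = Java.use("android.provider.Settings$Secure");
  // Regular function on purpose: Frida binds `this` to the hooked class so
  // `this.getString` reaches the original implementation.
  Secure.getString.implementation = function (resolver, name) {
    const result = this.getString(resolver, name);
    // Frida hands java.lang.String arguments to JS as plain strings, so strict
    // equality is the correct comparison (the original used loose `==`).
    if (name === ANDROID_ID) {
      console.log("getString 获取 androidID: " + result);
      log();
    }
    return result;
  };
}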
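/**
 * Hooks every `GetStaticMethodID` symbol exported by `module_name` (for
 * libart.so that is the CheckJNI variant plus the JNI<false>/JNI<true>
 * instantiations) and, whenever native code looks up a method named
 * `getString`, prints the class handle, the requested signature and a native
 * backtrace of the caller.
 *
 * The hook fires at method-ID *lookup*, not at the actual invocation, so a hit
 * shows which .so resolved `getString` but does not by itself prove it called
 * it; pair it with the Java-side hook in hookAndroidId() to confirm the call.
 *
 * @param {string} module_name - Name of a loaded module, e.g. "libart.so".
 * @throws {Error} if the module is not loaded in the target process.
 */
function exportSoMethod(module_name) {
  // findModuleByName() returns null for an unloaded module; fail with a
  // readable message instead of a bare TypeError from enumerateSymbols().
  const module = Process.findModuleByName(module_name);
  if (module === null) {
    throw new Error(`module not loaded: ${module_name}`);
  }
  module.enumerateSymbols().forEach((sym) => {
    // Matches every GetStaticMethodID symbol so the hook catches
    //   env->GetStaticMethodID(secureClass, "getString",
    //     "(Landroid/content/ContentResolver;Ljava/lang/String;)Ljava/lang/String;");
    // regardless of which JNI function table (CheckJNI or not) is active.
    if (!sym.name.includes("GetStaticMethodID")) {
      return;
    }
    const address = sym.address;
    console.log(`[name]: ${sym.name} \n\t[address]: ${address}\n`);
    // sym.address is a NativePointer object and therefore always truthy; the
    // meaningful check is whether it points at NULL.
    if (address.isNull()) {
      return;
    }
    Interceptor.attach(address, {
      // Must stay a regular function: Frida supplies `this.context` to onEnter.
      onEnter: function (args) {
        // JNI signature: (JNIEnv* env, jclass clazz, const char* name, const char* sig)
        const targetClass = args[1];
        // Guard NULL name/sig pointers before dereferencing them.
        const methodName = args[2].isNull() ? null : args[2].readCString();
        const methodSig = args[3].isNull() ? null : args[3].readCString();
        if (methodName !== "getString") {
          return;
        }
        // `targetClass` is a jclass local reference (an indirect-reference
        // handle such as 0xc5 in the sample log), not a resolved class name;
        // it is printed only so hits can be correlated.
        console.log(`[targetClass]: ${targetClass} [methodName]: ${methodName} [methodSig]: ${methodSig}\n`);
        // Backtracer.ACCURATE walks frames reliably but may be slower;
        // Backtracer.FUZZY is faster but scans the stack heuristically, so its
        // output can include stale values that are not real callers.
        const nativeStack = Thread.backtrace(this.context, Backtracer.FUZZY)
          .map((addr) => DebugSymbol.fromAddress(addr))
          .join('\n');
        console.log(`[nativeStack]: ${nativeStack}\n`);
      }
    });
  });
}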
/**
 * Prints the current Java call stack, but only while the module-level
 * enablePrintStackTrace flag is true. A fresh java.lang.Throwable is created
 * and formatted with android.util.Log.getStackTraceString, which is why each
 * printed stack starts with a "java.lang.Throwable" line.
 */
function log() {
  if (!enablePrintStackTrace) {
    return;
  }
  const Log = Java.use("android.util.Log");
  const Throwable = Java.use("java.lang.Throwable");
  const stack = Log.getStackTraceString(Throwable.$new());
  console.log(stack);
}
日志输出示例:
[V2183A::com.dz.gslsz.honor ]-> 重新加载脚本
[name]: _ZN3art12_GLOBAL__N_18CheckJNI17GetStaticMethodIDEP7_JNIEnvP7_jclassPKcS7_.llvm.15913410659909574214
[address]: 0x6ef284b390
[name]: _ZN3art3JNIILb0EE17GetStaticMethodIDEP7_JNIEnvP7_jclassPKcS7_
[address]: 0x6ef28a0fb0
[name]: _ZN3art3JNIILb1EE17GetStaticMethodIDEP7_JNIEnvP7_jclassPKcS7_
[address]: 0x6ef2904a30
[V2183A::com.dz.gslsz.honor ]-> [targetClass]: 0xc5 [methodName]: getString [methodSig]: (Landroid/content/ContentResolver;Ljava/lang/String;)Ljava/lang/String;
[nativeStack]: 0x6e3cd4860c libnative-lib.so!0x112960c
0x6e3cd64594 libnative-lib.so!0x1145594
0x6e7c3fc740
0x6e7c3fc754
0x6e7c48f0bc
0x6e7c48f084
0x6e7c479260
0x6ef2b59f14 libart.so!NterpGetStaticField+0x84
0x6ef2b5a5d8 libart.so!NterpGetInstanceFieldOffset+0x68
0x6e3cd50ccc libnative-lib.so!0x1131ccc
0x6e3cd50cb4 libnative-lib.so!0x1131cb4
0x6ef260a258 libart.so!nterp_helper+0xf58
0x71929184 boot-framework.oat!0x406184
0x6ef2610970 libart.so!art_quick_invoke_stub+0x230
0x6ef267bbbc libart.so!_ZN3art9ArtMethod6InvokeEPNS_6ThreadEPjjPNS_6JValueEPKc+0xbc
0x6ef2a2cf48 libart.so!_ZN3art35InvokeVirtualOrInterfaceWithVarArgsIPNS_9ArtMethodEEENS_6JValueERKNS_33ScopedObjectAccessAlreadyRunnableEP8_jobjectT_St9__va_list+0x1d8
getString 获取 androidID: e3ab5e5a1d6e2063
java.lang.Throwable
at android.provider.Settings$Secure.getString(Native Method)
getString 获取 androidID: e3ab5e5a1d6e2063
java.lang.Throwable
at android.provider.Settings$Secure.getString(Native Method)
at com.umeng.commonsdk.statistics.common.DeviceConfig.getAndroidId(SourceFile:7)
at com.umeng.commonsdk.statistics.idtracking.b.f(SourceFile:1)
at com.umeng.commonsdk.statistics.idtracking.a.g(SourceFile:4)
at com.umeng.commonsdk.statistics.idtracking.a.a(SourceFile:1)
at com.umeng.commonsdk.statistics.idtracking.f.b(SourceFile:5)
at com.umeng.commonsdk.statistics.b.a(SourceFile:40)
at com.umeng.commonsdk.framework.UMEnvelopeBuild.buildEnvelopeWithExtHeader(SourceFile:18)
at com.umeng.commonsdk.framework.UMEnvelopeBuild.buildEnvelopeWithExtHeader(SourceFile:3)
at com.umeng.analytics.pro.q.j(SourceFile:6)
at com.umeng.analytics.pro.q.a(SourceFile:136)
at com.umeng.analytics.pro.q.c(SourceFile:3)
at com.umeng.analytics.pro.q.a(SourceFile:76)
at com.umeng.analytics.CoreProtocol.workEvent(SourceFile:1)
at com.umeng.commonsdk.framework.UMWorkDispatch.handleEvent(SourceFile:5)
at com.umeng.commonsdk.framework.UMWorkDispatch.access$000(SourceFile:1)
at com.umeng.commonsdk.framework.UMWorkDispatch$1.handleMessage(SourceFile:5)
at android.os.Handler.dispatchMessage(Handler.java:106)
at android.os.Looper.loopOnce(Looper.java:223)
at android.os.Looper.loop(Looper.java:324)
at android.os.HandlerThread.run(HandlerThread.java:67)
getString 获取 androidID: e3ab5e5a1d6e2063
java.lang.Throwable
at android.provider.Settings$Secure.getString(Native Method)
at com.reyun.tracking.a.a.c(Unknown Source:13)
at com.reyun.tracking.a.h.a(Unknown Source:151)
at com.reyun.tracking.a.h.a(Unknown Source:38)
at com.reyun.tracking.sdk.Tracking.setStartupInternal(Unknown Source:19)
at com.reyun.tracking.sdk.d.handleMessage(Unknown Source:139)
at android.os.Handler.dispatchMessage(Handler.java:106)
at android.os.Looper.loopOnce(Looper.java:223)
at android.os.Looper.loop(Looper.java:324)
at android.app.ActivityThread.main(ActivityThread.java:8524)
at android.app.ActivityThread.main(ActivityThread.java:8524)
at java.lang.reflect.Method.invoke(Native Method)
at java.lang.reflect.Method.invoke(Native Method)
at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:582)
at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:582)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:1059)
[targetClass]: 0x73da [methodName]: getString [methodSig]: (Landroid/content/ContentResolver;Ljava/lang/String;)Ljava/lang/String;
[targetClass]: 0x73da [methodName]: getString [methodSig]: (Landroid/content/ContentResolver;Ljava/lang/String;)Ljava/lang/String;
[nativeStack]: 0x6e39cd4d44 libunity.so!0x9e4d44
0x71708098 boot-framework.oat!0x1e5098
0x6e66ba69a8 base.odex!0xe39a8
0x6e66f2d674 base.odex!0x46a674
0x6e66f2d674 base.odex!0x46a674
0x6e66db99f0 base.odex!0x2f69f0
0x71b3c788 boot-framework.oat!0x619788
0x71b3fe28 boot-framework.oat!0x61ce28
0x71b3f948 boot-framework.oat!0x61c948
0x71b3bf6c boot-framework.oat!0x618f6c
0x6e66dba488 base.odex!0x2f7488
0x6ef2a771a0 libart.so!_ZN3art6Thread25InstallImplicitProtectionEv+0x80
0x6ef2610970 libart.so!art_quick_invoke_stub+0x230
0x6ef267bbbc libart.so!_ZN3art9ArtMethod6InvokeEPNS_6ThreadEPjjPNS_6JValueEPKc+0xbc
0x6ef267bbbc libart.so!_ZN3art9ArtMethod6InvokeEPNS_6ThreadEPjjPNS_6JValueEPKc+0xbc
0x718ce51468 libc.so!scudo_malloc+0x28
0x718ce512a8 libc.so!_ZN5scudo9AllocatorINS_13AndroidConfigEXadL_Z21scudo_malloc_postinitEEE10deallocateEPvNS_5Chunk6OriginEmm+0xd8
0x6ef2a2caf0 libart.so!_ZN3art35InvokeVirtualOrInterfaceWithJValuesIPNS_9ArtMethodEEENS_6JValueERKNS_33ScopedObjectAccessAlreadyRunnableEP8_jobjectT_PK6jvalue+0x1d0
getString 获取 androidID: e3ab5e5a1d6e2063
java.lang.Throwable
at android.provider.Settings$Secure.getString(Native Method)
at com.unity3d.player.UnityPlayer.nativeRender(Native Method)
at com.unity3d.player.UnityPlayer.access$300(Unknown Source:0)
at com.unity3d.player.UnityPlayer$e$1.handleMessage(Unknown Source:83)
at android.os.Handler.dispatchMessage(Handler.java:102)
at android.os.Looper.loopOnce(Looper.java:223)
at android.os.Looper.loop(Looper.java:324)
at com.unity3d.player.UnityPlayer$e.run(Unknown Source:20)
[V2183A::com.dz.gslsz.honor ]->
小结
综上日志可得（依据：GetStaticMethodID 钩子的 native 栈中分别出现 libnative-lib.so 与 libunity.so 的帧，且 Java 侧栈顶为 `Settings$Secure.getString(Native Method)`，要么没有 Java 调用方，要么经由 `UnityPlayer.nativeRender` 进入）
存在两个 so 库在 native 侧通过 JNI 获取 Android ID。注意：GetStaticMethodID 钩子只能证明该 so 查找了 getString 的方法 ID，并不等于已经调用；Backtracer.FUZZY 基于启发式扫描栈内存，其输出中诸如 `libc.so!scudo_malloc`、`libart.so!_ZN3art6Thread25InstallImplicitProtectionEv` 这类帧很可能是残留值而非真实调用者，最终归因应以 Java 侧的栈为准。
- libnative-lib.so
- libunity.so