Preface
Demo examples:
- Sina wb
- Xiao hs
References: r2wiki, enovella wiki
Main text
0x1 Installation
First install radare2; Windows users can download an executable installer here.
Then install r2frida by cloning and building it yourself.
Use the frida-ls-devices tool to get the USB device id, then use frida-ps -U | grep xhs to get the full package name. With the id and the package name, connect radare2 to frida:
r2 frida://c0e668cc/com.xingin.xhs
You then get a radare2 interactive session:
❯ r2 frida://c0e668cc/com.xingin.xhs
WARNING: r_bin_open_buf: assertion '(st64)opt->sz >= 0' failed (line 250)
-- SSAbotage from ISIL
[0x00000000]>
0x2 Usage
0x2.1> help
First, how to use help. Note that to run an r2frida command you must prefix it with \ or =!. For example, to get help:
# =!? or \?
[0x00000000]> =!?
r2frida commands available via =! or \ prefix
. script Run script
frida-expression Run given expression inside the agent
/[x][j] <string|hexpairs> Search hex/string pattern in memory ranges (see search.in=?)
/v[1248][j] value Search for a value honoring `e cfg.bigendian` of given width
/w[j] string Search wide string
<space> code.. Evaluate Cycript code
? Show this help
?V Show target Frida version
chcon file Change SELinux context (dl might require this)
d. Start the chrome tools debugger
db (<addr>|<sym>) List or place breakpoint
db- (<addr>|<sym>)|* Remove breakpoint(s)
dc Continue breakpoints or resume a spawned process
dd[j-][fd] ([newfd]) List, dup2 or close filedescriptors (ddj for JSON)
di[0,1,-1] [addr] Intercept and replace return value of address
dk ([pid]) [sig] Send specific signal to specific pid in the remote system
dkr Print the crash report (if the app has crashed)
dl libname Dlopen a library (Android see chcon)
dl2 libname [main] Inject library using Frida's >= 8.2 new API
dm[.|j|*] Show memory regions
dma <size> Allocate <size> bytes on the heap, address is returned
... (it goes on for a while)
That prints help for every command. To see which commands exist under a given letter, just append ? to it. For example, to see which commands start with i and what each one does:
[0x00000000]> \i?
i dump info
i* dump info r2
iAE list all exports
iAE* list all exports r2
iAEj list all exports json
iAn list all classes natives
iAs list all symbols
iAs* list all symbols r2
iAsj list all symbols json
iE list exports
iE* list exports r2
iE. lookup symbol here
iEa lookup export
iEa* lookup export r2
...
0x2.2> dm
A brief tour of the commonly used commands. First is dm, which gets information about loaded .so files, such as their addresses. The ~ filter used here works like grep:
[0x00000000]> \dm~shield
0xc5a1a000 - 0xc5a95000 r-x /data/app/com.xingin.xhs-9gUqbwWzalUnAgU88apeTQ==/lib/arm/libshield.so
0xc5a95000 - 0xc5a99000 r-- /data/app/com.xingin.xhs-9gUqbwWzalUnAgU88apeTQ==/lib/arm/libshield.so
0xc5a99000 - 0xc5a9a000 rw- /data/app/com.xingin.xhs-9gUqbwWzalUnAgU88apeTQ==/lib/arm/libshield.so
[0x00000000]>
You can also output in radare2's own flag format by appending * to the command:
[0x00000000]> \dm*~shield
f map.0xc5a1a000 = 0xc5a1a000 # r-x /data/app/com.xingin.xhs-9gUqbwWzalUnAgU88apeTQ==/lib/arm/libshield.so
f map.0xc5a95000 = 0xc5a95000 # r-- /data/app/com.xingin.xhs-9gUqbwWzalUnAgU88apeTQ==/lib/arm/libshield.so
f map.0xc5a99000 = 0xc5a99000 # rw- /data/app/com.xingin.xhs-9gUqbwWzalUnAgU88apeTQ==/lib/arm/libshield.so
And if you want to consume the data directly from a script, it can be output as JSON by appending j to the command:
[0x00000000]> \dmj~shield
Do you want to print 1 lines? (y/N) y
[{
"base":"0x12c00000","size":3145728,"protection":"rw-","file":{
"path":"/dev/ashmem/dalvik-main space (region space) (deleted)","offset":0,"size":0}},{
"base":"0x12f00000","size":4456448,"protection":"---","file":{
"path":"/dev/ashmem/dalvik-main space (region space) (deleted)","offset":3145728,"size":0}},{
"base":"0x13340000","size":262144,"protection":"rw-","file":{
"path":"/dev/ashmem/dalvik-main space (region space) (deleted)","offset":7602176,"size":0}},{
"base":"0x13380000","size":262144,"protection":"---","file":{
"path":"/dev/ashmem/dalvik-main space (region space) (deleted)",...
0x2.3> iE
Next, iE lists all exported functions of a .so file; it probably stands for info exports (my guess):
[0x00000000]> \iE* libshield.so
f sym.fun._Znaj = 0xc5a3f8b5
f sym.fun._ZdaPv = 0xc5a3e579
f sym.fun._ZdlPv = 0xc5a3e575
f sym.fun.__cxa_begin_catch = 0xc5a3ebd5
f sym.fun._ZSt9terminatev = 0xc5a3f4bd
f sym.fun._Znwj = 0xc5a3f861
f sym.var._ZTVN10__cxxabiv117__class_type_infoE = 0xc5a97290
f sym.fun.JNI_OnLoad = 0xc5a257a9
f sym.fun.__cxa_allocate_exception = 0xc5a3e655
f sym.fun.__cxa_throw = 0xc5a3f571
f sym.fun.__cxa_free_exception = 0xc5a3e6fd
f sym.fun.__cxa_rethrow = 0xc5a3f5f1
f sym.fun.__cxa_end_catch = 0xc5a3ec65
f sym.var._ZSt7nothrow = 0xc5a94138
f sym.fun._ZNSt8_Rb_treeISsSsSt9_IdentityISsESt4lessISsESaISsEE5clearEv = 0xc5a36c99
f sym.fun._ZNSt8_Rb_treeISsSsSt9_IdentityISsESt4lessISsESaISsEE16_M_insert_uniqueISsEESt4pairISt17_Rb_tree_iteratorISsEbEOT_ = 0xc5a36d3d
f sym.fun._ZNSt8_Rb_treeISsSsSt9_IdentityISsESt4lessISsESaISsEE4findERKSs = 0xc5a38701
f sym.fun._ZNSt6vectorISsSaISsEED2Ev = 0xc5a2df71
f sym.fun._ZNSt8_Rb_treeISsSsSt9_IdentityISsESt4lessISsESaISsEED2Ev = 0xc5a36f11
f sym.fun._ZNSt6vectorISsSaISsEE7reserveEj = 0xc5a32455
f sym.fun._ZNSt6vectorISsSaISsEE19_M_emplace_back_auxIJSsEEEvDpOT_ = 0xc5a39361
f sym.fun.__cxa_guard_acquire = 0xc5a3f665
f sym.fun.__cxa_guard_release = 0xc5a3f7dd
f sym.fun._ZNSt9exceptionD2Ev = 0xc5a3ed01
...
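The dm, dmj and iE* outputs above are meant to be reused, so here is an added Python helper (not part of the original post or of r2frida) that parses them offline and answers which mapped segment of libshield.so an export lives in. The sample inputs are copied from the output shown above; the JSON shape follows the dmj document printed earlier.

```python
"""Offline parsers for r2frida output: `dm` map lines, `dmj` JSON and `iE*` flags."""
import json
import re
from dataclasses import dataclass
# Constructed sample input, copied from the `\dm~shield` output shown above.
DM_TEXT = """\
0xc5a1a000 - 0xc5a95000 r-x /data/app/com.xingin.xhs-9gUqbwWzalUnAgU88apeTQ==/lib/arm/libshield.so
0xc5a95000 - 0xc5a99000 r-- /data/app/com.xingin.xhs-9gUqbwWzalUnAgU88apeTQ==/lib/arm/libshield.so
0xc5a99000 - 0xc5a9a000 rw- /data/app/com.xingin.xhs-9gUqbwWzalUnAgU88apeTQ==/lib/arm/libshield.so
"""
# Constructed sample input: three `\iE* libshield.so` flag lines from above.
FLAG_TEXT = """\
f sym.fun.JNI_OnLoad = 0xc5a257a9
f sym.var._ZTVN10__cxxabiv117__class_type_infoE = 0xc5a97290
f sym.fun.__cxa_throw = 0xc5a3f571
"""

@dataclass(frozen=True)
class Region:
    base: int
    end: int          # exclusive upper bound
    perms: str        # e.g. "r-x"
    path: str

DM_LINE = re.compile(r"^(0x[0-9a-f]+) - (0x[0-9a-f]+) ([rwx-]{3}) (.*)$")
FLAG_LINE = re.compile(r"^f sym\.(fun|var)\.(\S+) = (0x[0-9a-f]+)$")

def parse_dm(text):
    """Parse `dm` text output into Region objects; prompts and other noise are skipped."""
    return [Region(int(m[1], 16), int(m[2], 16), m[3], m[4])
            for m in map(DM_LINE.match, text.splitlines()) if m]

def parse_dmj(text):
    """Parse `dmj` JSON output; base is a hex string, size an integer byte count."""
    regs = []
    for r in json.loads(text):
        base = int(r["base"], 16)
        path = (r.get("file") or {}).get("path", "")
        regs.append(Region(base, base + r["size"], r["protection"], path))
    return regs

def parse_flags(text):
    """Map export name -> (kind, address) from `iE*` radare2 flag lines."""
    return {m[2]: (m[1], int(m[3], 16))
            for m in map(FLAG_LINE.match, text.splitlines()) if m}

def locate(addr, regions):
    """Return the Region containing addr, or None, e.g. to see which segment holds a symbol."""
    return next((r for r in regions if r.base <= addr < r.end), None)
```

With the sample data, JNI_OnLoad resolves to the r-x segment and the vtable symbol to the r-- segment, which is how you tell code exports from data exports without a disassembler.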
0x2.4> \/
Search for data in memory with \/. First, the help:
[0x00000000]> \?~^/
/[x][j] <string|hexpairs> Search hex/string pattern in memory ranges (see search.in=?)
/v[1248][j] value Search for a value honoring `e cfg.bigendian` of given width
/w[j] string Search wide string
[0x00000000]>
Basic usage: \/ keyword
For example, let's search for... hmm: TracerPid. First there is a burst of output, then the number of hits (12 here), followed by the address and contents of each match:
[0x00000000]> \/ TracerPid
Searching 9 bytes: 54 72 61 63 65 72 50 69 64