JEFFREY

feiworks.com

WinDbg debugging

Symbol configuration (symbol path; the local cache directory is d:\Symbols):

SRV*d:\Symbols*http://msdl.microsoft.com/download/symbols


Auto-attach at launch (Image File Execution Options; the Debugger value makes Windows start the named debugger whenever calc.exe is launched)

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe]

"Debugger"="\"D:\\WinDbg(x64)\\windbg.exe\""


Break on module load:

sxe ld:[dll name]

All modules: sxe ld:*

Break on module unload:

sxe ud:[dll name]

All modules: sxe ud:*


Unpacking a py2exe-packed program

1. Search the binary for the byte sequence 12 34 56 78. Skip 8 bytes past it; the next 4 bytes are the length of code_bytes. After that comes the library (archive) file name, terminated by 00, and then code_bytes itself. The layout comes from py2exe's own packing code:

si = struct.pack("iiii",
    0x78563412,       # magic value, stored in the file as 12 34 56 78
    self.optimize,    # optimize flag
    self.unbuffered,  # unbuffered-stdio flag
    len(code_bytes),  # length of the marshalled code that follows
) + relative_arcname + "\000"   # NUL-terminated archive name
script_bytes = si + code_bytes + '\000\000'

2. Extract code_bytes, unmarshal it in Python, find the code object you need and marshal it back out. A code object may contain nested code objects; use inspect.getmembers(code_obj) to locate the code objects inside the list, then dump them.

>>> import marshal
>>> mylist = marshal.load(open("dumpfile", "rb"))   # binary mode: marshal data is not text
>>> marshal.dump(mylist[1], open("main.pyo", "wb"))

3. Prepend an 8-byte header to the .pyo file and it can be decompiled. The first 4 bytes are the Python version magic number, the last 4 bytes are a timestamp. The header can be: 03 F3 0D 0A 37 77 83 56.
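The three steps above carried out end to end in one Python 3 script. This is an added example, not code from this page or from py2exe: it builds a constructed script resource with the same field layout as the struct.pack call quoted in step 1, locates the magic, recovers code_bytes, unmarshals it, walks the result for code objects (including those nested in co_consts; an isinstance check on types.CodeType stands in for the inspect.getmembers walk) and writes a .pyc-style file with the 8-byte header from step 3. Assumptions: the field order (magic, optimize, unbuffered, length) and little-endian packing, a constructed list of two code objects, and the fact that the header bytes quoted on the page are Python 2.7 values. Marshal output is interpreter-version specific, so a real py2exe blob must be unmarshalled by the same Python major version that produced it; the demo simply uses whatever interpreter runs it.

```python
"""Recover code objects from a py2exe-style script resource (added example)."""
import marshal
import struct
import types

MAGIC = 0x78563412                # appears in the file as 12 34 56 78
HEADER = struct.Struct("<iiii")   # magic, optimize, unbuffered, len(code_bytes)


def marshal_list(codes):
    """Marshal a list of code objects, as py2exe's code_bytes is a marshalled list."""
    return marshal.dumps(list(codes))


def build_script_bytes(code_bytes, arcname=b"library.zip", optimize=0, unbuffered=0):
    """Constructed stand-in for the resource py2exe writes (assumption: same field
    order as the struct.pack call quoted above, packed little-endian)."""
    si = HEADER.pack(MAGIC, optimize, unbuffered, len(code_bytes)) + arcname + b"\x00"
    return si + code_bytes + b"\x00\x00"


def parse_script_resource(blob):
    """Step 1: find the magic, read optimize/unbuffered/length, then the
    NUL-terminated archive name, then exactly `length` bytes of code_bytes."""
    off = blob.find(struct.pack("<i", MAGIC))
    if off < 0:
        raise ValueError("py2exe magic 12 34 56 78 not found")
    _, optimize, unbuffered, code_len = HEADER.unpack_from(blob, off)
    name_start = off + HEADER.size
    name_end = blob.index(b"\x00", name_start)
    code_start = name_end + 1
    code_bytes = blob[code_start:code_start + code_len]
    if len(code_bytes) != code_len:
        raise ValueError("code_bytes truncated: resource shorter than declared length")
    return {
        "optimize": optimize,
        "unbuffered": unbuffered,
        "arcname": blob[name_start:name_end].decode(),
        "code_bytes": code_bytes,
    }


def find_code_objects(obj, path=""):
    """Step 2: walk the unmarshalled list and yield (path, code) for every code
    object, descending into co_consts where functions and classes nest."""
    if isinstance(obj, types.CodeType):
        yield path, obj
        for i, const in enumerate(obj.co_consts):
            yield from find_code_objects(const, f"{path}.co_consts[{i}]")
    elif isinstance(obj, (list, tuple)):
        for i, item in enumerate(obj):
            yield from find_code_objects(item, f"{path}[{i}]")


def pyc_bytes(code, header=bytes.fromhex("03f30d0a37778356")):
    """Step 3: 8-byte header (4-byte magic + 4-byte timestamp) followed by the
    marshalled code object. The default is the Python 2.7 header from the page;
    a file written under Python 3 needs that interpreter's own magic
    (importlib.util.MAGIC_NUMBER) and, from 3.7 on, a 16-byte header."""
    if len(header) != 8:
        raise ValueError("header must be exactly 8 bytes")
    return header + marshal.dumps(code)


def pyc_code(data):
    """Inverse of pyc_bytes for the 8-byte-header layout: strip the header, unmarshal."""
    return marshal.loads(data[8:])


def unpack(blob):
    """Full pipeline: parsed resource, all code objects found, and the .pyc-style
    bytes for the main script, which py2exe stores at list index 1 (mylist[1])."""
    info = parse_script_resource(blob)
    objs = marshal.loads(info["code_bytes"])
    found = list(find_code_objects(objs))
    return info, found, pyc_bytes(objs[1])


if __name__ == "__main__":
    # Constructed input: a boot stub and a main script, padded as if inside a resource.
    boot = compile("import sys\n", "boot_common.py", "exec")
    main = compile("def f(x):\n    return x * 2\nRESULT = f(21)\n", "main.py", "exec")
    blob = b"\x00" * 37 + build_script_bytes(marshal_list([boot, main]), optimize=1) + b"\xff" * 5
    info, found, out = unpack(blob)
    print(info["arcname"], info["optimize"], [(p, c.co_name) for p, c in found])
    print(out[:8].hex())
```

The length check after slicing is the part worth keeping when the input is a real executable: a resource that has been truncated or tampered with will still contain the magic, and without that check marshal.loads is handed whatever bytes follow.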


Dalvik opcodes


Author: Gabor Paller


Vx values in the table denote a Dalvik register. Depending on the instruction, 16, 256 or 64k registers can be accessed. Operations on long and double values use two registers, e.g. a double value addressed in the V0 register occupies the V0 and V1 registers.

Boolean values are stored as 1 for true and 0 for false. Operations on booleans are translated into integer operations.

All the examples are in high-endian format, e.g. 0F00 0A00 is coded as the 0F, 00, 0A, 00 sequence.

Note there is no explanation/example for some instructions. This means that I have not seen that instruction "in the wild" and its presence/name is only known from the Android opcode constant list.

Android smali code injection

1. Adding log output

For a String variable (value in v0):
const-string v3, "message"
invoke-static {v3, v0}, Landroid/util/Log;->v(Ljava/lang/String;Ljava/lang/String;)I

For an int variable (value in v1; converted to a String first):
const-string v3, "message"
invoke-static {v1}, Ljava/lang/Integer;->toString(I)Ljava/lang/String;
move-result-object v4
invoke-static {v3, v4}, Landroid/util/Log;->v(Ljava/lang/String;Ljava/lang/String;)I

For a boolean variable (value in v1):
const-string v3, "message"
invoke-static {v1}, Ljava/lang/Boolean;->toString(Z)Ljava/lang/String;
move-result-object v4
invoke-static {v3, v4}, Landroid/util/Log;->v(Ljava/lang/String;Ljava/lang/String;)I


2. Popping up a message dialog

Java source:
new AlertDialog.Builder(self)
.setTitle("普通对话框")
.setMessage("你好,Android!")
.show();
Equivalent smali (p0 is this, the Context):
new-instance v1, Landroid/app/AlertDialog$Builder;
invoke-direct {v1,p0}, Landroid/app/AlertDialog$Builder;-><init>(Landroid/content/Context;)V
.local v1,builder:Landroid/app/AlertDialog$Builder;

const-string v2,"\u666e\u901a\u5bf9\u8bdd\u6846"
invoke-virtual {v1,v2}, Landroid/app/AlertDialog$Builder;->setTitle(Ljava/lang/CharSequence;)Landroid/app/AlertDialog$Builder;

const-string v2,"\u4f60\u597d\uff0cAndroid!"
invoke-virtual {v1,v2},Landroid/app/AlertDialog$Builder;->setMessage(Ljava/lang/CharSequence;)Landroid/app/AlertDialog$Builder;

invoke-virtual {v1},Landroid/app/AlertDialog$Builder;->create()Landroid/app/AlertDialog;
move-result-object v2
invoke-virtual {v2},Landroid/app/AlertDialog;->show()V


Android ramdisk editing

# mount the partition holding the ramdisk and copy the image out
mkdir /etc/mm
mount -o rw -t ext4 /dev/block/sda3 /etc/mm
cp /etc/mm/ramdisk /data/local/tmp/ramdisk.img.gz
cd /data/local/tmp/
# decompress and extract the cpio archive; also keep a file list for repacking
gunzip ramdisk.img.gz
mkdir ramdisk
cd ramdisk
cpio -i -F ../ramdisk.img
cpio -i -t -F ../ramdisk.img > list

# edit files, then repack in newc format from the saved list and write back
cat list|cpio -o -H newc|gzip > ramdisk.img.gz
cp ramdisk.img.gz /etc/mm/ramdisk
umount /etc/mm
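The same unpack / edit / repack loop in Python, as an added example rather than the page's own commands: a small parser and writer for the newc cpio format that `cpio -i -t` lists and `cpio -o -H newc` writes, with gzip on both sides. Assumptions: the image is a single (non-concatenated) newc archive, and the sample entries (init, default.prop and their contents) are constructed for the demo. Header bounds are checked before use, and entry names are rejected if they are absolute or contain a `..` component, which is the check to keep when the image was pulled from a device you do not control.

```python
"""Parse, edit and repack a gzip-compressed newc cpio ramdisk (added example)."""
import gzip

NEWC_MAGIC = b"070701"
FIELDS = ("ino", "mode", "uid", "gid", "nlink", "mtime", "filesize",
          "devmajor", "devminor", "rdevmajor", "rdevminor", "namesize", "check")
HDR_LEN = 110                     # 6-byte magic + 13 fields of 8 hex digits


def _pad4(n):
    """Bytes needed to round n up to a 4-byte boundary."""
    return (-n) % 4


def newc_entry(name, data=b"", mode=0o100644, mtime=0, ino=0):
    """Serialise one entry as `cpio -o -H newc` lays it out: header, NUL-terminated
    name padded to 4 bytes, then data padded to 4 bytes."""
    nameb = name.encode() + b"\x00"
    vals = dict(ino=ino, mode=mode, uid=0, gid=0, nlink=1, mtime=mtime,
                filesize=len(data), devmajor=0, devminor=0, rdevmajor=0,
                rdevminor=0, namesize=len(nameb), check=0)
    hdr = NEWC_MAGIC + b"".join(b"%08X" % vals[f] for f in FIELDS)
    hdr += nameb + b"\x00" * _pad4(HDR_LEN + len(nameb))
    return hdr + data + b"\x00" * _pad4(len(data))


def build_newc(entries):
    """entries: iterable of (name, data, mode). Appends the TRAILER!!! record."""
    body = b"".join(newc_entry(n, d, m) for n, d, m in entries)
    return body + newc_entry("TRAILER!!!", mode=0)


def is_safe_name(name):
    """Reject names that would escape the extraction directory."""
    return not name.startswith("/") and ".." not in name.split("/")


def parse_newc(buf):
    """Yield {'name','mode','size','data'} per entry, stopping at TRAILER!!!."""
    pos = 0
    while pos + HDR_LEN <= len(buf):
        if buf[pos:pos + 6] != NEWC_MAGIC:
            raise ValueError(f"bad newc magic at offset {pos}")
        raw = buf[pos + 6:pos + HDR_LEN]
        h = {f: int(raw[i * 8:(i + 1) * 8], 16) for i, f in enumerate(FIELDS)}
        name_start = pos + HDR_LEN
        name_end = name_start + h["namesize"] - 1          # drop the NUL
        name = buf[name_start:name_end].decode()
        data_start = name_end + 1 + _pad4(HDR_LEN + h["namesize"])
        data_end = data_start + h["filesize"]
        if data_end > len(buf):
            raise ValueError(f"entry {name!r} runs past the end of the archive")
        pos = data_end + _pad4(h["filesize"])
        if name == "TRAILER!!!":
            return
        if not is_safe_name(name):
            raise ValueError(f"unsafe entry name {name!r}")
        yield {"name": name, "mode": h["mode"], "size": h["filesize"],
               "data": buf[data_start:data_end]}
    raise ValueError("archive ended without TRAILER!!!")


def make_ramdisk(entries):
    """`cpio -o -H newc | gzip` for a list of (name, data, mode)."""
    return gzip.compress(build_newc(entries))


def read_ramdisk(gz_bytes):
    """`gunzip` + `cpio -i`: all entries as dicts."""
    return list(parse_newc(gzip.decompress(gz_bytes)))


def list_ramdisk(gz_bytes):
    """`gunzip` + `cpio -i -t`: entry names in archive order."""
    return [e["name"] for e in read_ramdisk(gz_bytes)]


def repack_with(gz_bytes, name, new_data):
    """The edit step: replace one file's contents, keep every other entry and
    its mode, and rebuild the compressed image."""
    entries = read_ramdisk(gz_bytes)
    if name not in {e["name"] for e in entries}:
        raise KeyError(name)
    return make_ramdisk((e["name"], new_data if e["name"] == name else e["data"], e["mode"])
                        for e in entries)


if __name__ == "__main__":
    # Constructed sample ramdisk with two files.
    gz = make_ramdisk([("init", b"#!/system/bin/sh\n", 0o100750),
                       ("default.prop", b"ro.secure=1\n", 0o100644)])
    print(list_ramdisk(gz))
    gz2 = repack_with(gz, "default.prop", b"ro.secure=1\nro.example.flag=1\n")
    print([(e["name"], e["size"], oct(e["mode"])) for e in read_ramdisk(gz2)])
```

Rebuilding from the parsed entries rather than from a file list is what preserves each entry's mode; the page's `cat list | cpio -o -H newc` reads modes from the extracted files on disk, so the same caveat applies there: extract on a filesystem that keeps Unix permissions.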


Copyright @ 2014-2019 All Rights Reserved.