Practicing dynamic debugging
Dynamic debugging of .so libraries with IDA is a thing of the past: the Android system no longer supports it. Move on to FRIDA...
Dynamic debugging with IDA is old hat; switch to FRIDA
Frida scripts
Spawning an app
```shell
frida -U -f <package-name> -l script.js
```
Notes:
- If the script contains Chinese characters, make sure the file is saved as UTF-8
- On frida 17.x, `findExportByName` no longer works; use `Module.getGlobalExportByName("android_dlopen_ext")` instead
`android_dlopen_ext` lives in:
```
/system/lib64/libdl.so
```
According to the Kanxue tutorial, this function is the key one for loading an app's own bundled .so files. Let's verify that: write a small app that calls
```java
static {
    System.loadLibrary("tracerpid");
}
```
Step into `loadLibrary` with the IDE:
```java
// java.lang.System
@CallerSensitive
public static void loadLibrary(String libname) {
    Runtime.getRuntime().loadLibrary0(Reflection.getCallerClass(), libname);
}
```
Tracing stops here (the IDE cannot go any further), so continue with the source on the AOSP site:
```java
private synchronized void loadLibrary0(ClassLoader loader, Class<?> callerClass, String libname) {
    if (libname.indexOf((int)File.separatorChar) != -1) {
        throw new UnsatisfiedLinkError(
            "Directory separator should not appear in library name: " + libname);
    }
    String libraryName = libname;
    ...
    String filename = System.mapLibraryName(libraryName);
    String error = nativeLoad(filename, loader, callerClass); // this looks like where the actual loading happens
    if (error != null) {
        throw new UnsatisfiedLinkError(error);
    }
}
```
- libcore/libopenjdkjvm/src/main/cpp/jvm.cpp
That came from this article, but the AI was just making things up: I still can't find any java_lang_runtime.cpp in the latest source. Back to the Kanxue article, and just search for Runtime_nativeLoad directly:
- libcore/ojluni/src/main/native/Runtime.c
That's the one: drop the env parameter and the argument count lines up.
- vm->LoadNativeLibrary
- art/runtime/jni/java_vm_ext.cc
Ugh, so many layers... what a pain. As the Kanxue article above explains, it ends up calling android_dlopen_ext. So why not just hook nativeLoad directly? Presumably because that wouldn't be complete: the next thing to verify is how most apps load .so files from inside their own native code. Asked the AI again:
```c
#include <dlfcn.h>
/* LOGE is the app's Android logging macro (wraps __android_log_print) */
void* handle = dlopen(soPath, RTLD_LAZY);
if (!handle) {
    LOGE("dlopen failed: %s", dlerror());
    return;
}
```
So dlopen is declared in dlfcn.h, and that checks out. The next thing to prove is that dlopen calls android_dlopen_ext.
Frida hook test on MyApp
dlopen results:
```
[LOAD] libopenjdkjvmti.so
[LOAD] libSchedAssistExtImpl.so
[LOAD] libSchedAssistExtImpl.so
[LOAD] libadreno_app_profiles.so
[LOAD] libEGL_adreno.so
[LOAD] libeglextimpl.so
[LOAD] libhwuiextimpl.so
[LOAD] /system_ext/lib64/liboplusextzawgyi.so
[LOAD] libadreno_utils.so
[LOAD] libopenjdkjvmti.so
[LOAD] libSchedAssistExtImpl.so
[LOAD] libSchedAssistExtImpl.so
[LOAD] libadreno_app_profiles.so
[LOAD] libEGL_adreno.so
[LOAD] libeglextimpl.so
[LOAD] libhwuiextimpl.so
[LOAD] /system_ext/lib64/liboplusextzawgyi.so
[LOAD] libadreno_utils.so
```
Frida hook test on Bilibili
dlopen results:
```
[LOAD] libc.so
[LOAD] libshadowhook_nothing.so
[LOAD] libdl.so
[LOAD] libc.so
[LOAD] libc.so
[LOAD] libnativehelper.so
[LOAD] libc.so
[LOAD] libSchedAssistExtImpl.so
[LOAD] libSchedAssistExtImpl.so
[LOAD] libadreno_app_profiles.so
[LOAD] libEGL_adreno.so
[LOAD] libeglextimpl.so
[LOAD] libhwuiextimpl.so
[LOAD] liblynxtrace.so
[LOAD] libadreno_utils.so
[LOAD] libsensorextimpl.so
[LOAD] /system_ext/lib64/liboplusextzawgyi.so
[LOAD] /data/app/~~uQuljrGEc_G5pnzr2azz7Q==/com.google.android.webview-DshesiY-aSYS4iyUnlsjqw==/base.apk!/lib/arm64-v8a/libwebviewchromium.so
[LOAD] libandroid.so
[LOAD] libc.so
[LOAD] libdolphin.so
[LOAD] libllvm-qgl.so
[LOAD] libc.so
[LOAD] libc.so
```
android_dlopen_ext results:
```
[LOAD] libframework-connectivity-tiramisu-jni.so
[LOAD] /system/framework/oat/arm64/com.android.future.usb.accessory.odex
[LOAD] /data/app/~~Xgn5NUXu-8vevYMhiXyvSw==/tv.danmaku.bili-k47x7A7qMI5B0XgKB-ZL4w==/oat/arm64/base.odex
[LOAD] /data/app/~~Xgn5NUXu-8vevYMhiXyvSw==/tv.danmaku.bili-k47x7A7qMI5B0XgKB-ZL4w==/lib/arm64/libblkv.so
[LOAD] /data/app/~~Xgn5NUXu-8vevYMhiXyvSw==/tv.danmaku.bili-k47x7A7qMI5B0XgKB-ZL4w==/lib/arm64/libblog.so
[LOAD] /data/app/~~Xgn5NUXu-8vevYMhiXyvSw==/tv.danmaku.bili-k47x7A7qMI5B0XgKB-ZL4w==/lib/arm64/libshadowhook.so
[LOAD] /data/app/~~Xgn5NUXu-8vevYMhiXyvSw==/tv.danmaku.bili-k47x7A7qMI5B0XgKB-ZL4w==/lib/arm64/libbytehook.so
[LOAD] /data/app/~~Xgn5NUXu-8vevYMhiXyvSw==/tv.danmaku.bili-k47x7A7qMI5B0XgKB-ZL4w==/lib/arm64/libbili_core.so
[LOAD] /data/app/~~Xgn5NUXu-8vevYMhiXyvSw==/tv.danmaku.bili-k47x7A7qMI5B0XgKB-ZL4w==/lib/arm64/libbreflect.so
[LOAD] /data/app/~~Xgn5NUXu-8vevYMhiXyvSw==/tv.danmaku.bili-k47x7A7qMI5B0XgKB-ZL4w==/lib/arm64/libbili.so
[LOAD] /data/app/~~Xgn5NUXu-8vevYMhiXyvSw==/tv.danmaku.bili-k47x7A7qMI5B0XgKB-ZL4w==/lib/arm64/libignet.so
[LOAD] /data/app/~~uQuljrGEc_G5pnzr2azz7Q==/com.google.android.webview-DshesiY-aSYS4iyUnlsjqw==/oat/arm64/base.odex
[LOAD] libwebviewchromium.so
[LOAD] /data/app/~~uQuljrGEc_G5pnzr2azz7Q==/com.google.android.webview-DshesiY-aSYS4iyUnlsjqw==/base.apk!/lib/arm64-v8a/libwebviewchromium.so
[LOAD] /system/lib64/libwebviewchromium_plat_support.so
[LOAD] /data/app/~~Xgn5NUXu-8vevYMhiXyvSw==/tv.danmaku.bili-k47x7A7qMI5B0XgKB-ZL4w==/lib/arm64/libijkffmpeg.so
[LOAD] /data/app/~~Xgn5NUXu-8vevYMhiXyvSw==/tv.danmaku.bili-k47x7A7qMI5B0XgKB-ZL4w==/lib/arm64/libavif.so
[LOAD] /data/app/~~Xgn5NUXu-8vevYMhiXyvSw==/tv.danmaku.bili-k47x7A7qMI5B0XgKB-ZL4w==/lib/arm64/libadjni.so
[LOAD] /data/app/~~Xgn5NUXu-8vevYMhiXyvSw==/tv.danmaku.bili-k47x7A7qMI5B0XgKB-ZL4w==/lib/arm64/libtf.so
[LOAD] /data/app/~~Xgn5NUXu-8vevYMhiXyvSw==/tv.danmaku.bili-k47x7A7qMI5B0XgKB-ZL4w==/lib/arm64/libBugly.so
[LOAD] /data/app/~~Xgn5NUXu-8vevYMhiXyvSw==/tv.danmaku.bili-k47x7A7qMI5B0XgKB-ZL4w==/lib/arm64/libtencentloc.so
[LOAD] libjnirtk.so
[LOAD] /vendor/lib64/hw/android.hardware.graphics.mapper@4.0-impl-qti-display.so
[LOAD] /vendor/lib64/hw/gralloc.default.so
[LOAD] /data/app/~~Xgn5NUXu-8vevYMhiXyvSw==/tv.danmaku.bili-k47x7A7qMI5B0XgKB-ZL4w==/lib/arm64/liblynxbase.so
[LOAD] /data/app/~~Xgn5NUXu-8vevYMhiXyvSw==/tv.danmaku.bili-k47x7A7qMI5B0XgKB-ZL4w==/lib/arm64/libquick.so
[LOAD] /data/app/~~Xgn5NUXu-8vevYMhiXyvSw==/tv.danmaku.bili-k47x7A7qMI5B0XgKB-ZL4w==/lib/arm64/liblynx.so
[LOAD] /data/app/~~Xgn5NUXu-8vevYMhiXyvSw==/tv.danmaku.bili-k47x7A7qMI5B0XgKB-ZL4w==/lib/arm64/liblynxtrace.so
[LOAD] /data/app/~~Xgn5NUXu-8vevYMhiXyvSw==/tv.danmaku.bili-k47x7A7qMI5B0XgKB-ZL4w==/lib/arm64/libimagepipeline.so
[LOAD] /data/app/~~Xgn5NUXu-8vevYMhiXyvSw==/tv.danmaku.bili-k47x7A7qMI5B0XgKB-ZL4w==/lib/arm64/libbiliid.so
[LOAD] /vendor/lib64/hw/android.hardware.graphics.mapper@4.0-impl-qti-display.so
[LOAD] /data/app/~~Xgn5NUXu-8vevYMhiXyvSw==/tv.danmaku.bili-k47x7A7qMI5B0XgKB-ZL4w==/lib/arm64/libstatic-webp.so
[LOAD] /data/app/~~Xgn5NUXu-8vevYMhiXyvSw==/tv.danmaku.bili-k47x7A7qMI5B0XgKB-ZL4w==/lib/arm64/libmnn_predictor.so
[LOAD] /data/app/~~Xgn5NUXu-8vevYMhiXyvSw==/tv.danmaku.bili-k47x7A7qMI5B0XgKB-ZL4w==/lib/arm64/libc++_shared.so
[LOAD] /data/app/~~Xgn5NUXu-8vevYMhiXyvSw==/tv.danmaku.bili-k47x7A7qMI5B0XgKB-ZL4w==/lib/arm64/libnirvana.so
[LOAD] /data/app/~~Xgn5NUXu-8vevYMhiXyvSw==/tv.danmaku.bili-k47x7A7qMI5B0XgKB-ZL4w==/lib/arm64/libsqliteJni.so
[LOAD] /data/app/~~Xgn5NUXu-8vevYMhiXyvSw==/tv.danmaku.bili-k47x7A7qMI5B0XgKB-ZL4w==/lib/arm64/libbvc-xcode-tools.so
[LOAD] /data/app/~~Xgn5NUXu-8vevYMhiXyvSw==/tv.danmaku.bili-k47x7A7qMI5B0XgKB-ZL4w==/lib/arm64/libbili-upload.so
[LOAD] /data/app/~~Xgn5NUXu-8vevYMhiXyvSw==/tv.danmaku.bili-k47x7A7qMI5B0XgKB-ZL4w==/lib/arm64/libgifimage.so
```
Clearly, hooking android_dlopen_ext catches more.
Hooking dlopen makes the app hang and then crash; hooking android_dlopen_ext does not.
The interesting thing is:
- in https://bbs.kanxue.com/thread-281584-1.htm, hooking android_dlopen_ext caused a hang and crash, yet now it doesn't. Evidently Bilibili has added countermeasures so that we can't pinpoint which .so holds the crash-triggering code...
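Below is an added example, not the script used for the runs above. It is a Frida 17.x agent that hooks android_dlopen_ext through Module.getGlobalExportByName (the replacement for the removed static findExportByName, as noted at the top of the post) and classifies every path the linker is asked to load by where it comes from (bare soname, APK-bundled, /system, /vendor, /apex, or an ART .odex/.oat file, which the android_dlopen_ext log above shows are also loaded this way). The "[LOAD] ..." parser and the summary helpers are pure functions, so they also run under plain Node against a log pasted from Frida; the sample log embedded in the block is constructed with placeholder install-directory hashes. One caveat worth knowing when comparing the two hook results: in bionic, dlopen and android_dlopen_ext are two separate exported entry points into the same internal loader routine, so a hook on one does not see calls made through the other; ART's own library loading (the nativeLoad chain traced above) goes through android_dlopen_ext, which is why that hook reports far more.

```javascript
// Added example (not the post's script). Frida 17.x agent: hook android_dlopen_ext and
// classify every path the linker is asked to load. The pure helpers also run under plain
// Node, so the summary logic can be checked offline against a log captured from Frida.

// Where a path points, judged purely from its shape (assumption: standard Android layout).
function classifyLibrary(path) {
  if (/\.(odex|oat)$/.test(path)) return "oat";          // ART-compiled code, also loaded via the linker
  if (path.indexOf("/") === -1) return "bare";            // bare soname: the linker searches its default paths
  if (path.startsWith("/data/app/") || path.indexOf(".apk!/") !== -1) return "app"; // shipped in an APK
  if (path.startsWith("/system/") || path.startsWith("/system_ext/")) return "system";
  if (path.startsWith("/vendor/")) return "vendor";
  if (path.startsWith("/apex/")) return "apex";
  return "other";
}

// Pull the paths out of "[LOAD] <path>" lines (the format of the post's output). A trailing
// " (...)" annotation, as written by the hook below, is stripped so the same parser fits both.
function parseLoadLines(lines) {
  const prefix = "[LOAD] ";
  return lines
    .filter((l) => l.startsWith(prefix))
    .map((l) => l.slice(prefix.length).replace(/ \(.*\)$/, "").trim());
}

// Deduplicate and count by category; appLibs lists what came from the app's own APK,
// which is usually the subset an analyst actually wants to look at.
function summarize(lines) {
  const paths = parseLoadLines(lines);
  const unique = Array.from(new Set(paths));
  const byCategory = {};
  for (const p of unique) {
    const c = classifyLibrary(p);
    byCategory[c] = (byCategory[c] || 0) + 1;
  }
  return {
    total: paths.length,
    unique: unique.length,
    byCategory,
    appLibs: unique.filter((p) => classifyLibrary(p) === "app"),
  };
}

// Constructed sample in the post's output format (PLACEHOLDER stands in for the install hashes).
const SAMPLE_LOG = [
  "[LOAD] libc.so",
  "[LOAD] libc.so",
  "[LOAD] /system/lib64/libwebviewchromium_plat_support.so",
  "[LOAD] /vendor/lib64/hw/gralloc.default.so",
  "[LOAD] /data/app/~~PLACEHOLDER==/com.example.app-PLACEHOLDER==/lib/arm64/libexample.so",
  "[LOAD] /data/app/~~PLACEHOLDER==/com.example.app-PLACEHOLDER==/oat/arm64/base.odex",
];

// Frida-only part: attach to a loader entry point. Module.getGlobalExportByName is the
// Frida 17.x replacement for the removed static Module.findExportByName(null, ...).
function installLoaderHook(symbol, onLoad) {
  const addr = Module.getGlobalExportByName(symbol);   // throws if the symbol is not exported anywhere
  Interceptor.attach(addr, {
    onEnter(args) {
      // both dlopen() and android_dlopen_ext() take const char* filename as their first argument
      this.path = args[0].isNull() ? "(null)" : args[0].readCString();
    },
    onLeave(retval) {
      onLoad(this.path, !retval.isNull());   // a NULL handle means the load failed
    },
  });
}

if (typeof Interceptor !== "undefined") {
  // Running inside Frida: log each load with its category and whether it is a repeat.
  const seen = new Set();
  installLoaderHook("android_dlopen_ext", (path, ok) => {
    const repeat = seen.has(path) ? "again" : "first";
    seen.add(path);
    console.log(`[LOAD] ${path} (${classifyLibrary(path)}, ${repeat}, ${ok ? "ok" : "failed"})`);
  });
} else {
  // Plain Node: summarize the constructed sample instead.
  console.log(JSON.stringify(summarize(SAMPLE_LOG), null, 2));
}
```

Run it with the spawn command from the top of the post (frida -U -f <package-name> -l script.js) and it prints one annotated [LOAD] line per call; pipe the saved output through summarize() under Node to get the deduplicated per-origin counts and the list of APK-bundled libraries.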
I was curious what approach the AI would suggest, but never mind. Since the app has been upgraded, let's go and remove its ads (8.84.0). Using AutoJs6 to inspect the UI elements for "ad" labels, I found the relevant class in jadx:
```
com.bilibili.p165ad.adview.widget.marker.AdMarkLayout
```
Java hook code must be placed inside Java.perform, otherwise the class is reported as not found.
```javascript
Java.perform(function () {
    let AdMarkLayout = Java.use("com.bilibili.ad.adview.widget.marker.AdMarkLayout");
    AdMarkLayout["$init"].overload('android.content.Context').implementation = function (context) {
        console.log(`AdMarkLayout.$init is called: context=${context}`);
        this["$init"](context);
    };
});
```
Odd: as soon as the hook is enabled, it stops serving ads? Cheeky.
So let's go after the splash-screen ad instead. Search the manifest XML for android.intent.category.LAUNCHER:
```
tv.danmaku.bili.MainActivityV2
```
The splash ad must be in here somewhere; it can't escape. Following the parent classes: tv.danmaku.bili.q -> com.bilibili.lib.ui.BaseAppCompatActivity -> com.bilibili.lib.spy.generated.d. Let's see which Activities get created:
```javascript
// wrapped in Java.perform, as noted above, so the class can be resolved
Java.perform(function () {
    let d = Java.use("com.bilibili.lib.spy.generated.d");
    d["onCreate"].implementation = function (bundle) {
        console.log(`d.onCreate is called: bundle=${bundle}`);
        this["onCreate"](bundle);
    };
});
```
Couldn't tell anything from that. Haven't practised in years and my reverse-engineering skills have gone stale; time for a break. 2026-03-18 16:46