原理介绍：https://www.anquanke.com/post/id/85996

setImmediate(function () {
    Java.perform(function () {
        console.log("[*] Hooking calls to System.exit");
        try {
            var exitClass = Java.use("java.lang.System");
            exitClass.exit.implementation = function () {
                console.log("[*] System.exit called");
            }
        } catch (e) {
            console.log('exitClass err', e)
        }

        var strncmp = undefined;
        var imports = Module.enumerateImportsSync("libfoo.so");

        for (var i = 0; i < imports.length; i++) {
            if (imports[i].name == "strncmp") {
                strncmp = imports[i].address;
                break;
            }

        }

        //Get base address of library
        var libfoo = Module.findBaseAddress("libfoo.so");
        //Calculate address of variable
        if (libfoo !== null) {
            var initialized = libfoo.add(ptr("0x400C"));

            //Write 1 to the variable
            Memory.writeInt(initialized, 1);
        }else {
            console.log('libfoo is null')
        }

        if (strncmp !== undefined) {
            Interceptor.attach(strncmp, {
                onEnter: function (args) {
                    if (args[2].toInt32() == 23 && Memory.readUtf8String(args[0], 23) == "01234567890123456789012") {
                        console.log("[*] Secret string at " + args[1] + ": " + Memory.readUtf8String(args[1], 23));
                    }
                },
            });
            console.log("[*] Intercepting strncmp");
        }else {
            console.log('strncmp is undefined')
        }

    });
});

转载于 小小咸鱼YwY