Android逆向-Dobby

字数统计: 2.2k字   |   阅读时长≈ 11分

Dobby

Android逆向-Dobby

简介

Dobby是一个轻量的inlinehook库。

这里用到了两个分支,一个是原来的jmpews,另一个是BeplnExfork出来的。一开始用jmpews的总是报错还以为不行了,不过后面发现实际上似乎是静态链接的问题。

BepInEx/Dobby: Fork of jmpews/Dobby with stability edits for Windows (github.com)

环境搭建(jmpews)

环境

Ubuntu22

下载源码

1
git clone https://github.com/jmpews/Dobby

下载Release

Release latest · jmpews/Dobby (github.com)

编译源码

Dobby/docs/compile.md at master · jmpews/Dobby (github.com)

Linux

首先安装cmake-3.25.2cmake-3.25.2。这两个可以自己安装,也可以用Dobby自己提供的脚本来安装。关于LLVM15的自行安装单独放在一个post里面。下面用脚本:

1
2
# prepare and download cmake/llvm
sh scripts/setup_linux_cross_compile.sh

这样,它会在Ubuntu22上面安装cmakellvm,以及ndk

然后执行以下脚本就能自动编译了:

1
python3 scripts/platform_builder.py --platform=linux --arch=all --cmake_dir=$HOME/opt/cmake-3.25.2 --llvm_dir=$HOME/opt/llvm-15.0.6

当然,在我的具体情况中,LLVM15在下载解压的时候报错了,所以最后我还是自己编译了一份LLVM,然后将--llvm_dir指向了自己的LLVM的build文件夹。

Android⭐

在前面跑了脚本,安装好cmakellvmndk后,执行:

1
python3 scripts/platform_builder.py --platform=android --arch=all --cmake_dir=$HOME/opt/cmake-3.25.2 --llvm_dir=$HOME/opt/llvm-15.0.6 --android_ndk_dir=$HOME/opt/ndk-r25b

环境搭建(BepInEx)

下载源码

https://github.com/BepInEx/Dobby.git

下载Release

Release Version 1.0.5 · BepInEx/Dobby (github.com)

这里偷懒就不编译了,直接拿现成的。

使用

Linux x64

下面我们创建一个Demo代码文件test1.cpp,假设里面写了一些需要用Dobby进行Hook的代码。

为了能够编译使用,文件结构大概如下:

1
2
3
dobby.h
libdobby.so
test1.cpp

反正就是要把so文件链接进来。

编译:

1
g++ -o test1 test1.cpp -L ./ -ldobby

然后执行前也要做一些操作:

首先是赋予权限:

1
2
chmod 777 ./libdobby.so
chmod 777 ./test1

然后要添加这个so所在的路径,防止找不到:

1
export LD_LIBRARY_PATH=/path/to/so:$LD_LIBRARY_PATH

最后执行:

1
./test1

API(BeplnEx)

看它暴露了哪些API,其实只要看dobby.h就好了。

jmpewsBeplnExdobby.h有一些区别。现在学习后者的。

CodePatch⭐

1
MemoryOperationError CodePatch(void *address, uint8_t *buffer, uint32_t buffer_size);

修改一个指定地址的内存数据,用自己定义的Buffer替换。可以用于Patch字节码

RegisterContext

寄存器结构。

HookEntryInfo

记录了Hook入口点的数据。

DobbyHook⭐

1
2
// hook and commit function
int DobbyHook(void *address, void *replace_call, void **origin_call);

Hook一个函数,并立刻挂钩。具体的使用例子如下:

1
2
3
4
5
6
7
8
9
10
11
12
extern "C" {
  extern int DobbyHook(void *function_address, void *replace_call, void **origin_call);
}

size_t (*origin_fread)(void * ptr, size_t size, size_t nitems, FILE * stream);

size_t (fake_fread)(void * ptr, size_t size, size_t nitems, FILE * stream) {
    // Do What you Want.
    return origin_fread(ptr, size, nitems, stream);
}

DobbyHook((void *)fread, (void *)fake_fread, (void **)&origin_fread);

更细节的例子可以看install_hook_name宏函数。

DobbyPrepare

1
2
// prepare trampoline
int DobbyPrepare(void *address, void *replace_call, void **origin_call);

DobbyCommit

1
2
// commit hook
int DobbyCommit(void *address);

DobbyInstrument⭐(BeplnEx中没有被导出)

这个函数比DobbyHook更细节一些,可以具体操作寄存器。

1
2
3
4
5
// dynamic binary instrument for instruction
// [!!! READ ME !!!]
// for Arm64, can't access q8 - q31, unless you enable full floating-point register pack
typedef void (*DBICallTy)(RegisterContext *ctx, const HookEntryInfo *info);
int DobbyInstrument(void *address, DBICallTy dbi_call);

例子:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39

uintptr_t getCallFirstArg(RegisterContext *ctx) {
  uintptr_t result;
#if defined(_M_X64) || defined(__x86_64__)
#if defined(_WIN32)
  result = ctx->general.regs.rcx;
#else
  result = ctx->general.regs.rdi;
#endif
#elif defined(__arm64__) || defined(__aarch64__)
  result = ctx->general.regs.x0;
#elif defined(__arm__)
  result = ctx->general.regs.r0;
#else
#error "Not Support Architecture."
#endif
  return result;
}

void format_integer_manually(char *buf, uint64_t integer) {
  int tmp = 0;
  for (tmp = integer; tmp > 0; tmp = (tmp >> 4)) {
    buf += (tmp % 16);
    buf--;
  }
}

// [ATTENTION]:
// printf will call 'malloc' internally, and will crash in a loop.
// so, use 'puts' is a better choice.
void malloc_handler(RegisterContext *ctx, const HookEntryInfo *info) {
  size_t size_ = 0;
  size_        = getCallFirstArg(ctx);
  char *buffer = "[-] function malloc first arg: 0x00000000.\n";
  format_integer_manually(strchr(buffer, '.') - 1, size_);
  puts(buffer);
}

DobbyInstrument((void *)malloc, malloc_handler)

DobbyDestroy

1
2
// destory and restore hook
int DobbyDestroy(void *address);

DobbySymbolResolver⭐

解析符号字符串。

1
2
// iterate symbol table and find symbol
void *DobbySymbolResolver(const char *image_name, const char *symbol_name);

DobbyGlobalOffsetTableReplace

1
2
// global offset table
int DobbyGlobalOffsetTableReplace(char *image_name, char *symbol_name, void *fake_func, void **orig_func);

dobby_enable(disable)_near_branch_trampoline

1
2
3
4
5
6
7
// [!!! READ ME !!!]
// for arm, Arm64, dobby will use b xxx instead of ldr absolute indirect branch
// for x64, dobby always use absolute indirect jump
#if defined(__arm__) || defined(__arm64__) || defined(__aarch64__) || defined(_M_X64) || defined(__x86_64__)
void dobby_enable_near_branch_trampoline();
void dobby_disable_near_branch_trampoline();
#endif

dobby_register_image_load_callback

1
2
3
// register linker load image callback
typedef void (*linker_load_callback_t)(const char *image_name, void *handle);
void dobby_register_image_load_callback(linker_load_callback_t func);

API(jmpews)

install_hook_name

这是jmpews的Dobby里面有的一个宏函数,挺好用的。

1
2
3
4
5
6
7
8
9
#define install_hook_name(name, fn_ret_t, fn_args_t...)                                                                \
  static fn_ret_t fake_##name(fn_args_t);                                                                              \
  static fn_ret_t (*orig_##name)(fn_args_t);                                                                           \
  /* __attribute__((constructor)) */ static void install_hook_##name(void *sym_addr) {                                 \
    DobbyHook(sym_addr, (void*)fake_##name, (void**)&orig_##name);                          \
    return;                                                                                                            \
  }                                                                                                                    \
  fn_ret_t fake_##name(fn_args_t)

传入函数名,返回参数类型,传参类型。比如我要准备Hookint add(int a, int b)函数,则我应该这样调用函数:

1
2
3
4
install_hook_name(add, int, int a, int b) {
    // 实现fake_add的逻辑。
    return a * b;
}

这样能创建一个fake_add函数指针,一个orig_add函数指针,一个install_hook_add函数。然后后面紧跟着fn_ret_t fake_##name(fn_args_t)就是让人直接在后面套个大括号,直接实现fake_add的实现逻辑。这样搞定后,我们模拟进行宏展开,即这个宏函数实际上让我们得到了:

1
2
3
4
5
6
7
8
9
static int fake_add(int a, int b);
static int orig_add(int a, int b);
static void install_hook_add(void *sym_addr) {
	DobbyHook(sym_addr, (void*)fake_add, (void* *)&orig_add);
	return;    
}
int fake_add(int a, int b) {
    return a * b;
}

因此这个宏函数很巧妙的帮我们把需要的一些函数和变量都定义好了,剩下的就是真正地去调用了,即:

1
2
// 必须在main函数或其他执行点写这块代码
install_hook_add((void*)add);

示例

DobbyHook替换函数

DobbyHook_replace.cpp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
#include <iostream>
#include "dobby.h"
#include <stdio.h>


extern "C" int add(int a, int b) {
    return a + b;
}

// #define pac_strip(symbol)

// install_hook_name(add, int, int a, int b) {
//     return a ^ b;
// }
static int fake_add(int a, int b); 
static int (*orig_add)(int a, int b); 
static void install_hook_add(void *sym_addr) { 
    DobbyHook(sym_addr, (void*)fake_add, (void**)&orig_add); 
    return; 
} 

static int fake_add(int a, int b) {
    printf("a:%d, b:%d\n", a, b);
    // return orig_add(a, b);
    return a ^ b;
}

int main(void) {
    std::cout << add(114514, 1919810) << std::endl;
    std::cout << "trying to hook..." << std::endl;
    // orig_add = add;
    // auto what = DobbySymbolResolver(NULL, "add");
    // // std::cout << "what:" << what << std::endl;
    // // std::cout << "add:" << add << std::endl;
    // printf("what:%p\n", what);
    printf("add:%p\n", add);
    install_hook_add((void*)add);
    std::cout << "Hook successfull" << std::endl;
    std::cout << add(114514, 1919810) << std::endl;
    return 0;
}

DobbyHook记录函数调用

DobbyHook_log.cpp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
#include <iostream>
#include "dobby.h"
#include <stdio.h>


extern "C" int add(int a, int b) {
    return a + b;
}

// #define pac_strip(symbol)

// install_hook_name(add, int, int a, int b) {
//     return a ^ b;
// }
static int fake_add(int a, int b); 
static int (*orig_add)(int a, int b); 
static void install_hook_add(void *sym_addr) { 
    DobbyHook(sym_addr, (void*)fake_add, (void**)&orig_add); 
    return; 
} 

static int fake_add(int a, int b) {
    printf("a:%d, b:%d\n", a, b);
    return orig_add(a, b);
    // return a ^ b;
}

int main(void) {
    std::cout << add(114514, 1919810) << std::endl;
    std::cout << "trying to hook..." << std::endl;
    // orig_add = add;
    // auto what = DobbySymbolResolver(NULL, "add");
    // // std::cout << "what:" << what << std::endl;
    // // std::cout << "add:" << add << std::endl;
    // printf("what:%p\n", what);
    printf("add:%p\n", add);
    install_hook_add((void*)add);
    std::cout << "Hook successfull" << std::endl;
    std::cout << add(114514, 1919810) << std::endl;
    return 0;
}

DobbyInstrument

DobbyInstrument_log.cpp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
#include <iostream>
#include "dobby.h"
#include <stdio.h>


extern "C" int add(int a, int b) {
    return a + b;
}

void add_handler(RegisterContext *ctx, const HookEntryInfo *info) {
    int a = (int)ctx->general.regs.rdi;
    int b = (int)ctx->general.regs.rsi;
    printf("add(a:%d, b:%d)\n", a, b);
}

int main(void) {
    std::cout << add(114514, 1919810) << std::endl;
    std::cout << "trying to hook..." << std::endl;
    // orig_add = add;
    // auto what = DobbySymbolResolver(NULL, "add");
    // // std::cout << "what:" << what << std::endl;
    // // std::cout << "add:" << add << std::endl;
    // printf("what:%p\n", what);
    printf("add:%p\n", add);
    int ret = DobbyInstrument((void*)add, add_handler);
    std::cout << "Hook successfull" << std::endl;
    std::cout << add(114514, 1919810) << std::endl;
    return 0;
}

当然,这里似乎寄存器用错了,打印出来的值很怪异。不过确实有示范作用。

DobbySymbolResolver解析符号

这就是用来解析符号的,从一个符号字符串获得它代表的函数地址。不过要注意C与C++符号的区别。比如这里的"add"就应该是C函数,在CPP文件里面我是用extern "C"前缀声明的。C++符号更复杂,这里不描述。

1
2
3
void * sym = DobbySymbolResolver(NULL, "add");
printf("sym:%p\n", sym);
DobbyHook(sym, (void*)fake_add, (void**)&orig_add);

参考

BepInEx/Dobby: Fork of jmpews/Dobby with stability edits for Windows (github.com)

InlineHook新秀Dobby框架-腾讯云开发者社区-腾讯云 (tencent.com)

15.Inlinehook:Dobby - RyukieDev (gitbook.io)

Android Ptrace 绕过策略 :: HACKCATML (tistory.com)

Release Version 1.0.5 · BepInEx/Dobby (github.com)

Dobby/docs/get-started-android.md at master · BepInEx/Dobby (github.com)

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia-plus根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

A junior undergraduate
studying in the college of cyber science and engineering
in Sichuan University
in Sichuan , China.
Pronouns:He/him.
A core member of 0x401 CTF team
majorly focus on Reverse Engineering chanllenges.