Code restoration technology: Unidbg hook_add_new to achieve conditional breakpoints (Part 2)

1. Objectives

When doing code restoration, you sometimes analyze a set of results and want to set a conditional breakpoint in the middle of the computation, for example breaking at address 0x1234 only when R0=0x5678.

Let’s try it today.

Tip:

The Unidbg code has been synchronized to the latest official version, which already supports the display of floating-point registers.

2. Steps

First, write a floatdemotwo sample.

Upgrade the ancestral algorithm:

#include <jni.h>
#include <string>

extern "C" JNIEXPORT jstring JNICALL
Java_com_h1yx_app_floatdemo_MainActivity_stringFromJNI(
        JNIEnv* env,
        jobject Obj, jdouble value) {
    std::string hello = "Hello from C++";

    double p = 3.14159;   // pi, used for both circumference and area
    double s, v, rc;

    // For 10 circles of radius (value + i), append circumference + area on its own line
    for (int i = 0; i < 10; i++) {
        hello += "\n";

        v = 2 * p * (value + i);             // circumference: 2 * pi * r
        s = p * (value + i) * (value + i);   // area: pi * r^2

        rc = v + s;

        hello += std::to_string(rc);
    }

    return env->NewStringUTF(hello.c_str());
}

For each of 10 circles, compute the sum of its circumference and area.

A flurry of operations: merge the Unidbg update and keep running the sign algorithm

1. Objectives

The author of Unidbg has been updating quite frequently recently. We have to keep up with him so as not to be left behind.

2. Analysis

Code comparison

Pull the latest code first:

git pull

Compared with our previous code, there are a lot of changes. I merged 3-5 files by hand and nearly coughed up blood…

As a certified senior programmer, I still merged the code manually, and my boss almost suspected that my senior certificate was issued in Zhongguancun.

QBDI User Guide

1. Objectives

Today I would like to introduce a new friend to you: QBDI.

It can be quickly integrated into your Frida script to perform assembly-level tracing.

2. Steps

Install

Using QBDI on Android is very convenient. First, download the latest release from the official site:

https://github.com/QBDI/QBDI/releases/download/v0.10.0/QBDI-0.10.0-android-AARCH64.tar.gz

For use with Frida, two files in the archive matter: libQBDI.so and frida-qbdi.js. The former is the library injected into the process, the latter is the JavaScript wrapper.

Code Restoration Trial (Part 2): Modified MD5

1. Objectives

Boss: AI has already done the work of code restoration. Do we still need to write a tutorial for code restoration?

Me: Of course I have to write it. AI is AI, it is a batch assembly line operation, how can it be as cool as my purely manual code? My code is warm.

A famous person once said: you can never make money beyond your cognitive scope. So you can't command AI to do work beyond your cognitive scope either.

Android high version installation system certificate HTTPS packet capture - the ultimate solution

1. Objectives

To capture an app's traffic, the app must first trust the capture tool's CA certificate.

However, starting from Android 7.0, apps no longer trust user-installed CA certificates by default, so the CA certificate has to be installed into the system CA certificate directory.

If your device is rooted with Magisk, this task is relatively simple: you only need to install the Move Certificates module.

But today's story starts with me flashing a new ROM. This ROM is quite strange: after flashing, the adb shell already runs as root, but apps cannot obtain root.