Other Tools
Auxiliary functions are mainly commonly used analysis methods for analyzing applications. Because these functions are relatively complex, they are grouped together under auxiliary functions. Later on they may be refined, their interfaces adjusted, and the functions re-divided. Let's take a look at the auxiliary function interface in the current version.

Native function sleep
Used against anti-debugging. Debugger detection is usually performed when the application starts, and it generally runs before the function you want to debug is executed. This feature makes the target function wait for 30 seconds before it continues executing. Attaching the debugger during that window can bypass some anti-debugging methods. Just fill in the native function name in this field.
smali trace
Used to analyze Java functions by printing the smali instructions they execute. As an example, here is the smali trace log for the function sortUrlParam. The function source code is as follows.
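public static String sortUrlParam(String url) {
    // Requires java.util.ArrayList, java.util.Collections and java.util.List.
    String[] params = url.split("&");
    List<String> resList = new ArrayList<>();
    for (String param : params) {
        // Split each pair into key and value; a missing value becomes "".
        String[] kv = param.split("=");
        String val = "";
        if (kv.length >= 2) {
            val = kv[1];
        }
        resList.add(kv[0] + "=" + val);
    }
    // Sort the normalized key=value pairs and join them back together.
    Collections.sort(resList);
    return String.join("&", resList);
}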
The resulting smali trace log is as follows.
mikrom Execute strstr traceMethod success:java.lang.String com.example.codemgr.common.OtherTools.sortUrlParam(java.lang.String) sortUrlParam
java.lang.String com.example.codemgr.common.OtherTools.sortUrlParam(java.lang.String)
mikrom smaliTrace 0x0: const-string v0, "&" // string@5 // vreg0=0x00000000 vreg1=0x00000000 vreg2=0x00000000 vreg3=0x00000000 vreg4=0x00000000 vreg5=0x00000000 vreg6=0x00000000 vreg7=0x00000000 vreg8=0x00000000 vreg9=0x00000000 vreg10=0x00000000 vreg11=0x00000000 vreg12=0x131A7920/java.lang.String "datatype=-1&status=-1&num=0"
java.lang.String com.example.codemgr.common.OtherTools.sortUrlParam(java.lang.String)
mikrom smaliTrace 0x2: invoke-virtual {v12, v0}, java.lang.String[] java.lang.String.split(java.lang.String) // method@88 // vreg0=0x6F4367D0/java.lang.String "&" vreg1=0x00000000 vreg2=0x00000000 vreg3=0x00000000 vreg4=0x00000000 vreg5=0x00000000 vreg6=0x00000000 vreg7=0x00000000 vreg8=0x00000000 vreg9=0x00000000 vreg10=0x00000000 vreg11=0x00000000 vreg12=0x131A7920/java.lang.String "datatype=-1&status=-1&num=0"
java.lang.String com.example.codemgr.common.OtherTools.sortUrlParam(java.lang.String)
mikrom smaliTrace 0x5: move-result-object v1 // vreg0=0x6F4367D0/java.lang.String "&" vreg1=0x00000000 vreg2=0x00000000 vreg3=0x00000000 vreg4=0x00000000 vreg5=0x00000000 vreg6=0x00000000 vreg7=0x00000000 vreg8=0x00000000 vreg9=0x00000000 vreg10=0x00000000 vreg11=0x00000000 vreg12=0x131A7920/java.lang.String "datatype=-1&status=-1&num=0"
java.lang.String com.example.codemgr.common.OtherTools.sortUrlParam(java.lang.String)
mikrom smaliTrace 0x6: new-instance v2, java.util.ArrayList // type@TypeIndex[54] // vreg0=0x6F4367D0/java.lang.String "&" vreg1=0x131A7950/java.lang.String[] vreg2=0x00000000 vreg3=0x00000000 vreg4=0x00000000 vreg5=0x00000000 vreg6=0x00000000 vreg7=0x00000000 vreg8=0x00000000 vreg9=0x00000000 vreg10=0x00000000 vreg11=0x00000000 vreg12=0x131A7920/java.lang.String "datatype=-1&status=-1&num=0"
java.lang.String com.example.codemgr.common.OtherTools.sortUrlParam(java.lang.String)
...
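A parser for the smaliTrace lines above, as an added example (not part of mikrom or of the original page). As the log shows, each line dumps the registers as they are before its instruction runs, so diffing consecutive dumps reveals what each instruction wrote. The sample is constructed in the same format with a shortened four-register frame, and the names parse_trace and register_effects are chosen here.

```python
import re

# Constructed sample in the smaliTrace format shown above, cut down to a
# four-register frame (v3 holds the url argument) to keep the lines short.
SIG = "java.lang.String com.example.codemgr.common.OtherTools.sortUrlParam(java.lang.String)"
ARG = ' vreg2=0x00000000 vreg3=0x131A7920/java.lang.String "datatype=-1&status=-1&num=0"'
AMP = 'vreg0=0x6F4367D0/java.lang.String "&"'
SAMPLE = "\n".join([
    'mikrom smaliTrace 0x0: const-string v0, "&" // string@5 // vreg0=0x00000000 vreg1=0x00000000' + ARG, SIG,
    "mikrom smaliTrace 0x2: invoke-virtual {v3, v0}, java.lang.String[] java.lang.String.split(java.lang.String)"
    " // method@88 // " + AMP + " vreg1=0x00000000" + ARG, SIG,
    "mikrom smaliTrace 0x5: move-result-object v1 // " + AMP + " vreg1=0x00000000" + ARG, SIG,
    "mikrom smaliTrace 0x6: new-instance v2, java.util.ArrayList // type@TypeIndex[54] // "
    + AMP + " vreg1=0x131A7950/java.lang.String[]" + ARG, SIG,
])

STEP_RE = re.compile(r"smaliTrace (0x[0-9a-fA-F]+): (.*)")
# vregN=0xADDR, optional /type, optional "string"; the lookahead lets a string
# value contain quotes or spaces without ending the match early.
VREG_RE = re.compile(r'vreg(\d+)=(0x[0-9A-Fa-f]+)(?:/(\S+))?(?: "(.*?)"(?= vreg\d+=|$))?')

def parse_trace(text):
    """Return [(pc, instruction, {reg: (value, type, string)})], skipping other log lines."""
    steps = []
    for line in text.splitlines():
        m = STEP_RE.search(line.strip())
        if not m:
            continue  # method-signature lines and unrelated log output
        body = m.group(2)
        cut = body.find(" // vreg")  # register dump starts at the first " // vreg"
        insn, dump = (body, "") if cut < 0 else (body[:cut], body[cut + 4:])
        insn = insn.split(" // ")[0]  # drop the "// string@5" style index comment
        regs = {int(v[1]): (int(v[2], 16), v[3], v[4]) for v in VREG_RE.finditer(dump)}
        steps.append((int(m.group(1), 16), insn, regs))
    return steps

def register_effects(steps):
    """Each line shows registers *before* its instruction runs, so the effect of
    step i is the difference between its dump and the dump of step i+1."""
    effects = []
    for (pc, insn, before), (_, _, after) in zip(steps, steps[1:]):
        changed = {r: val for r, val in after.items() if before.get(r) != val}
        effects.append((pc, insn, changed))
    return effects

if __name__ == "__main__":
    for pc, insn, changed in register_effects(parse_trace(SAMPLE)):
        print(f"{pc:#06x}  {insn:<40.40}  ->  {changed or 'no register change'}")
```

The last traced instruction has no following dump, so it gets no entry in the result.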
ArtMethod Invoke
This feature originally belonged to the ROM-level instrumentation section and was moved to the auxiliary functions section so that it can be controlled more flexibly. Most functions have to go through the invoke function when they execute. The log output follows the frida_hook_libart project. If you enter *, everything is output by default (except functions starting with android. and java.); otherwise the executed functions found by fuzzy matching are output. Below is the output log.
mikrom ArtMethod invoke androidx.emoji2.text.flatbuffer.MetadataList.<init>
mikrom ArtMethod invoke androidx.emoji2.text.flatbuffer.Utf8Safe.<init>
mikrom ArtMethod invoke androidx.emoji2.text.flatbuffer.MetadataList.getRootAsMetadataList
mikrom ArtMethod invoke androidx.emoji2.text.MetadataRepo.<init>
mikrom ArtMethod invoke androidx.emoji2.text.EmojiMetadata.<clinit>
mikrom ArtMethod invoke androidx.core.os.TraceCompat.endSection
so fixer
This feature dumps the target so from memory 30 seconds after the application starts and uses SoFixer to repair it. The final result is saved in the /data/mikrom/dumpSo directory. Multiple target files can be separated with a comma (,).
frida-gadget
This feature injects frida-gadget.so. You can choose a gadget you compiled yourself. If you do not choose one, the 16.0.3 version of the gadget that comes with the system is used by default. If the port option is 0, the frida default port is used; otherwise the user-defined port is used.
Listening is effectively attach. Listening and blocking corresponds to a spawn-style attach: it blocks when the application starts and waits for the user to attach before continuing execution. Selecting the script option is for persistent use that does not require PC-side interaction.