ROM-level instrumentation logging
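The main advantage of ROM-level instrumentation is that the logging is done in the system source code: as long as the app does not crash, the log output from specific points in the startup process is visible. The ROM-level instrumentation features may be extended later as other needs arise. The existing instrumentation points are described below.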

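Cryptographic function logging
This feature logs the common cryptographic algorithms at the Java layer. Byte arrays are printed as hex. The output is saved in the logs directory and can also be viewed directly with logcat. With the feature enabled, the log output looks like this. The labels inside the log are in Chinese: 加密模式 is "encryption mode", 填充模式 is "padding mode", 算法名 is "algorithm name" and 密钥 is "key".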
2024-03-09 12:56:13 d mikrom_Cipher Cipher.init 加密模式 key:31373039393838393731393431
2024-03-09 12:56:13 d mikrom_Cipher Cipher.update 323032342D30332D30395F32303A35363A31332E313338207069643D3136353634207469643D31363536342849292D546273496E7374616C6C65722D5442533A697350726570617265546273436F72652023312320636F72655F73686172655F6261636B75705F746D700A
2024-03-09 12:56:13 d mikrom_Cipher =============Cipher.getInstance start tid:2=============
Cipher.getInstance 填充模式:RC4
=============Cipher.getInstance end tid:2=============
2024-03-09 12:56:13 d mikrom_SecretKeySpec =============SecretKeySpec.SecretKeySpec start tid:2=============
SecretKeySpec.SecretKeySpec 算法名:RC4 密钥key:31373039393838393731393431
=============SecretKeySpec.SecretKeySpec end tid:2=============
2024-03-09 12:56:13 d mikrom_Cipher Cipher.init 加密模式 key:31373039393838393731393431
2024-03-09 12:56:13 d mikrom_Cipher Cipher.update 323032342D30332D30395F32303A35363A31332E313430207069643D3136353634207469643D31363536342849292D546273496E7374616C6C65722D5442533A697350726570617265546273436F72652023312320636F72655F636F70795F746D700A
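Because every byte array is printed as hex, the first triage step is usually to decode it. The following is an added example, not part of the original page or of the MikRom project: a small parser for the line shapes shown above that recovers the API name and the bytes, and lists key material that is plain printable ASCII. The names `parse`, `as_text` and `ascii_keys` are hypothetical.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample: three lines copied from the log excerpt above.
SAMPLE = """\
2024-03-09 12:56:13 d mikrom_Cipher Cipher.init 加密模式 key:31373039393838393731393431
SecretKeySpec.SecretKeySpec 算法名:RC4 密钥key:31373039393838393731393431
2024-03-09 12:56:13 d mikrom_Cipher Cipher.update 323032342D30332D30395F32303A35363A31332E313338207069643D3136353634207469643D31363536342849292D546273496E7374616C6C65722D5442533A697350726570617265546273436F72652023312320636F72655F73686172655F6261636B75705F746D700A
"""

# API name, then optional labels, then a hex run that ends the line.
LINE_RE = re.compile(r"(?P<api>\w+\.\w+)\s(?:.*[:\s])?(?P<hex>(?:[0-9A-Fa-f]{2})+)$")
KEY_APIS = {"Cipher.init", "SecretKeySpec.SecretKeySpec"}

class Record(NamedTuple):
    api: str
    data: bytes
    text: Optional[str]  # ASCII rendering, or None when not printable

def as_text(data: bytes) -> Optional[str]:
    ok = all(32 <= b < 127 or b in (9, 10, 13) for b in data)
    return data.decode("ascii") if ok else None

def parse(log: str) -> List[Record]:
    records = []
    for line in log.splitlines():
        m = LINE_RE.search(line.strip())
        if m:
            data = bytes.fromhex(m.group("hex"))
            records.append(Record(m.group("api"), data, as_text(data)))
    return records

def ascii_keys(records: List[Record]) -> Dict[str, List[str]]:
    """Keys that decode to printable ASCII, mapped to the APIs that logged them."""
    seen: Dict[str, List[str]] = {}
    for r in records:
        if r.api in KEY_APIS and r.text is not None:
            apis = seen.setdefault(r.text, [])
            if r.api not in apis:
                apis.append(r.api)
    return seen

if __name__ == "__main__":
    for r in parse(SAMPLE):
        print(r.api, repr(r.text) if r.text is not None else r.data.hex())
    print(ascii_keys(parse(SAMPLE)))
```

On the sample, the RC4 key decodes to the 13 ASCII digits `1709988971941` and the `Cipher.update` input to a readable log line; key material made only of printable characters is worth flagging in a review.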
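Cryptographic function stack-trace logging
This works the same way as the feature above; once enabled, it also prints the call stack of the encryption and decryption functions, which helps with troubleshooting. The log output looks like this.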
=============MessageDigest.digest end tid:2=============
2024-03-10 03:34:48 d mikrom_MessageDigest =============MessageDigest.digest start tid:2=============
stack: java.lang.RuntimeException: stack_info
at cn.mik.kmodule.callback.MessageDigest.update(MessageDigest.java:44)
at java.lang.reflect.Method.invoke(Native Method)
at java.lang.krom.Reflect.on(Reflect.java:156)
at java.lang.krom.Reflect.call(Reflect.java:407)
at java.lang.krom.KCommon.CallInjectMethod(KCommon.java:115)
at java.security.MessageDigest.update(MessageDigest.java:394)
at com.android.org.bouncycastle.crypto.digests.OpenSSLDigest.update(OpenSSLDigest.java:65)
at com.android.org.bouncycastle.crypto.macs.HMac.doFinal(HMac.java:194)
at com.android.org.bouncycastle.crypto.generators.PKCS5S2ParametersGenerator.F(PKCS5S2ParametersGenerator.java:72)
at com.android.org.bouncycastle.crypto.generators.PKCS5S2ParametersGenerator.generateDerivedKey(PKCS5S2ParametersGenerator.java:103)
at com.android.org.bouncycastle.crypto.generators.PKCS5S2ParametersGenerator.generateDerivedParameters(PKCS5S2ParametersGenerator.java:122)
at com.android.org.bouncycastle.crypto.generators.PKCS5S2ParametersGenerator.generateDerivedMacParameters(PKCS5S2ParametersGenerator.java:158)
at com.android.org.bouncycastle.jcajce.provider.symmetric.util.PBE$Util.makePBEMacParameters(PBE.java:431)
at com.android.org.bouncycastle.jcajce.provider.symmetric.PBEPBKDF2$BasePBKDF2.engineGenerateSecret(PBEPBKDF2.java:260)
at javax.crypto.SecretKeyFactory.generateSecret(SecretKeyFactory.java:524)
at com.huawei.agconnect.config.impl.i.a(Unknown Source:36)
at com.huawei.agconnect.config.impl.f.<init>(Unknown Source:29)
at com.huawei.agconnect.config.impl.k.<init>(Unknown Source:56)
at com.huawei.agconnect.config.impl.c.a(Unknown Source:45)
at com.huawei.agconnect.config.impl.c.getRoutePolicy(Unknown Source:18)
at com.huawei.agconnect.core.a.b.a(Unknown Source:61)
at com.huawei.agconnect.core.a.b.a(Unknown Source:24)
at com.huawei.agconnect.AGConnectInstance.initialize(Unknown Source:10)
at com.huawei.agconnect.core.provider.AGConnectInitializeProvider.onCreate(Native Method)
at android.content.ContentProvider.attachInfo(ContentProvider.java:2451)
at android.content.ContentProvider.attachInfo(ContentProvider.java:2421)
at android.app.ActivityThread.installProvider(ActivityThread.java:7605)
at android.app.ActivityThread.installContentProviders(ActivityThread.java:7121)
at s.h.e.l.l.N.r(Native Method)
at s.h.e.l.l.S.attachBaseContext(Unknown Source:39)
at android.app.Application.attach(Application.java:346)
at android.app.Instrumentation.newApplication(Instrumentation.java:1246)
at android.app.LoadedApk.makeApplicationInner(LoadedApk.java:1462)
at android.app.LoadedApk.makeApplicationInner(LoadedApk.java:1399)
at android.app.ActivityThread.handleBindApplication(ActivityThread.java:6812)
at android.app.ActivityThread.-$$Nest$mhandleBindApplication(Unknown Source:0)
at android.app.ActivityThread$H.handleMessage(ActivityThread.java:2138)
at android.os.Handler.dispatchMessage(Handler.java:106)
at android.os.Looper.loopOnce(Looper.java:201)
at android.os.Looper.loop(Looper.java:288)
at android.app.ActivityThread.main(ActivityThread.java:8015)
at java.lang.reflect.Method.invoke(Native Method)
at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:548)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:942)
MessageDigest.update input hexstr:6A196A6D1D6D6A1D1A186D1D181F6D6A18641F6F1D1F181A1A6C186A1D656A645C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5CEDF43E1AAC2CA41215F8AD3B27023B84E6740739
=============MessageDigest.update end tid:2=============
RegisterNative function logging
Logs the target app's statically and dynamically registered native functions. The log output looks like this.
mikrom ClassLinker::RegisterNative void J.N.MP48r$4B(long, int) native_ptr:0x7016d43ed4 method_idx:0x220 offset:0x50d5ed4 module_name:/data/app/~~Zui0KYYtvHL5CVqIOm3VCQ==/com.google.android.webview-0TQXdjuHeYI14JIKsnB00A==/WebViewGoogle.apk!/lib/arm64-v8a/libmonochrome.so
mikrom ClassLinker::RegisterNative void J.N.Mdl6A1eo(boolean, boolean) native_ptr:0x7015a744e0 method_idx:0x356 offset:0x3e064e0 module_name:/data/app/~~Zui0KYYtvHL5CVqIOm3VCQ==/com.google.android.webview-0TQXdjuHeYI14JIKsnB00A==/WebViewGoogle.apk!/lib/arm64-v8a/libmonochrome.so
mikrom ClassLinker::RegisterNative void J.N.MGnQU$47(long, java.lang.Object, long, java.lang.String) native_ptr:0x70148bd5cc method_idx:0x164 offset:0x2c4f5cc module_name:/data/app/~~Zui0KYYtvHL5CVqIOm3VCQ==/com.google.android.webview-0TQXdjuHeYI14JIKsnB00A==/WebViewGoogle.apk!/lib/arm64-v8a/libmonochrome.so
mikrom ClassLinker::RegisterNative java.lang.String[] J.N.MdQEl6jg(java.lang.String, java.lang.String) native_ptr:0x7016edfe38 method_idx:0x349 offset:0x5271e38 module_name:/data/app/~~Zui0KYYtvHL5CVqIOm3VCQ==/com.google.android.webview-0TQXdjuHeYI14JIKsnB00A==/WebViewGoogle.apk!/lib/arm64-v8a/libmonochrome.so
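The RegisterNative lines carry enough fields to map each Java method to a location inside its library. The following is an added example, not part of the original page or of the MikRom project: it parses the fields and checks that `native_ptr` minus `offset` gives one load base per module. Reading `offset` as the distance from the module's load base is an inference from the sample values, not something the page states; the function names are hypothetical.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample: two lines copied from the RegisterNative excerpt above.
SAMPLE = """\
mikrom ClassLinker::RegisterNative void J.N.MP48r$4B(long, int) native_ptr:0x7016d43ed4 method_idx:0x220 offset:0x50d5ed4 module_name:/data/app/~~Zui0KYYtvHL5CVqIOm3VCQ==/com.google.android.webview-0TQXdjuHeYI14JIKsnB00A==/WebViewGoogle.apk!/lib/arm64-v8a/libmonochrome.so
mikrom ClassLinker::RegisterNative java.lang.String[] J.N.MdQEl6jg(java.lang.String, java.lang.String) native_ptr:0x7016edfe38 method_idx:0x349 offset:0x5271e38 module_name:/data/app/~~Zui0KYYtvHL5CVqIOm3VCQ==/com.google.android.webview-0TQXdjuHeYI14JIKsnB00A==/WebViewGoogle.apk!/lib/arm64-v8a/libmonochrome.so
"""

REG_RE = re.compile(
    r"ClassLinker::RegisterNative (?P<sig>.+?) native_ptr:(?P<ptr>0x[0-9a-fA-F]+) "
    r"method_idx:(?P<idx>0x[0-9a-fA-F]+) offset:(?P<off>0x[0-9a-fA-F]+) "
    r"module_name:(?P<mod>\S+)$"
)

def parse_register_native(log: str) -> List[dict]:
    entries = []
    for line in log.splitlines():
        m = REG_RE.search(line.strip())
        if m:
            entries.append({
                "sig": m.group("sig"),
                "ptr": int(m.group("ptr"), 16),
                "idx": int(m.group("idx"), 16),
                "off": int(m.group("off"), 16),
                # Keep only the library file name, e.g. libmonochrome.so
                "lib": m.group("mod").rsplit("/", 1)[-1],
            })
    return entries

def module_bases(entries: List[dict]) -> Dict[str, Set[int]]:
    """native_ptr - offset per library; more than one value means the
    'offset from load base' reading does not hold for that library."""
    bases: Dict[str, Set[int]] = defaultdict(set)
    for e in entries:
        bases[e["lib"]].add(e["ptr"] - e["off"])
    return dict(bases)

if __name__ == "__main__":
    for e in parse_register_native(SAMPLE):
        print(f'{e["lib"]}+{e["off"]:#x}  {e["sig"]}')
    for lib, vals in module_bases(parse_register_native(SAMPLE)).items():
        print(lib, [hex(v) for v in sorted(vals)])
```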
Native function logging
Logs when a native function is entered and when it is left. The log output looks like this.
mikrom leave jni byte[] libcore.util.CharsetUtils.toUtf8Bytes(java.lang.String, int, int) 0x71ede500f0
mikrom leave jni java.lang.Class java.lang.Class.classForName(java.lang.String, boolean, java.lang.ClassLoader) 0x71ede500f0
mikrom leave jni java.lang.reflect.Method java.lang.Class.getDeclaredMethodInternal(java.lang.String, java.lang.Class[]) 0x71ede500f0
mikrom leave jni java.lang.Class java.lang.reflect.Executable.getMethodReturnTypeInternal() 0x71ede500f0
mikrom leave jni java.lang.Object java.lang.reflect.Array.createObjectArray(java.lang.Class, int) 0x71ede500f0
mikrom leave jni java.lang.reflect.Constructor java.lang.Class.getDeclaredConstructorInternal(java.lang.Class[]) 0x71ede500f0
mikrom enter jni long com.android.org.conscrypt.NativeCrypto.EVP_CIPHER_CTX_new() 0x71ede500f0