idapython-jni_onload

Source: Internet | Published: cms监控软件远程设置 | Editor: 程序博客网 | Time: 2024/05/19 11:44

Setting a breakpoint on JNI_OnLoad

Basic idea: locate, inside libdvm.so, the offset at which JNI_OnLoad is called (the BLX to the loaded library's JNI_OnLoad) and break there, so the breakpoint fires for every native library before its JNI_OnLoad runs.

```python
# -*- coding:utf-8 -*-
from __future__ import print_function

import idaapi
import idautils
import idc
from idc import *

__author__ = 'lantie@15PB'


# Find a loaded module by a case-insensitive substring of its name and return its base
def FindModule(module_name):
    for m in idautils.Modules():
        if module_name.lower() in m.name.lower():
            base = m.base
            size = m.size
            print('module_name is %s' % module_name)
            print(hex(base))
            #idaapi.analyze_area(base, base + size)
            return base
    return None


# Get the address at which libdvm.so calls JNI_OnLoad: the BLX R8 in the
# sequence below (R8 holds the JNI_OnLoad pointer looked up by dlsym)
def find_JNI_OnLoad_addr(base):
    # .text:00050324 00 21                       MOVS            R1, #0
    # .text:00050326 5A F8 00 20                 LDR.W           R2, [R10,R0] ; gDvmJni
    # .text:0005032A 90 68                       LDR             R0, [R2,#8]
    # .text:0005032C C0 47                       BLX             R8
    # .text:0005032E 31 46                       MOV             R1, R6
    # .text:00050330 80 46                       MOV             R8, R0
    pattern = '00 21 5A F8 00 20 90 68 C0 47 31 46 80 46'
    addr = idc.FindBinary(base, SEARCH_DOWN | SEARCH_NEXT, pattern)
    if addr != idc.BADADDR:
        # the BLX R8 sits 8 bytes past the start of the pattern
        addr = addr + 8
        print(hex(addr), idc.GetDisasm(addr))
        return addr
    return None


# Get the module base from the debugger's module list
base = FindModule('libdvm.so')
# When working on the idb file instead, use its lowest address
#base = MinEA()
if base is None:
    print('libdvm.so is not loaded')
else:
    addr = find_JNI_OnLoad_addr(base)
    if addr is None:
        print('JNI_OnLoad call site pattern not found')
    else:
        print("JNI_OnLoad addr = " + hex(addr))
        # set the breakpoint on the BLX R8
        AddBpt(addr)
```
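To show what the `idc.FindBinary` call above actually does, here is an offline re-implementation of the same byte-pattern search (added example, not code from the original post). It parses an IDA-style pattern, including the `??` wildcard that FindBinary also accepts, scans a buffer for it, and only accepts the hit if the halfword eight bytes in really decodes as a Thumb `BLX R8`, which is a check worth making before placing a breakpoint on a pattern match. The `SAMPLE_IMAGE`, its base address and the `thumb_blx_reg` helper are constructed here for the example and are not part of libdvm.so or the script.

```python
import struct

# Added example, not from the original post: an offline re-implementation of the
# byte-pattern search that the IDAPython script performs with idc.FindBinary.
# Pattern syntax follows IDA: space-separated hex bytes, '??' for a wildcard byte.

# Pattern from the original script and the position of the BLX R8 inside it
JNI_ONLOAD_CALLSITE_PATTERN = '00 21 5A F8 00 20 90 68 C0 47 31 46 80 46'
BLX_OFFSET = 8  # 'C0 47' (BLX R8) starts 8 bytes into the pattern


def parse_pattern(pattern):
    """'00 21 ?? F8' -> [0x00, 0x21, None, 0xF8]; None matches any byte."""
    return [None if tok == '??' else int(tok, 16) for tok in pattern.split()]


def find_pattern(buf, pattern, start=0):
    """Offset of the first match of pattern in buf at or after start, else None."""
    pat = parse_pattern(pattern)
    for off in range(start, len(buf) - len(pat) + 1):
        if all(p is None or buf[off + i] == p for i, p in enumerate(pat)):
            return off
    return None


def thumb_blx_reg(buf, off):
    """If the 16-bit Thumb halfword at off encodes BLX Rm, return m, else None.
    Thumb BLX (register) is 0100 0111 1 Rm:4 000, i.e. 0x4780 | (Rm << 3)."""
    (hw,) = struct.unpack_from('<H', buf, off)
    if hw & 0xFF87 != 0x4780:
        return None
    return (hw >> 3) & 0xF


def find_jni_onload_callsite(buf, base):
    """Address (base + offset) of the BLX R8 that calls JNI_OnLoad, or None.
    The match is rejected unless the halfword there really decodes as BLX R8."""
    off = find_pattern(buf, JNI_ONLOAD_CALLSITE_PATTERN)
    if off is None:
        return None
    if thumb_blx_reg(buf, off + BLX_OFFSET) != 8:
        return None
    return base + off + BLX_OFFSET


# Constructed sample image (not a real libdvm.so): filler, then the bytes from the
# listing, placed so that with a hypothetical base of 0x50300 the BLX R8 lands at
# 0x5032C, the same address as in the disassembly.
SAMPLE_IMAGE = (b'\xff' * 0x24
                + bytes.fromhex('00215AF800209068C04731468046')
                + b'\x00' * 16)
SAMPLE_BASE = 0x50300

if __name__ == '__main__':
    addr = find_jni_onload_callsite(SAMPLE_IMAGE, SAMPLE_BASE)
    print('JNI_OnLoad call site = %s' % (hex(addr) if addr is not None else 'not found'))
    # The LDR.W displacement can differ between builds; wildcarding it still matches
    loose = find_pattern(SAMPLE_IMAGE, '00 21 5A F8 ?? ?? 90 68 C0 47')
    print('wildcard match at %s' % hex(SAMPLE_BASE + loose))
```

The wildcard variant is the practical takeaway: the exact 14-byte sequence is tied to one libdvm.so build, and a pattern that masks the build-specific displacement while keeping the `BLX R8` check is more robust across ROM versions.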

