idapython-registernative


对 RegisterNatives 函数下断点

基本思路:通过 IDAPython 脚本对其下断点

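# -*- coding:utf-8 -*-
import idaapi
import idautils
import idc
from keystone import *  # NOTE(review): not referenced anywhere in this script
from idc import *

__author__ = 'poi'

# Byte patterns for the two locations of interest. They are taken from the
# disassembly of one specific Dalvik libdvm.so build (listed in the helper
# docstrings below), so they are expected to match only that build; they
# will need to be re-derived for a different libdvm.so and do not apply to
# ART (libart.so) at all. A missed match is reported, never silently skipped.
JNI_ONLOAD_CALL_PATTERN = '00 21 5A F8 00 20 90 68 C0 47 31 46 80 46'
REGISTER_NATIVES_PATTERN = '2D E9 F0 4F 06 46 85 B0 0C 46 03 A8 31 46'


def _find_pattern(base, pattern):
    """Search downward from *base* for the byte *pattern*.

    Returns the address of the first match, or None when *base* is None or
    the pattern does not occur. idc.FindBinary is not bounded by the module
    size, so a match could in principle lie outside the module that starts
    at *base*; callers should treat the result as a candidate to verify.
    """
    if base is None:
        return None
    addr = idc.FindBinary(base, SEARCH_DOWN | SEARCH_NEXT, pattern)
    if addr == idc.BADADDR:
        return None
    return addr


# 查找模块
def FindModule(module_name):
    """Return the load base of the first debugger module whose name contains
    *module_name* (case-insensitive), or None if no such module is loaded.

    Only meaningful while a debugging session is active, since
    idautils.Modules() enumerates the debuggee's loaded modules.
    """
    needle = module_name.lower()
    for m in idautils.Modules():
        if needle in m.name.lower():
            print('module_name is %s' % module_name)
            print(hex(m.base))
            #idaapi.analyze_area(m.base, m.base + m.size)
            return m.base
    return None


def find_JNI_OnLoad_addr(base):
    """Locate the instruction in libdvm.so that calls a library's JNI_OnLoad.

    The pattern matches this sequence of the native-library loader:
      .text:00050324 00 21         MOVS   R1, #0
      .text:00050326 5A F8 00 20   LDR.W  R2, [R10,R0] ; gDvmJni
      .text:0005032A 90 68         LDR    R0, [R2,#8]
      .text:0005032C C0 47         BLX    R8
      .text:0005032E 31 46         MOV    R1, R6
      .text:00050330 80 46         MOV    R8, R0

    Returns the address of the ``BLX R8`` (pattern start + 8), i.e. the
    call site itself rather than JNI_OnLoad, or None when the pattern is
    not found.
    """
    addr = _find_pattern(base, JNI_ONLOAD_CALL_PATTERN)
    if addr is None:
        return None
    # +8 skips MOVS/LDR.W/LDR (2 + 4 + 2 bytes) and lands on the BLX.
    addr += 8
    print('%s %s' % (hex(addr), idc.GetDisasm(addr)))
    return addr


# 获取RegisterNatives函数地址
def find_RegisterNatives_addr(base):
    """Locate the RegisterNatives implementation inside libdvm.so.

    The pattern matches the function prologue:
      .text:0004DF18 2D E9 F0 4F   PUSH.W {R4-R11,LR}
      .text:0004DF1C 06 46         MOV    R6, R0
      .text:0004DF1E 85 B0         SUB    SP, SP, #0x14
      .text:0004DF20 0C 46         MOV    R4, R1
      .text:0004DF22 03 A8         ADD    R0, SP, #0x38+var_2C
      .text:0004DF24 31 46         MOV    R1, R6

    Returns the function's start address, or None when not found.
    """
    addr = _find_pattern(base, REGISTER_NATIVES_PATTERN)
    if addr is None:
        return None
    print('%s %s' % (hex(addr), idc.GetDisasm(addr)))
    return addr


# 内存中获取模块基地址 (requires an attached debugger with libdvm.so loaded)
base = FindModule('libdvm.so')
# idb文件中获取基地址
#base = MinEA()
if base is None:
    # Without a base every search below would fail; say so instead of
    # letting hex(None)/AddBpt(None) raise a TypeError.
    print('libdvm.so not found among loaded modules; attach the debugger first')
else:
    addr = find_JNI_OnLoad_addr(base)
    if addr is None:
        print('JNI_OnLoad call-site pattern not found in libdvm.so')
    else:
        print("JNI_OnLoad addr = " + hex(addr))
        # 下断点
        AddBpt(addr)
    #AddBpt(base+0x4DF18)
    rn_addr = find_RegisterNatives_addr(base)
    if rn_addr is None:
        print('RegisterNatives pattern not found in libdvm.so')
    else:
        AddBpt(rn_addr)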

