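// Hook body run in front of ART's native-method registration.
//
// a: the ArtMethod* being registered; only read through getartmethod().
// b: the native function pointer the app is registering; saved into the
//    file-level `st` so that myreplace() can forward to it.
// c: not used by this hook.
//
// When the method name contains the filter substring, the registration
// argument held at [X18, #0x28] is overwritten with `myreplace`, so the
// runtime binds the Java method to myreplace instead of the app's own
// native implementation. All output goes to logcat under tag "r0ysue" at
// priority 6 (ANDROID_LOG_ERROR).
void regist(void *a, void *b, int c) {
    (void)c;
    const char *ds = getartmethod((unsigned int *)a);
    // getartmethod() returns NULL for a method without a name entry;
    // strstr() on NULL is undefined behaviour, so bail out first.
    if (ds == nullptr) {
        return;
    }
    if (strstr(ds, "xxxxxx") == nullptr) {
        return;  // filter by method name
    }
    st = b;  // keep the original native so myreplace() can forward to it
    long *d = reinterpret_cast<long *>(myreplace);  // the replacement registration target
    __android_log_print(6, "r0ysue", "%p", d);
    // Overwrite RegisterNative's second argument (the function pointer) in
    // the caller's frame; the author's detour passes that frame in x18.
    // NOTE(review): the #0x28 slot offset is tied to one build's frame
    // layout — confirm on the target device/ART version.
    // The asm must be `volatile` with a "memory" clobber: its only effect
    // is the store, and the original form (non-volatile, with an output
    // operand that was never written or read) was legal for the compiler
    // to drop entirely.
    __asm__ volatile("str %[input_n], [X18,#0x28]\r\n"
                     :
                     : [input_n] "r"(d)
                     : "memory");
    __android_log_print(6, "r0ysue", "register %s", ds);
}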
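// Replacement native bound in place of the filtered method (see regist()).
//
// a: JNIEnv* as passed by the runtime.
// b: the receiver (jclass/jobject), forwarded untouched.
// c: the method's int argument, forwarded as a pointer-sized value.
// d: the method's jobjectArray argument.
//
// Forwards to the original native saved in `st` (through docomm(), a
// file-level helper not shown here) and keeps that result as the return
// value, so the caller still observes the original behaviour. As an
// experiment it then rewrites element 2 of `d` to "4" and calls the
// original a second time to log how the result changes.
//
// Every UTF buffer obtained with GetStringUTFChars is released again; the
// original never released them, which leaks one buffer per call.
void *myreplace(void *a, void *b, int c, void *d) {
    JNIEnv *env = static_cast<JNIEnv *>(a);
    jobjectArray arr = static_cast<jobjectArray>(d);

    // First call: the original native, untouched arguments.
    jobject aa = static_cast<jobject>((docomm(st))(a, b, reinterpret_cast<void *>(c), d));
    if (aa == nullptr) {
        return aa;
    }

    // NOTE(review): the author's notes say `d` is a String[] of length 5;
    // nothing here verifies that, so index 2 on a shorter array leaves a
    // pending ArrayIndexOutOfBoundsException in the VM — confirm.
    env->SetObjectArrayElement(arr, 2, env->NewStringUTF("4"));

    // Second call, now with element 2 replaced by "4".
    jobject opp = static_cast<jobject>((docomm(st))(a, b, reinterpret_cast<void *>(c), d));
    if (opp != nullptr) {
        // The result is treated as a jstring here, as in the original.
        const char *opp_utf = env->GetStringUTFChars(static_cast<jstring>(opp), 0);
        if (opp_utf != nullptr) {
            __android_log_print(6, "r0ysue", " 111111111111 %s", opp_utf);
            env->ReleaseStringUTFChars(static_cast<jstring>(opp), opp_utf);
        }
    }

    // `aa` is only printed as a string when the class name (from the
    // file-level `myclass`, via getclassname()) says it is a String.
    const char *ss = getclassname(env, myclass);
    if (ss != nullptr && strstr(ss, "String") != nullptr) {
        printobjearry(env, arr);  // dump the (already modified) array
        const char *aa_utf = env->GetStringUTFChars(static_cast<jstring>(aa), 0);
        if (aa_utf != nullptr) {
            __android_log_print(6, "r0ysue", " ssssssss int:%x %s", c, aa_utf);
            env->ReleaseStringUTFChars(static_cast<jstring>(aa), aa_utf);
        }
    }
    return aa;
}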
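// Log every non-null element of `a` as "<index>: <class name>" under tag
// "r0ysue" at priority 6 (ANDROID_LOG_ERROR).
//
// Each element comes back as a JNI local reference; it is deleted at the
// end of its iteration so a long array cannot exhaust the local reference
// table (the original held every reference until return).
void printobjearry(JNIEnv *env, jobjectArray a) {
    if (a == nullptr) {
        return;
    }
    jsize size = env->GetArrayLength(a);
    for (jsize n = 0; n < size; n++) {
        jobject ax = env->GetObjectArrayElement(a, n);
        if (ax == nullptr) {
            continue;
        }
        // getclassname() is a file-level helper not shown here; guard its
        // result, since "%s" with a NULL argument is undefined.
        const char *name = getclassname(env, ax);
        __android_log_print(6, "r0ysue", " ssssssss %d: %s", n, name != nullptr ? name : "(null)");
        env->DeleteLocalRef(ax);
    }
}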
// Resolve the name of an ArtMethod by walking from the method into its
// dex file's string table.
//
// a1: pointer to the ArtMethod, viewed as 32-bit words.
// Returns a pointer into the dex file's string data (not owned by the
// caller, no copy), a fixed placeholder for obsolete methods, or NULL
// when the method has no name entry — callers must check for NULL.
//
// ArtMethod's GetName function, copied straight from IDA. The field and
// structure offsets below are those of the one ART build that was
// decompiled; they are not looked up at runtime and will not hold on other
// versions. The v18–v31 locals are leftovers of the decompile and are
// never used.
const char *getartmethod(unsigned int *a1){
    __int64 v12; // x20
    __int64 v13; // x0
    _QWORD *v14; // x8
    __int64 v15; // x9
    char *v16; // x8
    const char *result; // x0
    unsigned int **v18; // x8
    unsigned int *v19; // x9
    unsigned int *v20; // x9
    int v21; // w10
    const char *v22; // x9
    const char *v23; // x8
    unsigned int **v24; // x20
    __int64 v25; // x0
    __int64 v26; // x0
    unsigned int **v27; // x20
    __int64 v28; // x0
    __int64 v29; // x0
    unsigned int *v30; // [xsp+48h] [xbp+18h]
    unsigned int *v31; // [xsp+48h] [xbp+18h]
    // Word 3 of the method: presumably its dex method index — confirm.
    v12 = a1[3];
    // Word 1 looks like the access-flags word; 0x40000 matches ART's
    // kAccObsoleteMethod. The decompiled path called
    // _ZN3art9ArtMethod19GetObsoleteDexCacheEv here; this copy returns a
    // placeholder string instead, so obsolete methods are never named.
    if ( (a1[1] & 0x40000) != 0 ) {
        return "cxzcxzcxz";
    }
    else
        // Word 0 is a 32-bit (compressed) reference; +0x10 into the object
        // it names, and +16 from there, yield the pointer used as the dex
        // file below — offsets are build-specific, see header comment.
        v13 = *(unsigned int *)(*a1 + 0x10LL);
    v14 = *(_QWORD **)(v13 + 16);
    // 8-byte entries indexed by v12, second word of the entry: consistent
    // with a dex method_id_item's name_idx — confirm.
    v15 = *(unsigned int *)(v14[12] + 8 * v12 + 4);
    // No name entry: return NULL rather than dereferencing an invalid index.
    if ( (_DWORD)v15 == -1 )
        return 0LL;
    // v14[1] behaves as the file base and v14[9] as a 4-byte offset table,
    // giving the start of the string's data item.
    v16 = (char *)(v14[1] + *(unsigned int *)(v14[9] + 4 * v15));
    // The data item starts with a variable-length prefix (1–5 bytes; the
    // shape matches a ULEB128 length). Skip it: each byte with its high
    // bit set means another prefix byte follows.
    // NOTE(review): `char` is unsigned on AArch64 by default, in which case
    // `v16[i] & 0x80000000` is always 0 and only one prefix byte is ever
    // skipped — names with a longer prefix would then be off by a few
    // bytes. Confirm the compiler's char signedness for this build.
    result = v16 + 1;
    if ( (*v16 & 0x80000000) != 0 )
    {
        if ( (v16[1] & 0x80000000) != 0 )
        {
            if ( (v16[2] & 0x80000000) != 0 )
            {
                v21 = v16[3];
                v22 = v16 + 4;
                v23 = v16 + 5;
                if ( v21 >= 0 )
                    result = v22;
                else
                    result = v23;
            }
            else
            {
                result = v16 + 3;
            }
        }
        else
        {
            result = v16 + 2;
        }
    }
    return result;
}