
Why can't I find libkernel.so anymore #44

Closed
kungoodbye opened this issue Oct 6, 2024 · 6 comments

Comments

@kungoodbye

Help needed: I want to go from scratch on Android, from locating and generating the database to hooking to produce the key, but right after installing I cannot detect libkernel.so or libbasic_share.so at all. The nt_msg.db in the directory, however, I did manage to parse into chat records.

@kungoodbye
Author

使用默认版本注入脚本
仍在测试...
请先关闭 Magisk Hide 与 Shamiko
请先禁用 SELinux
请先打开 QQ 并登录,进入主界面,然后运行该脚本,等待数秒后退出登录并重新登录。
若失败,可尝试彻底关闭 QQ 后直接运行
理论支持 Termux 与 桌面操作系统 运行
请勿使用 x86 或 x64 系统上的安卓模拟器。
适用版本:
https://downv6.qq.com/qqweb/QQ_1/android_apk/qq_8.9.58.11050_64.apk
https://github.com/QQBackup/QQ-History-Backup/issues/9
Termux 环境具体命令:
sudo friendly # 重命名后的 frida-server
python android_get_key.py

com.tencent.mobileqq is already running 8230
QQ running!! pid = 8230
libkernel.so not loaded. exit.
Frida script injected.

@Young-Lord
Member

You don't report the version and expect me to tell your fortune?
I just downloaded version 9.1.0 from the official site, and both libraries are there. If you mean they can't be detected, that may be due to the change in function location described in #29. You may need to manually swap libkernel for libbasic_share, and replace the single_function signature match with findExportByName.

@kungoodbye
Author

kungoodbye commented Oct 6, 2024


Neither 8.9.58 nor the latest version works. Could it be that the frida version is too high (16.4), or something to do with the emulator? It's not that the apk lacks them; it's that frida can't hook them and can't detect that the .so has been loaded. Sorry, I didn't describe it clearly.

@Young-Lord
Member

An emulator? Ordinary emulators go through a compatibility layer that translates the arm64 libraries into x86_64 for execution, so Frida may not be able to hook them. If you want to confirm, type getprop | grep 64 in a terminal and post the output here so I can check.

@kungoodbye
Author


marlin:/ $ getprop | grep 64
[dalvik.vm.dex2oat-Xms]: [64m]
[dalvik.vm.image-dex2oat-Xms]: [64m]
[dalvik.vm.image-dex2oat-Xmx]: [64m]
[dalvik.vm.isa.x86_64.features]: [default]
[dalvik.vm.isa.x86_64.variant]: [silvermont]
[ro.boottime.8PryIza8W567iugz]: [816413110]
[ro.boottime.vendor.configstore-hal]: [1010647268]
[ro.boottime.vendor.oemlock-hal-1-0]: [1016647697]
[ro.dalvik.vm.isa.arm64]: [x86_64]
[ro.enable.native.bridge.exec64]: [1]
[ro.logd.size.stats]: [64K]
[ro.product.cpu.abi]: [x86_64]
[ro.product.cpu.abilist]: [x86_64,x86,arm64-v8a,armeabi-v7a,armeabi]
[ro.product.cpu.abilist64]: [x86_64,arm64-v8a]
[ro.vendor.product.cpu.abilist]: [x86_64,x86,arm64-v8a,armeabi-v7a,armeabi]
[ro.vendor.product.cpu.abilist64]: [x86_64,arm64-v8a]
[ro.zygote]: [zygote64_32]
[vendor.rild.libpath]: [/vendor/lib64/libmtk-ril.so]
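The getprop output above carries the evidence the maintainer is looking for: the primary ABI is x86_64, arm64-v8a is only advertised through a translation layer (ro.dalvik.vm.isa.arm64 maps to x86_64, ro.enable.native.bridge.exec64 is 1). The following Python script is an added example, not part of this project or thread; it parses getprop lines into a dictionary and reports whether arm64 libraries on the device would run through a native bridge, which is the condition under which an arm64 Frida hook on libkernel.so or libbasic_share.so will not fire. The sample input is a constructed subset of the lines pasted above plus a constructed sample of a real arm64 phone for contrast; the function and class names are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the getprop lines pasted in this thread.
SAMPLE_EMULATOR = """\
[dalvik.vm.isa.x86_64.variant]: [silvermont]
[ro.dalvik.vm.isa.arm64]: [x86_64]
[ro.enable.native.bridge.exec64]: [1]
[ro.product.cpu.abi]: [x86_64]
[ro.product.cpu.abilist]: [x86_64,x86,arm64-v8a,armeabi-v7a,armeabi]
[ro.product.cpu.abilist64]: [x86_64,arm64-v8a]
"""

# Constructed sample: what a physical arm64 device typically reports.
SAMPLE_ARM_DEVICE = """\
[ro.product.cpu.abi]: [arm64-v8a]
[ro.product.cpu.abilist]: [arm64-v8a,armeabi-v7a,armeabi]
[ro.product.cpu.abilist64]: [arm64-v8a]
"""

# getprop prints each property as "[name]: [value]".
_PROP_RE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")


def parse_getprop(text):
    """Turn raw `getprop` output into a {name: value} dict, skipping junk lines."""
    props = {}
    for line in text.splitlines():
        m = _PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


@dataclass
class BridgeVerdict:
    native_abi: str            # ro.product.cpu.abi, the ABI the kernel really runs
    arm64_via_bridge: bool     # True when arm64 code would be translated, not native
    reasons: list = field(default_factory=list)


def check_native_bridge(props):
    """Decide whether arm64 .so files on this device run through a native bridge.

    Each indicator is recorded so the user can see exactly which property
    gave the game away, as the maintainer did with ro.enable.native.bridge.exec64.
    """
    native_abi = props.get("ro.product.cpu.abi", "")
    on_x86_host = native_abi.startswith("x86")
    reasons = []
    if on_x86_host:
        reasons.append(f"primary ABI is {native_abi}, not arm64-v8a")
    abilist = props.get("ro.product.cpu.abilist", "").split(",")
    if on_x86_host and "arm64-v8a" in abilist:
        reasons.append("arm64-v8a is advertised on an x86 host (translation layer)")
    if props.get("ro.dalvik.vm.isa.arm64") == "x86_64":
        reasons.append("ro.dalvik.vm.isa.arm64 maps arm64 to x86_64")
    if props.get("ro.enable.native.bridge.exec64") == "1":
        reasons.append("ro.enable.native.bridge.exec64=1: 64-bit native bridge enabled")
    # Only an x86 host can be translating arm64; a real arm64 phone never is.
    return BridgeVerdict(native_abi, on_x86_host and bool(reasons), reasons)


if __name__ == "__main__":
    for label, sample in (("emulator", SAMPLE_EMULATOR), ("arm64 phone", SAMPLE_ARM_DEVICE)):
        verdict = check_native_bridge(parse_getprop(sample))
        print(f"{label}: native ABI {verdict.native_abi}, "
              f"arm64 via bridge: {verdict.arm64_via_bridge}")
        for r in verdict.reasons:
            print("  -", r)
```

Run it with the output of `adb shell getprop` piped into `parse_getprop` instead of the constructed samples; if `arm64_via_bridge` comes back True, the script in this thread cannot see the arm64 libraries being loaded, and a physical arm64 device is the fix rather than a different frida version.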

@Young-Lord
Member

ro.enable.native.bridge.exec64
Yes, that's it. It won't work.

Young-Lord closed this as not planned (won't fix, can't repro, duplicate, stale) Oct 6, 2024