I just looked through gumcodeallocator.c and gumarmwriter.c and found them rather confusing: it seems the assembly is only saved into an object, and the later functions such as commit and flush don't call anything that writes memory either. Could someone please point me in the right direction?
It's easy to understand; look at this example that hooks two functions.
gum_interceptor_begin_transaction (interceptor);
/* queue a hook on open() */
gum_interceptor_attach (interceptor,
    GSIZE_TO_POINTER (gum_module_find_export_by_name (NULL, "open")),
    listener, GSIZE_TO_POINTER (EXAMPLE_HOOK_OPEN));
/* queue a hook on close() */
gum_interceptor_attach (interceptor,
    GSIZE_TO_POINTER (gum_module_find_export_by_name (NULL, "close")),
    listener, GSIZE_TO_POINTER (EXAMPLE_HOOK_CLOSE));
/* both patches are applied here */
gum_interceptor_end_transaction (interceptor);
gum_interceptor_attach calls gum_interceptor_instrument, which calls _gum_interceptor_backend_create_trampoline to create the trampoline; the bl you are looking for is in there. It differs by platform; taking MIPS as an example, it is in ef2K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6X3M7X3W2V1j5g2)9J5c8X3k6J5K9h3c8S2i4K6u0V1k6%4g2E0i4K6u0r3j5X3I4G2j5W2)9J5c8U0f1$3k6r3b7&6j5X3p5K6k6h3f1&6j5e0f1#2x3e0q4T1y4r3t1H3j5K6j5J5z5e0x3&6y4r3u0X3x3e0t1J5y4K6M7#2k6U0q4S2j5U0N6Q4x3V1k6Y4N6h3#2Q4x3V1k6T1j5h3y4C8k6h3&6V1i4K6u0V1L8h3W2H3M7#2)9J5c8X3N6#2L8h3W2F1N6r3g2J5j5$3g2H3N6r3!0J5i4K6u0V1L8h3W2H3M7#2)9J5k6h3y4Q4x3U0y4x3x3e0j5I4
Also, all of the above only prepares the trampolines; the final write to memory happens inside
gum_interceptor_end_transaction
this line; step into it and search for memcpy and you will see it.
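As an added illustration of the split the answer describes (constructed model code, not frida-gum's own): the writer only fills a buffer inside its object, and the copy into the target function happens when the transaction ends. The structs, the transaction API and the sample prologue/branch words are all assumptions made for the demo.

```c
#include <stdint.h>
#include <string.h>
/* Constructed model of the attach / end_transaction split (hypothetical code, not
 * frida-gum's): a writer only buffers encoded words inside its own object, and the
 * target function's memory is not touched until the transaction ends. */
#define MAX_PATCHES 8
#define PATCH_WORDS 4
typedef struct { uint32_t code[PATCH_WORDS]; size_t n; } writer_t;
typedef struct { uint32_t *target; writer_t writer; } patch_t;
typedef struct { patch_t patches[MAX_PATCHES]; size_t count; int open; } tx_t;

/* Like gum_arm_writer_put_*: appends to the writer's buffer, nothing else. */
static void writer_put(writer_t *w, uint32_t insn) { if (w->n < PATCH_WORDS) w->code[w->n++] = insn; }

/* Like gum_interceptor_attach: prepares the branch-to-trampoline patch for one target. */
static int tx_attach(tx_t *tx, uint32_t *target, uint32_t branch_insn) {
    if (!tx->open || tx->count >= MAX_PATCHES) return -1;
    patch_t *p = &tx->patches[tx->count++];
    p->target = target;
    p->writer.n = 0;
    writer_put(&p->writer, branch_insn);
    return 0;
}

/* Like gum_interceptor_end_transaction: the only place that copies into target memory. */
static size_t tx_end(tx_t *tx) {
    size_t words = 0;
    for (size_t i = 0; i < tx->count; i++) {
        patch_t *p = &tx->patches[i];
        memcpy(p->target, p->writer.code, p->writer.n * sizeof p->writer.code[0]);
        words += p->writer.n;
    }
    tx->count = 0; tx->open = 0;
    return words;
}

/* Two fake prologues stand in for open() and close(); all words are made-up samples. */
int run_demo(void) {
    uint32_t fn_open[PATCH_WORDS]  = { 0xE92D4800u, 0xE28DB004u, 0xE24DD008u, 0xE1A00000u };
    uint32_t fn_close[PATCH_WORDS] = { 0xE92D4800u, 0xE28DB004u, 0xE24DD008u, 0xE1A00000u };
    tx_t tx; memset(&tx, 0, sizeof tx); tx.open = 1;
    if (tx_attach(&tx, fn_open, 0xEB000010u) || tx_attach(&tx, fn_close, 0xEB000020u)) return 1;
    if (fn_open[0] != 0xE92D4800u || fn_close[0] != 0xE92D4800u) return 2; /* still untouched */
    if (tx_end(&tx) != 2) return 3;                                          /* two words committed */
    if (fn_open[0] != 0xEB000010u || fn_close[0] != 0xEB000020u) return 4; /* patched only now */
    if (fn_open[1] != 0xE28DB004u) return 5;                                /* rest of prologue intact */
    if (tx_attach(&tx, fn_open, 0xEB000030u) != -1) return 6;               /* refused: no open transaction */
    return 0;
}
```

run_demo() returns 0 when every stage behaves as described, or the number of the first check that failed.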