Implementing Android native-side cracking: the target app's source code
Posted by gradyjiang's technical blog
Editor's note: this article was compiled by 小常识网 (cha138.com) and covers the source code of a target app used to demonstrate Android native-side cracking.
The goal is to make a memory modification on the mobile app's .so side so that the native code takes a logic path it would otherwise never take. Below is the source of the app that will be cracked.
Java side:
```java
package com.example.grady.sectestone;

import android.os.Handler;
import android.os.Message;
import android.support.v7.app.AppCompatActivity;
import android.os.Bundle;
import android.widget.TextView;

import java.util.Timer;
import java.util.TimerTask;

public class MainActivity extends AppCompatActivity {

    // Used to load the 'native-lib' library on application startup.
    static {
        System.loadLibrary("native-lib");
    }

    private TextView tv;
    private Timer timer;
    private int count = 0;

    // Runs on the main thread: every message from the timer thread
    // re-queries the native counter and refreshes the TextView.
    private Handler mHandler = new Handler() {
        @Override
        public void handleMessage(Message msg) {
            super.handleMessage(msg);
            //tv.setText((String)(msg.getData().get("time")));
            String str = stringFromJNI();
            tv.setText(str);
        }
    };

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);

        // Example of a call to a native method
        tv = (TextView) findViewById(R.id.sample_text);
        tv.setText(stringFromJNI());

        // Tick once per second so the native counter keeps increasing.
        timer = new Timer();
        TimerTask timerTask = new TimerTask() {
            @Override
            public void run() {
                count++;
                Message msg = new Message();
                msg.getData().putCharSequence("time", String.valueOf(count));
                mHandler.sendMessage(msg);
            }
        };
        timer.schedule(timerTask, 1000, 1000);
    }

    @Override
    protected void onDestroy() {
        super.onDestroy();
        timer.cancel();
        timer = null;
    }

    /**
     * A native method that is implemented by the 'native-lib' native library,
     * which is packaged with this application.
     */
    public native String stringFromJNI();
}
```
Native side:
```cpp
#include <jni.h>
#include <string>
#include <sstream>

// Counter kept in libnative-lib.so's data segment; this is the value a
// later memory patch will target.
static int count = 0;

extern "C" JNIEXPORT jstring JNICALL
Java_com_example_grady_sectestone_MainActivity_stringFromJNI(
        JNIEnv *env,
        jobject /* this */) {
    std::string hello;
    count++;
    std::stringstream ss;
    if (count > 30) {
        hello = "Grady JNI Count > 30 :count = ";
    } else if (count <= 30 && count >= 0) {
        // `<=` so that 30 is handled here; with `< 30` the value 30 would
        // drop into the Boom branch below and the easter egg would not be
        // unreachable as intended.
        hello = "Grady JNI Check it : count = ";
    } else {
        // Easter egg: only reachable when count is negative.
        hello = "Grady Boom it !!!!! count < 0 : count = ";
    }
    ss << count;
    std::string countStr;
    ss >> countStr;
    std::string result = hello + countStr;
    return env->NewStringUTF(result.c_str());
}
```
As written, the easter-egg branch (count < 0) can never be reached through normal use: the counter starts at zero and only ever increments.
The next step is to force execution into that branch by other means.
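The "other means" is a write into the process's memory that flips the static counter negative before the next JNI call. The following C program is an added example, not code from the original post: it uses a constructed stand-in for the .so's `count` and patches its own process through `/proc/self/mem`, which is the same primitive one would use from a root shell against the app's pid (on Android, writing a foreign pid's `/proc/<pid>/mem` needs ptrace permission, i.e. root). The address of the real variable would be the load base of libnative-lib.so read from `/proc/<pid>/maps` plus the offset of `count` from the .so's symbol table; here the address is simply taken in-process.

```c
#define _GNU_SOURCE
#define _FILE_OFFSET_BITS 64
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Stand-in for the static counter in libnative-lib.so (constructed for this
 * example). volatile: the write below arrives via the kernel, not via C. */
static volatile int count = 0;

/* Same three-way branch as stringFromJNI on the page, returned as text. */
const char *check_count(void) {
    count++;
    if (count > 30) return "Grady JNI Count > 30";
    if (count >= 0)  return "Grady JNI Check it";
    return "Grady Boom it !!!!! count < 0";   /* unreachable by normal use */
}

uintptr_t count_address(void) { return (uintptr_t)&count; }

/* Report the permissions ("rw-p" etc.) of the mapping holding `addr`, read
 * from /proc/<pid>/maps. Against a real target the same file gives
 * libnative-lib.so's load base; base + the offset of `count` (readelf -s on
 * the .so) is the address to patch. */
int mapping_perms(pid_t pid, uintptr_t addr, char perms[5]) {
    char path[64], line[512];
    snprintf(path, sizeof path, "/proc/%d/maps", (int)pid);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    int rc = -1;
    while (fgets(line, sizeof line, f)) {
        unsigned long lo, hi;
        char p[8];
        if (sscanf(line, "%lx-%lx %7s", &lo, &hi, p) != 3) continue;
        if (addr >= lo && addr < hi) {
            memcpy(perms, p, 4);
            perms[4] = '\0';
            rc = 0;
            break;
        }
    }
    fclose(f);
    return rc;
}

/* Write one int into a process's memory through /proc/<pid>/mem. The kernel
 * forces the write (FOLL_FORCE), so this also works on read-only pages, which
 * is what makes the same primitive usable for patching code. A foreign pid
 * requires ptrace permission (root on Android); here pid is our own. */
int poke_int(pid_t pid, uintptr_t addr, int value) {
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/mem", (int)pid);
    int fd = open(path, O_RDWR);
    if (fd < 0) return -1;
    ssize_t n = pwrite(fd, &value, sizeof value, (off_t)addr);
    close(fd);
    return n == (ssize_t)sizeof value ? 0 : -1;
}

/* Force the counter negative, then call the check: it lands in the Boom branch. */
const char *reach_easter_egg(void) {
    if (poke_int(getpid(), count_address(), -100) != 0) return NULL;
    return check_count();
}

int main(void) {
    char perms[5];
    printf("before: %s\n", check_count());
    if (mapping_perms(getpid(), count_address(), perms) == 0)
        printf("count lives at %#lx in a %s mapping\n",
               (unsigned long)count_address(), perms);
    const char *r = reach_easter_egg();
    printf("after poke: %s\n", r ? r : "poke failed");
    return 0;
}
```

Run it on a Linux host with /proc mounted: the first call reports the normal "Check it" branch, the mapping lookup shows the counter sits in a writable data mapping, and after the poke the next call reports the Boom branch. Against the real app the only differences are the target pid and the address computed from the .so's load base.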