Nov 17, 2022 10:16 AM
Cheat Analysis Report
Analysis conclusions
Structure of the cheat
- A user interface written in Java
- A memory-reading module written in C++, sock1
Where the cheat program is stored
The cheat's encrypted binary is stored in the APK's assets directory; on launch it is decrypted and written out to /data/user/0/com.tencent.esp/files
How the ELF is launched
sock1 is first written out as-is, then read back, decrypted and written out again as sock1
cd into the files directory, then execute sock1 with two arguments, screen X and screen Y
Encryption and decryption of the resources
The key is generated from the string "gamesec"
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fe6620e26-4db7-4c29-9253-512c6ac3633f%2F%E6%88%AA%E5%B1%8F2022-04-23_19.54.37.png?table=block&id=9c571c54-931b-48d1-a840-8cda6d0b1739&t=9c571c54-931b-48d1-a840-8cda6d0b1739&width=1972&cache=v2)
Decrypt and write out sock1
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Ffafe507a-f2f3-4e85-ac8e-15306eec966f%2F%E6%88%AA%E5%B1%8F2022-04-23_19.55.28.png?table=block&id=f5038fb5-3a52-482b-ae7b-3fc28dde50d5&t=f5038fb5-3a52-482b-ae7b-3fc28dde50d5&width=1828&cache=v2)
Key generation algorithm
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F7835d17d-1738-40aa-9e70-da7d1ddfb57c%2F%E6%88%AA%E5%B1%8F2022-04-23_19.56.01.png?table=block&id=c081b497-94ec-41f9-9ec4-ab4fb1821072&t=c081b497-94ec-41f9-9ec4-ab4fb1821072&width=924&cache=v2)
Decryption algorithm: a simple XOR
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F43fbbe92-76bb-4590-be22-a28bb4efb7e7%2F%E6%88%AA%E5%B1%8F2022-04-23_19.56.54.png?table=block&id=5057b36f-892e-4fae-be35-7e19a58d12e4&t=5057b36f-892e-4fae-be35-7e19a58d12e4&width=1212&cache=v2)
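The report only states that the key comes from the string "gamesec" and that the cipher is a plain XOR. As an added example (not code from the report), the following shows how an analyst recovers such a repeating XOR key from the encrypted asset by using the ELF e_ident as known plaintext, so the key schedule in the screenshots never has to be reconstructed by hand. The sample data, and the key schedule used to build it (the raw bytes of "gamesec" repeated), are assumptions.

```python
import struct
from typing import Optional

ELF_MAGIC = b"\x7fELF"
# e_ident of a 32-bit little-endian ELF: magic, class, data, version, then zero padding.
ELF_IDENT_32LE = ELF_MAGIC + bytes([1, 1, 1, 0]) + bytes(8)

def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: the same function encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def known_plaintext_keystream(cipher: bytes, known: bytes) -> bytes:
    """keystream[i] = cipher[i] ^ plaintext[i] for the bytes whose plaintext we know."""
    return bytes(c ^ p for c, p in zip(cipher, known))

def find_key_period(ks: bytes, max_period: int = 64) -> Optional[int]:
    """Smallest period p with ks[i] == ks[i + p] for every recoverable i."""
    for p in range(1, min(max_period, len(ks))):
        if all(ks[i] == ks[i + p] for i in range(len(ks) - p)):
            return p
    return None

def recover_key(cipher: bytes) -> bytes:
    """Recover a short repeating XOR key from an encrypted ELF using e_ident as known plaintext."""
    ks = known_plaintext_keystream(cipher, ELF_IDENT_32LE)
    period = find_key_period(ks)
    if period is None:
        raise ValueError("key longer than the known plaintext; more known bytes are needed")
    return ks[:period]

def decrypt_elf(cipher: bytes) -> bytes:
    """Decrypt with the recovered key and verify that the result carries an ELF magic."""
    plain = xor_with_key(cipher, recover_key(cipher))
    if plain[:4] != ELF_MAGIC:
        raise ValueError("decryption did not yield an ELF header")
    return plain

# Constructed sample: a fake 32-bit ARM ET_DYN header plus filler, encrypted with the
# ASSUMED key schedule (raw bytes of "gamesec" repeated). The real schedule is only
# shown in the report's screenshots and is not reproduced here.
def build_sample(key: bytes = b"gamesec") -> bytes:
    header = ELF_IDENT_32LE + struct.pack("<HHI", 3, 40, 1)  # e_type, e_machine, e_version
    return xor_with_key(header + b"filler-bytes" * 4, key)

if __name__ == "__main__":
    sample = build_sample()
    print("recovered key:", recover_key(sample))
    print("e_type, e_machine:", struct.unpack("<HH", decrypt_elf(sample)[16:20]))
```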
Anti-debugging
- Checks the default Frida and IDA ports
- Checks /proc/self/fd
- Checks /proc/self/task
- Checks for the Frida temporary directory re.frida.server
- A loop of BKPT instructions
Unpacking
Single-step until the packer stub hands execution back, then dump memory and repair the dump
Deobfuscation
Deobfuscate with obpo
How the cheat works
Using the GWorld and GName base addresses,
it walks the ActorList to find the target Actors and reads their coordinate data, which it outputs as JSON to /sdcard/1A.txt
The cheat APP reads and parses 1A.txt in the Java layer and does the drawing there, rather than in the .so
How the cheat reads memory
The process_vm_readv system call
Meaning of the game addresses the cheat accesses
Reads GWorld → UWorld → ULevel → ActorList, then iterates over the ActorList
Finds every ThirdPersonCharacter and reads RootComponent → RelativeLocation
Finds the PlayerCameraManager and reads CameraCache → POV
Analysis process
1. Determining the cheat type
Opening the installation package, analysis shows that this cheat was developed in Java and C++.
For this kind of cheat we need to focus on the logic in the .so layer, and on the contents of assets and res/raw.
2. Initial analysis
Opening libPutri.so in IDA and looking at the export table shows that the .so statically registers some JNI functions; look for the corresponding functions in the Java layer.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fdaae6508-b637-4587-8bfb-9593016dc55f%2F%E6%88%AA%E5%B1%8F2022-04-23_11.06.37.png?table=block&id=a6d299b7-82f2-4ce0-adeb-1005e84f0c73&t=a6d299b7-82f2-4ce0-adeb-1005e84f0c73&width=3248&cache=v2)
Opening the APK in JadxGUI and locating the com.tencent.esp.Overlay class, only the DrawOn method is actually used; the other methods are unused. DrawOn is therefore the entry point of the core drawing logic.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F41022b33-1aad-4a32-9c30-2c8e8d2d6be4%2F%E6%88%AA%E5%B1%8F2022-04-23_11.08.38.png?table=block&id=558d5481-61e6-44a7-bbf8-0a4ee18d4582&t=558d5481-61e6-44a7-bbf8-0a4ee18d4582&width=3248&cache=v2)
Reading the decompiled Java output shows that the cheat's Java layer was obfuscated with BlackObfuscator.
The program's .so layer has no encryption and no obfuscation. A quick analysis found no main memory-reading logic for the cheat in it; this .so mainly handles drawing, receiving the relevant data over a socket and rendering it.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fb238e6ff-794e-49bf-848f-d6720ea47ad8%2F%E6%88%AA%E5%B1%8F2022-04-23_13.18.56.png?table=block&id=d4002b95-a595-4346-b52b-6bc017d62bdb&t=d4002b95-a595-4346-b52b-6bc017d62bdb&width=3024&cache=v2)
Installing the cheat and the game on a phone, the cheat works normally. Re-analysing the Java layer, a file named sock1 is found being run in MainActivity.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F332037e0-5b81-4fbe-b523-5eff0ac6b794%2F%E6%88%AA%E5%B1%8F2022-04-23_13.15.37.png?table=block&id=656c2453-1c93-4182-ba4d-92d49332a0c9&t=656c2453-1c93-4182-ba4d-92d49332a0c9&width=1198&cache=v2)
Running the cheat on the phone and looking at the process named sock1 locates the ELF file that holds the cheat's memory-reading logic.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F7b7b4b65-635f-4d1b-92c5-0e304b8bd897%2F%E6%88%AA%E5%B1%8F2022-04-23_13.15.16.png?table=block&id=ed666df2-766e-4c65-a9da-33274990f63d&t=ed666df2-766e-4c65-a9da-33274990f63d&width=1336&cache=v2)
The Java-layer obfuscation therefore makes the decompiled Java unreliable; re-analyse the Java layer by reading the smali code directly.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Faf5badfc-4049-4c14-96e9-f65c90a842f3%2F%E6%88%AA%E5%B1%8F2022-04-23_13.26.36.png?table=block&id=70f86c99-e00d-4264-bcb4-648ea3f4ba71&t=70f86c99-e00d-4264-bcb4-648ea3f4ba71&width=1950&cache=v2)
This reveals where the sock1 file is written out. Since the binary is written to disk as-is, the binary file can be analysed directly and the decryption algorithm does not need to be reconstructed by hand.
Loading it in IDA shows that it is packed.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fc3695c88-2f4b-4e4c-adbb-16f641d3881f%2F%E6%88%AA%E5%B1%8F2022-04-23_13.30.06.png?table=block&id=e621ff97-4609-479c-a3d6-4150eb5a23db&t=e621ff97-4609-479c-a3d6-4150eb5a23db&width=3024&cache=v2)
Search for all SVC 0 instructions and set breakpoints on them
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F93c15941-16af-4a68-821d-d941c884b0ea%2F%E6%88%AA%E5%B1%8F2022-04-23_13.31.48.png?table=block&id=ccadccf3-5c52-4853-96ba-a9b5de29eab1&t=ccadccf3-5c52-4853-96ba-a9b5de29eab1&width=590&cache=v2)
Cross-referencing the arm64 system call table, from top to bottom these are ARM_cacheflush, mmap2, mmap2 and mprotect
Before debugging, run the program manually once. It segfaults, which suggests either that the binary is modified after it has been run, or that some argument was not passed.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F79e218f7-022c-4dbc-aafb-7c99eef8c623%2F%E6%88%AA%E5%B1%8F2022-04-23_14.26.14.png?table=block&id=7e382af8-e19b-44bb-b09b-0001d218c136&t=7e382af8-e19b-44bb-b09b-0001d218c136&width=948&cache=v2)
2. Finding out how sock1 is run
Hook Runtime.exec and DataOutput.write with Frida
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F0de06ced-a2c5-4f68-b7b9-38f123ac3fc1%2F%E6%88%AA%E5%B1%8F2022-04-23_15.02.04.png?table=block&id=1e7a4eeb-aa59-499c-a0c4-b9c5eceb3db2&t=1e7a4eeb-aa59-499c-a0c4-b9c5eceb3db2&width=1670&cache=v2)
From this we learn that the screen resolution is passed when sock1 is executed, although X is reduced somewhat. Running sock1 by hand again shows that when it is run from /data/local/tmp a null FILE* appears, meaning that files such as sock001 are also required.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F458d0314-f91b-4568-8743-2ad4fc4f46c6%2F%E6%88%AA%E5%B1%8F2022-04-23_15.01.43.png?table=block&id=bfc61a94-8e95-4363-98a1-7b4ae767df62&t=bfc61a94-8e95-4363-98a1-7b4ae767df62&width=1370&cache=v2)
3. Unpacking the cheat's core binary sock1
Start android_server and launch sock1 under the IDA debugger
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fbd6bb5c2-e833-4652-84c0-edc4c6ef2410%2F%E6%88%AA%E5%B1%8F2022-04-23_13.55.26.png?table=block&id=317e8566-b7c4-4cc7-9bdc-a3814492eb0f&t=317e8566-b7c4-4cc7-9bdc-a3814492eb0f&width=886&cache=v2)
It reports that the file is a dynamic library and cannot be executed; use 010 Editor to change the file type to executable.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F5f1c3fc9-45d3-4819-9998-e6b4edf132d8%2F%E6%88%AA%E5%B1%8F2022-04-23_13.57.25.png?table=block&id=858c9fda-e821-43ae-9edf-53a8fe25b4d1&t=858c9fda-e821-43ae-9edf-53a8fe25b4d1&width=3024&cache=v2)
Modify the debug parameters and start
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fe7b6d5fb-4e35-465d-a2a0-55644808a0c9%2F%E6%88%AA%E5%B1%8F2022-04-23_15.09.00.png?table=block&id=9835665b-290e-46bf-b0c0-53846310028a&t=9835665b-290e-46bf-b0c0-53846310028a&width=1072&cache=v2)
Press F9 repeatedly until execution reaches the anti-debugging code, then look at the LR register and jump there
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F6dbe6853-789f-4579-80f6-c087f8a5b62b%2F%E6%88%AA%E5%B1%8F2022-04-23_15.20.07.png?table=block&id=5c7c7e3a-9cc8-470b-a9a8-88dd9505ed06&t=5c7c7e3a-9cc8-470b-a9a8-88dd9505ed06&width=1646&cache=v2)
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F755f0bbe-51ab-465d-8520-0a9e74eac0f8%2F%E6%88%AA%E5%B1%8F2022-04-23_15.20.48.png?table=block&id=b5603a9f-95e0-45dc-b40c-95fed4e2a246&t=b5603a9f-95e0-45dc-b40c-95fed4e2a246&width=1252&cache=v2)
Find the base address in maps and repair the ELF magic
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F9c06241c-17ac-486e-9945-6700cc3fd2c5%2F%E6%88%AA%E5%B1%8F2022-04-23_15.16.15.png?table=block&id=01b58373-8bf6-4670-87bc-4a0b5c54e821&t=01b58373-8bf6-4670-87bc-4a0b5c54e821&width=1910&cache=v2)
Dump the binary with https://github.com/maiyao1988/elf-dump-fix and repair it, then analyse the unpacked code
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F4a2d312a-b5bb-407e-9533-fa29de40ab8f%2F%E6%88%AA%E5%B1%8F2022-04-23_15.17.03.png?table=block&id=66b4bae9-71ca-4aeb-8dbf-f67235e48f6c&t=66b4bae9-71ca-4aeb-8dbf-f67235e48f6c&width=1136&cache=v2)
4. Analysis of the cheat's core ELF
Open the .so in IDA and look at the import table first.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fc9c28821-301b-4a80-b96a-67f480609a7d%2F%E6%88%AA%E5%B1%8F2022-04-23_15.33.11.png?table=block&id=d6a714a0-14ae-4681-8348-2a7f376fa567&t=d6a714a0-14ae-4681-8348-2a7f376fa567&width=1468&cache=v2)
The import table lacks process_vm_readv and similar functions, while dlopen and dlsym look very suspicious; look up their references
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F25a5638f-dbe0-4b34-991b-ecfd1412dc2f%2F%E6%88%AA%E5%B1%8F2022-04-23_15.36.08.png?table=block&id=e0ee3dc4-f6af-4088-9b2b-012fa60f565f&t=e0ee3dc4-f6af-4088-9b2b-012fa60f565f&width=1556&cache=v2)
dlopen is not actually used. The Graph Overview shows clear OLLVM characteristics, which can be deobfuscated with https://github.com/obpo-project/obpo-plugin.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F31184c55-3750-4d35-b640-b39a9894af9a%2F%E6%88%AA%E5%B1%8F2022-04-23_15.36.50.png?table=block&id=13948bcb-fe0c-42e5-820e-de67aa8cbd44&t=13948bcb-fe0c-42e5-820e-de67aa8cbd44&width=604&cache=v2)
Analysing the function sub_29B0 shows that the cheat uses dlsym to resolve the addresses of some key functions dynamically and saves them into the global function table off_502E4.
Using the dumped file as a reference for breakpoints, debug sock1 directly
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F9cbfb485-93ca-471e-8459-ebd0f721bedb%2F%E6%88%AA%E5%B1%8F2022-04-23_21.00.09.png?table=block&id=03203321-8d93-41cc-b9de-72241ee3596e&t=03203321-8d93-41cc-b9de-72241ee3596e&width=3024&cache=v2)
sub_26798 is the main function
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F91eaed24-c831-47d5-8d45-6c7f4c084133%2F%E6%88%AA%E5%B1%8F2022-04-23_21.09.27.png?table=block&id=4527b1ff-c985-4aaf-adf0-b40619c7e036&t=4527b1ff-c985-4aaf-adf0-b40619c7e036&width=1496&cache=v2)
sub_26378 creates the anti-debugging thread; sub_26060 loops, calling the anti-debugging function sub_25E94 and sleeping for 3 seconds; sub_25E94 calls 5 sub-functions to perform the anti-debugging checks
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fcceb5b6c-13e0-4992-8b14-b689601437ba%2F%E6%88%AA%E5%B1%8F2022-04-23_21.11.52.png?table=block&id=5b8b1ce5-2caf-4ec4-b956-271fb4f2fdb7&t=5b8b1ce5-2caf-4ec4-b956-271fb4f2fdb7&width=492&cache=v2)
While debugging, sub_26378 can simply be NOPed out to get past the anti-debugging.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F07027ed3-f69f-4bd1-8f2c-e583a0bcc787%2F%E6%88%AA%E5%B1%8F2022-04-23_21.18.16.png?table=block&id=8b35defb-be37-4607-b0e9-ca65b9271a5a&t=8b35defb-be37-4607-b0e9-ca65b9271a5a&width=1372&cache=v2)
Based on the functions in the global function table, set breakpoints on the corresponding functions in the debugger and analyse. There is a more convenient way, however: the cheat does not detect ptrace, so strace can be used directly to analyse its system calls.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F90d30e57-cd28-40b3-bd84-7c3915b01ff7%2F%E6%88%AA%E5%B1%8F2022-04-23_22.06.31.png?table=block&id=808c22bb-5bc7-4f0f-af46-5ecb81f9d973&t=808c22bb-5bc7-4f0f-af46-5ecb81f9d973&width=1200&cache=v2)
The game-memory reading logic mainly operates on memory in anon:libc_malloc
Set breakpoints on strstr, strcmp, open and fopen
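Because the cheat does not detect ptrace, strace shows every process_vm_readv it issues. The following is an added example, not code from the report: it resolves the remote addresses of those calls against a /proc/<pid>/maps snapshot of the game, so each read can be attributed to libUE4.so or to the anon:libc_malloc heap. The strace lines, maps lines, module base and pid are constructed; only the GWorld offset 0x491E6F0 is taken from the report.

```python
import re
from collections import Counter

# strace prints the remote iovec array as the fourth argument; only its base addresses matter.
_CALL_RE = re.compile(
    r"process_vm_readv\((\d+), \[(.*?)\], \d+, \[(.*?)\], \d+, 0\) = (-?\d+)")
_IOV_RE = re.compile(r"iov_base=0x([0-9a-f]+), iov_len=(\d+)")
# /proc/<pid>/maps line: start-end perms offset dev inode [pathname]
_MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S+) \S+ \S+ \S+\s*(.*)$")

def parse_maps(text):
    """Return [(start, end, name)] for each mapping line."""
    regions = []
    for line in text.splitlines():
        m = _MAPS_RE.match(line.strip())
        if m:
            regions.append((int(m.group(1), 16), int(m.group(2), 16), m.group(4) or "[anon]"))
    return regions

def region_name(regions, addr):
    for lo, hi, name in regions:
        if lo <= addr < hi:
            return name
    return "<unmapped>"

def attribute_reads(strace_text, maps_text):
    """Map each successful remote read to (target pid, region) and total the bytes read."""
    regions = parse_maps(maps_text)
    totals = Counter()
    for line in strace_text.splitlines():
        m = _CALL_RE.search(line)
        if not m or int(m.group(4)) < 0:  # skip failed calls such as EFAULT
            continue
        pid = int(m.group(1))
        for base, length in _IOV_RE.findall(m.group(3)):
            totals[(pid, region_name(regions, int(base, 16)))] += int(length)
    return dict(totals)

# Constructed sample data (not captured output). The libUE4.so base is arbitrary; adding
# the report's GWorld offset 0x491E6F0 to it gives the first read address.
SAMPLE_MAPS = """\
c0000000-c4a00000 r-xp 00000000 fd:00 1234 /data/app/com.example.game/lib/arm/libUE4.so
d0000000-d1000000 rw-p 00000000 00:00 0    [anon:libc_malloc]
"""
SAMPLE_STRACE = """\
process_vm_readv(4321, [{iov_base=0xff9c1000, iov_len=4}], 1, [{iov_base=0xc491e6f0, iov_len=4}], 1, 0) = 4
process_vm_readv(4321, [{iov_base=0xff9c1000, iov_len=64}], 1, [{iov_base=0xd0123450, iov_len=64}], 1, 0) = 64
process_vm_readv(4321, [{iov_base=0xff9c1000, iov_len=16}], 1, [{iov_base=0xd0200000, iov_len=16}], 1, 0) = 16
process_vm_readv(4321, [{iov_base=0xff9c1000, iov_len=16}], 1, [{iov_base=0x10, iov_len=16}], 1, 0) = -1 EFAULT (Bad address)
"""

if __name__ == "__main__":
    for (pid, region), nbytes in attribute_reads(SAMPLE_STRACE, SAMPLE_MAPS).items():
        print(f"pid {pid}: {nbytes} bytes read from {region}")
```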
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fe5b0cd8f-e731-496f-b182-bc8618c20ac4%2F%E6%88%AA%E5%B1%8F2022-04-23_22.10.47.png?table=block&id=721aa2c2-5503-4522-94ee-98501ae3b154&t=721aa2c2-5503-4522-94ee-98501ae3b154&width=1422&cache=v2)
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fad6eda57-3f25-4333-8e46-ae9284e08437%2F%E6%88%AA%E5%B1%8F2022-04-23_22.12.18.png?table=block&id=9d8d7e5c-5eba-4172-8a69-28e9821478e8&t=9d8d7e5c-5eba-4172-8a69-28e9821478e8&width=1562&cache=v2)
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fe8ea7305-b2fd-472e-a8a9-2316d54b9908%2F%E6%88%AA%E5%B1%8F2022-04-23_22.15.09.png?table=block&id=490e890b-a256-4629-8713-a07edefe1587&t=490e890b-a256-4629-8713-a07edefe1587&width=1652&cache=v2)
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F035657cc-6d19-40f5-8db2-5716de16660b%2F%E6%88%AA%E5%B1%8F2022-04-23_22.19.02.png?table=block&id=469a1db9-a7e0-4c43-bd04-09ec74d78100&t=469a1db9-a7e0-4c43-bd04-09ec74d78100&width=1656&cache=v2)
loc_F737F42C is the code block that reads the coordinates
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fc634cb20-4d81-4d35-9add-ef25596f7fec%2F%E6%88%AA%E5%B1%8F2022-04-23_22.49.27.png?table=block&id=7f84cb4c-40ff-4025-bda3-25554de52dff&t=7f84cb4c-40ff-4025-bda3-25554de52dff&width=1752&cache=v2)
Writing out the result
5. Analysing how the cheat works and what the game addresses it accesses mean
- Use strace to view the cheat's system calls
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fa7c73ab6-cdab-4d6e-9e6f-ed1a3fbdd784%2F%E6%88%AA%E5%B1%8F2022-04-23_15.52.58.png?table=block&id=907b41ce-1f09-4958-91f6-840f3d969527&t=907b41ce-1f09-4958-91f6-840f3d969527&width=1396&cache=v2)
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F5eeb19c2-2a79-46e0-b0ad-acd8ad93a966%2F%E6%88%AA%E5%B1%8F2022-04-23_15.51.44.png?table=block&id=f1f29d45-5014-4375-9744-87a76d54fd30&t=f1f29d45-5014-4375-9744-87a76d54fd30&width=2374&cache=v2)
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F24ac3d1c-06e9-4785-bc21-e16937341491%2F%E6%88%AA%E5%B1%8F2022-04-23_16.42.02.png?table=block&id=9ddfa1f4-ef84-419e-b3dc-124aad9e49ff&t=9ddfa1f4-ef84-419e-b3dc-124aad9e49ff&width=2386&cache=v2)
- Find GWorld and GName, then export the game's SDK with UE4Dumper.
Open the game's libUE4.so in IDA and search for GWorld and GNameEntryPoolAllocator
GName = GNameEntryPoolAllocator+0x14
Result:
- GWorld = 0x491E6F0
- GName = 0x48711B4
Export the SDK and actor list with UE4Dumper
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fedc78b74-b570-4844-8c46-461a67f1e4e4%2F%E6%88%AA%E5%B1%8F2022-04-23_16.41.07.png?table=block&id=1f77eabb-07da-444e-b61f-2d770077a461&t=1f77eabb-07da-444e-b61f-2d770077a461&width=828&cache=v2)
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Ff93946d7-d628-4c51-af07-304f8eb504cb%2F%E6%88%AA%E5%B1%8F2022-04-23_16.42.22.png?table=block&id=d34d994e-a4a6-408e-bffa-60a428f0e748&t=d34d994e-a4a6-408e-bffa-60a428f0e748&width=510&cache=v2)
The cheat reads GWorld → UWorld → ULevel → ActorList, then iterates over the ActorList
Finds every ThirdPersonCharacter and reads RootComponent → RelativeLocation
Finds the PlayerCameraManager and reads CameraCache → POV
The cheat then converts the result to JSON and outputs it to /sdcard/1A.txt
Reading the output in Java:
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F35285159-6527-41a7-bf05-34c95e9ef58e%2F%E6%88%AA%E5%B1%8F2022-04-23_21.35.30.png?table=block&id=690ec797-2a5b-4d2f-94db-24db1be8d3ae&t=690ec797-2a5b-4d2f-94db-24db1be8d3ae&width=1882&cache=v2)
Java drawing function:
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F914c6af1-10e2-404c-a567-f3b3a6ade2f6%2F%E6%88%AA%E5%B1%8F2022-04-23_21.34.21.png?table=block&id=64de0630-1757-4943-904b-c1f1c54349b7&t=64de0630-1757-4943-904b-c1f1c54349b7&width=1942&cache=v2)
Reproducing the cheat
Developed in Android Studio, reading memory with process_vm_readv.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F09383645-f5ce-4fe2-b0f3-41d0037687f8%2F%E6%88%AA%E5%B1%8F2022-04-23_19.04.06.png?table=block&id=56808a54-4aa8-4816-8766-7f47cf2b947e&t=56808a54-4aa8-4816-8766-7f47cf2b947e&width=3056&cache=v2)
PS: only after finishing the reproduction did I realise it was not required; I really did not read the assignment carefully...