xiongzhu
/
frida-rcs-hack


			
				
					
						
						
							1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889
							function trace(tag) {
    Log.e((tag || '') + Java.use('android.util.Log').getStackTraceString(Java.use('java.lang.Throwable').$new()))
}

class Log {
    static TAG = '[GMS]'
    static Debug = false
    static format(...msg) {
        let m = []
        for (let i = 0; i < msg.length; i++) {
            if (typeof msg[i] === 'object') {
                m.push(msg[i] + '')
            } else {
                m.push(msg[i])
            }
        }
        m = m.join(' ')
        return m
    }
    static i(...msg) {
        if (!this.Debug) return
        console.log(`\x1b[30m${this.TAG} ${this.format(...msg)}\x1b[0m`)
    }
    static w(...msg) {
        console.log(`\x1b[33m${this.TAG} ${this.format(...msg)}\x1b[0m`)
    }
    static e(...msg) {
        console.log(`\x1b[31m${this.TAG} ${this.format(...msg)}\x1b[0m`)
    }
    static s(...msg) {
        console.log(`\x1b[32m${this.TAG} ${this.format(...msg)}\x1b[0m`)
    }
}

Java.perform(function () {
    const System = Java.use('java.lang.System')
    // System.load.overload('java.lang.String').implementation = function (library) {
    //     Log.e('Loading library:', library)
    //     return this.load(library)
    // }
    // System.loadLibrary.overload('java.lang.String').implementation = function (library) {
    //     Log.e('Loading library1:', library)
    //     return this.loadLibrary(library)
    // }
    // 定位 __system_property_read_callback 函数地址
    // 假设我们已经 hook 了 __system_property_read_callback，并获得参数 args[0] 为 pi
    Interceptor.attach(Module.findExportByName(null, '__system_property_read_callback'), {
        onEnter: function (args) {
            var pi = args[0]
            console.log('-------------------------')
            console.log('prop_info 地址: ' + pi)

            // 读取 serial（4 字节）
            var serial = Memory.readU32(pi)
            console.log('serial: ' + serial)

            // 定义 offset 值，PROP_VALUE_MAX 一般为 92
            var PROP_VALUE_MAX = 92

            // 读取 name，name 在 union 后，即 pi + 4 + PROP_VALUE_MAX
            var namePtr = pi.add(4 + PROP_VALUE_MAX)
            var nameStr = Memory.readCString(namePtr)
            console.log('name: ' + nameStr)

            var valueStr = ''
            // 判断是否为 long 属性（is_long() 判断逻辑）
            if ((serial & (1 << 16)) !== 0) {
                // long 属性: offset 存在于 union.long_property.offset，
                // offset 地址 = pi + 4 (union 开始) + 56（error_message 长度）
                var offset = Memory.readU32(pi.add(4 + 56))
                var longValuePtr = pi.add(offset)
                console.log('long_property.offset: ' + offset)
                try {
                    valueStr = Memory.readCString(longValuePtr)
                } catch (e) {
                    valueStr = '读取 long_value 出错: ' + e
                }
            } else {
                // 非 long 属性，值直接存储在 union.value 中，起始于 pi + 4
                try {
                    valueStr = Memory.readCString(pi.add(4))
                } catch (e) {
                    valueStr = '读取 inline value 出错: ' + e
                }
            }
            console.log('value: ' + valueStr)
        }
    })
})