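// True when the text of `cell` contains `marker` (case-insensitive).
// The scan stops once fewer than lstrlenA(marker) bytes remain, so
// memicmp never reads past the terminating NUL of cell.lpMmeory. A
// marker has no NUL in it and therefore cannot match across the
// terminator, so every hit an unbounded scan would report is still
// reported — only the over-read is gone.
static bool AirCellHasMarker(const AIRMEMORY &cell, const char *marker)
{
    const int markerLen = lstrlenA(marker);
    const int textLen = lstrlenA(cell.lpMmeory);
    for (int pos = 0; pos < textLen && pos + markerLen <= textLen; ++pos) {
        if (memicmp(cell.lpMmeory + pos, marker, markerLen) == 0)
            return true;
    }
    return false;
}

// Locate the PointsPenalty block of the parsed log and fill *lpPointsPenalty.
//
// Every cell of m_airMemoryArr is scanned for BLOCK_POINTSPENALTY. When the
// marker is present, the cells after it are expected to hold, in order, a
// SWF_STR (type), a SWF_DOUBLE (penalty) and a SWF_INT (unKnowAddr); they
// are copied into *lpPointsPenalty, the consumed cells (plus a trailing
// SWF_SEG separator, if any) are released with FreeAirMemory, and the idx
// of the cell that now sits at the block start is returned.
//
// When the marker is absent the record is treated as a non-bot one: in the
// first cell containing BLOCK_POINTSPENALTY_2 the unused tail between its
// first SWF_DOUBLE and the following "\n\r" is released, and the idx of the
// first SWF_STR after that cell is returned (start of the OtherTeam block).
// lpPointsPenalty is not touched on that path.
//
// Returns SWF_ERR_INT when neither block is found, when an expected field
// is missing, or when the marker is found but lpPointsPenalty is NULL.
int CAirLogEx::GetPointsPenaltyBlock(LPPOINTSPENALTY lpPointsPenalty) // fetch the PointsPenalty block
{
    // Pass 1: find the cell carrying the marker. The scan deliberately
    // does not stop at the first hit, so when several cells carry the
    // marker the LAST one wins — NOTE(review): confirm that is intended;
    // the fallback scan below stops at the first hit.
    bool found = false;
    int cellIdx = 0;
    for (std::size_t i = 0; i < m_airMemoryArr.size(); ++i) {
        if (AirCellHasMarker(m_airMemoryArr[i], BLOCK_POINTSPENALTY)) {
            cellIdx = static_cast<int>(i);
            found = true;
        }
    }

    if (!found) {
        // No marker: not a bot record. Trim the unused tail of the
        // fallback block and return where the OtherTeam block starts.
        for (std::size_t i = 0; i < m_airMemoryArr.size(); ++i) {
            if (!AirCellHasMarker(m_airMemoryArr[i], BLOCK_POINTSPENALTY_2))
                continue;
            std::vector<AIRMEMORY>::iterator itr = m_airMemoryArr.begin() + static_cast<int>(i);
            // Release everything between the first SWF_DOUBLE and the
            // following "\n\r". Skipped entirely when there is no
            // SWF_DOUBLE, so the error sentinel is never used as an offset.
            const int dblIdx = getTypeIdx(itr, SWF_DOUBLE, 0+1);
            if (SWF_ERR_INT != dblIdx) {
                const int eolIdx = getStrIdx(itr, "\n\r", dblIdx+1);
                if (SWF_ERR_INT != eolIdx)
                    FreeAirMemory(itr+dblIdx+1, eolIdx-dblIdx);
                // FreeAirMemory may modify the vector; re-derive the
                // iterator rather than reuse a possibly stale one.
                itr = m_airMemoryArr.begin() + static_cast<int>(i);
            }
            const int strIdx = getTypeIdx(itr, SWF_STR, 0+1);
            if (SWF_ERR_INT == strIdx)
                return SWF_ERR_INT;
            return itr[strIdx].idx; // start index of OtherTeam
        }
        return SWF_ERR_INT;
    }

    if (lpPointsPenalty == NULL)
        return SWF_ERR_INT; // nowhere to store the fields
    cellIdx += 1; // skip the marker cell itself

    std::vector<AIRMEMORY>::iterator itr = m_airMemoryArr.begin() + cellIdx;

    int idx = getTypeIdx(itr, SWF_STR, 0);
    if (SWF_ERR_INT == idx)
        return SWF_ERR_INT;
    strcpy_s(lpPointsPenalty->type, sizeof(lpPointsPenalty->type), getSWF_str(itr[idx].lpMmeory));

    idx = getTypeIdx(itr, SWF_DOUBLE, idx+1);
    if (SWF_ERR_INT == idx)
        return SWF_ERR_INT;
    lpPointsPenalty->penalty = getSWF_double(itr[idx].lpMmeory);

    idx = getTypeIdx(itr, SWF_INT, idx+1);
    if (SWF_ERR_INT == idx)
        return SWF_ERR_INT;
    lpPointsPenalty->unKnowAddr = getSWF_int(itr[idx].lpMmeory);

    // Swallow a trailing segment separator if one follows; the lookahead
    // is bounded by the vector end so it never reads past the last cell.
    const std::size_t nextCell = static_cast<std::size_t>(cellIdx + idx + 1);
    if (nextCell < m_airMemoryArr.size() && SWF_SEG == itr[idx+1].lpMmeory[0])
        idx += 1;
    ++idx;

    FreeAirMemory(itr, idx);
    // FreeAirMemory may modify the vector; re-derive the iterator before use.
    itr = m_airMemoryArr.begin() + cellIdx;
    return itr->idx;
}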
/*
 * JNI entry point (Java side: MainActivity.selfmodify()).
 *
 * What the code below does, in order:
 *   1. Reads /proc/self/maps and, for the line that names both the
 *      dalvik-cache path and "classes.dex", parses the "<start>-<end>"
 *      range of that mapping into start/end.
 *   2. From the page containing `end`, walks backwards one page at a
 *      time until findmagic() accepts the word at page + 40.
 *   3. Resolves the code item of Lcom/example/selfmodify/TestAdd;.add
 *      from that position via the project's dex-walking helpers
 *      (getStrIdx, getTypeIdx, getClassItem, getMethodIdx, getCodeItem).
 *   4. Makes the page holding that code item's instructions writable
 *      with mprotect() and overwrites the first 6 bytes with `inject`.
 *
 * The return value is always 1; it carries no success/failure status.
 * Everything here assumes 32-bit pointers: addresses are narrowed to
 * unsigned int / int and logged with %x.
 */
JNIEXPORT jint JNICALL Java_com_example_selfmodify_MainActivity_selfmodify(JNIEnv *env, jobject thisObj)
{
    jint result = 1;
    char *s;
    /* NOTE(review): start and end are never initialized. If fopen() fails
     * or no maps line matches, the address arithmetic further down runs
     * on indeterminate values. */
    void *start;
    void *end;
    FILE *fp;
    fp = fopen("/proc/self/maps", "r");
    if(fp!=NULL)
    {
        char line [ 2048 ];
        while ( fgets ( line, sizeof line, fp ) != NULL ) /* read a line */
        {
            /* NOTE(review): the "[email protected]" fragment in this path looks
             * like an artifact of how the page was extracted, not the
             * real dalvik-cache name — confirm against the original file. */
            if (strstr(line, "/data/dalvik-cache/data@[email protected]") != NULL)
            {
                if (strstr(line, "classes.dex") != NULL)
                {
                    /* A maps line starts "<start>-<end> <perms> ..."; split at '-'. */
                    s = strchr(line, '-');
                    /* NOTE(review): this only logs — the write on the next
                     * line still dereferences s when it is NULL. */
                    if (s == NULL) LOGD(" Error: string NULL");
                    *s++ = '\0';
                    start = (void *)strtoul(line, NULL, 16);
                    end = (void *)strtoul(s, NULL, 16);
                    LOGD(" startAddress = %x", (unsigned int)start);
                    LOGD(" endAddress = %x", (unsigned int)end);
                }
            }
        }
        fclose ( fp);
    }
    /* 39 is presumably _SC_PAGESIZE on this platform — confirm; the named
     * constant would make the intent explicit. */
    long page_size = sysconf(39);
    /* start_address is computed but never used below; only end_address is. */
    unsigned int start_address = (unsigned int)start;
    unsigned int end_address = (unsigned int)end;
    int search_start_page;
    unsigned int dex_search_start = end_address;
    int search_start_position;
    /* Round the mapping end down to a page boundary. */
    search_start_page = dex_search_start - dex_search_start % page_size;
    /* NOTE(review): this backward scan has no lower bound. If findmagic()
     * never matches it keeps stepping below the mapping (and below any
     * mapped page) and the read at page + 40 faults; bounding it by
     * start_address would make that failure explicit. The meaning of the
     * +40 offset is whatever findmagic() expects — not visible here. */
    do{
        search_start_page -= page_size;
        search_start_position = search_start_page + 40;
    }while(!findmagic( (void *)(search_start_page + 40) ) );
    LOGD(" search_start_page = %x", search_start_page);
    LOGD(" search_start_position = %x", search_start_position);
    /* Logs the bytes at the accepted position as a C string. */
    LOGD("string = %s", (char *)search_start_position);
    /* Resolve the target class and method through the project's helpers.
     * None of the returned indices/addresses are checked for an error
     * value before being fed into the next lookup. */
    int class_strIdx=0;
    class_strIdx = getStrIdx(search_start_position,"Lcom/example/selfmodify/TestAdd;",strlen("Lcom/example/selfmodify/TestAdd;"));
    LOGD("class_strIdx = %x", class_strIdx);
    int method_strIdx=0;
    method_strIdx = getStrIdx(search_start_position,"add",3);
    LOGD("method_strIdx = %x", method_strIdx);
    int class_typeIdx=0;
    class_typeIdx = getTypeIdx(search_start_position,class_strIdx);
    LOGD("class_typeIdx = %x", class_typeIdx);
    int class_def_item_address = 0;
    class_def_item_address = getClassItem(search_start_position,class_typeIdx);
    LOGD("class_def_item_address = %x", class_def_item_address);
    int methodIdx = 0;
    methodIdx = getMethodIdx(search_start_position,method_strIdx,class_typeIdx);
    LOGD("methodIdx = %x", methodIdx);
    int codeItem_address = 0;
    codeItem_address = getCodeItem(search_start_position,class_def_item_address,methodIdx);
    LOGD("codeItem_address = %x", codeItem_address);
    /* +16 presumably skips the fixed code_item header so the pointer lands
     * on the insns array — confirm against the dex format in use. */
    void *code_insns_address;
    code_insns_address = (void *)(codeItem_address+16);
    LOGD("code_insns_address = %x", code_insns_address);
    /* Page containing the instructions; mprotect() needs a page-aligned start.
     * Only one page is re-protected, so a 6-byte write straddling a page
     * boundary would not be fully covered. */
    void *codeinsns_page_address = (void *)(codeItem_address + 16 - (codeItem_address + 16) % (unsigned int)page_size );
    LOGD("codeinsns_page_address = %x",codeinsns_page_address);
    /* 3 == PROT_READ|PROT_WRITE. The return value is not checked; if the
     * call fails the memcpy below writes to a read-only page and faults.
     * From a defender's view, a process re-protecting its own dex-cache
     * pages and rewriting instructions at runtime is a strong
     * self-modification signal that integrity checks can key on. */
    mprotect(codeinsns_page_address,page_size,3);
    /* Six bytes of Dalvik bytecode written over the start of insns; what
     * they encode is left to the dex specification and is not documented here. */
    char inject[]={0x90,0x00,0x02,0x03,0x0f,0x00};
    memcpy(code_insns_address,&inject,6);
    return result;
}