2

I am reverse engineering a android app shared library (.so file) and I am trying to use frida to hook a non exported native function I am using this hook

const ghidraImageBase = 0x00100000; const moduleName = "libclient.so"; const moduleBaseAddress = Module.findBaseAddress(moduleName); const ghidraFunction = 0x0168a7c8; const functionRealAddress = moduleBaseAddress.add(ghidraFunction - ghidraImageBase); Interceptor.attach(functionRealAddress, { onEnter: function(args) { console.log("function called"); }, onLeave: function(ignored) {} });

However function called is never logged even though the function is getting called I am pretty sure something is wrong with the addresses so I tried hooking into a exported function using the address I got from ghidra

![pic

which is 0x014ccd08 and ghidra image base is equal to 0x00100000 meaning the offset of the function should be 0x014ccd08 - 0x00100000 = 0x013ccd08 however when I run

console.log("moduleBaseAddress:" + Module.findBaseAddress("libclient.so")) Module.enumerateExports("libclient.so", { onMatch: function(e) { if (e.type == 'function') { if (e.name == "Java_exported_function etc...") { console.log("Function found"); console.log(JSON.stringify(e)) } } }, onComplete: function() {} });

the above code execution result is

moduleBaseAddress:0xb6900000 Function recognized by name {"type":"function","name":"Java_exported_function...","address":"0xb755b9e1"}

the .so library is loaded at 0xb6900000 and the function address is at 0xb755b9e1 meaning the function offset is 0xb755b9e1 - 0xb6900000 = 0x00c5b9e1 entirely different from the 0x013ccd08 I found earlier.

  1. Can this issue be from the ghidra settings?
  2. How can I get the correct offset from ghidra?
Improve this question
3
  • Do you use an emulator or a real device? If you are using an emulator make sure not to use an x86 image with an armv7/arm64 app. The integrated arm emulation is incompatible with frida. Commented Aug 31, 2022 at 7:23
  • i am using a x86 image however frida does support hooking of native functions with arm translation as stated by its creator in this issue github.com/frida/frida/issues/1567 come to think of it now i dont know which version of arm library is being loaded since it has both arm64 and armeabi-v7a and the one i reversed on ghidra is arm64 is there a way to tell which one is loaded into memory Commented Aug 31, 2022 at 16:58
  • I can only recommend to you to use a real device or an ARM image. Commented Aug 31, 2022 at 18:23

1 Answer 1

Reset to default
0

turns out i decompiled the wrong library the emulator i was running is 32bit where as the library i decompiled in ghidra is 64bit decompiling the 32bit lib i get the correct offsests same as expected ones

Improve this answer

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.