├── anti_debug_old
    ├── new_maps
    ├── new_tcp
    ├── new_wchan
    ├── new_cmdline
    ├── new_status
    ├── inject
    ├── libdumpUPX.so
    ├── libHookUtil.so
    ├── libanti_debug.so
    ├── up_install.bat
    ├── install.bat
    ├── install-nosu.bat
    └── install-su.bat
├── README.md
├── ThomasKing
    ├── correctDump.bat
    ├── rebuildSection.bat
    ├── restoreSection.bat
    ├── Readme.txt
    ├── correctDump.exe
    ├── rebuild_section.exe
    ├── restore_section.exe
    └── elf section的一些思考.pdf
├── inject
├── modprop
├── libdumpUPX.so
├── 906_linker
    ├── linker
    └── linker_70.idb
├── install.bat
├── install_su.bat
├── py_fixdump.py
└── py_frida_dump_libDiag.py


/anti_debug_old/new_maps:
--------------------------------------------------------------------------------
1 | test


--------------------------------------------------------------------------------
/anti_debug_old/new_tcp:
--------------------------------------------------------------------------------
1 | test


--------------------------------------------------------------------------------
/anti_debug_old/new_wchan:
--------------------------------------------------------------------------------
1 | test


--------------------------------------------------------------------------------
/anti_debug_old/new_cmdline:
--------------------------------------------------------------------------------
1 | test


--------------------------------------------------------------------------------
/anti_debug_old/new_status:
--------------------------------------------------------------------------------
1 | test


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # UnpackUPX
2 | unpack UPX on android.
3 | 


--------------------------------------------------------------------------------
/ThomasKing/correctDump.bat:
--------------------------------------------------------------------------------
1 | correctDump.exe %~n1.so %~n1_new.so


--------------------------------------------------------------------------------
/inject:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CCint3/UnpackUPX/HEAD/inject


--------------------------------------------------------------------------------
/modprop:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CCint3/UnpackUPX/HEAD/modprop


--------------------------------------------------------------------------------
/ThomasKing/rebuildSection.bat:
--------------------------------------------------------------------------------
1 | rebuild_section.exe %~n1.so %~n1_full.so


--------------------------------------------------------------------------------
/libdumpUPX.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CCint3/UnpackUPX/HEAD/libdumpUPX.so


--------------------------------------------------------------------------------
/906_linker/linker:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CCint3/UnpackUPX/HEAD/906_linker/linker


--------------------------------------------------------------------------------
/ThomasKing/restoreSection.bat:
--------------------------------------------------------------------------------
1 | restore_section.exe dump_new.so apkso.so dump_new_full.so


--------------------------------------------------------------------------------
/ThomasKing/Readme.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CCint3/UnpackUPX/HEAD/ThomasKing/Readme.txt


--------------------------------------------------------------------------------
/anti_debug_old/inject:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CCint3/UnpackUPX/HEAD/anti_debug_old/inject


--------------------------------------------------------------------------------
/906_linker/linker_70.idb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CCint3/UnpackUPX/HEAD/906_linker/linker_70.idb


--------------------------------------------------------------------------------
/ThomasKing/correctDump.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CCint3/UnpackUPX/HEAD/ThomasKing/correctDump.exe


--------------------------------------------------------------------------------
/anti_debug_old/libdumpUPX.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CCint3/UnpackUPX/HEAD/anti_debug_old/libdumpUPX.so


--------------------------------------------------------------------------------
/ThomasKing/rebuild_section.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CCint3/UnpackUPX/HEAD/ThomasKing/rebuild_section.exe


--------------------------------------------------------------------------------
/ThomasKing/restore_section.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CCint3/UnpackUPX/HEAD/ThomasKing/restore_section.exe


--------------------------------------------------------------------------------
/anti_debug_old/libHookUtil.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CCint3/UnpackUPX/HEAD/anti_debug_old/libHookUtil.so


--------------------------------------------------------------------------------
/ThomasKing/elf section的一些思考.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CCint3/UnpackUPX/HEAD/ThomasKing/elf section的一些思考.pdf


--------------------------------------------------------------------------------
/anti_debug_old/libanti_debug.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CCint3/UnpackUPX/HEAD/anti_debug_old/libanti_debug.so


--------------------------------------------------------------------------------
/install.bat:
--------------------------------------------------------------------------------
 1 | @echo on
 2 | adb push inject /data/local/tmp
 3 | adb push libdumpUPX.so /data/local/tmp
 4 | adb shell chmod 777 /data/local/tmp/inject
 5 | adb shell mkdir /data/local/tmp/unpack
 6 | adb shell rm -rf /data/local/tmp/unpack/*
 7 | adb push %1 /data/local/tmp/unpack
 8 | adb shell "/data/local/tmp/inject com.Autel.maxi /data/local/tmp/libdumpUPX.so %~nx1"
 9 | adb shell "chmod 777 /data/local/tmp/unpack/dump.so"
10 | adb pull /data/local/tmp/unpack/dump.so
11 | copy dump.so diag.so
12 | del dump.so
13 | 
14 | pause
15 | 
16 | 


--------------------------------------------------------------------------------
/anti_debug_old/up_install.bat:
--------------------------------------------------------------------------------
 1 | @echo on
 2 | adb push inject /data/local/tmp
 3 | adb push libdumpUPX.so /data/local/tmp
 4 | adb shell su -c "chmod 777 /data/local/tmp/inject"
 5 | adb shell su -c "mkdir /data/local/tmp/unpack"
 6 | adb shell su -c "rm -rf /data/local/tmp/unpack/*"
 7 | adb push %1 /data/local/tmp/unpack
 8 | rem com.cnlaunch.x431.diag
 9 | rem com.Autel.maxi
10 | 
11 | adb shell su -c "data/local/tmp/inject com.Autel.maxi /data/local/tmp/libdumpUPX.so %~nx1"
12 | adb shell su -c "chmod 777 /data/local/tmp/unpack/dump.so"
13 | adb pull /data/local/tmp/unpack/dump.so
14 | 
15 | ren %~nx1 %~nx1.old
16 | ren dump.so %~n1.so
17 | 
18 | pause


--------------------------------------------------------------------------------
/anti_debug_old/install.bat:
--------------------------------------------------------------------------------
 1 | echo @off
 2 | adb shell mkdir /data/local/tmp/anti_debug
 3 | adb shell rm -rf /data/local/tmp/anti_debug/*
 4 | adb push inject /data/local/tmp/anti_debug/inject
 5 | adb push libHookUtil.so /data/local/tmp/anti_debug/libHookUtil.so
 6 | adb push libnewFunc.so /data/local/tmp/anti_debug/libanti_debug.so
 7 | adb push new_cmdline /data/local/tmp/anti_debug/new_cmdline
 8 | adb push new_maps /data/local/tmp/anti_debug/new_maps
 9 | adb push new_status /data/local/tmp/anti_debug/new_status
10 | adb push new_tcp /data/local/tmp/anti_debug/new_tcp
11 | adb push new_wchan /data/local/tmp/anti_debug/new_wchan
12 | adb shell chmod 777 /data/local/tmp/anti_debug/inject
13 | adb shell ./data/local/tmp/anti_debug/inject zygote /data/local/tmp/anti_debug/libanti_debug.so 1
14 | 


--------------------------------------------------------------------------------
/anti_debug_old/install-nosu.bat:
--------------------------------------------------------------------------------
 1 | echo @off
 2 | adb shell "mkdir /data/local/tmp/anti_debug"
 3 | adb shell "chmod 777 /data/local/tmp/anti_debug"
 4 | adb shell "rm -rf /data/local/tmp/anti_debug/*"
 5 | adb push inject /data/local/tmp/anti_debug/inject
 6 | adb push libHookUtil.so /data/local/tmp/anti_debug/libHookUtil.so
 7 | adb push libanti_debug.so /data/local/tmp/anti_debug/libanti_debug.so
 8 | adb push new_cmdline /data/local/tmp/anti_debug/new_cmdline
 9 | adb push new_maps /data/local/tmp/anti_debug/new_maps
10 | adb push new_status /data/local/tmp/anti_debug/new_status
11 | adb push new_tcp /data/local/tmp/anti_debug/new_tcp
12 | adb push new_wchan /data/local/tmp/anti_debug/new_wchan
13 | adb shell "chmod 777 /data/local/tmp/anti_debug/inject"
14 | adb shell "./data/local/tmp/anti_debug/inject zygote /data/local/tmp/anti_debug/libanti_debug.so 1"
15 | pause


--------------------------------------------------------------------------------
/install_su.bat:
--------------------------------------------------------------------------------
 1 | @echo on
 2 | adb push inject /data/local/tmp
 3 | adb push libdumpUPX.so /data/local/tmp
 4 | adb shell su -c chmod 777 /data/local/tmp/libdumpUPX.so
 5 | adb shell su -c chmod 777 /data/local/tmp/inject
 6 | 
 7 | adb shell su -c chown root:root /data/local/tmp/inject
 8 | adb shell su -c chown root:root /data/local/tmp/libdumpUPX.so
 9 | 
10 | adb shell su -c rm -rf /data/local/tmp/unpack
11 | adb shell su -c mkdir /data/local/tmp/unpack
12 | adb shell su -c chmod 777 /data/local/tmp/unpack
13 | adb push %1 /data/local/tmp/unpack
14 | REM adb shell su -c "/data/local/tmp/inject com.illuminate.texaspoker /data/local/tmp/libdumpUPX.so %~nx1"
15 | adb shell su -c "/data/local/tmp/inject com.Autel.maxi /data/local/tmp/libdumpUPX.so %~nx1"
16 | adb shell su -c "chmod 777 /data/local/tmp/unpack/dump.so"
17 | adb pull /data/local/tmp/unpack/dump.so
18 | copy dump.so diag.so
19 | del dump.so
20 | 
21 | pause
22 | 
23 | 


--------------------------------------------------------------------------------
/anti_debug_old/install-su.bat:
--------------------------------------------------------------------------------
 1 | echo @off
 2 | set sumode=su -c
 3 | adb shell %sumode% "mkdir      /data/local/tmp/anti_debug"
 4 | adb shell %sumode% "chmod 777  /data/local/tmp/anti_debug"
 5 | adb shell %sumode% "rm -rf     /data/local/tmp/anti_debug/*"
 6 | 
 7 | adb push inject           /data/local/tmp/anti_debug/inject
 8 | adb push libHookUtil.so   /data/local/tmp/anti_debug/libHookUtil.so
 9 | adb push libanti_debug.so /data/local/tmp/anti_debug/libanti_debug.so
10 | adb push new_cmdline      /data/local/tmp/anti_debug/new_cmdline
11 | adb push new_maps         /data/local/tmp/anti_debug/new_maps
12 | adb push new_status       /data/local/tmp/anti_debug/new_status
13 | adb push new_tcp          /data/local/tmp/anti_debug/new_tcp
14 | adb push new_wchan        /data/local/tmp/anti_debug/new_wchan
15 | 
16 | adb shell %sumode% "chmod 777 /data/local/tmp/anti_debug/inject"
17 | adb shell %sumode% "/data/local/tmp/anti_debug/inject zygote /data/local/tmp/anti_debug/libanti_debug.so 1"
18 | pause


--------------------------------------------------------------------------------
/py_fixdump.py:
--------------------------------------------------------------------------------
  1 | import sys
  2 | import struct
  3 | import os
  4 | 
  5 | class Elf32_Ehdr:
  6 |   fmt_str = "<16sHHIIIIIHHHHHH"
  7 |   sizeof = struct.calcsize(fmt_str)
  8 | 
  9 |   def __init__(self):
 10 |     self.e_ident = ""
 11 |     self.e_type = 0
 12 |     self.e_machine = 0
 13 |     self.e_version = 0
 14 |     self.e_entry = 0
 15 |     self.e_phoff = 0
 16 |     self.e_shoff = 0
 17 |     self.e_flags = 0
 18 |     self.e_ehsize = 0
 19 |     self.e_phentsize = 0
 20 |     self.e_phnum = 0
 21 |     self.e_shentsize = 0
 22 |     self.e_shnum = 0
 23 |     self.e_shstrndx = 0
 24 | 
 25 |   def setFields(self, data):
 26 |     data = struct.unpack(self.fmt_str, data)
 27 |     self.e_ident = data[0]
 28 |     self.e_type = data[1]
 29 |     self.e_machine = data[2]
 30 |     self.e_version = data[3]
 31 |     self.e_entry = data[4]
 32 |     self.e_phoff = data[5]
 33 |     self.e_shoff = data[6]
 34 |     self.e_flags = data[7]
 35 |     self.e_ehsize = data[8]
 36 |     self.e_phentsize = data[9]
 37 |     self.e_phnum = data[10]
 38 |     self.e_shentsize = data[11]
 39 |     self.e_shnum = data[12]
 40 |     self.e_shstrndx = data[13]
 41 | 
 42 |   def getFields(self):
 43 |     return struct.pack(self.fmt_str, \
 44 |                 self.e_ident, \
 45 |                 self.e_type, \
 46 |                 self.e_machine, \
 47 |                 self.e_version, \
 48 |                 self.e_entry, \
 49 |                 self.e_phoff, \
 50 |                 self.e_shoff, \
 51 |                 self.e_flags, \
 52 |                 self.e_ehsize, \
 53 |                 self.e_phentsize, \
 54 |                 self.e_phnum, \
 55 |                 self.e_shentsize, \
 56 |                 self.e_shnum, \
 57 |                 self.e_shstrndx)
 58 | 
 59 |   def fix(self, data = None, offset = 0):
 60 |     self.e_shoff = 0
 61 |     self.e_shnum = 0
 62 |     self.e_shstrndx = 0
 63 |     self.e_shentsize = 0
 64 |     if data != None:
 65 |       self_data = self.getFields()
 66 |       return data[0 : offset] + self_data + data[offset + self.sizeof : len(data)]
 67 |     return data
 68 | 
 69 | 
 70 | class Elf32_Phdr:
 71 |   fmt_str = "<IIIIIIII"
 72 |   sizeof = struct.calcsize(fmt_str)
 73 | 
 74 |   def __init__(self):
 75 |     self.p_type = 0
 76 |     self.p_offset = 0
 77 |     self.p_vaddr = 0
 78 |     self.p_paddr = 0
 79 |     self.p_filesz = 0
 80 |     self.p_memsz = 0
 81 |     self.p_flags = 0
 82 |     self.p_align = 0
 83 | 
 84 |   def setFields(self, data):
 85 |     data = struct.unpack(self.fmt_str, data)
 86 |     self.p_type = data[0]
 87 |     self.p_offset = data[1]
 88 |     self.p_vaddr = data[2]
 89 |     self.p_paddr = data[3]
 90 |     self.p_filesz = data[4]
 91 |     self.p_memsz = data[5]
 92 |     self.p_flags = data[6]
 93 |     self.p_align = data[7]
 94 | 
 95 |   def getFields(self):
 96 |     return struct.pack(self.fmt_str, \
 97 |                 self.p_type, \
 98 |                 self.p_offset, \
 99 |                 self.p_vaddr, \
100 |                 self.p_paddr, \
101 |                 self.p_filesz, \
102 |                 self.p_memsz, \
103 |                 self.p_flags, \
104 |                 self.p_align)
105 | 
106 |   def fix(self, data = None, offset = 0):
107 |     self.p_filesz = self.p_memsz
108 |     self.p_offset = self.p_vaddr
109 |     if data != None:
110 |       self_data = self.getFields()
111 |       return data[0 : offset] + self_data + data[offset + self.sizeof : len(data)]
112 |     return data
113 | 
114 | class Elf32_Dyn:
115 |   fmt_str = "<II"
116 |   sizeof = struct.calcsize(fmt_str)
117 | 
118 |   def __init__(self):
119 |     self.d_tag = 0
120 |     self.d_val = 0
121 | 
122 |   def setFields(self, data):
123 |     data = struct.unpack(self.fmt_str, data)
124 |     self.d_tag = data[0]
125 |     self.d_val = data[1]
126 | 
127 |   def getFields(self):
128 |     return struct.pack(self.fmt_str, self.d_tag, self.d_val)
129 | 
130 |   def fix(self, data = None, offset = 0):
131 |     if data != None:
132 |       self_data = self.getFields()
133 |       return data[0 : offset] + self_data + data[offset + self.sizeof : len(data)]
134 |     return data
135 | 
136 | class Elf32_Rel:
137 |   fmt_str = "<II"
138 |   sizeof = struct.calcsize(fmt_str)
139 | 
140 |   def __init__(self):
141 |     self.r_offset = 0
142 |     self.r_info = 0
143 | 
144 |   def setFields(self, data):
145 |     data = struct.unpack(self.fmt_str, data)
146 |     self.r_offset = data[0]
147 |     self.r_info = data[1]
148 | 
149 |   def getFields(self):
150 |     return struct.pack(self.fmt_str, self.r_offset, self.r_info)
151 | 
152 |   def fix(self, data = None, offset = 0):
153 |     if data != None:
154 |       self_data = self.getFields()
155 |       return data[0 : offset] + self_data + data[offset + self.sizeof : len(data)]
156 |     return data
157 | 
158 | 
159 | def get_ehdr(data, offset = 0):
160 |   ehdr = Elf32_Ehdr()
161 |   ehdr.setFields(data[offset : offset + Elf32_Ehdr.sizeof])
162 |   return ehdr
163 | 
164 | def get_phdr(data, offset = 0):
165 |   phdr = Elf32_Phdr()
166 |   phdr.setFields(data[offset : offset + Elf32_Phdr.sizeof])
167 |   return phdr
168 | 
169 | def get_dynamic(data, offset = 0):
170 |   dyn = Elf32_Dyn()
171 |   dyn.setFields(data[offset : offset + Elf32_Dyn.sizeof])
172 |   return dyn
173 | 
174 | def get_rel(data, offset = 0):
175 |   rel = Elf32_Rel()
176 |   rel.setFields(data[offset : offset + Elf32_Rel.sizeof])
177 |   return rel
178 | 
179 | def get_phdrs(data, ehdr):
180 |   phdrs = []
181 |   for i in range(ehdr.e_phnum):
182 |     phdrs.append(get_phdr(data, ehdr.e_phoff + i * Elf32_Phdr.sizeof))
183 |   return phdrs
184 | 
185 | def get_dynamics(data, phdr):
186 |   dynamics = []
187 |   i = 0
188 |   while True:
189 |     dyn = get_dynamic(data, phdr.p_vaddr + i * Elf32_Dyn.sizeof)
190 |     if dyn.d_tag == 0:
191 |       break
192 |     i += 1
193 |     dynamics.append(dyn)
194 |   return dynamics
195 | 
196 | def get_rels(data, offset, relsz):
197 |   rels = []
198 |   for i in range(relsz / 8):
199 |     rel = get_rel(data, offset + i * Elf32_Rel.sizeof)
200 |     rels.append(rel)
201 |   return rels
202 | 
203 | def on_dump_end(data):
204 |   ehdr  = get_ehdr(data, 0)
205 |   data = ehdr.fix(data, 0)
206 | 
207 |   phdrs = get_phdrs(data, ehdr)
208 |   dynamic_phdr = None
209 |   dynamics = None
210 |   rels = None
211 |   global_offset_table = 0
212 |   plt_rel_sz = 0
213 |   jmp_rel = 0
214 |   for i in range(len(phdrs)):
215 |     phdr = phdrs[i]
216 |     data = phdr.fix(data, ehdr.e_phoff + i * phdr.sizeof)
217 |     if phdr.p_type == 2: # PT_DYNAMIC
218 |       dynamic_phdr = phdr
219 |       dynamics = get_dynamics(data, phdr)
220 | 
221 |   if dynamics == None:
222 |     print "not found PT_DYNAMIC"
223 |     return
224 |   for i in range(len(dynamics)):
225 |     dyn = dynamics[i]
226 |     if dyn.d_tag == 3: # DT_PLTGOT
227 |       global_offset_table = dyn.d_val
228 |     elif dyn.d_tag == 2: # DT_PLTRELSZ
229 |       plt_rel_sz = dyn.d_val
230 |     elif dyn.d_tag == 0x17: # DT_JMPREL
231 |       jmp_rel = dyn.d_val
232 |     elif dyn.d_tag == 0x0C: # DT_INIT
233 |       dyn.d_tag = 0x10
234 |       dyn.d_val = 0
235 |       data = dyn.fix(data, dynamic_phdr.p_vaddr + i * dyn.sizeof)
236 | 
237 |   if plt_rel_sz != 0 and jmp_rel != 0:
238 |     rels = get_rels(data, jmp_rel, plt_rel_sz)
239 |   if global_offset_table != 0 and rels != None:
240 |     for i in range(len(rels)):
241 |       rels[i].r_offset = global_offset_table + 0xC + i * 4
242 |       data = rels[i].fix(data, jmp_rel + i * Elf32_Rel.sizeof)
243 |   with open("./fixed_dump.so", "w+b") as fd:
244 |     fd.write(data)
245 | 
246 | 
247 | def main():
248 |   if len(sys.argv) < 2:
249 |     print "please input dump file name."
250 |     return
251 |   filepath = sys.argv[1]
252 |   #filepath = "E:\\Vehicle\\AutelLib_20190509\\libMaxiDas.sodump"
253 |   filedata = ""
254 |   with open(filepath, "rb") as fd:
255 |     for line in fd:
256 |       filedata += line
257 |   on_dump_end(filedata)
258 | 
259 | 
260 | 
261 | if __name__ == "__main__":
262 |     main()


--------------------------------------------------------------------------------
/py_frida_dump_libDiag.py:
--------------------------------------------------------------------------------
  1 | import frida
  2 | import sys
  3 | import struct
  4 | import os
  5 | 
  6 | class Elf32_Ehdr:
  7 |   fmt_str = "<16sHHIIIIIHHHHHH"
  8 |   sizeof = struct.calcsize(fmt_str)
  9 | 
 10 |   def __init__(self):
 11 |     self.e_ident = ""
 12 |     self.e_type = 0
 13 |     self.e_machine = 0
 14 |     self.e_version = 0
 15 |     self.e_entry = 0
 16 |     self.e_phoff = 0
 17 |     self.e_shoff = 0
 18 |     self.e_flags = 0
 19 |     self.e_ehsize = 0
 20 |     self.e_phentsize = 0
 21 |     self.e_phnum = 0
 22 |     self.e_shentsize = 0
 23 |     self.e_shnum = 0
 24 |     self.e_shstrndx = 0
 25 | 
 26 |   def setFields(self, data):
 27 |     data = struct.unpack(self.fmt_str, data)
 28 |     self.e_ident = data[0]
 29 |     self.e_type = data[1]
 30 |     self.e_machine = data[2]
 31 |     self.e_version = data[3]
 32 |     self.e_entry = data[4]
 33 |     self.e_phoff = data[5]
 34 |     self.e_shoff = data[6]
 35 |     self.e_flags = data[7]
 36 |     self.e_ehsize = data[8]
 37 |     self.e_phentsize = data[9]
 38 |     self.e_phnum = data[10]
 39 |     self.e_shentsize = data[11]
 40 |     self.e_shnum = data[12]
 41 |     self.e_shstrndx = data[13]
 42 | 
 43 |   def getFields(self):
 44 |     return struct.pack(self.fmt_str, \
 45 |                 self.e_ident, \
 46 |                 self.e_type, \
 47 |                 self.e_machine, \
 48 |                 self.e_version, \
 49 |                 self.e_entry, \
 50 |                 self.e_phoff, \
 51 |                 self.e_shoff, \
 52 |                 self.e_flags, \
 53 |                 self.e_ehsize, \
 54 |                 self.e_phentsize, \
 55 |                 self.e_phnum, \
 56 |                 self.e_shentsize, \
 57 |                 self.e_shnum, \
 58 |                 self.e_shstrndx)
 59 | 
 60 |   def fix(self, data = None, offset = 0):
 61 |     self.e_shoff = 0
 62 |     self.e_shnum = 0
 63 |     self.e_shstrndx = 0
 64 |     self.e_shentsize = 0
 65 |     if data != None:
 66 |       self_data = self.getFields()
 67 |       return data[0 : offset] + self_data + data[offset + self.sizeof : len(data)]
 68 |     return data
 69 | 
 70 | 
 71 | class Elf32_Phdr:
 72 |   fmt_str = "<IIIIIIII"
 73 |   sizeof = struct.calcsize(fmt_str)
 74 | 
 75 |   def __init__(self):
 76 |     self.p_type = 0
 77 |     self.p_offset = 0
 78 |     self.p_vaddr = 0
 79 |     self.p_paddr = 0
 80 |     self.p_filesz = 0
 81 |     self.p_memsz = 0
 82 |     self.p_flags = 0
 83 |     self.p_align = 0
 84 | 
 85 |   def setFields(self, data):
 86 |     data = struct.unpack(self.fmt_str, data)
 87 |     self.p_type = data[0]
 88 |     self.p_offset = data[1]
 89 |     self.p_vaddr = data[2]
 90 |     self.p_paddr = data[3]
 91 |     self.p_filesz = data[4]
 92 |     self.p_memsz = data[5]
 93 |     self.p_flags = data[6]
 94 |     self.p_align = data[7]
 95 | 
 96 |   def getFields(self):
 97 |     return struct.pack(self.fmt_str, \
 98 |                 self.p_type, \
 99 |                 self.p_offset, \
100 |                 self.p_vaddr, \
101 |                 self.p_paddr, \
102 |                 self.p_filesz, \
103 |                 self.p_memsz, \
104 |                 self.p_flags, \
105 |                 self.p_align)
106 | 
107 |   def fix(self, data = None, offset = 0):
108 |     self.p_filesz = self.p_memsz
109 |     self.p_offset = self.p_vaddr
110 |     if data != None:
111 |       self_data = self.getFields()
112 |       return data[0 : offset] + self_data + data[offset + self.sizeof : len(data)]
113 |     return data
114 | 
115 | class Elf32_Dyn:
116 |   fmt_str = "<II"
117 |   sizeof = struct.calcsize(fmt_str)
118 | 
119 |   def __init__(self):
120 |     self.d_tag = 0
121 |     self.d_val = 0
122 | 
123 |   def setFields(self, data):
124 |     data = struct.unpack(self.fmt_str, data)
125 |     self.d_tag = data[0]
126 |     self.d_val = data[1]
127 | 
128 |   def getFields(self):
129 |     return struct.pack(self.fmt_str, self.d_tag, self.d_val)
130 | 
131 |   def fix(self, data = None, offset = 0):
132 |     if data != None:
133 |       self_data = self.getFields()
134 |       return data[0 : offset] + self_data + data[offset + self.sizeof : len(data)]
135 |     return data
136 | 
137 | class Elf32_Rel:
138 |   fmt_str = "<II"
139 |   sizeof = struct.calcsize(fmt_str)
140 | 
141 |   def __init__(self):
142 |     self.r_offset = 0
143 |     self.r_info = 0
144 | 
145 |   def setFields(self, data):
146 |     data = struct.unpack(self.fmt_str, data)
147 |     self.r_offset = data[0]
148 |     self.r_info = data[1]
149 | 
150 |   def getFields(self):
151 |     return struct.pack(self.fmt_str, self.r_offset, self.r_info)
152 | 
153 |   def fix(self, data = None, offset = 0):
154 |     if data != None:
155 |       self_data = self.getFields()
156 |       return data[0 : offset] + self_data + data[offset + self.sizeof : len(data)]
157 |     return data
158 | 
159 | 
160 | def get_ehdr(data, offset = 0):
161 |   ehdr = Elf32_Ehdr()
162 |   ehdr.setFields(data[offset : offset + Elf32_Ehdr.sizeof])
163 |   return ehdr
164 | 
165 | def get_phdr(data, offset = 0):
166 |   phdr = Elf32_Phdr()
167 |   phdr.setFields(data[offset : offset + Elf32_Phdr.sizeof])
168 |   return phdr
169 | 
170 | def get_dynamic(data, offset = 0):
171 |   dyn = Elf32_Dyn()
172 |   dyn.setFields(data[offset : offset + Elf32_Dyn.sizeof])
173 |   return dyn
174 | 
175 | def get_rel(data, offset = 0):
176 |   rel = Elf32_Rel()
177 |   rel.setFields(data[offset : offset + Elf32_Rel.sizeof])
178 |   return rel
179 | 
180 | def get_phdrs(data, ehdr):
181 |   phdrs = []
182 |   for i in range(ehdr.e_phnum):
183 |     phdrs.append(get_phdr(data, ehdr.e_phoff + i * Elf32_Phdr.sizeof))
184 |   return phdrs
185 | 
186 | def get_dynamics(data, phdr):
187 |   dynamics = []
188 |   i = 0
189 |   while True:
190 |     dyn = get_dynamic(data, phdr.p_vaddr + i * Elf32_Dyn.sizeof)
191 |     if dyn.d_tag == 0:
192 |       break
193 |     i += 1
194 |     dynamics.append(dyn)
195 |   return dynamics
196 | 
197 | def get_rels(data, offset, relsz):
198 |   rels = []
199 |   for i in range(relsz / 8):
200 |     rel = get_rel(data, offset + i * Elf32_Rel.sizeof)
201 |     rels.append(rel)
202 |   return rels
203 | 
204 | def on_dump_end(data):
205 |   with open("./dump_libPubFunctional.so", "w+b") as fd:
206 |     fd.write(data)
207 |   ehdr  = get_ehdr(data, 0)
208 |   data = ehdr.fix(data, 0)
209 | 
210 |   phdrs = get_phdrs(data, ehdr)
211 |   dynamic_phdr = None
212 |   dynamics = None
213 |   rels = None
214 |   global_offset_table = 0
215 |   plt_rel_sz = 0
216 |   jmp_rel = 0
217 |   for i in range(len(phdrs)):
218 |     phdr = phdrs[i]
219 |     data = phdr.fix(data, ehdr.e_phoff + i * phdr.sizeof)
220 |     if phdr.p_type == 2: # PT_DYNAMIC
221 |       dynamic_phdr = phdr
222 |       dynamics = get_dynamics(data, phdr)
223 | 
224 |   if dynamics == None:
225 |     print "not found PT_DYNAMIC"
226 |     return
227 |   for i in range(len(dynamics)):
228 |     dyn = dynamics[i]
229 |     if dyn.d_tag == 3: # DT_PLTGOT
230 |       global_offset_table = dyn.d_val
231 |     elif dyn.d_tag == 2: # DT_PLTRELSZ
232 |       plt_rel_sz = dyn.d_val
233 |     elif dyn.d_tag == 0x17: # DT_JMPREL
234 |       jmp_rel = dyn.d_val
235 |     elif dyn.d_tag == 0x0C: # DT_INIT
236 |       dyn.d_tag = 0x10
237 |       dyn.d_val = 0
238 |       data = dyn.fix(data, dynamic_phdr.p_vaddr + i * dyn.sizeof)
239 | 
240 |   if plt_rel_sz != 0 and jmp_rel != 0:
241 |     rels = get_rels(data, jmp_rel, plt_rel_sz)
242 |   if global_offset_table != 0 and rels != None:
243 |     for i in range(len(rels)):
244 |       rels[i].r_offset = global_offset_table + 0xC + i * 4
245 |       data = rels[i].fix(data, jmp_rel + i * Elf32_Rel.sizeof)
246 |   with open("./dump_libPubFunctional.so", "w+b") as fd:
247 |     fd.write(data)
248 | 
249 | def on_message(message, data):
250 |   if message['type'] == 'send':
251 |     msg = message['payload']
252 |     if msg == "dump_end":
253 |       on_dump_end(data)
254 | 
255 | jscode = """
256 | var module_base_linker = Module.findBaseAddress("linker");
257 | 
258 | var func_offset_relocate = 0x1468;
259 | var func_ptr_relocate = ptr(parseInt(module_base_linker) + func_offset_relocate + 1);
260 | var func_relocate = new NativeFunction(func_ptr_relocate, 'int', ['pointer', 'pointer', 'uint32', 'pointer']);
261 | Interceptor.replace(func_ptr_relocate, new NativeCallback(function (si, rel, count, needed) {
262 |     var txt_log = "relocate:\\n";
263 |     var library_name = Memory.readCString(si);
264 |     var ret_val = 0;
265 |     txt_log += "  relocating library name: " + library_name + "\\n";
266 |     if (library_name == "libPubFunctional.so") {
267 |       txt_log += "  the libPubFunctional.so relocate is ignored.\\n";
268 |       //ret_val = func_relocate(si, rel, count, needed);
269 |     } else {
270 |       ret_val = func_relocate(si, rel, count, needed);
271 |     }
272 |     txt_log += "  return value: " + ret_val + "\\n";
273 |     console.log(txt_log);
274 |     return ret_val;
275 | }, 'int', ['pointer', 'pointer', 'uint32', 'pointer']));
276 | 
277 | var func_offset_CallFunction = 0x2744;
278 | var func_ptr_CallFunction = ptr(parseInt(module_base_linker) + func_offset_CallFunction + 1);
279 | var func_CallFunction = new NativeFunction(func_ptr_CallFunction, 'void', ['pointer', 'pointer', 'pointer']);
280 | Interceptor.replace(func_ptr_CallFunction, new NativeCallback(function (si, func_name, func_ptr) {
281 |     var txt_log = "CallFunction:\\n";
282 |     var library_name = Memory.readCString(si);
283 |     var calling_func_name = Memory.readCString(func_name);
284 | 
285 |     txt_log += "  calling " + calling_func_name + " in library " + library_name + "\\n";
286 |     func_CallFunction(si, func_name, func_ptr);
287 | 
288 |     if (library_name == "libPubFunctional.so" && calling_func_name == "DT_INIT") {
289 |       var so_base = Memory.readPointer(ptr(parseInt(si) + 0x8C)); // read soinfo::base;
290 |       var so_size = Memory.readU32(ptr(parseInt(si) + 0x90));     // read soinfo::size;
291 |       txt_log += "  begin dump libPubFunctional.so --------------------------------------\\n";
292 |       txt_log += "  soinfo.base: " + so_base + ", soinfo.size: " + so_size + "\\n";
293 | 
294 |       Memory.protect(so_base, so_size, "rwx");
295 | 
296 |       send("dump_end", Memory.readByteArray(so_base, so_size));
297 | 
298 |       txt_log += "  thread sleep for send data to python.\\n";
299 |       Thread.sleep(1)
300 |       txt_log += "  end dump libPubFunctional.so ----------------------------------------\\n";
301 |     }
302 | 
303 |     console.log(txt_log);
304 | }, 'void', ['pointer', 'pointer', 'pointer']));
305 | """
306 | 
307 | #jscode = ""
308 | #with open("Hook_linker.js") as fd:
309 | #  line = fd.readline()
310 | #  while line:
311 | #    jscode += str(line)
312 | #    line = fd.readline()
313 | #  jscode += str(line)
314 | 
315 | 
316 | 
317 | def main():
318 |   devices = None
319 |   try:
320 |     devices = frida.enumerate_devices()
321 |   except:
322 |     pass
323 |   if devices == None:
324 |     print "frida can't enumerate devices. please check the frida connect."
325 |     return
326 | 
327 |   autel_device = None
328 |   for device in devices:
329 |     print device
330 |     if device.name.find("Autel") != -1:
331 |       autel_device = frida.get_device(device.id)
332 |       print "\nuse: %s" %autel_device
333 |       break
334 |   if autel_device == None:
335 |     print "frida not found autel device."
336 |     return
337 | 
338 |   try:
339 |     target = autel_device.spawn("com.Autel.maxi")
340 |     session = autel_device.attach(target)
341 |     script = session.create_script(jscode)
342 |     script.on('message', on_message)
343 |     print('[*] Running Python Script.')
344 |     script.load()
345 |     autel_device.resume(target)
346 |   except BaseException as e:
347 |     print e
348 | 
349 |   sys.stdin.read()
350 | 
351 |   #with open("c:\\dmp.xx", "rb") as fd:
352 |   #  data = fd.read(os.path.getsize("c:\\dmp.xx"))
353 |   #  on_dump_end(data)
354 | 
355 | if __name__ == "__main__":
356 |   try:
357 |     main()
358 |   finally:
359 |     pass


--------------------------------------------------------------------------------