使用 radare2/iaito 移除 frida 检测

eBPF on Android之使用stackplz拯救你的frida

原理在引用的这篇文章里，这里主要记录下 radare2 的使用方法，毕竟 IDA 太贵了。

radare2 是一个开源逆向框架，提供命令行工具。iaito 是 radare2 的一个 GUI 工具，开源免费，万岁。

接下来，有请我们今天的主角，libmsaoaidsec.so，看起来是 oaid 的 so，没想到是它在检测 frida。

步骤:

定位可疑调用位置
找到关键检测逻辑
使用 radare2 修改 so
替换 so，测试 frida

定位可疑调用位置

挑个看得顺眼的应用，并没有特别多逆向经验，直接根据原文，找 libmsaoaidsec.so 相关日志。

1	./stackplz --name com.zhihu.android stack --symbol strstr --regs --stack

stack_2022/12/08 06:21:05 StackMod      perf event ring buffer full, dropped 6 samples, libc.so + strstr                                                                                                            
stack_2022/12/08 06:21:05 [libc.so + strstr] PID:10435, Comm:ZH_RxCachedThre, TID:10503, Regs:                                                                                                                      
{"lr":"0x6ed246da7c","pc":"0x71f4897300","sp":"0x6ed23447c0","x0":"0x6ed23447d8","x1":"0x6ed249804a","x10":"0x1ea","x11":"0x1","x12":"0x6ed2343dda","x13":"0xafbda102","x14":"0x10","x15":"0x0","x16":"0x6ed2496ac0"
Stackinfo:                                                                                                                                
  #00 pc 0000000000095300  /apex/com.android.runtime/lib64/bionic/libc.so (strstr)                                                        
  #01 pc 000000000001aa78  /data/app/~~EpW7Q_NNKlVh9bZXN1dcWQ==/com.zhihu.android-Zt48AaNHSi4nYrZ8qtxQvg==/lib/arm64/libmsaoaidsec.so                                                                               
  #02 pc 000000000001b870  /data/app/~~EpW7Q_NNKlVh9bZXN1dcWQ==/com.zhihu.android-Zt48AaNHSi4nYrZ8qtxQvg==/lib/arm64/libmsaoaidsec.so                                                                               
  #03 pc 00000000000b1790  /apex/com.android.runtime/lib64/bionic/libc.so (__pthread_start(void*)+204)                                                                                                              
  #04 pc 00000000000511ac  /apex/com.android.runtime/lib64/bionic/libc.so (__start_thread+64)                                                                                                                       
                                                                                                                                                                                                                    
stack_2022/12/08 06:21:05 [libc.so + strstr] PID:10435, Comm:ZH_RxCachedThre, TID:10503, Regs:                                                                                                                      
{"lr":"0x6ed246da8c","pc":"0x71f4897300","sp":"0x6ed23447c0","x0":"0x6ed23447d8","x1":"0x6ed2498056","x10":"0x1ea","x11":"0x1","x12":"0x6ed2343dda","x13":"0xafbda102","x14":"0x10","x15":"0x0","x16":"0x6ed2496ac0"
Stackinfo:                                                                                                                                                                                                          
  #00 pc 0000000000095300  /apex/com.android.runtime/lib64/bionic/libc.so (strstr)                                                                                                                                  
  #01 pc 000000000001aa88  /data/app/~~EpW7Q_NNKlVh9bZXN1dcWQ==/com.zhihu.android-Zt48AaNHSi4nYrZ8qtxQvg==/lib/arm64/libmsaoaidsec.so                                                                               
  #02 pc 000000000001b870  /data/app/~~EpW7Q_NNKlVh9bZXN1dcWQ==/com.zhihu.android-Zt48AaNHSi4nYrZ8qtxQvg==/lib/arm64/libmsaoaidsec.so                                                                               
  #03 pc 00000000000b1790  /apex/com.android.runtime/lib64/bionic/libc.so (__pthread_start(void*)+204)                                                                                                              
  #04 pc 00000000000511ac  /apex/com.android.runtime/lib64/bionic/libc.so (__start_thread+64)