# fridaJs_android_framewrok

**Repository Path**: imagg/fridaJs_android_framewrok

## Basic Information

- **Project Name**: fridaJs_android_framewrok
- **Description**: Initial code comes from https://gitee.com/repok/frida_analyze_app_src--frida_js.git
- **Primary Language**: Unknown
- **License**: Not specified
- **Default Branch**: release
- **Homepage**: None
- **GVP Project**: No

## Statistics

- **Stars**: 0
- **Forks**: 0
- **Created**: 2024-10-21
- **Last Updated**: 2024-10-24

## Categories & Tags

**Categories**: Uncategorized

**Tags**: None

## README

Using fridaJs to analyze how text is displayed in the android_framework source.

#### Prerequisites

Requires a OnePlus 3T phone with: developer mode, USB debugging, an unlocked bootloader, Magisk 27 root (Magisk's own app name is randomized to hide Magisk), and tian--eadb (used to start frida-server-arm64).

The OnePlus 3T is connected to the PC over USB.

https://github.com/frida/frida/releases/download/16.5.5/frida-server-16.5.5-android-arm64.xz

`/app4/lineage16_oneplus3t/frameworks/base` is replaced with the `m/lineage-16.0` branch of https://gitlab.com/LineageOS-z/android_frameworks_base.git

#### Preparation

Looking up the ELF / the x.so it depends on / fnName: https://gitee.com/imagg/fridaJs_android_framewrok/blob/release/elf_so_fn_grep.md

#### Printing the arguments of `android::Canvas::drawText` with frida (apparently not coordinates)

[elf_so_fn_grep.md](https://gitee.com/imagg/fridaJs_android_framewrok/blob/release/elf_so_fn_grep.md) contains this entry:

`_ZN7android6Canvas8drawTextEPKtiiiffN7minikin4BidiERKNS_5PaintEPKNS_8TypefaceEPNS3_12MeasuredTextE : android::Canvas::drawText(unsigned short const*, int, int, int, float, float, minikin::Bidi, android::Paint const&, android::Typeface const*, minikin::MeasuredText*)`

The following uses frida to print that function's arguments.

```bash
cd /fridaAnlzAp/frida_js/

# Configuration: set the app to QQ and the functions to `android::Canvas::drawText` and `android::MinikinUtils::measureText`
jq '.android_app_name="com.tencent.mobileqq" | .funcNamePatternLs=["_ZN7android6Canvas8drawTextEPKtiiiffN7minikin4BidiERKNS_5PaintEPKNS_8TypefaceEPNS3_12MeasuredTextE","_ZN7android12MinikinUtils11measureTextEPKNS_5PaintEN7minikin4BidiEPKNS_8TypefaceEPKtmmmPf"] ' config.json | sponge config.json

# adb shell --> /usr/bin/su --> `/data/eadb/run /data/eadb/debian` --> run the following command to start the frida server
# cd /data/local/tmp/frida_home/; frida-server-16.5.5-android-arm64 &

# Exit immediately if frida-server is not running on the Android phone
adb shell "pidof frida-server-16.5.5-android-arm64" || exit 13

# Start the frida client on the PC
bash fridaJs_runApp.sh

# Swipe and tap around in QQ on the phone and open different windows; the frida client
# started on the PC by the previous line prints the text shown in the QQ windows on the phone
```

Function `android::Canvas::drawText`: http://androidxref.com/9.0.0_r3/xref/frameworks/base/libs/hwui/hwui/Canvas.cpp#159

```c++
void Canvas::drawText(const uint16_t* text, int start, int count, int contextCount, float x,
                      float y, minikin::Bidi bidiFlags, const Paint& origPaint,
                      const Typeface* typeface, minikin::MeasuredText* mt) {
    // minikin may modify the original paint
    Paint paint(origPaint);

    minikin::Layout layout = MinikinUtils::doLayout(&paint, bidiFlags, typeface, text, start,
                                                    count, contextCount, mt);

    x += MinikinUtils::xOffsetForTextAlign(&paint, layout);

    minikin::MinikinRect bounds;
    layout.getBounds(&bounds);
    if (!drawTextAbsolutePos()) {
        bounds.offset(x, y);
    }

    // Set align to left for drawing, as we don't want individual
    // glyphs centered or right-aligned; the offset above takes
    // care of all alignment.
    paint.setTextAlign(Paint::kLeft_Align);

    DrawTextFunctor f(layout, this, paint, x, y, bounds, layout.getAdvance());
    MinikinUtils::forFontRun(layout, &paint, f);
}
```
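
An added example, not part of this repository: a minimal Frida `onEnter` handler for the mangled `drawText` symbol above that decodes the UTF-16 `text` argument using `start`, `count` and `contextCount`. It assumes the symbol is exported from `libhwui.so` and AArch64 argument passing, where the `float x, float y` parameters travel in `s0`/`s1` and so never appear in `args[]`; `decodeDrawText`, `onDrawText`, `sampleBuffer` and the 4096 cap are hypothetical names and values.

```javascript
// Added example, not the repository's code. Under Frida it installs the hook;
// under plain Node only the decoder and the constructed sample are usable.
const SYM = '_ZN7android6Canvas8drawTextEPKtiiiffN7minikin4BidiERKNS_5PaintEPKNS_8TypefaceEPNS3_12MeasuredTextE';

// Decode code units [start, start+count) of a UTF-16LE buffer that holds
// contextCount units. Returns null on an inconsistent range, which usually
// means the argument mapping is wrong.
function decodeDrawText(buf, start, count, contextCount) {
  if (start < 0 || count < 0 || start + count > contextCount) return null;
  if (buf.byteLength < contextCount * 2) return null;
  const view = new DataView(buf);
  let out = '';
  for (let i = start; i < start + count; i++) {
    out += String.fromCharCode(view.getUint16(i * 2, true)); // little-endian
  }
  return out;
}

// AArch64 integer registers for this member function: x0=this, x1=text,
// x2=start, x3=count, x4=contextCount, x5=bidiFlags, x6=&origPaint,
// x7=typeface. x and y are floats passed in s0/s1, so args[] skips them.
function onDrawText(args) {
  const start = args[2].toInt32();
  const count = args[3].toInt32();
  const contextCount = args[4].toInt32();
  if (contextCount <= 0 || contextCount > 4096) return; // assumed sanity cap
  const buf = args[1].readByteArray(contextCount * 2);
  const text = buf === null ? null : decodeDrawText(buf, start, count, contextCount);
  if (text !== null) console.log('drawText [' + start + ',+' + count + '): ' + text);
}

if (typeof Interceptor !== 'undefined') {
  // 'libhwui.so' is an assumption based on the source path libs/hwui.
  const addr = Module.findExportByName('libhwui.so', SYM);
  if (addr !== null) Interceptor.attach(addr, { onEnter: onDrawText });
}

// Constructed sample: a short string laid out as UTF-16LE, for offline checks.
function sampleBuffer() {
  const s = '你好, Frida';
  const b = new ArrayBuffer(s.length * 2);
  const v = new DataView(b);
  for (let i = 0; i < s.length; i++) v.setUint16(i * 2, s.charCodeAt(i), true);
  return b;
}
```

`start` is an offset into the `contextCount`-unit buffer that `text` points to, so a decoded range that falls outside the buffer is a sign that the wrong registers are being read.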