////////////////// 1 /////////////////////// // console.log("v8_inspector::V8ProfilerAgentImpl::startProfiling(v8_inspector::String16 "); // const f1 = Module.getExportByName('libmmv8.so', '_ZN12v8_inspector19V8ProfilerAgentImpl14startProfilingERKNS_8String16E') // if(f1 == null){ // console.log("Function not found"); // } // console.log("Function found: "+ f1); // try{ // var startProfiling = new NativeFunction(f1, 'pointer',['pointer']); // var para2 = createString16('Haseeb'); // var s = startProfiling(para2); // console.log("startProfiling called"); // console.log("startProfiling2: "+ s); // } // catch(err){ // console.log("Error: "+err.stack); // } ////////////////// 2 //////////////////////// // working with string parameter // console.log(" _ZN2v88internal22TracingCpuProfilerImpl14StartProfilingEv") // const f2 = Module.getExportByName('libmmv8.so', '_ZN2v88internal22TracingCpuProfilerImpl14StartProfilingEv') // if(f2 == null){ // console.log("Function not found"); // } // console.log("Function found: "+ f2); // try{ // var startProfiling = new NativeFunction(f2, 'void',['pointer']); // var para2 = createString8(''); // startProfiling(para2); // Error: Error: access violation accessing 0xd671e3f4 // console.log("startProfiling called"); // } // catch(err){ // console.log("Error: "+err.stack); // } ////////////////// 3 //////////////////////// // console.log("_ZNK2v810CpuProfile15GetSamplesCountEv") // const f3 = Module.getExportByName('libmmv8.so', '_ZNK2v810CpuProfile15GetSamplesCountEv') // // const f3 = new NativeFunction(ptr("0x746ce9cc08"), 'int',[]); // if(f3 == null){ // console.log("Function not found"); // } // console.log("Function found: "+ f3); // console.log("0x746ce9cc08") // try{ // var startProfiling = new NativeFunction(f3, 'int',['pointer']); // var pointer = Memory.allocUtf8String('Haseeb'); // var s = startProfiling(pointer); // console.log("startProfiling called"); // console.log("startProfiling2: "+ s); // } // catch(err){ // console.log("Error: "+err.stack); // } ////////////////// 4 //////////////////////// // console.log("_ZN2v811CpuProfiler14StartProfilingENS_5LocalINS_6StringEEEb") // const f4 = Module.getExportByName('libmmv8.so', '_ZN2v811CpuProfiler14StartProfilingENS_5LocalINS_6StringEEEb') // if(f4 == null){ // console.log("Function not found"); // } // console.log("Function found: " + f4); // try{ // var startProfiling = new NativeFunction(f4, 'void',['pointer','pointer','bool']); // var para1 = Memory.allocUtf16String(' '); // var para2 = Memory.allocUtf8String('Haseeb'); // // var somebool = 1; // var somebool = 1; // var s = startProfiling(para1, para2, 23); // console.log("startProfiling called"); // console.log("startProfiling222: "+ s); // } // catch(err){ // console.log("Error: "+err.stack); // } var v8Initialised = false // if(!v8Initialised){ // console.log("_ZN2v82V810InitializeEi") // const f = Module.getExportByName('libmmv8.so', '_ZN2v82V810InitializeEi') // if(f == null){ // console.log("Function not found"); // } // console.log("Function found: "+ f); // try{ // var v8Init = new NativeFunction(f, 'bool',['int']); // console.log("v8Init called"); // v8Init(0); // v8Initialised = true; // console.log("v8Initialised: "+ v8Initialised); // } // catch(err){ // console.log("Error: "+err.stack); // } // } // var v8IsolateEnter = "_ZN2v87Isolate5EnterEv" // waitForModule('libmmv8.so', interceptV8Initialize); // for (var i = 184; i < 1000; i++) { // setTimeout(initialiseParam(i), 5000); // } // waitForModule('libmmv8.so', interceptV8Initialize); // interceptV8Initialize(); initialiseParam(185) function interceptIsolateEnter(){ console.log("_ZN2v87Isolate5EnterEv") const f = Module.getExportByName('libmmv8.so', '_ZN2v87Isolate5EnterEv') if(f == null){ console.log("Function not found"); } else{ console.log("Function found: "+ f); Interceptor.attach(f, { onEnter: function (args) { console.log("v8::Isolate::Enter called"); }, onLeave: function (retval) { console.log("v8::Isolate::Enter returned"); } }); } } function interceptnewIsolate(){ console.log("_ZN2v87Isolate3NewERKNS0_12CreateParamsE") const f = Module.getExportByName('libmmv8.so', '_ZN2v87Isolate8AllocateEv') if(f == null){ console.log("Function not found"); } else{ console.log("Function found: "+ f); Interceptor.attach(f, { onEnter: function (args) { console.log("v8::Isolate::New called"); }, onLeave: function (retval) { console.log("v8::Isolate::New returned"); var isolate = retval; console.log("isolate: "+ isolate); } }); } } function interceptV8Initialize() { if (!v8Initialised) { console.log("Attempting to intercept v8::V8::Initialize..."); const f = Module.getExportByName('libmmv8.so', '_ZN2v82V810InitializeEi'); if (f == null) { console.log("Function not found"); } else { console.log("Function found: " + f); Interceptor.attach(f, { onEnter: function (args) { console.log("v8::V8::Initialize called with arg: " + args[0].toInt32()); }, onLeave: function (retval) { console.log("v8::V8::Initialize returned"); v8Initialised = true; console.log("v8Initialised: " + retval.toInt32()); // getCurrent(); // setTimeout(()=>getCurrent(),1000) // Now that V8 is initialized, we can proceed create an Isolate // setTimeout(()=>initialiseParam(184),5000) setTimeout(()=>initialiseParam(185),5000) } }); } } } function newIsolate(paramPointer){ console.log("_ZN2v87Isolate3NewERKNS0_12CreateParamsE") const f = Module.getExportByName('libmmv8.so', '_ZN2v87Isolate3NewERKNS0_12CreateParamsE') if(f == null){ console.log("Function not found"); } else{ try{ console.log("Function found: "+ f); var isolatepointer = new NativeFunction(f, 'pointer',['pointer']); console.log("isolatepointer called"); var isolatepointer = isolatepointer(paramPointer); console.log("isolatepointer: "+ isolatepointer); }catch(err){ console.log("Error: "+err.stack); }} } function interceptv8ContextCreate() { console.log("_ZN2v87Context3NewEPNS_7IsolateEPNS_22ExtensionConfigurationENS_10MaybeLocalINS_14ObjectTemplateEEENS5_INS_5ValueEEENS_33DeserializeInternalFieldsCallbackEPNS_14MicrotaskQueueE") const f = Module.getExportByName('libmmv8.so', '_ZN2v87Context3NewEPNS_7IsolateEPNS_22ExtensionConfigurationENS_10MaybeLocalINS_14ObjectTemplateEEENS5_INS_5ValueEEENS_33DeserializeInternalFieldsCallbackEPNS_14MicrotaskQueueE') var context = null; if(f == null){ console.log("Function not found"); } else{ console.log("Function found: "+ f); Interceptor.attach(f, { onEnter: function (args) { console.log("v8::Context::New called"); }, onLeave: function (retval) { console.log("v8::Context::New returned"); context = retval; } }); } } function waitForModule(moduleName, callback) { var module = Process.findModuleByName(moduleName); if (module !== null) { console.log(moduleName + " module found"); callback(); } else { console.log(moduleName + " module not found, waiting..."); setTimeout(function () { waitForModule(moduleName, callback); }, 10); // Check every 1 second } } // Wait for libmmv8.so to be loaded before initializing V8 // waitForModule('libmmv8.so', interceptV8Initialize); // waitForModule('libmmv8.so', interceptV8Initialize); function CreateIsolate() { ////////////////// 4.5 //////////////////////// // if (v8Initialised && !haveIsolatePointer) { console.log("_ZN2v87Isolate8AllocateEv") const f45 = Module.getExportByName('libmmv8.so', '_ZN2v87Isolate8AllocateEv') if(f45 == null){ console.log("Function not found"); } console.log("Function found: " + f45); try{ var isolatepointer = new NativeFunction(f45, 'pointer',[]); console.log("isolatepointer called"); var isolatepointer = isolatepointer(); // haveIsolatePointer = true; console.log("isolatepointer: "+ isolatepointer); // CreateCpuProfile(isolatepointer); initialiseParam(184); } catch(err){ console.log("Error: "+err.stack); } // } } function getCurrentContext(isolatepointer){ console.log("_ZN2v87Isolate17GetCurrentContextEv") const f = Module.getExportByName('libmmv8.so', '_ZN2v87Isolate17GetCurrentContextEv') if(f == null){ console.log("Function not found"); } else{ console.log("Function found: "+ f); try{ var getCurrentContext = new NativeFunction(f, 'pointer',['pointer']); console.log("getCurrentContext called"); var context = getCurrentContext(isolatepointer); console.log("getCurrentContext: "+ context); } catch(err){ console.log("Error: "+err.stack); } } } function getCurrent(){ console.log("_ZN2v87Isolate10GetCurrentEv") const f = Module.getExportByName('libmmv8.so', '_ZN2v87Isolate10GetCurrentEv') if(f == null){ console.log("Function not found"); } else{ console.log("Function found: "+ f); try{ var getCurrent = new NativeFunction(f, 'pointer',[]); console.log("getCurrent called"); var context = getCurrent(); console.log("getCurrent: "+ context); } catch(err){ console.log("Error: "+err.stack); } } } function initialiseParam(size){ // console.log("_ZN2v87Isolate12CreateParamsC2Ev") const f = Module.getExportByName('libmmv8.so', '_ZN2v87Isolate12CreateParamsC2Ev') if(f == null){ console.log("Function not found"); } // console.log("Function found: "+ f); try{ var createParams = new NativeFunction(f, 'void',['pointer']); // console.log("createParams called"); // var createParamsSize = // var paramsPointer = createParams(); // console.log("createParams = " + paramsPointer); // console.log("param: "+ param); // const createParamsSize = 184; // Adjust this value if necessary // const createParamsSize = 184; const createParamsPtr = Memory.alloc(size); console.log("createParamsPtr: "+ createParamsPtr); // Call the constructor createParams(createParamsPtr); // createParamsPtr now points to the initialized CreateParams object console.log("CreateParams object pointer:", createParamsPtr); console.log("worked with size:", size); newIsolate(createParamsPtr); } catch(err){ // console.log("Error: "+err.stack); console.log(size) console.log("Error: "+err); } } function CreateCpuProfile(isolatepointer) { // if (haveIsolatePointer && !haveCpuProfilePointer){ console.log("_ZN2v811CpuProfiler3NewEPNS_7IsolateENS_22CpuProfilingNamingModeENS_23CpuProfilingLoggingModeE") const f47 = Module.getExportByName('libmmv8.so', '_ZN2v811CpuProfiler3NewEPNS_7IsolateENS_22CpuProfilingNamingModeENS_23CpuProfilingLoggingModeE') if(f47 == null){ console.log("Function not found"); } console.log("Function found: " + f47); try{ var cpuProfilepointer = new NativeFunction(f47, 'pointer',['pointer','int','int']); console.log("cpuProfilepointer called"); var cpuProfilerpointer = cpuProfilepointer(isolatepointer, 1, 1); // verbosenames, // eagerlogging haveCpuProfilePointer = true; console.log("cpuProfilepointer: "+ cpuProfilerpointer); } catch(err){ console.log("Error: "+err.stack); } // } } ////////////////// 5 //////////////////////// // console.log("_ZN2v88internal11CpuProfiler16GetProfilesCountEv") // const f5 = Module.getExportByName('libmmv8.so', '_ZN2v88internal11CpuProfiler16GetProfilesCountEv') // if(f5 == null){ // console.log("Function not found"); // } // console.log("Function found: "+ f5); // try{ // var getProfiles = new NativeFunction(f5, 'int',['pointer']); // var para = createString8(''); // console.log("para: "+ para); // var s = getProfiles(para); // console.log("getProfiles called"); // console.log("getProfiles: "+ s); // } // catch(err){ // console.log("Error: "+err.stack); // } ////////////////// 6 //////////////////////// // console.log("_ZN2v88internal11CpuProfiler10GetProfileEi") // const f6 = Module.getExportByName('libmmv8.so', '_ZN2v88internal11CpuProfiler10GetProfileEi') // if (f6 == null) { // console.log("Function not found"); // } // console.log("Function found: " + f6); // try { // // var getProfile = new NativeFunction(f6, 'pointer', ['pointer', 'int']); // // var para = createString8(''); // // var profilepointer = getProfile(para, 1); // // console.log("getProfile called"); // // console.log("getProfile: " + profilepointer); // console.log("_ZN2v88internal11CpuProfiler16GetProfilesCountEv") // const f5 = Module.getExportByName('libmmv8.so', '_ZN2v88internal11CpuProfiler16GetProfilesCountEv') // if (f5 == null) { // console.log("Function not found"); // } // console.log("Function found: " + f5); // try { // var getProfiles = new NativeFunction(f5, 'int', ['pointer']); // // var para = createString8(''); // // console.log("para: " + para); // var s = getProfiles(new NativePointer('0x75dc296ba0')); // console.log("getProfiles called"); // console.log("getProfiles: " + s); // } // catch (err) { // console.log("Error: " + err); // } // } // catch (err) { // console.log("Error1" + err); // } // Java.perform(()=>{ // console.log("Hooking startProfiling"); // const activity = Java.use('android.app.Instrumentation'); // var original = activity.startProfiling.overload(); // activity.startProfiling.implementation = function(){ // console.log("startProfiling called"); // return original.call(this); // } // }) // Java.perform(() => { // try { // Java.choose('android.app.Instrumentation', { // onMatch: function(instance) { // console.log('Found instance of android.app.Instrumentation'); // instance.startProfiling(); // console.log('startProfiling called'); // // Stop profiling after 5 seconds // setTimeout(() => { // instance.stopProfiling(); // console.log('stopProfiling called'); // }, 5000); // }, // onComplete: function() {} // }); // } catch (err) { // console.log('Error: ' + err); // } // }); // working with string parameter // Java.perform(()=>{ // const f = Module.getExportByName('libmmv8.so', '_ZN12v8_inspector19V8ProfilerAgentImpl5startEv') // if(f == null){ // console.log("Function not found"); // return; // } // var startProfiling = new NativeFunction(f, 'pointer',['pointer']); // console.log("startProfiling: "+startProfiling); // try{ // // var param1 = Memory.allocUtf8String('Haseeb'); // // var para2 = createString16('Haseeb'); // // var somebool = 1; // var s = startProfiling(createString16('Haseeb')); // console.log("startProfiling called"); // console.log("startProfiling2: "+ s); // }catch(err){ // console.log("Error: "+err.stack); // } // }) function createString16(jsString) { // Encode the JavaScript string as UTF-16 var utf16String = Memory.allocUtf16String(jsString); var utf16Length = jsString.length; // Allocate memory for the String16 object // Assuming the size of String16 is the same as the size of a pointer (this might not be accurate) var string16Ptr = Memory.alloc(Process.pointerSize); // Write the pointer to the UTF-16 data and the length into the String16 object // This assumes the layout of String16 is [pointer to data, length] // You might need to adjust this based on the actual memory layout of String16 Memory.writePointer(string16Ptr, utf16String); Memory.writeU64(string16Ptr.add(Process.pointerSize), utf16Length); return string16Ptr; } function createString8(jsString) { // Encode the JavaScript string as UTF-8 var utf8String = Memory.allocUtf8String(jsString); var utf8Length = jsString.length; // Allocate memory for the String8 object // Assuming the size of String8 is the same as the size of a pointer (this might not be accurate) var string8Ptr = Memory.alloc(Process.pointerSize); // Write the pointer to the UTF-8 data and the length into the String8 object // This assumes the layout of String8 is [pointer to data, length] // You might need to adjust this based on the actual memory layout of String8 Memory.writePointer(string8Ptr, utf8String); Memory.writeU64(string8Ptr.add(Process.pointerSize), utf8Length); return string8Ptr; } // Java.perform(() => { // const moduleName = 'libmmv8.so'; // Replace with the actual module name // const functionName = '_ZN12v8_inspector19V8ProfilerAgentImpl4stopEPNSt6__ndk110unique_ptrINS_8protocol8Profiler7ProfileENS1_14default_deleteIS5_EEEE'; // Mangled name // const functionAddress = Module.findExportByName(moduleName, functionName); // if (!functionAddress) { // console.error(`Function ${functionName} not found.`); // return; // } // console.log(`Found function at address: ${functionAddress}`); // // Assuming you have an instance of V8ProfilerAgentImpl // // const instance = /* code to obtain or create an instance of V8ProfilerAgentImpl */; // // Create a NativeFunction for the stop method // const stopProfiling = new NativeFunction(functionAddress, 'void', [ 'pointer', 'pointer']); // // Prepare a unique_ptr for the Profile object // const profilePtr = Memory.alloc(Process.pointerSize); // Allocate memory for the pointer // // Memory.writePointer(profilePtr); // Initialize the unique_ptr to null // console.log("Calling stop function..."); // try { // stopProfiling(createString16('Haseeb'),profilePtr); // console.log("stopProfiling called"); // // You might need to extract the Profile object from the unique_ptr here // // and handle the profiling data as needed. // } catch (err) { // console.error(`Error calling function: ${err.stack}`); // } // }); // })