Ghidra is one of the most powerful and popular reverse engineering frameworks used extensively today, which was developed by the NSA (National Security Agency) of the USA. It offers a user-friendly interface which permits users to reverse engineer binaries, debug code, and analyze code in many languages. It also includes several advanced features, such as code decompilation, scripting capabilities, and collaboration tools that allow multiple analysts to work together on the same project.
You just need Java.
https://github.com/NationalSecurityAgency/ghidra/releases
.so
The highlighted part is address of this function. But we can’t use it to hook it on memory. Why? Because of ASLR. By
Address Space Layout Randomization (ASLR) is a computer security technique that helps protect your computer or device from certain types of attacks. Imagine your computer's memory (RAM) is like a big neighborhood with houses where different programs and data live. ASLR is like a guard that rearranges the houses in the neighborhood every time you start your computer, so potential burglars (malicious software) have a harder time figuring out where things are located.
By shuffling the locations of where programs and data are stored in memory, ASLR makes it difficult for hackers to predict where vulnerable spots might be. This adds a layer of defense against attacks that rely on knowing the exact locations of specific functions or data in a computer's memory. ASLR makes it much trickier for malicious software to exploit these vulnerabilities, making your computer more secure.
The one thing which not altered by ASLR is function source offset. Therefore we need to find source offset of function and then scan the memory to find out the address where the module is store. After finding this address by adding function source offset to module base address we can find the function address in the device.
You can find function offset address here:
As an example in here the source offset address of xorEncryptDecrypt function is 3c6bc. The h character at the end mean it’s an Hexadecimal value.
Now hot getting module base address? Base address mean the location on memory that the module has been loaded. Frida make it for us very easy. Just we can call Module.getBaseAddress("libnativesecret.so").
To adding the function source offset we can simple use this code: