准备工作

1. 手机：Google Pixel 3 Android 11, API 30
2. 工具：IDA 7.0、Android Studio
3. 电脑系统：win10

写一个C++ demo

稍微改动下代码，点击Hello World调用c++

class MainActivity : AppCompatActivity() {

    @SuppressLint("SetTextI18n")
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        setContentView(R.layout.activity_main)

        // Example of a call to a native method
        sample_text.setOnClickListener {
            sample_text.text = stringFromJNI() + intFromJNI()
        }
    }

    /**
     * A native method that is implemented by the 'native-lib' native library,
     * which is packaged with this application.
     */
    private external fun stringFromJNI(): String

    private external fun intFromJNI(): Int

    companion object {
        // Used to load the 'native-lib' library on application startup.
        init {
            System.loadLibrary("native-lib")
        }
    }
}
复制代码

native-lib.cpp代码

#include <jni.h>
#include <string>

int test_add();

extern "C" JNIEXPORT jstring JNICALL
Java_com_example_testcpp_MainActivity_stringFromJNI(
        JNIEnv *env,
        jobject /* this */) {
    std::string hello = "Hello from C++ ";
    return env->NewStringUTF(hello.c_str());
}

extern "C" JNIEXPORT jint JNICALL
Java_com_example_testcpp_MainActivity_intFromJNI(JNIEnv *env, jobject thiz) {
    int ret = test_add();
    return (jint)ret;
}

int test_add() {
    return 1 + 1;
}
复制代码

运行效果（左），点击后（右）

将IDA目录dbgsrv下的android_server64放到Android应用目录下

这里要注意看手机是多少位的，我是64位就用64位的android_server64

通过Android Studio的Device File Explorer upload到对应的应用目录下，这个目录没有root权限通过adb是不能push文件进去

打开终端进入adb shell启动android_server

C:\Users\Administrator\Desktop\fby>adb shell
* daemon not running; starting now at tcp:5037
* daemon started successfully
blueline:/ $
复制代码

这里有个关键步骤，如果直接进入到/data/data/com.example.testcpp是没有权限的，也就不能启动android_server

blueline:/ $ cd data/data/com.example.testcpp
/system/bin/sh: cd: /data/data/com.example.testcpp: Permission denied
复制代码

执行run-as com.example.testcpp，进入到了应用目录，ls看下当前目录，然后启动android_server

2|blueline:/ $ run-as com.example.testcpp
blueline:/data/user/0/com.example.testcpp $ ls
android_server64  cache  code_cache  databases  files  no_backup  shared_prefs
blueline:/data/user/0/com.example.testcpp $ ./android_server64
IDA Android 64-bit remote debug server(ST) v1.22. Hex-Rays (c) 2004-2017
Listening on 0.0.0.0:23946...
复制代码

再打开一个终端，转发端口23946

C:\Users\Administrator>adb forward tcp:23946 tcp:23946
23946
复制代码

打开IDA64 attch进程

点击ok进入到调试页面，这里已经进入断点，按F9让程序执行

在Modules窗口找到自己写的那个native-lib.so，下断点

app上点击Hello World，进入到断点