Fix few mistakes

README.md

@@ -70,7 +70,7 @@ adb shell chmod 755 /data/local/tmp/goauld-cli
 ## Examples
 
 Be sure you have the right to write into /proc/PID/mem (defined in this following variable):
-```
+```sh
 sudo sysctl kernel.yama.ptrace_scope=0
 ```
 
@@ -102,6 +102,12 @@ frida -H localhost Gadget -l examples/frida_gadget/test.js
 
 Find out the application to infect and use the cli binary to inject and run the frida gadget shared library for example:
 ```sh
+ps -A |grep package_name
+
+You can copy and change the context of the shared library (but the tool will do it):
+```sh
+adb push frida-gadget-16.3.3-android-arm64.so /data/local/tmp/frida-gadget-android-arm64.so
+chcon -v u:object_r:apk_data_file:s0 f/data/local/tmp/frida-gadget-android-arm64.so
 ```
 
 If you have injected the frida gadget library, in another terminal, you can connect with the frida command line to the Android Phone to the infected process,
@@ -110,6 +116,32 @@ like for example to display a tiny message, but you can also start to hijack any
 frida -U -f re.frida.Gadget -l toast.js
 ```
 
+```sh
+x:/data/local/tmp # cat frida-gadget-android-arm64.config
+{
+        "interaction" : {
+                "type": "script",
+                "path": "/data/local/tmp/test.js"
+        }
+}
+```
+
+```sh
+x:/data/local/tmp # cat test.js
+Java.perform(function () {
+    var context = Java.use('android.app.ActivityThread').currentApplication().getApplicationContext();
+
+    Java.scheduleOnMainThread(function() {
+            var toast = Java.use("android.widget.Toast");
+            toast.makeText(Java.use("android.app.ActivityThread").currentApplication().getApplicationContext(), Java.use("java.lang.String").$new("Hello from your Goauld !"), 1).show();
+    });
+});
+```
+
+```sh
+x:/data/local/tmp # ./goauld-cli --pid PID --file frida-gadget-android-arm64.so
+```
+
 ## Caveats
 
 The tool has been tested on all supported architectures, but if you encounter any bugs, please create a new [issue](https://github.com/androguard/goauld/issues) to fix it.

bin/cli.rs

@@ -2,7 +2,6 @@ use clap::Parser;
 use log::{error, info, warn, LevelFilter};
 use simple_logger::SimpleLogger;
 
-
 /// Inject code into a running process using /proc/pid/mem
 #[derive(Parser, Debug)]
 #[command(version, about)]
@@ -42,9 +41,9 @@ fn main() {
     let args = Args::parse();
 
     SimpleLogger::new()
-    .with_level(LevelFilter::Debug)
-    .init()
-    .unwrap();
+        .with_level(LevelFilter::Info)
+        .init()
+        .unwrap();
 
     let mut target_pid = args.pid.unwrap_or(0);
 
@@ -71,7 +70,6 @@ fn main() {
         }
     };
 
-
     match injector.set_file_path(args.file) {
         Ok(_) => {}
         Err(e) => {
@@ -89,7 +87,7 @@ fn main() {
             std::process::exit(1);
         }
     }
-    
+
     if let Some(func_sym) = &args.func_sym {
         let sym_pair: Vec<&str> = func_sym.split('!').collect();
         if sym_pair.len() != 2 {
@@ -141,4 +139,4 @@ fn main() {
             std::process::exit(1);
         }
     }
-}
+}

src/lib.rs

@@ -193,11 +193,12 @@ impl Injector {
         loop {
             std::thread::sleep(std::time::Duration::from_millis(1));
             let data = mem.read(self.target_var_sym_addr, 0x8)?;
-            debug!("Waiting ... {:?}", data);
+            //debug!("Waiting ... {:?}", data);
 
             // u64 from val
             new_map = u64::from_le_bytes(data[0..8].try_into().unwrap());
             if (new_map & 0x1 != 0) && (new_map & 0xffff_ffff_ffff_fff0 != 0) {
+                info!("Boom ... 0x{:x}", new_map);
                 break;
             }
         }
@@ -212,7 +213,7 @@ impl Injector {
             mem.write(self.target_func_sym_addr, &self_jmp_stage)?;
         }
 
-        std::thread::sleep(std::time::Duration::from_millis(10000));
+        std::thread::sleep(std::time::Duration::from_millis(1000));
 
         info!("restore original bytes");
         mem.write(self.target_func_sym_addr, &func_original_bytes)?;

src/payloads/aarch64.rs

@@ -3,12 +3,12 @@ use crate::error::InjectionError;
 use dynasmrt::{dynasm, DynasmApi, DynasmLabelApi};
 
 pub fn first_shellcode(var_addr: usize, alloc_len: usize) -> Result<Vec<u8>, InjectionError> {
-    debug!("first_shellcode x64");
+    debug!("first_shellcode aarch64");
 
     let mut ops = dynasmrt::aarch64::Assembler::new().unwrap();
     dynasm!(ops
         ; .arch aarch64
-        
+
         ; ->start:
         // check if the bit is set
         ; ldr x6, ->var_addr
@@ -94,7 +94,11 @@ pub fn first_shellcode(var_addr: usize, alloc_len: usize) -> Result<Vec<u8>, Inj
     }
 }
 
-pub fn raw_dlopen_shellcode(dlopen_addr: usize, dlopen_path: String, jmp_addr: usize) -> Result<Vec<u8>, InjectionError> {
+pub fn raw_dlopen_shellcode(
+    dlopen_addr: usize,
+    dlopen_path: String,
+    jmp_addr: usize,
+) -> Result<Vec<u8>, InjectionError> {
     debug!("raw_dlopen_shellcode aarch64");
 
     let mut ops = dynasmrt::aarch64::Assembler::new().unwrap();
@@ -184,4 +188,4 @@ pub fn self_jmp() -> Result<Vec<u8>, InjectionError> {
         Ok(shellcode) => Ok(shellcode.to_vec()),
         Err(_) => Err(InjectionError::ShellcodeError),
     }
-}
+}