Linking must be done “manually” by the native code itself, before the methods are used.
This lets the native functions have any name (read: obfuscation!).
A fixed method (JNI_OnLoad) is called after the lib is loaded.
Library registers the mapping between Java methods and native methods using RegisterNatives.
Every native method must be registered this way (one JNINativeMethod entry per method).
```c
jint RegisterNatives(JNIEnv *env, jclass clazz,
                     const JNINativeMethod *methods, jint nMethods);

typedef struct {
    char *name;       /* Java method name */
    char *signature;  /* JNI type descriptor, e.g. "(Ljava/lang/String;I)Z" */
    void *fnPtr;      /* address of the native implementation */
} JNINativeMethod;
```
Reverse engineering of the library blob is the most viable alternative.
Some symbols must always be available: JNI_OnLoad.
The remaining symbols are usually present, although they may have obfuscated names.
Load the library in a tool: ghidra, IDA, BinaryNinja, R2, etc…
Find the JNI_OnLoad method.
Determine when RegisterNatives is called.
Determine the arguments passed to the function.
This reveals the method mapping (the JNINativeMethod table) and the signature of each function.
The argument types may also help identify what the method does.
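Once the table address (the third argument of the RegisterNatives call) has been recovered, the rest can be scripted. As an added example that is not part of these notes, the following Python decodes a JNINativeMethod table from a 64-bit little-endian image and parses each signature descriptor into Java argument and return types; the image layout, load address and method names are constructed.

```python
import struct
PRIMS = {"Z": "boolean", "B": "byte", "C": "char", "S": "short", "I": "int",
         "J": "long", "F": "float", "D": "double", "V": "void"}  # JNI type codes

def parse_descriptor(sig):
    """Parse a JNI descriptor like "(Ljava/lang/String;I)Z" -> (arg types, return type)."""
    def one(i):  # parse one type starting at sig[i]; returns (java name, next index)
        dims = 0
        while sig[i] == "[":
            dims, i = dims + 1, i + 1
        if sig[i] == "L":  # object type: L<class>;
            end = sig.index(";", i)
            t, i = sig[i + 1:end].replace("/", "."), end + 1
        else:
            t, i = PRIMS[sig[i]], i + 1
        return t + "[]" * dims, i
    i, args = 1, []  # sig[0] is "("
    while sig[i] != ")":
        t, i = one(i)
        args.append(t)
    return args, one(i + 1)[0]

def cstr(blob, off):  # NUL-terminated string at file offset off
    return blob[off:blob.index(b"\0", off)].decode()

def decode_table(blob, table_off, n_methods, base):
    """Walk n JNINativeMethod entries (3 LE64 pointers: name, signature, fnPtr) at table_off; pointers are relative to base."""
    out = []
    for k in range(n_methods):
        name_p, sig_p, fn_p = struct.unpack_from("<QQQ", blob, table_off + 24 * k)
        sig = cstr(blob, sig_p - base)
        args, ret = parse_descriptor(sig)
        out.append({"name": cstr(blob, name_p - base), "signature": sig,
                    "fnptr": fn_p, "args": args, "ret": ret})
    return out

BASE = 0x70000000  # constructed load address for the sample image below
def build_sample_image():
    """Constructed stand-in for a .so data section: string pool at offset 0,
    two-entry JNINativeMethod table at offset 0x80 pointing into it."""
    pool, offs = bytearray(), {}
    for s in (b"a", b"(Ljava/lang/String;I)Z", b"b", b"([BJ)V"):
        offs[s] = len(pool)
        pool += s + b"\0"
    img = pool + b"\0" * (0x80 - len(pool))
    for name, sig, fn in ((b"a", b"(Ljava/lang/String;I)Z", 0x1234),
                          (b"b", b"([BJ)V", 0x2468)):
        img += struct.pack("<QQQ", BASE + offs[name], BASE + offs[sig], BASE + fn)
    return bytes(img), 0x80, 2
```

On a real library the same walk applies to the bytes of the section holding the table, with the load base taken from the ELF program headers.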