Comments (2)
Sorry, I forgot to attach the log:
"C:\Program Files\Java\jdk1.8.0_201\bin\java.exe" "-javaagent:D:\Program Files\JetBrains\IntelliJ IDEA Community Edition 2019.1\lib\idea_rt.jar=59486:D:\Program Files\JetBrains\IntelliJ IDEA Community Edition 2019.1\bin" -Dfile.encoding=UTF-8 -classpath "C:\Program Files\Java\jdk1.8.0_201\jre\lib\charsets.jar;C:\Program Files\Java\jdk1.8.0_201\jre\lib\deploy.jar;C:\Program Files\Java\jdk1.8.0_201\jre\lib\ext\access-bridge-64.jar;C:\Program Files\Java\jdk1.8.0_201\jre\lib\ext\cldrdata.jar;C:\Program Files\Java\jdk1.8.0_201\jre\lib\ext\dnsns.jar;C:\Program Files\Java\jdk1.8.0_201\jre\lib\ext\jaccess.jar;C:\Program Files\Java\jdk1.8.0_201\jre\lib\ext\jfxrt.jar;C:\Program Files\Java\jdk1.8.0_201\jre\lib\ext\localedata.jar;C:\Program Files\Java\jdk1.8.0_201\jre\lib\ext\nashorn.jar;C:\Program Files\Java\jdk1.8.0_201\jre\lib\ext\sunec.jar;C:\Program Files\Java\jdk1.8.0_201\jre\lib\ext\sunjce_provider.jar;C:\Program Files\Java\jdk1.8.0_201\jre\lib\ext\sunmscapi.jar;C:\Program Files\Java\jdk1.8.0_201\jre\lib\ext\sunpkcs11.jar;C:\Program Files\Java\jdk1.8.0_201\jre\lib\ext\zipfs.jar;C:\Program Files\Java\jdk1.8.0_201\jre\lib\javaws.jar;C:\Program Files\Java\jdk1.8.0_201\jre\lib\jce.jar;C:\Program Files\Java\jdk1.8.0_201\jre\lib\jfr.jar;C:\Program Files\Java\jdk1.8.0_201\jre\lib\jfxswt.jar;C:\Program Files\Java\jdk1.8.0_201\jre\lib\jsse.jar;C:\Program Files\Java\jdk1.8.0_201\jre\lib\management-agent.jar;C:\Program Files\Java\jdk1.8.0_201\jre\lib\plugin.jar;C:\Program Files\Java\jdk1.8.0_201\jre\lib\resources.jar;C:\Program Files\Java\jdk1.8.0_201\jre\lib\rt.jar;D:\Users\Desktop\unidbg-master\target\test-classes;D:\Users\Desktop\unidbg-master\target\classes;C:\Users\Admin.m2\repository\org\unicorn-engine\unicorn\1.0.1\unicorn-1.0.1.jar;C:\Users\Admin.m2\repository\org\capstone-engine\capstone\3.0.5\capstone-3.0.5.jar;C:\Users\Admin.m2\repository\keystone\java-bindings\0.9.1-2\java-bindings-0.9.1-2.jar;C:\Users\Admin.m2\repository\net\java\dev\jna\jna-platform\4.5.1\jna-platform-4.5.1.jar;C:\Users\Admin.m2\repository\cn\banny\utils\0.0.8\utils-0.0.8.jar;C:\Users\Admin.m2\repository\net\java\dev\jna\jna\4.5.2\jna-4.5.2.jar;C:\Users\Admin.m2\repository\commons-io\commons-io\2.4\commons-io-2.4.jar;C:\Users\Admin.m2\repository\commons-logging\commons-logging\1.1.3\commons-logging-1.1.3.jar;C:\Users\Admin.m2\repository\net\dongliu\apk-parser\2.6.4\apk-parser-2.6.4.jar;C:\Users\Admin.m2\repository\io\kaitai\kaitai-struct-runtime\0.8\kaitai-struct-runtime-0.8.jar;C:\Users\Admin.m2\repository\log4j\log4j\1.2.17\log4j-1.2.17.jar;C:\Users\Admin.m2\repository\junit\junit\3.8.2\junit-3.8.2.jar;C:\Users\Admin.m2\repository\commons-codec\commons-codec\1.11\commons-codec-1.11.jar;C:\Users\Admin.m2\repository\org\slf4j\slf4j-api\1.7.26\slf4j-api-1.7.26.jar;C:\Users\Admin.m2\repository\org\slf4j\slf4j-log4j12\1.7.26\slf4j-log4j12-1.7.26.jar;D:\Users\Desktop\unidbg-master\prebuilt\jar\capstone-3.0.5.jar;D:\Users\Desktop\unidbg-master\prebuilt\jar\java-bindings-0.9.1-2.jar;D:\Users\Desktop\unidbg-master\prebuilt\jar\unicorn-1.0.1.jar;D:\Users\Desktop\unidbg-master\prebuilt\jar\utils-0.0.8.jar" cn.passguard.PassGuardEncrypt
[16:37:36 774] INFO [cn.banny.unidbg.linux.AndroidElfLoader] (AndroidElfLoader:200) - [libLLVM.so]symbol ElfSymbol[name=__modsi3, type=function, size=0] is missing relocationAddr=unicorn@0x413fed24[libLLVM.so]0x8fcd24, offset=0x0
[16:37:36 777] INFO [cn.banny.unidbg.linux.AndroidElfLoader] (AndroidElfLoader:200) - [libLLVM.so]symbol ElfSymbol[name=__umoddi3, type=function, size=0] is missing relocationAddr=unicorn@0x413fed2c[libLLVM.so]0x8fcd2c, offset=0x0
[16:37:36 777] INFO [cn.banny.unidbg.linux.AndroidElfLoader] (AndroidElfLoader:200) - [libLLVM.so]symbol ElfSymbol[name=__moddi3, type=function, size=0] is missing relocationAddr=unicorn@0x413fedd0[libLLVM.so]0x8fcdd0, offset=0x0
[16:37:36 778] INFO [cn.banny.unidbg.linux.AndroidElfLoader] (AndroidElfLoader:200) - [libLLVM.so]symbol ElfSymbol[name=__clear_cache, type=function, size=0] is missing relocationAddr=unicorn@0x413feed8[libLLVM.so]0x8fced8, offset=0x0
[16:37:36 778] INFO [cn.banny.unidbg.linux.AndroidElfLoader] (AndroidElfLoader:200) - [libbcc.so]symbol ElfSymbol[name=__clear_cache, type=function, size=0] is missing relocationAddr=unicorn@0x41427fec[libbcc.so]0x20fec, offset=0x0
[16:37:36 843] INFO [cn.banny.unidbg.linux.ARMSyscallHandler] (ARMSyscallHandler:1581) - openat dirfd=-100, pathname=/proc/filesystems, oflags=0x20000, mode=0
[16:37:36 893] INFO [cn.banny.unidbg.linux.ARMSyscallHandler] (ARMSyscallHandler:1581) - openat dirfd=-100, pathname=/dev/smem_log, oflags=0x20002, mode=0
[16:37:36 895] INFO [cn.banny.unidbg.linux.ARMSyscallHandler] (ARMSyscallHandler:1581) - openat dirfd=-100, pathname=/system/etc/qmi_fw.conf, oflags=0x20000, mode=0
[16:37:37 167] WARN [cn.banny.unidbg.linux.ARMSyscallHandler] (ARMSyscallHandler:383) - handleInterrupt intno=2, NR=125, svcNumber=0x0, PC=unicorn@0x401cc284[libc.so]0x41284, syscall=null
unicorn.UnicornException: No memory available or memory not present (UC_ERR_NOMEM)
at unicorn.Unicorn.mem_protect(Native Method)
at cn.banny.unidbg.spi.AbstractLoader.mprotect(AbstractLoader.java:188)
at cn.banny.unidbg.linux.ARMSyscallHandler.mprotect(ARMSyscallHandler.java:1478)
at cn.banny.unidbg.linux.ARMSyscallHandler.hook(ARMSyscallHandler.java:214)
at unicorn.Unicorn.invokeInterruptCallbacks(Unicorn.java:123)
at unicorn.Unicorn.emu_start(Native Method)
at cn.banny.unidbg.AbstractEmulator.emulate(AbstractEmulator.java:267)
at cn.banny.unidbg.AbstractEmulator.eFunc(AbstractEmulator.java:360)
at cn.banny.unidbg.arm.AbstractARMEmulator.eInit(AbstractARMEmulator.java:213)
at cn.banny.unidbg.linux.AbsoluteInitFunction.call(AbsoluteInitFunction.java:33)
at cn.banny.unidbg.linux.LinuxModule.callInitFunction(LinuxModule.java:46)
at cn.banny.unidbg.linux.AndroidElfLoader.loadInternal(AndroidElfLoader.java:171)
at cn.banny.unidbg.linux.AndroidElfLoader.loadInternal(AndroidElfLoader.java:30)
at cn.banny.unidbg.spi.AbstractLoader.load(AbstractLoader.java:211)
at cn.banny.unidbg.linux.android.dvm.BaseVM.loadLibrary(BaseVM.java:249)
at cn.passguard.PassGuardEncrypt.<init>(PassGuardEncrypt.java:55)
at cn.passguard.PassGuardEncrypt.main(PassGuardEncrypt.java:68)
[16:37:37 172] WARN [cn.banny.unidbg.AbstractEmulator] (AbstractEmulator:271) - emulate unicorn@0x401a168d[libc.so]0x1668d failed: sp=unicorn@0xbffff69c, offset=363ms
unicorn.UnicornException: No memory available or memory not present (UC_ERR_NOMEM)
at unicorn.Unicorn.mem_protect(Native Method)
at cn.banny.unidbg.spi.AbstractLoader.mprotect(AbstractLoader.java:188)
at cn.banny.unidbg.linux.ARMSyscallHandler.mprotect(ARMSyscallHandler.java:1478)
at cn.banny.unidbg.linux.ARMSyscallHandler.hook(ARMSyscallHandler.java:214)
at unicorn.Unicorn.invokeInterruptCallbacks(Unicorn.java:123)
at unicorn.Unicorn.emu_start(Native Method)
at cn.banny.unidbg.AbstractEmulator.emulate(AbstractEmulator.java:267)
at cn.banny.unidbg.AbstractEmulator.eFunc(AbstractEmulator.java:360)
at cn.banny.unidbg.arm.AbstractARMEmulator.eInit(AbstractARMEmulator.java:213)
at cn.banny.unidbg.linux.AbsoluteInitFunction.call(AbsoluteInitFunction.java:33)
at cn.banny.unidbg.linux.LinuxModule.callInitFunction(LinuxModule.java:46)
at cn.banny.unidbg.linux.AndroidElfLoader.loadInternal(AndroidElfLoader.java:171)
at cn.banny.unidbg.linux.AndroidElfLoader.loadInternal(AndroidElfLoader.java:30)
at cn.banny.unidbg.spi.AbstractLoader.load(AbstractLoader.java:211)
at cn.banny.unidbg.linux.android.dvm.BaseVM.loadLibrary(BaseVM.java:249)
at cn.passguard.PassGuardEncrypt.<init>(PassGuardEncrypt.java:55)
at cn.passguard.PassGuardEncrypt.main(PassGuardEncrypt.java:68)
[16:37:37 172] INFO [cn.banny.unidbg.linux.LinuxModule] (LinuxModule:39) - [libLLVM.so]__modsi3 symbol is missing before init relocationAddr=unicorn@0x413fed24[libLLVM.so]0x8fcd24
[16:37:37 173] INFO [cn.banny.unidbg.linux.LinuxModule] (LinuxModule:39) - [libLLVM.so]__umoddi3 symbol is missing before init relocationAddr=unicorn@0x413fed2c[libLLVM.so]0x8fcd2c
[16:37:37 173] INFO [cn.banny.unidbg.linux.LinuxModule] (LinuxModule:39) - [libLLVM.so]__moddi3 symbol is missing before init relocationAddr=unicorn@0x413fedd0[libLLVM.so]0x8fcdd0
[16:37:37 173] INFO [cn.banny.unidbg.linux.LinuxModule] (LinuxModule:39) - [libLLVM.so]__clear_cache symbol is missing before init relocationAddr=unicorn@0x413feed8[libLLVM.so]0x8fced8
[16:37:37 173] INFO [cn.banny.unidbg.linux.LinuxModule] (LinuxModule:39) - [libbcc.so]__clear_cache symbol is missing before init relocationAddr=unicorn@0x41427fec[libbcc.so]0x20fec
[16:37:37 177] INFO [cn.banny.unidbg.linux.ARMSyscallHandler] (ARMSyscallHandler:460) - ptrace request=0x0, pid=0, addr=null, data=null
getKey:124268048476002231160546874792054445205859695541773682585510549341692856527133748338173673409724680644261254462092544451007823053290585560919751502040858723643650222704101093197109429006854655834856230931813529754840873403742860610007429079738487054902351423296508023834355690216104617853526135691550059952419&65537
[16:37:37 201] INFO [cn.banny.unidbg.linux.AndroidElfLoader] (AndroidElfLoader:200) - [libLLVM.so]symbol ElfSymbol[name=__modsi3, type=function, size=0] is missing relocationAddr=unicorn@0x413fed24[libLLVM.so]0x8fcd24, offset=0x0
[16:37:37 201] INFO [cn.banny.unidbg.linux.AndroidElfLoader] (AndroidElfLoader:200) - [libLLVM.so]symbol ElfSymbol[name=__umoddi3, type=function, size=0] is missing relocationAddr=unicorn@0x413fed2c[libLLVM.so]0x8fcd2c, offset=0x0
[16:37:37 201] INFO [cn.banny.unidbg.linux.AndroidElfLoader] (AndroidElfLoader:200) - [libLLVM.so]symbol ElfSymbol[name=__moddi3, type=function, size=0] is missing relocationAddr=unicorn@0x413fedd0[libLLVM.so]0x8fcdd0, offset=0x0
[16:37:37 201] INFO [cn.banny.unidbg.linux.AndroidElfLoader] (AndroidElfLoader:200) - [libLLVM.so]symbol ElfSymbol[name=__clear_cache, type=function, size=0] is missing relocationAddr=unicorn@0x413feed8[libLLVM.so]0x8fced8, offset=0x0
[16:37:37 202] INFO [cn.banny.unidbg.linux.AndroidElfLoader] (AndroidElfLoader:200) - [libbcc.so]symbol ElfSymbol[name=__clear_cache, type=function, size=0] is missing relocationAddr=unicorn@0x41427fec[libbcc.so]0x20fec, offset=0x0
[16:37:37 202] INFO [cn.banny.unidbg.linux.LinuxModule] (LinuxModule:39) - [libLLVM.so]__modsi3 symbol is missing before init relocationAddr=unicorn@0x413fed24[libLLVM.so]0x8fcd24
[16:37:37 202] INFO [cn.banny.unidbg.linux.LinuxModule] (LinuxModule:39) - [libLLVM.so]__umoddi3 symbol is missing before init relocationAddr=unicorn@0x413fed2c[libLLVM.so]0x8fcd2c
[16:37:37 202] INFO [cn.banny.unidbg.linux.LinuxModule] (LinuxModule:39) - [libLLVM.so]__moddi3 symbol is missing before init relocationAddr=unicorn@0x413fedd0[libLLVM.so]0x8fcdd0
[16:37:37 202] INFO [cn.banny.unidbg.linux.LinuxModule] (LinuxModule:39) - [libLLVM.so]__clear_cache symbol is missing before init relocationAddr=unicorn@0x413feed8[libLLVM.so]0x8fced8
[16:37:37 202] INFO [cn.banny.unidbg.linux.LinuxModule] (LinuxModule:39) - [libbcc.so]__clear_cache symbol is missing before init relocationAddr=unicorn@0x41427fec[libbcc.so]0x20fec
[16:37:37 286] INFO [cn.banny.unidbg.linux.AndroidElfLoader] (AndroidElfLoader:200) - [libLLVM.so]symbol ElfSymbol[name=__modsi3, type=function, size=0] is missing relocationAddr=unicorn@0x413fed24[libLLVM.so]0x8fcd24, offset=0x0
[16:37:37 288] INFO [cn.banny.unidbg.linux.AndroidElfLoader] (AndroidElfLoader:200) - [libLLVM.so]symbol ElfSymbol[name=__umoddi3, type=function, size=0] is missing relocationAddr=unicorn@0x413fed2c[libLLVM.so]0x8fcd2c, offset=0x0
[16:37:37 289] INFO [cn.banny.unidbg.linux.AndroidElfLoader] (AndroidElfLoader:200) - [libLLVM.so]symbol ElfSymbol[name=__moddi3, type=function, size=0] is missing relocationAddr=unicorn@0x413fedd0[libLLVM.so]0x8fcdd0, offset=0x0
[16:37:37 289] INFO [cn.banny.unidbg.linux.LinuxModule] (LinuxModule:39) - [libLLVM.so]__modsi3 symbol is missing before init relocationAddr=unicorn@0x413fed24[libLLVM.so]0x8fcd24
[16:37:37 289] INFO [cn.banny.unidbg.linux.LinuxModule] (LinuxModule:39) - [libLLVM.so]__umoddi3 symbol is missing before init relocationAddr=unicorn@0x413fed2c[libLLVM.so]0x8fcd2c
[16:37:37 290] INFO [cn.banny.unidbg.linux.LinuxModule] (LinuxModule:39) - [libLLVM.so]__moddi3 symbol is missing before init relocationAddr=unicorn@0x413fedd0[libLLVM.so]0x8fcdd0
【 SM2Encrypt 】
SM2Encrypt arg0=00a61737d578677488bafb1a825b4426a31b760d73eb1edba10a86d3e608ee6c06|00d16a855df766e7e41540b76fb1dfcc68701e4761027f0fcec11390b4d1db88ca
SM2Encrypt arg1=aabbcc123
【 jstring2str 】
jstring2str arg0=
jstring2str arg1=����
jstring2str arg2=aabbcc123
[16:37:37 504] WARN [cn.banny.unidbg.linux.ARMSyscallHandler] (ARMSyscallHandler:383) - handleInterrupt intno=2, NR=-130672, svcNumber=0x112, PC=unicorn@0xfffe01b4, syscall=null
unicorn.UnicornException: dvmObject=null, dvmClass=null, jmethodID=unicorn@0x318b4ca9
at cn.banny.unidbg.linux.android.dvm.DalvikVM$19.handle(DalvikVM.java:308)
at cn.banny.unidbg.linux.ARMSyscallHandler.hook(ARMSyscallHandler.java:91)
at unicorn.Unicorn.invokeInterruptCallbacks(Unicorn.java:123)
at unicorn.Unicorn.emu_start(Native Method)
at cn.banny.unidbg.AbstractEmulator.emulate(AbstractEmulator.java:267)
at cn.banny.unidbg.AbstractEmulator.eFunc(AbstractEmulator.java:360)
at cn.banny.unidbg.arm.AbstractARMEmulator.eFunc(AbstractARMEmulator.java:201)
at cn.banny.unidbg.linux.LinuxModule.emulateFunction(LinuxModule.java:154)
at cn.banny.unidbg.linux.android.dvm.DvmClass.callStaticJniMethod(DvmClass.java:140)
at cn.passguard.PassGuardEncrypt.sig_1init(PassGuardEncrypt.java:203)
at cn.passguard.PassGuardEncrypt.main(PassGuardEncrypt.java:70)
[16:37:37 505] WARN [cn.banny.unidbg.AbstractEmulator] (AbstractEmulator:281) - emulate unicorn@0x40033c7d[libPassGuard.so]0x33c7d exception sp=unicorn@0xbffff684, msg=dvmObject=null, dvmClass=null, jmethodID=unicorn@0x318b4ca9, offset=11ms
destroy
Process finished with exit code 0
I found that there is a problem with how the arguments are passed. Please change PassGuardEncrypt.java to the following (after the change, the problem above still occurs):
package cn.passguard;

import cn.banny.auxiliary.Inspector;
import cn.banny.unidbg.Emulator;
import cn.banny.unidbg.LibraryResolver;
import cn.banny.unidbg.Module;
import cn.banny.unidbg.Symbol;
import cn.banny.unidbg.arm.ARMEmulator;
import cn.banny.unidbg.arm.HookStatus;
import cn.banny.unidbg.arm.context.RegisterContext;
import cn.banny.unidbg.hook.ReplaceCallback;
import cn.banny.unidbg.hook.hookzz.HookEntryInfo;
import cn.banny.unidbg.hook.hookzz.HookZz;
import cn.banny.unidbg.hook.hookzz.IHookZz;
import cn.banny.unidbg.hook.hookzz.WrapCallback;
import cn.banny.unidbg.hook.whale.IWhale;
import cn.banny.unidbg.hook.whale.Whale;
import cn.banny.unidbg.linux.android.AndroidARMEmulator;
import cn.banny.unidbg.linux.android.AndroidResolver;
import cn.banny.unidbg.linux.android.dvm.*;
import cn.banny.unidbg.memory.Memory;
import com.sun.jna.Pointer;
import utils.SignatureGen;

import java.io.File;
import java.io.IOException;

public class PassGuardEncrypt extends AbstractJni {

    private static final String APP_PACKAGE_NAME = "io.dcloud.H59193852";

    private static LibraryResolver createLibraryResolver() {
        return new AndroidResolver(23);
    }

    private static ARMEmulator createARMEmulator() {
        return new AndroidARMEmulator(APP_PACKAGE_NAME);
    }

    private final ARMEmulator emulator;
    private final VM vm;
    private final Module module;
    private final DvmClass PassGuardEncrypt;

    private PassGuardEncrypt() throws IOException {
        emulator = createARMEmulator();
        final Memory memory = emulator.getMemory();
        memory.setLibraryResolver(createLibraryResolver());
        memory.setCallInitFunction();
        vm = emulator.createDalvikVM(null);
        DalvikModule dm = vm.loadLibrary(new File("src/test/resources/example_binaries/armeabi-v7a/libPassGuard.so"), false);
        dm.callJNI_OnLoad(emulator);
        module = dm.getModule();
        PassGuardEncrypt = vm.resolveClass("cn/passguard/PassGuardEncrypt");
    }

    private void destroy() throws IOException {
        emulator.close();
        System.out.println("destroy");
    }

    public static void main(String[] args) throws Exception {
        PassGuardEncrypt test = new PassGuardEncrypt();
        test.sig_1init();
        test.destroy();
    }

    private void sig_1init() throws IOException {
        Number ret = PassGuardEncrypt.callStaticJniMethod(emulator, "getKey()Ljava/lang/String;");
        long hash = ret.intValue() & 0xffffffffL;
        StringObject checksum = vm.getObject(hash);
        System.out.println("getKey:" + checksum.getValue());

        IHookZz hookZz = HookZz.getInstance(emulator);
        // System.out.println("reg1:" + hookZz);
        // System.out.println("reg2:" + module);

        // SM2Encrypt
        hookZz.wrap(module.findSymbolByName("_Z32BB636C2CFA9E4B8ABE0FA1432BEBBBA4P7_JNIEnvP8_jobjectP8_jstringS4_"), new WrapCallback<RegisterContext>() {
            @Override
            public void preCall(Emulator emulator, RegisterContext ctx, HookEntryInfo info) {
                System.out.println("【 SM2Encrypt 】");
                Pointer pointer = ctx.getPointerArg(2);
                String str = pointer.getString(0);
                System.out.println("SM2Encrypt arg0=" + str);
                pointer = ctx.getPointerArg(3);
                str = pointer.getString(0);
                System.out.println("SM2Encrypt arg1=" + str);
            }

            @Override
            public void postCall(Emulator emulator, RegisterContext ctx, HookEntryInfo info) {
                System.out.println("realsm2 arg=");
            }
        });

        // realsm2
        IWhale whale = Whale.getInstance(emulator);
        Symbol free = emulator.getMemory().findModule("libPassGuard.so").findSymbolByName("_Z7realsm2RKSsS0_");
        whale.WInlineHookFunction(free, new ReplaceCallback() {
            @Override
            public HookStatus onCall(Emulator emulator, long originFunction) {
                System.out.println("【 realsm2 】");
                System.out.println("WInlineHookFunction free1=");
                Pointer pointer = emulator.getContext().getPointerArg(0);
                String str = pointer.getString(0);
                System.out.println("WInlineHookFunction free=" + str);
                return HookStatus.RET(emulator, originFunction);
            }
        });

        // jstring2str
        hookZz.wrap(module.findSymbolByName("_Z11jstring2strP7_JNIEnvP8_jstring"), new WrapCallback<RegisterContext>() {
            @Override
            public void preCall(Emulator emulator, RegisterContext ctx, HookEntryInfo info) {
                System.out.println("【 jstring2str 】");
                Pointer pointer = ctx.getPointerArg(0);
                String str = pointer.getString(0);
                System.out.println("jstring2str arg0=" + str);
                pointer = ctx.getPointerArg(1);
                str = pointer.getString(0);
                System.out.println("jstring2str arg1=" + str);
                pointer = ctx.getPointerArg(2);
                str = pointer.getString(0);
                System.out.println("jstring2str arg2=" + str);
            }

            @Override
            public void postCall(Emulator emulator, RegisterContext ctx, HookEntryInfo info) {
            }
        });

        // realsm2
        hookZz.wrap(module.findSymbolByName("_Z7realsm2RKSsS0_"), new WrapCallback<RegisterContext>() {
            @Override
            public void preCall(Emulator emulator, RegisterContext ctx, HookEntryInfo info) {
                System.out.println("【 realsm2 】");
                Pointer pointer = ctx.getPointerArg(2);
                String str = pointer.getString(0);
                System.out.println("realsm2 arg0=" + str);
            }

            @Override
            public void postCall(Emulator emulator, RegisterContext ctx, HookEntryInfo info) {
            }
        });

        // str2jstring
        hookZz.wrap(module.findSymbolByName("_Z11str2jstringP7_JNIEnvPKc"), new WrapCallback<RegisterContext>() {
            @Override
            public void preCall(Emulator emulator, RegisterContext ctx, HookEntryInfo info) {
                System.out.println("【 str2jstring 】");
                Pointer pointer = ctx.getPointerArg(0);
                String str = pointer.getString(0);
                System.out.println("str2jstring arg0=" + str);
                pointer = ctx.getPointerArg(1);
                str = pointer.getString(0);
                System.out.println("str2jstring arg1=" + str);
                pointer = ctx.getPointerArg(2);
                str = pointer.getString(0);
                System.out.println("str2jstring arg2=" + str);
            }

            @Override
            public void postCall(Emulator emulator, RegisterContext ctx, HookEntryInfo info) {
            }
        });

        // free = emulator.getMemory().findModule("libPassGuard.so").findSymbolByName("sub_32A06");
        // System.out.println("【 sub_32A06 】" + free);
        // whale.WInlineHookFunction(free, new ReplaceCallback() {
        //     @OverRide
        //     public HookStatus onCall(Emulator emulator, long originFunction) {
        //         System.out.println("【 sub_32A06 】2");
        //
        //         System.out.println("WInlineHookFunction free1=");
        //         Pointer pointer = emulator.getContext().getPointerArg(0);
        //         String str = pointer.getString(0);
        //         System.out.println("WInlineHookFunction free=" + str);
        //         return HookStatus.RET(emulator, originFunction);
        //     }
        // });

        final String key = "00a61737d578677488bafb1a825b4426a31b760d73eb1edba10a86d3e608ee6c06|00d16a855df766e7e41540b76fb1dfcc68701e4761027f0fcec11390b4d1db88ca";
        final String psw = "aabbcc123";
        ret = PassGuardEncrypt.callStaticJniMethod(emulator,
                "SM2Encrypt(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;",
                vm.addLocalObject(new StringObject(vm, key)),
                vm.addLocalObject(new StringObject(vm, psw)));
        vm.deleteLocalRefs();
        System.out.println("SM2Encrypt ret:" + ret);
        // long hash2 = ret.intValue() & 0xffffffffL;
        // StringObject checksum2 = vm.getObject(hash2);
        // vm.deleteLocalRefs();
        // System.out.println("SM2Encrypt value:" + checksum2.getValue());
    }

    @Override
    public DvmObject callStaticObjectMethod(BaseVM vm, DvmClass dvmClass, String signature, VarArg varArg) {
        if ("java/lang/System->getProperty(Ljava/lang/String;)Ljava/lang/String;".equals(signature)) {
            StringObject string = varArg.getObject(0);
            return new StringObject(vm, System.getProperty(string.getValue()));
        }
        return super.callStaticObjectMethod(vm, dvmClass, signature, varArg);
    }
}
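Added example, not code from the issue or from the unidbg project: the hooks in the posted file read the jstring arguments of the JNI function with `getPointerArg(...).getString(0)`, but in unidbg a jstring handle is a key into the Dalvik VM's object table (the value `vm.addLocalObject` returns), not a pointer to a C string, which is why the log prints garbage for `jstring2str arg1`. The variant below resolves arguments 2 and 3 of `SM2Encrypt` (the two jstring parameters after `JNIEnv*` and `jclass`) through `vm.getObject`, the same call the file already uses for the return value of `getKey()`; it assumes the `vm`, `module` and `hookZz` fields of the posted class and that `RegisterContext.getIntArg(int)` exists in this unidbg version.

```java
// Added example (not from the issue or the unidbg project): decode jstring
// arguments through the VM object table instead of reading them as C strings.
// Assumes fields `vm`, `module`, `hookZz` and that RegisterContext.getIntArg(int)
// exists in this unidbg version.
private static String jstringArg(VM vm, RegisterContext ctx, int index) {
    // JNI handles are 32-bit on armeabi-v7a; mask to an unsigned hash, as getKey() does.
    long hash = ctx.getIntArg(index) & 0xffffffffL;
    if (hash == 0) {
        return null; // a NULL jstring must not be resolved
    }
    DvmObject obj = vm.getObject(hash);
    if (obj instanceof StringObject) {
        return ((StringObject) obj).getValue();
    }
    // Not a string handle: report what it is instead of printing garbage bytes.
    return obj == null ? "<unknown handle 0x" + Long.toHexString(hash) + ">" : String.valueOf(obj);
}

// Same symbol as in the issue; r0 = JNIEnv*, r1 = jclass, r2 and r3 = the jstrings.
private void hookSm2Encrypt() {
    hookZz.wrap(module.findSymbolByName("_Z32BB636C2CFA9E4B8ABE0FA1432BEBBBA4P7_JNIEnvP8_jobjectP8_jstringS4_"),
            new WrapCallback<RegisterContext>() {
        @Override
        public void preCall(Emulator emulator, RegisterContext ctx, HookEntryInfo info) {
            System.out.println("SM2Encrypt key=" + jstringArg(vm, ctx, 2));
            System.out.println("SM2Encrypt psw=" + jstringArg(vm, ctx, 3));
        }

        @Override
        public void postCall(Emulator emulator, RegisterContext ctx, HookEntryInfo info) {
        }
    });
}
```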