Unidbg calling methods compared
# Unidbg calling methods compared
## 1. Calling by JNI signature
```java
// Calling a static JNI method that returns a StringObject (inside unidbg).
// cls is the resolved DvmClass of the target class; ctxObject is the DvmObject
// passed for the single Context argument.
StringObject obj = cls.callStaticJniMethodObject(
        emulator,
        "get3desKey(Landroid/content/Context;)Ljava/lang/String;",
        ctxObject
);
```
## 2. Calling via callFunction
### 2.1 Calling by symbol
- `vm.addLocalObject(vm.resolveClass("com/yoloho/libcore/util/Crypt"))`
- This puts the class's hash and contents into the VM.
- `number` behaves like a memory address.
- `int result = number.intValue(); // obtain the address`
- `vm.getObject(result) // obtain a unidbg StringObject or another unidbg object`
- `vm.getObject(result).getValue() // obtain a plain Java String`
```java
// Call the exported JNI function by its symbol name, supplying the JNI
// arguments by hand: JNIEnv*, jclass, (unused jobject slot), jstring, int.
Number number = module.callFunction(
        emulator,
        "Java_com_yoloho_libcore_util_Crypt_encrypt_1data",
        vm.getJNIEnv(),
        //vm.addLocalObject(vm.resolveClass("com/yoloho/libcore/util/Crypt").newObject(null)),
        vm.addLocalObject(vm.resolveClass("com/yoloho/libcore/util/Crypt")),
        0,
        vm.addLocalObject(new StringObject(vm, "64e6176e45397c5989504eHjtL0AQ==")),
        85
);
int result = number.intValue();                        // returned local-reference handle
String v = (String) vm.getObject(result).getValue();   // resolve the handle to the Java String
System.out.println(v);
```
![](https://img-pool-own.oss-cn-shanghai.aliyuncs.com/img/image-20230621143307974.png)
![](https://img-pool-own.oss-cn-shanghai.aliyuncs.com/img/image-20230621143629456.png)
### 2.2 Calling by offset
- Call the function directly by writing its **offset**.
- If the so file is 32-bit, the offset must have 1 added to it.
```java
// Same call as in 2.1, but addressed by the function's offset inside the module
// instead of by symbol name (useful when the export is stripped).
Number number = module.callFunction(
        emulator,
        0x2414,
        vm.getJNIEnv(),
        vm.addLocalObject(vm.resolveClass("com/yoloho/libcore/util/Crypt")),
        0,
        vm.addLocalObject(new StringObject(vm, "64e6176e45397c5...lKpHjtL0AQ==")),
        85
);
int result = number.intValue();                        // returned local-reference handle
String v = (String) vm.getObject(result).getValue();   // resolve the handle to the Java String
System.out.println(v);
```
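An added harness (not code from the post) that ties sections 2.1 and 2.2 together: it resolves the export's offset from the symbol table so the hard-coded value can be checked instead of guessed, then calls the function both ways and verifies the results agree. The apk and so paths, the process name, and the input string are hypothetical.

```java
import com.github.unidbg.AndroidEmulator;
import com.github.unidbg.Module;
import com.github.unidbg.Symbol;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.linux.android.dvm.*;
import java.io.File;

public class CryptHarness {
    static final String SYM = "Java_com_yoloho_libcore_util_Crypt_encrypt_1data";
    final AndroidEmulator emulator;
    final VM vm;
    final Module module;
    CryptHarness(File apk, File so) {
        emulator = AndroidEmulatorBuilder.for32Bit().setProcessName("com.yoloho").build();
        emulator.getMemory().setLibraryResolver(new AndroidResolver(23));
        vm = emulator.createDalvikVM(apk);   // the apk lets the so read its own package/signature data
        vm.setVerbose(true);                 // log every JNI call the so makes, like the trace in the replies
        DalvikModule dm = vm.loadLibrary(so, false);
        module = dm.getModule();
        dm.callJNI_OnLoad(emulator);
    }
    // Offset to hard-code for a section 2.2 style call; for 32-bit Thumb code the symbol value already carries the "+1" bit.
    long exportOffset(String name) {
        Symbol sym = module.findSymbolByName(name, false);
        if (sym == null) throw new IllegalStateException("export not found (stripped so?): " + name);
        return sym.getAddress() - module.base;
    }
    // JNIEnv*, jclass, unused jobject slot, jstring input, int mode: the argument list from section 2.1.
    // addLocalObject returns an int handle; the so only ever sees handles, never the Java objects.
    private Object[] jniArgs(String input, int mode) {
        int clsRef = vm.addLocalObject(vm.resolveClass("com/yoloho/libcore/util/Crypt"));
        int strRef = vm.addLocalObject(new StringObject(vm, input));
        return new Object[]{vm.getJNIEnv(), clsRef, 0, strRef, mode};
    }
    // The return value is again a handle; getObject resolves it back to the StringObject.
    String encryptBySymbol(String input, int mode) {
        Number ret = module.callFunction(emulator, SYM, jniArgs(input, mode));
        return (String) vm.getObject(ret.intValue()).getValue();
    }
    String encryptByOffset(long offset, String input, int mode) {
        Number ret = module.callFunction(emulator, offset, jniArgs(input, mode));
        return (String) vm.getObject(ret.intValue()).getValue();
    }
    public static void main(String[] args) {
        CryptHarness h = new CryptHarness(new File("target.apk"), new File("libcrypt.so")); // hypothetical paths
        long off = h.exportOffset(SYM);
        String bySym = h.encryptBySymbol("sample input", 85);
        if (!bySym.equals(h.encryptByOffset(off, "sample input", 85))) throw new AssertionError("offset is wrong");
        System.out.println(bySym);
    }
}
```

If the so is already stripped, `exportOffset` throws and the offset has to come from a disassembler instead, in which case the equality check above is the only way to confirm it.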
## 3. Executing a C function inside the so file
```java
// Calls an internal (non-JNI) C function by offset, passing raw buffers allocated
// in emulated memory. memory, module and emulator are fields of the test class.
public void call_1() {
    int v7 = 0;                                                   // first argument, passed as 0
    UnidbgPointer v9 = memory.malloc(100, false).getPointer();    // input buffer
    v9.write("64e6176e45397c5989504e76f98ecf2e63b2679euser/login15131255555A4rE0CKaCsUMlKpHjtL0AQ==".getBytes());
    int v8 = 85;                                                  // length of the input string above
    UnidbgPointer v11 = memory.malloc(100, false).getPointer();   // output buffer the function writes into
    module.callFunction(
            emulator,
            0x1DA0,
            v7,
            v9,
            v8,
            v11
    );
    System.out.println(v11.getString(0));                          // read the result back as a C string
    // byte[] bArr = v11.getByteArray(0, 100);
    // Inspector.inspect(bArr, "结果");
}
```

Could someone tell me how to determine the signature?

Thanks a lot!!!!

Nice, nice.

> wapython posted on 2023-6-24 13:33
> Could someone tell me how to determine the signature?

In jadx there is smali code underneath; take a look and you will see.

Thanks for sharing, OP!

> 胡凯莉 posted on 2023-6-25 11:38
> In jadx there is smali code underneath; take a look and you will see.

Oh, okay, I will try it. Thanks for sharing.

Nice, thanks for sharing, master!

libshell-superv.2019.so
libshell-supervbasic.2019.so
This one is a bit hard.
Emulation fails with the following error:
```
JNIEnv->GetMethodID(java/lang/Boolean.booleanValue()Z) => 0x31f67dab was called from RX@0x400385880x38588
JNIEnv->CallBooleanMethodV(true, booleanValue() => true) was called from RX@0x400386b80x386b8
JNIEnv->GetObjectArrayElement([["82a9a01089d9dde7d24ff7d3ea0dbe9c"], "d7b7d042-d4f2-4012-be60-d97ff2429c17", java.lang.Integer@c038203, false, com.yxcorp.gifshow.App@cc285f4, null, true, "5059fbc5-cce9-4393-a49e-1dda976617c4"], 7) => "5059fbc5-cce9-4393-a49e-1dda976617c4" was called from RX@0x400422b40x422b4
JNIEnv->GetStringUtfChars("5059fbc5-cce9-4393-a49e-1dda976617c4") was called from RX@0x400422d40x422d4
JNIEnv->ReleaseStringUTFChars("5059fbc5-cce9-4393-a49e-1dda976617c4") was called from RX@0x400424a80x424a8
WARN (AbstractARM64Emulator$1:66) - Fetch memory failed: address=0x9c00, size=1, value=0x0
WARN (AbstractEmulator:417) - emulate RX@0x40040cd40x40cd4 exception sp=unidbg@0xbfffeae0, msg=unicorn.UnicornException: Invalid memory fetch (UC_ERR_FETCH_UNMAPPED), offset=18ms @ Runnable|Function64 address=0x40040cd4, arguments=0x640, 1734853116, 10418, 703504298]
Exception in thread "main" java.lang.NullPointerException
at com.ks.Ks.callTarget(Ks.java:72)
at com.ks.Ks.main(Ks.java:81)
```
I was told this means unidbg's resource files do not support arm64. How should I modify it so that arm64 is supported?