某团系 mtgsig 2.4 unidbg 初始化512是什么原因引起的
package com.bytedance.frameworks.core.encrypt;import com.alibaba.fastjson.util.IOUtils;
import com.github.unidbg.AndroidEmulator;
import com.github.unidbg.Emulator;
import com.github.unidbg.Module;
import com.github.unidbg.file.FileResult;
import com.github.unidbg.file.IOResolver;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.linux.android.dvm.*;
import com.github.unidbg.linux.android.dvm.array.ArrayObject;
import com.github.unidbg.linux.android.dvm.array.ByteArray;
import com.github.unidbg.linux.android.dvm.wrapper.DvmInteger;
import com.github.unidbg.linux.android.dvm.wrapper.DvmLong;
import com.github.unidbg.linux.file.SimpleFileIO;
import com.github.unidbg.memory.Memory;
import java.io.File;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
/**
 * unidbg harness that loads {@code libmtguard.so} out of a Dianping APK, installs this
 * object as the JNI handler, and drives the library's {@code NBridge.main} entry point
 * with opcode 1. The JNI overrides below answer the library's callbacks with fixed
 * values; anything not listed is deferred to {@link AbstractJni}.
 *
 * <p>NOTE(review): two string literals in this paste are unterminated — the {@code case}
 * label for {@code ClassLoader->main2} in {@link #callStaticObjectMethodV} and the
 * method-name argument in {@link #callInit}. Everything after {@code (I} was lost
 * (presumably stripped by the forum's markup handling), so the file does not compile
 * as shown; restore both literals from the original source rather than guessing them.
 *
 * <p>NOTE(review): the package name ({@code com.bytedance...}) is unrelated to the
 * classes this harness targets — looks copied from another harness, confirm. Several
 * file-level imports ({@code Emulator}, {@code FileResult}, {@code IOResolver},
 * {@code ByteArray}, {@code DvmInteger}, {@code DvmLong}, {@code SimpleFileIO},
 * {@code StandardCharsets}, {@code ArrayList}, {@code List}) are not used by this class.
 */
public class SignInit extends AbstractJni{
// Emulator instance created in the constructor and closed by destroy().
private final AndroidEmulator emulator;
/**
 * Answers instance-field reads from the emulated library.
 *
 * <p>Only {@code ApplicationInfo.sourceDir} is handled, with a fixed APK install path
 * (the author marked this value as possibly wrong); other fields defer to AbstractJni.
 */
@Override
public DvmObject<?> getObjectField(BaseVM vm, DvmObject<?> dvmObject, String signature) {
switch (signature) {
case "android/content/pm/ApplicationInfo->sourceDir:Ljava/lang/String;": {
// may be problematic (author's note)
return new StringObject(vm, "/data/app/com.dianping.v1-qwNJHM8GgyD0JLDf5_jT2A==/base.apk");
}
}
return super.getObjectField(vm, dvmObject, signature);
}
/**
 * Answers instance-method calls that return an object.
 *
 * <p>{@code ClassLoader.loadClass} ignores the class-name argument and returns the
 * receiver's own DvmClass; {@code ContextImpl.getPackageManager} returns a fresh
 * PackageManager object with a null backing value. Other signatures defer to AbstractJni.
 */
@Override
public DvmObject<?> callObjectMethodV(BaseVM vm, DvmObject<?> dvmObject, String signature, VaList vaList) {
switch (signature) {
case "java/lang/ClassLoader->loadClass(Ljava/lang/String;)Ljava/lang/Class;": {
// The requested class name (argument 0) is not consulted.
return dvmObject.getObjectType();
}
case "android/app/ContextImpl->getPackageManager()Landroid/content/pm/PackageManager;":{
return vm.resolveClass("android/content/pm/PackageManager").newObject(null);
}
}
return super.callObjectMethodV(vm, dvmObject, signature, vaList);
}
/**
 * Answers static-field reads; supplies fixed {@code android.os.Build} values describing
 * a OnePlus GM1910 user build on Android 10. Fields without a case here (including the
 * commented-out ones kept below) defer to AbstractJni.
 */
@Override
public DvmObject<?> getStaticObjectField(BaseVM vm, DvmClass dvmClass, String signature) {
switch (signature) {
case "android/os/Build->BRAND:Ljava/lang/String;": {
return new StringObject(vm, "OnePlus");// brand
}
case "android/os/Build->TYPE:Ljava/lang/String;":{
return new StringObject(vm, "user");
}
case "android/os/Build->HARDWARE:Ljava/lang/String;":{
return new StringObject(vm, "qcom");// hardware
}
case "android/os/Build->MODEL:Ljava/lang/String;":{
return new StringObject(vm, "GM1910");// model
}
case "android/os/Build->TAGS:Ljava/lang/String;":{
return new StringObject(vm, "release-keys");
}
case "android/os/Build$VERSION->RELEASE:Ljava/lang/String;":{
// Android OS version string
return new StringObject(vm, "10");
}
// Alternatives the author tried and left disabled; kept verbatim.
// case "android/os/Build->BOARD:Ljava/lang/String;":{
// return new StringObject(vm, "msmnile");
// }
// case "java/lang/ClassLoader->PERMISSION_PHONE_READ:Ljava/lang/String;":{
// return new StringObject(vm, "Phone.read");
// }
// case "android/os/Build->SERIAL:Ljava/lang/String;":{
// return new StringObject(vm, "unknown");
// }
// case "android/os/Build->HOST:Ljava/lang/String;":{
// return new StringObject(vm, "ubuntu-12");
//
// }
}
return super.getStaticObjectField(vm, dvmClass, signature);
}
/**
 * Answers boolean instance-method calls. Every {@code File.canRead()} call, whatever the
 * receiver's path, gets {@code false}; other signatures defer to AbstractJni.
 */
@Override
public boolean callBooleanMethodV(BaseVM vm, DvmObject<?> dvmObject, String signature, VaList vaList) {
switch (signature){
case "java/io/File->canRead()Z":{
return false;
}
}
return super.callBooleanMethodV(vm, dvmObject, signature, vaList);
}
/**
 * Handles constructor calls. {@code new File(String)} is backed by a host
 * {@link java.io.File} built from the guest-supplied path string; java.io.File's
 * constructor only stores the path, so no host filesystem access happens here. The
 * author marked this mapping as possibly wrong. Other constructors defer to AbstractJni.
 */
@Override
public DvmObject<?> newObjectV(BaseVM vm, DvmClass dvmClass, String signature, VaList vaList) {
switch (signature) {
case "java/io/File-><init>(Ljava/lang/String;)V": {
// may be problematic (author's note)
return vm.resolveClass("java/io/File").newObject(new File(vaList.getObjectArg(0).toString()));
}
}
return super.newObjectV(vm, dvmClass, signature, vaList);
}
/**
 * Answers static-method calls that return an object.
 *
 * <ul>
 *   <li>{@code NBridge.getClassLoader}: a ClassLoader object whose backing value is the
 *       signature string itself.</li>
 *   <li>{@code ClassLoader.main2}: dispatches on the int opcode in argument 0 and returns
 *       fixed strings, a Context object (opcode 2) or {@code null} (opcodes 3 and 41).
 *       NOTE(review): the case label is truncated in this paste (see the class comment).
 *       NOTE(review): there is no {@code break} after the inner switch, so an opcode with
 *       no matching case falls through into the {@code System.getProperty} case below and
 *       reads argument 0 as an object — presumably unintended; add {@code break;} after
 *       the inner switch.</li>
 *   <li>{@code System.getProperty}: fixed answers for the proxy-host keys and
 *       {@code java.io.tmpdir}; other keys break out and defer to AbstractJni.</li>
 *   <li>{@code SystemProperties.get}: fixed answers for {@code ro.build.id} and the USB
 *       config/state keys; other keys break out and defer to AbstractJni.</li>
 * </ul>
 *
 * <p>Every handled call is traced to stdout; the {@code getProperty} case prints the key
 * twice (once bare, once via {@code getValue()}).
 */
@Override
public DvmObject<?> callStaticObjectMethodV(BaseVM vm, DvmClass dvmClass, String signature, VaList vaList) {
switch (signature) {
case "com/meituan/android/common/mtguard/NBridge->getClassLoader()Ljava/lang/ClassLoader;": {
return vm.resolveClass("java/lang/ClassLoader").newObject(signature);
}
// NOTE(review): unterminated literal — the signature text after "(I" is missing.
case "java/lang/ClassLoader->main2(I:{
int num = vaList.getIntArg(0);
System.out.println("fuck Num:" + num);
switch (num) {
case 1: {
return new StringObject(vm, "com.dianping.v1");
}
case 2:{
DvmObject<?> context = vm.resolveClass("android/content/Context").newObject(null);// context
return context;
}
case 4: {
return new StringObject(vm, "ms_com.dianping.v1.png");
}
case 5: {
return new StringObject(vm, "ppd_com.dianping.v1.xbt");
}
case 6: {
return new StringObject(vm, "5.16.6");
}
case 3:
case 41: {
return null;
}
}
// NOTE(review): no break here — unmatched opcodes fall through into the next case.
}
case "java/lang/System->getProperty(Ljava/lang/String;)Ljava/lang/String;":{
String propertyKey = vm.getObject(vaList.getObjectArg(0).hashCode()).getValue().toString();
System.out.println(propertyKey);
System.out.println("propertyKey :"+vaList.getObjectArg(0).getValue());
switch (propertyKey){
case "http.proxyHost":
case "https.proxyHost": {
// The literal string "null", not a null reference.
return new StringObject(vm, "null");
}
case "java.io.tmpdir":{
return new StringObject(vm, "/data/user/0/com.dianping.v1/cache");
}
}
break;
}
case "android/os/SystemProperties->get(Ljava/lang/String;)Ljava/lang/String;":{
String propertyKey = vm.getObject(vaList.getObjectArg(0).hashCode()).getValue().toString();
System.out.println("SystemProperties: "+propertyKey);
switch (propertyKey) {
case "ro.build.id": {
return new StringObject(vm, "QKQ1.190716.003");
}
case "persist.sys.usb.config":{
// may be problematic (author's note); value taken from a frida hook: adb
return new StringObject(vm, "diag,serial_cdev,rmnet,adb");
}
case "sys.usb.config":
case "sys.usb.state": {
// may be problematic (author's note); value taken from a frida hook: adb
return new StringObject(vm, "ptp,adb");
}
}
// return new StringObject(vm, "");
}
break;
}
return super.callStaticObjectMethodV(vm, dvmClass, signature, vaList);
}
// Controls vm.setVerbose(...) and whether destroy() prints a message.
private final boolean logging;
// Dalvik VM created from the APK in the constructor.
private final VM vm;
// Module handle for libmtguard.so; assigned in the constructor but never read here.
private final Module module;
// Resolved NBridge class, the target of callInit().
private final DvmClass NBridge;
/**
 * Builds a 64-bit Android emulator, creates the Dalvik VM from the bundled APK, loads
 * {@code libmtguard.so}, installs this object as the JNI handler and runs JNI_OnLoad.
 *
 * <p>The APK and .so paths are relative to the working directory (the unidbg-android
 * test tree). NOTE(review): {@code vm.setJni(this)} is called after {@code loadLibrary};
 * if loading already triggers JNI callbacks (the author's comment says init_array runs
 * on load) those would arrive before this handler is installed — confirm. NOTE(review):
 * no IOResolver is registered here although the IOResolver/SimpleFileIO imports suggest
 * one was intended — confirm.
 *
 * @param logging whether JNI call details are printed and destroy() logs
 */
SignInit(boolean logging) {
this.logging = logging;
// Create the emulator; the author recommends the app's real process name so that
// process-name checks are satisfied.
emulator = AndroidEmulatorBuilder.for64Bit().setProcessName("com.dianping.v1").build();
final Memory memory = emulator.getMemory(); // the emulator's memory interface
memory.setLibraryResolver(new AndroidResolver(23)); // resolver for the API-23 system libraries
vm = emulator.createDalvikVM(new File("unidbg-android/src/test/java/com/dianp_11_0_23.apk")); // create the Dalvik VM from this APK
vm.setVerbose(logging); // whether JNI call details are printed
DalvikModule dm = vm.loadLibrary(new File("unidbg-android/src/test/java/com/libmtguard.so"), false); // load libmtguard.so into unicorn memory; per the author, init_array etc. run automatically after a successful load
vm.setJni(this);
module = dm.getModule(); // module handle for libmtguard.so
dm.callJNI_OnLoad(emulator); // invoke JNI_OnLoad manually
NBridge = vm.resolveClass("com/meituan/android/common/mtguard/NBridge");
}
/**
 * Closes the emulator (via fastjson's {@code IOUtils.close}) and, when logging is on,
 * prints "destroy" to stdout.
 */
void destroy() {
IOUtils.close(emulator);
if (logging) {
System.out.println("destroy");
}
}
/**
 * Invokes {@code NBridge.main} with opcode 1 and a one-element String[] holding a
 * UUID-shaped token, then parses element 0 of the returned array as the status code.
 *
 * <p>NOTE(review): the method-name literal is truncated in this paste (see the class
 * comment). {@code getValue()[0]} throws ArrayIndexOutOfBoundsException on an empty
 * result and {@code Integer.parseInt} throws NumberFormatException on a non-numeric
 * element; both propagate out of main uncaught.
 *
 * @throws RuntimeException when the returned status code is non-zero
 */
private void callInit() {
ArrayObject dvmObject = NBridge.callStaticJniMethodObject(emulator,
"main(I,
1,
ArrayObject.newStringArray(vm, "4069cb78-e02b-45f6-9f0a-b34ddccf389c"));
String ret = dvmObject.getValue()[0].getValue().toString();
int code = Integer.parseInt(ret);
if (code != 0) {
throw new RuntimeException("init失败: " + code);
}
System.out.println("init成功.");
}
/**
 * Entry point: builds the harness with logging on, runs the init call and tears down.
 *
 * <p>NOTE(review): destroy() is skipped when callInit() throws (non-zero status or a
 * parse failure), so the emulator is not closed on that path; wrapping callInit() in
 * try/finally with destroy() in the finally block would close it regardless.
 */
public static void main(String[] args) throws Exception {
SignInit test = new SignInit(true);
test.callInit();
test.destroy();
}
}
apk 是:com.dianping.v1_11.0.23_liqucn.com.apk
大概率是初始化的时候被检测到环境不正常
漁滒 发表于 2024-2-1 10:43
大概率是初始化的时候被检测到环境不正常
解决方式就只能看 so 源码了吗
mt的吗?
黄色土豆 发表于 2024-2-1 11:47
mt的吗?
对 2.4版本 的
DreamMark 发表于 2024-2-1 11:36
解决方式就只能看 so 源码了吗
最好当然是动静态一起分析,同时不排除有一些逻辑unidbg还没有实现,还需要自己实现才能跑
漁滒 发表于 2024-2-1 15:45
最好当然是动静态一起分析,同时不排除有一些逻辑unidbg还没有实现,还需要自己实现才能跑
unidbg 还有这种坑啊, 难搞, 我先调 rpc 吧
M团的mt2.4好像Unidbg模拟就可以正常执行,不过里面的设备信息是不对的,dfp和xid是要请求返回的,a2签名算法是对的。
shmilyaxy 发表于 2024-2-20 17:16
M团的mt2.4好像Unidbg模拟就可以正常执行,不过里面的设备信息是不对的,dfp和xid是要请求返回的,a2签名算 ...
不行的 ,初始化 就过不去。 我试过了。现在改为rpc 调用了
DreamMark 发表于 2024-2-20 18:06
不行的 ,初始化 就过不去。 我试过了。现在改为rpc 调用了
unidbg2.4 2.5都可以跑通,一年前我就试了。但是里面就像之前楼说的。 dfp什么的,是通过请求返回。风控过不去还是一堆无法用