Unidbg 调用方式对比

胡凯莉

Unidbg 调用方式对比

1、 签名调用

// 调用方法 StringObject---unidbg中
StringObject obj = cls.callStaticJniMethodObject(
    emulator,
    "get3desKey(Landroid/content/Context;)Ljava/lang/String;",
    ctxObject
);

2、callFunction 调用

2.1  基于符号的调用

• vm.addLocalObject(vm.resolveClass("com/yoloho/libcore/util/Crypt"))
  • 实现了把这个类的hash和内容 放入vm中
• number 类似内存地址
  • int result = number.intValue();  //得到内存地址
  • vm.getObject(result) //得到一个Unidbg中的StringObject  或者其他的Unidbg对象
  • vm.getObject(result).getValue() // 得到一个java中的String对象

Number number = module.callFunction(
    emulator,
    "Java_com_yoloho_libcore_util_Crypt_encrypt_1data",
    vm.getJNIEnv(),
    //vm.addLocalObject(vm.resolveClass("com/yoloho/libcore/util/Crypt").newObject(null)),
    vm.addLocalObject(vm.resolveClass("com/yoloho/libcore/util/Crypt")),
    0,
    vm.addLocalObject(new StringObject(vm, "64e6176e45397c5989504eHjtL0AQ==")),
    85
);
int result = number.intValue();
String v = (String) vm.getObject(result).getValue();
System.out.println(v);

2.2 基于偏移量的调用

• 直接写偏移量进行调用.
• 如果是32位的so文件  偏移量要+1

Number number = module.callFunction(
        emulator,
        0x2414,
        vm.getJNIEnv(),
        vm.addLocalObject(vm.resolveClass("com/yoloho/libcore/util/Crypt")),
        0,
        vm.addLocalObject(new StringObject(vm, "64e6176e45397c5...lKpHjtL0AQ==")),
        85
);
int result = number.intValue();
String v = (String) vm.getObject(result).getValue();
System.out.println(v);

3、执行so文件中C函数

 public void call_1() {
        int v7 = 0;

        UnidbgPointer v9 = memory.malloc(100, false).getPointer();
        v9.write("64e6176e45397c5989504e76f98ecf2e63b2679euser/login15131255555A4rE0CKaCsUMlKpHjtL0AQ==".getBytes());

        int v8 = 85;

        UnidbgPointer v11 = memory.malloc(100, false).getPointer();

        module.callFunction(
                emulator,
                0x1DA0,
                v7,
                v9,
                v8,
                v11
        );

        System.out.println(v11.getString(0));
        // byte[] bArr = v11.getByteArray(0,100);
        // Inspector.inspect(bArr,"结果");
    }

wapython

请问大佬，怎么判断签名啊

spawn_fly

非常感谢！！！！

zjunjie616

不错不错

胡凯莉

wapython 发表于 2023-6-24 13:33
请问大佬，怎么判断签名啊

jadx 下面有个smile代码 看一下就知道了

Daneellee

感谢楼主分享！

wapython

胡凯莉 发表于 2023-6-25 11:38
jadx 下面有个smile代码 看一下就知道了

哦哦，好，我弄弄，谢谢分享

zjh889

不错，谢谢大师分享！

sabirjan2023

libshell-superv.2019.so
libshell-supervbasic.2019.so
有点难度了

wasm2023

模拟执行报错如下：
JNIEnv->GetMethodID(java/lang/Boolean.booleanValue()Z) => 0x31f67dab was called from RX@0x40038588[libkwsgmain.so]0x38588
JNIEnv->CallBooleanMethodV(true, booleanValue() => true) was called from RX@0x400386b8[libkwsgmain.so]0x386b8
JNIEnv->GetObjectArrayElement([["82a9a01089d9dde7d24ff7d3ea0dbe9c"], "d7b7d042-d4f2-4012-be60-d97ff2429c17", java.lang.Integer@c038203, false, com.yxcorp.gifshow.App@cc285f4, null, true, "5059fbc5-cce9-4393-a49e-1dda976617c4"], 7) => "5059fbc5-cce9-4393-a49e-1dda976617c4" was called from RX@0x400422b4[libkwsgmain.so]0x422b4
JNIEnv->GetStringUtfChars("5059fbc5-cce9-4393-a49e-1dda976617c4") was called from RX@0x400422d4[libkwsgmain.so]0x422d4
JNIEnv->ReleaseStringUTFChars("5059fbc5-cce9-4393-a49e-1dda976617c4") was called from RX@0x400424a8[libkwsgmain.so]0x424a8
[18:19:45 964]  WARN [com.github.unidbg.arm.AbstractARM64Emulator] (AbstractARM64Emulator$1:66) - Fetch memory failed: address=0x9c00, size=1, value=0x0
[18:19:45 964]  WARN [com.github.unidbg.AbstractEmulator] (AbstractEmulator:417) - emulate RX@0x40040cd4[libkwsgmain.so]0x40cd4 exception sp=unidbg@0xbfffeae0, msg=unicorn.UnicornException: Invalid memory fetch (UC_ERR_FETCH_UNMAPPED), offset=18ms @ Runnable|Function64 address=0x40040cd4, arguments=[unidbg@0xfffe1640[libjnigraphics.so]0x640, 1734853116, 10418, 703504298]
Exception in thread "main" java.lang.NullPointerException
  at com.ks.Ks.callTarget(Ks.java:72)
  at com.ks.Ks.main(Ks.java:81)
这种说是unidbg的资源文件不支持arm64，请问大佬如何修改才能支持呢