Android逆向-Unidbg Cheatsheet

字数统计: 7.8k字   |   阅读时长≈ 41分

这里单独记录用的比较多的Unidbg代码片段.

Android逆向-Unidbg Cheatsheet

标准模板

代码模板

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
package com.kanxue.test2;

import com.github.unidbg.AndroidEmulator;
import com.github.unidbg.LibraryResolver;
import com.github.unidbg.Module;
import com.github.unidbg.Symbol;
import com.github.unidbg.arm.backend.DynarmicFactory;
import com.github.unidbg.arm.backend.Unicorn2Factory;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.linux.android.dvm.*;
import com.github.unidbg.linux.android.dvm.jni.ProxyDvmObject;
import com.github.unidbg.memory.Memory;

import java.io.File;
import java.util.ArrayList;
import java.util.List;

/**
 * https://bbs.pediy.com/thread-263345.htm
 */
public class MainActivity extends AbstractJni {

    public static void main(String[] args) {
        //long start = System.currentTimeMillis();
        MainActivity mainActivity = new MainActivity();
        //System.out.println("load offset=" + (System.currentTimeMillis() - start) + "ms");
        //mainActivity.crack();
    }

    private final AndroidEmulator emulator;
    private final VM vm;

    private final DalvikModule dm;
    private final Module module;
    private DvmClass MainActivityUtils;

    private MainActivity() {
        emulator = AndroidEmulatorBuilder
                .for32Bit()
                .addBackendFactory(new Unicorn2Factory(true))
            	.setProcessName("com.xxx.xxx")
                .build();
        Memory memory = emulator.getMemory();
        LibraryResolver resolver = new AndroidResolver(23);
        memory.setLibraryResolver(resolver);

        vm = emulator.createDalvikVM(new File("unidbg-android/src/test/java/com/right/lesson3/sinaInternational.apk"));
        vm.setVerbose(true);
        vm.setJni(this);
        dm = vm.loadLibrary(new File("unidbg-android/src/test/java/com/right/lesson3/libnet_crypto.so"), false);
        module = dm.getModule();
        dm.callJNI_OnLoad(emulator);
    }

    private static final char[] LETTERS = {
            'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M',
            'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z',
            'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm',
            'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z'
    };

    private void crack2() {
        // ...
    }
    private void crack() {
        // ...
    }
}

初始化

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
// 创建模拟器实例,建议使用实际进程名,可以规避进程名校验
emulator = AndroidEmulatorBuilder.for64Bit().setProcessName("com.xxx.xxx").build();
// 创建模拟器内存接口
final Memory memory = emulator.getMemory();
// 设置系统类库解析
memory.setLibraryResolver(new AndroidResolver(23));
// 创建 Android 虚拟机,传入 APK,unidbg 可以协助做一部分签名工作
vm = emulator.createDalvikVM(new File("unidbg-android/src/test/java/com/xxx/xxx.apk"));
// 创建 jobject, 如果没用到的话可以不写
cNative = vm.resolveClass("com/xxx/xxx");
// 加载 so 到虚拟内存,第二个参数的意思表示是否执行动态库的初始化代码
DalvikModule dm = vm.loadLibrary(new File("unidbg-android/src/test/java/com/xxx/libxxx.so"),true);
// 获取 so 模块的句柄
module = dm.getModule();
// 设置 JNI 
vm.setJni(this);
// 打印日志
vm.setVerbose(true);
// 调用 JNI_Onload
dm.callJNI_OnLoad(emulator);

导入包

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
// 导入通用且标准的类库
import com.github.unidbg.Emulator;
import com.github.unidbg.LibraryResolver;
import com.github.unidbg.arm.backend.Unicorn2Factory;
import com.github.unidbg.hook.hookzz.*;
import com.github.unidbg.linux.android.dvm.AbstractJni;
import com.github.unidbg.AndroidEmulator;
import com.github.unidbg.Module;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.linux.android.dvm.*;
import com.github.unidbg.linux.android.dvm.array.ByteArray;
import com.github.unidbg.memory.Memory;
import com.github.unidbg.memory.MemoryBlock;
import com.github.unidbg.pointer.UnidbgPointer;
import com.github.unidbg.utils.Inspector;
import com.sun.jna.Pointer;
import keystone.Keystone;
import keystone.KeystoneArchitecture;
import keystone.KeystoneEncoded;
import keystone.KeystoneMode;


import java.io.File;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.TreeMap;

开启日志

1
2
3
4
5
6
Logger.getLogger("com.github.unidbg.linux.ARM32SyscallHandler").setLevel(Level.DEBUG);
Logger.getLogger("com.github.unidbg.unix.UnixSyscallHandler").setLevel(Level.DEBUG);
Logger.getLogger("com.github.unidbg.AbstractEmulator").setLevel(Level.DEBUG);
Logger.getLogger("com.github.unidbg.linux.android.dvm.DalvikVM").setLevel(Level.DEBUG);
Logger.getLogger("com.github.unidbg.linux.android.dvm.BaseVM").setLevel(Level.DEBUG);
Logger.getLogger("com.github.unidbg.linux.android.dvm").setLevel(Level.DEBUG);

安卓模拟器(AndroidEmulator)

创建安卓模拟器(AndroidEmulator)

1
2
3
4
import com.github.unidbg.AndroidEmulator;
private final AndroidEmulator emulator;
// 创建模拟器实例,建议使用实际进程名,可以规避进程名校验
emulator = AndroidEmulatorBuilder.for64Bit().setProcessName("com.xxx.xxx").build();

创建Dalvik虚拟机(VM)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
VM createDalvikVM();

/**
 * @param apkFile 可为null
 */
VM createDalvikVM(File apkFile);

/**
 * jar as apk
 */
VM createDalvikVM(Class<?> callingClass);

// 创建 Android 虚拟机,传入 APK,unidbg 可以协助做一部分签名工作
vm = emulator.createDalvikVM(new File("unidbg-android/src/test/java/com/xxx/xxx.apk"));

创建内存(Memory)

1
2
// 创建模拟器内存接口
final Memory memory = emulator.getMemory();

启动多线程支持

[main]W/libc: pthread_create failed: clone failed: Out of memory · Issue #398 · zhkl0228/unidbg (github.com)

unidbg/unidbg-android/src/test/java/com/github/unidbg/android/SignalTest.java at 56c1397c639716817896766df9bbce9c3a0a15b9 · zhkl0228/unidbg

1
emulator.getSyscallHandler().setEnableThreadDispatcher(true);

跟踪(trace)

1
emulator.traceWrite(0xaaaaa, 0xdddddd)

Dalvik虚拟机(VM)

输出DEBUG日志

1
vm.setVerbose(true)

加载Java类

1
2
3
DvmClass cNative = vm.resolveClass("com/xxx/xxx");
// 一般还需要初始化为对象再进行使用
DvmObject<?> context = vm.resolveClass("android/content/Context").newObject(null);// context

加载so模块(DalvikModule)

1
2
// 加载 so 到虚拟内存,第二个参数的意思表示是否执行动态库的初始化代码
DalvikModule dm = vm.loadLibrary(new File("unidbg-android/src/test/java/com/xxx/libxxx.so"),true);

执行init

vm.loadLibrary第二个参数的意思表示是否执行动态库的初始化代码,即init段的函数。

设置JNI(调用so必须开启这个选项)⭐

1
2
3
4
// 设置 JNI 
// 首先必须保证主类是继承了AbstractJni的 
public class oasis extends AbstractJni {
vm.setJni(this);

打印debug日志

1
2
// 打印日志
vm.setVerbose(true);

内存(Memory)

解析安卓系统API

1
2
// 设置系统类库解析
memory.setLibraryResolver(new AndroidResolver(23));

DalvikModule

创建DalvikModule

1
2
// 加载 so 到虚拟内存,第二个参数的意思表示是否执行动态库的初始化代码
DalvikModule dm = vm.loadLibrary(new File("unidbg-android/src/test/java/com/xxx/libxxx.so"),true);

获取Module句柄

1
2
// 获取 so 模块的句柄
module = dm.getModule();

有关获得具体的Module:

1
2
3
4
// 获取某个具体SO的句柄
Module yourModule = emulator.getMemory().findModule("yourModuleName");
// 打印其基地址
System.out.println("baseAddr:"+yourModule.base);

调用JNI_Onload函数

1
2
// 调用 JNI_Onload
dm.callJNI_OnLoad(emulator);

Module

获取模块基地址

1
module.base

如果只主动加载一个SO,其基址恒为0x40000000 ,这是一个检测Unidbg的点,因而可以在 com/github/unidbg/memory/Memory.java 中做修改:

1
2
3
4
5
6
7
8
9
10
11
public interface Memory extends IO, Loader, StackMemory {

    long STACK_BASE = 0xc0000000L;
    int STACK_SIZE_OF_PAGE = 256; // 1024k

    // 修改内存映射的起始地址
    long MMAP_BASE = 0x40000000L;

    UnidbgPointer allocateStack(int size);
    UnidbgPointer pointer(long address);
    void setStackPoint(long sp);

获取函数地址

获取导出函数地址

1
2
3
4
5
// 加载so到虚拟内存
DalvikModule dm = vm.loadLibrary("libnative-lib.so", true);
// 加载好的 libscmain.so对应为一个模块
module = dm.getModule();
int address = (int) module.findSymbolByName("funcName").getAddress();

获取非导出函数地址

1
2
3
4
5
6
7
8
// 加载so到虚拟内存
DalvikModule dm = vm.loadLibrary("libnative-lib.so", true);
// 加载好的so对应为一个模块
module = dm.getModule();
// offset,在IDA中查看
int offset = 0x1768;
// 真实地址 = baseAddr + offset
int address = (int) (module.base + offset);

主动调用

调用JNI_Onload函数

1
2
// 调用 JNI_Onload
dm.callJNI_OnLoad(emulator);

调用Native函数(构造传参表)(有符号or无符号,给地址)

构造函数原型和传参一直都是写这种脚本的头号问题,之前写Xposed插件,Frida插件时也遇到过这种问题.这里我也有点没搞懂,不过现就放在这里吧.

如果拥有完整APK的话,应该可以通过Jadx在smali里面直接找到现成定义.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
// 构建函数参数格式
List<Object> args = new ArrayList<>(10);
// 各种基本参数格式兼容
// 参数1:JNIEnv *env
args.add(vm.getJNIEnv());
// 参数2:jobject或jclass 用不到直接填0即可
// DvmObject<?> cnative = cNative.newObject(null);
// args.add(cnative.hashCode());
args.add(0);
// 参数3 字符串对象
String input = "abcdef";
args.add(vm.addLocalObject(new StringObject(vm, input)));
// 参数4 bytes 数组
String input = "abcdef";
byte[] input_bytes = input.getBytes(StandardCharsets.UTF_8);
ByteArray input_byte_array = new ByteArray(vm,input_bytes);
args.add(vm.addLocalObject(input_byte_array));
// 参数5 bool 
// false 填 0,true 填 1
args.add(1);
// unidbg 主动调用函数
// 第二个参数是函数偏移量(thumb 记得+1)
// 第三个参数是参数列表
Number number = module.callFunction(emulator,0x10618, args.toArray());
String result = vm.getObject(number.intValue()).getValue().toString();
// return result;

下面是一个另一个例子:

1
int __fastcall Java_com_kanxue_test2_MainActivity_jnitest(JNIEnv *env, jclass cls, jstring str);

下面是成功执行的脚本:

有符号

有符号也可以有两种形式:

1
2
3
4
5
6
7
8
9
10
11
12
13

Module mod = dm.getModule();
Symbol sym = mod.findSymbolByName("Java_com_kanxue_test2_MainActivity_jnitest");
long offset = sym.getValue();

List<Object> args = new ArrayList<>(3);
args.add(vm.getJNIEnv());
args.add(0);
args.add(vm.addLocalObject(new StringObject(vm, "XuE")));

// 直接传字符串
Number number = mod.callFunction(emulator, "Java_com_kanxue_test2_MainActivity_jnitest", args.toArray());
System.out.println(number.intValue());

以及:

1
2
3
4
5
6
7
8
9
10
11
12
13
Module mod = dm.getModule();
Symbol sym = mod.findSymbolByName("Java_com_kanxue_test2_MainActivity_jnitest");
long offset = sym.getValue();

List<Object> args = new ArrayList<>(3);
args.add(vm.getJNIEnv());
args.add(0);
args.add(vm.addLocalObject(new StringObject(vm, "XuE")));


//        Number number = mod.callFunction(emulator, "Java_com_kanxue_test2_MainActivity_jnitest", args.toArray());
Number number = mod.callFunction(emulator, offset, args.toArray());
System.out.println(number.intValue());

无符号,传地址(万金油)

没有符号的话就只能选择直接传入地址。

但是这样的话就需要注意,如果是THUMB指令,Hook时需要在IDA上的地址上再+1,Patch时不需要

1
2
3
4
5
6
7
8
9
10
Module mod = dm.getModule();
Symbol sym = mod.findSymbolByName("Java_com_kanxue_test2_MainActivity_jnitest");

List<Object> args = new ArrayList<>(3);
args.add(vm.getJNIEnv());
args.add(0);
args.add(vm.addLocalObject(new StringObject(vm, "XuE")));

Number number2 = mod.callFunction(emulator, 0x9180 + 1, args.toArray());	// +1是不可缺的
System.out.println(number2.intValue());

jclass/jobject⭐

函数第二个参数有可能就是这个,不过由于大概率不会用上,因此平常直接加个0就好了。

1
2
3
4
args.add(0)

DvmObject<?> context = vm.resolveClass("android/content/Context").newObject(null);// context
list.add(vm.addLocalObject(context));

调用JNI方法

上面刚刚其实也是对一个JNI方法进行了尝试,但是是把他当成一个一般函数来使用的。下面使用JNI方法的专用调用方法,来简化过程:

1
2
DvmObject<?> obj = ProxyDvmObject.createObject(vm, this);
boolean success = obj.callJniMethodBoolean(emulator, "jnitest(Ljava/lang/String;)Z", str);

这里创建Dvm对象的时候,有个this,是把这个脚本的类映射到了虚拟机里面。因而这样调用JNI方法,实际上就确实是这个以这个脚本的名义去调用。

除此之外还有其他方法。

调用静态JNI方法

通过vm.resolveClass获取类对象,然后通过callStaticJniMethodObject方法来执行。

1
2
3
4
5
6
7
private final DvmClass TTEncryptUtils;
TTEncryptUtils = vm.resolveClass("com/bytedance/frameworks/core/encrypt/TTEncryptUtils");   // 获取Java类对象


byte[] data = new byte[16];
ByteArray array = TTEncryptUtils.callStaticJniMethodObject(emulator, "ttEncrypt([BI)[B", new ByteArray(vm, data), data.length); // 执行Jni方法
return array.getValue();

又有:

1
2
3
4
private DvmClass MainActivityUtils;
MainActivityUtils = vm.resolveClass("com/kanxue/test2/MainActivity");
long z = MainActivityUtils.callStaticJniMethodLong(emulator, "jnitest(Ljava/lang/String;)Z", "XuE");
System.out.println(z);

函数调用返回值

上接构造参数,并强制调用函数一节.最后通过module.callFunction强制调用了一个Native函数,并得到了返回值number.

1
2
// 获取最终返回值,同时运行过程中的汇编代码和寄存器值会写入到文件中
return vm.getObject(number.intValue()).getValue().toString();

Trace(很好用!)

1
2
3
4
5
6
7
8
9
10
// unicorn trace(贼好用!!!堪比 ida trace!!!)
String traceFile = "trace.txt";
PrintStream traceStream = null;
try{
    traceStream = new PrintStream(new FileOutputStream(traceFile), true);
} catch (FileNotFoundException e) {
    e.printStackTrace();
}
// 核心 trace 开启代码,也可以自己指定函数地址和偏移量
emulator.traceCode(module.base,module.base+module.size).setRedirect(traceStream);

这样,在模拟执行so的时候,就会把每一步执行的trace流也给记录下来.后期排查的时候也很好用.

Symbol获取so符号表

只要在IDA的Names界面里面有,就可以导出符号。

1
Symbol sbox0 = module.findSymbolByName("sbox0");

通过符号得到地址引用

1
2
3
4
5
6
Symbol sbox0 = module.findSymbolByName("sbox0"); // 在libttEncrypt.so模块中查找sbox0导出符号
Symbol sbox1 = module.findSymbolByName("sbox1");
Pointer sbox0_ref = sbox0.createPointer(emulator);	// 符号-->地址
Pointer sbox1_ref = sbox1.createPointer(emulator);
byte[] sbox0_array = sbox0_ref.getByteArray(0, 256); // 从地址指针获取数据
byte[] sbox1_array = sbox1_ref.getByteArray(0, 256);

指针

创建指针

1
2
3
4
// Memory.pointer方法
emulator.getMemory().pointer(0xaaaaa)
    
//

从指针读取数据

get作为前缀的一系列方法:

1
2
byte[] sbox0_array = sbox0_ref.getByteArray(0, 256); // 从地址指针获取数据
byte[] sbox1_array = sbox1_ref.getByteArray(0, 256);

修改数据

setInt等一系列方法:

1
2
3
4
public void patchVerify(){
    int patchCode = 0x4FF00100; // 
    emulator.getMemory().pointer(module.base + 0x1E86).setInt(0,patchCode);
}

写入数据

1
ptr.write("aaa".getBytes());

Inspect监视内存数据

1
Inspector.inspect(data, "ttEncrypt");

IDA附加

1
2
3
if (logging) {
	emulator.attach(DebuggerType.ANDROID_SERVER_V7); // 附加IDA android_server,可输入c命令取消附加继续运行
}

好像暂时只能附加IDA7.4的

Hook

HookZz wrap&instrument

这是最好用的。就用这个。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
IHookZz hookZz = HookZz.getInstance(emulator); // 加载HookZz,支持inline hook,文档看https://github.com/jmpews/HookZz
hookZz.enable_arm_arm64_b_branch(); // 测试enable_arm_arm64_b_branch,可有可无
hookZz.wrap(module.findSymbolByName("ss_encrypt"), new WrapCallback<RegisterContext>() { // inline wrap导出函数
    @Override
    public void preCall(Emulator<?> emulator, RegisterContext ctx, HookEntryInfo info) {
        Pointer pointer = ctx.getPointerArg(2);
        int length = ctx.getIntArg(3);
        byte[] key = pointer.getByteArray(0, length);
        Inspector.inspect(key, "ss_encrypt key");
    }
    @Override
    public void postCall(Emulator<?> emulator, RegisterContext ctx, HookEntryInfo info) {
        System.out.println("ss_encrypt.postCall R0=" + ctx.getLongArg(0));
    }
});
hookZz.disable_arm_arm64_b_branch();
hookZz.instrument(module.base + 0x00000F5C + 1, new InstrumentCallback<Arm32RegisterContext>() {
    @Override
    public void dbiCall(Emulator<?> emulator, Arm32RegisterContext ctx, HookEntryInfo info) { // 通过base+offset inline wrap内部函数,在IDA看到为sub_xxx那些
        // 根据调试,这里的getLongArg(3)就是getR3Long()
        System.out.println("R3=" + ctx.getLongArg(3) + ", R10=0x" + Long.toHexString(ctx.getR10Long()));
    }
});

以及

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
public void hook_312E0(){
    // 获取HookZz对象
    IHookZz hookZz = HookZz.getInstance(emulator); // 加载HookZz,支持inline hook,文档看https://github.com/jmpews/HookZz
    // enable hook
    hookZz.enable_arm_arm64_b_branch(); // 测试enable_arm_arm64_b_branch,可有可无
    // hook MDStringOld
    hookZz.wrap(module.base + 0x312E0 + 1, new WrapCallback<HookZzArm32RegisterContext>() { // inline wrap导出函数
        @Override
        // 方法执行前
        public void preCall(Emulator<?> emulator, HookZzArm32RegisterContext ctx, HookEntryInfo info) {
            Pointer input = ctx.getPointerArg(0);
            byte[] inputhex = input.getByteArray(0, ctx.getR2Int());
            Inspector.inspect(inputhex, "input");

            Pointer out = ctx.getPointerArg(1);
            ctx.push(out);
        };

        @Override
        // 方法执行后
        public void postCall(Emulator<?> emulator, HookZzArm32RegisterContext ctx, HookEntryInfo info) {
            Pointer output = ctx.pop();
            byte[] outputhex = output.getByteArray(0, 20);
            Inspector.inspect(outputhex, "output");
        }
    });
    hookZz.disable_arm_arm64_b_branch();
};


Dobby replace

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
Dobby dobby = Dobby.getInstance(emulator);
//            dobby.enable_arm_arm64_b_branch();
//            dobby.wrap(module.findSymbolByName("ss_encrypt"), new WrapCallback<RegisterContext>() {
//                @Override
//                public void preCall(Emulator<?> emulator, RegisterContext ctx, HookEntryInfo info) {
//                    Pointer pointer = ctx.getPointerArg(2);
//                    int length = ctx.getIntArg(3);
//                    byte[] key = pointer.getByteArray(0, length);
//                    Inspector.inspect(key, "ss_encrypt key");
//                }
//
//                public void postCall(Emulator<?> emulator, RegisterContext ctx, HookEntryInfo info) {
//                    System.out.println("ss_encrypt.postCall R0=" + ctx.getLongArg(0));
//                }
//            });
//            dobby.disable_arm_arm64_b_branch();
//            dobby.instrument(module.base + 0xF5C + 1, new InstrumentCallback<Arm32RegisterContext>() {
//                @Override
//                public void dbiCall(Emulator<?> emulator, Arm32RegisterContext ctx, HookEntryInfo info) {
//                    System.out.println("R3=" + ctx.getLongArg(3) + ", R10=0x" + Long.toHexString(ctx.getR10Long()));
//                }
//            });

dobby.replace(module.findSymbolByName("ss_encrypted_size"), new ReplaceCallback() { // 使用Dobby inline hook导出函数
    @Override
    public HookStatus onCall(Emulator<?> emulator, HookContext context, long originFunction) {
        System.out.println("ss_encrypted_size.onCall arg0=" + context.getIntArg(0) + ", originFunction=0x" + Long.toHexString(originFunction));
        return HookStatus.RET(emulator, originFunction);
    }
    @Override
    public void postCall(Emulator<?> emulator, HookContext context) {
        System.out.println("ss_encrypted_size.postCall ret=" + context.getIntArg(0));
    }
}, true);

xHook PLT hook

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
IxHook xHook = XHookImpl.getInstance(emulator); // 加载xHook,支持Import hook,文档看https://github.com/iqiyi/xHook
xHook.register("libttEncrypt.so", "strlen", new ReplaceCallback() { // hook libttEncrypt.so的导入函数strlen
    @Override
    public HookStatus onCall(Emulator<?> emulator, HookContext context, long originFunction) {
        Pointer pointer = context.getPointerArg(0); // r0寄存器,是字符串指针
        String str = pointer.getString(0);
        System.out.println("strlen=" + str);
//                    context.push(4546564);
//                    context.push("114514");
        return HookStatus.RET(emulator, originFunction);
    }
    @Override
    public void postCall(Emulator<?> emulator, HookContext context) {
//                    System.out.println("strlen=" + context.pop() + ", ret=" + context.getIntArg(0));
        System.out.println(", ret=" + context.getIntArg(0));
    }
}, true);
xHook.register("libttEncrypt.so", "memmove", new ReplaceCallback() {
    @Override
    public HookStatus onCall(Emulator<?> emulator, long originFunction) {
        RegisterContext context = emulator.getContext();
        Pointer dest = context.getPointerArg(0);
        Pointer src = context.getPointerArg(1);
        int length = context.getIntArg(2);
        Inspector.inspect(src.getByteArray(0, length), "memmove dest=" + dest);
        return HookStatus.RET(emulator, originFunction);
    }
});
xHook.register("libttEncrypt.so", "memcpy", new ReplaceCallback() {
    @Override
    public HookStatus onCall(Emulator<?> emulator, long originFunction) {
        RegisterContext context = emulator.getContext();
        Pointer dest = context.getPointerArg(0);
        Pointer src = context.getPointerArg(1);
        int length = context.getIntArg(2);
        Inspector.inspect(src.getByteArray(0, length), "memcpy dest=" + dest);
        return HookStatus.RET(emulator, originFunction);
    }
});
xHook.refresh(); // 使Import hook生效

Unicorn Hook

用Unicorn自带的Hook code方法。

Android逆向-实战so分析-某洲_v3.5.8_unidbg学习_android逆向so分析_哔哩哩!的博客-CSDN博客

这是一个代码级别Hook

1
2
3
4
5
6
7
8
9
10
11
12
13
emulator.getBackend().hook_add_new(new CodeHook() {
            @Override
            public void onAttach(Unicorn.UnHook unHook) { }

            @Override
            public void detach() { }

            @Override
            public void hook(Backend backend, long address, int size, Object user) {
                // 打印当前指令地址,注意需要将实际地址减去so基地址得到代码在文件中的偏移
                System.out.println(String.format("0x%x",address-module.base));
            }
        },module.base+0x8C50,module.base+0x42ED4,null);  // 指定监控起始地址与结束地址,记得加上so基址

获取寄存器的值

1
2
3
public void preCall(Emulator<?> emulator, HookZzArm32RegisterContext ctx, HookEntryInfo info) {
ctx.getR1Long()
emulator.getBackend().reg_read(ArmConst.UC_ARM_REG_R0) // 一样

执行引擎

Dynarmic

1
2
3
4
5
6
private static AndroidEmulator createARMEmulator() {
    return AndroidEmulatorBuilder.for32Bit()
            // 切换为Dynarmic引擎
            .addBackendFactory(new DynarmicFactory(true))
            .build();
}

Unicorn2

默认情况下自动使用

1
2
3
4
5
private static AndroidEmulator createARMEmulator() {
    return AndroidEmulatorBuilder.for32Bit()
    		.addBackendFactory(new Unicorn2Factory(true))
            .build();
}

Unicorn2的执行速度比Dynarmic应该有慢几十倍。Dynarmic跑一个爆破结果5s能结束,Unicorn2跑了1分钟多没反应。

参数构造

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
// 构建函数参数格式
List<Object> args = new ArrayList<>(10);

// 各种基本参数格式兼容
// 参数1:JNIEnv *env
args.add(vm.getJNIEnv());

// 参数2:jobject或jclass 用不到直接填0即可
DvmObject<?> context = vm.resolveClass("android/content/Context").newObject(null);// context
args.add(0);
// args.add(vm.addLocalObject(context))
// list.add(cnative.hashCode());	// 如果是jobject的话就传hashcode进去

// 参数3 字符串对象
String input = "abcdef";
args.add(vm.addLocalObject(new StringObject(vm, input)));

// 参数4 bytes 数组
String input = "abcdef";
byte[] input_bytes = input.getBytes(StandardCharsets.UTF_8);
ByteArray input_byte_array = new ByteArray(vm,input_bytes);
args.add(vm.addLocalObject(input_byte_array));

// 参数5 bool 
// false 填 0,true 填 1
args.add(1);
// unidbg 主动调用函数
// 第二个参数是函数偏移量(thumb 记得+1)
// 第三个参数是参数列表
Number number = module.callFunction(emulator,0x10618, args.toArray());
String result = vm.getObject(number.intValue()).getValue().toString();
// return result;

TreeMap

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
public void s(){
    List<Object> list = new ArrayList<>(10);
    list.add(vm.getJNIEnv()); // 第一个参数是env
    list.add(0); // 第二个参数,实例方法是jobject,静态方法是jclazz,直接填0,一般用不到。

    TreeMap<String, String> keymap = new TreeMap<String, String>();
    keymap.put("ad_extra", "E1133C23F36571A3F1FDE6B325B17419AAD45287455E5292A19CF51300EAF0F2664C808E2C407FBD9E50BD48F8ED17334F4E2D3A07153630BF62F10DC5E53C42E32274C6076A5593C23EE6587F453F57B8457654CB3DCE90FAE943E2AF5FFAE78E574D02B8BBDFE640AE98B8F0247EC0970D2FD46D84B958E877628A8E90F7181CC16DD22A41AE9E1C2B9CB993F33B65E0B287312E8351ADC4A9515123966ACF8031FF4440EC4C472C78C8B0C6C8D5EA9AB9E579966AD4B9D23F65C40661A73958130E4D71F564B27C4533C14335EA64DD6E28C29CD92D5A8037DCD04C8CCEAEBECCE10EAAE0FAC91C788ECD424D8473CAA67D424450431467491B34A1450A781F341ABB8073C68DBCCC9863F829457C74DBD89C7A867C8B619EBB21F313D3021007D23D3776DA083A7E09CBA5A9875944C745BB691971BFE943BD468138BD727BF861869A68EA274719D66276BD2C3BB57867F45B11D6B1A778E7051B317967F8A5EAF132607242B12C9020328C80A1BBBF28E2E228C8C7CDACD1F6CC7500A08BA24C4B9E4BC9B69E039216AA8B0566B0C50A07F65255CE38F92124CB91D1C1C39A3C5F7D50E57DCD25C6684A57E1F56489AE39BDBC5CFE13C540CA025C42A3F0F3DA9882F2A1D0B5B1B36F020935FD64D58A47EF83213949130B956F12DB92B0546DADC1B605D9A3ED242C8D7EF02433A6C8E3C402C669447A7F151866E66383172A8A846CE49ACE61AD00C1E42223");
    keymap.put("appkey", "1d8b6e7d45233436");
    keymap.put("autoplay_card", "11");
    keymap.put("banner_hash", "10687342131252771522");
    keymap.put("build", "6180500");
    keymap.put("c_locale", "zh_CN");
    keymap.put("channel", "shenma117");
    keymap.put("column", "2");
    keymap.put("device_name", "MIX2S");
    keymap.put("device_type", "0");
    keymap.put("flush", "6");
    keymap.put("ts", "1612693177");

    DvmClass Map = vm.resolveClass("java/util/Map");
    DvmClass AbstractMap = vm.resolveClass("java/util/AbstractMap",Map);
    DvmObject<?> input_map = vm.resolveClass("java/util/TreeMap", AbstractMap).newObject(keymap);
    list.add(vm.addLocalObject(input_map));
    Number number = module.callFunction(emulator, 0x1c97, list.toArray());
    DvmObject result = vm.getObject(number.intValue());
}

Int封装类

1
DvmInteger input2_3 = DvmInteger.valueOf(vm, 2);

ArrayObject

1
2
3
4
5
6
7
8
9
10
11
12
List<Object> list = new ArrayList<>(10);
list.add(vm.getJNIEnv()); // 第一个参数是env
list.add(0); // 第二个参数,实例方法是jobject,静态方法是jclazz,直接填0,一般用不到。
list.add(203);
StringObject input2_1 = new StringObject(vm, "9b69f861-e054-4bc4-9daf-d36ae205ed3e");
ByteArray input2_2 = new ByteArray(vm, "GET /aggroup/homepage/display __r0ysue".getBytes(StandardCharsets.UTF_8));
DvmInteger input2_3 = DvmInteger.valueOf(vm, 2);
vm.addLocalObject(input2_1);
vm.addLocalObject(input2_2);
vm.addLocalObject(input2_3);
// 完整的参数2
list.add(vm.addLocalObject(new ArrayObject(input2_1, input2_2, input2_3)));

汇编Patch

简单点的:

1
2
3
4
public void patchVerify(){
    int patchCode = 0x4FF00100; // 
    emulator.getMemory().pointer(module.base + 0x1E86).setInt(0,patchCode);
}

复杂点的考虑用Keystone做辅助:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
public void patchVerify1(){
    Pointer pointer = UnidbgPointer.pointer(emulator, module.base + 0x1E86);
    assert pointer != null;
    byte[] code = pointer.getByteArray(0, 4);
    if (!Arrays.equals(code, new byte[]{ (byte)0xFF, (byte) 0xF7, (byte) 0xEB, (byte) 0xFE })) { // BL sub_1C60
        throw new IllegalStateException(Inspector.inspectString(code, "patch32 code=" + Arrays.toString(code)));
    }
    try (Keystone keystone = new Keystone(KeystoneArchitecture.Arm, KeystoneMode.ArmThumb)) {
        KeystoneEncoded encoded = keystone.assemble("mov r0,1");
        byte[] patch = encoded.getMachineCode();
        if (patch.length != code.length) {
            throw new IllegalStateException(Inspector.inspectString(patch, "patch32 length=" + patch.length));
        }
        pointer.write(0, patch, 0, patch.length);
    }
};

补环境⭐

一般是补全AbstractJni里的方法。如果一个so调用了自定义的方法,Unidbg没有实现,那么就得自己去补全。

两种方法:

  1. 在源码AbstractJni.java/callStaticObjectMethodV里面补全,添加一个switch-case。
  2. 在脚本里面补全,因为为了调用Jni方法,首先主类必须继承AbstractJni。效果是一样的。
1
2
3
case "com/izuiyou/common/base/BaseApplication->getAppContext()Landroid/content/Context;": {
    System.out.println("TODO");
}

然后具体看一下该补什么:用Jadx看一下代码:

1
2
3
4
5
6
@NonNull
public static Context getAppContext() {
    PatchProxyResult proxy = PatchProxy.proxy(new Object[0], null, changeQuickRedirect, true, 45329, new Class[0], Context.class);
    return proxy.isSupported ? (Context) proxy.result : ___APPLICATION.getApplicationContext();
}

Proxy什么的我们不管,那么最后返回的应该是正常的getApplicationContext

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
@Override
public int callStaticIntMethodV(BaseVM vm, DvmClass dvmClass, String signature, VaList vaList) {
    switch (signature){
        case "com/izuiyou/common/base/BaseApplication->getAppContext()Landroid/content/Context;":{                
            return vm.resolveClass("android/content/Context").newObject(null);
        }

        case "android/content/Context->getClass()Ljava/lang/Class;":{
            return dvmObject.getObjectType();
        }
        case "java/lang/Class->getSimpleName()Ljava/lang/String;":{
            return new StringObject(vm, "AppController");
        }
        case "android/content/Context->getFilesDir()Ljava/io/File;":
        case "java/lang/String->getAbsolutePath()Ljava/lang/String;": {
            return new StringObject(vm, "/data/user/0/cn.xiaochuankeji.tieba/files");
        }
        case "android/os/Debug->isDebuggerConnected()Z":{
            return false;
        }
        case "android/os/Process->myPid()I":{
            return emulator.getPid();
        }

    }
    throw new UnsupportedOperationException(signature);
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
@Override
public boolean callBooleanMethod(BaseVM vm, DvmObject<?> dvmObject, String signature, VarArg varArg) {
    if ("java/util/Map->isEmpty()Z".equals(signature)) {
        TreeMap<String, String> treeMap = (TreeMap<String, String>)dvmObject.getValue();
        return treeMap.isEmpty();
    }

    return super.callBooleanMethod(vm, dvmObject, signature, varArg);
}

@Override
public DvmObject<?> callObjectMethod(BaseVM vm, DvmObject<?> dvmObject, String signature, VarArg varArg) {
    switch (signature) {
        case "java/util/Map->get(Ljava/lang/Object;)Ljava/lang/Object;": {
            StringObject keyobj = varArg.getObjectArg(0);
            String key = keyobj.getValue();

            TreeMap<String, String> treeMap = (TreeMap<String, String>) dvmObject.getValue();

            String value = treeMap.get(key);
            return new StringObject(vm, value);
        }
    }

    throw new UnsupportedOperationException(signature);
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
@Override
public DvmObject<?> callStaticObjectMethodV(BaseVM vm, DvmClass dvmClass, String signature, VaList vaList) {
    switch (signature) {
        case "com/meituan/android/common/mtguard/NBridge->getPicName()Ljava/lang/String;":{
            return new StringObject(vm, "ms_com.sankuai.meituan");
        }
        case "com/meituan/android/common/mtguard/NBridge->getSecName()Ljava/lang/String;":{
            return new StringObject(vm, "ppd_com.sankuai.meituan.xbt");
        }
        case "com/meituan/android/common/mtguard/NBridge->getAppContext()Landroid/content/Context;":{
            return vm.resolveClass("android/content/Context").newObject(null);
        }
        case "com/meituan/android/common/mtguard/NBridge->getMtgVN()Ljava/lang/String;": {
            return new StringObject(vm, "4.4.7.3");
        }
    }
    return super.callStaticObjectMethodV(vm, dvmClass, signature,vaList);
}

@Override
public DvmObject<?> callObjectMethodV(BaseVM vm, DvmObject<?> dvmObject, String signature, VaList vaList) {
    switch (signature) {
        case "android/content/Context->getPackageCodePath()Ljava/lang/String;":{
            return new StringObject(vm, "/data/app/com.sankuai.meituan-TEfTAIBttUmUzuVbwRK1DQ==/base.apk");
        }
    }
    return super.callObjectMethodV(vm, dvmObject, signature, vaList);
}

@Override
public int getIntField(BaseVM vm, DvmObject<?> dvmObject, String signature) {
    switch (signature){
        case "android/content/pm/PackageInfo->versionCode:I":{
            return 1100090405;
        }
    };
    return super.getIntField(vm, dvmObject, signature);
}

@Override
public DvmObject<?> newObjectV(BaseVM vm, DvmClass dvmClass, String signature, VaList vaList) {
    switch (signature) {
        case "java/lang/Integer-><init>(I)V":
            int input = vaList.getInt(0);
            return new DvmInteger(vm, input);
    }
    return super.newObjectV(vm, dvmClass, signature, vaList);
}

还可以单独写个utils.java来直接在Java里面实现一些函数的功能(直接赋值jadx的伪代码)

1
2
3
4
5
6
7
8
9
10
11
12
@Override
public DvmObject<?> callStaticObjectMethod(BaseVM vm, DvmClass dvmClass, String signature, VarArg varArg) {
    switch (signature){
        case "com/bilibili/nativelibrary/SignedQuery->r(Ljava/util/Map;)Ljava/lang/String;":{
            DvmObject<?> mapObject = varArg.getObjectArg(0);
            TreeMap<String, String> mymap = (TreeMap<String, String>) mapObject.getValue();
            String result = utils.r(mymap);
            return new StringObject(vm, result);
        }
    }
    return super.callStaticObjectMethod(vm, dvmClass, signature, varArg);
}

反射

主类不继承AbstractJni,同时不用vm.setJni(this)

使用:

1
vm.setDvmClassFactory(new ProxyClassFactory());

然后把缺失的Java类直接从Jadx里面复制过来,以包的形式复制到com/或者相应的文件夹下。

文件读写

重定向到了

1
C:/users/<>/AppData/Local/Temp/rootfs/default

也可以让主类自行实现IOResolver接口:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
// 1
public class NBridge extends AbstractJni implements IOResolver {
    private final AndroidEmulator emulator;
    private final VM vm;
    private final Module module;


    NBridge(){
        emulator = AndroidEmulatorBuilder.for32Bit().setProcessName("com.meituan").build();
        final Memory memory = emulator.getMemory(); // 模拟器的内存操作接口
        memory.setLibraryResolver(new AndroidResolver(23)); // 设置系统类库解析

        vm = emulator.createDalvikVM(new File("C:\\Users\\pr0214\\Desktop\\DTA\\unidbg\\versions\\unidbg-2021-5-17\\unidbg-master\\unidbg-android\\src\\test\\java\\com\\lession7\\mt.apk")); // 创建Android虚拟机
        // 2
        emulator.getSyscallHandler().addIOResolver(this);
        vm.setVerbose(true); // 设置是否打印Jni调用细节
        DalvikModule dm = vm.loadLibrary(new File("C:\\Users\\pr0214\\Desktop\\DTA\\unidbg\\versions\\unidbg-2021-5-17\\unidbg-master\\unidbg-android\\src\\test\\java\\com\\lession7\\libmtguard.so"), true);

        module = dm.getModule(); //

        vm.setJni(this);
        dm.callJNI_OnLoad(emulator);
    }

    // 3
    @Override
    public FileResult resolve(Emulator emulator, String pathname, int oflags) {
        if (("/data/app/com.sankuai.meituan-TEfTAIBttUmUzuVbwRK1DQ==/base.apk").equals(pathname)) {
            // 填入想要重定位的文件
            return FileResult.success(new SimpleFileIO(oflags, new File("unidbg-android\\src\\test\\java\\com\\lession10\\mt.apk"), pathname));
        }
        return null;
    }


SharedPreferences

1
2
3
4
5
6
7
8
9
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="name">lilac</string>
</map>

<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="location">china</string>
</map>
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
@Override
public DvmObject<?> callObjectMethodV(BaseVM vm, DvmObject<?> dvmObject, String signature, VaList vaList) {
    switch (signature) {
        case "android/content/Context->getSharedPreferences(Ljava/lang/String;I)Landroid/content/SharedPreferences;":
            return vm.resolveClass("android/content/SharedPreferences").newObject(vaList.getObject(0));
        case "android/content/SharedPreferences->getString(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;": {
            // 如果是one.xml
            if(((StringObject) dvmObject.getValue()).getValue().equals("one")){
                // 如果键是name
                if (vaList.getObject(0).getValue().equals("name")) {
                    return new StringObject(vm, "lilac");
                }
            }
        }
    }

    return super.callObjectMethodV(vm, dvmObject, signature, vaList);
}

Syscall Open

开启下面的系统调用Logger,然后这里实现:

1
2
3
4
5
6
7
@Override
public FileResult resolve(Emulator emulator, String pathname, int oflags) {
    if ("/data/data/com.roysue.readsp/shared_prefs/two.xml".equals(pathname)) {
        return FileResult.success(new ByteArrayFileIO(oflags, pathname, "mytest".getBytes()));
    }
    return null;
}

两种方式补文件访问

1是Unidbg提供的rootfs虚拟文件系统,2是代码方式文件重定向 大家自行选择,有人可能会问,如果我不想传入文件,能不能只传入”字符串“,当然可以,从SimpleFileIO换成ByteArrayFileIO即可。

APK资源文件加载

可能会加载libandroid.so这样没有被Unidbg实现的so。

  • Patch/Hook 这个不支持的SO所使用的函数
  • 使用Unidbg VirtualModule
1
2
// 加载时间要在模块so之前
new AndroidModule(emulator, vm).register(memory);

系统调用

1
Logger.getLogger("com.github.unidbg.linux.ARM32SyscallHandler").setLevel(Level.DEBUG);

自定义系统调用

【精选】Unidbg适合做算法还原吗?(一)_douyin unidbg_白龙~的博客-CSDN博客

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
package com.learnproperty;

import com.github.unidbg.Emulator;
import com.github.unidbg.arm.context.EditableArm32RegisterContext;
import com.github.unidbg.linux.file.ByteArrayFileIO;
import com.github.unidbg.linux.file.DumpFileIO;
import com.github.unidbg.memory.SvcMemory;
import com.sun.jna.Pointer;

import java.util.concurrent.ThreadLocalRandom;

public class MyARMSyscallHandler extends com.github.unidbg.linux.ARM32SyscallHandler {
    public MyARMSyscallHandler(SvcMemory svcMemory) {
        super(svcMemory);
    }
    @Override
    protected boolean handleUnknownSyscall(Emulator emulator, int NR) {
        switch (NR) {
            case 190:
                vfork(emulator);
                return true;
            case 359:
                pipe2(emulator);
                return true;
        }

        return super.handleUnknownSyscall(emulator, NR);
    }

    private void vfork(Emulator<?> emulator) {
        EditableArm32RegisterContext context = (EditableArm32RegisterContext) emulator.getContext();
        int childPid = emulator.getPid() + ThreadLocalRandom.current().nextInt(256);
        int r0 = 0;
        r0 = childPid;
        System.out.println("vfork pid=" + r0);
        context.setR0(r0);
    }

    private void pipe2(Emulator<?> emulator) {
        EditableArm32RegisterContext context = (EditableArm32RegisterContext) emulator.getContext();
        Pointer pipefd = context.getPointerArg(0);
        int flags = context.getIntArg(1);
        int write = getMinFd();
        this.fdMap.put(write, new DumpFileIO(write));
        int read = getMinFd();
        String stdout = "myid\n"; // getprop ro.build.id
        this.fdMap.put(read, new ByteArrayFileIO(0, "pipe2_read_side", stdout.getBytes()));
        pipefd.setInt(0, read);
        pipefd.setInt(4, write);
        System.out.println("pipe2 pipefd=" + pipefd + ", flags=0x" + flags + ", read=" + read + ", write=" + write + ", stdout=" + stdout);
        context.setR0(0);
    }
}


调试器

1
2
3
4
// 初始化debugger
Debugger debugger = emulator.attach();
// 添加断点
debugger.addBreakPoint(module.base + 0x1ecc + 1);
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
c: continue
n: step over
bt: back trace

st hex: search stack
shw hex: search writable heap
shr hex: search readable heap
shx hex: search executable heap

nb: break at next block
s|si: step into
s[decimal]: execute specified amount instruction
s(blx): execute util BLX mnemonic, low performance

m(op) [size]: show memory, default size is 0x70, size may hex or decimal
mr0-mr7, mfp, mip, msp [size]: show memory of specified register
m(address) [size]: show memory of specified address, address must start with 0x

wr0-wr7, wfp, wip, wsp : write specified register
wb(address), ws(address), wi(address) : write (byte, short, integer) memory of specified address, address must start with 0x
wx(address) : write bytes to memory at specified address, address must start with 0x

b(address): add temporarily breakpoint, address must start with 0x, can be module offset
b: add breakpoint of register PC
r: remove breakpoint of register PC
blr: add temporarily breakpoint of register LR

p (assembly): patch assembly at PC address
where: show java stack trace

trace [begin end]: Set trace instructions
traceRead [begin end]: Set trace memory read
traceWrite [begin end]: Set trace memory write
vm: view loaded modules
vbs: view breakpoints
d|dis: show disassemble
d(0x): show disassemble at specify address
stop: stop emulation
run [arg]: run test
cc size: convert asm from 0x40001ddc - 0x40001ddc + size bytes to c function
c: continue
n: step over
bt: back trace

st hex: search stack
shw hex: search writable heap
shr hex: search readable heap
shx hex: search executable heap

nb: break at next block
s|si: step into
s[decimal]: execute specified amount instruction
s(blx): execute util BLX mnemonic, low performance

m(op) [size]: show memory, default size is 0x70, size may hex or decimal
mr0-mr7, mfp, mip, msp [size]: show memory of specified register
m(address) [size]: show memory of specified address, address must start with 0x

wr0-wr7, wfp, wip, wsp : write specified register
wb(address), ws(address), wi(address) : write (byte, short, integer) memory of specified address, address must start with 0x
wx(address) : write bytes to memory at specified address, address must start with 0x

b(address): add temporarily breakpoint, address must start with 0x, can be module offset
b: add breakpoint of register PC
r: remove breakpoint of register PC
blr: add temporarily breakpoint of register LR

p (assembly): patch assembly at PC address
where: show java stack trace

trace [begin end]: Set trace instructions
traceRead [begin end]: Set trace memory read
traceWrite [begin end]: Set trace memory write
vm: view loaded modules
vbs: view breakpoints
d|dis: show disassemble
d(0x): show disassemble at specify address
stop: stop emulation
run [arg]: run test
cc size: convert asm from 0x40001ddc - 0x40001ddc + size bytes to c function

疑问

  1. init段的执行是在vm.loadLibrary时指定的,那么如果init段里面有函数需要被hook什么的该怎么处理,能够提前使用Unicorn Hook嘛?(已解决,在问题总结里)
  2. JNI函数都是自动Log的(通过setVerbose),那么能不能自定义JNI行为?(Frida我就没找到方法去进一步自定义JNIEnv里的函数)

问题总结

Unidbg 问题汇总(一)_unidbg byte-CSDN博客

Long参数的传递

在编译成arm32的SO时,long一定概率会被转成两个int.

jbytearray 怎么查看

Frida:

1
hexdump(ptr(Java.vm.tryGetEnv().getByteArrayElements(args[0])))

Unidbg:

1
2
3
4
5
6
7
8
9
public void preCall(Emulator<?> emulator, HookZzArm32RegisterContext ctx, HookEntryInfo info) {
    UnidbgPointer jbytearrayptr = ctx.getPointerArg(2);

    DvmObject<?> dvmbytes = vm.getObject(jbytearrayptr.toIntPeer());
    // 取出byte
    byte[] result = (byte[]) dvmbytes.getValue();
    // 转换成String 或者按需转成其他
    System.out.println(new String(result));
};

std::string 的读写

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
public String readStdString(Pointer strptr){
    Boolean isTiny = (strptr.getByte(0) & 1) == 0;
    if(isTiny){
        return strptr.getString(1);
    }
    return strptr.getPointer(emulator.getPointerSize()* 2L).getString(0);
}

public void writeStdString(Pointer strptr, String content){
    Boolean isTiny = (strptr.getByte(0) & 1) == 0;
    if(isTiny){
        strptr.write(1, content.getBytes(StandardCharsets.UTF_8), 0, content.length());
    }
    strptr.getPointer(emulator.getPointerSize()* 2L).write(0, content.getBytes(StandardCharsets.UTF_8), 0, content.length());
};

TraceCode为什么trace不到module init中的指令

init段的自动加载是在loadLibrary函数里面的。然而一般实现执行这个函数,再执行traceCode

因此可以第一次先用loadLibrary得到基址和结束地址,然后调换一下位置。

HOOK 框架使用问题

Unidbg作者在注释中写道:HookZz在arm32位上支持较好,Dobby在64位上支持较好.(因此将两者,或者说Dobby以及其前身HookZz作为两个独立Hook工具)

类型继承

需要打通继承链,否则容易莫名其妙报错,找不到报错的位置

1
2
3
4
5
DvmClass Map = vm.resolveClass("java/util/Map");
DvmObject<?> input_map = vm.resolveClass("java/util/TreeMap", Map).newObject(keymap);
list.add(vm.addLocalObject(input_map));
Number number = module.callFunction(emulator, 0x9044 + 1, list.toArray())

getenv

Unidbg的env默认是空的,如果有so里面调用getenv这种函数,那就可能会报错。

二选一:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
public void setEnv(){
    Symbol setenv = module.findSymbolByName("setenv", true);
    setenv.call(emulator, "PATH", "/sbin:/system/sbin:/system/bin:/system/xbin:/vendor/bin:/vendor/xbin", 0);
};

public void hookgetEnv(){
    IHookZz hookZz = HookZz.getInstance(emulator);

    hookZz.wrap(module.findSymbolByName("getenv"), new WrapCallback<EditableArm32RegisterContext>() {
        String name;
        @Override
        public void preCall(Emulator<?> emulator, EditableArm32RegisterContext ctx, HookEntryInfo info) {
            name = ctx.getPointerArg(0).getString(0);
        }
        @Override
        public void postCall(Emulator<?> emulator, EditableArm32RegisterContext ctx, HookEntryInfo info) {
            switch (name){
                case "PATH":{
                    Pointer result = ctx.getPointerArg(0);
                    result.setString(0, "/sbin:/system/sbin:/system/bin:/system/xbin:/vendor/bin:/vendor/xbin");
                    
                }
            }

        }
    });
};

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
public void hookgetEnv(){
    IHookZz hookZz = HookZz.getInstance(emulator);

    hookZz.wrap(module.findSymbolByName("getenv"), new WrapCallback<EditableArm32RegisterContext>() {
        String name;
        @Override
        public void preCall(Emulator<?> emulator, EditableArm32RegisterContext ctx, HookEntryInfo info) {
            name = ctx.getPointerArg(0).getString(0);
        }
        @Override
        public void postCall(Emulator<?> emulator, EditableArm32RegisterContext ctx, HookEntryInfo info) {
            switch (name){
                case "PATH":{
                    MemoryBlock replaceBlock = memory.malloc(0x100, true);
                    UnidbgPointer replacePtr = replaceBlock.getPointer();
                    String pathValue = "/sbin:/system/sbin:/system/bin:/system/xbin:/vendor/bin:/vendor/xbin";
                    replacePtr.write(0, pathValue.getBytes(StandardCharsets.UTF_8), 0, pathValue.length());
                    ctx.setR0(replacePtr.toIntPeer());
                }
            }

        }
    });
};

其他

有关ARM&Thumb指令

Thumb指令下,Hook时需要地址+1,而patch时不需要。

参考

unidbg 入门-1 - 知乎 (zhihu.com)

逆向工具之unidbg(在pc端模拟执行so文件中的函数)_so逆向添加函数_hestyle的博客-CSDN博客

SO逆向入门实战教程一:OASIS-CSDN博客

Android逆向-实战so分析-某洲_v3.5.8_unidbg学习_android逆向so分析_哔哩哩!的博客-CSDN博客

SO逆向入门实战教程二:calculateS_nativenewcalculates 算法_白龙~的博客-CSDN博客

unidbg 简介、基本使用、调用so中方法、unidbg-web_unicorn unidbg-CSDN博客(用的版本太老了,很多的代码不具有参考价值)

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia-plus根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

A junior undergraduate
studying in the college of cyber science and engineering
in Sichuan University
in Sichuan , China.
Pronouns:He/him.
A core member of 0x401 CTF team
majorly focus on Reverse Engineering chanllenges.