Comments (45)
Use ArrayObject.
from unidbg.
Now there is a new problem.
The following code throws an ArrayIndexOutOfBoundsException:
```java
Number ret = Native.callStaticJniMethod(emulator, "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;", 10401,
        new ArrayObject(new ArrayObject(new StringObject(vm, "123"), new StringObject(vm, "456"), new StringObject(vm, String.valueOf("7")), new StringObject(vm, ""))));
```
The following code throws a NullPointerException:
```java
Number ret = Native.callStaticJniMethod(emulator, "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;", 10602,
        new ArrayObject(new ArrayObject(context, new StringObject(vm, "0"))));
```
```
[11:07:51 281] DEBUG [cn.banny.unidbg.AbstractEmulator] (AbstractEmulator:247) - emulate unicorn@0x4016368d[libc.so]0x1668d started sp=unicorn@0xbffff7e4
[11:07:51 340] DEBUG [cn.banny.unidbg.AbstractEmulator] (AbstractEmulator:275) - emulate unicorn@0x4016368d[libc.so]0x1668d finished sp=unicorn@0xbffff7e4, offset=56ms
[11:07:51 341] DEBUG [cn.banny.unidbg.AbstractEmulator] (AbstractEmulator:247) - emulate unicorn@0x4000cd25[libmain.so]0xcd25 started sp=unicorn@0xbffff7e4
[11:07:51 394] DEBUG [cn.banny.unidbg.AbstractEmulator] (AbstractEmulator:275) - emulate unicorn@0x4000cd25[libmain.so]0xcd25 finished sp=unicorn@0xbffff7e4, offset=53ms
[11:07:51 394] DEBUG [cn.banny.unidbg.AbstractEmulator] (AbstractEmulator:247) - emulate unicorn@0x4000e3ad[libmain.so]0xe3ad started sp=unicorn@0xbffff7e4
[11:07:51 399] WARN [cn.banny.unidbg.linux.ARMSyscallHandler] (ARMSyscallHandler:362) - handleInterrupt intno=2, NR=-1073744148, svcNumber=0x10e, PC=unicorn@0xfffe00bc, syscall=null
java.lang.NullPointerException
	at cn.banny.unidbg.linux.android.dvm.DalvikVM$15.handle(DalvikVM.java:233)
	at cn.banny.unidbg.linux.ARMSyscallHandler.hook(ARMSyscallHandler.java:87)
	at unicorn.Unicorn.invokeInterruptCallbacks(Unicorn.java:123)
	at unicorn.Unicorn.emu_start(Native Method)
	at cn.banny.unidbg.AbstractEmulator.emulate(AbstractEmulator.java:249)
	at cn.banny.unidbg.AbstractEmulator.eFunc(AbstractEmulator.java:340)
	at cn.banny.unidbg.arm.AbstractARMEmulator.eFunc(AbstractARMEmulator.java:201)
	at cn.banny.unidbg.linux.LinuxModule.emulateFunction(LinuxModule.java:154)
	at cn.banny.unidbg.linux.android.dvm.DvmClass.callStaticJniMethod(DvmClass.java:140)
	at com.test.sign.TestSignso.test(MoonSignV2so.java:86)
	at com.test.sign.TestSignso.main(MoonSignV2so.java:77)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:497)
	at com.intellij.rt.execution.application.AppMain.main(AppMain.java:144)
[11:07:51 401] DEBUG [cn.banny.unidbg.AbstractEmulator] (AbstractEmulator:275) - emulate unicorn@0x4000e3ad[libmain.so]0xe3ad finished sp=unicorn@0xbffff6dc, offset=7ms
hash:4294837784
destroy
Process finished with exit code 0
```
```java
import cn.banny.unidbg.LibraryResolver;
import cn.banny.unidbg.Module;
import cn.banny.unidbg.arm.ARMEmulator;
import cn.banny.unidbg.linux.android.AndroidARMEmulator;
import cn.banny.unidbg.linux.android.AndroidResolver;
import cn.banny.unidbg.linux.android.dvm.*;
import cn.banny.unidbg.memory.Memory;
import org.apache.log4j.Level;
import org.apache.log4j.Logger;

import java.io.File;
import java.io.IOException;

public class TestSignso extends AbstractJni {

    private static LibraryResolver createLibraryResolver() {
        return new AndroidResolver(23);
    }

    private static ARMEmulator createARMEmulator() {
        return new AndroidARMEmulator("com.test.so");
    }

    private final ARMEmulator emulator;
    private final VM vm;
    private final Module module;
    private final DvmClass Native;

    private TestSignso() throws IOException {
        Logger.getLogger("cn.banny.unidbg.AbstractEmulator").setLevel(Level.ALL);
        emulator = createARMEmulator();
        final Memory memory = emulator.getMemory();
        memory.setLibraryResolver(createLibraryResolver());
        memory.setCallInitFunction();
        vm = emulator.createDalvikVM(null);
        vm.setJni(this); // this class answers the JNI up-calls made by libmain.so
        DalvikModule dm = vm.loadLibrary(new File("src/test/resources/example_binaries/libmain.so"), false);
        dm.callJNI_OnLoad(emulator);
        this.module = dm.getModule();
        Native = vm.resolveClass("com.taobao.wireless.security.adapter.JNICLibrary".replace(".", "/"));
    }

    private void destroy() throws IOException {
        emulator.close();
        System.out.println("destroy");
    }

    public static void main(String[] args) throws Exception {
        TestSignso test = new TestSignso();
        test.test();
        test.destroy();
    }

    private void test() throws IOException {
        DvmObject context = vm.resolveClass("android/content/Context").newObject(null);
        // the Object[] argument is wrapped in a second ArrayObject here, so the
        // native side receives a one-element array whose only element is an array
        Number ret = Native.callStaticJniMethod(emulator, "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;",
                10602,
                new ArrayObject(new ArrayObject(context, new StringObject(vm, "0")))
        );
        long hash = ret.intValue() & 0xffffffffL;
        System.out.println("hash:" + hash);
        StringObject obj = vm.getObject(hash);
        vm.deleteLocalRefs();
        System.out.println(obj.getValue());
    }
}
```
The .so file:
libmain.so.zip
from unidbg.
How does the app call it? Send me the call parameters and I will try.
from unidbg.
It calls libsgmainso-6.4.152.so. Normally it should be called like this:
```java
JNICLibrary.doCommandNative(10401, new Object[]{"testval", "21549244", Integer.valueOf(7), ""});
```
from unidbg.
Try this call.
from unidbg.
Thanks. Running this file produces the following:
```
[15:50:08 023] DEBUG [cn.banny.unidbg.AbstractEmulator] (AbstractEmulator:247) - emulate unicorn@0x4019468d[libc.so]0x1668d started sp=unicorn@0xbffff7e4
[15:50:08 089] DEBUG [cn.banny.unidbg.AbstractEmulator] (AbstractEmulator:275) - emulate unicorn@0x4019468d[libc.so]0x1668d finished sp=unicorn@0xbffff7e4, offset=62ms
[15:50:08 091] DEBUG [cn.banny.unidbg.AbstractEmulator] (AbstractEmulator:247) - emulate unicorn@0x4000fdf9[libmain.so]0xfdf9 started sp=unicorn@0xbffff7e4
[15:50:08 176] DEBUG [cn.banny.unidbg.AbstractEmulator] (AbstractEmulator:275) - emulate unicorn@0x4000fdf9[libmain.so]0xfdf9 finished sp=unicorn@0xbffff7e4, offset=85ms
[15:50:08 178] DEBUG [cn.banny.unidbg.AbstractEmulator] (AbstractEmulator:247) - emulate unicorn@0x40010231[libmain.so]0x10231 started sp=unicorn@0xbffff7e4
[15:50:08 184] WARN [cn.banny.unidbg.linux.android.dvm.DalvikVM] (DalvikVM$2:60) - Throw object=unicorn@0x7e0ea639, dvmObject=DvmObject{value=[9905]}, class=com/alibaba/wireless/security/open/SecException
[15:50:08 185] DEBUG [cn.banny.unidbg.AbstractEmulator] (AbstractEmulator:275) - emulate unicorn@0x40010231[libmain.so]0x10231 finished sp=unicorn@0xbffff7e4, offset=7ms
hash:0
[15:50:08 186] DEBUG [cn.banny.unidbg.AbstractEmulator] (AbstractEmulator:247) - emulate unicorn@0x40010231[libmain.so]0x10231 started sp=unicorn@0xbffff7e4
[15:50:08 222] WARN [cn.banny.unidbg.linux.android.dvm.DalvikVM] (DalvikVM$2:60) - Throw object=unicorn@0x96532d6, dvmObject=DvmObject{value=[10504]}, class=com/alibaba/wireless/security/open/SecException
[15:50:08 223] DEBUG [cn.banny.unidbg.AbstractEmulator] (AbstractEmulator:275) - emulate unicorn@0x40010231[libmain.so]0x10231 finished sp=unicorn@0xbffff7e4, offset=36ms
hash:0
[15:50:08 223] DEBUG [cn.banny.unidbg.AbstractEmulator] (AbstractEmulator:247) - emulate unicorn@0x40010231[libmain.so]0x10231 started sp=unicorn@0xbffff7e4
com/taobao/dp/util/CallbackHelper->onCallBack i1=0, str=null, i2=902
[15:50:08 244] DEBUG [cn.banny.unidbg.AbstractEmulator] (AbstractEmulator:275) - emulate unicorn@0x40010231[libmain.so]0x10231 finished sp=unicorn@0xbffff7e4, offset=21ms
hash:0
Exception in thread "main" java.lang.NullPointerException
	at com.taobao.taobao.TestSignso.test(TestSignso.java:93)
	at com.taobao.taobao.TestSignso.main(TestSignso.java:59)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:497)
	at com.intellij.rt.execution.application.AppMain.main(AppMain.java:144)
Process finished with exit code 1
```
from unidbg.
It runs fine; a SecException was thrown. Does some kind of initialization command need to be called first?
from unidbg.
After calling the initialization it reports:
```java
ret = Native.callStaticJniMethod(emulator, "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;",
        10101,
        new ArrayObject(context, DvmInteger.valueOf(vm, 3), new StringObject(vm, ""), new StringObject(vm, "/data/user/0/com.taobao.taobao/app_SGLib"), new StringObject(vm, ""))
);
```
```
[20:56:13 683] WARN [cn.banny.unidbg.linux.ARMSyscallHandler] (ARMSyscallHandler:362) - handleInterrupt intno=2, NR=163, svcNumber=0x0, PC=unicorn@0x401044c0[libc.so]0x204c0, syscall=null
unicorn.UnicornException: Invalid memory write (UC_ERR_WRITE_UNMAPPED)
	at unicorn.Unicorn.emu_start(Native Method)
	at cn.banny.unidbg.AbstractEmulator.emulate(AbstractEmulator.java:249)
	at cn.banny.unidbg.AbstractEmulator.eFunc(AbstractEmulator.java:340)
	at cn.banny.unidbg.arm.AbstractARMEmulator.eFunc(AbstractARMEmulator.java:201)
	at cn.banny.unidbg.linux.LinuxModule.emulateFunction(LinuxModule.java:154)
	at cn.banny.unidbg.linux.android.dvm.DvmClass.callStaticJniMethod(DvmClass.java:140)
	at com.taobao.taobao.TestSignso.test(TestSignso.java:135)
	at com.taobao.taobao.TestSignso.main(TestSignso.java:93)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:497)
	at com.intellij.rt.execution.application.AppMain.main(AppMain.java:144)
debugger break at: 0x400f3b40
r0=0x40690000 r1=0x406b1ff0 r2=0x7, r3=0x0 r4=0x40690000 r5=0x406b2000 r6=0x22000 r7=0x11000 sb=0x60 sl=0xd7 fp=0x31 ip=0x11000 sp=0xbfffec04 lr=0x400f3b3b pc=0x400f3b40 cpsr: N=0, Z=1, C=0, V=0, T=1, mode=0b10000
=> [ libc.so][0x0fb41][ 44 19 ]*0x400f3b40:*adds r4, r0, r5
[ libc.so] [0x0fb43] [ 75 1b ] 0x400f3b42: subs r5, r6, r5
[ libc.so] [0x0fb45] [ a5 f1 10 03 ] 0x400f3b44: sub.w r3, r5, #0x10
[ libc.so] [0x0fb49] [ 07 22 ] 0x400f3b48: movs r2, #7
[ libc.so] [0x0fb4b] [ e1 18 ] 0x400f3b4a: adds r1, r4, r3
[ libc.so] [0x0fb4d] [ 65 19 ] 0x400f3b4c: adds r5, r4, r5
[ libc.so] [0x0fb4f] [ 63 60 ] 0x400f3b4e: str r3, [r4, #4]
[ libc.so] [0x0fb51] [ 00 23 ] 0x400f3b50: movs r3, #0
[ libc.so] [0x0fb53] [ 4a 60 ] 0x400f3b52: str r2, [r1, #4]
[ libc.so] [0x0fb55] [ b0 49 ] 0x400f3b54: ldr r1, [pc, #0x2c0] => 0x3e622
```
from unidbg.
readFromSPUnified a1=StringObject{value=Soft}, a2=StringObject{value=SGSAFETOKEN_IN}, a3=null
What does this call return?
from unidbg.
I don't see this one.
from unidbg.
com/taobao/wireless/security/adapter/common/SPUtility2->readFromSPUnified(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;
The C code calls this function through JNI. Send me the correct return value and it should be about done.
from unidbg.
And what does this one return: com/alibaba/wireless/security/framework/utils/UserTrackMethodJniBridge->utAvaiable()I
from unidbg.
readFromSPUnified, split by ||: 1: method argument 1, 2: method argument 2, 3: method argument 3, 4: return value
from unidbg.
com/taobao/wireless/security/adapter/datacollection/DeviceInfoCapturer->doCommandForString(I)Ljava/lang/String;
This one is also called, with argument 135; check on your side what its return value is.
from unidbg.
com/alibaba/wireless/security/framework/utils/UserTrackMethodJniBridge->utAvaiable()I
What is the return value of this one?
from unidbg.
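An added example, not code from this thread or from unidbg itself: an AbstractJni subclass that answers the three JNI up-calls asked about in the last few comments (readFromSPUnified, doCommandForString with argument 135, and utAvaiable()) from values captured on a real device, fed in the "a1||a2||a3||return" record format described above, so that a captured "null" comes back as a Java null rather than the string "null". Assumed: the cn.banny-era AbstractJni override signatures and the VarArg.getObject/getInt accessors (check them against your unidbg version), and the captured values themselves, which are placeholders here.

```java
import cn.banny.unidbg.linux.android.dvm.AbstractJni;
import cn.banny.unidbg.linux.android.dvm.BaseVM;
import cn.banny.unidbg.linux.android.dvm.DvmClass;
import cn.banny.unidbg.linux.android.dvm.DvmObject;
import cn.banny.unidbg.linux.android.dvm.StringObject;
import cn.banny.unidbg.linux.android.dvm.VarArg;

import java.util.HashMap;
import java.util.Map;

/**
 * Answers the JNI up-calls that the native library makes into Java from a
 * table captured on a real device, in the "a1||a2||a3||ret" record format.
 * Assumed: override signatures of the cn.banny-era AbstractJni.
 */
public class CapturedSPJni extends AbstractJni {

    private static final String SP_READ =
            "com/taobao/wireless/security/adapter/common/SPUtility2->readFromSPUnified(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;";
    private static final String DEVICE_INFO =
            "com/taobao/wireless/security/adapter/datacollection/DeviceInfoCapturer->doCommandForString(I)Ljava/lang/String;";
    private static final String UT_AVAILABLE =
            "com/alibaba/wireless/security/framework/utils/UserTrackMethodJniBridge->utAvaiable()I";

    /** Literal the captured records use for a Java null. */
    private static final String NULL = "null";

    private final Map<String, String> spTable = new HashMap<>();
    private final int utAvailable;        // captured result of utAvaiable()I (placeholder)
    private final String deviceInfo135;   // captured result of doCommandForString(135) (placeholder)

    public CapturedSPJni(String[] spRecords, int utAvailable, String deviceInfo135) {
        for (String record : spRecords) {
            // split with limit -1 keeps a trailing empty field; every record has exactly 4
            String[] f = record.split("\\|\\|", -1);
            if (f.length != 4) {
                throw new IllegalArgumentException("bad record: " + record);
            }
            // the first capture of a key wins, so repeated captures are harmless
            spTable.putIfAbsent(key(f[0], f[1], f[2]), f[3]);
        }
        this.utAvailable = utAvailable;
        this.deviceInfo135 = deviceInfo135;
    }

    private static String key(String a1, String a2, String a3) {
        return a1 + "||" + a2 + "||" + a3;
    }

    /** Renders an argument the way the record format writes it: a Java null becomes "null". */
    private static String text(DvmObject obj) {
        return obj == null ? NULL : String.valueOf(obj.getValue());
    }

    /** Returns null both for an unknown key and for a captured "null" return value. */
    String readFromSPUnified(String a1, String a2, String a3) {
        String v = spTable.get(key(a1, a2, a3));
        return v == null || NULL.equals(v) ? null : v;
    }

    @Override
    public DvmObject callStaticObjectMethod(BaseVM vm, DvmClass dvmClass, String signature,
                                            String methodName, String methodSignature, VarArg varArg) {
        if (SP_READ.equals(signature)) {
            String a1 = text(varArg.getObject(0));
            String a2 = text(varArg.getObject(1));
            String a3 = text(varArg.getObject(2));
            String v = readFromSPUnified(a1, a2, a3);
            // a captured null must reach the native side as a null jstring, not as "null"
            return v == null ? null : new StringObject(vm, v);
        }
        if (DEVICE_INFO.equals(signature) && varArg.getInt(0) == 135) {
            return new StringObject(vm, deviceInfo135);
        }
        // anything not captured is left to AbstractJni, which reports it as unimplemented
        return super.callStaticObjectMethod(vm, dvmClass, signature, methodName, methodSignature, varArg);
    }

    @Override
    public int callStaticIntMethod(BaseVM vm, DvmClass dvmClass, String signature,
                                   String methodName, String methodSignature, VarArg varArg) {
        if (UT_AVAILABLE.equals(signature)) {
            return utAvailable;
        }
        return super.callStaticIntMethod(vm, dvmClass, signature, methodName, methodSignature, varArg);
    }
}
```

Pass an instance to `vm.setJni(...)` in place of the test class itself, with the records from your own capture; any up-call you have not captured still fails loudly, which is the signal to capture it next.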
TestSignso.tar.gz
I wrote an example that runs through; handle the details yourself, there are still many of them.
Use the latest version of unidbg.
from unidbg.
After updating to the latest version it errors out at cn.banny.unidbg.ios.MachOLoader.mmap2. I added this directly to the class:
```java
public static final int MAP_ANONYMOUS = 0x20;
```
With that it runs normally, but I don't know whether it is correct.
```
Error:(1459, 23) java: 对MAP_ANONYMOUS的引用不明确
cn.banny.unidbg.spi.AbstractLoader 中的变量 MAP_ANONYMOUS 和 cn.banny.unidbg.ios.MachO 中的变量 MAP_ANONYMOUS 都匹配
```
from unidbg.
Loading the other dependent .so files gives this error: Invalid memory fetch (UC_ERR_FETCH_UNMAPPED), -_-
```java
DalvikModule dm = vm.loadLibrary("sgmainso-6.4.152", false);
dm.callJNI_OnLoad(emulator);
dm = vm.loadLibrary("sgsecuritybodyso-6.4.90", false);
dm.callJNI_OnLoad(emulator);
dm = vm.loadLibrary("sgavmpso-6.4.34", false);
dm.callJNI_OnLoad(emulator);
dm = vm.loadLibrary("sgmiscso-6.4.44", false);
dm.callJNI_OnLoad(emulator);
dm = vm.loadLibrary("sgsgmiddletierso-6.4.1", false);
dm.callJNI_OnLoad(emulator);
Native = vm.resolveClass("com.taobao.wireless.security.adapter.JNICLibrary".replace(".", "/"));
DvmObject context = vm.resolveClass("android/content/Context").newObject(null);
long start = System.currentTimeMillis();
Number ret;
long hash;
DvmObject dvmObject;
Map<String, String> map = new HashMap<>();
ret = Native.callStaticJniMethod(emulator, "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;",
        10101,
        new ArrayObject(context, DvmInteger.valueOf(vm, 3), new StringObject(vm, ""), new StringObject(vm, new File("target/app_SGLib").getAbsolutePath()), new StringObject(vm, ""))
);
hash = ret.intValue() & 0xffffffffL;
dvmObject = vm.getObject(hash);
System.out.println("hash:" + hash + ", dvmObject=" + dvmObject + ", offset=" + (System.currentTimeMillis() - start) + "ms");
vm.deleteLocalRefs();
ret = Native.callStaticJniMethod(emulator, "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;",
        10102,
        new ArrayObject(new StringObject(vm, "main"), new StringObject(vm, "6.4.152"), new StringObject(vm, new File("target/test-classes/example_binaries/tb/libsgmainso-6.4.152.so").getAbsolutePath()))
);
hash = ret.intValue() & 0xffffffffL;
dvmObject = vm.getObject(hash);
System.out.println("hash:" + hash + ", dvmObject=" + dvmObject + ", offset=" + (System.currentTimeMillis() - start) + "ms");
vm.deleteLocalRefs();
ret = Native.callStaticJniMethod(emulator, "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;",
        12301,
        new ArrayObject(DvmInteger.valueOf(vm, 0))
);
hash = ret.intValue() & 0xffffffffL;
dvmObject = vm.getObject(hash);
System.out.println("hash:" + hash + ", dvmObject=" + dvmObject + ", offset=" + (System.currentTimeMillis() - start) + "ms");
vm.deleteLocalRefs();
ret = Native.callStaticJniMethod(emulator, "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;",
        10102,
        new ArrayObject(new StringObject(vm, "securitybody"), new StringObject(vm, "6.4.90"), new StringObject(vm, new File("target/test-classes/example_binaries/tb/libsgsecuritybodyso-6.4.90.so").getAbsolutePath()))
);
hash = ret.intValue() & 0xffffffffL;
dvmObject = vm.getObject(hash);
System.out.println("hash:" + hash + ", dvmObject=" + dvmObject + ", offset=" + (System.currentTimeMillis() - start) + "ms");
vm.deleteLocalRefs();
ret = Native.callStaticJniMethod(emulator, "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;",
        10102,
        new ArrayObject(new StringObject(vm, "avmp"), new StringObject(vm, "6.4.34"), new StringObject(vm, new File("target/test-classes/example_binaries/tb/libsgavmpso-6.4.34.so").getAbsolutePath()))
);
hash = ret.intValue() & 0xffffffffL;
dvmObject = vm.getObject(hash);
System.out.println("hash:" + hash + ", dvmObject=" + dvmObject + ", offset=" + (System.currentTimeMillis() - start) + "ms");
vm.deleteLocalRefs();
ret = Native.callStaticJniMethod(emulator, "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;",
        12605,
        new ArrayObject(DvmInteger.valueOf(vm, 0))
);
hash = ret.intValue() & 0xffffffffL;
dvmObject = vm.getObject(hash);
System.out.println("hash:" + hash + ", dvmObject=" + dvmObject + ", offset=" + (System.currentTimeMillis() - start) + "ms");
vm.deleteLocalRefs();
ret = Native.callStaticJniMethod(emulator, "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;",
        10102,
        new ArrayObject(new StringObject(vm, "sgmiddletier"), new StringObject(vm, "6.4.1"), new StringObject(vm, new File("target/test-classes/example_binaries/tb/libsgsgmiddletierso-6.4.1.so").getAbsolutePath()))
);
hash = ret.intValue() & 0xffffffffL;
dvmObject = vm.getObject(hash);
System.out.println("hash:" + hash + ", dvmObject=" + dvmObject + ", offset=" + (System.currentTimeMillis() - start) + "ms");
vm.deleteLocalRefs();
// returns an int value when successful
ret = Native.callStaticJniMethod(emulator, "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;",
        60901,
        new ArrayObject(new StringObject(vm, "mwua"), new StringObject(vm, "sgcipher2"))
);
hash = ret.intValue() & 0xffffffffL;
dvmObject = vm.getObject(hash);
System.out.println("hash:" + hash + ", dvmObject=" + dvmObject + ", offset=" + (System.currentTimeMillis() - start) + "ms");
vm.deleteLocalRefs();
// returns an int value when successful
ret = Native.callStaticJniMethod(emulator, "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;",
        60901,
        new ArrayObject(new StringObject(vm, "mwua"), new StringObject(vm, "sgcipher"))
);
hash = ret.intValue() & 0xffffffffL;
dvmObject = vm.getObject(hash);
System.out.println("hash:" + hash + ", dvmObject=" + dvmObject + ", offset=" + (System.currentTimeMillis() - start) + "ms");
vm.deleteLocalRefs();
// returns a string value when successful
ret = Native.callStaticJniMethod(emulator, "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;",
        20102,
        new ArrayObject(new StringObject(vm, "1560408692"), new StringObject(vm, "21646297"), DvmInteger.valueOf(vm, 8), new StringObject(vm, "null"), new StringObject(vm, "pageName=com.taobao.tao.TBMainActivity&pageId=http%3A%2F%2Fm.taobao.com%2Findex.htm"), DvmInteger.valueOf(vm, 0))
);
hash = ret.intValue() & 0xffffffffL;
dvmObject = vm.getObject(hash);
System.out.println("hash:" + hash + ", dvmObject=" + dvmObject + ", offset=" + (System.currentTimeMillis() - start) + "ms");
vm.deleteLocalRefs();
```
```
unicorn.UnicornException: Invalid memory fetch (UC_ERR_FETCH_UNMAPPED)
	at unicorn.Unicorn.emu_start(Native Method)
	at cn.banny.unidbg.AbstractEmulator.emulate(AbstractEmulator.java:249)
	at cn.banny.unidbg.AbstractEmulator.eFunc(AbstractEmulator.java:340)
	at cn.banny.unidbg.arm.AbstractARMEmulator.eFunc(AbstractARMEmulator.java:201)
	at cn.banny.unidbg.linux.LinuxModule.emulateFunction(LinuxModule.java:154)
	at cn.banny.unidbg.linux.LinuxModule.callFunction(LinuxModule.java:131)
	at cn.banny.unidbg.linux.LinuxSymbol.call(LinuxSymbol.java:27)
	at cn.banny.unidbg.linux.android.dvm.DalvikModule.callJNI_OnLoad(DalvikModule.java:32)
	at com.taobao.taobao.TestSignsoV3.<init>(TestSignsoV3.java:64)
	at com.taobao.taobao.TestSignsoV3.main(TestSignsoV3.java:81)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:497)
	at com.intellij.rt.execution.application.AppMain.main(AppMain.java:144)
debugger break at: 0x280
r0=0xfffe08a0 r1=0xc002d5d9 r2=0x24d12279, r3=0x280 r4=0xfffe08a0 r5=0xfffe0360 r6=0xc002d5d9 r7=0xbffff7b4 r8=0x4019c8ae r9=0xfffe0080 r10=0x36 fp=0x0 ip=0x9b sp=0xbffff79c lr=0x401c1049 pc=0x280 cpsr: N=0, Z=1, C=1, V=0, T=0, mode=0b10000
unicorn.UnicornException: Invalid memory read (UC_ERR_READ_UNMAPPED)
	at unicorn.Unicorn.mem_read(Native Method)
	at cn.banny.unidbg.arm.AbstractARMEmulator.disassemble(AbstractARMEmulator.java:175)
	at cn.banny.unidbg.arm.AbstractARMDebugger.disassemble(AbstractARMDebugger.java:228)
	at cn.banny.unidbg.arm.SimpleARMDebugger.loop(SimpleARMDebugger.java:33)
	at cn.banny.unidbg.arm.AbstractARMDebugger.debug(AbstractARMDebugger.java:156)
	at cn.banny.unidbg.AbstractEmulator.emulate(AbstractEmulator.java:259)
	at cn.banny.unidbg.AbstractEmulator.eFunc(AbstractEmulator.java:340)
	at cn.banny.unidbg.arm.AbstractARMEmulator.eFunc(AbstractARMEmulator.java:201)
	at cn.banny.unidbg.linux.LinuxModule.emulateFunction(LinuxModule.java:154)
	at cn.banny.unidbg.linux.LinuxModule.callFunction(LinuxModule.java:131)
	at cn.banny.unidbg.linux.LinuxSymbol.call(LinuxSymbol.java:27)
	at cn.banny.unidbg.linux.android.dvm.DalvikModule.callJNI_OnLoad(DalvikModule.java:32)
	at com.taobao.taobao.TestSignsoV3.<init>(TestSignsoV3.java:64)
	at com.taobao.taobao.TestSignsoV3.main(TestSignsoV3.java:81)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:497)
	at com.intellij.rt.execution.application.AppMain.main(AppMain.java:144)
```
from unidbg.
Update to the latest code.
from unidbg.
After updating, the .so files load fine, but starting from the securitybody command it again reports Invalid memory fetch (UC_ERR_FETCH_UNMAPPED), -_-
```java
ret = Native.callStaticJniMethod(emulator, "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;",
        10102,
        new ArrayObject(new StringObject(vm, "securitybody"), new StringObject(vm, "6.4.90"), new StringObject(vm, new File("target/test-classes/example_binaries/tb/libsgsecuritybodyso-6.4.90.so").getAbsolutePath()))
);
```
```
unicorn.UnicornException: Invalid memory fetch (UC_ERR_FETCH_UNMAPPED)
	at unicorn.Unicorn.emu_start(Native Method)
	at cn.banny.unidbg.AbstractEmulator.emulate(AbstractEmulator.java:249)
	at cn.banny.unidbg.AbstractEmulator.eFunc(AbstractEmulator.java:340)
	at cn.banny.unidbg.arm.AbstractARMEmulator.eFunc(AbstractARMEmulator.java:201)
	at cn.banny.unidbg.linux.LinuxModule.emulateFunction(LinuxModule.java:154)
	at cn.banny.unidbg.linux.android.dvm.DvmClass.callStaticJniMethod(DvmClass.java:140)
	at com.taobao.taobao.TestSignsoV3.test(TestSignsoV3.java:140)
	at com.taobao.taobao.TestSignsoV3.main(TestSignsoV3.java:90)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:497)
	at com.intellij.rt.execution.application.AppMain.main(AppMain.java:144)
debugger break at: 0x25c
unicorn.UnicornException: Invalid memory read (UC_ERR_READ_UNMAPPED)
r0=0xfffe08b0 r1=0xc002d5d9 r2=0x24d12279, r3=0x25c r4=0xfffe08b0 r5=0xfffe0360 r6=0xbffff7b8 r7=0xbffff73c r8=0xfffe08b0 r9=0x80491e8 r10=0x8049210 fp=0x805d764 ip=0x1 sp=0xbffff68c lr=0x40010e3b pc=0x25c cpsr: N=0, Z=1, C=1, V=0, T=0, mode=0b10000
	at unicorn.Unicorn.mem_read(Native Method)
	at cn.banny.unidbg.arm.AbstractARMEmulator.disassemble(AbstractARMEmulator.java:175)
	at cn.banny.unidbg.arm.AbstractARMDebugger.disassemble(AbstractARMDebugger.java:228)
	at cn.banny.unidbg.arm.SimpleARMDebugger.loop(SimpleARMDebugger.java:33)
	at cn.banny.unidbg.arm.AbstractARMDebugger.debug(AbstractARMDebugger.java:156)
	at cn.banny.unidbg.AbstractEmulator.emulate(AbstractEmulator.java:259)
	at cn.banny.unidbg.AbstractEmulator.eFunc(AbstractEmulator.java:340)
	at cn.banny.unidbg.arm.AbstractARMEmulator.eFunc(AbstractARMEmulator.java:201)
	at cn.banny.unidbg.linux.LinuxModule.emulateFunction(LinuxModule.java:154)
	at cn.banny.unidbg.linux.android.dvm.DvmClass.callStaticJniMethod(DvmClass.java:140)
	at com.taobao.taobao.TestSignsoV3.test(TestSignsoV3.java:140)
	at com.taobao.taobao.TestSignsoV3.main(TestSignsoV3.java:90)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:497)
	at com.intellij.rt.execution.application.AppMain.main(AppMain.java:144)
```
from unidbg.
Thanks a lot, I now roughly understand what this class of problem is. Thanks again.
from unidbg.
The latest commit implements the JNI function corresponding to 0x25c.
from unidbg.
@linxiaozhi
Hello,
how did you solve this:
debugger break at:0x4006e966
Sorry, my Chinese is not good.
sgmainso-6.4.152
from unidbg.
@ydaniels -_- I don't think I ran into that.
from unidbg.
@zhkl0228 .... here comes another one I don't understand...
```
-----------------------------------------------------------------------------<
[15:31:15 139]gettimeofday tv after tv_sec=1560583875, tv_usec=139000, tv=unicorn@0xbfffef74, md5=5b2b5d651ba4d652d4920233c3f24ee2, hex=c39e045df81e0200
size: 8
0000: C3 9E 04 5D F8 1E 02 00 ...]....
^-----------------------------------------------------------------------------^
r0=0x804c3e4 r1=0x81 r2=0x1, r3=0xffffffec r4=0x0 r5=0x0 r6=0x804ef70 r7=0xf0 r9=0x1 r10=0x408457dd fp=0x1 ip=0xbfffef9c sp=0xbfffef64 lr=0x400c54c8 pc=0x400d895c cpsr: N=0, Z=1, C=1, V=0, T=0, mode=0b10000
unicorn.UnicornException: Invalid memory fetch (UC_ERR_FETCH_UNMAPPED)
	at unicorn.Unicorn.emu_start(Native Method)
	at cn.banny.unidbg.AbstractEmulator.emulate(AbstractEmulator.java:249)
	at cn.banny.unidbg.AbstractEmulator.eFunc(AbstractEmulator.java:340)
	at cn.banny.unidbg.arm.AbstractARMEmulator.eFunc(AbstractARMEmulator.java:201)
	at cn.banny.unidbg.linux.LinuxModule.emulateFunction(LinuxModule.java:154)
	at cn.banny.unidbg.linux.android.dvm.DvmClass.callStaticJniMethod(DvmClass.java:140)
	at com.taobao.taobao.TestSignsoV3.getSS(TestSignsoV3.java:203)
	at com.taobao.taobao.TestSignsoV3.main(TestSignsoV3.java:140)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:497)
	at com.intellij.rt.execution.application.AppMain.main(AppMain.java:144)
unicorn.UnicornException: Invalid memory read (UC_ERR_READ_UNMAPPED)
	at unicorn.Unicorn.mem_read(Native Method)
	at cn.banny.unidbg.arm.AbstractARMEmulator.disassemble(AbstractARMEmulator.java:175)
	at cn.banny.unidbg.arm.AbstractARMDebugger.disassemble(AbstractARMDebugger.java:228)
	at cn.banny.unidbg.arm.SimpleARMDebugger.loop(SimpleARMDebugger.java:33)
	at cn.banny.unidbg.arm.AbstractARMDebugger.debug(AbstractARMDebugger.java:156)
	at cn.banny.unidbg.AbstractEmulator.emulate(AbstractEmulator.java:259)
	at cn.banny.unidbg.AbstractEmulator.eFunc(AbstractEmulator.java:340)
	at cn.banny.unidbg.arm.AbstractARMEmulator.eFunc(AbstractARMEmulator.java:201)
	at cn.banny.unidbg.linux.LinuxModule.emulateFunction(LinuxModule.java:154)
	at cn.banny.unidbg.linux.android.dvm.DvmClass.callStaticJniMethod(DvmClass.java:140)
	at com.taobao.taobao.TestSignsoV3.getSS(TestSignsoV3.java:203)
	at com.taobao.taobao.TestSignsoV3.main(TestSignsoV3.java:140)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:497)
	at com.intellij.rt.execution.application.AppMain.main(AppMain.java:144)
debugger break at: 0x2b0
r0=0xfffe08d0 r1=0x1 r2=0x76f84423, r3=0x83d61724 r4=0xfffe08d0 r5=0x46607d73 r6=0x76f84423 r7=0xbfffefe4 r8=0x608da06e r9=0x1554909b r10=0x4e4e3b1c fp=0x83d61724 ip=0x2b0 sp=0xbfffef6c lr=0x40853815 pc=0x2b0 cpsr: N=0, Z=0, C=1, V=0, T=0, mode=0b10000
```
```
[15:36:36 201] DEBUG [cn.banny.unidbg.linux.android.dvm.DalvikVM] (DalvikVM$17:264) - GetMethodID class=unicorn@0x4e4e3b1c, methodName=getWindow, args=()Landroid/view/Window;
[15:36:36 201] DEBUG [cn.banny.unidbg.linux.android.dvm.DvmClass] (DvmClass:53) - getMethodID name=android/app/Activity->getWindow()Landroid/view/Window;, hash=0x4333f814
[15:36:36 201] DEBUG [cn.banny.unidbg.linux.android.dvm.DalvikVM] (DalvikVM$17:264) - GetMethodID class=unicorn@0x755f7f39, methodName=getDecorView, args=()Landroid/view/View;
[15:36:36 201] DEBUG [cn.banny.unidbg.linux.android.dvm.DvmClass] (DvmClass:53) - getMethodID name=android/view/Window->getDecorView()Landroid/view/View;, hash=0xe50b5118
[15:36:36 202] DEBUG [cn.banny.unidbg.linux.android.dvm.DalvikVM] (DalvikVM$18:281) - CallObjectMethod object=unicorn@0x26ba2a48, jmethodID=unicorn@0x4333f814
[15:36:36 202] DEBUG [cn.banny.unidbg.linux.android.dvm.DvmMethod] (DvmMethod:41) - callObjectMethod signature=android/app/Activity->getWindow()Landroid/view/Window;
[15:36:36 202] DEBUG [cn.banny.unidbg.linux.android.dvm.DalvikVM] (DalvikVM$18:281) - CallObjectMethod object=unicorn@0x5f2050f6, jmethodID=unicorn@0xe50b5118
[15:36:36 202] DEBUG [cn.banny.unidbg.linux.android.dvm.DvmMethod] (DvmMethod:41) - callObjectMethod signature=android/view/Window->getDecorView()Landroid/view/View;
[15:36:36 202] DEBUG [cn.banny.unidbg.linux.android.dvm.DalvikVM] (DalvikVM$17:264) - GetMethodID class=unicorn@0x76f84423, methodName=getDeclaredMethod, args=(Ljava/lang/String;[Ljava/lang/Class;)Ljava/lang/reflect/Method;
[15:36:36 203] DEBUG [cn.banny.unidbg.linux.android.dvm.DvmClass] (DvmClass:53) - getMethodID name=java/lang/Class->getDeclaredMethod(Ljava/lang/String;[Ljava/lang/Class;)Ljava/lang/reflect/Method;, hash=0x46607d73
[15:36:36 203] DEBUG [cn.banny.unidbg.linux.android.dvm.DalvikVM] (DalvikVM$63:1114) - NewStringUTF bytes=unicorn@0x4086b8da[libsecuritybody.so]0x2b8da, string=getDeclaredField
[15:36:36 203] WARN [cn.banny.unidbg.AbstractEmulator] (AbstractEmulator:263) - emulate unicorn@0x4017d231[libmain.so]0x10231 exception sp=unicorn@0xbfffef6c, msg=Invalid memory fetch (UC_ERR_FETCH_UNMAPPED), offset=175ms
wua hash:4294967295, dvmObject=null, offset=1460ms
```
from unidbg.
@ydaniels You can use this example; I did not hit that sgmainso-6.4.152 error. TestSignso.tar.gz
from unidbg.
@linxiaozhi Send over your getSS test code so I can test it.
from unidbg.
@zhkl0228
Command 20102 hits "debugger break at: 0x2b0"
Command 10502 hits "debugger break at: 0xfffe0474"
ret = Native.callStaticJniMethod(emulator, "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;",
20102,
new ArrayObject(
new StringObject(vm, "1560601343"),
new StringObject(vm, "21646297"),
DvmInteger.valueOf(vm, 8),
null,
new StringObject(vm, "pageName=&pageId="),
DvmInteger.valueOf(vm, 0))
);
ret = Native.callStaticJniMethod(emulator, "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;",
10502,
new ArrayObject(
DvmInteger.valueOf(vm, 5),
new StringObject(vm, "LString"),
DvmBoolean.valueOf(vm, false),
new StringObject(vm, "sutdid"),
new StringObject(vm, "XKHv7CD9eo8DAEK9iP/JCGaG")
)
);
from unidbg.
Found the cause for command 10502: the called method was not handled properly.
from unidbg.
@linxiaozhi Taobao probably won't work; Taobao has emulator detection. Your approach can get the call to run, but it won't pass the check.
from unidbg.
@junges521 In my testing so far the emulator detection passes.
from unidbg.
@linxiaozhi, with Taobao's emulator detection, on login it pops up an annoying captcha where you drag an apple into a shopping cart.
from unidbg.
@linxiaozhi Can you successfully load libsgavmpso and then call command 60901?
from unidbg.
@linxiaozhi Can you successfully load libsgavmpso and then call command 60901?
Found the cause.
from unidbg.
java.lang.RuntimeException: java.lang.reflect.InvocationTargetException
Have you ever run into this exception?
from unidbg.
@linxiaozhi Can you successfully load libsgavmpso and then call command 60901?
Found the cause.
Brother, can you share what the cause was?
from unidbg.
@linxiaozhi Can you successfully load libsgavmpso and then call command 60901?
Found the cause.
I ran into this problem too; how did you solve it?
from unidbg.
Now there is a new problem.
The following code throws ArrayIndexOutOfBoundsException:
Number ret = Native.callStaticJniMethod(emulator, "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;", 10401, new ArrayObject(new ArrayObject(new StringObject(vm, "123"),new StringObject(vm, "456"),new StringObject(vm, String.valueOf("7")),new StringObject(vm, ""))) );
The following code throws NullPointerException:
Number ret = Native.callStaticJniMethod(emulator, "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;", 10602, new ArrayObject(new ArrayObject(context, new StringObject(vm, "0"))) );
[11:07:51 281] DEBUG [cn.banny.unidbg.AbstractEmulator] (AbstractEmulator:247) - emulate unicorn@0x4016368d[libc.so]0x1668d started sp=unicorn@0xbffff7e4
[11:07:51 340] DEBUG [cn.banny.unidbg.AbstractEmulator] (AbstractEmulator:275) - emulate unicorn@0x4016368d[libc.so]0x1668d finished sp=unicorn@0xbffff7e4, offset=56ms
[11:07:51 341] DEBUG [cn.banny.unidbg.AbstractEmulator] (AbstractEmulator:247) - emulate unicorn@0x4000cd25[libmain.so]0xcd25 started sp=unicorn@0xbffff7e4
[11:07:51 394] DEBUG [cn.banny.unidbg.AbstractEmulator] (AbstractEmulator:275) - emulate unicorn@0x4000cd25[libmain.so]0xcd25 finished sp=unicorn@0xbffff7e4, offset=53ms
[11:07:51 394] DEBUG [cn.banny.unidbg.AbstractEmulator] (AbstractEmulator:247) - emulate unicorn@0x4000e3ad[libmain.so]0xe3ad started sp=unicorn@0xbffff7e4
[11:07:51 399] WARN [cn.banny.unidbg.linux.ARMSyscallHandler] (ARMSyscallHandler:362) - handleInterrupt intno=2, NR=-1073744148, svcNumber=0x10e, PC=unicorn@0xfffe00bc, syscall=null
java.lang.NullPointerException
at cn.banny.unidbg.linux.android.dvm.DalvikVM$15.handle(DalvikVM.java:233)
at cn.banny.unidbg.linux.ARMSyscallHandler.hook(ARMSyscallHandler.java:87)
at unicorn.Unicorn.invokeInterruptCallbacks(Unicorn.java:123)
at unicorn.Unicorn.emu_start(Native Method)
at cn.banny.unidbg.AbstractEmulator.emulate(AbstractEmulator.java:249)
at cn.banny.unidbg.AbstractEmulator.eFunc(AbstractEmulator.java:340)
at cn.banny.unidbg.arm.AbstractARMEmulator.eFunc(AbstractARMEmulator.java:201)
at cn.banny.unidbg.linux.LinuxModule.emulateFunction(LinuxModule.java:154)
at cn.banny.unidbg.linux.android.dvm.DvmClass.callStaticJniMethod(DvmClass.java:140)
at com.test.sign.TestSignso.test(MoonSignV2so.java:86)
at com.test.sign.TestSignso.main(MoonSignV2so.java:77)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at com.intellij.rt.execution.application.AppMain.main(AppMain.java:144)
[11:07:51 401] DEBUG [cn.banny.unidbg.AbstractEmulator] (AbstractEmulator:275) - emulate unicorn@0x4000e3ad[libmain.so]0xe3ad finished sp=unicorn@0xbffff6dc, offset=7ms
hash:4294837784
destroyProcess finished with exit code 0
```java
public class TestSignso extends AbstractJni {
    private static LibraryResolver createLibraryResolver() {
        return new AndroidResolver(23);
    }

    private static ARMEmulator createARMEmulator() {
        return new AndroidARMEmulator("com.test.so");
    }

    private final ARMEmulator emulator;
    private final VM vm;
    private final Module module;
    private final DvmClass Native;

    private TestSignso() throws IOException {
        Logger.getLogger("cn.banny.unidbg.AbstractEmulator").setLevel(Level.ALL);
        emulator = createARMEmulator();
        final Memory memory = emulator.getMemory();
        memory.setLibraryResolver(createLibraryResolver());
        memory.setCallInitFunction();
        vm = emulator.createDalvikVM(null);
        vm.setJni(this);
        DalvikModule dm = vm.loadLibrary(new File("src/test/resources/example_binaries/libmain.so"), false);
        dm.callJNI_OnLoad(emulator);
        this.module = dm.getModule();
        Native = vm.resolveClass("com.taobao.wireless.security.adapter.JNICLibrary".replace(".", "/"));
    }

    private void destroy() throws IOException {
        emulator.close();
        System.out.println("destroy");
    }

    public static void main(String[] args) throws Exception {
        TestSignso test = new TestSignso();
        test.test();
        test.destroy();
    }

    private void test() throws IOException {
        DvmObject context = vm.resolveClass("android/content/Context").newObject(null);
        Number ret = Native.callStaticJniMethod(emulator, "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;", 10602,
                new ArrayObject(new ArrayObject(context, new StringObject(vm, "0"))));
        long hash = ret.intValue() & 0xffffffffL;
        System.out.println("hash:" + hash);
        StringObject obj = vm.getObject(hash);
        vm.deleteLocalRefs();
        System.out.println(obj.getValue());
    }
}
```
so file
libmain.so.zip
Friend, can you get x-sign through this? Mine returns null; is something wrong somewhere? Please give me a pointer.
from unidbg.
@linxiaozhi
Hello, have you got this signature working? If so, could you send me the project so I can learn from it?
from unidbg.
from unidbg.
I wonder whether this file of yours can still be downloaded.
from unidbg.
TestSignso.tar.gz
I wrote an example that runs through; handle the details yourself, there are still many details.
Uses the latest unidbg.
Could you write a runnable version with the latest code? With the latest version it still throws SecException.
```java
import com.github.unidbg.AndroidEmulator;
import com.github.unidbg.Emulator;
import com.github.unidbg.Module;
import com.github.unidbg.file.FileResult;
import com.github.unidbg.file.IOResolver;
import com.github.unidbg.file.linux.AndroidFileIO;
import com.github.unidbg.linux.android.AndroidARMEmulator;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.linux.android.dvm.*;
import com.github.unidbg.linux.android.dvm.Enumeration;
import com.github.unidbg.linux.android.dvm.api.*;
import com.github.unidbg.linux.android.dvm.api.ClassLoader;
import com.github.unidbg.linux.android.dvm.array.ArrayObject;
import com.github.unidbg.linux.android.dvm.array.ByteArray;
import com.github.unidbg.linux.android.dvm.wrapper.DvmBoolean;
import com.github.unidbg.linux.android.dvm.wrapper.DvmInteger;
import com.github.unidbg.linux.file.ByteArrayFileIO;
import com.github.unidbg.linux.file.DirectoryFileIO;
import com.github.unidbg.linux.file.MapsFileIO;
import com.github.unidbg.linux.file.SimpleFileIO;
import com.github.unidbg.memory.Memory;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

import java.io.File;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

public class Taobao extends AbstractJni implements IOResolver {
    private final AndroidEmulator emulator;
    private final VM vm;
    private final Module module;
    private final DvmClass Native;
    private final boolean logging;

    Taobao(boolean logging) throws IOException {
        this.logging = logging;
        // create the emulator instance; choose 32-bit or 64-bit emulation here
        emulator = AndroidEmulatorBuilder.for32Bit().setProcessName("com.tmall.wireless").build();
        final Memory memory = emulator.getMemory(); // memory interface of the emulator
        memory.setLibraryResolver(new AndroidResolver(23)); // resolver for the system libraries
        emulator.getSyscallHandler().addIOResolver(this); // register this IOResolver so resolve() below is consulted for file opens
        vm = emulator.createDalvikVM(APK_FILE); // create the Android (Dalvik) VM
        vm.setVerbose(logging); // whether to print JNI call details
        vm.setJni(this);
        DalvikModule dm = vm.loadLibrary(new File("unidbg-android/src/test/resources/taobao/libsgmainso-6.4.152.so"), false); // load the .so into unicorn's virtual memory; after a successful load, init_array etc. are called by default
        dm.callJNI_OnLoad(emulator); // run JNI_OnLoad manually
        module = dm.getModule(); // the loaded .so is represented as a Module
        Native = vm.resolveClass("com.taobao.wireless.security.adapter.JNICLibrary".replace(".", "/"));
    }

    private static final String APK_INSTALL_PATH = "/data/app/test.apk";
    private static final File APK_FILE = new File("unidbg-android/src/test/resources/taobao/taobao8.8.apk");

    @Override
    public FileResult<AndroidFileIO> resolve(Emulator<AndroidFileIO> emulator, String pathname, int oflags) {
        if (pathname.equals(APK_INSTALL_PATH)) {
            return FileResult.<AndroidFileIO>success(new SimpleFileIO(oflags, APK_FILE, pathname));
        }
        if (("/proc/self/status").equals(pathname)) {
            return FileResult.<AndroidFileIO>success(new ByteArrayFileIO(oflags, pathname, (emulator.getPid() + " (a.out) R 6723 6873 6723 34819 6873 8388608 77 0 0 0 41958 31 0 0 25 0 3 0 5882654 1409024 56 4294967295 134512640 134513720 3215579040 0 2097798 0 0 0 0 0 0 0 17 0 0 0\n").getBytes()));
        }
        if (("/proc/" + emulator.getPid() + "/stat").equals(pathname)) {
            return FileResult.<AndroidFileIO>success(new ByteArrayFileIO(oflags, pathname, (emulator.getPid() + " (a.out) R 6723 6873 6723 34819 6873 8388608 77 0 0 0 41958 31 0 0 25 0 3 0 5882654 1409024 56 4294967295 134512640 134513720 3215579040 0 2097798 0 0 0 0 0 0 0 17 0 0 0\n").getBytes()));
        }
        if (("/proc/" + emulator.getPid() + "/wchan").equals(pathname)) {
            return FileResult.<AndroidFileIO>success(new ByteArrayFileIO(oflags, pathname, "sys_epoll".getBytes()));
        }
        return null;
    }

    private void destroy() throws IOException {
        emulator.close();
        System.out.println("destroy");
    }

    public static void main(String[] args) throws Exception {
        Taobao test = new Taobao(true);
        test.test();
        test.destroy();
    }

    private void test() {
        DvmObject context = vm.resolveClass("android/content/Context").newObject(null);
        long start = System.currentTimeMillis();
        int hash = Native.callStaticJniMethodInt(emulator, "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;",
                10101,
                new ArrayObject(context, DvmInteger.valueOf(vm, 3), new StringObject(vm, ""), new StringObject(vm, new File("target/app_SGLib").getAbsolutePath()), new StringObject(vm, ""))
        );
        DvmObject dvmObject = vm.getObject(hash);
        System.out.println("hash:" + hash + ", dvmObject=" + dvmObject + ", offset=" + (System.currentTimeMillis() - start) + "ms");
        // Map<String, String> map = new HashMap<>();
        // map.put("INPUT", "XPDlGfM+zOoDAMHyPLa9+Okq&&&21646297&99914b932bd37a50b983c5e7c90ae93b&1560149480&mtop.common.gettimestamp&*&&231200@taobao_android_8.8.0&AjA1TIyT9T8vcuFw8Osrli35ALbE3ZW2SHLZNuihw8Ku&&&27&&&&&&&");
        // start = System.currentTimeMillis();
        // DvmObject res = Native.callStaticJniMethodObject(emulator, "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;",
        //         10401,
        //         new ArrayObject(vm.resolveClass("java/util/HashMap").newObject(map),
        //                 new StringObject(vm, "21646297"), DvmInteger.valueOf(vm, 7), null, DvmBoolean.valueOf(vm, true)));
        //
        //
        // System.out.println("dvmObject=" + res + ", offset=" + (System.currentTimeMillis() - start) + "ms");
    }

    @Override
    public DvmObject<?> callStaticObjectMethod(BaseVM vm, DvmClass dvmClass, String signature, VarArg varArg) {
        switch (signature) {
            case "com/alibaba/wireless/security/mainplugin/SecurityGuardMainPlugin->getMainPluginClassLoader()Ljava/lang/ClassLoader;":
                return vm.resolveClass("java/lang/ClassLoader").newObject(null);
            case "com/taobao/wireless/security/adapter/common/SPUtility2->readFromSPUnified(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;":
                StringObject a1 = varArg.getObject(0);
                StringObject a2 = varArg.getObject(1);
                StringObject a3 = varArg.getObject(2);
                System.out.println("readFromSPUnified a1=" + a1 + ", a2=" + a2 + ", a3=" + a3);
                return null;
            case "com/taobao/wireless/security/adapter/datacollection/DeviceInfoCapturer->doCommandForString(I)Ljava/lang/String;":
                int value = varArg.getInt(0);
                System.out.println("com/taobao/wireless/security/adapter/datacollection/DeviceInfoCapturer->doCommandForString value=" + value);
                return null;
        }
        return super.callStaticObjectMethod(vm, dvmClass, signature, varArg);
    }

    @Override
    public DvmObject<?> newObject(BaseVM vm, DvmClass dvmClass, String signature, VarArg varArg) {
        switch (signature) {
            case "com/alibaba/wireless/security/open/SecException-><init>(Ljava/lang/String;I)V": {
                StringObject msg = varArg.getObject(0);
                int value = varArg.getInt(1);
                System.out.println("\n------------------------------\n" + msg.getValue() + "\n------------------------------\n");
                return dvmClass.newObject(msg.getValue() + "[" + value + "]");
            }
            case "java/lang/Integer-><init>(I)V":
                int value = varArg.getInt(0);
                return DvmInteger.valueOf(vm, value);
        }
        return super.newObject(vm, dvmClass, signature, varArg);
    }

    @Override
    public DvmObject<?> callObjectMethod(BaseVM vm, DvmObject<?> dvmObject, String signature, VarArg varArg) {
        switch (signature) {
            case "java/util/HashMap->keySet()Ljava/util/Set;": {
                HashMap map = (HashMap) dvmObject.getValue();
                return vm.resolveClass("java/util/Set").newObject(map.keySet());
            }
            case "java/util/Set->toArray()[Ljava/lang/Object;":
                Set set = (Set) dvmObject.getValue();
                Object[] array = set.toArray();
                DvmObject[] objects = new DvmObject[array.length];
                for (int i = 0; i < array.length; i++) {
                    if (array[i] instanceof String) {
                        objects[i] = new StringObject(vm, (String) array[i]);
                    } else {
                        throw new IllegalStateException("array=" + array[i]);
                    }
                }
                return new ArrayObject(objects);
            case "java/util/HashMap->get(Ljava/lang/Object;)Ljava/lang/Object;": {
                HashMap map = (HashMap) dvmObject.getValue();
                Object key = varArg.getObject(0).getValue();
                Object obj = map.get(key);
                if (obj instanceof String) {
                    return new StringObject(vm, (String) obj);
                } else {
                    throw new IllegalStateException("array=" + obj);
                }
            }
            case "android/content/Context->getPackageCodePath()Ljava/lang/String;":
                return new StringObject(vm, APK_INSTALL_PATH);
            case "android/content/Context->getFilesDir()Ljava/io/File;":
                return vm.resolveClass("java/io/File").newObject(new File("target"));
            case "java/io/File->getAbsolutePath()Ljava/lang/String;":
                File file = (File) dvmObject.getValue();
                return new StringObject(vm, file.getAbsolutePath());
        }
        return super.callObjectMethod(vm, dvmObject, signature, varArg);
    }

    @Override
    public void callStaticVoidMethod(BaseVM vm, DvmClass dvmClass, String signature, VarArg varArg) {
        switch (signature) {
            case "com/taobao/dp/util/CallbackHelper->onCallBack(ILjava/lang/String;I)V":
                int i1 = varArg.getInt(0);
                StringObject str = varArg.getObject(1);
                int i2 = varArg.getInt(2);
                System.out.println("com/taobao/dp/util/CallbackHelper->onCallBack i1=" + i1 + ", str=" + str + ", i2=" + i2);
                return;
            case "com/alibaba/wireless/security/open/edgecomputing/ECMiscInfo->registerAppLifeCyCleCallBack()V":
                System.out.println("registerAppLifeCyCleCallBack");
                return;
        }
        super.callStaticVoidMethod(vm, dvmClass, signature, varArg);
    }

    @Override
    public DvmObject<?> getObjectField(BaseVM vm, DvmObject<?> dvmObject, String signature) {
        switch (signature) {
            case "android/content/pm/ApplicationInfo->nativeLibraryDir:Ljava/lang/String;":
                return new StringObject(vm, new File("target").getAbsolutePath());
        }
        return super.getObjectField(vm, dvmObject, signature);
    }

    @Override
    public int callStaticIntMethod(BaseVM vm, DvmClass dvmClass, String signature, VarArg varArg) {
        switch (signature) {
            case "com/alibaba/wireless/security/framework/utils/UserTrackMethodJniBridge->utAvaiable()I":
                return 1;
            case "com/taobao/wireless/security/adapter/common/SPUtility2->saveToFileUnifiedForNative(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Z)I":
                StringObject a1 = varArg.getObject(0);
                StringObject a2 = varArg.getObject(1);
                StringObject a3 = varArg.getObject(2);
                boolean b4 = varArg.getInt(3) != 0;
                System.out.println("saveToFileUnifiedForNative a1=" + a1 + ", a2=" + a2 + ", a3=" + a3 + ", b4=" + b4);
                // no return here: falls through to super, which handles unmodelled signatures
        }
        return super.callStaticIntMethod(vm, dvmClass, signature, varArg);
    }
}
```
JNIEnv->FindClass(java/lang/Boolean) was called from RX@0x400b3099[libmain.so]0xb3099
JNIEnv->FindClass(java/lang/Integer) was called from RX@0x400b30b3[libmain.so]0xb30b3
JNIEnv->FindClass(java/lang/String) was called from RX@0x400b30cd[libmain.so]0xb30cd
JNIEnv->FindClass(com/taobao/wireless/security/adapter/common/HttpUtil) was called from RX@0x400aa5fb[libmain.so]0xaa5fb
JNIEnv->FindClass(com/taobao/wireless/security/adapter/umid/UmidAdapter) was called from RX@0x400aac2f[libmain.so]0xaac2f
JNIEnv->FindClass(com/taobao/wireless/security/adapter/JNICLibrary) was called from RX@0x4000fed5[libmain.so]0xfed5
JNIEnv->FindClass(com/taobao/wireless/security/adapter/common/SPUtility2) was called from RX@0x400a93bb[libmain.so]0xa93bb
JNIEnv->FindClass(com/taobao/wireless/security/adapter/datacollection/DeviceInfoCapturer) was called from RX@0x40013c63[libmain.so]0x13c63
JNIEnv->FindClass(com/taobao/wireless/security/adapter/datareport/DataReportJniBridge) was called from RX@0x40017c7d[libmain.so]0x17c7d
JNIEnv->FindClass(android/content/Context) was called from RX@0x400b9107[libmain.so]0xb9107
JNIEnv->FindClass(android/content/pm/PackageManager) was called from RX@0x400b9107[libmain.so]0xb9107
JNIEnv->FindClass(android/content/pm/PackageInfo) was called from RX@0x400b9107[libmain.so]0xb9107
JNIEnv->FindClass(android/content/pm/ApplicationInfo) was called from RX@0x400b9107[libmain.so]0xb9107
JNIEnv->FindClass(android/provider/Settings$Secure) was called from RX@0x400b9107[libmain.so]0xb9107
JNIEnv->FindClass(java/util/List) was called from RX@0x400b9107[libmain.so]0xb9107
JNIEnv->FindClass(android/net/wifi/WifiConfiguration) was called from RX@0x400b9107[libmain.so]0xb9107
JNIEnv->FindClass(android/net/wifi/WifiManager) was called from RX@0x400b9107[libmain.so]0xb9107
JNIEnv->FindClass(android/net/DhcpInfo) was called from RX@0x400b9107[libmain.so]0xb9107
JNIEnv->FindClass(com/taobao/dp/util/ZipUtils) was called from RX@0x4003736b[libmain.so]0x3736b
JNIEnv->FindClass(com/taobao/dp/util/CallbackHelper) was called from RX@0x400373af[libmain.so]0x373af
JNIEnv->FindClass(android/content/Context) was called from RX@0x400374cb[libmain.so]0x374cb
JNIEnv->FindClass(android/content/pm/PackageManager) was called from RX@0x400374ff[libmain.so]0x374ff
JNIEnv->FindClass(android/content/pm/PackageInfo) was called from RX@0x40037535[libmain.so]0x37535
JNIEnv->FindClass(android/content/pm/ApplicationInfo) was called from RX@0x4003759d[libmain.so]0x3759d
JNIEnv->FindClass(android/os/Environment) was called from RX@0x4003871d[libmain.so]0x3871d
JNIEnv->FindClass(java/io/File) was called from RX@0x4003875b[libmain.so]0x3875b
JNIEnv->FindClass(android/content/Context) was called from RX@0x400387ab[libmain.so]0x387ab
JNIEnv->FindClass(com/alibaba/wireless/security/mainplugin/SecurityGuardMainPlugin) was called from RX@0x400569c9[libmain.so]0x569c9
JNIEnv->CallStaticObjectMethod(class com/alibaba/wireless/security/mainplugin/SecurityGuardMainPlugin, getMainPluginClassLoader()Ljava/lang/ClassLoader;) was called from RX@0x40056a13[libmain.so]0x56a13
JNIEnv->FindClass(com/alibaba/wireless/security/open/edgecomputing/ECMiscInfo) was called from RX@0x40056421[libmain.so]0x56421
JNIEnv->FindClass(com/alibaba/wireless/security/framework/utils/UserTrackMethodJniBridge) was called from RX@0x400289bb[libmain.so]0x289bb
JNIEnv->RegisterNatives(com/taobao/wireless/security/adapter/JNICLibrary, unidbg@0xbffff6d8, 1) was called from RX@0x400104e9[libmain.so]0x104e9
RegisterNative(com/taobao/wireless/security/adapter/JNICLibrary, doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;, RX@0x40010231[libmain.so]0x10231)
JNIEnv->FindClass(java/lang/Integer) was called from RX@0x400b4b77[libmain.so]0xb4b77
JNIEnv->FindClass(java/lang/Float) was called from RX@0x400b4b77[libmain.so]0xb4b77
JNIEnv->FindClass(java/lang/String) was called from RX@0x400b4b77[libmain.so]0xb4b77
JNIEnv->FindClass([B) was called from RX@0x400b4b77[libmain.so]0xb4b77
JNIEnv->FindClass(java/util/HashMap) was called from RX@0x400b4b77[libmain.so]0xb4b77
JNIEnv->FindClass(java/util/Set) was called from RX@0x400b4b77[libmain.so]0xb4b77
Find native function Java_com_taobao_wireless_security_adapter_JNICLibrary_doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object; => RX@0x40010231[libmain.so]0x10231
JNIEnv->GetObjectArrayElement([android.content.Context@4141d797, 0x3, "", "/home/cyoung/github/unidbg/target/app_SGLib", ""], 0) was called from RX@0x40010787[libmain.so]0x10787
JNIEnv->GetObjectArrayElement([android.content.Context@4141d797, 0x3, "", "/home/cyoung/github/unidbg/target/app_SGLib", ""], 1) was called from RX@0x400b4861[libmain.so]0xb4861
JNIEnv->CallIntMethod(java/lang/Integer, intValue()I => 0x3) was called from RX@0x400107b3[libmain.so]0x107b3
JNIEnv->CallObjectMethod(android/content/Context, getPackageCodePath()Ljava/lang/String; => "/data/app/test.apk") was called from RX@0x4001135b[libmain.so]0x1135b
JNIEnv->GetStringUtfChars("/data/app/test.apk") was called from RX@0x400b32f5[libmain.so]0xb32f5
JNIEnv->ReleaseStringUTFChars("/data/app/test.apk") was called from RX@0x400b333f[libmain.so]0xb333f
JNIEnv->CallObjectMethod(android/content/Context, getFilesDir()Ljava/io/File; => java.io.File@19e1023e) was called from RX@0x400114c5[libmain.so]0x114c5
JNIEnv->CallObjectMethod(java/io/File, getAbsolutePath()Ljava/lang/String; => "/home/cyoung/github/unidbg/target") was called from RX@0x40011509[libmain.so]0x11509
JNIEnv->GetStringUtfChars("/home/cyoung/github/unidbg/target") was called from RX@0x400b32f5[libmain.so]0xb32f5
JNIEnv->ReleaseStringUTFChars("/home/cyoung/github/unidbg/target") was called from RX@0x400b333f[libmain.so]0xb333f
JNIEnv->CallObjectMethod(android/content/Context, getApplicationInfo()Landroid/content/pm/ApplicationInfo; => android.content.pm.ApplicationInfo@64b8f8f4) was called from RX@0x40011737[libmain.so]0x11737
JNIEnv->GetObjectField(android.content.pm.ApplicationInfo@64b8f8f4, nativeLibraryDir Ljava/lang/String; => "/home/cyoung/github/unidbg/target") was called from RX@0x400117df[libmain.so]0x117df
JNIEnv->GetStringUtfChars("/home/cyoung/github/unidbg/target") was called from RX@0x400b32f5[libmain.so]0xb32f5
JNIEnv->ReleaseStringUTFChars("/home/cyoung/github/unidbg/target") was called from RX@0x400b333f[libmain.so]0xb333f
JNIEnv->GetObjectArrayElement([android.content.Context@4141d797, 0x3, "", "/home/cyoung/github/unidbg/target/app_SGLib", ""], 2) was called from RX@0x400b4829[libmain.so]0xb4829
JNIEnv->GetStringUtfChars("") was called from RX@0x400b3367[libmain.so]0xb3367
JNIEnv->ReleaseStringUTFChars("") was called from RX@0x400b337d[libmain.so]0xb337d
JNIEnv->GetObjectArrayElement([android.content.Context@4141d797, 0x3, "", "/home/cyoung/github/unidbg/target/app_SGLib", ""], 3) was called from RX@0x400b4829[libmain.so]0xb4829
JNIEnv->GetStringUtfChars("/home/cyoung/github/unidbg/target/app_SGLib") was called from RX@0x400b3367[libmain.so]0xb3367
JNIEnv->ReleaseStringUTFChars("/home/cyoung/github/unidbg/target/app_SGLib") was called from RX@0x400b337d[libmain.so]0xb337d
JNIEnv->GetObjectArrayElement([android.content.Context@4141d797, 0x3, "", "/home/cyoung/github/unidbg/target/app_SGLib", ""], 4) was called from RX@0x400b4829[libmain.so]0xb4829
JNIEnv->GetStringUtfChars("") was called from RX@0x400b3367[libmain.so]0xb3367
JNIEnv->ReleaseStringUTFChars("") was called from RX@0x400b337d[libmain.so]0xb337d
JNIEnv->FindClass(com/taobao/wireless/security/adapter/datareport/DataReportJniBridge) was called from RX@0x4002202d[libmain.so]0x2202d
JNIEnv->FindClass(com/taobao/wireless/security/adapter/datareport/DataReportJniBridge) was called from RX@0x40025377[libmain.so]0x25377
[16:21:40 476] INFO [com.github.unidbg.linux.ARM32SyscallHandler] (ARM32SyscallHandler:810) - pthread_clone child_stack=RW@0x403fe930, thread_id=1, fn=RX@0x401bd7f5[libc.so]0x3f7f5, arg=RW@0x403fe930, flags=[CLONE_VM, CLONE_FS, CLONE_FILES, CLONE_SIGHAND, CLONE_THREAD, CLONE_SYSVSEM, CLONE_SETTLS, CLONE_PARENT_SETTID, CLONE_CHILD_CLEARTID]
[16:21:40 554] INFO [com.github.unidbg.linux.ARM32SyscallHandler] (ARM32SyscallHandler:1038) - stat64 pathname=/data/app/test.apk, LR=RX@0x4000f471[libmain.so]0xf471
[16:21:40 554] INFO [com.github.unidbg.linux.ARM32SyscallHandler] (ARM32SyscallHandler:1825) - faccessat dirfd=-100, pathname=/home/cyoung/github/unidbg/target/storage/com.taobao.maindex, oflags=0x0, mode=0
[16:21:40 628] INFO [com.github.unidbg.linux.ARM32SyscallHandler] (ARM32SyscallHandler:810) - pthread_clone child_stack=RW@0x404fd930, thread_id=2, fn=RX@0x401bd7f5[libc.so]0x3f7f5, arg=RW@0x404fd930, flags=[CLONE_VM, CLONE_FS, CLONE_FILES, CLONE_SIGHAND, CLONE_THREAD, CLONE_SYSVSEM, CLONE_SETTLS, CLONE_PARENT_SETTID, CLONE_CHILD_CLEARTID]
[16:21:40 639] INFO [com.github.unidbg.linux.ARM32SyscallHandler] (ARM32SyscallHandler:810) - pthread_clone child_stack=RW@0x405fc930, thread_id=3, fn=RX@0x401bd7f5[libc.so]0x3f7f5, arg=RW@0x405fc930, flags=[CLONE_VM, CLONE_FS, CLONE_FILES, CLONE_SIGHAND, CLONE_THREAD, CLONE_SYSVSEM, CLONE_SETTLS, CLONE_PARENT_SETTID, CLONE_CHILD_CLEARTID]
[16:21:40 648] INFO [com.github.unidbg.linux.ARM32SyscallHandler] (ARM32SyscallHandler:810) - pthread_clone child_stack=RW@0x406fb930, thread_id=4, fn=RX@0x401bd7f5[libc.so]0x3f7f5, arg=RW@0x406fb930, flags=[CLONE_VM, CLONE_FS, CLONE_FILES, CLONE_SIGHAND, CLONE_THREAD, CLONE_SYSVSEM, CLONE_SETTLS, CLONE_PARENT_SETTID, CLONE_CHILD_CLEARTID]
[16:21:40 669] INFO [com.github.unidbg.linux.ARM32SyscallHandler] (ARM32SyscallHandler:1038) - stat64 pathname=/home/cyoung/github/unidbg/target/Q0VSVC5SU0EK.txt, LR=RX@0x4007331f[libmain.so]0x7331f
[16:21:40 686] INFO [com.github.unidbg.linux.ARM32SyscallHandler] (ARM32SyscallHandler:1886) - openat dirfd=-100, pathname=/data/app/test.apk, oflags=0x20000, mode=0
[16:21:40 687] INFO [com.github.unidbg.linux.ARM32SyscallHandler] (ARM32SyscallHandler:1886) - openat dirfd=-100, pathname=/data/app/test.apk, oflags=0x20000, mode=0
[16:21:40 689] INFO [com.github.unidbg.linux.ARM32SyscallHandler] (ARM32SyscallHandler:1886) - openat dirfd=-100, pathname=/data/app/test.apk, oflags=0x20000, mode=0
JNIEnv->FindClass(com/alibaba/wireless/security/open/SecException) was called from RX@0x400b37d3[libmain.so]0xb37d3
JNIEnv->NewStringUTF("") was called from RX@0x400b37f7[libmain.so]0xb37f7
JNIEnv->NewObject(com/alibaba/wireless/security/open/SecException, ) was called from RX@0x400b380b[libmain.so]0xb380b
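The crashes reported throughout this thread (NullPointerException and BackendException out of DalvikVM handlers, a native call that "keeps returning null", a SecException constructed by the library) all have the same diagnostic shape: the native code made a JNI callback or a file probe that the harness did not model, and the stack trace names the unidbg handler rather than the signature in flight. The class below is an added example written for this thread; it is not code from any of the posts or from the unidbg project. It uses the same com.github.unidbg API the Taobao class above uses and adds three things: it records every JNI callback and every path the library opens, in order, so the last entries before a failure identify the missing stub; it collects the signatures AbstractJni itself could not handle (those surface as UnsupportedOperationException); and it passes doCommandNative a single flat argument array, which is how the GetObjectArrayElement lines in the trace above show the native reading its arguments. The process name, the file paths and the lack of any /proc spoofing are assumptions of this example (resolve() only logs and returns null so unidbg's default file handling applies); the JNI class name and command 10101 are the ones used in the thread. Registering the resolver with the syscall handler is required, or resolve() is never called.

```java
import com.github.unidbg.AndroidEmulator;
import com.github.unidbg.Emulator;
import com.github.unidbg.file.FileResult;
import com.github.unidbg.file.IOResolver;
import com.github.unidbg.file.linux.AndroidFileIO;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.linux.android.dvm.AbstractJni;
import com.github.unidbg.linux.android.dvm.BaseVM;
import com.github.unidbg.linux.android.dvm.DalvikModule;
import com.github.unidbg.linux.android.dvm.DvmClass;
import com.github.unidbg.linux.android.dvm.DvmObject;
import com.github.unidbg.linux.android.dvm.StringObject;
import com.github.unidbg.linux.android.dvm.VM;
import com.github.unidbg.linux.android.dvm.VaList;
import com.github.unidbg.linux.android.dvm.VarArg;
import com.github.unidbg.linux.android.dvm.array.ArrayObject;
import com.github.unidbg.linux.android.dvm.wrapper.DvmInteger;
import java.io.File;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.function.Supplier;

/** Added diagnostic harness (example, not unidbg code): records every JNI callback and file probe. */
public class JniTraceHarness extends AbstractJni implements IOResolver<AndroidFileIO> {
    final AndroidEmulator emulator;
    final VM vm;
    private final DvmClass nativeClass;
    private final List<String> calls = new ArrayList<>();     // every callback and file open, in order
    private final List<String> unhandled = new ArrayList<>(); // signatures AbstractJni has no stub for

    JniTraceHarness(File so, File apk, String jniClass) throws IOException {
        emulator = AndroidEmulatorBuilder.for32Bit().setProcessName("com.example.harness").build(); // assumed name
        emulator.getMemory().setLibraryResolver(new AndroidResolver(23));
        emulator.getSyscallHandler().addIOResolver(this); // without this registration resolve() is never consulted
        vm = emulator.createDalvikVM(apk);
        vm.setVerbose(true);
        vm.setJni(this);
        DalvikModule dm = vm.loadLibrary(so, false);
        dm.callJNI_OnLoad(emulator);
        nativeClass = vm.resolveClass(jniClass.replace('.', '/'));
    }

    /** Calls doCommandNative(int, Object[]) with ONE flat argument array and reports a null result. */
    DvmObject<?> callCommand(int command, DvmObject<?>... args) {
        DvmObject<?> result = nativeClass.callStaticJniMethodObject(emulator,
                "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;", command, new ArrayObject(args));
        if (result == null) {
            System.out.println("command " + command + " returned null; last callbacks: " + tail(5));
        }
        return result;
    }

    List<String> tail(int n) {
        return calls.subList(Math.max(0, calls.size() - n), calls.size());
    }

    /* Record every path the library opens; returning null falls back to unidbg's default file handling. */
    @Override
    public FileResult<AndroidFileIO> resolve(Emulator<AndroidFileIO> emulator, String pathname, int oflags) {
        calls.add("open " + pathname + " oflags=0x" + Integer.toHexString(oflags));
        return null;
    }

    /* Each JNI callback is recorded before delegating; an UnsupportedOperationException from AbstractJni
       means the signature still needs a hand-written stub, so it is collected separately and rethrown. */
    private <T> T record(String kind, String signature, Supplier<T> delegate) {
        calls.add(kind + " " + signature);
        try { return delegate.get(); }
        catch (UnsupportedOperationException e) { unhandled.add(signature); throw e; }
    }

    @Override
    public DvmObject<?> callStaticObjectMethod(BaseVM vm, DvmClass dvmClass, String signature, VarArg varArg) {
        return record("callStaticObjectMethod", signature, () -> super.callStaticObjectMethod(vm, dvmClass, signature, varArg));
    }

    @Override
    public DvmObject<?> callObjectMethod(BaseVM vm, DvmObject<?> dvmObject, String signature, VarArg varArg) {
        return record("callObjectMethod", signature, () -> super.callObjectMethod(vm, dvmObject, signature, varArg));
    }

    @Override
    public DvmObject<?> callObjectMethodV(BaseVM vm, DvmObject<?> dvmObject, String signature, VaList vaList) {
        return record("callObjectMethodV", signature, () -> super.callObjectMethodV(vm, dvmObject, signature, vaList));
    }

    public static void main(String[] args) throws IOException {
        JniTraceHarness h = new JniTraceHarness(new File("path/to/libmain.so"), new File("path/to/app.apk"), // placeholders
                "com.taobao.wireless.security.adapter.JNICLibrary");
        try {
            DvmObject<?> context = h.vm.resolveClass("android/content/Context").newObject(null);
            DvmObject<?> r = h.callCommand(10101, context, DvmInteger.valueOf(h.vm, 3), new StringObject(h.vm, ""),
                    new StringObject(h.vm, new File("target/app_SGLib").getAbsolutePath()), new StringObject(h.vm, ""));
            System.out.println("result=" + r);
        } catch (RuntimeException e) {
            // The last recorded entries name the JNI call or file probe in flight when emulation failed.
            System.out.println("native call failed: " + e + "; last callbacks: " + h.tail(5));
        } finally {
            System.out.println("unhandled signatures: " + h.unhandled);
            h.emulator.close();
        }
    }
}
```

The same record() wrapper can be applied to the other AbstractJni callbacks a library turns out to need (callStaticIntMethod, newObject, getObjectField, and so on); only the three that dominate the traces in this thread are shown. Reading the "unhandled signatures" list after a run gives the exact set of stubs to write next, which is a more reliable guide than the DalvikVM$NN frame in the stack trace.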
from unidbg.
Taobao 9.0.1: this unidbg setup of yours no longer runs through, it keeps returning null. Could some expert take a look!!! @zhkl0228
from unidbg.
[19:51:16 930] WARN [com.github.unidbg.linux.ARM64SyscallHandler] (ARM64SyscallHandler:313) - handleInterrupt intno=2, NR=-130448, svcNumber=0x11e, PC=unidbg@0xfffe0274, LR=RX@0x400da418[libmain.so]0xda418, syscall=null
com.github.unidbg.arm.backend.BackendException
at com.github.unidbg.linux.android.dvm.DalvikVM64$31.handle(DalvikVM64.java:499)
at com.github.unidbg.linux.ARM64SyscallHandler.hook(ARM64SyscallHandler.java:92)
at com.github.unidbg.arm.backend.UnicornBackend$10.hook(UnicornBackend.java:323)
at unicorn.Unicorn$NewHook.onInterrupt(Unicorn.java:128)
at unicorn.Unicorn.emu_start(Native Method)
at com.github.unidbg.arm.backend.UnicornBackend.emu_start(UnicornBackend.java:354)
at com.github.unidbg.AbstractEmulator.emulate(AbstractEmulator.java:370)
at com.github.unidbg.AbstractEmulator.eFunc(AbstractEmulator.java:446)
at com.github.unidbg.arm.AbstractARM64Emulator.eFunc(AbstractARM64Emulator.java:220)
at com.github.unidbg.Module.emulateFunction(Module.java:159)
at com.github.unidbg.linux.android.dvm.DvmObject.callJniMethod(DvmObject.java:133)
at com.github.unidbg.linux.android.dvm.DvmClass.callStaticJniMethodObject(DvmClass.java:292)
at com.taobao.taobao.XSign.getXSign(XSign.java:180)
at com.taobao.taobao.XSign.main(XSign.java:107)
[19:51:16 933] WARN [com.github.unidbg.AbstractEmulator] (AbstractEmulator:389) - emulate RX@0x40016bc0[libmain.so]0x16bc0 exception sp=unidbg@0xbfffdc00, msg=null, offset=99ms @zhkl0228 could you help take a look?
from unidbg.
Hi guys, I have one question about this library. Is it possible to use this lib on Windows, through Java, like install Java, load the library there and have access from my C# by the Java API or something?
from unidbg.