
Object... invocation problem about unidbg (CLOSED, 45 comments)

zhkl0228 commented on July 16, 2024

Object... invocation problem

from unidbg.

Comments (45)

zhkl0228 commented on July 16, 2024

Use ArrayObject.

linxiaozhi commented on July 16, 2024

Now there is a new problem.

The following code throws ArrayIndexOutOfBoundsException:

```java
Number ret = Native.callStaticJniMethod(emulator, "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;", 10401,
        new ArrayObject(new ArrayObject(new StringObject(vm, "123"), new StringObject(vm, "456"), new StringObject(vm, String.valueOf("7")), new StringObject(vm, ""))));
```

The following code throws NullPointerException:

```java
Number ret = Native.callStaticJniMethod(emulator, "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;", 10602,
        new ArrayObject(new ArrayObject(context, new StringObject(vm, "0"))));
```

```text
[11:07:51 281] DEBUG [cn.banny.unidbg.AbstractEmulator] (AbstractEmulator:247) - emulate unicorn@0x4016368d[libc.so]0x1668d started sp=unicorn@0xbffff7e4
[11:07:51 340] DEBUG [cn.banny.unidbg.AbstractEmulator] (AbstractEmulator:275) - emulate unicorn@0x4016368d[libc.so]0x1668d finished sp=unicorn@0xbffff7e4, offset=56ms
[11:07:51 341] DEBUG [cn.banny.unidbg.AbstractEmulator] (AbstractEmulator:247) - emulate unicorn@0x4000cd25[libmain.so]0xcd25 started sp=unicorn@0xbffff7e4
[11:07:51 394] DEBUG [cn.banny.unidbg.AbstractEmulator] (AbstractEmulator:275) - emulate unicorn@0x4000cd25[libmain.so]0xcd25 finished sp=unicorn@0xbffff7e4, offset=53ms
[11:07:51 394] DEBUG [cn.banny.unidbg.AbstractEmulator] (AbstractEmulator:247) - emulate unicorn@0x4000e3ad[libmain.so]0xe3ad started sp=unicorn@0xbffff7e4
[11:07:51 399] WARN [cn.banny.unidbg.linux.ARMSyscallHandler] (ARMSyscallHandler:362) - handleInterrupt intno=2, NR=-1073744148, svcNumber=0x10e, PC=unicorn@0xfffe00bc, syscall=null
java.lang.NullPointerException
    at cn.banny.unidbg.linux.android.dvm.DalvikVM$15.handle(DalvikVM.java:233)
    at cn.banny.unidbg.linux.ARMSyscallHandler.hook(ARMSyscallHandler.java:87)
    at unicorn.Unicorn.invokeInterruptCallbacks(Unicorn.java:123)
    at unicorn.Unicorn.emu_start(Native Method)
    at cn.banny.unidbg.AbstractEmulator.emulate(AbstractEmulator.java:249)
    at cn.banny.unidbg.AbstractEmulator.eFunc(AbstractEmulator.java:340)
    at cn.banny.unidbg.arm.AbstractARMEmulator.eFunc(AbstractARMEmulator.java:201)
    at cn.banny.unidbg.linux.LinuxModule.emulateFunction(LinuxModule.java:154)
    at cn.banny.unidbg.linux.android.dvm.DvmClass.callStaticJniMethod(DvmClass.java:140)
    at com.test.sign.TestSignso.test(MoonSignV2so.java:86)
    at com.test.sign.TestSignso.main(MoonSignV2so.java:77)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at com.intellij.rt.execution.application.AppMain.main(AppMain.java:144)
[11:07:51 401] DEBUG [cn.banny.unidbg.AbstractEmulator] (AbstractEmulator:275) - emulate unicorn@0x4000e3ad[libmain.so]0xe3ad finished sp=unicorn@0xbffff6dc, offset=7ms
hash:4294837784
destroy

Process finished with exit code 0
```

```java
// Imports added for the cn.banny-era unidbg package layout seen in the stack traces above.
import java.io.File;
import java.io.IOException;

import org.apache.log4j.Level;
import org.apache.log4j.Logger;

import cn.banny.unidbg.LibraryResolver;
import cn.banny.unidbg.Module;
import cn.banny.unidbg.arm.ARMEmulator;
import cn.banny.unidbg.linux.android.AndroidARMEmulator;
import cn.banny.unidbg.linux.android.AndroidResolver;
import cn.banny.unidbg.linux.android.dvm.AbstractJni;
import cn.banny.unidbg.linux.android.dvm.ArrayObject;
import cn.banny.unidbg.linux.android.dvm.DalvikModule;
import cn.banny.unidbg.linux.android.dvm.DvmClass;
import cn.banny.unidbg.linux.android.dvm.DvmObject;
import cn.banny.unidbg.linux.android.dvm.StringObject;
import cn.banny.unidbg.linux.android.dvm.VM;
import cn.banny.unidbg.memory.Memory;

public class TestSignso extends AbstractJni {

    private static LibraryResolver createLibraryResolver() {
        return new AndroidResolver(23);
    }

    private static ARMEmulator createARMEmulator() {
        return new AndroidARMEmulator("com.test.so");
    }

    private final ARMEmulator emulator;
    private final VM vm;
    private final Module module;

    // Resolved JNICLibrary class; doCommandNative is invoked on it.
    private final DvmClass Native;

    private TestSignso() throws IOException {
        Logger.getLogger("cn.banny.unidbg.AbstractEmulator").setLevel(Level.ALL);

        emulator = createARMEmulator();
        final Memory memory = emulator.getMemory();
        memory.setLibraryResolver(createLibraryResolver());
        memory.setCallInitFunction();

        vm = emulator.createDalvikVM(null);
        vm.setJni(this);
        DalvikModule dm = vm.loadLibrary(new File("src/test/resources/example_binaries/libmain.so"), false);
        dm.callJNI_OnLoad(emulator);
        this.module = dm.getModule();

        Native = vm.resolveClass("com.taobao.wireless.security.adapter.JNICLibrary".replace(".", "/"));
    }

    private void destroy() throws IOException {
        emulator.close();
        System.out.println("destroy");
    }

    public static void main(String[] args) throws Exception {
        TestSignso test = new TestSignso();
        test.test();
        test.destroy();
    }

    private void test() throws IOException {
        DvmObject context = vm.resolveClass("android/content/Context").newObject(null);

        Number ret = Native.callStaticJniMethod(emulator, "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;",
                10602,
                new ArrayObject(new ArrayObject(context, new StringObject(vm, "0")))
        );
        // The native side returns a local-reference hash; resolve it through the VM.
        long hash = ret.intValue() & 0xffffffffL;
        System.out.println("hash:" + hash);

        StringObject obj = vm.getObject(hash);
        vm.deleteLocalRefs();
        System.out.println(obj.getValue());
    }

}
```
.so file: libmain.so.zip

zhkl0228 commented on July 16, 2024

How does the app call it? Send me the call parameters and I'll try.

linxiaozhi commented on July 16, 2024

Calling libsgmainso-6.4.152.so. Normally it should be called like this:

```java
JNICLibrary.doCommandNative(10401, new Object[]{"testval", "21549244", Integer.valueOf(7), ""});
```

App address

zhkl0228 commented on July 16, 2024

Try this call:

TestSignso.zip

linxiaozhi commented on July 16, 2024

Thanks, running this file produces the following:

```text
[15:50:08 023] DEBUG [cn.banny.unidbg.AbstractEmulator] (AbstractEmulator:247) - emulate unicorn@0x4019468d[libc.so]0x1668d started sp=unicorn@0xbffff7e4
[15:50:08 089] DEBUG [cn.banny.unidbg.AbstractEmulator] (AbstractEmulator:275) - emulate unicorn@0x4019468d[libc.so]0x1668d finished sp=unicorn@0xbffff7e4, offset=62ms
[15:50:08 091] DEBUG [cn.banny.unidbg.AbstractEmulator] (AbstractEmulator:247) - emulate unicorn@0x4000fdf9[libmain.so]0xfdf9 started sp=unicorn@0xbffff7e4
[15:50:08 176] DEBUG [cn.banny.unidbg.AbstractEmulator] (AbstractEmulator:275) - emulate unicorn@0x4000fdf9[libmain.so]0xfdf9 finished sp=unicorn@0xbffff7e4, offset=85ms
[15:50:08 178] DEBUG [cn.banny.unidbg.AbstractEmulator] (AbstractEmulator:247) - emulate unicorn@0x40010231[libmain.so]0x10231 started sp=unicorn@0xbffff7e4
[15:50:08 184] WARN [cn.banny.unidbg.linux.android.dvm.DalvikVM] (DalvikVM$2:60) - Throw object=unicorn@0x7e0ea639, dvmObject=DvmObject{value=[9905]}, class=com/alibaba/wireless/security/open/SecException
[15:50:08 185] DEBUG [cn.banny.unidbg.AbstractEmulator] (AbstractEmulator:275) - emulate unicorn@0x40010231[libmain.so]0x10231 finished sp=unicorn@0xbffff7e4, offset=7ms
hash:0
[15:50:08 186] DEBUG [cn.banny.unidbg.AbstractEmulator] (AbstractEmulator:247) - emulate unicorn@0x40010231[libmain.so]0x10231 started sp=unicorn@0xbffff7e4
[15:50:08 222] WARN [cn.banny.unidbg.linux.android.dvm.DalvikVM] (DalvikVM$2:60) - Throw object=unicorn@0x96532d6, dvmObject=DvmObject{value=[10504]}, class=com/alibaba/wireless/security/open/SecException
[15:50:08 223] DEBUG [cn.banny.unidbg.AbstractEmulator] (AbstractEmulator:275) - emulate unicorn@0x40010231[libmain.so]0x10231 finished sp=unicorn@0xbffff7e4, offset=36ms
hash:0
[15:50:08 223] DEBUG [cn.banny.unidbg.AbstractEmulator] (AbstractEmulator:247) - emulate unicorn@0x40010231[libmain.so]0x10231 started sp=unicorn@0xbffff7e4
com/taobao/dp/util/CallbackHelper->onCallBack i1=0, str=null, i2=902
[15:50:08 244] DEBUG [cn.banny.unidbg.AbstractEmulator] (AbstractEmulator:275) - emulate unicorn@0x40010231[libmain.so]0x10231 finished sp=unicorn@0xbffff7e4, offset=21ms
hash:0
Exception in thread "main" java.lang.NullPointerException
at com.taobao.taobao.TestSignso.test(TestSignso.java:93)
at com.taobao.taobao.TestSignso.main(TestSignso.java:59)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at com.intellij.rt.execution.application.AppMain.main(AppMain.java:144)

Process finished with exit code 1
```

zhkl0228 commented on July 16, 2024

It runs fine; a SecException is thrown. Does some kind of initialization command need to be called first?

linxiaozhi commented on July 16, 2024

After calling initialization, it reports:

```java
ret = Native.callStaticJniMethod(emulator, "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;",
        10101,
        new ArrayObject(context, DvmInteger.valueOf(vm, 3), new StringObject(vm, ""), new StringObject(vm, "/data/user/0/com.taobao.taobao/app_SGLib"), new StringObject(vm, ""))
);
```

```text
[20:56:13 683] WARN [cn.banny.unidbg.linux.ARMSyscallHandler] (ARMSyscallHandler:362) - handleInterrupt intno=2, NR=163, svcNumber=0x0, PC=unicorn@0x401044c0[libc.so]0x204c0, syscall=null
unicorn.UnicornException: Invalid memory write (UC_ERR_WRITE_UNMAPPED)
at unicorn.Unicorn.emu_start(Native Method)
at cn.banny.unidbg.AbstractEmulator.emulate(AbstractEmulator.java:249)
at cn.banny.unidbg.AbstractEmulator.eFunc(AbstractEmulator.java:340)
at cn.banny.unidbg.arm.AbstractARMEmulator.eFunc(AbstractARMEmulator.java:201)
at cn.banny.unidbg.linux.LinuxModule.emulateFunction(LinuxModule.java:154)
at cn.banny.unidbg.linux.android.dvm.DvmClass.callStaticJniMethod(DvmClass.java:140)
at com.taobao.taobao.TestSignso.test(TestSignso.java:135)
at com.taobao.taobao.TestSignso.main(TestSignso.java:93)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at com.intellij.rt.execution.application.AppMain.main(AppMain.java:144)
debugger break at: 0x400f3b40

r0=0x40690000 r1=0x406b1ff0 r2=0x7, r3=0x0 r4=0x40690000 r5=0x406b2000 r6=0x22000 r7=0x11000 sb=0x60 sl=0xd7 fp=0x31 ip=0x11000 sp=0xbfffec04 lr=0x400f3b3b pc=0x400f3b40 cpsr: N=0, Z=1, C=0, V=0, T=1, mode=0b10000
=> [ libc.so][0x0fb41][ 44 19 ]*0x400f3b40:*adds r4, r0, r5
[ libc.so] [0x0fb43] [ 75 1b ] 0x400f3b42: subs r5, r6, r5
[ libc.so] [0x0fb45] [ a5 f1 10 03 ] 0x400f3b44: sub.w r3, r5, #0x10
[ libc.so] [0x0fb49] [ 07 22 ] 0x400f3b48: movs r2, #7
[ libc.so] [0x0fb4b] [ e1 18 ] 0x400f3b4a: adds r1, r4, r3
[ libc.so] [0x0fb4d] [ 65 19 ] 0x400f3b4c: adds r5, r4, r5
[ libc.so] [0x0fb4f] [ 63 60 ] 0x400f3b4e: str r3, [r4, #4]
[ libc.so] [0x0fb51] [ 00 23 ] 0x400f3b50: movs r3, #0
[ libc.so] [0x0fb53] [ 4a 60 ] 0x400f3b52: str r2, [r1, #4]
[ libc.so] [0x0fb55] [ b0 49 ] 0x400f3b54: ldr r1, [pc, #0x2c0] => 0x3e622

```

zhkl0228 commented on July 16, 2024

readFromSPUnified a1=StringObject{value=Soft}, a2=StringObject{value=SGSAFETOKEN_IN}, a3=null
What does this call return?

linxiaozhi commented on July 16, 2024

I don't see that one.

zhkl0228 commented on July 16, 2024

com/taobao/wireless/security/adapter/common/SPUtility2->readFromSPUnified(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;

The C code calls this function through JNI. Send me the correct return value and it should be about done.

zhkl0228 commented on July 16, 2024

And what does this one return: com/alibaba/wireless/security/framework/utils/UserTrackMethodJniBridge->utAvaiable()I

linxiaozhi commented on July 16, 2024

readFromSPUnified, fields separated by ||: 1: method argument 1, 2: method argument 2, 3: method argument 3, 4: return value

dynamicreid||dynamicreid||null||6e69d97b54453eb
dynamicrsid||dynamicrsid||null||60d2f12c98e5470
Soft||SGSAFETOKEN||null||null
HARD-INFO-NEW||hardinfo||null||Zh5zA0XhhiwqlRJSvANa+w8P1WVc9nFnDuyQIqggik0tJK8l8ohh99Igtd/oSdUW
LOCAL_DEVICE_INFO||982c1b269b8e023e5aede2421cbf9c48||null||XKHv7CD9eo8DAEK9iP/JCGaG
DataReprot_Data||bdb13dc551d3db53||null||1560224326440
HARD-INFO-NEW||hardinfo||null||Zh5zA0XhhiwqlRJSvANa+w8P1WVc9nFnDuyQIqggik0tJK8l8ohh99Igtd/oSdUW
LOCAL_DEVICE_INFO||982c1b269b8e023e5aede2421cbf9c48||null||XKHv7CD9eo8DAEK9iP/JCGaG
DataReprot_Data||bdb13dc551d3db53||null||1560224326440
dynamicrsid||dynamicrsid||null||60d2f12c98e5470
dynamicrsid||dynamicrsid||null||60d2f12c98e5470
dynamicreid||dynamicreid||null||6e69d97b54453eb
SgDyUpdate||ac7123c301ca455b||null||1560224335
SgDyUpdate||fa641a486784d59b||null||null
DynamicData||accs_ssl_key2_https://g.alicdn.com_21646297%[B||null||null

zhkl0228 commented on July 16, 2024

com/taobao/wireless/security/adapter/datacollection/DeviceInfoCapturer->doCommandForString(I)Ljava/lang/String;
This one is also called, with argument 135; check on your side what it returns.

zhkl0228 commented on July 16, 2024

com/alibaba/wireless/security/framework/utils/UserTrackMethodJniBridge->utAvaiable()I
What is the return value of this?

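An added example, not from this thread or from the unidbg project, showing how the recorded readFromSPUnified table posted above and the utAvaiable question can be answered from the AbstractJni subclass. The cn.banny package layout is taken from the stack traces in this thread; the override signatures and VarArg.getObject are assumed from unidbg's AbstractJni, and the utAvaiable return value is a labelled placeholder because the thread never states it.

```java
import java.util.HashMap;
import java.util.Map;

import cn.banny.unidbg.linux.android.dvm.AbstractJni;
import cn.banny.unidbg.linux.android.dvm.BaseVM;
import cn.banny.unidbg.linux.android.dvm.DvmClass;
import cn.banny.unidbg.linux.android.dvm.DvmObject;
import cn.banny.unidbg.linux.android.dvm.StringObject;
import cn.banny.unidbg.linux.android.dvm.VarArg;

// Hypothetical class name; override signatures are assumed from AbstractJni.
public class RecordedSPJni extends AbstractJni {

    private static final String READ_FROM_SP =
            "com/taobao/wireless/security/adapter/common/SPUtility2->readFromSPUnified(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;";
    private static final String UT_AVAILABLE =
            "com/alibaba/wireless/security/framework/utils/UserTrackMethodJniBridge->utAvaiable()I";

    // Records exactly as posted in the thread: arg1 || arg2 || arg3 || return value.
    private static final String[] RECORDED = {
            "dynamicreid||dynamicreid||null||6e69d97b54453eb",
            "dynamicrsid||dynamicrsid||null||60d2f12c98e5470",
            "Soft||SGSAFETOKEN||null||null",
            "DataReprot_Data||bdb13dc551d3db53||null||1560224326440",
            "SgDyUpdate||ac7123c301ca455b||null||1560224335",
    };

    // Lookup keyed on "arg1||arg2"; a recorded "null" return is stored as Java null.
    private final Map<String, String> spTable = new HashMap<>();

    public RecordedSPJni() {
        for (String line : RECORDED) {
            String[] f = parseRecord(line);
            spTable.put(f[0] + "||" + f[1], f[2]);
        }
    }

    /** Split one "a1||a2||a3||ret" line into {a1, a2, ret}; the literal "null" becomes null. */
    static String[] parseRecord(String line) {
        String[] parts = line.split("\\|\\|", -1);
        if (parts.length != 4) {
            throw new IllegalArgumentException("bad record: " + line);
        }
        String ret = "null".equals(parts[3]) ? null : parts[3];
        return new String[] { parts[0], parts[1], ret };
    }

    @Override
    public DvmObject callStaticObjectMethod(BaseVM vm, DvmClass dvmClass, String signature, VarArg varArg) {
        if (READ_FROM_SP.equals(signature)) {
            StringObject a1 = (StringObject) varArg.getObject(0);
            StringObject a2 = (StringObject) varArg.getObject(1);
            String value = spTable.get(a1.getValue() + "||" + a2.getValue());
            // Unknown keys and keys recorded as null (e.g. Soft||SGSAFETOKEN) return a null jstring.
            return value == null ? null : new StringObject(vm, value);
        }
        // Anything else (e.g. the doCommandForString(135) call asked about above) falls through
        // to AbstractJni, which reports the unhandled signature instead of silently faking it.
        return super.callStaticObjectMethod(vm, dvmClass, signature, varArg);
    }

    @Override
    public int callStaticIntMethod(BaseVM vm, DvmClass dvmClass, String signature, VarArg varArg) {
        if (UT_AVAILABLE.equals(signature)) {
            return 0; // PLACEHOLDER: the thread never states the real value; replace with the observed one
        }
        return super.callStaticIntMethod(vm, dvmClass, signature, varArg);
    }
}
```

Pass an instance to vm.setJni(...) in place of the test class itself, or merge the overrides into it.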
zhkl0228 commented on July 16, 2024

TestSignso.tar.gz
I wrote an example that runs through; handle the details yourself, there are still many of them.
Use the latest version of unidbg.

linxiaozhi commented on July 16, 2024

After updating to the latest version it errors out in
cn.banny.unidbg.ios.MachOLoader.mmap2
I added the following directly to the class
public static final int MAP_ANONYMOUS = 0x20;
and it runs normally, but I don't know whether that is correct.

Error:(1459, 23) java: 对MAP_ANONYMOUS的引用不明确
cn.banny.unidbg.spi.AbstractLoader 中的变量 MAP_ANONYMOUS 和 cn.banny.unidbg.ios.MachO 中的变量 MAP_ANONYMOUS 都匹配

linxiaozhi commented on July 16, 2024

Loading the other dependent .so files gives this error: Invalid memory fetch (UC_ERR_FETCH_UNMAPPED), -_-

```java
// Fragment of the constructor: load the dependent .so files in order.
DalvikModule dm = vm.loadLibrary("sgmainso-6.4.152", false);
dm.callJNI_OnLoad(emulator);

dm = vm.loadLibrary("sgsecuritybodyso-6.4.90", false);
dm.callJNI_OnLoad(emulator);

dm = vm.loadLibrary("sgavmpso-6.4.34", false);
dm.callJNI_OnLoad(emulator);

dm = vm.loadLibrary("sgmiscso-6.4.44", false);
dm.callJNI_OnLoad(emulator);

dm = vm.loadLibrary("sgsgmiddletierso-6.4.1", false);
dm.callJNI_OnLoad(emulator);

Native = vm.resolveClass("com.taobao.wireless.security.adapter.JNICLibrary".replace(".", "/"));

// Fragment of test(): issue the doCommandNative commands in sequence.
DvmObject context = vm.resolveClass("android/content/Context").newObject(null);
long start = System.currentTimeMillis();
Number ret;
long hash;
DvmObject dvmObject;
Map<String, String> map = new HashMap<>();

ret = Native.callStaticJniMethod(emulator, "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;",
        10101,
        new ArrayObject(context, DvmInteger.valueOf(vm, 3), new StringObject(vm, ""), new StringObject(vm, new File("target/app_SGLib").getAbsolutePath()), new StringObject(vm, ""))
);
hash = ret.intValue() & 0xffffffffL;
dvmObject = vm.getObject(hash);
System.out.println("hash:" + hash + ", dvmObject=" + dvmObject + ", offset=" + (System.currentTimeMillis() - start) + "ms");
vm.deleteLocalRefs();

ret = Native.callStaticJniMethod(emulator, "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;",
        10102,
        new ArrayObject(new StringObject(vm, "main"), new StringObject(vm, "6.4.152"), new StringObject(vm, new File("target/test-classes/example_binaries/tb/libsgmainso-6.4.152.so").getAbsolutePath()))
);
hash = ret.intValue() & 0xffffffffL;
dvmObject = vm.getObject(hash);
System.out.println("hash:" + hash + ", dvmObject=" + dvmObject + ", offset=" + (System.currentTimeMillis() - start) + "ms");
vm.deleteLocalRefs();

ret = Native.callStaticJniMethod(emulator, "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;",
        12301,
        new ArrayObject(DvmInteger.valueOf(vm, 0))
);
hash = ret.intValue() & 0xffffffffL;
dvmObject = vm.getObject(hash);
System.out.println("hash:" + hash + ", dvmObject=" + dvmObject + ", offset=" + (System.currentTimeMillis() - start) + "ms");
vm.deleteLocalRefs();

ret = Native.callStaticJniMethod(emulator, "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;",
        10102,
        new ArrayObject(new StringObject(vm, "securitybody"), new StringObject(vm, "6.4.90"), new StringObject(vm, new File("target/test-classes/example_binaries/tb/libsgsecuritybodyso-6.4.90.so").getAbsolutePath()))
);
hash = ret.intValue() & 0xffffffffL;
dvmObject = vm.getObject(hash);
System.out.println("hash:" + hash + ", dvmObject=" + dvmObject + ", offset=" + (System.currentTimeMillis() - start) + "ms");
vm.deleteLocalRefs();

ret = Native.callStaticJniMethod(emulator, "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;",
        10102,
        new ArrayObject(new StringObject(vm, "avmp"), new StringObject(vm, "6.4.34"), new StringObject(vm, new File("target/test-classes/example_binaries/tb/libsgavmpso-6.4.34.so").getAbsolutePath()))
);
hash = ret.intValue() & 0xffffffffL;
dvmObject = vm.getObject(hash);
System.out.println("hash:" + hash + ", dvmObject=" + dvmObject + ", offset=" + (System.currentTimeMillis() - start) + "ms");
vm.deleteLocalRefs();

ret = Native.callStaticJniMethod(emulator, "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;",
        12605,
        new ArrayObject(DvmInteger.valueOf(vm, 0))
);
hash = ret.intValue() & 0xffffffffL;
dvmObject = vm.getObject(hash);
System.out.println("hash:" + hash + ", dvmObject=" + dvmObject + ", offset=" + (System.currentTimeMillis() - start) + "ms");
vm.deleteLocalRefs();

ret = Native.callStaticJniMethod(emulator, "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;",
        10102,
        new ArrayObject(new StringObject(vm, "sgmiddletier"), new StringObject(vm, "6.4.1"), new StringObject(vm, new File("target/test-classes/example_binaries/tb/libsgsgmiddletierso-6.4.1.so").getAbsolutePath()))
);
hash = ret.intValue() & 0xffffffffL;
dvmObject = vm.getObject(hash);
System.out.println("hash:" + hash + ", dvmObject=" + dvmObject + ", offset=" + (System.currentTimeMillis() - start) + "ms");
vm.deleteLocalRefs();

// Returns an int value when successful.
ret = Native.callStaticJniMethod(emulator, "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;",
        60901,
        new ArrayObject(new StringObject(vm, "mwua"), new StringObject(vm, "sgcipher2"))
);
hash = ret.intValue() & 0xffffffffL;
dvmObject = vm.getObject(hash);
System.out.println("hash:" + hash + ", dvmObject=" + dvmObject + ", offset=" + (System.currentTimeMillis() - start) + "ms");
vm.deleteLocalRefs();

// Returns an int value when successful.
ret = Native.callStaticJniMethod(emulator, "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;",
        60901,
        new ArrayObject(new StringObject(vm, "mwua"), new StringObject(vm, "sgcipher"))
);
hash = ret.intValue() & 0xffffffffL;
dvmObject = vm.getObject(hash);
System.out.println("hash:" + hash + ", dvmObject=" + dvmObject + ", offset=" + (System.currentTimeMillis() - start) + "ms");
vm.deleteLocalRefs();

// Returns a string value when successful.
ret = Native.callStaticJniMethod(emulator, "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;",
        20102,
        new ArrayObject(new StringObject(vm, "1560408692"), new StringObject(vm, "21646297"), DvmInteger.valueOf(vm, 8), new StringObject(vm, "null"), new StringObject(vm, "pageName=com.taobao.tao.TBMainActivity&pageId=http%3A%2F%2Fm.taobao.com%2Findex.htm"), DvmInteger.valueOf(vm, 0))
);
hash = ret.intValue() & 0xffffffffL;
dvmObject = vm.getObject(hash);
System.out.println("hash:" + hash + ", dvmObject=" + dvmObject + ", offset=" + (System.currentTimeMillis() - start) + "ms");
vm.deleteLocalRefs();
```

```text
unicorn.UnicornException: Invalid memory fetch (UC_ERR_FETCH_UNMAPPED)
    at unicorn.Unicorn.emu_start(Native Method)
    at cn.banny.unidbg.AbstractEmulator.emulate(AbstractEmulator.java:249)
    at cn.banny.unidbg.AbstractEmulator.eFunc(AbstractEmulator.java:340)
    at cn.banny.unidbg.arm.AbstractARMEmulator.eFunc(AbstractARMEmulator.java:201)
    at cn.banny.unidbg.linux.LinuxModule.emulateFunction(LinuxModule.java:154)
    at cn.banny.unidbg.linux.LinuxModule.callFunction(LinuxModule.java:131)
    at cn.banny.unidbg.linux.LinuxSymbol.call(LinuxSymbol.java:27)
    at cn.banny.unidbg.linux.android.dvm.DalvikModule.callJNI_OnLoad(DalvikModule.java:32)
    at com.taobao.taobao.TestSignsoV3.(TestSignsoV3.java:64)
    at com.taobao.taobao.TestSignsoV3.main(TestSignsoV3.java:81)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at com.intellij.rt.execution.application.AppMain.main(AppMain.java:144)
debugger break at: 0x280

r0=0xfffe08a0 r1=0xc002d5d9 r2=0x24d12279, r3=0x280 r4=0xfffe08a0 r5=0xfffe0360 r6=0xc002d5d9 r7=0xbffff7b4 r8=0x4019c8ae r9=0xfffe0080 r10=0x36 fp=0x0 ip=0x9b sp=0xbffff79c lr=0x401c1049 pc=0x280 cpsr: N=0, Z=1, C=1, V=0, T=0, mode=0b10000
unicorn.UnicornException: Invalid memory read (UC_ERR_READ_UNMAPPED)
    at unicorn.Unicorn.mem_read(Native Method)
    at cn.banny.unidbg.arm.AbstractARMEmulator.disassemble(AbstractARMEmulator.java:175)
    at cn.banny.unidbg.arm.AbstractARMDebugger.disassemble(AbstractARMDebugger.java:228)
    at cn.banny.unidbg.arm.SimpleARMDebugger.loop(SimpleARMDebugger.java:33)
    at cn.banny.unidbg.arm.AbstractARMDebugger.debug(AbstractARMDebugger.java:156)
    at cn.banny.unidbg.AbstractEmulator.emulate(AbstractEmulator.java:259)
    at cn.banny.unidbg.AbstractEmulator.eFunc(AbstractEmulator.java:340)
    at cn.banny.unidbg.arm.AbstractARMEmulator.eFunc(AbstractARMEmulator.java:201)
    at cn.banny.unidbg.linux.LinuxModule.emulateFunction(LinuxModule.java:154)
    at cn.banny.unidbg.linux.LinuxModule.callFunction(LinuxModule.java:131)
    at cn.banny.unidbg.linux.LinuxSymbol.call(LinuxSymbol.java:27)
    at cn.banny.unidbg.linux.android.dvm.DalvikModule.callJNI_OnLoad(DalvikModule.java:32)
    at com.taobao.taobao.TestSignsoV3.(TestSignsoV3.java:64)
    at com.taobao.taobao.TestSignsoV3.main(TestSignsoV3.java:81)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at com.intellij.rt.execution.application.AppMain.main(AppMain.java:144)
```

zhkl0228 commented on July 16, 2024

Update to the latest code.

linxiaozhi commented on July 16, 2024

After updating, the .so files load normally, but starting from the securitybody command it again reports Invalid memory fetch (UC_ERR_FETCH_UNMAPPED), -_-

```java
ret = Native.callStaticJniMethod(emulator, "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;",
        10102,
        new ArrayObject(new StringObject(vm, "securitybody"), new StringObject(vm, "6.4.90"), new StringObject(vm, new File("target/test-classes/example_binaries/tb/libsgsecuritybodyso-6.4.90.so").getAbsolutePath()))
);
```

```text
unicorn.UnicornException: Invalid memory fetch (UC_ERR_FETCH_UNMAPPED)
    at unicorn.Unicorn.emu_start(Native Method)
    at cn.banny.unidbg.AbstractEmulator.emulate(AbstractEmulator.java:249)
    at cn.banny.unidbg.AbstractEmulator.eFunc(AbstractEmulator.java:340)
    at cn.banny.unidbg.arm.AbstractARMEmulator.eFunc(AbstractARMEmulator.java:201)
    at cn.banny.unidbg.linux.LinuxModule.emulateFunction(LinuxModule.java:154)
    at cn.banny.unidbg.linux.android.dvm.DvmClass.callStaticJniMethod(DvmClass.java:140)
    at com.taobao.taobao.TestSignsoV3.test(TestSignsoV3.java:140)
    at com.taobao.taobao.TestSignsoV3.main(TestSignsoV3.java:90)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at com.intellij.rt.execution.application.AppMain.main(AppMain.java:144)
debugger break at: 0x25c
unicorn.UnicornException: Invalid memory read (UC_ERR_READ_UNMAPPED)

r0=0xfffe08b0 r1=0xc002d5d9 r2=0x24d12279, r3=0x25c r4=0xfffe08b0 r5=0xfffe0360 r6=0xbffff7b8 r7=0xbffff73c r8=0xfffe08b0 r9=0x80491e8 r10=0x8049210 fp=0x805d764 ip=0x1 sp=0xbffff68c lr=0x40010e3b pc=0x25c cpsr: N=0, Z=1, C=1, V=0, T=0, mode=0b10000
    at unicorn.Unicorn.mem_read(Native Method)
    at cn.banny.unidbg.arm.AbstractARMEmulator.disassemble(AbstractARMEmulator.java:175)
    at cn.banny.unidbg.arm.AbstractARMDebugger.disassemble(AbstractARMDebugger.java:228)
    at cn.banny.unidbg.arm.SimpleARMDebugger.loop(SimpleARMDebugger.java:33)
    at cn.banny.unidbg.arm.AbstractARMDebugger.debug(AbstractARMDebugger.java:156)
    at cn.banny.unidbg.AbstractEmulator.emulate(AbstractEmulator.java:259)
    at cn.banny.unidbg.AbstractEmulator.eFunc(AbstractEmulator.java:340)
    at cn.banny.unidbg.arm.AbstractARMEmulator.eFunc(AbstractARMEmulator.java:201)
    at cn.banny.unidbg.linux.LinuxModule.emulateFunction(LinuxModule.java:154)
    at cn.banny.unidbg.linux.android.dvm.DvmClass.callStaticJniMethod(DvmClass.java:140)
    at com.taobao.taobao.TestSignsoV3.test(TestSignsoV3.java:140)
    at com.taobao.taobao.TestSignsoV3.main(TestSignsoV3.java:90)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at com.intellij.rt.execution.application.AppMain.main(AppMain.java:144)
```

linxiaozhi commented on July 16, 2024

Many thanks, I now roughly understand what this kind of problem is. Thanks again.

zhkl0228 commented on July 16, 2024

The latest commit implements the JNI function corresponding to 0x25c.

ydaniels commented on July 16, 2024

@linxiaozhi
Hello,
how did you solve this:
debugger break at:0x4006e966
Sorry, my Chinese is not good.
sgmainso-6.4.152

linxiaozhi commented on July 16, 2024

@ydaniels -_- I don't seem to have run into that.

linxiaozhi commented on July 16, 2024

@zhkl0228 .... and here is another one I don't recognise...

```text

-----------------------------------------------------------------------------<
[15:31:15 139]gettimeofday tv after tv_sec=1560583875, tv_usec=139000, tv=unicorn@0xbfffef74, md5=5b2b5d651ba4d652d4920233c3f24ee2, hex=c39e045df81e0200
size: 8
0000: C3 9E 04 5D F8 1E 02 00 ...]....
^-----------------------------------------------------------------------------^

r0=0x804c3e4 r1=0x81 r2=0x1, r3=0xffffffec r4=0x0 r5=0x0 r6=0x804ef70 r7=0xf0 r9=0x1 r10=0x408457dd fp=0x1 ip=0xbfffef9c sp=0xbfffef64 lr=0x400c54c8 pc=0x400d895c cpsr: N=0, Z=1, C=1, V=0, T=0, mode=0b10000
unicorn.UnicornException: Invalid memory fetch (UC_ERR_FETCH_UNMAPPED)
at unicorn.Unicorn.emu_start(Native Method)
at cn.banny.unidbg.AbstractEmulator.emulate(AbstractEmulator.java:249)
at cn.banny.unidbg.AbstractEmulator.eFunc(AbstractEmulator.java:340)
at cn.banny.unidbg.arm.AbstractARMEmulator.eFunc(AbstractARMEmulator.java:201)
at cn.banny.unidbg.linux.LinuxModule.emulateFunction(LinuxModule.java:154)
at cn.banny.unidbg.linux.android.dvm.DvmClass.callStaticJniMethod(DvmClass.java:140)
at com.taobao.taobao.TestSignsoV3.getSS(TestSignsoV3.java:203)
at com.taobao.taobao.TestSignsoV3.main(TestSignsoV3.java:140)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at com.intellij.rt.execution.application.AppMain.main(AppMain.java:144)
unicorn.UnicornException: Invalid memory read (UC_ERR_READ_UNMAPPED)
at unicorn.Unicorn.mem_read(Native Method)
at cn.banny.unidbg.arm.AbstractARMEmulator.disassemble(AbstractARMEmulator.java:175)
at cn.banny.unidbg.arm.AbstractARMDebugger.disassemble(AbstractARMDebugger.java:228)
at cn.banny.unidbg.arm.SimpleARMDebugger.loop(SimpleARMDebugger.java:33)
at cn.banny.unidbg.arm.AbstractARMDebugger.debug(AbstractARMDebugger.java:156)
at cn.banny.unidbg.AbstractEmulator.emulate(AbstractEmulator.java:259)
at cn.banny.unidbg.AbstractEmulator.eFunc(AbstractEmulator.java:340)
at cn.banny.unidbg.arm.AbstractARMEmulator.eFunc(AbstractARMEmulator.java:201)
at cn.banny.unidbg.linux.LinuxModule.emulateFunction(LinuxModule.java:154)
at cn.banny.unidbg.linux.android.dvm.DvmClass.callStaticJniMethod(DvmClass.java:140)
at com.taobao.taobao.TestSignsoV3.getSS(TestSignsoV3.java:203)
at com.taobao.taobao.TestSignsoV3.main(TestSignsoV3.java:140)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at com.intellij.rt.execution.application.AppMain.main(AppMain.java:144)
debugger break at: 0x2b0
r0=0xfffe08d0 r1=0x1 r2=0x76f84423, r3=0x83d61724 r4=0xfffe08d0 r5=0x46607d73 r6=0x76f84423 r7=0xbfffefe4 r8=0x608da06e r9=0x1554909b r10=0x4e4e3b1c fp=0x83d61724 ip=0x2b0 sp=0xbfffef6c lr=0x40853815 pc=0x2b0 cpsr: N=0, Z=0, C=1, V=0, T=0, mode=0b10000
[15:36:36 201] DEBUG [cn.banny.unidbg.linux.android.dvm.DalvikVM] (DalvikVM$17:264) - GetMethodID class=unicorn@0x4e4e3b1c, methodName=getWindow, args=()Landroid/view/Window;
[15:36:36 201] DEBUG [cn.banny.unidbg.linux.android.dvm.DvmClass] (DvmClass:53) - getMethodID name=android/app/Activity->getWindow()Landroid/view/Window;, hash=0x4333f814
[15:36:36 201] DEBUG [cn.banny.unidbg.linux.android.dvm.DalvikVM] (DalvikVM$17:264) - GetMethodID class=unicorn@0x755f7f39, methodName=getDecorView, args=()Landroid/view/View;
[15:36:36 201] DEBUG [cn.banny.unidbg.linux.android.dvm.DvmClass] (DvmClass:53) - getMethodID name=android/view/Window->getDecorView()Landroid/view/View;, hash=0xe50b5118
[15:36:36 202] DEBUG [cn.banny.unidbg.linux.android.dvm.DalvikVM] (DalvikVM$18:281) - CallObjectMethod object=unicorn@0x26ba2a48, jmethodID=unicorn@0x4333f814
[15:36:36 202] DEBUG [cn.banny.unidbg.linux.android.dvm.DvmMethod] (DvmMethod:41) - callObjectMethod signature=android/app/Activity->getWindow()Landroid/view/Window;
[15:36:36 202] DEBUG [cn.banny.unidbg.linux.android.dvm.DalvikVM] (DalvikVM$18:281) - CallObjectMethod object=unicorn@0x5f2050f6, jmethodID=unicorn@0xe50b5118
[15:36:36 202] DEBUG [cn.banny.unidbg.linux.android.dvm.DvmMethod] (DvmMethod:41) - callObjectMethod signature=android/view/Window->getDecorView()Landroid/view/View;
[15:36:36 202] DEBUG [cn.banny.unidbg.linux.android.dvm.DalvikVM] (DalvikVM$17:264) - GetMethodID class=unicorn@0x76f84423, methodName=getDeclaredMethod, args=(Ljava/lang/String;[Ljava/lang/Class;)Ljava/lang/reflect/Method;
[15:36:36 203] DEBUG [cn.banny.unidbg.linux.android.dvm.DvmClass] (DvmClass:53) - getMethodID name=java/lang/Class->getDeclaredMethod(Ljava/lang/String;[Ljava/lang/Class;)Ljava/lang/reflect/Method;, hash=0x46607d73
[15:36:36 203] DEBUG [cn.banny.unidbg.linux.android.dvm.DalvikVM] (DalvikVM$63:1114) - NewStringUTF bytes=unicorn@0x4086b8da[libsecuritybody.so]0x2b8da, string=getDeclaredField
[15:36:36 203] WARN [cn.banny.unidbg.AbstractEmulator] (AbstractEmulator:263) - emulate unicorn@0x4017d231[libmain.so]0x10231 exception sp=unicorn@0xbfffef6c, msg=Invalid memory fetch (UC_ERR_FETCH_UNMAPPED), offset=175ms
wua hash:4294967295, dvmObject=null, offset=1460ms

from unidbg.

linxiaozhi avatar linxiaozhi commented on July 16, 2024

@ydaniels You can use this example; I did not see that sgmainso-6.4.152 error. TestSignso.tar.gz

from unidbg.

zhkl0228 avatar zhkl0228 commented on July 16, 2024

@linxiaozhi Send me your getSS test code so I can test it.

from unidbg.

linxiaozhi avatar linxiaozhi commented on July 16, 2024

@zhkl0228
Command 20102 hits "debugger break at: 0x2b0".

Command 10502 hits "debugger break at: 0xfffe0474".

ret = Native.callStaticJniMethod(emulator, "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;",
20102,
new ArrayObject(
new StringObject(vm, "1560601343"),
new StringObject(vm, "21646297"),
DvmInteger.valueOf(vm, 8),
null,
new StringObject(vm, "pageName=&pageId="),
DvmInteger.valueOf(vm, 0))
);

ret = Native.callStaticJniMethod(emulator, "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;",
10502,
new ArrayObject(
DvmInteger.valueOf(vm, 5),
new StringObject(vm, "LString"),
DvmBoolean.valueOf(vm, false),
new StringObject(vm, "sutdid"),
new StringObject(vm, "XKHv7CD9eo8DAEK9iP/JCGaG")
)
);

from unidbg.

linxiaozhi avatar linxiaozhi commented on July 16, 2024

Found the cause for command 10502: a method call was not handled properly on my side.

from unidbg.

junges521 avatar junges521 commented on July 16, 2024

@linxiaozhi Taobao probably won't work. Taobao has emulator detection; your approach can get the call to run, but it won't pass the check.

from unidbg.

linxiaozhi avatar linxiaozhi commented on July 16, 2024

@junges521 So far in my tests the emulator detection passes.

from unidbg.

junges521 avatar junges521 commented on July 16, 2024

@linxiaozhi TB's emulator detection pops up an annoying "drag the apple into the shopping cart" verification at login.

from unidbg.

poping520 avatar poping520 commented on July 16, 2024

@linxiaozhi Can you load libsgavmpso successfully and then call command 60901?
[screenshot]

from unidbg.

poping520 avatar poping520 commented on July 16, 2024

@linxiaozhi Can you load libsgavmpso successfully and then call command 60901?
[screenshot]

Found the cause.

from unidbg.

Jackiexiaolu avatar Jackiexiaolu commented on July 16, 2024

java.lang.RuntimeException: java.lang.reflect.InvocationTargetException
Have you ever run into this exception?

from unidbg.

progzgq avatar progzgq commented on July 16, 2024

@linxiaozhi Can you load libsgavmpso successfully and then call command 60901?
[screenshot]

Found the cause.

Bro, what was the cause? Could you share it?

from unidbg.

cysdxy2 avatar cysdxy2 commented on July 16, 2024

@linxiaozhi Can you load libsgavmpso successfully and then call command 60901?
[screenshot]

Found the cause.

I hit this problem too. How did you solve it?

from unidbg.

HotYounger avatar HotYounger commented on July 16, 2024

Now I have run into a new problem.

The following code throws ArrayIndexOutOfBoundsException:
Number ret = Native.callStaticJniMethod(emulator, "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;", 10401, new ArrayObject(new ArrayObject(new StringObject(vm, "123"),new StringObject(vm, "456"),new StringObject(vm, String.valueOf("7")),new StringObject(vm, ""))) );

The following code throws NullPointerException:
Number ret = Native.callStaticJniMethod(emulator, "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;", 10602, new ArrayObject(new ArrayObject(context, new StringObject(vm, "0"))) );

[11:07:51 281] DEBUG [cn.banny.unidbg.AbstractEmulator] (AbstractEmulator:247) - emulate unicorn@0x4016368d[libc.so]0x1668d started sp=unicorn@0xbffff7e4
[11:07:51 340] DEBUG [cn.banny.unidbg.AbstractEmulator] (AbstractEmulator:275) - emulate unicorn@0x4016368d[libc.so]0x1668d finished sp=unicorn@0xbffff7e4, offset=56ms
[11:07:51 341] DEBUG [cn.banny.unidbg.AbstractEmulator] (AbstractEmulator:247) - emulate unicorn@0x4000cd25[libmain.so]0xcd25 started sp=unicorn@0xbffff7e4
[11:07:51 394] DEBUG [cn.banny.unidbg.AbstractEmulator] (AbstractEmulator:275) - emulate unicorn@0x4000cd25[libmain.so]0xcd25 finished sp=unicorn@0xbffff7e4, offset=53ms
[11:07:51 394] DEBUG [cn.banny.unidbg.AbstractEmulator] (AbstractEmulator:247) - emulate unicorn@0x4000e3ad[libmain.so]0xe3ad started sp=unicorn@0xbffff7e4
[11:07:51 399] WARN [cn.banny.unidbg.linux.ARMSyscallHandler] (ARMSyscallHandler:362) - handleInterrupt intno=2, NR=-1073744148, svcNumber=0x10e, PC=unicorn@0xfffe00bc, syscall=null
java.lang.NullPointerException
at cn.banny.unidbg.linux.android.dvm.DalvikVM$15.handle(DalvikVM.java:233)
at cn.banny.unidbg.linux.ARMSyscallHandler.hook(ARMSyscallHandler.java:87)
at unicorn.Unicorn.invokeInterruptCallbacks(Unicorn.java:123)
at unicorn.Unicorn.emu_start(Native Method)
at cn.banny.unidbg.AbstractEmulator.emulate(AbstractEmulator.java:249)
at cn.banny.unidbg.AbstractEmulator.eFunc(AbstractEmulator.java:340)
at cn.banny.unidbg.arm.AbstractARMEmulator.eFunc(AbstractARMEmulator.java:201)
at cn.banny.unidbg.linux.LinuxModule.emulateFunction(LinuxModule.java:154)
at cn.banny.unidbg.linux.android.dvm.DvmClass.callStaticJniMethod(DvmClass.java:140)
at com.test.sign.TestSignso.test(MoonSignV2so.java:86)
at com.test.sign.TestSignso.main(MoonSignV2so.java:77)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at com.intellij.rt.execution.application.AppMain.main(AppMain.java:144)
[11:07:51 401] DEBUG [cn.banny.unidbg.AbstractEmulator] (AbstractEmulator:275) - emulate unicorn@0x4000e3ad[libmain.so]0xe3ad finished sp=unicorn@0xbffff6dc, offset=7ms
hash:4294837784
destroy

Process finished with exit code 0

`

public class TestSignso extends AbstractJni {

private static LibraryResolver createLibraryResolver() {
    return new AndroidResolver(23);
}

private static ARMEmulator createARMEmulator() {
    return new AndroidARMEmulator("com.test.so");
}

private final ARMEmulator emulator;
private final VM vm;
private final Module module;

private final DvmClass Native;

private TestSignso() throws IOException {

    Logger.getLogger("cn.banny.unidbg.AbstractEmulator").setLevel(Level.ALL);

    emulator = createARMEmulator();
    final Memory memory = emulator.getMemory();
    memory.setLibraryResolver(createLibraryResolver());
    memory.setCallInitFunction();

    vm = emulator.createDalvikVM(null);
    vm.setJni(this);
    DalvikModule dm = vm.loadLibrary(new File("src/test/resources/example_binaries/libmain.so"), false);
    dm.callJNI_OnLoad(emulator);
    this.module = dm.getModule();

    Native = vm.resolveClass("com.taobao.wireless.security.adapter.JNICLibrary".replace(".", "/"));
}

private void destroy() throws IOException {
    emulator.close();
    System.out.println("destroy");
}

public static void main(String[] args) throws Exception {
    TestSignso test = new TestSignso();
    test.test();
    test.destroy();
}

private void test() throws IOException {

    DvmObject context = vm.resolveClass("android/content/Context").newObject(null);

    Number ret = Native.callStaticJniMethod(emulator, "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;",
            10602,
            new ArrayObject(new ArrayObject(context, new StringObject(vm, "0")))
    );
    long hash = ret.intValue() & 0xffffffffL;
    System.out.println("hash:" + hash);

    StringObject obj = vm.getObject(hash);
    vm.deleteLocalRefs();
    System.out.println(obj.getValue());
}

}

`
.so file
libmain.so.zip
Friend, were you able to get x-sign this way? My return value comes back empty. Is something wrong? Could you point me in the right direction?

from unidbg.
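Editor's note, an added example that is not code from any comment in this thread or from the unidbg project: the failing 10401 and 10602 calls above wrap one ArrayObject inside another, so the native method receives a one-element Object[] whose only element is itself an array, and any GetObjectArrayElement(args, 1) runs off the end. Java's `Object... args` compiles to a plain Object[], which is exactly what the `(I[Ljava/lang/Object;)Ljava/lang/Object;` descriptor expects, and the working call later in the thread (whose trace shows GetObjectArrayElement with indices 0 to 4 on one flat array) passes a single ArrayObject whose elements are the varargs. The snippet below shows both shapes against the com.github.unidbg API used later in the thread. The process name, the library path, and the use of a bare android/content/Context object are placeholder assumptions, not values taken from the app, and the JNI callbacks the library needs (see the Taobao class further down) are omitted here.

```java
// Added editorial example, not part of the original thread or of unidbg.
// Demonstrates how a Java `Object...` parameter has to be marshalled for
// unidbg's callStaticJniMethod*: ONE ArrayObject whose elements are the
// varargs, never an ArrayObject wrapped inside another ArrayObject.
import com.github.unidbg.AndroidEmulator;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.linux.android.dvm.AbstractJni;
import com.github.unidbg.linux.android.dvm.DalvikModule;
import com.github.unidbg.linux.android.dvm.DvmClass;
import com.github.unidbg.linux.android.dvm.DvmObject;
import com.github.unidbg.linux.android.dvm.StringObject;
import com.github.unidbg.linux.android.dvm.VM;
import com.github.unidbg.linux.android.dvm.array.ArrayObject;
import com.github.unidbg.linux.android.dvm.wrapper.DvmInteger;

import java.io.File;
import java.io.IOException;

public class VarargsMarshalling extends AbstractJni {

    // Descriptor of the native method discussed in the thread:
    // static native Object doCommandNative(int cmd, Object... args);
    private static final String DO_COMMAND =
            "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;";

    // `Object... args` is a single Object[] at the JNI boundary, so the
    // native side gets ONE jobjectArray and reads it with
    // GetObjectArrayElement(args, 0), GetObjectArrayElement(args, 1), ...
    static ArrayObject varargs(DvmObject<?>... items) {
        return new ArrayObject(items);
    }

    public static void main(String[] args) throws IOException {
        AndroidEmulator emulator = AndroidEmulatorBuilder.for32Bit()
                .setProcessName("com.taobao.taobao")   // assumption: placeholder process name
                .build();
        emulator.getMemory().setLibraryResolver(new AndroidResolver(23));

        VM vm = emulator.createDalvikVM(null);
        vm.setVerbose(true);                          // print every JNIEnv call
        vm.setJni(new VarargsMarshalling());

        // Assumption: placeholder path; point it at the libmain.so from the thread.
        DalvikModule dm = vm.loadLibrary(new File("path/to/libmain.so"), false);
        dm.callJNI_OnLoad(emulator);

        DvmClass jni = vm.resolveClass("com/taobao/wireless/security/adapter/JNICLibrary");
        DvmObject<?> context = vm.resolveClass("android/content/Context").newObject(null);

        // WRONG (the shape of the failing 10401/10602 calls in the thread):
        //   new ArrayObject(new ArrayObject(context, new StringObject(vm, "0")))
        // The native code sees args.length == 1 with args[0] being an Object[],
        // so reading args[1] throws, and treating args[0] as a Context fails.

        // RIGHT: the varargs are the elements of one flat array, so
        // args[0] is the Context and args[1] is the String "0".
        DvmObject<?> result = jni.callStaticJniMethodObject(emulator, DO_COMMAND,
                10602,
                varargs(context, new StringObject(vm, "0")));
        System.out.println("10602 -> " + result);

        // Same rule for a mixed argument list: boxed ints go in as DvmInteger.
        DvmObject<?> result2 = jni.callStaticJniMethodObject(emulator, DO_COMMAND,
                10101,
                varargs(context, DvmInteger.valueOf(vm, 3), new StringObject(vm, ""),
                        new StringObject(vm, new File("target/app_SGLib").getAbsolutePath()),
                        new StringObject(vm, "")));
        System.out.println("10101 -> " + result2);

        emulator.close();
    }
}
```

callStaticJniMethodObject returns the DvmObject the native code handed back, so the manual `ret.intValue() & 0xffffffffL` followed by `vm.getObject(hash)` seen in the older cn.banny-era snippets in this thread is not needed; with a real library the callbacks from AbstractJni (callStaticObjectMethod, callObjectMethod, and so on) still have to be implemented as the Taobao class below does, or the call will stop at the first unimplemented JNI method.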

nantian-dog avatar nantian-dog commented on July 16, 2024

@linxiaozhi
Hello, did you get this signature working? If so, could you send me the project so I can learn from it?

from unidbg.

HotYounger avatar HotYounger commented on July 16, 2024

from unidbg.

LeToNode avatar LeToNode commented on July 16, 2024

Now I have run into a new problem.

The following code throws ArrayIndexOutOfBoundsException:
Number ret = Native.callStaticJniMethod(emulator, "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;", 10401, new ArrayObject(new ArrayObject(new StringObject(vm, "123"),new StringObject(vm, "456"),new StringObject(vm, String.valueOf("7")),new StringObject(vm, ""))) );

The following code throws NullPointerException:
Number ret = Native.callStaticJniMethod(emulator, "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;", 10602, new ArrayObject(new ArrayObject(context, new StringObject(vm, "0"))) );

[11:07:51 281] DEBUG [cn.banny.unidbg.AbstractEmulator] (AbstractEmulator:247) - emulate unicorn@0x4016368d[libc.so]0x1668d started sp=unicorn@0xbffff7e4
[11:07:51 340] DEBUG [cn.banny.unidbg.AbstractEmulator] (AbstractEmulator:275) - emulate unicorn@0x4016368d[libc.so]0x1668d finished sp=unicorn@0xbffff7e4, offset=56ms
[11:07:51 341] DEBUG [cn.banny.unidbg.AbstractEmulator] (AbstractEmulator:247) - emulate unicorn@0x4000cd25[libmain.so]0xcd25 started sp=unicorn@0xbffff7e4
[11:07:51 394] DEBUG [cn.banny.unidbg.AbstractEmulator] (AbstractEmulator:275) - emulate unicorn@0x4000cd25[libmain.so]0xcd25 finished sp=unicorn@0xbffff7e4, offset=53ms
[11:07:51 394] DEBUG [cn.banny.unidbg.AbstractEmulator] (AbstractEmulator:247) - emulate unicorn@0x4000e3ad[libmain.so]0xe3ad started sp=unicorn@0xbffff7e4
[11:07:51 399] WARN [cn.banny.unidbg.linux.ARMSyscallHandler] (ARMSyscallHandler:362) - handleInterrupt intno=2, NR=-1073744148, svcNumber=0x10e, PC=unicorn@0xfffe00bc, syscall=null
java.lang.NullPointerException
at cn.banny.unidbg.linux.android.dvm.DalvikVM$15.handle(DalvikVM.java:233)
at cn.banny.unidbg.linux.ARMSyscallHandler.hook(ARMSyscallHandler.java:87)
at unicorn.Unicorn.invokeInterruptCallbacks(Unicorn.java:123)
at unicorn.Unicorn.emu_start(Native Method)
at cn.banny.unidbg.AbstractEmulator.emulate(AbstractEmulator.java:249)
at cn.banny.unidbg.AbstractEmulator.eFunc(AbstractEmulator.java:340)
at cn.banny.unidbg.arm.AbstractARMEmulator.eFunc(AbstractARMEmulator.java:201)
at cn.banny.unidbg.linux.LinuxModule.emulateFunction(LinuxModule.java:154)
at cn.banny.unidbg.linux.android.dvm.DvmClass.callStaticJniMethod(DvmClass.java:140)
at com.test.sign.TestSignso.test(MoonSignV2so.java:86)
at com.test.sign.TestSignso.main(MoonSignV2so.java:77)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at com.intellij.rt.execution.application.AppMain.main(AppMain.java:144)
[11:07:51 401] DEBUG [cn.banny.unidbg.AbstractEmulator] (AbstractEmulator:275) - emulate unicorn@0x4000e3ad[libmain.so]0xe3ad finished sp=unicorn@0xbffff6dc, offset=7ms
hash:4294837784
destroy

Process finished with exit code 0

`

public class TestSignso extends AbstractJni {

private static LibraryResolver createLibraryResolver() {
    return new AndroidResolver(23);
}

private static ARMEmulator createARMEmulator() {
    return new AndroidARMEmulator("com.test.so");
}

private final ARMEmulator emulator;
private final VM vm;
private final Module module;

private final DvmClass Native;

private TestSignso() throws IOException {

    Logger.getLogger("cn.banny.unidbg.AbstractEmulator").setLevel(Level.ALL);

    emulator = createARMEmulator();
    final Memory memory = emulator.getMemory();
    memory.setLibraryResolver(createLibraryResolver());
    memory.setCallInitFunction();

    vm = emulator.createDalvikVM(null);
    vm.setJni(this);
    DalvikModule dm = vm.loadLibrary(new File("src/test/resources/example_binaries/libmain.so"), false);
    dm.callJNI_OnLoad(emulator);
    this.module = dm.getModule();

    Native = vm.resolveClass("com.taobao.wireless.security.adapter.JNICLibrary".replace(".", "/"));
}

private void destroy() throws IOException {
    emulator.close();
    System.out.println("destroy");
}

public static void main(String[] args) throws Exception {
    TestSignso test = new TestSignso();
    test.test();
    test.destroy();
}

private void test() throws IOException {

    DvmObject context = vm.resolveClass("android/content/Context").newObject(null);

    Number ret = Native.callStaticJniMethod(emulator, "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;",
            10602,
            new ArrayObject(new ArrayObject(context, new StringObject(vm, "0")))
    );
    long hash = ret.intValue() & 0xffffffffL;
    System.out.println("hash:" + hash);

    StringObject obj = vm.getObject(hash);
    vm.deleteLocalRefs();
    System.out.println(obj.getValue());
}

}

`
.so file
libmain.so.zip

Is this file of yours still available for download?

from unidbg.

Cyoung7 avatar Cyoung7 commented on July 16, 2024

TestSignso.tar.gz
I wrote an example that runs end to end; there are still many details you will have to handle yourself.
Uses the latest unidbg.

Could you write a runnable version against the latest code? With the latest version it still throws SecException.

import com.github.unidbg.AndroidEmulator;
import com.github.unidbg.Emulator;
import com.github.unidbg.Module;
import com.github.unidbg.file.FileResult;
import com.github.unidbg.file.IOResolver;
import com.github.unidbg.file.linux.AndroidFileIO;
import com.github.unidbg.linux.android.AndroidARMEmulator;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.linux.android.dvm.*;
import com.github.unidbg.linux.android.dvm.Enumeration;
import com.github.unidbg.linux.android.dvm.api.*;
import com.github.unidbg.linux.android.dvm.api.ClassLoader;
import com.github.unidbg.linux.android.dvm.array.ArrayObject;
import com.github.unidbg.linux.android.dvm.array.ByteArray;
import com.github.unidbg.linux.android.dvm.wrapper.DvmBoolean;
import com.github.unidbg.linux.android.dvm.wrapper.DvmInteger;
import com.github.unidbg.linux.file.ByteArrayFileIO;
import com.github.unidbg.linux.file.DirectoryFileIO;
import com.github.unidbg.linux.file.MapsFileIO;
import com.github.unidbg.linux.file.SimpleFileIO;
import com.github.unidbg.memory.Memory;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

import java.io.File;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

public class Taobao extends AbstractJni implements IOResolver {

private final AndroidEmulator emulator;
private final VM vm;
private final Module module;

private final DvmClass Native;
private final boolean logging;


Taobao(boolean logging) throws IOException {
    this.logging = logging;
    // Create the emulator instance; 32-bit vs. 64-bit is chosen here
    emulator = AndroidEmulatorBuilder.for32Bit().setProcessName("com.tmall.wireless").build();
    final Memory memory = emulator.getMemory(); // the emulator's memory interface
    memory.setLibraryResolver(new AndroidResolver(23)); // resolver for system libraries (API 23)

    vm = emulator.createDalvikVM(APK_FILE); // create the Android (Dalvik) VM

    vm.setVerbose(logging); // whether to print JNI call details
    vm.setJni(this);


    DalvikModule dm = vm.loadLibrary(new File("unidbg-android/src/test/resources/taobao/libsgmainso-6.4.152.so"), false); // map the .so into unicorn memory; init_array etc. run automatically after a successful load
    dm.callJNI_OnLoad(emulator); // call JNI_OnLoad manually
    module = dm.getModule(); // the loaded .so is represented as a Module

    Native = vm.resolveClass("com.taobao.wireless.security.adapter.JNICLibrary".replace(".", "/"));
}

private static final String APK_INSTALL_PATH = "/data/app/test.apk";
private static final File APK_FILE = new File("unidbg-android/src/test/resources/taobao/taobao8.8.apk");

@Override
public FileResult<AndroidFileIO> resolve(Emulator<AndroidFileIO> emulator, String pathname, int oflags) {
    if (pathname.equals(APK_INSTALL_PATH)) {
        return FileResult.<AndroidFileIO>success(new SimpleFileIO(oflags, APK_FILE, pathname));
    }

    if (("/proc/self/status").equals(pathname)) {
        return FileResult.<AndroidFileIO>success(new ByteArrayFileIO(oflags, pathname, (emulator.getPid() + " (a.out) R 6723 6873 6723 34819 6873 8388608 77 0 0 0 41958 31 0 0 25 0 3 0 5882654 1409024 56 4294967295 134512640 134513720 3215579040 0 2097798 0 0 0 0 0 0 0 17 0 0 0\n").getBytes()));
    }

    if (("/proc/" + emulator.getPid() + "/stat").equals(pathname)) {
        return FileResult.<AndroidFileIO>success(new ByteArrayFileIO(oflags, pathname, (emulator.getPid() + " (a.out) R 6723 6873 6723 34819 6873 8388608 77 0 0 0 41958 31 0 0 25 0 3 0 5882654 1409024 56 4294967295 134512640 134513720 3215579040 0 2097798 0 0 0 0 0 0 0 17 0 0 0\n").getBytes()));
    }
    if (("/proc/" + emulator.getPid() + "/wchan").equals(pathname)) {
        return FileResult.<AndroidFileIO>success(new ByteArrayFileIO(oflags, pathname, "sys_epoll".getBytes()));
    }

    return null;
}


private void destroy() throws IOException {
    emulator.close();
    System.out.println("destroy");
}

public static void main(String[] args) throws Exception {
    Taobao test = new Taobao(true);
    test.test();
    test.destroy();
}

private void test() {
    DvmObject context = vm.resolveClass("android/content/Context").newObject(null);
    long start = System.currentTimeMillis();
    int hash = Native.callStaticJniMethodInt(emulator, "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;",
            10101,
            new ArrayObject(context, DvmInteger.valueOf(vm, 3), new StringObject(vm, ""), new StringObject(vm, new File("target/app_SGLib").getAbsolutePath()), new StringObject(vm, ""))
    );
    DvmObject dvmObject = vm.getObject(hash);
    System.out.println("hash:" + hash + ", dvmObject=" + dvmObject + ", offset=" + (System.currentTimeMillis() - start) + "ms");

// Map<String, String> map = new HashMap<>();
// map.put("INPUT", "XPDlGfM+zOoDAMHyPLa9+Okq&&&21646297&99914b932bd37a50b983c5e7c90ae93b&1560149480&mtop.common.gettimestamp&*&&231200@taobao_android_8.8.0&AjA1TIyT9T8vcuFw8Osrli35ALbE3ZW2SHLZNuihw8Ku&&&27&&&&&&&");
// start = System.currentTimeMillis();
// DvmObject res = Native.callStaticJniMethodObject(emulator, "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;",
// 10401,
// new ArrayObject(vm.resolveClass("java/util/HashMap").newObject(map),
// new StringObject(vm, "21646297"), DvmInteger.valueOf(vm, 7), null, DvmBoolean.valueOf(vm, true)));
//
//
// System.out.println("dvmObject=" + res + ", offset=" + (System.currentTimeMillis() - start) + "ms");

}

@Override
public DvmObject<?> callStaticObjectMethod(BaseVM vm, DvmClass dvmClass, String signature, VarArg varArg) {
    switch (signature) {
        case "com/alibaba/wireless/security/mainplugin/SecurityGuardMainPlugin->getMainPluginClassLoader()Ljava/lang/ClassLoader;":
            return vm.resolveClass("java/lang/ClassLoader").newObject(null);
        case "com/taobao/wireless/security/adapter/common/SPUtility2->readFromSPUnified(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;":
            StringObject a1 = varArg.getObject(0);
            StringObject a2 = varArg.getObject(1);
            StringObject a3 = varArg.getObject(2);
            System.out.println("readFromSPUnified a1=" + a1 + ", a2=" + a2 + ", a3=" + a3);
            return null;
        case "com/taobao/wireless/security/adapter/datacollection/DeviceInfoCapturer->doCommandForString(I)Ljava/lang/String;":
            int value = varArg.getInt(0);
            System.out.println("com/taobao/wireless/security/adapter/datacollection/DeviceInfoCapturer->doCommandForString value=" + value);
            return null;
    }

    return super.callStaticObjectMethod(vm, dvmClass, signature, varArg);
}

@Override
public DvmObject<?> newObject(BaseVM vm, DvmClass dvmClass, String signature, VarArg varArg) {
    switch (signature) {
        case "com/alibaba/wireless/security/open/SecException-><init>(Ljava/lang/String;I)V": {
            StringObject msg = varArg.getObject(0);
            int value = varArg.getInt(1);
            System.out.println("\n------------------------------\n"+msg.getValue()+"\n------------------------------\n");
            return dvmClass.newObject(msg.getValue() + "[" + value + "]");
        }
        case "java/lang/Integer-><init>(I)V":
            int value = varArg.getInt(0);
            return DvmInteger.valueOf(vm, value);
    }

    return super.newObject(vm, dvmClass, signature, varArg);
}

@Override
public DvmObject<?> callObjectMethod(BaseVM vm, DvmObject<?> dvmObject, String signature, VarArg varArg) {
    switch (signature) {
        case "java/util/HashMap->keySet()Ljava/util/Set;": {
            HashMap map = (HashMap) dvmObject.getValue();
            return vm.resolveClass("java/util/Set").newObject(map.keySet());
        }
        case "java/util/Set->toArray()[Ljava/lang/Object;":
            Set set = (Set) dvmObject.getValue();
            Object[] array = set.toArray();
            DvmObject[] objects = new DvmObject[array.length];
            for (int i = 0; i < array.length; i++) {
                if(array[i] instanceof String) {
                    objects[i] = new StringObject(vm, (String) array[i]);
                } else {
                    throw new IllegalStateException("array=" + array[i]);
                }
            }
            return new ArrayObject(objects);
        case "java/util/HashMap->get(Ljava/lang/Object;)Ljava/lang/Object;": {
            HashMap map = (HashMap) dvmObject.getValue();
            Object key = varArg.getObject(0).getValue();
            Object obj = map.get(key);
            if(obj instanceof String) {
                return new StringObject(vm, (String) obj);
            } else {
                throw new IllegalStateException("array=" + obj);
            }
        }
        case "android/content/Context->getPackageCodePath()Ljava/lang/String;":
            return new StringObject(vm, APK_INSTALL_PATH);
        case "android/content/Context->getFilesDir()Ljava/io/File;":
            return vm.resolveClass("java/io/File").newObject(new File("target"));
        case "java/io/File->getAbsolutePath()Ljava/lang/String;":
            File file = (File) dvmObject.getValue();
            return new StringObject(vm, file.getAbsolutePath());
    }

    return super.callObjectMethod(vm, dvmObject, signature, varArg);
}

@Override
public void callStaticVoidMethod(BaseVM vm, DvmClass dvmClass, String signature, VarArg varArg) {
    switch (signature) {
        case "com/taobao/dp/util/CallbackHelper->onCallBack(ILjava/lang/String;I)V":
            int i1 = varArg.getInt(0);
            StringObject str = varArg.getObject(1);
            int i2 = varArg.getInt(2);
            System.out.println("com/taobao/dp/util/CallbackHelper->onCallBack i1=" + i1 + ", str=" + str + ", i2=" + i2);
            return;
        case "com/alibaba/wireless/security/open/edgecomputing/ECMiscInfo->registerAppLifeCyCleCallBack()V":
            System.out.println("registerAppLifeCyCleCallBack");
            return;
    }

    super.callStaticVoidMethod(vm, dvmClass, signature, varArg);
}

@Override
public DvmObject<?> getObjectField(BaseVM vm, DvmObject<?> dvmObject, String signature) {
    switch (signature) {
        case "android/content/pm/ApplicationInfo->nativeLibraryDir:Ljava/lang/String;":
            return new StringObject(vm, new File("target").getAbsolutePath());
    }

    return super.getObjectField(vm, dvmObject, signature);
}

@Override
public int callStaticIntMethod(BaseVM vm, DvmClass dvmClass, String signature, VarArg varArg) {
    switch (signature) {
        case "com/alibaba/wireless/security/framework/utils/UserTrackMethodJniBridge->utAvaiable()I":
            return 1;
        case "com/taobao/wireless/security/adapter/common/SPUtility2->saveToFileUnifiedForNative(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Z)I":
            StringObject a1 = varArg.getObject(0);
            StringObject a2 = varArg.getObject(1);
            StringObject a3 = varArg.getObject(2);
            boolean b4 = varArg.getInt(3) != 0;
            System.out.println("saveToFileUnifiedForNative a1=" + a1 + ", a2=" + a2 + ", a3=" + a3 + ", b4=" + b4);
    }

    return super.callStaticIntMethod(vm, dvmClass, signature, varArg);
}

}

JNIEnv->FindClass(java/lang/Boolean) was called from RX@0x400b3099[libmain.so]0xb3099
JNIEnv->FindClass(java/lang/Integer) was called from RX@0x400b30b3[libmain.so]0xb30b3
JNIEnv->FindClass(java/lang/String) was called from RX@0x400b30cd[libmain.so]0xb30cd
JNIEnv->FindClass(com/taobao/wireless/security/adapter/common/HttpUtil) was called from RX@0x400aa5fb[libmain.so]0xaa5fb
JNIEnv->FindClass(com/taobao/wireless/security/adapter/umid/UmidAdapter) was called from RX@0x400aac2f[libmain.so]0xaac2f
JNIEnv->FindClass(com/taobao/wireless/security/adapter/JNICLibrary) was called from RX@0x4000fed5[libmain.so]0xfed5
JNIEnv->FindClass(com/taobao/wireless/security/adapter/common/SPUtility2) was called from RX@0x400a93bb[libmain.so]0xa93bb
JNIEnv->FindClass(com/taobao/wireless/security/adapter/datacollection/DeviceInfoCapturer) was called from RX@0x40013c63[libmain.so]0x13c63
JNIEnv->FindClass(com/taobao/wireless/security/adapter/datareport/DataReportJniBridge) was called from RX@0x40017c7d[libmain.so]0x17c7d
JNIEnv->FindClass(android/content/Context) was called from RX@0x400b9107[libmain.so]0xb9107
JNIEnv->FindClass(android/content/pm/PackageManager) was called from RX@0x400b9107[libmain.so]0xb9107
JNIEnv->FindClass(android/content/pm/PackageInfo) was called from RX@0x400b9107[libmain.so]0xb9107
JNIEnv->FindClass(android/content/pm/ApplicationInfo) was called from RX@0x400b9107[libmain.so]0xb9107
JNIEnv->FindClass(android/provider/Settings$Secure) was called from RX@0x400b9107[libmain.so]0xb9107
JNIEnv->FindClass(java/util/List) was called from RX@0x400b9107[libmain.so]0xb9107
JNIEnv->FindClass(android/net/wifi/WifiConfiguration) was called from RX@0x400b9107[libmain.so]0xb9107
JNIEnv->FindClass(android/net/wifi/WifiManager) was called from RX@0x400b9107[libmain.so]0xb9107
JNIEnv->FindClass(android/net/DhcpInfo) was called from RX@0x400b9107[libmain.so]0xb9107
JNIEnv->FindClass(com/taobao/dp/util/ZipUtils) was called from RX@0x4003736b[libmain.so]0x3736b
JNIEnv->FindClass(com/taobao/dp/util/CallbackHelper) was called from RX@0x400373af[libmain.so]0x373af
JNIEnv->FindClass(android/content/Context) was called from RX@0x400374cb[libmain.so]0x374cb
JNIEnv->FindClass(android/content/pm/PackageManager) was called from RX@0x400374ff[libmain.so]0x374ff
JNIEnv->FindClass(android/content/pm/PackageInfo) was called from RX@0x40037535[libmain.so]0x37535
JNIEnv->FindClass(android/content/pm/ApplicationInfo) was called from RX@0x4003759d[libmain.so]0x3759d
JNIEnv->FindClass(android/os/Environment) was called from RX@0x4003871d[libmain.so]0x3871d
JNIEnv->FindClass(java/io/File) was called from RX@0x4003875b[libmain.so]0x3875b
JNIEnv->FindClass(android/content/Context) was called from RX@0x400387ab[libmain.so]0x387ab
JNIEnv->FindClass(com/alibaba/wireless/security/mainplugin/SecurityGuardMainPlugin) was called from RX@0x400569c9[libmain.so]0x569c9
JNIEnv->CallStaticObjectMethod(class com/alibaba/wireless/security/mainplugin/SecurityGuardMainPlugin, getMainPluginClassLoader()Ljava/lang/ClassLoader;) was called from RX@0x40056a13[libmain.so]0x56a13
JNIEnv->FindClass(com/alibaba/wireless/security/open/edgecomputing/ECMiscInfo) was called from RX@0x40056421[libmain.so]0x56421
JNIEnv->FindClass(com/alibaba/wireless/security/framework/utils/UserTrackMethodJniBridge) was called from RX@0x400289bb[libmain.so]0x289bb
JNIEnv->RegisterNatives(com/taobao/wireless/security/adapter/JNICLibrary, unidbg@0xbffff6d8, 1) was called from RX@0x400104e9[libmain.so]0x104e9
RegisterNative(com/taobao/wireless/security/adapter/JNICLibrary, doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;, RX@0x40010231[libmain.so]0x10231)
JNIEnv->FindClass(java/lang/Integer) was called from RX@0x400b4b77[libmain.so]0xb4b77
JNIEnv->FindClass(java/lang/Float) was called from RX@0x400b4b77[libmain.so]0xb4b77
JNIEnv->FindClass(java/lang/String) was called from RX@0x400b4b77[libmain.so]0xb4b77
JNIEnv->FindClass([B) was called from RX@0x400b4b77[libmain.so]0xb4b77
JNIEnv->FindClass(java/util/HashMap) was called from RX@0x400b4b77[libmain.so]0xb4b77
JNIEnv->FindClass(java/util/Set) was called from RX@0x400b4b77[libmain.so]0xb4b77
Find native function Java_com_taobao_wireless_security_adapter_JNICLibrary_doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object; => RX@0x40010231[libmain.so]0x10231
JNIEnv->GetObjectArrayElement([android.content.Context@4141d797, 0x3, "", "/home/cyoung/github/unidbg/target/app_SGLib", ""], 0) was called from RX@0x40010787[libmain.so]0x10787
JNIEnv->GetObjectArrayElement([android.content.Context@4141d797, 0x3, "", "/home/cyoung/github/unidbg/target/app_SGLib", ""], 1) was called from RX@0x400b4861[libmain.so]0xb4861
JNIEnv->CallIntMethod(java/lang/Integer, intValue()I => 0x3) was called from RX@0x400107b3[libmain.so]0x107b3
JNIEnv->CallObjectMethod(android/content/Context, getPackageCodePath()Ljava/lang/String; => "/data/app/test.apk") was called from RX@0x4001135b[libmain.so]0x1135b
JNIEnv->GetStringUtfChars("/data/app/test.apk") was called from RX@0x400b32f5[libmain.so]0xb32f5
JNIEnv->ReleaseStringUTFChars("/data/app/test.apk") was called from RX@0x400b333f[libmain.so]0xb333f
JNIEnv->CallObjectMethod(android/content/Context, getFilesDir()Ljava/io/File; => java.io.File@19e1023e) was called from RX@0x400114c5[libmain.so]0x114c5
JNIEnv->CallObjectMethod(java/io/File, getAbsolutePath()Ljava/lang/String; => "/home/cyoung/github/unidbg/target") was called from RX@0x40011509[libmain.so]0x11509
JNIEnv->GetStringUtfChars("/home/cyoung/github/unidbg/target") was called from RX@0x400b32f5[libmain.so]0xb32f5
JNIEnv->ReleaseStringUTFChars("/home/cyoung/github/unidbg/target") was called from RX@0x400b333f[libmain.so]0xb333f
JNIEnv->CallObjectMethod(android/content/Context, getApplicationInfo()Landroid/content/pm/ApplicationInfo; => android.content.pm.ApplicationInfo@64b8f8f4) was called from RX@0x40011737[libmain.so]0x11737
JNIEnv->GetObjectField(android.content.pm.ApplicationInfo@64b8f8f4, nativeLibraryDir Ljava/lang/String; => "/home/cyoung/github/unidbg/target") was called from RX@0x400117df[libmain.so]0x117df
JNIEnv->GetStringUtfChars("/home/cyoung/github/unidbg/target") was called from RX@0x400b32f5[libmain.so]0xb32f5
JNIEnv->ReleaseStringUTFChars("/home/cyoung/github/unidbg/target") was called from RX@0x400b333f[libmain.so]0xb333f
JNIEnv->GetObjectArrayElement([android.content.Context@4141d797, 0x3, "", "/home/cyoung/github/unidbg/target/app_SGLib", ""], 2) was called from RX@0x400b4829[libmain.so]0xb4829
JNIEnv->GetStringUtfChars("") was called from RX@0x400b3367[libmain.so]0xb3367
JNIEnv->ReleaseStringUTFChars("") was called from RX@0x400b337d[libmain.so]0xb337d
JNIEnv->GetObjectArrayElement([android.content.Context@4141d797, 0x3, "", "/home/cyoung/github/unidbg/target/app_SGLib", ""], 3) was called from RX@0x400b4829[libmain.so]0xb4829
JNIEnv->GetStringUtfChars("/home/cyoung/github/unidbg/target/app_SGLib") was called from RX@0x400b3367[libmain.so]0xb3367
JNIEnv->ReleaseStringUTFChars("/home/cyoung/github/unidbg/target/app_SGLib") was called from RX@0x400b337d[libmain.so]0xb337d
JNIEnv->GetObjectArrayElement([android.content.Context@4141d797, 0x3, "", "/home/cyoung/github/unidbg/target/app_SGLib", ""], 4) was called from RX@0x400b4829[libmain.so]0xb4829
JNIEnv->GetStringUtfChars("") was called from RX@0x400b3367[libmain.so]0xb3367
JNIEnv->ReleaseStringUTFChars("") was called from RX@0x400b337d[libmain.so]0xb337d
JNIEnv->FindClass(com/taobao/wireless/security/adapter/datareport/DataReportJniBridge) was called from RX@0x4002202d[libmain.so]0x2202d
JNIEnv->FindClass(com/taobao/wireless/security/adapter/datareport/DataReportJniBridge) was called from RX@0x40025377[libmain.so]0x25377
[16:21:40 476] INFO [com.github.unidbg.linux.ARM32SyscallHandler] (ARM32SyscallHandler:810) - pthread_clone child_stack=RW@0x403fe930, thread_id=1, fn=RX@0x401bd7f5[libc.so]0x3f7f5, arg=RW@0x403fe930, flags=[CLONE_VM, CLONE_FS, CLONE_FILES, CLONE_SIGHAND, CLONE_THREAD, CLONE_SYSVSEM, CLONE_SETTLS, CLONE_PARENT_SETTID, CLONE_CHILD_CLEARTID]
[16:21:40 554] INFO [com.github.unidbg.linux.ARM32SyscallHandler] (ARM32SyscallHandler:1038) - stat64 pathname=/data/app/test.apk, LR=RX@0x4000f471[libmain.so]0xf471
[16:21:40 554] INFO [com.github.unidbg.linux.ARM32SyscallHandler] (ARM32SyscallHandler:1825) - faccessat dirfd=-100, pathname=/home/cyoung/github/unidbg/target/storage/com.taobao.maindex, oflags=0x0, mode=0
[16:21:40 628] INFO [com.github.unidbg.linux.ARM32SyscallHandler] (ARM32SyscallHandler:810) - pthread_clone child_stack=RW@0x404fd930, thread_id=2, fn=RX@0x401bd7f5[libc.so]0x3f7f5, arg=RW@0x404fd930, flags=[CLONE_VM, CLONE_FS, CLONE_FILES, CLONE_SIGHAND, CLONE_THREAD, CLONE_SYSVSEM, CLONE_SETTLS, CLONE_PARENT_SETTID, CLONE_CHILD_CLEARTID]
[16:21:40 639] INFO [com.github.unidbg.linux.ARM32SyscallHandler] (ARM32SyscallHandler:810) - pthread_clone child_stack=RW@0x405fc930, thread_id=3, fn=RX@0x401bd7f5[libc.so]0x3f7f5, arg=RW@0x405fc930, flags=[CLONE_VM, CLONE_FS, CLONE_FILES, CLONE_SIGHAND, CLONE_THREAD, CLONE_SYSVSEM, CLONE_SETTLS, CLONE_PARENT_SETTID, CLONE_CHILD_CLEARTID]
[16:21:40 648] INFO [com.github.unidbg.linux.ARM32SyscallHandler] (ARM32SyscallHandler:810) - pthread_clone child_stack=RW@0x406fb930, thread_id=4, fn=RX@0x401bd7f5[libc.so]0x3f7f5, arg=RW@0x406fb930, flags=[CLONE_VM, CLONE_FS, CLONE_FILES, CLONE_SIGHAND, CLONE_THREAD, CLONE_SYSVSEM, CLONE_SETTLS, CLONE_PARENT_SETTID, CLONE_CHILD_CLEARTID]
[16:21:40 669] INFO [com.github.unidbg.linux.ARM32SyscallHandler] (ARM32SyscallHandler:1038) - stat64 pathname=/home/cyoung/github/unidbg/target/Q0VSVC5SU0EK.txt, LR=RX@0x4007331f[libmain.so]0x7331f
[16:21:40 686] INFO [com.github.unidbg.linux.ARM32SyscallHandler] (ARM32SyscallHandler:1886) - openat dirfd=-100, pathname=/data/app/test.apk, oflags=0x20000, mode=0
[16:21:40 687] INFO [com.github.unidbg.linux.ARM32SyscallHandler] (ARM32SyscallHandler:1886) - openat dirfd=-100, pathname=/data/app/test.apk, oflags=0x20000, mode=0
[16:21:40 689] INFO [com.github.unidbg.linux.ARM32SyscallHandler] (ARM32SyscallHandler:1886) - openat dirfd=-100, pathname=/data/app/test.apk, oflags=0x20000, mode=0
JNIEnv->FindClass(com/alibaba/wireless/security/open/SecException) was called from RX@0x400b37d3[libmain.so]0xb37d3
JNIEnv->NewStringUTF("") was called from RX@0x400b37f7[libmain.so]0xb37f7
JNIEnv->NewObject(com/alibaba/wireless/security/open/SecException, ) was called from RX@0x400b380b[libmain.so]0xb380b

from unidbg.

stathamcheng avatar stathamcheng commented on July 16, 2024

Taobao 9.0.1: this unidbg setup of yours no longer runs at all, it keeps returning null. Could some expert take a look!!! @zhkl0228

from unidbg.

stathamcheng avatar stathamcheng commented on July 16, 2024

[19:51:16 930] WARN [com.github.unidbg.linux.ARM64SyscallHandler] (ARM64SyscallHandler:313) - handleInterrupt intno=2, NR=-130448, svcNumber=0x11e, PC=unidbg@0xfffe0274, LR=RX@0x400da418[libmain.so]0xda418, syscall=null
com.github.unidbg.arm.backend.BackendException
at com.github.unidbg.linux.android.dvm.DalvikVM64$31.handle(DalvikVM64.java:499)
at com.github.unidbg.linux.ARM64SyscallHandler.hook(ARM64SyscallHandler.java:92)
at com.github.unidbg.arm.backend.UnicornBackend$10.hook(UnicornBackend.java:323)
at unicorn.Unicorn$NewHook.onInterrupt(Unicorn.java:128)
at unicorn.Unicorn.emu_start(Native Method)
at com.github.unidbg.arm.backend.UnicornBackend.emu_start(UnicornBackend.java:354)
at com.github.unidbg.AbstractEmulator.emulate(AbstractEmulator.java:370)
at com.github.unidbg.AbstractEmulator.eFunc(AbstractEmulator.java:446)
at com.github.unidbg.arm.AbstractARM64Emulator.eFunc(AbstractARM64Emulator.java:220)
at com.github.unidbg.Module.emulateFunction(Module.java:159)
at com.github.unidbg.linux.android.dvm.DvmObject.callJniMethod(DvmObject.java:133)
at com.github.unidbg.linux.android.dvm.DvmClass.callStaticJniMethodObject(DvmClass.java:292)
at com.taobao.taobao.XSign.getXSign(XSign.java:180)
at com.taobao.taobao.XSign.main(XSign.java:107)
[19:51:16 933] WARN [com.github.unidbg.AbstractEmulator] (AbstractEmulator:389) - emulate RX@0x40016bc0[libmain.so]0x16bc0 exception sp=unidbg@0xbfffdc00, msg=null, offset=99ms @zhkl0228 could you help take a look?

from unidbg.

SiriusED avatar SiriusED commented on July 16, 2024

Hi guys, I have one question about this library. Is it possible to use this lib on Windows, through Java, like install Java, load the library there and have access from my C# by Java API or something?

from unidbg.
