
Comments (9)

dh15178076212 avatar dh15178076212 commented on July 17, 2024

// 这里是代码
package com.tianyancha;

import com.github.unidbg.AndroidEmulator;
import com.github.unidbg.Module;
import com.github.unidbg.file.FileIO;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.linux.android.dvm.AbstractJni;
import com.github.unidbg.linux.android.dvm.*;
import com.github.unidbg.linux.android.dvm.array.ByteArray;
import com.github.unidbg.memory.Memory;

import java.io.File;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;

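/**
 * unidbg harness that loads {@code libJMEncryptBox.so} next to a local APK into an emulated
 * 32-bit Android process and calls its JNI encryption entry point.
 *
 * <p>The native library calls back into Java while it runs. This class answers the two callbacks
 * it handles explicitly ({@code ActivityThread.getApplication()} and
 * {@code JMEncryptBox.getFinger}) with local stand-ins and delegates everything else to
 * {@link AbstractJni}.
 */
public class skyeye extends AbstractJni {
    /** Sample plaintext used by both entry points; fields are separated by {@code #@#}. */
    private static final String SAMPLE_INPUT =
            "imei-not-exist#@#0#@#1701937912731#@#tyc#@#78fe7353ce852fb0";

    private final AndroidEmulator emulator;
    private final VM vm;
    private final DalvikModule dm;
    private final Module module;

    /**
     * Builds the emulator, creates the Dalvik VM from the APK and loads the native library.
     *
     * <p>Both file paths are relative to the working directory.
     */
    skyeye() {
        // 1. Create a 32-bit emulated process that reports the app's process name.
        emulator = AndroidEmulatorBuilder.for32Bit().setProcessName("com.tianyancha.skyeye").build();

        // 2. Select the Android SDK level used to resolve system libraries.
        Memory memory = emulator.getMemory();
        memory.setLibraryResolver(new AndroidResolver(23));

        // 3. Create the Android VM from the APK and route JNI callbacks to this object.
        vm = emulator.createDalvikVM(new File("data/tyc2/tianyancha10.8.0.apk"));
        vm.setJni(this);
        vm.setVerbose(true); // whether to print JNI call details: true / false

        // 4. Load the target .so into unicorn virtual memory; per the original author's note,
        //    init_array functions are called by default once loading succeeds.
        dm = vm.loadLibrary(new File("data/tyc2/libJMEncryptBox.so"), false);
        // Run JNI_OnLoad manually (not needed when the library uses static registration).
        dm.callJNI_OnLoad(emulator);
        module = dm.getModule();
    }

    /**
     * Encrypts the sample input through the JNI method and prints the resulting bytes.
     *
     * @param args unused
     * @throws Exception if emulation or closing the emulator fails
     */
    public static void main(String[] args) throws Exception {
        skyeye skyeyeobj = new skyeye();
        try {
            // Explicit charset so the bytes do not depend on the platform default.
            byte[] inputByte = SAMPLE_INPUT.getBytes(StandardCharsets.UTF_8);
            byte[] arr = skyeyeobj.encryptToBytesFromBytes(inputByte);
            System.out.println(Arrays.toString(arr));

            // Alternative path that calls the native function by raw offset:
            // skyeyeobj.call_address();
        } finally {
            // Release the emulator's native resources even when the call above throws.
            skyeyeobj.emulator.close();
        }
    }

    /**
     * Calls a native function by its module-relative offset and prints the returned bytes.
     *
     * <p>The offset {@code 0x584d} is hard-coded, so it is only meaningful for the exact library
     * build this harness was written against; any other build needs the offset re-derived.
     */
    public void call_address() {
        byte[] inputByte = SAMPLE_INPUT.getBytes(StandardCharsets.UTF_8);
        Number number = module.callFunction(
                emulator,
                0x584d,
                vm.getJNIEnv(),
                vm.addLocalObject(new ByteArray(vm, inputByte))
        );
        // The native return value is a JNI object handle; look it up to get the byte[].
        byte[] resArr = (byte[]) vm.getObject(number.intValue()).getValue();
        System.out.println(Arrays.toString(resArr));
    }

    /**
     * Calls {@code com.ijiami.JMEncryptBoxByRandom.encryptByRandomType2([B)[B} in the emulated
     * library.
     *
     * @param bArr plaintext bytes handed to the native method
     * @return the bytes returned by the native method
     * @throws Exception declared for callers; the visible body adds no checked exception itself
     */
    public byte[] encryptToBytesFromBytes(byte[] bArr) throws Exception {
        DvmClass cls = vm.resolveClass("com/ijiami/JMEncryptBoxByRandom");
        String method = "encryptByRandomType2([B)[B";
        ByteArray arr = cls.callStaticJniMethodObject(
                emulator,
                method,
                new ByteArray(vm, bArr)
        );
        return arr.getValue();
    }

    /**
     * Answers {@code ActivityThread.getApplication()} with a placeholder {@code Application}
     * object; every other signature is delegated to the superclass.
     */
    @Override
    public DvmObject<?> callObjectMethodV(BaseVM vm, DvmObject<?> dvmObject, String signature, VaList vaList) {
        if (signature.equals("android/app/ActivityThread->getApplication()Landroid/app/Application;")) {
            // Register the Context -> ContextWrapper -> Application hierarchy, then hand back an
            // Application instance with no backing value.
            DvmClass cContext = vm.resolveClass("android/content/Context");
            DvmClass cContextWrapper = vm.resolveClass("android/content/ContextWrapper", cContext);
            DvmClass cApplication = vm.resolveClass("android/app/Application", cContextWrapper);
            return cApplication.newObject(null);
        }
        return super.callObjectMethodV(vm, dvmObject, signature, vaList);
    }

    /**
     * Answers {@code JMEncryptBox.getFinger(String, byte[])} with the local Java re-implementation;
     * every other signature is delegated to the superclass.
     *
     * <p>The digest algorithm name and the data both come from the native caller. The local
     * {@code getFinger} returns the literal {@code "ERROR2"} on failure, and that string is passed
     * back to native code as if it were a fingerprint.
     */
    @Override
    public DvmObject<?> callStaticObjectMethodV(BaseVM vm, DvmClass dvmClass, String signature, VaList vaList) {
        if (signature.equals("com/ijiami/JMEncryptBox->getFinger(Ljava/lang/String;[B)Ljava/lang/String;")) {
            // Only build the helper when this callback is actually requested.
            JMEncryptBox jmbox = new JMEncryptBox();
            String algorithm = (String) vaList.getObjectArg(0).getValue();
            byte[] data = (byte[]) vaList.getObjectArg(1).getValue();
            return new StringObject(vm, jmbox.getFinger(algorithm, data));
        }
        return super.callStaticObjectMethodV(vm, dvmClass, signature, vaList);
    }
}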

/**
 * Local Java implementation of the {@code getFinger} helper: a message digest rendered as
 * upper-case hexadecimal.
 */
class JMEncryptBox {
    /**
     * Hashes {@code arr_b} with the named {@link MessageDigest} algorithm.
     *
     * <p>Any failure (unknown algorithm, null argument) is reported on the console and turned into
     * the sentinel string {@code "ERROR2"}, so callers that need to tell a digest from a failure
     * must compare against that value.
     *
     * @param s     digest algorithm name passed to {@link MessageDigest#getInstance(String)}
     * @param arr_b bytes to hash
     * @return upper-case hex digest, or {@code "ERROR2"} on any exception
     */
    public String getFinger(String s, byte[] arr_b) {
        try {
            MessageDigest digester = MessageDigest.getInstance(s);
            byte[] digest = digester.digest(arr_b);
            return toHexString(digest);
        } catch (Exception exception0) {
            exception0.printStackTrace();
            System.out.println("ERROR2");
            return "ERROR2";
        }
    }

    /**
     * Renders every byte of {@code arr_b} as two upper-case hex digits.
     *
     * @param arr_b bytes to encode
     * @return hex string of length {@code 2 * arr_b.length}
     */
    public String toHexString(byte[] arr_b) {
        StringBuffer hex = new StringBuffer();
        for (byte value : arr_b) {
            byte2hex(value, hex);
        }
        return hex.toString();
    }

    /**
     * Appends the two upper-case hex digits of {@code b} to {@code stringBuffer0}.
     *
     * @param b             byte to encode
     * @param stringBuffer0 buffer that receives the high nibble, then the low nibble
     */
    public static void byte2hex(byte b, StringBuffer stringBuffer0) {
        final String digits = "0123456789ABCDEF";
        // Mask after the shift so a negative byte's sign extension is discarded.
        int high = (b >> 4) & 0x0F;
        int low = b & 0x0F;
        stringBuffer0.append(digits.charAt(high));
        stringBuffer0.append(digits.charAt(low));
    }
}


dh15178076212 avatar dh15178076212 commented on July 17, 2024

资源链接: https://www.123pan.com/s/i7najv-bk6jv.html


heckerstone avatar heckerstone commented on July 17, 2024

单独处理下NR=192


dh15178076212 avatar dh15178076212 commented on July 17, 2024

@heckerstone NR=192 这个是什么? 求大佬指点


huanglaoji365 avatar huanglaoji365 commented on July 17, 2024

同求大佬指点


yangxiaopao avatar yangxiaopao commented on July 17, 2024

@heckerstone NR=192 这个是什么? 求大佬指点

https://chromium.googlesource.com/chromiumos/docs/+/master/constants/syscalls.md#arm-32_bit_EABI

nr表


zcybupt avatar zcybupt commented on July 17, 2024

老哥后来搞定了吗?


dh15178076212 avatar dh15178076212 commented on July 17, 2024

没有,不搞了,你呢


zcybupt avatar zcybupt commented on July 17, 2024

没有,不搞了,你呢

我改用 Frida 调用了,能生成 Authorization 字段就行

