Comments (9)
// 这里是代码
package com.tianyancha;
import com.github.unidbg.AndroidEmulator;
import com.github.unidbg.Module;
import com.github.unidbg.file.FileIO;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.linux.android.dvm.*;
import com.github.unidbg.linux.android.dvm.AbstractJni;
import com.github.unidbg.linux.android.dvm.array.ByteArray;
import com.github.unidbg.memory.Memory;
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
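/**
 * unidbg harness that loads {@code libJMEncryptBox.so} into an emulated 32-bit Android process
 * and calls its JNI encryption method from the host JVM.
 *
 * <p>The class extends {@link AbstractJni} so that JNI up-calls made by the native library can
 * be answered on the host side; only the two signatures handled below are overridden, everything
 * else falls through to the superclass.
 *
 * <p>Everything computed here is derived from the APK and library files on disk plus the
 * caller-supplied input; the code shown involves no device-bound or server-held secret.
 *
 * <p>Not thread-safe: one emulator instance is shared by all methods.
 */
public class skyeye extends AbstractJni {
    /** Sample plaintext used by {@link #main} and {@link #call_address}; fields are joined by "#@#". */
    private static final String SAMPLE_INPUT =
            "imei-not-exist#@#0#@#1701937912731#@#tyc#@#78fe7353ce852fb0";

    private final AndroidEmulator emulator;
    private final VM vm;
    private final DalvikModule dm;
    private final Module module;
    // Host-side replacement for the Java helper the native code calls back into; it holds no
    // state, so a single instance is reused instead of allocating one per JNI callback.
    private final JMEncryptBox fingerHelper = new JMEncryptBox();

    /**
     * Builds the emulator, creates the Dalvik VM from the APK, loads the native library and runs
     * its {@code JNI_OnLoad}.
     *
     * <p>The APK and library paths are relative to the working directory. If any step after the
     * emulator is built throws, the emulator is not closed by this constructor.
     */
    skyeye() {
        // 1. Create a 32-bit emulator that reports the target app's process name.
        emulator = AndroidEmulatorBuilder.for32Bit().setProcessName("com.tianyancha.skyeye").build();
        // 2. Set the Android SDK level used to resolve system libraries.
        Memory memory = emulator.getMemory();
        memory.setLibraryResolver(new AndroidResolver(23));
        // 3. Create the Android (Dalvik) virtual machine from the APK.
        vm = emulator.createDalvikVM(new File("data/tyc2/tianyancha10.8.0.apk"));
        vm.setJni(this);
        vm.setVerbose(true); // whether to print the details of every JNI call: true / false
        // 4. Load the target .so into unicorn virtual memory; per the original author's note,
        //    init_array functions are invoked automatically once the load succeeds.
        dm = vm.loadLibrary(new File("data/tyc2/libJMEncryptBox.so"), false);
        // Run JNI_OnLoad manually (not needed when the library uses static registration only).
        dm.callJNI_OnLoad(emulator);
        module = dm.getModule();
    }

    /**
     * Encrypts the sample input through the emulated library and prints the resulting bytes.
     *
     * @param args unused
     * @throws Exception if emulation or the native call fails
     */
    public static void main(String[] args) throws Exception {
        skyeye skyeyeobj = new skyeye();
        try {
            // Explicit charset: the bytes handed to the native code must not depend on the
            // host platform's default encoding.
            byte[] inputByte = SAMPLE_INPUT.getBytes(StandardCharsets.UTF_8);
            byte[] arr = skyeyeobj.encryptToBytesFromBytes(inputByte);
            System.out.println(Arrays.toString(arr));
            // call_address() is the alternative, offset-based path; it is not run by default.
        } finally {
            // Release the emulator's native backend even when the call above throws.
            skyeyeobj.destroy();
        }
    }

    /**
     * Closes the underlying emulator and frees its resources. The instance must not be used
     * afterwards.
     *
     * @throws IOException if closing the emulator fails
     */
    void destroy() throws IOException {
        emulator.close();
    }

    /**
     * Calls a function by raw offset inside the loaded module and prints the returned byte array.
     *
     * <p>The offset {@code 0x584d} is hard-coded and therefore tied to the exact library build
     * loaded by the constructor.
     *
     * @throws IllegalStateException if the returned handle does not resolve to a VM object
     */
    public void call_address() {
        byte[] inputByte = SAMPLE_INPUT.getBytes(StandardCharsets.UTF_8);
        Number number = module.callFunction(
                emulator,
                0x584d,
                vm.getJNIEnv(),
                vm.addLocalObject(new ByteArray(vm, inputByte))
        );
        // The native return value is an object handle; resolve it back to the host-side object.
        DvmObject<?> result = vm.getObject(number.intValue());
        if (result == null) {
            throw new IllegalStateException("native call returned a handle with no VM object: " + number);
        }
        byte[] resArr = (byte[]) result.getValue();
        System.out.println(Arrays.toString(resArr));
    }

    /**
     * Invokes the static JNI method {@code encryptByRandomType2([B)[B} of
     * {@code com/ijiami/JMEncryptBoxByRandom} inside the emulator.
     *
     * @param bArr input bytes passed to the native method
     * @return the byte array produced by the native method
     * @throws IllegalStateException if the native method returns no object
     * @throws Exception if emulation fails
     */
    public byte[] encryptToBytesFromBytes(byte[] bArr) throws Exception {
        DvmClass cls = vm.resolveClass("com/ijiami/JMEncryptBoxByRandom");
        String method = "encryptByRandomType2([B)[B";
        ByteArray arr = cls.callStaticJniMethodObject(
                emulator,
                method,
                new ByteArray(vm, bArr)
        );
        if (arr == null) {
            // Fail with a clear message instead of a bare NullPointerException.
            throw new IllegalStateException("native method " + method + " returned null");
        }
        return arr.getValue();
    }

    /**
     * Answers instance-method JNI up-calls from the native library.
     *
     * <p>Only {@code ActivityThread.getApplication()} is handled: it returns a placeholder
     * {@code android/app/Application} object whose class chain is
     * {@code Application -> ContextWrapper -> Context}. All other signatures are delegated to
     * {@link AbstractJni}.
     */
    @Override
    public DvmObject<?> callObjectMethodV(BaseVM vm, DvmObject<?> dvmObject, String signature, VaList vaList) {
        if ("android/app/ActivityThread->getApplication()Landroid/app/Application;".equals(signature)) {
            DvmClass cContext = vm.resolveClass("android/content/Context");
            DvmClass cContextWrapper = vm.resolveClass("android/content/ContextWrapper", cContext);
            DvmClass cApplication = vm.resolveClass("android/app/Application", cContextWrapper);
            // The placeholder carries no backing value.
            return cApplication.newObject(null);
        }
        return super.callObjectMethodV(vm, dvmObject, signature, vaList);
    }

    /**
     * Answers static-method JNI up-calls from the native library.
     *
     * <p>Only {@code JMEncryptBox.getFinger(String, byte[])} is handled, by running the host-side
     * {@link JMEncryptBox} re-implementation on the arguments supplied by the native caller. All
     * other signatures are delegated to {@link AbstractJni}.
     */
    @Override
    public DvmObject<?> callStaticObjectMethodV(BaseVM vm, DvmClass dvmClass, String signature, VaList vaList) {
        if ("com/ijiami/JMEncryptBox->getFinger(Ljava/lang/String;[B)Ljava/lang/String;".equals(signature)) {
            // Both arguments come from the emulated native code, not from this harness.
            String algorithm = (String) vaList.getObjectArg(0).getValue();
            byte[] data = (byte[]) vaList.getObjectArg(1).getValue();
            return new StringObject(vm, fingerHelper.getFinger(algorithm, data));
        }
        return super.callStaticObjectMethodV(vm, dvmClass, signature, vaList);
    }
}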
/**
 * Host-side helper that hashes a byte array with a named digest algorithm and renders the
 * result as upper-case hexadecimal.
 */
class JMEncryptBox {
    /**
     * Digests {@code arr_b} with the algorithm named by {@code s}.
     *
     * <p>The algorithm name is passed to {@link MessageDigest#getInstance(String)} unchanged.
     * Any failure (unknown algorithm, null input, ...) is printed and reported as the literal
     * string {@code "ERROR2"}, so callers cannot tell a failure from a digest without comparing
     * against that sentinel.
     *
     * @param s digest algorithm name
     * @param arr_b data to hash
     * @return upper-case hex digest, or {@code "ERROR2"} on any exception
     */
    public String getFinger(String s, byte[] arr_b) {
        String outcome;
        try {
            MessageDigest digester = MessageDigest.getInstance(s);
            outcome = toHexString(digester.digest(arr_b));
        } catch (Exception failure) {
            failure.printStackTrace();
            System.out.println("ERROR2");
            outcome = "ERROR2";
        }
        return outcome;
    }

    /**
     * Renders every byte of {@code arr_b} as two upper-case hex digits.
     *
     * @param arr_b bytes to encode
     * @return hex string of length {@code 2 * arr_b.length}
     */
    public String toHexString(byte[] arr_b) {
        StringBuffer hex = new StringBuffer();
        for (byte current : arr_b) {
            byte2hex(current, hex);
        }
        return hex.toString();
    }

    /**
     * Appends the two upper-case hex digits of {@code b} to {@code stringBuffer0}, high nibble
     * first.
     *
     * @param b byte to encode
     * @param stringBuffer0 buffer that receives the two characters
     */
    public static void byte2hex(byte b, StringBuffer stringBuffer0) {
        final String digits = "0123456789ABCDEF";
        // Masking after the shift discards the sign extension of negative bytes.
        int highNibble = (b >> 4) & 0x0F;
        int lowNibble = b & 0x0F;
        stringBuffer0.append(digits.charAt(highNibble));
        stringBuffer0.append(digits.charAt(lowNibble));
    }
}
from unidbg.
资源链接: https://www.123pan.com/s/i7najv-bk6jv.html
from unidbg.
单独处理下NR=192
from unidbg.
@heckerstone NR=192 这个是什么? 求大佬指点
from unidbg.
同求大佬指点
from unidbg.
@heckerstone NR=192 这个是什么? 求大佬指点
https://chromium.googlesource.com/chromiumos/docs/+/master/constants/syscalls.md#arm-32_bit_EABI
nr表
from unidbg.
老哥后来搞定了吗?
from unidbg.
没有,不搞了,你呢
from unidbg.
没有,不搞了,你呢
我改用 Frida 调用了,能生成 Authorization 字段就行
from unidbg.