unidbg入门笔记

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

package com.kanxue.test2;

import com.github.unidbg.AndroidEmulator;

import com.github.unidbg.Module;

import com.github.unidbg.arm.backend.DynarmicFactory;

import com.github.unidbg.linux.android.AndroidEmulatorBuilder;

import com.github.unidbg.linux.android.AndroidResolver;

import com.github.unidbg.linux.android.dvm.AbstractJni;

import com.github.unidbg.linux.android.dvm.DalvikModule;

import com.github.unidbg.linux.android.dvm.VM;

import com.github.unidbg.memory.Memory;

import java.io.File;

public class Test05 extends AbstractJni {

    private final AndroidEmulator emulator;

    private final VM vm;

    private final Module module;

    Test05(){

        // 创建模拟器

        emulator = AndroidEmulatorBuilder

                .for32Bit().addBackendFactory(new DynarmicFactory(true))

                .setProcessName("cc.ccc.cc")

                .build();

        // 内存调用

        Memory memory = emulator.getMemory();

        // 设定 SDK 版本

        memory.setLibraryResolver(new AndroidResolver(23));

        //创建虚拟机

        vm = emulator.createDalvikVM(new File("sssss.apk"));

        //jni 日志打印

        vm.setVerbose(true);

        // jni 设置

        vm.setJni(this);

        // 执行so文件

        DalvikModule dm = vm.loadLibrary(new File("ssss.so"), true);

        // 获取so 文件模块

        module = dm.getModule();

        //调用JNI——onload 函数

        vm.callJNI_OnLoad(emulator,module);

        // dm.callJNI_OnLoad(module);

    }

}

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

// 获取内存操作接口

Memory memory1 = emulator.getMemory();

// 获取进程id

int pid = emulator.getPid();

//创建虚拟机

VM dalvikVM = emulator.createDalvikVM();

//创建虚拟机并指定文件

VM dalvikVM1 = emulator.createDalvikVM(new File("ss/ss/apk"));

//获取已经创建的虚拟机

VM dalvikVM2 = emulator.getDalvikVM();

//显示当前寄存器的状态 可指定寄存器

emulator.showRegs();

// 获取后端CPU

Backend backend = emulator.getBackend();

//获取进程名

String processName = emulator.getProcessName();

// 获取寄存器

RegisterContext context = emulator.getContext();

//Trace 读取内存

emulator.traceRead(1,0);

// trace 写内存

emulator.traceWrite(1,0);

//trace 汇编

emulator.traceCode(1,0);

// 是否在运行

boolean running = emulator.isRunning();

1

2

3

4

5

6

7

8

9

10

11

12

13

14

// 指定安卓sdk  版本 只支持 19 和 23

memory.setLibraryResolver(new AndroidResolver(23));

// 拿到一个指针 指向内存地址 通过该指针可操作内存

UnidbgPointer pointer = memory.pointer(0x11111111);

//获取当前内存映射的情况

Collection<MemoryMap> memoryMap = memory1.getMemoryMap();

//根据模块名 来拿某个模块

Module sss = memory1.findModule("sss");

// 根据地址 来拿某个模块

Module moduleByAddress = memory1.findModuleByAddress(0x111111);

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

//推荐指定apk 文件 unidbg会自动做许多固定的操作

VM vvm = emulator.createDalvikVM(new File("ssss.apk"));

// 是否输出jni 运行日志

vvm.setVerbose(true);

//加载so模块 参数二设置是否自动调用init函数

DalvikModule dalvikModule = vvm.loadLibrary(new File("ss.so"), true);

// 设置jni 交互接口 参数需要实现jni接口 推荐使用this 继承AbstractJni

vvm.setJni(this);

//获取JNIEnv 指针 可以作为参数传递

Pointer jniEnv = vm.getJNIEnv();

//获取JavaVM 指针

Pointer javaVM = vm.getJavaVM();

//调用jni_onload函数

dalvikModule.callJNI_OnLoad(emulator);

vm.callJNI_OnLoad(emulator,dalvikModule.getModule());

1

2

3

4

5

6

7

8

9

10

11

// 创建一个vm 对象，相当于 java 层去调用native函数类的实例对象

// DvmObject obj = ProxyDvmObject.createObject(vm,this); // 默认获取MainActivity 当有很多类的时候，防止默认指定错误，可以以下指定

DvmObject<?> obj = vm.resolveClass("com/example/demo01/MainActivity").newObject(null);

String signSting = "123456";

DvmObject dvmObject = obj.callJniMethodObject(emulator, "jniMd52([B)Ljava/lang/String;", signSting.getBytes(StandardCharsets.UTF_8));

String result = (String) dvmObject.getValue();

System.out.println("[symble] Call the so md5 function result is ==> " + result);

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

ArrayList<Object> args = new ArrayList<>();

Pointer jniEnv = vm.getJNIEnv();

DvmObject object1 = ProxyDvmObject.createObject(vm, this);

// DvmObject<?> dvmObject = vm.resolveClass("com/xx/xx/MainActivity").newObject(null);

args.add(jniEnv);

// args.add(vm.addLocalObject(object1));// args.add(null)

 args.add(null);

args.add(vm.addLocalObject(new StringObject(vm, "123456")));

Number number = module.callFunction(emulator, 0x11AE8 + 1, args.toArray());// 是个地址

System.out.println("[addr] number is ==> " + number.intValue());

DvmObject<?> object = vm.getObject(number.intValue());

System.out.println("[addr] Call the so md5 function result is ==> " + object.getValue());

1

2

DvmObject<?> context = vm.resolveClass("android/content/Context").newObject(null);

list.add(vm.addLocalObject(context));

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

IHookZz hookZz = HookZz.getInstance(emulator); // 加载HookZz，支持inline hook

hookZz.enable_arm_arm64_b_branch(); // 测试enable_arm_arm64_b_branch，可有可无

hookZz.wrap(module.findSymbolByName("ss_encrypt"), new WrapCallback<RegisterContext>() { // inline wrap导出函数

    @Override

    public void preCall(Emulator<?> emulator, RegisterContext ctx, HookEntryInfo info) {

        Pointer pointer = ctx.getPointerArg(2);

        int length = ctx.getIntArg(3);

        byte[] key = pointer.getByteArray(0, length);

        Inspector.inspect(key, "ss_encrypt key");

    }

    @Override

    public void postCall(Emulator<?> emulator, RegisterContext ctx, HookEntryInfo info) {

        System.out.println("ss_encrypt.postCall R0=" + ctx.getLongArg(0));

    }

});

hookZz.disable_arm_arm64_b_branch();

hookZz.instrument(module.base + 0x00000F5C + 1, new InstrumentCallback<Arm32RegisterContext>() {

    @Override

    public void dbiCall(Emulator<?> emulator, Arm32RegisterContext ctx, HookEntryInfo info) { // 通过base+offset inline wrap内部函数，在IDA看到为sub_xxx那些

        System.out.println("R3=" + ctx.getLongArg(3) + ", R10=0x" + Long.toHexString(ctx.getR10Long()));

    }

});

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

// 加载HookZz

IHookZz hookZz = HookZz.getInstance(emulator);

hookZz.wrap(module.base + 0x1BD0 + 1, new WrapCallback<HookZzArm32RegisterContext>() { // inline wrap导出函数

    @Override

    // 类似于 frida onEnter

    public void preCall(Emulator<?> emulator, HookZzArm32RegisterContext ctx, HookEntryInfo info) {

        // 类似于Frida args[0]

        Pointer input = ctx.getPointerArg(0);

        System.out.println("input:" + input.getString(0));

    };

    @Override

    // 类似于 frida onLeave

    public void postCall(Emulator<?> emulator, HookZzArm32RegisterContext ctx, HookEntryInfo info) {

        Pointer result = ctx.getPointerArg(0);

        System.out.println("input:" + result.getString(0));

    }

});

1

2

3

4

5

6

7

8

9

10

11

12

Dobby dobby = Dobby.getInstance(emulator);

dobby.replace(module.findSymbolByName("ss_encrypted_size"), new ReplaceCallback() { // 使用Dobby inline hook导出函数

    @Override

    public HookStatus onCall(Emulator<?> emulator, HookContext context, long originFunction) {

        System.out.println("ss_encrypted_size.onCall arg0=" + context.getIntArg(0) + ", originFunction=0x" + Long.toHexString(originFunction));

        return HookStatus.RET(emulator, originFunction);

    }

    @Override

    public void postCall(Emulator<?> emulator, HookContext context) {

        System.out.println("ss_encrypted_size.postCall ret=" + context.getIntArg(0));

    }

}, true);

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

IxHook xHook = XHookImpl.getInstance(emulator); // 加载xHook，支持Import hook，

xHook.register("libttEncrypt.so", "strlen", new ReplaceCallback() { // hook libttEncrypt.so的导入函数strlen

    @Override

    public HookStatus onCall(Emulator<?> emulator, HookContext context, long originFunction) {

        Pointer pointer = context.getPointerArg(0);

        String str = pointer.getString(0);

        System.out.println("strlen=" + str);

        context.push(str);

        return HookStatus.RET(emulator, originFunction);

    }

    @Override

    public void postCall(Emulator<?> emulator, HookContext context) {

        System.out.println("strlen=" + context.pop() + ", ret=" + context.getIntArg(0));

    }

}, true);

xHook.register("libttEncrypt.so", "memmove", new ReplaceCallback() {

    @Override

    public HookStatus onCall(Emulator<?> emulator, long originFunction) {

        RegisterContext context = emulator.getContext();

        Pointer dest = context.getPointerArg(0);

        Pointer src = context.getPointerArg(1);

        int length = context.getIntArg(2);

        Inspector.inspect(src.getByteArray(0, length), "memmove dest=" + dest);

        return HookStatus.RET(emulator, originFunction);

    }

});

xHook.register("libttEncrypt.so", "memcpy", new ReplaceCallback() {

    @Override

    public HookStatus onCall(Emulator<?> emulator, long originFunction) {

        RegisterContext context = emulator.getContext();

        Pointer dest = context.getPointerArg(0);

        Pointer src = context.getPointerArg(1);

        int length = context.getIntArg(2);

        Inspector.inspect(src.getByteArray(0, length), "memcpy dest=" + dest);

        return HookStatus.RET(emulator, originFunction);

    }

});

xHook.refresh(); // 使Import hook生效

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

emulator.getBackend().hook_add_new(new CodeHook() {

    @Override

    public void hook(Backend backend, long address, int size, Object user) {

        RegisterContext context = emulator.getContext();

        //System.out.println(user);

        //System.out.println(size);

        if (address == module.base + 0x1FF4){

            Pointer md5Ctx = context.getPointerArg(0);

            Inspector.inspect(md5Ctx.getByteArray(0, 32), "md5Ctx");

            Pointer plainText = context.getPointerArg(1);

            int length = context.getIntArg(2);

            Inspector.inspect(plainText.getByteArray(0, length), "plainText");

        }else if (address == module.base + 0x2004){

            Pointer cipherText = context.getPointerArg(1);

            Inspector.inspect(cipherText.getByteArray(0, 16), "cipherText");

        }

    }

    @Override

    public void onAttach(UnHook unHook) {

    }

    @Override

    public void detach() {

    }

}, module.base + 0x1FE8, module.base + 0x2004, "xxxxzzzz");

1

emulator.getUnwinder().unwind();

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

public void callFunc() {

    emulator.getBackend().hook_add_new(new CodeHook() {

        @Override

        public void hook(Backend backend, long address, int size, Object user) {

            System.out.println("开始--------------------------");

            System.out.println(user);

            System.out.println(size);

            emulator.getUnwinder().unwind();

            System.out.println("===============================");

        }

        @Override

        public void onAttach(UnHook unHook) {

        }

        @Override

        public void detach() {

        }

    },module.base+0xAD40,module.base+0xAD40,"xibei");

}

1

2

Debugger attach = emulator.attach();

attach.addBreakPoint(module.base + 0xC365); //断点地址

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

c： 继续

n： 跨过

bt：回溯

st hex：搜索堆栈

shw hex:搜索可写堆

shr hex：搜索可读堆

shx-hex：搜索可执行堆

nb：在下一个街区破发

s|si:步入

s[decimal]：执行指定的金额指令

s（blx）：执行util blx助记符，性能低

m（op）[size]：显示内存，默认大小为0x70，大小可以是十六进制或十进制

mr0-mr7，mfp，mip，msp[size]：显示指定寄存器的内存

m（address）[size]：显示指定地址的内存，地址必须以0x开头

wr0-wr7，wfp，wip，wsp＜value＞：写入指定寄存器

wb（address）,ws（address）,wi（address）＜value＞：写入指定地址的（字节、短、整数）内存，地址必须以0x开头

wx（address）＜hex＞：将字节写入指定地址的内存，地址必须以0x开头

b（address）：添加临时断点，地址必须以0x开头，可以是模块偏移量

b： 添加寄存器PC的断点

r： 删除寄存器PC的断点

blr：添加寄存器LR的临时断点

p (assembly):位于PC地址的修补程序集

where: 显示java堆栈跟踪

trace[begin-end]：设置跟踪指令

traceRead[begin-end]：设置跟踪内存读取

traceWrite〔begin-end〕：设置跟踪内存写入

vm：查看加载的模块

vbs：查看断点

d|dis:显示反汇编

d（0x）：在指定地址显示反汇编

stop: 停止模拟

run[arg]：运行测试

gc：运行System.gc（）

threads: 显示线程列表

cc size：将asm从0x4000c364-0x4000c364+size字节转换为c函数

1

2

3

4

5

6

7

String traceFile = "myMonitorFile";

PrintStream traceStream = null;

try {

    traceStream = new PrintStream(new FileOutputStream(traceFile), true);

} catch (FileNotFoundException e) {

    e.printStackTrace();

}

1

emulator.traceRead(module.base, module.base + module.size).setRedirect(traceStream);

1

emulator.traceWrite(module.base, module.base + module.size).setRedirect(traceStream);

1

2

3

4

5

6

7

8

String traceFile = "myTraceCodeFile";

PrintStream traceStream = null;

try {

    traceStream = new PrintStream(new FileOutputStream(traceFile), true);

} catch (FileNotFoundException e) {

    e.printStackTrace();

}

emulator.traceCode(module.base, module.base + module.size).setRedirect(traceStream);