unidbg 补环境(类变量,类方法等)


unidbg有时候会遇到补环境的状况

当看到如下报错时,基本上就是缺少环境,需要补充代码。补充的方式是根据报错提示的第一行进行补全,补全的函数名称与报错中的名称一致。

以下为部分补全环境的示例(补完一个后运行可能还会报错,接着补就行了,直到不再报错为止)

public class hack extends AbstractJni {
    private final AndroidEmulator emulator;
    private final VM vm;
    private final Module module;
    private DvmClass cNative;

    /**
     * Builds a 32-bit Android emulator for process name "com.test", loads the
     * test APK and libmyjni.so, registers this object as the JNI handler and
     * runs JNI_OnLoad. The statement order is part of the setup contract:
     * setJni(this)/setVerbose(true) are called before callJNI_OnLoad so that,
     * presumably, JNI traffic during library initialisation already reaches the
     * overrides in this class — confirm against unidbg.
     */
    private hack () {
        emulator = AndroidEmulatorBuilder.for32Bit().setProcessName("com.test").build();
        final Memory memory = emulator.getMemory();
        // NOTE(review): AndroidResolver(23) looks like an API-level-23 library resolver — verify in unidbg docs
        memory.setLibraryResolver(new AndroidResolver(23));
        vm = emulator.createDalvikVM(new File("unidbg-android/src/test/java/com/hack/hack.apk"));
        // second argument true: passed straight through to loadLibrary; meaning not shown here
        DalvikModule dm = vm.loadLibrary(new File("unidbg-android/src/test/java/com/hack/libmyjni.so"), true);
        vm.setJni(this);
        vm.setVerbose(true);
        dm.callJNI_OnLoad(emulator);
        module = dm.getModule();

    }

    /**
     * Intercepts writes to static int fields. The field
     * {@code com/gdufs/xman/MyApp->m:I} is stubbed: the write is logged and
     * discarded. Every other signature is delegated to the base implementation.
     *
     * @param vm        the VM issuing the field write
     * @param dvmClass  class owning the field
     * @param signature field signature in unidbg's {@code class->name:type} form
     * @param value     value the native code tried to store (ignored for the stub)
     */
    @Override
    public void setStaticIntField(BaseVM vm, DvmClass dvmClass, String signature, int value) {
        final boolean isStubbedField = signature.equals("com/gdufs/xman/MyApp->m:I");
        if (isStubbedField) {
            System.out.println("> Patched: com/gdufs/xman/MyApp->m:I");
            return;
        }
        super.setStaticIntField(vm, dvmClass, signature, value);
    }

    /**
     * Intercepts reads of static int fields. The field
     * {@code com/gdufs/xman/MyApp->m:I} is stubbed to always read as 0 (and
     * the read is logged). Every other signature is delegated to the base
     * implementation.
     *
     * @param vm        the VM issuing the field read
     * @param dvmClass  class owning the field
     * @param signature field signature in unidbg's {@code class->name:type} form
     * @return 0 for the stubbed field, otherwise whatever the base class returns
     */
    @Override
    public int getStaticIntField(BaseVM vm, DvmClass dvmClass, String signature) {
        if (!signature.equals("com/gdufs/xman/MyApp->m:I")) {
            return super.getStaticIntField(vm, dvmClass, signature);
        }
        System.out.println("> Patched: com/gdufs/xman/MyApp->m:I");
        return 0;
    }

    /**
     * Intercepts object construction from native code. The no-arg constructor
     * {@code com/gdufs/xman/MainActivity->()V} is stubbed: instead of running
     * Java constructor logic, a bare MainActivity object is created through
     * {@code vm.resolveClass(...).newObject(null)}. Every other signature is
     * delegated to the base implementation.
     *
     * @param vm        the VM issuing the NewObject call
     * @param dvmClass  class being instantiated
     * @param signature constructor signature in unidbg's {@code class->(args)V} form
     * @param varArg    constructor arguments supplied by native code (unused for the stub)
     * @return the constructed object
     */
    @Override
    public DvmObject<?> newObject(BaseVM vm, DvmClass dvmClass, String signature, VarArg varArg) {
        final String stubbedCtor = "com/gdufs/xman/MainActivity->()V";
        if (!signature.equals(stubbedCtor)) {
            return super.newObject(vm, dvmClass, signature, varArg);
        }
        System.out.println("> Patched: com/gdufs/xman/MainActivity->()V");
        final DvmClass mainActivity = vm.resolveClass("com/gdufs/xman/MainActivity");
        return mainActivity.newObject(null);
    }

    /**
     * Intercepts void instance-method calls from native code. The method
     * {@code com/gdufs/xman/MainActivity->work(Ljava/lang/String;)V} is
     * stubbed: the call is logged and otherwise does nothing, so the Java
     * side of {@code work} never runs. Every other signature is delegated to
     * the base implementation.
     *
     * @param vm        the VM issuing the call
     * @param dvmObject receiver object
     * @param signature method signature in unidbg's {@code class->name(args)ret} form
     * @param varArg    call arguments supplied by native code (unused for the stub)
     */
    @Override
    public void callVoidMethod(BaseVM vm, DvmObject<?> dvmObject, String signature, VarArg varArg) {
        final String stubbedMethod = "com/gdufs/xman/MainActivity->work(Ljava/lang/String;)V";
        if (signature.equals(stubbedMethod)) {
            System.out.println("> Patched: com/gdufs/xman/MainActivity->work(Ljava/lang/String;)V");
        } else {
            super.callVoidMethod(vm, dvmObject, signature, varArg);
        }
    }

    /**
     * Entry point: builds the emulator, installs the hooks and drives the
     * native code. {@code hookPuts}, {@code hookWork} and {@code work} are
     * defined elsewhere in this class and not shown here.
     *
     * @param args command-line arguments (unused)
     */
    public static void main(String[] args) {
        final hack session = new hack();
        session.hookPuts();
        session.hookWork();
        session.saveSN();
        session.work();
    }


    /**
     * Calls the native routine at module offset 0x11F8 with three arguments:
     * the JNIEnv pointer, the integer 0, and a local JNI reference to the
     * string "EoPAoY62@ElRD". The native return value is discarded.
     * The argument layout (env, 0, jstring) looks like a JNI-style
     * {@code (JNIEnv*, jobject, jstring)} call — presumably, confirm against
     * the disassembly.
     */
    private void saveSN() {
        final StringObject serial = new StringObject(vm, "EoPAoY62@ElRD");
        final Object[] nativeArgs = {
                vm.getJNIEnv(),           // arg 1: JNIEnv*
                0,                        // arg 2: literal 0 (jobject/jclass slot, presumably)
                vm.addLocalObject(serial) // arg 3: local ref handle to the string
        };
        // +1 sets the low address bit; the emulator is built for32Bit(), and on
        // 32-bit ARM that bit marks a Thumb entry point — presumably 0x11F8 is Thumb code.
        module.callFunction(emulator, 0x000011F8 + 1, nativeArgs);
    }
