package
com.smile.gifmaker3;
import
com.github.unidbg.*;
import
com.github.unidbg.Module;
import
com.github.unidbg.arm.backend.Backend;
import
com.github.unidbg.arm.backend.CodeHook;
import
com.github.unidbg.arm.backend.UnHook;
import
com.github.unidbg.arm.backend.UnicornBackend;
import
com.github.unidbg.arm.context.Arm32RegisterContext;
import
com.github.unidbg.arm.context.Arm64RegisterContext;
import
com.github.unidbg.file.FileResult;
import
com.github.unidbg.file.IOResolver;
import
com.github.unidbg.file.linux.AndroidFileIO;
import
com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import
com.github.unidbg.linux.android.AndroidResolver;
import
com.github.unidbg.linux.android.dvm.*;
import
com.github.unidbg.linux.android.dvm.api.AssetManager;
import
com.github.unidbg.linux.android.dvm.array.ArrayObject;
import
com.github.unidbg.linux.android.dvm.wrapper.DvmBoolean;
import
com.github.unidbg.linux.android.dvm.wrapper.DvmInteger;
import
com.github.unidbg.memory.Memory;
import
com.github.unidbg.pointer.UnidbgPointer;
import
com.github.unidbg.spi.SyscallHandler;
import
com.github.unidbg.utils.Inspector;
import
com.github.unidbg.virtualmodule.android.AndroidModule;
import
com.github.unidbg.virtualmodule.android.JniGraphics;
import
com.sun.jna.Pointer;
import
king.trace.GlobalData;
import
king.trace.KingTrace;
import
unicorn.Unicorn;
import
unicorn.UnicornConst;
import
java.io.File;
import
java.io.FileNotFoundException;
import
java.io.FileOutputStream;
import
java.io.PrintStream;
import
java.nio.ByteBuffer;
import
java.nio.ByteOrder;
import
java.util.ArrayList;
import
java.util.List;
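/**
 * unidbg harness that loads the app's {@code libkwsgmain.so} into a 64-bit
 * Android emulator, supplies the JNI callbacks the library expects, and calls
 * its dispatcher function directly by module offset.
 *
 * <p>The two public entry points, {@link #init_native()} and
 * {@link #get_NS_sig3()}, build the same JNI argument prefix (env, caller
 * object, dispatch selector) and differ only in the selector and the payload
 * array handed to the native code. Both print the raw return handle and the
 * resolved string to stdout, mirroring the original harness output.
 */
public class kswgmain11420 extends AbstractJni implements IOResolver<AndroidFileIO> {

    /** Process name reported to the emulated library. */
    private static final String PROCESS_NAME = "com.smile.gifmaker";
    /** APK used to back the Dalvik VM (Windows-style path from the original harness). */
    private static final String APK_PATH =
            "unidbg-android\\src\\test\\java\\com\\smile\\gifmaker3\\1142064wei.apk";
    /** Native library loaded into the emulator. */
    private static final String SO_PATH =
            "unidbg-android\\src\\test\\java\\com\\smile\\gifmaker3\\libkwsgmain.so";
    /** Java class whose instance is passed as the JNI "this" object. */
    private static final String JNIC_LIBRARY_CLASS =
            "com/kuaishou/android/security/internal/dispatch/JNICLibrary";
    /** Application class used as the Android Context argument. */
    private static final String APP_CLASS = "com/yxcorp/gifshow/App";
    /** App key the native library validates (value taken from the original harness). */
    private static final String APP_KEY = "d7b7d042-d4f2-4012-be60-d97ff2429c17";
    /** Offset of the dispatcher entry point relative to the module base. */
    private static final long DISPATCH_FUNC_OFFSET = 0x41680;
    /**
     * Selector passed as the dispatcher's third argument. Presumably identifies
     * the requested operation — confirm against the app's Java caller.
     */
    private static final int OP_INIT_NATIVE = 10412;
    /** Selector for the {@code _NS_sig3} operation; see {@link #OP_INIT_NATIVE}. */
    private static final int OP_NS_SIG3 = 10418;

    private final AndroidEmulator emulator;
    private final VM vm;
    private final Module module;

    /**
     * Builds the emulator, VM and module; the library's {@code JNI_OnLoad} is
     * invoked before the constructor returns.
     *
     * @throws FileNotFoundException declared for compatibility with callers; only
     *                               raised if trace redirection to a file is enabled
     */
    kswgmain11420() throws FileNotFoundException {
        // 32- vs 64-bit is decided here; the target library is arm64.
        EmulatorBuilder builder = AndroidEmulatorBuilder.for64Bit().setProcessName(PROCESS_NAME);
        emulator = builder.build();
        emulator.getSyscallHandler().setEnableThreadDispatcher(true);

        // Memory interface of the emulator; system libraries resolve against API 23.
        final Memory memory = emulator.getMemory();
        memory.setLibraryResolver(new AndroidResolver(23));

        // Dalvik VM backed by the real APK so asset/class lookups resolve.
        vm = emulator.createDalvikVM(new File(APK_PATH));
        // Print every JNI call the native code makes — useful when adding callbacks.
        vm.setVerbose(true);

        new JniGraphics(emulator, vm).register(memory);
        new AndroidModule(emulator, vm).register(memory);
        vm.setJni(this);

        SyscallHandler handler = emulator.getSyscallHandler();
        handler.addIOResolver(this);

        // Load libkwsgmain.so into emulator memory; init_array runs as part of loading.
        DalvikModule dm = vm.loadLibrary(new File(SO_PATH), true);
        module = dm.getModule();

        // To trace instructions, hook emulator.traceCode(module.base, module.base + module.size)
        // before the call below and redirect its output with setRedirect(...).
        dm.callJNI_OnLoad(emulator);
    }

    /**
     * Entry point: constructs the harness, runs the init operation, then the
     * {@code _NS_sig3} operation.
     */
    public static void main(String[] args) throws FileNotFoundException {
        kswgmain11420 kk = new kswgmain11420();
        kk.init_native();
        kk.get_NS_sig3();
    }

    /**
     * Runs the init operation of the dispatcher. The payload array mirrors what
     * the app passes: integers, the app key, and the Context object.
     *
     * @throws FileNotFoundException declared for compatibility; not raised unless tracing is enabled
     */
    public void init_native() throws FileNotFoundException {
        List<Object> args = new ArrayList<>(10);
        args.add(vm.getJNIEnv());
        // Second JNI argument: jobject for instance methods (jclass for static ones).
        DvmObject<?> thiz = newInstance(JNIC_LIBRARY_CLASS);
        args.add(vm.addLocalObject(thiz));
        DvmObject<?> context = newInstance(APP_CLASS);
        vm.addLocalObject(context);
        args.add(OP_INIT_NATIVE);

        StringObject appkey = new StringObject(vm, APP_KEY);
        // The native library validates this key.
        vm.addLocalObject(appkey);
        DvmInteger intergetobj = DvmInteger.valueOf(vm, 0);
        vm.addLocalObject(intergetobj);
        args.add(vm.addLocalObject(new ArrayObject(
                intergetobj, appkey, intergetobj, intergetobj, context, intergetobj, intergetobj)));

        dispatch(args);
    }

    /**
     * Runs the {@code _NS_sig3} operation of the dispatcher for a fixed request
     * path and returns the string the native code produced.
     *
     * @return the string object the dispatcher returned, resolved through the VM
     * @throws FileNotFoundException declared for compatibility; not raised unless tracing is enabled
     */
    public String get_NS_sig3() throws FileNotFoundException {
        System.out.println("_NS_sig3 start");

        List<Object> args = new ArrayList<>(10);
        args.add(vm.getJNIEnv());
        // Second JNI argument: jobject for instance methods (jclass for static ones).
        DvmObject<?> thiz = newInstance(JNIC_LIBRARY_CLASS);
        args.add(vm.addLocalObject(thiz));
        DvmObject<?> context = newInstance(APP_CLASS);
        vm.addLocalObject(context);
        args.add(OP_NS_SIG3);

        StringObject urlObj = new StringObject(vm,
                "/rest/app/eshop/ks/live/item/byGuest6bcab0543b7433b6d0771892528ef686");
        vm.addLocalObject(urlObj);
        ArrayObject arrayObject = new ArrayObject(urlObj);
        StringObject appkey = new StringObject(vm, APP_KEY);
        vm.addLocalObject(appkey);
        DvmInteger intergetobj = DvmInteger.valueOf(vm, -1);
        vm.addLocalObject(intergetobj);
        DvmBoolean boolobj = DvmBoolean.valueOf(vm, false);
        vm.addLocalObject(boolobj);
        StringObject appkey2 = new StringObject(vm, "7e46b28a-8c93-4940-8238-4c60e64e3c81");
        vm.addLocalObject(appkey2);
        args.add(vm.addLocalObject(new ArrayObject(
                arrayObject, appkey, intergetobj, boolobj, context, null, boolobj, appkey2)));

        return dispatch(args);
    }

    /** Instantiates {@code className} in the VM with a null backing value. */
    private DvmObject<?> newInstance(String className) {
        return vm.resolveClass(className).newObject(null);
    }

    /**
     * Calls the dispatcher at {@link #DISPATCH_FUNC_OFFSET} with {@code args},
     * prints the raw return handle and the resolved string, and returns the string.
     *
     * @param args JNI argument list: env, this, selector, payload array handle
     * @return the dispatcher's return value resolved as a Java string
     */
    private String dispatch(List<Object> args) {
        // Called by address rather than by symbol, as in the original harness.
        Number numbers = module.callFunction(emulator, DISPATCH_FUNC_OFFSET, args.toArray());
        System.out.println("numbers:" + numbers);
        // The native code returns a local-reference handle; resolve it through the VM.
        DvmObject<?> object = vm.getObject(numbers.intValue());
        String result = (String) object.getValue();
        System.out.println("result:" + result);
        return result;
    }

    /**
     * Supplies the instance-method results the native code asks for via JNI;
     * anything not listed falls through to {@link AbstractJni}.
     */
    @Override
    public DvmObject<?> callObjectMethodV(BaseVM vm, DvmObject<?> dvmObject, String signature, VaList vaList) {
        switch (signature) {
            case "com/yxcorp/gifshow/App->getPackageCodePath()Ljava/lang/String;": {
                return new StringObject(vm,
                        "/data/app/com.smile.gifmaker-q14Fo0PSb77vTIOM1-iEqQ==/base.apk");
            }
            case "com/yxcorp/gifshow/App->getAssets()Landroid/content/res/AssetManager;": {
                // Backed by unidbg's AssetManager so asset reads hit the loaded APK.
                return new AssetManager(vm, signature);
            }
            case "com/yxcorp/gifshow/App->getPackageName()Ljava/lang/String;": {
                return new StringObject(vm, "com.smile.gifmaker");
            }
            case "com/yxcorp/gifshow/App->getPackageManager()Landroid/content/pm/PackageManager;": {
                DvmClass clazz = vm.resolveClass("android/content/pm/PackageManager");
                return clazz.newObject(signature);
            }
            default:
                return super.callObjectMethodV(vm, dvmObject, signature, vaList);
        }
    }

    /** Unboxes {@code Boolean.booleanValue()}; other signatures defer to the superclass. */
    @Override
    public boolean callBooleanMethodV(BaseVM vm, DvmObject<?> dvmObject, String signature, VaList vaList) {
        if ("java/lang/Boolean->booleanValue()Z".equals(signature)) {
            DvmBoolean dvmBoolean = (DvmBoolean) dvmObject;
            return dvmBoolean.getValue();
        }
        return super.callBooleanMethodV(vm, dvmObject, signature, vaList);
    }

    /**
     * Logs every file the native code tries to open. Returning {@code null}
     * declines to handle the path, so the emulator's default file handling applies.
     */
    @Override
    public FileResult<AndroidFileIO> resolve(Emulator<AndroidFileIO> emulator, String pathname, int oflags) {
        System.out.println("fuck:" + pathname);
        return null;
    }

    /**
     * Reads a native {@code std::string} from emulator memory.
     *
     * <p>Assumes the libc++ layout — confirm for the target build: the low bit of
     * the first byte is clear for the short (inline) form, whose characters start
     * at offset 1; otherwise the heap data pointer is stored two pointer-sized
     * words into the object.
     *
     * @param strptr pointer to the {@code std::string} object in emulator memory
     * @return the string's contents
     */
    public String readStdString(Pointer strptr) {
        boolean isTiny = (strptr.getByte(0) & 1) == 0;
        if (isTiny) {
            return strptr.getString(1);
        }
        return strptr.getPointer(emulator.getPointerSize() * 2L).getString(0);
    }

    /**
     * Supplies the static-method results the native code asks for via JNI;
     * anything not listed falls through to {@link AbstractJni}.
     */
    @Override
    public DvmObject<?> callStaticObjectMethodV(BaseVM vm, DvmClass dvmClass, String signature, VaList vaList) {
        switch (signature) {
            case "com/kuaishou/android/security/internal/common/ExceptionProxy->getProcessName(Landroid/content/Context;)Ljava/lang/String;":
                return new StringObject(vm, "com.smile.gifmaker");
            case "com/meituan/android/common/mtguard/NBridge->getSecName()Ljava/lang/String;":
                return new StringObject(vm, "ppd_com.sankuai.meituan.xbt");
            case "com/meituan/android/common/mtguard/NBridge->getAppContext()Landroid/content/Context;":
                return vm.resolveClass("android/content/Context").newObject(null);
            case "com/meituan/android/common/mtguard/NBridge->getMtgVN()Ljava/lang/String;":
                return new StringObject(vm, "4.4.7.3");
            case "com/meituan/android/common/mtguard/NBridge->getDfpId()Ljava/lang/String;":
                return new StringObject(vm, "");
            default:
                return super.callStaticObjectMethodV(vm, dvmClass, signature, vaList);
        }
    }
}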