Unidbg使用求助

查看 20|回复 0
作者:BoBuo   
我是小白看了几篇文章迫不及待的使用, 遇到个困难, 请大佬指点
[Asm] 纯文本查看 复制代码JNIEnv->FindClass(com/shizhuang/stone/main/SzSdk) was called from RX@0x4000b940[libszstone.so]0xb940
JNIEnv->RegisterNatives(com/shizhuang/stone/main/SzSdk, RW@0x4004a500[libszstone.so]0x4a500, 2) was called from RX@0x4000b98c[libszstone.so]0xb98c
RegisterNative(com/shizhuang/stone/main/SzSdk, lf(Ljava/lang/String;I)[B, RX@0x40036e94[libszstone.so]0x36e94)
RegisterNative(com/shizhuang/stone/main/SzSdk, ed(Ljava/lang/String;)[B, RX@0x400374c4[libszstone.so]0x374c4)
debugger break at: 0x40036e95 @ Function64 address=0x40036e95, arguments=[unidbg@0xfffe1640, 0, 1631862159, 1]
>>> x0=0xfffe1640(-125376) x1=0x0 x2=0x61443d8f x3=0x1 x4=0x6e x5=0x4004ac60 x6=0x0 x7=0xffffff4a x8=0x0 x9=0x0 x10=0xbdf5a8a2 x11=0x10006 x12=0x4004c84c x13=0x72 x14=0x68
>>> x15=0x0 x16=0x79 x17=0x74 x18=0x74 x19=0x0 x20=0x0 x21=0x0 x22=0x0 x23=0x0 x24=0x0 x25=0x0 x26=0x0 x27=0x0 x28=0x0 fp=0x0
>>> q0=0x25382d2f25203c3c(2.1798936848867314E-129) q1=0x412f7070612f64696f72646e614c2928(6.971287327864842E228, 1030200.189814699) q2=0xdac7d2d0dadfc3c3(-2.064209210071817E129) q3=0x69746163696c7070(9.750128403568775E199) q4=0xd633c3c2d632825233e28222d006564(6.330920456701233E-139, 3.521375485270711E-244) q5=0xcd858c838ecd83948388aecbd9858c8b(-1.23671206967636E-291, -2.8367027372717194E65) q6=0x703a382d703a382d703a382d703a382d(4.07061601473043E232, 4.07061601473043E232) q7=0x8fc5c7d28fc5c7d28fc5c7d28fc5c7d2(-1.0960297325414155E-232, -1.0960297325414155E-232) q8=0x0(0.0) q9=0x0(0.0) q10=0x0(0.0) q11=0x0(0.0) q12=0x0(0.0) q13=0x0(0.0) q14=0x0(0.0) q15=0x0(0.0)
>>> q16=0x9ffefaf2fef1eaf1(-1.4441338250785655E-154) q17=0xb1d0d4dcd0dfc4df(-9.754919139436121E-69) q18=0x190204235f171e111c5f1106111a3c58(5.0242911727938276E-172, 3.234856818974454E-188) q19=0x70322b59394b171e(2.820821385609923E232) q20=0xef9d8a828e819a81(-4.478810721580662E229) q21=0xbeccdbcccbcadddf(-3.4402124512130284E-6) q22=0xbcd5919ccfd09c9a(-1.1973088636000562E-15) q23=0x21246f6034213433(4.994225046440477E-149) q24=0x5e565a495d14565e(2.7911780976209208E146) q25=0x0(0.0) q26=0x0(0.0) q27=0x0(0.0) q28=0x0(0.0) q29=0x0(0.0) q30=0x0(0.0) q31=0x0(0.0)
LR=unidbg@0x7ffff0000
SP=0xbffff710
PC=RX@0x40036e95[libszstone.so]0x36e95
nzcv: N=0, Z=1, C=1, V=0, EL0, use SP_EL0
代码里没有用debugger, 一运行就这样子了,也不结束.
[Java] 纯文本查看 复制代码package com.test;
// 导入通用且标准的类库
import com.github.unidbg.AndroidEmulator;
import com.github.unidbg.Module;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.linux.android.dvm.AbstractJni;
import com.github.unidbg.linux.android.dvm.DalvikModule;
import com.github.unidbg.linux.android.dvm.StringObject;
import com.github.unidbg.linux.android.dvm.VM;
import com.github.unidbg.linux.android.dvm.array.ByteArray;
import com.github.unidbg.memory.Memory;
import java.io.File;
// 继承AbstractJni类
public class test extends AbstractJni{
    private final AndroidEmulator emulator;
    private final VM vm;
    private final Module module;
    test() {
        // 创建模拟器实例,进程名建议依照实际进程名填写,可以规避针对进程名的校验
        emulator = AndroidEmulatorBuilder.for64Bit().setProcessName("com.hupu.shihuo").build();
        // 获取模拟器的内存操作接口
        final Memory memory = emulator.getMemory();
        // 设置系统类库解析
        memory.setLibraryResolver(new AndroidResolver(23));
        // 创建Android虚拟机,传入APK,Unidbg可以替我们做部分签名校验的工作
        vm = emulator.createDalvikVM(new File("D:\\unidbg-master\\unidbg-android\\src\\test\\java\\com\\shihuo\\test\\7.50.0.apk"));
        // 加载目标SO
        DalvikModule dm = vm.loadLibrary(new File("D:\\unidbg-master\\unidbg-android\\src\\test\\java\\com\\shihuo\\test\\libszstone.so"), true); // 加载so到虚拟内存
        //获取本SO模块的句柄,后续需要用它
        module = dm.getModule();
        vm.setJni(this); // 设置JNI
        vm.setVerbose(true); // 打印日志
        dm.callJNI_OnLoad(emulator); // 调用JNI OnLoad
    };
//    public byte[] getS(){
//        List list = new ArrayList(10);
//        list.add(vm.getJNIEnv());
//        list.add(0);
//        list.add(vm.addLocalObject(new StringObject(vm, "awt\u001C1\u001Dbav\u001C7.49.0\u001Dbavn\u001C19219\u001Dbcn\u001Csh\u001Dbcv\u001C1.3.3.230601\u001Dbdn\u001C识货\u001Dbssm\u001C\u001Ddat\u001C1688442287513\u001Ddbra\u001Cgoogle\u001Ddbs\u001C90,4156,350,2,2,1688520944947\u001Ddbt\u001C1688469181575\u001Ddgi\u001C\u001Ddhki\u001C\u001Ddhw\u001Cqcom\u001Ddid\u001Ccom.hupu.shihuo\u001Ddmcc\u001C\u001Ddme\u001CMI 6\u001Ddmf\u001CXiaomi\u001Ddmpc\u001C\u001Ddmpn\u001C\u001Ddmua\u001C1688442287513\u001Ddo\u001C10\u001Ddo2\u001C29\u001Ddpid\u001C19775\u001Dds\u001C2246343,11454181376\u001Ddsb\u001C53\u001Ddsc\u001C5.2\u001Ddsenc\u001C25\u001Ddsim\u001C0\u001Ddss\u001C1080,1920,2.625\u001Ddtu\u001Cmyapp\u001Ddust\u001C2\u001Ddvo\u001C5,0,0,0,6\u001Ddwm\u001C02:00:00:00:00:00\u001Ddwn\u001C\u001Detcst\u001C456\u001Difaid\u001C9353efc8e722bbc8\u001Disdi\u001C\u001Dldh\u001C0\u001Dlish\u001C0\u001Dlisr\u001C0\u001Dsk\u001C\u001Dsksour\u001C0\u001Dsrc\u001Candroid\u001Dtct\u001C1688520946329\u001Dtnt\u001CWIFI\u001Dtot\u001C1688520944076\u001Dbty\u001Cdefault\u001Dbkv\u001Cuserid=\u001Diud\u001C75de1a958b474fe0afd636428f7dd93d\u001Dtcst\u001C2294\u001D")));
//        // arg4 ,boolean false 填入0
//        list.add(1);
//        // 参数准备完成
//        // call function
//        System.out.println("执行了1 ==> ");
//        Number number = module.callFunction(emulator, 0x36e94 + 1, list.toArray());
//        System.out.println("执行了2 ==> ");
//
//
//        ByteArray result = (ByteArray) vm.getObject((Integer) number).getValue();
//        return result.getValue();
//    }
    public byte[] getS() {
        int obj = vm.addLocalObject(new StringObject(vm, "awt\u001C1\u001Dbav\u001C7.49.0\u001Dbavn\u001C19219\u001Dbcn\u001Csh\u001Dbcv\u001C1.3.3.230601\u001Dbdn\u001C识货\u001Dbssm\u001C\u001Ddat\u001C1688442287513\u001Ddbra\u001Cgoogle\u001Ddbs\u001C90,4156,350,2,2,1688520944947\u001Ddbt\u001C1688469181575\u001Ddgi\u001C\u001Ddhki\u001C\u001Ddhw\u001Cqcom\u001Ddid\u001Ccom.hupu.shihuo\u001Ddmcc\u001C\u001Ddme\u001CMI 6\u001Ddmf\u001CXiaomi\u001Ddmpc\u001C\u001Ddmpn\u001C\u001Ddmua\u001C1688442287513\u001Ddo\u001C10\u001Ddo2\u001C29\u001Ddpid\u001C19775\u001Dds\u001C2246343,11454181376\u001Ddsb\u001C53\u001Ddsc\u001C5.2\u001Ddsenc\u001C25\u001Ddsim\u001C0\u001Ddss\u001C1080,1920,2.625\u001Ddtu\u001Cmyapp\u001Ddust\u001C2\u001Ddvo\u001C5,0,0,0,6\u001Ddwm\u001C02:00:00:00:00:00\u001Ddwn\u001C\u001Detcst\u001C456\u001Difaid\u001C9353efc8e722bbc8\u001Disdi\u001C\u001Dldh\u001C0\u001Dlish\u001C0\u001Dlisr\u001C0\u001Dsk\u001C\u001Dsksour\u001C0\u001Dsrc\u001Candroid\u001Dtct\u001C1688520946329\u001Dtnt\u001CWIFI\u001Dtot\u001C1688520944076\u001Dbty\u001Cdefault\u001Dbkv\u001Cuserid=\u001Diud\u001C75de1a958b474fe0afd636428f7dd93d\u001Dtcst\u001C2294\u001D"));  // 输入字符串
        Number[] numbers = new Number[]{module.callFunction(emulator, 0x36e94 + 1, vm.getJNIEnv(), 0, obj, 1)};
        long returnValue = (Long) numbers[0].longValue();
        ByteArray result = (ByteArray) vm.getObject((int) returnValue).getValue();
        return result.getValue();
    }
    public static void main(String[] args) {
        test testInstance = new test();
        byte[] result = testInstance.getS();
        System.out.printf("result ==> ", result);
    }
}
请大佬指点迷津

大佬, 宋体

您需要登录后才可以回帖 登录 | 立即注册