用unidbg模拟执行so中的方法返回空
类: com.tencent.mobileqq.qsec.qsecurity.QSec 方法: getXwDebugID 签名: (Ljava/lang/String;)[B 函数地址: 0x7f6396454c 模块名: libfekit.so 函数偏移: 0xd554c
[Java] 纯文本查看 复制代码public String getXwDebugID(String user) {
ByteArray result_string = Class_QSec.newObject(null).callJniMethodObject(emulator, "getXwDebugID(Ljava/lang/String;)[B"
, new StringObject(vm, user)
);
return result_string == null ? "加密错误" : byteToHex(result_string.getValue());
}
IDA pro
[Java] 纯文本查看 复制代码__int64 __fastcall sub_D554C(jobject a1)
{
unsigned __int64 v2; // x1
__int64 v3; // x0
__int64 v4; // x19
__int64 v5; // x3
_BYTE *v6; // x4
unsigned __int8 v8; // [xsp+0h] [xbp-20h]
_BYTE v9[7]; // [xsp+1h] [xbp-1Fh] BYREF
unsigned int v10; // [xsp+8h] [xbp-18h]
void *ptr; // [xsp+10h] [xbp-10h]
__int64 v12; // [xsp+18h] [xbp-8h]
v12 = *(_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2)) + 40);
sub_647A4();
if ( (v8 & 1) != 0 )
v2 = v10;
else
v2 = v8 >> 1;
v3 = (*(*a1 + 1408LL))(a1, v2);
v4 = v3;
if ( (v8 & 1) != 0 )
v5 = v10;
else
v5 = v8 >> 1;
if ( (v8 & 1) != 0 )
v6 = ptr;
else
v6 = v9;
(*(*a1 + 0x680LL))(a1, v3, 0LL, v5, v6);
if ( (v8 & 1) != 0 )
operator delete(ptr);
return v4;
}
unidbg中的返回值
[Java] 纯文本查看 复制代码JNIEnv->FindClass(com/tencent/mobileqq/qsec/qsecest/QsecEst) was called from RX@0x4007e8c4[libfekit.so]0x7e8c4
JNIEnv->NewGlobalRef(class com/tencent/mobileqq/qsec/qsecest/QsecEst) was called from RX@0x4007eabc[libfekit.so]0x7eabc
JNIEnv->GetStaticMethodID(com/tencent/mobileqq/qsec/qsecest/QsecEst.p(Landroid/content/Context;I)Ljava/lang/String;) => 0x747ab66c was called from RX@0x4007e97c[libfekit.so]0x7e97c
Find native function Java_com_tencent_mobileqq_qsec_qsecurity_QSec_getXwDebugID => RX@0x400d554c[libfekit.so]0xd554c
JNIEnv->NewByteArray(0) was called from RX@0x400d55a0[libfekit.so]0xd55a0
JNIEnv->SetByteArrayRegion([B@0x, 0, 0, unidbg@0xbffff6b1) was called from RX@0x400d55dc[libfekit.so]0xd55dc
res1 --->
最后出现了NewByteArray(0)和SetByteArrayRegion([B@0x, 0, 0, unidbg@0xbffff6b1)
求大佬帮助
{:301_972:}
