hookZz,Dobby,xHook,consoleDebugger

移动开发 2023-07-15 20:07:19 阅读次数: 0 

//简单的需求可以调用Unicorn对虚拟内存进行修改
public void patchVerify(){
    
    
     int patchCode = 0x4FF00100; //
     emulator.getMemory().pointer(module.base + 0x1E86).setInt(0,patchCode);
 }


//HOOZZ

public void HookMDStringold(){
    
    
  // 加载HookZz
  IHookZz hookZz = HookZz.getInstance(emulator);

  hookZz.wrap(module.base + 0x1BD0 + 1, new WrapCallback<HookZzArm32RegisterContext>() {
    
     // inline wrap导出函数
      @Override
      // 类似于 frida onEnter
      public void preCall(Emulator<?> emulator, HookZzArm32RegisterContext ctx, HookEntryInfo info) {
    
    
          // 类似于Frida args[0]
          Pointer input = ctx.getPointerArg(0);
          System.out.println("input:" + input.getString(0));
      };

      @Override
      // 类似于 frida onLeave
      public void postCall(Emulator<?> emulator, HookZzArm32RegisterContext ctx, HookEntryInfo info) {
    
    
          Pointer result = ctx.getPointerArg(0);
          System.out.println("input:" + result.getString(0));
      }
  });
}


package com.dta.lesson2;

import com.github.unidbg.AndroidEmulator;
import com.github.unidbg.Emulator;
import com.github.unidbg.Module;
import com.github.unidbg.arm.HookStatus;
import com.github.unidbg.arm.backend.DynarmicFactory;
import com.github.unidbg.arm.context.RegisterContext;
import com.github.unidbg.debugger.BreakPointCallback;
import com.github.unidbg.debugger.DebuggerType;
import com.github.unidbg.hook.HookContext;
import com.github.unidbg.hook.ReplaceCallback;
import com.github.unidbg.hook.hookzz.*;
import com.github.unidbg.hook.xhook.IxHook;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.linux.android.XHookImpl;
import com.github.unidbg.linux.android.dvm.DalvikModule;
import com.github.unidbg.linux.android.dvm.DvmObject;
import com.github.unidbg.linux.android.dvm.StringObject;
import com.github.unidbg.linux.android.dvm.VM;
import com.github.unidbg.linux.android.dvm.jni.ProxyDvmObject;
import com.github.unidbg.memory.Memory;
import com.github.unidbg.pointer.UnidbgPointer;
import com.github.unidbg.utils.Inspector;
import com.sun.jna.Pointer;
import net.dongliu.apk.parser.Main;
import unicorn.ArmConst;

import java.io.File;
import java.util.ArrayList;
import java.util.List;

import static com.dta.lesson2.AesKeyFinder.readFuncFromIDA;

public class MainActivity {
    
    
    private final AndroidEmulator emulator;
    private final VM vm;
    private final Memory memory;
    private final Module module;

    public MainActivity(){
    
    
        emulator = AndroidEmulatorBuilder
                .for32Bit()
                //.setProcessName()
                //.setRootDir()
                //.setRootDir(new File("target/rootfs/default"))
                //.addBackendFactory(new DynarmicFactory(true))
                .build();

        vm = emulator.createDalvikVM();

        memory = emulator.getMemory();
        memory.setLibraryResolver(new AndroidResolver(23));

        DalvikModule dalvikModule = vm.loadLibrary(new File("unidbg-android/src/test/java/com/dta/lesson2/libtest-lib.so"), true);
        module = dalvikModule.getModule();

        vm.callJNI_OnLoad(emulator,module);
    }

    public void callAes(){
    
    
        //emulator.traceCode();
        DvmObject obj = ProxyDvmObject.createObject(vm,this);
        obj.callJniMethod(emulator, "aes(II)V");
    }

    public static void main(String[] args) {
    
    
        long start = System.currentTimeMillis();
        MainActivity mainActivity = new MainActivity();
        mainActivity.keyFinder();
        //mainActivity.hookZz();
        //mainActivity.consoleDebugger();

        System.out.println("load the vm "+( System.currentTimeMillis() - start )+ "ms");
        mainActivity.callAes();
    }

    private void consoleDebugger() {
    
    
        emulator.attach().addBreakPoint(module.base + 0x20ad, new BreakPointCallback() {
    
    
            @Override
            public boolean onHit(Emulator<?> emulator, long address) {
    
    
                //xx
                return false;
            }
        });
    }

    private void hookZz() {
    
    
        HookZz hookZz = HookZz.getInstance(emulator);
        hookZz.wrap(module.base + 0x20ad, new WrapCallback<HookZzArm32RegisterContextImpl>() {
    
    
            @Override
            public void preCall(Emulator<?> emulator, HookZzArm32RegisterContextImpl ctx, HookEntryInfo info) {
    
    
                UnidbgPointer arg0 = ctx.getPointerArg(0);
                UnidbgPointer arg1 = ctx.getPointerArg(1);
                System.out.println("0x20ad_OnEnter: arg0=>"+arg0.getString(0));
                //System.out.println("0x20ad_OnEnter: arg1=>"+);
                Inspector.inspect(arg1.getByteArray(0,200),"0x20ad_OnEnter_arg1");
                ctx.push(arg1);
            }

            @Override
            public void postCall(Emulator<?> emulator, HookZzArm32RegisterContextImpl ctx, HookEntryInfo info) {
    
    
                UnidbgPointer arg1 = ctx.pop();
                Inspector.inspect(arg1.getByteArray(0,200),"0x20ad_OnLeave_arg1");
                super.postCall(emulator, ctx, info);
            }
        });
//        hookZz.replace(module.base + 0x20ad, new ReplaceCallback() {
    
    
//            @Override
//            public HookStatus onCall(Emulator<?> emulator, HookContext context, long originFunction) {
    
    
//                emulator.getBackend().reg_write(ArmConst.UC_ARM_REG_R0,1);
//                return super.onCall(emulator, context, context.getLR());
//            }
//
//            @Override
//            public void postCall(Emulator<?> emulator, HookContext context) {
    
    
//                super.postCall(emulator, context);
//            }
//        },true);
//        Dobby dobby = Dobby.getInstance(emulator);
//        dobby.replace(module.base + 0x20ad, new ReplaceCallback() {
    
    
//            @Override
//            public HookStatus onCall(Emulator<?> emulator, HookContext context, long originFunction) {
    
    
//                //HookStatus.RET(emulator,originFunction);
//                return super.onCall(emulator, context, originFunction);
//            }
//
//            @Override
//            public void postCall(Emulator<?> emulator, HookContext context) {
    
    
//                super.postCall(emulator, context);
//            }
//        },true);
//
//        IxHook ixHook = XHookImpl.getInstance(emulator);
//        ixHook.register("libtest-lib.so", "_Z17aes_key_expansionPhS_", new ReplaceCallback() {
    
    
//            @Override
//            public HookStatus onCall(Emulator<?> emulator, HookContext context, long originFunction) {
    
    
//                return super.onCall(emulator, context, originFunction);
//            }
//
//            @Override
//            public void postCall(Emulator<?> emulator, HookContext context) {
    
    
//                super.postCall(emulator, context);
//            }
//        });
//        ixHook.refresh();


    }

    private void keyFinder() {
    
    
        List<String> funclist = readFuncFromIDA("unidbg-android/src/test/java/com/dta/lesson2/libtest-lib_functionlist_1636779320.txt");
        AesKeyFinder aesKeyFinder = new AesKeyFinder(emulator);
        aesKeyFinder.searchEveryFunction(module.base, funclist);
    }
}

猜你喜欢

转载自blog.csdn.net/weixin_38927522/article/details/127795230
今日推荐
基于大语言模型的开源知识库问答系统 MaxKB GitHub Star 数量突破 5,000 个!
美国拟限制 AI 大模型出口中国和俄罗斯
苹果将与 OpenAI 达成协议,将 ChatGPT 应用于 iPhone
openKylin 社区生态委员会第六次会议圆满召开
阿里云正式发布通义千问 2.5
Python 3.13 发布首个 Beta:实验性自由线程模式和 JIT、改进交互式解释器
Stack Overflow 拿我的代码去训练 AI 大模型,还封了我的账号
Pop!_OS 的 COSMIC 桌面完成 App Store 上架工作
《2024 年一季度互联网投融资运行情况》研究报告
报告:Django 仍然是 74% 开发者的首选
15 年前上了“FFmpeg 耻辱柱”,今天他还得谢谢咱——腾讯QQPlayer一雪前耻?
TIOBE 5 月榜单:Fortran “复活”进入 Top 10
周排行
记一下去大梅沙的准备(2018-05-26)
Spring 注解 事务
基于HTTP协议的客户端缓存
阿里云rds 备份和还原
[PHP] 几个拖慢 PHP 程序/API 运行速度的点
python 代码风格------------PEP8规则
js控制json生成菜单——自制菜单(一)
将字符串: 'k:1|k1:2|k2:3|k3:4 ' ,处理成 python 字典: {'k':1, 'k1':2, ...}
微信小程序转支付宝小程序
Qt551.窗口滚动条
每日归档
更多
2024-05-13(18)
2024-05-12(0)
2024-05-11(38)
2024-05-10(38)
2024-05-09(35)
2024-05-08(42)
2024-05-07(14)
2024-05-06(40)
2024-05-05(0)
2024-05-04(7)

代码天地 © 2018 codetd.com

境外服务器   最新电视剧2022