強烈推薦龍哥的unidbg學習交流星球,更新頻率高。
package com.cxa;
import com.github.unidbg.Module;
import com.github.unidbg.arm.ARMEmulator;
import com.github.unidbg.linux.android.AndroidARMEmulator;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.linux.android.dvm.*;
import com.github.unidbg.memory.Memory;
import java.io.File;
import java.io.IOException;
//毒app 4.16.0
public class du extends AbstractJni {
//ARM模擬器
private final ARMEmulator emulator;
//vm
private final VM vm;
//載入的模塊
private final Module module;
private final DvmClass TTEncryptUtils;
//初始化
public du() throws IOException {
//創建毒進程,這里其實可以不用寫的,我這里是隨便寫的,使用app本身的進程就可以繞過進程檢測
emulator = new AndroidARMEmulator("com.du.du");
Memory memory = emulator.getMemory();
//作者支持19和23兩個sdk
memory.setLibraryResolver(new AndroidResolver(23));
//創建DalvikVM,利用apk本身,可以為null
//如果用apk文件加載so的話,會自動處理簽名方面的jni,具體可看AbstractJni,這就是利用apk加載的好處
// vm = emulator.createDalvikVM(new File("src/test/resources/du/du4160.apk"));
vm = ((AndroidARMEmulator) emulator).createDalvikVM(null);
//加載so,使用armv8-64速度會快很多
DalvikModule dm = vm.loadLibrary(new File("/Users/chennan/javaproject/unidbg/unidbg-android/src/test/resources/du/libJNIEncrypt.so"), false);
//調用jni
dm.callJNI_OnLoad(emulator);
module = dm.getModule();
//Jni調用的類,加載so
TTEncryptUtils = vm.resolveClass("com/duapp/aesjni/AESEncrypt");
}
//關閉模擬器
private void destroy() throws IOException {
emulator.close();
System.out.println("destroy");
}
public static void main(String[] args) throws IOException {
du t = new du();
t.encodeByte("lastIdloginTokenplatformandroidsellTime201912timestamp1577459413370uuid7337c8189240625v4.16.0");
t.destroy();
}
private String encodeByte(String strs) {
//調試
// 這里還支持gdb調試,
//emulator.attach(DebuggerType.GDB_SERVER);
//附加調試器
// emulator.attach(DebuggerType.SIMPLE);
// emulator.traceCode();
//這里是打斷點,原地址0x00005028->新地址0x40005028 新地址需要改成0x4
// emulator.attach().addBreakPoint(null, 0x40001188);//encode地址
// emulator.attach().addBreakPoint(null, 0x40000D10);
// Number ret = TTEncryptUtils.callStaticJniMethod(emulator, "getByteValues()Ljava/lang/String;");
// 根據類 獲取對應的方法,最終獲取的是個地址
Object ret = TTEncryptUtils.callStaticJniMethodObject(emulator, "getByteValues()Ljava/lang/String;");
// 獲取地址里的值
String byteString = (String) ((DvmObject) ret).getValue();
//毒這里要處理下字符串
StringBuilder builder = new StringBuilder(byteString.length());
for (int i = 0; i < byteString.length(); i++) {
if (byteString.charAt(i) == '0') {
builder.append('1');
} else {
builder.append('0');
}
}
//獲取encodeByte地址
ret = TTEncryptUtils.callStaticJniMethodObject(emulator, "encodeByte(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;",
strs,builder.toString());
//ret 返回的是地址,
//或得其值
String str = (String) ((DvmObject) ret).getValue();
//毒這里要處理下字符串
System.out.println(str);
return str;
}
}