jni调用java类属性的问题

panchoGG commented 4 years ago

如题， JNIEnv->FindClass(com/umetrip/android/umehttp/security/UmeJni) was called from RX@0x400022b1[libumejni.so]0x22b1 JNIEnv->RegisterNatives(com/umetrip/android/umehttp/security/UmeJni, RW@0x40018008[libumejni.so]0x18008, 3) was called from RX@0x4000241d[libumejni.so]0x241d [18:20:34 167] WARN [com.github.unidbg.linux.ARM32SyscallHandler] (ARM32SyscallHandler:446) - handleInterrupt intno=2, NR=-1073744024, svcNumber=0x157, PC=unicorn@0xfffe0604, syscall=null unicorn.UnicornException: Invalid memory read (UC_ERR_READ_UNMAPPED) at unicorn.Unicorn.mem_read(Native Method) at com.github.unidbg.arm.backend.UnicornBackend.mem_read(UnicornBackend.java:32) at com.github.unidbg.pointer.UnidbgPointer.getString(UnidbgPointer.java:299) at com.github.unidbg.pointer.UnidbgPointer.getString(UnidbgPointer.java:290) at com.github.unidbg.linux.android.dvm.DalvikVM$88.handle(DalvikVM.java:1788) at com.github.unidbg.linux.ARM32SyscallHandler.hook(ARM32SyscallHandler.java:103) at com.github.unidbg.arm.backend.UnicornBackend$5.hook(UnicornBackend.java:129) at unicorn.Unicorn$NewHook.onInterrupt(Unicorn.java:128) at unicorn.Unicorn.emu_start(Native Method) at com.github.unidbg.arm.backend.UnicornBackend.emu_start(UnicornBackend.java:136) at com.github.unidbg.AbstractEmulator.emulate(AbstractEmulator.java:388) at com.github.unidbg.AbstractEmulator.eFunc(AbstractEmulator.java:477) at com.github.unidbg.arm.AbstractARMEmulator.eFunc(AbstractARMEmulator.java:209) at com.github.unidbg.Module.emulateFunction(Module.java:154) at com.github.unidbg.linux.LinuxModule.callFunction(LinuxModule.java:211) at com.github.unidbg.linux.LinuxSymbol.call(LinuxSymbol.java:27) at com.github.unidbg.linux.android.dvm.DalvikModule.callJNI_OnLoad(DalvikModule.java:30) at pancho.Demo2.(Demo2.java:52) at pancho.Demo2.main(Demo2.java:94) [18:20:34 169] WARN [com.github.unidbg.AbstractEmulator] (AbstractEmulator:407) - emulate RX@0x40003e55[libumejni.so]0x3e55 exception sp=unicorn@0xbffff6b0, msg=Invalid memory read (UC_ERR_READ_UNMAPPED), offset=6ms Find native function Java_com_umetrip_android_umehttp_security_UmeJni_sub_0515(Ljava/lang/Object;Ljava/lang/String;)Ljava/lang/String; => RX@0x4000c889[libumejni.so]0xc889 JNIEnv->CallObjectMethod(android/content/Context, getPackageManager()Landroid/content/pm/PackageManager; => android.content.pm.PackageManager@7006c658) was called from RX@0x4000c91d[libumejni.so]0xc91d JNIEnv->CallObjectMethod(android/content/Context, getPackageName()Ljava/lang/String; => "com.umetrip.android.msky.app") was called from RX@0x4000c987[libumejni.so]0xc987 JNIEnv->GetStringUtfChars("com.umetrip.android.msky.app") was called from RX@0x4000c9b1[libumejni.so]0xc9b1 JNIEnv->FindClass(com/umetrip/android/msky/app/BuildConfig) was called from RX@0x40010409[libumejni.so]0x10409 [18:20:34 308] WARN [com.github.unidbg.linux.ARM32SyscallHandler] (ARM32SyscallHandler:446) - handleInterrupt intno=2, NR=-1073743992, svcNumber=0x139, PC=unicorn@0xfffe0424, syscall=null java.lang.UnsupportedOperationException: com/umetrip/android/msky/app/BuildConfig->tc2a2wqv:Ljava/lang/String; at com.github.unidbg.linux.android.dvm.AbstractJni.getStaticObjectField(AbstractJni.java:66) at com.github.unidbg.linux.android.dvm.DvmField.getStaticObjectField(DvmField.java:27) at com.github.unidbg.linux.android.dvm.DalvikVM$58.handle(DalvikVM.java:1263) at com.github.unidbg.linux.ARM32SyscallHandler.hook(ARM32SyscallHandler.java:103) at com.github.unidbg.arm.backend.UnicornBackend$5.hook(UnicornBackend.java:129) at unicorn.Unicorn$NewHook.onInterrupt(Unicorn.java:128) at unicorn.Unicorn.emu_start(Native Method) at com.github.unidbg.arm.backend.UnicornBackend.emu_start(UnicornBackend.java:136) at com.github.unidbg.AbstractEmulator.emulate(AbstractEmulator.java:388) at com.github.unidbg.AbstractEmulator.eFunc(AbstractEmulator.java:477) at com.github.unidbg.arm.AbstractARMEmulator.eFunc(AbstractARMEmulator.java:209) at com.github.unidbg.Module.emulateFunction(Module.java:154) at com.github.unidbg.linux.android.dvm.DvmObject.callJniMethod(DvmObject.java:115) at com.github.unidbg.linux.android.dvm.DvmClass.callStaticJniMethod(DvmClass.java:244) at pancho.Demo2.myJni(Demo2.java:68) at pancho.Demo2.main(Demo2.java:105) [18:20:34 309] WARN [com.github.unidbg.AbstractEmulator] (AbstractEmulator:407) - emulate RX@0x4000c889[libumejni.so]0xc889 exception sp=unicorn@0xbfffec30, msg=com/umetrip/android/msky/app/BuildConfig->tc2a2wqv:Ljava/lang/String;, offset=139ms error emulator destroy...

代码如下： package pancho;

import com.github.unidbg.Module; import com.github.unidbg.linux.android.AndroidARMEmulator; import com.github.unidbg.linux.android.AndroidResolver; import com.github.unidbg.linux.android.dvm.*; import com.github.unidbg.linux.android.dvm.array.ByteArray; import com.github.unidbg.memory.Memory;

import java.io.File; import java.io.IOException;

/**

@program: unidbg-parent
@description: pancho
@create: 2020-10-10 10:21 **/ public class Demo2 extends AbstractJni {

private AndroidARMEmulator emulator;

private static VM vm;

private final Module module;

private final DvmClass UmeJni;

private final String appProcessName = "com.pancho";

private final int sdkVersion = 23;

/**
- @param soFilePath 需要执行的so文件路径
- @param classPath 需要执行的函数所在的Java类路径
- @throws IOException */ public Demo2(String soFilePath, String classPath) throws IOException { // 创建app进程，包名可任意写 emulator = new AndroidARMEmulator(appProcessName); Memory memory = emulator.getMemory(); // 作者支持19和23两个sdk memory.setLibraryResolver(new AndroidResolver(sdkVersion)); // memory.malloc(0x1000000); // 创建DalvikVM，利用apk本身，可以为null vm = ((AndroidARMEmulator) emulator).createDalvikVM(new File("unidbg-android/src/test/resources/apk/航旅纵横v2020_09_19 _副本.apk")); vm.setJni(this); vm.setVerbose(true); // （关键处1）加载so，填写so的文件路径 DalvikModule dm = vm.loadLibrary(new File(soFilePath), false); // 调用jni dm.callJNI_OnLoad(emulator); module = dm.getModule(); // （关键处2）加载so文件中的哪个类，填写完整的类路径 UmeJni = vm.resolveClass(classPath);
}

/**
- 调用so文件中的指定函数
- @param methodSign 传入你要执行的函数信息，需要完整的smali语法格式的函数签名
- @param args 是即将调用的函数需要的参数
- @return 函数调用结果 */ private String myJni(String methodSign, Object... args) { // 使用jni调用传入的函数签名对应的方法（） Number ret = UmeJni.callStaticJniMethod(emulator, methodSign, args); // ret存放返回调用结果存放的地址，获得函数执行后返回值 if (null != ret) { StringObject str = vm.getObject(Integer.parseInt((ret.intValue() & 0xffffffffL) + "")); return str.getValue(); } return "error"; }
/**
- 关闭模拟器
- @throws IOException */ private void destroy() throws IOException { emulator.close(); System.out.println("emulator destroy..."); }
public static void main(String[] args) throws IOException { // 1、需要调用的so文件所在路径 String soFilePath = "unidbg-android/src/test/resources/so/fixed.so"; // 2、需要调用函数所在的Java类完整路径，比如a/b/c/d等等，注意需要用/代替. String classPath = "com/umetrip/android/umehttp/security/UmeJni"; // 3、需要调用函数的函数签名，我这里调用EncryptUtils中的getGameKey方法，由于此方法没有参数列表，所以不需要传入 String methodSign = "sub_0515(Ljava/lang/Object;Ljava/lang/String;)Ljava/lang/String;"; Demo2 demo2 = new Demo2(soFilePath, classPath);
```
// Object custom = null;
// DvmObject context = vm.resolveClass("com/umetrip/android/msky/app/UmeApplication").newObject(custom);
DvmObject context = vm.resolveClass("android/content/Context").newObject(null);
String data = "{\"lastReqTime\":\"8151\",\"lastTransactionID\":\"1267d11000331602210574619\",\"latitude\":\"23.083936\",\"longitude\":\"113.231597\",\"netType\":\"1\",\"pageId\":\"110300\"," +
        "\"rchannel\":\"10000025\",\"rcuuid\":\"1267df7f194d74c5f922c5295499b92ee\"," +
        "\"rcver\":\"AND_a01_06.51.0914\",\"rkey\":\"2020-10-09 10:30:46 8000\"," +
        "\"rparams\":{\"mobile\":\"13188886666\",\"passWord\":\"123456789abcdef\",\"rttimestamp\":0,\"validateCode\":\"\"}," +
        "\"rpid\":\"1100033\",\"rpver\":\"3.0\",\"rsid\":\"\",\"transactionID\":\"1267d11000331602210646184\"}";
// 输出getGameKey方法调用结果
String result = demo2.myJni(methodSign, context, data, vm.addLocalObject(vm.resolveClass("com/umetrip/android/msky/app/BuildConfig").newObject(null)));

System.err.println(result);
demo2.destroy();
```
}

}

拜托大佬，我应该怎样才能把java类的属性放到jni中呢

zhkl0228 commented 4 years ago

java及so或者apk打包发出来看下

panchoGG commented 4 years ago

上述是脱壳后的APK以及核心加密算法的so.现在要模拟调用的是com.umetrip.android.umehttp.security.UmeJni类中的sub_0515方法。问题：jni调用过程中用到了java一个类的属性，就是不知道怎么模拟

------------------ 原始邮件 ------------------ 发件人: "zhkl0228/unidbg" <notifications@github.com>; 发送时间: 2020年10月10日(星期六) 晚上11:36 收件人: "zhkl0228/unidbg"<unidbg@noreply.github.com>; 抄送: "328366802@qq.com"<328366802@qq.com>;"Author"<author@noreply.github.com>; 主题: Re: [zhkl0228/unidbg] jni调用java类属性的问题 (#192)

java及so或者apk打包发出来看下

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub, or unsubscribe.

从QQ邮箱发来的超大附件

航旅纵横v2020_09_19.apk (99.38M, 2020年11月09日 23:38 到期)进入下载页面：http://mail.qq.com/cgi-bin/ftnExs_download?t=exs_ftn_download&k=75323535c688f19aeb48a72640640a4c0b57570056075e5a14540d575e490c535a0b185456560a4e5f02040756575e540951560c667338d984f0f6e2bbded9150b0207053954013c080b1b54160f385e&code=9255fd8c

ghost commented 3 years ago

ava.lang.ClassCastException: com.github.unidbg.linux.android.dvm.DvmObject cannot be cast to com.github.unidbg.linux.android.dvm.Array

zhkl0228 / unidbg

jni调用java类属性的问题 #192