zhkl0228 / unidbg

Allows you to emulate an Android native library, and an experimental iOS emulation
Apache License 2.0
3.93k stars, 971 forks

How can I get the string behind a pointer argument through a hook, experts? #318

Open silasol opened 3 years ago

silasol commented 3 years ago

How can I use a hook to get the string that a pointer argument like the one below refers to, experts?

    Encrypt(
      (std::__ndk1::string *)encryptRes,
      (const std::__ndk1::string *)_model,
      (const std::__ndk1::string *)_systemVersion,
      (const std::__ndk1::string *)_deviceUid,
      (const std::__ndk1::string *)_phoneNum,
      (const std::__ndk1::string *)_timestamp,
      (const std::__ndk1::string *)_authentication,
      (const std::__ndk1::string *)_slipDistance,
      (const std::__ndk1::string *)_slipTime);

I am using the following approach to read it, but it does not seem right.

    hookZz.wrap(module.findSymbolByName("_Z7EncryptRKNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEES7_S7_S7_S7_S7_S7_S7_"), new WrapCallback<RegisterContext>() {
        @Override
        // 4. before the method runs
        public void preCall(Emulator<?> emulator, RegisterContext ctx, HookEntryInfo info) {
            //System.out.println("[Encrypt] : rerstr ->" + ctx.getPointerArg(0).getString(0));
            System.out.println("[Encrypt] : model ->" + ctx.getPointerArg(1).getString(0));
            System.out.println("[Encrypt] : systemVersion ->" + ctx.getPointerArg(2).getString(0));
            System.out.println("[Encrypt] : deviceUid ->" + ctx.getPointerArg(3).getString(0));
            System.out.println("[Encrypt] : phoneNum ->" + ctx.getPointerArg(4).getString(0));
            System.out.println("[Encrypt] : timestamp ->" + ctx.getPointerArg(5).getString(0));
            System.out.println("[Encrypt] : authentication ->" + ctx.getPointerArg(6).getString(0));
            System.out.println("[Encrypt] : slipDistance ->" + ctx.getPointerArg(7).getString(0));
            System.out.println("[Encrypt] : slipTime ->" + ctx.getPointerArg(8).getString(0));
        }

        @Override
        // 5. after the method runs
        public void postCall(Emulator<?> emulator, RegisterContext ctx, HookEntryInfo info) {
            System.out.println("[Encrypt] End");
        }
    });
zhkl0228 commented 3 years ago

Look up the layout of the std::__ndk1::string struct.

silasol commented 3 years ago

Do you mean finding the offset of the string data inside the struct and printing it from there?

Pr0214 commented 3 years ago

Reading and writing std::string in Unidbg: old wine in a new bottle.

    import com.sun.jna.Pointer;
    import java.nio.charset.StandardCharsets;
    // Assumes an `emulator` field (Emulator<?>) in the enclosing class, as the original does.
    public String readStdString(Pointer strptr) {
        // libc++ (std::__ndk1) SSO: bit 0 of the first byte is clear for the inline (short) form.
        boolean isTiny = (strptr.getByte(0) & 1) == 0;
        if (isTiny) {
            return strptr.getString(1);  // short form: {size << 1, chars...}, data at offset 1
        }
        // long form: {capacity | 1, size, char *data}; the data pointer sits at 2 * pointer size
        return strptr.getPointer(emulator.getPointerSize() * 2L).getString(0);
    }

    public void writeStdString(Pointer strptr, String content) {
        byte[] bytes = content.getBytes(StandardCharsets.UTF_8);  // byte length, not char count
        int ps = emulator.getPointerSize();
        if ((strptr.getByte(0) & 1) == 0) {
            if (bytes.length > 3 * ps - 2) {  // inline buffer holds 3 * ps - 1 bytes incl. the NUL
                throw new IllegalArgumentException("too long for the inline buffer");
            }
            strptr.write(1, bytes, 0, bytes.length);
            strptr.setByte(1 + bytes.length, (byte) 0);     // keep it NUL-terminated
            strptr.setByte(0, (byte) (bytes.length << 1));  // update the short-form size
            return;  // the original fell through into the long-form path here
        }
        Pointer data = strptr.getPointer(ps * 2L);  // no capacity check: stay within the existing size
        data.write(0, bytes, 0, bytes.length);
        data.setByte(bytes.length, (byte) 0);
        if (emulator.is64Bit()) strptr.setLong(ps, bytes.length); else strptr.setInt(ps, bytes.length);
    }
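Putting the two posts together, as an added example that is not part of the thread: the asker's wrapper rewritten to decode each `const std::string &` argument with `readStdString()` from the comment above. It assumes that helper, an `emulator` field and a `com.sun.jna.Pointer` import are in the same class, uses the mangled symbol from the question, and treats argument 0 as the output string the way the decompiled signature shows it.

```java
hookZz.wrap(module.findSymbolByName("_Z7EncryptRKNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEES7_S7_S7_S7_S7_S7_S7_"), new WrapCallback<RegisterContext>() {
    // argument names taken from the decompiled call in the question (args 1..8)
    private final String[] names = {"model", "systemVersion", "deviceUid", "phoneNum",
            "timestamp", "authentication", "slipDistance", "slipTime"};
    private Pointer result;  // std::string object Encrypt writes into; only meaningful after the call

    @Override
    public void preCall(Emulator<?> emulator, RegisterContext ctx, HookEntryInfo info) {
        // remember the output slot now: the argument registers are not reliable in postCall
        result = ctx.getPointerArg(0);
        for (int i = 0; i < names.length; i++) {
            // each argument is a pointer to a std::string object, not to its characters,
            // so decode the libc++ short/long layout instead of calling getString(0) on it
            String value = readStdString(ctx.getPointerArg(i + 1));
            System.out.println("[Encrypt] " + names[i] + " -> " + value);
        }
    }

    @Override
    public void postCall(Emulator<?> emulator, RegisterContext ctx, HookEntryInfo info) {
        // the output string is populated only once Encrypt has returned
        System.out.println("[Encrypt] result -> " + readStdString(result));
    }
});
```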