
使用unidbg搞的第一个app就如此艰难,大佬能看下这个问题,快崩溃了, app是加固的 #599

Open dh15178076212 opened 8 months ago

dh15178076212 commented 8 months ago

[17:24:05 089] WARN [com.github.unidbg.linux.ARM32SyscallHandler] (ARM32SyscallHandler:533) - handleInterrupt intno=2, NR=192, svcNumber=0x0, PC=RWX@0x401af73e, LR=RWX@0x401af72d, syscall=null java.lang.IllegalStateException: munmap aligned=0x25000, start=0x40001000 at com.github.unidbg.spi.AbstractLoader.munmap(AbstractLoader.java:144) at com.github.unidbg.linux.AndroidElfLoader.mmap2(AndroidElfLoader.java:735) at com.github.unidbg.linux.ARM32SyscallHandler.mmap2(ARM32SyscallHandler.java:1840) at com.github.unidbg.linux.ARM32SyscallHandler.hook(ARM32SyscallHandler.java:346) at com.github.unidbg.arm.backend.UnicornBackend$11.hook(UnicornBackend.java:345) at unicorn.Unicorn$NewHook.onInterrupt(Unicorn.java:128) at unicorn.Unicorn.emu_start(Native Method) at com.github.unidbg.arm.backend.UnicornBackend.emu_start(UnicornBackend.java:376) at com.github.unidbg.AbstractEmulator.emulate(AbstractEmulator.java:380) at com.github.unidbg.thread.Function32.run(Function32.java:39) at com.github.unidbg.thread.MainTask.dispatch(MainTask.java:19) at com.github.unidbg.thread.UniThreadDispatcher.run(UniThreadDispatcher.java:172) at com.github.unidbg.thread.UniThreadDispatcher.runMainForResult(UniThreadDispatcher.java:96) at com.github.unidbg.AbstractEmulator.runMainForResult(AbstractEmulator.java:340) at com.github.unidbg.arm.AbstractARMEmulator.eFunc(AbstractARMEmulator.java:229) at com.github.unidbg.linux.LinuxInitFunction.call(LinuxInitFunction.java:31) at com.github.unidbg.linux.LinuxModule.callInitFunction(LinuxModule.java:141) at com.github.unidbg.linux.AndroidElfLoader.loadInternal(AndroidElfLoader.java:180) at com.github.unidbg.linux.AndroidElfLoader.loadInternal(AndroidElfLoader.java:62) at com.github.unidbg.spi.AbstractLoader.load(AbstractLoader.java:233) at com.github.unidbg.linux.android.dvm.BaseVM.loadLibrary(BaseVM.java:312) at com.tianyancha.skyeye.(skyeye.java:36) at com.tianyancha.skyeye.main(skyeye.java:42) [17:24:05 093] WARN [com.github.unidbg.AbstractEmulator] 
(AbstractEmulator:420) - emulate RX@0x4001b6a9[libJMEncryptBox.so]0x1b6a9 exception sp=unidbg@0xbffff6b4, msg=munmap aligned=0x25000, start=0x40001000, offset=7ms [17:24:05 093] WARN [com.github.unidbg.arm.AbstractARMEmulator] (AbstractARMEmulator$1:64) - Fetch memory failed: address=0x4000c030, size=1, value=0x0, PC=RX@0x4000c030[libJMEncryptBox.so]0xc030, LR=unidbg@0xffff0000 [17:24:05 093] WARN [com.github.unidbg.AbstractEmulator] (AbstractEmulator:420) - emulate RX@0x4000c031[libJMEncryptBox.so]0xc031 exception sp=unidbg@0xbffff720, msg=unicorn.UnicornException: Invalid memory fetch (UC_ERR_FETCH_UNMAPPED), offset=0ms [17:24:05 093] WARN [com.github.unidbg.arm.AbstractARMEmulator] (AbstractARMEmulator$1:64) - Fetch memory failed: address=0x40014a0c, size=1, value=0x0, PC=RX@0x40014a0c[libJMEncryptBox.so]0x14a0c, LR=unidbg@0xffff0000 [17:24:05 093] WARN [com.github.unidbg.AbstractEmulator] (AbstractEmulator:420) - emulate RX@0x40014a0d[libJMEncryptBox.so]0x14a0d exception sp=unidbg@0xbffff720, msg=unicorn.UnicornException: Invalid memory fetch (UC_ERR_FETCH_UNMAPPED), offset=0ms [17:24:05 094] WARN [com.github.unidbg.arm.AbstractARMEmulator] (AbstractARMEmulator$1:64) - Fetch memory failed: address=0x40019c00, size=1, value=0x0, PC=RX@0x40019c00[libJMEncryptBox.so]0x19c00, LR=unidbg@0xffff0000 [17:24:05 094] WARN [com.github.unidbg.AbstractEmulator] (AbstractEmulator:420) - emulate RX@0x40019c01[libJMEncryptBox.so]0x19c01 exception sp=unidbg@0xbffff720, msg=unicorn.UnicornException: Invalid memory fetch (UC_ERR_FETCH_UNMAPPED), offset=0ms [17:24:05 094] WARN [com.github.unidbg.arm.AbstractARMEmulator] (AbstractARMEmulator$1:64) - Fetch memory failed: address=0x4001d364, size=1, value=0x0, PC=@0x4001d364[libJMEncryptBox.so]0x1d364, LR=unidbg@0xffff0000 [17:24:05 094] WARN [com.github.unidbg.AbstractEmulator] (AbstractEmulator:420) - emulate @0x4001d365[libJMEncryptBox.so]0x1d365 exception sp=unidbg@0xbffff720, msg=unicorn.UnicornException: Invalid memory fetch 
(UC_ERR_FETCH_UNMAPPED), offset=0ms [17:24:05 094] WARN [com.github.unidbg.arm.AbstractARMEmulator] (AbstractARMEmulator$1:64) - Fetch memory failed: address=0x400232a4, size=1, value=0x0, PC=@0x400232a4[libJMEncryptBox.so]0x232a4, LR=unidbg@0xffff0000 [17:24:05 094] WARN [com.github.unidbg.AbstractEmulator] (AbstractEmulator:420) - emulate @0x400232a5[libJMEncryptBox.so]0x232a5 exception sp=unidbg@0xbffff720, msg=unicorn.UnicornException: Invalid memory fetch (UC_ERR_FETCH_UNMAPPED), offset=0ms [17:24:05 097] WARN [com.github.unidbg.arm.AbstractARMEmulator] (AbstractARMEmulator$1:64) - Fetch memory failed: address=0x40005430, size=1, value=0x0, PC=RX@0x40005430[libJMEncryptBox.so]0x5430, LR=unidbg@0xffff0000 [17:24:05 097] WARN [com.github.unidbg.AbstractEmulator] (AbstractEmulator:420) - emulate RX@0x40005431[libJMEncryptBox.so]0x5431 exception sp=unidbg@0xbffff720, msg=unicorn.UnicornException: Invalid memory fetch (UC_ERR_FETCH_UNMAPPED), offset=1ms Exception in thread "main" java.lang.IllegalStateException: Illegal JNI version: 0xffffffff at com.github.unidbg.linux.android.dvm.BaseVM.checkVersion(BaseVM.java:207) at com.github.unidbg.linux.android.dvm.DalvikModule.callJNI_OnLoad(DalvikModule.java:39) at com.tianyancha.skyeye.(skyeye.java:37) at com.tianyancha.skyeye.main(skyeye.java:42)

dh15178076212 commented 8 months ago

// 这里是代码 package com.tianyancha;

import com.github.unidbg.AndroidEmulator;
import com.github.unidbg.Module;
import com.github.unidbg.file.FileIO;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.linux.android.dvm.AbstractJni;
import com.github.unidbg.linux.android.dvm.*;
import com.github.unidbg.linux.android.dvm.array.ByteArray;
import com.github.unidbg.memory.Memory;

import java.io.File;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;

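public class skyeye extends AbstractJni {
    /** Sample payload handed to the native encrypt routine by both main and call_address. */
    private static final String SAMPLE_INPUT = "imei-not-exist#@#0#@#1701937912731#@#tyc#@#78fe7353ce852fb0";

    private final AndroidEmulator emulator;
    private final VM vm;
    private final DalvikModule dm;
    private final Module module;

    /**
     * Builds a 32-bit Android emulator, creates a Dalvik VM from the APK, loads
     * libJMEncryptBox.so into it and runs the library's JNI_OnLoad. This object is
     * registered as the JNI callback handler, so the two overrides below answer the
     * Java-side calls the native code makes.
     */
    skyeye() {
        // 1. 32-bit emulator; the process name is what the emulated library is told it runs as
        emulator = AndroidEmulatorBuilder.for32Bit().setProcessName("com.tianyancha.skyeye").build();

        // 2. Android SDK level used when resolving system libraries
        Memory memory = emulator.getMemory();
        memory.setLibraryResolver(new AndroidResolver(23));

        // 3. Dalvik VM backed by the APK; this class answers the JNI callbacks
        vm = emulator.createDalvikVM(new File("data/tyc2/tianyancha10.8.0.apk"));
        vm.setJni(this);
        vm.setVerbose(true); // print JNI call details, true / false

        // 4. Load the target .so into emulator memory; per the author, init_array functions run on load
        dm = vm.loadLibrary(new File("data/tyc2/libJMEncryptBox.so"), false);
        dm.callJNI_OnLoad(emulator); // run JNI_OnLoad by hand (not needed for statically registered natives)
        module = dm.getModule();
    }

    /**
     * Entry point: encrypts {@link #SAMPLE_INPUT} through the JNI method and prints the
     * resulting bytes. {@link #call_address()} is the alternative direct-call path.
     *
     * @param args ignored
     * @throws Exception propagated from the emulator
     */
    public static void main(String[] args) throws Exception {
        skyeye skyeyeobj = new skyeye();
        // explicit charset: the default getBytes() depends on the host platform encoding
        byte[] inputByte = SAMPLE_INPUT.getBytes(StandardCharsets.UTF_8);
        byte[] arr = skyeyeobj.encryptToBytesFromBytes(inputByte);
        System.out.println(Arrays.toString(arr));
    }

    /**
     * Calls the native routine at module offset 0x584d directly, passing the JNIEnv and a
     * local reference to a byte array built from {@link #SAMPLE_INPUT}. The returned number
     * is treated as a local-object reference whose value is the result byte array, which is
     * printed.
     */
    public void call_address() {
        byte[] inputByte = SAMPLE_INPUT.getBytes(StandardCharsets.UTF_8);
        Number number = module.callFunction(
                emulator,
                0x584d,
                vm.getJNIEnv(),
                vm.addLocalObject(new ByteArray(vm, inputByte)));
        byte[] resArr = (byte[]) vm.getObject(number.intValue()).getValue();
        System.out.println(Arrays.toString(resArr));
    }

    /**
     * Invokes the static JNI method {@code com/ijiami/JMEncryptBoxByRandom.encryptByRandomType2([B)[B}.
     *
     * @param bArr bytes handed to the native method
     * @return the byte array the native method returned
     * @throws Exception propagated from the emulator call (declared as in the original)
     */
    public byte[] encryptToBytesFromBytes(byte[] bArr) throws Exception {
        DvmClass cls = vm.resolveClass("com/ijiami/JMEncryptBoxByRandom");
        String method = "encryptByRandomType2([B)[B";
        ByteArray arr = cls.callStaticJniMethodObject(emulator, method, new ByteArray(vm, bArr));
        return arr.getValue();
    }

    /**
     * Answers {@code ActivityThread.getApplication()} with a fresh Application object whose
     * class chain is Application -> ContextWrapper -> Context; everything else goes to the
     * default handler.
     */
    @Override
    public DvmObject<?> callObjectMethodV(BaseVM vm, DvmObject<?> dvmObject, String signature, VaList vaList) {
        if ("android/app/ActivityThread->getApplication()Landroid/app/Application;".equals(signature)) {
            DvmClass cContext = vm.resolveClass("android/content/Context");
            DvmClass cContextWrapper = vm.resolveClass("android/content/ContextWrapper", cContext);
            DvmClass cApplication = vm.resolveClass("android/app/Application", cContextWrapper);
            return cApplication.newObject(null);
        }
        return super.callObjectMethodV(vm, dvmObject, signature, vaList);
    }

    /**
     * Answers {@code JMEncryptBox.getFinger(String, byte[])} on the host via
     * {@link JMEncryptBox#getFinger(String, byte[])}; arg 0 is the digest algorithm name,
     * arg 1 the bytes to digest. Everything else goes to the default handler.
     */
    @Override
    public DvmObject<?> callStaticObjectMethodV(BaseVM vm, DvmClass dvmClass, String signature, VaList vaList) {
        if ("com/ijiami/JMEncryptBox->getFinger(Ljava/lang/String;[B)Ljava/lang/String;".equals(signature)) {
            String algorithm = (String) vaList.getObjectArg(0).getValue();
            byte[] data = (byte[]) vaList.getObjectArg(1).getValue();
            // only built when the hook actually fires
            return new StringObject(vm, new JMEncryptBox().getFinger(algorithm, data));
        }
        return super.callStaticObjectMethodV(vm, dvmClass, signature, vaList);
    }
}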

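class JMEncryptBox {
    /** Upper-case hex digits indexed by nibble value; built once instead of per byte. */
    private static final char[] HEX_DIGITS = {
            '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'A', 'B', 'C', 'D', 'E', 'F'
    };

    /**
     * Host-side implementation of the app's {@code JMEncryptBox.getFinger}, which the JNI hook
     * in {@code skyeye.callStaticObjectMethodV} routes here: digests {@code arr_b} with the
     * named algorithm and returns the upper-case hex encoding.
     *
     * @param s     JCA digest algorithm name (e.g. "MD5", "SHA-256")
     * @param arr_b bytes to digest
     * @return hex digest, or the literal "ERROR2" when the digest cannot be computed (for
     *         example an unknown algorithm name); the failure is also printed
     */
    public String getFinger(String s, byte[] arr_b) {
        try {
            return toHexString(MessageDigest.getInstance(s).digest(arr_b));
        } catch (Exception exception0) {
            // broad catch kept on purpose: the JNI hook wraps the result in a StringObject
            // directly and expects a String back, never an exception
            exception0.printStackTrace();
            System.out.println("ERROR2");
            return "ERROR2";
        }
    }

    /**
     * Encodes bytes as upper-case hex, two characters per byte.
     *
     * @param arr_b bytes to encode; an empty array yields ""
     * @return hex string of length {@code 2 * arr_b.length}
     */
    public String toHexString(byte[] arr_b) {
        StringBuffer stringBuffer0 = new StringBuffer(arr_b.length * 2);
        for (byte b : arr_b) {
            byte2hex(b, stringBuffer0);
        }
        return stringBuffer0.toString();
    }

    /**
     * Appends the two upper-case hex digits of {@code b} to {@code stringBuffer0}.
     *
     * @param b             byte to encode
     * @param stringBuffer0 destination buffer
     */
    public static void byte2hex(byte b, StringBuffer stringBuffer0) {
        // mask before shifting: b is sign-extended to int, so a bare b >> 4 would keep the sign bits
        stringBuffer0.append(HEX_DIGITS[(b & 0xF0) >> 4]);
        stringBuffer0.append(HEX_DIGITS[b & 0x0F]);
    }
}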

dh15178076212 commented 8 months ago

资源链接: https://www.123pan.com/s/i7najv-bk6jv.html

heckerstone commented 8 months ago

单独处理下NR=192

dh15178076212 commented 8 months ago

@heckerstone NR=192 这个是什么? 求大佬指点

huanglaoji365 commented 8 months ago

同求大佬指点

yangxiaopao commented 7 months ago

@heckerstone NR=192 这个是什么? 求大佬指点

https://chromium.googlesource.com/chromiumos/docs/+/master/constants/syscalls.md#arm-32_bit_EABI

nr表

zcybupt commented 5 months ago

老哥后来搞定了吗?

dh15178076212 commented 3 months ago

没有,不搞了,你呢

zcybupt commented 3 months ago

没有,不搞了,你呢

我改用 Frida 调用了,能生成 Authorization 字段就行