
执行错误 #604

Open q601180252 opened 4 months ago

q601180252 commented 4 months ago

```java
package com.libre;

import com.abbottdiabetescare.flashglucose.sensorabstractionservice.dataprocessing.Out; import com.alibaba.fastjson.JSON; import com.alibaba.fastjson.JSONArray; import com.alibaba.fastjson.JSONObject; import com.github.unidbg.AndroidEmulator; import com.github.unidbg.Emulator; import com.github.unidbg.Module; import com.github.unidbg.arm.backend.Backend; import com.github.unidbg.arm.backend.CodeHook; import com.github.unidbg.arm.backend.UnHook; import com.github.unidbg.arm.backend.Unicorn2Factory; import com.github.unidbg.debugger.BreakPointCallback; import com.github.unidbg.debugger.Debugger; import com.github.unidbg.debugger.DebuggerType; import com.github.unidbg.file.FileResult; import com.github.unidbg.file.IOResolver; import com.github.unidbg.file.linux.AndroidFileIO; import com.github.unidbg.linux.android.AndroidEmulatorBuilder; import com.github.unidbg.linux.android.AndroidResolver; import com.github.unidbg.linux.android.dvm.*; import com.github.unidbg.linux.android.dvm.array.ByteArray; import com.github.unidbg.linux.android.dvm.jni.ProxyDvmObject; import com.github.unidbg.linux.file.ByteArrayFileIO; import com.github.unidbg.linux.file.SimpleFileIO; import com.github.unidbg.memory.Memory; import com.github.unidbg.memory.MemoryBlock; import com.github.unidbg.pointer.UnidbgPointer; import com.github.unidbg.spi.LibraryFile; import com.github.unidbg.utils.Inspector; import com.github.unidbg.virtualmodule.android.AndroidModule; import com.github.unidbg.virtualmodule.android.JniGraphics; import com.outshineiot.bubble.xabet.AlgorithmResults; import com.outshineiot.bubble.xabet.RequltData; import org.apache.commons.codec.DecoderException; import org.apache.commons.codec.binary.Hex; import org.apache.commons.io.IOUtils; import unicorn.Arm64Const; import unicorn.ArmConst; import unicorn.UnicornConst;

import java.io.File; import java.io.FileInputStream; import java.io.IOException; import java.io.InputStream; import java.math.BigInteger; import java.util.ArrayList; import java.util.Arrays; import java.util.HashMap; import java.util.List; import java.util.zip.DataFormatException; import java.util.zip.Inflater;

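public class runlibre5 extends AbstractJni {

    /** Shared harness created by {@link #init(String)} and released by {@link #clear()}; null until init() succeeds. */
    static runlibre5 runLibre3Obj;

    private final AndroidEmulator emulator;
    private final VM vm;
    /** libg.so as loaded into the emulator; kept for callers that need the module, not read in this class. */
    private final Module module;

    /** APK file built from the caller-supplied path; assigned by init()/main() but not read in this class. */
    private static File apkFile2;

    /** Resolved {@code tk/glucodata/Natives}; its static native methods are what this harness calls. */
    private final DvmClass cNativeClass;

    /**
     * Creates the shared harness if none exists. Failures are printed and leave
     * {@link #runLibre3Obj} null, so callers must check it before use.
     *
     * @param path directory containing {@code libre3/libreoop.apk}.
     *             NOTE(review): no separator is inserted between {@code path} and the file name
     *             (main() inserts "/"), so callers presumably pass a trailing slash — confirm.
     */
    public static void init(String path) {
        if (runLibre3Obj != null) {
            return;
        }
        try {
            String apkFilePath = path + "libre3/libreoop.apk";
            apkFile2 = new File(apkFilePath);
            runLibre3Obj = new runlibre5(apkFilePath);
        } catch (Exception e) {
            // Best-effort start-up: report and keep the singleton unset.
            e.printStackTrace();
        }
    }

    /** Closes the shared harness (if any), drops the reference and requests a GC. */
    public static void clear() {
        if (runLibre3Obj != null) {
            try {
                runLibre3Obj.destroy();
            } catch (Exception e) {
                // Best-effort shutdown; the reference is dropped either way.
                e.printStackTrace();
            }
        }
        runLibre3Obj = null;
        System.gc();
    }

    /**
     * Builds a 64-bit Android emulator around the given APK, loads {@code libg.so},
     * runs its JNI_OnLoad and resolves the {@code tk/glucodata/Natives} class.
     *
     * @param apkFilePath path of the APK that backs the Dalvik VM
     * @throws DecoderException declared for callers; nothing in this body throws it
     * @throws IOException if the emulator or VM cannot be created
     */
    public runlibre5(String apkFilePath) throws DecoderException, IOException {
        System.out.println("runlibre4 == =====");
        // 32- vs 64-bit is decided here. Default backend; the original also tried
        // addBackendFactory(Dynarmic/Hypervisor/Unicorn2).
        emulator = AndroidEmulatorBuilder.for64Bit()
                .setProcessName("com.bubble.minalibre2ca")
                .build();
        System.out.println("backend == =" + emulator.getBackend());
        final Memory memory = emulator.getMemory();
        // System library resolution; the argument is the Android SDK level.
        memory.setLibraryResolver(new AndroidResolver(23));

        vm = emulator.createDalvikVM(new File(apkFilePath));
        vm.setJni(this);
        vm.setVerbose(true); // print every JNI call, including its arguments

        // NOTE(review): no IOResolver is registered on the syscall handler, so any file
        // libg.so tries to open has nothing backing it unless one is added.
        DalvikModule dm = vm.loadLibrary("g", true);
        module = dm.getModule();

        // Run JNI_OnLoad if the library exports one.
        dm.callJNI_OnLoad(emulator);

        cNativeClass = vm.resolveClass("tk/glucodata/Natives");
    }

    /** Closes the emulator and everything it owns. */
    private void destroy() throws IOException {
        emulator.close();
    }

    /**
     * Backs AllocObject for the one class the native code allocates.
     *
     * @throws UnsupportedOperationException for any other signature, so unexpected allocations are visible
     */
    @Override
    public DvmObject<?> allocObject(BaseVM vm, DvmClass dvmClass, String signature) {
        System.out.println("allocObject111111=====" + signature);
        if ("com/outshineiot/bubble/xabet/AlgorithmResults->allocObject".equals(signature)) {
            return dvmClass.newObject(new AlgorithmResults());
        }
        throw new UnsupportedOperationException(signature);
    }

    /**
     * Backs GetIntField; only {@code PackageInfo.versionCode} is answered, from the APK's own version code.
     *
     * @throws UnsupportedOperationException for any other field
     */
    @Override
    public int getIntField(BaseVM vm, DvmObject<?> dvmObject, String signature) {
        System.out.println("getIntField=====" + signature);
        if ("android/content/pm/PackageInfo->versionCode:I".equals(signature)) {
            return (int) vm.getVersionCode();
        }
        throw new UnsupportedOperationException(signature);
    }

    /** Backs NewObject; one test class gets an empty object, everything else is delegated to AbstractJni. */
    @Override
    public DvmObject<?> newObject(BaseVM vm, DvmClass dvmClass, String signature, VarArg varArg) {
        System.out.println("newObject");
        if ("com/github/unidbg/android/AndroidTest-><init>()V".equals(signature)) {
            return dvmClass.newObject(null);
        }
        return super.newObject(vm, dvmClass, signature, varArg);
    }

    /** Stand-alone run: locate the APK under the working directory, run init(), then tear down. */
    public static void main(String[] args) throws IOException, DecoderException, Exception {
        // new File("") canonicalises to the current working directory.
        File file = new File("");
        String path = file.getCanonicalPath();
        System.out.println("path===" + path);
        String apkFilePath = path + "/libre3/libreoop.apk";
        apkFile2 = new File(apkFilePath);

        // A local instance, deliberately not the static singleton (clear() would not see it).
        runlibre5 harness = new runlibre5(apkFilePath);
        harness.init();
        // initNFC() is left out of the default run.
        harness.destroy();
    }

    /**
     * Replays the device-side start-up sequence: setfilesdir(filesDir, country, nativeDir),
     * startsensors(), abbottinit(). Values observed on the device:
     * files dir {@code /data/user/0/com.bubble.minalibre2ca/files}, country {@code CN},
     * nativeDir {@code /data/app/com.bubble.minalibre2ca-El4SZwJUYPPCboNjatnzAQ==/lib/arm64}.
     */
    public void init() {
        // The directory libg.so was loaded from stands in for the device nativeDir.
        LibraryFile file = vm.findLibrary("libg.so");
        String nativeDir = file.getPath().replace("/libg.so", "");
        System.out.println(nativeDir);

        // NOTE(review): carries a "-1" suffix the device path above does not — confirm it is intended.
        String filesDir = "/data/user/0/com.bubble.minalibre2ca-1/files";
        String country = "CN";
        int processScan = cNativeClass.callStaticJniMethodInt(emulator,
                "setfilesdir(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;)I", filesDir, country, nativeDir);
        cNativeClass.callStaticJniMethod(emulator, "startsensors()V");
        System.out.println(JSON.toJSONString(processScan));
        // The boolean result was never inspected; the call is kept for its side effects.
        cNativeClass.callStaticJniMethodBoolean(emulator, "abbottinit()Z");
    }

    /** Feeds one captured NFC read (uid, info, data) to {@code nfcdata} and prints the returned object. */
    public void initNFC() {
        byte[] uid = UtilBlue.hexStringToBytes("5751b50200a407e0");
        byte[] info = UtilBlue.hexStringToBytes("9d0830017709");
        byte[] data = UtilBlue.hexStringToBytes("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");
        // NOTE(review): the return descriptor lacks the trailing ';' of a JNI object descriptor —
        // confirm against how libg.so registers nfcdata.
        String mname = "nfcdata([B[B[BLcom/outshineiot/bubble/xabet/RequltData;[B[B[B)Ljava/lang/Object";
        RequltData out = new RequltData();
        out.sensorStartTime = 0;
        out.currentTime = 326855705;
        // Wrap the Java object so it can be handed through the JNI call.
        DvmObject<?> out1 = ProxyDvmObject.createObject(vm, out);
        DvmObject<?> processScan = cNativeClass.callStaticJniMethodObject(emulator, mname,
                uid, info, data, out1, null, null, null);
        System.out.println(JSON.toJSONString(processScan));
    }

}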

```

q601180252 commented 4 months ago

错误信息 debugger break at: 0x400e9ce4 @ Runnable|Function64 address=0x400e2acc, arguments=[unidbg@0xfffe1640, -1662257446]

x0=0xfffe1640(-125376) x1=0xffffffff9cebf6da x2=0xd0 x3=0x403c0000 x4=0x403c0200 x5=0x403c02d0 x6=0x1 x7=0xbffff708 x8=0x0 x9=0x0 x10=0x1 x11=0xbfffe430 x12=0xb x13=0x0 x14=0x7fffffff x15=0x0 x16=0x40189358 x17=0x40348760 x18=0xb x19=0x0 x20=0x0 x21=0x0 x22=0x0 x23=0x0 x24=0x0 x25=0x0 x26=0x0 x27=0x0 x28=0x0 fp=0xbffff6d0 q0=0xbffff69000000000bffff700(1.591495705E-314, 1.5914956496E-314) q1=0xffffff80ffffffc800000000bffff650(1.591495618E-314, NaN) q2=0x72742f73676f6c2f73656c69662f6163(7.489563950000777E247, 2.153539780993943E243) q3=0xbffff5e0(-1.9996910095214844) q4=0x8dcf33a2(-1.2769790099084385E-30) q5=0x8b(1.9478048654114957E-43) q6=0x8b61(4.99997305055738E-41) q7=0x8b6165(1.280007254057179E-38) q8=0x0(0.0) q9=0x0(0.0) q10=0x0(0.0) q11=0x0(0.0) q12=0x0(0.0) q13=0x0(0.0) q14=0x0(0.0) q15=0x0(0.0) q16=0x0(0.0) q17=0x7b(1.723597111119525E-43) q18=0x7b90(4.4325873023522614E-41) q19=0x7b908e(1.1347622478403723E-38) q20=0x8ffe5d9b(-2.508238925581193E-29) q21=0xc4(2.7465449900766415E-43) q22=0xc4f3(7.065206727279295E-41) q23=0xc4f3aa(1.808716744257393E-38) q24=0x40180bf0(2.3757286071777344) q25=0x0(0.0) q26=0x4035528c(2.833163261413574) q27=0x0(0.0) q28=0xbffff6c0(-1.9997177124023438) q29=0x0(0.0) q30=0x0(0.0) q31=0x0(0.0) LR=RX@0x400e2ad8[libg.so]0xe2ad8 SP=0xbffff6d0 PC=RX@0x400e9ce4[libg.so]0xe9ce4 nzcv: N=0, Z=1, C=1, V=0, EL0, use SP_EL0 [libg.so 0x0e9ce0] [280100b4] 0x400e9ce0: "cbz x8, #0x400e9d04" => [libg.so 0x0e9ce4][080940f9]0x400e9ce4:*"ldr x8, [x8, #0x10]" [0x10] => mem_read address=0x10, size=8 [libg.so 0x0e9ce8] [087d4039] 0x400e9ce8: "ldrb w8, [x8, #0x1f]" [libg.so 0x0e9cec] [c8000037] 0x400e9cec: "tbnz w8, #0, #0x400e9d04" [libg.so 0x0e9cf0] [20fbffb0] 0x400e9cf0: "adrp x0, #0x4004e000" [libg.so 0x0e9cf4] [00c83791] 0x400e9cf4: "add x0, x0, #0xdf2" [libg.so 0x0e9cf8] [224f0294] 0x400e9cf8: "bl #0x4017d980" [libg.so 0x0e9cfc] [60008012] 0x400e9cfc: "mov w0, #-4" [libg.so 0x0e9d00] [07000014] 0x400e9d00: "b #0x400e9d1c" [libg.so 0x0e9d04] [280500b0] 
0x400e9d04: "adrp x8, #0x4018e000" [libg.so 0x0e9d08] [08e10191] 0x400e9d08: "add x8, x8, #0x78" [libg.so 0x0e9d0c] [08fddf08] 0x400e9d0c: "ldarb w8, [x8]" [libg.so 0x0e9d10] [c8000036] 0x400e9d10: "tbz w8, #0, #0x400e9d28" [libg.so 0x0e9d14] [280500b0] 0x400e9d14: "adrp x8, #0x4018e000" [libg.so 0x0e9d18] [007140b9] 0x400e9d18: "ldr w0, [x8, #0x70]" [libg.so 0x0e9d1c] [f30b40f9] 0x400e9d1c: "ldr x19, [sp, #0x10]" [libg.so 0x0e9d20] [fd7bc2a8] 0x400e9d20: "ldp x29, x30, [sp], #0x20"

heckerstone commented 4 months ago

修改点1: image 修改点2: image resolve方法中增加对应文件即可