package com.hack.lesson5;
import com.alibaba.fastjson.support.hsf.HSFJSONUtils;
import com.github.unidbg.AndroidEmulator;
import com.github.unidbg.Emulator;
import com.github.unidbg.Module;
import com.github.unidbg.arm.HookStatus;
import com.github.unidbg.arm.backend.DynarmicFactory;
import com.github.unidbg.hook.HookContext;
import com.github.unidbg.hook.IHook;
import com.github.unidbg.hook.ReplaceCallback;
import com.github.unidbg.hook.hookzz.HookZz;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.linux.android.dvm.DalvikModule;
import com.github.unidbg.linux.android.dvm.DvmObject;
import com.github.unidbg.linux.android.dvm.StringObject;
import com.github.unidbg.linux.android.dvm.VM;
import com.github.unidbg.linux.android.dvm.jni.ProxyDvmObject;
import com.github.unidbg.memory.Memory;
import com.sun.jna.Pointer;
import unicorn.Unicorn;

import java.io.Closeable;
import java.io.File;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
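/**
 * Harness that loads {@code libnative-lib.so} into a unidbg 32-bit Android
 * emulator, hooks its native {@code add} function with the bundled HookZz and
 * calls it through a proxied Java object.
 *
 * <p>The emulator owns native resources; callers should close the harness
 * (try-with-resources, see {@link #main(String[])}) once they are done.
 */
public class MainActivity implements Closeable {
    /** Library under test, relative to the unidbg checkout. */
    private static final String NATIVE_LIB_PATH =
            "unidbg-android/src/test/java/com/hack/lesson5/libnative-lib.so";

    /**
     * Offset of the native {@code add} function inside the library. Hooking by
     * address rather than by exported symbol also works on stripped builds, but
     * this value belongs to one specific build of libnative-lib.so and must be
     * re-read from the binary whenever the library changes. The trailing
     * {@code + 1} marks the target as Thumb code on ARM32.
     */
    private static final long ADD_FUNCTION_OFFSET = 0x3DC + 1;

    /** Android API level handed to the library resolver. */
    private static final int ANDROID_SDK_VERSION = 23;

    private final AndroidEmulator emulator;
    private final VM vm;
    private final Memory memory;
    private final Module module;

    /**
     * Builds the emulator and loads {@link #NATIVE_LIB_PATH}.
     */
    public MainActivity() {
        this(new File(NATIVE_LIB_PATH));
    }

    /**
     * Builds a 32-bit Android emulator, loads {@code nativeLib} into a fresh
     * Dalvik VM and runs the library's {@code JNI_OnLoad}.
     *
     * @param nativeLib the shared object to load
     */
    public MainActivity(File nativeLib) {
        // NOTE(review): the boolean on DynarmicFactory presumably selects a
        // fallback to the Unicorn backend when Dynarmic is unavailable -- confirm
        // against the unidbg version in use.
        emulator = AndroidEmulatorBuilder.for32Bit()
                .addBackendFactory(new DynarmicFactory(true))
                .build();
        memory = emulator.getMemory();
        memory.setLibraryResolver(new AndroidResolver(ANDROID_SDK_VERSION));
        vm = emulator.createDalvikVM();
        DalvikModule dalvikModule = vm.loadLibrary(nativeLib, true);
        module = dalvikModule.getModule();
        vm.callJNI_OnLoad(emulator, module);
    }

    /**
     * Invokes the native {@code add(II)I} with the arguments (3, 2) on a proxy of
     * this object and prints the returned value.
     */
    public void callAdd() {
        DvmObject<?> thiz = ProxyDvmObject.createObject(vm, this);
        int result = thiz.callJniMethodInt(emulator, "add(II)I", 3, 2);
        System.out.println("call the so add function result is ==>" + result);
    }

    /**
     * Replaces the native {@code add} function through unidbg's bundled HookZz.
     * The pre-call hook logs the two int arguments and rewrites the second one,
     * the post-call hook overwrites the return value, so a subsequent
     * {@link #callAdd()} observes 10 rather than the sum the library computes.
     */
    public void hook() {
        HookZz hookZz = HookZz.getInstance(emulator);
        hookZz.replace(module.base + ADD_FUNCTION_OFFSET, new ReplaceCallback() {
            @Override
            public HookStatus onCall(Emulator<?> emulator, HookContext context, long originFunction) {
                // JNI calling convention on ARM32: R0 = JNIEnv*, R1 = jobject,
                // so the two jint parameters arrive in R2 and R3.
                System.out.printf("R2: %d, R3: %d%n", context.getIntArg(2), context.getIntArg(3));
                // Overwrite the second argument (R3) before the original runs.
                emulator.getBackend().reg_write(Unicorn.UC_ARM_REG_R3, 5);
                return super.onCall(emulator, context, originFunction);
            }

            @Override
            public void postCall(Emulator<?> emulator, HookContext context) {
                // The return value lives in R0; replace it with a fixed 10.
                emulator.getBackend().reg_write(Unicorn.UC_ARM_REG_R0, 10);
                super.postCall(emulator, context);
            }
        }, true); // trailing flag presumably enables the postCall hook -- confirm
    }

    /**
     * Releases the emulator and the native resources it owns.
     *
     * @throws IOException if the emulator fails to shut down
     */
    @Override
    public void close() throws IOException {
        emulator.close();
    }

    /**
     * Loads the VM, installs the hook and calls the hooked function; the
     * emulator is closed on every exit path.
     */
    public static void main(String[] args) throws IOException {
        long start = System.currentTimeMillis();
        try (MainActivity mainActivity = new MainActivity()) {
            System.out.println("load the vm " + (System.currentTimeMillis() - start) + "ms");
            mainActivity.hook();
            mainActivity.callAdd();
        }
    }
}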
nativelib代码如下
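// JNI entry point for MainActivity.add(int, int): returns |a| + |b|.
// The absolute values are taken in 64-bit (jlong) arithmetic so that negating
// INT_MIN -- which does not fit in a jint -- and adding two large magnitudes
// never trigger signed-overflow undefined behaviour. The 64-bit sum is then
// narrowed back to jint, so results outside the 32-bit range wrap instead of
// being undefined; in-range inputs produce exactly the same value as before.
extern "C" JNIEXPORT jint JNICALL
Java_com_hack_lesson5_MainActivity_add(JNIEnv *env, jobject thiz, jint a, jint b) {
    (void) env;   // unused: no JNI calls are made
    (void) thiz;  // unused: the method reads no Java state
    jlong absA = a < 0 ? -static_cast<jlong>(a) : static_cast<jlong>(a);
    jlong absB = b < 0 ? -static_cast<jlong>(b) : static_cast<jlong>(b);
    return static_cast<jint>(absA + absB);
}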
unidbg使用自带hookzz出现异常,这是怎么回事啊