zhkl0228 / unidbg

Allows you to emulate an Android native library, and an experimental iOS emulation
Apache License 2.0
3.91k stars, 971 forks

svcNumber=0x103: I can't find where this comes from, please take a look at the sample link aHR0cHM6Ly93d3cud2FuZG91amlhLmNvbS9hcHBzLzYyMzM3MzkvaGlzdG9yeV92ODQzMTE0MQ== #699

Open · sign-cc opened this issue 3 weeks ago

sign-cc commented 3 weeks ago

```text
list 0 :-1534962946
[14:48:53 785] DEBUG [com.github.unidbg.linux.android.dvm.BaseVM] (BaseVM:146) - addObject hash=0x76f84423, global=true
[14:48:53 785] DEBUG [com.github.unidbg.linux.android.dvm.BaseVM] (BaseVM:146) - addObject hash=0xffffffff857edf86, global=true
[14:48:53 785] DEBUG [com.github.unidbg.linux.android.dvm.BaseVM] (BaseVM:146) - addObject hash=0x6737fd8f, global=true
JNIEnv->CallStaticObjectMethodV(class com/xingin/tiny/internal/t, b(0xa48252fe, [class android/content/Context, "getSharedPreferencesPath", ["String"]]) => java.lang.reflect.Method@6737fd8f) was called from RX@0x1219c934[libtiny.so]0x19c934
[14:48:53 786] DEBUG [com.github.unidbg.linux.android.dvm.BaseVM] (BaseVM:146) - addObject hash=0x6737fd8f, global=false
[14:48:53 786] DEBUG [com.github.unidbg.linux.android.dvm.DalvikVM64] (DalvikVM64$225:3563) - ExceptionCheck throwable=null
[14:48:53 786] DEBUG [com.github.unidbg.linux.android.dvm.DalvikVM64] (DalvikVM64$234:3901) - GetEnv vm=unidbg@0xfffe0080, env=unidbg@0x799e72a69aeb4952, version=0x10006
[14:48:53 786] DEBUG [com.github.unidbg.linux.android.dvm.DalvikVM64] (DalvikVM64$20:309) - DeleteLocalRef object=unidbg@0x63e2203c
[14:48:53 786] DEBUG [com.github.unidbg.linux.android.dvm.DalvikVM64] (DalvikVM64$234:3901) - GetEnv vm=unidbg@0xfffe0080, env=unidbg@0xfffe1640[libmediandk.so]0x640, version=0x10006
[14:48:53 786] DEBUG [com.github.unidbg.linux.android.dvm.DalvikVM64] (DalvikVM64$20:309) - DeleteLocalRef object=unidbg@0x3b084709
[14:48:53 786] WARN [com.github.unidbg.linux.ARM64SyscallHandler] (ARM64SyscallHandler:410) - handleInterrupt intno=2, NR=-130880, svcNumber=0x103, PC=unidbg@0xfffe00c4, LR=RX@0x12249e28[libtiny.so]0x249e28, syscall=null
java.lang.UnsupportedOperationException
	at com.github.unidbg.linux.android.dvm.DalvikVM64$4.handle(DalvikVM64.java:96)
	at com.github.unidbg.linux.ARM64SyscallHandler.hook(ARM64SyscallHandler.java:119)
	at com.github.unidbg.arm.backend.Unicorn2Backend$11.hook(Unicorn2Backend.java:352)
	at com.github.unidbg.arm.backend.unicorn.Unicorn$NewHook.onInterrupt(Unicorn.java:109)
	at com.github.unidbg.arm.backend.unicorn.Unicorn.emu_start(Native Method)
	at com.github.unidbg.arm.backend.unicorn.Unicorn.emu_start(Unicorn.java:312)
	at com.github.unidbg.arm.backend.Unicorn2Backend.emu_start(Unicorn2Backend.java:389)
	at com.github.unidbg.AbstractEmulator.emulate(AbstractEmulator.java:378)
	at com.github.unidbg.thread.Function64.run(Function64.java:39)
	at com.github.unidbg.thread.MainTask.dispatch(MainTask.java:19)
	at com.github.unidbg.thread.UniThreadDispatcher.run(UniThreadDispatcher.java:165)
	at com.github.unidbg.thread.UniThreadDispatcher.runMainForResult(UniThreadDispatcher.java:97)
	at com.github.unidbg.AbstractEmulator.runMainForResult(AbstractEmulator.java:341)
	at com.github.unidbg.arm.AbstractARM64Emulator.eFunc(AbstractARM64Emulator.java:262)
	at com.github.unidbg.Module.emulateFunction(Module.java:163)
	at com.github.unidbg.linux.android.dvm.DvmObject.callJniMethod(DvmObject.java:135)
	at com.github.unidbg.linux.android.dvm.DvmClass.callStaticJniMethodObject(DvmClass.java:316)
	at com.xhs._8431.Tiny.init1(Tiny.java:1122)
	at com.xhs._8431.Tiny.main(Tiny.java:1167)
debugger break at: 0xfffe00c4 @ Runnable|Function64 address=0x120d2544, arguments=[unidbg@0xfffe1640[libmediandk.so]0x640, -1733448322, 1184568860, 36333492]

x0=0xfffe1640(-125376) x1=0x6737fd8f x2=0x10006 x3=0xe4fff190
x4=0x3b084709 x5=0xffffffff x6=0x1 x7=0xe4fff718
x8=0xfffe00c0 x9=0x0 x10=0xe4fff190 x11=0x0
x12=0xe4fff200 x13=0x2 x14=0x3 x15=0xab
x16=0xac x17=0x124c6000 x18=0x12602020 x19=0xefcdea78
x20=0xfffe1640 x21=0x12619260 x22=0x6737fd8f x23=0x3a1cfd55
x24=0xe4fff718 x25=0x1208d2e5 x26=0x9dface6f x27=0x57c67984
x28=0xfacd8979 fp=0xe4fff2a0
q0=0xe4fff19000000000e4fff200(1.8981897767E-314, 1.8981897213E-314)
q1=0xffffff80ffffffd800000000e4fff160(1.8981896976E-314, NaN)
q2=0x761db22743897aecb1f12cd8(2.29505005888314112E17, 9.790689612E-315)
q3=0x799e72a69aeb49527118101522e3eb18(6.120729363268888E236, 6.746720486162527E277)
q4=0x10000000000000001(4.9E-324, 4.9E-324) q5=0x40000000000000004(2.0E-323, 2.0E-323)
q6=0x20000000000000002(1.0E-323, 1.0E-323) q7=0x510000000000000051(4.0E-322, 4.0E-322)
q8=0x0(0.0) q9=0x0(0.0) q10=0x0(0.0) q11=0x0(0.0) q12=0x0(0.0) q13=0x0(0.0) q14=0x0(0.0) q15=0x0(0.0)
q16=0x30510000000000002051(4.0874E-320, 6.111E-320) q17=0x0(0.0)
q18=0x30510000000000002051(4.0874E-320, 6.111E-320) q19=0x0(0.0)
q20=0x0(0.0) q21=0x0(0.0) q22=0x0(0.0) q23=0x0(0.0) q24=0x0(0.0) q25=0x0(0.0)
q26=0x0(0.0) q27=0x0(0.0) q28=0x0(0.0) q29=0x0(0.0) q30=0x0(0.0) q31=0x0(0.0)
LR=RX@0x12249e28[libtiny.so]0x249e28 SP=0xe4fff270 PC=unidbg@0xfffe00c4
nzcv: N=0, Z=1, C=1, V=0, EL0, use SP_EL0
```

sign-cc commented 3 weeks ago
[screenshot]

Looking at it in IDA, this is caused by BLR x8 jumping to a wrong address.

sign-cc commented 3 weeks ago
[screenshot]

The return value seen in the frida hook is a reflection object.

sign-cc commented 3 weeks ago

It looks like a system call error: handleInterrupt intno=2, NR=-130880, svcNumber=0x103, but I can't find a matching value in the syscall table.

[screenshot]
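Added example (my own code, not unidbg's and not the reporter's) that parses the WARN line quoted above and separates the two cases: a non-zero svcNumber with PC in the unidbg@... region and syscall=null is one of the svc stubs unidbg registers for its JNIEnv/JavaVM function table, not a Linux syscall, so the Linux syscall table will never contain it, and the first `.handle(` frame names the Java handler that threw. The stub-versus-syscall rule is my reading of unidbg's dispatcher and is marked as an assumption in the code.

```python
import re

# Constructed excerpt of the unidbg output quoted in this issue, trimmed to the
# WARN line and the top of the exception it raised.
SAMPLE_LOG = """\
[14:48:53 786] WARN [com.github.unidbg.linux.ARM64SyscallHandler] (ARM64SyscallHandler:410) - handleInterrupt intno=2, NR=-130880, svcNumber=0x103, PC=unidbg@0xfffe00c4, LR=RX@0x12249e28[libtiny.so]0x249e28, syscall=null
java.lang.UnsupportedOperationException
    at com.github.unidbg.linux.android.dvm.DalvikVM64$4.handle(DalvikVM64.java:96)
    at com.github.unidbg.linux.ARM64SyscallHandler.hook(ARM64SyscallHandler.java:119)
"""

WARN_RE = re.compile(
    r"handleInterrupt intno=(?P<intno>\d+), NR=(?P<nr>-?\d+), "
    r"svcNumber=(?P<svc>0x[0-9a-fA-F]+), PC=(?P<pc>\S+), LR=(?P<lr>\S+), "
    r"syscall=(?P<syscall>\S+)"
)
# First stack frame whose method is handle(...): the Java class unidbg dispatched to.
FRAME_RE = re.compile(r"^\s*at (?P<cls>[\w.$]+)\.handle\((?P<loc>[^)]+)\)", re.MULTILINE)


def classify_interrupt(log_text):
    """Describe the trapped svc instruction, or return None if no WARN line is present."""
    m = WARN_RE.search(log_text)
    if m is None:
        return None
    svc = int(m.group("svc"), 16)
    pc = m.group("pc")
    # Assumption (my reading of unidbg's ARM64SyscallHandler): svcNumber != 0 means the
    # svc sits in a stub unidbg itself registered in its "unidbg@..." memory, which is
    # where the JNIEnv/JavaVM function-table trampolines live; a Linux syscall is
    # identified by NR with svcNumber=0 and a resolved, non-null syscall name.
    is_stub = svc != 0 and pc.startswith("unidbg@") and m.group("syscall") == "null"
    frame = FRAME_RE.search(log_text)
    handler = frame.group("cls") if frame else None
    return {
        "svc_number": svc,
        "pc": pc,
        "kind": "unidbg svc stub (JNI function trampoline)" if is_stub else "linux syscall",
        "kernel_syscall": m.group("syscall"),
        "handler": handler,
        "handler_short": handler.rsplit(".", 1)[-1] if handler else None,
        "lookup_in_syscall_table": not is_stub,
    }


if __name__ == "__main__":
    for key, value in classify_interrupt(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The handler_short value (here DalvikVM64$4) is the anonymous class in DalvikVM64.java to open at the reported line to see which JNI function's handler threw UnsupportedOperationException.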
sign-cc commented 3 weeks ago

@zhkl0228

sign-cc commented 3 weeks ago
[screenshot]

But judging from the exception, it looks like the pointer for the reflected method can't be found.

createnewdemo commented 2 weeks ago

Bro, did you solve it? I ran into it too.

sign-cc commented 2 weeks ago

@createnewdemo No. Want to look into it together? I asked some other people and they all said it doesn't work for them either.

createnewdemo commented 2 weeks ago

q320783214, let's look into it together

sign-cc commented 2 weeks ago

But from the trace, what gets returned is a MethodId.

[screenshot]
sign-cc commented 2 weeks ago

@createnewdemo Added.

airqj commented 1 week ago

Has this problem been solved?

sign-cc commented 6 days ago

@airqj No solution yet.