package com.iyue.exampleunidbg;
import com.github.unidbg.*;
import com.github.unidbg.Module;
import com.github.unidbg.arm.backend.DynarmicFactory;
import com.github.unidbg.arm.backend.Unicorn2Factory;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.linux.android.dvm.*;
import com.github.unidbg.linux.android.dvm.jni.ProxyDvmObject;
import com.github.unidbg.memory.Memory;
import com.github.unidbg.memory.MemoryBlock;
import com.github.unidbg.pointer.UnidbgPointer;
import java.io.File;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
public class MainActivity extends AbstractJni {
public String apkName = "";
public AndroidEmulator emulator = null;
public Memory memory = null;
public VM vm = null;
public Module module = null;
/**
* 初始化虚拟机
*/
public MainActivity() {
// 1.创建Android模拟器实例
emulator = AndroidEmulatorBuilder
.for32Bit() // new Unicorn2Factory(true) new DynarmicFactory(true)
.addBackendFactory(new DynarmicFactory(true))
// .setProcessName("com.iyue.example") // vm 加载apk后 就不用指定 进程名称
.build();
memory = emulator.getMemory();
memory.setLibraryResolver(new AndroidResolver(23));
//VM vm = emulator.createDalvikVM();
vm = emulator.createDalvikVM(new File("unidbg-android/src/test/iyuenative/android/apk/app-release.apk"));
//vm.setVerbose(true);
vm.setJni(this);
//Module module = emulator.loadLibrary(new File("unidbg-android/src/test/iyuenative/android/libs/armeabi-v7a/libexampleunidbg.so"), true);
//vm.callJNI_OnLoad(emulator, module);
DalvikModule docModule = vm.loadLibrary("exampleunidbg", true);
module = docModule.getModule();
docModule.callJNI_OnLoad(emulator);
}
/**
* 调用静态方法
*/
public void callJavaStaticRegisterFunc() {
try {
// 通过代理创建对象可以不用指定类名
// 创建一个类的实例对象
DvmObject<?> obj = vm.resolveClass("com/iyue/exampleunidbg/MainActivity").newObject(null);
// 调用 静态注册的 普通方法
// Java_com_iyue_exampleunidbg_MainActivity_stringFromJNI
DvmObject str = obj.callJniMethodObject(emulator, "stringFromJNI()Ljava/lang/String;");
System.out.println("[main]D/iyue->: " + "stringFromJNI()->result :" + str.toString());
// 调用 静态注册的 静态方法
// int __fastcall Java_com_iyue_exampleunidbg_MainActivity_staticGetNumber(JNIEnv *env, jclass _jclass, jint num)
int result = obj.callJniMethodInt(emulator, "staticGetNumber(I)I", 10);
System.out.println("[main]D/iyue->: " + "staticGetNumber(I)I->result :" + result);
} catch (Exception e) {
e.printStackTrace();
}
}
/**
* 通过偏移地址调用方法 void __fastcall printFunc1(char *a1)
*/
public void callprintFunc1() {
String str = "nniha你好";
MemoryBlock malloc = memory.malloc(str.length() + 1, false);
UnidbgPointer pointer = malloc.getPointer();
pointer.write(str.getBytes());
module.callFunction(emulator, 0x34AA8 + 1,str);
//System.out.println("[main]D/iyue->: " + "callOtherFunc:" + number.intValue());
malloc.free();
}
/**
* // int __fastcall printFunc2(char *a1)
*/
public void callprintFunc2(){
String str = "nniha你好aaaaa";
MemoryBlock malloc = memory.malloc(str.length() + 1, false);
UnidbgPointer pointer = malloc.getPointer();
pointer.write(str.getBytes());
module.callFunction(emulator,"_Z10printFunc2Pc",str);//pointer 都可以
}
/**
* jobject __fastcall isOK(JNIEnv *a1)
* {
* jclass v2; // r5
* struct _jfieldID *v3; // r2
*
* _android_log_print(3, "iyue->", "call isOK return FALSE!");
* v2 = (*a1)->FindClass(a1, "java/lang/Boolean");
* v3 = (*a1)->GetStaticFieldID(a1, v2, "FALSE", "Ljava/lang/Boolean;");
* return (*a1)->GetStaticObjectField(a1, v2, v3);
* }
*/
public boolean callisOK(){
List<Object> args = new ArrayList<Object>();
args.add(vm.getJNIEnv());
DvmObject<?> obj = vm.resolveClass("com/iyue/exampleunidbg/MainActivity").newObject(null);
args.add(vm.addLocalObject(obj));
Number number = module.callFunction(emulator, "_Z4isOKP7_JNIEnvP8_jobject", args.toArray());
Boolean value = (Boolean) vm.getObject(number.intValue()).getValue();
System.out.println("[main]D/iyue->: " +"callisOK: "+ value);
return value ;
}
/**
* 获取所有已经加载过的模块
*/
public void printModules() {
Collection<Module> loadedModules = memory.getLoadedModules();
for (Module module2 : loadedModules) {
System.out.println("[main]D/iyue->: " + "module2.name:" + module2.name);
}
}
/**
* 监听加载到内存的模块
*/
public void lisenLoadSo() {
memory.addModuleListener(new ModuleListener() {
@Override
public void onLoaded(Emulator<?> emulator, Module module) {
System.out.println("[main]D/iyue->: " + emulator.getProcessName() + ":" + module.name + "已被加载");
}
});
}
@Override
public DvmObject<?> getStaticObjectField(BaseVM vm, DvmClass dvmClass, String signature) {
if (signature.equals("java/lang/Boolean->FALSE:Ljava/lang/Boolean;")){
DvmObject <?> obj = vm.resolveClass("java/lang/Boolean").newObject(false);
return obj;
}
return super.getStaticObjectField(vm, dvmClass, signature);
}
}
