[分享]9.23 mtop 6.5.27-Android安全-看雪论坛-安全社区|非营利性质技术交流社区

[分享]9.23 mtop 6.5.27

发表于: 2021-8-16 14:40 36737

[分享]9.23 mtop 6.5.27

一只笨猫

2021-8-16 14:40

36737

图片描述
{x-sgext=JAF2ISSYmlUG1+ALEtL/8yFHEUYWQgJFE0EXTgJHAlUQQBBOFEMZTxhP, x-umt=fEIA5cBLPO3sKAJ5jg2jyHUW8jofTNMu, x-mini-wua=HHnB_8q+e3eYFlvUCIX6LyCDT3SbLfk1HzUM5kC7v/wzhcSbjfjDSz7lfFhv1nBe4+Ar1GNDr9WnRX6VH1/m7kWHRayVEAywpGLrITlYSqd4E2smkS1mv4iyVPBI1m99OI/qD, x-sign=azYBCM003xAAIG0RDWq8Z7L9nh7tAG0QaUR3dmqOojk61E0eMRTe3rPS7Tf18Lcs6kECM8zkoCKGSkkUPSEppMxUxIBtAG0QbQBtEG}

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

302

303

304

305

306

307

308

309

310

311

312

313

314

315

316

317

318

319

320

321

322

323

324

325

326

327

328

329

330

331

332

333

334

335

336

337

338

339

340

341

342

343

344

345

346

347

348

349

350

351

352

353

354

355

356

357

358

359

360

361

362

363

364

365

366

367

368

369

370

371

372

373

374

375

376

377

378

379

380

381

382

383

384

385

386

387

388

389

390

391

392

393

394

395

396

397

398

399

400

401

402

403

404

405

406

407

408

409

410

411

412

413

414

415

416

417

418

419

420

421

422

423

424

425

426

427

428

429

430

431

432

433

434

435

436

437

438

439

440

441

442

443

444

445

446

447

448

449

450

451

452

453

454

455

456

457

458

459

460

461

462

463

464

465

466

467

468

469

470

471

472

473

474

475

476

477

478

479

480

481

482

483

484

485

486

import android.content.Context;
import com.github.unidbg.AndroidEmulator;
import com.github.unidbg.Emulator;
import com.github.unidbg.Module;
import com.github.unidbg.arm.HookStatus;
import com.github.unidbg.file.FileResult;
import com.github.unidbg.file.IOResolver;
import com.github.unidbg.file.linux.AndroidFileIO;
import com.github.unidbg.hook.HookContext;
import com.github.unidbg.hook.ReplaceCallback;
import com.github.unidbg.hook.hookzz.HookZz;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.linux.android.dvm.*;
import com.github.unidbg.linux.android.dvm.array.ByteArray;
import com.github.unidbg.linux.android.dvm.jni.ProxyDvmObject;
import com.github.unidbg.memory.Memory;
import com.github.unidbg.pointer.UnidbgPointer;
import com.github.unidbg.spi.SyscallHandler;
import com.taobao.tao.TaobaoApplication;
import org.json.JSONObject;
 
import java.io.File;
import java.io.IOException;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
 
public class TaoBao extends AbstractJni implements IOResolver<AndroidFileIO> {
    private final AndroidEmulator emulator;
    private final VM vm;
    private final Context context;
    private final HookZz zz;
    private final JSONObject data;
    private Module libc;
    private long slot;
 
//    private int num = 0;
 
    private TaoBao(File apk) throws  Exception{
        emulator = AndroidEmulatorBuilder.for32Bit()
                .setRootDir(new File("D:\\DesktopTemp\\tb\\rootfs"))
                .build();
 
        Map<String, Integer> iNode = new LinkedHashMap<>();
        iNode.put("/data/system", 671745);
        iNode.put("/data/app", 327681);
        iNode.put("/sdcard/android", 294915);
        iNode.put("/data/user/0/com.taobao.taobao", 655781);
        iNode.put("/data/user/0/com.taobao.taobao/files", 655864);
        emulator.set("inode", iNode);
        emulator.set("uid", 10074);
 
        Memory memory = emulator.getMemory();
        memory.setLibraryResolver(new AndroidResolver(23));
        SyscallHandler<AndroidFileIO> handler = emulator.getSyscallHandler();
        handler.setVerbose(false);
        handler.addIOResolver(this);
        vm = emulator.createDalvikVM(apk);
        vm.setJni(this);
        vm.setVerbose(true);
 
        zz = HookZz.getInstance(emulator);
        context = new TaobaoApplication(vm);
        data = new JSONObject("{\"Soft_SGTMAGIC\":\"4I1q9PXiORQGtBivoqf4hSwMk9pwm1D8o4NitR+kvgA=\",\"dynamicreid_dynamicreid\":\"d0666b5b6022eb0\",\"dynamicrsid_dynamicrsid\":\"e1a2607877e260b\",\"SgDyUpdate_ac7123c301ca455b\":\"1621600637\",\"LOCAL_DEVICE_INFO_982c1b269b8e023e5aede2421cbf9c48\":\"YKepcS4SY+ADAIS37Xj5c7s+\",\"DynamicData_accs_ssl_key2_https:\\/\\/ossgw.alicdn.com_21646297%[B\":\"nRWwrMQ\\/jz+oOTWkAZ5FOjhnS1k48SqJdb3w3u\\/ImZJMSXQnlxpD8g0Lyi4kEfgHy5Me33VQ8fyLfqHjPk5PXZ3SwQDtSG4Km7fj9RhEav6NeP85kaWorOA8KTx9u9MHnXdbQa4GVOpBTln\\/GKsPje5gRpmCtWUb71auNwVEO\\/s9LUhH\\/HOcH\\/fwdPixaJAi\\/wNKYYlijdORJgVTOwrtSls1DeUr61NyCDUQa0SkVhw6\\/8PI8gdM1JNt8QEcBIemgI0sM4zA3yyRxFTb0wwcu8CpLsBmIqxqZbvHA+2081dfYDIKuKguH9vYy4s\\/q++odPRvTB25RuEfvXWW\\/+IPtScYQXMx9\\/MG4RW7t80WR0+DOWZXHtkpVlPhTDcU9P2fI4bcQdRSTOIcaI6uFmnOdmb5b9QdtwU3qXgSOuBTh2Bdd6yTeyydRLChBzlWRtcZm6+tYgHOTJIWRNoDg8CxEw==\",\"llc-local_2c3c7f544c159842\":\"1621600921\",\"llc-local_abv2\":\"his:0\",\"llc-local_tcv2\":\"source:0,0,0\"}");
 
        for (Module each : memory.getLoadedModules()) {
            if ("libc.so".equals(each.getPath())) {
                libc = each;
                break;
            }
        }
    }
 
    public static void main(String[] args) throws Exception {
//        Logger.getLogger(DvmClass.class).setLevel(Level.OFF);
//        Logger.getLogger(ARM32SyscallHandler.class).setLevel(Level.OFF);
        TaoBao taobao = new TaoBao(new File("D:\\DesktopTemp\\tb\\tb.apk"));
 
        AndroidEmulator emulator = taobao.emulator;
        String methodSign = "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;";
 
        DvmClass targetClass = taobao.vm.resolveClass("com/taobao/wireless/security/adapter/JNICLibrary");
        DalvikModule main = taobao.vm.loadLibrary("sgmainso-6.5.25", true);
 
        taobao.loadLibHook();
        taobao.loadTestHook();
        taobao.loadTestHook(main.getModule());
 
        main.callJNI_OnLoad(emulator);
 
        targetClass.callStaticJniMethodObject(emulator, methodSign,
                10101, ProxyDvmObject.createObject(taobao.vm, new Object[]{
                        taobao.context, 3, "", "/data/user/0/com.taobao.taobao/app_SGLib", ""
                }));
 
 
        targetClass.callStaticJniMethodObject(emulator, methodSign,
                10102, ProxyDvmObject.createObject(taobao.vm, new Object[]{
                        "main", "6.5.25", "/data/app/com.taobao.taobao-1/lib/arm/libsgmainso-6.5.25.so"
                }));
 
 
        DalvikModule security = taobao.vm.loadLibrary("sgsecuritybodyso-6.5.33", true);
        security.callJNI_OnLoad(emulator);
 
 
        targetClass.callStaticJniMethodObject(emulator, methodSign,
                10102, ProxyDvmObject.createObject(taobao.vm, new Object[]{
                        "securitybody", "6.5.33", "/data/app/com.taobao.taobao-1/lib/arm/libsgsecuritybodyso-6.5.33.so"
                }));
 
        DalvikModule middletier = taobao.vm.loadLibrary("sgmiddletierso-6.5.27", true);
        middletier.callJNI_OnLoad(emulator);
 
        targetClass.callStaticJniMethodObject(emulator, methodSign,
                10102, ProxyDvmObject.createObject(taobao.vm, new Object[]{
                        "middletier", "6.5.27", "/data/app/com.taobao.taobao-1/lib/arm/libsgmiddletierso-6.5.27.so"
                }));
 
        taobao.loadTest3Hook(middletier.getModule());
 
        DvmObject<?> dvmObject1 = targetClass.callStaticJniMethodObject(emulator, methodSign,
                70102, ProxyDvmObject.createObject(taobao.vm, new Object[]{
                        "丢失", "丢失",
                        false, 0, "mtop.alibaba.cro.umid.networksdk.savewb", "pageName=com.taobao.tao.welcome.Welcome&pageId=", null, null, null, "r_6"
                }));
 
        System.out.println(dvmObject1.getValue().toString());
        try {
            emulator.close();
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
 
    private void loadTestHook(Module main) {
 
        zz.replace(main.base + 0x94584 | 1, new ReplaceCallback() {
            @Override
            public HookStatus onCall(Emulator<?> emulator, long originFunction) {
                return HookStatus.LR(emulator, 0x98764321);
            }
        });
 
//        zz.replace(main.base + 0x78248 | 1, new ReplaceCallback() {
//            @Override
//            public HookStatus onCall(Emulator<?> emulator, HookContext context, long originFunction) {
//                UnidbgPointer pointerArg = context.getPointerArg(0);
//                Inspector.inspect(pointerArg.getPointer(0).getByteArray(0, pointerArg.getInt(4)), "MD5");
//                return super.onCall(emulator, context, originFunction);
//            }
//        });
    }
 
    private void loadTest3Hook(Module middletier) {
//        emulator.traceCode(middletier.base + 0x00047AEA | 1, middletier.base + 0x00047AEC | 1, new TraceCodeListener() {
//            @Override
//            public void onInstruction(Emulator<?> emulator, long address, Capstone.CsInsn insn) {
//                num++;
//            }
//        }).setRedirect(new NullPrintStream());
    }
 
 
    private void loadTestHook() {
        zz.replace(libc.findSymbolByName("time"), new ReplaceCallback() {
            @Override
            public HookStatus onCall(Emulator<?> emulator, long originFunction) {
                return HookStatus.LR(emulator, 1618558999);
            }
        });
        zz.replace(libc.findSymbolByName("lrand48"), new ReplaceCallback() {
            @Override
            public HookStatus onCall(Emulator<?> emulator, long originFunction) {
                return HookStatus.LR(emulator, 0);
            }
        });
        zz.replace(libc.findSymbolByName("arc4random"), new ReplaceCallback() {
            @Override
            public HookStatus onCall(Emulator<?> emulator, long originFunction) {
                return HookStatus.LR(emulator, 0x71BDF95F);
            }
        });
        zz.replace(libc.findSymbolByName("gettimeofday"), new ReplaceCallback() {
            @Override
            public HookStatus onCall(Emulator<?> emulator, HookContext context, long originFunction) {
                UnidbgPointer pointerArg = context.getPointerArg(0);
                pointerArg.write(0, new int[]{1618558999, 31231}, 0, 2);
                return HookStatus.LR(emulator, 0);
            }
        });
    }
 
    private void loadLibHook() {
        zz.replace(libc.findSymbolByName("pthread_create"), new ReplaceCallback() {
            @Override
            public HookStatus onCall(Emulator<?> emulator, long originFunction) {
                return HookStatus.LR(emulator, 0);
            }
        });
 
        zz.replace(libc.findSymbolByName("getuid"), new ReplaceCallback() {
            @Override
            public HookStatus onCall(Emulator<?> emulator, long originFunction) {
                return HookStatus.LR(emulator, emulator.<Integer>get("uid"));
            }
        });
 
        zz.replace(libc.findSymbolByName("stat64"), new ReplaceCallback() {
            private String path;
            private UnidbgPointer buff;
 
            @Override
            public HookStatus onCall(Emulator<?> emulator, HookContext context, long originFunction) {
                path = context.getPointerArg(0).getString(0);
                buff = context.getPointerArg(1);
                return super.onCall(emulator, context, originFunction);
            }
 
            @Override
            public void postCall(Emulator<?> emulator, HookContext context) {
                Object inode = emulator.get("inode");
                if (inode != null) {
                    Object integer = ((Map<?, ?>) inode).get(this.path);
                    if (integer != null) {
                        int[] ints = {(int) integer};
                        buff.write(12, ints, 0, 1);
                        buff.write(0x60, ints, 0, 1);
                    }
                }
                super.postCall(emulator, context);
            }
        }, true);
    }
 
    @Override
    public DvmObject<?> newObject(BaseVM vm, DvmClass dvmClass, String signature, VarArg varArg) {
        switch (signature) {
            case "java/lang/Integer-><init>(I)V":
                return ProxyDvmObject.createObject(vm, varArg.getIntArg(0));
            case "java/lang/Long-><init>(J)V":
                return ProxyDvmObject.createObject(vm, varArg.getLongArg(0));
            case "java/util/HashMap-><init>(I)V":
                return ProxyDvmObject.createObject(vm, new HashMap<>());
        }
        return super.newObject(vm, dvmClass, signature, varArg);
    }
 
    @Override
    public int getStaticIntField(BaseVM vm, DvmClass dvmClass, String signature) {
        if ("android/os/Build$VERSION->SDK_INT:I".equals(signature)) {
            return 23;
        }
        return super.getStaticIntField(vm, dvmClass, signature);
    }
 
    @Override
    public long getStaticLongField(BaseVM vm, DvmClass dvmClass, String signature) {
        if ("com/alibaba/wireless/security/framework/SGPluginExtras->slot:J".equals(signature)) {
            return slot;
        }
        return super.getStaticLongField(vm, dvmClass, signature);
    }
 
    @Override
    public DvmObject<?> getObjectField(BaseVM vm, DvmObject<?> dvmObject, String signature) {
        if ("android/content/pm/ApplicationInfo->nativeLibraryDir:Ljava/lang/String;".equals(signature)) {
            return new StringObject(vm, "/data/app/com.taobao.taobao-1/lib/arm");
        } else if ("android/content/pm/ApplicationInfo->sourceDir:Ljava/lang/String;".equals(signature)) {
            return new StringObject(vm, this.context.getPackageCodePath());
        }
        return super.getObjectField(vm, dvmObject, signature);
    }
 
    @Override
    public void setStaticLongField(BaseVM vm, DvmClass dvmClass, String signature, long value) {
        if ("com/alibaba/wireless/security/framework/SGPluginExtras->slot:J".equals(signature)) {
            slot = value;
            return;
        }
        super.setStaticLongField(vm, dvmClass, signature, value);
    }
 
    @Override
    public DvmObject<?> callStaticObjectMethod(BaseVM vm, DvmClass dvmClass, String signature, VarArg varArg) {
        switch (signature) {
            case "com/alibaba/wireless/security/securitybody/SecurityGuardSecurityBodyPlugin->getPluginClassLoader()Ljava/lang/ClassLoader;":
                return vm.resolveClass("dalvik/system/PathClassLoader").newObject(this.getClass().getClassLoader());
            case "com/taobao/dp/util/CallbackHelper->getInstance()Lcom/taobao/dp/util/CallbackHelper;":
                return vm.resolveClass("com/taobao/dp/util/CallbackHelper").newObject(null);
            case "com/taobao/wireless/security/adapter/common/SPUtility2->readFromSPUnified(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;": {
                String temp = null;
                String key = varArg.getObjectArg(0).getValue() + "_" + varArg.getObjectArg(1).getValue();
                try {
                    temp = data.getString(key);
                } catch (Exception ignored) {
                }
                return temp == null ? varArg.getObjectArg(2) : new StringObject(vm, temp);
            }
            case "com/taobao/wireless/security/adapter/datacollection/DeviceInfoCapturer->doCommandForString(I)Ljava/lang/String;": {
                String temp;
                switch (varArg.getIntArg(0)) {
                    case 122:
                        temp = "com.taobao.taobao";
                        break;
                    case 123:
                        temp = "9.23.0";
                        break;
                    case 135:
                        temp = "YKepcS4SY+ADAIS37Xj5c7s+";
                        break;
                    default:
                        return null;
                }
                return new StringObject(vm, temp);
            }
            case "java/net/NetworkInterface->getNetworkInterfaces()Ljava/util/Enumeration;":
                try {
                    return Context.getNetworkInterfaces(vm);
                } catch (Exception e) {
                    e.printStackTrace();
                }
                return null;
            case "com/alibaba/wireless/security/securitybody/SecurityBodyAdapter->doAdapter(I)Ljava/lang/String;": {
                String value;
                switch (varArg.getIntArg(0)) {
                    case 6:
                        value = "100";
                        break;
                    case 8:
                        value = "1";
                        break;
                    case 9:
                        value = "1618558999";
                        break;
                    case 10:
                        value = "0";
                        break;
                    case 11:
                        value = "4.97";
                        break;
                    default:
                        return null;
                }
                return new StringObject(vm, value);
            }
            case "java/lang/Thread->currentThread()Ljava/lang/Thread;":
                return ProxyDvmObject.createObject(vm, Thread.currentThread());
        }
        return super.callStaticObjectMethod(vm, dvmClass, signature, varArg);
    }
 
    @Override
    public void callStaticVoidMethod(BaseVM vm, DvmClass dvmClass, String signature, VarArg varArg) {
        switch (signature) {
            case "com/alibaba/wireless/security/open/edgecomputing/ECMiscInfo->registerAppLifeCyCleCallBack()V":
            case "com/alibaba/wireless/security/securitybody/LifeCycle->setAccessibilityDelegateToView()V":
                return;
        }
        super.callStaticVoidMethod(vm, dvmClass, signature, varArg);
    }
 
    @Override
    public int callStaticIntMethod(BaseVM vm, DvmClass dvmClass, String signature, VarArg varArg) {
        switch (signature) {
            case "com/taobao/wireless/security/adapter/common/SPUtility2->saveToFileUnifiedForNative(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Z)I":
                return 2;
            case "com/alibaba/wireless/security/framework/utils/UserTrackMethodJniBridge->utAvaiable()I":
            case "com/uc/crashsdk/JNIBridge->registerInfoCallback(Ljava/lang/String;IJI)I":
                return 1;
            case "android/provider/Settings$Secure->getInt(Landroid/content/ContentResolver;Ljava/lang/String;I)I":
                return context.getInt(varArg.getObjectArg(1).getValue().toString(), varArg.getIntArg(2));
        }
        return super.callStaticIntMethod(vm, dvmClass, signature, varArg);
    }
 
    @Override
    public boolean callBooleanMethod(BaseVM vm, DvmObject<?> dvmObject, String signature, VarArg varArg) {
        switch (signature) {
            case "java/lang/Boolean->booleanValue()Z":
                return (Boolean) dvmObject.getValue();
            case "android/view/accessibility/AccessibilityManager->isEnabled()Z":
            case "android/view/accessibility/AccessibilityManager->isTouchExplorationEnabled()Z":
                return false;
            case "java/util/Enumeration->hasMoreElements()Z":
                return ((Enumeration) dvmObject).hasMoreElements();
            case "java/net/NetworkInterface->isUp()Z":
                return ((Context.mNetworkInterface) dvmObject.getValue()).isUp();
        }
        return super.callBooleanMethod(vm, dvmObject, signature, varArg);
    }
 
    @Override
    public void callVoidMethod(BaseVM vm, DvmObject<?> dvmObject, String signature, VarArg varArg) {
        if ("com/taobao/dp/util/CallbackHelper->onUpdated(IILjava/lang/String;)V".equals(signature)) {
            return;
        }
        super.callVoidMethod(vm, dvmObject, signature, varArg);
    }
 
    @Override
    public int callIntMethod(BaseVM vm, DvmObject<?> dvmObject, String signature, VarArg varArg) {
        if ("java/lang/Integer->intValue()I".equals(signature)) {
            return (Integer) dvmObject.getValue();
        } else if ("android/telephony/TelephonyManager->getSimState()I".equals(signature)) {
            return ((Context) dvmObject.getValue()).getSimState();
        }
        return super.callIntMethod(vm, dvmObject, signature, varArg);
    }
 
    @Override
    public DvmObject<?> callObjectMethod(BaseVM vm, DvmObject<?> dvmObject, String signature, VarArg varArg) {
        switch (signature) {
            case "java/lang/String->getBytes()[B":
                return new ByteArray(vm, ((String) dvmObject.getValue()).getBytes());
            case "com/taobao/tao/TaobaoApplication->getPackageCodePath()Ljava/lang/String;":
                return new StringObject(vm, ((Context) dvmObject.getValue()).getPackageCodePath());
            case "com/taobao/tao/TaobaoApplication->getFilesDir()Ljava/io/File;":
            case "android/content/Context->getFilesDir()Ljava/io/File;":
                return ProxyDvmObject.createObject(vm, ((Context) dvmObject.getValue()).getFilesDir());
            case "java/io/File->getAbsolutePath()Ljava/lang/String;":
                return new StringObject(vm, ((File) dvmObject.getValue()).getPath().replace('\\', '/'));
            case "com/taobao/tao/TaobaoApplication->getApplicationInfo()Landroid/content/pm/ApplicationInfo;":
                return super.callObjectMethod(vm, dvmObject,
                        "android/content/Context->getApplicationInfo()Landroid/content/pm/ApplicationInfo;", varArg);
            case "android/content/Context->getSystemService(Ljava/lang/String;)Ljava/lang/Object;":
                return ((TaobaoApplication) dvmObject.getValue()).getSystemService(varArg.getObjectArg(0).getValue().toString());
            case "dalvik/system/PathClassLoader->findClass(Ljava/lang/String;)Ljava/lang/Class;":
                return vm.resolveClass(varArg.getObjectArg(0).getValue().toString());
            case "java/util/Enumeration->nextElement()Ljava/lang/Object;":
                return ((Enumeration) dvmObject).nextElement();
            case "android/content/Context->getContentResolver()Landroid/content/ContentResolver;":
                return ((Context) dvmObject.getValue()).getContentResolver();
            case "java/net/NetworkInterface->getName()Ljava/lang/String;":
                return new StringObject(vm, ((Context.mNetworkInterface) dvmObject.getValue()).getName());
            case "java/lang/Thread->getStackTrace()[Ljava/lang/StackTraceElement;":
                return ProxyDvmObject.createObject(vm, ((Thread) dvmObject.getValue()).getStackTrace());
            case "java/lang/StackTraceElement->toString()Ljava/lang/String;":
                return new StringObject(vm, ((StackTraceElement) dvmObject.getValue()).toString());
            case "java/util/HashMap->put(Ljava/lang/Object;Ljava/lang/Object;)Ljava/lang/Object;":
                return ProxyDvmObject.createObject(vm, ((HashMap<Object, Object>) dvmObject.getValue())
                        .put(varArg.getObjectArg(0).getValue(), varArg.getObjectArg(1).getValue()));
        }
        return super.callObjectMethod(vm, dvmObject, signature, varArg);
    }
 
    @Override
    public DvmObject<?> callObjectMethodV(BaseVM vm, DvmObject<?> dvmObject, String signature, VaList vaList) {
        switch (signature) {
            case "android/content/Context->getClassLoader()Ljava/lang/ClassLoader;":
                return ProxyDvmObject.createObject(vm, this.getClass().getClassLoader());
            case "android/content/Context->getPackageResourcePath()Ljava/lang/String;":
                return ProxyDvmObject.createObject(vm, ((Context) dvmObject.getValue()).getPackageResourcePath());
            case "android/content/Context->getFilesDir()Ljava/io/File;":
                return ProxyDvmObject.createObject(vm, ((Context) dvmObject.getValue()).getFilesDir());
            case "java/io/File->getPath()Ljava/lang/String;":
                return ProxyDvmObject.createObject(vm, ((File) dvmObject.getValue()).getPath().replace('\\', '/'));
        }
        return super.callObjectMethodV(vm, dvmObject, signature, vaList);
    }
 
    @Override
    public FileResult<AndroidFileIO> resolve(Emulator<AndroidFileIO> emulator, String pathname, int oflags) {
        switch (pathname) {
            case "/data/app/com.taobao.taobao-1/base.apk":
            case "/data/user/0/com.taobao.taobao/files/sg_oc.lock":
            case "/data/user/0/com.taobao.taobao/files/ab914f43b8296c2c.lock":
            case "/data/user/0/com.taobao.taobao/files/0a231bd8575dcf72.txt":
            case "/data/user/0/com.taobao.taobao/files/.ba2f9c85.lock":
            case "/data/user/0/com.taobao.taobao/files/JX0WDG83P1ZN.txt":
            case "/data/user/0/com.taobao.taobao/files/sgFile.lock":
            case "/data/user/0/com.taobao.taobao/app_SGLib/SG_INNER_DATA":
                return FileResult.success(emulator.getFileSystem().createSimpleFileIO(
                        new File("D:\\DesktopTemp\\tb\\rootfs", pathname), oflags, pathname));
            case "/data/data/com.taobao.taobao/app_SGLib/sec":
            case "/data/user/0/com.taobao.taobao/app_SGLib/sec":
            case "/data/user/0/com.taobao.taobao/app_SGLib/lvmreport":
                return FileResult.success(emulator.getFileSystem().createDirectoryFileIO(
                        new File("D:\\DesktopTemp\\tb\\rootfs", pathname), oflags, pathname));
            default:
                return null;
        }
    }
 
}

[培训]传播安全知识、拓宽行业人脉——看雪讲师团队等你加入！

最后于 2021-8-16 14:41 被一只笨猫编辑，原因：

#HOOK注入

收藏・35

免费・2

支持

最新回复 (30) 1 2 ▶
mb_foyotena 雪币： 477 活跃值： (1412) 能力值： ( LV2，RANK：10 ) 在线值：发帖 8 回帖 304 粉丝 14 关注私信	mb_foyotena 2 楼雕虫小技也敢班门弄斧, 大V天龙 2021-8-16 15:09 1
陈某人雪币： 1528 活跃值： (5248) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 61 粉丝 2 关注私信	陈某人 3 楼 TaobaoApplication 这个类能分享下吗 2021-8-16 17:49 0
iwxiao 雪币： 209 能力值： ( LV1，RANK：0 ) 在线值：发帖 0 回帖 4 粉丝 0 关注私信	iwxiao 4 楼强的离谱 2021-8-17 11:16 0
万里星河雪币： 240 活跃值： (1930) 能力值： ( LV2，RANK：10 ) 在线值：发帖 3 回帖 581 粉丝 8 关注私信	万里星河 5 楼没看懂想表达啥 2021-8-18 07:22 0
wx_0xC05StackOver 雪币： 208 活跃值： (2528) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 124 粉丝 13 关注私信	wx_0xC05StackOver 6 楼天天折腾MTOP 你们还让不让开发休息了 2021-8-23 17:49 0
CTF冠军雪币： 66 能力值： ( LV1，RANK：0 ) 在线值：发帖 27 回帖 50 粉丝 2 关注私信	CTF冠军 7 楼 6.5.7 跑到[14:32:31 213] INFO [com.github.unidbg.linux.ARMSyscallHandler] (ARMSyscallHandler:796) - pthread_clone child_stack=RW@0x419bf930, thread_id=9, fn=RX@0x401de7f5[libc.so]0x3f7f5, arg=RW@0x419bf930, flags=[CLONE_VM, CLONE_FS, CLONE_FILES, CLONE_SIGHAND, CLONE_THREAD, CLONE_SYSVSEM, CLONE_SETTLS, CLONE_PARENT_SETTID, CLONE_CHILD_CLEARTID] 提示 2403 2021-8-31 14:35 0
奋斗小菜鸟雪币： 4671 活跃值： (4308) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 28 粉丝 1 关注私信	奋斗小菜鸟 8 楼强强强 2021-9-19 20:40 0
suuuuu 雪币： 864 活跃值： (5144) 能力值： ( LV2，RANK：10 ) 在线值：发帖 22 回帖 298 粉丝 8 关注私信	suuuuu 9 楼乌云出征寸草不生 2021-9-22 17:20 0
wx_A39 雪币：能力值： ( LV1，RANK：0 ) 在线值：发帖 0 回帖 1 粉丝 0 关注私信	wx_A39 10 楼 x-mini-wua 结果是短的没用处 2021-10-7 11:48 0
kakasasa 雪币： 577 活跃值： (2035) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 294 粉丝 5 关注私信	kakasasa 11 楼 mark 2021-10-7 14:07 0
自己能雪币： 0 能力值： ( LV1，RANK：0 ) 在线值：发帖 0 回帖 16 粉丝 1 关注私信	自己能 12 楼 import android.content.Context; 这个是怎么实现导入的呢? 2021-10-15 18:31 0
pa0ca1 雪币： 220 能力值： ( LV1，RANK：0 ) 在线值：发帖 0 回帖 4 粉丝 0 关注私信	pa0ca1 13 楼 TaobaoApplication 这个类能分享下吗，有偿求助 2021-10-29 15:20 0
一只笨猫雪币： 791 活跃值： (5272) 能力值： ( LV3，RANK：20 ) 在线值：发帖 17 回帖 116 粉丝 227 关注私信	一只笨猫 14 楼 pa0ca1 TaobaoApplication 这个类能分享下吗，有偿求助 si 2021-10-29 16:34 0
pa0ca1 雪币： 220 能力值： ( LV1，RANK：0 ) 在线值：发帖 0 回帖 4 粉丝 0 关注私信	pa0ca1 15 楼没权限 2021-10-30 10:35 0
pa0ca1 雪币： 220 能力值： ( LV1，RANK：0 ) 在线值：发帖 0 回帖 4 粉丝 0 关注私信	pa0ca1 16 楼这个报错怎么解决啊，搞了很久没思路？ [19:51:16 930] WARN [com.github.unidbg.linux.ARM64SyscallHandler] (ARM64SyscallHandler:313) - handleInterrupt intno=2, NR=-130448, svcNumber=0x11e, PC=unidbg@0xfffe0274, LR=RX@0x400da418[libmain.so]0xda418, syscall=null com.github.unidbg.arm.backend.BackendException at com.github.unidbg.linux.android.dvm.DalvikVM64$31.handle(DalvikVM64.java:499) at com.github.unidbg.linux.ARM64SyscallHandler.hook(ARM64SyscallHandler.java:92) at com.github.unidbg.arm.backend.UnicornBackend$10.hook(UnicornBackend.java:323) at unicorn.Unicorn$NewHook.onInterrupt(Unicorn.java:128) at unicorn.Unicorn.emu_start(Native Method) at com.github.unidbg.arm.backend.UnicornBackend.emu_start(UnicornBackend.java:354) at com.github.unidbg.AbstractEmulator.emulate(AbstractEmulator.java:370) at com.github.unidbg.AbstractEmulator.eFunc(AbstractEmulator.java:446) at com.github.unidbg.arm.AbstractARM64Emulator.eFunc(AbstractARM64Emulator.java:220) at com.github.unidbg.Module.emulateFunction(Module.java:159) at com.github.unidbg.linux.android.dvm.DvmObject.callJniMethod(DvmObject.java:133) at com.github.unidbg.linux.android.dvm.DvmClass.callStaticJniMethodObject(DvmClass.java:292) at com.taobao.taobao.XSign.getXSign(XSign.java:180) at com.taobao.taobao.XSign.main(XSign.java:107) [19:51:16 933] WARN [com.github.unidbg.AbstractEmulator] (AbstractEmulator:389) - emulate RX@0x40016bc0[libmain.so]0x16bc0 exception sp=unidbg@0xbfffdc00, msg=null, offset=99ms 2021-11-3 20:06 0
胖虎1103 雪币： 202 活跃值： (216) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 7 粉丝 0 关注私信	胖虎1103 17 楼付费求成品 2022-3-26 00:21 0
Miracle_193014 雪币： 0 活跃值： (64) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 1 粉丝 0 关注私信	Miracle_193014 18 楼 TaobaoApplication 可以分享一下吗？我使用了空的context生成的是短的miniwua，感觉应该就是初始化时没有上下文造成的。 2022-3-31 18:18 0
一只笨猫雪币： 791 活跃值： (5272) 能力值： ( LV3，RANK：20 ) 在线值：发帖 17 回帖 116 粉丝 227 关注私信	一只笨猫 19 楼例子存在很多问题没时间搞 2022-4-1 18:57 0
一只笨猫雪币： 791 活跃值： (5272) 能力值： ( LV3，RANK：20 ) 在线值：发帖 17 回帖 116 粉丝 227 关注私信	一只笨猫 20 楼 mb_xzfwsiuy 付费求成品没有 2022-4-1 19:01 0
一只笨猫雪币： 791 活跃值： (5272) 能力值： ( LV3，RANK：20 ) 在线值：发帖 17 回帖 116 粉丝 227 关注私信	一只笨猫 21 楼 Miracle_193014 TaobaoApplication 可以分享一下吗？我使用了空的context生成的是短的miniwua，感觉应该就是初始化时没有上下文造成的。是的 2022-4-1 19:01 0
wan1y 雪币： 6 能力值： ( LV1，RANK：0 ) 在线值：发帖 1 回帖 3 粉丝 0 关注私信	wan1y 22 楼 CTF冠军 6.5.7 跑到[14:32:31 213] INFO [com.github.unidbg.linux.ARMSyscallHandler] (ARMSyscallHandler:796) - p ... 2403解决了吗 2022-5-6 08:28 0
mb_iibcdkce 雪币： 200 活跃值： (205) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 3 粉丝 0 关注私信	mb_iibcdkce 23 楼怎么联系 2022-7-21 07:10 0
empty_ 雪币： 225 活跃值： (725) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 1 粉丝 0 关注私信	empty_ 24 楼留个联系方式吧 2022-8-16 13:58 0
caolinkai 雪币： 3836 活跃值： (4142) 能力值： ( LV2，RANK：10 ) 在线值：发帖 7 回帖 810 粉丝 1 关注私信	caolinkai 25 楼 6666 2022-8-16 15:09 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

一只笨猫

发帖

116

回帖

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (30) 1 2 ▶
mb_foyotena 雪币： 477 活跃值： (1412) 能力值： ( LV2，RANK：10 ) 在线值：发帖 8 回帖 304 粉丝 14 关注私信	mb_foyotena 2 楼雕虫小技也敢班门弄斧, 大V天龙 2021-8-16 15:09 1
陈某人雪币： 1528 活跃值： (5248) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 61 粉丝 2 关注私信	陈某人 3 楼 TaobaoApplication 这个类能分享下吗 2021-8-16 17:49 0
iwxiao 雪币： 209 能力值： ( LV1，RANK：0 ) 在线值：发帖 0 回帖 4 粉丝 0 关注私信	iwxiao 4 楼强的离谱 2021-8-17 11:16 0
万里星河雪币： 240 活跃值： (1930) 能力值： ( LV2，RANK：10 ) 在线值：发帖 3 回帖 581 粉丝 8 关注私信	万里星河 5 楼没看懂想表达啥 2021-8-18 07:22 0
wx_0xC05StackOver 雪币： 208 活跃值： (2528) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 124 粉丝 13 关注私信	wx_0xC05StackOver 6 楼天天折腾MTOP 你们还让不让开发休息了 2021-8-23 17:49 0
CTF冠军雪币： 66 能力值： ( LV1，RANK：0 ) 在线值：发帖 27 回帖 50 粉丝 2 关注私信	CTF冠军 7 楼 6.5.7 跑到[14:32:31 213] INFO [com.github.unidbg.linux.ARMSyscallHandler] (ARMSyscallHandler:796) - pthread_clone child_stack=RW@0x419bf930, thread_id=9, fn=RX@0x401de7f5[libc.so]0x3f7f5, arg=RW@0x419bf930, flags=[CLONE_VM, CLONE_FS, CLONE_FILES, CLONE_SIGHAND, CLONE_THREAD, CLONE_SYSVSEM, CLONE_SETTLS, CLONE_PARENT_SETTID, CLONE_CHILD_CLEARTID] 提示 2403 2021-8-31 14:35 0
奋斗小菜鸟雪币： 4671 活跃值： (4308) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 28 粉丝 1 关注私信	奋斗小菜鸟 8 楼强强强 2021-9-19 20:40 0
suuuuu 雪币： 864 活跃值： (5144) 能力值： ( LV2，RANK：10 ) 在线值：发帖 22 回帖 298 粉丝 8 关注私信	suuuuu 9 楼乌云出征寸草不生 2021-9-22 17:20 0
wx_A39 雪币：能力值： ( LV1，RANK：0 ) 在线值：发帖 0 回帖 1 粉丝 0 关注私信	wx_A39 10 楼 x-mini-wua 结果是短的没用处 2021-10-7 11:48 0
kakasasa 雪币： 577 活跃值： (2035) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 294 粉丝 5 关注私信	kakasasa 11 楼 mark 2021-10-7 14:07 0
自己能雪币： 0 能力值： ( LV1，RANK：0 ) 在线值：发帖 0 回帖 16 粉丝 1 关注私信	自己能 12 楼 import android.content.Context; 这个是怎么实现导入的呢? 2021-10-15 18:31 0
pa0ca1 雪币： 220 能力值： ( LV1，RANK：0 ) 在线值：发帖 0 回帖 4 粉丝 0 关注私信	pa0ca1 13 楼 TaobaoApplication 这个类能分享下吗，有偿求助 2021-10-29 15:20 0
一只笨猫雪币： 791 活跃值： (5272) 能力值： ( LV3，RANK：20 ) 在线值：发帖 17 回帖 116 粉丝 227 关注私信	一只笨猫 14 楼 pa0ca1 TaobaoApplication 这个类能分享下吗，有偿求助 si 2021-10-29 16:34 0
pa0ca1 雪币： 220 能力值： ( LV1，RANK：0 ) 在线值：发帖 0 回帖 4 粉丝 0 关注私信	pa0ca1 15 楼没权限 2021-10-30 10:35 0
pa0ca1 雪币： 220 能力值： ( LV1，RANK：0 ) 在线值：发帖 0 回帖 4 粉丝 0 关注私信	pa0ca1 16 楼这个报错怎么解决啊，搞了很久没思路？ [19:51:16 930] WARN [com.github.unidbg.linux.ARM64SyscallHandler] (ARM64SyscallHandler:313) - handleInterrupt intno=2, NR=-130448, svcNumber=0x11e, PC=unidbg@0xfffe0274, LR=RX@0x400da418[libmain.so]0xda418, syscall=null com.github.unidbg.arm.backend.BackendException at com.github.unidbg.linux.android.dvm.DalvikVM64$31.handle(DalvikVM64.java:499) at com.github.unidbg.linux.ARM64SyscallHandler.hook(ARM64SyscallHandler.java:92) at com.github.unidbg.arm.backend.UnicornBackend$10.hook(UnicornBackend.java:323) at unicorn.Unicorn$NewHook.onInterrupt(Unicorn.java:128) at unicorn.Unicorn.emu_start(Native Method) at com.github.unidbg.arm.backend.UnicornBackend.emu_start(UnicornBackend.java:354) at com.github.unidbg.AbstractEmulator.emulate(AbstractEmulator.java:370) at com.github.unidbg.AbstractEmulator.eFunc(AbstractEmulator.java:446) at com.github.unidbg.arm.AbstractARM64Emulator.eFunc(AbstractARM64Emulator.java:220) at com.github.unidbg.Module.emulateFunction(Module.java:159) at com.github.unidbg.linux.android.dvm.DvmObject.callJniMethod(DvmObject.java:133) at com.github.unidbg.linux.android.dvm.DvmClass.callStaticJniMethodObject(DvmClass.java:292) at com.taobao.taobao.XSign.getXSign(XSign.java:180) at com.taobao.taobao.XSign.main(XSign.java:107) [19:51:16 933] WARN [com.github.unidbg.AbstractEmulator] (AbstractEmulator:389) - emulate RX@0x40016bc0[libmain.so]0x16bc0 exception sp=unidbg@0xbfffdc00, msg=null, offset=99ms 2021-11-3 20:06 0
胖虎1103 雪币： 202 活跃值： (216) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 7 粉丝 0 关注私信	胖虎1103 17 楼付费求成品 2022-3-26 00:21 0
Miracle_193014 雪币： 0 活跃值： (64) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 1 粉丝 0 关注私信	Miracle_193014 18 楼 TaobaoApplication 可以分享一下吗？我使用了空的context生成的是短的miniwua，感觉应该就是初始化时没有上下文造成的。 2022-3-31 18:18 0
一只笨猫雪币： 791 活跃值： (5272) 能力值： ( LV3，RANK：20 ) 在线值：发帖 17 回帖 116 粉丝 227 关注私信	一只笨猫 19 楼例子存在很多问题没时间搞 2022-4-1 18:57 0
一只笨猫雪币： 791 活跃值： (5272) 能力值： ( LV3，RANK：20 ) 在线值：发帖 17 回帖 116 粉丝 227 关注私信	一只笨猫 20 楼 mb_xzfwsiuy 付费求成品没有 2022-4-1 19:01 0
一只笨猫雪币： 791 活跃值： (5272) 能力值： ( LV3，RANK：20 ) 在线值：发帖 17 回帖 116 粉丝 227 关注私信	一只笨猫 21 楼 Miracle_193014 TaobaoApplication 可以分享一下吗？我使用了空的context生成的是短的miniwua，感觉应该就是初始化时没有上下文造成的。是的 2022-4-1 19:01 0
wan1y 雪币： 6 能力值： ( LV1，RANK：0 ) 在线值：发帖 1 回帖 3 粉丝 0 关注私信	wan1y 22 楼 CTF冠军 6.5.7 跑到[14:32:31 213] INFO [com.github.unidbg.linux.ARMSyscallHandler] (ARMSyscallHandler:796) - p ... 2403解决了吗 2022-5-6 08:28 0
mb_iibcdkce 雪币： 200 活跃值： (205) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 3 粉丝 0 关注私信	mb_iibcdkce 23 楼怎么联系 2022-7-21 07:10 0
empty_ 雪币： 225 活跃值： (725) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 1 粉丝 0 关注私信	empty_ 24 楼留个联系方式吧 2022-8-16 13:58 0
caolinkai 雪币： 3836 活跃值： (4142) 能力值： ( LV2，RANK：10 ) 在线值：发帖 7 回帖 810 粉丝 1 关注私信	caolinkai 25 楼 6666 2022-8-16 15:09 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复