首页
社区
课程
招聘
关于unidbg调试某app的libsgmainso文件出现的SecException(1910)问题
发表于: 2023-4-26 12:00 22135

关于unidbg调试某app的libsgmainso文件出现的SecException(1910)问题

2023-4-26 12:00
22135

【文章使用unidbg以及代码下载】
https://pan.baidu.com/s/1UCodd31iBgqCUztKKdZZpg
提取码:5ifo
1.网上看了某帖子关于对sgmain的doCommandNative函数调用的复现,进一步了解了关于sgmain系列的安全措施,于是萌生了复现的想法,帖子链接:https://f5.pm/go-129256.html
2.由于之前对某航app进行过研究,并且发现其对wToken参数加密时也使用了sgmain系列进行保护,所以想要针对次app进行unidbg复现sagmain.so的调用
3.关于在复现前,网查了很多关于sagmain的帖子,其中有汇编的大致分析逻辑和unidbg复现的相关逻辑,感谢前辈大佬的帖子
https://bbs.kanxue.com/thread-267741.htm#msg_header_h2_7
https://cloud.tencent.com/developer/article/1923148
https://blog.csdn.net/John_Lenon/article/details/129572217
https://blog.csdn.net/qq_32955223/article/details/120500351
https://bbs.kanxue.com/thread-265017.htm
4.关于doCommandNative调用前,还需要进行初始化的操作,可以从启动app开始对次函数调用进行hook,打印参数的内容和返回值,然后unidbg模拟一步步的执行

5.最终目的时调用参数60902参数的doCommandNative方法对请求内容进行加密获得wToken值,思路明确后准备unidbg进行如下的调用:(这里借用:https://f5.pm/go-129256.html 帖子大佬分析的执行流程图)
图片描述
6.在unidbg复现过程中,在第一个10101的调用时候,返回值一直是null,而不是hook的0,经过多方测试,最终在unidbg低版本并且对32位so进行模拟执行时,会返回0(猜测:新版本unidbg应该是帮我们补了一些环境,而旧版本则没有,所以旧版本运行会提示补环境,照补即可,这里补充环境参考了以下两个链接的帖子:https://blog.csdn.net/John_Lenon/article/details/129572217 和 https://blog.csdn.net/qq_32955223/article/details/120500351)
7.unidbg代码如下:

8.以上代码虽然能够正确的执行一些逻辑,但是在最后的60902调用时,返回值出错了,并且提示SecException(1910),通过如下链接查找,https://help.aliyun.com/document_detail/160578.html 该错误的原来可能是:非法的avmpInstance实例
图片描述
图片描述
10.补充说明:使用unidbg 080版本进行复现

【注】文章中如有任何侵权,请联系说明修改!!
【注】本文仅用于学习讨论,不做任何商务用途!!

AOSP on blueline::com.rytong.ceair ]-> libDexHelper.so detect:  0x9ec5c
libDexHelper.so detect:  0xaa97c
libDexHelper.so detect:  0x9d73c
libDexHelper.so detect:  0xe3fd0
0x6fbe7e40ac
2023-θ4-19 22:25:00:983】 目标app正在加载so文件:/data/app/com.rytong.ceair-2joxiTDNb8xd68-9jbFtkA==/lib/arm64/libdexjni.so
2023-θ4-19 22:25:02:925】 目标app正在加载so文件:/vendor/lib64/hw/gralloc.sdm845.so
2023-θ4-19 22:25:02:938】 目标app正在加载so文件:/vendor/lib64/hw/android.hardware.graphics.mapper@2.0-impl-qti-display.so
2023-θ4-19 22:25:35:687】 目标app正在加载so文件:/data/app/com.rytong.ceair-2joxiTDNb8xd68-9jbFtkA==/lib/arm64/libsgmainso-5.4.193.so
2023-θ4-19 22:25:35:687】 目标so已经加载,正在寻找目标类....
my_log->com.taobao.wireless.security.adapter.JNICLibrary,doCommandNative,,,,true,true
doCommandNative   hooking....
2023-θ4-19 22:25:35:699】 已找到目标类:com.taobao.wireless.security.adapter.JNICLibrary,正在切换classLoader....
--------------2023-θ4-19 22:25:35:715-------------
com.taobao.wireless.security.adapter.JNICLibrary.doCommandNative is called
参数长度:2
参数0:【类型:number】
10101
参数1:【类型:object
com.rytong.ceair.CeairApp@407804a,3,,/data/user/0/com.rytong.ceair/app_SGLib,
返回结果:【类型:object】 【类名:class java.lang.Integer】
0
调用栈:
java.lang.Throwable
        at com.taobao.wireless.security.adapter.JNICLibrary.doCommandNative(Native Method)
        at com.alibaba.wireless.security.mainplugin.a.doCommand(Unknown Source:0)
        at com.alibaba.wireless.security.mainplugin.SecurityGuardMainPlugin.onPluginLoaded(Unknown Source:147)
        at com.alibaba.wireless.security.framework.d.a(Unknown Source:1134)
        at com.alibaba.wireless.security.framework.d.d(Unknown Source:67)
        at com.alibaba.wireless.security.framework.d.getPluginInfo(Unknown Source:3)
        at com.alibaba.wireless.security.open.initialize.b.a(Unknown Source:38)
        at com.alibaba.wireless.security.open.initialize.a.loadLibrarySync(Unknown Source:5)
        at com.alibaba.wireless.security.open.initialize.a.initialize(Unknown Source:0)
        at com.alibaba.wireless.security.open.SecurityGuardManager.getInstance(Unknown Source:20)
        at com.alibaba.wireless.security.open.SecurityGuardManager.getInstance(Unknown Source:1)
        at aej.a(AliPreWorm.java:54)
        at com.rytong.ceair.CeairApp.agreeConcealPrivacyToInit(CeairApp.java:86)
        at com.rytong.ceair.main.SplashActivity$l.onClick(SplashActivity.kt:477)
        at zm.onClick(ClickProxy.java:55)
        at android.view.View.performClick(View.java:7259)
        at android.view.View.performClickInternal(View.java:7236)
        at android.view.View.access$3600(View.java:801)
        at android.view.View$PerformClick.run(View.java:27892)
        at android.os.Handler.handleCallback(Handler.java:883)
        at android.os.Handler.dispatchMessage(Handler.java:100)
        at android.os.Looper.loop(Looper.java:214)
        at android.app.ActivityThread.main(ActivityThread.java:7699)
        at java.lang.reflect.Method.invoke(Native Method)
        at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:492)
        at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:930)
 
 
--------------2023-θ4-19 22:25:36:173-------------
com.taobao.wireless.security.adapter.JNICLibrary.doCommandNative is called
参数长度:2
参数0:【类型:number】
10102
参数1:【类型:object
main,5.4.193,/data/app/com.rytong.ceair-2joxiTDNb8xd68-9jbFtkA==/lib/arm64/libsgmainso-5.4.193.so
返回结果:【类型:object】 【类名:class java.lang.Integer】
0
调用栈:
java.lang.Throwable
        at com.taobao.wireless.security.adapter.JNICLibrary.doCommandNative(Native Method)
        at com.alibaba.wireless.security.mainplugin.a.doCommand(Unknown Source:0)
        at com.alibaba.wireless.security.framework.d.a(Unknown Source:1207)
        at com.alibaba.wireless.security.framework.d.d(Unknown Source:67)
        at com.alibaba.wireless.security.framework.d.getPluginInfo(Unknown Source:3)
        at com.alibaba.wireless.security.open.initialize.b.a(Unknown Source:38)
        at com.alibaba.wireless.security.open.initialize.a.loadLibrarySync(Unknown Source:5)
        at com.alibaba.wireless.security.open.initialize.a.initialize(Unknown Source:0)
        at com.alibaba.wireless.security.open.SecurityGuardManager.getInstance(Unknown Source:20)
        at com.alibaba.wireless.security.open.SecurityGuardManager.getInstance(Unknown Source:1)
        at aej.a(AliPreWorm.java:54)
        at com.rytong.ceair.CeairApp.agreeConcealPrivacyToInit(CeairApp.java:86)
        at com.rytong.ceair.main.SplashActivity$l.onClick(SplashActivity.kt:477)
        at zm.onClick(ClickProxy.java:55)
        at android.view.View.performClick(View.java:7259)
        at android.view.View.performClickInternal(View.java:7236)
        at android.view.View.access$3600(View.java:801)
        at android.view.View$PerformClick.run(View.java:27892)
        at android.os.Handler.handleCallback(Handler.java:883)
        at android.os.Handler.dispatchMessage(Handler.java:100)
        at android.os.Looper.loop(Looper.java:214)
        at android.app.ActivityThread.main(ActivityThread.java:7699)
        at java.lang.reflect.Method.invoke(Native Method)
        at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:492)
        at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:930)
 
 
2023-θ4-19 22:25:36:236】 目标app正在加载so文件:/data/app/com.rytong.ceair-2joxiTDNb8xd68-9jbFtkA==/lib/arm64/libsgsecuritybodyso-5.4.112.so
--------------2023-θ4-19 22:25:36:240-------------
com.taobao.wireless.security.adapter.JNICLibrary.doCommandNative is called
参数长度:2
参数0:【类型:number】
10102
参数1:【类型:object
securitybody,5.4.112,/data/app/com.rytong.ceair-2joxiTDNb8xd68-9jbFtkA==/lib/arm64/libsgsecuritybodyso-5.4.112.so
返回结果:【类型:object】 【类名:class java.lang.Integer】
0
调用栈:
java.lang.Throwable
        at com.taobao.wireless.security.adapter.JNICLibrary.doCommandNative(Native Method)
        at com.alibaba.wireless.security.mainplugin.a.doCommand(Unknown Source:0)
        at com.alibaba.wireless.security.framework.d.a(Unknown Source:1207)
        at com.alibaba.wireless.security.framework.d.d(Unknown Source:67)
        at com.alibaba.wireless.security.framework.d.a(Unknown Source:301)
        at com.alibaba.wireless.security.framework.d.a(Unknown Source:340)
        at com.alibaba.wireless.security.framework.d.d(Unknown Source:67)
        at com.alibaba.wireless.security.framework.d.getPluginInfo(Unknown Source:3)
        at com.alibaba.wireless.security.framework.d.getInterface(Unknown Source:64)
        at com.alibaba.wireless.security.open.SecurityGuardManager.getInterface(Unknown Source:2)
        at aej.a(AliPreWorm.java:54)
        at com.rytong.ceair.CeairApp.agreeConcealPrivacyToInit(CeairApp.java:86)
        at com.rytong.ceair.main.SplashActivity$l.onClick(SplashActivity.kt:477)
        at zm.onClick(ClickProxy.java:55)
        at android.view.View.performClick(View.java:7259)
        at android.view.View.performClickInternal(View.java:7236)
        at android.view.View.access$3600(View.java:801)
        at android.view.View$PerformClick.run(View.java:27892)
        at android.os.Handler.handleCallback(Handler.java:883)
        at android.os.Handler.dispatchMessage(Handler.java:100)
        at android.os.Looper.loop(Looper.java:214)
        at android.app.ActivityThread.main(ActivityThread.java:7699)
        at java.lang.reflect.Method.invoke(Native Method)
        at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:492)
        at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:930)
 
 
2023-θ4-19 22:25:36:268】 目标app正在加载so文件:/data/user/0/com.rytong.ceair/app_SGLib/app_1681789435/main/libsgavmpso-5.4.1002.so
--------------2023-θ4-19 22:25:36:270-------------
com.taobao.wireless.security.adapter.JNICLibrary.doCommandNative is called
参数长度:2
参数0:【类型:number】
10102
参数1:【类型:object
avmp,5.4.1002,/data/user/0/com.rytong.ceair/app_SGLib/app_1681789435/main/libsgavmpso-5.4.1002.so
返回结果:【类型:object】 【类名:class java.lang.Integer】
0
调用栈:
java.lang.Throwable
        at com.taobao.wireless.security.adapter.JNICLibrary.doCommandNative(Native Method)
        at com.alibaba.wireless.security.mainplugin.a.doCommand(Unknown Source:0)
        at com.alibaba.wireless.security.framework.d.a(Unknown Source:1207)
        at com.alibaba.wireless.security.framework.d.d(Unknown Source:67)
        at com.alibaba.wireless.security.framework.d.getPluginInfo(Unknown Source:3)
        at com.alibaba.wireless.security.framework.d.getInterface(Unknown Source:64)
        at com.alibaba.wireless.security.open.SecurityGuardManager.getInterface(Unknown Source:2)
        at aej.a(AliPreWorm.java:54)
        at com.rytong.ceair.CeairApp.agreeConcealPrivacyToInit(CeairApp.java:86)
        at com.rytong.ceair.main.SplashActivity$l.onClick(SplashActivity.kt:477)
        at zm.onClick(ClickProxy.java:55)
        at android.view.View.performClick(View.java:7259)
        at android.view.View.performClickInternal(View.java:7236)
        at android.view.View.access$3600(View.java:801)
        at android.view.View$PerformClick.run(View.java:27892)
        at android.os.Handler.handleCallback(Handler.java:883)
        at android.os.Handler.dispatchMessage(Handler.java:100)
        at android.os.Looper.loop(Looper.java:214)
        at android.app.ActivityThread.main(ActivityThread.java:7699)
        at java.lang.reflect.Method.invoke(Native Method)
        at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:492)
        at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:930)
 
 
--------------2023-θ4-19 22:25:36:281-------------
com.taobao.wireless.security.adapter.JNICLibrary.doCommandNative is called
参数长度:2
参数0:【类型:number】
60901
参数1:【类型:object
0335_mwua,sgcipher
返回结果:【类型:object】 【类名:class java.lang.Long
475517112478
调用栈:
java.lang.Throwable
        at com.taobao.wireless.security.adapter.JNICLibrary.doCommandNative(Native Method)
        at com.alibaba.wireless.security.mainplugin.a.doCommand(Unknown Source:0)
        at com.alibaba.wireless.security.avmpplugin.b.b.a(Unknown Source:18)
        at com.alibaba.wireless.security.avmpplugin.b.a.createAVMPInstance(Unknown Source:7)
        at com.alibaba.wireless.security.avmpplugin.a.a.initialize(Unknown Source:14)
        at aej.a(AliPreWorm.java:55)
        at com.rytong.ceair.CeairApp.agreeConcealPrivacyToInit(CeairApp.java:86)
        at com.rytong.ceair.main.SplashActivity$l.onClick(SplashActivity.kt:477)
        at zm.onClick(ClickProxy.java:55)
        at android.view.View.performClick(View.java:7259)
        at android.view.View.performClickInternal(View.java:7236)
        at android.view.View.access$3600(View.java:801)
        at android.view.View$PerformClick.run(View.java:27892)
        at android.os.Handler.handleCallback(Handler.java:883)
        at android.os.Handler.dispatchMessage(Handler.java:100)
        at android.os.Looper.loop(Looper.java:214)
        at android.app.ActivityThread.main(ActivityThread.java:7699)
        at java.lang.reflect.Method.invoke(Native Method)
        at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:492)
        at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:930)
 
 
2023-θ4-19 22:25:36:449】 目标app正在加载so文件:/data/app/com.rytong.ceair-2joxiTDNb8xd68-9jbFtkA==/lib/arm64/libdeviceid_1.0.so
2023-θ4-19 22:25:37:564】 目标app正在加载so文件:/data/app/com.rytong.ceair-2joxiTDNb8xd68-9jbFtkA==/lib/arm64/libencrypt.so
2023-θ4-19 22:25:37:619】 目标app正在加载so文件:/data/app/com.rytong.ceair-2joxiTDNb8xd68-9jbFtkA==/lib/arm64/libentryexpro.so
2023-θ4-19 22:25:40:819】 目标app正在加载so文件:/data/dalvik-cache/arm64/product@app@webview@webview.apk@classes.dex
2023-θ4-19 22:25:40:839】 目标app正在加载so文件:libwebviewchromium.so
2023-θ4-19 22:25:40:927】 目标app正在加载so文件:/product/app/webview/webview.apk!/lib/arm64-v8a/libwebviewchromium.so
2023-θ4-19 22:25:40:934】 目标app正在加载so文件:/system/lib64/libwebviewchromium_plat_support.so
2023-θ4-19 22:25:42:838】 目标app正在加载so文件:/data/app/com.rytong.ceair-2joxiTDNb8xd68-9jbFtkA==/lib/arm64/libwbsk_crypto_tool.so
--------------2023-θ4-19 22:25:42:894-------------
com.taobao.wireless.security.adapter.JNICLibrary.doCommandNative is called
参数长度:2
参数0:【类型:number】
60902
参数1:【类型:object
475517112478,sign,class [B,[Ljava.lang.Object;@8058bb
返回结果:【类型:object】 【类名:class [B】
"QllUUl9yUncwbkFVNFNpWTg5WnlnVldBcnZ2bmZuYXhVZnY4WHE4WDREcGhvNmNYSkdzM2dMMjZ5YUV6dndoRUorSjF5V1ZRVHNxZnBndk1PdVdQc1ZMdktGcHloZ256WXorNHAyWWJJWlhCbW5zNVdyMzg3cFM2VTJiakFPZTExZ1NzakNSRWplcEJ0NmVYU2w0eHNtWll2UFV0MmYxVTM5TEFyN01ZbzVoZDMzS0gzKzQ1aXd4aDY0TGdVaVVicUlBR3VNQnBKalQxc2lhMENTcTJEbGxHQlBPaXRTRjExTmNoRnpjcHlyOFE3Q2NZPSZBV0VSX2EwMDEzOTIzNzc5M2I1YWE5YjJiYWVkZWI4NWYwOWM1ZDAwYWYxZDU3ZTE4NQ=="
调用栈:
java.lang.Throwable
        at com.taobao.wireless.security.adapter.JNICLibrary.doCommandNative(Native Method)
        at com.alibaba.wireless.security.mainplugin.a.doCommand(Unknown Source:0)
        at com.alibaba.wireless.security.avmpplugin.b.b.invokeAVMP(Unknown Source:30)
        at com.alibaba.wireless.security.avmpplugin.a.a.avmpSign(Unknown Source:63)
        at aej.a(AliPreWorm.java:86)
        at acc.intercept(EncodeRequestInterceptor.kt:92)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
        at aco.intercept(TransactionIdInterceptor.kt:59)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
        at ack.intercept(IntervalRequestInterceptor.java:34)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
        at acd.intercept(HeaderInterceptor.kt:77)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
        at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:229)
        at okhttp3.RealCall.execute(RealCall.java:81)
        at retrofit2.OkHttpCall.execute(OkHttpCall.java:190)
        at gya.a(CallObservable.java:41)
        at hxb.f(Observable.java:12284)
        at gxz.a(BodyObservable.java:34)
        at hxb.f(Observable.java:12284)
        at iqa$b.run(ObservableSubscribeOn.java:96)
        at hxj$a.run(Scheduler.java:578)
        at io.reactivex.internal.schedulers.ScheduledRunnable.run(ScheduledRunnable.java:66)
        at io.reactivex.internal.schedulers.ScheduledRunnable.call(ScheduledRunnable.java:57)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:301)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)
        at java.lang.Thread.run(Thread.java:919)
AOSP on blueline::com.rytong.ceair ]-> libDexHelper.so detect:  0x9ec5c
libDexHelper.so detect:  0xaa97c
libDexHelper.so detect:  0x9d73c
libDexHelper.so detect:  0xe3fd0
0x6fbe7e40ac
2023-θ4-19 22:25:00:983】 目标app正在加载so文件:/data/app/com.rytong.ceair-2joxiTDNb8xd68-9jbFtkA==/lib/arm64/libdexjni.so
2023-θ4-19 22:25:02:925】 目标app正在加载so文件:/vendor/lib64/hw/gralloc.sdm845.so
2023-θ4-19 22:25:02:938】 目标app正在加载so文件:/vendor/lib64/hw/android.hardware.graphics.mapper@2.0-impl-qti-display.so
2023-θ4-19 22:25:35:687】 目标app正在加载so文件:/data/app/com.rytong.ceair-2joxiTDNb8xd68-9jbFtkA==/lib/arm64/libsgmainso-5.4.193.so
2023-θ4-19 22:25:35:687】 目标so已经加载,正在寻找目标类....
my_log->com.taobao.wireless.security.adapter.JNICLibrary,doCommandNative,,,,true,true
doCommandNative   hooking....
2023-θ4-19 22:25:35:699】 已找到目标类:com.taobao.wireless.security.adapter.JNICLibrary,正在切换classLoader....
--------------2023-θ4-19 22:25:35:715-------------
com.taobao.wireless.security.adapter.JNICLibrary.doCommandNative is called
参数长度:2
参数0:【类型:number】
10101
参数1:【类型:object
com.rytong.ceair.CeairApp@407804a,3,,/data/user/0/com.rytong.ceair/app_SGLib,
返回结果:【类型:object】 【类名:class java.lang.Integer】
0
调用栈:
java.lang.Throwable
        at com.taobao.wireless.security.adapter.JNICLibrary.doCommandNative(Native Method)
        at com.alibaba.wireless.security.mainplugin.a.doCommand(Unknown Source:0)
        at com.alibaba.wireless.security.mainplugin.SecurityGuardMainPlugin.onPluginLoaded(Unknown Source:147)
        at com.alibaba.wireless.security.framework.d.a(Unknown Source:1134)
        at com.alibaba.wireless.security.framework.d.d(Unknown Source:67)
        at com.alibaba.wireless.security.framework.d.getPluginInfo(Unknown Source:3)
        at com.alibaba.wireless.security.open.initialize.b.a(Unknown Source:38)
        at com.alibaba.wireless.security.open.initialize.a.loadLibrarySync(Unknown Source:5)
        at com.alibaba.wireless.security.open.initialize.a.initialize(Unknown Source:0)
        at com.alibaba.wireless.security.open.SecurityGuardManager.getInstance(Unknown Source:20)
        at com.alibaba.wireless.security.open.SecurityGuardManager.getInstance(Unknown Source:1)
        at aej.a(AliPreWorm.java:54)
        at com.rytong.ceair.CeairApp.agreeConcealPrivacyToInit(CeairApp.java:86)
        at com.rytong.ceair.main.SplashActivity$l.onClick(SplashActivity.kt:477)
        at zm.onClick(ClickProxy.java:55)
        at android.view.View.performClick(View.java:7259)
        at android.view.View.performClickInternal(View.java:7236)
        at android.view.View.access$3600(View.java:801)
        at android.view.View$PerformClick.run(View.java:27892)
        at android.os.Handler.handleCallback(Handler.java:883)
        at android.os.Handler.dispatchMessage(Handler.java:100)
        at android.os.Looper.loop(Looper.java:214)
        at android.app.ActivityThread.main(ActivityThread.java:7699)
        at java.lang.reflect.Method.invoke(Native Method)
        at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:492)
        at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:930)
 
 
--------------2023-θ4-19 22:25:36:173-------------
com.taobao.wireless.security.adapter.JNICLibrary.doCommandNative is called
参数长度:2
参数0:【类型:number】
10102
参数1:【类型:object
main,5.4.193,/data/app/com.rytong.ceair-2joxiTDNb8xd68-9jbFtkA==/lib/arm64/libsgmainso-5.4.193.so
返回结果:【类型:object】 【类名:class java.lang.Integer】
0
调用栈:
java.lang.Throwable
        at com.taobao.wireless.security.adapter.JNICLibrary.doCommandNative(Native Method)
        at com.alibaba.wireless.security.mainplugin.a.doCommand(Unknown Source:0)
        at com.alibaba.wireless.security.framework.d.a(Unknown Source:1207)
        at com.alibaba.wireless.security.framework.d.d(Unknown Source:67)
        at com.alibaba.wireless.security.framework.d.getPluginInfo(Unknown Source:3)
        at com.alibaba.wireless.security.open.initialize.b.a(Unknown Source:38)
        at com.alibaba.wireless.security.open.initialize.a.loadLibrarySync(Unknown Source:5)
        at com.alibaba.wireless.security.open.initialize.a.initialize(Unknown Source:0)
        at com.alibaba.wireless.security.open.SecurityGuardManager.getInstance(Unknown Source:20)
        at com.alibaba.wireless.security.open.SecurityGuardManager.getInstance(Unknown Source:1)
        at aej.a(AliPreWorm.java:54)
        at com.rytong.ceair.CeairApp.agreeConcealPrivacyToInit(CeairApp.java:86)
        at com.rytong.ceair.main.SplashActivity$l.onClick(SplashActivity.kt:477)
        at zm.onClick(ClickProxy.java:55)
        at android.view.View.performClick(View.java:7259)
        at android.view.View.performClickInternal(View.java:7236)
        at android.view.View.access$3600(View.java:801)
        at android.view.View$PerformClick.run(View.java:27892)
        at android.os.Handler.handleCallback(Handler.java:883)
        at android.os.Handler.dispatchMessage(Handler.java:100)
        at android.os.Looper.loop(Looper.java:214)
        at android.app.ActivityThread.main(ActivityThread.java:7699)
        at java.lang.reflect.Method.invoke(Native Method)
        at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:492)
        at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:930)
 
 
2023-θ4-19 22:25:36:236】 目标app正在加载so文件:/data/app/com.rytong.ceair-2joxiTDNb8xd68-9jbFtkA==/lib/arm64/libsgsecuritybodyso-5.4.112.so
--------------2023-θ4-19 22:25:36:240-------------
com.taobao.wireless.security.adapter.JNICLibrary.doCommandNative is called
参数长度:2
参数0:【类型:number】
10102
参数1:【类型:object
securitybody,5.4.112,/data/app/com.rytong.ceair-2joxiTDNb8xd68-9jbFtkA==/lib/arm64/libsgsecuritybodyso-5.4.112.so
返回结果:【类型:object】 【类名:class java.lang.Integer】
0
调用栈:
java.lang.Throwable
        at com.taobao.wireless.security.adapter.JNICLibrary.doCommandNative(Native Method)
        at com.alibaba.wireless.security.mainplugin.a.doCommand(Unknown Source:0)
        at com.alibaba.wireless.security.framework.d.a(Unknown Source:1207)
        at com.alibaba.wireless.security.framework.d.d(Unknown Source:67)
        at com.alibaba.wireless.security.framework.d.a(Unknown Source:301)
        at com.alibaba.wireless.security.framework.d.a(Unknown Source:340)
        at com.alibaba.wireless.security.framework.d.d(Unknown Source:67)
        at com.alibaba.wireless.security.framework.d.getPluginInfo(Unknown Source:3)
        at com.alibaba.wireless.security.framework.d.getInterface(Unknown Source:64)
        at com.alibaba.wireless.security.open.SecurityGuardManager.getInterface(Unknown Source:2)
        at aej.a(AliPreWorm.java:54)
        at com.rytong.ceair.CeairApp.agreeConcealPrivacyToInit(CeairApp.java:86)
        at com.rytong.ceair.main.SplashActivity$l.onClick(SplashActivity.kt:477)
        at zm.onClick(ClickProxy.java:55)
        at android.view.View.performClick(View.java:7259)
        at android.view.View.performClickInternal(View.java:7236)
        at android.view.View.access$3600(View.java:801)
        at android.view.View$PerformClick.run(View.java:27892)
        at android.os.Handler.handleCallback(Handler.java:883)
        at android.os.Handler.dispatchMessage(Handler.java:100)
        at android.os.Looper.loop(Looper.java:214)
        at android.app.ActivityThread.main(ActivityThread.java:7699)
        at java.lang.reflect.Method.invoke(Native Method)
        at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:492)
        at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:930)
 
 
2023-θ4-19 22:25:36:268】 目标app正在加载so文件:/data/user/0/com.rytong.ceair/app_SGLib/app_1681789435/main/libsgavmpso-5.4.1002.so
--------------2023-θ4-19 22:25:36:270-------------
com.taobao.wireless.security.adapter.JNICLibrary.doCommandNative is called
参数长度:2
参数0:【类型:number】
10102
参数1:【类型:object
avmp,5.4.1002,/data/user/0/com.rytong.ceair/app_SGLib/app_1681789435/main/libsgavmpso-5.4.1002.so
返回结果:【类型:object】 【类名:class java.lang.Integer】
0
调用栈:
java.lang.Throwable
        at com.taobao.wireless.security.adapter.JNICLibrary.doCommandNative(Native Method)
        at com.alibaba.wireless.security.mainplugin.a.doCommand(Unknown Source:0)
        at com.alibaba.wireless.security.framework.d.a(Unknown Source:1207)
        at com.alibaba.wireless.security.framework.d.d(Unknown Source:67)
        at com.alibaba.wireless.security.framework.d.getPluginInfo(Unknown Source:3)
        at com.alibaba.wireless.security.framework.d.getInterface(Unknown Source:64)
        at com.alibaba.wireless.security.open.SecurityGuardManager.getInterface(Unknown Source:2)
        at aej.a(AliPreWorm.java:54)
        at com.rytong.ceair.CeairApp.agreeConcealPrivacyToInit(CeairApp.java:86)
        at com.rytong.ceair.main.SplashActivity$l.onClick(SplashActivity.kt:477)
        at zm.onClick(ClickProxy.java:55)
        at android.view.View.performClick(View.java:7259)
        at android.view.View.performClickInternal(View.java:7236)
        at android.view.View.access$3600(View.java:801)
        at android.view.View$PerformClick.run(View.java:27892)
        at android.os.Handler.handleCallback(Handler.java:883)
        at android.os.Handler.dispatchMessage(Handler.java:100)
        at android.os.Looper.loop(Looper.java:214)
        at android.app.ActivityThread.main(ActivityThread.java:7699)
        at java.lang.reflect.Method.invoke(Native Method)
        at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:492)
        at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:930)
 
 
--------------2023-θ4-19 22:25:36:281-------------
com.taobao.wireless.security.adapter.JNICLibrary.doCommandNative is called
参数长度:2
参数0:【类型:number】
60901
参数1:【类型:object
0335_mwua,sgcipher
返回结果:【类型:object】 【类名:class java.lang.Long
475517112478
调用栈:
java.lang.Throwable
        at com.taobao.wireless.security.adapter.JNICLibrary.doCommandNative(Native Method)
        at com.alibaba.wireless.security.mainplugin.a.doCommand(Unknown Source:0)
        at com.alibaba.wireless.security.avmpplugin.b.b.a(Unknown Source:18)
        at com.alibaba.wireless.security.avmpplugin.b.a.createAVMPInstance(Unknown Source:7)
        at com.alibaba.wireless.security.avmpplugin.a.a.initialize(Unknown Source:14)
        at aej.a(AliPreWorm.java:55)
        at com.rytong.ceair.CeairApp.agreeConcealPrivacyToInit(CeairApp.java:86)
        at com.rytong.ceair.main.SplashActivity$l.onClick(SplashActivity.kt:477)
        at zm.onClick(ClickProxy.java:55)
        at android.view.View.performClick(View.java:7259)
        at android.view.View.performClickInternal(View.java:7236)
        at android.view.View.access$3600(View.java:801)
        at android.view.View$PerformClick.run(View.java:27892)
        at android.os.Handler.handleCallback(Handler.java:883)
        at android.os.Handler.dispatchMessage(Handler.java:100)
        at android.os.Looper.loop(Looper.java:214)
        at android.app.ActivityThread.main(ActivityThread.java:7699)
        at java.lang.reflect.Method.invoke(Native Method)
        at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:492)
        at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:930)
 
 
2023-θ4-19 22:25:36:449】 目标app正在加载so文件:/data/app/com.rytong.ceair-2joxiTDNb8xd68-9jbFtkA==/lib/arm64/libdeviceid_1.0.so
2023-θ4-19 22:25:37:564】 目标app正在加载so文件:/data/app/com.rytong.ceair-2joxiTDNb8xd68-9jbFtkA==/lib/arm64/libencrypt.so
2023-θ4-19 22:25:37:619】 目标app正在加载so文件:/data/app/com.rytong.ceair-2joxiTDNb8xd68-9jbFtkA==/lib/arm64/libentryexpro.so
2023-θ4-19 22:25:40:819】 目标app正在加载so文件:/data/dalvik-cache/arm64/product@app@webview@webview.apk@classes.dex
2023-θ4-19 22:25:40:839】 目标app正在加载so文件:libwebviewchromium.so
2023-θ4-19 22:25:40:927】 目标app正在加载so文件:/product/app/webview/webview.apk!/lib/arm64-v8a/libwebviewchromium.so
2023-θ4-19 22:25:40:934】 目标app正在加载so文件:/system/lib64/libwebviewchromium_plat_support.so
2023-θ4-19 22:25:42:838】 目标app正在加载so文件:/data/app/com.rytong.ceair-2joxiTDNb8xd68-9jbFtkA==/lib/arm64/libwbsk_crypto_tool.so
--------------2023-θ4-19 22:25:42:894-------------
com.taobao.wireless.security.adapter.JNICLibrary.doCommandNative is called
参数长度:2
参数0:【类型:number】
60902
参数1:【类型:object
475517112478,sign,class [B,[Ljava.lang.Object;@8058bb
返回结果:【类型:object】 【类名:class [B】
"QllUUl9yUncwbkFVNFNpWTg5WnlnVldBcnZ2bmZuYXhVZnY4WHE4WDREcGhvNmNYSkdzM2dMMjZ5YUV6dndoRUorSjF5V1ZRVHNxZnBndk1PdVdQc1ZMdktGcHloZ256WXorNHAyWWJJWlhCbW5zNVdyMzg3cFM2VTJiakFPZTExZ1NzakNSRWplcEJ0NmVYU2w0eHNtWll2UFV0MmYxVTM5TEFyN01ZbzVoZDMzS0gzKzQ1aXd4aDY0TGdVaVVicUlBR3VNQnBKalQxc2lhMENTcTJEbGxHQlBPaXRTRjExTmNoRnpjcHlyOFE3Q2NZPSZBV0VSX2EwMDEzOTIzNzc5M2I1YWE5YjJiYWVkZWI4NWYwOWM1ZDAwYWYxZDU3ZTE4NQ=="
调用栈:
java.lang.Throwable
        at com.taobao.wireless.security.adapter.JNICLibrary.doCommandNative(Native Method)
        at com.alibaba.wireless.security.mainplugin.a.doCommand(Unknown Source:0)
        at com.alibaba.wireless.security.avmpplugin.b.b.invokeAVMP(Unknown Source:30)
        at com.alibaba.wireless.security.avmpplugin.a.a.avmpSign(Unknown Source:63)
        at aej.a(AliPreWorm.java:86)
        at acc.intercept(EncodeRequestInterceptor.kt:92)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
        at aco.intercept(TransactionIdInterceptor.kt:59)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
        at ack.intercept(IntervalRequestInterceptor.java:34)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
        at acd.intercept(HeaderInterceptor.kt:77)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
        at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:229)
        at okhttp3.RealCall.execute(RealCall.java:81)
        at retrofit2.OkHttpCall.execute(OkHttpCall.java:190)
        at gya.a(CallObservable.java:41)
        at hxb.f(Observable.java:12284)
        at gxz.a(BodyObservable.java:34)
        at hxb.f(Observable.java:12284)
        at iqa$b.run(ObservableSubscribeOn.java:96)
        at hxj$a.run(Scheduler.java:578)
        at io.reactivex.internal.schedulers.ScheduledRunnable.run(ScheduledRunnable.java:66)
        at io.reactivex.internal.schedulers.ScheduledRunnable.call(ScheduledRunnable.java:57)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:301)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)
        at java.lang.Thread.run(Thread.java:919)
package com.taobao.wireless.security.adapter.JNICLibrary;
 
import com.alibaba.fastjson.util.IOUtils;
import com.github.unidbg.AndroidEmulator;
import com.github.unidbg.Module;
import com.github.unidbg.Emulator;
import com.github.unidbg.file.FileResult;
import com.github.unidbg.file.IOResolver;
import com.github.unidbg.file.linux.AndroidFileIO;
import com.github.unidbg.linux.android.AndroidARMEmulator;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.linux.android.dvm.*;
import com.github.unidbg.linux.android.dvm.array.ArrayObject;
import com.github.unidbg.linux.android.dvm.array.ByteArray;
import com.github.unidbg.linux.android.dvm.wrapper.DvmInteger;
import com.github.unidbg.linux.android.dvm.wrapper.DvmLong;
import com.github.unidbg.memory.Memory;
 
import java.io.File;
import java.util.HashMap;
import java.util.Set;
 
public class MyAli extends AbstractJni implements IOResolver<AndroidFileIO> {
    private final AndroidEmulator emulator;
    private final VM vm;
    Module module;
    DalvikModule dm;
    static public long slot;
    private final DvmClass MYJNICLibrary;
    private final boolean logging;
 
    @Override
    public FileResult<AndroidFileIO> resolve(Emulator<AndroidFileIO> emulator, String pathname, int oflags){
        System.out.println("[files open]->"+pathname);
 
        switch (pathname){
            case "/data/app/com.rytong.ceair.apk":
                return FileResult.success(emulator.getFileSystem().createSimpleFileIO(
                        new File("unidbg-android/src/test/java/com/taobao/wireless/security/adapter/JNICLibrary/rootfs", pathname), oflags, pathname));
        }
        return null;
    }
    public MyAli(boolean logging) {
        this.logging = logging;
        emulator=new AndroidARMEmulator("com.rytong.ceair");
 
        final Memory memory = emulator.getMemory(); // 模拟器的内存操作接口
        emulator.getSyscallHandler().addIOResolver(this);
        memory.setLibraryResolver(new AndroidResolver(23)); // 设置系统类库解析
 
        vm = emulator.createDalvikVM(new File("unidbg-android/src/test/java/com/taobao/wireless/security/adapter/JNICLibrary/donghang9.3.0.apk"));
        vm.setVerbose(logging); // 设置是否打印Jni调用细节
        vm.setJni(this);
        MYJNICLibrary = vm.resolveClass("com/taobao/wireless/security/adapter/JNICLibrary");
    }
 
    void destroy() {
        IOUtils.close(emulator);
        if (logging) {
            System.out.println("destroy");
        }
    }
 
    public static void main(String[] args) throws Exception {
 
        MyAli test = new MyAli(true);
        test.Call_doCommandNative();
 
        test.destroy();
    }
 
    void Call_doCommandNative(){
 
        dm = vm.loadLibrary(new File("unidbg-android/src/test/java/com/taobao/wireless/security/adapter/JNICLibrary/libsgmainso-5.4.193.so"), true); // 加载libttEncrypt.so到unicorn虚拟内存,加载成功以后会默认调用init_array等函数
        dm.callJNI_OnLoad(emulator); // 手动执行JNI_OnLoad函数
        module = dm.getModule();
 
        System.out.println("TAG Vison ------------------- [1] -------------------");
        //1-10101 So初始化
        ArrayObject initSo_arg=new ArrayObject(
                vm.resolveClass("android/content/Context").newObject(null),
                DvmInteger.valueOf(vm,3),
                new StringObject(vm,""),
                new StringObject(vm,"/data/user/0/com.rytong.ceair/app_SGLib"),
                new StringObject(vm,"")
        );
        DvmObject<?> dvmObject_initSo = MYJNICLibrary.callStaticJniMethodObject(emulator, "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;", 10101,initSo_arg);
        System.out.println("TAG Vison ----- 10101 initSo ----- [res]:"+dvmObject_initSo.getValue());
 
        System.out.println("TAG Vison ------------------- [2] -------------------");
        //2-10102 libsgmainso插件初始化
        ArrayObject initSosgmain_arg=new ArrayObject(
                new StringObject(vm,"main"),
                new StringObject(vm,"5.4.193"),
                new StringObject(vm,"/data/app/com.rytong.ceair-yoTJTWpoydDKBU49a55E_A==/lib/arm/libsgmainso-5.4.193.so")
        );
        DvmObject<?> dvmObject_initSosgmain = MYJNICLibrary.callStaticJniMethodObject(emulator, "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;", 10102,initSosgmain_arg);
        System.out.println("TAG Vison ----- 10102 initSosgmain ----- [res]:"+dvmObject_initSosgmain.getValue());
        System.out.println("TAG Vison ------------------- [2-3 load-so] -------------------");
        DalvikModule dm1 = vm.loadLibrary(new File("unidbg-android/src/test/java/com/taobao/wireless/security/adapter/JNICLibrary/libsgsecuritybodyso-5.4.112.so"), true); // 加载libttEncrypt.so到unicorn虚拟内存,加载成功以后会默认调用init_array等函数
        dm1.callJNI_OnLoad(emulator);
 
        System.out.println("TAG Vison ------------------- [3] -------------------");
        //3-10102 libsgsecuritybodyso插件初始化
        ArrayObject initSosgsecuritybody_arg=new ArrayObject(
                new StringObject(vm,"securitybody"),
                new StringObject(vm,"5.4.112"),
                new StringObject(vm,"/data/app/com.rytong.ceair-yoTJTWpoydDKBU49a55E_A==/lib/arm/libsgsecuritybodyso-5.4.112.so")
        );
        DvmObject<?> dvmObject_initSosgsecuritybody = MYJNICLibrary.callStaticJniMethodObject(emulator, "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;", 10102,initSosgsecuritybody_arg);
        System.out.println("TAG Vison ----- 10102 initSosgsecuritybody ----- [res]:"+dvmObject_initSosgsecuritybody.getValue());
        System.out.println("TAG Vison ------------------- [3-4 load-so] -------------------");
        DalvikModule dm2 = vm.loadLibrary(new File("unidbg-android/src/test/java/com/taobao/wireless/security/adapter/JNICLibrary/libsgavmpso-5.4.1002.so"), true); // 加载libttEncrypt.so到unicorn虚拟内存,加载成功以后会默认调用init_array等函数
        dm2.callJNI_OnLoad(emulator);
 
        System.out.println("TAG Vison ------------------- [4] -------------------");
        //4-10102 libsgavmpso插件初始化
        ArrayObject initSosgavmp_arg=new ArrayObject(
                new StringObject(vm,"avmp"),
                new StringObject(vm,"5.4.1002"),
                new StringObject(vm,"/data/user/0/com.rytong.ceair/app_SGLib/app_1682143210/main/libsgavmpso-5.4.1002.so")
        );
        DvmObject<?> dvmObject_initSosgavmp = MYJNICLibrary.callStaticJniMethodObject(emulator, "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;", 10102,initSosgavmp_arg);
        System.out.println("TAG Vison ----- 10102 initSosgavmp ----- [res]:"+dvmObject_initSosgavmp.getValue());
 
        System.out.println("TAG Vison ------------------- [5] -------------------");
        //5-60901 AVMP初始化
        ArrayObject initVmp_arg=new ArrayObject(
                new StringObject(vm,"0335_mwua"),
                new StringObject(vm,"sgcipher")
        );
        DvmObject<?> dvmObject_initVmp = MYJNICLibrary.callStaticJniMethodObject(emulator, "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;", 60901,initVmp_arg);
        long createAVMPInstance = Long.valueOf(dvmObject_initVmp.getValue().toString());
        createAVMPInstance=createAVMPInstance& 0xffffffffL;
        System.out.println("TAG Vison ----- 60901 initVmp ----- [res]:"+createAVMPInstance);
 
 
        //long createAVMPInstance=2242459650L;
        System.out.println("TAG Vison ------------------- [6] -------------------");
        //6-60902 wToken加密调用
 
        String strbody = "{\"req\":\"S6TVWfiiBE2ZEXY9ldOr4oz9JB6+/EaSHqY1/vILbUs/6L2Eqv3e8m2QToNujniIPYeDZRK4Gr6fVX+hRS4f9aWHsJaevbhzM+qiHoS2nsFagR+T3pTsKJmkNRObOuYk0POOaSRogMRZ+1tkiG7RuzxfZ8fVZ47CKz6dGB1jsC2z4KGQDRp8iGkKlhzP65+DqgbazzCBhv3nFhKXFL/GtBnmJnoVktVmCGVp/tCMLmybMF+EniB7nejy3nlCoJ512ZOeuYNCWnYgz2KjnYr913ksgfGfewxGXJtLr8A3KjbGHAEAs/IOohWkoR8k+2X1+q4myAypJ+jh5cRj8ghYuz149+lGJan68aaZgeMOBYL1jdtAL71E8zPHCJ66Ap33flyIfK/D2SxzIaGvVjWttsMvCBTsd5xkqUiGgDOXCHb0MPez3c+fzBtg+LTsFbdNWBWdEKV+uVw/xJByHUncxmT/cT7cgQHt55qNvdULzpCYOFxh5tqQgFAs3lM27Y1Z6WYm5noXLO24gUoehhxCC2Rw/duiowt+yw2iHhi3UpLbjvGSudkDUyDIYb7ij7xpkIt6HD2O5avNJIBh2aYuRmcpcHPUQItbf/PoQwlB8BEy+tce6Pp7ZeOFUudo3yBOuWo2yP5KyKjL8nkstRDwKwjcplZPZfKwJQJvz+osen1oGdfyhseJEuBLGzHcc1g3pJbf9OqIoQ3iniQcne3IY7IB0Y5hWfMfgvCv5BbZjYD8Ofw5OkuvBOY7WKS0TuahsnucIVKtqhcy/C9NzAM9Zx1Ge2q+aK4zKjQJckgs6R4EXB4V+6ZlJx4rwFMXRs/WeJFE2TtIX83XND+KilCLvnI3BUfbDLAyvZk3e6EXaSDZtTxWGAr+sRrlk66dRZydCVe8Eu00bHTP7fV3MBcldb5RXoW3JAg0DyXJaPRUh7VL7w091OoUoW/9Kb0pbXjlent4Tvg/VKb5HBQ/BmV+HUcScDLm4ra7aPmYFR1v5SmXxRw1snKXgoM6Cu/pd1Z2epLsm2dqiaHO99B5bq853tKdtYDwXcXLh8Fr9MtyftqGy25cxVGK4sfzwvEAt9wzGX1xHKFROq4bJXEcFSDB2zifdx9QUjDIezIBiMNzg2nSYeAMsf/aymk8HnEAwPL7DjrvmzooFKI0IbVF+wT8mjsbAXmFyRLeuBQyKm9HSvNuoz7E9Z6xN8ZSnZyYpJ0KAovs59k9/HpHWMvXxK+7mjVDeUhk/LErE1d36LAxK0rAp10iwHqeXCPdwZr3+y/0/YKNgkXGV0IYrljD8X2ue13+cu3bMtDgaxACee0l57qzGr/bTcbW6RDzlwtZf/R8kNrvjTybLs+gwFl6wFHZbNxwJ3ED8k0Nxt/RO0ZBXdFtGJSQ+uppc5yh2OJJKXB3aYy7IsmCY8f02jI1qM/UfkGy3WGbToWtV0bEVV1SHIApX1+G10+9Lqc84JABPbwB26Zd+TljMcBCIzB2ltL/68kiId7EGlcUK3Y0C02XjVFGxqCz1+6Z/P+2IhpxzJCRfRWIXWImq76MfAIu3Xacmw9lLscd/pR9Saaj1/DMPSTU=\"}";
 
        ArrayObject aryobj1=new ArrayObject(
                DvmInteger.valueOf(vm,3),
                new ByteArray(vm,strbody.getBytes()),
                DvmInteger.valueOf(vm,strbody.length()),
                new StringObject(vm,""),
                new ByteArray(vm,new byte[4]),
                DvmInteger.valueOf(vm,0)
        );
        ArrayObject aryobj2=new ArrayObject(
                DvmLong.valueOf(vm,createAVMPInstance),
                new StringObject(vm,"sign"),
                vm.resolveClass("[B"),
                aryobj1
        );
        DvmObject<?> dvmObject_entry = MYJNICLibrary.callStaticJniMethodObject(emulator, "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;", 60902,aryobj2); // 执行Jni方法
        System.out.println("TAG Vison ----- 60902 wToken ----- [res]:"+dvmObject_entry);
    }
 
    @Override
    public DvmObject<?> callObjectMethod(BaseVM vm, DvmObject<?> dvmObject, String signature, VarArg varArg) {
        switch (signature){
            case "android/content/Context->getPackageCodePath()Ljava/lang/String;":{
                return new StringObject(vm, "/data/app/com.rytong.ceair.apk");
            }
            case "android/content/Context->getFilesDir()Ljava/io/File;":{
                return vm.resolveClass("java/io/File").newObject(new File("/data/data/com.rytong.ceair/files"));
            }
            // 固定写法
            case "java/io/File->getAbsolutePath()Ljava/lang/String;": {
                return new StringObject(vm, ((File) dvmObject.getValue()).getAbsolutePath());
            }
            case "[B->getClass()Ljava/lang/Class;":{
                return vm.resolveClass("[B");
            }
            case "android/app/ActivityThread->getSystemContext()Landroid/app/ContextImpl;":{
                return vm.resolveClass("android/app/ContextImpl").newObject(null);
            }
            case "android/app/ContextImpl->getPackageManager()Landroid/content/pm/PackageManager;":{
 
                return vm.resolveClass("android/content/pm/PackageManager").newObject(null);
 
            }
            case "android/app/ContextImpl->getSystemService(Ljava/lang/String;)Ljava/lang/Object;":{
                String str1= (String) varArg.getObject(0).getValue();
                System.out.println("[getSystemService str1]->"+str1);
                return vm.resolveClass("android/net/wifi/WifiManager").newObject(null);
            }
            case "android/net/wifi/WifiManager->getConnectionInfo()Landroid/net/wifi/WifiInfo;":{
 
                return vm.resolveClass("android/net/wifi/WifiInfo").newObject(null);
            }
            case "android/net/wifi/WifiInfo->getMacAddress()Ljava/lang/String;":{
 
                return new StringObject(vm,"02:00:00:00:00:00");
            }
            case "java/util/HashMap->keySet()Ljava/util/Set;":{
                HashMap<?,?> map = (HashMap<?, ?>) dvmObject.getValue();
                return vm.resolveClass("java/util/Set").newObject(map.keySet());
            }
            case "java/util/Set->toArray()[Ljava/lang/Object;":{
                Set<?> set= (Set<?>) dvmObject.getValue();
                Object[] array=set.toArray();
                DvmObject<?>[] objects=new DvmObject[array.length];
                for(int i=0;i<array.length;i++){
                    if(array[i] instanceof String){
                        objects[i]=new StringObject(vm, (String) array[i]);
                    }else{
                        //throw new IllegalAccessException("array="+array[i]);
                    }
                }
                return new ArrayObject(objects);
            }
            case "java/util/HashMap->get(Ljava/lang/Object;)Ljava/lang/Object;":{
                HashMap<?,?> map = (HashMap<?, ?>) dvmObject.getValue();
                Object key = varArg.getObject(0).getValue();
                Object obj = map.get(key);
                if(obj instanceof String){
                    return new StringObject(vm, (String) obj);
                }else{
                    //throw new IllegalAccessException("array="+obj);
                }
 
            }
        }
        return super.callObjectMethod(vm, dvmObject, signature, varArg);
    }
 
    @Override
    public DvmObject<?> getObjectField(BaseVM vm, DvmObject<?> dvmObject, String signature) {
        switch (signature){
            case "android/content/pm/ApplicationInfo->nativeLibraryDir:Ljava/lang/String;": {
                return new StringObject(vm, "/data/app/com.rytong.ceair-yoTJTWpoydDKBU49a55E_A==/lib/arm");
            }
        }
        return super.getObjectField(vm, dvmObject, signature);
    }
 
    @Override
    public void callStaticVoidMethod(BaseVM vm, DvmClass dvmClass, String signature, VarArg varArg) {
        switch (signature){
            case "com/alibaba/wireless/security/open/edgecomputing/ECMiscInfo->registerAppLifeCyCleCallBack()V": {
                return;
            }
        }
        super.callStaticVoidMethod(vm, dvmClass, signature, varArg);
    }
 
    @Override
    public int callStaticIntMethod(BaseVM vm, DvmClass dvmClass, String signature, VarArg varArg) {
        switch (signature){
            case "com/alibaba/wireless/security/framework/utils/UserTrackMethodJniBridge->utAvaiable()I": {
                return 1;
            }
        }
        return super.callStaticIntMethod(vm, dvmClass, signature, varArg);
    }
 
    @Override
    public DvmObject<?> newObject(BaseVM vm, DvmClass dvmClass, String signature, VarArg varArg) {
        switch (signature){
            // 固定写法
            case "java/lang/Integer-><init>(I)V": {
                int value = varArg.getInt(0);
                return vm.resolveClass("java/lang/Integer").newObject(value);
            }
            case "java/lang/Long-><init>(J)V": {
                int value = varArg.getInt(0);
                return vm.resolveClass("java/lang/Long").newObject(value);
            }
 
            case "com/alibaba/wireless/security/open/SecException-><init>(Ljava/lang/String;I)V": {
                int value = varArg.getInt(1);
                System.out.println("[TAG-SecException]->"+value);
                return vm.resolveClass("com/alibaba/wireless/security/open/SecException").newObject(value);
            }
        }
        return super.newObject(vm, dvmClass, signature, varArg);
    }
 
    @Override
    public long getStaticLongField(BaseVM vm, DvmClass dvmClass, String signature) {
        switch (signature) {
            case "com/alibaba/wireless/security/framework/SGPluginExtras->slot:J": {
                return slot;
            }
        }
        return super.getStaticLongField(vm, dvmClass, signature);
    }
 
    @Override
    public void setStaticLongField(BaseVM vm, DvmClass dvmClass, String signature, long value) {
        switch (signature) {
            case "com/alibaba/wireless/security/framework/SGPluginExtras->slot:J": {
                slot = value;
                return;
            }
        }
        super.setStaticLongField(vm, dvmClass, signature, value);
    }
 
    @Override
    public int getStaticIntField(BaseVM vm, DvmClass dvmClass, String signature) {
        switch (signature){
            case"android/os/Build$VERSION->SDK_INT:I":{
                return 23;
            }
        }
        return super.getStaticIntField(vm, dvmClass, signature);
    }
 
    @Override
    public DvmObject<?> callStaticObjectMethod(BaseVM vm, DvmClass dvmClass, String signature, VarArg varArg) {
        switch (signature){
            case"android/app/ActivityThread->currentPackageName()Ljava/lang/String;":{
                return new StringObject(vm,"com.rytong.ceair");
            }
            case "android/app/ActivityThread->currentActivityThread()Landroid/app/ActivityThread;":{
                return dvmClass.newObject(null);
            }
            case "android/os/SystemProperties->get(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;":{
                String str1= (String) varArg.getObject(0).getValue();
                String res="";
                System.out.println("[SystemProperties str1]->"+str1);
                System.out.println("[SystemProperties str2]->"+varArg.getObject(1).getValue());
                if(str1.indexOf("ro.serialno")!=-1){
                    res="94CX1Z56A";
                }
                return new StringObject(vm,res);
            }
        }
        return super.callStaticObjectMethod(vm, dvmClass, signature, varArg);
    }
 
 
    @Override
    public DvmObject<?> getStaticObjectField(BaseVM vm, DvmClass dvmClass, String signature) {
        switch (signature){
            case "android/os/Build->BRAND:Ljava/lang/String;":
                return new StringObject(vm,"Ljava/lang/String;");
            case "android/os/Build->MODEL:Ljava/lang/String;":
                return new StringObject(vm,"Ljava/lang/String;");
            case "android/os/Build$VERSION->RELEASE:Ljava/lang/String;":
                return new StringObject(vm,"Ljava/lang/String;");
            case "android/os/Build->DEVICE:Ljava/lang/String;":
                return new StringObject(vm,"Ljava/lang/String;");
        }
        return super.getStaticObjectField(vm,dvmClass,signature);
    }
 
}
package com.taobao.wireless.security.adapter.JNICLibrary;
 
import com.alibaba.fastjson.util.IOUtils;
import com.github.unidbg.AndroidEmulator;
import com.github.unidbg.Module;
import com.github.unidbg.Emulator;
import com.github.unidbg.file.FileResult;
import com.github.unidbg.file.IOResolver;
import com.github.unidbg.file.linux.AndroidFileIO;
import com.github.unidbg.linux.android.AndroidARMEmulator;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.linux.android.dvm.*;
import com.github.unidbg.linux.android.dvm.array.ArrayObject;
import com.github.unidbg.linux.android.dvm.array.ByteArray;
import com.github.unidbg.linux.android.dvm.wrapper.DvmInteger;
import com.github.unidbg.linux.android.dvm.wrapper.DvmLong;
import com.github.unidbg.memory.Memory;
 
import java.io.File;
import java.util.HashMap;
import java.util.Set;
 
public class MyAli extends AbstractJni implements IOResolver<AndroidFileIO> {
    private final AndroidEmulator emulator;
    private final VM vm;
    Module module;
    DalvikModule dm;
    static public long slot;
    private final DvmClass MYJNICLibrary;
    private final boolean logging;
 
    @Override
    public FileResult<AndroidFileIO> resolve(Emulator<AndroidFileIO> emulator, String pathname, int oflags){
        System.out.println("[files open]->"+pathname);
 
        switch (pathname){
            case "/data/app/com.rytong.ceair.apk":
                return FileResult.success(emulator.getFileSystem().createSimpleFileIO(
                        new File("unidbg-android/src/test/java/com/taobao/wireless/security/adapter/JNICLibrary/rootfs", pathname), oflags, pathname));
        }
        return null;
    }
    public MyAli(boolean logging) {
        this.logging = logging;
        emulator=new AndroidARMEmulator("com.rytong.ceair");
 
        final Memory memory = emulator.getMemory(); // 模拟器的内存操作接口
        emulator.getSyscallHandler().addIOResolver(this);
        memory.setLibraryResolver(new AndroidResolver(23)); // 设置系统类库解析
 

[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)

最后于 2023-4-26 12:35 被shmilyaxy编辑 ,原因: 添加附件及说明
收藏
免费 3
支持
分享
最新回复 (22)
雪    币: 518
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
2
我跑的其他调用,一开始也会有这个secException,我就把它当常规补环境,自己构造一个SecException返回,最后可以正常出结果。。
2023-4-26 14:29
1
雪    币: 17
活跃值: (1578)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
3
为什么不用096版本?还有你这个  log是怎么得到的???

AOSP on blueline::com.rytong.ceair ]-> libDexHelper.so detect:  0x9ec5c
libDexHelper.so detect:  0xaa97c
libDexHelper.so detect:  0x9d73c
libDexHelper.so detect:  0xe3fd0
2023-4-26 18:21
1
雪    币: 2159
活跃值: (3265)
能力值: ( LV4,RANK:50 )
在线值:
发帖
回帖
粉丝
4
zxvv 我跑的其他调用,一开始也会有这个secException,我就把它当常规补环境,自己构造一个SecException返回,最后可以正常出结果。。
我这里补了com/alibaba/wireless/security/open/SecException-><init>(Ljava/lang/String;I)V这个环境,一开始在10101调用都会报错SecException - 0xc7 ,一直找不到原因,后面降低了unidbg版本,发现存在环境修补,补充后在最后调用出现了SecException 报错,这个是我一直无法解决的。不知道你补的是这个环境吗?还是其他的调用?方便告之我试一试吗?
2023-4-26 21:09
1
雪    币: 2159
活跃值: (3265)
能力值: ( LV4,RANK:50 )
在线值:
发帖
回帖
粉丝
5
bluegatar 为什么不用096版本?还有你这个 log是怎么得到的??? AOSP on blueline::com.rytong.ceair ]-> libDexHelper.so detect: ...
我用过最新的unidbg,但是直接报SecException - 0xc7错误,后面更换低版本才发现原来是有环境需要补,新版本的不知道是不是默认给修补了。
后面的是hook代码,我的研究的这个app有frida检测,所以我在判断检测frida线程,并且将其杀死。
2023-4-26 21:11
1
雪    币: 116
活跃值: (1012)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
6
 mark
2023-4-26 23:53
1
雪    币: 518
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
7
shmilyaxy 我这里补了com/alibaba/wireless/security/open/SecException->(Ljava/lang/String;I)V这个环境,一开始在10101调用都会报错S ...

就是这个,我unidbg是0.9.7版本,10101没报错,看了你图里面补的,初始化传了个int,我是直接null初始化

最后于 2023-4-27 11:17 被zxvv编辑 ,原因:
2023-4-27 11:10
1
雪    币: 2159
活跃值: (3265)
能力值: ( LV4,RANK:50 )
在线值:
发帖
回帖
粉丝
8
zxvv shmilyaxy 我这里补了com/alibaba/wireless/security/open/SecException-&gt;(L ...
我刚才试了下,“return vm.resolveClass("com/alibaba/wireless/security/open/SecException").newObject(null);”,最后得调用还是返回null,不过我用新版本试试看,能不能实现第一个10101得调用-返回0
2023-4-27 13:18
1
雪    币: 10
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
9

mark

最后于 2023-10-8 18:00 被wx_justght编辑 ,原因:
2023-10-8 17:40
1
雪    币: 1
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
10
你好,请问可以付费交流吗? q 2075335452
2023-12-6 11:24
1
雪    币: 1
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
11
zxvv 我跑的其他调用,一开始也会有这个secException,我就把它当常规补环境,自己构造一个SecException返回,最后可以正常出结果。。
是长mini-wua么
2023-12-19 18:53
1
雪    币: 392
活跃值: (917)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
12
解决了 吗 哥们返回的是 125 我干
2023-12-25 11:10
1
雪    币: 392
活跃值: (917)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
13
各位想解决 这个com/alibaba/wireless/security/open/SecException 导致返回为 null的话建议用unidbg 0.9.5就行了
2023-12-25 14:12
2
雪    币: 2159
活跃值: (3265)
能力值: ( LV4,RANK:50 )
在线值:
发帖
回帖
粉丝
14
西瓜帅 各位想解决 这个com/alibaba/wireless/security/open/SecException 导致返回为 null的话建议用unidbg 0.9.5就行了
我好像也是换了unidbg版本之后就没提示这个SecException 错误了,有点玄学,我没搞懂真正问题点
2024-1-5 11:44
0
雪    币: 392
活跃值: (917)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
16
shmilyaxy 我好像也是换了unidbg版本之后就没提示这个SecException 错误了,有点玄学,我没搞懂真正问题点
顶级玄学
2024-2-1 13:50
0
雪    币: 702
活跃值: (1477)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
17
不吹不黑,我用ida调试都能碰到这个报错。。。。
2024-2-1 14:46
0
雪    币: 220
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
18
版本都太老了。
2024-2-13 19:04
0
雪    币: 2787
活跃值: (30801)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
19
感谢分享
2024-2-13 21:09
1
雪    币: 69
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
20
调用没有报错,加密结果也出来了,但加密的和app加密出来的不一样,
2024-2-29 17:19
0
雪    币: 2159
活跃值: (3265)
能力值: ( LV4,RANK:50 )
在线值:
发帖
回帖
粉丝
21
cobe 调用没有报错,加密结果也出来了,但加密的和app加密出来的不一样,
能用不?加密用到很多信息,unidbg和真机是不一样的
2024-3-1 22:46
0
雪    币: 19
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
22
shmilyaxy 我好像也是换了unidbg版本之后就没提示这个SecException 错误了,有点玄学,我没搞懂真正问题点
换了版本还是没跑通作者上面的例子
2024-8-27 13:18
0
雪    币:
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
23
付费求个 ybs3788
2024-8-30 19:23
0
游客
登录 | 注册 方可回帖
返回
//