-
-
未解决 [求助] 某APP中的签名,使用unidbg时找不到class 100雪币
-
发表于: 2025-7-18 17:17 521
-
// 理论上,我加入对应的class后,应该可以加载到的,还有个模拟的方法,但是不知道为什么,一直是找不到Class的异常,我尝试DEBUG unidbg,看不出来什么问题,菜鸟的苦恼~
//
public class TbSign extends AbstractJni {
private final AndroidEmulator emulator;
private final VM vm;
private final DvmClass signClass;
TbSign() {
emulator = AndroidEmulatorBuilder.for64Bit()
.setProcessName("com.taobao.taobao")
.build();
Memory memory = emulator.getMemory();
memory.setLibraryResolver(new AndroidResolver(23));
vm = emulator.createDalvikVM();
ProxyClassFactory factory = new ProxyClassFactory();
vm.setDvmClassFactory(factory);
vm.setVerbose(false);
signClass = vm.resolveClass("com/tb/wireless/security/adapter/JNICLibrary");
vm.resolveClass("com/alibaba/wireless/security/mainplugin/SecurityGuardMainPlugin");
vm.setJni(this);
DalvikModule module = vm.loadLibrary(new File("unidbg-android/src/test/resources/example_binaries/arm64-v8a/libsgmainso1.so"), false);
module.callJNI_OnLoad(emulator);
}
@Override
public DvmObject<?> newObject(BaseVM vm, DvmClass dvmClass, String signature, VarArg varArg) {
if (signature.equals("com/alibaba/wireless/security/mainplugin/SecurityGuardMainPlugin")) {
System.out.println("new SecurityGuardMainPlugin");
return dvmClass.newObject(signature);
}
return super.newObject(vm, dvmClass, signature, varArg);
}
@Override
public DvmObject<?> callStaticObjectMethod(BaseVM vm, DvmClass dvmClass, String signature, VarArg varArg) {
if (signature.equals("com/alibaba/wireless/security/mainplugin/SecurityGuardMainPlugin->getInstance(Landroid/content/Context;)Lcom/alibaba/wireless/security/mainplugin/SecurityGuardMainPlugin;")) {
return dvmClass.newObject(null);
} else if (signature.equals("com/alibaba/wireless/security/mainplugin/SecurityGuardMainPlugin->getMainPluginClassLoader()Ljava/lang/ClassLoader;")) {
DvmClass classLoaderClass = vm.resolveClass("java/lang/ClassLoader");
DvmObject<?> classLoader = classLoaderClass.newObject(null);
return classLoader;
}
return super.callStaticObjectMethod(vm, dvmClass, signature, varArg);
}
@Override
public int callIntMethod(BaseVM vm, DvmObject<?> dvmObject, String signature, VarArg varArg) {
if (signature.equals("com/alibaba/wireless/security/mainplugin/SecurityGuardMainPlugin->init(Landroid/content/Context;)I")) {
return 0; // 返回0表示初始化成功
}
return super.callIntMethod(vm, dvmObject, signature, varArg);
}
public void destroy() throws IOException {
emulator.close();
}
public Object doCommandNative(int v, Object[] args) {
String methodSign = "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;";
DvmObject<Object> obj = signClass.callStaticJniMethodObject(emulator, methodSign, v, ProxyDvmObject.createObject(vm, args));
return obj.getValue();
}
private DvmObject<?>[] createJavaObjectArray() {
DvmObject<?>[] objArray = new DvmObject<?>[12];
objArray[0] = new StringObject(vm, "21646297");
objArray[1] = new StringObject(vm, "21646297");
objArray[2] = DvmBoolean.valueOf(vm, false);
objArray[3] = DvmInteger.valueOf(vm, 0);
objArray[4] = new StringObject(vm, "usertrack.uf.wrapper");
objArray[5] = new StringObject(vm, "");
objArray[6] = new StringObject(vm, "");
objArray[7] = new StringObject(vm, "");
objArray[8] = new StringObject(vm, "");
objArray[9] = new StringObject(vm, "");
objArray[10] = DvmInteger.valueOf(vm, 1);
objArray[11] = DvmInteger.valueOf(vm, 3);
return objArray;
}
public static void main(String[] args) {
TbSign tb = new TbSign();
Object[] obj = new Object[12];
obj[0] = "21646297";
obj[1] = "21646297";
obj[2] = false;
obj[3] = 0;
obj[4] = "usertrack.uf.wrapper";
obj[5] = "";
obj[6] = "";
obj[7] = "";
obj[8] = "";
obj[9] = "";
obj[10] = 1;
obj[11] = 3;
// Object map = taobaoSign.doCommandNative(70102, obj);
// System.out.printf("map=%s\n", map);
tb.doCommandNative(70102, obj);
}
}日志 [17:13:00 578] DEBUG [com.github.unidbg.pointer.UnidbgPointer] (UnidbgPointer:348) - getString pointer=RW@0x402cd461[libmain.so]0x2cd461, size=64, encoding=UTF-8, ret=com/alibaba/wireless/security/mainplugin/SecurityGuardMainPlugin [17:13:00 578] DEBUG [com.github.unidbg.linux.android.dvm.BaseVM] (BaseVM:146) - addObject hash=0xffffffff931f7f6c, global=true [17:13:00 578] DEBUG [com.github.unidbg.linux.android.dvm.DalvikVM64] (DalvikVM64$3:87) - FindClass env=unidbg@0xfffe1640, className=com/alibaba/wireless/security/mainplugin/SecurityGuardMainPlugin, hash=0x931f7f6c [17:13:00 578] DEBUG [com.github.unidbg.pointer.UnidbgPointer] (UnidbgPointer:348) - getString pointer=RW@0x402cd4a2[libmain.so]0x2cd4a2, size=24, encoding=UTF-8, ret=getMainPluginClassLoader [17:13:00 578] DEBUG [com.github.unidbg.pointer.UnidbgPointer] (UnidbgPointer:348) - getString pointer=RW@0x402cd4bb[libmain.so]0x2cd4bb, size=25, encoding=UTF-8, ret=()Ljava/lang/ClassLoader; [17:13:00 578] DEBUG [com.github.unidbg.linux.android.dvm.DalvikVM64] (DalvikVM64$110:1781) - GetStaticMethodID class=unidbg@0x931f7f6c, methodName=getMainPluginClassLoader, args=()Ljava/lang/ClassLoader;, LR=RX@0x4008a838[libmain.so]0x8a838 [17:13:00 578] DEBUG [com.github.unidbg.linux.android.dvm.DvmClass] (DvmClass:99) - getStaticMethodID signature=com/alibaba/wireless/security/mainplugin/SecurityGuardMainPlugin->getMainPluginClassLoader()Ljava/lang/ClassLoader;, hash=0xffffffffcc338928 [17:13:00 578] DEBUG [com.github.unidbg.linux.android.dvm.DalvikVM64] (DalvikVM64$111:1803) - CallStaticObjectMethod clazz=unidbg@0x931f7f6c, jmethodID=unidbg@0xffffffffcc338928 [17:13:00 579] WARN [com.github.unidbg.linux.android.dvm.jni.ProxyJni] (ProxyJni:212) - callStaticObjectMethod java.lang.ClassNotFoundException: com.alibaba.wireless.security.mainplugin.SecurityGuardMainPlugin at java.net.URLClassLoader.findClass(URLClassLoader.java:387) at java.lang.ClassLoader.loadClass(ClassLoader.java:419) at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:352) at java.lang.ClassLoader.loadClass(ClassLoader.java:352) at com.github.unidbg.linux.android.dvm.jni.ProxyClassLoader.loadClass(ProxyClassLoader.java:22) at com.github.unidbg.linux.android.dvm.jni.ProxyJni.callStaticObjectMethod(ProxyJni.java:207) at com.github.unidbg.linux.android.dvm.DvmMethod.callStaticObjectMethod(DvmMethod.java:54) at com.github.unidbg.linux.android.dvm.DalvikVM64$111.handle(DalvikVM64.java:1811) at com.github.unidbg.linux.ARM64SyscallHandler.hook(ARM64SyscallHandler.java:121) at com.github.unidbg.arm.backend.UnicornBackend$11.hook(UnicornBackend.java:345) at unicorn.Unicorn$NewHook.onInterrupt(Unicorn.java:128) at unicorn.Unicorn.emu_start(Native Method) at com.github.unidbg.arm.backend.UnicornBackend.emu_start(UnicornBackend.java:376) at com.github.unidbg.AbstractEmulator.emulate(AbstractEmulator.java:378) at com.github.unidbg.thread.Function64.run(Function64.java:39) at com.github.unidbg.thread.MainTask.dispatch(MainTask.java:19) at com.github.unidbg.thread.UniThreadDispatcher.run(UniThreadDispatcher.java:175) at com.github.unidbg.thread.UniThreadDispatcher.runMainForResult(UniThreadDispatcher.java:99) at com.github.unidbg.AbstractEmulator.runMainForResult(AbstractEmulator.java:341) at com.github.unidbg.arm.AbstractARM64Emulator.eFunc(AbstractARM64Emulator.java:262) at com.github.unidbg.Module.emulateFunction(Module.java:163) at com.github.unidbg.linux.LinuxModule.callFunction(LinuxModule.java:262) at com.github.unidbg.linux.LinuxSymbol.call(LinuxSymbol.java:27) at com.github.unidbg.linux.android.dvm.DalvikModule.callJNI_OnLoad(DalvikModule.java:33) at com.tb.TbSign.<init>(TbSign.java:41) at com.tb.TbSign.main(TbSign.java:103) [17:13:00 580] WARN [com.github.unidbg.linux.ARM64SyscallHandler] (ARM64SyscallHandler:412) - handleInterrupt intno=2, NR=-129168, svcNumber=0x16e, PC=unidbg@0xfffe0774, LR=RX@0x4008a854[libmain.so]0x8a854, syscall=null java.lang.UnsupportedOperationException: com/alibaba/wireless/security/mainplugin/SecurityGuardMainPlugin->getMainPluginClassLoader()Ljava/lang/ClassLoader; at com.github.unidbg.linux.android.dvm.JniFunction.callStaticObjectMethod(JniFunction.java:159) at com.github.unidbg.linux.android.dvm.JniFunction.callStaticObjectMethod(JniFunction.java:153) at com.github.unidbg.linux.android.dvm.jni.ProxyJni.callStaticObjectMethod(ProxyJni.java:214) at com.github.unidbg.linux.android.dvm.DvmMethod.callStaticObjectMethod(DvmMethod.java:54) at com.github.unidbg.linux.android.dvm.DalvikVM64$111.handle(DalvikVM64.java:1811) at com.github.unidbg.linux.ARM64SyscallHandler.hook(ARM64SyscallHandler.java:121) at com.github.unidbg.arm.backend.UnicornBackend$11.hook(UnicornBackend.java:345) at unicorn.Unicorn$NewHook.onInterrupt(Unicorn.java:128) at unicorn.Unicorn.emu_start(Native Method) at com.github.unidbg.arm.backend.UnicornBackend.emu_start(UnicornBackend.java:376) at com.github.unidbg.AbstractEmulator.emulate(AbstractEmulator.java:378) at com.github.unidbg.thread.Function64.run(Function64.java:39) at com.github.unidbg.thread.MainTask.dispatch(MainTask.java:19) at com.github.unidbg.thread.UniThreadDispatcher.run(UniThreadDispatcher.java:175) at com.github.unidbg.thread.UniThreadDispatcher.runMainForResult(UniThreadDispatcher.java:99) at com.github.unidbg.AbstractEmulator.runMainForResult(AbstractEmulator.java:341) at com.github.unidbg.arm.AbstractARM64Emulator.eFunc(AbstractARM64Emulator.java:262) at com.github.unidbg.Module.emulateFunction(Module.java:163) at com.github.unidbg.linux.LinuxModule.callFunction(LinuxModule.java:262) at com.github.unidbg.linux.LinuxSymbol.call(LinuxSymbol.java:27) at com.github.unidbg.linux.android.dvm.DalvikModule.callJNI_OnLoad(DalvikModule.java:33) at com.tb.TbSign.<init>(TbSign.java:41) at com.tb.TbSign.main(TbSign.java:103) debugger break at: 0xfffe0774 @ Runnable|Function64 address=0x40057bb8, arguments=[unidbg@0xfffe0080, null] >>> x0=0xfffe1640(-125376) x1=0x931f7f6c x2=0xffffffffcc338928 x3=0x402cd4bb x4=0x44 x5=0x3 x6=0x402ca064 x7=0x21fc x8=0xfffe0770 x9=0x0 x10=0xbffff584 x11=0xbffff580 x12=0x73 x13=0x400211d7 x14=0x402cd73a >>> x15=0xc5 x16=0x34 x17=0x40140c58 x18=0x18 x19=0xfffe1640 x20=0x5d8c8af1 x21=0x931f7f6c x22=0x0 x23=0xad5bdf75 x24=0x402cd000 x25=0x402cd000 x26=0x0 x27=0x8 x28=0x0 fp=0xbffff600 >>> q0=0x0(0.0) q1=0xc0(2.6904930515036488E-43) q2=0x363038353620323120323938(5.540897692487247E-48, 4.491697924E-315) q3=0x0(0.0) q4=0x0(0.0) q5=0x40100401401004014010040140100401(4.003911019303815, 4.003911019303815) q6=0x0(0.0) q7=0x1f100000000000001f1(2.456E-321, 2.456E-321) q8=0x0(0.0) q9=0x0(0.0) q10=0x0(0.0) q11=0x0(0.0) q12=0x0(0.0) q13=0x0(0.0) q14=0x0(0.0) q15=0x0(0.0) >>> q16=0x51f100000000000041f1(8.3403E-320, 1.0364E-319) q17=0x0(0.0) q18=0x51f100000000000041f1(8.3403E-320, 1.0364E-319) q19=0x0(0.0) q20=0x0(0.0) q21=0x0(0.0) q22=0x0(0.0) q23=0x0(0.0) q24=0x0(0.0) q25=0x0(0.0) q26=0x0(0.0) q27=0x0(0.0) q28=0x0(0.0) q29=0x0(0.0) q30=0x0(0.0) q31=0x0(0.0) LR=RX@0x4008a854[libmain.so]0x8a854 SP=0xbffff600 PC=unidbg@0xfffe0774 nzcv: N=0, Z=1, C=1, V=0, EL0, use SP_EL0 [17:13:00 591] DEBUG [org.scijava.nativelib.NativeLibraryUtil] (NativeLibraryUtil:157) - architecture is WINDOWS_64 os.name is windows 11 [17:13:00 591] DEBUG [org.scijava.nativelib.NativeLibraryUtil] (NativeLibraryUtil:215) - platform specific path is natives/windows_64/ [17:13:00 591] DEBUG [org.scijava.nativelib.BaseJniExtractor] (BaseJniExtractor:359) - mappedLib is disassembler.dll [17:13:00 591] DEBUG [org.scijava.nativelib.BaseJniExtractor] (BaseJniExtractor:359) - Couldn't find resource natives/windows_64/disassembler.dll [17:13:00 591] DEBUG [org.scijava.nativelib.NativeLibraryUtil] (NativeLibraryUtil:215) - platform specific path is windows_64/ [17:13:00 591] DEBUG [org.scijava.nativelib.BaseJniExtractor] (BaseJniExtractor:359) - mappedLib is disassembler.dll [17:13:00 591] DEBUG [org.scijava.nativelib.BaseJniExtractor] (BaseJniExtractor:359) - Couldn't find resource windows_64/disassembler.dll [17:13:00 591] DEBUG [org.scijava.nativelib.NativeLibraryUtil] (NativeLibraryUtil:215) - platform specific path is META-INF/lib/windows_64/ [17:13:00 591] DEBUG [org.scijava.nativelib.BaseJniExtractor] (BaseJniExtractor:359) - mappedLib is disassembler.dll [17:13:00 591] DEBUG [org.scijava.nativelib.BaseJniExtractor] (BaseJniExtractor:359) - Couldn't find resource META-INF/lib/windows_64/disassembler.dll [Arm64Svc 0x000770] [c12d00d4] 0xfffe0770: "svc #0x16e" => *[Arm64Svc *0x000774]*[c0035fd6]*0xfffe0774:*"ret"
[培训]Windows内核深度攻防:从Hook技术到Rootkit实战!
赞赏
|
|
|---|---|
|
|
他的文章
谁下载
赞赏
雪币:
留言:
