-
-
[原创]X浪脱壳分析
-
发表于: 2025-7-28 14:55
-
版本:
x_14.10.0_vcode_7021_wm_3333_1001_so_32_64_x_6165_225001
运行环境:
ANDROID 14
Magisk 面具
magisk-frida
使用工具:
抓包工具Charles
JAVA逆向工具JADX
SO逆向工具IDA
动态分析工具FRIDA
ANDROID 14 环境配置:
Magisk 的环境配置341K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6@1L8%4m8B7L8$3S2F1N6%4g2Q4x3V1k6y4j5h3N6A6M7$3D9`.
Magisk 的Frida环境4dfK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6h3K9g2u0T1x3#2)9J5c8X3#2S2k6$3W2K6K9#2)9J5k6r3k6J5K9h3c8S2
ANDROID 14的证书配置 783K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6%4K9X3j5H3x3U0p5@1i4K6u0r3e0h3q4Y4K9i4y4C8i4K6u0V1e0h3!0$3k6f1y4m8b7$3g2J5N6s2x3`.
CA证书的重要变化
原来是 /system/etc/security/cacerts目录
新增加 /apex/com.android.conscrypt/cacerts目录
IDA动态调试的重要变化
现象为DDMS界面白屏,无待调试的进程。Android官方的更新文档解释为:
运行时
JDWP 线程创建
Android 14 添加了 persist.debug.dalvik.vm.jdwp.enabled 系统属性,用于控制是否在 userdebug build 中创建 Java 调试网络协议 (JDWP) 线程。如需了解详情,请参阅 JDWP 选项。
JDWP 选项
persist.debug.dalvik.vm.jdwp.enabled 系统属性用于控制是否在 userdebug build 中创建 Java 调试网络协议 (JDWP) 线程。默认情况下,系统不会设置此属性,且系统只会为可调试应用创建 JDWP 线程。如需同时为可调试和不可调试应用启用 JDWP 线程,请将 persist.debug.dalvik.vm.jdwp.enabled 设为 1。必须重新启动设备,才能使属性更改生效。
如需在 userdebug build 中调试某个不可调试应用,请运行以下命令来启用 JDWP:
adb shell setprop persist.debug.dalvik.vm.jdwp.enabled 1
adb reboot
注意:将 persist.debug.dalvik.vm.jdwp.enabled 属性设为 1,这不会使应用变得可调试,而只会允许将调试程序附加到进程。
对于搭载 Android 13 或更低版本的设备,运行时会在 userdebug build 中为可调试和不可调试应用创建 JDWP 线程。这意味着,您可以在 userdebug build 中附加调试程序或分析应用性能。
Magisk命令为
抓包确定需要的分析的关键点在com.sina.weibo.security下的SLib类八个native函数
同时com.sina.weibo.security 下的WBSecurity类的四个native函数
他对应的SO文件为libslib.so,正常流程为加载libslib.so模型,运行nativeInit初始化环境参数,运行nativeNewCalculateS来计算s参数的值;
查看IDA的导出表 发现没有静态注册的JNI函数
直接上Android的unidbg跑了一下(03fK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6*7K9r3E0D9x3o6t1J5z5q4)9J5c8Y4g2F1K9h3c8T1k6#2!0q4c8W2!0n7b7#2)9^5z5g2!0q4c8W2!0n7b7#2)9^5b7#2!0q4y4#2)9&6b7W2!0n7y4q4!0q4y4W2)9^5c8g2!0m8y4g2!0q4y4W2)9^5c8W2)9&6x3q4!0q4y4#2!0m8y4q4!0n7b7b7`.`.
查看了一下libziparchive-private.so这个文件,他是一个解压文件,把libziparchive-private.so文件放入libslib.so的同目录再次运行
这时的运行结果没有任何提示,发现原来的so内有JNI_OnLoad函数和.init_array的段,.init_array 段的函数 在加载so时会自动执行,JNI_OnLoad需要手动调用mDalvikModule.callJNI_OnLoad(emulator);来执行;
这时的运行结果为RegisterNative动态注册了WBSecurity下的三个native函数,但是SLib的函数并没有注册;调用isUnpackSuccess()和getUnPackResult()两个结果,提示原so并没有解压成功。
这时就需要分析libslib.so这个文件,他的共享名称竟然是libsoshell.so,他的依赖库包含libziparchive-private.so,说明这是一个壳文件,在内部运行中调用zip来对原文件进行解压,生成的文件才是libslib.so文件。
其在init_array 内执行了解压的操作,sub_EEE0为关键的解压解压函数;
这时的一个简单的方法是对这个ZIP解压的函数进行HOOK,就可以得到真正的libslib.so文件。
使用Frida的trace功能来对init_array下的所有函数进行trace,发现其根本没有调用解压函数。
再比较真机上Frida的trace结果和unidbg的trace结果,发现其调用的流程发生了变化,有可能是根据环境来判断的执行流程,在diff两个trace结果时发现了许多的跳转错乱问题,这个壳是经过Obfuscator-LLVM clang version 4.0.1 (based on Obfuscator-LLVM 4.0.1)混淆的,流程已经发生了许多变化。
HOOK了libc的open函数,发现其在sub_EEE0中打开了/proc/self/maps文件和/lib/arm64/libslib.so 文件。其打开 maps 文件有可能是进行反调试,来查看进程运行的实时信息,也是为了得到libslib.so在Android系统中的绝对路径。
HOOK libc 的pread 函数,来查看so读取了壳文件的哪些内容,首先使用open来打开了/lib/arm64/libslib.so 这个动态库,返回的 fd 是 0x84,然后调用pread 来读取了文件的部分内容
其中目的地址并不是连续的,而从0xb40000773365efd0至0xb40000773365f1d0的地址是连续的,拷贝了0x6c008处的0x20个字节,0x6c028处的0x140个字节,0x6c168处的0x40e28 个字节。使用Python根据以上的信息拼接成一个文件来分析一下,生成的新的so 文件,还需要再次解压。
在进行trace的时候发现Frida的默认Stalker.follow并没有跟踪call 和arm 的bl,需要在设置events的call 为true,但是在我的运行环境,只要开启了这个选项,Frida运行就崩溃。
这段需要进行后续的详细分析,分析其解压的逻辑,其中其密文是确定的。
其执行流程为
详细信息:
其他的解决方案:
HOOK真机上的RegisterNatives函数(285K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6D9j5i4y4@1K9h3&6Y4i4K6u0V1P5h3q4F1k6#2)9J5c8X3k6J5K9h3c8S2i4K6g2X3K9r3!0G2K9#2)9#2k6X3I4A6j5X3q4J5N6q4!0q4c8W2!0n7b7#2)9^5z5g2!0q4c8W2!0n7b7#2)9^5b7#2!0q4y4W2)9&6c8q4!0m8y4g2!0q4y4W2)9^5z5g2)9&6x3#2!0q4y4g2)9^5c8q4!0n7x3q4!0q4y4q4!0n7z5q4)9^5x3q4!0q4y4q4!0n7z5q4)9^5b7W2!0q4z5q4!0n7x3q4)9^5x3#2!0q4z5q4!0m8c8W2)9&6y4g2!0q4y4#2)9&6b7g2)9^5y4q4!0q4y4#2!0n7b7W2)9&6x3#2!0q4y4W2)9&6c8g2)9&6b7#2!0q4x3#2)9^5x3q4)9^5x3R3`.`.
发现其动态注册了SLib的nativeInit函数和nativeNewCalculateS函数,并且给出了其调用动态注册函数的地址和nativeInit函数和nativeNewCalculateS函数的地址。
现在只需要根据nativeInit的地址来找到在maps中对应的so文件的起始地址和结束地址,使用Frida的dump功能将内存dump下来就是脱壳后的so文件。
ELF 头文件修复
内存DUMP的so文件的ELF的头是损坏的,与原来的libslib的壳头文件相比,前0x200处的头不一致,从0x200开始一致。
脱壳后我ELF头如下:
原始的libslib 的头文件如下:
将libslib 的原始的前0x200个头拷贝至脱壳文件,然后修改内存dump文件的elf_header各项的值为其真实的值;
将Section header table 的所有项的值都置为0;主要是修复Program header table 各项的值;
主要是修复program_header_table 的各项的值:
其中 (R_X) Loadable Segment 和 (RW_) Loadable Segment ,可以根据内存的 maps 信息,来查看各个段的执行权限和读写权限;为方便我将所有的地址都设置为RWX权限;
(RW_) Dynamic Segment 就是动态表的地址,他与got表相关,需要在找到其动态表的开始地址;可以根据原libslib的特征值,来找到动态段的开始地址;
其他的各项值都设置为了0:
修复后的信息如下:
IDA 打开修复后的文件,发现其动态库的名称已经有libsoshell.so变为了libslib.so, 动态库的依赖也发生了变化,不再依赖libziparchive-private.so。
GOT表的修复也正常,错误的GOT表__imp_内容显示的就是0x开始的内存地址。
代码执行处的内容显示为:
字符串处也出现了 nativeInit 和nativeNewCalculateS函数名称,和PackageManager 、PackageInfo 和 Signature 的Android的签名校验的类。
把修复后的脱壳文件放到unidbg-android项目中,调用JNI_OnLoad加载函数mDalvikModule.callJNI_OnLoad(emulator) 出现动态成功的信息。
现在只需要按照要求调用nativeInit(Ljava/lang/String;)V 来初始化环境,和调用
nativeNewCalculateS(Landroid/content/Context;Ljava/lang/String;I)Ljava/lang/String;来计算 S 值即可。
调用nativeInit 的代码如下:
提示调用成功图如下:
调用nativeNewCalculateS 的函数代码如下:
运行报错,提示信息如下:
日志信息如下
根据其提示的信息android/content/pm/PackageManager 可以断定其主要功能为获取APK的签名信息,来进行环境判断,是进行反调试的功能。其android/content/Context的获取就是我们传进去的第一个参数。
定位其出错的信息DalvikVM64.java:556 处的代码如下:
其报错的主要原因是dvmClass 根据jmethodID来找DvmMethod发生错误,错误的原因有可能是我们传入参数android/content/Context 时发生错误。
定位Android 源码,我们发现Context 类和getPackageManager的方法都是abstract抽象的,Java的抽象类不能被实例化,他的实现方法必须由子类来继承和实现。
继续分析错误提示,jmethodID=unidbg@0x53f2c391 这个报错,而这个jmethodID的值是从JNIEnv->GetMethodID(android/content/ContextWrapper.getPackageManager()Landroid/content/pm/PackageManager;) => 0x53f2c391 处获取的,而参数传入的是他的父类android/content/Context,应该修改为他自己的类名android/content/ContextWrapper。
修改后这段代码调试通过,不再提示错误。
新的错误提示信息如下:
日志信息如下
提示的信息为java.lang.NullPointerException,可能的原因是C环境的指针传入Java环境内错误。
启用调试模式,在03B3D0处下断点。
根据其汇编代码,可以确定其三个参数为 X0 X1 X8 ,根据错误的提示信息,可以确定其是JNI调用的Java代码,X0 和 X1 是参数,X8是地址。
s 进入发现其调用的是svc软中断,来调用Java代码。
在log4j.properties 文件开启 log4j.logger.com.github.unidbg.linux.android.dvm=DEBUG 的调试模式。
日志信息如下
提示的错误信息是string类型为NULL,所以提示NULL指针错误。
提示错误的代码为:
基本功能是_GetStringLength 返回字符串的长度,其对应的offset正是前述的0x520。
正常的调用_GetStringLength 方法的参数:
报错时调用_GetStringLength 方法的参数:
可以确定为x1=0x31aa为NULL,查看函数的调用栈,发现了0x00F160处的代码如下:
第一次调用sub_3B4E4是正常的,第二次调用sub_3B4E4就出现了NULL指针的错误,而qword_50F58 的值正是0x31AA。
因为这个SO是从内存dump的,0x50F58处的值为运行时的信息,查看0x50F58处的引用,发现有STR用于写值。
在0x00E9A8处是写值到0x050F58,在0x00E9A8处下断点,发现根本没有执行,这个有可能是因为0x050F58处已经有值,所以就不再写值。
在0x50F58处下内存访问断点
提示信息如下:
第一个值0xeb88为判断是否为0的代码,第二个值0xf17c就是调用其报错的代码。
提示e_shnum is SHN_UNDEF(0) 错误,修改 ELF的头的项值:e_shnum_NUMBER_OF_SECTION_HEADER_ENTRIES 为 1 。
动态修改0x50F58处的值为0;
修改后运行正常取得S的值。
完整的运行信息如下:
sumagisk resetprop ro.debuggable 1magisk resetprop ro.force.debuggable 1magisk resetprop ro.build.type engmagisk resetprop ro.build.type userdebugmagisk resetprop persist.debug.dalvik.vm.jdwp.enabled 1stop;startsumagisk resetprop ro.debuggable 1magisk resetprop ro.force.debuggable 1magisk resetprop ro.build.type engmagisk resetprop ro.build.type userdebugmagisk resetprop persist.debug.dalvik.vm.jdwp.enabled 1stop;startprivate native boolean nativeCheck();private native String nativeGetCheckErr();private native int nativeGetCheckErrType();private native long nativeGetPkgTimeCost();private native long nativeGetV1TimeCost();private native long nativeGetV2TimeCost();private native void nativeInit(String str);private native String nativeNewCalculateS(Context context, String str, int i);private native boolean nativeCheck();private native String nativeGetCheckErr();private native int nativeGetCheckErrType();private native long nativeGetPkgTimeCost();private native long nativeGetV1TimeCost();private native long nativeGetV2TimeCost();private native void nativeInit(String str);private native String nativeNewCalculateS(Context context, String str, int i);public native String getSignature(String str);public native String getTimeCost();public native String getUnPackResult();public native boolean isUnpackSuccess();public native String getSignature(String str);public native String getTimeCost();public native String getUnPackResult();public native boolean isUnpackSuccess();INFO [com.github.unidbg.linux.AndroidElfLoader] (AndroidElfLoader:481) - libsoshell.so load dependency libziparchive-private.so failedINFO [com.github.unidbg.linux.AndroidElfLoader] (AndroidElfLoader:481) - libsoshell.so load dependency libziparchive-private.so failed一:读取了ELF的头文件 pread arg 0: 0x84pread arg 1: 0x7febe06928pread arg 2: 0x40pread arg 3: 0x0二:读取了0x6c008处的0x20个字节信息 pread arg 0: 0x84pread arg 1: 0xb400007563533b98pread arg 2: 0x20pread arg 3: 0x6c008三:再次读取了0x6c008出的0x20个字节的信息 pread arg 0: 0x84pread arg 1: 0xb40000773365efd0pread arg 2: 0x20pread arg 3: 0x6c008四:读取了0x0x6c028处的0x140个字节信息 pread arg 0: 0x84pread arg 1: 0xb40000773365eff0pread arg 2: 0x140pread arg 3: 0x6c028 五:读取了0x6c168处的0x40e28个字节的信息 pread arg 0: 0x84pread arg 1: 0xb40000773365f1d0pread arg 2: 0x40e28pread arg 3: 0x6c168一:读取了ELF的头文件 pread arg 0: 0x84pread arg 1: 0x7febe06928pread arg 2: 0x40pread arg 3: 0x0二:读取了0x6c008处的0x20个字节信息 pread arg 0: 0x84pread arg 1: 0xb400007563533b98pread arg 2: 0x20pread arg 3: 0x6c008三:再次读取了0x6c008出的0x20个字节的信息 pread arg 0: 0x84pread arg 1: 0xb40000773365efd0pread arg 2: 0x20pread arg 3: 0x6c008四:读取了0x0x6c028处的0x140个字节信息 pread arg 0: 0x84pread arg 1: 0xb40000773365eff0pread arg 2: 0x140pread arg 3: 0x6c028 五:读取了0x6c168处的0x40e28个字节的信息 pread arg 0: 0x84pread arg 1: 0xb40000773365f1d0pread arg 2: 0x40e28pread arg 3: 0x6c168events: { call: true, // CALL instructions: yes please ret: false, // RET instructions exec: false, // all instructions: not recommended as it's block: false, // block executed: coarse execution trace compile: false // block compiled: useful for coverage }events: { call: true, // CALL instructions: yes please ret: false, // RET instructions exec: false, // all instructions: not recommended as it's block: false, // block executed: coarse execution trace compile: false // block compiled: useful for coverage }一:打开/lib/arm64/libslib.so 文件; open arg: /data/app/~~M0_AMbekAj3bHBcAv32Zmg==/com.sina.weibo1yMlgldzELG6p0wvPZePqw==/lib/arm64/libslib.so open retval: 0x87二:依次读取/lib/arm64/libslib.so 各段的地址内容;读取密文至0xb400007733604fd0 的开始处。 pread arg 0: 0x87pread arg 1: 0xb400007733604fd0pread arg 2: 0x20pread arg 3: 0x6c008pread arg 0: 0x87pread arg 1: 0xb400007733604ff0pread arg 2: 0x140pread arg 3: 0x6c028pread arg 0: 0x87pread arg 1: 0xb4000077336051d0pread arg 2: 0x40e28pread arg 3: 0x6c168 三:按照内部的解压函数,来解压0xb400007733604fd0开始处的密文; 四:将解压后的内容拷贝至0x7733370000处; memcpy arg 0: 0x7733370000memcpy arg 1: 0xb400007733604fd0memcpy arg 2: 0x3f5b8 memcpy arg 0: 0x77333bf000memcpy arg 1: 0xb400007733643fd0memcpy arg 2: 0x1ed4 五:设置0x7733370000处的内容执行权限为执行权限; mprotect arg 0: 0x7733370000mprotect arg 1: 0x3f5b8 mprotect arg 0: 0x77333bf000mprotect arg 1: 0x1ed4一:打开/lib/arm64/libslib.so 文件; open arg: /data/app/~~M0_AMbekAj3bHBcAv32Zmg==/com.sina.weibo1yMlgldzELG6p0wvPZePqw==/lib/arm64/libslib.so open retval: 0x87二:依次读取/lib/arm64/libslib.so 各段的地址内容;读取密文至0xb400007733604fd0 的开始处。 pread arg 0: 0x87pread arg 1: 0xb400007733604fd0pread arg 2: 0x20pread arg 3: 0x6c008pread arg 0: 0x87pread arg 1: 0xb400007733604ff0pread arg 2: 0x140pread arg 3: 0x6c028pread arg 0: 0x87pread arg 1: 0xb4000077336051d0pread arg 2: 0x40e28pread arg 3: 0x6c168 三:按照内部的解压函数,来解压0xb400007733604fd0开始处的密文; 四:将解压后的内容拷贝至0x7733370000处; memcpy arg 0: 0x7733370000memcpy arg 1: 0xb400007733604fd0memcpy arg 2: 0x3f5b8 memcpy arg 0: 0x77333bf000memcpy arg 1: 0xb400007733643fd0memcpy arg 2: 0x1ed4 五:设置0x7733370000处的内容执行权限为执行权限; mprotect arg 0: 0x7733370000mprotect arg 1: 0x3f5b8 mprotect arg 0: 0x77333bf000mprotect arg 1: 0x1ed4open onEnter: 0x7745350f00open arg: /data/app/~~M0_AMbekAj3bHBcAv32Zmg==/com.sina.weibo1yMlgldzELG6p0wvPZePqw==/lib/arm64/libslib.so open retval: 0x87open onLeave: 0x7745350f00pread onEnter: 0x77453aba80pread arg 0: 0x87pread arg 1: 0xb400007733604fd0pread arg 2: 0x20pread arg 3: 0x6c008pread onLeave: 0x77453aba80pread onEnter: 0x77453aba80pread arg 0: 0x87pread arg 1: 0xb400007733604ff0pread arg 2: 0x140pread arg 3: 0x6c028pread onLeave: 0x77453aba80pread onEnter: 0x77453aba80pread arg 0: 0x87pread arg 1: 0xb4000077336051d0pread arg 2: 0x40e28pread arg 3: 0x6c168pread onLeave: 0x77453aba80memcpy onEnter: 0x774533c480memcpy arg 0: 0x7733370000memcpy arg 1: 0xb400007733604fd0memcpy arg 2: 0x3f5b8memcpy onLeave: 0x774533c480mprotect onEnter: 0x77453abc40mprotect arg 0: 0x7733370000mprotect arg 1: 0x3f5b8mprotect onLeave: 0x77453abc40memcpy onEnter: 0x774533c480memcpy arg 0: 0x77333bf000memcpy arg 1: 0xb400007733643fd0memcpy arg 2: 0x1ed4memcpy onLeave: 0x774533c480mprotect onEnter: 0x77453abc40mprotect arg 0: 0x77333bf000mprotect arg 1: 0x1ed4mprotect onLeave: 0x77453abc40open onEnter: 0x7745350f00open arg: /data/app/~~M0_AMbekAj3bHBcAv32Zmg==/com.sina.weibo1yMlgldzELG6p0wvPZePqw==/lib/arm64/libslib.so open retval: 0x87open onLeave: 0x7745350f00pread onEnter: 0x77453aba80pread arg 0: 0x87pread arg 1: 0xb400007733604fd0pread arg 2: 0x20pread arg 3: 0x6c008pread onLeave: 0x77453aba80pread onEnter: 0x77453aba80pread arg 0: 0x87pread arg 1: 0xb400007733604ff0pread arg 2: 0x140pread arg 3: 0x6c028pread onLeave: 0x77453aba80pread onEnter: 0x77453aba80pread arg 0: 0x87pread arg 1: 0xb4000077336051d0pread arg 2: 0x40e28pread arg 3: 0x6c168pread onLeave: 0x77453aba80memcpy onEnter: 0x774533c480memcpy arg 0: 0x7733370000memcpy arg 1: 0xb400007733604fd0memcpy arg 2: 0x3f5b8memcpy onLeave: 0x774533c480mprotect onEnter: 0x77453abc40mprotect arg 0: 0x7733370000mprotect arg 1: 0x3f5b8mprotect onLeave: 0x77453abc40memcpy onEnter: 0x774533c480memcpy arg 0: 0x77333bf000memcpy arg 1: 0xb400007733643fd0memcpy arg 2: 0x1ed4memcpy onLeave: 0x774533c480mprotect onEnter: 0x77453abc40mprotect arg 0: 0x77333bf000mprotect arg 1: 0x1ed4mprotect onLeave: 0x77453abc40(R__) Note (R__) Note (R__) GCC .eh_frame_hdr Segment (RW_) GNU Stack (executability) (R__) GNU Read-only After Relocation(R__) Note (R__) Note (R__) GCC .eh_frame_hdr Segment (RW_) GNU Stack (executability) (R__) GNU Read-only After Relocationpublic void nativeInit(){ String M = "10EA095010"; String N = "10EA095010"; String O = "10EA095060"; String nativeInit = "nativeInit(Ljava/lang/String;)V"; SLib.callStaticJniMethod(emulator, nativeInit, M);} public void nativeInit(){ String M = "10EA095010"; String N = "10EA095010"; String O = "10EA095060"; String nativeInit = "nativeInit(Ljava/lang/String;)V"; SLib.callStaticJniMethod(emulator, nativeInit, M);} public void nativeNewCalculateS(){ Object custom = null; DvmObject context = vm.resolveClass("android/content/Context").newObject(custom); System.out.println(context); String str = "2015876998797"; int mode = 3; String nativeNewCalculateS = "nativeNewCalculateS(Landroid/content/Context;Ljava/lang/String;I)Ljava/ lang/String;"; Object obj = SLib.callStaticJniMethodObject(emulator, nativeNewCalculateS, context, str, mode); System.out.println(obj); }public void nativeNewCalculateS(){ Object custom = null; DvmObject context = vm.resolveClass("android/content/Context").newObject(custom); System.out.println(context); String str = "2015876998797"; int mode = 3; String nativeNewCalculateS = "nativeNewCalculateS(Landroid/content/Context;Ljava/lang/String;I)Ljava/ lang/String;"; Object obj = SLib.callStaticJniMethodObject(emulator, nativeNewCalculateS, context, str, mode); System.out.println(obj); }FindClass(android/content/ContextWrapper) was called fromRX@0x120046a0[libslib.so]0x46a0JNIEnv->GetMethodID(android/content/ContextWrapper.getPackageManager()La ndroid/content/pm/PackageManager;) => 0x53f2c391 was called fromRX@0x12004440[libslib.so]0x4440JNIEnv->FindClass(android/content/pm/PackageManager) was called fromRX@0x120047f8[libslib.so]0x47f8[17:05:57 267] WARN [com.github.unidbg.linux.ARM64SyscallHandler] (ARM64SyscallHandler:410) - handleInterrupt intno=2, NR=-130432, svcNumber=0x11f, PC=unidbg@0xfffe0284, LR=RX@0x12004af8[libslib.so]0x4af8, syscall=null com.github.unidbg.arm.backend.BackendException: dvmObject=android.content.Context@50675690, dvmClass=classandroid/content/Context, jmethodID=unidbg@0x53f2c391 at com.github.unidbg.linux.android.dvm.DalvikVM64$32.handle(DalvikVM64.java :556) at com.github.unidbg.linux.ARM64SyscallHandler.hook(ARM64SyscallHandler.jav a:119) at com.github.unidbg.arm.backend.Unicorn2Backend$11.hook(Unicorn2Backend.ja va:352) at com.github.unidbg.arm.backend.unicorn.Unicorn$NewHook.onInterrupt(Unicor n.java:109) at com.github.unidbg.arm.backend.unicorn.Unicorn.emu_start(Native Method) at com.github.unidbg.arm.backend.unicorn.Unicorn.emu_start(Unicorn.java:312 ) at com.github.unidbg.arm.backend.Unicorn2Backend.emu_start(Unicorn2Backend. java:389) at com.github.unidbg.AbstractEmulator.emulate(AbstractEmulator.java:378) at com.github.unidbg.thread.Function64.run(Function64.java:39) at com.github.unidbg.thread.MainTask.dispatch(MainTask.java:19) at com.github.unidbg.thread.UniThreadDispatcher.run(UniThreadDispatcher.jav a:165) at com.github.unidbg.thread.UniThreadDispatcher.runMainForResult(UniThreadD ispatcher.java:97) at com.github.unidbg.AbstractEmulator.runMainForResult(AbstractEmulator.jav a:341) at com.github.unidbg.arm.AbstractARM64Emulator.eFunc(AbstractARM64Emulator. java:262) at com.github.unidbg.Module.emulateFunction(Module.java:163) at com.github.unidbg.linux.android.dvm.DvmObject.callJniMethod(DvmObject.ja va:135) at com.github.unidbg.linux.android.dvm.DvmClass.callStaticJniMethodObject(D vmClass.java:316) at com.sina.weibo.security.SLib.nativeNewCalculateS(SLib.java:70) at com.sina.weibo.security.SLib.main(SLib.java:91) [17:05:57 269] WARN [com.github.unidbg.AbstractEmulator] (AbstractEmulator:417) - emulate RX@0x1200241c[libslib.so]0x241cexception sp=unidbg@0xe4fff1d0, msg=dvmObject=android.content.Context@50675690, dvmClass=classandroid/content/Context, jmethodID=unidbg@0x53f2c391, offset=12ms @ Runnable|Function64 address=0x1200241c, arguments=[unidbg@0xfffe1640, 1627241951, 1348949648, 834133664, 3] NullFindClass(android/content/ContextWrapper) was called fromRX@0x120046a0[libslib.so]0x46a0JNIEnv->GetMethodID(android/content/ContextWrapper.getPackageManager()La ndroid/content/pm/PackageManager;) => 0x53f2c391 was called fromRX@0x12004440[libslib.so]0x4440JNIEnv->FindClass(android/content/pm/PackageManager) was called fromRX@0x120047f8[libslib.so]0x47f8[17:05:57 267] WARN [com.github.unidbg.linux.ARM64SyscallHandler] (ARM64SyscallHandler:410) - handleInterrupt intno=2, NR=-130432, svcNumber=0x11f, PC=unidbg@0xfffe0284, LR=RX@0x12004af8[libslib.so]0x4af8, syscall=null com.github.unidbg.arm.backend.BackendException: dvmObject=android.content.Context@50675690, dvmClass=classandroid/content/Context, jmethodID=unidbg@0x53f2c391 at com.github.unidbg.linux.android.dvm.DalvikVM64$32.handle(DalvikVM64.java :556) at com.github.unidbg.linux.ARM64SyscallHandler.hook(ARM64SyscallHandler.jav a:119) at com.github.unidbg.arm.backend.Unicorn2Backend$11.hook(Unicorn2Backend.ja va:352) at com.github.unidbg.arm.backend.unicorn.Unicorn$NewHook.onInterrupt(Unicor n.java:109) at com.github.unidbg.arm.backend.unicorn.Unicorn.emu_start(Native Method) at com.github.unidbg.arm.backend.unicorn.Unicorn.emu_start(Unicorn.java:312 ) at com.github.unidbg.arm.backend.Unicorn2Backend.emu_start(Unicorn2Backend. java:389) at com.github.unidbg.AbstractEmulator.emulate(AbstractEmulator.java:378) at com.github.unidbg.thread.Function64.run(Function64.java:39) at com.github.unidbg.thread.MainTask.dispatch(MainTask.java:19) at com.github.unidbg.thread.UniThreadDispatcher.run(UniThreadDispatcher.jav a:165) at com.github.unidbg.thread.UniThreadDispatcher.runMainForResult(UniThreadD ispatcher.java:97) at com.github.unidbg.AbstractEmulator.runMainForResult(AbstractEmulator.jav a:341) at com.github.unidbg.arm.AbstractARM64Emulator.eFunc(AbstractARM64Emulator. java:262) at com.github.unidbg.Module.emulateFunction(Module.java:163) at com.github.unidbg.linux.android.dvm.DvmObject.callJniMethod(DvmObject.ja va:135) at com.github.unidbg.linux.android.dvm.DvmClass.callStaticJniMethodObject(D vmClass.java:316) at com.sina.weibo.security.SLib.nativeNewCalculateS(SLib.java:70) at com.sina.weibo.security.SLib.main(SLib.java:91) [17:05:57 269] WARN [com.github.unidbg.AbstractEmulator] (AbstractEmulator:417) - emulate RX@0x1200241c[libslib.so]0x241cexception sp=unidbg@0xe4fff1d0, msg=dvmObject=android.content.Context@50675690, dvmClass=classandroid/content/Context, jmethodID=unidbg@0x53f2c391, offset=12ms @ Runnable|Function64 address=0x1200241c, arguments=[unidbg@0xfffe1640, 1627241951, 1348949648, 834133664, 3] NullJNIEnv->GetStringUtfChars("2015876998797") was called fromRX@0x1203b48c[libslib.so]0x3b48cJNIEnv->ReleaseStringUTFChars("2015876998797") was called fromRX@0x1203b390[libslib.so]0x3b390[18:23:33 969] WARN [com.github.unidbg.linux.ARM64SyscallHandler] (ARM64SyscallHandler:410) - handleInterrupt intno=2, NR=-128048, svcNumber=0x1b4, PC=unidbg@0xfffe0bd4, LR=RX@0x1203b3d4[libslib.so]0x3b3d4, syscall=null java.lang.NullPointerException at java.util.Objects.requireNonNull(Objects.java:203) at com.github.unidbg.linux.android.dvm.DalvikVM64$181.handle(DalvikVM64.jav a:2962) at com.github.unidbg.linux.ARM64SyscallHandler.hook(ARM64SyscallHandler.jav a:119) at com.github.unidbg.arm.backend.Unicorn2Backend$11.hook(Unicorn2Backend.ja va:352) at com.github.unidbg.arm.backend.unicorn.Unicorn$NewHook.onInterrupt(Unicor n.java:109) at com.github.unidbg.arm.backend.unicorn.Unicorn.emu_start(Native Method) at com.github.unidbg.arm.backend.unicorn.Unicorn.emu_start(Unicorn.java:312 ) at com.github.unidbg.arm.backend.Unicorn2Backend.emu_start(Unicorn2Backend. java:389) at com.github.unidbg.AbstractEmulator.emulate(AbstractEmulator.java:378) at com.github.unidbg.thread.Function64.run(Function64.java:39) at com.github.unidbg.thread.MainTask.dispatch(MainTask.java:19) at com.github.unidbg.thread.UniThreadDispatcher.run(UniThreadDispatcher.jav a:165) at com.github.unidbg.thread.UniThreadDispatcher.runMainForResult(UniThreadD ispatcher.java:97) at com.github.unidbg.AbstractEmulator.runMainForResult(AbstractEmulator.jav a:341) at com.github.unidbg.arm.AbstractARM64Emulator.eFunc(AbstractARM64Emulator. java:262) at com.github.unidbg.Module.emulateFunction(Module.java:163) at com.github.unidbg.linux.android.dvm.DvmObject.callJniMethod(DvmObject.ja va:135) at com.github.unidbg.linux.android.dvm.DvmClass.callStaticJniMethodObject(D vmClass.java:316) at com.sina.weibo.security.SLib.nativeNewCalculateS(SLib.java:70) at com.sina.weibo.security.SLib.main(SLib.java:91) JNIEnv->GetStringUtfChars("2015876998797") was called fromRX@0x1203b48c[libslib.so]0x3b48cJNIEnv->ReleaseStringUTFChars("2015876998797") was called fromRX@0x1203b390[libslib.so]0x3b390[18:23:33 969] WARN [com.github.unidbg.linux.ARM64SyscallHandler] (ARM64SyscallHandler:410) - handleInterrupt intno=2, NR=-128048, svcNumber=0x1b4, PC=unidbg@0xfffe0bd4, LR=RX@0x1203b3d4[libslib.so]0x3b3d4, syscall=null java.lang.NullPointerException at java.util.Objects.requireNonNull(Objects.java:203) at com.github.unidbg.linux.android.dvm.DalvikVM64$181.handle(DalvikVM64.jav a:2962) at com.github.unidbg.linux.ARM64SyscallHandler.hook(ARM64SyscallHandler.jav a:119) at com.github.unidbg.arm.backend.Unicorn2Backend$11.hook(Unicorn2Backend.ja va:352) at com.github.unidbg.arm.backend.unicorn.Unicorn$NewHook.onInterrupt(Unicor n.java:109) at com.github.unidbg.arm.backend.unicorn.Unicorn.emu_start(Native Method) at com.github.unidbg.arm.backend.unicorn.Unicorn.emu_start(Unicorn.java:312 ) at com.github.unidbg.arm.backend.Unicorn2Backend.emu_start(Unicorn2Backend. java:389) at com.github.unidbg.AbstractEmulator.emulate(AbstractEmulator.java:378) at com.github.unidbg.thread.Function64.run(Function64.java:39) at com.github.unidbg.thread.MainTask.dispatch(MainTask.java:19) at com.github.unidbg.thread.UniThreadDispatcher.run(UniThreadDispatcher.jav a:165) at com.github.unidbg.thread.UniThreadDispatcher.runMainForResult(UniThreadD ispatcher.java:97) at com.github.unidbg.AbstractEmulator.runMainForResult(AbstractEmulator.jav a:341) at com.github.unidbg.arm.AbstractARM64Emulator.eFunc(AbstractARM64Emulator. java:262) at com.github.unidbg.Module.emulateFunction(Module.java:163) at com.github.unidbg.linux.android.dvm.DvmObject.callJniMethod(DvmObject.ja va:135) at com.github.unidbg.linux.android.dvm.DvmClass.callStaticJniMethodObject(D vmClass.java:316) at com.sina.weibo.security.SLib.nativeNewCalculateS(SLib.java:70) at com.sina.weibo.security.SLib.main(SLib.java:91) public void setDebug(){ Module module = mDalvikModule.getModule(); Debugger debugger = emulator.attach(DebuggerType.CONSOLE); debugger.addBreakPoint(module.base+0x03B3D0); }public void setDebug(){ Module module = mDalvikModule.getModule(); Debugger debugger = emulator.attach(DebuggerType.CONSOLE); debugger.addBreakPoint(module.base+0x03B3D0); }x0=0xfffe1640(-125376) x1=0x3930015a x8=0xfffe0bd0x0=0xfffe1640(-125376) x1=0x3930015a x8=0xfffe0bd0LDR X8, [X8,#0x520] 中的 0x520 就是SVC 的偏移值。 LDR X8, [X8,#0x520] 中的 0x520 就是SVC 的偏移值。 svcNumber=0x1b4, PC=unidbg@0xfffe0bd4, LR=RX@0x1203b3d4[libslib.so]0x3b3d4, syscall=null java.lang.NullPointerException at java.util.Objects.requireNonNull(Objects.java:203) at com.github.unidbg.linux.android.dvm.DalvikVM64$181.handle(DalvikVM64.jav a:2962) at com.github.unidbg.linux.ARM64SyscallHandler.hook(ARM64SyscallHandler.jav a:119) at com.github.unidbg.arm.backend.Unicorn2Backend$11.hook(Unicorn2Backend.ja va:352) at com.github.unidbg.arm.backend.unicorn.Unicorn$NewHook.onInterrupt(Unicor n.java:109) at com.github.unidbg.arm.backend.unicorn.Unicorn.emu_start(Native Method) at com.github.unidbg.arm.backend.unicorn.Unicorn.emu_start(Unicorn.java:312 ) at com.github.unidbg.arm.backend.Unicorn2Backend.emu_start(Unicorn2Backend. java:389) at com.github.unidbg.AbstractEmulator.emulate(AbstractEmulator.java:378) at com.github.unidbg.thread.Function64.run(Function64.java:39) at com.github.unidbg.thread.MainTask.dispatch(MainTask.java:19) at com.github.unidbg.thread.UniThreadDispatcher.run(UniThreadDispatcher.jav a:165) at com.github.unidbg.thread.UniThreadDispatcher.runMainForResult(UniThreadD ispatcher.java:97) at com.github.unidbg.AbstractEmulator.runMainForResult(AbstractEmulator.jav a:341) at com.github.unidbg.arm.AbstractARM64Emulator.eFunc(AbstractARM64Emulator. java:262) at com.github.unidbg.Module.emulateFunction(Module.java:163) at com.github.unidbg.linux.android.dvm.DvmObject.callJniMethod(DvmObject.ja va:135) at com.github.unidbg.linux.android.dvm.DvmClass.callStaticJniMethodObject(D vmClass.java:316) at com.sina.weibo.security.SLib.nativeNewCalculateS(SLib.java:80) at com.sina.weibo.security.SLib.main(SLib.java:102)svcNumber=0x1b4, PC=unidbg@0xfffe0bd4, LR=RX@0x1203b3d4[libslib.so]0x3b3d4, syscall=null java.lang.NullPointerException at java.util.Objects.requireNonNull(Objects.java:203) at com.github.unidbg.linux.android.dvm.DalvikVM64$181.handle(DalvikVM64.jav a:2962) at com.github.unidbg.linux.ARM64SyscallHandler.hook(ARM64SyscallHandler.jav a:119) at com.github.unidbg.arm.backend.Unicorn2Backend$11.hook(Unicorn2Backend.ja va:352) at com.github.unidbg.arm.backend.unicorn.Unicorn$NewHook.onInterrupt(Unicor n.java:109) at com.github.unidbg.arm.backend.unicorn.Unicorn.emu_start(Native Method) at com.github.unidbg.arm.backend.unicorn.Unicorn.emu_start(Unicorn.java:312 ) at com.github.unidbg.arm.backend.Unicorn2Backend.emu_start(Unicorn2Backend. java:389) at com.github.unidbg.AbstractEmulator.emulate(AbstractEmulator.java:378) at com.github.unidbg.thread.Function64.run(Function64.java:39) at com.github.unidbg.thread.MainTask.dispatch(MainTask.java:19) at com.github.unidbg.thread.UniThreadDispatcher.run(UniThreadDispatcher.jav a:165) at com.github.unidbg.thread.UniThreadDispatcher.runMainForResult(UniThreadD ispatcher.java:97) at com.github.unidbg.AbstractEmulator.runMainForResult(AbstractEmulator.jav a:341) at com.github.unidbg.arm.AbstractARM64Emulator.eFunc(AbstractARM64Emulator. java:262) at com.github.unidbg.Module.emulateFunction(Module.java:163) at com.github.unidbg.linux.android.dvm.DvmObject.callJniMethod(DvmObject.ja va:135) at com.github.unidbg.linux.android.dvm.DvmClass.callStaticJniMethodObject(D vmClass.java:316) at com.sina.weibo.security.SLib.nativeNewCalculateS(SLib.java:80) at com.sina.weibo.security.SLib.main(SLib.java:102)x0=0xfffe1640(-125376) x1=0x3930015a x8=0xfffe0bd0x0=0xfffe1640(-125376) x1=0x3930015a x8=0xfffe0bd0x0=0xfffe1640(-125376) x1=0x31aa x8=0xfffe0bd0x0=0xfffe1640(-125376) x1=0x31aa x8=0xfffe0bd0public void setMemoryHook(){ Module module = mDalvikModule.getModule(); emulator.getBackend().hook_add_new(new ReadHook() { private UnHook unHook; @Override public void hook(Backend backend, long address, int size, Object user) { String hexAddress = Long.toHexString(address - module.base); System.err.println("ReadHook Address: 0x" + hexAddress); System.err.println("user: " + user); AndroidEmulator muser = (AndroidEmulator)user; System.err.println("MemoryHook PC: " + muser.getContext().getPCPointer()); } @Override public void onAttach(UnHook unHook) { this.unHook = unHook; } @Override public void detach() { this.unHook.unhook(); } }, module.base + 0x50F58, module.base + 0x50F58 + 8L, emulator); }public void setMemoryHook(){ Module module = mDalvikModule.getModule(); emulator.getBackend().hook_add_new(new ReadHook() { private UnHook unHook; @Override public void hook(Backend backend, long address, int size, Object user) { String hexAddress = Long.toHexString(address - module.base); System.err.println("ReadHook Address: 0x" + hexAddress); System.err.println("user: " + user); AndroidEmulator muser = (AndroidEmulator)user; System.err.println("MemoryHook PC: " + muser.getContext().getPCPointer()); } @Override public void onAttach(UnHook unHook) { this.unHook = unHook; } @Override public void detach() { this.unHook.unhook(); } }, module.base + 0x50F58, module.base + 0x50F58 + 8L, emulator); }public void fix_0x50F58(){ Module module = mDalvikModule.getModule(); Pointer pointer_base = UnidbgPointer.pointer(emulator, module.base); pointer_base.setLong(0x50F58, 0x0); }public void fix_0x50F58(){ Module module = mDalvikModule.getModule(); Pointer pointer_base = UnidbgPointer.pointer(emulator, module.base); pointer_base.setLong(0x50F58, 0x0); }[培训]Windows内核深度攻防:从Hook技术到Rootkit实战!
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
