[求助]求助大神关于 unidbg 补坏境初始化
发表于: 2025-9-30 11:32 515
本人小白,想用 unidbg 跑通某番短剧的 libkwsgmain.so,无奈折腾了半个多月,初始化还是失败了。
求大神指点,先谢谢了!
下面是 unidbg 代码,但 doCommandNative 的返回结果是 null,正确结果应该是 1。
package com.kwai.theater;
import com.github.unidbg.AndroidEmulator;
import com.github.unidbg.Emulator;
import com.github.unidbg.Module;
import com.github.unidbg.arm.backend.Unicorn2Factory;
import com.github.unidbg.file.FileResult;
import com.github.unidbg.file.IOResolver;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.linux.android.dvm.*;
import com.github.unidbg.linux.android.dvm.api.AssetManager;
import com.github.unidbg.linux.android.dvm.array.ArrayObject;
import com.github.unidbg.memory.Memory;
import com.github.unidbg.virtualmodule.android.AndroidModule;
import com.github.unidbg.virtualmodule.android.JniGraphics;
import com.github.unidbg.virtualmodule.android.MediaNdkModule;
import com.github.unidbg.virtualmodule.android.SystemProperties;

import org.apache.log4j.Level;
import org.apache.log4j.Logger;

import java.io.Closeable;
import java.io.File;
import java.io.IOException;
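/**
 * unidbg harness for libkwsgmain.so.
 *
 * Boots a 32-bit Android emulator, loads the library from disk, runs
 * JNI_OnLoad and then issues a single doCommandNative call. Every callback the
 * native code makes back into "Java" (JNI) is answered by the overrides at the
 * bottom of this class; anything not handled there falls through to
 * AbstractJni, which throws for unknown signatures.
 *
 * The harness owns the emulator; closing it closes the emulator.
 */
public class Sig extends AbstractJni implements IOResolver, Closeable {
    private static final String PackName = "com.kwai.theater";
    private static final String AppPath = "unidbg-android/src/test/resources/kwai_theater/xifan_2.7.4.1.apk";
    // More than one SO may need loading for this app; only SoName[0] is loaded here.
    private static final String[] SoName = {"unidbg-android/src/test/resources/kwai_theater/libkwsgmain.so"};
    // Alternative: load by library name out of the APK instead of from a file.
    // private static final String[] SoName = {"kwsgmain"};

    private final AndroidEmulator emulator;
    private final VM vm;
    private final Module module;
    final Memory memory;

    /**
     * File-open hook for the emulated process.
     *
     * Prints every path the native code tries to open and returns null, which
     * leaves the actual resolution to unidbg's built-in resolvers.
     *
     * NOTE(review): the path handed out by getPackageCodePath() further down is
     * not served here; if the SO opens that path (it is not visible from this
     * file whether it does), the open falls through to the defaults — check
     * this log for it when init fails.
     *
     * @param emulator the emulator making the request
     * @param pathname path being opened
     * @param oflags   open(2) flags
     * @return null — no custom mapping
     */
    @Override
    public FileResult resolve(Emulator emulator, String pathname, int oflags) {
        System.out.println("Load File: " + pathname);
        return null;
    }

    /**
     * Builds the emulator, the Dalvik VM and loads the target SO.
     *
     * unidbg's own loggers are silenced so that the syscall trace and the JNI
     * trace (both switched on below) are the only noise.
     */
    Sig() {
        Level quiet = Level.ERROR;
        String[] noisyLoggers = {
                "com.github.unidbg.AbstractEmulator",
                "com.github.unidbg.unix.UnixSyscallHandler",
                "com.github.unidbg.linux.ARM32SyscallHandler",
                "com.github.unidbg.linux.android.dvm.DalvikVM",
                "com.github.unidbg.linux.android.dvm.BaseVM",
                "com.github.unidbg.linux.android.dvm",
        };
        for (String name : noisyLoggers) {
            Logger.getLogger(name).setLevel(quiet);
        }

        // 32-bit ARM process named after the package, on the Unicorn2 backend.
        emulator = AndroidEmulatorBuilder.for32Bit()
                .setProcessName(PackName)
                .addBackendFactory(new Unicorn2Factory(false))
                .build();
        // Trace every syscall and route file opens through resolve() above.
        emulator.getSyscallHandler().setVerbose(true);
        emulator.getSyscallHandler().addIOResolver(this);

        memory = emulator.getMemory();
        // System libraries are resolved against the bundled API-level-23 set.
        memory.setLibraryResolver(new AndroidResolver(23));

        // The APK is handed to the VM so unidbg can answer signature-related
        // lookups itself (per the original author's note).
        vm = emulator.createDalvikVM(new File(AppPath));

        // Virtual stand-ins for native system libraries the SO may link against.
        new AndroidModule(emulator, vm).register(memory);
        new MediaNdkModule(emulator, vm).register(memory);
        new JniGraphics(emulator, vm).register(memory);
        new SystemProperties(emulator, null).register(memory);

        // This class answers the JNI callbacks; log each one.
        vm.setJni(this);
        vm.setVerbose(true);

        // Load the target SO from disk and run its JNI_OnLoad.
        DalvikModule dm = vm.loadLibrary(new File(SoName[0]), true);
        // DalvikModule dm = vm.loadLibrary(SoName[0], true);
        module = dm.getModule();
        dm.callJNI_OnLoad(emulator);
        // emulator.attach().addBreakPoint(module.base + 0xd072);
    }

    /** Releases the emulator. */
    @Override
    public void close() throws IOException {
        emulator.close();
    }

    public static void main(String[] args) throws IOException {
        // try-with-resources so the emulator is closed even if the call throws.
        try (Sig action = new Sig()) {
            action.doCommandNativeInit();
        }
    }

    /**
     * Issues doCommandNative(10412, args) and prints the returned object.
     *
     * The argument array layout (null, appkey, null, null, context, null, null)
     * and the command id 10412 are taken as given by the original author —
     * TODO confirm them against the app's decompiled Java caller.
     */
    private void doCommandNativeInit() {
        DvmClass jniCLibrary = vm.resolveClass("com.kuaishou.android.security.internal.dispatch.JNICLibrary");
        StringObject appkey = new StringObject(vm, "d74f8f6d-951f-4ba0-bace-e5666ea0e323");
        DvmObject<?> context = vm.resolveClass("com.kwai.theater.KSApplication").newObject(null);
        ArrayObject commandArgs = new ArrayObject(null, appkey, null, null, context, null, null);
        DvmObject<?> result = jniCLibrary.callStaticJniMethodObject(emulator,
                "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;", 10412, commandArgs);
        System.out.println("result:" + result);
    }

    /**
     * Answers instance-method callbacks on the fake application context.
     *
     * Anything outside the four KSApplication getters is delegated to
     * AbstractJni.
     */
    @Override
    public DvmObject<?> callObjectMethodV(BaseVM vm, DvmObject<?> dvmObject, String signature, VaList vaList) {
        switch (signature) {
            case "com/kwai/theater/KSApplication->getPackageCodePath()Ljava/lang/String;":
                // Fabricated install path; see the note on resolve() about serving it.
                return new StringObject(vm, "/data/app/~~Xbux6OumhkgWT9KynIGWxA==/com.kwai.theater-XkyrDGEr330D6Ah1YOZ5bg==/base.apk");
            case "com/kwai/theater/KSApplication->getPackageName()Ljava/lang/String;":
                return new StringObject(vm, "com.kwai.theater");
            case "com/kwai/theater/KSApplication->getAssets()Landroid/content/res/AssetManager;":
                return new AssetManager(vm, signature);
            case "com/kwai/theater/KSApplication->getPackageManager()Landroid/content/pm/PackageManager;":
                // Bare object: any method the SO calls on it will surface as an
                // unhandled signature in AbstractJni, which is the next thing to stub.
                return vm.resolveClass("android/content/pm/PackageManager").newObject(signature);
            default:
                return super.callObjectMethodV(vm, dvmObject, signature, vaList);
        }
    }

    /**
     * Answers the two ExceptionProxy static lookups the SO makes.
     *
     * getThreadByName is answered with a fixed, concatenated stack trace; this
     * presumably mirrors what the real Java side produces (a stack walk through
     * ExceptionProxy) — TODO confirm against the app's ExceptionProxy source.
     */
    @Override
    public DvmObject<?> callStaticObjectMethodV(BaseVM vm, DvmClass dvmClass, String signature, VaList vaList) {
        switch (signature) {
            case "com/kuaishou/android/security/internal/common/ExceptionProxy->getProcessName(Landroid/content/Context;)Ljava/lang/String;":
                return new StringObject(vm, "com.kwai.theater");
            case "com/kuaishou/android/security/internal/common/ExceptionProxy->getThreadByName(Ljava/lang/String;)Ljava/lang/String;": {
                String trace = "dalvik.system.VMStack-getThreadStackTracejava.lang.Thread-getStackTracecom.kuaishou.android.security.internal.common.ExceptionProxy-getThreadByNamecom.kuaishou.android.security.internal.common.ExceptionProxy-getThreadByName";
                return new StringObject(vm, trace);
            }
            default:
                return super.callStaticObjectMethodV(vm, dvmClass, signature, vaList);
        }
    }

    /**
     * Handles ExceptionProxy.nativeReport(int, String).
     *
     * The original stub returned silently and so threw away the int and the
     * String the native code passes here — by its signature the only channel
     * through which the SO reports back to Java. Both arguments are now printed
     * before the call is swallowed, which is usually the first clue to why an
     * init returns null.
     */
    @Override
    public void callStaticVoidMethodV(BaseVM vm, DvmClass dvmClass, String signature, VaList vaList) {
        if (signature.equals("com/kuaishou/android/security/internal/common/ExceptionProxy->nativeReport(ILjava/lang/String;)V")) {
            int code = vaList.getIntArg(0);
            DvmObject<?> message = vaList.getObjectArg(1);
            System.out.println("nativeReport: code=" + code
                    + " msg=" + (message == null ? null : message.getValue()));
            return;
        }
        super.callStaticVoidMethodV(vm, dvmClass, signature, vaList);
    }
}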
下面是样本的地址:
99bK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6H3j5h3&6Q4x3X3g2I4N6h3q4J5K9#2)9J5k6h3y4F1i4K6u0r3M7#2)9J5c8U0u0T1x3K6l9J5x3U0S2T1y4X3x3$3x3l9`.`.
求大神指点,再次感谢 