版本: 370401
字节的校验参数是在 libmetasec_ml.so 中,静态导出函数只有一个 JNI_OnLoad, 其它导出函数是通过 JNIEnv->RegisterNatives 动态注册。
init_array 段如下:
首先运行 UNIDBG 最基础的代码来测试 init_array :
正常情况下,输出日志如下:
运行 dm.callJNI_OnLoad(emulator); 调用 JNI_OnLoad 后报错 :
错误的原因如下 :
根据 APK 的 JAVA 代码 :
补充以下代码 :
继续运行报错 :
修补环境, 打印出第一个参数是 268435470
继续分析以上 com/bytedance/mobsec/metasec/ml/MS 类的调用, 最终的调用函数 u2.a(i, i2, j, str, obj) 代码如下 :
返回结果为 2
修补代码如下 :
最终调用 JNI_OnLoad 的完整代码如下 :
输出日志如下:
根据 JNI_OnLoad 的日志,可以看到其调用了 RegisterNatives 注册了 ms/bd/c/y2 类的 a 函数 , 对应的 libmetasec_ml.so 函数的地址为 0x26f0f8
对应的反汇编代码如下:
对 ms/bd/c/y2 类的 a 函数进行 HOOK, 和 com.bytedance.mobsec.metasec.ml.MS 的 a 是同一个函数, HOOK 代码如下:
发现有调用号为 0x1000001 的解密调用:
在 UNIDBG 中对解密函数进行调用:
成功输出了 scale 的解密结果:
但是没有 HOOK 到调用号为 0x3000001 对签名参数的调用,手动构造 0x3000001 的参数,使用 FRIDA 主动调用的代码如下:
返回结果为 NULL :
字节使用的网络底层库是 Cronet, 签名参数是在 libsscronet.so 中添加的,根据字符串 x-ttnet-origin-url 定位到目标函数地址是 0x47A31C,
调用 libmetasec_ml.so 签名函数的伪代码和汇编代码如下:
使用 FRIDA HOOK 0x47AAEC 地址, 获取到 X23 的地址是 libmetasec_ml.so 的 0x2A45F0 偏移:
对 libmetasec_ml.so 的 0x2A45F0 地址进行 HOOK ,获取到了签名参数:
UNIDBG 调用签名函数代码如下:
修补完环境后的完整代码如下:
生成的结果如下:
.init_array:0000000000374BC0 ; Segment type: Pure data
.init_array:0000000000374BC0 AREA .init_array, DATA, ALIGN=3
.init_array:0000000000374BC0 ; ORG 0x374BC0
.init_array:0000000000374BC0 DCQ sub_173268
.init_array:0000000000374BC8 DCQ sub_180D6C
.init_array:0000000000374BD0 DCQ sub_268454
.init_array:0000000000374BD8 DCQ sub_2723C8
.init_array:0000000000374BE0 DCQ sub_283BA0
.init_array:0000000000374BE8 DCQ sub_29AE6C
.init_array:0000000000374BF0 DCQ sub_29D1A4
.init_array:0000000000374BF8 DCQ sub_2A0B1C
.init_array:0000000000374C00 DCQ sub_2A3288
.init_array:0000000000374C08 DCQ sub_2A3CA8
.init_array:0000000000374C10 DCQ sub_343964
.init_array:0000000000374C10 ; .init_array ends
.init_array:0000000000374BC0 ; Segment type: Pure data
.init_array:0000000000374BC0 AREA .init_array, DATA, ALIGN=3
.init_array:0000000000374BC0 ; ORG 0x374BC0
.init_array:0000000000374BC0 DCQ sub_173268
.init_array:0000000000374BC8 DCQ sub_180D6C
.init_array:0000000000374BD0 DCQ sub_268454
.init_array:0000000000374BD8 DCQ sub_2723C8
.init_array:0000000000374BE0 DCQ sub_283BA0
.init_array:0000000000374BE8 DCQ sub_29AE6C
.init_array:0000000000374BF0 DCQ sub_29D1A4
.init_array:0000000000374BF8 DCQ sub_2A0B1C
.init_array:0000000000374C00 DCQ sub_2A3288
.init_array:0000000000374C08 DCQ sub_2A3CA8
.init_array:0000000000374C10 DCQ sub_343964
.init_array:0000000000374C10 ; .init_array ends
package com.ss.android.ugc.aweme;
import com.github.unidbg.AndroidEmulator;
import com.github.unidbg.Module;
import com.github.unidbg.arm.backend.Unicorn2Factory;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.linux.android.dvm.*;
import com.github.unidbg.memory.Memory;
import java.io.File;
/**
 * Baseline unidbg harness: builds a 64-bit Android emulator, attaches a Dalvik VM backed by
 * the APK, and loads the native library with its init functions enabled.
 *
 * <p>This first version stops after loading; it does not call {@code JNI_OnLoad}. Both file
 * paths are local, build-specific copies (370401), so results apply to that build only.
 */
public class Sign6_370401 extends AbstractJni {
    private static final String PROCESS_NAME = "com.ss.android.ugc.aweme";
    private static final String APK_PATH =
            "unidbg-android/src/test/resources/bytedance/aweme_douyinweb2_370401.apk";
    private static final String LIBRARY_PATH =
            "unidbg-android/src/test/resources/bytedance/libmetasec_ml.370401.so";

    private final AndroidEmulator emulator;
    private final VM vm;
    private final Module module;
    private final Memory memory;

    /** Sets up emulator, memory and VM in that order, then loads the library. */
    private Sign6_370401() {
        emulator = AndroidEmulatorBuilder.for64Bit()
                .setProcessName(PROCESS_NAME)
                .addBackendFactory(new Unicorn2Factory(true))
                .build();
        emulator.getBackend().registerEmuCountHook(100000);
        // Verbose syscall tracing produces the "File opened ..." lines seen in the log output.
        emulator.getSyscallHandler().setVerbose(true);
        emulator.getSyscallHandler().setEnableThreadDispatcher(true);

        memory = emulator.getMemory();
        memory.setLibraryResolver(new AndroidResolver(23));
        // Run the library's init functions on load (the .init_array entries under test).
        memory.setCallInitFunction(true);

        vm = emulator.createDalvikVM(new File(APK_PATH));
        // This class answers the JNI callbacks the native code makes into "Java".
        vm.setJni(this);
        vm.setVerbose(true);

        module = vm.loadLibrary(new File(LIBRARY_PATH), true).getModule();
    }

    /** Entry point: constructing the harness performs the whole load. */
    public static void main(String[] args) {
        new Sign6_370401();
    }
}
package com.ss.android.ugc.aweme;
import com.github.unidbg.AndroidEmulator;
import com.github.unidbg.Module;
import com.github.unidbg.arm.backend.Unicorn2Factory;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.linux.android.dvm.*;
import com.github.unidbg.memory.Memory;
import java.io.File;
/**
 * Baseline unidbg harness: builds a 64-bit Android emulator, attaches a Dalvik VM backed by
 * the APK, and loads the native library with its init functions enabled.
 *
 * <p>This first version stops after loading; it does not call {@code JNI_OnLoad}. Both file
 * paths are local, build-specific copies (370401), so results apply to that build only.
 */
public class Sign6_370401 extends AbstractJni {
    private static final String PROCESS_NAME = "com.ss.android.ugc.aweme";
    private static final String APK_PATH =
            "unidbg-android/src/test/resources/bytedance/aweme_douyinweb2_370401.apk";
    private static final String LIBRARY_PATH =
            "unidbg-android/src/test/resources/bytedance/libmetasec_ml.370401.so";

    private final AndroidEmulator emulator;
    private final VM vm;
    private final Module module;
    private final Memory memory;

    /** Sets up emulator, memory and VM in that order, then loads the library. */
    private Sign6_370401() {
        emulator = AndroidEmulatorBuilder.for64Bit()
                .setProcessName(PROCESS_NAME)
                .addBackendFactory(new Unicorn2Factory(true))
                .build();
        emulator.getBackend().registerEmuCountHook(100000);
        // Verbose syscall tracing produces the "File opened ..." lines seen in the log output.
        emulator.getSyscallHandler().setVerbose(true);
        emulator.getSyscallHandler().setEnableThreadDispatcher(true);

        memory = emulator.getMemory();
        memory.setLibraryResolver(new AndroidResolver(23));
        // Run the library's init functions on load (the .init_array entries under test).
        memory.setCallInitFunction(true);

        vm = emulator.createDalvikVM(new File(APK_PATH));
        // This class answers the JNI callbacks the native code makes into "Java".
        vm.setJni(this);
        vm.setVerbose(true);

        module = vm.loadLibrary(new File(LIBRARY_PATH), true).getModule();
    }

    /** Entry point: constructing the harness performs the whole load. */
    public static void main(String[] args) {
        new Sign6_370401();
    }
}
File opened 'stdin' with oflags=0x0 from null
File opened 'stdout' with oflags=0x1 from null
File opened 'stderr' with oflags=0x1 from null
[17:25:31 888] DEBUG [com.github.unidbg.linux.android.dvm.DalvikVM64] (DalvikVM64:3927) - _JavaVM=unidbg@0xfffe0080, _JNIInvokeInterface=unidbg@0xfffe16a0, _JNIEnv=unidbg@0xfffe1640
[17:25:32 070] INFO [com.github.unidbg.linux.AndroidElfLoader] (AndroidElfLoader:487) - libmetasec_ml.so load dependency libandroid.so failed
File opened '/dev/__properties__' with oflags=0x88000 from RX@0x12552854[libc.so]0x22854
File closed '/dev/__properties__' from RX@0x1254ece4[libc.so]0x1ece4
File opened '/proc/stat' with oflags=0x80000 from RX@0x12552854[libc.so]0x22854
dlopen:libnetd_client.so
AndroidElfLoader dlopen libnetd_client.so
AndroidElfLoader LinuxModule null
AndroidElfLoader MemRegion name /system/lib64/libdl.so
AndroidElfLoader MemRegion name /system/lib64/libdl.so
AndroidElfLoader MemRegion name /system/lib64/libc.so
AndroidElfLoader MemRegion name /system/lib64/libc.so
AndroidElfLoader MemRegion name /system/lib64/libm.so
AndroidElfLoader MemRegion name /system/lib64/libm.so
AndroidElfLoader MemRegion name /system/lib64/libc++.so
AndroidElfLoader MemRegion name /system/lib64/libc++.so
AndroidElfLoader MemRegion name /system/lib64/liblog.so
AndroidElfLoader MemRegion name /system/lib64/liblog.so
AndroidElfLoader MemRegion name /system/lib64/libmetasec_ml.370401.so
AndroidElfLoader MemRegion name /system/lib64/libmetasec_ml.370401.so
AndroidElfLoader MemRegion name /system/lib64/libmetasec_ml.370401.so
AndroidElfLoader LibraryFile null
Read 1884 bytes from '/proc/stat'
Read 0 bytes from '/proc/stat'
File closed '/proc/stat' from RX@0x1254ece4[libc.so]0x1ece4
File opened 'stdin' with oflags=0x0 from null
File opened 'stdout' with oflags=0x1 from null
File opened 'stderr' with oflags=0x1 from null
[17:25:31 888] DEBUG [com.github.unidbg.linux.android.dvm.DalvikVM64] (DalvikVM64:3927) - _JavaVM=unidbg@0xfffe0080, _JNIInvokeInterface=unidbg@0xfffe16a0, _JNIEnv=unidbg@0xfffe1640
[17:25:32 070] INFO [com.github.unidbg.linux.AndroidElfLoader] (AndroidElfLoader:487) - libmetasec_ml.so load dependency libandroid.so failed
File opened '/dev/__properties__' with oflags=0x88000 from RX@0x12552854[libc.so]0x22854
File closed '/dev/__properties__' from RX@0x1254ece4[libc.so]0x1ece4
File opened '/proc/stat' with oflags=0x80000 from RX@0x12552854[libc.so]0x22854
dlopen:libnetd_client.so
AndroidElfLoader dlopen libnetd_client.so
AndroidElfLoader LinuxModule null
AndroidElfLoader MemRegion name /system/lib64/libdl.so
AndroidElfLoader MemRegion name /system/lib64/libdl.so
AndroidElfLoader MemRegion name /system/lib64/libc.so
AndroidElfLoader MemRegion name /system/lib64/libc.so
AndroidElfLoader MemRegion name /system/lib64/libm.so
AndroidElfLoader MemRegion name /system/lib64/libm.so
AndroidElfLoader MemRegion name /system/lib64/libc++.so
AndroidElfLoader MemRegion name /system/lib64/libc++.so
AndroidElfLoader MemRegion name /system/lib64/liblog.so
AndroidElfLoader MemRegion name /system/lib64/liblog.so
AndroidElfLoader MemRegion name /system/lib64/libmetasec_ml.370401.so
AndroidElfLoader MemRegion name /system/lib64/libmetasec_ml.370401.so
AndroidElfLoader MemRegion name /system/lib64/libmetasec_ml.370401.so
AndroidElfLoader LibraryFile null
Read 1884 bytes from '/proc/stat'
Read 0 bytes from '/proc/stat'
File closed '/proc/stat' from RX@0x1254ece4[libc.so]0x1ece4
[17:29:47 233] DEBUG [com.github.unidbg.linux.android.dvm.DalvikModule] (DalvikModule:31) - Call [libmetasec_ml.so]JNI_OnLoad: 0x1227bfb0
[17:29:47 237] DEBUG [com.github.unidbg.linux.android.dvm.DalvikVM64] (DalvikVM64$234:3901) - GetEnv vm=unidbg@0xfffe0080, env=null, version=0x10006
JNIEnv->FindClass(com/bytedance/mobsec/metasec/ml/MS) was called from RX@0x1226ee80[libmetasec_ml.so]0x26ee80
[17:29:47 238] DEBUG [com.github.unidbg.linux.android.dvm.BaseVM] (BaseVM:146) - addObject hash=0x76f84423, global=true
[17:29:47 240] DEBUG [com.github.unidbg.linux.android.dvm.BaseVM] (BaseVM:146) - addObject hash=0x36f48686, global=true
[17:29:47 240] DEBUG [com.github.unidbg.linux.android.dvm.DalvikVM64] (DalvikVM64$3:87) - FindClass env=unidbg@0xfffe1640, className=com/bytedance/mobsec/metasec/ml/MS, hash=0x36f48686
JNIEnv->GetSuperClass(class com/bytedance/mobsec/metasec/ml/MS) was called from RX@0x1226ee9c[libmetasec_ml.so]0x26ee9c
[17:29:47 240] DEBUG [com.github.unidbg.linux.android.dvm.DalvikVM64] (DalvikVM64$7:153) - JNIEnv->GetSuperClass was called, class = com/bytedance/mobsec/metasec/ml/MS, superClass get failed.
[17:29:47 241] WARN [com.github.unidbg.linux.ARM64SyscallHandler] (ARM64SyscallHandler:410) - handleInterrupt intno=2, NR=-130832, svcNumber=0x106, PC=unidbg@0xfffe00f4, LR=RX@0x1226ee9c[libmetasec_ml.so]0x26ee9c, syscall=null
com.github.unidbg.arm.backend.BackendException
at com.github.unidbg.linux.android.dvm.DalvikVM64$7.handle(DalvikVM64.java:155)
at com.github.unidbg.linux.ARM64SyscallHandler.hook(ARM64SyscallHandler.java:119)
at com.github.unidbg.arm.backend.Unicorn2Backend$11.hook(Unicorn2Backend.java:352)
at com.github.unidbg.arm.backend.unicorn.Unicorn$NewHook.onInterrupt(Unicorn.java:109)
at com.github.unidbg.arm.backend.unicorn.Unicorn.emu_start(Native Method)
at com.github.unidbg.arm.backend.unicorn.Unicorn.emu_start(Unicorn.java:312)
at com.github.unidbg.arm.backend.Unicorn2Backend.emu_start(Unicorn2Backend.java:389)
at com.github.unidbg.AbstractEmulator.emulate(AbstractEmulator.java:378)
at com.github.unidbg.thread.Function64.run(Function64.java:39)
at com.github.unidbg.thread.MainTask.dispatch(MainTask.java:19)
at com.github.unidbg.thread.UniThreadDispatcher.run(UniThreadDispatcher.java:165)
at com.github.unidbg.thread.UniThreadDispatcher.runMainForResult(UniThreadDispatcher.java:97)
at com.github.unidbg.AbstractEmulator.runMainForResult(AbstractEmulator.java:341)
at com.github.unidbg.arm.AbstractARM64Emulator.eFunc(AbstractARM64Emulator.java:262)
at com.github.unidbg.Module.emulateFunction(Module.java:163)
at com.github.unidbg.linux.LinuxModule.callFunction(LinuxModule.java:256)
at com.github.unidbg.linux.LinuxSymbol.call(LinuxSymbol.java:27)
at com.github.unidbg.linux.android.dvm.DalvikModule.callJNI_OnLoad(DalvikModule.java:33)
at com.ss.android.ugc.aweme.Sign6_370401.<init>(Sign6_370401.java:40)
at com.ss.android.ugc.aweme.Sign6_370401.main(Sign6_370401.java:45)
[17:29:47 243] WARN [com.github.unidbg.AbstractEmulator] (AbstractEmulator:417) - emulate RX@0x1227bfb0[libmetasec_ml.so]0x27bfb0 exception sp=unidbg@0xe4fff460, msg=com.github.unidbg.arm.backend.BackendException, offset=8ms @ Runnable|Function64 address=0x1227bfb0, arguments=[unidbg@0xfffe0080, null]
[17:29:47 243] DEBUG [com.github.unidbg.linux.android.dvm.DalvikModule] (DalvikModule:36) - Call [libmetasec_ml.so]JNI_OnLoad finished: version=0xffffffff, offset=10ms
Exception in thread "main" java.lang.IllegalStateException: Illegal JNI version: 0xffffffff
at com.github.unidbg.linux.android.dvm.BaseVM.checkVersion(BaseVM.java:228)
at com.github.unidbg.linux.android.dvm.DalvikModule.callJNI_OnLoad(DalvikModule.java:39)
at com.ss.android.ugc.aweme.Sign6_370401.<init>(Sign6_370401.java:40)
at com.ss.android.ugc.aweme.Sign6_370401.main(Sign6_370401.java:45)
[17:29:47 233] DEBUG [com.github.unidbg.linux.android.dvm.DalvikModule] (DalvikModule:31) - Call [libmetasec_ml.so]JNI_OnLoad: 0x1227bfb0
[17:29:47 237] DEBUG [com.github.unidbg.linux.android.dvm.DalvikVM64] (DalvikVM64$234:3901) - GetEnv vm=unidbg@0xfffe0080, env=null, version=0x10006
JNIEnv->FindClass(com/bytedance/mobsec/metasec/ml/MS) was called from RX@0x1226ee80[libmetasec_ml.so]0x26ee80
[17:29:47 238] DEBUG [com.github.unidbg.linux.android.dvm.BaseVM] (BaseVM:146) - addObject hash=0x76f84423, global=true
[17:29:47 240] DEBUG [com.github.unidbg.linux.android.dvm.BaseVM] (BaseVM:146) - addObject hash=0x36f48686, global=true
[17:29:47 240] DEBUG [com.github.unidbg.linux.android.dvm.DalvikVM64] (DalvikVM64$3:87) - FindClass env=unidbg@0xfffe1640, className=com/bytedance/mobsec/metasec/ml/MS, hash=0x36f48686
JNIEnv->GetSuperClass(class com/bytedance/mobsec/metasec/ml/MS) was called from RX@0x1226ee9c[libmetasec_ml.so]0x26ee9c
[17:29:47 240] DEBUG [com.github.unidbg.linux.android.dvm.DalvikVM64] (DalvikVM64$7:153) - JNIEnv->GetSuperClass was called, class = com/bytedance/mobsec/metasec/ml/MS, superClass get failed.
[17:29:47 241] WARN [com.github.unidbg.linux.ARM64SyscallHandler] (ARM64SyscallHandler:410) - handleInterrupt intno=2, NR=-130832, svcNumber=0x106, PC=unidbg@0xfffe00f4, LR=RX@0x1226ee9c[libmetasec_ml.so]0x26ee9c, syscall=null
com.github.unidbg.arm.backend.BackendException
at com.github.unidbg.linux.android.dvm.DalvikVM64$7.handle(DalvikVM64.java:155)
at com.github.unidbg.linux.ARM64SyscallHandler.hook(ARM64SyscallHandler.java:119)
at com.github.unidbg.arm.backend.Unicorn2Backend$11.hook(Unicorn2Backend.java:352)
at com.github.unidbg.arm.backend.unicorn.Unicorn$NewHook.onInterrupt(Unicorn.java:109)
at com.github.unidbg.arm.backend.unicorn.Unicorn.emu_start(Native Method)
at com.github.unidbg.arm.backend.unicorn.Unicorn.emu_start(Unicorn.java:312)
at com.github.unidbg.arm.backend.Unicorn2Backend.emu_start(Unicorn2Backend.java:389)
at com.github.unidbg.AbstractEmulator.emulate(AbstractEmulator.java:378)
at com.github.unidbg.thread.Function64.run(Function64.java:39)
at com.github.unidbg.thread.MainTask.dispatch(MainTask.java:19)
at com.github.unidbg.thread.UniThreadDispatcher.run(UniThreadDispatcher.java:165)
at com.github.unidbg.thread.UniThreadDispatcher.runMainForResult(UniThreadDispatcher.java:97)
at com.github.unidbg.AbstractEmulator.runMainForResult(AbstractEmulator.java:341)
at com.github.unidbg.arm.AbstractARM64Emulator.eFunc(AbstractARM64Emulator.java:262)
at com.github.unidbg.Module.emulateFunction(Module.java:163)
at com.github.unidbg.linux.LinuxModule.callFunction(LinuxModule.java:256)
at com.github.unidbg.linux.LinuxSymbol.call(LinuxSymbol.java:27)
at com.github.unidbg.linux.android.dvm.DalvikModule.callJNI_OnLoad(DalvikModule.java:33)
at com.ss.android.ugc.aweme.Sign6_370401.<init>(Sign6_370401.java:40)
at com.ss.android.ugc.aweme.Sign6_370401.main(Sign6_370401.java:45)
[17:29:47 243] WARN [com.github.unidbg.AbstractEmulator] (AbstractEmulator:417) - emulate RX@0x1227bfb0[libmetasec_ml.so]0x27bfb0 exception sp=unidbg@0xe4fff460, msg=com.github.unidbg.arm.backend.BackendException, offset=8ms @ Runnable|Function64 address=0x1227bfb0, arguments=[unidbg@0xfffe0080, null]
[17:29:47 243] DEBUG [com.github.unidbg.linux.android.dvm.DalvikModule] (DalvikModule:36) - Call [libmetasec_ml.so]JNI_OnLoad finished: version=0xffffffff, offset=10ms
Exception in thread "main" java.lang.IllegalStateException: Illegal JNI version: 0xffffffff
at com.github.unidbg.linux.android.dvm.BaseVM.checkVersion(BaseVM.java:228)
at com.github.unidbg.linux.android.dvm.DalvikModule.callJNI_OnLoad(DalvikModule.java:39)
at com.ss.android.ugc.aweme.Sign6_370401.<init>(Sign6_370401.java:40)
at com.ss.android.ugc.aweme.Sign6_370401.main(Sign6_370401.java:45)
JNIEnv->GetSuperClass was called, class = com/bytedance/mobsec/metasec/ml/MS, superClass get failed.
JNIEnv->GetSuperClass was called, class = com/bytedance/mobsec/metasec/ml/MS, superClass get failed.
package com.bytedance.mobsec.metasec.ml;
import ms.bd.c.i2;
/**
 * Decompiled leaf class that the native library looks up with {@code FindClass}.
 * It declares nothing itself; every member comes from {@code i2} and, above it, {@code y2}.
 */
public final class MS extends i2 {}
package com.bytedance.mobsec.metasec.ml;
import ms.bd.c.i2;
/**
 * Decompiled leaf class that the native library looks up with {@code FindClass}.
 * It declares nothing itself; every member comes from {@code i2} and, above it, {@code y2}.
 */
public final class MS extends i2 {}
package ms.bd.c;
/**
 * Decompiled middle class of the chain {@code MS -> i2 -> y2}.
 *
 * <p>All three methods have empty bodies in the decompiler output; whether the shipped
 * class really has no code there cannot be confirmed from this listing.
 */
public abstract class i2 extends y2 {
    /** Empty in the decompiled output. */
    public static final void Louis() {}

    /** Empty in the decompiled output. */
    public static final void Zeoy() {}

    /** Empty in the decompiled output. */
    public void Francies() {}
}
package ms.bd.c;
/**
 * Decompiled middle class of the chain {@code MS -> i2 -> y2}.
 *
 * <p>All three methods have empty bodies in the decompiler output; whether the shipped
 * class really has no code there cannot be confirmed from this listing.
 */
public abstract class i2 extends y2 {
    /** Empty in the decompiled output. */
    public static final void Louis() {}

    /** Empty in the decompiled output. */
    public static final void Zeoy() {}

    /** Empty in the decompiled output. */
    public void Francies() {}
}
package ms.bd.c;
/**
 * Decompiled root of the chain {@code MS -> i2 -> y2}; it holds the two static bridge methods
 * between Java and the native library.
 */
public abstract class y2 {
    /**
     * Native entry point. It has no static export in the library; the JNI_OnLoad log on the
     * page shows it being bound at load time through RegisterNatives.
     */
    public static native Object a(int i, int i2, long j, String str, Object obj);

    /**
     * Java-side counterpart: forwards all five arguments unchanged to {@code u2.a}.
     *
     * @throws RuntimeException wrapping anything {@code u2.a} throws, including Errors
     */
    public static Object b(int i, int i2, long j, String str, Object obj) {
        Object result;
        try {
            result = u2.a(i, i2, j, str, obj);
        } catch (Throwable cause) {
            throw new RuntimeException(cause);
        }
        return result;
    }
}
package ms.bd.c;
/**
 * Decompiled root of the chain {@code MS -> i2 -> y2}; it holds the two static bridge methods
 * between Java and the native library.
 */
public abstract class y2 {
    /**
     * Native entry point. It has no static export in the library; the JNI_OnLoad log on the
     * page shows it being bound at load time through RegisterNatives.
     */
    public static native Object a(int i, int i2, long j, String str, Object obj);

    /**
     * Java-side counterpart: forwards all five arguments unchanged to {@code u2.a}.
     *
     * @throws RuntimeException wrapping anything {@code u2.a} throws, including Errors
     */
    public static Object b(int i, int i2, long j, String str, Object obj) {
        Object result;
        try {
            result = u2.a(i, i2, j, str, obj);
        } catch (Throwable cause) {
            throw new RuntimeException(cause);
        }
        return result;
    }
}
// The APK's Java code declares MS extends i2 extends y2. Register the classes parent-first
// and pass each parent on, so the emulated VM can answer GetSuperClass for MS; without
// this the log reports "superClass get failed" and JNI_OnLoad aborts.
DvmClass y2Class = vm.resolveClass("ms/bd/c/y2");
DvmClass i2Class = vm.resolveClass("ms/bd/c/i2", y2Class);
DvmClass msClass = vm.resolveClass("com/bytedance/mobsec/metasec/ml/MS", i2Class);
// The APK's Java code declares MS extends i2 extends y2. Register the classes parent-first
// and pass each parent on, so the emulated VM can answer GetSuperClass for MS; without
// this the log reports "superClass get failed" and JNI_OnLoad aborts.
DvmClass y2Class = vm.resolveClass("ms/bd/c/y2");
DvmClass i2Class = vm.resolveClass("ms/bd/c/i2", y2Class);
DvmClass msClass = vm.resolveClass("com/bytedance/mobsec/metasec/ml/MS", i2Class);
java.lang.UnsupportedOperationException: com/bytedance/mobsec/metasec/ml/MS->b(IIJLjava/lang/String;Ljava/lang/Object;)Ljava/lang/Object;
at com.github.unidbg.linux.android.dvm.AbstractJni.callStaticObjectMethodV(AbstractJni.java:504)
at com.github.unidbg.linux.android.dvm.AbstractJni.callStaticObjectMethodV(AbstractJni.java:438)
at com.github.unidbg.linux.android.dvm.DvmMethod.callStaticObjectMethodV(DvmMethod.java:59)
at com.github.unidbg.linux.android.dvm.DalvikVM64$112.handle(DalvikVM64.java:1836)
at com.github.unidbg.linux.ARM64SyscallHandler.hook(ARM64SyscallHandler.java:119)
at com.github.unidbg.arm.backend.Unicorn2Backend$11.hook(Unicorn2Backend.java:352)
at com.github.unidbg.arm.backend.unicorn.Unicorn$NewHook.onInterrupt(Unicorn.java:109)
at com.github.unidbg.arm.backend.unicorn.Unicorn.emu_start(Native Method)
at com.github.unidbg.arm.backend.unicorn.Unicorn.emu_start(Unicorn.java:312)
at com.github.unidbg.arm.backend.Unicorn2Backend.emu_start(Unicorn2Backend.java:389)
at com.github.unidbg.AbstractEmulator.emulate(AbstractEmulator.java:378)
at com.github.unidbg.thread.Function64.run(Function64.java:39)
at com.github.unidbg.thread.MainTask.dispatch(MainTask.java:19)
at com.github.unidbg.thread.UniThreadDispatcher.run(UniThreadDispatcher.java:165)
at com.github.unidbg.thread.UniThreadDispatcher.runMainForResult(UniThreadDispatcher.java:97)
at com.github.unidbg.AbstractEmulator.runMainForResult(AbstractEmulator.java:341)
at com.github.unidbg.arm.AbstractARM64Emulator.eFunc(AbstractARM64Emulator.java:262)
at com.github.unidbg.Module.emulateFunction(Module.java:163)
at com.github.unidbg.linux.LinuxModule.callFunction(LinuxModule.java:256)
at com.github.unidbg.linux.LinuxSymbol.call(LinuxSymbol.java:27)
at com.github.unidbg.linux.android.dvm.DalvikModule.callJNI_OnLoad(DalvikModule.java:33)
at com.ss.android.ugc.aweme.Sign6_370401.<init>(Sign6_370401.java:45)
at com.ss.android.ugc.aweme.Sign6_370401.main(Sign6_370401.java:50)
java.lang.UnsupportedOperationException: com/bytedance/mobsec/metasec/ml/MS->b(IIJLjava/lang/String;Ljava/lang/Object;)Ljava/lang/Object;
at com.github.unidbg.linux.android.dvm.AbstractJni.callStaticObjectMethodV(AbstractJni.java:504)
at com.github.unidbg.linux.android.dvm.AbstractJni.callStaticObjectMethodV(AbstractJni.java:438)
at com.github.unidbg.linux.android.dvm.DvmMethod.callStaticObjectMethodV(DvmMethod.java:59)
at com.github.unidbg.linux.android.dvm.DalvikVM64$112.handle(DalvikVM64.java:1836)
at com.github.unidbg.linux.ARM64SyscallHandler.hook(ARM64SyscallHandler.java:119)
at com.github.unidbg.arm.backend.Unicorn2Backend$11.hook(Unicorn2Backend.java:352)
at com.github.unidbg.arm.backend.unicorn.Unicorn$NewHook.onInterrupt(Unicorn.java:109)
at com.github.unidbg.arm.backend.unicorn.Unicorn.emu_start(Native Method)
at com.github.unidbg.arm.backend.unicorn.Unicorn.emu_start(Unicorn.java:312)
at com.github.unidbg.arm.backend.Unicorn2Backend.emu_start(Unicorn2Backend.java:389)
at com.github.unidbg.AbstractEmulator.emulate(AbstractEmulator.java:378)
at com.github.unidbg.thread.Function64.run(Function64.java:39)
at com.github.unidbg.thread.MainTask.dispatch(MainTask.java:19)
at com.github.unidbg.thread.UniThreadDispatcher.run(UniThreadDispatcher.java:165)
at com.github.unidbg.thread.UniThreadDispatcher.runMainForResult(UniThreadDispatcher.java:97)
at com.github.unidbg.AbstractEmulator.runMainForResult(AbstractEmulator.java:341)
at com.github.unidbg.arm.AbstractARM64Emulator.eFunc(AbstractARM64Emulator.java:262)
at com.github.unidbg.Module.emulateFunction(Module.java:163)
at com.github.unidbg.linux.LinuxModule.callFunction(LinuxModule.java:256)
at com.github.unidbg.linux.LinuxSymbol.call(LinuxSymbol.java:27)
at com.github.unidbg.linux.android.dvm.DalvikModule.callJNI_OnLoad(DalvikModule.java:33)
at com.ss.android.ugc.aweme.Sign6_370401.<init>(Sign6_370401.java:45)
at com.ss.android.ugc.aweme.Sign6_370401.main(Sign6_370401.java:50)
callStaticObjectMethodV com/bytedance/mobsec/metasec/ml/MS->b(IIJLjava/lang/String;Ljava/lang/Object;)Ljava/lang/Object;
----------------------------
268435470
----------------------------
callStaticObjectMethodV com/bytedance/mobsec/metasec/ml/MS->b(IIJLjava/lang/String;Ljava/lang/Object;)Ljava/lang/Object;
----------------------------
268435470
----------------------------
case 268435470:
return Long.valueOf(C2450509eM.LIZ);
case 268435470:
return Long.valueOf(C2450509eM.LIZ);
/**
 * Decompiled holder of two static volatile counters or flags; the names are obfuscated and
 * the listing does not show what they mean.
 */
public final class C2450509eM {
    // Read by the decompiled "case 268435470" branch, which returns Long.valueOf(LIZ).
    public static volatile long LIZ = 2L;

    // No initializer in the decompiled source, so it starts at the default 0.
    public static volatile long LIZIZ = 0L;
}
/**
 * Decompiled holder of two static volatile counters or flags; the names are obfuscated and
 * the listing does not show what they mean.
 */
public final class C2450509eM {
    // Read by the decompiled "case 268435470" branch, which returns Long.valueOf(LIZ).
    public static volatile long LIZ = 2L;

    // No initializer in the decompiled source, so it starts at the default 0.
    public static volatile long LIZIZ = 0L;
}
/**
 * Answers static object-returning Java calls made by the native code.
 *
 * <p>Only {@code MS.b(...)} with first argument 268435470 is stubbed. The value 2 mirrors the
 * decompiled Java, where that case returns {@code Long.valueOf(C2450509eM.LIZ)} and LIZ is
 * initialised to 2. It is a fixed snapshot of build 370401, not a live value. Every other
 * call goes to the superclass.
 */
@Override
public DvmObject<?> callStaticObjectMethodV(BaseVM vm, DvmClass dvmClass, String signature, VaList vaList) {
    System.out.println("callStaticObjectMethodV "+ signature);
    final String msBridge = "com/bytedance/mobsec/metasec/ml/MS->b(IIJLjava/lang/String;Ljava/lang/Object;)Ljava/lang/Object;";
    if (signature.equals(msBridge)) {
        // First int argument selects the operation; print it so unhandled values are visible.
        int selector = vaList.getIntArg(0);
        System.out.println("----------------------------");
        System.out.println(selector);
        System.out.println("----------------------------");
        if (selector == 0x1000000E) { // 268435470 in decimal
            return DvmLong.valueOf(vm,2);
        }
    }
    return super.callStaticObjectMethodV(vm, dvmClass, signature, vaList);
}
/**
 * Answers long-returning instance calls made by the native code.
 *
 * <p>Handles {@code Long.longValue()} by unboxing the wrapped value; the cast assumes the
 * wrapper holds a {@code java.lang.Long}. Every other signature goes to the superclass.
 */
@Override
public long callLongMethodV(BaseVM vm, DvmObject<?> dvmObject, String signature, VaList vaList) {
    if (signature.equals("java/lang/Long->longValue()J")) {
        return ((java.lang.Long) dvmObject.getValue()).longValue();
    }
    return super.callLongMethodV(vm, dvmObject, signature, vaList);
}
/**
 * Answers static object-returning Java calls made by the native code.
 *
 * <p>Only {@code MS.b(...)} with first argument 268435470 is stubbed. The value 2 mirrors the
 * decompiled Java, where that case returns {@code Long.valueOf(C2450509eM.LIZ)} and LIZ is
 * initialised to 2. It is a fixed snapshot of build 370401, not a live value. Every other
 * call goes to the superclass.
 */
@Override
public DvmObject<?> callStaticObjectMethodV(BaseVM vm, DvmClass dvmClass, String signature, VaList vaList) {
    System.out.println("callStaticObjectMethodV "+ signature);
    final String msBridge = "com/bytedance/mobsec/metasec/ml/MS->b(IIJLjava/lang/String;Ljava/lang/Object;)Ljava/lang/Object;";
    if (signature.equals(msBridge)) {
        // First int argument selects the operation; print it so unhandled values are visible.
        int selector = vaList.getIntArg(0);
        System.out.println("----------------------------");
        System.out.println(selector);
        System.out.println("----------------------------");
        if (selector == 0x1000000E) { // 268435470 in decimal
            return DvmLong.valueOf(vm,2);
        }
    }
    return super.callStaticObjectMethodV(vm, dvmClass, signature, vaList);
}
/**
 * Answers long-returning instance calls made by the native code.
 *
 * <p>Handles {@code Long.longValue()} by unboxing the wrapped value; the cast assumes the
 * wrapper holds a {@code java.lang.Long}. Every other signature goes to the superclass.
 */
@Override
public long callLongMethodV(BaseVM vm, DvmObject<?> dvmObject, String signature, VaList vaList) {
    if (signature.equals("java/lang/Long->longValue()J")) {
        return ((java.lang.Long) dvmObject.getValue()).longValue();
    }
    return super.callLongMethodV(vm, dvmObject, signature, vaList);
}
package com.ss.android.ugc.aweme;
import com.github.unidbg.AndroidEmulator;
import com.github.unidbg.Module;
import com.github.unidbg.arm.backend.Unicorn2Factory;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.linux.android.dvm.*;
import com.github.unidbg.linux.android.dvm.wrapper.DvmLong;
import com.github.unidbg.memory.Memory;
import java.io.File;
/**
 * unidbg harness that loads the native library and runs its {@code JNI_OnLoad}.
 *
 * <p>Compared with the baseline version it registers the {@code MS -> i2 -> y2} class chain
 * before loading and stubs the two Java callbacks that {@code JNI_OnLoad} makes. The file
 * paths and the stubbed value are specific to build 370401.
 */
public class Sign6_370401 extends AbstractJni {
    private static final String PROCESS_NAME = "com.ss.android.ugc.aweme";
    private static final String APK_PATH =
            "unidbg-android/src/test/resources/bytedance/aweme_douyinweb2_370401.apk";
    private static final String LIBRARY_PATH =
            "unidbg-android/src/test/resources/bytedance/libmetasec_ml.370401.so";
    private static final String MS_BRIDGE_SIGNATURE =
            "com/bytedance/mobsec/metasec/ml/MS->b(IIJLjava/lang/String;Ljava/lang/Object;)Ljava/lang/Object;";
    private static final String LONG_VALUE_SIGNATURE = "java/lang/Long->longValue()J";
    /** 268435470 in decimal: the first argument printed while JNI_OnLoad runs. */
    private static final int OBSERVED_SELECTOR = 0x1000000E;

    private final AndroidEmulator emulator;
    private final VM vm;
    private final Module module;
    private final Memory memory;

    /** Sets up emulator, memory, VM and class chain, then loads the library and calls JNI_OnLoad. */
    private Sign6_370401() {
        emulator = AndroidEmulatorBuilder.for64Bit()
                .setProcessName(PROCESS_NAME)
                .addBackendFactory(new Unicorn2Factory(true))
                .build();
        emulator.getBackend().registerEmuCountHook(100000);
        // Verbose syscall tracing produces the "File opened ..." lines seen in the log output.
        emulator.getSyscallHandler().setVerbose(true);
        emulator.getSyscallHandler().setEnableThreadDispatcher(true);

        memory = emulator.getMemory();
        memory.setLibraryResolver(new AndroidResolver(23));
        // Run the library's init functions on load (the .init_array entries).
        memory.setCallInitFunction(true);

        vm = emulator.createDalvikVM(new File(APK_PATH));
        // This class answers the JNI callbacks the native code makes into "Java".
        vm.setJni(this);
        vm.setVerbose(true);

        // Register parent-first so GetSuperClass on MS can be answered during JNI_OnLoad.
        DvmClass y2Class = vm.resolveClass("ms/bd/c/y2");
        DvmClass i2Class = vm.resolveClass("ms/bd/c/i2", y2Class);
        DvmClass msClass = vm.resolveClass("com/bytedance/mobsec/metasec/ml/MS", i2Class);

        DalvikModule loaded = vm.loadLibrary(new File(LIBRARY_PATH), true);
        module = loaded.getModule();
        loaded.callJNI_OnLoad(emulator);
    }

    /**
     * Answers static object-returning Java calls made by the native code.
     *
     * <p>Only {@code MS.b(...)} with first argument 268435470 is stubbed. The value 2 mirrors
     * the decompiled Java, where that case returns {@code Long.valueOf(C2450509eM.LIZ)} and
     * LIZ is initialised to 2. Every other call goes to the superclass.
     */
    @Override
    public DvmObject<?> callStaticObjectMethodV(BaseVM vm, DvmClass dvmClass, String signature, VaList vaList) {
        System.out.println("callStaticObjectMethodV "+ signature);
        if (signature.equals(MS_BRIDGE_SIGNATURE)) {
            // Print the selector so values this stub does not cover are visible in the log.
            int selector = vaList.getIntArg(0);
            System.out.println("----------------------------");
            System.out.println(selector);
            System.out.println("----------------------------");
            if (selector == OBSERVED_SELECTOR) {
                return DvmLong.valueOf(vm,2);
            }
        }
        return super.callStaticObjectMethodV(vm, dvmClass, signature, vaList);
    }

    /**
     * Answers long-returning instance calls; handles {@code Long.longValue()} by unboxing the
     * wrapped value, which the cast assumes is a {@code java.lang.Long}.
     */
    @Override
    public long callLongMethodV(BaseVM vm, DvmObject<?> dvmObject, String signature, VaList vaList) {
        if (signature.equals(LONG_VALUE_SIGNATURE)) {
            return ((java.lang.Long) dvmObject.getValue()).longValue();
        }
        return super.callLongMethodV(vm, dvmObject, signature, vaList);
    }

    /** Entry point: constructing the harness performs the load and the JNI_OnLoad call. */
    public static void main(String[] args) {
        new Sign6_370401();
    }
}
package com.ss.android.ugc.aweme;
import com.github.unidbg.AndroidEmulator;
import com.github.unidbg.Module;
import com.github.unidbg.arm.backend.Unicorn2Factory;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.linux.android.dvm.*;
import com.github.unidbg.linux.android.dvm.wrapper.DvmLong;
import com.github.unidbg.memory.Memory;
import java.io.File;
/**
 * unidbg harness that loads the native library and runs its {@code JNI_OnLoad}.
 *
 * <p>Compared with the baseline version it registers the {@code MS -> i2 -> y2} class chain
 * before loading and stubs the two Java callbacks that {@code JNI_OnLoad} makes. The file
 * paths and the stubbed value are specific to build 370401.
 */
public class Sign6_370401 extends AbstractJni {
    private static final String PROCESS_NAME = "com.ss.android.ugc.aweme";
    private static final String APK_PATH =
            "unidbg-android/src/test/resources/bytedance/aweme_douyinweb2_370401.apk";
    private static final String LIBRARY_PATH =
            "unidbg-android/src/test/resources/bytedance/libmetasec_ml.370401.so";
    private static final String MS_BRIDGE_SIGNATURE =
            "com/bytedance/mobsec/metasec/ml/MS->b(IIJLjava/lang/String;Ljava/lang/Object;)Ljava/lang/Object;";
    private static final String LONG_VALUE_SIGNATURE = "java/lang/Long->longValue()J";
    /** 268435470 in decimal: the first argument printed while JNI_OnLoad runs. */
    private static final int OBSERVED_SELECTOR = 0x1000000E;

    private final AndroidEmulator emulator;
    private final VM vm;
    private final Module module;
    private final Memory memory;

    /** Sets up emulator, memory, VM and class chain, then loads the library and calls JNI_OnLoad. */
    private Sign6_370401() {
        emulator = AndroidEmulatorBuilder.for64Bit()
                .setProcessName(PROCESS_NAME)
                .addBackendFactory(new Unicorn2Factory(true))
                .build();
        emulator.getBackend().registerEmuCountHook(100000);
        // Verbose syscall tracing produces the "File opened ..." lines seen in the log output.
        emulator.getSyscallHandler().setVerbose(true);
        emulator.getSyscallHandler().setEnableThreadDispatcher(true);

        memory = emulator.getMemory();
        memory.setLibraryResolver(new AndroidResolver(23));
        // Run the library's init functions on load (the .init_array entries).
        memory.setCallInitFunction(true);

        vm = emulator.createDalvikVM(new File(APK_PATH));
        // This class answers the JNI callbacks the native code makes into "Java".
        vm.setJni(this);
        vm.setVerbose(true);

        // Register parent-first so GetSuperClass on MS can be answered during JNI_OnLoad.
        DvmClass y2Class = vm.resolveClass("ms/bd/c/y2");
        DvmClass i2Class = vm.resolveClass("ms/bd/c/i2", y2Class);
        DvmClass msClass = vm.resolveClass("com/bytedance/mobsec/metasec/ml/MS", i2Class);

        DalvikModule loaded = vm.loadLibrary(new File(LIBRARY_PATH), true);
        module = loaded.getModule();
        loaded.callJNI_OnLoad(emulator);
    }

    /**
     * Answers static object-returning Java calls made by the native code.
     *
     * <p>Only {@code MS.b(...)} with first argument 268435470 is stubbed. The value 2 mirrors
     * the decompiled Java, where that case returns {@code Long.valueOf(C2450509eM.LIZ)} and
     * LIZ is initialised to 2. Every other call goes to the superclass.
     */
    @Override
    public DvmObject<?> callStaticObjectMethodV(BaseVM vm, DvmClass dvmClass, String signature, VaList vaList) {
        System.out.println("callStaticObjectMethodV "+ signature);
        if (signature.equals(MS_BRIDGE_SIGNATURE)) {
            // Print the selector so values this stub does not cover are visible in the log.
            int selector = vaList.getIntArg(0);
            System.out.println("----------------------------");
            System.out.println(selector);
            System.out.println("----------------------------");
            if (selector == OBSERVED_SELECTOR) {
                return DvmLong.valueOf(vm,2);
            }
        }
        return super.callStaticObjectMethodV(vm, dvmClass, signature, vaList);
    }

    /**
     * Answers long-returning instance calls; handles {@code Long.longValue()} by unboxing the
     * wrapped value, which the cast assumes is a {@code java.lang.Long}.
     */
    @Override
    public long callLongMethodV(BaseVM vm, DvmObject<?> dvmObject, String signature, VaList vaList) {
        if (signature.equals(LONG_VALUE_SIGNATURE)) {
            return ((java.lang.Long) dvmObject.getValue()).longValue();
        }
        return super.callLongMethodV(vm, dvmObject, signature, vaList);
    }

    /** Entry point: constructing the harness performs the load and the JNI_OnLoad call. */
    public static void main(String[] args) {
        new Sign6_370401();
    }
}
File opened 'stdin' with oflags=0x0 from null
File opened 'stdout' with oflags=0x1 from null
File opened 'stderr' with oflags=0x1 from null
[18:38:47 675] DEBUG [com.github.unidbg.linux.android.dvm.DalvikVM64] (DalvikVM64:3927) - _JavaVM=unidbg@0xfffe0080, _JNIInvokeInterface=unidbg@0xfffe16a0, _JNIEnv=unidbg@0xfffe1640
[18:38:47 677] DEBUG [com.github.unidbg.linux.android.dvm.BaseVM] (BaseVM:146) - addObject hash=0x76f84423, global=true
[18:38:47 677] DEBUG [com.github.unidbg.linux.android.dvm.BaseVM] (BaseVM:146) - addObject hash=0xffffffff9de5a268, global=true
[18:38:47 677] DEBUG [com.github.unidbg.linux.android.dvm.BaseVM] (BaseVM:146) - addObject hash=0x76f84423, global=true
[18:38:47 677] DEBUG [com.github.unidbg.linux.android.dvm.BaseVM] (BaseVM:146) - addObject hash=0xffffffff9de5a078, global=true
[18:38:47 677] DEBUG [com.github.unidbg.linux.android.dvm.BaseVM] (BaseVM:146) - addObject hash=0x76f84423, global=true
[18:38:47 677] DEBUG [com.github.unidbg.linux.android.dvm.BaseVM] (BaseVM:146) - addObject hash=0x36f48686, global=true
[18:38:47 861] INFO [com.github.unidbg.linux.AndroidElfLoader] (AndroidElfLoader:487) - libmetasec_ml.so load dependency libandroid.so failed
File opened '/dev/__properties__' with oflags=0x88000 from RX@0x12552854[libc.so]0x22854
File closed '/dev/__properties__' from RX@0x1254ece4[libc.so]0x1ece4
dlopen:libnetd_client.so
AndroidElfLoader dlopen libnetd_client.so
AndroidElfLoader LinuxModule null
AndroidElfLoader MemRegion name /system/lib64/libdl.so
AndroidElfLoader MemRegion name /system/lib64/libdl.so
AndroidElfLoader MemRegion name /system/lib64/libc.so
AndroidElfLoader MemRegion name /system/lib64/libc.so
AndroidElfLoader MemRegion name /system/lib64/libm.so
AndroidElfLoader MemRegion name /system/lib64/libm.so
AndroidElfLoader MemRegion name /system/lib64/libc++.so
AndroidElfLoader MemRegion name /system/lib64/libc++.so
AndroidElfLoader MemRegion name /system/lib64/liblog.so
AndroidElfLoader MemRegion name /system/lib64/liblog.so
AndroidElfLoader MemRegion name /system/lib64/libmetasec_ml.370401.so
AndroidElfLoader MemRegion name /system/lib64/libmetasec_ml.370401.so
AndroidElfLoader MemRegion name /system/lib64/libmetasec_ml.370401.so
AndroidElfLoader LibraryFile null
File opened '/proc/stat' with oflags=0x80000 from RX@0x12552854[libc.so]0x22854
Read 1884 bytes from '/proc/stat'
Read 0 bytes from '/proc/stat'
File closed '/proc/stat' from RX@0x1254ece4[libc.so]0x1ece4
[18:38:47 957] DEBUG [com.github.unidbg.linux.android.dvm.DalvikModule] (DalvikModule:31) - Call [libmetasec_ml.so]JNI_OnLoad: 0x1227bfb0
[18:38:47 961] DEBUG [com.github.unidbg.linux.android.dvm.DalvikVM64] (DalvikVM64$234:3901) - GetEnv vm=unidbg@0xfffe0080, env=null, version=0x10006
JNIEnv->FindClass(com/bytedance/mobsec/metasec/ml/MS) was called from RX@0x1226ee80[libmetasec_ml.so]0x26ee80
[18:38:47 962] DEBUG [com.github.unidbg.linux.android.dvm.BaseVM] (BaseVM:146) - addObject hash=0x36f48686, global=true
[18:38:47 962] DEBUG [com.github.unidbg.linux.android.dvm.DalvikVM64] (DalvikVM64$3:87) - FindClass env=unidbg@0xfffe1640, className=com/bytedance/mobsec/metasec/ml/MS, hash=0x36f48686
JNIEnv->GetSuperClass(class com/bytedance/mobsec/metasec/ml/MS) was called from RX@0x1226ee9c[libmetasec_ml.so]0x26ee9c
[18:38:47 962] DEBUG [com.github.unidbg.linux.android.dvm.DalvikVM64] (DalvikVM64$7:158) - JNIEnv->GetSuperClass was called, class = com/bytedance/mobsec/metasec/ml/MS, superClass = ms/bd/c/i2
JNIEnv->GetSuperClass(class ms/bd/c/i2) was called from RX@0x1226eec0[libmetasec_ml.so]0x26eec0
[18:38:47 963] DEBUG [com.github.unidbg.linux.android.dvm.DalvikVM64] (DalvikVM64$7:158) - JNIEnv->GetSuperClass was called, class = ms/bd/c/i2, superClass = ms/bd/c/y2
[18:38:47 963] DEBUG [com.github.unidbg.linux.android.dvm.DalvikVM64] (DalvikVM64$212:3366) - RegisterNatives dvmClass=class ms/bd/c/y2, methods=unidbg@0xe4fff460, nMethods=1
JNIEnv->RegisterNatives(ms/bd/c/y2, unidbg@0xe4fff460, 1) was called from RX@0x1226ef88[libmetasec_ml.so]0x26ef88
[18:38:47 963] DEBUG [com.github.unidbg.linux.android.dvm.DalvikVM64] (DalvikVM64$212:3379) - RegisterNatives dvmClass=class ms/bd/c/y2, name=a, signature=(IIJLjava/lang/String;Ljava/lang/Object;)Ljava/lang/Object;, fnPtr=RX@0x1226f0f8[libmetasec_ml.so]0x26f0f8
RegisterNative(ms/bd/c/y2, a(IIJLjava/lang/String;Ljava/lang/Object;)Ljava/lang/Object;, RX@0x1226f0f8[libmetasec_ml.so]0x26f0f8)
[18:38:47 964] DEBUG [com.github.unidbg.linux.android.dvm.DalvikVM64] (DalvikVM64$20:309) - DeleteLocalRef object=unidbg@0xffffffff9de5a268
[18:38:47 964] DEBUG [com.github.unidbg.linux.android.dvm.DalvikVM64] (DalvikVM64$110:1781) - GetStaticMethodID class=unidbg@0x36f48686, methodName=b, args=(IIJLjava/lang/String;Ljava/lang/Object;)Ljava/lang/Object;, LR=RX@0x1226f044[libmetasec_ml.so]0x26f044
[18:38:47 964] DEBUG [com.github.unidbg.linux.android.dvm.DvmClass] (DvmClass:99) - getStaticMethodID signature=com/bytedance/mobsec/metasec/ml/MS->b(IIJLjava/lang/String;Ljava/lang/Object;)Ljava/lang/Object;, hash=0x2f94ee13
JNIEnv->GetStaticMethodID(com/bytedance/mobsec/metasec/ml/MS.b(IIJLjava/lang/String;Ljava/lang/Object;)Ljava/lang/Object;) => 0x2f94ee13 was called from RX@0x1226f044[libmetasec_ml.so]0x26f044
[18:38:47 965] DEBUG [com.github.unidbg.linux.android.dvm.DalvikVM64] (DalvikVM64$229:3607) - GetObjectRefType object=unidbg@0x36f48686, dvmGlobalObject=class com/bytedance/mobsec/metasec/ml/MS, dvmLocalObject=null
[18:38:47 967] DEBUG [com.github.unidbg.linux.android.dvm.DalvikVM64] (DalvikVM64$234:3901) - GetEnv vm=unidbg@0xfffe0080, env=null, version=0x10006
[18:38:47 968] DEBUG [com.github.unidbg.linux.android.dvm.DalvikVM64] (DalvikVM64$234:3901) - GetEnv vm=unidbg@0xfffe0080, env=null, version=0x10006
[18:38:47 969] DEBUG [com.github.unidbg.linux.android.dvm.DalvikVM64] (DalvikVM64$234:3901) - GetEnv vm=unidbg@0xfffe0080, env=null, version=0x10006
[18:38:47 969] DEBUG [com.github.unidbg.linux.android.dvm.DalvikVM64] (DalvikVM64$112:1828) - CallStaticObjectMethodV clazz=unidbg@0x36f48686, jmethodID=unidbg@0x2f94ee13, va_list=unidbg@0xe4fff300
[18:38:47 970] DEBUG [com.github.unidbg.linux.android.dvm.VaList64] (VaList64:131) - VaList64 base_p=0xe4fff370, base_integer=0xe4fff300, base_float=0xe4fff2d0, mask_integer=0x0, mask_float=0xffffff80, args=(IIJLjava/lang/String;Ljava/lang/Object;)Ljava/lang/Object;, shorty=[I, I, J, Ljava/lang/String;, Ljava/lang/Object;]
callStaticObjectMethodV com/bytedance/mobsec/metasec/ml/MS->b(IIJLjava/lang/String;Ljava/lang/Object;)Ljava/lang/Object;
----------------------------
268435470
----------------------------
[18:38:47 970] DEBUG [com.github.unidbg.linux.android.dvm.BaseVM] (BaseVM:146) - addObject hash=0x76f84423, global=true
[18:38:47 970] DEBUG [com.github.unidbg.linux.android.dvm.BaseVM] (BaseVM:146) - addObject hash=0xc1caa8f, global=true
JNIEnv->CallStaticObjectMethodV(class com/bytedance/mobsec/metasec/ml/MS, b(0x1000000e, 0x0, 0x0L, null, null) => java.lang.Long@17ed40e0) was called from RX@0x1226f430[libmetasec_ml.so]0x26f430
[18:38:47 971] DEBUG [com.github.unidbg.linux.android.dvm.BaseVM] (BaseVM:146) - addObject hash=0x17ed40e0, global=false
JNIEnv->FindClass(java/lang/Long) was called from RX@0x12271414[libmetasec_ml.so]0x271414
[18:38:47 972] DEBUG [com.github.unidbg.linux.android.dvm.BaseVM] (BaseVM:146) - addObject hash=0xc1caa8f, global=true
[18:38:47 972] DEBUG [com.github.unidbg.linux.android.dvm.DalvikVM64] (DalvikVM64$3:87) - FindClass env=unidbg@0xfffe1640, className=java/lang/Long, hash=0xc1caa8f
[18:38:47 972] DEBUG [com.github.unidbg.linux.android.dvm.DalvikVM64] (DalvikVM64$229:3607) - GetObjectRefType object=unidbg@0xc1caa8f, dvmGlobalObject=class java/lang/Long, dvmLocalObject=null
[18:38:47 972] DEBUG [com.github.unidbg.linux.android.dvm.DalvikVM64] (DalvikVM64$30:502) - GetMethodID class=unidbg@0xc1caa8f, methodName=longValue, args=()J, LR=RX@0x12271450[libmetasec_ml.so]0x271450
[18:38:47 972] DEBUG [com.github.unidbg.linux.android.dvm.DvmClass] (DvmClass:133) - getMethodID signature=java/lang/Long->longValue()J, hash=0x44606195
JNIEnv->GetMethodID(java/lang/Long.longValue()J) => 0x44606195 was called from RX@0x12271450[libmetasec_ml.so]0x271450
[18:38:47 973] DEBUG [com.github.unidbg.linux.android.dvm.DalvikVM64] (DalvikVM64$50:882) - CallLongMethodV object=unidbg@0x17ed40e0, jmethodID=unidbg@0x44606195, va_list=unidbg@0xe4fff300
[18:38:47 973] DEBUG [com.github.unidbg.linux.android.dvm.VaList64] (VaList64:131) - VaList64 base_p=0xe4fff370, base_integer=0xe4fff300, base_float=0xe4fff2d0, mask_integer=0xffffffd8, mask_float=0xffffff80, args=()J, shorty=[]
JNIEnv->CallLongMethodV(java.lang.Long@17ed40e0, longValue() => 0x2L) was called from RX@0x12225ab4[libmetasec_ml.so]0x225ab4
[18:38:47 973] DEBUG [com.github.unidbg.linux.android.dvm.DalvikVM64] (DalvikVM64$20:309) - DeleteLocalRef object=unidbg@0x17ed40e0
bionic_clone fn=RX@0x12597c70[libc.so]0x67c70, LR=RX@0x1254ec80[libc.so]0x1ec80
bionic_clone fn=RX@0x12597c70[libc.so]0x67c70, LR=RX@0x1254ec80[libc.so]0x1ec80
bionic_clone fn=RX@0x12597c70[libc.so]0x67c70, LR=RX@0x1254ec80[libc.so]0x1ec80
File opened '/proc/self/exe' with oflags=0x0 from RX@0x12275638[libmetasec_ml.so]0x275638
Read 64 bytes from '/proc/self/exe'
File closed '/proc/self/exe' from RX@0x12274c94[libmetasec_ml.so]0x274c94
[18:38:48 032] DEBUG [com.github.unidbg.linux.android.dvm.DalvikModule] (DalvikModule:36) - Call [libmetasec_ml.so]JNI_OnLoad finished: version=0x10006, offset=75ms
File opened 'stdin' with oflags=0x0 from null
File opened 'stdout' with oflags=0x1 from null
File opened 'stderr' with oflags=0x1 from null
[18:38:47 675] DEBUG [com.github.unidbg.linux.android.dvm.DalvikVM64] (DalvikVM64:3927) - _JavaVM=unidbg@0xfffe0080, _JNIInvokeInterface=unidbg@0xfffe16a0, _JNIEnv=unidbg@0xfffe1640
[18:38:47 677] DEBUG [com.github.unidbg.linux.android.dvm.BaseVM] (BaseVM:146) - addObject hash=0x76f84423, global=true
[18:38:47 677] DEBUG [com.github.unidbg.linux.android.dvm.BaseVM] (BaseVM:146) - addObject hash=0xffffffff9de5a268, global=true
[18:38:47 677] DEBUG [com.github.unidbg.linux.android.dvm.BaseVM] (BaseVM:146) - addObject hash=0x76f84423, global=true
[18:38:47 677] DEBUG [com.github.unidbg.linux.android.dvm.BaseVM] (BaseVM:146) - addObject hash=0xffffffff9de5a078, global=true
[18:38:47 677] DEBUG [com.github.unidbg.linux.android.dvm.BaseVM] (BaseVM:146) - addObject hash=0x76f84423, global=true
[18:38:47 677] DEBUG [com.github.unidbg.linux.android.dvm.BaseVM] (BaseVM:146) - addObject hash=0x36f48686, global=true
[18:38:47 861] INFO [com.github.unidbg.linux.AndroidElfLoader] (AndroidElfLoader:487) - libmetasec_ml.so load dependency libandroid.so failed
File opened '/dev/__properties__' with oflags=0x88000 from RX@0x12552854[libc.so]0x22854
File closed '/dev/__properties__' from RX@0x1254ece4[libc.so]0x1ece4
dlopen:libnetd_client.so
AndroidElfLoader dlopen libnetd_client.so
AndroidElfLoader LinuxModule null
AndroidElfLoader MemRegion name /system/lib64/libdl.so
AndroidElfLoader MemRegion name /system/lib64/libdl.so
AndroidElfLoader MemRegion name /system/lib64/libc.so
AndroidElfLoader MemRegion name /system/lib64/libc.so
AndroidElfLoader MemRegion name /system/lib64/libm.so
AndroidElfLoader MemRegion name /system/lib64/libm.so
AndroidElfLoader MemRegion name /system/lib64/libc++.so
AndroidElfLoader MemRegion name /system/lib64/libc++.so
AndroidElfLoader MemRegion name /system/lib64/liblog.so
AndroidElfLoader MemRegion name /system/lib64/liblog.so
AndroidElfLoader MemRegion name /system/lib64/libmetasec_ml.370401.so
AndroidElfLoader MemRegion name /system/lib64/libmetasec_ml.370401.so
AndroidElfLoader MemRegion name /system/lib64/libmetasec_ml.370401.so
AndroidElfLoader LibraryFile null
File opened '/proc/stat' with oflags=0x80000 from RX@0x12552854[libc.so]0x22854
Read 1884 bytes from '/proc/stat'
Read 0 bytes from '/proc/stat'
File closed '/proc/stat' from RX@0x1254ece4[libc.so]0x1ece4
[18:38:47 957] DEBUG [com.github.unidbg.linux.android.dvm.DalvikModule] (DalvikModule:31) - Call [libmetasec_ml.so]JNI_OnLoad: 0x1227bfb0
[18:38:47 961] DEBUG [com.github.unidbg.linux.android.dvm.DalvikVM64] (DalvikVM64$234:3901) - GetEnv vm=unidbg@0xfffe0080, env=null, version=0x10006
JNIEnv->FindClass(com/bytedance/mobsec/metasec/ml/MS) was called from RX@0x1226ee80[libmetasec_ml.so]0x26ee80
[18:38:47 962] DEBUG [com.github.unidbg.linux.android.dvm.BaseVM] (BaseVM:146) - addObject hash=0x36f48686, global=true
[18:38:47 962] DEBUG [com.github.unidbg.linux.android.dvm.DalvikVM64] (DalvikVM64$3:87) - FindClass env=unidbg@0xfffe1640, className=com/bytedance/mobsec/metasec/ml/MS, hash=0x36f48686
JNIEnv->GetSuperClass(class com/bytedance/mobsec/metasec/ml/MS) was called from RX@0x1226ee9c[libmetasec_ml.so]0x26ee9c
[18:38:47 962] DEBUG [com.github.unidbg.linux.android.dvm.DalvikVM64] (DalvikVM64$7:158) - JNIEnv->GetSuperClass was called, class = com/bytedance/mobsec/metasec/ml/MS, superClass = ms/bd/c/i2
JNIEnv->GetSuperClass(class ms/bd/c/i2) was called from RX@0x1226eec0[libmetasec_ml.so]0x26eec0
[18:38:47 963] DEBUG [com.github.unidbg.linux.android.dvm.DalvikVM64] (DalvikVM64$7:158) - JNIEnv->GetSuperClass was called, class = ms/bd/c/i2, superClass = ms/bd/c/y2
[18:38:47 963] DEBUG [com.github.unidbg.linux.android.dvm.DalvikVM64] (DalvikVM64$212:3366) - RegisterNatives dvmClass=class ms/bd/c/y2, methods=unidbg@0xe4fff460, nMethods=1
JNIEnv->RegisterNatives(ms/bd/c/y2, unidbg@0xe4fff460, 1) was called from RX@0x1226ef88[libmetasec_ml.so]0x26ef88
[18:38:47 963] DEBUG [com.github.unidbg.linux.android.dvm.DalvikVM64] (DalvikVM64$212:3379) - RegisterNatives dvmClass=class ms/bd/c/y2, name=a, signature=(IIJLjava/lang/String;Ljava/lang/Object;)Ljava/lang/Object;, fnPtr=RX@0x1226f0f8[libmetasec_ml.so]0x26f0f8
RegisterNative(ms/bd/c/y2, a(IIJLjava/lang/String;Ljava/lang/Object;)Ljava/lang/Object;, RX@0x1226f0f8[libmetasec_ml.so]0x26f0f8)
[18:38:47 964] DEBUG [com.github.unidbg.linux.android.dvm.DalvikVM64] (DalvikVM64$20:309) - DeleteLocalRef object=unidbg@0xffffffff9de5a268
[18:38:47 964] DEBUG [com.github.unidbg.linux.android.dvm.DalvikVM64] (DalvikVM64$110:1781) - GetStaticMethodID class=unidbg@0x36f48686, methodName=b, args=(IIJLjava/lang/String;Ljava/lang/Object;)Ljava/lang/Object;, LR=RX@0x1226f044[libmetasec_ml.so]0x26f044
[18:38:47 964] DEBUG [com.github.unidbg.linux.android.dvm.DvmClass] (DvmClass:99) - getStaticMethodID signature=com/bytedance/mobsec/metasec/ml/MS->b(IIJLjava/lang/String;Ljava/lang/Object;)Ljava/lang/Object;, hash=0x2f94ee13
JNIEnv->GetStaticMethodID(com/bytedance/mobsec/metasec/ml/MS.b(IIJLjava/lang/String;Ljava/lang/Object;)Ljava/lang/Object;) => 0x2f94ee13 was called from RX@0x1226f044[libmetasec_ml.so]0x26f044
[18:38:47 965] DEBUG [com.github.unidbg.linux.android.dvm.DalvikVM64] (DalvikVM64$229:3607) - GetObjectRefType object=unidbg@0x36f48686, dvmGlobalObject=class com/bytedance/mobsec/metasec/ml/MS, dvmLocalObject=null
[18:38:47 967] DEBUG [com.github.unidbg.linux.android.dvm.DalvikVM64] (DalvikVM64$234:3901) - GetEnv vm=unidbg@0xfffe0080, env=null, version=0x10006
[18:38:47 968] DEBUG [com.github.unidbg.linux.android.dvm.DalvikVM64] (DalvikVM64$234:3901) - GetEnv vm=unidbg@0xfffe0080, env=null, version=0x10006
[18:38:47 969] DEBUG [com.github.unidbg.linux.android.dvm.DalvikVM64] (DalvikVM64$234:3901) - GetEnv vm=unidbg@0xfffe0080, env=null, version=0x10006
[18:38:47 969] DEBUG [com.github.unidbg.linux.android.dvm.DalvikVM64] (DalvikVM64$112:1828) - CallStaticObjectMethodV clazz=unidbg@0x36f48686, jmethodID=unidbg@0x2f94ee13, va_list=unidbg@0xe4fff300
[18:38:47 970] DEBUG [com.github.unidbg.linux.android.dvm.VaList64] (VaList64:131) - VaList64 base_p=0xe4fff370, base_integer=0xe4fff300, base_float=0xe4fff2d0, mask_integer=0x0, mask_float=0xffffff80, args=(IIJLjava/lang/String;Ljava/lang/Object;)Ljava/lang/Object;, shorty=[I, I, J, Ljava/lang/String;, Ljava/lang/Object;]
callStaticObjectMethodV com/bytedance/mobsec/metasec/ml/MS->b(IIJLjava/lang/String;Ljava/lang/Object;)Ljava/lang/Object;
----------------------------
268435470
----------------------------
[18:38:47 970] DEBUG [com.github.unidbg.linux.android.dvm.BaseVM] (BaseVM:146) - addObject hash=0x76f84423, global=true
[18:38:47 970] DEBUG [com.github.unidbg.linux.android.dvm.BaseVM] (BaseVM:146) - addObject hash=0xc1caa8f, global=true
JNIEnv->CallStaticObjectMethodV(class com/bytedance/mobsec/metasec/ml/MS, b(0x1000000e, 0x0, 0x0L, null, null) => java.lang.Long@17ed40e0) was called from RX@0x1226f430[libmetasec_ml.so]0x26f430
[18:38:47 971] DEBUG [com.github.unidbg.linux.android.dvm.BaseVM] (BaseVM:146) - addObject hash=0x17ed40e0, global=false
JNIEnv->FindClass(java/lang/Long) was called from RX@0x12271414[libmetasec_ml.so]0x271414
[18:38:47 972] DEBUG [com.github.unidbg.linux.android.dvm.BaseVM] (BaseVM:146) - addObject hash=0xc1caa8f, global=true
[18:38:47 972] DEBUG [com.github.unidbg.linux.android.dvm.DalvikVM64] (DalvikVM64$3:87) - FindClass env=unidbg@0xfffe1640, className=java/lang/Long, hash=0xc1caa8f
[18:38:47 972] DEBUG [com.github.unidbg.linux.android.dvm.DalvikVM64] (DalvikVM64$229:3607) - GetObjectRefType object=unidbg@0xc1caa8f, dvmGlobalObject=class java/lang/Long, dvmLocalObject=null
[18:38:47 972] DEBUG [com.github.unidbg.linux.android.dvm.DalvikVM64] (DalvikVM64$30:502) - GetMethodID class=unidbg@0xc1caa8f, methodName=longValue, args=()J, LR=RX@0x12271450[libmetasec_ml.so]0x271450
[18:38:47 972] DEBUG [com.github.unidbg.linux.android.dvm.DvmClass] (DvmClass:133) - getMethodID signature=java/lang/Long->longValue()J, hash=0x44606195
JNIEnv->GetMethodID(java/lang/Long.longValue()J) => 0x44606195 was called from RX@0x12271450[libmetasec_ml.so]0x271450
[18:38:47 973] DEBUG [com.github.unidbg.linux.android.dvm.DalvikVM64] (DalvikVM64$50:882) - CallLongMethodV object=unidbg@0x17ed40e0, jmethodID=unidbg@0x44606195, va_list=unidbg@0xe4fff300
[18:38:47 973] DEBUG [com.github.unidbg.linux.android.dvm.VaList64] (VaList64:131) - VaList64 base_p=0xe4fff370, base_integer=0xe4fff300, base_float=0xe4fff2d0, mask_integer=0xffffffd8, mask_float=0xffffff80, args=()J, shorty=[]
JNIEnv->CallLongMethodV(java.lang.Long@17ed40e0, longValue() => 0x2L) was called from RX@0x12225ab4[libmetasec_ml.so]0x225ab4
[18:38:47 973] DEBUG [com.github.unidbg.linux.android.dvm.DalvikVM64] (DalvikVM64$20:309) - DeleteLocalRef object=unidbg@0x17ed40e0
bionic_clone fn=RX@0x12597c70[libc.so]0x67c70, LR=RX@0x1254ec80[libc.so]0x1ec80
bionic_clone fn=RX@0x12597c70[libc.so]0x67c70, LR=RX@0x1254ec80[libc.so]0x1ec80
bionic_clone fn=RX@0x12597c70[libc.so]0x67c70, LR=RX@0x1254ec80[libc.so]0x1ec80
File opened '/proc/self/exe' with oflags=0x0 from RX@0x12275638[libmetasec_ml.so]0x275638
Read 64 bytes from '/proc/self/exe'
File closed '/proc/self/exe' from RX@0x12274c94[libmetasec_ml.so]0x274c94
[18:38:48 032] DEBUG [com.github.unidbg.linux.android.dvm.DalvikModule] (DalvikModule:36) - Call [libmetasec_ml.so]JNI_OnLoad finished: version=0x10006, offset=75ms
[18:38:47 963] DEBUG [com.github.unidbg.linux.android.dvm.DalvikVM64] (DalvikVM64$212:3366) - RegisterNatives dvmClass=class ms/bd/c/y2, methods=unidbg@0xe4fff460, nMethods=1
JNIEnv->RegisterNatives(ms/bd/c/y2, unidbg@0xe4fff460, 1) was called from RX@0x1226ef88[libmetasec_ml.so]0x26ef88
[18:38:47 963] DEBUG [com.github.unidbg.linux.android.dvm.DalvikVM64] (DalvikVM64$212:3379) - RegisterNatives dvmClass=class ms/bd/c/y2, name=a, signature=(IIJLjava/lang/String;Ljava/lang/Object;)Ljava/lang/Object;, fnPtr=RX@0x1226f0f8[libmetasec_ml.so]0x26f0f8
RegisterNative(ms/bd/c/y2, a(IIJLjava/lang/String;Ljava/lang/Object;)Ljava/lang/Object;, RX@0x1226f0f8[libmetasec_ml.so]0x26f0f8)
[18:38:47 963] DEBUG [com.github.unidbg.linux.android.dvm.DalvikVM64] (DalvikVM64$212:3366) - RegisterNatives dvmClass=class ms/bd/c/y2, methods=unidbg@0xe4fff460, nMethods=1
JNIEnv->RegisterNatives(ms/bd/c/y2, unidbg@0xe4fff460, 1) was called from RX@0x1226ef88[libmetasec_ml.so]0x26ef88
[18:38:47 963] DEBUG [com.github.unidbg.linux.android.dvm.DalvikVM64] (DalvikVM64$212:3379) - RegisterNatives dvmClass=class ms/bd/c/y2, name=a, signature=(IIJLjava/lang/String;Ljava/lang/Object;)Ljava/lang/Object;, fnPtr=RX@0x1226f0f8[libmetasec_ml.so]0x26f0f8
RegisterNative(ms/bd/c/y2, a(IIJLjava/lang/String;Ljava/lang/Object;)Ljava/lang/Object;, RX@0x1226f0f8[libmetasec_ml.so]0x26f0f8)
; sub_26F0F8: address that JNI_OnLoad registers as the native implementation of
; ms/bd/c/y2.a(IIJLjava/lang/String;Ljava/lang/Object;)Ljava/lang/Object;
; The stub re-packs the incoming argument registers, spills X0-X7 and the X29/X30 pair into a
; 0x50-byte stack frame, calls sub_26F138 and then branches to (value returned in X0) + 0x38.
; The continuation address is therefore computed at run time and is not visible in this listing.
sub_26F0F8
var_50= -0x50
var_48= -0x48
var_40= -0x40
var_38= -0x38
var_30= -0x30
var_28= -0x28
var_20= -0x20
var_18= -0x18
var_10= -0x10
var_8= -8
; Register shuffle. Presumably X0 = JNIEnv*, W2/W3 = i/i2, X4 = j, X5 = str, X6 = obj under the
; usual JNI native convention (to be confirmed); the incoming X1 is overwritten.
MOV X1, X0
MOV W0, W2
MOV W2, W3
MOV X3, X4
MOV X4, X5
MOV X5, X6
; Allocate the frame and save the frame/link registers at SP+0x40.
SUB SP, SP, #0x50
STP X29, X30, [SP,#0x50+var_10]
; Spill the re-packed X0-X7 to SP+0x00 .. SP+0x3F.
STP X0, X1, [SP,#0x50+var_50]
STP X2, X3, [SP,#0x50+var_40]
STP X4, X5, [SP,#0x50+var_30]
STP X6, X7, [SP,#0x50+var_20]
BL sub_26F138
; Indirect tail jump: target = result of sub_26F138 + 0x38.
MOV X1, X0
ADD X1, X1, #0x38 ; '8'
BR X1
; End of function sub_26F0F8
; sub_26F0F8: address that JNI_OnLoad registers as the native implementation of
; ms/bd/c/y2.a(IIJLjava/lang/String;Ljava/lang/Object;)Ljava/lang/Object;
; The stub re-packs the incoming argument registers, spills X0-X7 and the X29/X30 pair into a
; 0x50-byte stack frame, calls sub_26F138 and then branches to (value returned in X0) + 0x38.
; The continuation address is therefore computed at run time and is not visible in this listing.
sub_26F0F8
var_50= -0x50
var_48= -0x48
var_40= -0x40
var_38= -0x38
var_30= -0x30
var_28= -0x28
var_20= -0x20
var_18= -0x18
var_10= -0x10
var_8= -8
; Register shuffle. Presumably X0 = JNIEnv*, W2/W3 = i/i2, X4 = j, X5 = str, X6 = obj under the
; usual JNI native convention (to be confirmed); the incoming X1 is overwritten.
MOV X1, X0
MOV W0, W2
MOV W2, W3
MOV X3, X4
MOV X4, X5
MOV X5, X6
; Allocate the frame and save the frame/link registers at SP+0x40.
SUB SP, SP, #0x50
STP X29, X30, [SP,#0x50+var_10]
; Spill the re-packed X0-X7 to SP+0x00 .. SP+0x3F.
STP X0, X1, [SP,#0x50+var_50]
STP X2, X3, [SP,#0x50+var_40]
STP X4, X5, [SP,#0x50+var_30]
STP X6, X7, [SP,#0x50+var_20]
BL sub_26F138
; Indirect tail jump: target = result of sub_26F138 + 0x38.
MOV X1, X0
ADD X1, X1, #0x38 ; '8'
BR X1
; End of function sub_26F0F8
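/**
 * Installs a Frida hook on ms.bd.c.y2.a(i, i2, j, str, obj) that logs each call's arguments
 * and return value, then returns the original result unchanged.
 *
 * A non-null obj is hex-dumped before the original method is invoked.
 */
function hookJava(){
    Java.perform(function(){
        let MS = Java.use("ms.bd.c.y2");
        MS["a"].implementation = function (i, i2, j, str, obj) {
            console.log(`MS is called: i=${i}, i2=${i2}, j=${j}, str=${str}, obj=${obj}`);
            if(obj != null ){
                // NOTE(review): assumes obj is a Java byte[]; the parameter is declared as
                // java.lang.Object, so other types may reach this line. Confirm.
                var jsArray = Java.array('byte', obj);
                var buffer = new Uint8Array(jsArray).buffer;
                console.log(hexdump(buffer, {
                    offset: 0,
                    // An ArrayBuffer exposes byteLength; its .length is undefined.
                    length: buffer.byteLength,
                    header: true,
                    ansi: true
                }));
            }
            // Forward to the original implementation so the app's behaviour is unchanged.
            let result = this["a"](i, i2, j, str, obj);
            console.log(`MS result=${result}`);
            return result;
        };
    });
}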
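/**
 * Installs a Frida hook on ms.bd.c.y2.a(i, i2, j, str, obj) that logs each call's arguments
 * and return value, then returns the original result unchanged.
 *
 * A non-null obj is hex-dumped before the original method is invoked.
 */
function hookJava(){
    Java.perform(function(){
        let MS = Java.use("ms.bd.c.y2");
        MS["a"].implementation = function (i, i2, j, str, obj) {
            console.log(`MS is called: i=${i}, i2=${i2}, j=${j}, str=${str}, obj=${obj}`);
            if(obj != null ){
                // NOTE(review): assumes obj is a Java byte[]; the parameter is declared as
                // java.lang.Object, so other types may reach this line. Confirm.
                var jsArray = Java.array('byte', obj);
                var buffer = new Uint8Array(jsArray).buffer;
                console.log(hexdump(buffer, {
                    offset: 0,
                    // An ArrayBuffer exposes byteLength; its .length is undefined.
                    length: buffer.byteLength,
                    header: true,
                    ansi: true
                }));
            }
            // Forward to the original implementation so the app's behaviour is unchanged.
            let result = this["a"](i, i2, j, str, obj);
            console.log(`MS result=${result}`);
            return result;
        };
    });
}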
MS is called: i=16777217, i2=0, j=0, str=eecc17, obj=[B@e111eaf
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
00000000 75 69 14 05 01 29 62 0a 33 23 64 29 31 14 1a 29 ui...)b.3
00000010 70 4d 26 2a 40 6f 02 12 0f 24 pM&*@o...$
MS result=android.app.ActivityThread
MS is called: i=16777217, i2=0, j=0, str=fe9aef, obj=[B@efd92bc
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
00000000 74 72 58 07 5f 7f 71 65 6b 25 7e 71 43 01 43 45 trX._.qek%~qC.CE
00000010 6d 56 6d 30 73 mVm0s
MS result=currentActivityThread
MS is called: i=16777217, i2=0, j=0, str=2c96ae, obj=[B@e14f245
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
00000000 2e 40 49 56 57 64 38 56 61 63 30 .@IVWd8Vac0
MS result=mActivities
MS is called: i=16777217, i2=0, j=0, str=00a510, obj=[B@71a5d9a
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
00000000 32 26 1d 51 1e 22 37 2&.Q."7
MS result=stopped
MS is called: i=16777217, i2=0, j=0, str=146b73, obj=[B@d976dc1
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
00000000 21 35 51 1f 1e 2d 26 0c !5Q..-&.
MS result=activity
MS is called: i=16777217, i2=0, j=0, str=38186e, obj=[B@b27c117
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
00000000 23 34 46 5e 06 7b 34 57 69 66 36 3f 4c 58 47 73
00000010 33 0d 69 67 2c 74 60 6d 3d 46 15 2b 59 57 01 12 3.ig,t`m=F.+YW..
00000020 63 62 2e 57 14 cb.W.
MS result=android.intent.action.BATTERY_CHANGED
MS is called: i=16777217, i2=0, j=0, str=3849df, obj=[B@b8c6904
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
00000000 32 36 52 4a 5c 74 34 26RJ\t4
MS result=plugged
MS is called: i=16777217, i2=0, j=0, str=fd01c9, obj=[B@fe01eed
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
00000000 76 68 47 57 53 27 61 0b 68 6f 63 63 4d 51 12 2f vhGWS'a.hoccMQ./
00000010 66 51 68 6e 79 28 61 64 68 1a 40 77 58 5e 54 4e fQhny(adh.@wX^TN
00000020 62 6b 7b 0b 41 bk{.A
MS result=android.intent.action.BATTERY_CHANGED
MS is called: i=16777217, i2=0, j=0, str=0cb0c5, obj=[B@55d57b3
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
00000000 2d 64 07 41 50 -d.AP
MS result=level
MS is called: i=16777217, i2=0, j=0, str=d91fba, obj=[B@32cbce9
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
00000000 66 38 43 1e 58 f8C.X
MS result=scale
MS is called: i=16777217, i2=0, j=0, str=eecc17, obj=[B@e111eaf
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
00000000 75 69 14 05 01 29 62 0a 33 23 64 29 31 14 1a 29 ui...)b.3
00000010 70 4d 26 2a 40 6f 02 12 0f 24 pM&*@o...$
MS result=android.app.ActivityThread
MS is called: i=16777217, i2=0, j=0, str=fe9aef, obj=[B@efd92bc
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
00000000 74 72 58 07 5f 7f 71 65 6b 25 7e 71 43 01 43 45 trX._.qek%~qC.CE
00000010 6d 56 6d 30 73 mVm0s
MS result=currentActivityThread
MS is called: i=16777217, i2=0, j=0, str=2c96ae, obj=[B@e14f245
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
00000000 2e 40 49 56 57 64 38 56 61 63 30 .@IVWd8Vac0
MS result=mActivities
MS is called: i=16777217, i2=0, j=0, str=00a510, obj=[B@71a5d9a
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
00000000 32 26 1d 51 1e 22 37 2&.Q."7
MS result=stopped
MS is called: i=16777217, i2=0, j=0, str=146b73, obj=[B@d976dc1
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
00000000 21 35 51 1f 1e 2d 26 0c !5Q..-&.
MS result=activity
MS is called: i=16777217, i2=0, j=0, str=38186e, obj=[B@b27c117
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
00000000 23 34 46 5e 06 7b 34 57 69 66 36 3f 4c 58 47 73
00000010 33 0d 69 67 2c 74 60 6d 3d 46 15 2b 59 57 01 12 3.ig,t`m=F.+YW..
00000020 63 62 2e 57 14 cb.W.
MS result=android.intent.action.BATTERY_CHANGED
MS is called: i=16777217, i2=0, j=0, str=3849df, obj=[B@b8c6904
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
00000000 32 36 52 4a 5c 74 34 26RJ\t4
MS result=plugged
MS is called: i=16777217, i2=0, j=0, str=fd01c9, obj=[B@fe01eed
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
00000000 76 68 47 57 53 27 61 0b 68 6f 63 63 4d 51 12 2f vhGWS'a.hoccMQ./
00000010 66 51 68 6e 79 28 61 64 68 1a 40 77 58 5e 54 4e fQhny(adh.@wX^TN
00000020 62 6b 7b 0b 41 bk{.A
MS result=android.intent.action.BATTERY_CHANGED
MS is called: i=16777217, i2=0, j=0, str=0cb0c5, obj=[B@55d57b3
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
00000000 2d 64 07 41 50 -d.AP
MS result=level
MS is called: i=16777217, i2=0, j=0, str=d91fba, obj=[B@32cbce9
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
00000000 66 38 43 1e 58 f8C.X
MS result=scale
/**
 * Replays, inside the emulator, one call of the registered native method with call number
 * 0x1000001 and prints what it returns.
 *
 * <p>The string and byte arguments are copied from the hooked on-device call whose logged
 * result was "scale", so the printed value can be compared against that capture.
 */
public void decrypt(){
    final int callNumber = 0x1000001;
    final String tag = "d91fba";
    final byte[] payload = {0x66, 0x38, 0x43, 0x1e, 0x58};
    // Argument order follows the JNI signature: (int, int, long, String, Object).
    Object result = y2.callStaticJniMethodObject(
            emulator,
            "a(IIJLjava/lang/String;Ljava/lang/Object;)Ljava/lang/Object;",
            callNumber, 0, 0L, tag, payload);
    System.out.println("result:"+result);
}
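/**
 * Replays, inside the emulator, one call of the registered native method with call number
 * 0x1000001 and prints what it returns.
 *
 * <p>The string and byte arguments are copied from the hooked on-device call whose logged
 * result was "scale", so the printed value can be compared against that capture.
 */
public void decrypt(){
    int i = 0x1000001;
    int i2 = 0;
    long j = 0;
    String str = "d91fba";
    byte[] obj = new byte[]{0x66, 0x38, 0x43, 0x1e, 0x58};
    // Argument order follows the JNI signature: (int, int, long, String, Object).
    Object result = y2.callStaticJniMethodObject(emulator, "a(IIJLjava/lang/String;Ljava/lang/Object;)Ljava/lang/Object;", i, i2, j, str, obj);
    System.out.println("result:"+result);
}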