一
unidbg 介绍
unidbg 是建立在Unicorn引擎之上的,Unicorn引擎是一个强大的开源CPU模拟器框架,支持多种架构,包括x86、ARM、MIPS等,因此unidbg也能够模拟这些不同的CPU架构。UniDGB的另一个核心组成部分是Capstone引擎,它用于反汇编和指令解码。
unidbg 下载地址:https://github.com/zhkl0228/unidbg
二
框架快速搭建
package com.kanxue.test2; import com.github.unidbg.AndroidEmulator;
import com.github.unidbg.Module;
import com.github.unidbg.arm.backend.DynarmicFactory;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.linux.android.dvm.AbstractJni;
import com.github.unidbg.linux.android.dvm.DalvikModule;
import com.github.unidbg.linux.android.dvm.VM;
import com.github.unidbg.memory.Memory;import java.io.File;
public class Test05 extends AbstractJni {
private final AndroidEmulator emulator;
private final VM vm;
private final Module module;
Test05(){
// 创建模拟器
emulator = AndroidEmulatorBuilder
.for32Bit().addBackendFactory(new DynarmicFactory(true))
.setProcessName("cc.ccc.cc")
.build();// 内存调用
Memory memory = emulator.getMemory();// 设定 SDK 版本
memory.setLibraryResolver(new AndroidResolver(23));//创建虚拟机
vm = emulator.createDalvikVM(new File("sssss.apk"));//jni 日志打印
vm.setVerbose(true);// jni 设置
vm.setJni(this);// 执行so文件
DalvikModule dm = vm.loadLibrary(new File("ssss.so"), true);// 获取so 文件模块
module = dm.getModule();//调用JNI——onload 函数
vm.callJNI_OnLoad(emulator,module);
// dm.callJNI_OnLoad(module);
}
}
三
基础文档
emulator 的操作
// 获取内存操作接口
Memory memory1 = emulator.getMemory();// 获取进程id
int pid = emulator.getPid();//创建虚拟机
VM dalvikVM = emulator.createDalvikVM();//创建虚拟机并指定文件
VM dalvikVM1 = emulator.createDalvikVM(new File("ss/ss/apk"));//获取已经创建的虚拟机
VM dalvikVM2 = emulator.getDalvikVM();//显示当前寄存器的状态 可指定寄存器
emulator.showRegs();// 获取后端CPU
Backend backend = emulator.getBackend();//获取进程名
String processName = emulator.getProcessName();// 获取寄存器
RegisterContext context = emulator.getContext();//Trace 读取内存
emulator.traceRead(1,0);// trace 写内存
emulator.traceWrite(1,0);//trace 汇编
emulator.traceCode(1,0);// 是否在运行
boolean running = emulator.isRunning();
memory 操作
// 指定安卓sdk 版本 只支持 19 和 23
memory.setLibraryResolver(new AndroidResolver(23));// 拿到一个指针 指向内存地址 通过该指针可操作内存
UnidbgPointer pointer = memory.pointer(0x11111111);//获取当前内存映射的情况
Collection<MemoryMap> memoryMap = memory1.getMemoryMap();//根据模块名 来拿某个模块
Module sss = memory1.findModule("sss");// 根据地址 来拿某个模块
Module moduleByAddress = memory1.findModuleByAddress(0x111111);
VM 操作
//推荐指定apk 文件 unidbg会自动做许多固定的操作
VM vvm = emulator.createDalvikVM(new File("ssss.apk"));// 是否输出jni 运行日志
vvm.setVerbose(true);//加载so模块 参数二设置是否自动调用init函数
DalvikModule dalvikModule = vvm.loadLibrary(new File("ss.so"), true);// 设置jni 交互接口 参数需要实现jni接口 推荐使用this 继承AbstractJni
vvm.setJni(this);//获取JNIEnv 指针 可以作为参数传递
Pointer jniEnv = vm.getJNIEnv();//获取JavaVM 指针
Pointer javaVM = vm.getJavaVM();//调用jni_onload函数
dalvikModule.callJNI_OnLoad(emulator);
vm.callJNI_OnLoad(emulator,dalvikModule.getModule());
符号调用
// 创建一个vm 对象,相当于 java 层去调用native函数类的实例对象
// DvmObject obj = ProxyDvmObject.createObject(vm,this); // 默认获取MainActivity 当有很多类的时候,防止默认指定错误,可以以下指定
DvmObject<?> obj = vm.resolveClass("com/example/demo01/MainActivity").newObject(null);String signSting = "123456";
DvmObject dvmObject = obj.callJniMethodObject(emulator, "jniMd52([B)Ljava/lang/String;", signSting.getBytes(StandardCharsets.UTF_8));
String result = (String) dvmObject.getValue();
System.out.println("[symble] Call the so md5 function result is ==> " + result);
地址调用
ArrayList<Object> args = new ArrayList<>(); Pointer jniEnv = vm.getJNIEnv();
DvmObject object1 = ProxyDvmObject.createObject(vm, this);
// DvmObject<?> dvmObject = vm.resolveClass("com/xx/xx/MainActivity").newObject(null);
args.add(jniEnv);
// args.add(vm.addLocalObject(object1));// args.add(null)
args.add(null);args.add(vm.addLocalObject(new StringObject(vm, "123456")));
Number number = module.callFunction(emulator, 0x11AE8 + 1, args.toArray());// 是个地址
System.out.println("[addr] number is ==> " + number.intValue());
DvmObject<?> object = vm.getObject(number.intValue());
System.out.println("[addr] Call the so md5 function result is ==> " + object.getValue());
参数 context
DvmObject<?> context = vm.resolveClass("android/content/Context").newObject(null);
list.add(vm.addLocalObject(context));
四
unidbg hook
hookZz
IHookZz hookZz = HookZz.getInstance(emulator); // 加载HookZz,支持inline hook
hookZz.enable_arm_arm64_b_branch(); // 测试enable_arm_arm64_b_branch,可有可无
hookZz.wrap(module.findSymbolByName("ss_encrypt"), new WrapCallback<RegisterContext>() { // inline wrap导出函数
@Override
public void preCall(Emulator<?> emulator, RegisterContext ctx, HookEntryInfo info) {
Pointer pointer = ctx.getPointerArg(2);
int length = ctx.getIntArg(3);
byte[] key = pointer.getByteArray(0, length);
Inspector.inspect(key, "ss_encrypt key");
}
@Override
public void postCall(Emulator<?> emulator, RegisterContext ctx, HookEntryInfo info) {
System.out.println("ss_encrypt.postCall R0=" + ctx.getLongArg(0));
}
});
hookZz.disable_arm_arm64_b_branch();
hookZz.instrument(module.base + 0x00000F5C + 1, new InstrumentCallback<Arm32RegisterContext>() {
@Override
public void dbiCall(Emulator<?> emulator, Arm32RegisterContext ctx, HookEntryInfo info) { // 通过base+offset inline wrap内部函数,在IDA看到为sub_xxx那些
System.out.println("R3=" + ctx.getLongArg(3) + ", R10=0x" + Long.toHexString(ctx.getR10Long()));
}
});
// 加载HookZz
IHookZz hookZz = HookZz.getInstance(emulator);hookZz.wrap(module.base + 0x1BD0 + 1, new WrapCallback<HookZzArm32RegisterContext>() { // inline wrap导出函数
@Override
// 类似于 frida onEnter
public void preCall(Emulator<?> emulator, HookZzArm32RegisterContext ctx, HookEntryInfo info) {
// 类似于Frida args[0]
Pointer input = ctx.getPointerArg(0);
System.out.println("input:" + input.getString(0));
};@Override
// 类似于 frida onLeave
public void postCall(Emulator<?> emulator, HookZzArm32RegisterContext ctx, HookEntryInfo info) {
Pointer result = ctx.getPointerArg(0);
System.out.println("input:" + result.getString(0));
}
});
Dobby dobby = Dobby.getInstance(emulator);
dobby.replace(module.findSymbolByName("ss_encrypted_size"), new ReplaceCallback() { // 使用Dobby inline hook导出函数
@Override
public HookStatus onCall(Emulator<?> emulator, HookContext context, long originFunction) {
System.out.println("ss_encrypted_size.onCall arg0=" + context.getIntArg(0) + ", originFunction=0x" + Long.toHexString(originFunction));
return HookStatus.RET(emulator, originFunction);
}
@Override
public void postCall(Emulator<?> emulator, HookContext context) {
System.out.println("ss_encrypted_size.postCall ret=" + context.getIntArg(0));
}
}, true);
xHook
IxHook xHook = XHookImpl.getInstance(emulator); // 加载xHook,支持Import hook,
xHook.register("libttEncrypt.so", "strlen", new ReplaceCallback() { // hook libttEncrypt.so的导入函数strlen
@Override
public HookStatus onCall(Emulator<?> emulator, HookContext context, long originFunction) {
Pointer pointer = context.getPointerArg(0);
String str = pointer.getString(0);
System.out.println("strlen=" + str);
context.push(str);
return HookStatus.RET(emulator, originFunction);
}
@Override
public void postCall(Emulator<?> emulator, HookContext context) {
System.out.println("strlen=" + context.pop() + ", ret=" + context.getIntArg(0));
}
}, true);
xHook.register("libttEncrypt.so", "memmove", new ReplaceCallback() {
@Override
public HookStatus onCall(Emulator<?> emulator, long originFunction) {
RegisterContext context = emulator.getContext();
Pointer dest = context.getPointerArg(0);
Pointer src = context.getPointerArg(1);
int length = context.getIntArg(2);
Inspector.inspect(src.getByteArray(0, length), "memmove dest=" + dest);
return HookStatus.RET(emulator, originFunction);
}
});
xHook.register("libttEncrypt.so", "memcpy", new ReplaceCallback() {
@Override
public HookStatus onCall(Emulator<?> emulator, long originFunction) {
RegisterContext context = emulator.getContext();
Pointer dest = context.getPointerArg(0);
Pointer src = context.getPointerArg(1);
int length = context.getIntArg(2);
Inspector.inspect(src.getByteArray(0, length), "memcpy dest=" + dest);
return HookStatus.RET(emulator, originFunction);
}
});
xHook.refresh(); // 使Import hook生效
Unicorn Hook
emulator.getBackend().hook_add_new(new CodeHook() {
@Override
public void hook(Backend backend, long address, int size, Object user) {
RegisterContext context = emulator.getContext();
//System.out.println(user);
//System.out.println(size);
if (address == module.base + 0x1FF4){
Pointer md5Ctx = context.getPointerArg(0);
Inspector.inspect(md5Ctx.getByteArray(0, 32), "md5Ctx");
Pointer plainText = context.getPointerArg(1);
int length = context.getIntArg(2);
Inspector.inspect(plainText.getByteArray(0, length), "plainText");
}else if (address == module.base + 0x2004){
Pointer cipherText = context.getPointerArg(1);
Inspector.inspect(cipherText.getByteArray(0, 16), "cipherText");
}}
@Override
public void onAttach(UnHook unHook) {
}
@Override
public void detach() {
}
}, module.base + 0x1FE8, module.base + 0x2004, "xxxxzzzz");
五
打印调用栈
emulator.getUnwinder().unwind();
public void callFunc() {
emulator.getBackend().hook_add_new(new CodeHook() {
@Override
public void hook(Backend backend, long address, int size, Object user) {System.out.println("开始--------------------------");
System.out.println(user);
System.out.println(size);
emulator.getUnwinder().unwind();
System.out.println("===============================");}
@Override
public void onAttach(UnHook unHook) {}
@Override
public void detach() {}
},module.base+0xAD40,module.base+0xAD40,"xibei");}
六
Console Debugger
Debugger attach = emulator.attach();
attach.addBreakPoint(module.base + 0xC365); //断点地址
c:继续
n:跨过
bt:回溯st hex:搜索堆栈
shw hex:搜索可写堆
shr hex:搜索可读堆
shx-hex:搜索可执行堆nb:在下一个街区破发
s|si:步入
s[decimal]:执行指定的金额指令
s(blx):执行util blx助记符,性能低m(op)[size]:显示内存,默认大小为0x70,大小可以是十六进制或十进制
mr0-mr7,mfp,mip,msp[size]:显示指定寄存器的内存
m(address)[size]:显示指定地址的内存,地址必须以0x开头wr0-wr7,wfp,wip,wsp<value>:写入指定寄存器
wb(address),ws(address),wi(address)<value>:写入指定地址的(字节、短、整数)内存,地址必须以0x开头
wx(address)<hex>:将字节写入指定地址的内存,地址必须以0x开头b(address):添加临时断点,地址必须以0x开头,可以是模块偏移量
b:添加寄存器PC的断点
r:删除寄存器PC的断点
blr:添加寄存器LR的临时断点p (assembly):位于PC地址的修补程序集
where: 显示java堆栈跟踪
trace[begin-end]:设置跟踪指令
traceRead[begin-end]:设置跟踪内存读取
traceWrite〔begin-end〕:设置跟踪内存写入
vm:查看加载的模块
vbs:查看断点
d|dis:显示反汇编
d(0x):在指定地址显示反汇编
stop: 停止模拟
run[arg]:运行测试
gc:运行System.gc()
threads: 显示线程列表
cc size:将asm从0x4000c364-0x4000c364+size字节转换为c函数
监控内存读写
将信息输出到文件
String traceFile = "myMonitorFile";
PrintStream traceStream = null;
try {
traceStream = new PrintStream(new FileOutputStream(traceFile), true);
} catch (FileNotFoundException e) {
e.printStackTrace();
}
监控内存读
emulator.traceRead(module.base, module.base + module.size).setRedirect(traceStream);
监控内存写
emulator.traceWrite(module.base, module.base + module.size).setRedirect(traceStream);
八
trace
String traceFile = "myTraceCodeFile";
PrintStream traceStream = null;
try {
traceStream = new PrintStream(new FileOutputStream(traceFile), true);
} catch (FileNotFoundException e) {
e.printStackTrace();
}
emulator.traceCode(module.base, module.base + module.size).setRedirect(traceStream);
看雪ID:西贝巴巴
https://bbs.kanxue.com/user-home-961239.htm
# 往期推荐
2、BFS Ekoparty 2022 Linux Kernel Exploitation Challenge
3、银狐样本分析
球分享
球点赞
球在看
点击阅读原文查看更多
如有侵权请联系:admin#unsafe.sh