Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

加油,我目前就是卡在不知道如何获取sign加密的值 #5

Open
LF-c opened this issue Oct 11, 2024 · 65 comments
Open

加油,我目前就是卡在不知道如何获取sign加密的值 #5

LF-c opened this issue Oct 11, 2024 · 65 comments

Comments

@LF-c
Copy link

LF-c commented Oct 11, 2024

市面上的ocr或者是简单的抓包版本都太拉跨了,还是要最终模拟人写。我分析完了,目前就卡在sign的值。逆向工程我不是很懂,这方面就等楼主了。知道了sign的值,就可以提前知道考试的答案和题目,也可以提交答案。但是获取答案的sign和提交答案的sign不一样,得逆向明白到底是如何加密的
@xmexg
Copy link
Owner

xmexg commented Oct 11, 2024

对于sign,具体的加密算法位于com.fenbi.android.leo.webapp.secure.commands.RequestConfigCommand.Companion.c, 但是该方法无法完全导出dex,我无法反编译出源码。应该不会有具体的sign算法,我正在分析调用过程,准备通过hook的方式,向frida传入无sign的url链接,传出带sign的url链接,中间计算过程由小猿口算app生成。

@LF-c
Copy link
Author

LF-c commented Oct 11, 2024

对的 反编译也很少时候是能反出源码,没事楼主的想法也很好哈哈哈,看你了,等你成功了借用一下你的方式

@Doctor-yoi
Copy link

对于sign,具体的加密算法位于com.fenbi.android.leo.webapp.secure.commands.RequestConfigCommand.Companion.c, 但是该方法无法完全导出dex,我无法反编译出源码。应该不会有具体的sign算法,我正在分析调用过程,准备通过hook的方式,向frida传入无sign的url链接,传出带sign的url链接,中间计算过程由小猿口算app生成。

安卓端的sign最终是调的native方法算的,在libRequestEncoder.so里面

@xmexg
Copy link
Owner

xmexg commented Oct 11, 2024

感谢提醒,我去看了下libRequestEncoder.so,我完全不会逆向so
image

@lpy30m
Copy link

lpy30m commented Oct 11, 2024

我已经使用unidbg 补出了sign的生成

@xmexg
Copy link
Owner

xmexg commented Oct 11, 2024

怎么生成的呢?能开源出来看看吗?

@xmexg xmexg pinned this issue Oct 11, 2024
@lpy30m
Copy link

lpy30m commented Oct 11, 2024

我是根据该文章 补的,https://github.com/kings0527/InfoSecurity-Series/blob/f1123f2179e5464777ac8df5e3c8761201140bb1/%E8%BD%AF%E4%BB%B6%E5%AE%89%E5%85%A8/%E9%80%86%E5%90%91%E5%B7%A5%E7%A8%8B/.more/%E5%A4%A7%E7%8C%BF%E6%90%9C%E9%A2%98%20sign%20so%20%E5%8A%A0%E5%AF%86%E5%8F%82%E6%95%B0%E5%88%86%E6%9E%90%EF%BD%9Cunidbg.md

下面是 unidbg 代码,其中的chararray 需要根据他说的新建一个 改改就行 但是不一定能用,我测试了登录貌似还是失败,
package com.xiaoyuan;

import com.github.unidbg.AndroidEmulator;
import com.github.unidbg.Emulator;
import com.github.unidbg.Module;
import com.github.unidbg.hook.hookzz.;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.linux.android.dvm.;
import com.github.unidbg.linux.android.dvm.array.ArrayObject;
import com.github.unidbg.linux.android.dvm.array.CharArray;
import com.github.unidbg.linux.android.dvm.wrapper.DvmInteger;
import com.github.unidbg.memory.Memory;
import com.sun.jna.Pointer;
import net.dongliu.apk.parser.bean.CertificateMeta;

import java.io.File;
import java.io.IOException;

public class Xiaoyuan extends AbstractJni {

private final AndroidEmulator emulator;
private final VM vm;
private final Module module;

public DvmClass EClass;
public String apkPath = "E:\\unidbg\\apks\\xy\\xy.apk";

Xiaoyuan() {
    emulator = AndroidEmulatorBuilder.for32Bit().build();
    final Memory memory = emulator.getMemory();
    memory.setLibraryResolver(new AndroidResolver(23));
    vm = emulator.createDalvikVM(new File(apkPath));
    vm.setVerbose(true);
    DalvikModule dm = vm.loadLibrary(new File("E:\\unidbg\\apks\\xy\\libRequestEncoder.so"), true); // 加载so到虚拟内存
    vm.setJni(this);
    module = dm.getModule();
    dm.callJNI_OnLoad(emulator);
    EClass = vm.resolveClass("com/fenbi/android/leo/utils/e");
}

public void call_zcvsd1wr2t() {
    String methodId = "zcvsd1wr2t(Ljava/lang/String;Ljava/lang/String;I)Ljava/lang/String;";
    EClass.callStaticJniMethodObject(
            emulator, methodId,
            new StringObject(vm, "/leo-gateway/android/auth/password"),
            new StringObject(vm, "wdi4n2t8edr"),
            -28673
    );
}





public static void main(String[] args) {
    Xiaoyuan getSign = new Xiaoyuan();
    getSign.call_zcvsd1wr2t();
    getSign.destroy();
}

private void destroy() {
    try {
        emulator.close();
    } catch (IOException e) {
        e.printStackTrace();
    }
}
@Override
public int getStaticIntField(BaseVM vm, DvmClass dvmClass, String signature) {
    return 27;
}

@Override
public DvmObject<?> callStaticObjectMethodV(BaseVM vm, DvmClass dvmClass, String signature, VaList vaList) {
    switch (signature) {
        case "com/fenbi/android/leo/activity/HomeActivity->b()Landroid/app/Application;":
            return vm.resolveClass("android/app/Application").newObject(null);
    }
    return super.callStaticObjectMethodV(vm, dvmClass, signature, vaList);
}
@Override
public DvmObject<?> callObjectMethodV(BaseVM vm, DvmObject<?> dvmObject, String signature, VaList vaList) {
    switch (signature) {
        case "android/app/Application->getBaseContext()Landroid/content/Context;":{
            return vm.resolveClass("android/content/Context").newObject(null);
        }
        case "android/content/pm/Signature->toChars()[C":{
            CertificateMeta certificateMeta = (CertificateMeta) dvmObject.getValue();
            byte[] bytes = certificateMeta.getData();
            char[] chars = new char[bytes.length];
            for (int i = 0; i < bytes.length; i++) {
                chars[i] = (char) bytes[i];
            }
            return new CharArray(vm,chars);
        }
    }
    return super.callObjectMethodV(vm, dvmObject, signature, vaList);
};

}

@xmexg
Copy link
Owner

xmexg commented Oct 11, 2024

实在是太强了,比我厉害多了
我还得继续学习, 目前还没能力分析so

@lpy30m
Copy link

lpy30m commented Oct 11, 2024

实在是太强了,比我厉害多了 我还得继续学习,目前还没能力分析so

我也只是照抄而已,不算的厉害

@Doctor-yoi
Copy link

悲报,加密了(
喜报,大概率是前端解密因为so好像没动

@lpy30m
Copy link

lpy30m commented Oct 11, 2024

悲报,加密了( 喜报,大概率是前端解密因为so好像没动

什么加密了,题目这些返回的数据吗

@dfaofeng
Copy link 

libRequestEncoder.so


com.fenbi.android.leo.utils.e
public static native String zcvsd1wr2t(String str, String str2, int i11);
}
``
这是我昨天分析出来的sign加密调用函数,今天早上看了下有个网页可以登录,调试了下 发现登录是用的aes加密 期待大佬能把算法逆出来

@daizhuentou
Copy link

解密出sign就可以直接发包拿分了,期待大佬发力

@lpy30m
Copy link

lpy30m commented Oct 11, 2024 

libRequestEncoder.so


com.fenbi.android.leo.utils.e
public static native String zcvsd1wr2t(String str, String str2, int i11);
}
``
这是我昨天分析出来的sign加密调用函数,今天早上看了下有个网页可以登录,调试了下 发现登录是用的aes加密 期待大佬能把算法逆出来

发一下登录的网址 我看看 so算法我分析就差一段了 好像是aes

@dfaofeng
Copy link 

libRequestEncoder.so


com.fenbi.android.leo.utils.e
public static native String zcvsd1wr2t(String str, String str2, int i11);
}
``
这是我昨天分析出来的sign加密调用函数,今天早上看了下有个网页可以登录,调试了下 发现登录是用的aes加密 期待大佬能把算法逆出来

发一下登录的网址 我看看 so算法我分析就差一段了 好像是aes

https://m.yuanfudao.com/u/login/force?backUrl=https%3A%2F%2Fm.yuanfudao.com%2Fnative%2Fmy-coins

@dfaofeng
Copy link

dfaofeng commented Oct 11, 2024
edited
Loading 

libRequestEncoder.so


com.fenbi.android.leo.utils.e
public static native String zcvsd1wr2t(String str, String str2, int i11);
}
``
这是我昨天分析出来的sign加密调用函数,今天早上看了下有个网页可以登录,调试了下 发现登录是用的aes加密 期待大佬能把算法逆出来

发一下登录的网址 我看看 so算法我分析就差一段了 好像是aes

关键函数
return t.setPublicKey("-----BEGIN PUBLIC KEY-----\n ".concat("MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDSovT1rrwzrGoMCFb6z8e+5lzVdAD5o8krGIwdfxrVE2OnMijUZdkQk7etPJvZ2JOVXghthAGUUJkDUE8n2ZMNFKPjMrQJI49ewVzqWOKOvgU6Iu60Sn0xpeietP1wWXBkszdV1WfNBJUo2hhPDnIPMGzzdfLW5rMu+tczeUriJQIDAQAB", "\n -----END PUBLIC KEY-----")),
t.encrypt(n)

@xmexg xmexg mentioned this issue Oct 11, 2024
Open
@kongbai141
Copy link 

libRequestEncoder.so


com.fenbi.android.leo.utils.e
public static native String zcvsd1wr2t(String str, String str2, int i11);
}
``
这是我昨天分析出来的sign加密调用函数,今天早上看了下有个网页可以登录,调试了下 发现登录是用的aes加密 期待大佬能把算法逆出来

直接hook这个拿到第一个参数是接口名第二个参数是wdi4n2t8edr,但第三个int读不出来

@dfaofeng
Copy link 

libRequestEncoder.so


com.fenbi.android.leo.utils.e
public static native String zcvsd1wr2t(String str, String str2, int i11);
}
``
这是我昨天分析出来的sign加密调用函数,今天早上看了下有个网页可以登录,调试了下 发现登录是用的aes加密 期待大佬能把算法逆出来

直接hook这个拿到第一个参数是接口名第二个参数是wdi4n2t8edr,但第三个int读不出来

我用的objection追到的,第三方参数有1,-1,空 三个选项

@kongbai141
Copy link 

libRequestEncoder.so


com.fenbi.android.leo.utils.e
public static native String zcvsd1wr2t(String str, String str2, int i11);
}
``
这是我昨天分析出来的sign加密调用函数,今天早上看了下有个网页可以登录,调试了下 发现登录是用的aes加密 期待大佬能把算法逆出来

直接hook这个拿到第一个参数是接口名第二个参数是wdi4n2t8edr,但第三个int读不出来

我用的objection追到的,第三方参数有1,-1,空 三个选项

so实现伪代码555行实在没能力看逻辑

@lpy30m
Copy link

lpy30m commented Oct 11, 2024 

libRequestEncoder.so


com.fenbi.android.leo.utils.e
public static native String zcvsd1wr2t(String str, String str2, int i11);
}
``
这是我昨天分析出来的sign加密调用函数,今天早上看了下有个网页可以登录,调试了下 发现登录是用的aes加密 期待大佬能把算法逆出来

直接hook这个拿到第一个参数是接口名第二个参数是wdi4n2t8edr,但第三个int读不出来

我用的objection追到的,第三方参数有1,-1,空 三个选项

hook这个so中的这个函数 sub_43B54 就能看到最后的加密结果了 是个标准MD5

@kongbai141
Copy link 

libRequestEncoder.so


com.fenbi.android.leo.utils.e
public static native String zcvsd1wr2t(String str, String str2, int i11);
}
``
这是我昨天分析出来的sign加密调用函数,今天早上看了下有个网页可以登录,调试了下 发现登录是用的aes加密 期待大佬能把算法逆出来

直接hook这个拿到第一个参数是接口名第二个参数是wdi4n2t8edr,但第三个int读不出来

我用的objection追到的,第三方参数有1,-1,空 三个选项

hook这个so中的这个函数 sub_43B54 就能看到最后的加密结果了 是个标准MD5

这个能看到但具体逻辑没办法,还是没法自己生成sign和对数据加密实现整个流程

@lpy30m
Copy link

lpy30m commented Oct 11, 2024

https://m.yuanfudao.com/u/login/force?backUrl=https%3A%2F%2Fm.yuanfudao.com%2Fnative%2Fmy-coins

密码这种加密无所谓 主要是so的sign 这个网页貌似没有sign参数

@lpy30m
Copy link

lpy30m commented Oct 11, 2024 

libRequestEncoder.so


com.fenbi.android.leo.utils.e
public static native String zcvsd1wr2t(String str, String str2, int i11);
}
``
这是我昨天分析出来的sign加密调用函数,今天早上看了下有个网页可以登录,调试了下 发现登录是用的aes加密 期待大佬能把算法逆出来

直接hook这个拿到第一个参数是接口名第二个参数是wdi4n2t8edr,但第三个int读不出来

我用的objection追到的,第三方参数有1,-1,空 三个选项

hook这个so中的这个函数 sub_43B54 就能看到最后的加密结果了 是个标准MD5

这个能看到但具体逻辑没办法,还是没法自己生成sign和对数据加密实现整个流程

/leo-gateway/android/auth/password
wdi4n2t8edr
bcd65d0baba159174a6b3331ac998605 urlPATH+ salt MD5
/leo-gateway/android/auth/password
654194b4dbd03e4dc79ccbce86dda67a 前几位相加 MD5
3074026880171896034922881047576209528810400183074026880576209548017464801746181677721628810478167772164801746557620954172881047335544322400873173201164288104791757620952619134175762095179603492288104942881047826191349603492189603492717728810479288104787174801746576209517288104941728810464320116418517320116528810478288104172881046432011652881047842881047822161902881047817335544322881047822161902400873181778326d1162fb5f38730d95b2fd7286c14
wdi4n2t8edr

这是我分析的 现在只有

3074026880171896034922881047576209528810400183074026880576209548017464801746181677721628810478167772164801746557620954172881047335544322400873173201164288104791757620952619134175762095179603492288104942881047826191349603492189603492717728810479288104787174801746576209517288104941728810464320116418517320116528810478288104172881046432011652881047842881047822161902881047817335544322881047822161902400873181778326d1162fb5f38730d95b2fd7286c14
分析不出来

@kongbai141
Copy link 

libRequestEncoder.so


com.fenbi.android.leo.utils.e
public static native String zcvsd1wr2t(String str, String str2, int i11);
}
``
这是我昨天分析出来的sign加密调用函数,今天早上看了下有个网页可以登录,调试了下 发现登录是用的aes加密 期待大佬能把算法逆出来

直接hook这个拿到第一个参数是接口名第二个参数是wdi4n2t8edr,但第三个int读不出来

我用的objection追到的,第三方参数有1,-1,空 三个选项

hook这个so中的这个函数 sub_43B54 就能看到最后的加密结果了 是个标准MD5

sub_43b54是啥,我这勾的是sub_61BD4,能拿到那个salt

@lpy30m
Copy link

lpy30m commented Oct 11, 2024 

libRequestEncoder.so


com.fenbi.android.leo.utils.e
public static native String zcvsd1wr2t(String str, String str2, int i11);
}
``
这是我昨天分析出来的sign加密调用函数,今天早上看了下有个网页可以登录,调试了下 发现登录是用的aes加密 期待大佬能把算法逆出来

直接hook这个拿到第一个参数是接口名第二个参数是wdi4n2t8edr,但第三个int读不出来

我用的objection追到的,第三方参数有1,-1,空 三个选项

hook这个so中的这个函数 sub_43B54 就能看到最后的加密结果了 是个标准MD5

sub_43b54是啥,我这勾的是sub_61BD4,能拿到那个salt

是so函数的偏移地址,拿到salt没用啊,他盐java层就已经给传入了

@kongbai141
Copy link 

libRequestEncoder.so


com.fenbi.android.leo.utils.e
public static native String zcvsd1wr2t(String str, String str2, int i11);
}
``
这是我昨天分析出来的sign加密调用函数,今天早上看了下有个网页可以登录,调试了下 发现登录是用的aes加密 期待大佬能把算法逆出来

直接hook这个拿到第一个参数是接口名第二个参数是wdi4n2t8edr,但第三个int读不出来

我用的objection追到的,第三方参数有1,-1,空 三个选项

hook这个so中的这个函数 sub_43B54 就能看到最后的加密结果了 是个标准MD5

sub_43b54是啥,我这勾的是sub_61BD4,能拿到那个salt

是so函数的偏移地址,拿到salt没用啊,他盐java层就已经给传入了

time那个参数你追到过吗

@dfaofeng
Copy link

用的dump脚本

java_class: com.fenbi.android.leo.utils.e name: zcvsd1wr2t sig: (Ljava/lang/String;Ljava/lang/String;I)Ljava/lang/String; fnPtr: 0x703c321be4  fnOffset: 0x703c321be4 libRequestEncoder.so!0x61be4  callee: 0x703c322930 libRequestEncoder.so!0x62930

@lpy30m
Copy link

lpy30m commented Oct 11, 2024 

libRequestEncoder.so


com.fenbi.android.leo.utils.e
public static native String zcvsd1wr2t(String str, String str2, int i11);
}
``
这是我昨天分析出来的sign加密调用函数,今天早上看了下有个网页可以登录,调试了下 发现登录是用的aes加密 期待大佬能把算法逆出来

直接hook这个拿到第一个参数是接口名第二个参数是wdi4n2t8edr,但第三个int读不出来

我用的objection追到的,第三方参数有1,-1,空 三个选项

hook这个so中的这个函数 sub_43B54 就能看到最后的加密结果了 是个标准MD5

sub_43b54是啥,我这勾的是sub_61BD4,能拿到那个salt

是so函数的偏移地址,拿到salt没用啊,他盐java层就已经给传入了

time那个参数你追到过吗

你是说so层获取时间戳的地方吗

@ZQBCWG
Copy link

ZQBCWG commented Oct 12, 2024

SIGN的类是com.fenbi.android.leo.imgsearch.sdk.network.h

@xmexg
Copy link
Owner

xmexg commented Oct 12, 2024

SIGN的类是com.fenbi.android.leo.imgsearch.sdk.network.h

com.fenbi.android.leo.utils.e

package com.fenbi.android.leo.utils;

/* loaded from: classes3.dex */
public class e {
    static {
        System.loadLibrary("RequestEncoder");
    }

    public static native String sdwioxccsd();

    public static native String zcvsd1wr2t(String str, String str2, int i11);
}

@jqjhl
Copy link

jqjhl commented Oct 12, 2024 

pcVar22 = (char *)operator_new__(0x20);

这行代码的pcVar22指向的应该就是rc4加密的密匙了,但计算太复杂了,g
fun_001eefc.txt

@ParticleG
Copy link 

libRequestEncoder.so


com.fenbi.android.leo.utils.e
public static native String zcvsd1wr2t(String str, String str2, int i11);
}
``
这是我昨天分析出来的sign加密调用函数,今天早上看了下有个网页可以登录,调试了下 发现登录是用的aes加密 期待大佬能把算法逆出来

直接hook这个拿到第一个参数是接口名第二个参数是wdi4n2t8edr,但第三个int读不出来

我用的objection追到的,第三方参数有1,-1,空 三个选项

hook这个so中的这个函数 sub_43B54 就能看到最后的加密结果了 是个标准MD5

可以问一下text段的具体地址么,用IDA Pro 8逆向出来sub名不一样

@ParticleG
Copy link 

libRequestEncoder.so


com.fenbi.android.leo.utils.e
public static native String zcvsd1wr2t(String str, String str2, int i11);
}
``
这是我昨天分析出来的sign加密调用函数,今天早上看了下有个网页可以登录,调试了下 发现登录是用的aes加密 期待大佬能把算法逆出来

直接hook这个拿到第一个参数是接口名第二个参数是wdi4n2t8edr,但第三个int读不出来

我用的objection追到的,第三方参数有1,-1,空 三个选项

hook这个so中的这个函数 sub_43B54 就能看到最后的加密结果了 是个标准MD5

可以问一下text段的具体地址么,用IDA Pro 8逆向出来sub名不一样

理论上找到核心函数和依赖函数的伪代码,再编一个x86的lib是不是就可以直接拿去给python和java用了)

@ijmyvm
Copy link

ijmyvm commented Oct 13, 2024
edited
Loading 

import com.github.unidbg.Module;
import com.github.unidbg.arm.backend.Unicorn2Factory;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidResolver;

import com.github.unidbg.linux.android.dvm.*;
import com.github.unidbg.linux.android.dvm.array.CharArray;
import com.github.unidbg.memory.Memory;
import net.dongliu.apk.parser.bean.CertificateMeta;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import java.io.File;
import java.io.IOException;


public class Main extends AbstractJni {
    private static final Logger log = LoggerFactory.getLogger(Main.class);
    private final AndroidEmulator emulator;
    private final VM vm;
    private final Module module;

    public DvmClass EClass;
    public String apkPath = "F:\\unidbg-master\\apks\\小猿口算.apk";

    Main() {
        emulator = AndroidEmulatorBuilder.for32Bit()
                .setProcessName("com.fenbi.android.leo")
                .addBackendFactory(new Unicorn2Factory(true))
                .build(); // 创建模拟器实例,要模拟32位或者64位,在这里区分
        final Memory memory = emulator.getMemory();
        memory.setLibraryResolver(new AndroidResolver(23));
        vm = emulator.createDalvikVM(new File(apkPath));

        vm.setVerbose(true);
        DalvikModule dm = vm.loadLibrary(new File("F:\\unidbg-master\\apks\\libRequestEncoder.so"), true);

        vm.setJni(this);
        module = dm.getModule();
        dm.callJNI_OnLoad(emulator);

        EClass = vm.resolveClass("com/fenbi/android/leo/utils/e");

    }

    public static void main(String[] args) {
        Main main = new Main();
        main.call_zcvsd1wr2t();
        main.destroy();
    }

    public void call_zcvsd1wr2t() {
        String methodId = "zcvsd1wr2t(Ljava/lang/String;Ljava/lang/String;I)Ljava/lang/String;";
        StringObject result = EClass.callStaticJniMethodObject(
                emulator, methodId,
                new StringObject(vm, "/leo-gateway/android/auth/password"),
//                new StringObject(vm, ""),
                new StringObject(vm, "wdi4n2t8edr"),
//                new StringObject(vm, ""),
                0
        );
        System.out.println("Result: " + result);
    }


    @Override
    public int getStaticIntField(BaseVM vm, DvmClass dvmClass, String signature) {
        return 25;
    }


    @Override
    public DvmObject<?> callStaticObjectMethodV(BaseVM vm, DvmClass dvmClass, String signature, VaList vaList) {
        switch (signature) {
            case "com/fenbi/android/leo/activity/HomeActivity->b()Landroid/app/Application;":
                return vm.resolveClass("android/app/Application").newObject(null);
        }
        System.out.println("callStaticObjectMethodV: " + signature);
        return super.callStaticObjectMethodV(vm, dvmClass, signature, vaList);
    }

    @Override
    public DvmObject<?> callObjectMethodV(BaseVM vm, DvmObject<?> dvmObject, String signature, VaList vaList) {
        switch (signature) {
            case "android/app/Application->getBaseContext()Landroid/content/Context;": {
                return vm.resolveClass("android/app/ContextImpl").newObject(null);
            }
            case "android/app/ContextImpl->getPackageName()Ljava/lang/String;": {
                return new StringObject(vm, "com.fenbi.android.leo");
            }


            case "android/content/pm/Signature->toChars()[C": {
                CertificateMeta certificateMeta = (CertificateMeta) dvmObject.getValue();

                byte[] bytes = certificateMeta.getData();
                char[] chars = new char[bytes.length];
                for (int i = 0; i < bytes.length; i++) {
                    chars[i] = (char) bytes[i];
                }
                return new CharArray(vm, chars);
            }
        }
        return super.callObjectMethodV(vm, dvmObject, signature, vaList);
    }

    ;

    private void destroy() {
        try {
            emulator.close();
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}

我补的哪个地方有问题,返回结果为null

D:\Java\jdk-22\bin\java.exe "-javaagent:D:\JetBrains\IntelliJ IDEA 2024.1.2\lib\idea_rt.jar=23287:D:\JetBrains\IntelliJ IDEA 2024.1.2\bin" -Dfile.encoding=UTF-8 -Dsun.stdout.encoding=UTF-8 -Dsun.stderr.encoding=UTF-8 -classpath F:\unidbg-master\unidbg-android\target\classes;F:\unidbg-master\unidbg-api\target\classes;C:\Users\Administrator.m2\repository\com\github\zhkl0228\unicorn\1.0.14\unicorn-1.0.14.jar;C:\Users\Administrator.m2\repository\org\scijava\native-lib-loader\2.3.5\native-lib-loader-2.3.5.jar;C:\Users\Administrator.m2\repository\com\github\zhkl0228\capstone\3.1.8\capstone-3.1.8.jar;C:\Users\Administrator.m2\repository\net\java\dev\jna\jna\5.10.0\jna-5.10.0.jar;C:\Users\Administrator.m2\repository\com\github\zhkl0228\keystone\0.9.7\keystone-0.9.7.jar;C:\Users\Administrator.m2\repository\commons-codec\commons-codec\1.15\commons-codec-1.15.jar;C:\Users\Administrator.m2\repository\org\apache\commons\commons-collections4\4.4\commons-collections4-4.4.jar;C:\Users\Administrator.m2\repository\commons-io\commons-io\2.11.0\commons-io-2.11.0.jar;C:\Users\Administrator.m2\repository\commons-logging\commons-logging\1.2\commons-logging-1.2.jar;C:\Users\Administrator.m2\repository\com\alibaba\fastjson\1.2.83\fastjson-1.2.83.jar;C:\Users\Administrator.m2\repository\com\github\zhkl0228\demumble\1.0.4\demumble-1.0.4.jar;C:\Users\Administrator.m2\repository\net\dongliu\apk-parser\2.6.10\apk-parser-2.6.10.jar;F:\unidbg-master\backend\unicorn2\target\classes;C:\Users\Administrator.m2\repository\org\slf4j\slf4j-api\2.0.5\slf4j-api-2.0.5.jar Main
SLF4J: No SLF4J providers were found.
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See https://www.slf4j.org/codes.html#noProviders for further details.
JNIEnv->FindClass(com/fenbi/android/leo/utils/e) was called from RX@0x40041b47[libRequestEncoder.so]0x41b47
JNIEnv->RegisterNatives(com/fenbi/android/leo/utils/e, unidbg@0xbffff6d4, 2) was called from RX@0x40041b59[libRequestEncoder.so]0x41b59
RegisterNative(com/fenbi/android/leo/utils/e, zcvsd1wr2t(Ljava/lang/String;Ljava/lang/String;I)Ljava/lang/String;, RX@0x400414e9[libRequestEncoder.so]0x414e9)
RegisterNative(com/fenbi/android/leo/utils/e, sdwioxccsd()Ljava/lang/String;, RX@0x40040c6d[libRequestEncoder.so]0x40c6d)
Find native function Java_com_fenbi_android_leo_utils_e_zcvsd1wr2t => RX@0x400414e9[libRequestEncoder.so]0x414e9
JNIEnv->GetStringUtfChars("wdi4n2t8edr") was called from RX@0x40041515[libRequestEncoder.so]0x41515
JNIEnv->ReleaseStringUTFChars("wdi4n2t8edr") was called from RX@0x4004153f[libRequestEncoder.so]0x4153f
JNIEnv->GetStringUtfChars("/leo-gateway/android/auth/password") was called from RX@0x4004154f[libRequestEncoder.so]0x4154f
JNIEnv->ReleaseStringUTFChars("/leo-gateway/android/auth/password") was called from RX@0x40041579[libRequestEncoder.so]0x41579
JNIEnv->FindClass(android/os/Build$VERSION) was called from RX@0x4004159d[libRequestEncoder.so]0x4159d
JNIEnv->GetStaticFieldID(android/os/Build$VERSION.SDK_INTI) => 0x1e4ff4f1 was called from RX@0x400415e7[libRequestEncoder.so]0x415e7
JNIEnv->GetStaticIntField(class android/os/Build$VERSION, SDK_INT => 0x19) was called from RX@0x40041603[libRequestEncoder.so]0x41603
JNIEnv->FindClass(android/app/Application) was called from RX@0x40041e71[libRequestEncoder.so]0x41e71
JNIEnv->FindClass(com/fenbi/android/leo/activity/HomeActivity) was called from RX@0x40041ecd[libRequestEncoder.so]0x41ecd
JNIEnv->GetStaticMethodID(com/fenbi/android/leo/activity/HomeActivity.b()Landroid/app/Application;) => 0xeaf0f761 was called from RX@0x40041f11[libRequestEncoder.so]0x41f11
JNIEnv->CallStaticObjectMethodV(class com/fenbi/android/leo/activity/HomeActivity, b() => android.app.Application@631330c) was called from RX@0x40041fb1[libRequestEncoder.so]0x41fb1
JNIEnv->GetMethodID(android/app/Application.getPackageManager()Landroid/content/pm/PackageManager;) => 0x630dae39 was called from RX@0x40041653[libRequestEncoder.so]0x41653
JNIEnv->GetMethodID(android/app/Application.getBaseContext()Landroid/content/Context;) => 0xce15ef92 was called from RX@0x4004169b[libRequestEncoder.so]0x4169b
callObjectMethodV: android/app/Application->getPackageManager()Landroid/content/pm/PackageManager;
JNIEnv->CallObjectMethodV(android.app.Application@631330c, getPackageManager() => android.content.pm.PackageManager@42f93a98) was called from RX@0x40041f6d[libRequestEncoder.so]0x41f6d
JNIEnv->FindClass(android/app/ApplicationPackageManager) was called from RX@0x400416df[libRequestEncoder.so]0x416df
JNIEnv->CallObjectMethodV(android.app.Application@631330c, getBaseContext() => android.app.ContextImpl@c46bcd4) was called from RX@0x40041f6d[libRequestEncoder.so]0x41f6d
JNIEnv->FindClass(android/app/ContextImpl) was called from RX@0x400417cf[libRequestEncoder.so]0x417cf
JNIEnv->GetMethodID(android/content/pm/PackageManager.getPackageInfo(Ljava/lang/String;I)Landroid/content/pm/PackageInfo;) => 0x3bca8377 was called from RX@0x40041831[libRequestEncoder.so]0x41831
JNIEnv->GetMethodID(android/app/ContextImpl.getPackageName()Ljava/lang/String;) => 0xd4c1afb8 was called from RX@0x40041883[libRequestEncoder.so]0x41883
JNIEnv->CallObjectMethodV(android.app.ContextImpl@c46bcd4, getPackageName() => "com.fenbi.android.leo") was called from RX@0x40041f6d[libRequestEncoder.so]0x41f6d
callObjectMethodV: android/content/pm/PackageManager->getPackageInfo(Ljava/lang/String;I)Landroid/content/pm/PackageInfo;
JNIEnv->CallObjectMethodV(android.content.pm.PackageManager@42f93a98, getPackageInfo("com.fenbi.android.leo", 0x40) => android.content.pm.PackageInfo@fad74ee) was called from RX@0x40041f6d[libRequestEncoder.so]0x41f6d
JNIEnv->GetFieldID(android/content/pm/PackageInfo.signatures [Landroid/content/pm/Signature;) => 0x25f17218 was called from RX@0x400418f3[libRequestEncoder.so]0x418f3
JNIEnv->GetObjectField(android.content.pm.PackageInfo@fad74ee, signatures [Landroid/content/pm/Signature; => [android.content.pm.Signature@2d9d4f9d]) was called from RX@0x4004190f[libRequestEncoder.so]0x4190f
JNIEnv->GetObjectArrayElement([android.content.pm.Signature@2d9d4f9d], 0) => android.content.pm.Signature@2d9d4f9d was called from RX@0x40041921[libRequestEncoder.so]0x41921
JNIEnv->GetMethodID(android/content/pm/Signature.toChars()[C) => 0xa108b7de was called from RX@0x4004196b[libRequestEncoder.so]0x4196b
JNIEnv->CallObjectMethodV(android.content.pm.Signature@2d9d4f9d, toChars() => [C@53ca01a2) was called from RX@0x40041f6d[libRequestEncoder.so]0x41f6d
JNIEnv->GetArrayLength([C@53ca01a2 => 830) was called from RX@0x40041991[libRequestEncoder.so]0x41991
Result: null

Process finished with exit code 0

@lpy30m
Copy link

lpy30m commented Oct 13, 2024 

import com.github.unidbg.Module;
import com.github.unidbg.arm.backend.Unicorn2Factory;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidResolver;

import com.github.unidbg.linux.android.dvm.*;
import com.github.unidbg.linux.android.dvm.array.CharArray;
import com.github.unidbg.memory.Memory;
import net.dongliu.apk.parser.bean.CertificateMeta;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import java.io.File;
import java.io.IOException;


public class Main extends AbstractJni {
    private static final Logger log = LoggerFactory.getLogger(Main.class);
    private final AndroidEmulator emulator;
    private final VM vm;
    private final Module module;

    public DvmClass EClass;
    public String apkPath = "F:\\unidbg-master\\apks\\小猿口算.apk";

    Main() {
        emulator = AndroidEmulatorBuilder.for32Bit()
                .setProcessName("com.fenbi.android.leo")
                .addBackendFactory(new Unicorn2Factory(true))
                .build(); // 创建模拟器实例,要模拟32位或者64位,在这里区分
        final Memory memory = emulator.getMemory();
        memory.setLibraryResolver(new AndroidResolver(23));
        vm = emulator.createDalvikVM(new File(apkPath));

        vm.setVerbose(true);
        DalvikModule dm = vm.loadLibrary(new File("F:\\unidbg-master\\apks\\libRequestEncoder.so"), true);

        vm.setJni(this);
        module = dm.getModule();
        dm.callJNI_OnLoad(emulator);

        EClass = vm.resolveClass("com/fenbi/android/leo/utils/e");

    }

    public static void main(String[] args) {
        Main main = new Main();
        main.call_zcvsd1wr2t();
        main.destroy();
    }

    public void call_zcvsd1wr2t() {
        String methodId = "zcvsd1wr2t(Ljava/lang/String;Ljava/lang/String;I)Ljava/lang/String;";
        StringObject result = EClass.callStaticJniMethodObject(
                emulator, methodId,
                new StringObject(vm, "/leo-gateway/android/auth/password"),
//                new StringObject(vm, ""),
                new StringObject(vm, "wdi4n2t8edr"),
//                new StringObject(vm, ""),
                0
        );
        System.out.println("Result: " + result);
    }


    @Override
    public int getStaticIntField(BaseVM vm, DvmClass dvmClass, String signature) {
        return 25;
    }


    @Override
    public DvmObject<?> callStaticObjectMethodV(BaseVM vm, DvmClass dvmClass, String signature, VaList vaList) {
        switch (signature) {
            case "com/fenbi/android/leo/activity/HomeActivity->b()Landroid/app/Application;":
                return vm.resolveClass("android/app/Application").newObject(null);
        }
        System.out.println("callStaticObjectMethodV: " + signature);
        return super.callStaticObjectMethodV(vm, dvmClass, signature, vaList);
    }

    @Override
    public DvmObject<?> callObjectMethodV(BaseVM vm, DvmObject<?> dvmObject, String signature, VaList vaList) {
        switch (signature) {
            case "android/app/Application->getBaseContext()Landroid/content/Context;": {
                return vm.resolveClass("android/app/ContextImpl").newObject(null);
            }
            case "android/app/ContextImpl->getPackageName()Ljava/lang/String;": {
                return new StringObject(vm, "com.fenbi.android.leo");
            }


            case "android/content/pm/Signature->toChars()[C": {
                CertificateMeta certificateMeta = (CertificateMeta) dvmObject.getValue();

                byte[] bytes = certificateMeta.getData();
                char[] chars = new char[bytes.length];
                for (int i = 0; i < bytes.length; i++) {
                    chars[i] = (char) bytes[i];
                }
                return new CharArray(vm, chars);
            }
        }
        return super.callObjectMethodV(vm, dvmObject, signature, vaList);
    }

    ;

    private void destroy() {
        try {
            emulator.close();
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}

我补的哪个地方有问题,返回结果为null

D:\Java\jdk-22\bin\java.exe "-javaagent:D:\JetBrains\IntelliJ IDEA 2024.1.2\lib\idea_rt.jar=23287:D:\JetBrains\IntelliJ IDEA 2024.1.2\bin" -Dfile.encoding=UTF-8 -Dsun.stdout.encoding=UTF-8 -Dsun.stderr.encoding=UTF-8 -classpath F:\unidbg-master\unidbg-android\target\classes;F:\unidbg-master\unidbg-api\target\classes;C:\Users\Administrator.m2\repository\com\github\zhkl0228\unicorn\1.0.14\unicorn-1.0.14.jar;C:\Users\Administrator.m2\repository\org\scijava\native-lib-loader\2.3.5\native-lib-loader-2.3.5.jar;C:\Users\Administrator.m2\repository\com\github\zhkl0228\capstone\3.1.8\capstone-3.1.8.jar;C:\Users\Administrator.m2\repository\net\java\dev\jna\jna\5.10.0\jna-5.10.0.jar;C:\Users\Administrator.m2\repository\com\github\zhkl0228\keystone\0.9.7\keystone-0.9.7.jar;C:\Users\Administrator.m2\repository\commons-codec\commons-codec\1.15\commons-codec-1.15.jar;C:\Users\Administrator.m2\repository\org\apache\commons\commons-collections4\4.4\commons-collections4-4.4.jar;C:\Users\Administrator.m2\repository\commons-io\commons-io\2.11.0\commons-io-2.11.0.jar;C:\Users\Administrator.m2\repository\commons-logging\commons-logging\1.2\commons-logging-1.2.jar;C:\Users\Administrator.m2\repository\com\alibaba\fastjson\1.2.83\fastjson-1.2.83.jar;C:\Users\Administrator.m2\repository\com\github\zhkl0228\demumble\1.0.4\demumble-1.0.4.jar;C:\Users\Administrator.m2\repository\net\dongliu\apk-parser\2.6.10\apk-parser-2.6.10.jar;F:\unidbg-master\backend\unicorn2\target\classes;C:\Users\Administrator.m2\repository\org\slf4j\slf4j-api\2.0.5\slf4j-api-2.0.5.jar Main SLF4J: No SLF4J providers were found. SLF4J: Defaulting to no-operation (NOP) logger implementation SLF4J: See https://www.slf4j.org/codes.html#noProviders for further details. JNIEnv->FindClass(com/fenbi/android/leo/utils/e) was called from RX@0x40041b47[libRequestEncoder.so]0x41b47 JNIEnv->RegisterNatives(com/fenbi/android/leo/utils/e, unidbg@0xbffff6d4, 2) was called from RX@0x40041b59[libRequestEncoder.so]0x41b59 RegisterNative(com/fenbi/android/leo/utils/e, zcvsd1wr2t(Ljava/lang/String;Ljava/lang/String;I)Ljava/lang/String;, RX@0x400414e9[libRequestEncoder.so]0x414e9) RegisterNative(com/fenbi/android/leo/utils/e, sdwioxccsd()Ljava/lang/String;, RX@0x40040c6d[libRequestEncoder.so]0x40c6d) Find native function Java_com_fenbi_android_leo_utils_e_zcvsd1wr2t => RX@0x400414e9[libRequestEncoder.so]0x414e9 JNIEnv->GetStringUtfChars("wdi4n2t8edr") was called from RX@0x40041515[libRequestEncoder.so]0x41515 JNIEnv->ReleaseStringUTFChars("wdi4n2t8edr") was called from RX@0x4004153f[libRequestEncoder.so]0x4153f JNIEnv->GetStringUtfChars("/leo-gateway/android/auth/password") was called from RX@0x4004154f[libRequestEncoder.so]0x4154f JNIEnv->ReleaseStringUTFChars("/leo-gateway/android/auth/password") was called from RX@0x40041579[libRequestEncoder.so]0x41579 JNIEnv->FindClass(android/os/Build$VERSION) was called from RX@0x4004159d[libRequestEncoder.so]0x4159d JNIEnv->GetStaticFieldID(android/os/Build$VERSION.SDK_INTI) => 0x1e4ff4f1 was called from RX@0x400415e7[libRequestEncoder.so]0x415e7 JNIEnv->GetStaticIntField(class android/os/Build$VERSION, SDK_INT => 0x19) was called from RX@0x40041603[libRequestEncoder.so]0x41603 JNIEnv->FindClass(android/app/Application) was called from RX@0x40041e71[libRequestEncoder.so]0x41e71 JNIEnv->FindClass(com/fenbi/android/leo/activity/HomeActivity) was called from RX@0x40041ecd[libRequestEncoder.so]0x41ecd JNIEnv->GetStaticMethodID(com/fenbi/android/leo/activity/HomeActivity.b()Landroid/app/Application;) => 0xeaf0f761 was called from RX@0x40041f11[libRequestEncoder.so]0x41f11 JNIEnv->CallStaticObjectMethodV(class com/fenbi/android/leo/activity/HomeActivity, b() => android.app.Application@631330c) was called from RX@0x40041fb1[libRequestEncoder.so]0x41fb1 JNIEnv->GetMethodID(android/app/Application.getPackageManager()Landroid/content/pm/PackageManager;) => 0x630dae39 was called from RX@0x40041653[libRequestEncoder.so]0x41653 JNIEnv->GetMethodID(android/app/Application.getBaseContext()Landroid/content/Context;) => 0xce15ef92 was called from RX@0x4004169b[libRequestEncoder.so]0x4169b callObjectMethodV: android/app/Application->getPackageManager()Landroid/content/pm/PackageManager; JNIEnv->CallObjectMethodV(android.app.Application@631330c, getPackageManager() => android.content.pm.PackageManager@42f93a98) was called from RX@0x40041f6d[libRequestEncoder.so]0x41f6d JNIEnv->FindClass(android/app/ApplicationPackageManager) was called from RX@0x400416df[libRequestEncoder.so]0x416df JNIEnv->CallObjectMethodV(android.app.Application@631330c, getBaseContext() => android.app.ContextImpl@c46bcd4) was called from RX@0x40041f6d[libRequestEncoder.so]0x41f6d JNIEnv->FindClass(android/app/ContextImpl) was called from RX@0x400417cf[libRequestEncoder.so]0x417cf JNIEnv->GetMethodID(android/content/pm/PackageManager.getPackageInfo(Ljava/lang/String;I)Landroid/content/pm/PackageInfo;) => 0x3bca8377 was called from RX@0x40041831[libRequestEncoder.so]0x41831 JNIEnv->GetMethodID(android/app/ContextImpl.getPackageName()Ljava/lang/String;) => 0xd4c1afb8 was called from RX@0x40041883[libRequestEncoder.so]0x41883 JNIEnv->CallObjectMethodV(android.app.ContextImpl@c46bcd4, getPackageName() => "com.fenbi.android.leo") was called from RX@0x40041f6d[libRequestEncoder.so]0x41f6d callObjectMethodV: android/content/pm/PackageManager->getPackageInfo(Ljava/lang/String;I)Landroid/content/pm/PackageInfo; JNIEnv->CallObjectMethodV(android.content.pm.PackageManager@42f93a98, getPackageInfo("com.fenbi.android.leo", 0x40) => android.content.pm.PackageInfo@fad74ee) was called from RX@0x40041f6d[libRequestEncoder.so]0x41f6d JNIEnv->GetFieldID(android/content/pm/PackageInfo.signatures [Landroid/content/pm/Signature;) => 0x25f17218 was called from RX@0x400418f3[libRequestEncoder.so]0x418f3 JNIEnv->GetObjectField(android.content.pm.PackageInfo@fad74ee, signatures [Landroid/content/pm/Signature; => [android.content.pm.Signature@2d9d4f9d]) was called from RX@0x4004190f[libRequestEncoder.so]0x4190f JNIEnv->GetObjectArrayElement([android.content.pm.Signature@2d9d4f9d], 0) => android.content.pm.Signature@2d9d4f9d was called from RX@0x40041921[libRequestEncoder.so]0x41921 JNIEnv->GetMethodID(android/content/pm/Signature.toChars()[C) => 0xa108b7de was called from RX@0x4004196b[libRequestEncoder.so]0x4196b JNIEnv->CallObjectMethodV(android.content.pm.Signature@2d9d4f9d, toChars() => [C@53ca01a2) was called from RX@0x40041f6d[libRequestEncoder.so]0x41f6d JNIEnv->GetArrayLength([C@53ca01a2 => 830) was called from RX@0x40041991[libRequestEncoder.so]0x41991 Result: null

Process finished with exit code 0

根据文章创建Chararray了吗

@ijmyvm
Copy link

ijmyvm commented Oct 13, 2024 

import com.github.unidbg.Module;
import com.github.unidbg.arm.backend.Unicorn2Factory;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidResolver;

import com.github.unidbg.linux.android.dvm.*;
import com.github.unidbg.linux.android.dvm.array.CharArray;
import com.github.unidbg.memory.Memory;
import net.dongliu.apk.parser.bean.CertificateMeta;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import java.io.File;
import java.io.IOException;


public class Main extends AbstractJni {
    private static final Logger log = LoggerFactory.getLogger(Main.class);
    private final AndroidEmulator emulator;
    private final VM vm;
    private final Module module;

    public DvmClass EClass;
    public String apkPath = "F:\\unidbg-master\\apks\\小猿口算.apk";

    Main() {
        emulator = AndroidEmulatorBuilder.for32Bit()
                .setProcessName("com.fenbi.android.leo")
                .addBackendFactory(new Unicorn2Factory(true))
                .build(); // 创建模拟器实例,要模拟32位或者64位,在这里区分
        final Memory memory = emulator.getMemory();
        memory.setLibraryResolver(new AndroidResolver(23));
        vm = emulator.createDalvikVM(new File(apkPath));

        vm.setVerbose(true);
        DalvikModule dm = vm.loadLibrary(new File("F:\\unidbg-master\\apks\\libRequestEncoder.so"), true);

        vm.setJni(this);
        module = dm.getModule();
        dm.callJNI_OnLoad(emulator);

        EClass = vm.resolveClass("com/fenbi/android/leo/utils/e");

    }

    public static void main(String[] args) {
        Main main = new Main();
        main.call_zcvsd1wr2t();
        main.destroy();
    }

    public void call_zcvsd1wr2t() {
        String methodId = "zcvsd1wr2t(Ljava/lang/String;Ljava/lang/String;I)Ljava/lang/String;";
        StringObject result = EClass.callStaticJniMethodObject(
                emulator, methodId,
                new StringObject(vm, "/leo-gateway/android/auth/password"),
//                new StringObject(vm, ""),
                new StringObject(vm, "wdi4n2t8edr"),
//                new StringObject(vm, ""),
                0
        );
        System.out.println("Result: " + result);
    }


    @Override
    public int getStaticIntField(BaseVM vm, DvmClass dvmClass, String signature) {
        return 25;
    }


    @Override
    public DvmObject<?> callStaticObjectMethodV(BaseVM vm, DvmClass dvmClass, String signature, VaList vaList) {
        switch (signature) {
            case "com/fenbi/android/leo/activity/HomeActivity->b()Landroid/app/Application;":
                return vm.resolveClass("android/app/Application").newObject(null);
        }
        System.out.println("callStaticObjectMethodV: " + signature);
        return super.callStaticObjectMethodV(vm, dvmClass, signature, vaList);
    }

    @Override
    public DvmObject<?> callObjectMethodV(BaseVM vm, DvmObject<?> dvmObject, String signature, VaList vaList) {
        switch (signature) {
            case "android/app/Application->getBaseContext()Landroid/content/Context;": {
                return vm.resolveClass("android/app/ContextImpl").newObject(null);
            }
            case "android/app/ContextImpl->getPackageName()Ljava/lang/String;": {
                return new StringObject(vm, "com.fenbi.android.leo");
            }


            case "android/content/pm/Signature->toChars()[C": {
                CertificateMeta certificateMeta = (CertificateMeta) dvmObject.getValue();

                byte[] bytes = certificateMeta.getData();
                char[] chars = new char[bytes.length];
                for (int i = 0; i < bytes.length; i++) {
                    chars[i] = (char) bytes[i];
                }
                return new CharArray(vm, chars);
            }
        }
        return super.callObjectMethodV(vm, dvmObject, signature, vaList);
    }

    ;

    private void destroy() {
        try {
            emulator.close();
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}

我补的哪个地方有问题,返回结果为null
D:\Java\jdk-22\bin\java.exe "-javaagent:D:\JetBrains\IntelliJ IDEA 2024.1.2\lib\idea_rt.jar=23287:D:\JetBrains\IntelliJ IDEA 2024.1.2\bin" -Dfile.encoding=UTF-8 -Dsun.stdout.encoding=UTF-8 -Dsun.stderr.encoding=UTF-8 -classpath F:\unidbg-master\unidbg-android\target\classes;F:\unidbg-master\unidbg-api\target\classes;C:\Users\Administrator.m2\repository\com\github\zhkl0228\unicorn\1.0.14\unicorn-1.0.14.jar;C:\Users\Administrator.m2\repository\org\scijava\native-lib-loader\2.3.5\native-lib-loader-2.3.5.jar;C:\Users\Administrator.m2\repository\com\github\zhkl0228\capstone\3.1.8\capstone-3.1.8.jar;C:\Users\Administrator.m2\repository\net\java\dev\jna\jna\5.10.0\jna-5.10.0.jar;C:\Users\Administrator.m2\repository\com\github\zhkl0228\keystone\0.9.7\keystone-0.9.7.jar;C:\Users\Administrator.m2\repository\commons-codec\commons-codec\1.15\commons-codec-1.15.jar;C:\Users\Administrator.m2\repository\org\apache\commons\commons-collections4\4.4\commons-collections4-4.4.jar;C:\Users\Administrator.m2\repository\commons-io\commons-io\2.11.0\commons-io-2.11.0.jar;C:\Users\Administrator.m2\repository\commons-logging\commons-logging\1.2\commons-logging-1.2.jar;C:\Users\Administrator.m2\repository\com\alibaba\fastjson\1.2.83\fastjson-1.2.83.jar;C:\Users\Administrator.m2\repository\com\github\zhkl0228\demumble\1.0.4\demumble-1.0.4.jar;C:\Users\Administrator.m2\repository\net\dongliu\apk-parser\2.6.10\apk-parser-2.6.10.jar;F:\unidbg-master\backend\unicorn2\target\classes;C:\Users\Administrator.m2\repository\org\slf4j\slf4j-api\2.0.5\slf4j-api-2.0.5.jar Main SLF4J: No SLF4J providers were found. SLF4J: Defaulting to no-operation (NOP) logger implementation SLF4J: See https://www.slf4j.org/codes.html#noProviders for further details. JNIEnv->FindClass(com/fenbi/android/leo/utils/e) was called from RX@0x40041b47[libRequestEncoder.so]0x41b47 JNIEnv->RegisterNatives(com/fenbi/android/leo/utils/e, unidbg@0xbffff6d4, 2) was called from RX@0x40041b59[libRequestEncoder.so]0x41b59 RegisterNative(com/fenbi/android/leo/utils/e, zcvsd1wr2t(Ljava/lang/String;Ljava/lang/String;I)Ljava/lang/String;, RX@0x400414e9[libRequestEncoder.so]0x414e9) RegisterNative(com/fenbi/android/leo/utils/e, sdwioxccsd()Ljava/lang/String;, RX@0x40040c6d[libRequestEncoder.so]0x40c6d) Find native function Java_com_fenbi_android_leo_utils_e_zcvsd1wr2t => RX@0x400414e9[libRequestEncoder.so]0x414e9 JNIEnv->GetStringUtfChars("wdi4n2t8edr") was called from RX@0x40041515[libRequestEncoder.so]0x41515 JNIEnv->ReleaseStringUTFChars("wdi4n2t8edr") was called from RX@0x4004153f[libRequestEncoder.so]0x4153f JNIEnv->GetStringUtfChars("/leo-gateway/android/auth/password") was called from RX@0x4004154f[libRequestEncoder.so]0x4154f JNIEnv->ReleaseStringUTFChars("/leo-gateway/android/auth/password") was called from RX@0x40041579[libRequestEncoder.so]0x41579 JNIEnv->FindClass(android/os/Build$VERSION) was called from RX@0x4004159d[libRequestEncoder.so]0x4159d JNIEnv->GetStaticFieldID(android/os/Build$VERSION.SDK_INTI) => 0x1e4ff4f1 was called from RX@0x400415e7[libRequestEncoder.so]0x415e7 JNIEnv->GetStaticIntField(class android/os/Build$VERSION, SDK_INT => 0x19) was called from RX@0x40041603[libRequestEncoder.so]0x41603 JNIEnv->FindClass(android/app/Application) was called from RX@0x40041e71[libRequestEncoder.so]0x41e71 JNIEnv->FindClass(com/fenbi/android/leo/activity/HomeActivity) was called from RX@0x40041ecd[libRequestEncoder.so]0x41ecd JNIEnv->GetStaticMethodID(com/fenbi/android/leo/activity/HomeActivity.b()Landroid/app/Application;) => 0xeaf0f761 was called from RX@0x40041f11[libRequestEncoder.so]0x41f11 JNIEnv->CallStaticObjectMethodV(class com/fenbi/android/leo/activity/HomeActivity, b() => android.app.Application@631330c) was called from RX@0x40041fb1[libRequestEncoder.so]0x41fb1 JNIEnv->GetMethodID(android/app/Application.getPackageManager()Landroid/content/pm/PackageManager;) => 0x630dae39 was called from RX@0x40041653[libRequestEncoder.so]0x41653 JNIEnv->GetMethodID(android/app/Application.getBaseContext()Landroid/content/Context;) => 0xce15ef92 was called from RX@0x4004169b[libRequestEncoder.so]0x4169b callObjectMethodV: android/app/Application->getPackageManager()Landroid/content/pm/PackageManager; JNIEnv->CallObjectMethodV(android.app.Application@631330c, getPackageManager() => android.content.pm.PackageManager@42f93a98) was called from RX@0x40041f6d[libRequestEncoder.so]0x41f6d JNIEnv->FindClass(android/app/ApplicationPackageManager) was called from RX@0x400416df[libRequestEncoder.so]0x416df JNIEnv->CallObjectMethodV(android.app.Application@631330c, getBaseContext() => android.app.ContextImpl@c46bcd4) was called from RX@0x40041f6d[libRequestEncoder.so]0x41f6d JNIEnv->FindClass(android/app/ContextImpl) was called from RX@0x400417cf[libRequestEncoder.so]0x417cf JNIEnv->GetMethodID(android/content/pm/PackageManager.getPackageInfo(Ljava/lang/String;I)Landroid/content/pm/PackageInfo;) => 0x3bca8377 was called from RX@0x40041831[libRequestEncoder.so]0x41831 JNIEnv->GetMethodID(android/app/ContextImpl.getPackageName()Ljava/lang/String;) => 0xd4c1afb8 was called from RX@0x40041883[libRequestEncoder.so]0x41883 JNIEnv->CallObjectMethodV(android.app.ContextImpl@c46bcd4, getPackageName() => "com.fenbi.android.leo") was called from RX@0x40041f6d[libRequestEncoder.so]0x41f6d callObjectMethodV: android/content/pm/PackageManager->getPackageInfo(Ljava/lang/String;I)Landroid/content/pm/PackageInfo; JNIEnv->CallObjectMethodV(android.content.pm.PackageManager@42f93a98, getPackageInfo("com.fenbi.android.leo", 0x40) => android.content.pm.PackageInfo@fad74ee) was called from RX@0x40041f6d[libRequestEncoder.so]0x41f6d JNIEnv->GetFieldID(android/content/pm/PackageInfo.signatures [Landroid/content/pm/Signature;) => 0x25f17218 was called from RX@0x400418f3[libRequestEncoder.so]0x418f3 JNIEnv->GetObjectField(android.content.pm.PackageInfo@fad74ee, signatures [Landroid/content/pm/Signature; => [android.content.pm.Signature@2d9d4f9d]) was called from RX@0x4004190f[libRequestEncoder.so]0x4190f JNIEnv->GetObjectArrayElement([android.content.pm.Signature@2d9d4f9d], 0) => android.content.pm.Signature@2d9d4f9d was called from RX@0x40041921[libRequestEncoder.so]0x41921 JNIEnv->GetMethodID(android/content/pm/Signature.toChars()[C) => 0xa108b7de was called from RX@0x4004196b[libRequestEncoder.so]0x4196b JNIEnv->CallObjectMethodV(android.content.pm.Signature@2d9d4f9d, toChars() => [C@53ca01a2) was called from RX@0x40041f6d[libRequestEncoder.so]0x41f6d JNIEnv->GetArrayLength([C@53ca01a2 => 830) was called from RX@0x40041991[libRequestEncoder.so]0x41991 Result: null
Process finished with exit code 0

根据文章创建Chararray了吗
创建了的

package com.github.unidbg.linux.android.dvm.array;

import com.github.unidbg.Emulator;
import com.github.unidbg.linux.android.dvm.VM;
import com.github.unidbg.pointer.UnidbgPointer;
import com.sun.jna.Pointer;
import org.apache.commons.codec.binary.Hex;

public class CharArray extends BaseArray<char[]> implements PrimitiveArray<char[]> {

    public CharArray(VM vm, char[] value) {
        super(vm.resolveClass("[C"), value);
    }

    @Override
    public int length() {
        return value.length;
    }

    public void setValue(char[] value) {
        super.value = value;
    }

    @Override
    public void setData(int start, char[] data) {
        System.arraycopy(data, 0, value, start, data.length);
    }

    @Override
    public UnidbgPointer _GetArrayCritical(Emulator<?> emulator, Pointer isCopy) {
        if (isCopy != null) {
            isCopy.setInt(0, VM.JNI_TRUE);
        }
        try {
            UnidbgPointer pointer = this.allocateMemoryBlock(emulator, value.length * 2); // 字符占用 2 字节
            pointer.write(0, value, 0, value.length * 2); // 每个字符写入 2 字节
            return pointer;
        } catch (Exception e) {
            e.printStackTrace();
            return null; // 处理异常,返回 null
        }
    }

    @Override
    public void _ReleaseArrayCritical(Pointer elems, int mode) {
        try {
            switch (mode) {
                case VM.JNI_COMMIT:
                    this.setValue(elems.getCharArray(0, this.value.length));
                    break;
                case 0:
                    this.setValue(elems.getCharArray(0, this.value.length));
                case VM.JNI_ABORT:
                    this.freeMemoryBlock(elems);
                    break;
            }
        } catch (Exception e) {
            e.printStackTrace(); // 捕获异常并输出
        }
    }

    @Override
    public String toString() {
        if (value != null && value.length <= 64) {
            return new String(value); // 直接返回字符串表示
        } else {
            return super.toString();
        }
    }

}

@lpy30m
Copy link

lpy30m commented Oct 13, 2024 

import com.github.unidbg.Module;
import com.github.unidbg.arm.backend.Unicorn2Factory;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidResolver;

import com.github.unidbg.linux.android.dvm.*;
import com.github.unidbg.linux.android.dvm.array.CharArray;
import com.github.unidbg.memory.Memory;
import net.dongliu.apk.parser.bean.CertificateMeta;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import java.io.File;
import java.io.IOException;


public class Main extends AbstractJni {
    private static final Logger log = LoggerFactory.getLogger(Main.class);
    private final AndroidEmulator emulator;
    private final VM vm;
    private final Module module;

    public DvmClass EClass;
    public String apkPath = "F:\\unidbg-master\\apks\\小猿口算.apk";

    Main() {
        emulator = AndroidEmulatorBuilder.for32Bit()
                .setProcessName("com.fenbi.android.leo")
                .addBackendFactory(new Unicorn2Factory(true))
                .build(); // 创建模拟器实例,要模拟32位或者64位,在这里区分
        final Memory memory = emulator.getMemory();
        memory.setLibraryResolver(new AndroidResolver(23));
        vm = emulator.createDalvikVM(new File(apkPath));

        vm.setVerbose(true);
        DalvikModule dm = vm.loadLibrary(new File("F:\\unidbg-master\\apks\\libRequestEncoder.so"), true);

        vm.setJni(this);
        module = dm.getModule();
        dm.callJNI_OnLoad(emulator);

        EClass = vm.resolveClass("com/fenbi/android/leo/utils/e");

    }

    public static void main(String[] args) {
        Main main = new Main();
        main.call_zcvsd1wr2t();
        main.destroy();
    }

    public void call_zcvsd1wr2t() {
        String methodId = "zcvsd1wr2t(Ljava/lang/String;Ljava/lang/String;I)Ljava/lang/String;";
        StringObject result = EClass.callStaticJniMethodObject(
                emulator, methodId,
                new StringObject(vm, "/leo-gateway/android/auth/password"),
//                new StringObject(vm, ""),
                new StringObject(vm, "wdi4n2t8edr"),
//                new StringObject(vm, ""),
                0
        );
        System.out.println("Result: " + result);
    }


    @Override
    public int getStaticIntField(BaseVM vm, DvmClass dvmClass, String signature) {
        return 25;
    }


    @Override
    public DvmObject<?> callStaticObjectMethodV(BaseVM vm, DvmClass dvmClass, String signature, VaList vaList) {
        switch (signature) {
            case "com/fenbi/android/leo/activity/HomeActivity->b()Landroid/app/Application;":
                return vm.resolveClass("android/app/Application").newObject(null);
        }
        System.out.println("callStaticObjectMethodV: " + signature);
        return super.callStaticObjectMethodV(vm, dvmClass, signature, vaList);
    }

    @Override
    public DvmObject<?> callObjectMethodV(BaseVM vm, DvmObject<?> dvmObject, String signature, VaList vaList) {
        switch (signature) {
            case "android/app/Application->getBaseContext()Landroid/content/Context;": {
                return vm.resolveClass("android/app/ContextImpl").newObject(null);
            }
            case "android/app/ContextImpl->getPackageName()Ljava/lang/String;": {
                return new StringObject(vm, "com.fenbi.android.leo");
            }


            case "android/content/pm/Signature->toChars()[C": {
                CertificateMeta certificateMeta = (CertificateMeta) dvmObject.getValue();

                byte[] bytes = certificateMeta.getData();
                char[] chars = new char[bytes.length];
                for (int i = 0; i < bytes.length; i++) {
                    chars[i] = (char) bytes[i];
                }
                return new CharArray(vm, chars);
            }
        }
        return super.callObjectMethodV(vm, dvmObject, signature, vaList);
    }

    ;

    private void destroy() {
        try {
            emulator.close();
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}

我补的哪个地方有问题,返回结果为null
D:\Java\jdk-22\bin\java.exe "-javaagent:D:\JetBrains\IntelliJ IDEA 2024.1.2\lib\idea_rt.jar=23287:D:\JetBrains\IntelliJ IDEA 2024.1.2\bin" -Dfile.encoding=UTF-8 -Dsun.stdout.encoding=UTF-8 -Dsun.stderr.encoding=UTF-8 -classpath F:\unidbg-master\unidbg-android\target\classes;F:\unidbg-master\unidbg-api\target\classes;C:\Users\Administrator.m2\repository\com\github\zhkl0228\unicorn\1.0.14\unicorn-1.0.14.jar;C:\Users\Administrator.m2\repository\org\scijava\native-lib-loader\2.3.5\native-lib-loader-2.3.5.jar;C:\Users\Administrator.m2\repository\com\github\zhkl0228\capstone\3.1.8\capstone-3.1.8.jar;C:\Users\Administrator.m2\repository\net\java\dev\jna\jna\5.10.0\jna-5.10.0.jar;C:\Users\Administrator.m2\repository\com\github\zhkl0228\keystone\0.9.7\keystone-0.9.7.jar;C:\Users\Administrator.m2\repository\commons-codec\commons-codec\1.15\commons-codec-1.15.jar;C:\Users\Administrator.m2\repository\org\apache\commons\commons-collections4\4.4\commons-collections4-4.4.jar;C:\Users\Administrator.m2\repository\commons-io\commons-io\2.11.0\commons-io-2.11.0.jar;C:\Users\Administrator.m2\repository\commons-logging\commons-logging\1.2\commons-logging-1.2.jar;C:\Users\Administrator.m2\repository\com\alibaba\fastjson\1.2.83\fastjson-1.2.83.jar;C:\Users\Administrator.m2\repository\com\github\zhkl0228\demumble\1.0.4\demumble-1.0.4.jar;C:\Users\Administrator.m2\repository\net\dongliu\apk-parser\2.6.10\apk-parser-2.6.10.jar;F:\unidbg-master\backend\unicorn2\target\classes;C:\Users\Administrator.m2\repository\org\slf4j\slf4j-api\2.0.5\slf4j-api-2.0.5.jar Main SLF4J: No SLF4J providers were found. SLF4J: Defaulting to no-operation (NOP) logger implementation SLF4J: See https://www.slf4j.org/codes.html#noProviders for further details. JNIEnv->FindClass(com/fenbi/android/leo/utils/e) was called from RX@0x40041b47[libRequestEncoder.so]0x41b47 JNIEnv->RegisterNatives(com/fenbi/android/leo/utils/e, unidbg@0xbffff6d4, 2) was called from RX@0x40041b59[libRequestEncoder.so]0x41b59 RegisterNative(com/fenbi/android/leo/utils/e, zcvsd1wr2t(Ljava/lang/String;Ljava/lang/String;I)Ljava/lang/String;, RX@0x400414e9[libRequestEncoder.so]0x414e9) RegisterNative(com/fenbi/android/leo/utils/e, sdwioxccsd()Ljava/lang/String;, RX@0x40040c6d[libRequestEncoder.so]0x40c6d) Find native function Java_com_fenbi_android_leo_utils_e_zcvsd1wr2t => RX@0x400414e9[libRequestEncoder.so]0x414e9 JNIEnv->GetStringUtfChars("wdi4n2t8edr") was called from RX@0x40041515[libRequestEncoder.so]0x41515 JNIEnv->ReleaseStringUTFChars("wdi4n2t8edr") was called from RX@0x4004153f[libRequestEncoder.so]0x4153f JNIEnv->GetStringUtfChars("/leo-gateway/android/auth/password") was called from RX@0x4004154f[libRequestEncoder.so]0x4154f JNIEnv->ReleaseStringUTFChars("/leo-gateway/android/auth/password") was called from RX@0x40041579[libRequestEncoder.so]0x41579 JNIEnv->FindClass(android/os/Build$VERSION) was called from RX@0x4004159d[libRequestEncoder.so]0x4159d JNIEnv->GetStaticFieldID(android/os/Build$VERSION.SDK_INTI) => 0x1e4ff4f1 was called from RX@0x400415e7[libRequestEncoder.so]0x415e7 JNIEnv->GetStaticIntField(class android/os/Build$VERSION, SDK_INT => 0x19) was called from RX@0x40041603[libRequestEncoder.so]0x41603 JNIEnv->FindClass(android/app/Application) was called from RX@0x40041e71[libRequestEncoder.so]0x41e71 JNIEnv->FindClass(com/fenbi/android/leo/activity/HomeActivity) was called from RX@0x40041ecd[libRequestEncoder.so]0x41ecd JNIEnv->GetStaticMethodID(com/fenbi/android/leo/activity/HomeActivity.b()Landroid/app/Application;) => 0xeaf0f761 was called from RX@0x40041f11[libRequestEncoder.so]0x41f11 JNIEnv->CallStaticObjectMethodV(class com/fenbi/android/leo/activity/HomeActivity, b() => android.app.Application@631330c) was called from RX@0x40041fb1[libRequestEncoder.so]0x41fb1 JNIEnv->GetMethodID(android/app/Application.getPackageManager()Landroid/content/pm/PackageManager;) => 0x630dae39 was called from RX@0x40041653[libRequestEncoder.so]0x41653 JNIEnv->GetMethodID(android/app/Application.getBaseContext()Landroid/content/Context;) => 0xce15ef92 was called from RX@0x4004169b[libRequestEncoder.so]0x4169b callObjectMethodV: android/app/Application->getPackageManager()Landroid/content/pm/PackageManager; JNIEnv->CallObjectMethodV(android.app.Application@631330c, getPackageManager() => android.content.pm.PackageManager@42f93a98) was called from RX@0x40041f6d[libRequestEncoder.so]0x41f6d JNIEnv->FindClass(android/app/ApplicationPackageManager) was called from RX@0x400416df[libRequestEncoder.so]0x416df JNIEnv->CallObjectMethodV(android.app.Application@631330c, getBaseContext() => android.app.ContextImpl@c46bcd4) was called from RX@0x40041f6d[libRequestEncoder.so]0x41f6d JNIEnv->FindClass(android/app/ContextImpl) was called from RX@0x400417cf[libRequestEncoder.so]0x417cf JNIEnv->GetMethodID(android/content/pm/PackageManager.getPackageInfo(Ljava/lang/String;I)Landroid/content/pm/PackageInfo;) => 0x3bca8377 was called from RX@0x40041831[libRequestEncoder.so]0x41831 JNIEnv->GetMethodID(android/app/ContextImpl.getPackageName()Ljava/lang/String;) => 0xd4c1afb8 was called from RX@0x40041883[libRequestEncoder.so]0x41883 JNIEnv->CallObjectMethodV(android.app.ContextImpl@c46bcd4, getPackageName() => "com.fenbi.android.leo") was called from RX@0x40041f6d[libRequestEncoder.so]0x41f6d callObjectMethodV: android/content/pm/PackageManager->getPackageInfo(Ljava/lang/String;I)Landroid/content/pm/PackageInfo; JNIEnv->CallObjectMethodV(android.content.pm.PackageManager@42f93a98, getPackageInfo("com.fenbi.android.leo", 0x40) => android.content.pm.PackageInfo@fad74ee) was called from RX@0x40041f6d[libRequestEncoder.so]0x41f6d JNIEnv->GetFieldID(android/content/pm/PackageInfo.signatures [Landroid/content/pm/Signature;) => 0x25f17218 was called from RX@0x400418f3[libRequestEncoder.so]0x418f3 JNIEnv->GetObjectField(android.content.pm.PackageInfo@fad74ee, signatures [Landroid/content/pm/Signature; => [android.content.pm.Signature@2d9d4f9d]) was called from RX@0x4004190f[libRequestEncoder.so]0x4190f JNIEnv->GetObjectArrayElement([android.content.pm.Signature@2d9d4f9d], 0) => android.content.pm.Signature@2d9d4f9d was called from RX@0x40041921[libRequestEncoder.so]0x41921 JNIEnv->GetMethodID(android/content/pm/Signature.toChars()[C) => 0xa108b7de was called from RX@0x4004196b[libRequestEncoder.so]0x4196b JNIEnv->CallObjectMethodV(android.content.pm.Signature@2d9d4f9d, toChars() => [C@53ca01a2) was called from RX@0x40041f6d[libRequestEncoder.so]0x41f6d JNIEnv->GetArrayLength([C@53ca01a2 => 830) was called from RX@0x40041991[libRequestEncoder.so]0x41991 Result: null
Process finished with exit code 0

根据文章创建Chararray了吗
创建了的

package com.github.unidbg.linux.android.dvm.array;

import com.github.unidbg.Emulator;
import com.github.unidbg.linux.android.dvm.VM;
import com.github.unidbg.pointer.UnidbgPointer;
import com.sun.jna.Pointer;
import org.apache.commons.codec.binary.Hex;

public class CharArray extends BaseArray<char[]> implements PrimitiveArray<char[]> {

    public CharArray(VM vm, char[] value) {
        super(vm.resolveClass("[C"), value);
    }

    @Override
    public int length() {
        return value.length;
    }

    public void setValue(char[] value) {
        super.value = value;
    }

    @Override
    public void setData(int start, char[] data) {
        System.arraycopy(data, 0, value, start, data.length);
    }

    @Override
    public UnidbgPointer _GetArrayCritical(Emulator<?> emulator, Pointer isCopy) {
        if (isCopy != null) {
            isCopy.setInt(0, VM.JNI_TRUE);
        }
        try {
            UnidbgPointer pointer = this.allocateMemoryBlock(emulator, value.length * 2); // 字符占用 2 字节
            pointer.write(0, value, 0, value.length * 2); // 每个字符写入 2 字节
            return pointer;
        } catch (Exception e) {
            e.printStackTrace();
            return null; // 处理异常,返回 null
        }
    }

    @Override
    public void _ReleaseArrayCritical(Pointer elems, int mode) {
        try {
            switch (mode) {
                case VM.JNI_COMMIT:
                    this.setValue(elems.getCharArray(0, this.value.length));
                    break;
                case 0:
                    this.setValue(elems.getCharArray(0, this.value.length));
                case VM.JNI_ABORT:
                    this.freeMemoryBlock(elems);
                    break;
            }
        } catch (Exception e) {
            e.printStackTrace(); // 捕获异常并输出
        }
    }

    @Override
    public String toString() {
        if (value != null && value.length <= 64) {
            return new String(value); // 直接返回字符串表示
        } else {
            return super.toString();
        }
    }

}

package com.github.unidbg.linux.android.dvm.array;

import com.github.unidbg.Emulator;
import com.github.unidbg.linux.android.dvm.VM;
import com.github.unidbg.pointer.UnidbgPointer;
import com.sun.jna.Pointer;

public class CharArray extends BaseArray<char[]> implements PrimitiveArray<char[]> {

    public CharArray(VM vm, char[] value) {
        super(vm.resolveClass("[C"), value);
    }

    @Override
    public int length() {
        return value.length;
    }

    public void setValue(char[] value) {
        super.value = value;
    }

    @Override
    public void setData(int start, char[] data) {
        System.arraycopy(data, 0, value, start, data.length);
    }

    @Override
    public UnidbgPointer _GetArrayCritical(Emulator<?> emulator, Pointer isCopy) {
        if (isCopy != null) {
            isCopy.setInt(0, VM.JNI_TRUE);
        }
        UnidbgPointer pointer = this.allocateMemoryBlock(emulator, value.length * 4);
        pointer.write(0, value, 0, value.length);
        return pointer;
    }

    @Override
    public void _ReleaseArrayCritical(Pointer elems, int mode) {
        switch (mode) {
            case VM.JNI_COMMIT:
                this.setValue(elems.getCharArray(0, this.value.length));
                break;
            case 0:
                this.setValue(elems.getCharArray(0, this.value.length));
            case VM.JNI_ABORT:
                this.freeMemoryBlock(elems);
                break;
        }
    }
}

@ijmyvm
Copy link

ijmyvm commented Oct 13, 2024 

import com.github.unidbg.Module;
import com.github.unidbg.arm.backend.Unicorn2Factory;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidResolver;

import com.github.unidbg.linux.android.dvm.*;
import com.github.unidbg.linux.android.dvm.array.CharArray;
import com.github.unidbg.memory.Memory;
import net.dongliu.apk.parser.bean.CertificateMeta;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import java.io.File;
import java.io.IOException;


public class Main extends AbstractJni {
    private static final Logger log = LoggerFactory.getLogger(Main.class);
    private final AndroidEmulator emulator;
    private final VM vm;
    private final Module module;

    public DvmClass EClass;
    public String apkPath = "F:\\unidbg-master\\apks\\小猿口算.apk";

    Main() {
        emulator = AndroidEmulatorBuilder.for32Bit()
                .setProcessName("com.fenbi.android.leo")
                .addBackendFactory(new Unicorn2Factory(true))
                .build(); // 创建模拟器实例,要模拟32位或者64位,在这里区分
        final Memory memory = emulator.getMemory();
        memory.setLibraryResolver(new AndroidResolver(23));
        vm = emulator.createDalvikVM(new File(apkPath));

        vm.setVerbose(true);
        DalvikModule dm = vm.loadLibrary(new File("F:\\unidbg-master\\apks\\libRequestEncoder.so"), true);

        vm.setJni(this);
        module = dm.getModule();
        dm.callJNI_OnLoad(emulator);

        EClass = vm.resolveClass("com/fenbi/android/leo/utils/e");

    }

    public static void main(String[] args) {
        Main main = new Main();
        main.call_zcvsd1wr2t();
        main.destroy();
    }

    public void call_zcvsd1wr2t() {
        String methodId = "zcvsd1wr2t(Ljava/lang/String;Ljava/lang/String;I)Ljava/lang/String;";
        StringObject result = EClass.callStaticJniMethodObject(
                emulator, methodId,
                new StringObject(vm, "/leo-gateway/android/auth/password"),
//                new StringObject(vm, ""),
                new StringObject(vm, "wdi4n2t8edr"),
//                new StringObject(vm, ""),
                0
        );
        System.out.println("Result: " + result);
    }


    @Override
    public int getStaticIntField(BaseVM vm, DvmClass dvmClass, String signature) {
        return 25;
    }


    @Override
    public DvmObject<?> callStaticObjectMethodV(BaseVM vm, DvmClass dvmClass, String signature, VaList vaList) {
        switch (signature) {
            case "com/fenbi/android/leo/activity/HomeActivity->b()Landroid/app/Application;":
                return vm.resolveClass("android/app/Application").newObject(null);
        }
        System.out.println("callStaticObjectMethodV: " + signature);
        return super.callStaticObjectMethodV(vm, dvmClass, signature, vaList);
    }

    @Override
    public DvmObject<?> callObjectMethodV(BaseVM vm, DvmObject<?> dvmObject, String signature, VaList vaList) {
        switch (signature) {
            case "android/app/Application->getBaseContext()Landroid/content/Context;": {
                return vm.resolveClass("android/app/ContextImpl").newObject(null);
            }
            case "android/app/ContextImpl->getPackageName()Ljava/lang/String;": {
                return new StringObject(vm, "com.fenbi.android.leo");
            }


            case "android/content/pm/Signature->toChars()[C": {
                CertificateMeta certificateMeta = (CertificateMeta) dvmObject.getValue();

                byte[] bytes = certificateMeta.getData();
                char[] chars = new char[bytes.length];
                for (int i = 0; i < bytes.length; i++) {
                    chars[i] = (char) bytes[i];
                }
                return new CharArray(vm, chars);
            }
        }
        return super.callObjectMethodV(vm, dvmObject, signature, vaList);
    }

    ;

    private void destroy() {
        try {
            emulator.close();
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}

我补的哪个地方有问题,返回结果为null
D:\Java\jdk-22\bin\java.exe "-javaagent:D:\JetBrains\IntelliJ IDEA 2024.1.2\lib\idea_rt.jar=23287:D:\JetBrains\IntelliJ IDEA 2024.1.2\bin" -Dfile.encoding=UTF-8 -Dsun.stdout.encoding=UTF-8 -Dsun.stderr.encoding=UTF-8 -classpath F:\unidbg-master\unidbg-android\target\classes;F:\unidbg-master\unidbg-api\target\classes;C:\Users\Administrator.m2\repository\com\github\zhkl0228\unicorn\1.0.14\unicorn-1.0.14.jar;C:\Users\Administrator.m2\repository\org\scijava\native-lib-loader\2.3.5\native-lib-loader-2.3.5.jar;C:\Users\Administrator.m2\repository\com\github\zhkl0228\capstone\3.1.8\capstone-3.1.8.jar;C:\Users\Administrator.m2\repository\net\java\dev\jna\jna\5.10.0\jna-5.10.0.jar;C:\Users\Administrator.m2\repository\com\github\zhkl0228\keystone\0.9.7\keystone-0.9.7.jar;C:\Users\Administrator.m2\repository\commons-codec\commons-codec\1.15\commons-codec-1.15.jar;C:\Users\Administrator.m2\repository\org\apache\commons\commons-collections4\4.4\commons-collections4-4.4.jar;C:\Users\Administrator.m2\repository\commons-io\commons-io\2.11.0\commons-io-2.11.0.jar;C:\Users\Administrator.m2\repository\commons-logging\commons-logging\1.2\commons-logging-1.2.jar;C:\Users\Administrator.m2\repository\com\alibaba\fastjson\1.2.83\fastjson-1.2.83.jar;C:\Users\Administrator.m2\repository\com\github\zhkl0228\demumble\1.0.4\demumble-1.0.4.jar;C:\Users\Administrator.m2\repository\net\dongliu\apk-parser\2.6.10\apk-parser-2.6.10.jar;F:\unidbg-master\backend\unicorn2\target\classes;C:\Users\Administrator.m2\repository\org\slf4j\slf4j-api\2.0.5\slf4j-api-2.0.5.jar Main SLF4J: No SLF4J providers were found. SLF4J: Defaulting to no-operation (NOP) logger implementation SLF4J: See https://www.slf4j.org/codes.html#noProviders for further details. JNIEnv->FindClass(com/fenbi/android/leo/utils/e) was called from RX@0x40041b47[libRequestEncoder.so]0x41b47 JNIEnv->RegisterNatives(com/fenbi/android/leo/utils/e, unidbg@0xbffff6d4, 2) was called from RX@0x40041b59[libRequestEncoder.so]0x41b59 RegisterNative(com/fenbi/android/leo/utils/e, zcvsd1wr2t(Ljava/lang/String;Ljava/lang/String;I)Ljava/lang/String;, RX@0x400414e9[libRequestEncoder.so]0x414e9) RegisterNative(com/fenbi/android/leo/utils/e, sdwioxccsd()Ljava/lang/String;, RX@0x40040c6d[libRequestEncoder.so]0x40c6d) Find native function Java_com_fenbi_android_leo_utils_e_zcvsd1wr2t => RX@0x400414e9[libRequestEncoder.so]0x414e9 JNIEnv->GetStringUtfChars("wdi4n2t8edr") was called from RX@0x40041515[libRequestEncoder.so]0x41515 JNIEnv->ReleaseStringUTFChars("wdi4n2t8edr") was called from RX@0x4004153f[libRequestEncoder.so]0x4153f JNIEnv->GetStringUtfChars("/leo-gateway/android/auth/password") was called from RX@0x4004154f[libRequestEncoder.so]0x4154f JNIEnv->ReleaseStringUTFChars("/leo-gateway/android/auth/password") was called from RX@0x40041579[libRequestEncoder.so]0x41579 JNIEnv->FindClass(android/os/Build$VERSION) was called from RX@0x4004159d[libRequestEncoder.so]0x4159d JNIEnv->GetStaticFieldID(android/os/Build$VERSION.SDK_INTI) => 0x1e4ff4f1 was called from RX@0x400415e7[libRequestEncoder.so]0x415e7 JNIEnv->GetStaticIntField(class android/os/Build$VERSION, SDK_INT => 0x19) was called from RX@0x40041603[libRequestEncoder.so]0x41603 JNIEnv->FindClass(android/app/Application) was called from RX@0x40041e71[libRequestEncoder.so]0x41e71 JNIEnv->FindClass(com/fenbi/android/leo/activity/HomeActivity) was called from RX@0x40041ecd[libRequestEncoder.so]0x41ecd JNIEnv->GetStaticMethodID(com/fenbi/android/leo/activity/HomeActivity.b()Landroid/app/Application;) => 0xeaf0f761 was called from RX@0x40041f11[libRequestEncoder.so]0x41f11 JNIEnv->CallStaticObjectMethodV(class com/fenbi/android/leo/activity/HomeActivity, b() => android.app.Application@631330c) was called from RX@0x40041fb1[libRequestEncoder.so]0x41fb1 JNIEnv->GetMethodID(android/app/Application.getPackageManager()Landroid/content/pm/PackageManager;) => 0x630dae39 was called from RX@0x40041653[libRequestEncoder.so]0x41653 JNIEnv->GetMethodID(android/app/Application.getBaseContext()Landroid/content/Context;) => 0xce15ef92 was called from RX@0x4004169b[libRequestEncoder.so]0x4169b callObjectMethodV: android/app/Application->getPackageManager()Landroid/content/pm/PackageManager; JNIEnv->CallObjectMethodV(android.app.Application@631330c, getPackageManager() => android.content.pm.PackageManager@42f93a98) was called from RX@0x40041f6d[libRequestEncoder.so]0x41f6d JNIEnv->FindClass(android/app/ApplicationPackageManager) was called from RX@0x400416df[libRequestEncoder.so]0x416df JNIEnv->CallObjectMethodV(android.app.Application@631330c, getBaseContext() => android.app.ContextImpl@c46bcd4) was called from RX@0x40041f6d[libRequestEncoder.so]0x41f6d JNIEnv->FindClass(android/app/ContextImpl) was called from RX@0x400417cf[libRequestEncoder.so]0x417cf JNIEnv->GetMethodID(android/content/pm/PackageManager.getPackageInfo(Ljava/lang/String;I)Landroid/content/pm/PackageInfo;) => 0x3bca8377 was called from RX@0x40041831[libRequestEncoder.so]0x41831 JNIEnv->GetMethodID(android/app/ContextImpl.getPackageName()Ljava/lang/String;) => 0xd4c1afb8 was called from RX@0x40041883[libRequestEncoder.so]0x41883 JNIEnv->CallObjectMethodV(android.app.ContextImpl@c46bcd4, getPackageName() => "com.fenbi.android.leo") was called from RX@0x40041f6d[libRequestEncoder.so]0x41f6d callObjectMethodV: android/content/pm/PackageManager->getPackageInfo(Ljava/lang/String;I)Landroid/content/pm/PackageInfo; JNIEnv->CallObjectMethodV(android.content.pm.PackageManager@42f93a98, getPackageInfo("com.fenbi.android.leo", 0x40) => android.content.pm.PackageInfo@fad74ee) was called from RX@0x40041f6d[libRequestEncoder.so]0x41f6d JNIEnv->GetFieldID(android/content/pm/PackageInfo.signatures [Landroid/content/pm/Signature;) => 0x25f17218 was called from RX@0x400418f3[libRequestEncoder.so]0x418f3 JNIEnv->GetObjectField(android.content.pm.PackageInfo@fad74ee, signatures [Landroid/content/pm/Signature; => [android.content.pm.Signature@2d9d4f9d]) was called from RX@0x4004190f[libRequestEncoder.so]0x4190f JNIEnv->GetObjectArrayElement([android.content.pm.Signature@2d9d4f9d], 0) => android.content.pm.Signature@2d9d4f9d was called from RX@0x40041921[libRequestEncoder.so]0x41921 JNIEnv->GetMethodID(android/content/pm/Signature.toChars()[C) => 0xa108b7de was called from RX@0x4004196b[libRequestEncoder.so]0x4196b JNIEnv->CallObjectMethodV(android.content.pm.Signature@2d9d4f9d, toChars() => [C@53ca01a2) was called from RX@0x40041f6d[libRequestEncoder.so]0x41f6d JNIEnv->GetArrayLength([C@53ca01a2 => 830) was called from RX@0x40041991[libRequestEncoder.so]0x41991 Result: null
Process finished with exit code 0

根据文章创建Chararray了吗
创建了的

package com.github.unidbg.linux.android.dvm.array;

import com.github.unidbg.Emulator;
import com.github.unidbg.linux.android.dvm.VM;
import com.github.unidbg.pointer.UnidbgPointer;
import com.sun.jna.Pointer;
import org.apache.commons.codec.binary.Hex;

public class CharArray extends BaseArray<char[]> implements PrimitiveArray<char[]> {

    public CharArray(VM vm, char[] value) {
        super(vm.resolveClass("[C"), value);
    }

    @Override
    public int length() {
        return value.length;
    }

    public void setValue(char[] value) {
        super.value = value;
    }

    @Override
    public void setData(int start, char[] data) {
        System.arraycopy(data, 0, value, start, data.length);
    }

    @Override
    public UnidbgPointer _GetArrayCritical(Emulator<?> emulator, Pointer isCopy) {
        if (isCopy != null) {
            isCopy.setInt(0, VM.JNI_TRUE);
        }
        try {
            UnidbgPointer pointer = this.allocateMemoryBlock(emulator, value.length * 2); // 字符占用 2 字节
            pointer.write(0, value, 0, value.length * 2); // 每个字符写入 2 字节
            return pointer;
        } catch (Exception e) {
            e.printStackTrace();
            return null; // 处理异常,返回 null
        }
    }

    @Override
    public void _ReleaseArrayCritical(Pointer elems, int mode) {
        try {
            switch (mode) {
                case VM.JNI_COMMIT:
                    this.setValue(elems.getCharArray(0, this.value.length));
                    break;
                case 0:
                    this.setValue(elems.getCharArray(0, this.value.length));
                case VM.JNI_ABORT:
                    this.freeMemoryBlock(elems);
                    break;
            }
        } catch (Exception e) {
            e.printStackTrace(); // 捕获异常并输出
        }
    }

    @Override
    public String toString() {
        if (value != null && value.length <= 64) {
            return new String(value); // 直接返回字符串表示
        } else {
            return super.toString();
        }
    }

}

package com.github.unidbg.linux.android.dvm.array;

import com.github.unidbg.Emulator;
import com.github.unidbg.linux.android.dvm.VM;
import com.github.unidbg.pointer.UnidbgPointer;
import com.sun.jna.Pointer;

public class CharArray extends BaseArray<char[]> implements PrimitiveArray<char[]> {

    public CharArray(VM vm, char[] value) {
        super(vm.resolveClass("[C"), value);
    }

    @Override
    public int length() {
        return value.length;
    }

    public void setValue(char[] value) {
        super.value = value;
    }

    @Override
    public void setData(int start, char[] data) {
        System.arraycopy(data, 0, value, start, data.length);
    }

    @Override
    public UnidbgPointer _GetArrayCritical(Emulator<?> emulator, Pointer isCopy) {
        if (isCopy != null) {
            isCopy.setInt(0, VM.JNI_TRUE);
        }
        UnidbgPointer pointer = this.allocateMemoryBlock(emulator, value.length * 4);
        pointer.write(0, value, 0, value.length);
        return pointer;
    }

    @Override
    public void _ReleaseArrayCritical(Pointer elems, int mode) {
        switch (mode) {
            case VM.JNI_COMMIT:
                this.setValue(elems.getCharArray(0, this.value.length));
                break;
            case 0:
                this.setValue(elems.getCharArray(0, this.value.length));
            case VM.JNI_ABORT:
                this.freeMemoryBlock(elems);
                break;
        }
    }
}

不好意思,我复制您的代码依然不起作用

@lpy30m
Copy link

lpy30m commented Oct 13, 2024 

import com.github.unidbg.Module;
import com.github.unidbg.arm.backend.Unicorn2Factory;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidResolver;

import com.github.unidbg.linux.android.dvm.*;
import com.github.unidbg.linux.android.dvm.array.CharArray;
import com.github.unidbg.memory.Memory;
import net.dongliu.apk.parser.bean.CertificateMeta;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import java.io.File;
import java.io.IOException;


public class Main extends AbstractJni {
    private static final Logger log = LoggerFactory.getLogger(Main.class);
    private final AndroidEmulator emulator;
    private final VM vm;
    private final Module module;

    public DvmClass EClass;
    public String apkPath = "F:\\unidbg-master\\apks\\小猿口算.apk";

    Main() {
        emulator = AndroidEmulatorBuilder.for32Bit()
                .setProcessName("com.fenbi.android.leo")
                .addBackendFactory(new Unicorn2Factory(true))
                .build(); // 创建模拟器实例,要模拟32位或者64位,在这里区分
        final Memory memory = emulator.getMemory();
        memory.setLibraryResolver(new AndroidResolver(23));
        vm = emulator.createDalvikVM(new File(apkPath));

        vm.setVerbose(true);
        DalvikModule dm = vm.loadLibrary(new File("F:\\unidbg-master\\apks\\libRequestEncoder.so"), true);

        vm.setJni(this);
        module = dm.getModule();
        dm.callJNI_OnLoad(emulator);

        EClass = vm.resolveClass("com/fenbi/android/leo/utils/e");

    }

    public static void main(String[] args) {
        Main main = new Main();
        main.call_zcvsd1wr2t();
        main.destroy();
    }

    public void call_zcvsd1wr2t() {
        String methodId = "zcvsd1wr2t(Ljava/lang/String;Ljava/lang/String;I)Ljava/lang/String;";
        StringObject result = EClass.callStaticJniMethodObject(
                emulator, methodId,
                new StringObject(vm, "/leo-gateway/android/auth/password"),
//                new StringObject(vm, ""),
                new StringObject(vm, "wdi4n2t8edr"),
//                new StringObject(vm, ""),
                0
        );
        System.out.println("Result: " + result);
    }


    @Override
    public int getStaticIntField(BaseVM vm, DvmClass dvmClass, String signature) {
        return 25;
    }


    @Override
    public DvmObject<?> callStaticObjectMethodV(BaseVM vm, DvmClass dvmClass, String signature, VaList vaList) {
        switch (signature) {
            case "com/fenbi/android/leo/activity/HomeActivity->b()Landroid/app/Application;":
                return vm.resolveClass("android/app/Application").newObject(null);
        }
        System.out.println("callStaticObjectMethodV: " + signature);
        return super.callStaticObjectMethodV(vm, dvmClass, signature, vaList);
    }

    @Override
    public DvmObject<?> callObjectMethodV(BaseVM vm, DvmObject<?> dvmObject, String signature, VaList vaList) {
        switch (signature) {
            case "android/app/Application->getBaseContext()Landroid/content/Context;": {
                return vm.resolveClass("android/app/ContextImpl").newObject(null);
            }
            case "android/app/ContextImpl->getPackageName()Ljava/lang/String;": {
                return new StringObject(vm, "com.fenbi.android.leo");
            }


            case "android/content/pm/Signature->toChars()[C": {
                CertificateMeta certificateMeta = (CertificateMeta) dvmObject.getValue();

                byte[] bytes = certificateMeta.getData();
                char[] chars = new char[bytes.length];
                for (int i = 0; i < bytes.length; i++) {
                    chars[i] = (char) bytes[i];
                }
                return new CharArray(vm, chars);
            }
        }
        return super.callObjectMethodV(vm, dvmObject, signature, vaList);
    }

    ;

    private void destroy() {
        try {
            emulator.close();
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}

我补的哪个地方有问题,返回结果为null
D:\Java\jdk-22\bin\java.exe "-javaagent:D:\JetBrains\IntelliJ IDEA 2024.1.2\lib\idea_rt.jar=23287:D:\JetBrains\IntelliJ IDEA 2024.1.2\bin" -Dfile.encoding=UTF-8 -Dsun.stdout.encoding=UTF-8 -Dsun.stderr.encoding=UTF-8 -classpath F:\unidbg-master\unidbg-android\target\classes;F:\unidbg-master\unidbg-api\target\classes;C:\Users\Administrator.m2\repository\com\github\zhkl0228\unicorn\1.0.14\unicorn-1.0.14.jar;C:\Users\Administrator.m2\repository\org\scijava\native-lib-loader\2.3.5\native-lib-loader-2.3.5.jar;C:\Users\Administrator.m2\repository\com\github\zhkl0228\capstone\3.1.8\capstone-3.1.8.jar;C:\Users\Administrator.m2\repository\net\java\dev\jna\jna\5.10.0\jna-5.10.0.jar;C:\Users\Administrator.m2\repository\com\github\zhkl0228\keystone\0.9.7\keystone-0.9.7.jar;C:\Users\Administrator.m2\repository\commons-codec\commons-codec\1.15\commons-codec-1.15.jar;C:\Users\Administrator.m2\repository\org\apache\commons\commons-collections4\4.4\commons-collections4-4.4.jar;C:\Users\Administrator.m2\repository\commons-io\commons-io\2.11.0\commons-io-2.11.0.jar;C:\Users\Administrator.m2\repository\commons-logging\commons-logging\1.2\commons-logging-1.2.jar;C:\Users\Administrator.m2\repository\com\alibaba\fastjson\1.2.83\fastjson-1.2.83.jar;C:\Users\Administrator.m2\repository\com\github\zhkl0228\demumble\1.0.4\demumble-1.0.4.jar;C:\Users\Administrator.m2\repository\net\dongliu\apk-parser\2.6.10\apk-parser-2.6.10.jar;F:\unidbg-master\backend\unicorn2\target\classes;C:\Users\Administrator.m2\repository\org\slf4j\slf4j-api\2.0.5\slf4j-api-2.0.5.jar Main SLF4J: No SLF4J providers were found. SLF4J: Defaulting to no-operation (NOP) logger implementation SLF4J: See https://www.slf4j.org/codes.html#noProviders for further details. JNIEnv->FindClass(com/fenbi/android/leo/utils/e) was called from RX@0x40041b47[libRequestEncoder.so]0x41b47 JNIEnv->RegisterNatives(com/fenbi/android/leo/utils/e, unidbg@0xbffff6d4, 2) was called from RX@0x40041b59[libRequestEncoder.so]0x41b59 RegisterNative(com/fenbi/android/leo/utils/e, zcvsd1wr2t(Ljava/lang/String;Ljava/lang/String;I)Ljava/lang/String;, RX@0x400414e9[libRequestEncoder.so]0x414e9) RegisterNative(com/fenbi/android/leo/utils/e, sdwioxccsd()Ljava/lang/String;, RX@0x40040c6d[libRequestEncoder.so]0x40c6d) Find native function Java_com_fenbi_android_leo_utils_e_zcvsd1wr2t => RX@0x400414e9[libRequestEncoder.so]0x414e9 JNIEnv->GetStringUtfChars("wdi4n2t8edr") was called from RX@0x40041515[libRequestEncoder.so]0x41515 JNIEnv->ReleaseStringUTFChars("wdi4n2t8edr") was called from RX@0x4004153f[libRequestEncoder.so]0x4153f JNIEnv->GetStringUtfChars("/leo-gateway/android/auth/password") was called from RX@0x4004154f[libRequestEncoder.so]0x4154f JNIEnv->ReleaseStringUTFChars("/leo-gateway/android/auth/password") was called from RX@0x40041579[libRequestEncoder.so]0x41579 JNIEnv->FindClass(android/os/Build$VERSION) was called from RX@0x4004159d[libRequestEncoder.so]0x4159d JNIEnv->GetStaticFieldID(android/os/Build$VERSION.SDK_INTI) => 0x1e4ff4f1 was called from RX@0x400415e7[libRequestEncoder.so]0x415e7 JNIEnv->GetStaticIntField(class android/os/Build$VERSION, SDK_INT => 0x19) was called from RX@0x40041603[libRequestEncoder.so]0x41603 JNIEnv->FindClass(android/app/Application) was called from RX@0x40041e71[libRequestEncoder.so]0x41e71 JNIEnv->FindClass(com/fenbi/android/leo/activity/HomeActivity) was called from RX@0x40041ecd[libRequestEncoder.so]0x41ecd JNIEnv->GetStaticMethodID(com/fenbi/android/leo/activity/HomeActivity.b()Landroid/app/Application;) => 0xeaf0f761 was called from RX@0x40041f11[libRequestEncoder.so]0x41f11 JNIEnv->CallStaticObjectMethodV(class com/fenbi/android/leo/activity/HomeActivity, b() => android.app.Application@631330c) was called from RX@0x40041fb1[libRequestEncoder.so]0x41fb1 JNIEnv->GetMethodID(android/app/Application.getPackageManager()Landroid/content/pm/PackageManager;) => 0x630dae39 was called from RX@0x40041653[libRequestEncoder.so]0x41653 JNIEnv->GetMethodID(android/app/Application.getBaseContext()Landroid/content/Context;) => 0xce15ef92 was called from RX@0x4004169b[libRequestEncoder.so]0x4169b callObjectMethodV: android/app/Application->getPackageManager()Landroid/content/pm/PackageManager; JNIEnv->CallObjectMethodV(android.app.Application@631330c, getPackageManager() => android.content.pm.PackageManager@42f93a98) was called from RX@0x40041f6d[libRequestEncoder.so]0x41f6d JNIEnv->FindClass(android/app/ApplicationPackageManager) was called from RX@0x400416df[libRequestEncoder.so]0x416df JNIEnv->CallObjectMethodV(android.app.Application@631330c, getBaseContext() => android.app.ContextImpl@c46bcd4) was called from RX@0x40041f6d[libRequestEncoder.so]0x41f6d JNIEnv->FindClass(android/app/ContextImpl) was called from RX@0x400417cf[libRequestEncoder.so]0x417cf JNIEnv->GetMethodID(android/content/pm/PackageManager.getPackageInfo(Ljava/lang/String;I)Landroid/content/pm/PackageInfo;) => 0x3bca8377 was called from RX@0x40041831[libRequestEncoder.so]0x41831 JNIEnv->GetMethodID(android/app/ContextImpl.getPackageName()Ljava/lang/String;) => 0xd4c1afb8 was called from RX@0x40041883[libRequestEncoder.so]0x41883 JNIEnv->CallObjectMethodV(android.app.ContextImpl@c46bcd4, getPackageName() => "com.fenbi.android.leo") was called from RX@0x40041f6d[libRequestEncoder.so]0x41f6d callObjectMethodV: android/content/pm/PackageManager->getPackageInfo(Ljava/lang/String;I)Landroid/content/pm/PackageInfo; JNIEnv->CallObjectMethodV(android.content.pm.PackageManager@42f93a98, getPackageInfo("com.fenbi.android.leo", 0x40) => android.content.pm.PackageInfo@fad74ee) was called from RX@0x40041f6d[libRequestEncoder.so]0x41f6d JNIEnv->GetFieldID(android/content/pm/PackageInfo.signatures [Landroid/content/pm/Signature;) => 0x25f17218 was called from RX@0x400418f3[libRequestEncoder.so]0x418f3 JNIEnv->GetObjectField(android.content.pm.PackageInfo@fad74ee, signatures [Landroid/content/pm/Signature; => [android.content.pm.Signature@2d9d4f9d]) was called from RX@0x4004190f[libRequestEncoder.so]0x4190f JNIEnv->GetObjectArrayElement([android.content.pm.Signature@2d9d4f9d], 0) => android.content.pm.Signature@2d9d4f9d was called from RX@0x40041921[libRequestEncoder.so]0x41921 JNIEnv->GetMethodID(android/content/pm/Signature.toChars()[C) => 0xa108b7de was called from RX@0x4004196b[libRequestEncoder.so]0x4196b JNIEnv->CallObjectMethodV(android.content.pm.Signature@2d9d4f9d, toChars() => [C@53ca01a2) was called from RX@0x40041f6d[libRequestEncoder.so]0x41f6d JNIEnv->GetArrayLength([C@53ca01a2 => 830) was called from RX@0x40041991[libRequestEncoder.so]0x41991 Result: null
Process finished with exit code 0

根据文章创建Chararray了吗
创建了的

package com.github.unidbg.linux.android.dvm.array;

import com.github.unidbg.Emulator;
import com.github.unidbg.linux.android.dvm.VM;
import com.github.unidbg.pointer.UnidbgPointer;
import com.sun.jna.Pointer;
import org.apache.commons.codec.binary.Hex;

public class CharArray extends BaseArray<char[]> implements PrimitiveArray<char[]> {

    public CharArray(VM vm, char[] value) {
        super(vm.resolveClass("[C"), value);
    }

    @Override
    public int length() {
        return value.length;
    }

    public void setValue(char[] value) {
        super.value = value;
    }

    @Override
    public void setData(int start, char[] data) {
        System.arraycopy(data, 0, value, start, data.length);
    }

    @Override
    public UnidbgPointer _GetArrayCritical(Emulator<?> emulator, Pointer isCopy) {
        if (isCopy != null) {
            isCopy.setInt(0, VM.JNI_TRUE);
        }
        try {
            UnidbgPointer pointer = this.allocateMemoryBlock(emulator, value.length * 2); // 字符占用 2 字节
            pointer.write(0, value, 0, value.length * 2); // 每个字符写入 2 字节
            return pointer;
        } catch (Exception e) {
            e.printStackTrace();
            return null; // 处理异常,返回 null
        }
    }

    @Override
    public void _ReleaseArrayCritical(Pointer elems, int mode) {
        try {
            switch (mode) {
                case VM.JNI_COMMIT:
                    this.setValue(elems.getCharArray(0, this.value.length));
                    break;
                case 0:
                    this.setValue(elems.getCharArray(0, this.value.length));
                case VM.JNI_ABORT:
                    this.freeMemoryBlock(elems);
                    break;
            }
        } catch (Exception e) {
            e.printStackTrace(); // 捕获异常并输出
        }
    }

    @Override
    public String toString() {
        if (value != null && value.length <= 64) {
            return new String(value); // 直接返回字符串表示
        } else {
            return super.toString();
        }
    }

}

package com.github.unidbg.linux.android.dvm.array;

import com.github.unidbg.Emulator;
import com.github.unidbg.linux.android.dvm.VM;
import com.github.unidbg.pointer.UnidbgPointer;
import com.sun.jna.Pointer;

public class CharArray extends BaseArray<char[]> implements PrimitiveArray<char[]> {

    public CharArray(VM vm, char[] value) {
        super(vm.resolveClass("[C"), value);
    }

    @Override
    public int length() {
        return value.length;
    }

    public void setValue(char[] value) {
        super.value = value;
    }

    @Override
    public void setData(int start, char[] data) {
        System.arraycopy(data, 0, value, start, data.length);
    }

    @Override
    public UnidbgPointer _GetArrayCritical(Emulator<?> emulator, Pointer isCopy) {
        if (isCopy != null) {
            isCopy.setInt(0, VM.JNI_TRUE);
        }
        UnidbgPointer pointer = this.allocateMemoryBlock(emulator, value.length * 4);
        pointer.write(0, value, 0, value.length);
        return pointer;
    }

    @Override
    public void _ReleaseArrayCritical(Pointer elems, int mode) {
        switch (mode) {
            case VM.JNI_COMMIT:
                this.setValue(elems.getCharArray(0, this.value.length));
                break;
            case 0:
                this.setValue(elems.getCharArray(0, this.value.length));
            case VM.JNI_ABORT:
                this.freeMemoryBlock(elems);
                break;
        }
    }
}

不好意思,我复制您的代码依然不起作用

你可以尝试检验下你的 java层的代码 可能是哪里误写错了

@ijmyvm
Copy link

ijmyvm commented Oct 13, 2024

您使用的是什么版本的小猿口算呢,我复制您写的代码也是一样为null

@lpy30m
Copy link

lpy30m commented Oct 13, 2024

您使用的是什么版本的小猿口算呢,我复制您写的代码也是一样为null

3.84.1

@ijmyvm
Copy link

ijmyvm commented Oct 13, 2024

您使用的是什么版本的小猿口算呢,我复制您写的代码也是一样为null

3.84.1

我用的是最新版本的3.93.4,可能是版本更新的原因

@lpy30m
Copy link

lpy30m commented Oct 13, 2024

您使用的是什么版本的小猿口算呢,我复制您写的代码也是一样为null

3.84.1

我用的是最新版本的3.93.4,可能是版本更新的原因

可以吧so上传网盘发我,我来补一下

@ijmyvm
Copy link

ijmyvm commented Oct 13, 2024

好的,麻烦大佬了
https://pan.baidu.com/s/1Jcq_Z0aspdXBJ5At__yVoQ?pwd=xmru

@dfaofeng
Copy link

好的,麻烦大佬了 https://pan.baidu.com/s/1Jcq_Z0aspdXBJ5At__yVoQ?pwd=xmru

用这个 https://4275.com/ 百度太恶心人了

@ijmyvm
Copy link

ijmyvm commented Oct 13, 2024

好的,麻烦大佬了 https://pan.baidu.com/s/1Jcq_Z0aspdXBJ5At__yVoQ?pwd=xmru

用这个 https://4275.com/ 百度太恶心人了

好的
apk: http://4275.com/qwxa5i
so: http://4275.com/4udir2

@lpy30m
Copy link

lpy30m commented Oct 13, 2024

好的,麻烦大佬了 https://pan.baidu.com/s/1Jcq_Z0aspdXBJ5At__yVoQ?pwd=xmru

image

应该是你代码写错了
我这里还是能跑

package com.xiaoyuan;

import com.github.unidbg.AndroidEmulator;
import com.github.unidbg.Emulator;
import com.github.unidbg.Module;
import com.github.unidbg.debugger.Debugger;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.linux.android.dvm.*;
import com.github.unidbg.linux.android.dvm.array.ArrayObject;
import com.github.unidbg.linux.android.dvm.array.CharArray;
import com.github.unidbg.linux.android.dvm.wrapper.DvmInteger;
import com.github.unidbg.memory.Memory;
import com.sun.jna.Pointer;
import net.dongliu.apk.parser.bean.CertificateMeta;

import java.io.File;
import java.io.IOException;

public class Xiaoyuan extends AbstractJni {
    private final AndroidEmulator emulator;
    private final VM vm;
    private final Module module;

    public DvmClass EClass;
    public String apkPath = "/Users/jiangxia/unidbg/apks/xyks.apk";

    Xiaoyuan() {
        emulator = AndroidEmulatorBuilder.for32Bit().build();
        final Memory memory = emulator.getMemory();
        memory.setLibraryResolver(new AndroidResolver(23));
        vm = emulator.createDalvikVM(new File(apkPath));
        vm.setVerbose(true);
        DalvikModule dm = vm.loadLibrary(new File("/Users/jiangxia/unidbg/apks/libRequestEncoder1.so"), true); // 加载so到虚拟内存
        vm.setJni(this);
        module = dm.getModule();
        dm.callJNI_OnLoad(emulator);
        EClass = vm.resolveClass("com/fenbi/android/leo/utils/e");
        Debugger debugger = emulator.attach();
//        debugger.addBreakPoint(module.base + 0x43434+ 1);
    }

    public void call_zcvsd1wr2t() {
        String methodId = "zcvsd1wr2t(Ljava/lang/String;Ljava/lang/String;I)Ljava/lang/String;";
        EClass.callStaticJniMethodObject(
                emulator, methodId,
                new StringObject(vm, "/leo-gateway/android/auth/password"),
                new StringObject(vm, "wdi4n2t8edr"),
                -28673
        );
    }





    public static void main(String[] args) {
        Xiaoyuan getSign = new Xiaoyuan();
        getSign.call_zcvsd1wr2t();
        getSign.destroy();
    }

    private void destroy() {
        try {
            emulator.close();
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
    @Override
    public int getStaticIntField(BaseVM vm, DvmClass dvmClass, String signature) {
        return 27;
    }

    @Override
    public DvmObject<?> callStaticObjectMethodV(BaseVM vm, DvmClass dvmClass, String signature, VaList vaList) {
        switch (signature) {
            case "com/fenbi/android/leo/activity/HomeActivity->b()Landroid/app/Application;":
                return vm.resolveClass("android/app/Application").newObject(null);
        }
        return super.callStaticObjectMethodV(vm, dvmClass, signature, vaList);
    }
    @Override
    public DvmObject<?> callObjectMethodV(BaseVM vm, DvmObject<?> dvmObject, String signature, VaList vaList) {
        switch (signature) {
            case "android/app/Application->getBaseContext()Landroid/content/Context;":{
                return vm.resolveClass("android/content/Context").newObject(null);
            }
            case "android/content/pm/Signature->toChars()[C":{
                CertificateMeta certificateMeta = (CertificateMeta) dvmObject.getValue();
                byte[] bytes = certificateMeta.getData();
                char[] chars = new char[bytes.length];
                for (int i = 0; i < bytes.length; i++) {
                    chars[i] = (char) bytes[i];
                }
                return new CharArray(vm,chars);
            }
        }
        return super.callObjectMethodV(vm, dvmObject, signature, vaList);
    };

}

@ijmyvm
Copy link

ijmyvm commented Oct 13, 2024

我找到原因了,多谢大佬
因为我的java文件放在了unidbg-android/main/java中
我把它移动到unidbg-android/main/test/java/com/xiaoyuan中跟您保持一致就会提示新的报错

[13:09:22 622]  WARN [com.github.unidbg.linux.ARM32SyscallHandler] (ARM32SyscallHandler:537) - handleInterrupt intno=2, NR=-1073744096, svcNumber=0x1b3, PC=unidbg@0xfffe0bc4, LR=RX@0x400419a3[libRequestEncoder.so]0x419a3, syscall=null
java.lang.AbstractMethodError
	at com.github.unidbg.pointer.UnidbgPointer.write(UnidbgPointer.java:198)
	at com.github.unidbg.linux.android.dvm.array.CharArray._GetArrayCritical(CharArray.java:34)
	at com.github.unidbg.linux.android.dvm.DalvikVM$180.handle(DalvikVM.java:2855)
	at com.github.unidbg.linux.ARM32SyscallHandler.hook(ARM32SyscallHandler.java:133)
	at com.github.unidbg.arm.backend.UnicornBackend$11.hook(UnicornBackend.java:345)
	at unicorn.Unicorn$NewHook.onInterrupt(Unicorn.java:128)
	at unicorn.Unicorn.emu_start(Native Method)
	at com.github.unidbg.arm.backend.UnicornBackend.emu_start(UnicornBackend.java:376)
	at com.github.unidbg.AbstractEmulator.emulate(AbstractEmulator.java:378)
	at com.github.unidbg.thread.Function32.run(Function32.java:39)
	at com.github.unidbg.thread.MainTask.dispatch(MainTask.java:19)
	at com.github.unidbg.thread.UniThreadDispatcher.run(UniThreadDispatcher.java:175)
	at com.github.unidbg.thread.UniThreadDispatcher.runMainForResult(UniThreadDispatcher.java:99)
	at com.github.unidbg.AbstractEmulator.runMainForResult(AbstractEmulator.java:341)
	at com.github.unidbg.arm.AbstractARMEmulator.eFunc(AbstractARMEmulator.java:255)
	at com.github.unidbg.Module.emulateFunction(Module.java:163)
	at com.github.unidbg.linux.android.dvm.DvmObject.callJniMethod(DvmObject.java:135)
	at com.github.unidbg.linux.android.dvm.DvmClass.callStaticJniMethodObject(DvmClass.java:316)
	at com.xiaoyuan.Xiaoyuan.call_zcvsd1wr2t(Xiaoyuan.java:41)
	at com.xiaoyuan.Xiaoyuan.main(Xiaoyuan.java:56)

然后根据报错将write改为

    @Override
    public void write(long offset, char[] buf, int index, int length) {
        for (int i = index; i < length; i++) {
            setChar((i - index) * 4L + offset, buf[i]);
        }
//        throw new AbstractMethodError();
    }

就可以得出运行结果了

JNIEnv->FindClass(com/fenbi/android/leo/utils/e) was called from RX@0x40041b47[libRequestEncoder.so]0x41b47
JNIEnv->RegisterNatives(com/fenbi/android/leo/utils/e, unidbg@0xbffff6e4, 2) was called from RX@0x40041b59[libRequestEncoder.so]0x41b59
RegisterNative(com/fenbi/android/leo/utils/e, zcvsd1wr2t(Ljava/lang/String;Ljava/lang/String;I)Ljava/lang/String;, RX@0x400414e9[libRequestEncoder.so]0x414e9)
RegisterNative(com/fenbi/android/leo/utils/e, sdwioxccsd()Ljava/lang/String;, RX@0x40040c6d[libRequestEncoder.so]0x40c6d)
Find native function Java_com_fenbi_android_leo_utils_e_zcvsd1wr2t => RX@0x400414e9[libRequestEncoder.so]0x414e9
JNIEnv->GetStringUtfChars("wdi4n2t8edr") was called from RX@0x40041515[libRequestEncoder.so]0x41515
JNIEnv->ReleaseStringUTFChars("wdi4n2t8edr") was called from RX@0x4004153f[libRequestEncoder.so]0x4153f
JNIEnv->GetStringUtfChars("/leo-gateway/android/auth/password") was called from RX@0x4004154f[libRequestEncoder.so]0x4154f
JNIEnv->ReleaseStringUTFChars("/leo-gateway/android/auth/password") was called from RX@0x40041579[libRequestEncoder.so]0x41579
JNIEnv->FindClass(android/os/Build$VERSION) was called from RX@0x4004159d[libRequestEncoder.so]0x4159d
JNIEnv->GetStaticFieldID(android/os/Build$VERSION.SDK_INTI) => 0x1e4ff4f1 was called from RX@0x400415e7[libRequestEncoder.so]0x415e7
JNIEnv->GetStaticIntField(class android/os/Build$VERSION, SDK_INT => 0x1b) was called from RX@0x40041603[libRequestEncoder.so]0x41603
JNIEnv->FindClass(android/app/Application) was called from RX@0x40041e71[libRequestEncoder.so]0x41e71
JNIEnv->FindClass(com/fenbi/android/leo/activity/HomeActivity) was called from RX@0x40041ecd[libRequestEncoder.so]0x41ecd
JNIEnv->GetStaticMethodID(com/fenbi/android/leo/activity/HomeActivity.b()Landroid/app/Application;) => 0xeaf0f761 was called from RX@0x40041f11[libRequestEncoder.so]0x41f11
JNIEnv->CallStaticObjectMethodV(class com/fenbi/android/leo/activity/HomeActivity, b() => android.app.Application@18a70f16) was called from RX@0x40041fb1[libRequestEncoder.so]0x41fb1
JNIEnv->GetMethodID(android/app/Application.getPackageManager()Landroid/content/pm/PackageManager;) => 0x630dae39 was called from RX@0x40041653[libRequestEncoder.so]0x41653
JNIEnv->GetMethodID(android/app/Application.getBaseContext()Landroid/content/Context;) => 0xce15ef92 was called from RX@0x4004169b[libRequestEncoder.so]0x4169b
JNIEnv->CallObjectMethodV(android.app.Application@18a70f16, getPackageManager() => android.content.pm.PackageManager@62e136d3) was called from RX@0x40041f6d[libRequestEncoder.so]0x41f6d
JNIEnv->FindClass(android/app/ApplicationPackageManager) was called from RX@0x400416df[libRequestEncoder.so]0x416df
JNIEnv->CallObjectMethodV(android.app.Application@18a70f16, getBaseContext() => android.content.Context@c8e4bb0) was called from RX@0x40041f6d[libRequestEncoder.so]0x41f6d
JNIEnv->FindClass(android/app/ContextImpl) was called from RX@0x400417cf[libRequestEncoder.so]0x417cf
JNIEnv->GetMethodID(android/content/pm/PackageManager.getPackageInfo(Ljava/lang/String;I)Landroid/content/pm/PackageInfo;) => 0x3bca8377 was called from RX@0x40041831[libRequestEncoder.so]0x41831
JNIEnv->GetMethodID(android/content/Context.getPackageName()Ljava/lang/String;) => 0xf6590850 was called from RX@0x40041883[libRequestEncoder.so]0x41883
JNIEnv->CallObjectMethodV(android.content.Context@c8e4bb0, getPackageName() => "com.fenbi.android.leo") was called from RX@0x40041f6d[libRequestEncoder.so]0x41f6d
JNIEnv->CallObjectMethodV(android.content.pm.PackageManager@62e136d3, getPackageInfo("com.fenbi.android.leo", 0x40) => android.content.pm.PackageInfo@14d3bc22) was called from RX@0x40041f6d[libRequestEncoder.so]0x41f6d
JNIEnv->GetFieldID(android/content/pm/PackageInfo.signatures [Landroid/content/pm/Signature;) => 0x25f17218 was called from RX@0x400418f3[libRequestEncoder.so]0x418f3
JNIEnv->GetObjectField(android.content.pm.PackageInfo@14d3bc22, signatures [Landroid/content/pm/Signature; => [android.content.pm.Signature@31c88ec8]) was called from RX@0x4004190f[libRequestEncoder.so]0x4190f
JNIEnv->GetObjectArrayElement([android.content.pm.Signature@31c88ec8], 0) => android.content.pm.Signature@31c88ec8 was called from RX@0x40041921[libRequestEncoder.so]0x41921
JNIEnv->GetMethodID(android/content/pm/Signature.toChars()[C) => 0xa108b7de was called from RX@0x4004196b[libRequestEncoder.so]0x4196b
JNIEnv->CallObjectMethodV(android.content.pm.Signature@31c88ec8, toChars() => [C@3d51f06e) was called from RX@0x40041f6d[libRequestEncoder.so]0x41f6d
JNIEnv->GetArrayLength([C@3d51f06e => 830) was called from RX@0x40041991[libRequestEncoder.so]0x41991
JNIEnv->NewStringUTF("4a1e61de7310f4f36427dc675243d2a2") was called from RX@0x40041a83[libRequestEncoder.so]0x41a83
"4a1e61de7310f4f36427dc675243d2a2"

Process finished with exit code 0

@lpy30m
Copy link

lpy30m commented Oct 13, 2024

我找到原因了,多谢大佬 因为我的java文件放在了unidbg-android/main/java中 我把它移动到unidbg-android/main/test/java/com/xiaoyuan中跟您保持一致就会提示新的报错

[13:09:22 622]  WARN [com.github.unidbg.linux.ARM32SyscallHandler] (ARM32SyscallHandler:537) - handleInterrupt intno=2, NR=-1073744096, svcNumber=0x1b3, PC=unidbg@0xfffe0bc4, LR=RX@0x400419a3[libRequestEncoder.so]0x419a3, syscall=null
java.lang.AbstractMethodError
	at com.github.unidbg.pointer.UnidbgPointer.write(UnidbgPointer.java:198)
	at com.github.unidbg.linux.android.dvm.array.CharArray._GetArrayCritical(CharArray.java:34)
	at com.github.unidbg.linux.android.dvm.DalvikVM$180.handle(DalvikVM.java:2855)
	at com.github.unidbg.linux.ARM32SyscallHandler.hook(ARM32SyscallHandler.java:133)
	at com.github.unidbg.arm.backend.UnicornBackend$11.hook(UnicornBackend.java:345)
	at unicorn.Unicorn$NewHook.onInterrupt(Unicorn.java:128)
	at unicorn.Unicorn.emu_start(Native Method)
	at com.github.unidbg.arm.backend.UnicornBackend.emu_start(UnicornBackend.java:376)
	at com.github.unidbg.AbstractEmulator.emulate(AbstractEmulator.java:378)
	at com.github.unidbg.thread.Function32.run(Function32.java:39)
	at com.github.unidbg.thread.MainTask.dispatch(MainTask.java:19)
	at com.github.unidbg.thread.UniThreadDispatcher.run(UniThreadDispatcher.java:175)
	at com.github.unidbg.thread.UniThreadDispatcher.runMainForResult(UniThreadDispatcher.java:99)
	at com.github.unidbg.AbstractEmulator.runMainForResult(AbstractEmulator.java:341)
	at com.github.unidbg.arm.AbstractARMEmulator.eFunc(AbstractARMEmulator.java:255)
	at com.github.unidbg.Module.emulateFunction(Module.java:163)
	at com.github.unidbg.linux.android.dvm.DvmObject.callJniMethod(DvmObject.java:135)
	at com.github.unidbg.linux.android.dvm.DvmClass.callStaticJniMethodObject(DvmClass.java:316)
	at com.xiaoyuan.Xiaoyuan.call_zcvsd1wr2t(Xiaoyuan.java:41)
	at com.xiaoyuan.Xiaoyuan.main(Xiaoyuan.java:56)

然后根据报错将write改为

    @Override
    public void write(long offset, char[] buf, int index, int length) {
        for (int i = index; i < length; i++) {
            setChar((i - index) * 4L + offset, buf[i]);
        }
//        throw new AbstractMethodError();
    }

就可以得出运行结果了

JNIEnv->FindClass(com/fenbi/android/leo/utils/e) was called from RX@0x40041b47[libRequestEncoder.so]0x41b47
JNIEnv->RegisterNatives(com/fenbi/android/leo/utils/e, unidbg@0xbffff6e4, 2) was called from RX@0x40041b59[libRequestEncoder.so]0x41b59
RegisterNative(com/fenbi/android/leo/utils/e, zcvsd1wr2t(Ljava/lang/String;Ljava/lang/String;I)Ljava/lang/String;, RX@0x400414e9[libRequestEncoder.so]0x414e9)
RegisterNative(com/fenbi/android/leo/utils/e, sdwioxccsd()Ljava/lang/String;, RX@0x40040c6d[libRequestEncoder.so]0x40c6d)
Find native function Java_com_fenbi_android_leo_utils_e_zcvsd1wr2t => RX@0x400414e9[libRequestEncoder.so]0x414e9
JNIEnv->GetStringUtfChars("wdi4n2t8edr") was called from RX@0x40041515[libRequestEncoder.so]0x41515
JNIEnv->ReleaseStringUTFChars("wdi4n2t8edr") was called from RX@0x4004153f[libRequestEncoder.so]0x4153f
JNIEnv->GetStringUtfChars("/leo-gateway/android/auth/password") was called from RX@0x4004154f[libRequestEncoder.so]0x4154f
JNIEnv->ReleaseStringUTFChars("/leo-gateway/android/auth/password") was called from RX@0x40041579[libRequestEncoder.so]0x41579
JNIEnv->FindClass(android/os/Build$VERSION) was called from RX@0x4004159d[libRequestEncoder.so]0x4159d
JNIEnv->GetStaticFieldID(android/os/Build$VERSION.SDK_INTI) => 0x1e4ff4f1 was called from RX@0x400415e7[libRequestEncoder.so]0x415e7
JNIEnv->GetStaticIntField(class android/os/Build$VERSION, SDK_INT => 0x1b) was called from RX@0x40041603[libRequestEncoder.so]0x41603
JNIEnv->FindClass(android/app/Application) was called from RX@0x40041e71[libRequestEncoder.so]0x41e71
JNIEnv->FindClass(com/fenbi/android/leo/activity/HomeActivity) was called from RX@0x40041ecd[libRequestEncoder.so]0x41ecd
JNIEnv->GetStaticMethodID(com/fenbi/android/leo/activity/HomeActivity.b()Landroid/app/Application;) => 0xeaf0f761 was called from RX@0x40041f11[libRequestEncoder.so]0x41f11
JNIEnv->CallStaticObjectMethodV(class com/fenbi/android/leo/activity/HomeActivity, b() => android.app.Application@18a70f16) was called from RX@0x40041fb1[libRequestEncoder.so]0x41fb1
JNIEnv->GetMethodID(android/app/Application.getPackageManager()Landroid/content/pm/PackageManager;) => 0x630dae39 was called from RX@0x40041653[libRequestEncoder.so]0x41653
JNIEnv->GetMethodID(android/app/Application.getBaseContext()Landroid/content/Context;) => 0xce15ef92 was called from RX@0x4004169b[libRequestEncoder.so]0x4169b
JNIEnv->CallObjectMethodV(android.app.Application@18a70f16, getPackageManager() => android.content.pm.PackageManager@62e136d3) was called from RX@0x40041f6d[libRequestEncoder.so]0x41f6d
JNIEnv->FindClass(android/app/ApplicationPackageManager) was called from RX@0x400416df[libRequestEncoder.so]0x416df
JNIEnv->CallObjectMethodV(android.app.Application@18a70f16, getBaseContext() => android.content.Context@c8e4bb0) was called from RX@0x40041f6d[libRequestEncoder.so]0x41f6d
JNIEnv->FindClass(android/app/ContextImpl) was called from RX@0x400417cf[libRequestEncoder.so]0x417cf
JNIEnv->GetMethodID(android/content/pm/PackageManager.getPackageInfo(Ljava/lang/String;I)Landroid/content/pm/PackageInfo;) => 0x3bca8377 was called from RX@0x40041831[libRequestEncoder.so]0x41831
JNIEnv->GetMethodID(android/content/Context.getPackageName()Ljava/lang/String;) => 0xf6590850 was called from RX@0x40041883[libRequestEncoder.so]0x41883
JNIEnv->CallObjectMethodV(android.content.Context@c8e4bb0, getPackageName() => "com.fenbi.android.leo") was called from RX@0x40041f6d[libRequestEncoder.so]0x41f6d
JNIEnv->CallObjectMethodV(android.content.pm.PackageManager@62e136d3, getPackageInfo("com.fenbi.android.leo", 0x40) => android.content.pm.PackageInfo@14d3bc22) was called from RX@0x40041f6d[libRequestEncoder.so]0x41f6d
JNIEnv->GetFieldID(android/content/pm/PackageInfo.signatures [Landroid/content/pm/Signature;) => 0x25f17218 was called from RX@0x400418f3[libRequestEncoder.so]0x418f3
JNIEnv->GetObjectField(android.content.pm.PackageInfo@14d3bc22, signatures [Landroid/content/pm/Signature; => [android.content.pm.Signature@31c88ec8]) was called from RX@0x4004190f[libRequestEncoder.so]0x4190f
JNIEnv->GetObjectArrayElement([android.content.pm.Signature@31c88ec8], 0) => android.content.pm.Signature@31c88ec8 was called from RX@0x40041921[libRequestEncoder.so]0x41921
JNIEnv->GetMethodID(android/content/pm/Signature.toChars()[C) => 0xa108b7de was called from RX@0x4004196b[libRequestEncoder.so]0x4196b
JNIEnv->CallObjectMethodV(android.content.pm.Signature@31c88ec8, toChars() => [C@3d51f06e) was called from RX@0x40041f6d[libRequestEncoder.so]0x41f6d
JNIEnv->GetArrayLength([C@3d51f06e => 830) was called from RX@0x40041991[libRequestEncoder.so]0x41991
JNIEnv->NewStringUTF("4a1e61de7310f4f36427dc675243d2a2") was called from RX@0x40041a83[libRequestEncoder.so]0x41a83
"4a1e61de7310f4f36427dc675243d2a2"

Process finished with exit code 0

只能用于辅助分析算法,如果有技术,您可以尝试搭建服务测试能不能使用,我直接替换sign好想不太行同

@ijmyvm
Copy link

ijmyvm commented Oct 13, 2024

我发现第一个传参为空时,加密后的字符串跟hook结果一致,不为空反而不一致

@lpy30m
Copy link

lpy30m commented Oct 13, 2024

我发现第一个传参为空时,加密后的字符串跟hook结果一致,不为空反而不一致

能给出截图或者一些关键代码吗 第一个参数应该是urlpath吧

@ijmyvm
Copy link

ijmyvm commented Oct 13, 2024

image

@lpy30m
Copy link

lpy30m commented Oct 13, 2024

image

可以多尝试几次 ,每次都是一样的使用可能的,他每次都会变是因为有个时间戳的因素 导致每次生成的结果不是固定的

@dfaofeng
Copy link

你们apk在哪下的?怎么我看库是32位的,我自己下载的是64位的?

@ZQBCWG
Copy link

ZQBCWG commented Oct 13, 2024

你们apk在哪下的?怎么我看库是32位的,我自己下载的是64位的?

https://xiaoyuankousuan.com/

@dfaofeng
Copy link

你们apk在哪下的?怎么我看库是32位的,我自己下载的是64位的?

https://xiaoyuankousuan.com/

image
官方apk只有64位的.

@SleepyAsh0191
Copy link

SleepyAsh0191 commented Oct 14, 2024
edited
Loading 

pcVar22 = (char *)operator_new__(0x20);

这行代码的pcVar22指向的应该就是rc4加密的密匙了,但计算太复杂了,g fun_001eefc.txt

def generate_custom_key():
    T = np.zeros(256, dtype=np.uint8)
    lookup_table1 = [((i * 7 + 13) % 256) for i in range(256)]
    lookup_table2 = [((i * 11 + 29) % 256) for i in range(256)]
    
    for i in range(256):
        value = i
        bit_count = bin(value).count('1')
        temp = ((value << 3) + (value >> 2)) & 0xFF
        temp ^= lookup_table1[i]
        temp = (temp + bit_count * 17) & 0xFF
        temp ^= lookup_table2[(temp + i) % 256]
        T[i] = temp
    
    return T.tolist()

用 python 写的,伪代码读着真累
不确定是否正确,欢迎有志之士测试

@dfaofeng
Copy link

https://github.com/LanBaiCode/xiaoyuan_unidbg 这个issues可以关了,看雪大神出手了 https://bbs.kanxue.com/thread-283960.htm

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests