unidbg随机数因子

ARM64SyscallHandler

原始


// Linux clockid_t values accepted by clock_gettime below. CLOCK_PROCESS_CPUTIME_ID (2) and
// CLOCK_REALTIME_COARSE (5) are not listed, so clock_gettime rejects them.
private static final int CLOCK_REALTIME = 0;
private static final int CLOCK_MONOTONIC = 1;
private static final int CLOCK_THREAD_CPUTIME_ID = 3;
private static final int CLOCK_MONOTONIC_RAW = 4;
private static final int CLOCK_MONOTONIC_COARSE = 6;
private static final int CLOCK_BOOTTIME = 7;

// Monotonic origin captured when this handler is constructed; every non-REALTIME clock is
// reported relative to it, so the emulated process sees "time since the handler was created".
private final long nanoTime = System.nanoTime();

/**
 * Implements the clock_gettime syscall for the emulated process.
 * <p>
 * Reads clk_id from the first register argument (masked to its low three bits) and a
 * struct timespec pointer from the second. CLOCK_REALTIME is derived from the overridable
 * {@code currentTimeMillis()} hook; every other accepted clock reports the nanoseconds
 * elapsed since this handler captured {@code nanoTime} at construction.
 *
 * @param emulator the emulator whose register context holds the syscall arguments
 * @return 0 after writing tv_sec (offset 0) and tv_nsec (offset 8) into the timespec
 * @throws UnsupportedOperationException for a clk_id outside the handled set; when debug
 *         logging is enabled the emulator debugger is attached before throwing
 */
protected int clock_gettime(Emulator<?> emulator) {
    RegisterContext ctx = emulator.getContext();
    // The mask folds ids >= 8 onto 0..7 (e.g. 8 is read as CLOCK_REALTIME) — presumably
    // intended for flag-bearing ids; confirm against callers before relying on it.
    int clockId = ctx.getIntArg(0) & 0x7;
    Pointer timespec = ctx.getPointerArg(1);

    long elapsedNanos;
    if (clockId == CLOCK_REALTIME) {
        // Wall clock in ms scaled to ns; the hook lets a subclass pin or shift it.
        elapsedNanos = currentTimeMillis() * 1000000L;
    } else {
        elapsedNanos = System.nanoTime() - nanoTime;
    }
    long seconds = elapsedNanos / 1000000000L;
    long nanos = elapsedNanos % 1000000000L;
    if (log.isDebugEnabled()) {
        log.debug("clock_gettime clk_id={}, tp={}, offset={}, tv_sec={}, tv_nsec={}", clockId, timespec, elapsedNanos, seconds, nanos);
    }

    boolean recognised;
    switch (clockId) {
        case CLOCK_REALTIME:
        case CLOCK_MONOTONIC:
        case CLOCK_THREAD_CPUTIME_ID:
        case CLOCK_MONOTONIC_RAW:
        case CLOCK_MONOTONIC_COARSE:
        case CLOCK_BOOTTIME:
            recognised = true;
            break;
        default:
            recognised = false;
            break;
    }
    if (recognised) {
        // struct timespec layout: two 8-byte fields, tv_sec followed by tv_nsec.
        timespec.setLong(0, seconds);
        timespec.setLong(8, nanos);
        return 0;
    }

    if (log.isDebugEnabled()) {
        emulator.attach().debug();
    }
    throw new UnsupportedOperationException("clk_id=" + clockId);
}

更改后

 // Linux clockid_t values accepted by clock_gettime below. CLOCK_PROCESS_CPUTIME_ID (2) and
// CLOCK_REALTIME_COARSE (5) are not listed, so clock_gettime rejects them.
 private static final int CLOCK_REALTIME = 0;
private static final int CLOCK_MONOTONIC = 1;
private static final int CLOCK_THREAD_CPUTIME_ID = 3;
private static final int CLOCK_MONOTONIC_RAW = 4;
private static final int CLOCK_MONOTONIC_COARSE = 6;
private static final int CLOCK_BOOTTIME = 7;

// Number of CLOCK_REALTIME / CLOCK_MONOTONIC calls seen so far. clock_gettime increments
// them and uses the count as a 1-based index into list0 / list1. Mutable despite the
// constant-style names.
private int CLOCK_TIMES_0 = 0;
private int CLOCK_TIMES_1 = 0;

// Monotonic origin captured at construction; live non-REALTIME readings are relative to it.
private final long nanoTime = System.nanoTime();

// Recorded CLOCK_REALTIME readings, served as nanoseconds since the Unix epoch (about 0.1 s
// apart) and replayed in order for the first five CLOCK_REALTIME calls. Replaying fixed
// readings removes the time-based variation the emulated code would otherwise observe.
// How they were captured is not shown here.
List<Long> list0 = new ArrayList<Long>() {{
add(1765768512725878000L);
add(1765768512823353000L);
add(1765768512916020000L);
add(1765768513012195000L);
add(1765768513108126000L);
}};
// Recorded CLOCK_MONOTONIC readings (nanoseconds) replayed for the first CLOCK_MONOTONIC
// calls. clock_gettime indexes this list by call number, so the number of replayed reads
// must not exceed its 7 entries. NOTE(review): entries 5 and 6 (…850400232 then
// …850362437) step backwards, so emulated code that assumes a monotonic clock will see a
// negative delta there.
List<Long> list1 = new ArrayList<Long>() {{
add(18136934846099106L);
add(18136934848744287L);
add(18136934849180744L);
add(18136934850204595L);
add(18136934850400232L);
add(18136934850362437L);
add(18136934850687493L);
}};

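/**
 * clock_gettime with replay: the first CLOCK_REALTIME and CLOCK_MONOTONIC reads return the
 * recorded values in {@code list0} / {@code list1}; once a list is exhausted the live clock
 * is used.
 * <p>
 * Replayed values are served verbatim, so the emulated process sees exactly the recorded
 * sequence, including any non-monotonic step it contains. The live value is always computed
 * first — and echoed to stdout — so {@code currentTimeMillis()} runs on every CLOCK_REALTIME
 * call whether or not a recorded value is used.
 * <p>
 * Fix over the previous version: the replay window is bounded by each list's size instead
 * of a hard-coded count. The earlier {@code CLOCK_TIMES_1 <= 10} overran {@code list1},
 * which holds 7 entries, with an IndexOutOfBoundsException on the 8th CLOCK_MONOTONIC call;
 * that call now falls through to the live clock.
 *
 * @param emulator the emulator whose register context holds clk_id and the timespec pointer
 * @return 0 after writing tv_sec (offset 0) and tv_nsec (offset 8) into the timespec
 * @throws UnsupportedOperationException for a clk_id outside the handled set; when debug
 *         logging is enabled the emulator debugger is attached before throwing
 */
protected int clock_gettime(Emulator<?> emulator) {
    RegisterContext context = emulator.getContext();
    // Low three bits only: ids >= 8 alias onto 0..7.
    int clk_id = context.getIntArg(0) & 0x7;
    Pointer tp = context.getPointerArg(1);
    // Live reading; computed before the replay decision so side effects of the
    // currentTimeMillis() hook are unchanged, and printed below for comparison.
    long offset0 = clk_id == CLOCK_REALTIME ? currentTimeMillis() * 1000000L : System.nanoTime() - nanoTime;

    // Per-clock call counters; only the two replayed clocks are counted.
    if (clk_id == CLOCK_REALTIME) {
        CLOCK_TIMES_0 += 1;
    } else if (clk_id == CLOCK_MONOTONIC) {
        CLOCK_TIMES_1 += 1;
    }

    // Replay while a recorded value remains (counter is the 1-based index), else go live.
    long offset;
    if (clk_id == CLOCK_REALTIME && CLOCK_TIMES_0 <= list0.size()) {
        offset = list0.get(CLOCK_TIMES_0 - 1);
    } else if (clk_id == CLOCK_MONOTONIC && CLOCK_TIMES_1 <= list1.size()) {
        offset = list1.get(CLOCK_TIMES_1 - 1);
    } else {
        offset = offset0;
    }

    System.out.println("\n==========> offset0= " + offset0 + "==============\n");

    long tv_sec = offset / 1000000000L;
    long tv_nsec = offset % 1000000000L;
    if (log.isDebugEnabled()) {
        log.debug("clock_gettime clk_id={}, tp={}, offset={}, tv_sec={}, tv_nsec={}", clk_id, tp, offset, tv_sec, tv_nsec);
    }
    switch (clk_id) {
        case CLOCK_REALTIME:
        case CLOCK_MONOTONIC:
        case CLOCK_THREAD_CPUTIME_ID:
        case CLOCK_MONOTONIC_RAW:
        case CLOCK_MONOTONIC_COARSE:
        case CLOCK_BOOTTIME:
            // struct timespec layout: two 8-byte fields, tv_sec followed by tv_nsec.
            tp.setLong(0, tv_sec);
            tp.setLong(8, tv_nsec);
            return 0;
        default:
            break;
    }
    if (log.isDebugEnabled()) {
        emulator.attach().debug();
    }
    throw new UnsupportedOperationException("clk_id=" + clk_id);
}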

UnixSyscallHandler

/**
 * Wall-clock source for CLOCK_REALTIME, pinned to a single instant.
 * <p>
 * Replaces the {@code System.currentTimeMillis()} implementation so the emulated process
 * observes the same wall-clock time on every run; the value is echoed to stdout on each call.
 *
 * @return 1700000000000 ms (2023-11-14T22:13:20Z), on every call
 */
protected long currentTimeMillis() {
    final long pinnedMillis = 1700000000000L;
    System.out.println("固定时间戳:" + pinnedMillis);
    return pinnedMillis;
}

RandomFileIO

package com.github.unidbg.linux.file;

import com.github.unidbg.Emulator;
import com.github.unidbg.arm.backend.Backend;
import com.github.unidbg.file.linux.IOConstants;
import com.sun.jna.Pointer;

import java.util.Arrays;
import java.util.concurrent.ThreadLocalRandom;

/**
 * Read-only device file whose contents are a fixed, repeating byte pattern.
 * <p>
 * Every read is satisfied from {@link #FIXED_RANDOM_BYTES}, so the emulated process never
 * observes real entropy: any key, nonce or IV it derives from this device is identical on
 * every run. No random source is consulted (the {@code ThreadLocalRandom} import at the top
 * of the file is unused by this version). Each read also echoes the served chunk to stdout.
 */
public class RandomFileIO extends DriverFileIO {

    /** The 8-byte pattern served to every read, repeated as often as needed. */
    private static final byte[] FIXED_RANDOM_BYTES = {
        (byte) 0x12, (byte) 0x34, (byte) 0x56, (byte) 0x78,
        (byte) 0x9A, (byte) 0xBC, (byte) 0xDE, (byte) 0xF0
    };

    /**
     * Opens the device read-only.
     *
     * @param emulator owning emulator, passed through to the driver base class
     * @param path     device path being opened, passed through unchanged
     */
    public RandomFileIO(Emulator<?> emulator, String path) {
        super(emulator, IOConstants.O_RDONLY, path);
    }

    /**
     * Renders bytes as lower-case two-digit hex pairs separated by single spaces,
     * e.g. {@code "12 ff 00"}.
     *
     * @param bytes bytes to render; must not be null
     * @return the hex string, empty for an empty array
     */
    public static String toHex(byte[] bytes) {
        StringBuilder out = new StringBuilder(bytes.length * 3);
        for (int i = 0; i < bytes.length; i++) {
            if (i > 0) {
                out.append(' ');
            }
            out.append(String.format("%02x", bytes[i]));
        }
        return out.toString();
    }

    /**
     * Fills {@code count} bytes at {@code buffer} with the fixed pattern.
     * <p>
     * A chunk of at most 0x1000 bytes is generated once and copied repeatedly until
     * {@code count} bytes have been written; the chunk is printed to stdout before copying.
     * A negative {@code count} fails on the chunk allocation (NegativeArraySizeException);
     * a zero count prints an empty chunk and returns 0.
     *
     * @param backend emulator backend; not used by this implementation
     * @param buffer  destination in emulated memory
     * @param count   number of bytes requested
     * @return number of bytes written, always equal to {@code count} for non-negative counts
     */
    @Override
    public int read(Backend backend, Pointer buffer, int count) {
        byte[] chunk = new byte[Math.min(0x1000, count)];
        randBytes(chunk);
        System.out.println("固定随机数:" + toHex(chunk));
        int written = 0;
        while (written < count) {
            int n = Math.min(chunk.length, count - written);
            // Advance by the bytes already written rather than chaining share() calls.
            buffer.share(written).write(0, chunk, 0, n);
            written += n;
        }
        return written;
    }

    /**
     * Overwrites {@code bytes} with the fixed pattern, cycling through
     * {@link #FIXED_RANDOM_BYTES}. Null and empty arrays are left untouched.
     *
     * @param bytes array to fill; may be null
     */
    protected void randBytes(byte[] bytes) {
        if (bytes == null) {
            return;
        }
        int patternLength = FIXED_RANDOM_BYTES.length;
        for (int i = 0; i < bytes.length; i++) {
            bytes[i] = FIXED_RANDOM_BYTES[i % patternLength];
        }
    }

}