unidbg学习笔记

均来自龙哥星球

tenet Trace

龙哥星球学习到的。
unidbg 使用如下:
随便找个目录

package com.tenet;

import com.github.unidbg.Emulator;
import com.github.unidbg.Module;
import com.github.unidbg.arm.backend.*;
import com.github.unidbg.arm.context.RegisterContext;
import unicorn.Arm64Const;

import java.io.PrintStream;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;

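/**
 * Emits a Tenet-style execution trace for one module: one line per executed
 * instruction holding the registers that changed since the previous instruction,
 * the current PC, and any memory reads/writes observed in between.
 *
 * <p>Hooks are registered in the constructor (via {@link #start()}), so the object
 * starts tracing as soon as it is built and emulation continues. Not thread-safe:
 * the hook callbacks share the mutable read/write buffers below.
 */
public class TenetTrace {
    /** Emulator whose backend receives the code/read/write hooks. */
    private final Emulator<?> emulator;
    /** Module whose [base, base+size) range is traced by the instruction hook. */
    private final Module module;
    /** Register view of {@link #emulator}, read once per instruction. */
    private final RegisterContext registerContext;
    /** Trace sink; stderr unless a redirect stream is passed to the constructor. */
    private PrintStream out = System.err;
    // Memory-access fragments (",mr=..." / ",mw=...") collected by the read/write hooks
    // since the previous instruction line; flushed and cleared by the code hook.
    // StringBuilder instead of String += : these run on every memory access of every instruction.
    private final StringBuilder mRead = new StringBuilder();
    private final StringBuilder mWrite = new StringBuilder();

    /**
     * Register name -> unicorn register id. Insertion-ordered so the register
     * list in each trace line comes out in a stable X0..X30,SP order.
     */
    private static final Map<String, Integer> arm64Regs;

    static {
        Map<String, Integer> aMap = new LinkedHashMap<>();
        aMap.put("X0", Arm64Const.UC_ARM64_REG_X0);
        aMap.put("X1", Arm64Const.UC_ARM64_REG_X1);
        aMap.put("X2", Arm64Const.UC_ARM64_REG_X2);
        aMap.put("X3", Arm64Const.UC_ARM64_REG_X3);
        aMap.put("X4", Arm64Const.UC_ARM64_REG_X4);
        aMap.put("X5", Arm64Const.UC_ARM64_REG_X5);
        aMap.put("X6", Arm64Const.UC_ARM64_REG_X6);
        aMap.put("X7", Arm64Const.UC_ARM64_REG_X7);
        aMap.put("X8", Arm64Const.UC_ARM64_REG_X8);
        aMap.put("X9", Arm64Const.UC_ARM64_REG_X9);
        aMap.put("X10", Arm64Const.UC_ARM64_REG_X10);
        aMap.put("X11", Arm64Const.UC_ARM64_REG_X11);
        aMap.put("X12", Arm64Const.UC_ARM64_REG_X12);
        aMap.put("X13", Arm64Const.UC_ARM64_REG_X13);
        aMap.put("X14", Arm64Const.UC_ARM64_REG_X14);
        aMap.put("X15", Arm64Const.UC_ARM64_REG_X15);
        aMap.put("X16", Arm64Const.UC_ARM64_REG_X16);
        aMap.put("X17", Arm64Const.UC_ARM64_REG_X17);
        aMap.put("X18", Arm64Const.UC_ARM64_REG_X18);
        aMap.put("X19", Arm64Const.UC_ARM64_REG_X19);
        aMap.put("X20", Arm64Const.UC_ARM64_REG_X20);
        aMap.put("X21", Arm64Const.UC_ARM64_REG_X21);
        aMap.put("X22", Arm64Const.UC_ARM64_REG_X22);
        aMap.put("X23", Arm64Const.UC_ARM64_REG_X23);
        aMap.put("X24", Arm64Const.UC_ARM64_REG_X24);
        aMap.put("X25", Arm64Const.UC_ARM64_REG_X25);
        aMap.put("X26", Arm64Const.UC_ARM64_REG_X26);
        aMap.put("X27", Arm64Const.UC_ARM64_REG_X27);
        aMap.put("X28", Arm64Const.UC_ARM64_REG_X28);
        aMap.put("X29", Arm64Const.UC_ARM64_REG_X29);
        aMap.put("X30", Arm64Const.UC_ARM64_REG_X30);
        aMap.put("SP", Arm64Const.UC_ARM64_REG_SP);
        arm64Regs = Collections.unmodifiableMap(aMap);
    }

    /** Register snapshot taken at the previously hooked instruction; null until the first one. */
    public Map<String, Long> preRegsValue = null;

    /**
     * Creates the tracer and immediately installs its hooks on the emulator backend.
     *
     * @param emulator emulator to trace
     * @param module   module whose code range is traced
     * @param redirect stream the trace is written to; null keeps stderr
     */
    public TenetTrace(Emulator<?> emulator, Module module, PrintStream redirect) {
        this.emulator = emulator;
        this.module = module;
        this.registerContext = emulator.getContext();
        if (redirect != null) {
            this.out = redirect;
        }
        // Hooks go live here, before the constructor returns.
        start();
    }

    /**
     * Reads every register listed in {@link #arm64Regs}.
     *
     * @return name -> current value, in {@link #arm64Regs} order
     */
    public Map<String, Long> getAllRegister() {
        Map<String, Long> regs = new LinkedHashMap<>();
        for (Map.Entry<String, Integer> entry : arm64Regs.entrySet()) {
            regs.put(entry.getKey(), registerContext.getLongByReg(entry.getValue()));
        }
        return regs;
    }

    /**
     * Returns the registers whose value differs between two snapshots.
     *
     * @param nowRegs current snapshot (every key of {@link #arm64Regs} must be present)
     * @param preRegs previous snapshot, or null for the first instruction
     * @return {@code nowRegs} itself when {@code preRegs} is null, otherwise only the
     *         changed registers with their new values
     */
    public Map<String, Long> getDiff(Map<String, Long> nowRegs, Map<String, Long> preRegs) {
        if (preRegs == null) {
            // First instruction: the full register state is the "diff".
            return nowRegs;
        }
        Map<String, Long> diffRegs = new LinkedHashMap<>();
        for (String regName : arm64Regs.keySet()) {
            long now = nowRegs.get(regName);
            long pre = preRegs.get(regName);
            if (now != pre) {
                diffRegs.put(regName, now);
            }
        }
        return diffRegs;
    }

    /**
     * Prints {@code NAME=0xVALUE,} for each register followed by {@code PC=0xVALUE}
     * (no trailing newline; the next instruction's hook terminates the line).
     *
     * @param regs registers to print
     */
    public void showRegs(Map<String, Long> regs) {
        for (Map.Entry<String, Long> entry : regs.entrySet()) {
            out.printf("%s=%#X,", entry.getKey(), entry.getValue());
        }
        out.printf("PC=%#X", registerContext.getPCPointer().peer);
    }

    /**
     * Installs the three hooks: an instruction hook limited to the module's code range
     * and read/write hooks for the whole address space.
     */
    public void start() {
        Backend backend = emulator.getBackend();

        backend.hook_add_new(new CodeHook() {
            @Override
            public void hook(Backend backend, long address, int size, Object user) {
                // Terminate the previous instruction's line (nothing to terminate on the first hit).
                if (preRegsValue != null) {
                    out.println("");
                }
                Map<String, Long> regs = getAllRegister();
                Map<String, Long> diffRegs = getDiff(regs, preRegsValue);
                showRegs(diffRegs);
                preRegsValue = regs;
                // Memory accesses gathered since the previous instruction belong to that line.
                out.print(mRead);
                out.print(mWrite);
                mRead.setLength(0);
                mWrite.setLength(0);
            }

            @Override
            public void onAttach(UnHook unHook) {
            }

            @Override
            public void detach() {
            }
        }, module.base, module.base + module.size, null);

        // begin=1 > end=0: on the unicorn backend this registers the hook for all addresses
        // (presumably mirrored by the other unidbg backends — confirm if one is swapped in).
        backend.hook_add_new(new ReadHook() {
            @Override
            public void hook(Backend backend, long address, int size, Object user) {
                byte[] reads = emulator.getBackend().mem_read(address, size);
                mRead.append(String.format(",mr=%#X:%s", address, bytesToHex(reads)));
            }

            @Override
            public void onAttach(UnHook unHook) {
            }

            @Override
            public void detach() {
            }
        }, 1, 0, null);

        backend.hook_add_new(new WriteHook() {
            @Override
            public void hook(Backend backend, long address, int size, long value, Object user) {
                // NOTE(review): the bytes are read back from memory inside the write hook; on backends
                // that invoke the hook before the store lands this records the pre-write contents.
                // The `value` argument carries the data being stored — verify against the backend in use.
                byte[] writes = emulator.getBackend().mem_read(address, size);
                mWrite.append(String.format(",mw=%#X:%s", address, bytesToHex(writes)));
            }

            @Override
            public void onAttach(UnHook unHook) {
            }

            @Override
            public void detach() {
            }
        }, 1, 0, null);
    }

    private static final char[] HEX_ARRAY = "0123456789ABCDEF".toCharArray();

    /**
     * Upper-case hex encoding with no separators, e.g. {@code {0x00, 0xAB}} -> {@code "00AB"}.
     *
     * @param bytes bytes to encode; an empty array yields an empty string
     * @return hex string of length {@code 2 * bytes.length}
     * @throws NullPointerException if {@code bytes} is null
     */
    public static String bytesToHex(byte[] bytes) {
        char[] hexChars = new char[bytes.length * 2];
        for (int j = 0; j < bytes.length; j++) {
            int v = bytes[j] & 0xFF;
            hexChars[j * 2] = HEX_ARRAY[v >>> 4];
            hexChars[j * 2 + 1] = HEX_ARRAY[v & 0x0F];
        }
        return new String(hexChars);
    }
}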

使用

// save path
String traceFile = "D:\\traces\\aikucun\\traceOasis.log";
try {
// autoFlush=true so each printf/println reaches the file even if the run is cut short.
// The stream is handed to the tracer and must stay open for as long as emulation runs.
PrintStream traceStream = new PrintStream(new FileOutputStream(traceFile), true);
// The constructor installs the hooks itself, so nothing else needs to be called.
new TenetTrace(emulator, module, traceStream);
} catch (FileNotFoundException e) {
// Thrown when the directory does not exist or the path is not writable.
e.printStackTrace();
}

android/os/SystemProperties->get(Ljava/lang/String;)Ljava/lang/String;

adb shell getprop 属性名 即可,比如 adb shell getprop ro.build.id

Coffee的Unidbg笔记

Context 如何构造

方式一:直接 new Context

DvmObject<?> context = vm.resolveClass("android/content/Context").newObject(null);

方式二:完整继承链构造(推荐)

DvmClass context = vm.resolveClass("android/content/Context");
DvmClass ContextWrapper = vm.resolveClass("android/content/ContextWrapper", context);
DvmClass Application = vm.resolveClass("android/app/Application", ContextWrapper);
return Application.newObject(signature);

补 ActivityThread.getApplication 环境

// Handles the object-returning JNI calls the native code makes into the VM; the two
// signatures below get hand-built objects, every other signature falls through to super.
@Override
public DvmObject<?> callObjectMethodV(BaseVM vm, DvmObject<?> dvmObject, String signature, VaList vaList) {
switch (signature) {
case "android/app/ActivityThread->getApplication()Landroid/app/Application;": {
// Application is resolved with Context as its parent (the earlier snippet also inserts
// ContextWrapper between them — presumably the second argument is the superclass; confirm).
DvmClass context = vm.resolveClass("android/content/Context");
DvmClass Application = vm.resolveClass("android/app/Application", context);
return Application.newObject(signature);
}
case "android/content/Context->getContentResolver()Landroid/content/ContentResolver;": {
return vm.resolveClass("android/content/ContentResolver").newObject(signature);
}
}
// Unhandled signatures: let the default implementation decide (or raise its usual error).
return super.callObjectMethodV(vm, dvmObject, signature, vaList);
}

字符串 / 字节数组 / 对象数组 / 实例对象参数传递

注意
JNI 里除了 8 种基本类型,其余对象都必须 vm.addLocalObject()

字符串

list.add(vm.addLocalObject(new StringObject(vm, "12345")));
list.add(vm.addLocalObject(new StringObject(vm, "r0ysue")));

字节数组

ByteArray plainText = new ByteArray(vm, "r0ysue".getBytes(StandardCharsets.UTF_8));
list.add(vm.addLocalObject(plainText));

对象数组构造

Native 方法:

public static native Object[] main(int i, Object[] objarr);

Java 侧:

StringObject input2_1 = new StringObject(vm, "9b69f861-e054-4bc4-9daf-d36ae205ed3e");
ByteArray input2_2 = new ByteArray(
vm,
"GET /aggroup/homepage/display __r0ysue".getBytes(StandardCharsets.UTF_8)
);
DvmInteger input2_3 = DvmInteger.valueOf(vm, 2);

vm.addLocalObject(input2_1);
vm.addLocalObject(input2_2);
vm.addLocalObject(input2_3);

list.add(vm.addLocalObject(new ArrayObject(input2_1, input2_2, input2_3)));

实例对象参数不要偷懒传 0

DvmClass cNative = vm.resolveClass("com/roysue/test623/MainActivity");
DvmObject<?> cnative = cNative.newObject(null);

list.add(vm.getJNIEnv());
list.add(cnative.hashCode());

Thumb 模式调用注意事项

Number number = module.callFunction(emulator, 0x1E7C + 1, list.toArray())[0];

调用 / Hook 需要 +1
Patch、下断点 不需要


Patch 方法

直接写 Opcode

int patchCode = 0x4FF00100; // mov r0,1
emulator.getMemory().pointer(module.base + 0x1E86).setInt(0, patchCode);

Keystone 汇编 Patch(推荐)

// Patch site inside the module; no +1 here — the Thumb bit only applies to call/hook addresses.
Pointer pointer = UnidbgPointer.pointer(emulator, module.base + 0x1E86);
// NOTE(review): the original 4 bytes are read but never used afterwards — presumably kept for
// inspection or to restore the patch later; drop the variable or actually use it.
byte[] code = pointer.getByteArray(0, 4);

// try-with-resources releases the Keystone engine once the patch is written.
try (Keystone keystone = new Keystone(KeystoneArchitecture.Arm, KeystoneMode.ArmThumb)) {
KeystoneEncoded encoded = keystone.assemble("mov r0,1");
// Writes exactly 4 bytes: the same 32-bit Thumb encoding the raw-opcode snippet above hard-codes.
pointer.write(0, encoded.getMachineCode(), 0, 4);
}

Unidbg Hook 示例

HookZz wrap

hookZz.wrap(module.base + 0x1BD0 + 1,
new WrapCallback<HookZzArm32RegisterContext>() {

@Override
public void preCall(...) {
Pointer input = ctx.getPointerArg(0);
System.out.println(input.getString(0));
}

@Override
public void postCall(...) {
Pointer result = ctx.getPointerArg(0);
System.out.println(result.getString(0));
}
});

Inline Hook(instrument)

hookZz.instrument(module.base + 0x315B0 + 1,
(emulator, ctx, info) -> {
System.out.println("R2=" + ctx.getR2Long());
});

Unicorn CodeHook

// Instruction hook limited to [base+0x9D24, base+0x9D28]; the address check inside keeps only
// the first instruction of that range.
// NOTE(review): the TenetTrace listing above also overrides onAttach/detach on CodeHook; if the
// unidbg version in use declares them on the interface, this anonymous class needs them as well.
emulator.getBackend().hook_add_new(new CodeHook() {
@Override
public void hook(Backend backend, long address, int size, Object user) {
if (address == module.base + 0x9D24) {
// Print the first argument as a C string at the moment this instruction executes.
RegisterContext ctx = emulator.getContext();
System.out.println(ctx.getPointerArg(0).getString(0));
}
}
}, module.base + 0x9D24, module.base + 0x9D28, null);

so 加载与 init

DalvikModule dm = vm.loadLibrary(new File("libnet_crypto.so"), true);

false 会导致字符串未解密(init / JNI_OnLoad 未执行)


常见补环境示例

getAppContext

case "com/izuiyou/common/base/BaseApplication->getAppContext()Landroid/content/Context;":
return vm.resolveClass("android/content/Context").newObject(null);

Debug 检测

case "android/os/Debug->isDebuggerConnected()Z":
return false;

PID

case "android/os/Process->myPid()I":
return emulator.getPid();

Map.get / isEmpty

TreeMap<String, String> map = (TreeMap<String, String>) dvmObject.getValue();
return map.get(key);

Throwable 初始化

case "java/lang/Throwable-><init>()V":
return vm.resolveClass("java/lang/Throwable").newObject(new Throwable());

内存 Hexdump(类似 Frida)

Inspector.inspect(ctx.getR0Pointer().getByteArray(0, 0x10), "Arg1");
ctx.push(ctx.getR2Pointer());

主动调用 Native 函数

// 16 bytes of emulator memory for the input buffer (false: plain malloc, no special placement
// — presumably; confirm the flag's meaning in the Memory API).
MemoryBlock block = emulator.getMemory().malloc(16, false);
UnidbgPointer ptr = block.getPointer();
// NOTE(review): getBytes() without a charset uses the platform default; the byte-array snippet
// above passes StandardCharsets.UTF_8 explicitly — do the same here for reproducible input.
ptr.write("r0ysue".getBytes());

// Thumb target, hence the +1 on the offset. 6 = length of the input written above.
// outPtr is not defined in this snippet; it must be allocated the same way as `block`.
module.callFunction(emulator, 0x65540 + 1, ptr, 6, outPtr);

断点与 Trace

emulator.attach().addBreakPoint(module.base + 0x3161E);
emulator.traceCode(module.base, module.base + module.size);

开启全部日志

Logger.getLogger("com.github.unidbg.AbstractEmulator").setLevel(Level.DEBUG);

注册 libAndroid.so

new AndroidModule(emulator, vm).register(memory);

必须在 vm.loadLibrary 之前


Console Debugger 常用命令

c / n / si / bt
trace / b(address) / p(asm) / m(address)

JNI Version 错误说明

通常是 JNI_OnLoad 未完全执行
修完其他问题后再看


固定 PID(可选)

this.pid = 23638;