大杀器Unidbg真正的威力
看雪论坛作者ID:至尊小仙侠
论2021如何处理 arm vmp?
有图有真相 Unidbg的杀手锏 CPU指令级别Trace
callFunction:
那么我们在分析So的过程中,发现了一个非JNI函数能不能主动调用呢?答案是必须能。
public final Number[] callFunction(Emulator<?> emulator, String symbolName, Object... args) {
Symbol symbol = findSymbolByName(symbolName, false);
if (symbol == null) {
throw new IllegalStateException("find symbol failed: " + symbolName);
}
if (symbol.isUndef()) {
throw new IllegalStateException(symbolName + " is NOT defined");
}
return symbol.call(emulator, args);
}
emulator = createARMEmulator();
private static void CallVMPFunc(Module module,AndroidEmulator emulator){
try {
Symbol malloc = module.findSymbolByName("malloc");
Symbol free = module.findSymbolByName("free");
MemoryBlock block = MemoryAllocBlock.malloc(emulator,malloc,free,0x1000);
MemoryBlock namebyte = MemoryAllocBlock.malloc(emulator,malloc,free,0x1000);
UnidbgPointer blockpoint = block.getPointer();
UnidbgPointer namepoint = namebyte.getPointer();
String name = "magicillusion";
String data = "hello worid";
namepoint.write(name.getBytes());
blockpoint.write(data.getBytes());
Number[] ret = module.callFunction(emulator,0x13B30+1,namepoint,blockpoint,2);
UnidbgPointer ret1 = new UnidbgPointer(emulator,ret[0].intValue(),4);
String string = ret1.getString(0);
System.out.println("Number => " + (string));
} finally {
}
}
大杀器内置的HOOK框架
// 1. 获取HookZz对象
IHookZz hookZz = HookZz.getInstance(emulator); // 加载HookZz,支持inline hook,文档看https://github.com/jmpews/HookZz
// 2. enable hook
hookZz.enable_arm_arm64_b_branch(); // 测试enable_arm_arm64_b_branch,可有可无
index = 0;
hookZz.replace(module.findSymbolByName("lrand48"), new ReplaceCallback() {
@Override
public void postCall(Emulator<?> emulator, HookContext context) {
((EditableArm32RegisterContext)context).setR0(0x12345678);
int ptrace_args0 = context.getIntArg(0);
System.out.println("lrand48=" + ptrace_args0);
}
},true);
//aesdecode hook
hookZz.wrap((module.base)+0x39634+1, new WrapCallback<RegisterContext>() { // inline wrap导出函数
UnidbgPointer addr = null;
@Override
// 4. 方法执行前
public void preCall(Emulator<?> emulator, RegisterContext ctx, HookEntryInfo info) {
addr= ctx.getPointerArg(0);
UnidbgPointer pointerArg = ctx.getPointerArg(1);
UnidbgPointer pointer = pointerArg.getPointer(12);
int anInt = pointerArg.getInt(8);
byte[] byteArray = pointer.getByteArray(0, anInt);
String s =xuzi1(byteArray);
System.out.println("aes aesdecode= " + s);
}
@Override
// 5. 方法执行后
public void postCall(Emulator<?> emulator, RegisterContext ctx, HookEntryInfo info) {
byte[] aaaa = addr.getPointer(0).getPointer(12).getByteArray(0,0x30);
String s =xuzi1(aaaa);
System.out.println("aes aesdecode1= " + s);
}
});
看雪ID:至尊小仙侠
https://bbs.pediy.com/user-home-873999.htm
官网:https://www.bagevent.com/event/6334937
# 往期推荐
2. CVE-2021-26708 利用四字节释放特定地址,修改内存
3.网刃杯逆向wp
球分享
球点赞
球在看
点击“阅读原文”,了解更多!
[广告]赞助链接:
关注数据与安全,洞悉企业级服务市场:https://www.ijiandao.com/
让资讯触达的更精准有趣:https://www.0xu.cn/
关注KnowSafe微信公众号
随时掌握互联网精彩
随时掌握互联网精彩
- 高通汽车业务订单总估值增长至300亿美元
- 今晚19:00明眸直播专场|AI 算法打开降本增效新模式
- 诸子安在·百家说事|8.20直播预告
- 业界首创云原生安全检测双模型!安全狗报告亮相数字中国建设峰会
- 百家|从伊朗钢铁厂被侵事件看钢企数字化转型安全
- 历史上的今天:首届图灵奖的获得者诞生;苹果电脑公司成立;Gmail 问世
- 疫情诈骗剧本翻新大盘点:17种套路让人大开眼界
- 需求着急上线,是写烂代码的理由吗?
- 不只是手表,更是智能助手
- 联接改变未来,UBBF 2021华为丁耘邀您共同迈入“联接+,新增长”时代
- 用 Python 分析了 5 万条相亲数据,告诉你男女相亲背后的秘密
- 一周内咸鱼疯转 2.4W 次,最终被所有大厂封杀!
赞助链接