unidbg executes a certain section and replaces the value and breakpoint assembly execution analysis

Mobile 2023-08-02 05:48:53 views: null 
package com.dta.lesson27;

import com.github.unidbg.AndroidEmulator;
import com.github.unidbg.Module;
import com.github.unidbg.arm.backend.Backend;
import com.github.unidbg.linux.AndroidElfLoader;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.linux.android.dvm.DalvikModule;
import com.github.unidbg.linux.android.dvm.DvmClass;
import com.github.unidbg.linux.android.dvm.DvmObject;
import com.github.unidbg.linux.android.dvm.VM;
import com.github.unidbg.memory.Memory;
import com.github.unidbg.memory.MemoryBlock;
import com.github.unidbg.pointer.UnidbgPointer;
import keystone.Keystone;
import keystone.KeystoneArchitecture;
import keystone.KeystoneEncoded;
import keystone.KeystoneMode;
import org.apache.log4j.Level;
import org.apache.log4j.Logger;
import unicorn.ArmConst;

import java.io.File;
import java.nio.charset.StandardCharsets;


public class MainActivity {
    
    
    private final AndroidEmulator emulator;
    private final VM vm;
    private final Memory memory;
    private final Module module;

    public MainActivity(){
    
    
        emulator = AndroidEmulatorBuilder
                .for32Bit()
                //.setRootDir(new File("target/rootfs/default"))
                //.addBackendFactory(new DynarmicFactory(true))
                .build();

        memory = emulator.getMemory();
        memory.setLibraryResolver(new AndroidResolver(23));

        vm = emulator.createDalvikVM();
        vm.setVerbose(true);

        DalvikModule dalvikModule = vm.loadLibrary(new File("unidbg-android/src/test/java/com/dta/lesson27/libcyberpeace.so"), false);
        module = dalvikModule.getModule();

        vm.callJNI_OnLoad(emulator,module);
    }

    static {
    
    
        Logger.getLogger(AndroidElfLoader.class).setLevel(Level.INFO);
    }


    public static void main(String[] args) {
    
    
        long start = System.currentTimeMillis();
        MainActivity mainActivity = new MainActivity();
        System.out.println("load the vm "+( System.currentTimeMillis() - start )+ "ms");
        mainActivity.debugger();
        //mainActivity.check();
        mainActivity.callAddress();

    }

    //断点
    private void debugger() {
    
    
        emulator.attach().addBreakPoint(module,0x10B8);
    }

    private void check() {
    
    
        DvmClass obj = vm.resolveClass("com/testjava/jack/pingan2/cyberpeace");
        //public static native int CheckString(String str);
        String input = "123456654321abcdeffedcba4321abcd";
        int i = obj.callStaticJniMethodInt(emulator, "CheckString(Ljava/lang/String;)I", input);
        System.out.println("result  ==> "+ i);
    }

    private void callAddress(){
    
    
        emulator.traceCode(); //汇编执行指令
        UnidbgPointer buffer = memory.malloc(32, false).getPointer();
        buffer.setString(0,"f72c5a36569418a20907b55be5bf95ad");

        Backend backend = emulator.getBackend();
        backend.reg_write(ArmConst.UC_ARM_REG_R4,buffer.peer);
        module.callFunction(emulator,0x108B);
    }
}

Guess you like

Origin blog.csdn.net/weixin_38927522/article/details/127872416
Recommended
微软回应中国区AI团队“打包赴美”传闻
Ranking
How to use ChatGPT to write 100,000+ hot articles for public accounts (includes prompt words)
sudo echo command execution Permission denied
ADO: Using Transactions to Operate Oracle Database
[Java] [Class and Object] equals, hashCode, clone methods
Linux virtual host function
Порт управления rabbitmq открыт
on,where
jQuery WeUI
How can there be a weed pilot in Hangzhou?
tcp / ip model four
Daily
More
2024-05-15(5)
2024-05-14(9)
2024-05-13(8)
2024-05-12(28)
2024-05-11(32)
2024-05-10(34)
2024-05-09(32)
2024-05-08(18)
2024-05-07(34)
2024-05-06(6)

Code World

© 2018 codetd.com