def avmp_wua_sgcipher_create(emulator):
    """Issue native command 60901 to create the AVMP "sgcipher" instance.

    Args:
        emulator: emulator whose JNI bridge executes the command.

    Returns:
        The object returned by ``JNICLibrary.doCommandNative`` for 60901; in
        this file ``get_wua`` passes it as the first element of command 60902.
    """
    tag = String("mwua")
    kind = String("sgcipher")
    print("begin avmp 60901")
    command_args = Array([tag, kind])
    return JNICLibrary.doCommandNative(emulator, 60901, command_args)
def __init__(self):
    """Initialise the emulated object with fixed defaults.

    The field names (SSID, BSSID, hiddenSSID, networkId, ...) suggest an
    emulated android.net.wifi.WifiInfo-like object -- confirm against the
    enclosing class, which is outside this view.
    """
    # Scalar defaults.
    self.hiddenSSID = False
    self.networkId = 0
    self.priority = 0
    # Java string defaults; each attribute gets its own String object.
    self.SSID = String("")
    self.BSSID = String("")
    self.FQDN = String("")
    self.providerFriendlyName = String("hello")
def getString(emu, resolver, s1):
    """Emulated getString(resolver, name) lookup.

    Only the "android_id" setting is served, from the global config; every
    other name yields an empty Java string. ``resolver`` is only echoed in
    the log line.
    """
    print("call getString %r %r" % (resolver, s1))
    setting_name = s1.get_py_string()
    if setting_name != "android_id":
        return String("")
    return String(config.global_config_get("android_id"))
def get_x_sign(emulator, data_str):
    """Run native command 10401 over ``data_str`` and return its result as a Python str.

    Args:
        emulator: emulator whose JNI bridge executes the command.
        data_str: Python string placed under the "INPUT" key of the HashMap argument.

    Returns:
        The Java String result of command 10401, converted with ``get_py_string()``.
    """
    input_map = HashMap({String("INPUT"): String(data_str)})
    app_id = String("21465214")   # the same constant is labelled appID in get_mini_wua
    mode = Integer(7)
    extra = JAVA_NULL
    flag = Boolean(True)
    command_args = Array([input_map, app_id, mode, extra, flag])
    print("begin 10401")
    signed = JNICLibrary.doCommandNative(emulator, 10401, command_args)
    return signed.get_py_string()
def get_mini_wua(emulator, unix_time):
    """Run securitybody command 20102 for ``unix_time`` and return the result as a str.

    Args:
        emulator: emulator whose JNI bridge executes the command.
        unix_time: unix timestamp; stringified and passed as the first argument.

    Returns:
        The Java String result of command 20102, converted with ``get_py_string()``.
    """
    timestamp = String(str(unix_time))          # unix timestamp (varies per call)
    app_id = String("21465214")                  # appID
    mode = Integer(8)
    extra = JAVA_NULL
    page_info = String("pageName=&pageId=")
    zero = Integer(0)
    print("begin securitybodyso 20102")
    command_args = Array([timestamp, app_id, mode, extra, page_info, zero])
    mini_wua = JNICLibrary.doCommandNative(emulator, 20102, command_args)
    return mini_wua.get_py_string()
def __init__(self):
    """Initialise the emulated Context with package name, PackageManager and ContentResolver.

    The package name is read from the global config key "pkg_name".
    """
    Context.__init__(self)
    pkg_name = config.global_config_get("pkg_name")
    self.__pkgName = String(pkg_name)
    self.__pkg_mgr = PackageManager(pkg_name)
    self.__resolver = ContentResolver()
def getString(self, emu, k):
    """Look up the Java string ``k`` in ``self.__pymap``.

    Returns:
        String(value) when the key is present, else JAVA_NULL.  Returning a
        Python None here would mean "no return value", whereas JAVA_NULL is
        the Java null the caller expects.
    """
    key = k.get_py_string()
    try:
        value = self.__pymap[key]
    except KeyError:
        return JAVA_NULL
    return String(value)
def get_wua(emulator, vmp_inst, sdata):
    """Invoke the AVMP "sign" command (60902) on ``sdata`` and return the result as a str.

    Args:
        emulator: emulator whose JNI bridge executes the command.
        vmp_inst: the instance returned by avmp_wua_sgcipher_create (command 60901).
        sdata: Python string to sign; encoded as UTF-8 bytes.

    Returns:
        The returned byte items decoded as UTF-8.
    """
    payload = ByteArray(bytearray(sdata, "utf-8"))
    payload_len = Integer(len(payload))
    out_buf = ByteArray(bytearray())
    method_name = String("sign")
    # NOTE: the ByteArray *class* itself is passed as the third element, as in
    # the original -- presumably it denotes the result type; confirm.
    result_type = ByteArray
    sign_args = ByteArray([Integer(0), payload, payload_len, String(""), out_buf, Integer(0)])
    command_args = Array([vmp_inst, method_name, result_type, sign_args])
    print("60902 run")
    wua_bytes = JNICLibrary.doCommandNative(emulator, 60902, command_args)
    return wua_bytes.get_py_items().decode("utf-8")
class Helper(metaclass=JavaClassDef,
             jvm_name='com/SecShell/SecShell/Helper',
             jvm_fields=[
                 # Third positional argument of JavaFieldDef is True here;
                 # presumably the "static" flag -- confirm against JavaFieldDef.
                 JavaFieldDef('PKGNAME', 'Ljava/lang/String;', True,
                              String("com.myxh.coolshopping"))
             ]):
    """Emulated Java class com/SecShell/SecShell/Helper.

    Declares a String field PKGNAME preset to "com.myxh.coolshopping" and a
    method azbycx(String) -> String marked native=True, so its body is not
    provided here in Python.
    """

    def __init__(self):
        pass

    @java_method_def(name='azbycx',
                     signature='(Ljava/lang/String;)Ljava/lang/String;',
                     native=True)
    def azbycx(self, mu):
        """Declaration only; the Python body is never executed (native=True)."""
        pass
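def readFromSPUnified(mu, s1, s2, s3):
    """Emulated shared-preferences read backed by a JSON file.

    Args:
        mu: emulator handle (unused here).
        s1, s2: Java strings joined as "<s1>_<s2>" to form the lookup key.
        s3: Java string returned unchanged when the key is absent (the default).

    Returns:
        String(value) for a present key, otherwise ``s3``.

    Raises:
        OSError if the backing file cannot be opened; json.JSONDecodeError
        if it is not valid JSON.
    """
    logger.debug("readFromSPUnified %s %s %s" % (s1, s2, s3))
    key = "%s_%s" % (s1.get_py_string(), s2.get_py_string())
    path = "vfs/data/data/fm.xiami.main/files/SGMANAGER_DATA2"
    # JSON is UTF-8 by specification; an explicit encoding avoids depending on
    # the host locale, and json.load() parses the stream directly.
    with open(path, encoding="utf-8") as f:
        js = json.load(f)
    if key in js:
        print("readFromSPUnified return %s" % js[key])
        return String(js[key])
    return s3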
def test_something(self):
    """Load bin/test_native.so and call testOneArg via JNI; it must echo 'Hello'."""
    emulator = Emulator(vfp_inst_set=True, vfs_root="vfs")
    lib_path = posixpath.join(posixpath.dirname(__file__), "bin", "test_native.so")
    module = emulator.load_library(lib_path, do_init=False)
    self.assertTrue(module.base != 0)
    result = emulator.call_symbol(
        module,
        'Java_com_aeonlucid_nativetesting_MainActivity_testOneArg',
        emulator.java_vm.jni_env.address_ptr,
        0x00,
        String('Hello'),
    )
    self.assertEqual(result.get_py_string(), "Hello")
path = "vfs/system/bin/app_process32"
sz = os.path.getsize(path)
vf = VirtualFile("/system/bin/app_process32", misc_utils.my_open(path, os.O_RDONLY), path)
# Map the app_process32 image from the vfs into emulator memory at a fixed
# address, read/write.
emulator.memory.map(0xab006000, sz, UC_PROT_WRITE | UC_PROT_READ, vf, 0)
# Run JNI_OnLoad.
# JNI_OnLoad will call 'RegisterNatives'.
emulator.call_symbol(lib_module, 'JNI_OnLoad', emulator.java_vm.address_ptr, 0x00)
# 8.5 XG basic check flow
# 1. Call meta with the parameters below. If meta is not called, leviathan
#    returns null; the meta parameters directly affect leviathan's result.
print("begin meta")
XGorgen.meta(emulator, 101, 0, String("0"))
XGorgen.meta(emulator, 102, 0, String("1128"))
XGorgen.meta(emulator, 1020, 0, String(""))
XGorgen.meta(emulator, 103, 0, String("5179025446"))
XGorgen.meta(emulator, 104, 0, String("110943176729"))
XGorgen.meta(emulator, 105, 0, String("850"))
XGorgen.meta(emulator, 106, 0, String("com.ss.android.ugc.aweme"))
XGorgen.meta(emulator, 107, 0, String("/data/user/0/com.ss.android.ugc.aweme/files"))
XGorgen.meta(emulator, 108, 0, String("/data/app/com.ss.android.ugc.aweme-1.apk"))
XGorgen.meta(emulator, 109, 0, String("/storage/emulated/0"))
XGorgen.meta(emulator, 110, 0, String("/data"))
def getStackTrace(self, *args, **kwargs):
    """Return a fixed Java stack trace as a List of StackTraceElement.

    Original author's note (translated): the package names in frames 3-5 must
    be right; the others do not matter.
    """
    frame_names = (
        "dalvik.system.VMStack",
        "java.lang.Thread",
        "com.ss.sys.ces.a",
        "com.ss.sys.ces.gg.tt$1",
        "com.bytedance.frameworks.baselib.network.http.e.a",
        "com.bytedance.ttnet.a.a.onCallToAddSecurityFactor",
        "android.support.v7.app.AppCompatViewInflater$DeclaredOnClickListener",
        "java.lang.reflect.Method",
        "com.ttnet.org.chromium.base.Reflect.on",
        "com.ttnet.org.chromium.base.Reflect.call",
        "org.chromium.c.a",
        "org.chromium.e.onCallToAddSecurityFactor",
        "com.ttnet.org.chromium.net.impl.CronetUrlRequestContext",
        "com.ttnet.org.chromium.net.impl.CronetUrlRequest",
    )
    elements = [java_lang_StackTraceElement(String(name)) for name in frame_names]
    return List(elements)
def getStackTrace(self, *args, **kwargs):
    """Return a fixed Java stack trace (with method/source locations) as a List.

    Original author's note (translated): the package names in frames 3-5 must
    be right; the others do not matter.
    """
    frame_names = (
        "dalvik.system.VMStack.getThreadStackTrace(Native Method)",
        "java.lang.Thread.getStackTrace(Thread.java:580)",
        "com.ss.sys.ces.a.leviathan(Native Method)",
        "com.ss.sys.ces.gg.tt$1.a(Unknown Source)",
        "com.bytedance.frameworks.baselib.network.http.e.a(SourceFile:33947656)",
        "com.bytedance.ttnet.a.a.onCallToAddSecurityFactor(SourceFile:33816621)",
        "android.support.v7.app.AppCompatViewInflater$DeclaredOnClickListener",
        "java.lang.reflect.Method.invoke(Native Method)",
        "com.ttnet.org.chromium.base.Reflect.on(SourceFile:50659347)",
        "com.ttnet.org.chromium.base.Reflect.call(SourceFile:50528262)",
        "org.chromium.c.a(SourceFile:33882174)",
        "org.chromium.e.onCallToAddSecurityFactor(SourceFile:33685508)",
        "com.ttnet.org.chromium.net.impl.CronetUrlRequestContext.onCallToAddSecurityFactor(SourceFile:33685512)",
        "com.ttnet.org.chromium.net.impl.CronetUrlRequest.addSecurityFactor(SourceFile:33882142)",
    )
    elements = [java_lang_StackTraceElement(String(name)) for name in frame_names]
    return List(elements)
for module in emulator.modules: logger.info("=> 0x%08x - %s" % (module.base, module.filename)) try: # Run JNI_OnLoad. # JNI_OnLoad will call 'RegisterNatives'. impl = ContextImpl() app = MainApplication() app.attachBaseContext(impl) emulator.call_symbol(lib_module, 'JNI_OnLoad', emulator.java_vm.address_ptr, 0x00) o2 = Integer(1) o3 = String("") o4 = String("/data/data/fm.xiami.main/app_SGLib") o5 = String("") pyarr = [app, o2, o3, o4, o5] arr = Array("Ljava/lang/Object;", pyarr) #print(arr) #emulator.mu.hook_add(UC_HOOK_CODE, hook_code, emulator) JNICLibrary.doCommandNative(emulator, 10101, arr) o1 = String("main") o2 = String("6.4.163") o3 = String("/data/data/fm.xiami.main/lib/libsgmainso-6.4.163.so") print("begin 10102") arr = Array("Ljava/lang/Object;", [o1, o2, o3])
def doCommandForString(mu, cmdId):
    """Emulated doCommandForString; every command id is answered with the Java string "0"."""
    answer = String("0")
    return answer
# bypass douyin checks path = "vfs/system/bin/app_process32" sz = os.path.getsize(path) vf = VirtualFile("/system/bin/app_process32", misc_utils.my_open(path, os.O_RDONLY), path) emulator.memory.map(0xab006000, sz, UC_PROT_WRITE | UC_PROT_READ, vf, 0) # Run JNI_OnLoad. # JNI_OnLoad will call 'RegisterNatives'. emulator.call_symbol(lib_module, 'JNI_OnLoad', emulator.java_vm.address_ptr, 0x00) #8.5 xg基本检测流程 #1.调用meta,传入以下参数,如果不调用meta,leviathan将会返回null,meta的参数直接影响leviathan的结果 print("begin meta") XGorgen.meta(emulator, 101, 0, String("0")) XGorgen.meta(emulator, 102, 0, String("1128")) XGorgen.meta(emulator, 1020, 0, String("")) XGorgen.meta(emulator, 105, 0, String("850")) XGorgen.meta(emulator, 106, 0, String("com.ss.android.ugc.aweme")) XGorgen.meta(emulator, 107, 0, String("/data/user/0/com.ss.android.ugc.aweme/files")) XGorgen.meta(emulator, 108, 0, String("/data/app/com.ss.android.ugc.aweme-1.apk")) XGorgen.meta(emulator, 109, 0, String("/sdcard")) XGorgen.meta(emulator, 110, 0, String("/data")) #my_meta call tid 4470 [CZL-MRT] 222 0x1d200005 AchillesHell!!! #该调用会触发检测,真机开启一个叫CZL-MRT的线程做,不会影响leviathan的运行,但是如果堆栈不对,leviathan也会触发这个检测流程
def getExternalStorageDirectory(emu):
    """Emulated Environment.getExternalStorageDirectory(); always a File for "/sdcard/"."""
    sdcard = String("/sdcard/")
    return File(sdcard)
def doCommandForString(mu, cmdId):
    """Emulated doCommandForString: answer known command ids with fixed values.

    Args:
        mu: emulator handle (unused).
        cmdId: integer command id issued by the native library.

    Returns:
        JAVA_NULL for ids 104 and 105, a fresh Java String for the other known
        ids (table below).

    Raises:
        NotImplementedError for any id not in either table.
    """
    print("doCommandForString %d" % cmdId)
    # Ids answered with Java null. The original's decompiled notes map them to
    # TelephonyManager.getDeviceId() (104) and getSubscriberId() (105).
    null_ids = {104, 105}
    # Id -> fixed Python string; wrapped in a new String() on every call.
    # Notes in parentheses are the original author's, translated where needed.
    fixed_replies = {
        11: "0",                    # http.proxy (affects the result)
        109: "00:a7:10:93:64:57",   # mac (affects the result)
        110: "my-home",             # WifiInfo.getSSID()
        111: "78:bc:0a:3c:2c:81",   # WifiInfo.getBSSID()
        114: "1080*1794",           # DisplayMetrics widthPixels*heightPixels
        115: "11454181376",         # StatFs blockSize * blockCount
        117: "100",                 # BATTERY_CHANGED level/voltage/temperature (affects the result)
        121: "",                    # Login.getNick() via reflection (FIXME: affects the result)
        122: "fm.xiami.main",       # package name
        123: "8.3.8",               # versionName (FIXME: affects the result)
    }
    if cmdId in null_ids:
        return JAVA_NULL
    if cmdId in fixed_replies:
        return String(fixed_replies[cmdId])
    raise NotImplementedError()
def sgmain_init(emulator):
    """Set up the SG libraries in the emulator.

    Registers the emulated Java classes, maps the [vectors] page, loads the
    three native libraries (main, securitybody, avmp), runs each library's
    JNI_OnLoad and issues the 10101 / 10102 initialisation commands.

    Args:
        emulator: the emulator instance to initialise.
    """
    # Register Java class.
    emulator.java_classloader.add_class(HttpUtil)
    emulator.java_classloader.add_class(UmidAdapter)
    emulator.java_classloader.add_class(JNICLibrary)
    emulator.java_classloader.add_class(SPUtility2)
    emulator.java_classloader.add_class(DeviceInfoCapturer)
    emulator.java_classloader.add_class(DataReportJniBridge)
    emulator.java_classloader.add_class(ZipUtils)
    emulator.java_classloader.add_class(CallbackHelper)
    emulator.java_classloader.add_class(UserTrackMethodJniBridge)
    emulator.java_classloader.add_class(UMIDComponent)
    emulator.java_classloader.add_class(ECMiscInfo)
    emulator.java_classloader.add_class(MainApplication)
    emulator.java_classloader.add_class(JNIBridge)
    emulator.java_classloader.add_class(SecException)
    emulator.java_classloader.add_class(SGPluginExtras)
    emulator.java_classloader.add_class(MalDetect)
    emulator.java_classloader.add_class(NativeReflectUtils)
    emulator.java_classloader.add_class(SDKUtils)
    emulator.java_classloader.add_class(MiuiAd)
    emulator.java_classloader.add_class(TelephonyManagerEx)
    emulator.java_classloader.add_class(FtTelephonyAdapter)
    emulator.java_classloader.add_class(FtTelephony)
    emulator.java_classloader.add_class(FtDeviceInfo)
    emulator.java_classloader.add_class(ColorOSTelephonyManager)
    # Map [vectors]: one 0x1000-byte read+exec page at 0xffff0000 backed by the vfs file.
    path = "vfs/system/lib/vectors"
    vf = VirtualFile("[vectors]", misc_utils.my_open(path, os.O_RDONLY), path)
    emulator.memory.map(0xffff0000, 0x1000, UC_PROT_EXEC | UC_PROT_READ, vf, 0)
    # Load all libraries.
    lib_module = emulator.load_library(
        "vfs/data/data/fm.xiami.main/lib/libsgmainso-6.4.163.so")
    lib_module_secbody = emulator.load_library(
        "vfs/data/data/fm.xiami.main/lib/libsgsecuritybodyso-6.4.95.so")
    lib_module_avmp = emulator.load_library(
        "vfs/data/data/fm.xiami.main/lib/libsgavmpso-6.4.35.so")
    # Show loaded modules.
    logger.info("Loaded modules:")
    for module in emulator.modules:
        logger.info("=> 0x%08x - %s" % (module.base, module.filename))
    # Obtain the application object the 10101 command expects as its first argument.
    act_thread = ActivityThread()
    app = act_thread.currentApplication(emulator)
    emulator.call_symbol(lib_module, 'JNI_OnLoad', emulator.java_vm.address_ptr, 0x00)
    # 10101 10102 sgmain
    o2 = Integer(1)
    o3 = String("")
    o4 = String("/data/data/fm.xiami.main/app_SGLib")
    o5 = String("")
    pyarr = [app, o2, o3, o4, o5]
    arr = Array(pyarr)
    JNICLibrary.doCommandNative(emulator, 10101, arr)
    # 10102 takes (library name, version, library path).
    o1 = String("main")
    o2 = String("6.4.163")
    o3 = String("/data/data/fm.xiami.main/lib/libsgmainso-6.4.163.so")
    print("begin 10102")
    arr = Array([o1, o2, o3])
    JNICLibrary.doCommandNative(emulator, 10102, arr)
    # 10102 secbody
    print("secbody JNI_OnLoad")
    emulator.call_symbol(lib_module_secbody, 'JNI_OnLoad', emulator.java_vm.address_ptr, 0x00)
    o1 = String("securitybody")
    o2 = String("6.4.95")
    o3 = String("/data/data/fm.xiami.main/lib/libsgsecuritybodyso-6.4.95.so")
    print("begin securitybodyso 10102")
    arr = Array([o1, o2, o3])
    JNICLibrary.doCommandNative(emulator, 10102, arr)
    # 10102 avmp
    emulator.call_symbol(lib_module_avmp, 'JNI_OnLoad', emulator.java_vm.address_ptr, 0x00)
    o1 = String("avmp")
    o2 = String("6.4.35")
    o3 = String("/data/data/fm.xiami.main/lib/libsgavmpso-6.4.35.so")
    print("begin avmp 10102")
    arr = Array([o1, o2, o3])
    JNICLibrary.doCommandNative(emulator, 10102, arr)
def readSS(mu, ctx, s1):
    """Return the value stored under ``s1`` in the module-level ``_kv``, or an empty String.

    ``mu`` and ``ctx`` are accepted for signature compatibility and not used.
    """
    try:
        return _kv[s1]
    except KeyError:
        return String("")
def read(mu, s1):
    """Return the value stored under ``s1`` in the module-level ``_kv``, or an empty String.

    ``mu`` is accepted for signature compatibility and not used.
    """
    try:
        return _kv[s1]
    except KeyError:
        return String("")
def getProperty(self, *args, **kwargs):
    """Emulated getProperty: print the requested property name and answer "2.1.0".

    Raises IndexError when called without positional arguments (args[0]).
    """
    requested = args[0]
    print(requested)
    version = String("2.1.0")
    return version
def sendReportBridgeHttps(mu, s1, s2, bytes1):
    """Not emulated: always raises NotImplementedError.

    The original carried an unreachable ``return String("")`` after the raise.
    """
    raise NotImplementedError()
def njss(mu, i1, o1):
    """Emulated njss(int, Object): answer known ids with fixed Java strings.

    Args:
        mu: emulator handle (unused).
        i1: integer request id.
        o1: opaque second argument; only echoed in the log line.

    Returns:
        A fresh String for a known id, JAVA_NULL otherwise.
    """
    print("njss arg %d %s" % (i1, o1))
    fixed_replies = {
        120: '{"core":6,"hw":"MT6795","max":"1440000","min":"384000","ft":"fp asimd evtstrm aes pmull sha1 sha2 crc32 wp half thumb fastmult vfp edsp neon vfpv3 tlsi vfpv4 idiva idivt"}',
        121: "zh_CN",
        122: "GMT+08:00",
        124: '[]',
        125: "113.4363886,22.382336",
        126: "2600",
        127: "357710060743807",
        128: "460020862550230",
        129: "420[<!>]1080*1794[<!>]",
        130: "00:00:00:00:00:00[<!>]TP-LINK_49lnLeA[<!>]2026350784[<!>]",
        131: "eyJvcyI6IkFuZHJvaWQiLCJ2ZXJzaW9uIjoiMS4wLjMiLCJ0b2tlbl9pZCI6IiIsImNvZGUiOjUwNH0=",
        133: '{}',
        134: "-0.1, 0.6, -9.8",
    }
    if i1 in fixed_replies:
        return String(fixed_replies[i1])
    return JAVA_NULL
def __init__(self, pyPkgName):
    """Initialise emulated ApplicationInfo-style paths for ``pyPkgName``.

    sourceDir is /data/app/<pkg>/; dataDir and nativeLibraryDir both point at
    /data/data/<pkg> (as separate String objects). ``flags`` is a fixed
    constant whose bit meaning is not documented here.
    """
    data_dir = "/data/data/%s" % pyPkgName
    self.sourceDir = String("/data/app/%s/" % pyPkgName)
    self.dataDir = String(data_dir)
    self.nativeLibraryDir = String(data_dir)
    self.flags = 0x30e8bf46
def sendReportBridgeMtop(mu, s1, s2, s3, map, bytes1):
    """Not emulated: always raises NotImplementedError.

    The original carried an unreachable ``return String("")`` after the raise.
    """
    raise NotImplementedError()
def write(mu, s1, s2):
    """Return the value stored under ``s1`` in the module-level ``_kv``, or an empty String.

    Despite the name nothing is written: ``s2`` (and ``mu``) are accepted and
    ignored, matching the original behaviour.
    """
    try:
        return _kv[s1]
    except KeyError:
        return String("")
def getStackTrace(self, *args, **kwargs):
    """Return a fixed Java stack trace (class names only) as a List of StackTraceElement."""
    frame_names = (
        "dalvik.system.VMStack",
        "java.lang.Thread",
        "com.ss.sys.ces.a",
        "com.yf.douyintool.MainActivity",
        "java.lang.reflect.Method",
        "java.lang.reflect.Method",
        "android.support.v7.app.AppCompatViewInflater$DeclaredOnClickListener",
        "android.view.View",
        "android.os.Handler",
        "android.os.Handler",
        "android.os.Looper",
        "android.app.ActivityThread",
        "java.lang.reflect.Method",
        "java.lang.reflect.Method",
        "com.android.internal.os.ZygoteInit$MethodAndArgsCaller",
        "com.android.internal.os.ZygoteInit",
        "dalvik.system.NativeStart",
    )
    elements = [java_lang_StackTraceElement(String(name)) for name in frame_names]
    return List(elements)
def getLastAppVersion(mu):
    """Not emulated: always raises NotImplementedError.

    The original carried an unreachable ``return String("1.0")`` after the raise.
    """
    raise NotImplementedError()