def test_something(self):
# Initialize emulator
emulator = Emulator(vfp_inst_set=True,
vfs_root=posixpath.join(dir_samples, "vfs"))
emulator.load_library(posixpath.join(dir_samples, "example_binaries",
"libdl.so"),
do_init=False)
emulator.load_library(posixpath.join(dir_samples, "example_binaries",
"libc.so"),
do_init=False)
emulator.load_library(posixpath.join(dir_samples, "example_binaries",
"libstdc++.so"),
do_init=False)
module = emulator.load_library(posixpath.join(
posixpath.dirname(__file__), "test_binaries", "test_native.so"),
do_init=False)
print(module.base)
emulator.mu.hook_add(UC_HOOK_CODE, debug_utils.hook_code)
emulator.mu.hook_add(UC_HOOK_MEM_UNMAPPED, debug_utils.hook_unmapped)
res = emulator.call_symbol(
module, 'Java_com_aeonlucid_nativetesting_MainActivity_testOneArg',
emulator.java_vm.address_ptr, 0x00, 'Hello', 'asd')
print(res)
def test_thread32(self):
emulator = Emulator(vfs_root="vfs", muti_task=True)
libcm = emulator.load_library("vfs/system/lib/libc.so")
sym = libcm.find_symbol("pthread_create")
h = FuncHooker(emulator)
h.fun_hook(sym, 4, self.__pthread_create32_before_hook,
self.__pthread_create32_after_hook)
libdemo = emulator.load_library("tests/bin/libdemo.so")
r = emulator.call_symbol(libdemo, "test_thread", 3)
self.assertEqual(r, 3)
self.assertTrue(self.__is32_before_call)
self.assertTrue(self.__is32_after_call)
def test_tls32(self):
try:
emulator = Emulator(
vfs_root="vfs"
)
#测试getenv,pthread_getspecific等涉及tls_init的代码是否正常
libcm = emulator.load_library("vfs/system/lib/libc.so")
self.__test_tls_common(emulator, libcm)
except UcError as e:
print("Exit at 0x%08X" % emulator.mu.reg_read(UC_ARM_REG_PC))
emulator.memory.dump_maps(sys.stdout)
raise
def testSixArg(self):
# Initialize emulator
emulator = Emulator(
vfp_inst_set=True,
vfs_root=os.path.join(dir_samples, "vfs")
)
emulator.load_library(os.path.join(dir_samples, "example_binaries", "libdl.so"))
emulator.load_library(os.path.join(dir_samples, "example_binaries", "libc.so"))
emulator.load_library(os.path.join(dir_samples, "example_binaries", "libstdc++.so"))
module = emulator.load_library(os.path.join(os.path.dirname(__file__), "test_binaries", "test_native.so"))
res = emulator.call_symbol(module, 'Java_com_aeonlucid_nativetesting_MainActivity_testSixArg', emulator.java_vm.jni_env.address_ptr, 0x00, 'One', 'Two', 'Three', 'Four', 'Five', 'Six')
self.assertEqual('OneTwoThreeFourFiveSix', res)
def test_something(self):
# Initialize emulator
emulator = Emulator(
vfp_inst_set=True,
vfs_root="vfs"
)
module = emulator.load_library(posixpath.join(posixpath.dirname(__file__), "bin", "test_native.so"))
self.assertTrue(module.base != 0)
#emulator.mu.hook_add(UC_HOOK_CODE, hook_code, emulator)
res = emulator.call_symbol(module, 'Java_com_aeonlucid_nativetesting_MainActivity_testOneArg', emulator.java_vm.jni_env.address_ptr, 0x00, String('Hello'))
pystr = emulator.java_vm.jni_env.get_local_reference(res).value.get_py_string()
self.assertEqual(pystr, "Hello")
def test_thread64(self):
emulator = Emulator(vfs_root="vfs",
arch=emu_const.ARCH_ARM64,
muti_task=True)
libcm = emulator.load_library("vfs/system/lib64/libc.so")
sym = libcm.find_symbol("pthread_create")
#print("sym : %s"%hex(sym))
h = FuncHooker(emulator)
h.fun_hook(sym, 4, self.__pthread_create64_before_hook,
self.__pthread_create64_after_hook)
#emulator.mu.hook_add(UC_HOOK_CODE, hook_code, emulator)
libdemo = emulator.load_library("tests/bin64/libdemo.so")
r = emulator.call_symbol(libdemo, "test_thread", 3)
self.assertEqual(r, 3)
self.assertTrue(self.__is64_before_call)
self.assertTrue(self.__is64_after_call)
def test_64_elf(self):
# Initialize emulator
emulator = Emulator(
vfs_root="vfs",
arch=emu_const.ARCH_ARM64
)
emulator.java_classloader.add_class(TestClass)
try:
libcm = emulator.load_library("vfs/system/lib64/libc.so")
libtest = emulator.load_library("tests/bin64/libnative-lib.so")
#emulator.memory.dump_maps(sys.stdout)
emulator.call_symbol(libtest, 'JNI_OnLoad', emulator.java_vm.address_ptr, 0x00)
t = TestClass()
r = t.testJni2(emulator, 10000000000)
self.assertEqual(r, 125)
app = ActivityThread.currentApplication(emulator)
s = t.testJni1(emulator, app).get_py_string()
self.assertEqual(s, "com.ss.android.ugc.aweme")
#emulator.memory.dump_maps(sys.stdout)
except UcError as e:
print("Exit at 0x%08X" % emulator.mu.reg_read(UC_ARM64_REG_PC))
emulator.memory.dump_maps(sys.stdout)
raise
def test_load_bias_new_delete(self):
emulator = Emulator(
vfs_root="vfs",
arch=emu_const.ARCH_ARM64
)
try:
libcpp = emulator.load_library("vfs/system/lib64/libc++.so")
new_ptr = emulator.call_symbol(libcpp, "_Znwm", 100)
emulator.mu.mem_write(new_ptr, b'hello world...')
self.assertTrue(new_ptr!=0)
emulator.call_symbol(libcpp, "_ZdlPv", new_ptr)
#
except UcError as e:
print("Exit at 0x%08X" % emulator.mu.reg_read(UC_ARM64_REG_PC))
emulator.memory.dump_maps(sys.stdout)
raise
jvm_name="com/sec/udemo/MainActivity"):
@java_method_def(name="getSaltFromJava",
signature="(Ljava/lang/String;)Ljava/lang/String;",
native=False,
args_list=['jstring'])
def getSaltFromJava(self, mu, arg_str):
return arg_str.value.value + "salt.."
@java_method_def(name="sign_lv4",
signature="(Ljava/lang/String;)Ljava/lang/String;",
native=True)
def sign_lv4(self, mu):
pass
emulator = Emulator()
emulator.modules.add_symbol_hook(
"__aeabi_memclr",
emulator.hooker.write_function(hook_aeabi_memclr) + 1)
emulator.modules.add_symbol_hook(
"__aeabi_memcpy",
emulator.hooker.write_function(hook_aeabi_memcpy) + 1)
emulator.modules.add_symbol_hook(
"sprintf",
emulator.hooker.write_function(hook_sprintf) + 1)
emulator.java_classloader.add_class(com_sec_udemo_MainActivity)
emulator.load_library("lib/libc.so", do_init=False)
libmod = emulator.load_library("lib/libnative-lib.so", do_init=False)
try:
def __aeabi_memcpy(mu, dist, source, size):
data = mu.mem_read(source, size)
mu.mem_write(dist, bytes(data))
print('__aeabi_memcpy(%x,%x,%d)' % (dist, source, size))
@native_method
def sprintf(mu, buffer, fmt, a1, a2):
fmt1 = memory_helpers.read_utf8(mu, fmt)
data1 = memory_helpers.read_utf8(mu, a1)
result = fmt1 % (data1, a2)
mu.mem_write(buffer, bytes((result + '\x00').encode('utf-8')))
# print('sprintf(%s)' % (result))
emulator = Emulator()
#got hook
emulator.modules.add_symbol_hook(
'__aeabi_memclr',
emulator.hooker.write_function(__aeabi_memclr) + 1)
emulator.modules.add_symbol_hook(
'__aeabi_memcpy',
emulator.hooker.write_function(__aeabi_memcpy) + 1)
emulator.modules.add_symbol_hook('sprintf',
emulator.hooker.write_function(sprintf) + 1)
libc = emulator.load_library('jnilibs/libc.so', do_init=False)
libmod = emulator.load_library('jnilibs/libnative-lib.so', do_init=False)
try:
def test_get():
serach_content = "林俊杰"
#test_enc()
api = "mtop.alimusic.search.searchservice.searchsongs"
#res = get_callId(api, serach_content)
#print(res)
#x_c_traceid = get_x_c_traceid()
#print(x_c_traceid)
data = gen_data(api, serach_content)
print(data)
unix_time = int(time.time())
x_sign_input = get_x_sign_input(api, data, unix_time)
print(x_sign_input)
#x_sign_input = "XtX3M1bJ69cDAFWqkBwQYXgY&&&21465214&9d2395108230634c7438d833739c4ec9&1591175586&mtop.alimusic.search.searchservice.searchsongs&1.3&&701287@xiami_android_8.3.8&AohsPSPH-F7lQLJzyIvh_6geqxEqIetYwOxZ0laI9k_9&&&27"
#x_sign_input = "XtX3M1bJ69cDAFWqkBwQYXgY&&&21465214&b2604d60fe6fe6695f0c6e8186b9d972&1591887863&mtop.alimusic.search.searchservice.searchsongs&1.3&&701287@xiami_android_8.3.8&AohsPSPH-F7lQLJzyIvh_6geqxEqIetYwOxZ0laI9k_9&&&27"
emulator = Emulator(vfs_root=posixpath.join(posixpath.dirname(__file__),
"vfs"),
config_path="xiami.json")
sgmain_init(emulator)
x_sign = get_x_sign(emulator, x_sign_input)
print(x_sign)
vmp_inst = avmp_wua_sgcipher_create(emulator)
wua = get_wua(emulator, vmp_inst, x_sign)
header = {}
header["x-appkey"] = "21465214"
header["x-nq"] = "WIFI"
header["x-mini-wua"] = get_mini_wua(emulator, unix_time) #TODO
header["x-c-traceid"] = get_x_c_traceid()
header["x-app-conf-v"] = "0"
header["x-features"] = "5.2"
header["x-pv"] = "27"
header["x-t"] = str(unix_time)
header["x-app-ver"] = "8.3.8"
header["f-refer"] = "mtop"
header[
"user-agent"] = r"MTOPSDK%2F3.1.0.6+%28Android%3B6.0.1%3BLGE%3BAOSP+on+BullHead%29"
header["x-ttid"] = r"701287%40xiami_android_8.3.8"
header["x-nettype"] = "WIFI"
header["cache-control"] = "no-cache"
header[
"a-orange-q"] = "appKey=21465214&appVersion=8.3.8&clientAppIndexVersion=1120200603000600940&clientVersionIndexVersion=0"
header["x-utdid"] = g_utdid
header["x-umt"] = "pZ1LzvhLOlDOsjVyonOdfoph2Uetk1kT"
header["x-devid"] = "AohsPSPH-F7lQLJzyIvh_6geqxEqIetYwOxZ0laI9k_9"
header["x-sign"] = x_sign
header["content-type"] = "application/x-www-form-urlencoded;charset=UTF-8"
print("header:")
print(header)
print(wua)
#https://acs.m.taobao.com/gw/mtop.alimusic.search.searchservice.searchsongs/1.3/?data=%7B%22requestStr%22%3A%22%7B%5C%22header%5C%22%3A%7B%5C%22accessToken%5C%22%3A%5C%22%5C%22%2C%5C%22appId%5C%22%3A200%2C%5C%22appVersion%5C%22%3A8030800%2C%5C%22callId%5C%22%3A%5C%22mtop.alimusic.search.searchservice.searchsongs_815fc5cc31eeb8cfb37134c32f14142c%5C%22%2C%5C%22ch%5C%22%3A%5C%22701287%5C%22%2C%5C%22deviceId%5C%22%3A%5C%2200c3476989d8b8a6%5C%22%2C%5C%22language%5C%22%3A%5C%22zh_CN%5C%22%2C%5C%22network%5C%22%3A1%2C%5C%22openId%5C%22%3A0%2C%5C%22osVersion%5C%22%3A%5C%2223%5C%22%2C%5C%22platformId%5C%22%3A%5C%22android_phone%5C%22%2C%5C%22proxy%5C%22%3A%5C%22false%5C%22%2C%5C%22resolution%5C%22%3A%5C%221794x1080%5C%22%2C%5C%22utdid%5C%22%3A%5C%22XtX3M1bJ69cDAFWqkBwQYXgY%5C%22%2C%5C%22uxid%5C%22%3A%5C%22%5C%22%7D%2C%5C%22model%5C%22%3A%7B%5C%22isRecommendCorrection%5C%22%3Atrue%2C%5C%22isTouFu%5C%22%3Atrue%2C%5C%22key%5C%22%3A%5C%22%E6%9E%97%E4%BF%8A%E6%9D%B0%5C%22%2C%5C%22pagingVO%5C%22%3A%7B%5C%22page%5C%22%3A1%2C%5C%22pageSize%5C%22%3A20%7D%7D%7D%22%7D&wua=Udd9_IpLcQKXNKqMbzDa1%2FvbXA7vvQsGEhgISS%2Bk8K0KiPTVb2yTKaB4VIGtwcdpWR5qHRwfYTNabU3u%2FrlxIOwS9M1vtVr0lR7loYAmhaXNr3whCct3gGVuxY9prZmVjCCyHqDBdSEIjgmFXrOpbKbKgmBdS%2BHpBxssjr3AXlw2Xza82Dv4Eko56vCsXkzBHwvOtq9bUuZKsR2j1AfSed8A7OUtaZAjNvD72%2B2EWrynygRjY3wwwSxDlssjj3o1GRGAaJZ5Eyv8SNPFWaFRCu71nWC5tLCXwpEzZDb7z%2BkgpgaWe%2Fgg1LyqPStMW6Le4KDTyriF4kIR8nw0Azg0%2Fltns2XMf2Y7eKtjjGA0wbhT2LW7LLTzccYbHzgQ%2BPNApgFZPDUTkGndC%2BwUnqYexjjSrgM3jP5gzeM67J1vjdC6VKrbLHGxOqcBSqaRvSCSUs29IyTs%2FuAA4w23R2pYygLQLNA%3D%3D%26MIT1_a0010bc4dd8b7722195272e27e2ff2de17c44afa24cc7&type=originaljson
url = "https://acs.m.taobao.com/gw/mtop.alimusic.search.searchservice.searchsongs/1.3/"
params_song = {"data": data, "wua": wua, "type": "originaljson"}
http_session = requests.Session()
resp = http_session.get(url,
headers=header,
params=params_song,
verify=False).content
print(resp.decode("utf-8"))
def test_enc():
# Initialize emulator
emulator = Emulator(vfs_root=posixpath.join(posixpath.dirname(__file__),
"vfs"),
config_path="xiami.json")
try:
sgmain_init(emulator)
'''
01-26 02:46:31.968 5752 6060 I librev-dj: param0 {INPUT=XtX3M1bJ69cDAFWqkBwQYXgY&&&21465214&a75c08d1bc5069534cd65d35372bede2&2169991&mtop.alimusic.common.menuservice.getdata&1.0&&701287@xiami_android_8.3.8&AohsPSPH-F7lQLJzyIvh_6geqxEqIetYwOxZ0laI9k_9&&&27} [class java.util.HashMap]
01-26 02:46:31.968 5752 6060 I librev-dj: param1 21465214 [class java.lang.String]
01-26 02:46:31.968 5752 6060 I librev-dj: param2 7 [class java.lang.Integer]
01-26 02:46:31.968 5752 6060 I librev-dj: param3 is null
01-26 02:46:31.968 5752 6060 I librev-dj: param4 true [class java.lang.Boolean]
01-26 02:46:31.976 5752 6060 I librev-dj: call my_doCommandNative return 0x200041
01-26 02:46:31.976 5752 6060 I librev-dj: cmd 10401 return ab210e00103f3622607853182fe77adf41d41e872523ccfda2
06-04 03:14:19.257 5796 6311 I librev-dj: call my_doCommandNative 10401
06-04 03:14:19.258 5796 6311 I librev-dj: param0 {INPUT=XtX3M1bJ69cDAFWqkBwQYXgY&&&21465214&94de0d14487a78f08caa8b9366df870e&1591240459&mtop.alimusic.search.searchservice.searchsongs&1.3&&701287@xiami_android_8.3.8&AohsPSPH-F7lQLJzyIvh_6geqxEqIetYwOxZ0laI9k_9&&&27}
06-04 03:14:19.258 5796 6311 I librev-dj: param1 21465214
06-04 03:14:19.258 5796 6311 I librev-dj: param2 7
06-04 03:14:19.258 5796 6311 I librev-dj: param3 is null
06-04 03:14:19.258 5796 6311 I librev-dj: param4 true06-04 03:14:19.264 5796 6311 I librev-dj: call my_doCommandNative return 0x41
06-04 03:14:19.264 5796 6311 I librev-dj: cmd 10401 return ab210e0010e507dbe03e3a648e23f5fa221b65a7a1cd01789e
'''
#s = "XtX3M1bJ69cDAFWqkBwQYXgY&&&21465214&a75c08d1bc5069534cd65d35372bede2&2169991&mtop.alimusic.common.menuservice.getdata&1.0&&701287@xiami_android_8.3.8&AohsPSPH-F7lQLJzyIvh_6geqxEqIetYwOxZ0laI9k_9&&&27"
s = "XtX3M1bJ69cDAFWqkBwQYXgY&&&21465214&94de0d14487a78f08caa8b9366df870e&1591240459&mtop.alimusic.search.searchservice.searchsongs&1.3&&701287@xiami_android_8.3.8&AohsPSPH-F7lQLJzyIvh_6geqxEqIetYwOxZ0laI9k_9&&&27"
r = get_x_sign(emulator, s)
print("x-sign 10401 return %s" % r)
'''
o1 = Integer(0)
print("begin 12301")
arr = Array([o1])
r = JNICLibrary.doCommandNative(emulator, 12301, arr)
'''
mini_wua = get_mini_wua(emulator, 1591789191)
print("mini_wua return %r" % mini_wua)
vmp_inst = avmp_wua_sgcipher_create(emulator)
print("60901 return %r" % vmp_inst)
'''
01-28 02:24:32.022 7389 7544 I librev-dj: call my_doCommandNative 60902
01-28 02:24:32.022 7389 7544 I librev-dj: param0 4250478350 [class java.lang.Long]
01-28 02:24:32.022 7389 7544 I librev-dj: param1 sign [class java.lang.String]
01-28 02:24:32.022 7389 7544 I librev-dj: param2 class [B [class java.lang.Class]
01-28 02:24:32.022 7389 7544 I librev-dj: param3 [Ljava.lang.Object;@800c770 [class [Ljava.lang.Object;]
01-28 02:24:32.099 7389 7544 I librev-dj: call my_doCommandNative return 0x95
01-28 02:24:32.099 7389 7544 I librev-dj: cmd 60902 return Udd9_PJaIv9t63ccPnqTEueflauoVQkhZLF+SWtD+hpI+ZvjblJMKz/9Ccp8oalFtHOHmE5MVXwGTzWDmtF8LRT2ssTpjnhXOvJfWH+hIAeqI3l0EVs3J5j7JjsoSvrrIQiUTJgjvOrSbNwQpEPB0hwYnTu82Aeuu03mJCFmuxfYc75ZVjqH1j4VLr81XTU/zmd1d9irWgA/mf2Ve512vxbj7qrW2Kuz8SUG3/bCNT2ta5ACJ1uZckEyv0ScQx8CynByYn41CQlrkHMT1mZgLM5Is6TfXE4UeC+pFLFuDXYta6ehiM49uflm95JQVBLwKezkOTjACWpol1B81p4Km+5wWFsMM62McPmgh2f31hgO4T8VpsY4DEdpsBKkrEfFUxmtt51Zy3G7Pw3NQRx823UWohZEV5veS2FFoU0pK+mmu2mGQHNLEE1Vbbxr1zA3uPTL0&MIT1_a0010fdb56926a9a642f4bd0f57dca86a9d50fcb85001
01-28 02:24:32.099 7389 7544 I librev-dj: cmd 60902 inner array
01-28 02:24:32.099 7389 7544 I librev-dj: param0 0 [class java.lang.Integer]
01-28 02:24:32.099 7389 7544 I librev-dj: param1 [B@5b93ae9 [class [B]
01-28 02:24:32.100 7389 7544 I librev-dj: param2 50 [class java.lang.Integer]
01-28 02:24:32.100 7389 7544 I librev-dj: param3 [class java.lang.String]
01-28 02:24:32.100 7389 7544 I librev-dj: param4 [B@907436e [class [B]
01-28 02:24:32.100 7389 7544 I librev-dj: param5 0 [class java.lang.Integer]
01-28 02:24:32.100 7389 7544 I librev-dj: cmd 60902 content ab210e0010e68383c6b1fe5baa33f0eddc45e943a955191a9a
'''
sdata = 'ab210e0010e68383c6b1fe5baa33f0eddc45e943a955191a9a'
wua = get_wua(emulator, vmp_inst, sdata)
print(wua)
except UcError as e:
print("Exit at 0x%08X" % emulator.mu.reg_read(UC_ARM_REG_PC))
androidemu.utils.debug_utils.dump_registers(emulator.mu, sys.stdout)
emulator.memory.dump_maps(sys.stdout)
raise
class com_sec_udemo_MainActivity(metaclass=JavaClassDef,
jvm_name="com/sec/udemo/MainActivity"):
def __init__(self):
pass
@java_method_def(name='getSaltFromJava',
signature='(Ljava/lang/String;)Ljava/lang/String;',
native=False,
args_list=['jstring'])
def getSaltFromJava(self, mu, str):
return str.value.value + "salt.."
emulator = Emulator()
#got hook
emulator.modules.add_symbol_hook(
'__aeabi_memclr',
emulator.hooker.write_function(__aeabi_memclr) + 1)
emulator.modules.add_symbol_hook(
'__aeabi_memcpy',
emulator.hooker.write_function(__aeabi_memcpy) + 1)
emulator.modules.add_symbol_hook('sprintf',
emulator.hooker.write_function(sprintf) + 1)
emulator.java_classloader.add_class(com_sec_udemo_MainActivity)
emulator.load_library('jnilibs/libc.so', do_init=False)
libmod = emulator.load_library('jnilibs/libnative-lib.so', do_init=False)
from unicorn import UC_HOOK_CODE
from unicorn.arm_const import *
from androidemu.emulator import Emulator
# Configure logging
logging.basicConfig(
stream=sys.stdout,
level=logging.DEBUG,
format="%(asctime)s %(levelname)7s %(name)34s | %(message)s")
logger = logging.getLogger(__name__)
# Initialize emulator
emulator = Emulator(vfp_inst_set=True)
emulator.load_library("example_binaries/libc.so", do_init=False)
lib_module = emulator.load_library("example_binaries/libnative-lib.so",
do_init=False)
# Show loaded modules.
logger.info("Loaded modules:")
for module in emulator.modules:
logger.info("[0x%x] %s" % (module.base, module.filename))
# Add debugging.
def hook_code(mu, address, size, user_data):
instruction = mu.mem_read(address, size)
instruction_str = ''.join('{:02x} '.format(x) for x in instruction)
from androidemu.utils import memory_helpers
from samples import debug_utils
# Configure logging
logging.basicConfig(
stream=sys.stdout,
level=logging.DEBUG,
format="%(asctime)s %(levelname)7s %(name)34s | %(message)s",
)
logger = logging.getLogger(__name__)
# Initialize emulator
emulator = Emulator(
vfp_inst_set=True,
vfs_root=posixpath.join(posixpath.dirname(__file__), "vfs")
)
# Load all libraries.
emulator.load_library("example_binaries/libdl.so")
emulator.load_library("example_binaries/libc.so")
emulator.load_library("example_binaries/libstdc++.so")
emulator.load_library("example_binaries/libm.so")
emulator.load_library("example_binaries/libz.so")
lib_module = emulator.load_library("example_binaries/qunar/libgoblin_6_1_1.so")
# Show loaded modules.
logger.info("Loaded modules:")
for module in emulator.modules:
logger.info("=> 0x%08x - %s" % (module.base, module.filename))
sys.exit(-1)
#
# androidemu.utils.debug_utils.dump_registers(mu, sys.stdout)
# androidemu.utils.debug_utils.dump_code(emu, address, size, sys.stdout)
androidemu.utils.debug_utils.dump_code(emu, address, size, sys.stdout)
except Exception as e:
logger.exception("exception in hook_code")
sys.exit(-1)
#
#
logger = logging.getLogger(__name__)
# Initialize emulator
emulator = Emulator(
vfs_root=posixpath.join(posixpath.dirname(__file__), "vfs")
)
mnt = MemoryMonitor(emulator)
# Register Java class.
# emulator.java_classloader.add_class(MainActivity)
emulator.java_classloader.add_class(XGorgen)
emulator.java_classloader.add_class(UserInfo)
emulator.java_classloader.add_class(java_lang_System)
emulator.java_classloader.add_class(java_lang_Thread)
emulator.java_classloader.add_class(java_lang_StackTraceElement)
# Load all libraries.
libdvm = emulator.load_library("vfs/system/lib/libdvm.so")
libcm = emulator.load_library("vfs/system/lib/libc.so")
#
#androidemu.utils.debug_utils.dump_registers(mu, sys.stdout)
androidemu.utils.debug_utils.dump_code(emu, address, size, sys.stdout)
except Exception as e:
logger.exception("exception in hook_code")
sys.exit(-1)
#
#
logger = logging.getLogger(__name__)
# Initialize emulator
emulator = Emulator(vfp_inst_set=True,
vfs_root=posixpath.join(posixpath.dirname(__file__),
"vfs"))
#emulator.mu.hook_add(UC_HOOK_CODE, hook_code, emulator)
emulator.mu.hook_add(UC_HOOK_MEM_WRITE, hook_mem_write)
emulator.mu.hook_add(UC_HOOK_MEM_READ, hook_mem_read)
# Register Java class.
# emulator.java_classloader.add_class(MainActivity)
emulator.java_classloader.add_class(XGorgen)
emulator.java_classloader.add_class(secuni_b)
emulator.java_classloader.add_class(UserInfo)
emulator.java_classloader.add_class(java_lang_System)
emulator.java_classloader.add_class(java_lang_Thread)
emulator.java_classloader.add_class(java_lang_StackTraceElement)
@java_method_def(name='getSaltFromJava',
signature='(Ljava/lang/String;)Ljava/lang/String;',
native=False,
args_list=['jstring'])
def getSaltFromJava(self, mu, str):
return str.value.value + "salt.."
@java_method_def(name='sign_lv4',
signature='(Ljava/lang/String;)Ljava/lang/String;',
native=True,
args_list=['jstring'])
def sign_lv4(self, mu):
pass
emulator = Emulator()
#got hook
emulator.modules.add_symbol_hook(
'__aeabi_memclr',
emulator.hooker.write_function(__aeabi_memclr) + 1)
emulator.modules.add_symbol_hook(
'__aeabi_memcpy',
emulator.hooker.write_function(__aeabi_memcpy) + 1)
emulator.modules.add_symbol_hook('sprintf',
emulator.hooker.write_function(sprintf) + 1)
emulator.java_classloader.add_class(com_sec_udemo_MainActivity)
libc = emulator.load_library('jnilibs/libc.so', do_init=False)
libmod = emulator.load_library('jnilibs/libnative-lib.so', do_init=True)
metaclass=JavaClassDef,
jvm_name='android/telephony/ColorOSTelephonyManager',
jvm_ignore=True):
def __init__(self):
pass
#
#
logger = logging.getLogger(__name__)
# Initialize emulator
emulator = Emulator(vfs_root=posixpath.join(posixpath.dirname(__file__),
"vfs"),
config_path="xiami.json")
# Register Java class.
emulator.java_classloader.add_class(HttpUtil)
emulator.java_classloader.add_class(UmidAdapter)
emulator.java_classloader.add_class(JNICLibrary)
emulator.java_classloader.add_class(SPUtility2)
emulator.java_classloader.add_class(DeviceInfoCapturer)
emulator.java_classloader.add_class(DataReportJniBridge)
emulator.java_classloader.add_class(ZipUtils)
emulator.java_classloader.add_class(CallbackHelper)
import sys
import logging
from unicorn import *
from unicorn.arm_const import *
from androidemu.emulator import Emulator
from UnicornTraceDebugger import udbg
logging.basicConfig(
stream=sys.stdout,
level=logging.DEBUG,
format="%(asctime)s %(levelname)7s %(name)34s | %(message)s")
logger = logging.getLogger(__name__)
emulator = Emulator()
libc = emulator.load_library('jnilibs/libc.so', do_init=False)
libso = emulator.load_library('jnilibs/libso.so', do_init=False)
main = emulator.load_library('jnilibs/main', do_init=False)
try:
dbg = udbg.UnicornDebugger(emulator.mu)
addr_start = 0xcbc6b000 + 0x4B0 + 1
addr_end = 0xcbc6b000 + 0x4D2
emulator.mu.emu_start(addr_start, addr_end)
ret = emulator.mu.reg_read(UC_ARM_REG_R0)
print(ret)
except UcError as e:
list_tracks = dbg.get_tracks()
for addr in list_tracks[-100:-1]:
print(hex(addr - 0xcbc66000))
print(e)
import sys
import logging
from unicorn import *
from unicorn.arm_const import *
from androidemu.emulator import Emulator
from UnicornTraceDebugger import udbg
logging.basicConfig(stream=sys.stdout,
level=logging.DEBUG,
format="%(asctime)s %(levelname)7s %(name)34s | %(message)s")
logger = logging.getLogger(__name__)
emulator = Emulator()
libc = emulator.load_library('jnilibs/libc.so', do_init=False)
libso = emulator.load_library('jnilibs/libnative-lib.so', do_init=False)
# data segment
data_base = 0xa00000
data_size = 0x10000 * 3
emulator.mu.mem_map(data_base, data_size)
emulator.mu.mem_write(data_base, b'123')
emulator.mu.reg_write(UC_ARM_REG_R0, data_base)
try:
dbg = udbg.UnicornDebugger(emulator.mu)
addr_start = 0xcbc66000 + 0x9B68 + 1
addr_end = 0xcbc66000 + 0x9C2C
emulator.mu.emu_start(addr_start, addr_end)
r2 = emulator.mu.reg_read(UC_ARM_REG_R2)
result = emulator.mu.mem_read(r2, 16)
print("DexInstallV26 install arg %r %s %s"%(obj, s))
#
#
# Configure logging
logging.basicConfig(
stream=sys.stdout,
level=logging.DEBUG,
format="%(asctime)s %(levelname)7s %(name)34s | %(message)s"
)
logger = logging.getLogger(__name__)
# Initialize emulator
emulator = Emulator(
vfp_inst_set=True,
vfs_root=posixpath.join(posixpath.dirname(__file__), "vfs")
)
# Register Java class.
emulator.java_classloader.add_class(Helper)
emulator.java_classloader.add_class(DexInstall)
emulator.java_classloader.add_class(DexInstallV26)
#emulator.mu.hook_add(UC_HOOK_CODE, hook_code, emulator)
# Load all libraries.
lib_module2 = emulator.load_library("vfs/system/lib/libdvm.so")
#lib_module = emulator.load_library("tests/bin/libSecShell.so")
lib_module = emulator.load_library("../deobf/sec.so")
#androidemu.utils.debug_utils.dump_symbols(emulator, sys.stdout)
# Show loaded modules.
from unicorn import UC_HOOK_CODE
from unicorn.arm_const import *
from androidemu.emulator import Emulator
# Initialize emulator
emulator = Emulator()
emulator.load_library("example_binaries/libc.so")
my_base = emulator.load_library("example_binaries/libnative-lib.so")
# Show loaded modules.
print("Loaded modules:")
for module in emulator.modules:
print("[0x%x] %s" % (module.base_addr, module.filename))
# Add debugging.
def hook_code(mu, address, size, user_data):
instruction = mu.mem_read(address, size)
instruction_str = ''.join('{:02x} '.format(x) for x in instruction)
print(
'# Tracing instruction at 0x%x, instruction size = 0x%x, instruction = %s'
% (address, size, instruction_str))
emulator.mu.hook_add(UC_HOOK_CODE, hook_code)
# Runs a method of "libnative-lib.so" that calls an imported
# function "strlen" from "libc.so".
java_lang_StackTraceElement("com.android.internal.os.ZygoteInit"),
java_lang_StackTraceElement("dalvik.system.NativeStart")
]
# Configure logging
logging.basicConfig(
stream=sys.stdout,
level=logging.DEBUG,
format="%(asctime)s %(levelname)7s %(name)34s | %(message)s")
logger = logging.getLogger(__name__)
# Initialize emulator
emulator = Emulator(vfp_inst_set=True,
vfs_root=posixpath.join(posixpath.dirname(__file__),
"vfs"))
# Register Java class.
# emulator.java_classloader.add_class(MainActivity)
emulator.java_classloader.add_class(XGorgen)
emulator.java_classloader.add_class(secuni_b)
emulator.java_classloader.add_class(UserInfo)
emulator.java_classloader.add_class(java_lang_System)
emulator.java_classloader.add_class(java_lang_Thread)
emulator.java_classloader.add_class(java_lang_StackTraceElement)
# Load all libraries.
emulator.load_library("./example_binaries/libdl.so")
emulator.load_library("./example_binaries/libc.so")
emulator.load_library("./example_binaries/libstdc++.so")
def test(self):
pass
# Configure logging
logging.basicConfig(
stream=sys.stdout,
level=logging.DEBUG,
format="%(asctime)s %(levelname)7s %(name)34s | %(message)s")
logger = logging.getLogger(__name__)
# Initialize emulator
emulator = Emulator(vfp_inst_set=True,
vfs_root=posixpath.join(posixpath.dirname(__file__),
"vfs"))
# Register Java class.
emulator.java_classloader.add_class(MainActivity)
# Load all libraries.
emulator.load_library("example_binaries/libdl.so")
emulator.load_library("example_binaries/libc.so", do_init=False)
emulator.load_library("example_binaries/libstdc++.so")
emulator.load_library("example_binaries/libm.so")
lib_module = emulator.load_library("libsgavmpso-6.4.31.so", do_init=False)
# # Show loaded modules.
# logger.info("Loaded modules:")
@native_method
def __aeabi_memcpy(mu, dist, source, size):
data = mu.mem_read(source, size)
mu.mem_write(dist, bytes(data))
print('__aeabi_memcpy(%x,%x,%d)' % (dist, source, size))
@native_method
def sprintf(mu, buffer, fmt, a1, a2):
fmt1 = memory_helpers.read_utf8(mu, fmt)
data1 = memory_helpers.read_utf8(mu, a1)
result = fmt1 % (data1, a2)
mu.mem_write(buffer, bytes((result + '\x00').encode('utf-8')))
# print('sprintf(%s)' % (result))
emulator = Emulator()
# data segment
data_base = 0xa00000
data_size = 0x10000 * 3
emulator.mu.mem_map(data_base, data_size)
#got hook
emulator.modules.add_symbol_hook('__aeabi_memclr', emulator.hooker.write_function(__aeabi_memclr) + 1)
emulator.modules.add_symbol_hook('__aeabi_memcpy', emulator.hooker.write_function(__aeabi_memcpy) + 1)
emulator.modules.add_symbol_hook('sprintf', emulator.hooker.write_function(sprintf) + 1)
libc = emulator.load_library('jnilibs/libc.so', do_init=False)
libmod = emulator.load_library('jnilibs/libencrypt.so', do_init=True)
try:
result = format_str % (a1_str, a2)
# print(f">>> hook sprintf: {result}")
mu.mem_write(buffer, bytes((result + '\x00').encode("utf-8")))
class com_sec_udemo_MainActivity(metaclass=JavaClassDef,
jvm_name="com/sec/udemo/MainActivity"):
@java_method_def(name="getSaltFromJava",
signature="(Ljava/lang/String;)Ljava/lang/String;",
native=False,
args_list=['jstring'])
def getSaltFromJava(self, mu, arg_str):
return arg_str.value.value + "salt.."
emulator = Emulator()
emulator.modules.add_symbol_hook(
"__aeabi_memclr",
emulator.hooker.write_function(hook_aeabi_memclr) + 1)
emulator.modules.add_symbol_hook(
"__aeabi_memcpy",
emulator.hooker.write_function(hook_aeabi_memcpy) + 1)
emulator.modules.add_symbol_hook(
"sprintf",
emulator.hooker.write_function(hook_sprintf) + 1)
emulator.java_classloader.add_class(com_sec_udemo_MainActivity)
emulator.load_library("lib/libc.so", do_init=False)
libmod = emulator.load_library("lib/libnative-lib.so", do_init=False)
try:
from unicorn import UC_HOOK_CODE
from unicorn.arm_const import *
from androidemu.emulator import Emulator
# Configure logging
logging.basicConfig(
stream=sys.stdout,
level=logging.DEBUG,
format="%(asctime)s %(levelname)7s %(name)34s | %(message)s")
logger = logging.getLogger(__name__)
# Initialize emulator
emulator = Emulator()
emulator.load_library("samples/example_binaries/libc.so", False)
lib_module = emulator.load_library("samples/example_binaries/libnative-lib.so")
# Show loaded modules.
logger.info("Loaded modules:")
for module in emulator.modules:
logger.info("[0x%x] %s" % (module.base, module.filename))
# Add debugging.
def hook_code(mu, address, size, user_data):
instruction = mu.mem_read(address, size)
instruction_str = ''.join('{:02x} '.format(x) for x in instruction)
class SDInfo(metaclass=JavaClassDef, jvm_name='com/mqunar/atom/defensive/utils/SDInfo'):
pass
# Configure logging
logging.basicConfig(
stream=sys.stdout,
level=logging.DEBUG,
format="%(asctime)s %(levelname)7s %(name)34s | %(message)s",
)
logger = logging.getLogger(__name__)
# Initialize emulator
emulator = Emulator(
vfp_inst_set=True,
vfs_root=posixpath.join(posixpath.dirname(__file__), "vfs")
)
# Register Java class.
emulator.java_classloader.add_class(EnvChecker)
emulator.java_classloader.add_class(SDInfo)
emulator.java_classloader.add_class(ConfigurationActivity)
emulator.java_classloader.add_class(QBugActivity)
emulator.java_classloader.add_class(ActivityThread)
emulator.java_classloader.add_class(Application)
# Load all libraries.
emulator.load_library("example_binaries/libdl.so")
emulator.load_library("example_binaries/libc.so")
emulator.load_library("example_binaries/libstdc++.so")
emulator.load_library("example_binaries/libm.so")
