コード例 #1
# List the emulator's modules together with their base addresses.
logger.info("Loaded modules:")

for module in emulator.modules:
    # Zero-padded 32-bit hex base, then the module's file name.
    _module_line = "=> 0x%08x - %s" % (module.base, module.filename)
    logger.info(_module_line)

# Debug
# emulator.mu.hook_add(UC_HOOK_CODE, debug_utils.hook_code)
# emulator.mu.hook_add(UC_HOOK_MEM_UNMAPPED, debug_utils.hook_unmapped)
# emulator.mu.hook_add(UC_HOOK_MEM_WRITE, debug_utils.hook_mem_write)
# emulator.mu.hook_add(UC_HOOK_MEM_READ, debug_utils.hook_mem_read)

try:
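    # String decryption: the hex text is written to emulated address 0x00, that
    # address is passed to the routine at lib_module.base + 0x2155, and the
    # UTF-8 result is read from the pointer returned in R0.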
    emulator.mu.mem_write(0x00, "9C9092D0928E8A919E8DD09C908D9AD09D9E8C9A9C8B87D09E8F8F93969C9E8B969091D0AEBE8F8F93969C9E8B969091".encode())
    emulator.call_native(lib_module.base + 0x2155, 0x00)
    r0 = emulator.mu.reg_read(UC_ARM_REG_R0)
    ret = memory_helpers.read_utf8(emulator.mu, r0)
    print(ret)

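    # Decryption: the sample blob is base64-decoded, handed to the routine at
    # lib_module.base + 0x4655, and the result is printed base64-encoded.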
    cipher_text = 'AAAAAHXRClMAAAAAxiXxwQxK0+AAAAQAwoiaTbpLaMzREgASTV8x7y/h5kt4VSMWDvdnFVVHsdC6CLpGbpVcD1RBNXCZgskWYjI4VYLZ5aJv9adiUB/XXFUhSrHxgc/JYvYV8ES8x36OuEuS1dNynxpjawcse7+2dhFqi4zwUrMSd8iwOZjHibjB9y21GRyEGtbZ/dhbTrVNYgHZHPAFSp5H3GJY+vLocoiVujvKXHg5hryAsvJL8/u+yTmft+tIB2hgUnqmDUbw/W/OOBcTM1bs08oAjeRtd2Y3giHeVP7Kh01Jsh4UjHnGY5U/Y2k6QJgsATo+0LoH25euCwbHwM4PMoxW+ORgfdbzLm2tPfFh3JFx0oqjngXjLSrJnPNNv/CC5IZON9PKjlHw4rwCAUjg7Czw9hEqf71bPk9a+zKPcFjz6+M2AwrZw/m+s2DE2eAwsBIy9wm2Mfn42geHSIhVeYPoaaKLd8ugFOtQp2xAheJ1JEUmXuqsp+egB/ugd4gpY0bt63slNKQATv5PjvOsONWb4ydoBQ+VfPSZ6oTpEH7XCQn20wkLN1Orzp3x52E0JEeVvwornbwrz1n8jw35MxTbby5hYMOUHBMRq3JVHqkPcpqSJHxh6rK+qzksy88nPTxDzgkO5mkLzWYG0H9bt1SlxpliYdehAH0K+32MlItLTEh1uYvGmg0TyuqIsttRI4LeivovibTdZxXEBTvAs3iG0Lga9xRYOiDQmjpEhppZrk4bS4TZ9d1VmFUym7oIo2mqeXASwGa5/06rygD7ZS+QwTXzyZ8gCSllR9wc0DU1qWgjxRqafwMgDzw+IVIb2/ng/nsCbqF/DnJQco/5kW/z/rTQv9zZtQIfVYepqe8odOJFLRYJprUKLOd+Y2s3OlUImUWZzPMBkDo62w7faetpbxU8QRytn0kRoK8m/dwsv92B1canJhVp5vkGfmaQxjleSDUEMl1nZBuXMpHaQn1X+33DPFdbJxwh1fXzsQ3axWXcIEoTG+Vn+qGpx47aubifoj7MQjZUiB7A4rvDrUCTLg8FBCaPHrodCwr948dl0TPGU+gdTHzJb/c9OPBMFBeYY8bJRZNKo4LuHMohQqE+UZ+0MbyAuMo4h9ucnwK9IoCRWT9pUXtWQkW35gEkpRabizuLrgIugKANeCyJrGlbTPWpwn5G54Uulz1aQF1ZE3/BGTiRC8lHXZ+EauEgJdeBzITuljP3yHKFv2yRd6xwjT9rzrzyUj8TsTXeQPZZxqHv6R1/wD02BJWQ9L21bgWNof1a2oAscLaECQOmwOoOjC89Roc9OZbA6KAJXXPO4g7x6EXihDdLsLecUlHJpVoDopMRnMVEAKKeScY/kYXIKM+KHIWnk56+tJC6R1ncy6Fh8VxP5KGYgxcZlJmANncxuHz9bcCSO0GGUMgtie7RvxrB2odWScyQvgE2X5HDJaEvN3N1of9iVt9DrD0HOi/wBTI8j47MN0loNjJbjChK8UZVPd+MovwskvrnA7dl0WndihuQbKb9odkiWJUssepkuB1pbUQ/uulmI2C6CICyCtT1vgc8kLrV3f4XxwiacDv2p0xlej0z7n0hpOkbdogpfw2nR8XsJ1kbRmcAEBjrKW4wwhZGdHHK9SdDrETAHkFbXT4fy5F3aca9poIqYPSQNiQU3DvCIGHYYuRl1ZdEPE7I+QSsEmwd9bFaQQXIazkmPOqUO1sxxVe1lACEe+T3NwbZJ051lkOINQlOQjkwr2xsSfllUh67GZkVjXAqZ5v3S4VtVmo6VgdhAJhMnWukxMgQJjvUG+o+YuNiP9FAG5LPTefUsq504WTSGTP89MLAV2GVIJQlirPpaGRhq6kapKC5z0EOfAFwAxcK3XtvdOERE97o5F/C5db3loSR7LO0Fc82e9NPvvFOS94g5esJDe/H3C6DNqHwLAm4hXnbklQ+KGUcKo27Og30TeOG8AwKMs3dudA+X
OT8Ve1I0PajLbmOBl9zoN5nQRKx/7lXB/xPF1c4nsnYh1wwCFtCSiRY3hnmlagGSfpfcIYFUivKtVNrNoEw8Hl3K7r8YJpqhIGNOg9r3Qz9nQN49JVI4bit+3QAZTd21S1kSLyAZQXDNG54HaCIEFU48LwN0HFb2NZMwyD+sLhe9m9LPFhx+hjbQXDSluR/FeOhse/kpO819LBVcYx09dSHT+xUFbGOEkpR3iA2/OOlUV13/gMXUEfd+gF+j3ME5bhiBU26HCQgjpcAvHWBIU3g1TpalVuwAUGucvqVHxa9OyX+hGMc0FV4K6ZB9HQxPctB3NWu9rEgsyW/E6ufzRv2raDXm5PNG3TkUCUtaV1qLsXPJlVxEWMmd94Tl51cyM3b1gctZj50MfxprnB37hKXApw3eA/+/z43aiPXnI/UNbIpvMIkyiZNbXoBG5PqNQqhBr3O9Qa9ZAQnGKE/dE2jOzrG29t2RyzebO7BgnUgdTsKt++9zaKW6ZtBgdiah1kewRgh0t0gopDPj/dN3Ug9Oq+tE4eLbTboATWIy+rfWNu4Xn32ixbm/78i99Bm8UO/+dYyJnyU/VRWTqInXRlSAhwqU0I38xn0reJgpLSl1KEt9ygW7toUDW4+ytMSsoi7eECc4SMbavQQDrkCJYx2cyOJLPUV/daM5bAaFQLwZPLNxNaTVQzs5kWIa367HB9PFo9A/GfJ0N2tNSp51KGP7tZgxytZOHNtyL0AUMoQEvVoFgAsmGpx5McU0sA1wauZG4G5+u4PAg9MvTg3KN/p0Wvmy2KOHL/a3mec34WjEp/TrdVK0YyOrKqd2qbwkh0w9zmMHstD9au4kKFACQbMqDkNjuUSrq5XWuIOhYcYBq7lwuLfj3UTH/jriNIBMaMeb1PqvoO1kpixVCcBZaOXNKfrr+YCwsDZ95ySOWuYPIkYorNaYu8gGlsU/rV6+Pa5q4SJ6e7oiVD29X+Al5PkF5uILl7wgxH+1Z9i/g2m6XM2HElZQqk9wE3/4CBIMYYZAOklnQlAzUnK67nyMQgT2s0+FBk84EctL79GV3/dE3sSb9W5Ti2o3KhIOwVek27WWOoMvxn/QDH24rI5DoAFBXf1lXnsCUwWwDcLuHcnMX5S3ponGs4XJ7Wf6zwmA8GNExYaLshUsBDIEThgqotWfnlByyPChiIJFOibWFv8mGM678KOaCNbE3hhedzqKGI3RPifOo5MekR0IvzUAHqCs2KJWh6wo8tl4OiTGs+K7Suh77HbNGeZ3uhEj7bO/nJrlG+1VhSPA3IQ0YnKhw8TzUhoD/0bdPaM+o1TzUFKBc/ayfkZm1VnumQrJbNDn+QQhTNQRAJgEywaoeXTZDBbQ8jpz/TW8tVGrPN0HDWxqCcms4aXP7AjtjBsfEVjBiSUS2bvRHCW2eNGLhUg89wGtUnycx/IAuE/4mxT4mdjzjt6vci5xj3NkAohawWAkZLXH73WWQfIuM7G17KfP3fzFdRbHqqSNReuvBL7SkTmblMsvqgK0HvxEJ3BFXxetMrX82VNNF9HpWfcjHhZpSg6ofRybM5yVK5hMyR6qjkhWCCP2K4FfwPEwqDq7ajH3FDw1iUrjo6B/+lK41mw1rVgcoH1Sn+fBlMqYcOrm4MSJee2clFmYp8EvEubCdC6bLC0AkWbwobrfjGkGQxU03kVhhD4HUl2v9/LnPrvA8cEeCs5Ohc5WpZ7pDSVwObM34tco1+2vIcXxp1S/W/c8ytT3t3pVqRL4TE3qGZTrGBK8A4+z0/AMsGWpB/NMTfEtnsYjsrff43qdNvO6Jxi9gnIDxd1xE9Ryaq/EgFmpg7VjB5uRZaS6H/dCgaH0CRE8nnXXOoPkXR5Xekw1Xw3RvyfE3DsYvHijDLXk8h0rx+jrUXbyywAzXVIMgWOkjuj0b9KfyePYqxfvFpBnP90nTr30u6+GLB47oICPeG/e2rnogKeDvilmvnKQMPnJWcAwEhHNiwn/PA8D/plk
eFwFdPE1PNaoCM+sVCQj4Xbfrn9MycxCKw1V2MgSup+Jw5CwWQlZiumjPXr2FRp8we44l3LHJY9p8SfL9fiQHSH3Rq6jTJ0oh0xwIveQMoF2Y0xpWKa7rtJVcTwQysgvv/16vausK3ZLij9P9yXRbNytKWitv6ROaZVZpWvFcwojI1EZkWA6ZkH665A0AOjlk9L6VIio9WHx/EeBtzKmlqP4gdZEWct2RSuiNVp+QjZbMTGy9J+EKs3XZYhtUVxiQWELTXNRf0sPQNURYj7jPMzNi38UC3EL58ejU5lnFlpigeha2+VHwFP+oRsU1iZOzzSq+qyVhrq9hwQUtZQBEi9zIF05u8M9UsFShnsORkG4MP0tq/EK9oh+pSnhMaXIG3Hqe+Q6QznwaH7sfXAyYd76IXPjhSx81dJkqIEBocExMQPgNbOgj3tjXGQ1sBtW4fYQDr5747dLJxjZ1AYiDpz4Jjs16YbSqa1lOrv7banVTgXcBnTBTqU/1Y2G9DgFvf8g4Xo9HsSOVroSYS5tkPWXLyhALV9SLOrnEBk9zFAD7xpKI9hEmowsJRgpbrRF09ZoEyWGarItVZ4WVqRgu8iIrXGuOadgT2ImCobBAr4koIgJkPvJITMzuHPuOZ8KyBiMQ0t1FyhJl2n5jm/sSveQG1yPVi7lN6dzUCJ5jEYv10GBGVL7pXqdKM8wdZODpc+411xtjUBrxHGEO8iZdITcUubGtS5ZJXFa5uyfH3ayF83czyiuPNupqJmiYHJLFXBz9Dy+ozq51vKgafUedFbVg/hpJSdZvbIkHivxOZ8TefyPw2SC21eodysRZMdqgPSI0TwDM9HJgHX1MNSN5zqS5zqHJzuDqiqMUr7JpEogLvW/t1200qyd1Kb7kt3wNJjXikxjX5FK9efUjUTs4gKw+2ObuJsTw7ZqDzelreyLkoJyMiBUkOe/Ad36/wLv3cKY8OZQqzNHCB3IoqKg86J/qSLlibdp+TRd/WYR1NNEGsGHPBbFQvEemIOywoL7391FXFRbw8qg7E8nDMUxEAlVTS8cKIMWQY8QpxbX4NjycSj54Bq7eP9KpP77DTh8G6vC7n4e8Kav2ix4iu/CPpTEnkkSwn+bGVz5db/IXPNARZsjhMpc80RFjOxX2YvUQysbTDqC5C8E9GLSMWH6KmzKmUI/JEWDuZYry8pyoqi+zXI7BexIwXWqYKDtCt1POcY8wRP4XDipawUC7eTRtI3NnQL3+QiEa/uiiopRrHvz9OcJlEARyKsyGeCUwp43ZEvn8IAb6PeZCS5HA6hJScAkTU97WjX7eREBpr9uyS6TrYmLGijjmtWoFpUfudhdj+UuJ8wGBbZ+oE8Du2OIz4BOePgAHJY/UV3C3VB6mA7GgCE+e5QP1+AGbLNrYmU0cyEsvETo1/HM3JgiKBVmtyhitBDi9sC1XymKh5gEG0oT947ATnyxHZRA58LaIZkMrqePgOUoYbiknDQEa4bPP5SV1d7TcxCBECOjOXWXZeTYOsfEa7PSOXbXCx88jwsMARpsy9t'
    data = base64.b64decode(cipher_text)
    data = bytearray(data)
    ret = emulator.call_native(lib_module.base + 0x4655, emulator.java_vm.jni_env.address_ptr, 0, data)
    ret = base64.b64encode(ret)
    print(ret.decode())

    # Encryption
    plan_text = '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'
    data = base64.b64decode(plan_text)
コード例 #2
# Load the support libraries before the target, keeping the original order.
for _support_lib in (
    "example_binaries/libm.so",
    "example_binaries/libz.so",
    "example_binaries/liblog.so",
    "example_binaries/qunar/liblottie.so",
):
    emulator.load_library(_support_lib)

# The target library; its base address anchors the patches that follow.
lib_module = emulator.load_library("example_binaries/qunar/libturbo.so")

# Fix up the malloc/free addresses (translated from the original comment):
# two 4-byte slots inside the target are overwritten with fixed values.
# NOTE(review): the written values are hard-coded, so they presumably depend
# on the memory layout produced by this exact load order -- confirm before
# changing the library list or the emulator version.
for _slot_offset, _slot_bytes in (
    (0x123388, b'\x49\x85\xbe\xcb'),
    (0x12338C, b'\x09\x85\xbe\xcb'),
):
    emulator.mu.mem_write(lib_module.base + _slot_offset, _slot_bytes)

# List the emulator's modules together with their base addresses.
logger.info("Loaded modules:")

for module in emulator.modules:
    # Zero-padded 32-bit hex base, then the module's file name.
    _module_line = "=> 0x%08x - %s" % (module.base, module.filename)
    logger.info(_module_line)

# Debug
# emulator.mu.hook_add(UC_HOOK_CODE, debug_utils.hook_code)
# emulator.mu.hook_add(UC_HOOK_MEM_UNMAPPED, debug_utils.hook_unmapped)
# emulator.mu.hook_add(UC_HOOK_MEM_WRITE, debug_utils.hook_mem_write)
# emulator.mu.hook_add(UC_HOOK_MEM_READ, debug_utils.hook_mem_read)

try:
    # Signing: pass a sample JSON payload to the native routine at offset
    # 0x1186F5 of the target library and print whatever it returns.
    data = '{"usedCache":false,"lowestPrice":0,"adultCount":0,"arrCity":"上海","rnVersionInter":427,"depCity":"北京","goDate":"2020-07-13","rnVersionInland":692,"source":"homeClickSearch","isSearchDebug":0,"cabinType":"0","hasChildPrice":"0","uuid":"","queryId":"-1","scene":0,"bigTrafficCount":0,"qpInfos":{"flight_sell_rn":0,"flight_orderdetail_rn":228,"f_flight_fuwu_rn":78,"route_service_rn":156,"flight_seat_rn":262,"flight_booking_rn":323,"f_major_bundle_rn":692,"flight_package_rn":0,"f_flight_search_rn":427,"f_flight_additional_bundle_rn":80,"f_home_rn":318,"flight_routing_rn":0,"f_order_rn":128,"f_walkmap_rn":0},"hitType":0,"times":0,"rnVersion":318,"fromRecommend":false,"lowPrice":1,"cat":"FHCabinType0-RN_SEARCH","isChangeDate":false,"isPart":false,"planeDesc":"0","routeType":0,"searchType":0,"more":-1,"buyFlightPosition":0,"count":16,"doubleList":0,"firstRequest":true,"childCount":0,"priceSortType":0,"sort":5,"underageOption":"","preSearchAbTest":"a","bigTrafficQueryId":"-1","startNum":0}'
    # Hand the target's base address to debug_utils (attribute name kept
    # exactly as the project spells it).
    debug_utils.libgoblin_addresss = lib_module.base
    _sign_entry = lib_module.base + 0x1186F5
    _jni_env_ptr = emulator.java_vm.jni_env.address_ptr
    ret = emulator.call_native(_sign_entry, _jni_env_ptr, 0, data)
    print(ret)
except UcError as e:
    # Print the program counter as read when the error is caught, then let
    # the exception propagate unchanged.
    _fault_pc = emulator.mu.reg_read(UC_ARM_REG_PC)
    print("Exit at %x" % _fault_pc)
    raise