def test_something(self):
    """Load the sample libraries and call the one-argument test export, tracing execution."""
    vfs_root = posixpath.join(dir_samples, "vfs")
    emulator = Emulator(vfp_inst_set=True, vfs_root=vfs_root)

    # Sample dependencies; their initialisers are deliberately not run.
    binaries = posixpath.join(dir_samples, "example_binaries")
    for lib_name in ("libdl.so", "libc.so", "libstdc++.so"):
        emulator.load_library(posixpath.join(binaries, lib_name), do_init=False)

    native_path = posixpath.join(
        posixpath.dirname(__file__), "test_binaries", "test_native.so")
    module = emulator.load_library(native_path, do_init=False)
    print(module.base)

    # Route executed code and unmapped-memory accesses to the debug helpers.
    emulator.mu.hook_add(UC_HOOK_CODE, debug_utils.hook_code)
    emulator.mu.hook_add(UC_HOOK_MEM_UNMAPPED, debug_utils.hook_unmapped)

    res = emulator.call_symbol(
        module,
        'Java_com_aeonlucid_nativetesting_MainActivity_testOneArg',
        emulator.java_vm.address_ptr, 0x00, 'Hello', 'asd')
    print(res)
def test_thread32(self):
    """pthread_create must pass through both hooks while test_thread runs (32-bit build)."""
    emulator = Emulator(vfs_root="vfs", muti_task=True)
    libcm = emulator.load_library("vfs/system/lib/libc.so")

    # Wrap pthread_create with the before/after hooks; the literal 4 is
    # presumably the hooked argument count — confirm against FuncHooker.fun_hook.
    hooker = FuncHooker(emulator)
    hooker.fun_hook(libcm.find_symbol("pthread_create"), 4,
                    self.__pthread_create32_before_hook,
                    self.__pthread_create32_after_hook)

    libdemo = emulator.load_library("tests/bin/libdemo.so")
    result = emulator.call_symbol(libdemo, "test_thread", 3)

    self.assertEqual(result, 3)
    self.assertTrue(self.__is32_before_call)
    self.assertTrue(self.__is32_after_call)
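def test_tls32(self):
    """Check that code involving tls_init (getenv, pthread_getspecific, ...) works correctly."""
    # Construct the emulator outside the try: if the constructor itself raised,
    # the handler below would hit an unbound `emulator` and mask the real error.
    emulator = Emulator(vfs_root="vfs")
    try:
        libcm = emulator.load_library("vfs/system/lib/libc.so")
        self.__test_tls_common(emulator, libcm)
    except UcError:
        # Report where emulation stopped and the memory layout, then re-raise.
        print("Exit at 0x%08X" % emulator.mu.reg_read(UC_ARM_REG_PC))
        emulator.memory.dump_maps(sys.stdout)
        raise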
def testSixArg(self):
    """Six string arguments passed through the JNI export come back concatenated."""
    emulator = Emulator(
        vfp_inst_set=True,
        vfs_root=os.path.join(dir_samples, "vfs"),
    )
    binaries = os.path.join(dir_samples, "example_binaries")
    for lib_name in ("libdl.so", "libc.so", "libstdc++.so"):
        emulator.load_library(os.path.join(binaries, lib_name))
    module = emulator.load_library(
        os.path.join(os.path.dirname(__file__), "test_binaries", "test_native.so"))

    words = ('One', 'Two', 'Three', 'Four', 'Five', 'Six')
    res = emulator.call_symbol(
        module,
        'Java_com_aeonlucid_nativetesting_MainActivity_testSixArg',
        emulator.java_vm.jni_env.address_ptr, 0x00, *words)
    self.assertEqual('OneTwoThreeFourFiveSix', res)
def test_something(self):
    """A Java String handed to testOneArg is returned unchanged."""
    emulator = Emulator(vfp_inst_set=True, vfs_root="vfs")
    so_path = posixpath.join(posixpath.dirname(__file__), "bin", "test_native.so")
    module = emulator.load_library(so_path)
    self.assertTrue(module.base != 0)

    # emulator.mu.hook_add(UC_HOOK_CODE, hook_code, emulator)  # instruction trace, if needed
    res = emulator.call_symbol(
        module,
        'Java_com_aeonlucid_nativetesting_MainActivity_testOneArg',
        emulator.java_vm.jni_env.address_ptr, 0x00, String('Hello'))
    # The return value is a local reference; resolve it to a Python str.
    returned = emulator.java_vm.jni_env.get_local_reference(res)
    self.assertEqual(returned.value.get_py_string(), "Hello")
def test_thread64(self):
    """pthread_create must pass through both hooks while test_thread runs (arm64 build)."""
    emulator = Emulator(vfs_root="vfs", arch=emu_const.ARCH_ARM64, muti_task=True)
    libcm = emulator.load_library("vfs/system/lib64/libc.so")
    sym = libcm.find_symbol("pthread_create")
    # print("sym : %s" % hex(sym))

    # The literal 4 is presumably the hooked argument count — confirm against FuncHooker.
    hooker = FuncHooker(emulator)
    hooker.fun_hook(sym, 4,
                    self.__pthread_create64_before_hook,
                    self.__pthread_create64_after_hook)
    # emulator.mu.hook_add(UC_HOOK_CODE, hook_code, emulator)

    libdemo = emulator.load_library("tests/bin64/libdemo.so")
    result = emulator.call_symbol(libdemo, "test_thread", 3)

    self.assertEqual(result, 3)
    self.assertTrue(self.__is64_before_call)
    self.assertTrue(self.__is64_after_call)
def test_64_elf(self):
    """Load a 64-bit JNI library, run JNI_OnLoad and call two of its test methods."""
    emulator = Emulator(vfs_root="vfs", arch=emu_const.ARCH_ARM64)
    emulator.java_classloader.add_class(TestClass)
    try:
        emulator.load_library("vfs/system/lib64/libc.so")
        libtest = emulator.load_library("tests/bin64/libnative-lib.so")
        # emulator.memory.dump_maps(sys.stdout)
        emulator.call_symbol(libtest, 'JNI_OnLoad', emulator.java_vm.address_ptr, 0x00)

        target = TestClass()
        self.assertEqual(target.testJni2(emulator, 10000000000), 125)

        app = ActivityThread.currentApplication(emulator)
        package = target.testJni1(emulator, app).get_py_string()
        self.assertEqual(package, "com.ss.android.ugc.aweme")
        # emulator.memory.dump_maps(sys.stdout)
    except UcError:
        # Report where emulation stopped and the memory layout, then re-raise.
        print("Exit at 0x%08X" % emulator.mu.reg_read(UC_ARM64_REG_PC))
        emulator.memory.dump_maps(sys.stdout)
        raise
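def test_load_bias_new_delete(self):
    """operator new / operator delete from the arm64 libc++ allocate and free a buffer."""
    emulator = Emulator(vfs_root="vfs", arch=emu_const.ARCH_ARM64)
    try:
        libcpp = emulator.load_library("vfs/system/lib64/libc++.so")
        # _Znwm is the Itanium-mangled name of operator new(unsigned long).
        new_ptr = emulator.call_symbol(libcpp, "_Znwm", 100)
        # Check the allocation before writing through it; a write to address 0
        # would presumably surface as a UcError rather than a clear test failure.
        self.assertNotEqual(new_ptr, 0)
        emulator.mu.mem_write(new_ptr, b'hello world...')
        # _ZdlPv is operator delete(void*).
        emulator.call_symbol(libcpp, "_ZdlPv", new_ptr)
    except UcError:
        # Report where emulation stopped and the memory layout, then re-raise.
        print("Exit at 0x%08X" % emulator.mu.reg_read(UC_ARM64_REG_PC))
        emulator.memory.dump_maps(sys.stdout)
        raise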
jvm_name="com/sec/udemo/MainActivity"): @java_method_def(name="getSaltFromJava", signature="(Ljava/lang/String;)Ljava/lang/String;", native=False, args_list=['jstring']) def getSaltFromJava(self, mu, arg_str): return arg_str.value.value + "salt.." @java_method_def(name="sign_lv4", signature="(Ljava/lang/String;)Ljava/lang/String;", native=True) def sign_lv4(self, mu): pass emulator = Emulator() emulator.modules.add_symbol_hook( "__aeabi_memclr", emulator.hooker.write_function(hook_aeabi_memclr) + 1) emulator.modules.add_symbol_hook( "__aeabi_memcpy", emulator.hooker.write_function(hook_aeabi_memcpy) + 1) emulator.modules.add_symbol_hook( "sprintf", emulator.hooker.write_function(hook_sprintf) + 1) emulator.java_classloader.add_class(com_sec_udemo_MainActivity) emulator.load_library("lib/libc.so", do_init=False) libmod = emulator.load_library("lib/libnative-lib.so", do_init=False) try:
def __aeabi_memcpy(mu, dist, source, size): data = mu.mem_read(source, size) mu.mem_write(dist, bytes(data)) print('__aeabi_memcpy(%x,%x,%d)' % (dist, source, size)) @native_method def sprintf(mu, buffer, fmt, a1, a2): fmt1 = memory_helpers.read_utf8(mu, fmt) data1 = memory_helpers.read_utf8(mu, a1) result = fmt1 % (data1, a2) mu.mem_write(buffer, bytes((result + '\x00').encode('utf-8'))) # print('sprintf(%s)' % (result)) emulator = Emulator() #got hook emulator.modules.add_symbol_hook( '__aeabi_memclr', emulator.hooker.write_function(__aeabi_memclr) + 1) emulator.modules.add_symbol_hook( '__aeabi_memcpy', emulator.hooker.write_function(__aeabi_memcpy) + 1) emulator.modules.add_symbol_hook('sprintf', emulator.hooker.write_function(sprintf) + 1) libc = emulator.load_library('jnilibs/libc.so', do_init=False) libmod = emulator.load_library('jnilibs/libnative-lib.so', do_init=False) try:
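def test_get(*, verify=True):
    """Build a signed searchsongs request for the mtop gateway, send it and print the reply.

    The x-sign, wua and x-mini-wua headers are produced by the emulated
    signing library (sgmain); the remaining headers are a fixed set captured
    from the client.

    Args:
        verify: forwarded to requests. Keep the default so the server's TLS
            certificate is validated; pass False only when deliberately
            routing the request through an interception proxy for analysis.
    """
    search_content = "林俊杰"
    # test_enc()
    api = "mtop.alimusic.search.searchservice.searchsongs"
    # res = get_callId(api, search_content)
    # print(res)
    # x_c_traceid = get_x_c_traceid()
    # print(x_c_traceid)
    data = gen_data(api, search_content)
    print(data)

    unix_time = int(time.time())
    x_sign_input = get_x_sign_input(api, data, unix_time)
    print(x_sign_input)
    # Previously captured sign inputs, kept for comparison:
    # x_sign_input = "XtX3M1bJ69cDAFWqkBwQYXgY&&&21465214&9d2395108230634c7438d833739c4ec9&1591175586&mtop.alimusic.search.searchservice.searchsongs&1.3&&701287@xiami_android_8.3.8&AohsPSPH-F7lQLJzyIvh_6geqxEqIetYwOxZ0laI9k_9&&&27"
    # x_sign_input = "XtX3M1bJ69cDAFWqkBwQYXgY&&&21465214&b2604d60fe6fe6695f0c6e8186b9d972&1591887863&mtop.alimusic.search.searchservice.searchsongs&1.3&&701287@xiami_android_8.3.8&AohsPSPH-F7lQLJzyIvh_6geqxEqIetYwOxZ0laI9k_9&&&27"

    emulator = Emulator(
        vfs_root=posixpath.join(posixpath.dirname(__file__), "vfs"),
        config_path="xiami.json")
    sgmain_init(emulator)
    x_sign = get_x_sign(emulator, x_sign_input)
    print(x_sign)
    vmp_inst = avmp_wua_sgcipher_create(emulator)
    wua = get_wua(emulator, vmp_inst, x_sign)

    # Same keys and insertion order as the per-key assignments this replaces.
    header = {
        "x-appkey": "21465214",
        "x-nq": "WIFI",
        "x-mini-wua": get_mini_wua(emulator, unix_time),  # TODO
        # NOTE(review): in the source the `#TODO` sits directly before this
        # assignment; if it was meant to comment the traceid out, restore that.
        "x-c-traceid": get_x_c_traceid(),
        "x-app-conf-v": "0",
        "x-features": "5.2",
        "x-pv": "27",
        "x-t": str(unix_time),
        "x-app-ver": "8.3.8",
        "f-refer": "mtop",
        "user-agent": r"MTOPSDK%2F3.1.0.6+%28Android%3B6.0.1%3BLGE%3BAOSP+on+BullHead%29",
        "x-ttid": r"701287%40xiami_android_8.3.8",
        "x-nettype": "WIFI",
        "cache-control": "no-cache",
        "a-orange-q": "appKey=21465214&appVersion=8.3.8&clientAppIndexVersion=1120200603000600940&clientVersionIndexVersion=0",
        "x-utdid": g_utdid,
        "x-umt": "pZ1LzvhLOlDOsjVyonOdfoph2Uetk1kT",
        "x-devid": "AohsPSPH-F7lQLJzyIvh_6geqxEqIetYwOxZ0laI9k_9",
        "x-sign": x_sign,
        "content-type": "application/x-www-form-urlencoded;charset=UTF-8",
    }
    print("header:")
    print(header)
    print(wua)

    # Captured request, for reference:
    # https://acs.m.taobao.com/gw/mtop.alimusic.search.searchservice.searchsongs/1.3/?data=%7B%22requestStr%22%3A%22%7B%5C%22header%5C%22%3A%7B%5C%22accessToken%5C%22%3A%5C%22%5C%22%2C%5C%22appId%5C%22%3A200%2C%5C%22appVersion%5C%22%3A8030800%2C%5C%22callId%5C%22%3A%5C%22mtop.alimusic.search.searchservice.searchsongs_815fc5cc31eeb8cfb37134c32f14142c%5C%22%2C%5C%22ch%5C%22%3A%5C%22701287%5C%22%2C%5C%22deviceId%5C%22%3A%5C%2200c3476989d8b8a6%5C%22%2C%5C%22language%5C%22%3A%5C%22zh_CN%5C%22%2C%5C%22network%5C%22%3A1%2C%5C%22openId%5C%22%3A0%2C%5C%22osVersion%5C%22%3A%5C%2223%5C%22%2C%5C%22platformId%5C%22%3A%5C%22android_phone%5C%22%2C%5C%22proxy%5C%22%3A%5C%22false%5C%22%2C%5C%22resolution%5C%22%3A%5C%221794x1080%5C%22%2C%5C%22utdid%5C%22%3A%5C%22XtX3M1bJ69cDAFWqkBwQYXgY%5C%22%2C%5C%22uxid%5C%22%3A%5C%22%5C%22%7D%2C%5C%22model%5C%22%3A%7B%5C%22isRecommendCorrection%5C%22%3Atrue%2C%5C%22isTouFu%5C%22%3Atrue%2C%5C%22key%5C%22%3A%5C%22%E6%9E%97%E4%BF%8A%E6%9D%B0%5C%22%2C%5C%22pagingVO%5C%22%3A%7B%5C%22page%5C%22%3A1%2C%5C%22pageSize%5C%22%3A20%7D%7D%7D%22%7D&wua=Udd9_IpLcQKXNKqMbzDa1%2FvbXA7vvQsGEhgISS%2Bk8K0KiPTVb2yTKaB4VIGtwcdpWR5qHRwfYTNabU3u%2FrlxIOwS9M1vtVr0lR7loYAmhaXNr3whCct3gGVuxY9prZmVjCCyHqDBdSEIjgmFXrOpbKbKgmBdS%2BHpBxssjr3AXlw2Xza82Dv4Eko56vCsXkzBHwvOtq9bUuZKsR2j1AfSed8A7OUtaZAjNvD72%2B2EWrynygRjY3wwwSxDlssjj3o1GRGAaJZ5Eyv8SNPFWaFRCu71nWC5tLCXwpEzZDb7z%2BkgpgaWe%2Fgg1LyqPStMW6Le4KDTyriF4kIR8nw0Azg0%2Fltns2XMf2Y7eKtjjGA0wbhT2LW7LLTzccYbHzgQ%2BPNApgFZPDUTkGndC%2BwUnqYexjjSrgM3jP5gzeM67J1vjdC6VKrbLHGxOqcBSqaRvSCSUs29IyTs%2FuAA4w23R2pYygLQLNA%3D%3D%26MIT1_a0010bc4dd8b7722195272e27e2ff2de17c44afa24cc7&type=originaljson
    url = "https://acs.m.taobao.com/gw/mtop.alimusic.search.searchservice.searchsongs/1.3/"
    params_song = {"data": data, "wua": wua, "type": "originaljson"}
    # The session is a context manager, so its connection pool is released on exit.
    # Certificate verification is on unless the caller opts out explicitly.
    with requests.Session() as http_session:
        resp = http_session.get(url, headers=header, params=params_song, verify=verify).content
    print(resp.decode("utf-8"))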
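def test_enc():
    """Drive the emulated signing commands (x-sign, mini_wua, vmp, wua) and print each result."""
    emulator = Emulator(
        vfs_root=posixpath.join(posixpath.dirname(__file__), "vfs"),
        config_path="xiami.json")
    try:
        sgmain_init(emulator)
        # Device log of the real doCommandNative(10401) calls the inputs below
        # were taken from (kept as comments rather than no-op string statements):
        #   01-26 02:46:31.968 5752 6060 I librev-dj: param0 {INPUT=XtX3M1bJ69cDAFWqkBwQYXgY&&&21465214&a75c08d1bc5069534cd65d35372bede2&2169991&mtop.alimusic.common.menuservice.getdata&1.0&&701287@xiami_android_8.3.8&AohsPSPH-F7lQLJzyIvh_6geqxEqIetYwOxZ0laI9k_9&&&27} [class java.util.HashMap]
        #   01-26 02:46:31.968 5752 6060 I librev-dj: param1 21465214 [class java.lang.String]
        #   01-26 02:46:31.968 5752 6060 I librev-dj: param2 7 [class java.lang.Integer]
        #   01-26 02:46:31.968 5752 6060 I librev-dj: param3 is null
        #   01-26 02:46:31.968 5752 6060 I librev-dj: param4 true [class java.lang.Boolean]
        #   01-26 02:46:31.976 5752 6060 I librev-dj: call my_doCommandNative return 0x200041
        #   01-26 02:46:31.976 5752 6060 I librev-dj: cmd 10401 return ab210e00103f3622607853182fe77adf41d41e872523ccfda2
        #   06-04 03:14:19.257 5796 6311 I librev-dj: call my_doCommandNative 10401
        #   06-04 03:14:19.258 5796 6311 I librev-dj: param0 {INPUT=XtX3M1bJ69cDAFWqkBwQYXgY&&&21465214&94de0d14487a78f08caa8b9366df870e&1591240459&mtop.alimusic.search.searchservice.searchsongs&1.3&&701287@xiami_android_8.3.8&AohsPSPH-F7lQLJzyIvh_6geqxEqIetYwOxZ0laI9k_9&&&27}
        #   06-04 03:14:19.258 5796 6311 I librev-dj: param1 21465214
        #   06-04 03:14:19.258 5796 6311 I librev-dj: param2 7
        #   06-04 03:14:19.258 5796 6311 I librev-dj: param3 is null
        #   06-04 03:14:19.258 5796 6311 I librev-dj: param4 true
        #   06-04 03:14:19.264 5796 6311 I librev-dj: call my_doCommandNative return 0x41
        #   06-04 03:14:19.264 5796 6311 I librev-dj: cmd 10401 return ab210e0010e507dbe03e3a648e23f5fa221b65a7a1cd01789e
        # s = "XtX3M1bJ69cDAFWqkBwQYXgY&&&21465214&a75c08d1bc5069534cd65d35372bede2&2169991&mtop.alimusic.common.menuservice.getdata&1.0&&701287@xiami_android_8.3.8&AohsPSPH-F7lQLJzyIvh_6geqxEqIetYwOxZ0laI9k_9&&&27"
        s = "XtX3M1bJ69cDAFWqkBwQYXgY&&&21465214&94de0d14487a78f08caa8b9366df870e&1591240459&mtop.alimusic.search.searchservice.searchsongs&1.3&&701287@xiami_android_8.3.8&AohsPSPH-F7lQLJzyIvh_6geqxEqIetYwOxZ0laI9k_9&&&27"
        r = get_x_sign(emulator, s)
        print("x-sign 10401 return %s" % r)

        # o1 = Integer(0)
        # print("begin 12301")
        # arr = Array([o1])
        # r = JNICLibrary.doCommandNative(emulator, 12301, arr)

        mini_wua = get_mini_wua(emulator, 1591789191)
        print("mini_wua return %r" % mini_wua)

        vmp_inst = avmp_wua_sgcipher_create(emulator)
        print("60901 return %r" % vmp_inst)

        # Device log of the real doCommandNative(60902) call `sdata` below comes from:
        #   01-28 02:24:32.022 7389 7544 I librev-dj: call my_doCommandNative 60902
        #   01-28 02:24:32.022 7389 7544 I librev-dj: param0 4250478350 [class java.lang.Long]
        #   01-28 02:24:32.022 7389 7544 I librev-dj: param1 sign [class java.lang.String]
        #   01-28 02:24:32.022 7389 7544 I librev-dj: param2 class [B [class java.lang.Class]
        #   01-28 02:24:32.022 7389 7544 I librev-dj: param3 [Ljava.lang.Object;@800c770 [class [Ljava.lang.Object;]
        #   01-28 02:24:32.099 7389 7544 I librev-dj: call my_doCommandNative return 0x95
        #   01-28 02:24:32.099 7389 7544 I librev-dj: cmd 60902 return Udd9_PJaIv9t63ccPnqTEueflauoVQkhZLF+SWtD+hpI+ZvjblJMKz/9Ccp8oalFtHOHmE5MVXwGTzWDmtF8LRT2ssTpjnhXOvJfWH+hIAeqI3l0EVs3J5j7JjsoSvrrIQiUTJgjvOrSbNwQpEPB0hwYnTu82Aeuu03mJCFmuxfYc75ZVjqH1j4VLr81XTU/zmd1d9irWgA/mf2Ve512vxbj7qrW2Kuz8SUG3/bCNT2ta5ACJ1uZckEyv0ScQx8CynByYn41CQlrkHMT1mZgLM5Is6TfXE4UeC+pFLFuDXYta6ehiM49uflm95JQVBLwKezkOTjACWpol1B81p4Km+5wWFsMM62McPmgh2f31hgO4T8VpsY4DEdpsBKkrEfFUxmtt51Zy3G7Pw3NQRx823UWohZEV5veS2FFoU0pK+mmu2mGQHNLEE1Vbbxr1zA3uPTL0&MIT1_a0010fdb56926a9a642f4bd0f57dca86a9d50fcb85001
        #   01-28 02:24:32.099 7389 7544 I librev-dj: cmd 60902 inner array
        #   01-28 02:24:32.099 7389 7544 I librev-dj: param0 0 [class java.lang.Integer]
        #   01-28 02:24:32.099 7389 7544 I librev-dj: param1 [B@5b93ae9 [class [B]
        #   01-28 02:24:32.100 7389 7544 I librev-dj: param2 50 [class java.lang.Integer]
        #   01-28 02:24:32.100 7389 7544 I librev-dj: param3 [class java.lang.String]
        #   01-28 02:24:32.100 7389 7544 I librev-dj: param4 [B@907436e [class [B]
        #   01-28 02:24:32.100 7389 7544 I librev-dj: param5 0 [class java.lang.Integer]
        #   01-28 02:24:32.100 7389 7544 I librev-dj: cmd 60902 content ab210e0010e68383c6b1fe5baa33f0eddc45e943a955191a9a
        sdata = 'ab210e0010e68383c6b1fe5baa33f0eddc45e943a955191a9a'
        wua = get_wua(emulator, vmp_inst, sdata)
        print(wua)
    except UcError:
        # Report where emulation stopped, the register state and the memory
        # layout, then re-raise so the failure is not swallowed.
        print("Exit at 0x%08X" % emulator.mu.reg_read(UC_ARM_REG_PC))
        androidemu.utils.debug_utils.dump_registers(emulator.mu, sys.stdout)
        emulator.memory.dump_maps(sys.stdout)
        raise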
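class com_sec_udemo_MainActivity(metaclass=JavaClassDef, jvm_name="com/sec/udemo/MainActivity"):
    """Python stand-in for com.sec.udemo.MainActivity, resolvable by the emulated JNI code."""

    def __init__(self):
        pass

    @java_method_def(name='getSaltFromJava',
                     signature='(Ljava/lang/String;)Ljava/lang/String;',
                     native=False, args_list=['jstring'])
    def getSaltFromJava(self, mu, arg_str):
        """Return the incoming jstring's text with the fixed salt appended.

        The parameter was previously named `str`, shadowing the builtin; the
        sibling samples in this corpus already use `arg_str`.
        """
        return arg_str.value.value + "salt.."


emulator = Emulator()

# GOT hooks: redirect the libc helpers imported by the sample library to the
# Python implementations defined earlier in this file.  The +1 presumably
# marks the hook address as Thumb — confirm against hooker.write_function.
emulator.modules.add_symbol_hook(
    '__aeabi_memclr', emulator.hooker.write_function(__aeabi_memclr) + 1)
emulator.modules.add_symbol_hook(
    '__aeabi_memcpy', emulator.hooker.write_function(__aeabi_memcpy) + 1)
emulator.modules.add_symbol_hook(
    'sprintf', emulator.hooker.write_function(sprintf) + 1)

emulator.java_classloader.add_class(com_sec_udemo_MainActivity)
emulator.load_library('jnilibs/libc.so', do_init=False)
libmod = emulator.load_library('jnilibs/libnative-lib.so', do_init=False)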
from unicorn import UC_HOOK_CODE from unicorn.arm_const import * from androidemu.emulator import Emulator # Configure logging logging.basicConfig( stream=sys.stdout, level=logging.DEBUG, format="%(asctime)s %(levelname)7s %(name)34s | %(message)s") logger = logging.getLogger(__name__) # Initialize emulator emulator = Emulator(vfp_inst_set=True) emulator.load_library("example_binaries/libc.so", do_init=False) lib_module = emulator.load_library("example_binaries/libnative-lib.so", do_init=False) # Show loaded modules. logger.info("Loaded modules:") for module in emulator.modules: logger.info("[0x%x] %s" % (module.base, module.filename)) # Add debugging. def hook_code(mu, address, size, user_data): instruction = mu.mem_read(address, size) instruction_str = ''.join('{:02x} '.format(x) for x in instruction)
from androidemu.utils import memory_helpers
from samples import debug_utils

# Log everything to stdout in the same format as the other samples.
logging.basicConfig(
    stream=sys.stdout,
    level=logging.DEBUG,
    format="%(asctime)s %(levelname)7s %(name)34s | %(message)s",
)
logger = logging.getLogger(__name__)

# Emulator rooted at the sample's vfs directory.
emulator = Emulator(
    vfp_inst_set=True,
    vfs_root=posixpath.join(posixpath.dirname(__file__), "vfs"),
)

# Shared dependencies first, then the library under analysis.
emulator.load_library("example_binaries/libdl.so")
emulator.load_library("example_binaries/libc.so")
emulator.load_library("example_binaries/libstdc++.so")
emulator.load_library("example_binaries/libm.so")
emulator.load_library("example_binaries/libz.so")
lib_module = emulator.load_library("example_binaries/qunar/libgoblin_6_1_1.so")

# Report every module with its base address.
logger.info("Loaded modules:")
for module in emulator.modules:
    logger.info("=> 0x%08x - %s" % (module.base, module.filename))
sys.exit(-1) # # androidemu.utils.debug_utils.dump_registers(mu, sys.stdout) # androidemu.utils.debug_utils.dump_code(emu, address, size, sys.stdout) androidemu.utils.debug_utils.dump_code(emu, address, size, sys.stdout) except Exception as e: logger.exception("exception in hook_code") sys.exit(-1) # # logger = logging.getLogger(__name__) # Initialize emulator emulator = Emulator( vfs_root=posixpath.join(posixpath.dirname(__file__), "vfs") ) mnt = MemoryMonitor(emulator) # Register Java class. # emulator.java_classloader.add_class(MainActivity) emulator.java_classloader.add_class(XGorgen) emulator.java_classloader.add_class(UserInfo) emulator.java_classloader.add_class(java_lang_System) emulator.java_classloader.add_class(java_lang_Thread) emulator.java_classloader.add_class(java_lang_StackTraceElement) # Load all libraries. libdvm = emulator.load_library("vfs/system/lib/libdvm.so") libcm = emulator.load_library("vfs/system/lib/libc.so")
# #androidemu.utils.debug_utils.dump_registers(mu, sys.stdout) androidemu.utils.debug_utils.dump_code(emu, address, size, sys.stdout) except Exception as e: logger.exception("exception in hook_code") sys.exit(-1) # # logger = logging.getLogger(__name__) # Initialize emulator emulator = Emulator(vfp_inst_set=True, vfs_root=posixpath.join(posixpath.dirname(__file__), "vfs")) #emulator.mu.hook_add(UC_HOOK_CODE, hook_code, emulator) emulator.mu.hook_add(UC_HOOK_MEM_WRITE, hook_mem_write) emulator.mu.hook_add(UC_HOOK_MEM_READ, hook_mem_read) # Register Java class. # emulator.java_classloader.add_class(MainActivity) emulator.java_classloader.add_class(XGorgen) emulator.java_classloader.add_class(secuni_b) emulator.java_classloader.add_class(UserInfo) emulator.java_classloader.add_class(java_lang_System) emulator.java_classloader.add_class(java_lang_Thread) emulator.java_classloader.add_class(java_lang_StackTraceElement)
@java_method_def(name='getSaltFromJava', signature='(Ljava/lang/String;)Ljava/lang/String;', native=False, args_list=['jstring']) def getSaltFromJava(self, mu, str): return str.value.value + "salt.." @java_method_def(name='sign_lv4', signature='(Ljava/lang/String;)Ljava/lang/String;', native=True, args_list=['jstring']) def sign_lv4(self, mu): pass emulator = Emulator() #got hook emulator.modules.add_symbol_hook( '__aeabi_memclr', emulator.hooker.write_function(__aeabi_memclr) + 1) emulator.modules.add_symbol_hook( '__aeabi_memcpy', emulator.hooker.write_function(__aeabi_memcpy) + 1) emulator.modules.add_symbol_hook('sprintf', emulator.hooker.write_function(sprintf) + 1) emulator.java_classloader.add_class(com_sec_udemo_MainActivity) libc = emulator.load_library('jnilibs/libc.so', do_init=False) libmod = emulator.load_library('jnilibs/libnative-lib.so', do_init=True)
metaclass=JavaClassDef, jvm_name='android/telephony/ColorOSTelephonyManager', jvm_ignore=True): def __init__(self): pass # # logger = logging.getLogger(__name__) # Initialize emulator emulator = Emulator(vfs_root=posixpath.join(posixpath.dirname(__file__), "vfs"), config_path="xiami.json") # Register Java class. emulator.java_classloader.add_class(HttpUtil) emulator.java_classloader.add_class(UmidAdapter) emulator.java_classloader.add_class(JNICLibrary) emulator.java_classloader.add_class(SPUtility2) emulator.java_classloader.add_class(DeviceInfoCapturer) emulator.java_classloader.add_class(DataReportJniBridge) emulator.java_classloader.add_class(ZipUtils) emulator.java_classloader.add_class(CallbackHelper)
import sys
import logging

from unicorn import *
from unicorn.arm_const import *
from androidemu.emulator import Emulator
from UnicornTraceDebugger import udbg

logging.basicConfig(
    stream=sys.stdout,
    level=logging.DEBUG,
    format="%(asctime)s %(levelname)7s %(name)34s | %(message)s")
logger = logging.getLogger(__name__)

emulator = Emulator()
libc = emulator.load_library('jnilibs/libc.so', do_init=False)
libso = emulator.load_library('jnilibs/libso.so', do_init=False)
main = emulator.load_library('jnilibs/main', do_init=False)

try:
    dbg = udbg.UnicornDebugger(emulator.mu)
    # Hard-coded load base plus offsets; the +1 on the start presumably selects
    # Thumb mode.  NOTE(review): the trace below subtracts a different base
    # (0xcbc66000) than the one used here — confirm both against the loaded modules.
    addr_start = 0xcbc6b000 + 0x4B0 + 1
    addr_end = 0xcbc6b000 + 0x4D2
    emulator.mu.emu_start(addr_start, addr_end)
    ret = emulator.mu.reg_read(UC_ARM_REG_R0)
    print(ret)
except UcError as e:
    # Print the last executed addresses (relative to a fixed base), then the error.
    list_tracks = dbg.get_tracks()
    for addr in list_tracks[-100:-1]:
        print(hex(addr - 0xcbc66000))
    print(e)
import sys import logging from unicorn import * from unicorn.arm_const import * from androidemu.emulator import Emulator from UnicornTraceDebugger import udbg logging.basicConfig(stream=sys.stdout, level=logging.DEBUG, format="%(asctime)s %(levelname)7s %(name)34s | %(message)s") logger = logging.getLogger(__name__) emulator = Emulator() libc = emulator.load_library('jnilibs/libc.so', do_init=False) libso = emulator.load_library('jnilibs/libnative-lib.so', do_init=False) # data segment data_base = 0xa00000 data_size = 0x10000 * 3 emulator.mu.mem_map(data_base, data_size) emulator.mu.mem_write(data_base, b'123') emulator.mu.reg_write(UC_ARM_REG_R0, data_base) try: dbg = udbg.UnicornDebugger(emulator.mu) addr_start = 0xcbc66000 + 0x9B68 + 1 addr_end = 0xcbc66000 + 0x9C2C emulator.mu.emu_start(addr_start, addr_end) r2 = emulator.mu.reg_read(UC_ARM_REG_R2) result = emulator.mu.mem_read(r2, 16)
print("DexInstallV26 install arg %r %s %s"%(obj, s)) # # # Configure logging logging.basicConfig( stream=sys.stdout, level=logging.DEBUG, format="%(asctime)s %(levelname)7s %(name)34s | %(message)s" ) logger = logging.getLogger(__name__) # Initialize emulator emulator = Emulator( vfp_inst_set=True, vfs_root=posixpath.join(posixpath.dirname(__file__), "vfs") ) # Register Java class. emulator.java_classloader.add_class(Helper) emulator.java_classloader.add_class(DexInstall) emulator.java_classloader.add_class(DexInstallV26) #emulator.mu.hook_add(UC_HOOK_CODE, hook_code, emulator) # Load all libraries. lib_module2 = emulator.load_library("vfs/system/lib/libdvm.so") #lib_module = emulator.load_library("tests/bin/libSecShell.so") lib_module = emulator.load_library("../deobf/sec.so") #androidemu.utils.debug_utils.dump_symbols(emulator, sys.stdout) # Show loaded modules.
from unicorn import UC_HOOK_CODE
from unicorn.arm_const import *
from androidemu.emulator import Emulator

# Initialize emulator
emulator = Emulator()
emulator.load_library("example_binaries/libc.so")
my_base = emulator.load_library("example_binaries/libnative-lib.so")

# Show loaded modules.
print("Loaded modules:")
for module in emulator.modules:
    print("[0x%x] %s" % (module.base_addr, module.filename))


# Add debugging.
def hook_code(mu, address, size, user_data):
    """Unicorn code hook: print the address, size and raw bytes of each executed instruction."""
    raw = mu.mem_read(address, size)
    hex_bytes = ''.join('{:02x} '.format(b) for b in raw)
    print(
        '# Tracing instruction at 0x%x, instruction size = 0x%x, instruction = %s'
        % (address, size, hex_bytes))


emulator.mu.hook_add(UC_HOOK_CODE, hook_code)

# Runs a method of "libnative-lib.so" that calls an imported
# function "strlen" from "libc.so".
java_lang_StackTraceElement("com.android.internal.os.ZygoteInit"), java_lang_StackTraceElement("dalvik.system.NativeStart") ] # Configure logging logging.basicConfig( stream=sys.stdout, level=logging.DEBUG, format="%(asctime)s %(levelname)7s %(name)34s | %(message)s") logger = logging.getLogger(__name__) # Initialize emulator emulator = Emulator(vfp_inst_set=True, vfs_root=posixpath.join(posixpath.dirname(__file__), "vfs")) # Register Java class. # emulator.java_classloader.add_class(MainActivity) emulator.java_classloader.add_class(XGorgen) emulator.java_classloader.add_class(secuni_b) emulator.java_classloader.add_class(UserInfo) emulator.java_classloader.add_class(java_lang_System) emulator.java_classloader.add_class(java_lang_Thread) emulator.java_classloader.add_class(java_lang_StackTraceElement) # Load all libraries. emulator.load_library("./example_binaries/libdl.so") emulator.load_library("./example_binaries/libc.so") emulator.load_library("./example_binaries/libstdc++.so")
def test(self): pass # Configure logging logging.basicConfig( stream=sys.stdout, level=logging.DEBUG, format="%(asctime)s %(levelname)7s %(name)34s | %(message)s") logger = logging.getLogger(__name__) # Initialize emulator emulator = Emulator(vfp_inst_set=True, vfs_root=posixpath.join(posixpath.dirname(__file__), "vfs")) # Register Java class. emulator.java_classloader.add_class(MainActivity) # Load all libraries. emulator.load_library("example_binaries/libdl.so") emulator.load_library("example_binaries/libc.so", do_init=False) emulator.load_library("example_binaries/libstdc++.so") emulator.load_library("example_binaries/libm.so") lib_module = emulator.load_library("libsgavmpso-6.4.31.so", do_init=False) # # Show loaded modules. # logger.info("Loaded modules:")
@native_method def __aeabi_memcpy(mu, dist, source, size): data = mu.mem_read(source, size) mu.mem_write(dist, bytes(data)) print('__aeabi_memcpy(%x,%x,%d)' % (dist, source, size)) @native_method def sprintf(mu, buffer, fmt, a1, a2): fmt1 = memory_helpers.read_utf8(mu, fmt) data1 = memory_helpers.read_utf8(mu, a1) result = fmt1 % (data1, a2) mu.mem_write(buffer, bytes((result + '\x00').encode('utf-8'))) # print('sprintf(%s)' % (result)) emulator = Emulator() # data segment data_base = 0xa00000 data_size = 0x10000 * 3 emulator.mu.mem_map(data_base, data_size) #got hook emulator.modules.add_symbol_hook('__aeabi_memclr', emulator.hooker.write_function(__aeabi_memclr) + 1) emulator.modules.add_symbol_hook('__aeabi_memcpy', emulator.hooker.write_function(__aeabi_memcpy) + 1) emulator.modules.add_symbol_hook('sprintf', emulator.hooker.write_function(sprintf) + 1) libc = emulator.load_library('jnilibs/libc.so', do_init=False) libmod = emulator.load_library('jnilibs/libencrypt.so', do_init=True) try:
result = format_str % (a1_str, a2) # print(f">>> hook sprintf: {result}") mu.mem_write(buffer, bytes((result + '\x00').encode("utf-8"))) class com_sec_udemo_MainActivity(metaclass=JavaClassDef, jvm_name="com/sec/udemo/MainActivity"): @java_method_def(name="getSaltFromJava", signature="(Ljava/lang/String;)Ljava/lang/String;", native=False, args_list=['jstring']) def getSaltFromJava(self, mu, arg_str): return arg_str.value.value + "salt.." emulator = Emulator() emulator.modules.add_symbol_hook( "__aeabi_memclr", emulator.hooker.write_function(hook_aeabi_memclr) + 1) emulator.modules.add_symbol_hook( "__aeabi_memcpy", emulator.hooker.write_function(hook_aeabi_memcpy) + 1) emulator.modules.add_symbol_hook( "sprintf", emulator.hooker.write_function(hook_sprintf) + 1) emulator.java_classloader.add_class(com_sec_udemo_MainActivity) emulator.load_library("lib/libc.so", do_init=False) libmod = emulator.load_library("lib/libnative-lib.so", do_init=False) try:
from unicorn import UC_HOOK_CODE from unicorn.arm_const import * from androidemu.emulator import Emulator # Configure logging logging.basicConfig( stream=sys.stdout, level=logging.DEBUG, format="%(asctime)s %(levelname)7s %(name)34s | %(message)s") logger = logging.getLogger(__name__) # Initialize emulator emulator = Emulator() emulator.load_library("samples/example_binaries/libc.so", False) lib_module = emulator.load_library("samples/example_binaries/libnative-lib.so") # Show loaded modules. logger.info("Loaded modules:") for module in emulator.modules: logger.info("[0x%x] %s" % (module.base, module.filename)) # Add debugging. def hook_code(mu, address, size, user_data): instruction = mu.mem_read(address, size) instruction_str = ''.join('{:02x} '.format(x) for x in instruction)
class SDInfo(metaclass=JavaClassDef, jvm_name='com/mqunar/atom/defensive/utils/SDInfo'):
    """Empty Java-side stub; presumably registered only so the class name resolves."""
    pass


# Log everything to stdout in the same format as the other samples.
logging.basicConfig(
    stream=sys.stdout,
    level=logging.DEBUG,
    format="%(asctime)s %(levelname)7s %(name)34s | %(message)s",
)
logger = logging.getLogger(__name__)

# Emulator rooted at the sample's vfs directory.
emulator = Emulator(
    vfp_inst_set=True,
    vfs_root=posixpath.join(posixpath.dirname(__file__), "vfs"),
)

# Java classes the target library is expected to look up.
emulator.java_classloader.add_class(EnvChecker)
emulator.java_classloader.add_class(SDInfo)
emulator.java_classloader.add_class(ConfigurationActivity)
emulator.java_classloader.add_class(QBugActivity)
emulator.java_classloader.add_class(ActivityThread)
emulator.java_classloader.add_class(Application)

# Shared dependencies.
emulator.load_library("example_binaries/libdl.so")
emulator.load_library("example_binaries/libc.so")
emulator.load_library("example_binaries/libstdc++.so")
emulator.load_library("example_binaries/libm.so")