unicorn and unidbg

unicorn开机代码以及unidbg调用

from unicorn import *
from unicorn.x86_const import *
from capstone import *
import sys
import hexdump
# Test payload for the emulator: two 32-bit x86 instructions,
#   B8 78 56 34 12      mov eax, 0x12345678
#   81 E8 78 56 34 12   sub eax, 0x12345678
# so EAX is expected to read back as 0 once both have executed.
x86_Code = bytes(
    [0xB8, 0x78, 0x56, 0x34, 0x12]            # mov eax, imm32
    + [0x81, 0xE8, 0x78, 0x56, 0x34, 0x12]    # sub eax, imm32
)

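# Disassemble the test bytes with Capstone (32-bit x86) so the listing can be
# compared against the per-instruction trace printed by hook_code below.
# 0x1000 is only the display base for this listing; the emulator maps the
# same bytes at a different address.
md = Cs(CS_ARCH_X86, CS_MODE_32)
for insn in md.disasm(x86_Code, 0x1000):
    # Loop body must be indented: as pasted it sat at column 0 (IndentationError).
    print("%x:\t%s\t%s" % (insn.address, insn.mnemonic, insn.op_str))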

def hook_code(uc, address, size, userdata):
    """Unicorn UC_HOOK_CODE callback: log each instruction the emulator reaches.

    Args:
        uc: the emulator instance (not used here).
        address: address of the instruction about to execute.
        size: encoded length of that instruction, in bytes.
        userdata: opaque value supplied at hook registration (not used here).
    """
    trace_line = f"Tracing instruction at 0x{address:x},instruction size = 0x{size:x}"
    print(trace_line)
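def test_x86(code=None):
    """Emulate the x86-32 test bytes with Unicorn and print the resulting EAX.

    Maps a 128 KiB region at 0x10000, writes the code there, clears EAX,
    installs hook_code as an instruction trace over the written code and
    runs until the end of the code.

    Args:
        code: bytes to emulate; defaults to the module-level x86_Code.

    Returns:
        The final EAX value, or None when Unicorn reports an error (the
        error is printed rather than re-raised, as in the original script).
    """
    if code is None:
        code = x86_Code
    print("Emulate X86 Code")
    # Unicorn requires mem_map address and size to be 4 KiB page-aligned;
    # 0x10000 satisfies that.
    address = 0x10000
    region_size = 2 * 0x10000  # 128 KiB mapped from `address`
    try:
        mu = Uc(UC_ARCH_X86, UC_MODE_32)
        mu.mem_map(address, region_size)
        mu.mem_write(address, code)
        mu.reg_write(UC_X86_REG_EAX, 0)
        # Trace only the bytes we wrote, not an arbitrary +1000 window.
        mu.hook_add(UC_HOOK_CODE, hook_code, begin=address, end=address + len(code))
        mu.emu_start(address, address + len(code))
        eax = mu.reg_read(UC_X86_REG_EAX)
    except UcError as e:
        print("ERROR: %s" % e)
        return None
    print(">>> eax = 0x%x" % eax)
    return eax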

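if __name__ == "__main__":
    # Run the demo only when executed as a script, not when imported.
    test_x86()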
、

前两天试了下 unidbg 调用最右的 sign 算法，确实很方便，直接贴代码。有个小坑：最右的库不仅注册了一个生成签名的算法，还注册了一个 native_init 函数进行初始化，在调用 getsign 算法前还是得先调用一下初始化函数。光会用这个工具不够，得深入分析这个工具的实现。最近在看无名巨巨的 unicorn 教程，自己还是有点功能想要实现的，继续找实习~~

image_1dt56rpih87k43bm8bi9u11929.png-27.4kB

package com.com.zuiyou;
import cn.banny.unidbg.LibraryResolver;
import cn.banny.unidbg.Module;
import cn.banny.unidbg.arm.ARMEmulator;
import cn.banny.unidbg.file.FileIO;
import cn.banny.unidbg.file.IOResolver;
import cn.banny.unidbg.linux.android.AndroidARMEmulator;
import cn.banny.unidbg.linux.android.AndroidResolver;
import cn.banny.unidbg.linux.android.dvm.*;
import cn.banny.unidbg.memory.Memory;

import org.apache.log4j.Level;

import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
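/**
 * Minimal unidbg harness that loads the {@code net_crypto} library out of the
 * bundled APK and calls its JNI signing routine.
 *
 * The library registers two natives of interest: {@code native_init()V}, which
 * has to run once before signing, and
 * {@code generateSign([B)Ljava/lang/String;}, which produces the signature.
 */
public class Nmsl extends AbstractJni implements IOResolver {

    private static final String APK_PATH = "src/test/resources/app/zuiyou.apk";

    private final ARMEmulator emulator;
    private final VM vm;
    /** Loaded net_crypto module; not used by this harness after loading. */
    private final Module module;
    /** Resolved {@code cn.xiaochuankeji.netcrypto.NetCrypto}, the class that owns the natives. */
    private final DvmClass netCrypto;

    private static LibraryResolver createLibraryResolver() {
        // Resolve system libraries against the bundled Android API 23 set.
        return new AndroidResolver(23);
    }

    private static ARMEmulator createARMEmulator() {
        return new AndroidARMEmulator("com.zuiyou");
    }

    /**
     * No custom file mappings: returning {@code null} leaves every path to the
     * default resolution.
     */
    @Override
    public FileIO resolve(File workDir, String pathname, int oflags) {
        return null;
    }

    private Nmsl() throws IOException {
        emulator = createARMEmulator();
        emulator.getSyscallHandler().addIOResolver(this);
        System.out.println("== init ===");

        final Memory memory = emulator.getMemory();
        memory.setLibraryResolver(createLibraryResolver());
        memory.setCallInitFunction();

        vm = emulator.createDalvikVM(new File(APK_PATH));
        vm.setJni(this);
        DalvikModule dm = vm.loadLibrary("net_crypto", false);
        dm.callJNI_OnLoad(emulator);
        module = dm.getModule();
        netCrypto = vm.resolveClass("cn/xiaochuankeji/netcrypto/NetCrypto");
    }

    /** Release the emulator; the instance must not be used afterwards. */
    private void destroy() throws IOException {
        emulator.close();
        System.out.println("destroy");
    }

    public static void main(String[] args) throws Exception {
        Nmsl test = new Nmsl();
        try {
            test.getSign();
        } finally {
            // Close the emulator even when the JNI call throws.
            test.destroy();
        }
    }

    /**
     * Run the library's initialisation native, then sign a sample request body
     * and print the returned string.
     */
    private void getSign() throws IOException {
        // Sample request body as posted; values are the author's test data.
        String str = "{\"size\":\"big\",\"version\":0,\"h_av\":\"4.1.6\",\"h_dt\":0,\"h_os\":22,\"h_app\":\"zuiyou\",\"h_model\":\"vivo v3\",\"h_did\":\"865166029899062_00:81:81\",\"h_nt\":1,\"h_m\":172480973,\"h_ch\":\"zuiyou\",\"h_ts\":1577500409477,\"token\":\"T2K2NvcwR06ehMlhs2CXF-xHH5Eks5Haq0WiU-KKv22mArxaNmXoWiycBZdigmZJE7h3k\"}";

        // JNI_OnLoad registers native_init alongside generateSign; the post notes
        // that signing only works once the init native has been called.
        netCrypto.callStaticJniMethod(emulator, "native_init()V");
        // Explicit charset: getBytes() without one depends on the platform default.
        Number ret = netCrypto.callStaticJniMethod(emulator, "generateSign([B)Ljava/lang/String;",
                vm.addLocalObject(new ByteArray(str.getBytes(StandardCharsets.UTF_8))), 23);
        // The return value is a local-reference handle; mask to an unsigned 32-bit key.
        long hash = ret.intValue() & 0xffffffffL;
        StringObject obj = vm.getObject(hash);
        System.out.println(obj.getValue());
    }
}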

算是填了一个坑。想重拾 soul，听说最近 soul 被人搞得加壳了 23333，过几天看看。这几天先把 unicorn 摸摸透，再把毕设定个题。

image_1dt56v1gee9p19t8k2s1nd7h2am.png-69.4kB