Calling so files with Unidbg

Time: 2021-7-30
Unidbg is a reverse-engineering tool based on Unicorn that can directly call Android and iOS so files on a PC.

1. Unidbg download address: https://github.com/zhkl0228/u…

The unidbg project is written in Java, and the download above is a standard Maven project. Make sure that a JDK and Maven are installed on the computer.

2. Import the project into IDEA

First, unzip the zip file. With the IDEA 2021 version, I don't know how to import it, so the IDEA 2018 version is used here.

Next, import the project. On the first import, some jar packages are downloaded automatically; how long this takes depends on network speed and the Maven server, so please wait patiently.

3. Unidbg test

The project contains a TTEncrypt test case under unidbg-android\src\test\java\com\bytedance\frameworks\core\encrypt. Run its main method directly.

The console prints the relevant call information, which indicates that the project was imported successfully.

4. Run your own so file

The following is a simple example that I modified myself; most of it is commented for reference.

package com.DU_APP;         // Package of the current file (must match its directory path)

import com.github.unidbg.AndroidEmulator;
import com.github.unidbg.Module;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.linux.android.dvm.DalvikModule;
import com.github.unidbg.linux.android.dvm.DvmClass;
import com.github.unidbg.linux.android.dvm.StringObject;
import com.github.unidbg.linux.android.dvm.VM;
import com.github.unidbg.linux.android.dvm.array.ByteArray;
import com.github.unidbg.memory.Memory;
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;


public class DU_sign { // The class name must match the file name

    private final AndroidEmulator emulator;
    private final VM vm;
    private final Module module;
    private final DvmClass TTEncryptUtils;
    private final boolean logging;

    public DU_sign(boolean logging) {
        this.logging = logging;
        // Create the emulator instance. Choose for32Bit() or for64Bit() to match the so file.
        // The process name is optional and can be set to any value.
        emulator = AndroidEmulatorBuilder.for32Bit().setProcessName("com.shizhuang.duapp").build();
        final Memory memory = emulator.getMemory(); // Memory operation interface of the emulator
        memory.setLibraryResolver(new AndroidResolver(23)); // Set the resolver for the system libraries
        vm = emulator.createDalvikVM(); // Create the Android virtual machine
        vm.setVerbose(logging); // Whether to print JNI call details
        String so_path = "";   // Path of the so file to call
        // Load the so file into the Unicorn virtual memory. After it loads successfully,
        // init_array and the other initialization functions are called by default.
        DalvikModule dm = vm.loadLibrary(new File(so_path), false);
        dm.callJNI_OnLoad(emulator); // Call the JNI_OnLoad function manually
        module = dm.getModule(); // The loaded so file corresponds to one module
        // The Java-layer class that declares the native method, given as its class path
        TTEncryptUtils = vm.resolveClass("com/duapp/aesjni/AESEncrypt");
    }

    // Shut down the emulator
    void destroy() throws IOException {
        emulator.close();
        if (logging) {
            System.out.println("destroy");
        }
    }

    public static void main(String[] args) throws Exception {
        DU_sign test = new DU_sign(false);     // Instantiate the current class

        // String to encrypt
        String str1 = "abTest[{\"name\":\"search_equlheight_spu_Strategy\",\"value\":\"0\"}]catid0hideaddproduct0limit20logintokenoriginsearchfallepage0platform androidproductdetailversionflag1showhot1sortmode0sorttype0timestamp1625715089920title watch typeid0uuidd812da2917d75f8ev4.71.0";

        System.out.println(test.encodeByte(str1));

        test.destroy();     // Shut down the emulator
    }

    public String encodeByte(String str1) {
        // The second argument is a fixed string that does not change between calls
        String byteString = "010110100010001010010010000011000111001011101010101000101110111010011010101101101010001000101100010110100010001010011010110011001111001011100010101000100100110010110010100010101011110010111100";
        // Arguments: the emulator, the smali-style signature of the method to call, then the
        // method's own arguments (mind the types, and pass exactly as many as the method takes)
        Object ret = TTEncryptUtils.callStaticJniMethodObject(emulator, "encodeByte([BLjava/lang/String;)Ljava/lang/String;",
                // The signature takes a byte array and a String, so two arguments are passed in.
                // UTF-8 is given explicitly so the bytes do not depend on the PC's default charset.
                new ByteArray(vm, str1.getBytes(StandardCharsets.UTF_8)),
                vm.addLocalObject(new StringObject(vm, byteString)));

        return ret.toString();
    }

}
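
The signature string passed to callStaticJniMethodObject determines how many arguments must follow it and of which types. The class below is an added example, not part of the original post or of unidbg; JniSignature and its methods are hypothetical helpers that decode such a signature into Java type names, so the argument list can be checked before the call is made.

```java
import java.util.ArrayList;
import java.util.List;

public class JniSignature {
    /** Decodes one JNI type starting at pos[0] and advances pos[0] past it. */
    private static String readType(String d, int[] pos) {
        if (pos[0] >= d.length()) throw new IllegalArgumentException("truncated signature: " + d);
        char c = d.charAt(pos[0]++);
        switch (c) {
            case 'Z': return "boolean";
            case 'B': return "byte";
            case 'C': return "char";
            case 'S': return "short";
            case 'I': return "int";
            case 'J': return "long";
            case 'F': return "float";
            case 'D': return "double";
            case 'V': return "void";
            case '[': return readType(d, pos) + "[]";   // array of the type that follows
            case 'L':                                   // object type: Lpkg/Class;
                int end = d.indexOf(';', pos[0]);
                if (end < 0) throw new IllegalArgumentException("unterminated class name: " + d);
                String name = d.substring(pos[0], end).replace('/', '.');
                pos[0] = end + 1;
                return name;
            default:
                throw new IllegalArgumentException("bad type character '" + c + "' in " + d);
        }
    }

    /** Returns [methodName, returnType, arg0, arg1, ...] for a "name(args)ret" signature. */
    public static List<String> parse(String sig) {
        int open = sig.indexOf('('), close = sig.indexOf(')');
        if (open < 0 || close < open) throw new IllegalArgumentException("not a method signature: " + sig);
        List<String> out = new ArrayList<>();
        out.add(sig.substring(0, open));
        int[] pos = {close + 1};
        out.add(readType(sig, pos));                    // return type follows ')'
        if (pos[0] != sig.length()) throw new IllegalArgumentException("trailing characters: " + sig);
        pos[0] = open + 1;
        while (pos[0] < close) out.add(readType(sig, pos)); // argument types between '(' and ')'
        return out;
    }

    public static void main(String[] args) {
        // The signature used in encodeByte() above
        System.out.println(parse("encodeByte([BLjava/lang/String;)Ljava/lang/String;"));
    }
}
```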