本篇文章仅适用于学习。
最近一直在研究阿里系的请求问题,原来一直都是hook请求端口,虽然和很多人的hook参数生成x-sign不一样,可以说更稳定一些。但总归是脱离不了安卓环境——或者用模拟器,或者用真机。
对于逆向来说,非常的没有档次,没有逼格。
相对于直接逆向x-sign的算法而言,用unidbg调用so文件的难度要小很多。由易入难,unidbg这时候势在必行了。
但是,随着研究的深入,相关的学习资料越来越少,unidbg和直接逆向学习的资料,虽然有一些,但对于问题的深入,原理的解析,以及具体API方法的使用,可以说是少之又少。鱼和渔的问题,越来越尖锐了。
已经研究了差不多几个月,总感觉临门一脚了,程序调试也没有完全通过。虽然越挫越勇,会继续研究,但还是感觉得慢慢来,研究、学习,本身也是一场永远止境的修行。
下面的代码面向的是mtop6.5.27, 代码还存在不少问题,并不能直接使用。
import android.content.Context;
import com.github.unidbg.AndroidEmulator;
import com.github.unidbg.Emulator;
import com.github.unidbg.Module;
import com.github.unidbg.arm.HookStatus;
import com.github.unidbg.file.FileResult;
import com.github.unidbg.file.IOResolver;
import com.github.unidbg.file.linux.AndroidFileIO;
import com.github.unidbg.hook.HookContext;
import com.github.unidbg.hook.ReplaceCallback;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.linux.android.dvm.*;
import com.github.unidbg.linux.android.dvm.array.ByteArray;
import com.github.unidbg.linux.android.dvm.jni.ProxyDvmObject;
import com.github.unidbg.memory.Memory;
import com.github.unidbg.pointer.UnidbgPointer;
import com.github.unidbg.spi.SyscallHandler;
import com.taobao.tao.TaobaoApplication;
import org.json.JSONObject;
import java.io.File;
import java.io.IOException;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
public class TaoBao extends AbstractJni implements IOResolver<AndroidFileIO> {
private final AndroidEmulator emulator;
private final VM vm;
private final Context context;
private final JSONObject data;
private long slot;
// private int num = 0;
private TaoBao(File apk) throws Exception{
emulator = AndroidEmulatorBuilder.for32Bit()
.setRootDir(new File("D:\\DesktopTemp\\tb\\rootfs"))
.build();
Map<String, Integer> iNode = new LinkedHashMap<>();
iNode.put("/data/system", 671745);
iNode.put("/data/app", 327681);
iNode.put("/sdcard/android", 294915);
iNode.put("/data/user/0/com.taobao.taobao", 655781);
iNode.put("/data/user/0/com.taobao.taobao/files", 655864);
emulator.set("inode", iNode);
emulator.set("uid", 10074);
Memory memory = emulator.getMemory();
memory.setLibraryResolver(new AndroidResolver(23));
SyscallHandler<AndroidFileIO> handler = emulator.getSyscallHandler();
handler.setVerbose(false);
handler.addIOResolver(this);
vm = emulator.createDalvikVM(apk);
vm.setJni(this);
vm.setVerbose(true);
context = new TaobaoApplication(vm);
data = new JSONObject("{\"Soft_SGTMAGIC\":\"4I1q9PXiORQGtBivoqf4hSwMk9pwm1D8o4NitR+kvgA=\",\"dynamicreid_dynamicreid\":\"d0666b5b6022eb0\",\"dynamicrsid_dynamicrsid\":\"e1a2607877e260b\",\"SgDyUpdate_ac7123c301ca455b\":\"1621600637\",\"LOCAL_DEVICE_INFO_982c1b269b8e023e5aede2421cbf9c48\":\"YKepcS4SY+ADAIS37Xj5c7s+\",\"DynamicData_accs_ssl_key2_https:\\/\\/ossgw.alicdn.com_21646297%[B\":\"nRWwrMQ\\/jz+oOTWkAZ5FOjhnS1k48SqJdb3w3u\\/ImZJMSXQnlxpD8g0Lyi4kEfgHy5Me33VQ8fyLfqHjPk5PXZ3SwQDtSG4Km7fj9RhEav6NeP85kaWorOA8KTx9u9MHnXdbQa4GVOpBTln\\/GKsPje5gRpmCtWUb71auNwVEO\\/s9LUhH\\/HOcH\\/fwdPixaJAi\\/wNKYYlijdORJgVTOwrtSls1DeUr61NyCDUQa0SkVhw6\\/8PI8gdM1JNt8QEcBIemgI0sM4zA3yyRxFTb0wwcu8CpLsBmIqxqZbvHA+2081dfYDIKuKguH9vYy4s\\/q++odPRvTB25RuEfvXWW\\/+IPtScYQXMx9\\/MG4RW7t80WR0+DOWZXHtkpVlPhTDcU9P2fI4bcQdRSTOIcaI6uFmnOdmb5b9QdtwU3qXgSOuBTh2Bdd6yTeyydRLChBzlWRtcZm6+tYgHOTJIWRNoDg8CxEw==\",\"llc-local_2c3c7f544c159842\":\"1621600921\",\"llc-local_abv2\":\"his:0\",\"llc-local_tcv2\":\"source:0,0,0\"}");
}
public static void main(String[] args) throws Exception {
TaoBao taobao = new TaoBao(new File("D:\\DesktopTemp\\tb\\tb.apk"));
AndroidEmulator emulator = taobao.emulator;
String methodSign = "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;";
DvmClass targetClass = taobao.vm.resolveClass("com/taobao/wireless/security/adapter/JNICLibrary");
DalvikModule main = taobao.vm.loadLibrary("sgmainso-6.5.25", true);
main.callJNI_OnLoad(emulator);
targetClass.callStaticJniMethodObject(emulator, methodSign,
10101, ProxyDvmObject.createObject(taobao.vm, new Object[]{
taobao.context, 3, "", "/data/user/0/com.taobao.taobao/app_SGLib", ""
}));
targetClass.callStaticJniMethodObject(emulator, methodSign,
10102, ProxyDvmObject.createObject(taobao.vm, new Object[]{
"main", "6.5.25", "/data/app/com.taobao.taobao-1/lib/arm/libsgmainso-6.5.25.so"
}));
DalvikModule security = taobao.vm.loadLibrary("sgsecuritybodyso-6.5.33", true);
security.callJNI_OnLoad(emulator);
targetClass.callStaticJniMethodObject(emulator, methodSign,
10102, ProxyDvmObject.createObject(taobao.vm, new Object[]{
"securitybody", "6.5.33", "/data/app/com.taobao.taobao-1/lib/arm/libsgsecuritybodyso-6.5.33.so"
}));
DalvikModule middletier = taobao.vm.loadLibrary("sgmiddletierso-6.5.27", true);
middletier.callJNI_OnLoad(emulator);
targetClass.callStaticJniMethodObject(emulator, methodSign,
10102, ProxyDvmObject.createObject(taobao.vm, new Object[]{
"middletier", "6.5.27", "/data/app/com.taobao.taobao-1/lib/arm/libsgmiddletierso-6.5.27.so"
}));
taobao.loadTest3Hook(middletier.getModule());
DvmObject<?> dvmObject1 = targetClass.callStaticJniMethodObject(emulator, methodSign,
70102, ProxyDvmObject.createObject(taobao.vm, new Object[]{
"丢失", "丢失",
false, 0, "mtop.alibaba.cro.umid.networksdk.savewb", "pageName=com.taobao.tao.welcome.Welcome&pageId=", null, null, null, "r_6"
}));
System.out.println(dvmObject1.getValue().toString());
try {
emulator.close();
} catch (IOException e) {
e.printStackTrace();
}
}
@Override
public DvmObject<?> newObject(BaseVM vm, DvmClass dvmClass, String signature, VarArg varArg) {
switch (signature) {
case "java/lang/Integer-><init>(I)V":
return ProxyDvmObject.createObject(vm, varArg.getIntArg(0));
case "java/lang/Long-><init>(J)V":
return ProxyDvmObject.createObject(vm, varArg.getLongArg(0));
case "java/util/HashMap-><init>(I)V":
return ProxyDvmObject.createObject(vm, new HashMap<>());
}
return super.newObject(vm, dvmClass, signature, varArg);
}
@Override
public int getStaticIntField(BaseVM vm, DvmClass dvmClass, String signature) {
if ("android/os/Build$VERSION->SDK_INT:I".equals(signature)) {
return 23;
}
return super.getStaticIntField(vm, dvmClass, signature);
}
@Override
public long getStaticLongField(BaseVM vm, DvmClass dvmClass, String signature) {
if ("com/alibaba/wireless/security/framework/SGPluginExtras->slot:J".equals(signature)) {
return slot;
}
return super.getStaticLongField(vm, dvmClass, signature);
}
@Override
public DvmObject<?> getObjectField(BaseVM vm, DvmObject<?> dvmObject, String signature) {
if ("android/content/pm/ApplicationInfo->nativeLibraryDir:Ljava/lang/String;".equals(signature)) {
return new StringObject(vm, "/data/app/com.taobao.taobao-1/lib/arm");
} else if ("android/content/pm/ApplicationInfo->sourceDir:Ljava/lang/String;".equals(signature)) {
return new StringObject(vm, this.context.getPackageCodePath());
}
return super.getObjectField(vm, dvmObject, signature);
}
@Override
public void setStaticLongField(BaseVM vm, DvmClass dvmClass, String signature, long value) {
if ("com/alibaba/wireless/security/framework/SGPluginExtras->slot:J".equals(signature)) {
slot = value;
return;
}
super.setStaticLongField(vm, dvmClass, signature, value);
}
@Override
public DvmObject<?> callStaticObjectMethod(BaseVM vm, DvmClass dvmClass, String signature, VarArg varArg) {
switch (signature) {
case "com/alibaba/wireless/security/securitybody/SecurityGuardSecurityBodyPlugin->getPluginClassLoader()Ljava/lang/ClassLoader;":
return vm.resolveClass("dalvik/system/PathClassLoader").newObject(this.getClass().getClassLoader());
case "java/net/NetworkInterface->getNetworkInterfaces()Ljava/util/Enumeration;":
try {
return Context.getNetworkInterfaces(vm);
} catch (Exception e) {
e.printStackTrace();
}
return null;
}
return super.callStaticObjectMethod(vm, dvmClass, signature, varArg);
}
@Override
public void callStaticVoidMethod(BaseVM vm, DvmClass dvmClass, String signature, VarArg varArg) {
switch (signature) {
case "com/alibaba/wireless/security/open/edgecomputing/ECMiscInfo->registerAppLifeCyCleCallBack()V":
case "com/alibaba/wireless/security/securitybody/LifeCycle->setAccessibilityDelegateToView()V":
return;
}
super.callStaticVoidMethod(vm, dvmClass, signature, varArg);
}
@Override
public int callStaticIntMethod(BaseVM vm, DvmClass dvmClass, String signature, VarArg varArg) {
switch (signature) {
case "com/taobao/wireless/security/adapter/common/SPUtility2->saveToFileUnifiedForNative(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Z)I":
return 2;
case "com/alibaba/wireless/security/framework/utils/UserTrackMethodJniBridge->utAvaiable()I":
case "com/uc/crashsdk/JNIBridge->registerInfoCallback(Ljava/lang/String;IJI)I":
return 1;
case "android/provider/Settings$Secure->getInt(Landroid/content/ContentResolver;Ljava/lang/String;I)I":
return context.getInt(varArg.getObjectArg(1).getValue().toString(), varArg.getIntArg(2));
}
return super.callStaticIntMethod(vm, dvmClass, signature, varArg);
}
@Override
public boolean callBooleanMethod(BaseVM vm, DvmObject<?> dvmObject, String signature, VarArg varArg) {
switch (signature) {
case "java/lang/Boolean->booleanValue()Z":
return (Boolean) dvmObject.getValue();
case "android/view/accessibility/AccessibilityManager->isEnabled()Z":
case "android/view/accessibility/AccessibilityManager->isTouchExplorationEnabled()Z":
return false;
case "java/util/Enumeration->hasMoreElements()Z":
return ((Enumeration) dvmObject).hasMoreElements();
case "java/net/NetworkInterface->isUp()Z":
return ((Context.mNetworkInterface) dvmObject.getValue()).isUp();
}
return super.callBooleanMethod(vm, dvmObject, signature, varArg);
}
@Override
public void callVoidMethod(BaseVM vm, DvmObject<?> dvmObject, String signature, VarArg varArg) {
if ("com/taobao/dp/util/CallbackHelper->onUpdated(IILjava/lang/String;)V".equals(signature)) {
return;
}
super.callVoidMethod(vm, dvmObject, signature, varArg);
}
@Override
public int callIntMethod(BaseVM vm, DvmObject<?> dvmObject, String signature, VarArg varArg) {
if ("java/lang/Integer->intValue()I".equals(signature)) {
return (Integer) dvmObject.getValue();
} else if ("android/telephony/TelephonyManager->getSimState()I".equals(signature)) {
return ((Context) dvmObject.getValue()).getSimState();
}
return super.callIntMethod(vm, dvmObject, signature, varArg);
}
@Override
public DvmObject<?> callObjectMethod(BaseVM vm, DvmObject<?> dvmObject, String signature, VarArg varArg) {
switch (signature) {
case "java/lang/String->getBytes()[B":
return new ByteArray(vm, ((String) dvmObject.getValue()).getBytes());
case "com/taobao/tao/TaobaoApplication->getPackageCodePath()Ljava/lang/String;":
return new StringObject(vm, ((Context) dvmObject.getValue()).getPackageCodePath());
case "com/taobao/tao/TaobaoApplication->getFilesDir()Ljava/io/File;":
case "android/content/Context->getFilesDir()Ljava/io/File;":
return ProxyDvmObject.createObject(vm, ((Context) dvmObject.getValue()).getFilesDir());
case "java/io/File->getAbsolutePath()Ljava/lang/String;":
return new StringObject(vm, ((File) dvmObject.getValue()).getPath().replace('\\', '/'));
case "com/taobao/tao/TaobaoApplication->getApplicationInfo()Landroid/content/pm/ApplicationInfo;":
return super.callObjectMethod(vm, dvmObject,
"android/content/Context->getApplicationInfo()Landroid/content/pm/ApplicationInfo;", varArg);
case "android/content/Context->getSystemService(Ljava/lang/String;)Ljava/lang/Object;":
return ((TaobaoApplication) dvmObject.getValue()).getSystemService(varArg.getObjectArg(0).getValue().toString());
case "dalvik/system/PathClassLoader->findClass(Ljava/lang/String;)Ljava/lang/Class;":
return vm.resolveClass(varArg.getObjectArg(0).getValue().toString());
case "java/util/Enumeration->nextElement()Ljava/lang/Object;":
return ((Enumeration) dvmObject).nextElement();
case "android/content/Context->getContentResolver()Landroid/content/ContentResolver;":
return ((Context) dvmObject.getValue()).getContentResolver();
case "java/net/NetworkInterface->getName()Ljava/lang/String;":
return new StringObject(vm, ((Context.mNetworkInterface) dvmObject.getValue()).getName());
case "java/lang/Thread->getStackTrace()[Ljava/lang/StackTraceElement;":
return ProxyDvmObject.createObject(vm, ((Thread) dvmObject.getValue()).getStackTrace());
case "java/lang/StackTraceElement->toString()Ljava/lang/String;":
return new StringObject(vm, ((StackTraceElement) dvmObject.getValue()).toString());
case "java/util/HashMap->put(Ljava/lang/Object;Ljava/lang/Object;)Ljava/lang/Object;":
return ProxyDvmObject.createObject(vm, ((HashMap<Object, Object>) dvmObject.getValue())
.put(varArg.getObjectArg(0).getValue(), varArg.getObjectArg(1).getValue()));
}
return super.callObjectMethod(vm, dvmObject, signature, varArg);
}
@Override
public DvmObject<?> callObjectMethodV(BaseVM vm, DvmObject<?> dvmObject, String signature, VaList vaList) {
switch (signature) {
case "android/content/Context->getClassLoader()Ljava/lang/ClassLoader;":
return ProxyDvmObject.createObject(vm, this.getClass().getClassLoader());
case "android/content/Context->getPackageResourcePath()Ljava/lang/String;":
return ProxyDvmObject.createObject(vm, ((Context) dvmObject.getValue()).getPackageResourcePath());
case "android/content/Context->getFilesDir()Ljava/io/File;":
return ProxyDvmObject.createObject(vm, ((Context) dvmObject.getValue()).getFilesDir());
case "java/io/File->getPath()Ljava/lang/String;":
return ProxyDvmObject.createObject(vm, ((File) dvmObject.getValue()).getPath().replace('\\', '/'));
}
return super.callObjectMethodV(vm, dvmObject, signature, vaList);
}
@Override
public FileResult<AndroidFileIO> resolve(Emulator<AndroidFileIO> emulator, String pathname, int oflags) {
switch (pathname) {
case "/data/app/com.taobao.taobao-1/base.apk":
case "/data/user/0/com.taobao.taobao/files/sg_oc.lock":
case "/data/user/0/com.taobao.taobao/files/ab914f43b8296c2c.lock":
case "/data/user/0/com.taobao.taobao/files/0a231bd8575dcf72.txt":
case "/data/user/0/com.taobao.taobao/files/.ba2f9c85.lock":
case "/data/user/0/com.taobao.taobao/files/JX0WDG83P1ZN.txt":
case "/data/user/0/com.taobao.taobao/files/sgFile.lock":
case "/data/user/0/com.taobao.taobao/app_SGLib/SG_INNER_DATA":
return FileResult.success(emulator.getFileSystem().createSimpleFileIO(
new File("D:\\DesktopTemp\\tb\\rootfs", pathname), oflags, pathname));
case "/data/data/com.taobao.taobao/app_SGLib/sec":
case "/data/user/0/com.taobao.taobao/app_SGLib/sec":
case "/data/user/0/com.taobao.taobao/app_SGLib/lvmreport":
return FileResult.success(emulator.getFileSystem().createDirectoryFileIO(
new File("D:\\DesktopTemp\\tb\\rootfs", pathname), oflags, pathname));
default:
return null;
}
}
}