本篇文章仅适用于学习。
最近一直在研究阿里系的请求问题,原来一直都是hook请求端口,虽然和很多人的hook参数生成x-sign不一样,可以说更稳定一些。但总归是脱离不了安卓环境——或者用模拟器,或者用真机。
对于逆向来说,非常的没有档次,没有逼格。
相对于直接逆向x-sign的算法而言,用unidbg调用so文件的难度要小很多。由易入难,unidbg这时候势在必行了。
但是,随着研究的深入,相关的学习资料越来越少,unidbg和直接逆向学习的资料,虽然有一些,但对于问题的深入,原理的解析,以及具体API方法的使用,可以说是少之又少。鱼和渔的问题,越来越尖锐了。
已经研究了差不多几个月,总感觉临门一脚了,程序调试也没有完全通过。虽然越挫越勇,会继续研究,但还是感觉得慢慢来,研究、学习,本身也是一场永无止境的修行。
下面的代码面向的是mtop6.5.27, 代码还存在不少问题,并不能直接使用。
import android.content.Context;
import com.github.unidbg.AndroidEmulator;
import com.github.unidbg.Emulator;
import com.github.unidbg.Module;
import com.github.unidbg.arm.HookStatus;
import com.github.unidbg.file.FileResult;
import com.github.unidbg.file.IOResolver;
import com.github.unidbg.file.linux.AndroidFileIO;
import com.github.unidbg.hook.HookContext;
import com.github.unidbg.hook.ReplaceCallback;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.linux.android.dvm.*;
import com.github.unidbg.linux.android.dvm.array.ByteArray;
import com.github.unidbg.linux.android.dvm.jni.ProxyDvmObject;
import com.github.unidbg.memory.Memory;
import com.github.unidbg.pointer.UnidbgPointer;
import com.github.unidbg.spi.SyscallHandler;
import com.taobao.tao.TaobaoApplication;
import org.json.JSONObject;

import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
-
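/**
 * unidbg harness for the SecurityGuard native libraries shipped in the Taobao APK.
 *
 * <p>The constructor builds a 32-bit Android emulator and installs this object both as the
 * JNI implementation of the Dalvik VM and as an {@link IOResolver} for guest file paths.
 * {@link #main} then loads the {@code sgmainso}, {@code sgsecuritybodyso} and
 * {@code sgmiddletierso} libraries and drives them through
 * {@code JNICLibrary.doCommandNative}. Each overridden JNI callback below answers one of the
 * Java-side calls those libraries make while they initialise.
 *
 * <p>NOTE(review): {@code Context} and {@code TaobaoApplication} are project-local stubs, not
 * the Android SDK classes of the same name — the methods used on them here
 * ({@code getNetworkInterfaces}, {@code getInt}, {@code getSimState}, ...) do not exist on the
 * SDK types. {@code loadTest3Hook}, called from {@link #main}, is not defined in this listing.
 *
 * <p>Not thread-safe: one instance owns one emulator and mutates {@link #slot}.
 */
public class TaoBao extends AbstractJni implements IOResolver<AndroidFileIO> {

    /** Host directory backing the emulated root file system; {@link #resolve} maps into it too. */
    private static final File ROOT_DIR = new File("D:\\DesktopTemp\\tb\\rootfs");

    /** JNI signature of the command dispatcher every step in {@link #main} goes through. */
    private static final String DO_COMMAND_NATIVE =
            "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;";

    /** Static field the native code reads and writes via the static-long-field callbacks. */
    private static final String SLOT_FIELD =
            "com/alibaba/wireless/security/framework/SGPluginExtras->slot:J";

    private final AndroidEmulator emulator;
    private final VM vm;
    private final Context context;
    // Key/value pairs that look copied from a real device's SecurityGuard storage. Nothing in
    // this listing reads the field; treat the contents as device-bound secrets and keep real
    // values out of committed source.
    private final JSONObject data;
    // Backing store for SGPluginExtras.slot (see SLOT_FIELD).
    private long slot;

    /**
     * Builds the emulator, the Dalvik VM for {@code apk} and the stub application context.
     *
     * @param apk the APK the Dalvik VM is created from
     * @throws Exception propagated from the emulator builder, the VM or the JSON parser
     */
    private TaoBao(File apk) throws Exception {
        emulator = AndroidEmulatorBuilder.for32Bit()
                .setRootDir(ROOT_DIR)
                .build();

        // Values exposed to the emulator via emulator.set(); they look copied from a real
        // device so that the native code observes stable inode numbers and uid.
        // TODO(review): confirm which emulator component consumes "inode" and "uid".
        Map<String, Integer> iNode = new LinkedHashMap<>();
        iNode.put("/data/system", 671745);
        iNode.put("/data/app", 327681);
        iNode.put("/sdcard/android", 294915);
        iNode.put("/data/user/0/com.taobao.taobao", 655781);
        iNode.put("/data/user/0/com.taobao.taobao/files", 655864);
        emulator.set("inode", iNode);
        emulator.set("uid", 10074);

        Memory memory = emulator.getMemory();
        // API 23 system libraries, matching the SDK_INT this class reports to native code.
        memory.setLibraryResolver(new AndroidResolver(23));
        SyscallHandler<AndroidFileIO> handler = emulator.getSyscallHandler();
        handler.setVerbose(false);
        handler.addIOResolver(this); // routes file opens through resolve()
        vm = emulator.createDalvikVM(apk);
        vm.setJni(this);
        vm.setVerbose(true);
        context = new TaobaoApplication(vm);
        data = new JSONObject("{\"Soft_SGTMAGIC\":\"4I1q9PXiORQGtBivoqf4hSwMk9pwm1D8o4NitR+kvgA=\",\"dynamicreid_dynamicreid\":\"d0666b5b6022eb0\",\"dynamicrsid_dynamicrsid\":\"e1a2607877e260b\",\"SgDyUpdate_ac7123c301ca455b\":\"1621600637\",\"LOCAL_DEVICE_INFO_982c1b269b8e023e5aede2421cbf9c48\":\"YKepcS4SY+ADAIS37Xj5c7s+\",\"DynamicData_accs_ssl_key2_https:\\/\\/ossgw.alicdn.com_21646297%[B\":\"nRWwrMQ\\/jz+oOTWkAZ5FOjhnS1k48SqJdb3w3u\\/ImZJMSXQnlxpD8g0Lyi4kEfgHy5Me33VQ8fyLfqHjPk5PXZ3SwQDtSG4Km7fj9RhEav6NeP85kaWorOA8KTx9u9MHnXdbQa4GVOpBTln\\/GKsPje5gRpmCtWUb71auNwVEO\\/s9LUhH\\/HOcH\\/fwdPixaJAi\\/wNKYYlijdORJgVTOwrtSls1DeUr61NyCDUQa0SkVhw6\\/8PI8gdM1JNt8QEcBIemgI0sM4zA3yyRxFTb0wwcu8CpLsBmIqxqZbvHA+2081dfYDIKuKguH9vYy4s\\/q++odPRvTB25RuEfvXWW\\/+IPtScYQXMx9\\/MG4RW7t80WR0+DOWZXHtkpVlPhTDcU9P2fI4bcQdRSTOIcaI6uFmnOdmb5b9QdtwU3qXgSOuBTh2Bdd6yTeyydRLChBzlWRtcZm6+tYgHOTJIWRNoDg8CxEw==\",\"llc-local_2c3c7f544c159842\":\"1621600921\",\"llc-local_abv2\":\"his:0\",\"llc-local_tcv2\":\"source:0,0,0\"}");
    }

    /**
     * Registers an already loaded plugin library with the main library (command 10102).
     *
     * @param targetClass the {@code JNICLibrary} class exposing {@code doCommandNative}
     * @param name        plugin name as the native side expects it
     * @param version     plugin version string
     * @param soPath      guest path of the plugin's .so file
     */
    private void registerPlugin(DvmClass targetClass, String name, String version, String soPath) {
        targetClass.callStaticJniMethodObject(emulator, DO_COMMAND_NATIVE,
                10102, ProxyDvmObject.createObject(vm, new Object[]{name, version, soPath}));
    }

    /**
     * Loads the three SecurityGuard libraries, initialises them and issues one 70102 command.
     *
     * <p>The APK and root-fs paths are hard-coded Windows paths; adjust {@link #ROOT_DIR} and
     * the APK path below for another host. The emulator is closed on every exit path,
     * including exceptions thrown by the JNI calls (the original only closed it after a
     * successful run).
     *
     * @param args ignored
     * @throws Exception anything thrown by the emulator, the VM or the native code
     */
    public static void main(String[] args) throws Exception {
        TaoBao taobao = new TaoBao(new File("D:\\DesktopTemp\\tb\\tb.apk"));

        try (AndroidEmulator emulator = taobao.emulator) {
            DvmClass targetClass =
                    taobao.vm.resolveClass("com/taobao/wireless/security/adapter/JNICLibrary");

            // Main library: load, JNI_OnLoad, then initialise (10101) before registering (10102).
            DalvikModule main = taobao.vm.loadLibrary("sgmainso-6.5.25", true);
            main.callJNI_OnLoad(emulator);
            targetClass.callStaticJniMethodObject(emulator, DO_COMMAND_NATIVE,
                    10101, ProxyDvmObject.createObject(taobao.vm, new Object[]{
                            taobao.context, 3, "", "/data/user/0/com.taobao.taobao/app_SGLib", ""
                    }));
            taobao.registerPlugin(targetClass, "main", "6.5.25",
                    "/data/app/com.taobao.taobao-1/lib/arm/libsgmainso-6.5.25.so");

            DalvikModule security = taobao.vm.loadLibrary("sgsecuritybodyso-6.5.33", true);
            security.callJNI_OnLoad(emulator);
            taobao.registerPlugin(targetClass, "securitybody", "6.5.33",
                    "/data/app/com.taobao.taobao-1/lib/arm/libsgsecuritybodyso-6.5.33.so");

            DalvikModule middletier = taobao.vm.loadLibrary("sgmiddletierso-6.5.27", true);
            middletier.callJNI_OnLoad(emulator);
            taobao.registerPlugin(targetClass, "middletier", "6.5.27",
                    "/data/app/com.taobao.taobao-1/lib/arm/libsgmiddletierso-6.5.27.so");

            // Not defined in this listing; the class does not compile without it.
            taobao.loadTest3Hook(middletier.getModule());

            // "丢失" appears to stand in for arguments the author did not reproduce.
            DvmObject<?> result = targetClass.callStaticJniMethodObject(emulator, DO_COMMAND_NATIVE,
                    70102, ProxyDvmObject.createObject(taobao.vm, new Object[]{
                            "丢失", "丢失",
                            false, 0, "mtop.alibaba.cro.umid.networksdk.savewb", "pageName=com.taobao.tao.welcome.Welcome&pageId=", null, null, null, "r_6"
                    }));

            // A null result or a null wrapped value is printed rather than raising an NPE.
            System.out.println(String.valueOf(result == null ? null : result.getValue()));
        }
    }

    /**
     * Backs {@code new} for the boxed types and the HashMap the native code constructs.
     *
     * @return a proxy around a host object, or the superclass result for other signatures
     */
    @Override
    public DvmObject<?> newObject(BaseVM vm, DvmClass dvmClass, String signature, VarArg varArg) {
        switch (signature) {
            case "java/lang/Integer-><init>(I)V":
                return ProxyDvmObject.createObject(vm, varArg.getIntArg(0));
            case "java/lang/Long-><init>(J)V":
                return ProxyDvmObject.createObject(vm, varArg.getLongArg(0));
            case "java/util/HashMap-><init>(I)V":
                // The initial capacity argument is ignored; the map is later used by
                // callObjectMethod's HashMap.put case.
                return ProxyDvmObject.createObject(vm, new HashMap<>());
        }
        return super.newObject(vm, dvmClass, signature, varArg);
    }

    /** Reports API 23 for {@code Build.VERSION.SDK_INT}, matching the library resolver. */
    @Override
    public int getStaticIntField(BaseVM vm, DvmClass dvmClass, String signature) {
        if ("android/os/Build$VERSION->SDK_INT:I".equals(signature)) {
            return 23;
        }
        return super.getStaticIntField(vm, dvmClass, signature);
    }

    /** Serves {@code SGPluginExtras.slot} from the value stored by {@link #setStaticLongField}. */
    @Override
    public long getStaticLongField(BaseVM vm, DvmClass dvmClass, String signature) {
        if (SLOT_FIELD.equals(signature)) {
            return slot;
        }
        return super.getStaticLongField(vm, dvmClass, signature);
    }

    /** Answers the two {@code ApplicationInfo} fields the native code reads. */
    @Override
    public DvmObject<?> getObjectField(BaseVM vm, DvmObject<?> dvmObject, String signature) {
        if ("android/content/pm/ApplicationInfo->nativeLibraryDir:Ljava/lang/String;".equals(signature)) {
            return new StringObject(vm, "/data/app/com.taobao.taobao-1/lib/arm");
        } else if ("android/content/pm/ApplicationInfo->sourceDir:Ljava/lang/String;".equals(signature)) {
            return new StringObject(vm, this.context.getPackageCodePath());
        }
        return super.getObjectField(vm, dvmObject, signature);
    }

    /** Stores {@code SGPluginExtras.slot}; read back by {@link #getStaticLongField}. */
    @Override
    public void setStaticLongField(BaseVM vm, DvmClass dvmClass, String signature, long value) {
        if (SLOT_FIELD.equals(signature)) {
            slot = value;
            return;
        }
        super.setStaticLongField(vm, dvmClass, signature, value);
    }

    /**
     * Static object calls: the plugin class loader and the network-interface enumeration.
     *
     * <p>Enumerating interfaces is best effort: a host-side failure is reported and
     * {@code null} handed back to native code instead of aborting the run.
     */
    @Override
    public DvmObject<?> callStaticObjectMethod(BaseVM vm, DvmClass dvmClass, String signature, VarArg varArg) {
        switch (signature) {
            case "com/alibaba/wireless/security/securitybody/SecurityGuardSecurityBodyPlugin->getPluginClassLoader()Ljava/lang/ClassLoader;":
                return vm.resolveClass("dalvik/system/PathClassLoader").newObject(this.getClass().getClassLoader());
            case "java/net/NetworkInterface->getNetworkInterfaces()Ljava/util/Enumeration;":
                try {
                    return Context.getNetworkInterfaces(vm);
                } catch (Exception e) {
                    e.printStackTrace();
                }
                return null;
        }
        return super.callStaticObjectMethod(vm, dvmClass, signature, varArg);
    }

    /** Turns the lifecycle/accessibility registrations into no-ops. */
    @Override
    public void callStaticVoidMethod(BaseVM vm, DvmClass dvmClass, String signature, VarArg varArg) {
        switch (signature) {
            case "com/alibaba/wireless/security/open/edgecomputing/ECMiscInfo->registerAppLifeCyCleCallBack()V":
            case "com/alibaba/wireless/security/securitybody/LifeCycle->setAccessibilityDelegateToView()V":
                return;
        }
        super.callStaticVoidMethod(vm, dvmClass, signature, varArg);
    }

    /**
     * Static int calls: fixed return codes for the SDK's own helpers and a pass-through of
     * {@code Settings.Secure.getInt} to the stub context.
     */
    @Override
    public int callStaticIntMethod(BaseVM vm, DvmClass dvmClass, String signature, VarArg varArg) {
        switch (signature) {
            case "com/taobao/wireless/security/adapter/common/SPUtility2->saveToFileUnifiedForNative(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Z)I":
                return 2;
            case "com/alibaba/wireless/security/framework/utils/UserTrackMethodJniBridge->utAvaiable()I":
            case "com/uc/crashsdk/JNIBridge->registerInfoCallback(Ljava/lang/String;IJI)I":
                return 1;
            case "android/provider/Settings$Secure->getInt(Landroid/content/ContentResolver;Ljava/lang/String;I)I":
                // arg 0 is the ContentResolver; arg 1 the setting name; arg 2 the default.
                return context.getInt(varArg.getObjectArg(1).getValue().toString(), varArg.getIntArg(2));
        }
        return super.callStaticIntMethod(vm, dvmClass, signature, varArg);
    }

    /** Boolean instance calls; accessibility is reported as disabled. */
    @Override
    public boolean callBooleanMethod(BaseVM vm, DvmObject<?> dvmObject, String signature, VarArg varArg) {
        switch (signature) {
            case "java/lang/Boolean->booleanValue()Z":
                return (Boolean) dvmObject.getValue();
            case "android/view/accessibility/AccessibilityManager->isEnabled()Z":
            case "android/view/accessibility/AccessibilityManager->isTouchExplorationEnabled()Z":
                return false;
            case "java/util/Enumeration->hasMoreElements()Z":
                return ((Enumeration) dvmObject).hasMoreElements();
            case "java/net/NetworkInterface->isUp()Z":
                return ((Context.mNetworkInterface) dvmObject.getValue()).isUp();
        }
        return super.callBooleanMethod(vm, dvmObject, signature, varArg);
    }

    /** Swallows the {@code CallbackHelper.onUpdated} notification. */
    @Override
    public void callVoidMethod(BaseVM vm, DvmObject<?> dvmObject, String signature, VarArg varArg) {
        if ("com/taobao/dp/util/CallbackHelper->onUpdated(IILjava/lang/String;)V".equals(signature)) {
            return;
        }
        super.callVoidMethod(vm, dvmObject, signature, varArg);
    }

    /** Int instance calls: unboxing and the SIM state from the stub context. */
    @Override
    public int callIntMethod(BaseVM vm, DvmObject<?> dvmObject, String signature, VarArg varArg) {
        if ("java/lang/Integer->intValue()I".equals(signature)) {
            return (Integer) dvmObject.getValue();
        } else if ("android/telephony/TelephonyManager->getSimState()I".equals(signature)) {
            return ((Context) dvmObject.getValue()).getSimState();
        }
        return super.callIntMethod(vm, dvmObject, signature, varArg);
    }

    /**
     * Object instance calls the libraries make; most delegate to the stub context or to
     * the host object wrapped in the {@link DvmObject}.
     */
    @Override
    public DvmObject<?> callObjectMethod(BaseVM vm, DvmObject<?> dvmObject, String signature, VarArg varArg) {
        switch (signature) {
            case "java/lang/String->getBytes()[B":
                // Android's default charset is always UTF-8, whereas the host JVM's default
                // is platform dependent (pre-Java 18). Naming the charset keeps non-ASCII
                // input (e.g. the Chinese strings passed from main) byte-identical to what
                // the real app would hand to the native code.
                return new ByteArray(vm, ((String) dvmObject.getValue()).getBytes(StandardCharsets.UTF_8));
            case "com/taobao/tao/TaobaoApplication->getPackageCodePath()Ljava/lang/String;":
                return new StringObject(vm, ((Context) dvmObject.getValue()).getPackageCodePath());
            case "com/taobao/tao/TaobaoApplication->getFilesDir()Ljava/io/File;":
            case "android/content/Context->getFilesDir()Ljava/io/File;":
                return ProxyDvmObject.createObject(vm, ((Context) dvmObject.getValue()).getFilesDir());
            case "java/io/File->getAbsolutePath()Ljava/lang/String;":
                // Host files live on Windows; present them with guest-style separators.
                return new StringObject(vm, ((File) dvmObject.getValue()).getPath().replace('\\', '/'));
            case "com/taobao/tao/TaobaoApplication->getApplicationInfo()Landroid/content/pm/ApplicationInfo;":
                return super.callObjectMethod(vm, dvmObject,
                        "android/content/Context->getApplicationInfo()Landroid/content/pm/ApplicationInfo;", varArg);
            case "android/content/Context->getSystemService(Ljava/lang/String;)Ljava/lang/Object;":
                return ((TaobaoApplication) dvmObject.getValue()).getSystemService(varArg.getObjectArg(0).getValue().toString());
            case "dalvik/system/PathClassLoader->findClass(Ljava/lang/String;)Ljava/lang/Class;":
                return vm.resolveClass(varArg.getObjectArg(0).getValue().toString());
            case "java/util/Enumeration->nextElement()Ljava/lang/Object;":
                return ((Enumeration) dvmObject).nextElement();
            case "android/content/Context->getContentResolver()Landroid/content/ContentResolver;":
                return ((Context) dvmObject.getValue()).getContentResolver();
            case "java/net/NetworkInterface->getName()Ljava/lang/String;":
                return new StringObject(vm, ((Context.mNetworkInterface) dvmObject.getValue()).getName());
            case "java/lang/Thread->getStackTrace()[Ljava/lang/StackTraceElement;":
                return ProxyDvmObject.createObject(vm, ((Thread) dvmObject.getValue()).getStackTrace());
            case "java/lang/StackTraceElement->toString()Ljava/lang/String;":
                return new StringObject(vm, ((StackTraceElement) dvmObject.getValue()).toString());
            case "java/util/HashMap->put(Ljava/lang/Object;Ljava/lang/Object;)Ljava/lang/Object;": {
                // The map was created in newObject() as HashMap<Object, Object>; the cast is
                // unchecked only because DvmObject.getValue() is erased to Object.
                @SuppressWarnings("unchecked")
                HashMap<Object, Object> map = (HashMap<Object, Object>) dvmObject.getValue();
                return ProxyDvmObject.createObject(vm,
                        map.put(varArg.getObjectArg(0).getValue(), varArg.getObjectArg(1).getValue()));
            }
        }
        return super.callObjectMethod(vm, dvmObject, signature, varArg);
    }

    /** Variadic-list variants of the context/file calls handled in {@link #callObjectMethod}. */
    @Override
    public DvmObject<?> callObjectMethodV(BaseVM vm, DvmObject<?> dvmObject, String signature, VaList vaList) {
        switch (signature) {
            case "android/content/Context->getClassLoader()Ljava/lang/ClassLoader;":
                return ProxyDvmObject.createObject(vm, this.getClass().getClassLoader());
            case "android/content/Context->getPackageResourcePath()Ljava/lang/String;":
                return ProxyDvmObject.createObject(vm, ((Context) dvmObject.getValue()).getPackageResourcePath());
            case "android/content/Context->getFilesDir()Ljava/io/File;":
                return ProxyDvmObject.createObject(vm, ((Context) dvmObject.getValue()).getFilesDir());
            case "java/io/File->getPath()Ljava/lang/String;":
                return ProxyDvmObject.createObject(vm, ((File) dvmObject.getValue()).getPath().replace('\\', '/'));
        }
        return super.callObjectMethodV(vm, dvmObject, signature, vaList);
    }

    /**
     * Maps guest paths the native code opens to files and directories under {@link #ROOT_DIR}.
     *
     * <p>Only the exact paths listed here are mapped; anything else returns {@code null}, which
     * unidbg treats as "not handled". That exact-match allow-list is also what keeps this
     * resolver from exposing arbitrary host files to the emulated code.
     *
     * @param emulator the emulator issuing the open
     * @param pathname guest path being opened
     * @param oflags   open(2) flags, passed through unchanged
     * @return the mapped file or directory, or {@code null} for unlisted paths
     */
    @Override
    public FileResult<AndroidFileIO> resolve(Emulator<AndroidFileIO> emulator, String pathname, int oflags) {
        switch (pathname) {
            case "/data/app/com.taobao.taobao-1/base.apk":
            case "/data/user/0/com.taobao.taobao/files/sg_oc.lock":
            case "/data/user/0/com.taobao.taobao/files/ab914f43b8296c2c.lock":
            case "/data/user/0/com.taobao.taobao/files/0a231bd8575dcf72.txt":
            case "/data/user/0/com.taobao.taobao/files/.ba2f9c85.lock":
            case "/data/user/0/com.taobao.taobao/files/JX0WDG83P1ZN.txt":
            case "/data/user/0/com.taobao.taobao/files/sgFile.lock":
            case "/data/user/0/com.taobao.taobao/app_SGLib/SG_INNER_DATA":
                return FileResult.success(emulator.getFileSystem().createSimpleFileIO(
                        new File(ROOT_DIR, pathname), oflags, pathname));
            case "/data/data/com.taobao.taobao/app_SGLib/sec":
            case "/data/user/0/com.taobao.taobao/app_SGLib/sec":
            case "/data/user/0/com.taobao.taobao/app_SGLib/lvmreport":
                return FileResult.success(emulator.getFileSystem().createDirectoryFileIO(
                        new File(ROOT_DIR, pathname), oflags, pathname));
            default:
                return null;
        }
    }

}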
