热门标签
热门文章
- 1欧盟网络安全产业分析
- 2windows11本地深度学习环境搭建Anacond,keras,tensorflow,pytorch, jupyter notebook
- 3韩国突发:将批准比特币ETF
- 4kubernetes Pod控制器详解
- 5如何做代币分析:以 TRX 币为例
- 6Python 语法及入门 (超全超详细) 专为Python零基础 一篇博客让你完全掌握Python语法
- 7大模型学习笔记四:LangChain开发框架解析
- 8Windows1903安装VMware Workstations Pro15.1.0并解锁Unlock3.0.2
- 9倍投技巧 - 凯利公式教你如何用正确的方法投资_正确的倍投6种方法
- 10SSM 完整项目 (内含源码)_gitee ssm项目
当前位置: article > 正文
Unidbg初步学习记录
作者:小丑西瓜9 | 2024-02-28 10:00:36
赞
踩
unidbg
一、Unidbg安装和使用
参考:https://www.jianshu.com/p/59e08e48ac20
二、Unidbg案例学习,模拟调用so文件生成京东sign参数
抓包商品详情页,要模拟的是sign参数
先搭建基础框架代码:
- package com.kdd.test;
-
- import com.github.unidbg.AndroidEmulator;
- import com.github.unidbg.LibraryResolver;
- import com.github.unidbg.Module;
- import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
- import com.github.unidbg.linux.android.AndroidResolver;
- import com.github.unidbg.linux.android.dvm.*;
- import com.github.unidbg.memory.Memory;
- import org.apache.commons.logging.Log;
- import org.apache.commons.logging.LogFactory;
-
- import java.io.*;
-
- public class jd_main extends AbstractJni {
- private static final Log log = LogFactory.getLog(AbstractJni.class);
- public static void main (String[] args) throws IOException {
- jd_main RunLDQ =new jd_main();
- RunLDQ.runJni();
- RunLDQ.destroy();
- }
-
- private void destroy() throws IOException{
- emulator.close();
- System.out.println("destroy");
- }
-
- private static LibraryResolver createLibraryResolver() {
- return new AndroidResolver(23);
- }
-
- private static AndroidEmulator createARMEmulator() {
- return AndroidEmulatorBuilder
- .for32Bit()
- .build();
- }
-
- private final AndroidEmulator emulator;
- private final VM vm;
- private Module module;
- private DvmClass aBitmapkitUtils;
-
- //初始化
- public jd_main(){
- emulator = createARMEmulator();
- final Memory memory = emulator.getMemory();
- // 设置 sdk版本 23
- memory.setLibraryResolver(createLibraryResolver());
-
- //使用apk文件加载so的话,会自动处理签名方面的jni,具体可看AbstractJni,利用apk加载的好处,
- vm = emulator.createDalvikVM(new File("F:\\frida_learn_app\\jd\\jd-9.2.2.apk"));
-
- vm.setJni(this);
- // 是否打印日志
- vm.setVerbose(true);
- }
-
- public String runJni(){
- //加载apk的so
- DalvikModule dm = vm.loadLibrary("jdbitmapkit", false);
- //调用jni
- dm.callJNI_OnLoad(emulator);
- module = dm.getModule();
- return null;
- }
运行有报错补代码
- @Override
- public DvmObject<?> getStaticObjectField(BaseVM vm, DvmClass dvmClass, String signature) {
- switch (signature) {
- case "com/jingdong/common/utils/BitmapkitUtils->a:Landroid/app/Application;": {
- return vm.resolveClass("android/app/Activity", vm.resolveClass("android/content/ContextWrapper", vm.resolveClass("android/content/Context"))).newObject(null);
- }
- }
- return super.getStaticObjectField(vm, dvmClass, signature);
- }
报错补代码
- @Override
- public DvmObject<?> callObjectMethod(BaseVM vm, DvmObject<?> dvmObject, String signature, VarArg varArg) {
- switch (signature) {
- case "android/app/Application->getPackageName()Ljava/lang/String;": {
- String packageName = vm.getPackageName();
- if (packageName != null) {
- return new StringObject(vm, packageName);
- }
- }
- }
- throw new UnsupportedOperationException(signature);
- }
报错补代码
- @Override
- public DvmObject<?> newObject(BaseVM vm, DvmClass dvmClass, String signature, VarArg varArg) {
- switch (signature) {
- case "sun/security/pkcs/PKCS7-><init>([B)V": {
- ByteArray array = varArg.getObjectArg(0);
- return new StringObject(vm, new String(array.getValue()));
- }
- }
- return super.newObject(vm, dvmClass, signature, varArg);
- }
基础环境没报错后,调用签名函数
- //加载so的哪个类
- aBitmapkitUtils = vm.resolveClass("com/jingdong/common/utils/BitmapkitUtils");
- //调用方法
- DvmObject<?> strRc = aBitmapkitUtils.callStaticJniMethodObject(emulator,"getSignFromJni()(Landroid/content/Context;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;",
- vm.addLocalObject(null),
- vm.addLocalObject(new StringObject(vm,"wareBusiness")),
- vm.addLocalObject(new StringObject(vm,"{\"abTest800\":true,\"avoidLive\":false,\"brand\":\"360\",\"cityId\":2144,\"darkModelEnum\":3,\"districtId\":24463,\"eventId\":\"Searchlist_Productid\",\"fromType\":0,\"isDesCbc\":true,\"latitude\":\"26.618816\",\"lego\":true,\"longitude\":\"106.644705\",\"model\":\"1605-A01\",\"ocrFlag\":false,\"pluginVersion\":90220,\"plusClickCount\":0,\"plusLandedFatigue\":0,\"provinceId\":\"24\",\"skuId\":\"10024083045618\",\"source_type\":\"search\",\"source_value\":\"鼠标垫小号\",\"townId\":51707,\"uAddrId\":\"0\"}")),
- vm.addLocalObject(new StringObject(vm,"uuid")),
- vm.addLocalObject(new StringObject(vm,"android")),
- vm.addLocalObject(new StringObject(vm,"9.2.2")));
- System.out.println(strRc.getValue());
- //获取返回值
- return (String) strRc.getValue();
后面有报错也是跟着报错补环境 最后成功运行出结果:
全部代码如下:
- package com.kdd.test;
-
- import com.github.unidbg.AndroidEmulator;
- import com.github.unidbg.LibraryResolver;
- import com.github.unidbg.Module;
- import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
- import com.github.unidbg.linux.android.AndroidResolver;
- import com.github.unidbg.linux.android.dvm.*;
- import com.github.unidbg.linux.android.dvm.Enumeration;
- import com.github.unidbg.linux.android.dvm.api.*;
- import com.github.unidbg.linux.android.dvm.api.ClassLoader;
- import com.github.unidbg.linux.android.dvm.array.ByteArray;
- import com.github.unidbg.memory.Memory;
- import org.apache.commons.logging.Log;
- import org.apache.commons.logging.LogFactory;
-
- import java.io.*;
- import java.security.MessageDigest;
- import java.security.cert.Certificate;
- import java.security.cert.CertificateEncodingException;
- import java.security.cert.CertificateException;
- import java.security.cert.CertificateFactory;
- import java.util.*;
-
- public class jd_main extends AbstractJni {
- private static final Log log = LogFactory.getLog(AbstractJni.class);
- public static void main (String[] args) throws IOException {
- jd_main RunLDQ =new jd_main();
- RunLDQ.runJni(args);
- RunLDQ.destroy();
- }
-
- private void destroy() throws IOException{
- emulator.close();
- System.out.println("destroy");
- }
-
- private static LibraryResolver createLibraryResolver() {
- return new AndroidResolver(23);
- }
-
- private static AndroidEmulator createARMEmulator() {
- return AndroidEmulatorBuilder
- .for32Bit()
- .build();
- }
-
- private final AndroidEmulator emulator;
- private final VM vm;
- private Module module;
- private DvmClass aBitmapkitUtils;
-
- //初始化
- public jd_main(){
- emulator = createARMEmulator();
- final Memory memory = emulator.getMemory();
- // 设置 sdk版本 23
- memory.setLibraryResolver(createLibraryResolver());
-
- //使用apk文件加载so的话,会自动处理签名方面的jni,具体可看AbstractJni,利用apk加载的好处,
- vm = emulator.createDalvikVM(new File("F:\\frida_learn_app\\jd\\jd-9.2.2.apk"));
-
- vm.setJni(this);
- // 是否打印日志
- // vm.setVerbose(true);
- }
-
- public String runJni(String[] args){
- //加载apk的so
- DalvikModule dm = vm.loadLibrary("jdbitmapkit", false);
- //调用jni
- dm.callJNI_OnLoad(emulator);
- module = dm.getModule();
- //加载so的哪个类
- aBitmapkitUtils = vm.resolveClass("com/jingdong/common/utils/BitmapkitUtils");
- //调用方法
- DvmObject<?> strRc = aBitmapkitUtils.callStaticJniMethodObject(emulator,"getSignFromJni()(Landroid/content/Context;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;",
- vm.addLocalObject(null),
- vm.addLocalObject(new StringObject(vm,"wareBusiness")),
- vm.addLocalObject(new StringObject(vm,"{\"abTest800\":true,\"avoidLive\":false,\"brand\":\"360\",\"cityId\":2144,\"darkModelEnum\":3,\"districtId\":24463,\"eventId\":\"Searchlist_Productid\",\"fromType\":0,\"isDesCbc\":true,\"latitude\":\"26.618816\",\"lego\":true,\"longitude\":\"106.644705\",\"model\":\"1605-A01\",\"ocrFlag\":false,\"pluginVersion\":90220,\"plusClickCount\":0,\"plusLandedFatigue\":0,\"provinceId\":\"24\",\"skuId\":\"10024083045618\",\"source_type\":\"search\",\"source_value\":\"鼠标垫小号\",\"townId\":51707,\"uAddrId\":\"0\"}")),
- vm.addLocalObject(new StringObject(vm,"uuid")),
- vm.addLocalObject(new StringObject(vm,"android")),
- vm.addLocalObject(new StringObject(vm,"9.2.2")));
- System.out.println(strRc.getValue());
- //获取返回值
- return (String) strRc.getValue();
- }
-
- @Override
- public DvmObject<?> getStaticObjectField(BaseVM vm, DvmClass dvmClass, String signature) {
- switch (signature) {
- case "com/jingdong/common/utils/BitmapkitUtils->a:Landroid/app/Application;": {
- return vm.resolveClass("android/app/Activity", vm.resolveClass("android/content/ContextWrapper", vm.resolveClass("android/content/Context"))).newObject(null);
- }
- }
- return super.getStaticObjectField(vm, dvmClass, signature);
- }
-
- @Override
- public DvmObject<?> newObject(BaseVM vm, DvmClass dvmClass, String signature, VarArg varArg) {
- switch (signature) {
- case "sun/security/pkcs/PKCS7-><init>([B)V": {
- ByteArray array = varArg.getObjectArg(0);
- return new StringObject(vm, new String(array.getValue()));
- }
- }
- return super.newObject(vm, dvmClass, signature, varArg);
- }
-
- @Override
- public DvmObject<?> callObjectMethod(BaseVM vm, DvmObject<?> dvmObject, String signature, VarArg varArg) {
- switch (signature) {
- case "android/app/Application->getPackageName()Ljava/lang/String;": {
- String packageName = vm.getPackageName();
- if (packageName != null) {
- return new StringObject(vm, packageName);
- }
- }
- }
- throw new UnsupportedOperationException(signature);
- }
-
- @Override
- public DvmObject<?> newObjectV(BaseVM vm, DvmClass dvmClass, String signature, VaList vaList) {
- switch (signature) {
- case "java/lang/StringBuffer-><init>()V":{
- return vm.resolveClass("java/lang/StringBuffer").newObject(new StringBuffer());
- }
- case "java/lang/Integer-><init>(I)V" :{
- return vm.resolveClass("java/lang/Integer").newObject(new Integer(vaList.getIntArg(0)));
- }
- }
- throw new UnsupportedOperationException(signature);
- }
-
- @Override
- public DvmObject<?> callObjectMethodV(BaseVM vm, DvmObject<?> dvmObject, String signature, VaList vaList) {
- switch (signature) {
- case "android/app/Application->getAssets()Landroid/content/res/AssetManager;":
- return new AssetManager(vm, signature);
- case "android/app/Application->getClassLoader()Ljava/lang/ClassLoader;":
- return new ClassLoader(vm, signature);
- case "android/app/Application->getContentResolver()Landroid/content/ContentResolver;":
- return vm.resolveClass("android/content/ContentResolver").newObject(signature);
- case "java/util/ArrayList->get(I)Ljava/lang/Object;": {
- int index = vaList.getIntArg(0);
- ArrayListObject arrayList = (ArrayListObject) dvmObject;
- return arrayList.getValue().get(index);
- }
- case "android/app/Application->getSystemService(Ljava/lang/String;)Ljava/lang/Object;": {
- StringObject serviceName = vaList.getObjectArg(0);
- assert serviceName != null;
- return new SystemService(vm, serviceName.getValue());
- }
- case "java/lang/String->toString()Ljava/lang/String;":
- return dvmObject;
- case "java/lang/Class->getName()Ljava/lang/String;":
- return new StringObject(vm, ((DvmClass) dvmObject).getName());
- case "android/view/accessibility/AccessibilityManager->getEnabledAccessibilityServiceList(I)Ljava/util/List;":
- return new ArrayListObject(vm, Collections.<DvmObject<?>>emptyList());
- case "java/util/Enumeration->nextElement()Ljava/lang/Object;":
- return ((Enumeration) dvmObject).nextElement();
- case "java/util/Locale->getLanguage()Ljava/lang/String;":
- Locale locale = (Locale) dvmObject.getValue();
- return new StringObject(vm, locale.getLanguage());
- case "java/util/Locale->getCountry()Ljava/lang/String;":
- locale = (Locale) dvmObject.getValue();
- return new StringObject(vm, locale.getCountry());
- case "android/os/IServiceManager->getService(Ljava/lang/String;)Landroid/os/IBinder;": {
- ServiceManager serviceManager = (ServiceManager) dvmObject;
- StringObject serviceName = vaList.getObjectArg(0);
- assert serviceName != null;
- return serviceManager.getService(vm, serviceName.getValue());
- }
- case "java/io/File->getAbsolutePath()Ljava/lang/String;":
- File file = (File) dvmObject.getValue();
- return new StringObject(vm, file.getAbsolutePath());
- case "android/app/Application->getPackageManager()Landroid/content/pm/PackageManager;":
- case "android/content/ContextWrapper->getPackageManager()Landroid/content/pm/PackageManager;":
- case "android/content/Context->getPackageManager()Landroid/content/pm/PackageManager;":
- DvmClass clazz = vm.resolveClass("android/content/pm/PackageManager");
- return clazz.newObject(signature);
- case "android/content/pm/PackageManager->getPackageInfo(Ljava/lang/String;I)Landroid/content/pm/PackageInfo;": {
- StringObject packageName = vaList.getObjectArg(0);
- assert packageName != null;
- int flags = vaList.getIntArg(1);
- if (log.isDebugEnabled()) {
- log.debug("getPackageInfo packageName=" + packageName.getValue() + ", flags=0x" + Integer.toHexString(flags));
- }
- return new PackageInfo(vm, packageName.getValue(), flags);
- }
- case "android/app/Application->getPackageName()Ljava/lang/String;":
- case "android/content/ContextWrapper->getPackageName()Ljava/lang/String;":
- case "android/content/Context->getPackageName()Ljava/lang/String;": {
- String packageName = vm.getPackageName();
- if (packageName != null) {
- return new StringObject(vm, packageName);
- }
- break;
- }
- case "android/content/pm/Signature->toByteArray()[B":
- if (dvmObject instanceof Signature) {
- Signature sig = (Signature) dvmObject;
- return new ByteArray(vm, sig.toByteArray());
- }
- break;
- case "android/content/pm/Signature->toCharsString()Ljava/lang/String;":
- if (dvmObject instanceof Signature) {
- Signature sig = (Signature) dvmObject;
- return new StringObject(vm, sig.toCharsString());
- }
- break;
- case "java/lang/String->getBytes()[B": {
- String str = (String) dvmObject.getValue();
- return new ByteArray(vm, str.getBytes());
- }
- case "java/lang/String->getBytes(Ljava/lang/String;)[B":
- String str = (String) dvmObject.getValue();
- StringObject charsetName = vaList.getObjectArg(0);
- assert charsetName != null;
- try {
- return new ByteArray(vm, str.getBytes(charsetName.getValue()));
- } catch (UnsupportedEncodingException e) {
- throw new IllegalStateException(e);
- }
- case "java/lang/Integer->toString()Ljava/lang/String;":{
- Integer iUse = (Integer)dvmObject.getValue();
- return new StringObject(vm, Integer.toString(iUse));
- }
- case "java/lang/StringBuffer->toString()Ljava/lang/String;":{
- StringBuffer str1 = (StringBuffer) dvmObject.getValue();
- return new StringObject(vm,str1.toString());
- }
- case "java/lang/StringBuffer->append(Ljava/lang/String;)Ljava/lang/StringBuffer;": {
- StringBuffer str1 = (StringBuffer) dvmObject.getValue();
- StringObject serviceName = vaList.getObjectArg(0);
- assert serviceName != null;
- return vm.resolveClass("java/lang/StringBuffer").newObject(str1.append(serviceName.getValue()));
- }
- case "java/security/cert/CertificateFactory->generateCertificate(Ljava/io/InputStream;)Ljava/security/cert/Certificate;":
- CertificateFactory factory = (CertificateFactory) dvmObject.getValue();
- DvmObject<?> stream = vaList.getObjectArg(0);
- assert stream != null;
- InputStream inputStream = (InputStream) stream.getValue();
- try {
- return vm.resolveClass("java/security/cert/Certificate").newObject(factory.generateCertificate(inputStream));
- } catch (CertificateException e) {
- throw new IllegalStateException(e);
- }
- case "java/security/cert/Certificate->getEncoded()[B": {
- Certificate certificate = (Certificate) dvmObject.getValue();
- try {
- return new ByteArray(vm, certificate.getEncoded());
- } catch (CertificateEncodingException e) {
- throw new IllegalStateException(e);
- }
- }
- case "java/security/MessageDigest->digest([B)[B": {
- MessageDigest messageDigest = (MessageDigest) dvmObject.getValue();
- ByteArray array = vaList.getObjectArg(0);
- assert array != null;
- return new ByteArray(vm, messageDigest.digest(array.getValue()));
- }
- case "java/util/ArrayList->remove(I)Ljava/lang/Object;": {
- int index = vaList.getIntArg(0);
- ArrayListObject list = (ArrayListObject) dvmObject;
- return list.getValue().remove(index);
- }
- case "java/util/List->get(I)Ljava/lang/Object;":
- List<?> list = (List<?>) dvmObject.getValue();
- return (DvmObject<?>) list.get(vaList.getIntArg(0));
- case "java/util/Map->entrySet()Ljava/util/Set;":
- Map<?, ?> map = (Map<?, ?>) dvmObject.getValue();
- return vm.resolveClass("java/util/Set").newObject(map.entrySet());
- case "java/util/Set->iterator()Ljava/util/Iterator;":
- Set<?> set = (Set<?>) dvmObject.getValue();
- return vm.resolveClass("java/util/Iterator").newObject(set.iterator());
- }
-
- throw new UnsupportedOperationException(signature);
- }
- }
三、打包成jar,方便其它程序调用
IDEA 找到 File → Project Structure … 然后选择 Artifacts, 点加号 Add 如图配置,勾上 Include tests
点击ok后 Build → Build Artifacts进行编译 编译成功后会生成很多jar文件
在控制台测试运行下 java -jar unidbg-master.jar
运行出了结果,证明打包的没问题
四、进行python调用打包的jar包
- # coding:utf-8
- import requests, urllib, subprocess
- import chardet, jpype,os
-
- headers = {
- "Host": "api.m.jd.com",
- "charset": "UTF-8",
- "cache-control": "no-cache",
- "content-type": "application/x-www-form-urlencoded; charset=UTF-8",
- "user-agent": "okhttp/3.12.1"
- }
- cookies = {
- }
- url = "https://api.m.jd.com/client.action"
- params = {
- "functionId": "wareBusiness",
- "clientVersion": "9.2.2",
- "build": "85371",
- "client": "android",
- "d_brand": "360",
- "d_model": "1605-A01",
- "osVersion": "6.0.1",
- "screen": "1920*1080",
- "partner": "ks012",
- "aid": "xxx",
- "oaid": "",
- "eid": "xxx",
- "sdkVersion": "23",
- "lang": "zh_CN",
- "uuid": "xxx",
- "area": "24_2144_2149_21104",
- "networkType": "wifi",
- "wifiBssid": "xxx",
- # "st": "1665562015795",
- # "sign": "45a7dc3f547be113a6a4dfa942e190c6",
- # "sv": "111"
- }
- body = '''{"abTest800":true,"avoidLive":false,"brand":"360","cityId":2144,"darkModelEnum":3,"districtId":24463,"eventId":"Searchlist_Productid","fromType":0,"isDesCbc":true,"latitude":"","lego":true,"longitude":"","model":"1605-A01","ocrFlag":false,"pluginVersion":90220,"plusClickCount":0,"plusLandedFatigue":0,"provinceId":"24","skuId":"10024083045618","source_type":"search","source_value":"鼠标垫小号","townId":51707,"uAddrId":"0"}'''
- data = {
- "lmt": "0",
- "body": body,
- "": ""
- }
- jvmPath=jpype.getDefaultJVMPath()
- d='unidbg_master_jar2/unidbg-master.jar'#对应jar地址
- jpype.startJVM(jvmPath,"-ea","-Djava.class.path="+d+"")
-
- JDClass=jpype.JClass("com.kdd.test.runliudq") //类目
- jd=JDClass()
- signature=jd.runJni(["wareBusiness", body, "uuid", "android", "9.2.2"])
-
- url = url + "?" + urllib.parse.urlencode(params) + "&" + str(signature)
- print(url)
- response = requests.post(url, headers=headers, cookies=cookies, data=data)
-
- print(response.text)
- print(response)
- jpype.shutdownJVM()
成功跑出结果
总结
这个案例网上有很多,适合入门哈哈
声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/小丑西瓜9/article/detail/158461
推荐阅读
相关标签
