
运行报Invalid memory fetch (UC_ERR_FETCH_UNMAPPED)错误 #12

Closed
HHBO opened this issue May 19, 2019 · 2 comments

HHBO commented May 19, 2019

你好,我在调用一个so时报Invalid memory fetch (UC_ERR_FETCH_UNMAPPED)的错误,具体错误如下:
image
libdexshell.so有个依赖库libandroid.so,我尝试过把libandroid.so放到相关目录下,结果引发的错误更多了。现在在调用callJNI_OnLoad就会报Invalid memory fetch (UC_ERR_FETCH_UNMAPPED)的错误,请问这个问题要怎么解决呢?代码如下:
package com.dexshell.protect;

import cn.banny.auxiliary.Inspector;
import cn.banny.emulator.Module;
import cn.banny.emulator.Symbol;
import cn.banny.emulator.arm.ARMEmulator;
import cn.banny.emulator.file.FileIO;
import cn.banny.emulator.file.IOResolver;
import cn.banny.emulator.linux.android.AndroidARMEmulator;
import cn.banny.emulator.linux.android.AndroidResolver;
import cn.banny.emulator.linux.android.dvm.*;
import cn.banny.emulator.memory.Memory;

import java.io.File;
import java.io.IOException;

/**
 * Stand-alone harness from the issue report. It boots an emulated Android ARM
 * process for {@link #APP_PACKAGE_NAME}, loads the {@code dexshell} native
 * library from the APK at {@link #APK_PATH}, runs its {@code JNI_OnLoad}, and
 * then calls the exported {@code AES_set_decrypt_key} routine with the bytes
 * stored behind the exported {@code aes_key} symbol.
 *
 * <p>The class registers itself both as the JNI callback handler (via
 * {@code AbstractJni}) and as an {@code IOResolver} for the emulator's
 * syscall layer.
 */
public class DexShellUtil extends AbstractJni implements IOResolver {

    private static final String APP_PACKAGE_NAME = "com.zz.yzzj.aligames";
    private static final String APK_PATH = "src/test/resources/app/yzzj.apk";

    private final ARMEmulator emulator;
    private final VM vm;
    private final Module module;

    // Resolved in the constructor; nothing in this class reads it afterwards.
    private final DvmClass DexShell;

    /**
     * Creates the emulator, wires in the library resolver, loads the
     * {@code dexshell} library and invokes its {@code JNI_OnLoad}.
     *
     * @throws IOException declared by the original report; propagated from the emulator set-up calls
     */
    private DexShellUtil() throws IOException {
        this.emulator = new AndroidARMEmulator(APP_PACKAGE_NAME);
        this.emulator.getSyscallHandler().addIOResolver(this);
        System.out.println("== init ===");

        final Memory mem = this.emulator.getMemory();
        mem.setLibraryResolver(new AndroidResolver(19));
        mem.setCallInitFunction();

        this.vm = this.emulator.createDalvikVM(new File(APK_PATH));
        this.vm.setJni(this);

        // Second argument is false here, exactly as in the report.
        final DalvikModule loaded = this.vm.loadLibrary("dexshell", false);
        loaded.callJNI_OnLoad(this.emulator);
        this.module = loaded.getModule();

        this.DexShell = this.vm.resolveClass("com/dexshell/protect/DexShell");
    }

    /**
     * Closes the emulator and prints the loaded module plus an end marker.
     *
     * @throws IOException if closing the emulator fails
     */
    private void destroy() throws IOException {
        this.emulator.close();
        System.out.println("module=" + this.module);
        System.out.println("== destroy ===");
    }

    /**
     * Entry point: builds the harness, runs the key-schedule call, then tears down.
     *
     * @param args unused
     * @throws Exception anything raised while setting up or running the emulator
     */
    public static void main(String[] args) throws Exception {
        final DexShellUtil harness = new DexShellUtil();
        harness.Decrypt();
        harness.destroy();
    }

    /**
     * Reads 32 bytes behind the {@code aes_key} symbol, dumps them, and passes
     * them with a bit length of 128 to {@code AES_set_decrypt_key}.
     *
     * @throws IOException declared by the original report
     */
    private void Decrypt() throws IOException {
        final Symbol keySymbol = module.findSymbolByName("aes_key");
        System.out.println("aeskey address = " + keySymbol.getAddress());
        System.out.println("base address = " + module.base);

        final byte[] dumpedKey = keySymbol.createPointer(emulator).getByteArray(0, 32);
        Inspector.inspect(dumpedKey, "aes_key");

        // The key bytes are read a second time for the call argument, as in the report.
        final byte[] keyArgument = keySymbol.createPointer(emulator).getByteArray(0, 32);
        final ByteArray schedule = new ByteArray(new byte[128]);

        final Symbol setDecryptKey = module.findSymbolByName("AES_set_decrypt_key");
        System.out.println("address = " + setDecryptKey.getAddress());
        System.out.println("base = " + module.base);

        // NOTE(review): the routine is called as a raw native symbol, yet the third
        // argument is the value returned by vm.addLocalObject(...), not a memory
        // address. Presumably the native code expects a pointer here; confirm.
        final Number[] returned = module.callFunction(
                emulator,
                setDecryptKey.getAddress(),
                keyArgument,
                128,
                vm.addLocalObject(schedule));
        final Number status = returned[0];

        Inspector.inspect(schedule.getValue(), "AES_set_decrypt_key ret=" + status);
    }

    /**
     * {@code IOResolver} callback. This harness supplies no files of its own and
     * always answers {@code null}.
     *
     * @param workDir  working directory passed in by the emulator
     * @param pathname path being opened by the emulated code
     * @param oflags   open flags passed in by the emulator
     * @return always {@code null}
     */
    @Override
    public FileIO resolve(File workDir, String pathname, int oflags) {
        return null;
    }

}
测试的apk的链接是http://www.9game.cn/game/downs_530641_2.html
麻烦看看这个问题。谢谢!

@zhkl0228
Owner

下载最新的代码即可

@zhkl0228
Owner

zhkl0228 commented May 19, 2019

package com.dexshell.protect;

import cn.banny.auxiliary.Inspector;
import cn.banny.unidbg.Module;
import cn.banny.unidbg.Symbol;
import cn.banny.unidbg.arm.ARMEmulator;
import cn.banny.unidbg.file.FileIO;
import cn.banny.unidbg.file.IOResolver;
import cn.banny.unidbg.linux.android.AndroidARMEmulator;
import cn.banny.unidbg.linux.android.AndroidResolver;
import cn.banny.unidbg.linux.android.dvm.*;
import cn.banny.unidbg.memory.Memory;
import cn.banny.unidbg.pointer.UnicornPointer;
import com.sun.jna.Pointer;

import java.io.File;
import java.io.IOException;

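/**
 * Harness posted by the maintainer as the working version. It boots an emulated
 * Android ARM process for {@link #APP_PACKAGE_NAME}, loads the {@code dexshell}
 * native library from the APK at {@link #APK_PATH}, runs its {@code JNI_OnLoad},
 * and calls the exported {@code AES_set_decrypt_key} routine on the bytes behind
 * the exported {@code aes_key} symbol.
 *
 * <p>The class is both the JNI callback handler (via {@code AbstractJni}) and an
 * {@code IOResolver}. It answers the library's static call to
 * {@code com/dexshell/protect/Util->getSDKINT()I} with {@link #SDK_INT}.
 */
public class DexShellUtil extends AbstractJni implements IOResolver {

    // Used for the library resolver and as the getSDKINT() answer, so both agree.
    private static final int SDK_INT = 19;
    private static final String APP_PACKAGE_NAME = "com.zz.yzzj.aligames";

    private final ARMEmulator emulator;

    private static final String APK_PATH = "src/test/resources/app/yzzj.apk";

    private final Module module;

    // Resolved in the constructor; nothing in this class reads it afterwards.
    private final DvmClass DexShell;

    /**
     * Creates the emulator, installs the library resolver, loads the
     * {@code dexshell} library and invokes its {@code JNI_OnLoad}.
     *
     * @throws IOException declared by the original listing; propagated from the emulator set-up calls
     */
    private DexShellUtil() throws IOException {
        emulator = new AndroidARMEmulator(APP_PACKAGE_NAME);
        emulator.getSyscallHandler().addIOResolver(this);
        System.out.println("== init ===");

        final Memory memory = emulator.getMemory();
        memory.setLibraryResolver(new AndroidResolver(SDK_INT));
        memory.setCallInitFunction();

        VM vm = emulator.createDalvikVM(new File(APK_PATH));
        vm.setJni(this);
        DalvikModule dm = vm.loadLibrary("dexshell", true);
        dm.callJNI_OnLoad(emulator);
        module = dm.getModule();

        DexShell = vm.resolveClass("com/dexshell/protect/DexShell");
    }

    /**
     * Closes the emulator and prints the loaded module plus an end marker.
     *
     * @throws IOException if closing the emulator fails
     */
    private void destroy() throws IOException {
        emulator.close();
        System.out.println("module=" + module);
        System.out.println("== destroy ===");
    }

    /**
     * Entry point: builds the harness, runs the key-schedule call, then tears down.
     *
     * @param args unused
     * @throws Exception anything raised while setting up or running the emulator
     */
    public static void main(String[] args) throws Exception {
        DexShellUtil test = new DexShellUtil();
        try {
            test.Decrypt();
        } finally {
            // Release the emulator even when the native call fails.
            test.destroy();
        }
    }

    /**
     * Looks up an exported symbol and fails with a descriptive error when it is
     * absent, instead of a bare NullPointerException at first use.
     *
     * @param name exported symbol name
     * @return the symbol, never {@code null}
     * @throws IllegalStateException if the module does not export {@code name}
     */
    private Symbol requireSymbol(String name) {
        Symbol symbol = module.findSymbolByName(name);
        if (symbol == null) {
            throw new IllegalStateException("Symbol not found in module: " + name);
        }
        return symbol;
    }

    /**
     * Dumps 32 bytes behind {@code aes_key}, calls {@code AES_set_decrypt_key}
     * with a pointer to that symbol, a bit length of 128 and a 128-byte buffer,
     * then dumps 128 bytes at the address taken from the second returned value.
     *
     * @throws IOException declared by the original listing
     * @throws IllegalStateException if a symbol is missing or the call yields no usable address
     */
    private void Decrypt() throws IOException {
        Symbol aeskey = requireSymbol("aes_key");
        System.out.println("aeskey address = " + aeskey.getAddress());
        System.out.println("base address = " + module.base);
        Inspector.inspect(aeskey.createPointer(emulator).getByteArray(0, 32), "aes_key");

        // NOTE(review): if this export follows OpenSSL's
        // AES_set_decrypt_key(userKey, bits, AES_KEY *key), the output structure
        // is larger than 128 bytes and the routine would write past this buffer
        // inside emulated memory. Confirm the layout and size the buffer to match.
        byte[] result = new byte[128];

        Symbol AES_set_decrypt_key = requireSymbol("AES_set_decrypt_key");
        System.out.println("address = " + AES_set_decrypt_key.getAddress());
        System.out.println("base = " + module.base);
        Number[] numbers = AES_set_decrypt_key.call(emulator, aeskey.createPointer(emulator), 128, result);
        if (numbers == null || numbers.length < 2) {
            throw new IllegalStateException("AES_set_decrypt_key call returned fewer than two values");
        }
        int ret = numbers[0].intValue();

        // The second value is treated as a 32-bit address; the mask keeps it unsigned.
        // NOTE(review): confirm which index of the returned array refers to the
        // output buffer rather than to one of the other arguments.
        Pointer p1 = UnicornPointer.pointer(emulator, numbers[1].intValue() & 0xffffffffL);

        // An explicit check replaces the assert, which is skipped unless the JVM runs with -ea.
        if (p1 == null) {
            throw new IllegalStateException("AES_set_decrypt_key call yielded a null pointer");
        }
        Inspector.inspect(p1.getByteArray(0, 128), "AES_set_decrypt_key ret=" + ret);
    }

    /**
     * {@code IOResolver} callback. This harness supplies no files of its own and
     * always answers {@code null}.
     *
     * @param workDir  working directory passed in by the emulator
     * @param pathname path being opened by the emulated code
     * @param oflags   open flags passed in by the emulator
     * @return always {@code null}
     */
    @Override
    public FileIO resolve(File workDir, String pathname, int oflags) {
        return null;
    }

    /**
     * Answers the static int JNI call {@code Util.getSDKINT()} with
     * {@link #SDK_INT}; every other signature is delegated to the superclass.
     *
     * @param vm        VM issuing the call
     * @param dvmClass  class the static method belongs to
     * @param signature method signature in {@code class->name(args)ret} form
     * @param varArg    call arguments
     * @return {@link #SDK_INT} for {@code getSDKINT()}, otherwise the superclass result
     */
    @Override
    public int callStaticIntMethod(BaseVM vm, DvmClass dvmClass, String signature, VarArg varArg) {
        if ("com/dexshell/protect/Util->getSDKINT()I".equals(signature)) {
            return SDK_INT;
        }

        return super.callStaticIntMethod(vm, dvmClass, signature, varArg);
    }

}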
