
Question about a NULL error that occurs while executing "svcMemory.registerSvc" #54

Closed
chenliquan2 opened this issue Sep 16, 2019 · 2 comments

Comments

@chenliquan2

Hello, I've run into a problem: when calling _CallObjectMethodV, `DvmObject dvmObject = getObject(object.peer)` returns null. Someone else hit this problem earlier, and the fix you suggested was to pass in concrete content according to the specific context, but in my case no context needs to be passed, and the function signature was copied directly from the .so, so it should not be wrong. Since there is no good reference for this, I'm asking for your help.

Worth mentioning: when calling other native interfaces such as getKey, I can get the result directly; but when calling one of the SM2 decryption interfaces, the error above appears, and the function signatures in this .so seem to be obfuscated. I hope you can find time to take a look. Thanks!

Attachment:
TestPag.zip

@chenliquan2
Author

Sorry, I forgot to paste the LOG:

"C:\Program Files\Java\jdk1.8.0_201\bin\java.exe" "-javaagent:D:\Program Files\JetBrains\IntelliJ IDEA Community Edition 2019.1\lib\idea_rt.jar=59486:D:\Program Files\JetBrains\IntelliJ IDEA Community Edition 2019.1\bin" -Dfile.encoding=UTF-8 -classpath "C:\Program Files\Java\jdk1.8.0_201\jre\lib\charsets.jar;C:\Program Files\Java\jdk1.8.0_201\jre\lib\deploy.jar;C:\Program Files\Java\jdk1.8.0_201\jre\lib\ext\access-bridge-64.jar;C:\Program Files\Java\jdk1.8.0_201\jre\lib\ext\cldrdata.jar;C:\Program Files\Java\jdk1.8.0_201\jre\lib\ext\dnsns.jar;C:\Program Files\Java\jdk1.8.0_201\jre\lib\ext\jaccess.jar;C:\Program Files\Java\jdk1.8.0_201\jre\lib\ext\jfxrt.jar;C:\Program Files\Java\jdk1.8.0_201\jre\lib\ext\localedata.jar;C:\Program Files\Java\jdk1.8.0_201\jre\lib\ext\nashorn.jar;C:\Program Files\Java\jdk1.8.0_201\jre\lib\ext\sunec.jar;C:\Program Files\Java\jdk1.8.0_201\jre\lib\ext\sunjce_provider.jar;C:\Program Files\Java\jdk1.8.0_201\jre\lib\ext\sunmscapi.jar;C:\Program Files\Java\jdk1.8.0_201\jre\lib\ext\sunpkcs11.jar;C:\Program Files\Java\jdk1.8.0_201\jre\lib\ext\zipfs.jar;C:\Program Files\Java\jdk1.8.0_201\jre\lib\javaws.jar;C:\Program Files\Java\jdk1.8.0_201\jre\lib\jce.jar;C:\Program Files\Java\jdk1.8.0_201\jre\lib\jfr.jar;C:\Program Files\Java\jdk1.8.0_201\jre\lib\jfxswt.jar;C:\Program Files\Java\jdk1.8.0_201\jre\lib\jsse.jar;C:\Program Files\Java\jdk1.8.0_201\jre\lib\management-agent.jar;C:\Program Files\Java\jdk1.8.0_201\jre\lib\plugin.jar;C:\Program Files\Java\jdk1.8.0_201\jre\lib\resources.jar;C:\Program 
Files\Java\jdk1.8.0_201\jre\lib\rt.jar;D:\Users\Desktop\unidbg-master\target\test-classes;D:\Users\Desktop\unidbg-master\target\classes;C:\Users\Admin.m2\repository\org\unicorn-engine\unicorn\1.0.1\unicorn-1.0.1.jar;C:\Users\Admin.m2\repository\org\capstone-engine\capstone\3.0.5\capstone-3.0.5.jar;C:\Users\Admin.m2\repository\keystone\java-bindings\0.9.1-2\java-bindings-0.9.1-2.jar;C:\Users\Admin.m2\repository\net\java\dev\jna\jna-platform\4.5.1\jna-platform-4.5.1.jar;C:\Users\Admin.m2\repository\cn\banny\utils\0.0.8\utils-0.0.8.jar;C:\Users\Admin.m2\repository\net\java\dev\jna\jna\4.5.2\jna-4.5.2.jar;C:\Users\Admin.m2\repository\commons-io\commons-io\2.4\commons-io-2.4.jar;C:\Users\Admin.m2\repository\commons-logging\commons-logging\1.1.3\commons-logging-1.1.3.jar;C:\Users\Admin.m2\repository\net\dongliu\apk-parser\2.6.4\apk-parser-2.6.4.jar;C:\Users\Admin.m2\repository\io\kaitai\kaitai-struct-runtime\0.8\kaitai-struct-runtime-0.8.jar;C:\Users\Admin.m2\repository\log4j\log4j\1.2.17\log4j-1.2.17.jar;C:\Users\Admin.m2\repository\junit\junit\3.8.2\junit-3.8.2.jar;C:\Users\Admin.m2\repository\commons-codec\commons-codec\1.11\commons-codec-1.11.jar;C:\Users\Admin.m2\repository\org\slf4j\slf4j-api\1.7.26\slf4j-api-1.7.26.jar;C:\Users\Admin.m2\repository\org\slf4j\slf4j-log4j12\1.7.26\slf4j-log4j12-1.7.26.jar;D:\Users\Desktop\unidbg-master\prebuilt\jar\capstone-3.0.5.jar;D:\Users\Desktop\unidbg-master\prebuilt\jar\java-bindings-0.9.1-2.jar;D:\Users\Desktop\unidbg-master\prebuilt\jar\unicorn-1.0.1.jar;D:\Users\Desktop\unidbg-master\prebuilt\jar\utils-0.0.8.jar" cn.passguard.PassGuardEncrypt
[16:37:36 774] INFO [cn.banny.unidbg.linux.AndroidElfLoader] (AndroidElfLoader:200) - [libLLVM.so]symbol ElfSymbol[name=__modsi3, type=function, size=0] is missing relocationAddr=unicorn@0x413fed24[libLLVM.so]0x8fcd24, offset=0x0
[16:37:36 777] INFO [cn.banny.unidbg.linux.AndroidElfLoader] (AndroidElfLoader:200) - [libLLVM.so]symbol ElfSymbol[name=__umoddi3, type=function, size=0] is missing relocationAddr=unicorn@0x413fed2c[libLLVM.so]0x8fcd2c, offset=0x0
[16:37:36 777] INFO [cn.banny.unidbg.linux.AndroidElfLoader] (AndroidElfLoader:200) - [libLLVM.so]symbol ElfSymbol[name=__moddi3, type=function, size=0] is missing relocationAddr=unicorn@0x413fedd0[libLLVM.so]0x8fcdd0, offset=0x0
[16:37:36 778] INFO [cn.banny.unidbg.linux.AndroidElfLoader] (AndroidElfLoader:200) - [libLLVM.so]symbol ElfSymbol[name=__clear_cache, type=function, size=0] is missing relocationAddr=unicorn@0x413feed8[libLLVM.so]0x8fced8, offset=0x0
[16:37:36 778] INFO [cn.banny.unidbg.linux.AndroidElfLoader] (AndroidElfLoader:200) - [libbcc.so]symbol ElfSymbol[name=__clear_cache, type=function, size=0] is missing relocationAddr=unicorn@0x41427fec[libbcc.so]0x20fec, offset=0x0
[16:37:36 843] INFO [cn.banny.unidbg.linux.ARMSyscallHandler] (ARMSyscallHandler:1581) - openat dirfd=-100, pathname=/proc/filesystems, oflags=0x20000, mode=0
[16:37:36 893] INFO [cn.banny.unidbg.linux.ARMSyscallHandler] (ARMSyscallHandler:1581) - openat dirfd=-100, pathname=/dev/smem_log, oflags=0x20002, mode=0
[16:37:36 895] INFO [cn.banny.unidbg.linux.ARMSyscallHandler] (ARMSyscallHandler:1581) - openat dirfd=-100, pathname=/system/etc/qmi_fw.conf, oflags=0x20000, mode=0
[16:37:37 167] WARN [cn.banny.unidbg.linux.ARMSyscallHandler] (ARMSyscallHandler:383) - handleInterrupt intno=2, NR=125, svcNumber=0x0, PC=unicorn@0x401cc284[libc.so]0x41284, syscall=null
unicorn.UnicornException: No memory available or memory not present (UC_ERR_NOMEM)
at unicorn.Unicorn.mem_protect(Native Method)
at cn.banny.unidbg.spi.AbstractLoader.mprotect(AbstractLoader.java:188)
at cn.banny.unidbg.linux.ARMSyscallHandler.mprotect(ARMSyscallHandler.java:1478)
at cn.banny.unidbg.linux.ARMSyscallHandler.hook(ARMSyscallHandler.java:214)
at unicorn.Unicorn.invokeInterruptCallbacks(Unicorn.java:123)
at unicorn.Unicorn.emu_start(Native Method)
at cn.banny.unidbg.AbstractEmulator.emulate(AbstractEmulator.java:267)
at cn.banny.unidbg.AbstractEmulator.eFunc(AbstractEmulator.java:360)
at cn.banny.unidbg.arm.AbstractARMEmulator.eInit(AbstractARMEmulator.java:213)
at cn.banny.unidbg.linux.AbsoluteInitFunction.call(AbsoluteInitFunction.java:33)
at cn.banny.unidbg.linux.LinuxModule.callInitFunction(LinuxModule.java:46)
at cn.banny.unidbg.linux.AndroidElfLoader.loadInternal(AndroidElfLoader.java:171)
at cn.banny.unidbg.linux.AndroidElfLoader.loadInternal(AndroidElfLoader.java:30)
at cn.banny.unidbg.spi.AbstractLoader.load(AbstractLoader.java:211)
at cn.banny.unidbg.linux.android.dvm.BaseVM.loadLibrary(BaseVM.java:249)
at cn.passguard.PassGuardEncrypt.<init>(PassGuardEncrypt.java:55)
at cn.passguard.PassGuardEncrypt.main(PassGuardEncrypt.java:68)
[16:37:37 172] WARN [cn.banny.unidbg.AbstractEmulator] (AbstractEmulator:271) - emulate unicorn@0x401a168d[libc.so]0x1668d failed: sp=unicorn@0xbffff69c, offset=363ms
unicorn.UnicornException: No memory available or memory not present (UC_ERR_NOMEM)
at unicorn.Unicorn.mem_protect(Native Method)
at cn.banny.unidbg.spi.AbstractLoader.mprotect(AbstractLoader.java:188)
at cn.banny.unidbg.linux.ARMSyscallHandler.mprotect(ARMSyscallHandler.java:1478)
at cn.banny.unidbg.linux.ARMSyscallHandler.hook(ARMSyscallHandler.java:214)
at unicorn.Unicorn.invokeInterruptCallbacks(Unicorn.java:123)
at unicorn.Unicorn.emu_start(Native Method)
at cn.banny.unidbg.AbstractEmulator.emulate(AbstractEmulator.java:267)
at cn.banny.unidbg.AbstractEmulator.eFunc(AbstractEmulator.java:360)
at cn.banny.unidbg.arm.AbstractARMEmulator.eInit(AbstractARMEmulator.java:213)
at cn.banny.unidbg.linux.AbsoluteInitFunction.call(AbsoluteInitFunction.java:33)
at cn.banny.unidbg.linux.LinuxModule.callInitFunction(LinuxModule.java:46)
at cn.banny.unidbg.linux.AndroidElfLoader.loadInternal(AndroidElfLoader.java:171)
at cn.banny.unidbg.linux.AndroidElfLoader.loadInternal(AndroidElfLoader.java:30)
at cn.banny.unidbg.spi.AbstractLoader.load(AbstractLoader.java:211)
at cn.banny.unidbg.linux.android.dvm.BaseVM.loadLibrary(BaseVM.java:249)
at cn.passguard.PassGuardEncrypt.<init>(PassGuardEncrypt.java:55)
at cn.passguard.PassGuardEncrypt.main(PassGuardEncrypt.java:68)
[16:37:37 172] INFO [cn.banny.unidbg.linux.LinuxModule] (LinuxModule:39) - [libLLVM.so]__modsi3 symbol is missing before init relocationAddr=unicorn@0x413fed24[libLLVM.so]0x8fcd24
[16:37:37 173] INFO [cn.banny.unidbg.linux.LinuxModule] (LinuxModule:39) - [libLLVM.so]__umoddi3 symbol is missing before init relocationAddr=unicorn@0x413fed2c[libLLVM.so]0x8fcd2c
[16:37:37 173] INFO [cn.banny.unidbg.linux.LinuxModule] (LinuxModule:39) - [libLLVM.so]__moddi3 symbol is missing before init relocationAddr=unicorn@0x413fedd0[libLLVM.so]0x8fcdd0
[16:37:37 173] INFO [cn.banny.unidbg.linux.LinuxModule] (LinuxModule:39) - [libLLVM.so]__clear_cache symbol is missing before init relocationAddr=unicorn@0x413feed8[libLLVM.so]0x8fced8
[16:37:37 173] INFO [cn.banny.unidbg.linux.LinuxModule] (LinuxModule:39) - [libbcc.so]__clear_cache symbol is missing before init relocationAddr=unicorn@0x41427fec[libbcc.so]0x20fec
[16:37:37 177] INFO [cn.banny.unidbg.linux.ARMSyscallHandler] (ARMSyscallHandler:460) - ptrace request=0x0, pid=0, addr=null, data=null
getKey:124268048476002231160546874792054445205859695541773682585510549341692856527133748338173673409724680644261254462092544451007823053290585560919751502040858723643650222704101093197109429006854655834856230931813529754840873403742860610007429079738487054902351423296508023834355690216104617853526135691550059952419&65537
[16:37:37 201] INFO [cn.banny.unidbg.linux.AndroidElfLoader] (AndroidElfLoader:200) - [libLLVM.so]symbol ElfSymbol[name=__modsi3, type=function, size=0] is missing relocationAddr=unicorn@0x413fed24[libLLVM.so]0x8fcd24, offset=0x0
[16:37:37 201] INFO [cn.banny.unidbg.linux.AndroidElfLoader] (AndroidElfLoader:200) - [libLLVM.so]symbol ElfSymbol[name=__umoddi3, type=function, size=0] is missing relocationAddr=unicorn@0x413fed2c[libLLVM.so]0x8fcd2c, offset=0x0
[16:37:37 201] INFO [cn.banny.unidbg.linux.AndroidElfLoader] (AndroidElfLoader:200) - [libLLVM.so]symbol ElfSymbol[name=__moddi3, type=function, size=0] is missing relocationAddr=unicorn@0x413fedd0[libLLVM.so]0x8fcdd0, offset=0x0
[16:37:37 201] INFO [cn.banny.unidbg.linux.AndroidElfLoader] (AndroidElfLoader:200) - [libLLVM.so]symbol ElfSymbol[name=__clear_cache, type=function, size=0] is missing relocationAddr=unicorn@0x413feed8[libLLVM.so]0x8fced8, offset=0x0
[16:37:37 202] INFO [cn.banny.unidbg.linux.AndroidElfLoader] (AndroidElfLoader:200) - [libbcc.so]symbol ElfSymbol[name=__clear_cache, type=function, size=0] is missing relocationAddr=unicorn@0x41427fec[libbcc.so]0x20fec, offset=0x0
[16:37:37 202] INFO [cn.banny.unidbg.linux.LinuxModule] (LinuxModule:39) - [libLLVM.so]__modsi3 symbol is missing before init relocationAddr=unicorn@0x413fed24[libLLVM.so]0x8fcd24
[16:37:37 202] INFO [cn.banny.unidbg.linux.LinuxModule] (LinuxModule:39) - [libLLVM.so]__umoddi3 symbol is missing before init relocationAddr=unicorn@0x413fed2c[libLLVM.so]0x8fcd2c
[16:37:37 202] INFO [cn.banny.unidbg.linux.LinuxModule] (LinuxModule:39) - [libLLVM.so]__moddi3 symbol is missing before init relocationAddr=unicorn@0x413fedd0[libLLVM.so]0x8fcdd0
[16:37:37 202] INFO [cn.banny.unidbg.linux.LinuxModule] (LinuxModule:39) - [libLLVM.so]__clear_cache symbol is missing before init relocationAddr=unicorn@0x413feed8[libLLVM.so]0x8fced8
[16:37:37 202] INFO [cn.banny.unidbg.linux.LinuxModule] (LinuxModule:39) - [libbcc.so]__clear_cache symbol is missing before init relocationAddr=unicorn@0x41427fec[libbcc.so]0x20fec
[16:37:37 286] INFO [cn.banny.unidbg.linux.AndroidElfLoader] (AndroidElfLoader:200) - [libLLVM.so]symbol ElfSymbol[name=__modsi3, type=function, size=0] is missing relocationAddr=unicorn@0x413fed24[libLLVM.so]0x8fcd24, offset=0x0
[16:37:37 288] INFO [cn.banny.unidbg.linux.AndroidElfLoader] (AndroidElfLoader:200) - [libLLVM.so]symbol ElfSymbol[name=__umoddi3, type=function, size=0] is missing relocationAddr=unicorn@0x413fed2c[libLLVM.so]0x8fcd2c, offset=0x0
[16:37:37 289] INFO [cn.banny.unidbg.linux.AndroidElfLoader] (AndroidElfLoader:200) - [libLLVM.so]symbol ElfSymbol[name=__moddi3, type=function, size=0] is missing relocationAddr=unicorn@0x413fedd0[libLLVM.so]0x8fcdd0, offset=0x0
[16:37:37 289] INFO [cn.banny.unidbg.linux.LinuxModule] (LinuxModule:39) - [libLLVM.so]__modsi3 symbol is missing before init relocationAddr=unicorn@0x413fed24[libLLVM.so]0x8fcd24
[16:37:37 289] INFO [cn.banny.unidbg.linux.LinuxModule] (LinuxModule:39) - [libLLVM.so]__umoddi3 symbol is missing before init relocationAddr=unicorn@0x413fed2c[libLLVM.so]0x8fcd2c
[16:37:37 290] INFO [cn.banny.unidbg.linux.LinuxModule] (LinuxModule:39) - [libLLVM.so]__moddi3 symbol is missing before init relocationAddr=unicorn@0x413fedd0[libLLVM.so]0x8fcdd0
【 SM2Encrypt 】
SM2Encrypt arg0=00a61737d578677488bafb1a825b4426a31b760d73eb1edba10a86d3e608ee6c06|00d16a855df766e7e41540b76fb1dfcc68701e4761027f0fcec11390b4d1db88ca
SM2Encrypt arg1=aabbcc123
【 jstring2str 】
jstring2str arg0=
jstring2str arg1=����
jstring2str arg2=aabbcc123
[16:37:37 504] WARN [cn.banny.unidbg.linux.ARMSyscallHandler] (ARMSyscallHandler:383) - handleInterrupt intno=2, NR=-130672, svcNumber=0x112, PC=unicorn@0xfffe01b4, syscall=null
unicorn.UnicornException: dvmObject=null, dvmClass=null, jmethodID=unicorn@0x318b4ca9
at cn.banny.unidbg.linux.android.dvm.DalvikVM$19.handle(DalvikVM.java:308)
at cn.banny.unidbg.linux.ARMSyscallHandler.hook(ARMSyscallHandler.java:91)
at unicorn.Unicorn.invokeInterruptCallbacks(Unicorn.java:123)
at unicorn.Unicorn.emu_start(Native Method)
at cn.banny.unidbg.AbstractEmulator.emulate(AbstractEmulator.java:267)
at cn.banny.unidbg.AbstractEmulator.eFunc(AbstractEmulator.java:360)
at cn.banny.unidbg.arm.AbstractARMEmulator.eFunc(AbstractARMEmulator.java:201)
at cn.banny.unidbg.linux.LinuxModule.emulateFunction(LinuxModule.java:154)
at cn.banny.unidbg.linux.android.dvm.DvmClass.callStaticJniMethod(DvmClass.java:140)
at cn.passguard.PassGuardEncrypt.sig_1init(PassGuardEncrypt.java:203)
at cn.passguard.PassGuardEncrypt.main(PassGuardEncrypt.java:70)
[16:37:37 505] WARN [cn.banny.unidbg.AbstractEmulator] (AbstractEmulator:281) - emulate unicorn@0x40033c7d[libPassGuard.so]0x33c7d exception sp=unicorn@0xbffff684, msg=dvmObject=null, dvmClass=null, jmethodID=unicorn@0x318b4ca9, offset=11ms
destroy

Process finished with exit code 0

@chenliquan2
Author

I found that the arguments were being passed incorrectly; please change PassGuardEncrypt.java to the following (the same problem still occurs after the change):

package cn.passguard;

import cn.banny.unidbg.Emulator;
import cn.banny.unidbg.LibraryResolver;
import cn.banny.unidbg.Module;
import cn.banny.unidbg.Symbol;
import cn.banny.unidbg.arm.ARMEmulator;
import cn.banny.unidbg.arm.HookStatus;
import cn.banny.unidbg.arm.context.RegisterContext;
import cn.banny.unidbg.hook.ReplaceCallback;
import cn.banny.unidbg.hook.hookzz.HookEntryInfo;
import cn.banny.unidbg.hook.hookzz.HookZz;
import cn.banny.unidbg.hook.hookzz.IHookZz;
import cn.banny.unidbg.hook.hookzz.WrapCallback;
import cn.banny.unidbg.hook.whale.IWhale;
import cn.banny.unidbg.hook.whale.Whale;
import cn.banny.unidbg.linux.android.AndroidARMEmulator;
import cn.banny.unidbg.linux.android.AndroidResolver;
import cn.banny.unidbg.linux.android.dvm.*;
import cn.banny.unidbg.memory.Memory;
import com.sun.jna.Pointer;

import java.io.File;
import java.io.IOException;

public class PassGuardEncrypt extends AbstractJni {

    private static final String APP_PACKAGE_NAME = "io.dcloud.H59193852";

    private static LibraryResolver createLibraryResolver() {
        return new AndroidResolver(23);
    }

    private static ARMEmulator createARMEmulator() {
        return new AndroidARMEmulator(APP_PACKAGE_NAME);
    }

    private final ARMEmulator emulator;
    private final VM vm;
    private final Module module;

    private final DvmClass PassGuardEncrypt;

    private PassGuardEncrypt() throws IOException {
        emulator = createARMEmulator();
        final Memory memory = emulator.getMemory();
        memory.setLibraryResolver(createLibraryResolver());
        memory.setCallInitFunction();

        // Load the target library into the emulated Dalvik VM and run JNI_OnLoad.
        vm = emulator.createDalvikVM(null);
        DalvikModule dm = vm.loadLibrary(new File("src/test/resources/example_binaries/armeabi-v7a/libPassGuard.so"), false);
        dm.callJNI_OnLoad(emulator);
        module = dm.getModule();

        PassGuardEncrypt = vm.resolveClass("cn/passguard/PassGuardEncrypt");
    }

    private void destroy() throws IOException {
        emulator.close();
        System.out.println("destroy");
    }

    public static void main(String[] args) throws Exception {
        PassGuardEncrypt test = new PassGuardEncrypt();

        test.sig_1init();

        test.destroy();
    }

    private void sig_1init() throws IOException {
        // getKey() works: the returned jstring handle resolves to a StringObject.
        Number ret = PassGuardEncrypt.callStaticJniMethod(emulator, "getKey()Ljava/lang/String;");
        long hash = ret.intValue() & 0xffffffffL;
        StringObject checksum = vm.getObject(hash);
        System.out.println("getKey:" + checksum.getValue());

        IHookZz hookZz = HookZz.getInstance(emulator);

        // System.out.println("reg1:" + hookZz);
        // System.out.println("reg2:" + module);

        // SM2Encrypt (obfuscated symbol name, copied from the .so)
        hookZz.wrap(module.findSymbolByName("_Z32BB636C2CFA9E4B8ABE0FA1432BEBBBA4P7_JNIEnvP8_jobjectP8_jstringS4_"), new WrapCallback<RegisterContext>() {
            @Override
            public void preCall(Emulator emulator, RegisterContext ctx, HookEntryInfo info) {
                System.out.println("【 SM2Encrypt 】");

                Pointer pointer = ctx.getPointerArg(2);
                String str = pointer.getString(0);
                System.out.println("SM2Encrypt arg0=" + str);

                pointer = ctx.getPointerArg(3);
                str = pointer.getString(0);
                System.out.println("SM2Encrypt arg1=" + str);
            }

            @Override
            public void postCall(Emulator emulator, RegisterContext ctx, HookEntryInfo info) {
                System.out.println("realsm2 arg=");
            }
        });

        // realsm2 (inline hook via Whale)
        IWhale whale = Whale.getInstance(emulator);
        Symbol free = emulator.getMemory().findModule("libPassGuard.so").findSymbolByName("_Z7realsm2RKSsS0_");
        whale.WInlineHookFunction(free, new ReplaceCallback() {
            @Override
            public HookStatus onCall(Emulator emulator, long originFunction) {
                System.out.println("【 realsm2 】");

                System.out.println("WInlineHookFunction free1=");
                Pointer pointer = emulator.getContext().getPointerArg(0);
                String str = pointer.getString(0);
                System.out.println("WInlineHookFunction free=" + str);
                return HookStatus.RET(emulator, originFunction);
            }
        });

        // jstring2str
        hookZz.wrap(module.findSymbolByName("_Z11jstring2strP7_JNIEnvP8_jstring"), new WrapCallback<RegisterContext>() {
            @Override
            public void preCall(Emulator emulator, RegisterContext ctx, HookEntryInfo info) {
                System.out.println("【 jstring2str 】");

                Pointer pointer = ctx.getPointerArg(0);
                String str = pointer.getString(0);
                System.out.println("jstring2str arg0=" + str);

                pointer = ctx.getPointerArg(1);
                str = pointer.getString(0);
                System.out.println("jstring2str arg1=" + str);

                pointer = ctx.getPointerArg(2);
                str = pointer.getString(0);
                System.out.println("jstring2str arg2=" + str);
            }

            @Override
            public void postCall(Emulator emulator, RegisterContext ctx, HookEntryInfo info) {
            }
        });

        // realsm2 (wrap hook via HookZz)
        hookZz.wrap(module.findSymbolByName("_Z7realsm2RKSsS0_"), new WrapCallback<RegisterContext>() {
            @Override
            public void preCall(Emulator emulator, RegisterContext ctx, HookEntryInfo info) {
                System.out.println("【 realsm2 】");

                Pointer pointer = ctx.getPointerArg(2);
                String str = pointer.getString(0);
                System.out.println("realsm2 arg0=" + str);
            }

            @Override
            public void postCall(Emulator emulator, RegisterContext ctx, HookEntryInfo info) {
            }
        });

        // str2jstring
        hookZz.wrap(module.findSymbolByName("_Z11str2jstringP7_JNIEnvPKc"), new WrapCallback<RegisterContext>() {
            @Override
            public void preCall(Emulator emulator, RegisterContext ctx, HookEntryInfo info) {
                System.out.println("【 str2jstring 】");

                Pointer pointer = ctx.getPointerArg(0);
                String str = pointer.getString(0);
                System.out.println("str2jstring arg0=" + str);

                pointer = ctx.getPointerArg(1);
                str = pointer.getString(0);
                System.out.println("str2jstring arg1=" + str);

                pointer = ctx.getPointerArg(2);
                str = pointer.getString(0);
                System.out.println("str2jstring arg2=" + str);
            }

            @Override
            public void postCall(Emulator emulator, RegisterContext ctx, HookEntryInfo info) {
            }
        });

        // free = emulator.getMemory().findModule("libPassGuard.so").findSymbolByName("sub_32A06");
        // System.out.println("【 sub_32A06 】" + free);
        // whale.WInlineHookFunction(free, new ReplaceCallback() {
        //     @Override
        //     public HookStatus onCall(Emulator emulator, long originFunction) {
        //         System.out.println("【 sub_32A06 】2");
        //
        //         System.out.println("WInlineHookFunction free1=");
        //         Pointer pointer = emulator.getContext().getPointerArg(0);
        //         String str = pointer.getString(0);
        //         System.out.println("WInlineHookFunction free=" + str);
        //         return HookStatus.RET(emulator, originFunction);
        //     }
        // });

        // Call SM2Encrypt with both arguments registered as VM-local string objects.
        final String key = "00a61737d578677488bafb1a825b4426a31b760d73eb1edba10a86d3e608ee6c06|00d16a855df766e7e41540b76fb1dfcc68701e4761027f0fcec11390b4d1db88ca";
        final String psw = "aabbcc123";
        ret = PassGuardEncrypt.callStaticJniMethod(emulator,
                "SM2Encrypt(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;",
                vm.addLocalObject(new StringObject(vm, key)),
                vm.addLocalObject(new StringObject(vm, psw)));

        vm.deleteLocalRefs();
        System.out.println("SM2Encrypt ret:" + ret);

        // long hash2 = ret.intValue() & 0xffffffffL;
        // StringObject checksum2 = vm.getObject(hash2);
        // vm.deleteLocalRefs();
        // System.out.println("SM2Encrypt value:" + checksum2.getValue());
    }

    @Override
    public DvmObject callStaticObjectMethod(BaseVM vm, DvmClass dvmClass, String signature, VarArg varArg) {
        if ("java/lang/System->getProperty(Ljava/lang/String;)Ljava/lang/String;".equals(signature)) {
            StringObject string = varArg.getObject(0);
            return new StringObject(vm, System.getProperty(string.getValue()));
        }

        return super.callStaticObjectMethod(vm, dvmClass, signature, varArg);
    }

}
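An added diagnostic helper for the trace above, written here as an example and not taken from unidbg or from the issue's own code. The log line `jstring2str arg1=����` comes from reading a `jstring` argument with `Pointer.getString(0)`: under unidbg a `jstring`/`jobject` passed to native code is a local-reference handle issued by the emulated DalvikVM, not a `char*`, so it has to be resolved through `vm.getObject(handle)`; a handle the VM never issued is also what produces the `dvmObject=null` failure when the library later calls `CallObjectMethod` on it. The helper resolves the handle the way the issue's own `getKey` code does, prints the handle value when the VM does not know it, and overrides `callObjectMethod` so every instance-method call the native side makes is logged with its receiver and signature. It assumes the cn.banny unidbg 0.x API used in this issue, that `RegisterContext` exposes `getIntArg(int)` and that `AbstractJni.callObjectMethod` has the signature shown (both assumptions); the symbol name and library path are the ones from the issue.

```java
package cn.passguard;

import cn.banny.unidbg.Emulator;
import cn.banny.unidbg.Module;
import cn.banny.unidbg.arm.context.RegisterContext;
import cn.banny.unidbg.hook.hookzz.HookEntryInfo;
import cn.banny.unidbg.hook.hookzz.HookZz;
import cn.banny.unidbg.hook.hookzz.IHookZz;
import cn.banny.unidbg.hook.hookzz.WrapCallback;
import cn.banny.unidbg.linux.android.dvm.*;

/**
 * Added example (not unidbg's code, not the issue author's code).
 * Assumes the cn.banny.unidbg 0.x API and that RegisterContext has
 * getIntArg(int) (assumption).
 */
public class JniArgTracer extends AbstractJni {

    /** Resolve a jstring/jobject handle held in argument register `index`. */
    static String describeHandleArg(VM vm, RegisterContext ctx, int index) {
        // The register holds a 32-bit local-ref handle, not a char* pointer,
        // so it is widened the same way the issue's getKey code widens its
        // return value and then looked up in the VM.
        long handle = ctx.getIntArg(index) & 0xffffffffL;
        DvmObject obj = vm.getObject(handle);
        if (obj == null) {
            // A handle the VM never issued: the same condition that makes
            // CallObjectMethod throw "dvmObject=null" later in the run.
            return "<unregistered handle 0x" + Long.toHexString(handle) + ">";
        }
        if (obj instanceof StringObject) {
            return ((StringObject) obj).getValue();
        }
        return obj.toString();
    }

    /** Wrap jstring2str(JNIEnv*, jstring) and print the Java string it receives. */
    static void traceJstring2str(Emulator emulator, final VM vm, Module module) {
        IHookZz hookZz = HookZz.getInstance(emulator);
        hookZz.wrap(module.findSymbolByName("_Z11jstring2strP7_JNIEnvP8_jstring"),
                new WrapCallback<RegisterContext>() {
            @Override
            public void preCall(Emulator emulator, RegisterContext ctx, HookEntryInfo info) {
                // arg0 is JNIEnv*; arg1 is the jstring handle.
                System.out.println("jstring2str jstring=" + describeHandleArg(vm, ctx, 1));
            }

            @Override
            public void postCall(Emulator emulator, RegisterContext ctx, HookEntryInfo info) {
            }
        });
    }

    /**
     * Log each instance-method call made through JNI, so the receiver object
     * and method signature are visible before AbstractJni rejects an
     * unhandled one. Signature assumed from the 0.x API.
     */
    @Override
    public DvmObject callObjectMethod(BaseVM vm, DvmObject dvmObject, String signature, VarArg varArg) {
        System.out.println("CallObjectMethod receiver=" + dvmObject + " signature=" + signature);
        return super.callObjectMethod(vm, dvmObject, signature, varArg);
    }
}
```

To use it with the issue's test class, pass an instance of `JniArgTracer` to `emulator.createDalvikVM(...)` in place of the class's own `AbstractJni` and call `JniArgTracer.traceJstring2str(emulator, vm, module)` before invoking `SM2Encrypt`; the printed handle values then show whether the object the library passes to `CallObjectMethod` was ever registered with the VM, which is the first thing to check for this error.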
