
When execution reaches AbstractJni.newObjectV, no matching function signature type is found #55

Closed
chenliquan2 opened this issue Sep 16, 2019 · 4 comments

Comments

@chenliquan2

The exact error is:

```
newObjectV signature:java/lang/String-><init>([BLjava/lang/String;)V
[19:51:27 721] WARN [cn.banny.unidbg.linux.ARMSyscallHandler] (ARMSyscallHandler:384) - handleInterrupt intno=2, NR=-2083121372, svcNumber=0x10d, PC=unicorn@0xfffe0164, syscall=null
java.lang.AbstractMethodError: java/lang/String-><init>([BLjava/lang/String;)V
    at cn.banny.unidbg.linux.android.dvm.AbstractJni.newObjectV(AbstractJni.java:346)
    at cn.banny.unidbg.linux.android.dvm.DvmMethod.newObjectV(DvmMethod.java:177)
    at cn.banny.unidbg.linux.android.dvm.DalvikVM$14.handle(DalvikVM.java:218)
    at cn.banny.unidbg.linux.ARMSyscallHandler.hook(ARMSyscallHandler.java:92)
    at unicorn.Unicorn.invokeInterruptCallbacks(Unicorn.java:123)
    at unicorn.Unicorn.emu_start(Native Method)
    at cn.banny.unidbg.AbstractEmulator.emulate(AbstractEmulator.java:267)
    at cn.banny.unidbg.AbstractEmulator.eFunc(AbstractEmulator.java:360)
    at cn.banny.unidbg.arm.AbstractARMEmulator.eFunc(AbstractARMEmulator.java:201)
    at cn.banny.unidbg.linux.LinuxModule.emulateFunction(LinuxModule.java:154)
    at cn.banny.unidbg.linux.android.dvm.DvmClass.callStaticJniMethod(DvmClass.java:140)
    at cn.passguard.PassGuardEncrypt.sig_1init(PassGuardEncrypt.java:170)
    at cn.passguard.PassGuardEncrypt.main(PassGuardEncrypt.java:71)
```

The method prototype involved:

```java
@Override
public DvmObject newObjectV(BaseVM vm, DvmClass dvmClass, String signature, VaList vaList) {
    System.out.println("newObjectV signature:" + signature);
    if ("java/io/ByteArrayInputStream-><init>([B)V".equals(signature)) {
        // constructor argument 0: the byte[] passed in from native code
        ByteArray array = vaList.getObject(0);
        return new DvmObject<>(vm.resolveClass("java/io/ByteArrayInputStream"), new ByteArrayInputStream(array.value));
    }
    // any other constructor signature is unhandled
    throw new AbstractMethodError(signature);
}
```

Result:
When the signature is java/lang/String-><init>([BLjava/lang/String;)V, the exception is thrown directly. How should I go on to write the return value for this type? Hoping an expert can answer.

Attachment:
TestPag.zip

@zhkl0228
Owner

Use vaList to get the corresponding ArrayObject and StringObject, then call new String(data, encoding) to build the string, then return a StringObject.

@chenliquan2
Author

chenliquan2 commented Sep 17, 2019

> Use vaList to get the corresponding ArrayObject and StringObject, then call new String(data, encoding) to build the string, then return a StringObject.

That's a bit abstract. Is it like this? I'm not very skilled /(ㄒoㄒ)/~~

```java
@Override
public DvmObject newObjectV(BaseVM vm, DvmClass dvmClass, String signature, VaList vaList) {
    System.out.println("newObjectV signature:" + signature);
    if ("java/io/ByteArrayInputStream-><init>([B)V".equals(signature)) {
        ByteArray array = vaList.getObject(0);
        return new DvmObject<>(vm.resolveClass("java/io/ByteArrayInputStream"), new ByteArrayInputStream(array.value));

    } else if ("java/lang/String-><init>([BLjava/lang/String;)V".equals(signature)) {
        // Use vaList to get the corresponding ArrayObject and StringObject, then call new String(data, encoding) to build the string, then return a StringObject
        ByteArray data = vaList.getObject(0);
        String str = new String(data.value, StandardCharsets.UTF_8);
        return new StringObject(vm, str);
    }
    throw new AbstractMethodError(signature);
}
```

@chenliquan2
Author

> Use vaList to get the corresponding ArrayObject and StringObject, then call new String(data, encoding) to build the string, then return a StringObject.

Or is this one right?

```java
@Override
public DvmObject newObjectV(BaseVM vm, DvmClass dvmClass, String signature, VaList vaList) {
    System.out.println("newObjectV signature:" + signature);
    if ("java/io/ByteArrayInputStream-><init>([B)V".equals(signature)) {
        ByteArray array = vaList.getObject(0);
        return new DvmObject<>(vm.resolveClass("java/io/ByteArrayInputStream"), new ByteArrayInputStream(array.value));

    } else if ("java/lang/String-><init>([BLjava/lang/String;)V".equals(signature)) {
        // Use vaList to get the corresponding ArrayObject and StringObject, then call new String(data, encoding) to build the string, then return a StringObject
        ByteArray data = vaList.getObject(0);
        String str = new String(data.value, StandardCharsets.UTF_8);
        return new DvmObject<>(vm.resolveClass("java/lang/String"), new StringObject(vm, str));

    }
    throw new AbstractMethodError(signature);
}
```

It seems the second one can return a valid value, but I'm not sure whether it's correct ...
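An added example, not code from this thread or from unidbg itself, that implements the owner's instruction literally: take the byte[] from vaList slot 0 and the charset name from slot 1, decode with new String(data, encoding), and return a StringObject directly instead of hard-coding UTF-8 or wrapping the StringObject inside a second DvmObject as the two attempts above do. It assumes the cn.banny-era unidbg API exactly as the thread uses it (AbstractJni.newObjectV, VaList.getObject, ByteArray.value, StringObject(vm, String), StringObject.getValue()); the class name StringCtorJni and the package paths in the imports are assumptions.

```java
import java.io.UnsupportedEncodingException;
import java.nio.charset.StandardCharsets;

// Package paths are assumed to match the cn.banny-era unidbg layout used in this thread.
import cn.banny.unidbg.linux.android.dvm.AbstractJni;
import cn.banny.unidbg.linux.android.dvm.BaseVM;
import cn.banny.unidbg.linux.android.dvm.DvmClass;
import cn.banny.unidbg.linux.android.dvm.DvmObject;
import cn.banny.unidbg.linux.android.dvm.StringObject;
import cn.banny.unidbg.linux.android.dvm.VaList;
import cn.banny.unidbg.linux.android.dvm.array.ByteArray;

// Hypothetical JNI shim: handles the java.lang.String constructors the native
// library calls through JNIEnv->NewObjectV and defers everything else to AbstractJni.
public class StringCtorJni extends AbstractJni {

    @Override
    public DvmObject newObjectV(BaseVM vm, DvmClass dvmClass, String signature, VaList vaList) {
        if ("java/lang/String-><init>([BLjava/lang/String;)V".equals(signature)) {
            // Constructor argument 0: the byte[] the native code built (e.g. ciphertext or a digest).
            ByteArray data = vaList.getObject(0);
            // Constructor argument 1: the charset name, passed as a java.lang.String.
            StringObject charset = vaList.getObject(1);
            if (data == null || charset == null) {
                // A real JVM throws NullPointerException for new String((byte[]) null, ...);
                // failing loudly here is better than returning a bogus string to the native side.
                throw new NullPointerException("null argument to String(byte[], String) in " + signature);
            }
            String charsetName = charset.getValue();
            try {
                // Decode with the charset the caller actually asked for, then hand back a
                // StringObject so later GetStringUTFChars calls see a real string.
                return new StringObject(vm, new String(data.value, charsetName));
            } catch (UnsupportedEncodingException e) {
                throw new IllegalStateException("native code requested unsupported charset: " + charsetName, e);
            }
        }
        if ("java/lang/String-><init>([B)V".equals(signature)) {
            // The one-argument constructor uses the platform default charset, which is UTF-8 on Android.
            ByteArray data = vaList.getObject(0);
            if (data == null) {
                throw new NullPointerException("null byte[] to String(byte[]) in " + signature);
            }
            return new StringObject(vm, new String(data.value, StandardCharsets.UTF_8));
        }
        // Unknown constructor: let AbstractJni's own cases run, or raise its AbstractMethodError.
        return super.newObjectV(vm, dvmClass, signature, vaList);
    }
}
```

Returning a plain StringObject matters because the native side later treats the handle as a jstring; delegating unknown signatures to super.newObjectV keeps the same AbstractMethodError as before for anything this shim does not cover, which is what makes the next missing constructor visible in the log.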

@chenliquan2
Author

Thank you so much! I think the second method should be the right one; replaying with the generated sign works fine. I'm just a bit obsessive: when I see error output like the following, I really want to understand what causes it and what approaches I could take to fix it. I hope you can point me in the right direction when you have time. Thanks again! A nuclear-bomb-level invention for the reverse-engineering field!

The error messages are as follows (although the correct result is output in the end):

```
九月 17, 2019 11:16:31 上午 cn.banny.unidbg.linux.AndroidElfLoader resolveSymbols
信息: [libLLVM.so]symbol ElfSymbol[name=__modsi3, type=function, size=0] is missing relocationAddr=unicorn@0x413fed24[libLLVM.so]0x8fcd24, offset=0x0
九月 17, 2019 11:16:31 上午 cn.banny.unidbg.linux.AndroidElfLoader resolveSymbols
信息: [libLLVM.so]symbol ElfSymbol[name=__umoddi3, type=function, size=0] is missing relocationAddr=unicorn@0x413fed2c[libLLVM.so]0x8fcd2c, offset=0x0
九月 17, 2019 11:16:31 上午 cn.banny.unidbg.linux.AndroidElfLoader resolveSymbols
信息: [libLLVM.so]symbol ElfSymbol[name=__moddi3, type=function, size=0] is missing relocationAddr=unicorn@0x413fedd0[libLLVM.so]0x8fcdd0, offset=0x0
九月 17, 2019 11:16:31 上午 cn.banny.unidbg.linux.AndroidElfLoader resolveSymbols
信息: [libLLVM.so]symbol ElfSymbol[name=__clear_cache, type=function, size=0] is missing relocationAddr=unicorn@0x413feed8[libLLVM.so]0x8fced8, offset=0x0
九月 17, 2019 11:16:31 上午 cn.banny.unidbg.linux.AndroidElfLoader resolveSymbols
信息: [libbcc.so]symbol ElfSymbol[name=__clear_cache, type=function, size=0] is missing relocationAddr=unicorn@0x41427fec[libbcc.so]0x20fec, offset=0x0
九月 17, 2019 11:16:31 上午 cn.banny.unidbg.linux.ARMSyscallHandler openat
信息: openat dirfd=-100, pathname=/dev/smem_log, oflags=0x20002, mode=0
九月 17, 2019 11:16:31 上午 cn.banny.unidbg.linux.ARMSyscallHandler openat
信息: openat dirfd=-100, pathname=/system/etc/qmi_fw.conf, oflags=0x20000, mode=0
九月 17, 2019 11:16:31 上午 cn.banny.unidbg.linux.ARMSyscallHandler openat
信息: openat dirfd=-100, pathname=/proc/filesystems, oflags=0x20000, mode=0
九月 17, 2019 11:16:31 上午 cn.banny.unidbg.linux.ARMSyscallHandler hook
警告: handleInterrupt intno=2, NR=125, svcNumber=0x0, PC=unicorn@0x401cc284[libc.so]0x41284, syscall=null
unicorn.UnicornException: No memory available or memory not present (UC_ERR_NOMEM)
    at unicorn.Unicorn.mem_protect(Native Method)
    at cn.banny.unidbg.spi.AbstractLoader.mprotect(AbstractLoader.java:188)
    at cn.banny.unidbg.linux.ARMSyscallHandler.mprotect(ARMSyscallHandler.java:1479)
    at cn.banny.unidbg.linux.ARMSyscallHandler.hook(ARMSyscallHandler.java:215)
    at unicorn.Unicorn.invokeInterruptCallbacks(Unicorn.java:123)
    at unicorn.Unicorn.emu_start(Native Method)
    at cn.banny.unidbg.AbstractEmulator.emulate(AbstractEmulator.java:267)
    at cn.banny.unidbg.AbstractEmulator.eFunc(AbstractEmulator.java:360)
    at cn.banny.unidbg.arm.AbstractARMEmulator.eInit(AbstractARMEmulator.java:213)
    at cn.banny.unidbg.linux.AbsoluteInitFunction.call(AbsoluteInitFunction.java:33)
    at cn.banny.unidbg.linux.LinuxModule.callInitFunction(LinuxModule.java:46)
    at cn.banny.unidbg.linux.AndroidElfLoader.loadInternal(AndroidElfLoader.java:171)
    at cn.banny.unidbg.linux.AndroidElfLoader.loadInternal(AndroidElfLoader.java:30)
    at cn.banny.unidbg.spi.AbstractLoader.load(AbstractLoader.java:211)
    at cn.banny.unidbg.linux.android.dvm.BaseVM.loadLibrary(BaseVM.java:249)
    at cn.passguard.PassGuardEncrypt.<init>(PassGuardEncrypt.java:40)
    at cn.passguard.PassGuardEncrypt.main(PassGuardEncrypt.java:54)

九月 17, 2019 11:16:31 上午 cn.banny.unidbg.AbstractEmulator emulate
警告: emulate unicorn@0x401a168d[libc.so]0x1668d failed: sp=unicorn@0xbffff60c, offset=288ms
unicorn.UnicornException: No memory available or memory not present (UC_ERR_NOMEM)
    at unicorn.Unicorn.mem_protect(Native Method)
    at cn.banny.unidbg.spi.AbstractLoader.mprotect(AbstractLoader.java:188)
    at cn.banny.unidbg.linux.ARMSyscallHandler.mprotect(ARMSyscallHandler.java:1479)
    at cn.banny.unidbg.linux.ARMSyscallHandler.hook(ARMSyscallHandler.java:215)
    at unicorn.Unicorn.invokeInterruptCallbacks(Unicorn.java:123)
    at unicorn.Unicorn.emu_start(Native Method)
    at cn.banny.unidbg.AbstractEmulator.emulate(AbstractEmulator.java:267)
    at cn.banny.unidbg.AbstractEmulator.eFunc(AbstractEmulator.java:360)
    at cn.banny.unidbg.arm.AbstractARMEmulator.eInit(AbstractARMEmulator.java:213)
    at cn.banny.unidbg.linux.AbsoluteInitFunction.call(AbsoluteInitFunction.java:33)
    at cn.banny.unidbg.linux.LinuxModule.callInitFunction(LinuxModule.java:46)
    at cn.banny.unidbg.linux.AndroidElfLoader.loadInternal(AndroidElfLoader.java:171)
    at cn.banny.unidbg.linux.AndroidElfLoader.loadInternal(AndroidElfLoader.java:30)
    at cn.banny.unidbg.spi.AbstractLoader.load(AbstractLoader.java:211)
    at cn.banny.unidbg.linux.android.dvm.BaseVM.loadLibrary(BaseVM.java:249)
    at cn.passguard.PassGuardEncrypt.<init>(PassGuardEncrypt.java:40)
    at cn.passguard.PassGuardEncrypt.main(PassGuardEncrypt.java:54)

九月 17, 2019 11:16:31 上午 cn.banny.unidbg.linux.LinuxModule callInitFunction
信息: [libLLVM.so]__modsi3 symbol is missing before init relocationAddr=unicorn@0x413fed24[libLLVM.so]0x8fcd24
九月 17, 2019 11:16:31 上午 cn.banny.unidbg.linux.LinuxModule callInitFunction
信息: [libLLVM.so]__umoddi3 symbol is missing before init relocationAddr=unicorn@0x413fed2c[libLLVM.so]0x8fcd2c
九月 17, 2019 11:16:31 上午 cn.banny.unidbg.linux.LinuxModule callInitFunction
信息: [libLLVM.so]__moddi3 symbol is missing before init relocationAddr=unicorn@0x413fedd0[libLLVM.so]0x8fcdd0
九月 17, 2019 11:16:31 上午 cn.banny.unidbg.linux.LinuxModule callInitFunction
信息: [libLLVM.so]__clear_cache symbol is missing before init relocationAddr=unicorn@0x413feed8[libLLVM.so]0x8fced8
九月 17, 2019 11:16:31 上午 cn.banny.unidbg.linux.LinuxModule callInitFunction
信息: [libbcc.so]__clear_cache symbol is missing before init relocationAddr=unicorn@0x41427fec[libbcc.so]0x20fec
九月 17, 2019 11:16:31 上午 cn.banny.unidbg.linux.ARMSyscallHandler ptrace
信息: ptrace request=0x0, pid=0, addr=null, data=null

getKey:124268048476002231160546874792054445205859695541773682585510549341692856527133748338173673409724680644261254462092544451007823053290585560919751502040858723643650222704101093197109429006854655834856230931813529754840873403742860610007429079738487054902351423296508023834355690216104617853526135691550059952419&65537
SM2Encrypt value:BPWd+QBVzCUpiMZK7JrGk6/MltgABPmme+jQE4Aw2k8nYBDrJprTfc7/607B1NVYz+UWN4MVBy3f0iDqLaniL3/B8GlnA9HwMr6TOoQtcfgtnENGCEdlywVgVvGwTZj5jlUbFMb1qv8IGA==
destroy
```
