
调用快手so时报错 Invalid memory fetch (UC_ERR_FETCH_UNMAPPED) #8

Closed
jtduan opened this issue May 9, 2019 · 5 comments

Comments

@jtduan

jtduan commented May 9, 2019

你好，我觉得 CandyJni 类应该是比较完善、可以处理各种 so 调用的示例。我参照这个类写出了调用快手 libcore.so 的逻辑，但运行时出现了错误 Invalid memory fetch (UC_ERR_FETCH_UNMAPPED)。
image
下面是我的代码,求教如何解决这个错误?
package com.kuaishou;

import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

import org.apache.commons.codec.DecoderException;
import org.apache.commons.codec.binary.Hex;
import org.apache.log4j.Level;
import org.apache.log4j.Logger;

import cn.banny.emulator.LibraryResolver;
import cn.banny.emulator.Module;
import cn.banny.emulator.arm.ARMEmulator;
import cn.banny.emulator.file.FileIO;
import cn.banny.emulator.file.IOResolver;
import cn.banny.emulator.linux.android.AndroidARMEmulator;
import cn.banny.emulator.linux.android.AndroidResolver;
import cn.banny.emulator.linux.android.dvm.AbstractJni;
import cn.banny.emulator.linux.android.dvm.ArrayObject;
import cn.banny.emulator.linux.android.dvm.BaseVM;
import cn.banny.emulator.linux.android.dvm.ByteArray;
import cn.banny.emulator.linux.android.dvm.DalvikModule;
import cn.banny.emulator.linux.android.dvm.DvmClass;
import cn.banny.emulator.linux.android.dvm.DvmObject;
import cn.banny.emulator.linux.android.dvm.StringObject;
import cn.banny.emulator.linux.android.dvm.VM;
import cn.banny.emulator.linux.android.dvm.VarArg;
import cn.banny.emulator.linux.file.ByteArrayFileIO;
import cn.banny.emulator.linux.file.SimpleFileIO;
import cn.banny.emulator.memory.Memory;

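/**
 * Drives the {@code getClock} JNI entry point of Kuaishou's {@code libcore.so} inside the
 * cn.banny ARM emulator, supplying the small slice of the Android runtime the library asks for.
 *
 * <p>Three things are stubbed: file lookups ({@link #resolve}), the Context/PackageManager
 * calls the library makes ({@link #callObjectMethod}), and the {@code PackageInfo.signatures}
 * field ({@link #getObjectField}). The maintainer notes that the native code verifies the
 * package signature, so {@link #signature} has to hold the APK's real signing-certificate
 * bytes; with the wrong bytes the run in this issue faulted with {@code UC_ERR_FETCH_UNMAPPED}.
 *
 * <p>Not thread-safe. One instance owns one emulator; {@link #destroy()} closes it, and
 * {@link #main} guarantees that even when {@link #sign()} throws.
 */
public class KuaishouSign extends AbstractJni implements IOResolver {

    private static final String APP_PACKAGE_NAME = "com.smile.gifmaker";
    /** Path the emulated app reports as its install location (see getPackageCodePath). */
    private static final String INSTALL_PATH = "/data/app/kuaishou.apk";
    /** Host-side APK backing both the Dalvik VM and reads of INSTALL_PATH. */
    private static final String APK_PATH = "src/test/resources/app/kuaishou6.2.3.8614.apk";
    /** Host-side tzdata served when the emulated process opens /data/misc/zoneinfo/tzdata. */
    private static final String TZDATA_PATH =
            "src/main/resources/android/sdk19/system/usr/share/zoneinfo/tzdata";
    /** Hex-encoded signing certificate returned from Signature.toByteArray(). */
    private static final String SIGNATURE_HEX = "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";

    private final ARMEmulator emulator;
    private final VM vm;
    private final DvmClass cpuClass;
    private final Module module;
    /** Decoded bytes of SIGNATURE_HEX; handed back whenever the library asks for the signature. */
    private final byte[] signature;

    /** Resolves system libraries against the bundled API-23 image. */
    private static LibraryResolver createLibraryResolver() {
        return new AndroidResolver(23);
    }

    /** Creates an ARM emulator whose process identity is the target package name. */
    private static ARMEmulator createARMEmulator() {
        return new AndroidARMEmulator(APP_PACKAGE_NAME);
    }

    /**
     * Boots the emulator, loads the APK into a Dalvik VM, runs {@code JNI_OnLoad} of
     * {@code libcore.so} and resolves the class that owns the target JNI method.
     *
     * <p>The emulator is closed again if any later setup step fails, so a failed construction
     * does not leak the native Unicorn instance.
     *
     * @throws IOException if the emulator or VM cannot be set up
     * @throws IllegalStateException if SIGNATURE_HEX is not valid hex
     */
    private KuaishouSign() throws IOException {
        emulator = createARMEmulator();
        VM dalvikVm;
        DalvikModule dm;
        try {
            emulator.getSyscallHandler().addIOResolver(this);
            System.out.println("== init ===");

            final Memory memory = emulator.getMemory();
            memory.setLibraryResolver(createLibraryResolver());
            memory.setCallInitFunction();

            dalvikVm = emulator.createDalvikVM(new File(APK_PATH));
            dm = dalvikVm.loadLibrary("core", false);
            dm.callJNI_OnLoad(emulator);
        } catch (Exception e) {
            // Release the emulator before propagating; keep the close failure as suppressed.
            try {
                emulator.close();
            } catch (IOException closeFailure) {
                e.addSuppressed(closeFailure);
            }
            throw e;
        }
        vm = dalvikVm;
        module = dm.getModule();
        cpuClass = vm.resolveClass("com/yxcorp/gifshow/util/CPU");

        // memory.runLastThread();

        signature = decodeSignature();
    }

    /** Decodes SIGNATURE_HEX, turning a malformed constant into an unchecked failure. */
    private static byte[] decodeSignature() {
        try {
            return Hex.decodeHex(SIGNATURE_HEX.toCharArray());
        } catch (DecoderException e) {
            throw new IllegalStateException(e);
        }
    }

    /**
     * Closes the emulator and prints the loaded module for diagnostics.
     *
     * @throws IOException if the emulator fails to close
     */
    private void destroy() throws IOException {
        emulator.close();
        System.out.println("module=" + module);
        System.out.println("== destroy ===");
    }

    /**
     * Entry point: sign once, then tear down. The teardown runs in {@code finally} so an
     * emulation fault inside {@link #sign()} still releases the emulator.
     */
    public static void main(String[] args) throws Exception {
        KuaishouSign test = new KuaishouSign();
        try {
            test.sign();
        } finally {
            test.destroy();
        }
    }

    /**
     * Invokes {@code CPU.getClock(Object, byte[], int)} on the fixed query string and prints
     * the returned Java string. Local JNI references are released even if the call faults.
     *
     * @throws IllegalStateException if the returned handle does not resolve to an object
     */
    private void sign() {
        vm.setJni(this);
        Logger.getLogger("cn.banny.emulator.AbstractEmulator").setLevel(Level.DEBUG);
        // The query string embeds a device id and a session token; treat it as fixture data
        // rather than something to keep live values in.
        String str = "app=0appver=6.2.3.8614c=ALI_CPD,17client_key=3c2cd3f3contactData=7A9IqsDstz815+zxGyC1+XgougsArgtFUPBRYcRwUhcjwTsafJBmYnLZgLc5l4g7sjINLj0nrXFq1CCsFHteQSpac+959kD0yYEJyGzukSqMQGayQCue397jX98gp0NPU26waWGh+JWMaYnZG/F1Sg==country_code=CNdid=ANDROID_9fb7792f6142ea63did_gt=1553767215144ftt=hotfix_ver=isp=iuid=iv=5okP62w8Yl7WHiG6kpf=ANDROID_PHONEkpn=KUAISHOUlanguage=zh-cnlat=40.054041lon=116.298517max_memory=192mod=LGE(Nexus 5)net=WIFIoc=ALI_CPD,17os=androidsys=ANDROID_6.0.1token=f68245ccc1344489894f963248cc3501-1082592150ud=1082592150ver=6.2";

        DvmObject context = vm.resolveClass("android/content/Context").newObject(null);
        StringObject obj;
        try {
            // Explicit UTF-8: String.getBytes() without a charset depends on the host JVM's default.
            Number ret = cpuClass.callStaticJniMethod(emulator, "getClock(Ljava/lang/Object;[BI)Ljava/lang/String;",
                    context,
                    vm.addLocalObject(new ByteArray(str.getBytes(StandardCharsets.UTF_8))), 23);
            // The native return value is a local-reference handle; mask to unsigned 32 bits before lookup.
            long handle = ret.intValue() & 0xffffffffL;
            obj = vm.getObject(handle);
        } finally {
            vm.deleteLocalRefs();
        }
        if (obj == null) {
            throw new IllegalStateException("getClock did not return a string object");
        }
        System.out.println(obj.getValue());
    }

    /**
     * Serves the handful of files the emulated process opens from host-side stand-ins.
     *
     * @param workDir  working directory of the emulated process (unused here)
     * @param pathname path the emulated process asked to open
     * @param oflags   open flags, passed through to the FileIO
     * @return a FileIO for known paths, or {@code null} — presumably lets the emulator's
     *         default lookup handle the path; confirm against IOResolver
     */
    @Override
    public FileIO resolve(File workDir, String pathname, int oflags) {
        if (pathname == null) {
            return null;
        }
        switch (pathname) {
            case "/proc/self/cmdline":
                return new ByteArrayFileIO(oflags, pathname, APP_PACKAGE_NAME.getBytes(StandardCharsets.UTF_8));
            case INSTALL_PATH:
                return new SimpleFileIO(oflags, new File(APK_PATH), pathname);
            case "/data/misc/zoneinfo/tzdata":
                return new SimpleFileIO(oflags, new File(TZDATA_PATH), pathname);
            default:
                return null;
        }
    }

    /**
     * Answers the Context/PackageManager/Signature calls the library makes; anything else is
     * delegated to {@link AbstractJni}. Note the {@code signature} parameter is the JNI method
     * signature and shadows the field, which is why the field is read as {@code this.signature}.
     */
    @Override
    public DvmObject callObjectMethod(BaseVM vm, DvmObject dvmObject, String signature, String methodName, String args, VarArg varArg) {
        switch (signature) {
            case "android/content/Context->getPackageManager()Landroid/content/pm/PackageManager;":
                return new DvmObject<Object>(vm.resolveClass("android/content/pm/PackageManager"), null);
            case "android/content/Context->getPackageName()Ljava/lang/String;":
                return new StringObject(vm, APP_PACKAGE_NAME);
            case "android/content/pm/PackageManager->getPackageInfo(Ljava/lang/String;I)Landroid/content/pm/PackageInfo;": {
                StringObject packageName = varArg.getObject(0);
                int flags = varArg.getInt(1);  // the run in this issue shows 64, i.e. PackageManager.GET_SIGNATURES
                System.err.println("getPackageInfo packageName=" + packageName.getValue() + ", flags=" + flags);
                // The PackageInfo carries the package name as its value so getObjectField can report it.
                return vm.resolveClass("android/content/pm/PackageInfo").newObject(packageName.getValue());
            }
            case "android/content/Context->getPackageCodePath()Ljava/lang/String;":
                return new StringObject(vm, INSTALL_PATH);
            case "android/content/pm/Signature->toByteArray()[B":
                return new ByteArray(this.signature);
            default:
                return super.callObjectMethod(vm, dvmObject, signature, methodName, args, varArg);
        }
    }

    /**
     * Returns a one-element {@code Signature[]} for {@code PackageInfo.signatures}; the bytes
     * themselves are produced later via {@code Signature.toByteArray()} in callObjectMethod.
     */
    @Override
    public DvmObject getObjectField(VM vm, DvmObject dvmObject, String signature) {
        if (!"android/content/pm/PackageInfo->signatures:[Landroid/content/pm/Signature;".equals(signature)) {
            return super.getObjectField(vm, dvmObject, signature);
        }
        String packageName = (String) dvmObject.getValue();
        System.err.println("PackageInfo signatures packageName=" + packageName);
        DvmObject sig = vm.resolveClass("android/content/pm/Signature").newObject(null);
        return new ArrayObject(sig);
    }

}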

@zhkl0228

zhkl0228 commented May 9, 2019

apk 发上来测试下

@jtduan

jtduan commented May 9, 2019

@zhkl0228

zhkl0228 commented May 9, 2019

android/content/pm/Signature->toByteArray()[B
这个签名发个正确的给我，JNI 里面有校验。

@jtduan

jtduan commented May 9, 2019

android/content/pm/Signature->toByteArray()[B
这个签名发个正确的给我，JNI 里面有校验。

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

我是用如下方法获取的签名值：
PackageInfo packageInfo = getApplicationContext().getPackageManager().getPackageInfo("com.smile.gifmaker", PackageManager.GET_SIGNATURES); System.out.println(byte2hex(packageInfo.signatures[0].toByteArray()));

@zhkl0228

zhkl0228 commented May 9, 2019

== init ===
[21:41:03 376] DEBUG [cn.banny.emulator.AbstractEmulator] (AbstractEmulator:197) - emulate unicorn@0x40001241[libcore.so]0x1241 started sp=unicorn@0xbffff7d8
getPackageInfo packageName=com.smile.gifmaker, flags=64
PackageInfo signatures packageName=com.smile.gifmaker
[21:41:03 399] DEBUG [cn.banny.emulator.AbstractEmulator] (AbstractEmulator:222) - emulate unicorn@0x40001241[libcore.so]0x1241 finished sp=unicorn@0xbffff7d8, offset=22ms
6d795b6870c5132c1ca712cfc785b928
module=LinuxModule{base=0x40000000, size=20604, name='libcore.so'}
== destroy ===

我把代码提交到仓库了
