| package com.dongchedi;
import com.github.unidbg.AndroidEmulator;
import com.github.unidbg.Module;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.linux.android.dvm.*;
import com.github.unidbg.memory.Memory;
import com.github.unidbg.virtualmodule.android.AndroidModule;
import org.apache.log4j.Level;
import org.apache.log4j.Logger;

import java.io.File;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
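public class dongchedi extends AbstractJni {
    private final AndroidEmulator emulator;
    private final VM vm;
    private final Module module;

    /**
     * Boots a 32-bit Android emulator, creates a Dalvik VM over the sample APK,
     * loads the native library {@code libcjtfcc.so} and runs its {@code JNI_OnLoad}.
     * Logger levels are raised to DEBUG so syscalls and JNI traffic are traced while debugging.
     */
    dongchedi() {
        Logger.getLogger("com.github.unidbg.linux.ARM32SyscallHandler").setLevel(Level.DEBUG);
        Logger.getLogger("com.github.unidbg.unix.UnixSyscallHandler").setLevel(Level.DEBUG);
        Logger.getLogger("com.github.unidbg.AbstractEmulator").setLevel(Level.DEBUG);
        Logger.getLogger("com.github.unidbg.linux.android.dvm.DalvikVM").setLevel(Level.DEBUG);
        Logger.getLogger("com.github.unidbg.linux.android.dvm.BaseVM").setLevel(Level.DEBUG);
        Logger.getLogger("com.github.unidbg.linux.android.dvm").setLevel(Level.DEBUG);

        emulator = AndroidEmulatorBuilder.for32Bit().build();
        final Memory memory = emulator.getMemory();
        // System library resolver for API level 23.
        memory.setLibraryResolver(new AndroidResolver(23));
        // NOTE(review): the APK path uses Windows separators; run from the repository root on Windows
        // or adjust the path for the host OS.
        vm = emulator.createDalvikVM(new File("unidbg-android\\src\\test\\java\\com\\dongchedi\\dongchedi_6_5_1.apk"));
        // This class answers JNI callbacks (AbstractJni); verbose mode logs every JNI call.
        vm.setJni(this);
        vm.setVerbose(true);
        new AndroidModule(emulator, vm).register(memory);
        DalvikModule dm = vm.loadLibrary("cjtfcc", true);
        module = dm.getModule();
        dm.callJNI_OnLoad(emulator);
    }

    /**
     * Releases the emulator. Call once the instance is no longer needed.
     *
     * @throws IOException if the emulator cannot be closed
     */
    void destroy() throws IOException {
        emulator.close();
    }

    /**
     * Calls the native function at module offset {@code 0xa2ac} using the JNI argument layout
     * {@code (JNIEnv*, jobject thiz, int, int, jstring, jstring)} and prints its result.
     * <p>
     * The second slot is the {@code jobject} receiver. This version passes {@code 0} there;
     * the native code calls {@code GetObjectClass} on it, which fails with a null object.
     * A real instance of the declaring class must be created and registered with the VM instead.
     *
     * @param param1 first int argument of the native function
     * @param param2 second int argument of the native function
     * @param param3 first string argument, passed as a jstring local reference
     * @param param4 second string argument, passed as a jstring local reference
     * @return the string value the native function returned, or {@code null} if it returned no object
     */
    public String tfccDecrypt(int param1, int param2, String param3, String param4) {
        List<Object> args = new ArrayList<>();
        args.add(vm.getJNIEnv());
        // jobject thiz — placeholder; see the class Javadoc above for why this fails.
        args.add(0);
        args.add(param1);
        args.add(param2);
        args.add(vm.addLocalObject(new StringObject(vm, param3)));
        args.add(vm.addLocalObject(new StringObject(vm, param4)));
        Number result = module.callFunction(emulator, 0xa2ac, args.toArray());
        // The return value is a local-reference handle; look the object up before dereferencing.
        DvmObject<?> returned = vm.getObject(result.intValue());
        if (returned == null) {
            return null;
        }
        String value = String.valueOf(returned.getValue());
        System.out.println(value);
        return value;
    }

    /**
     * Runs the sample call and always releases the emulator afterwards.
     *
     * @param args unused
     * @throws IOException if the emulator cannot be closed
     */
    public static void main(String[] args) throws IOException {
        dongchedi test = new dongchedi();
        try {
            test.tfccDecrypt(9, 1, "14zRM+40n2UGVx0DlI7hqDFjsxGR6eJsnnxUME5ZDT8=",
                    "AQAAAIY8QCEBiAWgEHTCmugnR4hHWlbOmpfOHoYQ+gXQHXvSrCBlQtFmGM8T7eHljYYTD8vWOsQa8SuOaBwMTYOS03qjuUktB2dRu3+mWr4z5N3uMrb1Es/MTUrWx8JGHVoX1z7f6luarDvT9Wf0KKbfHRkqaJANlwVEqULsZU6HkJ0zkaFh3AnU5eQRsPoxttOPOhsVLv/kNjpm1"
                    + "qBHkENXSedO4MN+PGybTCOKH3Ri6dvoX9EXCUr41o2W0ujI46nYn7vUrRkHgHNOOrGkIL7Acn0wrU6nj3cZuFpxb+W+u6r+MFI8ScE9XQya3322RRqOQUr1xWXpCucv/zknN7pjyzptYk8iWRfeaCT+iSjkmwa+3EStu3U/TQakF1xh46hjPOczx7elte6qV9ztDyF61Eu"
                    + "Nrz4K+9O4TgqDeg9FGv7k+sNXg4M8L+Vx2BzJ/9MfaOFF5YXlI2oeMk0FReBTV8cBdXv2j23ju5HUpNo45dYF+tLihymL3maOiuWYviIAk8OKjNG+juruF4YuYoAqJoJSvuZ9Avujl3mqL66AdZmzG7vTa29S1MWIwu3XYj96lcbGSav9m5g4yRb6zXcQDIpqAmYHVgRjX"
                    + "7adt09SOuvrcuORpUh2jSt5smO+lpR7fuHk4tlCr6OlRr360IgJr82PmeAAKz1dV9tHGYlV+618tjgi36J4iLuWaw6Ix9iJ1R6cFJY6JIX8pU8NoGoUFDjK3Dm8Pm9j72J9cTQpEMR/HCT3BOw5YTTTQHl3eQgdZevUD8HFnECMvajFZxKe6obyPieE41WBk/EQ5WI2Bwtu"
                    + "rmyzxEq/VPIm1UfoqE78T4QOa2ey82Mw6TCIzMSMhCwiA2huzSnlus9RicQaPCX1isa0BitIISMHeHRFqab9ORMnHKVxEX3AhZN3OwcPKntx43yxZrTp5GLYwndyqchZCpTXhu/j/7WfUZRnIc2aOhKegFCLNdeml0Kha9FPSXE8AxTMr6ldw2p5vhPmzn5p2iRvgXoqdr5J"
                    + "6W6QgBCEb8fGCupV+gLibY5mcLabHBmcSEkdax1h341Qxyk6s8/LvUlpx6MZHPM+/NgWf8bUvvbPKLrD7xhKPtCaaaO1PSGiNTPrlRJaajiBpJcMwMkjRbKT76+kDCL00teodYNyFBEkYmGJM5Sg7fHY1f6e3FXRYny6bXnr0R/mTnxWDPDAc9gn2eiyHofLRaBjvtbdpMStn"
                    + "MolS5ybQt8GfaVifsjfQe3jwLmFNCtsXn6unDo189udnL9iOwtwIhLUtUvIU9IejQ33rKAMWQjrlvA99KTLzdk6ewItUa4mI9sFcpcR/uIbQiiHYs1qvfrQiAmvzY+Z4AArPV1X20cZiVX7rXy2OCLfoniIu5ZrDojH2InVHpwUljokhfylTw2gahQUOMrcObw+b2PvYn1xNC"
                    + "kQxH8cJPcE7DlhNNO1SUZeQb5H5IQYdROwNOj0gcN4YmN1P2S2PC6VQzGJu2x0+T9e7PeW2jjIl4qM0N23z+A9W3IX0+x4oUU/1MNdgaxMlucq9SRoPnuyW/LC+PkDTN1tk6oMbKoqQSYiKn0dVOZKma6PWO3UogNGhFJN+uzG8TN0Vh5YDTrpJ/AhzGdpNu0aDFGXrXqaCx5n"
                    + "Lcxfiq9XMzz47/nNbJ5GD/sBg2anQ25uYJQqueFTZsej5Buy+PpsZ9UCUlZ3QDdC8Z2dGfQCnnzvosx3vb3nZVUtkxruvGaDtTueshIcL6OFF+liJQ1N3hjfsom7F74c4NYZo3SbrUSlOOLWi9YALqszQq+s6XvUNBbKWzeCU236tn7MmtlBkdA+ZAe95f1JPy63XwxkK6wtfF"
                    + "n7uxDQKfv/HVeKjvzQ+IAHv3wQmGSSUuHtusWtwFzTMXKqur3KNdLDQZIo6UV74/uvG3/CQnX3JoK3AHydHKV+kkMd9W6Uzjy37PixjrW5IFST6+thqb/yrK1chGM9MPJ7AbNeq9Zfhi5igComglK+5n0C+6OXebfNiKoMkM2f/ezRyGcMxEkKmyG2g9cZwfeDjZjDVvPiMd8Jf"
                    + "6XOoXT47iq7JcWZ8PM8FELOWjegOP9hXUMPdkn2waqXbJ7eFwfb1vI/kSsX6QdTF5cXYcScuqFjft/hLd/a+JaSwEyFqIbWnZkHMMNuAqCmBmzk8ZEXzYkflQBKnTdiEgsXVrf4RokNgd//cFo6ZfrcdMdtbpiOEM3k9iD9HABFcsV4boY89g1Uqmx66emYxoD1UUI7XlDyGFgvY"
                    + "uRFN5vcANjq9wM4mIfNRx8xN5JNj5EIcZG6fE3mq0jEQlEQf8V89ngy2x/Klp7c8OHWV9YDy3v4QeSTmSCrg8EvCx71UD0mhOPjBoF0EsUt6JseIrcKH+ORtrfSyPjUPnhkCnkTLZpyidfqUCJz6YksBQ7Ak+tA9vKN7Y2xGkgy/8jpwMfRjnmERo3YMrgaawqhp5RZLB0V2ZPLUC"
                    + "s5MqqsJDnIp2KnCV8hJVDTUdz6/XlAPCWACEfZAZpX38dS7RTVw/KzJf903a7pdrsPJ+fW4MVIaMzF98w0GCRjFSPw8V44sbHQbrcFLgZ+7bF6G2Dm0eez6L5xIs0ptZcX8tN7UE24KxYJK8/THH47mRDs/gyMFE4r5r5XzB1vgtPPWURrjzCtODTxtcsxDaQ89e7WHuBA7IVBzRC2"
                    + "5+lKeAndp3VlHpeGLzzLfHkgMqva7KsGE3rMPYk+ioGPl3TuPWrqawjwSKlsUP/vf61f80Br42DugXL4RPAoE5b5P/8628TZVqYMzkC1hfKNOzxkAOsYCW+vLizurCPm8yeIqDYlZq/DcFVxHxPkAR9uOFZwlKNXZbMzaDEU+ebXX4g+WG6dpKK0GSFV4MZX5SvpZrvIZvTspyVYjpXHV"
                    + "Atr+wCzO0N5tg1kGJABoj+aZ4GWGFYv7kzTMBuk0hDeFXfDgp+Af7tMAkfmG67iqopLbNccfhlE6fXBwZail88u/6S9zhqAgZLclp3cPFDnZdGLF0pNqzsx6pk2j5tS+srUVHT+M5gGYOhC6iofm0ek0CQYsSwd6e8uUV627Cb00qLT1d0BGax0oQA2UE+dgCiR2jZaO0bnPsh6a6VC3P0"
                    + "vGdiWeNZyjTEHXD3YaUb9y49+bniXV7SpHcLiZj+voezbBQqCETrDTc1pLjicAgBtCJ4kPYUzDJBtB/NUQR+PHMwH4QrhgqaDKFPnCjFAOv63ob7aepyfMI/fWenLJmEuTQU/hWv7zxhvC3KX7hfcIPTtUYDRJofRS4F0UNTGY7wHf0nD+uqJPaxEamlsFMNtPLa2ZAskmEXy1tegY8sH8"
                    + "V8pFL7Gn0EbOAonzSLwQKZhlESxQ7MPTu3fgP7mnuEknJmhk3dwiCNNePtG6NftfjQSeJGHl+qtJNdWL22jONkATEgCZDQfYCAGkDPnI/svE9N80b83xT5K/+MQaLZGX/cyTWKLIlz21uaHGSRo0MaNBwYrRjNOZhoHbN2Cy0sgVLvlaMGTnkH4PJ/I09GQxsNAKLXz+vAKKNwbA36Kw4n"
                    + "21WRWDoSBJ5gPjFKWHR1S4BYUCxI90O51M9InW1G06saOk991lD9RH6A0ywH3Nw4Mkg7BGLvdIdqCoqAmrcvgYJ1h/RvJOt/h2ipzcDpz/qaZU2UZabYEn3V714z0d5LMvN690tCaaaO1PSGiNTPrlRJaajhMKjIj0sQ1U1K4To1wyvhN4rsSeR+QtEIKK1xOW8yj5nhlEvksrd3GULB+hL"
                    + "1ymx/tZgdQxe4ysd3cL9U/7tMmlPc9YWVtO22UO7iVrTfhTHmT0Rs9ttFNBjkyh/bPRTloBts7VeIUpze3ppRP4ncOJCaxxLOwtd0fA6iTvV4eAFeAcia29951yCHn91FjaNljJcPnRNy+u0VK+SlDptv5AcagR0luMfzGuIHOHdn9wIvb8/UDxAvxhwnieHQ7s1GdDUSq1T2xR5iHstyUu"
                    + "Ma/Gax0oQA2UE+dgCiR2jZaO5/TnlbXb9IKvNeQ1fAvHxiIwfpxozEMIvOzOrPbLwJjs8xXbkCH8GvEYiqQfMw2B3w6YIawzwVlcx+4CypfZvtYTatE+XCzs2j8rjFUZWUBv2olwN3ZfL3a0AfpAo0+LTSRIivoQSNEEuk7sIg2xU1lonGUe8JRYJovoyczZNNC/OUI5wD5kWCEM0v3A/kO"
                    + "Du50mX+Sl1LtmX8FQdy1q5nbS1BWFqfF6cibw4CL5yMH");
        } finally {
            test.destroy();
        }
    }
}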
运行样本后报错:
GetObjectClass 的 object 为 null
当前报错位置已经断下来了，输入 bt 查看调用栈
用 IDA 打开样本 so，跳到 0x092b8 地址
先分析一下,查看GetObjectClass的文档
| jclass GetObjectClass(JNIEnv *env, jobject obj);
有两个参数，env 和 object。根据 ARM 函数调用约定，参数 1 到参数 4 分别保存在 R0 到 R3 寄存器中，
所以往上找 R1 出现的位置 0x92A8，在该处下断点查看调用的位置
IDA 跳到 0x0a554，转为汇编代码后，可以看到 object 是 v24，也就是入参 a2。
查看该函数的地址为 0xa2ac，这跟我们一开始调用的地址是一样的；再看当时传递的第二个参数 object，确实传的是 0。
可以通过 jadx 查看正确的对象
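/**
 * Calls the native function at module offset {@code 0xa2ac} using the JNI argument layout
 * {@code (JNIEnv*, jobject thiz, int, int, jstring, jstring)} and prints its result.
 * <p>
 * The native code calls {@code GetObjectClass} on the receiver, so the second slot must be
 * a real object: an instance of {@code com/bdcaijing/tfccsdk/Tfcc} is created in the VM and
 * passed as a local reference.
 *
 * @param param1 first int argument of the native function
 * @param param2 second int argument of the native function
 * @param param3 first string argument, passed as a jstring local reference
 * @param param4 second string argument, passed as a jstring local reference
 * @return the string value the native function returned, or {@code null} if it returned no object
 */
public String tfccDecrypt(int param1, int param2, String param3, String param4) {
    List<Object> args = new ArrayList<>();
    args.add(vm.getJNIEnv());
    // jobject thiz: a registered instance of the declaring class, not 0.
    DvmClass tfccClass = vm.resolveClass("com/bdcaijing/tfccsdk/Tfcc");
    DvmObject<?> tfccObject = tfccClass.newObject(null);
    args.add(vm.addLocalObject(tfccObject));
    args.add(param1);
    args.add(param2);
    args.add(vm.addLocalObject(new StringObject(vm, param3)));
    args.add(vm.addLocalObject(new StringObject(vm, param4)));
    Number result = module.callFunction(emulator, 0xa2ac, args.toArray());
    // The return value is a local-reference handle; look the object up before dereferencing.
    DvmObject<?> returned = vm.getObject(result.intValue());
    if (returned == null) {
        return null;
    }
    String value = String.valueOf(returned.getValue());
    System.out.println(value);
    return value;
}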
再次运行就可以了