1. Installing and using Unidbg

Reference: https://www.jianshu.com/p/59e08e48ac20

2. Unidbg case study: emulating a call into a .so file to generate the JD sign parameter

Capture the product detail page request; the parameter to emulate is sign.

First set up the basic framework code:

package com.kdd.test;

import com.github.unidbg.AndroidEmulator;
import com.github.unidbg.LibraryResolver;
import com.github.unidbg.Module;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.linux.android.dvm.*;
import com.github.unidbg.memory.Memory;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

import java.io.*;

public class jd_main extends AbstractJni {
    private static final Log log = LogFactory.getLog(AbstractJni.class);

    public static void main(String[] args) throws IOException {
        jd_main RunLDQ = new jd_main();
        RunLDQ.runJni();
        RunLDQ.destroy();
    }

    private void destroy() throws IOException {
        emulator.close();
        System.out.println("destroy");
    }

    private static LibraryResolver createLibraryResolver() {
        return new AndroidResolver(23);
    }

    private static AndroidEmulator createARMEmulator() {
        return AndroidEmulatorBuilder.for32Bit().build();
    }

    private final AndroidEmulator emulator;
    private final VM vm;
    private Module module;
    private DvmClass aBitmapkitUtils;

    // Initialisation
    public jd_main() {
        emulator = createARMEmulator();
        final Memory memory = emulator.getMemory();
        // Set the SDK version to 23
        memory.setLibraryResolver(createLibraryResolver());
        // Loading the .so from the APK file lets unidbg handle the signature-related JNI
        // automatically (see AbstractJni); that is the benefit of loading from the APK.
        vm = emulator.createDalvikVM(new File("F:\\frida_learn_app\\jd\\jd-9.2.2.apk"));
        vm.setJni(this);
        // Whether to print logs
        vm.setVerbose(true);
    }

    public String runJni() {
        // Load the .so from the APK
        DalvikModule dm = vm.loadLibrary("jdbitmapkit", false);
        // Call JNI_OnLoad
        dm.callJNI_OnLoad(emulator);
        module = dm.getModule();
        return null;
    }
}
Running it produces an error; add the following code to fill in the missing environment:

    @Override
    public DvmObject<?> getStaticObjectField(BaseVM vm, DvmClass dvmClass, String signature) {
        switch (signature) {
            case "com/jingdong/common/utils/BitmapkitUtils->a:Landroid/app/Application;": {
                return vm.resolveClass("android/app/Activity",
                        vm.resolveClass("android/content/ContextWrapper",
                                vm.resolveClass("android/content/Context"))).newObject(null);
            }
        }
        return super.getStaticObjectField(vm, dvmClass, signature);
    }

Another error; add this code:

    @Override
    public DvmObject<?> callObjectMethod(BaseVM vm, DvmObject<?> dvmObject, String signature, VarArg varArg) {
        switch (signature) {
            case "android/app/Application->getPackageName()Ljava/lang/String;": {
                String packageName = vm.getPackageName();
                if (packageName != null) {
                    return new StringObject(vm, packageName);
                }
            }
        }
        throw new UnsupportedOperationException(signature);
    }

Another error; add this code:

    @Override
    public DvmObject<?> newObject(BaseVM vm, DvmClass dvmClass, String signature, VarArg varArg) {
        switch (signature) {
            case "sun/security/pkcs/PKCS7-><init>([B)V": {
                ByteArray array = varArg.getObjectArg(0);
                return new StringObject(vm, new String(array.getValue()));
            }
        }
        return super.newObject(vm, dvmClass, signature, varArg);
    }
Once the base environment runs without errors, call the signing function:

        // Which class of the .so to load
        aBitmapkitUtils = vm.resolveClass("com/jingdong/common/utils/BitmapkitUtils");
        // Call the method
        DvmObject<?> strRc = aBitmapkitUtils.callStaticJniMethodObject(emulator,
                "getSignFromJni()(Landroid/content/Context;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;",
                vm.addLocalObject(null),
                vm.addLocalObject(new StringObject(vm, "wareBusiness")),
                vm.addLocalObject(new StringObject(vm, "{\"abTest800\":true,\"avoidLive\":false,\"brand\":\"360\",\"cityId\":2144,\"darkModelEnum\":3,\"districtId\":24463,\"eventId\":\"Searchlist_Productid\",\"fromType\":0,\"isDesCbc\":true,\"latitude\":\"26.618816\",\"lego\":true,\"longitude\":\"106.644705\",\"model\":\"1605-A01\",\"ocrFlag\":false,\"pluginVersion\":90220,\"plusClickCount\":0,\"plusLandedFatigue\":0,\"provinceId\":\"24\",\"skuId\":\"10024083045618\",\"source_type\":\"search\",\"source_value\":\"鼠标垫小号\",\"townId\":51707,\"uAddrId\":\"0\"}")),
                vm.addLocalObject(new StringObject(vm, "uuid")),
                vm.addLocalObject(new StringObject(vm, "android")),
                vm.addLocalObject(new StringObject(vm, "9.2.2")));
        System.out.println(strRc.getValue());
        // Get the return value
        return (String) strRc.getValue();
Any further errors are handled the same way: follow each error and fill in the missing environment.
Finally it runs successfully and produces the result:

The complete code:

package com.kdd.test;

import com.github.unidbg.AndroidEmulator;
import com.github.unidbg.LibraryResolver;
import com.github.unidbg.Module;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.linux.android.dvm.*;
import com.github.unidbg.linux.android.dvm.Enumeration;
import com.github.unidbg.linux.android.dvm.api.*;
import com.github.unidbg.linux.android.dvm.api.ClassLoader;
import com.github.unidbg.linux.android.dvm.array.ByteArray;
import com.github.unidbg.memory.Memory;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

import java.io.*;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.util.*;

public class jd_main extends AbstractJni {
    private static final Log log = LogFactory.getLog(AbstractJni.class);

    public static void main(String[] args) throws IOException {
        jd_main RunLDQ = new jd_main();
        RunLDQ.runJni(args);
        RunLDQ.destroy();
    }

    private void destroy() throws IOException {
        emulator.close();
        System.out.println("destroy");
    }

    private static LibraryResolver createLibraryResolver() {
        return new AndroidResolver(23);
    }

    private static AndroidEmulator createARMEmulator() {
        return AndroidEmulatorBuilder.for32Bit().build();
    }

    private final AndroidEmulator emulator;
    private final VM vm;
    private Module module;
    private DvmClass aBitmapkitUtils;

    // Initialisation
    public jd_main() {
        emulator = createARMEmulator();
        final Memory memory = emulator.getMemory();
        // Set the SDK version to 23
        memory.setLibraryResolver(createLibraryResolver());
        // Loading the .so from the APK file lets unidbg handle the signature-related JNI
        // automatically (see AbstractJni); that is the benefit of loading from the APK.
        vm = emulator.createDalvikVM(new File("F:\\frida_learn_app\\jd\\jd-9.2.2.apk"));
        vm.setJni(this);
        // Whether to print logs
//        vm.setVerbose(true);
    }

    public String runJni(String[] args) {
        // Load the .so from the APK
        DalvikModule dm = vm.loadLibrary("jdbitmapkit", false);
        // Call JNI_OnLoad
        dm.callJNI_OnLoad(emulator);
        module = dm.getModule();
        // Which class of the .so to load
        aBitmapkitUtils = vm.resolveClass("com/jingdong/common/utils/BitmapkitUtils");
        // Call the method
        DvmObject<?> strRc = aBitmapkitUtils.callStaticJniMethodObject(emulator,
                "getSignFromJni()(Landroid/content/Context;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;",
                vm.addLocalObject(null),
                vm.addLocalObject(new StringObject(vm, "wareBusiness")),
                vm.addLocalObject(new StringObject(vm, "{\"abTest800\":true,\"avoidLive\":false,\"brand\":\"360\",\"cityId\":2144,\"darkModelEnum\":3,\"districtId\":24463,\"eventId\":\"Searchlist_Productid\",\"fromType\":0,\"isDesCbc\":true,\"latitude\":\"26.618816\",\"lego\":true,\"longitude\":\"106.644705\",\"model\":\"1605-A01\",\"ocrFlag\":false,\"pluginVersion\":90220,\"plusClickCount\":0,\"plusLandedFatigue\":0,\"provinceId\":\"24\",\"skuId\":\"10024083045618\",\"source_type\":\"search\",\"source_value\":\"鼠标垫小号\",\"townId\":51707,\"uAddrId\":\"0\"}")),
                vm.addLocalObject(new StringObject(vm, "uuid")),
                vm.addLocalObject(new StringObject(vm, "android")),
                vm.addLocalObject(new StringObject(vm, "9.2.2")));
        System.out.println(strRc.getValue());
        // Get the return value
        return (String) strRc.getValue();
    }

    @Override
    public DvmObject<?> getStaticObjectField(BaseVM vm, DvmClass dvmClass, String signature) {
        switch (signature) {
            case "com/jingdong/common/utils/BitmapkitUtils->a:Landroid/app/Application;": {
                return vm.resolveClass("android/app/Activity",
                        vm.resolveClass("android/content/ContextWrapper",
                                vm.resolveClass("android/content/Context"))).newObject(null);
            }
        }
        return super.getStaticObjectField(vm, dvmClass, signature);
    }

    @Override
    public DvmObject<?> newObject(BaseVM vm, DvmClass dvmClass, String signature, VarArg varArg) {
        switch (signature) {
            case "sun/security/pkcs/PKCS7-><init>([B)V": {
                ByteArray array = varArg.getObjectArg(0);
                return new StringObject(vm, new String(array.getValue()));
            }
        }
        return super.newObject(vm, dvmClass, signature, varArg);
    }

    @Override
    public DvmObject<?> callObjectMethod(BaseVM vm, DvmObject<?> dvmObject, String signature, VarArg varArg) {
        switch (signature) {
            case "android/app/Application->getPackageName()Ljava/lang/String;": {
                String packageName = vm.getPackageName();
                if (packageName != null) {
                    return new StringObject(vm, packageName);
                }
            }
        }
        throw new UnsupportedOperationException(signature);
    }

    @Override
    public DvmObject<?> newObjectV(BaseVM vm, DvmClass dvmClass, String signature, VaList vaList) {
        switch (signature) {
            case "java/lang/StringBuffer-><init>()V": {
                return vm.resolveClass("java/lang/StringBuffer").newObject(new StringBuffer());
            }
            case "java/lang/Integer-><init>(I)V": {
                return vm.resolveClass("java/lang/Integer").newObject(new Integer(vaList.getIntArg(0)));
            }
        }
        throw new UnsupportedOperationException(signature);
    }

    @Override
    public DvmObject<?> callObjectMethodV(BaseVM vm, DvmObject<?> dvmObject, String signature, VaList vaList) {
        switch (signature) {
            case "android/app/Application->getAssets()Landroid/content/res/AssetManager;":
                return new AssetManager(vm, signature);
            case "android/app/Application->getClassLoader()Ljava/lang/ClassLoader;":
                return new ClassLoader(vm, signature);
            case "android/app/Application->getContentResolver()Landroid/content/ContentResolver;":
                return vm.resolveClass("android/content/ContentResolver").newObject(signature);
            case "java/util/ArrayList->get(I)Ljava/lang/Object;": {
                int index = vaList.getIntArg(0);
                ArrayListObject arrayList = (ArrayListObject) dvmObject;
                return arrayList.getValue().get(index);
            }
            case "android/app/Application->getSystemService(Ljava/lang/String;)Ljava/lang/Object;": {
                StringObject serviceName = vaList.getObjectArg(0);
                assert serviceName != null;
                return new SystemService(vm, serviceName.getValue());
            }
            case "java/lang/String->toString()Ljava/lang/String;":
                return dvmObject;
            case "java/lang/Class->getName()Ljava/lang/String;":
                return new StringObject(vm, ((DvmClass) dvmObject).getName());
            case "android/view/accessibility/AccessibilityManager->getEnabledAccessibilityServiceList(I)Ljava/util/List;":
                return new ArrayListObject(vm, Collections.<DvmObject<?>>emptyList());
            case "java/util/Enumeration->nextElement()Ljava/lang/Object;":
                return ((Enumeration) dvmObject).nextElement();
            case "java/util/Locale->getLanguage()Ljava/lang/String;":
                Locale locale = (Locale) dvmObject.getValue();
                return new StringObject(vm, locale.getLanguage());
            case "java/util/Locale->getCountry()Ljava/lang/String;":
                locale = (Locale) dvmObject.getValue();
                return new StringObject(vm, locale.getCountry());
            case "android/os/IServiceManager->getService(Ljava/lang/String;)Landroid/os/IBinder;": {
                ServiceManager serviceManager = (ServiceManager) dvmObject;
                StringObject serviceName = vaList.getObjectArg(0);
                assert serviceName != null;
                return serviceManager.getService(vm, serviceName.getValue());
            }
            case "java/io/File->getAbsolutePath()Ljava/lang/String;":
                File file = (File) dvmObject.getValue();
                return new StringObject(vm, file.getAbsolutePath());
            case "android/app/Application->getPackageManager()Landroid/content/pm/PackageManager;":
            case "android/content/ContextWrapper->getPackageManager()Landroid/content/pm/PackageManager;":
            case "android/content/Context->getPackageManager()Landroid/content/pm/PackageManager;":
                DvmClass clazz = vm.resolveClass("android/content/pm/PackageManager");
                return clazz.newObject(signature);
            case "android/content/pm/PackageManager->getPackageInfo(Ljava/lang/String;I)Landroid/content/pm/PackageInfo;": {
                StringObject packageName = vaList.getObjectArg(0);
                assert packageName != null;
                int flags = vaList.getIntArg(1);
                if (log.isDebugEnabled()) {
                    log.debug("getPackageInfo packageName=" + packageName.getValue() + ", flags=0x" + Integer.toHexString(flags));
                }
                return new PackageInfo(vm, packageName.getValue(), flags);
            }
            case "android/app/Application->getPackageName()Ljava/lang/String;":
            case "android/content/ContextWrapper->getPackageName()Ljava/lang/String;":
            case "android/content/Context->getPackageName()Ljava/lang/String;": {
                String packageName = vm.getPackageName();
                if (packageName != null) {
                    return new StringObject(vm, packageName);
                }
                break;
            }
            case "android/content/pm/Signature->toByteArray()[B":
                if (dvmObject instanceof Signature) {
                    Signature sig = (Signature) dvmObject;
                    return new ByteArray(vm, sig.toByteArray());
                }
                break;
            case "android/content/pm/Signature->toCharsString()Ljava/lang/String;":
                if (dvmObject instanceof Signature) {
                    Signature sig = (Signature) dvmObject;
                    return new StringObject(vm, sig.toCharsString());
                }
                break;
            case "java/lang/String->getBytes()[B": {
                String str = (String) dvmObject.getValue();
                return new ByteArray(vm, str.getBytes());
            }
            case "java/lang/String->getBytes(Ljava/lang/String;)[B":
                String str = (String) dvmObject.getValue();
                StringObject charsetName = vaList.getObjectArg(0);
                assert charsetName != null;
                try {
                    return new ByteArray(vm, str.getBytes(charsetName.getValue()));
                } catch (UnsupportedEncodingException e) {
                    throw new IllegalStateException(e);
                }
            case "java/lang/Integer->toString()Ljava/lang/String;": {
                Integer iUse = (Integer) dvmObject.getValue();
                return new StringObject(vm, Integer.toString(iUse));
            }
            case "java/lang/StringBuffer->toString()Ljava/lang/String;": {
                StringBuffer str1 = (StringBuffer) dvmObject.getValue();
                return new StringObject(vm, str1.toString());
            }
            case "java/lang/StringBuffer->append(Ljava/lang/String;)Ljava/lang/StringBuffer;": {
                StringBuffer str1 = (StringBuffer) dvmObject.getValue();
                StringObject serviceName = vaList.getObjectArg(0);
                assert serviceName != null;
                return vm.resolveClass("java/lang/StringBuffer").newObject(str1.append(serviceName.getValue()));
            }
            case "java/security/cert/CertificateFactory->generateCertificate(Ljava/io/InputStream;)Ljava/security/cert/Certificate;":
                CertificateFactory factory = (CertificateFactory) dvmObject.getValue();
                DvmObject<?> stream = vaList.getObjectArg(0);
                assert stream != null;
                InputStream inputStream = (InputStream) stream.getValue();
                try {
                    return vm.resolveClass("java/security/cert/Certificate").newObject(factory.generateCertificate(inputStream));
                } catch (CertificateException e) {
                    throw new IllegalStateException(e);
                }
            case "java/security/cert/Certificate->getEncoded()[B": {
                Certificate certificate = (Certificate) dvmObject.getValue();
                try {
                    return new ByteArray(vm, certificate.getEncoded());
                } catch (CertificateEncodingException e) {
                    throw new IllegalStateException(e);
                }
            }
            case "java/security/MessageDigest->digest([B)[B": {
                MessageDigest messageDigest = (MessageDigest) dvmObject.getValue();
                ByteArray array = vaList.getObjectArg(0);
                assert array != null;
                return new ByteArray(vm, messageDigest.digest(array.getValue()));
            }
            case "java/util/ArrayList->remove(I)Ljava/lang/Object;": {
                int index = vaList.getIntArg(0);
                ArrayListObject list = (ArrayListObject) dvmObject;
                return list.getValue().remove(index);
            }
            case "java/util/List->get(I)Ljava/lang/Object;":
                List<?> list = (List<?>) dvmObject.getValue();
                return (DvmObject<?>) list.get(vaList.getIntArg(0));
            case "java/util/Map->entrySet()Ljava/util/Set;":
                Map<?, ?> map = (Map<?, ?>) dvmObject.getValue();
                return vm.resolveClass("java/util/Set").newObject(map.entrySet());
            case "java/util/Set->iterator()Ljava/util/Iterator;":
                Set<?> set = (Set<?>) dvmObject.getValue();
                return vm.resolveClass("java/util/Iterator").newObject(set.iterator());
        }
        throw new UnsupportedOperationException(signature);
    }
}

3. Packaging as a jar so other programs can call it

In IDEA go to File → Project Structure…, then select Artifacts and click the plus sign (Add).
Configure it as shown in the figure and tick Include tests.

After clicking OK,
Build → Build Artifacts to compile.
A successful build produces many jar files.

Test it from the console with java -jar unidbg-master.jar

It runs and prints the result, which shows the packaging is fine.

4. Calling the packaged jar from Python

# coding:utf-8
import requests, urllib.parse, subprocess
import chardet, jpype, os

headers = {
    "Host": "api.m.jd.com",
    "charset": "UTF-8",
    "cache-control": "no-cache",
    "content-type": "application/x-www-form-urlencoded; charset=UTF-8",
    "user-agent": "okhttp/3.12.1"
}
cookies = {
}
url = "https://api.m.jd.com/client.action"
params = {
    "functionId": "wareBusiness",
    "clientVersion": "9.2.2",
    "build": "85371",
    "client": "android",
    "d_brand": "360",
    "d_model": "1605-A01",
    "osVersion": "6.0.1",
    "screen": "1920*1080",
    "partner": "ks012",
    "aid": "xxx",
    "oaid": "",
    "eid": "xxx",
    "sdkVersion": "23",
    "lang": "zh_CN",
    "uuid": "xxx",
    "area": "24_2144_2149_21104",
    "networkType": "wifi",
    "wifiBssid": "xxx",
    # "st": "1665562015795",
    # "sign": "45a7dc3f547be113a6a4dfa942e190c6",
    # "sv": "111"
}
body = '''{"abTest800":true,"avoidLive":false,"brand":"360","cityId":2144,"darkModelEnum":3,"districtId":24463,"eventId":"Searchlist_Productid","fromType":0,"isDesCbc":true,"latitude":"","lego":true,"longitude":"","model":"1605-A01","ocrFlag":false,"pluginVersion":90220,"plusClickCount":0,"plusLandedFatigue":0,"provinceId":"24","skuId":"10024083045618","source_type":"search","source_value":"鼠标垫小号","townId":51707,"uAddrId":"0"}'''
data = {
    "lmt": "0",
    "body": body,
    "": ""
}
jvmPath = jpype.getDefaultJVMPath()
d = 'unidbg_master_jar2/unidbg-master.jar'  # path to the jar
jpype.startJVM(jvmPath, "-ea", "-Djava.class.path=" + d)
JDClass = jpype.JClass("com.kdd.test.jd_main")  # the class built above
jd = JDClass()
signature = jd.runJni(["wareBusiness", body, "uuid", "android", "9.2.2"])
url = url + "?" + urllib.parse.urlencode(params) + "&" + str(signature)
print(url)
response = requests.post(url, headers=headers, cookies=cookies, data=data)
print(response.text)
print(response)
jpype.shutdownJVM()

It runs successfully and produces the result.

Summary

There are many write-ups of this case online; it is a good one for getting started, haha.
