Shulou(Shulou.com)06/01 Report--

How to call the so file to generate xgorgon, many novices are not very clear about this, in order to help you solve this problem, the following editor will explain in detail for you, people with this need can come to learn, I hope you can get something.

At present, many App encryption and signature algorithms are in so files, forced reverse so may consume a lot of time and resources.

Before using xposed to use hook method to calculate signatures from the program, but need simulator or real machine to run this application, the use of efficiency is not high.

You've also used jtype to start JVM, and then make calls to so files through native, because you need to start JVM every time, so it's not efficient.

Unidbg he does not need to run app, nor need to reverse the so file, by finding the corresponding JNI interface in app, and then using the unicorn engine to directly call the so file, so it is relatively efficient.

Characteristics of unidbg

Simulate JNI to call API, you can call JNI_OnLoad

Support for JavaVM,JNIEnv

Simulate system call

Support for ARM32 and ARM64

Inline hook (Inline Hook)

Android import hook

Some hook tools of iOS fishhook and substrate and whale hook

Support for simple console debugger, gdb stub, experimental IDA android debugger server, instruction trace, memory read / write trace

Support for iOS objc and Swift

Unidbg environment configuration

Unidbg download link: https://github.com/zhkl0228/unidbg

IntelliJ IDEA can be used to edit unidbg sources

After the download is completed, import it to IDEA. Of course, you need to prepare the java environment (jdk, maven).

Select Maven

After waiting for the load to complete, run src/... TTEncrypt test cases in / encrypt

If the console prints the relevant call information, the import has been successful.

Load libcms.so

Now you are ready to call the leviathan function in the libcms.so file

First, create a new folder dylib under the src/test/resources directory and put the libcms.so file

Libcms.so download address: https://download.csdn.net/download/weixin_43582101/12713664

Then I created a new JniDispatch228.java file in the / unidbg/unidbg-android/src/test/java/com/sun/jna/ directory

The JniDispatch228.java file is as follows:

Note: "com/ss/sys/ces/a" requires the full path of the Java class where the function is called, such as a/b/c/d, etc. Note that you need to use / replace the function name that "leviathan (II [B) [B") needs to call. The name is smali syntax. You can check the path of the "vm.loadLibrary (new File)" so file through jadx and other tools. It needs to be modified by yourself, preferably the absolute path package com.sun.jna;import com.github.unidbg.*. Import com.github.unidbg.linux.android.AndroidARMEmulator;import com.github.unidbg.linux.android.AndroidResolver;import com.github.unidbg.linux.android.dvm.*;import com.github.unidbg.memory.Memory;import com.github.unidbg.memory.MemoryBlock;import com.github.unidbg.linux.android.dvm.array.ByteArray;import java.io.File;import java.io.IOException;public class JniDispatch228 extends AbstractJni {private static LibraryResolver createLibraryResolver () {return new AndroidResolver (23) } private static AndroidEmulator createARMEmulator () {return new AndroidARMEmulator ("com.sun.jna");} private final AndroidEmulator emulator; private final Module module; private final VM vm; private final DvmClass Native; private JniDispatch228 () {emulator = createARMEmulator (); final Memory memory = emulator.getMemory (); memory.setLibraryResolver (createLibraryResolver ()); vm = emulator.createDalvikVM (null); vm.setJni (this) Vm.setVerbose (true); / / modify the file path DalvikModule dm = vm.loadLibrary (new File ("/ Users/Desktop/unidbg/unidbg-android/src/test/resources/dylib/libcms.so"), false); dm.callJNI_OnLoad (emulator); module = dm.getModule (); Native = vm.resolveClass ("com/ss/sys/ces/a") } private void destroy () throws IOException {emulator.close (); System.out.println ("destroy");} public static void main (String [] args) throws Exception {JniDispatch228 test = new JniDispatch228 (); test.test (); test.destroy ();} public static String xuzi1 (byte [] bArr) {if (bArr = = null) {return null } char [] charArray = "0123456789abcdef" .toCharArray (); char [] cArr = new char [(bArr.length * 2)]; for (int I = 0; I

> > 4]; cArr [i2 + 1] = charArray [b2 & 15];} return new String (cArr);} private void test () {String methodSign = "leviathan (II [B) [B"; byte [] data = "temporarily casually written, here is url processed data" .getBytes (); int time = (int) (System.currentTimeMillis () / 1000) Native.callStaticJniMethod (emulator, methodSign,-1); Object ret = Native.callStaticJniMethodObject (emulator, methodSign,-1); System.out.println ("callObject execution result: + ((DvmObject) ret). GetValue ()); byte [] tt = (byte []) ((DvmObject) ret) .getValue (); System.out.println (new String (tt)) String s = xuzi1 (tt); System.out.println (s);}}

Run the main method to view the generated xgorgon

Is it helpful for you to read the above content? If you want to know more about the relevant knowledge or read more related articles, please follow the industry information channel, thank you for your support.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.