Unidbg初步学习记录

Posted 凯多233



一、Unidbg安装和使用

参考:https://www.jianshu.com/p/59e08e48ac20

二、Unidbg案例学习,模拟调用so文件生成京东sign参数

抓包商品详情页,要模拟的是 sign 参数。注意:后面补环境时出现了 PackageManager.getPackageInfo、Signature.toByteArray、CertificateFactory.generateCertificate、Certificate.getEncoded 和 MessageDigest.digest 这些调用,说明 so 在生成 sign 的过程中会读取 APK 的签名证书并对其做摘要(疑似参与签名计算)。因此必须用原始的官方签名 APK 创建 Dalvik VM,不能用重打包/二次签名过的包,否则算出来的 sign 会与真机不一致。

先搭建基础框架代码:
package com.kdd.test;

import com.github.unidbg.AndroidEmulator;
import com.github.unidbg.LibraryResolver;
import com.github.unidbg.Module;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.linux.android.dvm.*;
import com.github.unidbg.linux.android.dvm.array.ByteArray;
import com.github.unidbg.memory.Memory;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

import java.io.*;

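/**
 * Skeleton harness: boots a 32-bit ARM unidbg emulator, creates a Dalvik VM from the
 * JD APK and loads libjdbitmapkit.so. The JNI overrides that the so needs are added
 * later in the article, one per error the run produces.
 */
public class jd_main extends AbstractJni {
    // Log under this class' own name (the original logged as AbstractJni, hiding the source).
    private static final Log log = LogFactory.getLog(jd_main.class);

    /**
     * Original, vendor-signed APK the VM is created from. Overridable with -Djd.apk=... so the
     * same class works from a packaged jar on another machine.
     */
    private static final String APK_PATH =
            System.getProperty("jd.apk", "F:\\frida_learn_app\\jd\\jd-9.2.2.apk");

    /**
     * Entry point: build the emulator, run the JNI bootstrap, then release the emulator.
     * destroy() runs in a finally block so a failure inside runJni() does not leak the emulator.
     */
    public static void main(String[] args) throws IOException {
        jd_main runner = new jd_main();
        try {
            runner.runJni();
        } finally {
            runner.destroy();
        }
    }

    /** Closes the emulator (and the Dalvik VM it owns). */
    private void destroy() throws IOException {
        emulator.close();
        System.out.println("destroy");
    }

    /** Library resolver pinned to API level 23 (the framework libs the so is resolved against). */
    private static LibraryResolver createLibraryResolver() {
        return new AndroidResolver(23);
    }

    /** 32-bit ARM emulator; assumes the jdbitmapkit build used here is 32-bit — confirm against the APK's lib/ directory. */
    private static AndroidEmulator createARMEmulator() {
        return AndroidEmulatorBuilder
                .for32Bit()
                .build();
    }

    private final AndroidEmulator emulator;
    private final VM vm;
    private Module module;
    private DvmClass aBitmapkitUtils;

    /**
     * Initialises the emulator and a Dalvik VM backed by the APK.
     * Creating the VM from the APK (rather than a bare so file) lets unidbg answer the
     * signature-related JNI calls from the real APK contents (see AbstractJni); the so itself
     * is only loaded later in runJni().
     */
    public jd_main() {
        emulator = createARMEmulator();
        final Memory memory = emulator.getMemory();
        memory.setLibraryResolver(createLibraryResolver());   // SDK 23

        vm = emulator.createDalvikVM(new File(APK_PATH));
        vm.setJni(this);        // route JNI calls the so makes to the overrides in this class
        vm.setVerbose(true);    // log every JNI call while the environment is still being patched
    }

    /**
     * Loads libjdbitmapkit.so from the APK and runs its JNI_OnLoad.
     * The skeleton stops here and returns null; the sign call is added once JNI_OnLoad succeeds.
     */
    public String runJni() {
        DalvikModule dm = vm.loadLibrary("jdbitmapkit", false);
        dm.callJNI_OnLoad(emulator);
        module = dm.getModule();
        return null;
    }
}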

运行有报错补代码

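    /**
     * Supplies the static field BitmapkitUtils.a (typed android.app.Application) that the so reads.
     * There is no real Application inside the emulator, so an Activity-typed object with a
     * ContextWrapper/Context superclass chain and a null backing value is handed back; judging by
     * the calls that had to be stubbed next, the so only uses it as a Context to ask for package data.
     * Every other field lookup is delegated to AbstractJni's defaults.
     */
    @Override
    public DvmObject<?> getStaticObjectField(BaseVM vm, DvmClass dvmClass, String signature) {
        if ("com/jingdong/common/utils/BitmapkitUtils->a:Landroid/app/Application;".equals(signature)) {
            DvmClass context = vm.resolveClass("android/content/Context");
            DvmClass contextWrapper = vm.resolveClass("android/content/ContextWrapper", context);
            DvmClass activity = vm.resolveClass("android/app/Activity", contextWrapper);
            return activity.newObject(null);
        }
        return super.getStaticObjectField(vm, dvmClass, signature);
    }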

报错补代码

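    /**
     * Handles JNI CallObjectMethod (varargs form) on the Application stub.
     * Application.getPackageName() is answered from the APK the VM was created from, which keeps
     * the package name consistent with the signature data the so reads through the same VM.
     * Unknown signatures fall back to AbstractJni, which is expected to reject them with
     * UnsupportedOperationException — the same outcome the original throw produced, but it also
     * picks up any built-in handlers unidbg ships.
     */
    @Override
    public DvmObject<?> callObjectMethod(BaseVM vm, DvmObject<?> dvmObject, String signature, VarArg varArg) {
        if ("android/app/Application->getPackageName()Ljava/lang/String;".equals(signature)) {
            String packageName = vm.getPackageName();
            if (packageName != null) {
                return new StringObject(vm, packageName);
            }
        }
        return super.callObjectMethod(vm, dvmObject, signature, varArg);
    }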

报错补代码 

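    /**
     * Handles JNI NewObject for sun.security.pkcs.PKCS7(byte[]).
     * The so presumably wraps the APK's signature block in a PKCS7 object; no PKCS7 parser is
     * wired into the emulator, so the raw DER bytes are handed back as a string object and
     * whatever the so calls on it next has to be stubbed separately.
     * NOTE(review): new String(byte[]) decodes binary DER with the host's default charset, which is
     * lossy. That is harmless as long as nothing reads the value back; if the so does, keep the
     * bytes (e.g. return a ByteArray) instead of a re-encoded string.
     */
    @Override
    public DvmObject<?> newObject(BaseVM vm, DvmClass dvmClass, String signature, VarArg varArg) {
        if ("sun/security/pkcs/PKCS7-><init>([B)V".equals(signature)) {
            ByteArray der = varArg.getObjectArg(0);
            return new StringObject(vm, new String(der.getValue()));
        }
        return super.newObject(vm, dvmClass, signature, varArg);
    }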
基础环境没报错后,调用签名函数
        //加载so的哪个类
        aBitmapkitUtils = vm.resolveClass("com/jingdong/common/utils/BitmapkitUtils");
        //调用方法
        DvmObject<?> strRc = aBitmapkitUtils.callStaticJniMethodObject(emulator,"getSignFromJni()(Landroid/content/Context;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;",
                vm.addLocalObject(null),
                vm.addLocalObject(new StringObject(vm,"wareBusiness")),
                vm.addLocalObject(new StringObject(vm,"\\"abTest800\\":true,\\"avoidLive\\":false,\\"brand\\":\\"360\\",\\"cityId\\":2144,\\"darkModelEnum\\":3,\\"districtId\\":24463,\\"eventId\\":\\"Searchlist_Productid\\",\\"fromType\\":0,\\"isDesCbc\\":true,\\"latitude\\":\\"26.618816\\",\\"lego\\":true,\\"longitude\\":\\"106.644705\\",\\"model\\":\\"1605-A01\\",\\"ocrFlag\\":false,\\"pluginVersion\\":90220,\\"plusClickCount\\":0,\\"plusLandedFatigue\\":0,\\"provinceId\\":\\"24\\",\\"skuId\\":\\"10024083045618\\",\\"source_type\\":\\"search\\",\\"source_value\\":\\"鼠标垫小号\\",\\"townId\\":51707,\\"uAddrId\\":\\"0\\"")),
                vm.addLocalObject(new StringObject(vm,"uuid")),
                vm.addLocalObject(new StringObject(vm,"android")),
                vm.addLocalObject(new StringObject(vm,"9.2.2")));
        System.out.println(strRc.getValue());
        //获取返回值
        return (String) strRc.getValue();
后面有报错也是跟着报错补环境
最后成功运行出结果:

全部代码如下:
package com.kdd.test;

import com.github.unidbg.AndroidEmulator;
import com.github.unidbg.LibraryResolver;
import com.github.unidbg.Module;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.linux.android.dvm.*;
import com.github.unidbg.linux.android.dvm.Enumeration;
import com.github.unidbg.linux.android.dvm.api.*;
import com.github.unidbg.linux.android.dvm.api.ClassLoader;
import com.github.unidbg.linux.android.dvm.array.ByteArray;
import com.github.unidbg.memory.Memory;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

import java.io.*;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.util.*;

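/**
 * unidbg harness that loads libjdbitmapkit.so from the JD 9.2.2 APK and calls
 * BitmapkitUtils.getSignFromJni to reproduce the request "sign" parameter.
 * All the JNI overrides below were added one by one as the so asked for them; the
 * PackageInfo/Signature/Certificate/MessageDigest handlers show that the so reads and hashes
 * the APK's signing certificate, so the VM must be created from the original signed APK.
 */
public class jd_main extends AbstractJni {
    private static final Log log = LogFactory.getLog(jd_main.class);

    /** Original, vendor-signed APK the VM is created from; overridable with -Djd.apk=... */
    private static final String APK_PATH =
            System.getProperty("jd.apk", "F:\\frida_learn_app\\jd\\jd-9.2.2.apk");

    /** Native library inside the APK that exports getSignFromJni. */
    private static final String SO_NAME = "jdbitmapkit";
    private static final String SIGN_CLASS = "com/jingdong/common/utils/BitmapkitUtils";
    // Kept byte-for-byte from the working run, including the odd "()" before the descriptor:
    // it resolved the JNI export as written, so do not "fix" it without re-testing.
    private static final String SIGN_METHOD =
            "getSignFromJni()(Landroid/content/Context;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;";

    // Defaults used when runJni() is called without five arguments: the captured request.
    private static final String DEFAULT_FUNCTION_ID = "wareBusiness";
    // NOTE(review): the surrounding braces were missing in the published listing (every { and }
    // on the page was stripped); restored so the default body is valid JSON.
    private static final String DEFAULT_BODY =
            "{\"abTest800\":true,\"avoidLive\":false,\"brand\":\"360\",\"cityId\":2144,\"darkModelEnum\":3,\"districtId\":24463,\"eventId\":\"Searchlist_Productid\",\"fromType\":0,\"isDesCbc\":true,\"latitude\":\"26.618816\",\"lego\":true,\"longitude\":\"106.644705\",\"model\":\"1605-A01\",\"ocrFlag\":false,\"pluginVersion\":90220,\"plusClickCount\":0,\"plusLandedFatigue\":0,\"provinceId\":\"24\",\"skuId\":\"10024083045618\",\"source_type\":\"search\",\"source_value\":\"鼠标垫小号\",\"townId\":51707,\"uAddrId\":\"0\"}";
    private static final String DEFAULT_UUID = "uuid";
    private static final String DEFAULT_CLIENT = "android";
    private static final String DEFAULT_CLIENT_VERSION = "9.2.2";

    /**
     * Entry point. Command-line arguments are forwarded to runJni() (functionId, body, uuid,
     * client, clientVersion); with none given the captured defaults are used.
     * destroy() runs in a finally block so a failure in the emulated call does not leak the emulator.
     */
    public static void main(String[] args) throws IOException {
        jd_main runner = new jd_main();
        try {
            runner.runJni(args);
        } finally {
            runner.destroy();
        }
    }

    /** Closes the emulator (and the Dalvik VM it owns). */
    private void destroy() throws IOException {
        emulator.close();
        System.out.println("destroy");
    }

    /** Library resolver pinned to API level 23. */
    private static LibraryResolver createLibraryResolver() {
        return new AndroidResolver(23);
    }

    /** 32-bit ARM emulator; assumes the jdbitmapkit build used here is 32-bit — confirm against the APK's lib/ directory. */
    private static AndroidEmulator createARMEmulator() {
        return AndroidEmulatorBuilder
                .for32Bit()
                .build();
    }

    private final AndroidEmulator emulator;
    private final VM vm;
    private Module module;
    private DvmClass aBitmapkitUtils;

    /**
     * Initialises the emulator and a Dalvik VM backed by the APK.
     * Creating the VM from the APK (rather than a bare so file) lets unidbg answer the
     * signature-related JNI calls from the real APK contents (see AbstractJni).
     */
    public jd_main() {
        emulator = createARMEmulator();
        final Memory memory = emulator.getMemory();
        memory.setLibraryResolver(createLibraryResolver());   // SDK 23

        vm = emulator.createDalvikVM(new File(APK_PATH));
        vm.setJni(this);    // route JNI calls the so makes to the overrides in this class
        // vm.setVerbose(true);  // enable to log every JNI call when a new error has to be patched
    }

    /**
     * Loads the so, runs JNI_OnLoad and calls BitmapkitUtils.getSignFromJni.
     *
     * @param args optional {functionId, body, uuid, client, clientVersion}. When fewer than five
     *             values are given the captured defaults are used. Honouring the arguments matters
     *             because the JPype caller passes the body it is about to POST — the sign must be
     *             computed over exactly that body, not a hard-coded copy.
     * @return the string the so returns (presumably the st/sign/sv query fragment the caller
     *         appends to the URL), or null if the call produced no object
     */
    public String runJni(String[] args) {
        DalvikModule dm = vm.loadLibrary(SO_NAME, false);
        dm.callJNI_OnLoad(emulator);
        module = dm.getModule();
        aBitmapkitUtils = vm.resolveClass(SIGN_CLASS);

        boolean useArgs = args != null && args.length >= 5;
        String functionId = useArgs ? args[0] : DEFAULT_FUNCTION_ID;
        String body = useArgs ? args[1] : DEFAULT_BODY;
        String uuid = useArgs ? args[2] : DEFAULT_UUID;
        String client = useArgs ? args[3] : DEFAULT_CLIENT;
        String clientVersion = useArgs ? args[4] : DEFAULT_CLIENT_VERSION;

        // Context is passed as null, as in the captured run; the so appears to obtain its
        // Application through BitmapkitUtils.a instead (see getStaticObjectField).
        DvmObject<?> result = aBitmapkitUtils.callStaticJniMethodObject(emulator, SIGN_METHOD,
                vm.addLocalObject(null),
                vm.addLocalObject(new StringObject(vm, functionId)),
                vm.addLocalObject(new StringObject(vm, body)),
                vm.addLocalObject(new StringObject(vm, uuid)),
                vm.addLocalObject(new StringObject(vm, client)),
                vm.addLocalObject(new StringObject(vm, clientVersion)));
        if (result == null) {
            return null;
        }
        System.out.println(result.getValue());
        return (String) result.getValue();
    }

    /**
     * Supplies the static field BitmapkitUtils.a (typed android.app.Application) that the so reads.
     * An Activity-typed object with a ContextWrapper/Context superclass chain and a null backing
     * value stands in for it; the so only uses it as a Context (see the Application cases below).
     */
    @Override
    public DvmObject<?> getStaticObjectField(BaseVM vm, DvmClass dvmClass, String signature) {
        if ("com/jingdong/common/utils/BitmapkitUtils->a:Landroid/app/Application;".equals(signature)) {
            DvmClass context = vm.resolveClass("android/content/Context");
            DvmClass contextWrapper = vm.resolveClass("android/content/ContextWrapper", context);
            DvmClass activity = vm.resolveClass("android/app/Activity", contextWrapper);
            return activity.newObject(null);
        }
        return super.getStaticObjectField(vm, dvmClass, signature);
    }

    /**
     * Handles NewObject for sun.security.pkcs.PKCS7(byte[]): the raw DER bytes are handed back
     * as a string object because no PKCS7 parser is wired into the emulator.
     * NOTE(review): new String(byte[]) decodes binary DER with the host's default charset and is
     * lossy; fine while nothing reads the value back, otherwise return a ByteArray instead.
     */
    @Override
    public DvmObject<?> newObject(BaseVM vm, DvmClass dvmClass, String signature, VarArg varArg) {
        if ("sun/security/pkcs/PKCS7-><init>([B)V".equals(signature)) {
            ByteArray der = varArg.getObjectArg(0);
            return new StringObject(vm, new String(der.getValue()));
        }
        return super.newObject(vm, dvmClass, signature, varArg);
    }

    /**
     * CallObjectMethod (varargs form): Application.getPackageName() is answered from the APK.
     * Unknown signatures fall back to AbstractJni (expected to throw UnsupportedOperationException,
     * as the original code did directly).
     */
    @Override
    public DvmObject<?> callObjectMethod(BaseVM vm, DvmObject<?> dvmObject, String signature, VarArg varArg) {
        if ("android/app/Application->getPackageName()Ljava/lang/String;".equals(signature)) {
            String packageName = vm.getPackageName();
            if (packageName != null) {
                return new StringObject(vm, packageName);
            }
        }
        return super.callObjectMethod(vm, dvmObject, signature, varArg);
    }

    /** NewObject (va_list form): StringBuffer() and Integer(int) are backed by real JDK objects. */
    @Override
    public DvmObject<?> newObjectV(BaseVM vm, DvmClass dvmClass, String signature, VaList vaList) {
        switch (signature) {
            case "java/lang/StringBuffer-><init>()V":
                return vm.resolveClass("java/lang/StringBuffer").newObject(new StringBuffer());
            case "java/lang/Integer-><init>(I)V":
                return vm.resolveClass("java/lang/Integer").newObject(Integer.valueOf(vaList.getIntArg(0)));
            default:
                return super.newObjectV(vm, dvmClass, signature, vaList);
        }
    }

    /**
     * CallObjectMethod (va_list form) — the bulk of the patched environment.
     * Context/PackageManager/Signature/Certificate/MessageDigest calls are served from the APK
     * the VM was created from, so the certificate digest the so computes is the real one.
     * JDK-backed objects (String, StringBuffer, Integer, Locale, collections) are handled by
     * unwrapping the DvmObject value and re-wrapping the result.
     * Anything not listed falls back to AbstractJni, which rejects what it cannot serve.
     */
    @Override
    public DvmObject<?> callObjectMethodV(BaseVM vm, DvmObject<?> dvmObject, String signature, VaList vaList) {
        switch (signature) {
            case "android/app/Application->getAssets()Landroid/content/res/AssetManager;":
                return new AssetManager(vm, signature);
            case "android/app/Application->getClassLoader()Ljava/lang/ClassLoader;":
                return new ClassLoader(vm, signature);
            case "android/app/Application->getContentResolver()Landroid/content/ContentResolver;":
                return vm.resolveClass("android/content/ContentResolver").newObject(signature);
            case "java/util/ArrayList->get(I)Ljava/lang/Object;": {
                ArrayListObject arrayList = (ArrayListObject) dvmObject;
                return arrayList.getValue().get(vaList.getIntArg(0));
            }
            case "android/app/Application->getSystemService(Ljava/lang/String;)Ljava/lang/Object;": {
                StringObject name = vaList.getObjectArg(0);
                assert name != null;
                return new SystemService(vm, name.getValue());
            }
            case "java/lang/String->toString()Ljava/lang/String;":
                return dvmObject;
            case "java/lang/Class->getName()Ljava/lang/String;":
                return new StringObject(vm, ((DvmClass) dvmObject).getName());
            case "android/view/accessibility/AccessibilityManager->getEnabledAccessibilityServiceList(I)Ljava/util/List;":
                // Report no accessibility services; presumably queried as an environment check.
                return new ArrayListObject(vm, Collections.<DvmObject<?>>emptyList());
            case "java/util/Enumeration->nextElement()Ljava/lang/Object;":
                return ((Enumeration) dvmObject).nextElement();
            case "java/util/Locale->getLanguage()Ljava/lang/String;": {
                Locale locale = (Locale) dvmObject.getValue();
                return new StringObject(vm, locale.getLanguage());
            }
            case "java/util/Locale->getCountry()Ljava/lang/String;": {
                Locale locale = (Locale) dvmObject.getValue();
                return new StringObject(vm, locale.getCountry());
            }
            case "android/os/IServiceManager->getService(Ljava/lang/String;)Landroid/os/IBinder;": {
                ServiceManager serviceManager = (ServiceManager) dvmObject;
                StringObject name = vaList.getObjectArg(0);
                assert name != null;
                return serviceManager.getService(vm, name.getValue());
            }
            case "java/io/File->getAbsolutePath()Ljava/lang/String;": {
                File file = (File) dvmObject.getValue();
                return new StringObject(vm, file.getAbsolutePath());
            }
            case "android/app/Application->getPackageManager()Landroid/content/pm/PackageManager;":
            case "android/content/ContextWrapper->getPackageManager()Landroid/content/pm/PackageManager;":
            case "android/content/Context->getPackageManager()Landroid/content/pm/PackageManager;":
                return vm.resolveClass("android/content/pm/PackageManager").newObject(signature);
            case "android/content/pm/PackageManager->getPackageInfo(Ljava/lang/String;I)Landroid/content/pm/PackageInfo;": {
                StringObject packageName = vaList.getObjectArg(0);
                assert packageName != null;
                int flags = vaList.getIntArg(1);
                if (log.isDebugEnabled()) {
                    log.debug("getPackageInfo packageName=" + packageName.getValue() + ", flags=0x" + Integer.toHexString(flags));
                }
                // Backed by the APK the VM was created from, so the signatures the so reads are genuine.
                return new PackageInfo(vm, packageName.getValue(), flags);
            }
            case "android/app/Application->getPackageName()Ljava/lang/String;":
            case "android/content/ContextWrapper->getPackageName()Ljava/lang/String;":
            case "android/content/Context->getPackageName()Ljava/lang/String;": {
                String packageName = vm.getPackageName();
                if (packageName != null) {
                    return new StringObject(vm, packageName);
                }
                break;
            }
            case "android/content/pm/Signature->toByteArray()[B":
                if (dvmObject instanceof Signature) {
                    return new ByteArray(vm, ((Signature) dvmObject).toByteArray());
                }
                break;
            case "android/content/pm/Signature->toCharsString()Ljava/lang/String;":
                if (dvmObject instanceof Signature) {
                    return new StringObject(vm, ((Signature) dvmObject).toCharsString());
                }
                break;
            case "java/lang/String->getBytes()[B": {
                // Android's default charset is UTF-8; the host JVM's may not be (e.g. GBK on a
                // Chinese-locale Windows host), and the body contains non-ASCII text. Encoding with
                // the host default would feed different bytes into the sign than a real device does.
                String str = (String) dvmObject.getValue();
                try {
                    return new ByteArray(vm, str.getBytes("UTF-8"));
                } catch (UnsupportedEncodingException e) {
                    throw new IllegalStateException(e);
                }
            }
            case "java/lang/String->getBytes(Ljava/lang/String;)[B": {
                String str = (String) dvmObject.getValue();
                StringObject charsetName = vaList.getObjectArg(0);
                assert charsetName != null;
                try {
                    return new ByteArray(vm, str.getBytes(charsetName.getValue()));
                } catch (UnsupportedEncodingException e) {
                    throw new IllegalStateException(e);
                }
            }
            case "java/lang/Integer->toString()Ljava/lang/String;": {
                Integer boxed = (Integer) dvmObject.getValue();
                return new StringObject(vm, Integer.toString(boxed));
            }
            case "java/lang/StringBuffer->toString()Ljava/lang/String;": {
                StringBuffer sb = (StringBuffer) dvmObject.getValue();
                return new StringObject(vm, sb.toString());
            }
            case "java/lang/StringBuffer->append(Ljava/lang/String;)Ljava/lang/StringBuffer;": {
                StringBuffer sb = (StringBuffer) dvmObject.getValue();
                StringObject piece = vaList.getObjectArg(0);
                assert piece != null;
                return vm.resolveClass("java/lang/StringBuffer").newObject(sb.append(piece.getValue()));
            }
            case "java/security/cert/CertificateFactory->generateCertificate(Ljava/io/InputStream;)Ljava/security/cert/Certificate;": {
                CertificateFactory factory = (CertificateFactory) dvmObject.getValue();
                DvmObject<?> stream = vaList.getObjectArg(0);
                assert stream != null;
                InputStream inputStream = (InputStream) stream.getValue();
                try {
                    return vm.resolveClass("java/security/cert/Certificate").newObject(factory.generateCertificate(inputStream));
                } catch (CertificateException e) {
                    throw new IllegalStateException(e);
                }
            }
            case "java/security/cert/Certificate->getEncoded()[B": {
                Certificate certificate = (Certificate) dvmObject.getValue();
                try {
                    return new ByteArray(vm, certificate.getEncoded());
                } catch (CertificateEncodingException e) {
                    throw new IllegalStateException(e);
                }
            }
            case "java/security/MessageDigest->digest([B)[B": {
                MessageDigest messageDigest = (MessageDigest) dvmObject.getValue();
                ByteArray input = vaList.getObjectArg(0);
                assert input != null;
                return new ByteArray(vm, messageDigest.digest(input.getValue()));
            }
            case "java/util/ArrayList->remove(I)Ljava/lang/Object;": {
                ArrayListObject list = (ArrayListObject) dvmObject;
                return list.getValue().remove(vaList.getIntArg(0));
            }
            case "java/util/List->get(I)Ljava/lang/Object;": {
                List<?> list = (List<?>) dvmObject.getValue();
                return (DvmObject<?>) list.get(vaList.getIntArg(0));
            }
            case "java/util/Map->entrySet()Ljava/util/Set;": {
                Map<?, ?> map = (Map<?, ?>) dvmObject.getValue();
                return vm.resolveClass("java/util/Set").newObject(map.entrySet());
            }
            case "java/util/Set->iterator()Ljava/util/Iterator;": {
                Set<?> set = (Set<?>) dvmObject.getValue();
                return vm.resolveClass("java/util/Iterator").newObject(set.iterator());
            }
            default:
                break;
        }
        return super.callObjectMethodV(vm, dvmObject, signature, vaList);
    }
}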

三、打包成jar,方便其它程序调用

IDEA 找到 File → Project Structure …​ 然后选择 Artifacts, 点加号 Add 
如图配置,勾上 Include tests

点击ok后
Build → Build Artifacts进行编译
编译成功后会生成很多jar文件

在控制台测试运行下
 java -jar unidbg-master.jar

运行出了结果,证明打包的没问题

四、进行python调用打包的jar包

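# coding:utf-8
"""Calls the packaged unidbg jar through JPype to obtain the JD "sign" parameter and
replays the captured wareBusiness request with it.

The sign is computed by the emulated so over the request body, so the body handed to
the jar and the body placed in the POST form must be byte-identical.
"""
import requests, urllib.parse, subprocess
import chardet, jpype, os

headers = {
    "Host": "api.m.jd.com",
    "charset": "UTF-8",
    "cache-control": "no-cache",
    "content-type": "application/x-www-form-urlencoded; charset=UTF-8",
    "user-agent": "okhttp/3.12.1"
}
cookies = {}

url = "https://api.m.jd.com/client.action"
# Query parameters of the captured request; "xxx" are placeholders for device identifiers.
params = {
    "functionId": "wareBusiness",
    "clientVersion": "9.2.2",
    "build": "85371",
    "client": "android",
    "d_brand": "360",
    "d_model": "1605-A01",
    "osVersion": "6.0.1",
    "screen": "1920*1080",
    "partner": "ks012",
    "aid": "xxx",
    "oaid": "",
    "eid": "xxx",
    "sdkVersion": "23",
    "lang": "zh_CN",
    "uuid": "xxx",
    "area": "24_2144_2149_21104",
    "networkType": "wifi",
    "wifiBssid": "xxx",
    # st / sign / sv come back from the jar and are appended to the query string below.
    # "st": "1665562015795",
    # "sign": "45a7dc3f547be113a6a4dfa942e190c6",
    # "sv": "111"
}

# Request body the sign is computed over (braces restored: the published listing had lost
# every { and }). The jar must sign exactly this string; if the Java side ignores its
# arguments and signs a hard-coded body instead, the sign will not match what is POSTed.
body = '''{"abTest800":true,"avoidLive":false,"brand":"360","cityId":2144,"darkModelEnum":3,"districtId":24463,"eventId":"Searchlist_Productid","fromType":0,"isDesCbc":true,"latitude":"","lego":true,"longitude":"","model":"1605-A01","ocrFlag":false,"pluginVersion":90220,"plusClickCount":0,"plusLandedFatigue":0,"provinceId":"24","skuId":"10024083045618","source_type":"search","source_value":"鼠标垫小号","townId":51707,"uAddrId":"0"}'''
data = {
    "lmt": "0",
    "body": body,
    "": ""   # kept from the captured request; presumably an artefact of the client's form encoder
}

jvm_path = jpype.getDefaultJVMPath()
jar_path = 'unidbg_master_jar2/unidbg-master.jar'   # jar built in section 3
jpype.startJVM(jvm_path, "-ea", "-Djava.class.path=" + jar_path)
try:
    # The listing above defines com.kdd.test.jd_main; the published script named a different
    # class (runliudq) — use whatever class the jar actually contains.
    JDClass = jpype.JClass("com.kdd.test.jd_main")
    jd = JDClass()
    # Returned as a Java string; convert while the JVM is still up.
    signature = str(jd.runJni(["wareBusiness", body, "uuid", "android", "9.2.2"]))

    # The jar's return value is appended verbatim, i.e. it is expected to already be a
    # "st=...&sign=...&sv=..." query fragment.
    url = url + "?" + urllib.parse.urlencode(params) + "&" + signature
    print(url)
    # Explicit timeout: requests has none by default and would hang forever on a stalled server.
    response = requests.post(url, headers=headers, cookies=cookies, data=data, timeout=30)

    print(response.text)
    print(response)
finally:
    jpype.shutdownJVM()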

 成功跑出结果

总结

这个案例网上有很多,适合入门哈哈
