首页 > 基础资料 博客日记

unicornHook原生hook

2023-07-24 18:04:29基础资料围观298

这篇文章介绍了unicornHook原生hook,分享给大家做个参考,收藏Java资料网收获更多编程知识

都知道unidbg是基于unicorn开发的;

hook_add_new 第一个参数是Hook回调,我们这里选择CodeHook,它是逐条Hook,参数2是起始地址,参数3是结束地址,参数4一般填null。这意味着从起始地址到终止地址这个范围内的每条指令,我们都可以在其执行前处理它。
这一点的优点我很喜欢

package com.hookInUnidbg;

import com.github.unidbg.AndroidEmulator;
import com.github.unidbg.Emulator;
import com.github.unidbg.Module;
import com.github.unidbg.arm.backend.Backend;
import com.github.unidbg.arm.backend.UnHook;
import com.github.unidbg.arm.context.RegisterContext;
import com.github.unidbg.debugger.BreakPointCallback;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.linux.android.dvm.*;
import com.github.unidbg.memory.Memory;
import com.github.unidbg.utils.Inspector;
import keystone.Keystone;
import keystone.KeystoneArchitecture;
import keystone.KeystoneEncoded;
import keystone.KeystoneMode;
import unicorn.ArmConst;
import com.github.unidbg.arm.backend.CodeHook;
import unicorn.Unicorn;

import java.io.File;

public class crackDemo {
    private final AndroidEmulator emulator;
    private final VM vm;
    private final Module module;

    crackDemo() {

        // 创建模拟器实例
        emulator = AndroidEmulatorBuilder.for32Bit().build();

        // 模拟器的内存操作接口
        final Memory memory = emulator.getMemory();
        // 设置系统类库解析
        memory.setLibraryResolver(new AndroidResolver(23));
        // 创建Android虚拟机
        vm = emulator.createDalvikVM(new File("unidbg-android/src/test/java/com/hookInUnidbg/app-debug.apk"));


        // 加载so到虚拟内存
        DalvikModule dm = vm.loadLibrary("hookinunidbg", true);
        // 加载好的 libhookinunidbg.so对应为一个模块
        module = dm.getModule();

        // debug
//        emulator.attach().addBreakPoint(module.findSymbolByName("base64_encode").getAddress());

        // 执行JNIOnLoad(如果有的话)
        dm.callJNI_OnLoad(emulator);
    }


    public void unicornHook(){
        emulator.getBackend().hook_add_new(new CodeHook() {
            final RegisterContext registerContext = emulator.getContext();

            @Override // com.github.unidbg.arm.backend.Detachable
            public void hook(Backend backend, long address, int size, Object user) {
                if(address == module.base + 0x8A0){
                    int r0 = registerContext.getIntByReg(ArmConst.UC_ARM_REG_R0);
                    System.out.println("0x8A0 r0:"+Integer.toHexString(r0));
                }
                if(address == module.base + 0x8A2){
                    int r2 = registerContext.getIntByReg(ArmConst.UC_ARM_REG_R2);
                    System.out.println("0x8A2 r2:"+Integer.toHexString(r2));
                }
                if(address == module.base + 0x8A4){

                    int r4 = registerContext.getIntByReg(ArmConst.UC_ARM_REG_R4);
                    System.out.println("0x8A4 r4:"+Integer.toHexString(r4));
                }
            }

            @Override // com.github.unidbg.arm.backend.Detachable
            public void onAttach(UnHook unHook) {
            }

            @Override // com.github.unidbg.arm.backend.Detachable
            public void detach() {
            }
        }, module.base + 0x8A0, module.base + 0x8C2, null);
    }



    public void hook(){

        int patchCode = 0x4FF00000; // movs r0,0
        emulator.getMemory().pointer(module.base + 0x8CA).setInt(0,patchCode);

//        try (Keystone keystone = new Keystone(KeystoneArchitecture.Arm, KeystoneMode.ArmThumb)) {
//            KeystoneEncoded encoded = keystone.assemble("mov r0,0");
//            byte[] patchCode = encoded.getMachineCode();
//            emulator.getMemory().pointer(module.base + 0x8CA).write(0, patchCode, 0, patchCode.length);
//        }

//        emulator.attach().addBreakPoint(module, 0x8CA, new BreakPointCallback() {
//            RegisterContext registerContext = emulator.getContext();
//            @Override
//            public boolean onHit(Emulator<?> emulator, long address) {
//                System.out.println("nop这里的调用");
//                emulator.getBackend().reg_write(ArmConst.UC_ARM_REG_PC, registerContext.getPCPointer().peer + 4 + 1);
//                emulator.getBackend().reg_write(ArmConst.UC_ARM_REG_R0, 0);
//                return true;
//            }
//        });



    }


    public void call(){
        DvmClass dvmClass = vm.resolveClass("com/example/hookinunidbg/MainActivity");
        String methodSign = "call()V";
        DvmObject<?> dvmObject = dvmClass.newObject(null);

        dvmObject.callJniMethodObject(emulator, methodSign);
    }


    public static void main(String[] args) {
        crackDemo mydemo = new crackDemo();
        mydemo.hook();
        mydemo.call();
    }
}

文章来源:https://blog.csdn.net/weixin_38927522/article/details/128224931
本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若内容造成侵权/违法违规/事实不符,请联系邮箱:jacktools123@163.com进行投诉反馈,一经查实,立即删除!

标签:

上一篇:eclipse下载与安装(汉化教程)超详细
下一篇:Java程序调用Linux的shell脚本出现No such file or directory

相关文章

最新发布

点击排行

本站推荐

标签云