在 Android逆向之ARM64靜態(tài)分析 對(duì)ARM64匯編進(jìn)行了介紹，網(wǎng)傳ARMV9要出來了，難道又要重新學(xué)習(xí)ARMV9? 在Frida高級(jí)篇-免ROOT使用Frida(不修改源代碼) 中對(duì)elf文件進(jìn)行了介紹，本文使用unidbg模擬執(zhí)行so來分析native方法。首先來介紹Unicorn。

Unicorn

Unicorn is a lightweight multi-platform, multi-architecture CPU emulator framework.

本文使用無名俠大神使用的Unicorn入門教程來看看Unicorn是怎么模擬CPU的。

1. from unicorn import *

2. from unicorn.arm_const import *

3. from capstone import *

4. 
   

5. ARM_CODE = b"\x37\x00\xa0\xe3\x03\x10\x42\xe0"

6. 
   

7. # Disassemble ARM32 binary

8. md = Cs(CS_ARCH_ARM, CS_MODE_ARM)

9. for i in md.disasm(ARM_CODE, 0x1000):

10. print("0x%x:\t%s\t%s" %(i.address, i.mnemonic, i.op_str))

11. 
    

12. 
    

13. # mov r0, #0x37;

14. # sub r1, r2, r3

15. # Test ARM

16. 
    

17. # callback for tracing instructions

18. def hook_code(uc, address, size, user_data):

19. print(">>> Tracing instruction at 0x%x, instruction size = 0x%x" % (address, size))

20. 
    

21. def test_arm():

22. print("Emulate ARM code")

23. try:

24. # Initialize emulator in ARM mode

25. ? ? ? ?mu = Uc(UC_ARCH_ARM, UC_MODE_THUMB)

26. 
    

27. # map 2MB memory for this emulation

28. ? ? ? ?ADDRESS = 0x10000

29. ? ? ? ?mu.mem_map(ADDRESS, 2 * 0x10000)

30. ? ? ? ?mu.mem_write(ADDRESS, ARM_CODE)

31. 
    

32. ? ? ? ?mu.reg_write(UC_ARM_REG_R0, 0x1234)

33. ? ? ? ?mu.reg_write(UC_ARM_REG_R2, 0x6789)

34. ? ? ? ?mu.reg_write(UC_ARM_REG_R3, 0x3333)

35. 
    

36. ? ? ? ?mu.hook_add(UC_HOOK_CODE, hook_code, begin=ADDRESS, end=ADDRESS+8)

37. # emulate machine code in infinite time

38. ? ? ? ?mu.emu_start(ADDRESS, ADDRESS + len(ARM_CODE))

39. ? ? ? ?r0 = mu.reg_read(UC_ARM_REG_R0)

40. ? ? ? ?r1 = mu.reg_read(UC_ARM_REG_R1)

41. print(">>> R0 = 0x%x" % r0)

42. print(">>> R1 = 0x%x" % r1)

43. except UcError as e:

44. print("ERROR: %s" % e)

45. 
    

46. 
    

47. test_arm()

運(yùn)行結(jié)果:

添加指令級(jí)的Hook

這個(gè)有點(diǎn)像單步調(diào)試的感覺。

1. mu.hook_add(UC_HOOK_CODE, hook_code, begin=ADDRESS, end=ADDRESS)

在begin...end范圍內(nèi)的每一條指令被執(zhí)行前都會(huì)調(diào)用callback。

讓我們來看看hook_code 的實(shí)現(xiàn)吧

1. # callback for tracing instructions

2. def hook_code(uc, address, size, user_data):

3. print(">>> Tracing instruction at 0x%x, instruction size = 0x%x" %(address, size))

這段代碼僅打印指令執(zhí)行的地址和長度信息。 實(shí)際應(yīng)用中可配合capstone反匯編引擎玩一些更騷的操作。

UCHOOKCODE的callback中可以修改PC或EIP等寄存器來改變程序運(yùn)行流程。實(shí)際上，Unicorn調(diào)試器的單步調(diào)試就是以這個(gè)為基礎(chǔ)實(shí)現(xiàn)的。

Unidbg

Allows you to emulate an Android native library, and an experimental iOS emulation.

下載代碼: https://github.com/zhkl0228/unidbg/releases/tag/v0.9.3，使用IntelliJ IDEA打開工程即可。

運(yùn)行代碼: com/bytedance/frameworks/core/encrypt/TTEncrypt.java, 出現(xiàn)下面的信息說明運(yùn)行成功。

代碼分析

入口點(diǎn):

1. public static void main(String[] args) throws Exception {

2. TTEncrypt test = new TTEncrypt(true);

3. 
   

4. byte[] data = test.ttEncrypt();

5. Inspector.inspect(data, "ttEncrypt");

6. 
   

7. ? ? test.destroy();

8. }

第一步： 補(bǔ)環(huán)境 跟蹤TTEncrypt函數(shù),注釋寫的很清楚了，不做過多分析?；咎茁范际沁@個(gè)樣子。

1. TTEncrypt(boolean logging) {

2. this.logging = logging;

3. 
   

4. ? ? ? ?emulator = AndroidEmulatorBuilder.for32Bit().setProcessName("com.qidian.dldl.official").build(); // 創(chuàng)建模擬器實(shí)例，要模擬32位或者64位，在這里區(qū)分

5. final Memory memory = emulator.getMemory(); // 模擬器的內(nèi)存操作接口

6. ? ? ? ?memory.setLibraryResolver(new AndroidResolver(23)); // 設(shè)置系統(tǒng)類庫解析

7. 
   

8. ? ? ? ?vm = emulator.createDalvikVM(null); // 創(chuàng)建Android虛擬機(jī)

9. ? ? ? ?vm.setVerbose(logging); // 設(shè)置是否打印Jni調(diào)用細(xì)節(jié)

10. DalvikModule dm = vm.loadLibrary(new File("unidbg-android/src/test/resources/example_binaries/libttEncrypt.so"), false); // 加載libttEncrypt.so到unicorn虛擬內(nèi)存，加載成功以后會(huì)默認(rèn)調(diào)用init_array等函數(shù)

11. ? ? ? ?dm.callJNI_OnLoad(emulator); // 手動(dòng)執(zhí)行JNI_OnLoad函數(shù)

12. ? ? ? ?module = dm.getModule(); // 加載好的libttEncrypt.so對(duì)應(yīng)為一個(gè)模塊

13. 
    

14. TTEncryptUtils = vm.resolveClass("com/bytedance/frameworks/core/encrypt/TTEncryptUtils");

15. }

第二步： HOOK相關(guān)的函數(shù) 跟蹤ttEncrypt，可知代碼hook了ssencrypt和ssencrypted_size兩個(gè)函數(shù)。

1. byte[] ttEncrypt() {

2. if (logging) {

3. Symbol sbox0 = module.findSymbolByName("sbox0"); // 在libttEncrypt.so模塊中查找sbox0導(dǎo)出符號(hào)

4. Symbol sbox1 = module.findSymbolByName("sbox1");

5. Inspector.inspect(sbox0.createPointer(emulator).getByteArray(0, 256), "sbox0"); // 打印sbox0導(dǎo)出符號(hào)在unicorn中的內(nèi)存數(shù)據(jù)

6. Inspector.inspect(sbox1.createPointer(emulator).getByteArray(0, 256), "sbox1");

7. 
   

8. IHookZz hookZz = HookZz.getInstance(emulator); // 加載HookZz，支持inline hook，文檔看https://github.com/jmpews/HookZz

9. ? ? ? ? ? ?hookZz.enable_arm_arm64_b_branch(); // 測(cè)試enable_arm_arm64_b_branch，可有可無

10. ? ? ? ? ? ?hookZz.wrap(module.findSymbolByName("ss_encrypt"), new WrapCallback<RegisterContext>() { // inline wrap導(dǎo)出函數(shù)

11. @Override

12. public void preCall(Emulator<?> emulator, RegisterContext ctx, HookEntryInfo info) {

13. Pointer pointer = ctx.getPointerArg(2);

14. int length = ctx.getIntArg(3);

15. byte[] key = pointer.getByteArray(0, length);

16. Inspector.inspect(key, "ss_encrypt key");

17. }

18. @Override

19. public void postCall(Emulator<?> emulator, RegisterContext ctx, HookEntryInfo info) {

20. System.out.println("ss_encrypt.postCall R0=" + ctx.getLongArg(0));

21. }

22. });

23. ? ? ? ? ? ?hookZz.disable_arm_arm64_b_branch();

24. ? ? ? ? ? ?hookZz.instrument(module.base + 0x00000F5C + 1, new InstrumentCallback<Arm32RegisterContext>() {

25. @Override

26. public void dbiCall(Emulator<?> emulator, Arm32RegisterContext ctx, HookEntryInfo info) { // 通過base+offset inline wrap內(nèi)部函數(shù)，在IDA看到為sub_xxx那些

27. System.out.println("R3=" + ctx.getLongArg(3) + ", R10=0x" + Long.toHexString(ctx.getR10Long()));

28. }

29. });

30. 
    

31. Dobby dobby = Dobby.getInstance(emulator);

32. ? ? ? ? ? ?dobby.replace(module.findSymbolByName("ss_encrypted_size"), new ReplaceCallback() { // 使用Dobby inline hook導(dǎo)出函數(shù)

33. @Override

34. public HookStatus onCall(Emulator<?> emulator, HookContext context, long originFunction) {

35. System.out.println("ss_encrypted_size.onCall arg0=" + context.getIntArg(0) + ", originFunction=0x" + Long.toHexString(originFunction));

36. return HookStatus.RET(emulator, originFunction);

37. }

38. @Override

39. public void postCall(Emulator<?> emulator, HookContext context) {

40. System.out.println("ss_encrypted_size.postCall ret=" + context.getIntArg(0));

41. }

42. }, true);

43. 
    

44. IxHook xHook = XHookImpl.getInstance(emulator); // 加載xHook，支持Import hook，文檔看https://github.com/iqiyi/xHook

45. ? ? ? ? ? ?xHook.register("libttEncrypt.so", "strlen", new ReplaceCallback() { // hook libttEncrypt.so的導(dǎo)入函數(shù)strlen

46. @Override

47. public HookStatus onCall(Emulator<?> emulator, HookContext context, long originFunction) {

48. Pointer pointer = context.getPointerArg(0);

49. String str = pointer.getString(0);

50. System.out.println("strlen=" + str);

51. ? ? ? ? ? ? ? ? ? ?context.push(str);

52. return HookStatus.RET(emulator, originFunction);

53. }

54. @Override

55. public void postCall(Emulator<?> emulator, HookContext context) {

56. System.out.println("strlen=" + context.pop() + ", ret=" + context.getIntArg(0));

57. }

58. }, true);

59. ? ? ? ? ? ?xHook.register("libttEncrypt.so", "memmove", new ReplaceCallback() {

60. @Override

61. public HookStatus onCall(Emulator<?> emulator, long originFunction) {

62. RegisterContext context = emulator.getContext();

63. Pointer dest = context.getPointerArg(0);

64. Pointer src = context.getPointerArg(1);

65. int length = context.getIntArg(2);

66. Inspector.inspect(src.getByteArray(0, length), "memmove dest=" + dest);

67. return HookStatus.RET(emulator, originFunction);

68. }

69. });

70. ? ? ? ? ? ?xHook.register("libttEncrypt.so", "memcpy", new ReplaceCallback() {

71. @Override

72. public HookStatus onCall(Emulator<?> emulator, long originFunction) {

73. RegisterContext context = emulator.getContext();

74. Pointer dest = context.getPointerArg(0);

75. Pointer src = context.getPointerArg(1);

76. int length = context.getIntArg(2);

77. Inspector.inspect(src.getByteArray(0, length), "memcpy dest=" + dest);

78. return HookStatus.RET(emulator, originFunction);

79. }

80. });

81. ? ? ? ? ? ?xHook.refresh(); // 使Import hook生效

82. }

第三步： 添加調(diào)試及主動(dòng)調(diào)用

1. if (logging) {

2. Debugger debugger = emulator.attach(DebuggerType.ANDROID_SERVER_V7); // 附加IDA android_server，可輸入c命令取消附加繼續(xù)運(yùn)行

3. }

4. byte[] data = new byte[16];

5. ByteArray array = TTEncryptUtils.callStaticJniMethodObject(emulator, "ttEncrypt([BI)[B", new ByteArray(vm, data), data.length); // 執(zhí)行Jni方法

6. return array.getValue();

7. }

第四步： 銷毀環(huán)境

跟蹤destroy

1. void destroy() throws IOException {

2. ? ? ?emulator.close();

3. if (logging) {

4. System.out.println("destroy");

5. }

6. }

運(yùn)行結(jié)果

這個(gè)時(shí)候按c，繼續(xù)，可以看到hook的結(jié)果以及JNI調(diào)用細(xì)節(jié)。

單步調(diào)試

ida_server的Debug方式相對(duì)簡單，對(duì)于unidbg的強(qiáng)大之一在于它的單步調(diào)試-- Console Debugger

寫在最后

作者的例子是以抖音作為例子的，還是很不錯(cuò)的。注釋都寫的比較清楚了。unidbg單步調(diào)試做的很棒，這個(gè)彌補(bǔ)了frida調(diào)試能力比較弱的缺點(diǎn)。

公眾號(hào)

更多內(nèi)容，歡迎關(guān)注我的微信公眾號(hào): 無情劍客。