寫在最前面

本文章依舊只介紹使用，逆向分析的具體過程不記錄。詳情請關注 逆向lin狗 的公眾號

HookZz

使用ida打開so層分析，有處時間的方法。為了方便調試，要將時間固定，以便分析。

image.png

• hook gettimeofday 代碼如下

    public void fixedTime() {
        HookZz instance = HookZz.getInstance(emulator);
        instance.wrap(module.findSymbolByName("gettimeofday"), new WrapCallback<HookZzArm32RegisterContext>() {
            UnidbgPointer tv = null;  // 初始化Pointer指針

            @Override  // hook前
            public void preCall(Emulator<?> emulator, HookZzArm32RegisterContext ctx, HookEntryInfo info) {
                tv = ctx.getPointerArg(0);  // 將指針賦值給tv
            }

            @Override // hook后
            public void postCall(Emulator<?> emulator, HookZzArm32RegisterContext ctx, HookEntryInfo info) {
                if (tv != null) {
                    byte[] before = tv.getByteArray(0, 12);
                    Inspector.inspect(before, "gettimeofday tv");
                }
                System.out.println("====++++====");
                // 固定時間
                long currentTimeMillis = 1668083944037L;
                long tv_sec = currentTimeMillis / 1000;
                long tv_usec = (currentTimeMillis % 1000) * 1000;
                System.out.println("=======");
                System.out.println(currentTimeMillis);
                System.out.println(tv_sec);
                System.out.println(tv_usec);
                // 創建TimeVal32時間對象，并傳入指針
                TimeVal32 TimeVal = new TimeVal32(tv);
                TimeVal.tv_sec = (int) tv_sec;
                TimeVal.tv_usec = (int) tv_usec;
                TimeVal.pack();  // 替換
            }
        });
    }

image.png

image.png

時間已經固定

hook 0x10E18

    public void hook_sub_10E18(){
        HookZz instance = HookZz.getInstance(emulator);
        // 此so是32位的，所以地址要+1，64位的不需要+1
        instance.wrap(module.base + 0x10E18 +1, new WrapCallback<HookZzArm32RegisterContext>() {

            @Override  
            public void preCall(Emulator<?> emulator, HookZzArm32RegisterContext ctx, HookEntryInfo info) {
                System.out.println("+++++10E18++++");
                UnidbgPointer arg0 = ctx.getPointerArg(0);
                int arg1 = ctx.getIntArg(1); 
                UnidbgPointer arg2 = ctx.getPointerArg(2);
                int arg3 = ctx.getIntArg(3);
                System.out.println("arg0: "+new String(arg0.getByteArray(0, 32)));
                System.out.println("arg1: " + arg1);
                System.out.println("arg2:  "+new String(arg2.getByteArray(0, arg3)));
                System.out.println("arg3:  " + arg3);
            }

            @Override
            public void postCall(Emulator<?> emulator, HookZzArm32RegisterContext ctx, HookEntryInfo info) {
            }
        });
    }

image.png

Debug 調試

• unidgb 3種調試模式
  源碼寫得很清楚了，分別是 CONSOLE、GDB_SERVER、ANDROID_SERVER_V7

package com.github.unidbg.debugger;
public enum  DebuggerType {
    /**
     * console debugger
     */
    CONSOLE,
    /**
     * gdb server
     */
    GDB_SERVER,
    /**
     * ida android server v7.x
     */
    ANDROID_SERVER_V7
}

• 開啟調試模式

    Debugger attach = emulator.attach(DebuggerType.CONSOLE);
    attach.addBreakPoint(module.base + 0x10EA4, new BreakPointCallback() {
            @Override
            public boolean onHit(Emulator<?> emulator, long address) {
                return false;  // 為true是，是不會斷住的，只有為false才會斷住
            }
        });

• 調試方法
  運行得時候，就會自動斷點了，控制臺模式最重要得是知道命令：（在控制臺輸入錯誤命令 unidbg會有提示的）

c: continue
n: step over
bt: back trace

st hex: search stack
shw hex: search writable heap
shr hex: search readable heap
shx hex: search executable heap

nb: break at next block
s|si: step into
s[decimal]: execute specified amount instruction
s(blx): execute util BLX mnemonic, low performance

m(op) [size]: show memory, default size is 0x70, size may hex or decimal
mr0-mr7, mfp, mip, msp [size]: show memory of specified register
m(address) [size]: show memory of specified address, address must start with 0x

wr0-wr7, wfp, wip, wsp <value>: write specified register
wb(address), ws(address), wi(address) <value>: write (byte, short, integer) memory of specified address, address must start with 0x
wx(address) <hex>: write bytes to memory at specified address, address must start with 0x

b(address): add temporarily breakpoint, address must start with 0x, can be module offset
b: add breakpoint of register PC
r: remove breakpoint of register PC
blr: add temporarily breakpoint of register LR

p (assembly): patch assembly at PC address
where: show java stack trace

trace [begin end]: Set trace instructions
traceRead [begin end]: Set trace memory read
traceWrite [begin end]: Set trace memory write
vm: view loaded modules
vbs: view breakpoints
d|dis: show disassemble
d(0x): show disassemble at specify address
stop: stop emulation
run [arg]: run test
gc: Run System.gc()
threads: show thread list
cc size: convert asm from 0x40010ea4 - 0x40010ea4 + size bytes to c function

• 常用的命令介紹
  c - F8 （上一步）
  n - F9 （下一步）
  d - Varibles 窗口

d

image.png

m 指令

• mr0

  
  
  image.png

• msp

  
  
  image.png

• m+地址 [長度]

  
  
  image.png