unidbg: HookZz and Debugging

Preface

As before, this article only covers usage; the actual reverse-engineering process is not recorded here. For details, follow the public account 逆向lin狗.

HookZz

Open the .so in IDA for analysis: there is a function that reads the current time. To make debugging easier, the time should be pinned to a fixed value so that each run can be compared.

  • Code to hook gettimeofday:
    public void fixedTime() {
        HookZz instance = HookZz.getInstance(emulator);
        instance.wrap(module.findSymbolByName("gettimeofday"), new WrapCallback<HookZzArm32RegisterContext>() {
            UnidbgPointer tv = null;  // pointer to the caller's struct timeval, captured in preCall

            @Override  // before the hooked function runs
            public void preCall(Emulator<?> emulator, HookZzArm32RegisterContext ctx, HookEntryInfo info) {
                tv = ctx.getPointerArg(0);  // save the tv pointer (first argument)
            }

            @Override  // after the hooked function returns
            public void postCall(Emulator<?> emulator, HookZzArm32RegisterContext ctx, HookEntryInfo info) {
                if (tv != null) {
                    byte[] before = tv.getByteArray(0, 12);  // dump the bytes libc wrote into tv
                    Inspector.inspect(before, "gettimeofday tv");
                }
                System.out.println("====++++====");
                // fixed timestamp
                long currentTimeMillis = 1668083944037L;
                long tv_sec = currentTimeMillis / 1000;
                long tv_usec = (currentTimeMillis % 1000) * 1000;
                System.out.println("=======");
                System.out.println(currentTimeMillis);
                System.out.println(tv_sec);
                System.out.println(tv_usec);
                // build a TimeVal32 over the same pointer and overwrite the struct
                TimeVal32 TimeVal = new TimeVal32(tv);
                TimeVal.tv_sec = (int) tv_sec;
                TimeVal.tv_usec = (int) tv_usec;
                TimeVal.pack();  // write the fixed values back into memory
            }
        });
    }

The time is now fixed.

Hooking 0x10E18

    public void hook_sub_10E18() {
        HookZz instance = HookZz.getInstance(emulator);
        // this .so is 32-bit (Thumb code), so the address needs +1; 64-bit does not
        instance.wrap(module.base + 0x10E18 + 1, new WrapCallback<HookZzArm32RegisterContext>() {

            @Override
            public void preCall(Emulator<?> emulator, HookZzArm32RegisterContext ctx, HookEntryInfo info) {
                System.out.println("+++++10E18++++");
                UnidbgPointer arg0 = ctx.getPointerArg(0);
                int arg1 = ctx.getIntArg(1);
                UnidbgPointer arg2 = ctx.getPointerArg(2);
                int arg3 = ctx.getIntArg(3);  // arg3 is the length of the buffer arg2 points to
                System.out.println("arg0: " + new String(arg0.getByteArray(0, 32)));
                System.out.println("arg1: " + arg1);
                System.out.println("arg2: " + new String(arg2.getByteArray(0, arg3)));
                System.out.println("arg3: " + arg3);
            }

            @Override
            public void postCall(Emulator<?> emulator, HookZzArm32RegisterContext ctx, HookEntryInfo info) {
            }
        });
    }

Debugging

  • unidbg's three debug modes
    The source code spells them out: CONSOLE, GDB_SERVER and ANDROID_SERVER_V7
package com.github.unidbg.debugger;
public enum DebuggerType {
    /**
     * console debugger
     */
    CONSOLE,
    /**
     * gdb server
     */
    GDB_SERVER,
    /**
     * ida android server v7.x
     */
    ANDROID_SERVER_V7
}

  • Enabling debug mode
    Debugger attach = emulator.attach(DebuggerType.CONSOLE);
    attach.addBreakPoint(module.base + 0x10EA4, new BreakPointCallback() {
        @Override
        public boolean onHit(Emulator<?> emulator, long address) {
            return false;  // returning true does NOT stop at the breakpoint; only false breaks here
        }
    });
  • Debugging
    When the emulator runs it will stop at the breakpoint automatically. In console mode the most important thing is to know the commands (if you type an unknown command, unidbg prints this help):
c: continue
n: step over
bt: back trace

st hex: search stack
shw hex: search writable heap
shr hex: search readable heap
shx hex: search executable heap

nb: break at next block
s|si: step into
s[decimal]: execute specified amount instruction
s(blx): execute util BLX mnemonic, low performance

m(op) [size]: show memory, default size is 0x70, size may hex or decimal
mr0-mr7, mfp, mip, msp [size]: show memory of specified register
m(address) [size]: show memory of specified address, address must start with 0x

wr0-wr7, wfp, wip, wsp <value>: write specified register
wb(address), ws(address), wi(address) <value>: write (byte, short, integer) memory of specified address, address must start with 0x
wx(address) <hex>: write bytes to memory at specified address, address must start with 0x

b(address): add temporarily breakpoint, address must start with 0x, can be module offset
b: add breakpoint of register PC
r: remove breakpoint of register PC
blr: add temporarily breakpoint of register LR

p (assembly): patch assembly at PC address
where: show java stack trace

trace [begin end]: Set trace instructions
traceRead [begin end]: Set trace memory read
traceWrite [begin end]: Set trace memory write
vm: view loaded modules
vbs: view breakpoints
d|dis: show disassemble
d(0x): show disassemble at specify address
stop: stop emulation
run [arg]: run test
gc: Run System.gc()
threads: show thread list
cc size: convert asm from 0x40010ea4 - 0x40010ea4 + size bytes to c function
  • Commonly used commands
    c - F8 (previous step)
    n - F9 (next step)
    d - Variables window
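The breakpoint callback above either stops (false) or lets emulation continue (true), so the same return value can turn a breakpoint into a conditional one. The following is an added example, not code from the original post: it breaks into the console at sub_10E18 only when the length argument is non-zero, reading arguments through emulator.getContext() (the same ABI view the HookZz ctx gives). It assumes the post's emulator and module fields; the log format and the condition are ours.

```java
import com.github.unidbg.Emulator;
import com.github.unidbg.arm.context.RegisterContext;
import com.github.unidbg.debugger.BreakPointCallback;
import com.github.unidbg.debugger.Debugger;
import com.github.unidbg.debugger.DebuggerType;
import com.github.unidbg.pointer.UnidbgPointer;
import com.github.unidbg.utils.Inspector;

// Added example: conditional breakpoint on sub_10E18 (offset taken from the post).
// Assumes `emulator` and `module` are the same fields used by the post's hook methods.
public void conditionalBreak() {
    Debugger attach = emulator.attach(DebuggerType.CONSOLE);
    attach.addBreakPoint(module.base + 0x10E18, new BreakPointCallback() {
        @Override
        public boolean onHit(Emulator<?> emulator, long address) {
            RegisterContext ctx = emulator.getContext();  // r0..r3 as call arguments
            UnidbgPointer arg2 = ctx.getPointerArg(2);    // buffer
            int arg3 = ctx.getIntArg(3);                  // buffer length
            System.out.printf("hit sub_%x (0x%x), arg3=%d%n", address - module.base, address, arg3);
            if (arg3 == 0) {
                return true;   // true: do not stop, keep emulating (only log the call)
            }
            Inspector.inspect(arg2.getByteArray(0, arg3), "arg2 at breakpoint");
            return false;      // false: stop here and show the console; type `c` to resume
        }
    });
}
```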

The m command

  • mr0
  • msp
  • m + address [length]