Allows you to emulate an Android native library, and an experimental iOS emulation

Overview

unidbg

This is an educational project to learn more about the ELF/MachO file format and ARM assembly.

Use it at your own risk!

License

Simple tests under src/test directory

More tests

Features

  • Emulation of the JNI Invocation API so JNI_OnLoad can be called.
  • Supports JavaVM and JNIEnv.
  • Emulation of the syscall instruction.
  • Supports ARM32 and ARM64.
  • Inline hook, thanks to Dobby.
  • Android import hook, thanks to xHook.
  • iOS fishhook, substrate and whale hooks.
  • The unicorn backend supports a simple console debugger, a gdb stub, instruction tracing and memory read/write tracing.
  • Supports the iOS objc and swift runtimes.
  • Supports the dynarmic fast backend.
  • Supports the Apple M1 hypervisor, the fastest ARM64 backend.
  • Supports a Linux KVM backend with Raspberry Pi B4.

Thanks

One-time Donation

We accept donations via WeChatPay:


Stargazers over time


Comments
  • Object... invocation problem

    JNI method: public static native Object native(int param, Object... args);

    Android call: String key = "123"; String val = "test"; int type = 7; String code = ""; native(1, new Object[]{val, key, code})

    How should this be called in unidbg? I have written this far and don't know what to write next: native.callStaticJniMethod(emulator,"native(I[Ljava/lang/Object;)Ljava/lang/Object;",1,??)

    opened by linxiaozhi 45
  • Error when I test Douyin

    When testing Douyin, I hit the following crash log:

    getString pointer=unicorn@0xbfffe22c, size=14, encoding=UTF-8, ret=/system/bin/su
    fstatat64 dirfd=-100, pathname=\system\bin\su, statbuf=unicorn@0xbfffe1c4, flags=0
    [21:42:48 095] WARN [cn.banny.unidbg.linux.ARMSyscallHandler] (ARMSyscallHandler:1446) - fstatat64 dirfd=-100, pathname=\system\bin\su, statbuf=unicorn@0xbfffe1c4, flags=0
    memory failed: address=0x0, size=1, value=0x0, user=null
    unicorn.UnicornException: Invalid memory read (UC_ERR_READ_UNMAPPED)
        at unicorn.Unicorn.emu_start(Native Method)
        at cn.banny.unidbg.AbstractEmulator.emulate(AbstractEmulator.java:237)
        at cn.banny.unidbg.AbstractEmulator.eFunc(AbstractEmulator.java:328)
        at cn.banny.unidbg.arm.AbstractARMEmulator.eFunc(AbstractARMEmulator.java:201)
        at cn.banny.unidbg.linux.LinuxModule.emulateFunction(LinuxModule.java:154)
        at cn.banny.unidbg.linux.android.dvm.DvmClass.callStaticJniMethod(DvmClass.java:141)
        at com.bytedance.frameworks.core.encrypt.cms.sign(cms.java:108)
        at com.bytedance.frameworks.core.encrypt.cms.main(cms.java:96)
    debugger break at: 0x40012a54

    r0=0x0 r1=0x414e1111 r2=0x574598f8, r3=0x0 r4=0xf72315d4 r5=0x18353522 r6=0x574598f7 r7=0xd7977dd5 sb=0x61cad990 sl=0x414e1112 fp=0x1 ip=0x0 sp=0xbfffe160 lr=0x61cad990 pc=0x40012a54
    cpsr: N=0, Z=1, C=1, V=0, T=1, mode=0b10000
    => [ libcms.so] [0x12a55] [ 01 9b ] 0x40012a54: ldr r3, [sp, #4]
    [ libcms.so] [0x12a57] [ 03 93 ] 0x40012a56: str r3, [sp, #0xc]
    [ libcms.so] [0x12a59] [ 03 9b ] 0x40012a58: ldr r3, [sp, #0xc]
    [ libcms.so] [0x12a5b] [ 1b 78 ] 0x40012a5a: ldrb r3, [r3]
    [ libcms.so] [0x12a5d] [ 00 2b ] 0x40012a5c: cmp r3, #0
    [ libcms.so] [0x12a5f] [ 23 46 ] 0x40012a5e: mov r3, r4
    [ libcms.so] [0x12a61] [ 04 bf ] 0x40012a60: itt eq
    [ libcms.so] [0x12a63] [ 43 f2 22 53 ] 0x40012a62: movweq r3, #0x3522
    [ libcms.so] [0x12a67] [ c1 f6 35 03 ] 0x40012a66: movteq r3, #0x1835
    [ libcms.so] [0x12a6b] [ 21 e0 ] 0x40012a6a: b #0x40012ab0

    My test code is as follows:

    package com.bytedance.frameworks.core.encrypt;

    import cn.banny.auxiliary.Inspector;
    import cn.banny.unidbg.LibraryResolver;
    import cn.banny.unidbg.Module;
    import cn.banny.unidbg.arm.ARMEmulator;
    import cn.banny.unidbg.file.FileIO;
    import cn.banny.unidbg.file.IOResolver;
    import cn.banny.unidbg.linux.android.AndroidARMEmulator;
    import cn.banny.unidbg.linux.android.AndroidResolver;
    import cn.banny.unidbg.linux.android.dvm.*;
    import cn.banny.unidbg.linux.android.dvm.api.SystemService;
    import cn.banny.unidbg.linux.file.ByteArrayFileIO;
    import cn.banny.unidbg.linux.file.SimpleFileIO;
    import cn.banny.unidbg.memory.Memory;

    import org.apache.log4j.Level;
    import org.apache.log4j.Logger;

    import java.io.*;
    import java.net.*;

    public class cms extends AbstractJni implements IOResolver {

        private static final int WSG_CODE_OK = 0;

        private static final String APP_PACKAGE_NAME = "com.ss.android.ugc.aweme";

        private final ARMEmulator emulator;
        private final VM vm;
        private final DvmClass cmsDVM;
        private final DvmClass userinfoDVM;
        private final DvmClass tongdunDVM;

        private static final String APK_PATH = "src/test/resources/app/660.apk";

        private final Module module;

        private cms() throws IOException {
            Logger.getLogger("cn.banny.unidbg.AbstractEmulator").setLevel(Level.DEBUG);
            emulator = new AndroidARMEmulator(APP_PACKAGE_NAME);
            emulator.getSyscallHandler().addIOResolver(this);
            System.out.println("== init ===");

            final Memory memory = emulator.getMemory();
            memory.setLibraryResolver(new AndroidResolver(23));
            memory.setCallInitFunction();

            vm = emulator.createDalvikVM(new File(APK_PATH));

            vm.setJni(this);
            DalvikModule dm = vm.loadLibrary("cms", false);

            dm.callJNI_OnLoad(emulator);
            module = dm.getModule();

            cmsDVM = vm.resolveClass("com/ss/sys/ces/a");
            userinfoDVM = vm.resolveClass("com/ss/android/common/applog/UserInfo");
            tongdunDVM = vm.resolveClass("com/ss/sys/secuni/b/c");

            // IHookZz hookZz = HookZz.getInstance(emulator);
            // hookZz.replace(module.base + 0x000733A0 + 1, new ReplaceCallback() {
            //     @Override
            //     public HookStatus onCall(Emulator emulator, long originFunction) {
            //         long currentTimeMillis = System.currentTimeMillis();
            //         EditableArm32RegisterContext context = emulator.getContext();
            //         context.setR1((int) currentTimeMillis);
            //         return HookStatus.LR(emulator, (int) (currentTimeMillis >> 32));
            //     }
            // });

            // emulator.attach().debug(emulator);
        }

        private void destroy() throws IOException {
            emulator.close();
            System.out.println("module=" + module);
            System.out.println("== destroy ===");
        }

        public static void main(String[] args) throws Exception {
            cms test = new cms();
            test.sign();
            test.destroy();
        }

        private void sign() {
            userinfoDVM.callStaticJniMethod(emulator, "setAppId(I)V", 1128);
            Number i = userinfoDVM.callStaticJniMethod(emulator, "initUser(Ljava/lang/String;)I",
                    vm.addLocalObject(new StringObject(vm, "a3668f0afac72ca3f6c1697d29e0e1bb1fef4ab0285319b95ac39fa42c38d05f")));
            System.out.println("initUser ret: " + i.intValue());

            // Number ret = cmsDVM.callStaticJniMethod(emulator, "e([B)[B",
            //         vm.addLocalObject(new ByteArray("888888888".getBytes())));
            DvmObject context = vm.resolveClass("android/content/Context").newObject(null);
            Number ret = tongdunDVM.callStaticJniMethod(emulator, "n0(Landroid/content/Context;)[B", vm.addLocalObject(context));
            long hash = ret.intValue() & 0xffffffffL;
            ByteArray array = vm.getObject(hash);

            Inspector.inspect(array.getValue(), "n0 ret=" + ret + ", offset=" + (System.currentTimeMillis()) + "ms");
            vm.deleteLocalRefs();
        }

        private static final String INSTALL_PATH = "/data/app/com.ss.android.ugc.aweme-1.apk";

        @Override
        public FileIO resolve(File workDir, String pathname, int oflags) {
            System.out.println("pathname: " + pathname);
            //System.out.println("workdir: " + workDir.getAbsolutePath());
            if (("proc/" + emulator.getPid() + "/status").equals(pathname)) {
                return new ByteArrayFileIO(oflags, pathname, "TracerPid:\t0\n".getBytes());
            } else if ("/proc/meminfo".equals(pathname)) {
                return new SimpleFileIO(oflags, new File("src/main/resources/meminfo"), pathname);
            } else if ("/proc/self/status".equals(pathname)) {
                return new ByteArrayFileIO(oflags, pathname, "TracerPid:\t0\n".getBytes());
            }

            return null;
        }

        @Override
        public DvmObject callStaticObjectMethod(BaseVM vm, DvmClass dvmClass, String signature, VarArg varArg) {
            if ("java/lang/System->getProperty(Ljava/lang/String;)Ljava/lang/String;".equals(signature)) {
                StringObject string = varArg.getObject(0);
                return new StringObject(vm, System.getProperty(string.getValue()));
            }

            return super.callStaticObjectMethod(vm, dvmClass, signature, varArg);
        }

        public DvmObject callObjectMethodV(BaseVM vm, DvmObject dvmObject, String signature, VaList vaList) {
            System.out.println("CallObjectMethodV       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~: " + signature);
            if ("Landroid/app/Application->getPackageManager()Landroid/content/pm/PackageManager;".equals(signature)) {
                return vm.resolveClass("Landroid/content/pm/PackageManager;").newObject(null);
            } else if ("java/lang/String->getBytes(Ljava/lang/String;)[B".equals(signature)) {
                StringObject string = (StringObject) dvmObject;
                StringObject encoding = vaList.getObject(0);
                System.err.println("string=" + string.getValue() + ", encoding=" + encoding.getValue());
                try {
                    return new ByteArray(string.getValue().getBytes(encoding.getValue()));
                } catch (UnsupportedEncodingException e) {
                    throw new IllegalStateException(e);
                }
            } else if ("android/content/Context->getFilesDir()Ljava/io/File;".equals(signature)) {
                return vm.resolveClass("Ljava/io/File;").newObject(null);
            } else if ("Ljava/io/File;->getAbsolutePath()Ljava/lang/String;".equals(signature)) {
                return new StringObject(vm, "/data/data/com.ss.android.ugc.aweme/files");
            } else if ("android/telephony/TelephonyManager->getDeviceId()Ljava/lang/String;".equals(signature)) {
                return new StringObject(vm, "123456789123456");
            } else if ("android/content/Context->getContentResolver()Landroid/content/ContentResolver;".equals(signature)) {
                return vm.resolveClass("android/content/ContentResolver").newObject(null);
            } else if ("android/content/ContentResolver->call(Landroid/net/Uri;Ljava/lang/String;Ljava/lang/String;Landroid/os/Bundle;)Landroid/os/Bundle;".equals(signature)) {
                return vm.resolveClass("android/os/Bundle").newObject(null);
            } else if ("android/os/Bundle->getString(Ljava/lang/String;)Ljava/lang/String;".equals(signature)) {
                return new StringObject(vm, "112233448855");
            } else if ("android/content/Context->getPackageManager()Landroid/content/pm/PackageManager;".equals(signature)) {
                return vm.resolveClass("android/content/pm/PackageManager").newObject(null);
            } else if ("android/content/Context->getPackageName()Ljava/lang/String;".equals(signature)) {
                return new StringObject(vm, "com.ss.android.ugc.aweme");
            } else {
                // every other signature is treated as Context->getSystemService(String)
                StringObject serviceName = vaList.getObject(0);
                return new SystemService(vm, serviceName.getValue());
            }
        }

        public int getStaticIntField(BaseVM vm, DvmClass dvmClass, String signature) {
            if ("android/os/Build$VERSION->SDK_INT:I".equals(signature)) {
                return 21;
            }
            return -1;
        }

        public DvmObject getObjectField(BaseVM vm, DvmObject dvmObject, String signature) {
            if ("Landroid/content/pm/ApplicationInfo;->sourceDir:Ljava/lang/String;".equals(signature)) {
                return new StringObject(vm, APK_PATH);
            }
            return null;
        }

        public int callIntMethodV(BaseVM vm, DvmObject dvmObject, String signature, VaList vaList) {
            if ("android/content/Context->checkSelfPermission(Ljava/lang/String;)I".equals(signature)) {
                System.out.println("checkSelfPermission: " + vaList.getObject(0));
                return 0;
            }
            return 0;
        }

        public DvmObject callStaticObjectMethodV(BaseVM vm, DvmClass dvmClass, String signature, VaList vaList) {
            if ("java/security/cert/CertificateFactory->getInstance(Ljava/lang/String;)Ljava/security/cert/CertificateFactory;".equals(signature)) {
                return vm.resolveClass("java/security/cert/CertificateFactory").newObject(null);
            } else if ("java/security/cert/CertificateFactory->generateCertificate(Ljava/io/InputStream;)Ljava/security/cert/Certificate".equals(signature)) {
                return vm.resolveClass("java/security/cert/Certificate").newObject(null);
            } else if ("android/net/Uri->parse(Ljava/lang/String;)Landroid/net/Uri;".equals(signature)) {
                return vm.resolveClass("android/net/Uri").newObject(null);
            }

            return null;
        }

        public boolean callStaticBooleanMethodV(BaseVM vm, DvmClass dvmClass, String signature, VaList vaList) {
            if (signature.equals("android/os/Debug->isDebuggerConnected()Z"))
                return false;
            return false;
        }

        public DvmObject newObjectV(BaseVM vm, DvmClass dvmClass, String signature, VaList vaList) {
            switch (signature) {
                case "java/io/ByteArrayInputStream-><init>([B)V": {
                    return vm.resolveClass("java/io/ByteArrayInputStream").newObject(vaList);
                }
            }
            return null;
        }

        @Override
        public DvmObject callObjectMethod(BaseVM vm, DvmObject dvmObject, String signature, VarArg varArg) {
            System.out.println("signature: " + signature);
            switch (signature) {
                case "android/content/Context->getSharedPreferences(Ljava/lang/String;I)Landroid/content/SharedPreferences;":
                    return vm.resolveClass("android/content/SharedPreferences").newObject(null);
                case "android/content/SharedPreferences->getString(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;": {
                    StringObject name = varArg.getObject(0);
                    StringObject defValue = varArg.getObject(1);
                    System.err.println("android/content/SharedPreferences->getString name=" + name.getValue() + ", defValue=" + defValue.getValue());
                    if ("wsg_conf".equals(name.getValue())) {
                        return new StringObject(vm, "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");
                    }
                    // any other key gets its default value (no fall-through into the next case)
                    return defValue;
                }
                case "android/content/Context->getPackageCodePath()Ljava/lang/String;":
                    return new StringObject(vm, INSTALL_PATH);
                case "android/content/Context->getSystemService(Ljava/lang/String;)Ljava/lang/Object;": {
                    StringObject serviceName = varArg.getObject(0);
                    System.err.println("android/content/Context->getSystemService name=" + serviceName);
                    return new SystemService(vm, serviceName.getValue());
                }
                case "android/telephony/TelephonyManager->getDeviceId()Ljava/lang/String;":
                    return new StringObject(vm, "353490069873368");
                case "java/net/URL->openConnection(Ljava/net/Proxy;)Ljava/net/URLConnection;": {
                    Proxy proxy = (Proxy) varArg.getObject(0).getValue();
                    URL url = (URL) dvmObject.getValue();
                    try {
                        return vm.resolveClass("java/net/HttpURLConnection").newObject(url.openConnection(proxy));
                    } catch (IOException e) {
                        throw new IllegalStateException(e);
                    }
                }
                case "java/net/HttpURLConnection->getOutputStream()Ljava/io/OutputStream;": {
                    HttpURLConnection connection = (HttpURLConnection) dvmObject.getValue();
                    try {
                        return vm.resolveClass("java/io/OutputStream").newObject(connection.getOutputStream());
                    } catch (IOException e) {
                        throw new IllegalStateException(e);
                    }
                }
                case "java/lang/String->getBytes()[B": {
                    String str = (String) dvmObject.getValue();
                    System.err.println("java/lang/String->getBytes str=" + str);
                    return new ByteArray(str.getBytes());
                }
                case "java/net/HttpURLConnection->getInputStream()Ljava/io/InputStream;": {
                    HttpURLConnection connection = (HttpURLConnection) dvmObject.getValue();
                    try {
                        return vm.resolveClass("java/io/InputStream").newObject(connection.getInputStream());
                    } catch (IOException e) {
                        throw new IllegalStateException(e);
                    }
                }
                case "java/io/BufferedReader->readLine()Ljava/lang/String;": {
                    BufferedReader reader = (BufferedReader) dvmObject.getValue();
                    try {
                        String line = reader.readLine();
                        if (line != null) {
                            System.err.println("java/io/BufferedReader->readLine " + line);
                        }
                        return line == null ? null : new StringObject(vm, line);
                    } catch (IOException e) {
                        // propagate instead of falling through into the next case
                        throw new IllegalStateException(e);
                    }
                }
                case "android/content/SharedPreferences->edit()Landroid/content/SharedPreferences$Editor;": {
                    return vm.resolveClass("android/content/SharedPreferences$Editor").newObject(null);
                }
                case "android/content/SharedPreferences$Editor->putString(Ljava/lang/String;Ljava/lang/String;)Landroid/content/SharedPreferences$Editor;": {
                    StringObject name = varArg.getObject(0);
                    StringObject value = varArg.getObject(1);
                    System.err.println("android/content/SharedPreferences$Editor->putString name=" + name.getValue() + ", value=" + value.getValue());
                    return dvmObject;
                }
            }
            return super.callObjectMethod(vm, dvmObject, signature, varArg);
        }

        @Override
        public DvmObject newObject(BaseVM vm, DvmClass dvmClass, String signature, VarArg varArg) {
            System.out.println("signature: " + signature);
            switch (signature) {
                case "java/net/URL-><init>(Ljava/lang/String;)V": {
                    StringObject url = varArg.getObject(0);
                    System.err.println("open URL: " + url.getValue());
                    try {
                        return vm.resolveClass("java/net/URL").newObject(new URL(url.getValue()));
                    } catch (MalformedURLException e) {
                        throw new IllegalStateException(e);
                    }
                }
                case "java/io/InputStreamReader-><init>(Ljava/io/InputStream;)V": {
                    InputStream inputStream = (InputStream) varArg.getObject(0).getValue();
                    return vm.resolveClass("java/io/InputStreamReader").newObject(new InputStreamReader(inputStream));
                }
                case "java/io/BufferedReader-><init>(Ljava/io/Reader;)V": {
                    Reader reader = (Reader) varArg.getObject(0).getValue();
                    return vm.resolveClass("java/io/BufferedReader").newObject(new BufferedReader(reader));
                }
            }

            return super.newObject(vm, dvmClass, signature, varArg);
        }

        @Override
        public DvmObject getStaticObjectField(BaseVM vm, DvmClass dvmClass, String signature) {
            System.out.println("signature: " + signature);
            if ("java/net/Proxy->NO_PROXY:Ljava/net/Proxy;".equals(signature)) {
                return vm.resolveClass("java/net/Proxy").newObject(Proxy.NO_PROXY);
            }

            return super.getStaticObjectField(vm, dvmClass, signature);
        }

        @Override
        public void callVoidMethod(BaseVM vm, DvmObject dvmObject, String signature, VarArg varArg) {
            System.out.println("signature: " + signature);
            switch (signature) {
                case "java/net/HttpURLConnection->setRequestMethod(Ljava/lang/String;)V": {
                    HttpURLConnection connection = (HttpURLConnection) dvmObject.getValue();
                    StringObject method = varArg.getObject(0);
                    System.err.println("java/net/HttpURLConnection->setRequestMethod method=" + method.getValue());
                    try {
                        connection.setRequestMethod(method.getValue());
                    } catch (ProtocolException e) {
                        throw new IllegalStateException(e);
                    }
                    return;
                }
                case "java/net/HttpURLConnection->setConnectTimeout(I)V": {
                    HttpURLConnection connection = (HttpURLConnection) dvmObject.getValue();
                    int timeout = varArg.getInt(0);
                    System.err.println("java/net/HttpURLConnection->setConnectTimeout timeout=" + timeout);
                    connection.setConnectTimeout(timeout);
                    return;
                }
                case "java/net/HttpURLConnection->setRequestProperty(Ljava/lang/String;Ljava/lang/String;)V": {
                    HttpURLConnection connection = (HttpURLConnection) dvmObject.getValue();
                    StringObject key = varArg.getObject(0);
                    StringObject value = varArg.getObject(1);
                    System.err.println("java/net/HttpURLConnection->setRequestProperty key=" + key.getValue() + ", value=" + value.getValue());
                    connection.setRequestProperty(key.getValue(), value.getValue());
                    return;
                }
                case "java/net/HttpURLConnection->setDoOutput(Z)V": {
                    HttpURLConnection connection = (HttpURLConnection) dvmObject.getValue();
                    int doOutput = varArg.getInt(0);
                    System.err.println("java/net/HttpURLConnection->setDoOutput: " + doOutput);
                    connection.setDoOutput(doOutput != 0);
                    return;
                }
                case "java/io/OutputStream->write([B)V": {
                    OutputStream outputStream = (OutputStream) dvmObject.getValue();
                    ByteArray array = varArg.getObject(0);
                    try {
                        outputStream.write(array.getValue());
                    } catch (IOException e) {
                        throw new IllegalStateException(e);
                    }
                    return;
                }
                case "java/io/OutputStream->close()V": {
                    OutputStream outputStream = (OutputStream) dvmObject.getValue();
                    try {
                        outputStream.close();
                    } catch (IOException e) {
                        throw new IllegalStateException(e);
                    }
                    return;
                }
                case "java/net/HttpURLConnection->connect()V": {
                    HttpURLConnection connection = (HttpURLConnection) dvmObject.getValue();
                    try {
                        connection.connect();
                    } catch (IOException e) {
                        throw new IllegalStateException(e);
                    }
                    return;
                }
                case "java/io/InputStream->close()V": {
                    InputStream inputStream = (InputStream) dvmObject.getValue();
                    try {
                        inputStream.close();
                        return;
                    } catch (IOException e) {
                        throw new IllegalStateException(e);
                    }
                }
                case "java/io/BufferedReader->close()V": {
                    BufferedReader reader = (BufferedReader) dvmObject.getValue();
                    try {
                        reader.close();
                        return;
                    } catch (IOException e) {
                        throw new IllegalStateException(e);
                    }
                }
                case "java/net/HttpURLConnection->disconnect()V": {
                    HttpURLConnection connection = (HttpURLConnection) dvmObject.getValue();
                    connection.disconnect();
                    return;
                }
            }

            super.callVoidMethod(vm, dvmObject, signature, varArg);
        }

        @Override
        public int callIntMethod(BaseVM vm, DvmObject dvmObject, String signature, VarArg varArg) {
            System.out.println("signature: " + signature);
            if ("java/net/HttpURLConnection->getResponseCode()I".equals(signature)) {
                HttpURLConnection connection = (HttpURLConnection) dvmObject.getValue();
                try {
                    return connection.getResponseCode();
                } catch (IOException e) {
                    throw new IllegalStateException(e);
                }
            }

            return super.callIntMethod(vm, dvmObject, signature, varArg);
        }

        @Override
        public boolean callBooleanMethod(BaseVM vm, DvmObject dvmObject, String signature, VarArg varArg) {
            System.out.println("signature: " + signature);
            if ("android/content/SharedPreferences$Editor->commit()Z".equals(signature)) {
                return true;
            }

            return super.callBooleanMethod(vm, dvmObject, signature, varArg);
        }

    }

    libcms.zip

    opened by sanqudui8ban 18
  • Some JNI methods can be called while others fail; what is usually the cause?

    // Imports added here for completeness; the package names assume the cn.banny.unidbg
    // API that the cms test elsewhere on this page uses.
    import cn.banny.unidbg.LibraryResolver;
    import cn.banny.unidbg.Module;
    import cn.banny.unidbg.arm.ARM;
    import cn.banny.unidbg.arm.ARMEmulator;
    import cn.banny.unidbg.file.FileIO;
    import cn.banny.unidbg.file.IOResolver;
    import cn.banny.unidbg.linux.android.AndroidARMEmulator;
    import cn.banny.unidbg.linux.android.AndroidResolver;
    import cn.banny.unidbg.linux.android.dvm.*;
    import cn.banny.unidbg.linux.file.ByteArrayFileIO;
    import cn.banny.unidbg.memory.Memory;
    import unicorn.Unicorn;

    import java.io.File;
    import java.io.IOException;

    public class AwemeEncryptTest extends AbstractJni implements IOResolver {

        private static LibraryResolver createLibraryResolver() {
            return new AndroidResolver(23);
        }

        private static ARMEmulator createARMEmulator() {
            return new AndroidARMEmulator("com.ss.android");
        }

        private final ARMEmulator emulator;
        private final VM vm;
        private final Module module;

        private final DvmClass UserInfo;

        private AwemeEncryptTest() throws IOException {
            emulator = createARMEmulator();
            final Memory memory = emulator.getMemory();
            memory.setLibraryResolver(createLibraryResolver());
            memory.setCallInitFunction();

            vm = emulator.createDalvikVM(null);
            DalvikModule dm = vm.loadLibrary(new File("src/test/resources/example_binaries/libcms.so"), false);
            vm.setJni(this);
            dm.callJNI_OnLoad(emulator);
            module = dm.getModule();

            UserInfo = vm.resolveClass("com/ss/android/common/applog/UserInfo");
        }

        private void destroy() throws IOException {
            emulator.close();
            System.out.println("module=" + module);
            System.out.println("== destroy ===");
        }

        public static void main(String[] args) throws Exception {
            AwemeEncryptTest test = new AwemeEncryptTest();
            test.sign();
            test.destroy();
        }

        private void sign() {
            int appId = 1128;
            UserInfo.callStaticJniMethod(emulator, "setAppId(I)V", appId);
            long hash;
            StringObject obj;
            Number ret;
            String key = "a3668f0afac72ca3f6c1697d29e0e1bb1fef4ab0285319b95ac39fa42c38d05f";
            UserInfo.callStaticJniMethod(emulator, "initUser(Ljava/lang/String;)I", new StringObject(vm, key));
    //        System.out.println(obj.getValue());

            ret = UserInfo.callStaticJniMethod(emulator, "getS()Ljava/lang/String;");
            hash = ret.intValue() & 0xffffffffL;
            obj = vm.getObject(hash);
            System.out.println(obj.getValue());

            UserInfo.callStaticJniMethod(emulator, "getType()I");

            int timeStamp = 1559629512;
            String deviceId = "53039791462";
            String url = "https://aweme-eagle.snssdk.com/aweme/v1/feed/?os_api=26&device_type=MHA-AL00&ssmix=a&manifest_version_code=380&dpi=480&uuid=865296034887289&js_sdk_version=1.5.4&need_relieve_aweme=0&min_cursor=0&req_from=&count=6&app_name=aweme&max_cursor=0&version_name=3.8.0&pull_type=1&ac=wifi&app_type=normal&update_version_code=3802&channel=update&type=0&_rticket=1545468521415&is_cold_start=0&device_platform=android&iid=54915619827&volume=0.0&longitude=120.388862&version_code=380&openudid=3a6f6cdf79dc8965&device_id=53039791462&latitude=36.090072&resolution=1080*1808&device_brand=HUAWEI&language=zh&os_version=8.0.0&filter_warn=0&aid=1128&mcc_mnc=46000&ts=1559629512";
            ret = UserInfo.callStaticJniMethod(emulator, "getUserInfo(ILjava/lang/String;[Ljava/lang/String;)Ljava/lang/String;",
                    timeStamp, new StringObject(vm, url), null, new StringObject(vm, deviceId));
            hash = ret.intValue() & 0xffffffffL;
            obj = vm.getObject(hash);
            vm.deleteLocalRefs();
    //        System.out.println(obj.getValue());
            Number[] numbers = module.callFunction(emulator, 0x19c5d, vm.getJNIEnv(), 0x363E7561, timeStamp, url, null, deviceId);
            Unicorn unicorn = emulator.getUnicorn();
            long address = numbers[0].intValue() & 0xffffffffL;
            System.out.println("eFunc length is: " + numbers[0].intValue());
            System.out.println("ret=" + ARM.readCString(unicorn, address));
        }

        @Override
        public FileIO resolve(File workDir, String pathname, int oflags) {
            if (("proc/" + emulator.getPid() + "/status").equals(pathname)) {
                return new ByteArrayFileIO(oflags, pathname, "TracerPid:\t0\n".getBytes());
            }
            return null;
        }
    }


    This is the .so file: libcms.zip

    getS and getType return values; all the others throw NullPointerException.

    opened by xiada 13
  • The program hangs when test-running the mp4v2.so file; could someone take a look?

    When running the phone-side .so file, the first parameter is a video file path and the second is a string. After running, the program hangs; I don't know whether it is a code problem or something else, and the program prints no result either.

    File file = new File("/disk/apps/wubaapp/libMp4v2.dylib");
    DalvikModule dm = vm.loadLibrary(file.canRead() ? file : new File("/disk/apps/wubaapp/libMp4v2.dylib"), true);
    dm.callJNI_OnLoad(emulator);

    cUtilities = vm.resolveClass("com/wbvideo/encrypt/WBMp4v2");

    String filePath = "/Users/etui/Downloads/tesst/VID_20210625_130236391.mp4";
    String key = "392284585";
    long start = System.currentTimeMillis();

    // emulator.traceCode();
    boolean success = cUtilities.callStaticJniMethodBoolean(emulator, "tagsWithFilePath(Ljava/lang/String;Ljava/lang/String;)Z", new StringObject(vm, filePath), new StringObject(vm, key));
    // Inspector.inspect("c offset=" + (System.currentTimeMillis() - start) + "ms");

    Below is the log:

    [libMp4v2.so]CallInitFunction: RX@0x400719a4[libMp4v2.so]0x719a4, offset=2ms
    Find native function Java_com_wbvideo_encrypt_WBMp4v2_tagsWithFilePath(Ljava/lang/String;Ljava/lang/String;)Z => RX@0x400f09f8[libMp4v2.so]0xf09f8

    LR=RX@0x4033e024[libc.so]0x1e024 SP=0xbfffddb0 PC=RX@0x4038ac14[libc.so]0x6ac14
    nzcv: N=0, Z=0, C=0, V=0, EL0, use SP_EL0
    debugger break at: 0x4038ac14

    After this log appears the program makes no further progress; the code hangs and the service does not stop either.

    opened by kaixinwangzi1982 12
  • NewGlobalRefs throws a NullPointerException

    Hello zhkl0228, when calling the .so initialization, executing newGlobalRefs throws a NullPointerException; could you help take a look?

    [17:12:54 108] DEBUG [cn.banny.emulator.linux.ARMSyscallHandler] (ARMSyscallHandler:433) - handleInterrupt intno=2, NR=-1073743908, svcNumber=0x106, PC=unicorn@0xfffe007c, syscall=null
    java.lang.NullPointerException
        at cn.banny.emulator.linux.android.dvm.DalvikVM$7.handle(DalvikVM.java:112)
        at cn.banny.emulator.linux.ARMSyscallHandler.hook(ARMSyscallHandler.java:71)
        at unicorn.Unicorn.invokeInterruptCallbacks(Unicorn.java:123)
        at unicorn.Unicorn.emu_start(Native Method)
        at cn.banny.emulator.AbstractEmulator.emulate(AbstractEmulator.java:197)
        at cn.banny.emulator.AbstractEmulator.eFunc(AbstractEmulator.java:283)
        at cn.banny.emulator.arm.AbstractARMEmulator.eFunc(AbstractARMEmulator.java:191)
        at cn.banny.emulator.linux.LinuxModule.emulateFunction(LinuxModule.java:154)
        at cn.banny.emulator.linux.android.dvm.DvmClass.callStaticJniMethod(DvmClass.java:144)
        at com.xingin.xhs.Shield.(Shield.java:73)
        at com.xingin.xhs.Shield.main(Shield.java:120)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at com.intellij.rt.execution.application.AppMain.main(AppMain.java:147)

    opened by freemanZYQ 12
  • After upgrading unidbg to the latest version, libsgmain.so no longer runs

    After upgrading unidbg to the latest version, libsgmain.so no longer runs

    After upgrading unidbg to the latest version, libsgmain.so no longer runs; the version from June last year could run it. Please fix. Test code:

```java
package com.bytedance.frameworks.core.encrypt;

import java.io.File;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

import com.github.unidbg.Emulator;
import com.github.unidbg.LibraryResolver;
import com.github.unidbg.file.FileResult;
import com.github.unidbg.file.IOResolver;
import com.github.unidbg.linux.android.AndroidARMEmulator;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.linux.android.dvm.AbstractJni;
import com.github.unidbg.linux.android.dvm.BaseVM;
import com.github.unidbg.linux.android.dvm.DalvikModule;
import com.github.unidbg.linux.android.dvm.DvmClass;
import com.github.unidbg.linux.android.dvm.DvmObject;
import com.github.unidbg.linux.android.dvm.StringObject;
import com.github.unidbg.linux.android.dvm.VM;
import com.github.unidbg.linux.android.dvm.VarArg;
import com.github.unidbg.linux.android.dvm.array.ArrayObject;
import com.github.unidbg.linux.android.dvm.wrapper.DvmBoolean;
import com.github.unidbg.linux.android.dvm.wrapper.DvmInteger;
import com.github.unidbg.linux.file.ByteArrayFileIO;
import com.github.unidbg.linux.file.SimpleFileIO;
import com.github.unidbg.memory.Memory;

public class TestSignso extends AbstractJni implements IOResolver {

    private static LibraryResolver createLibraryResolver() {
        return new AndroidResolver(19);
    }

    private static AndroidARMEmulator createARMEmulator() {
        return new AndroidARMEmulator();
    }

    private final AndroidARMEmulator emulator;
    private final VM vm;

    private final DvmClass Native;

    private TestSignso() throws IOException {
        // Logger.getLogger("cn.banny.unidbg.AbstractEmulator").setLevel(Level.DEBUG);

        emulator = createARMEmulator();
        // serve the APK and the fake /proc files from resolve() below
        emulator.getSyscallHandler().addIOResolver(this);
        final Memory memory = emulator.getMemory();
        memory.setLibraryResolver(createLibraryResolver());

        vm = emulator.createDalvikVM(APK_FILE);
        vm.setJni(this);
        DalvikModule dm = vm.loadLibrary("sgmainso-6.4.152", false);
        dm.callJNI_OnLoad(emulator);

        Native = vm.resolveClass("com.taobao.wireless.security.adapter.JNICLibrary".replace(".", "/"));
    }

    private static final String APK_INSTALL_PATH = "/data/app/test.apk";
    private static final File APK_FILE = new File("unidbg-android/src/test/resources/app/com.taobao.taobao_8.8.0_243.apk");

    @Override
    public FileResult resolve(Emulator emulator, String pathname, int oflags) {
        if (pathname.equals(APK_INSTALL_PATH)) {
            return FileResult.success(new SimpleFileIO(oflags, APK_FILE, pathname));
        }

        // TracerPid 0 so the library's debugger check passes
        if (("/proc/self/status").equals(pathname)) {
            return FileResult.success(new ByteArrayFileIO(oflags, pathname, ("TracerPid:\t0\nState" +
                    ":\tr\n").getBytes()));
        }
        if (("/proc/" + emulator.getPid() + "/stat").equals(pathname)) {
            return FileResult.success(new ByteArrayFileIO(oflags, pathname, (emulator.getPid() +
                    " (a.out) R 6723 6873 6723 34819 6873 8388608 77 0 0 0 41958 31 0 0 25 0 3 0 5882654 1409024 56 4294967295 134512640 134513720 3215579040 0 2097798 0 0 0 0 0 0 0 17 0 0 0\n").getBytes()));
        }
        if (("/proc/" + emulator.getPid() + "/wchan").equals(pathname)) {
            return FileResult.success(new ByteArrayFileIO(oflags, pathname,
                    "sys_epoll".getBytes()));
        }

        return null;
    }

    private void destroy() throws IOException {
        emulator.close();
        System.out.println("destroy");
    }

    public static void main(String[] args) throws Exception {
        TestSignso test = new TestSignso();
        test.test();
        test.destroy();
    }

    private void test() {
        DvmObject context = vm.resolveClass("android/content/Context").newObject(null);
        long start = System.currentTimeMillis();
        // command 10101: initialise the SG library with a Context and a working directory
        Number ret = Native.callStaticJniMethod(emulator, "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;",
                10101,
                new ArrayObject(context, DvmInteger.valueOf(vm, 3), new StringObject(vm, ""), new StringObject(vm, new File("target/app_SGLib").getAbsolutePath()), new StringObject(vm, ""))
        );
        // the native side returns a jobject handle; widen to unsigned before looking it up
        long hash = ret.intValue() & 0xffffffffL;
        DvmObject dvmObject = vm.getObject(hash);
        System.out.println("hash:" + hash + ", dvmObject=" + dvmObject + ", offset=" + (System.currentTimeMillis() - start) + "ms");
        vm.deleteLocalRefs();

        Map<String, String> map = new HashMap<>();
        map.put("INPUT", "XPDlGfM+zOoDAMHyPLa9+Okq&&&21646297&99914b932bd37a50b983c5e7c90ae93b&1560149480&mtop.common.gettimestamp&*&&231200@taobao_android_8.8.0&AjA1TIyT9T8vcuFw8Osrli35ALbE3ZW2SHLZNuihw8Ku&&&27&&&&&&&");
        start = System.currentTimeMillis();
        // command 10401: sign the INPUT string
        ret = Native.callStaticJniMethod(emulator, "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;",
                10401,
                new ArrayObject(vm.resolveClass("java/util/HashMap").newObject(map),
                        new StringObject(vm, "21646297"), DvmInteger.valueOf(vm, 7), null, DvmBoolean.valueOf(vm, true)));
        hash = ret.intValue() & 0xffffffffL;
        dvmObject = vm.getObject(hash);
        System.out.println("hash:" + hash + ", dvmObject=" + dvmObject + ", offset=" + (System.currentTimeMillis() - start) + "ms");
        vm.deleteLocalRefs();
        System.out.println("=========" + dvmObject);
    }

    @Override
    public DvmObject callStaticObjectMethod(BaseVM vm, DvmClass dvmClass, String signature, VarArg varArg) {
        switch (signature) {
            case "com/alibaba/wireless/security/mainplugin/SecurityGuardMainPlugin->getMainPluginClassLoader()Ljava/lang/ClassLoader;":
                return vm.resolveClass("java/lang/ClassLoader").newObject(null);
            case "com/taobao/wireless/security/adapter/common/SPUtility2->readFromSPUnified(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;":
                StringObject a1 = varArg.getObject(0);
                StringObject a2 = varArg.getObject(1);
                StringObject a3 = varArg.getObject(2);
                System.out.println("readFromSPUnified a1=" + a1 + ", a2=" + a2 + ", a3=" + a3);
                return null;
            case "com/taobao/wireless/security/adapter/datacollection/DeviceInfoCapturer->doCommandForString(I)Ljava/lang/String;":
                int value = varArg.getInt(0);
                System.out.println("com/taobao/wireless/security/adapter/datacollection/DeviceInfoCapturer->doCommandForString value=" + value);
                return null;
        }

        return super.callStaticObjectMethod(vm, dvmClass, signature, varArg);
    }

    @Override
    public DvmObject newObject(BaseVM vm, DvmClass dvmClass, String signature, VarArg varArg) {
        switch (signature) {
            case "com/alibaba/wireless/security/open/SecException-><init>(Ljava/lang/String;I)V": {
                StringObject msg = varArg.getObject(0);
                int value = varArg.getInt(1);
                return dvmClass.newObject(msg.getValue() + "[" + value + "]");
            }
            case "java/lang/Integer-><init>(I)V":
                int value = varArg.getInt(0);
                return DvmInteger.valueOf(vm, value);
        }

        return super.newObject(vm, dvmClass, signature, varArg);
    }

    @Override
    public DvmObject callObjectMethod(BaseVM vm, DvmObject dvmObject, String signature, VarArg varArg) {
        switch (signature) {
            case "java/util/HashMap->keySet()Ljava/util/Set;": {
                HashMap map = (HashMap) dvmObject.getValue();
                return vm.resolveClass("java/util/Set").newObject(map.keySet());
            }
            case "java/util/Set->toArray()[Ljava/lang/Object;":
                Set set = (Set) dvmObject.getValue();
                Object[] array = set.toArray();
                DvmObject[] objects = new DvmObject[array.length];
                for (int i = 0; i < array.length; i++) {
                    if (array[i] instanceof String) {
                        objects[i] = new StringObject(vm, (String) array[i]);
                    } else {
                        throw new IllegalStateException("array=" + array[i]);
                    }
                }
                return new ArrayObject(objects);
            case "java/util/HashMap->get(Ljava/lang/Object;)Ljava/lang/Object;": {
                HashMap map = (HashMap) dvmObject.getValue();
                Object key = varArg.getObject(0).getValue();
                Object obj = map.get(key);
                if (obj instanceof String) {
                    return new StringObject(vm, (String) obj);
                } else {
                    throw new IllegalStateException("array=" + obj);
                }
            }
            case "android/content/Context->getPackageCodePath()Ljava/lang/String;":
                return new StringObject(vm, APK_INSTALL_PATH);
            case "android/content/Context->getFilesDir()Ljava/io/File;":
                return vm.resolveClass("java/io/File").newObject(new File("target"));
            case "java/io/File->getAbsolutePath()Ljava/lang/String;":
                File file = (File) dvmObject.getValue();
                return new StringObject(vm, file.getAbsolutePath());
        }

        return super.callObjectMethod(vm, dvmObject, signature, varArg);
    }

    @Override
    public void callStaticVoidMethod(BaseVM vm, DvmClass dvmClass, String signature, VarArg varArg) {
        switch (signature) {
            case "com/taobao/dp/util/CallbackHelper->onCallBack(ILjava/lang/String;I)V":
                int i1 = varArg.getInt(0);
                StringObject str = varArg.getObject(1);
                int i2 = varArg.getInt(2);
                System.out.println("com/taobao/dp/util/CallbackHelper->onCallBack i1=" + i1 + ", str=" + str + ", i2=" + i2);
                return;
            case "com/alibaba/wireless/security/open/edgecomputing/ECMiscInfo->registerAppLifeCyCleCallBack()V":
                System.out.println("registerAppLifeCyCleCallBack");
                return;
        }

        super.callStaticVoidMethod(vm, dvmClass, signature, varArg);
    }

    @Override
    public DvmObject getObjectField(BaseVM vm, DvmObject dvmObject, String signature) {
        switch (signature) {
            case "android/content/pm/ApplicationInfo->nativeLibraryDir:Ljava/lang/String;":
                return new StringObject(vm, new File("target").getAbsolutePath());
        }

        return super.getObjectField(vm, dvmObject, signature);
    }

    @Override
    public int callStaticIntMethod(BaseVM vm, DvmClass dvmClass, String signature, VarArg varArg) {
        switch (signature) {
            case "com/alibaba/wireless/security/framework/utils/UserTrackMethodJniBridge->utAvaiable()I":
                return 1;
            case "com/taobao/wireless/security/adapter/common/SPUtility2->saveToFileUnifiedForNative(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Z)I":
                StringObject a1 = varArg.getObject(0);
                StringObject a2 = varArg.getObject(1);
                StringObject a3 = varArg.getObject(2);
                boolean b4 = varArg.getInt(3) != 0;
                System.out.println("saveToFileUnifiedForNative a1=" + a1 + ", a2=" + a2 + ", a3=" + a3 + ", b4=" + b4);
                return 0;
        }

        return super.callStaticIntMethod(vm, dvmClass, signature, varArg);
    }

}
```

    After running it, the result is null.

    opened by jtduan 11
  • Please help: memory failed when calling a statically registered Android native function

    Please help: memory failed when calling a statically registered Android native function

    The code is as follows:

```java
package com.tzrd;

import com.github.unidbg.AndroidEmulator;
import com.github.unidbg.Module;
import com.github.unidbg.Symbol;
import com.github.unidbg.linux.android.AndroidARMEmulator;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.linux.android.dvm.*;
import com.github.unidbg.memory.Memory;
import com.github.unidbg.memory.MemoryBlock;

import java.io.File;
import java.io.IOException;

/**
 * @author huoja
 * @date 2020/6/8 3:43 PM
 */
public class TzrdClient extends AbstractJni {
    private static final String APP_PACKAGE_NAME = "com.maihan.tredian";

    // the Android emulator
    private final AndroidEmulator emulator;

    // the Dalvik VM
    private final VM vm;

    // the loaded module
    private final Module module;

    // the Java class that declares the native methods
    private final DvmClass Native;

    // create an Android emulator for the target package name
    private static AndroidEmulator createARMEmulator() {
        return new AndroidARMEmulator(APP_PACKAGE_NAME);
    }

    private TzrdClient() throws Exception {
        emulator = createARMEmulator();
        Memory memory = emulator.getMemory();
        memory.setLibraryResolver(new AndroidResolver(23));
        vm = emulator.createDalvikVM(null);
        vm.setJni(this);
        vm.setVerbose(true);
        DalvikModule dm = vm.loadLibrary(new File("src/test/resources/example_binaries/armeabi-v7a/libtre.so"), false);
        dm.callJNI_OnLoad(emulator);
        module = dm.getModule();
        Native = vm.resolveClass("com/maihan/tredian/util");

        // sanity check: call libc's __system_property_get through the loaded module
        Symbol __system_property_get = module.findSymbolByName("__system_property_get", true);
        MemoryBlock block = memory.malloc(0x20);
        Number ret = __system_property_get.call(emulator, "ro.build.version.sdk", block.getPointer())[0];
        System.out.println("sdk=" + new String(block.getPointer().getByteArray(0, ret.intValue())) + ", libc=" + memory.findModule("libc.so"));

        // call the statically registered JNI export directly by its symbol name,
        // passing the Java string as the first argument
        Symbol Java_com_maihan_tredian_util_TreUtil_sign = module.findSymbolByName("Java_com_maihan_tredian_util_TreUtil_sign");
        Number ret2 = Java_com_maihan_tredian_util_TreUtil_sign.call(emulator, "this is a test")[0];
        // the return value is a jobject handle; widen to unsigned before looking it up
        long address = ret2.intValue() & 0xffffffffL;
        String sign = (String) vm.getObject(address).getValue();
        System.out.println(sign);
    }

    private void destroy() throws IOException {
        emulator.close();
    }

    public static void main(String[] args) {
        try {
            TzrdClient tzrdClient = new TzrdClient();
            tzrdClient.destroy();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
```

    opened by huojiaan 10
  • Testing a certain .so gives dvmObject=null, dvmClass=null

    Testing a certain .so gives dvmObject=null, dvmClass=null

    When _CallObjectMethodV is called, `DvmObject dvmObject = getObject(object.peer);` returns null. Could you help me look into what is going on? The exact error is:

```
unicorn.UnicornException: dvmObject=null, dvmClass=null, jmethodID=unicorn@0x318b4ca9
	at cn.banny.unidbg.linux.android.dvm.DalvikVM$19.handle(DalvikVM.java:308)
	at cn.banny.unidbg.linux.ARMSyscallHandler.hook(ARMSyscallHandler.java:90)
	at unicorn.Unicorn.invokeInterruptCallbacks(Unicorn.java:123)
	at unicorn.Unicorn.emu_start(Native Method)
	at cn.banny.unidbg.AbstractEmulator.emulate(AbstractEmulator.java:267)
	at cn.banny.unidbg.AbstractEmulator.eFunc(AbstractEmulator.java:360)
	at cn.banny.unidbg.arm.AbstractARMEmulator.eFunc(AbstractARMEmulator.java:201)
	at cn.banny.unidbg.linux.LinuxModule.emulateFunction(LinuxModule.java:154)
	at cn.banny.unidbg.linux.android.dvm.DvmClass.callStaticJniMethod(DvmClass.java:140)
	at com.ss.sys.ces.CMS.sign(CMS.java:101)
	at com.ss.sys.ces.CMS.main(CMS.java:77)
debugger break at: 0xfffe01b4
```

```
r0=0xfffe0920 r1=0xbffff7c4 r2=0x318b4ca9, r3=0xbfffef14 r4=0xb377e5e8 r5=0xfffe0920 r6=0x50bb0e8 r7=0xabf69add r8=0xc148d653 r9=0xfffe0920 r10=0x6fe75f6e fp=0xc148d654 ip=0xfffe01b0 sp=0xbfffef00 lr=0x40011af5 pc=0xfffe01b4
cpsr: N=0, Z=1, C=1, V=0, T=0, mode=0b10000
[ libcms.so] [0x11ad7] [ fc 44 ] 0x40011ad6: add ip, pc
[ libcms.so] [0x11ad9] [ dc f8 00 c0 ] 0x40011ad8: ldr.w ip, [ip]
[ libcms.so] [0x11add] [ dc f8 00 c0 ] 0x40011adc: ldr.w ip, [ip]
[ libcms.so] [0x11ae1] [ 05 93 ] 0x40011ae0: str r3, [sp, #0x14]
[ libcms.so] [0x11ae3] [ 05 ab ] 0x40011ae2: add r3, sp, #0x14
[ libcms.so] [0x11ae5] [ cd f8 08 c0 ] 0x40011ae4: str.w ip, [sp, #8]
[ libcms.so] [0x11ae9] [ 01 93 ] 0x40011ae8: str r3, [sp, #4]
[ libcms.so] [0x11aeb] [ d0 f8 00 c0 ] 0x40011aea: ldr.w ip, [r0]
[ libcms.so] [0x11aef] [ dc f8 8c c0 ] 0x40011aee: ldr.w ip, [ip, #0x8c]
[ libcms.so] [0x11af3] [ e0 47 ] 0x40011af2: blx ip
[ 0xfffe01b0] [0x001b0] [ 12 01 00 ef ] 0xfffe01b0: svc #0x112
=> [ 0xfffe01b4] [0x001b4] [ 1e ff 2f e1 ] 0xfffe01b4: bx lr
[ 0xfffe01b8] [0x001b8] [ 00 00 00 00 ] 0xfffe01b8: andeq r0, r0, r0
[ 0xfffe01bc] [0x001bc] [ 00 00 00 00 ] 0xfffe01bc: andeq r0, r0, r0
[ 0xfffe01c0] [0x001c0] [ 13 01 00 ef ] 0xfffe01c0: svc #0x113
[ 0xfffe01c4] [0x001c4] [ 1e ff 2f e1 ] 0xfffe01c4: bx lr
[ 0xfffe01c8] [0x001c8] [ 00 00 00 00 ] 0xfffe01c8: andeq r0, r0, r0
[ 0xfffe01cc] [0x001cc] [ 00 00 00 00 ] 0xfffe01cc: andeq r0, r0, r0
[ 0xfffe01d0] [0x001d0] [ 14 01 00 ef ] 0xfffe01d0: svc #0x114
[ 0xfffe01d4] [0x001d4] [ 1e ff 2f e1 ] 0xfffe01d4: bx lr
[ 0xfffe01d8] [0x001d8] [ 00 00 00 00 ] 0xfffe01d8: andeq r0, r0, r0
```

    Attachment: upload.zip

    660.apk is the dy apk.

    opened by JiangJianCong 10
  • After reading /proc/self/maps, the r0 register is 0xffffffff

    After reading /proc/self/maps, the r0 register is 0xffffffff

    While running the meta of dy version 720 today, I found that after the read syscall on the /proc/self/maps file, r0=0xffffffff r1=0x0 r2=0xffffffff, r3=0x0 r4=0x6991e777 r5=0x98; r0 became 0xffffffff. I saw this file being read several times; the earlier reads were fine, and then this one failed. Error log: (image)

    I am not sure what the error is; please take a look when you have time! Test-case files: test.zip

    opened by JiangJianCong 9
  • Help: com.github.unidbg.arm.backend.BackendException

    Help: com.github.unidbg.arm.backend.BackendException

    First, the error:

```
com.github.unidbg.arm.backend.BackendException
	at com.github.unidbg.linux.android.dvm.DalvikVM$31.handle(DalvikVM.java:498)
	at com.github.unidbg.linux.ARM32SyscallHandler.hook(ARM32SyscallHandler.java:103)
	at com.github.unidbg.arm.backend.UnicornBackend$6.hook(UnicornBackend.java:305)
	at unicorn.Unicorn$NewHook.onInterrupt(Unicorn.java:128)
	at unicorn.Unicorn.emu_start(Native Method)
	at com.github.unidbg.arm.backend.UnicornBackend.emu_start(UnicornBackend.java:331)
	at com.github.unidbg.AbstractEmulator.emulate(AbstractEmulator.java:370)
	at com.github.unidbg.AbstractEmulator.eFunc(AbstractEmulator.java:446)
	at com.github.unidbg.arm.AbstractARMEmulator.eFunc(AbstractARMEmulator.java:220)
	at com.github.unidbg.Module.emulateFunction(Module.java:158)
	at com.github.unidbg.linux.android.dvm.DvmObject.callJniMethod(DvmObject.java:133)
	at com.github.unidbg.linux.android.dvm.DvmClass.callStaticJniMethodObject(DvmClass.java:292)
	at com.anjuke.mobile.sign.SignUtil.getSign0(SignUtil.java:45)
	at com.anjuke.mobile.sign.SignUtil.sign(SignUtil.java:57)
	at com.anjuke.mobile.sign.SignUtil.main(SignUtil.java:72)
```

    I debugged it: DalvikVM.java line 496, `DvmMethod dvmMethod = dvmClass == null ? null : dvmClass.getMethod(jmethodID.toIntPeer());`. My understanding is that this looks up the method in the class by its hash value, and it is not found.

    Other attempts: the cause of my error is very likely that a Context is required. In the current .so, I tried a method that does not need a Context and it works normally. In other .so files, Context can be passed as null and the methods also execute normally.

    The source:

```java
package com.anjuke.mobile.sign;

import com.github.unidbg.AndroidEmulator;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.linux.android.dvm.*;
import com.github.unidbg.linux.android.dvm.jni.ProxyClassFactory;
import com.github.unidbg.linux.android.dvm.jni.ProxyDvmObject;
import com.github.unidbg.memory.Memory;

import java.io.File;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

public class SignUtil {

    private final AndroidEmulator emulator;

    private final DvmClass cSignUtil;
    private final VM vm;

    public SignUtil() {
        emulator = AndroidEmulatorBuilder.for32Bit()
                .setProcessName("")
                .build();
        Memory memory = emulator.getMemory();
        memory.setLibraryResolver(new AndroidResolver(23));
        vm = emulator.createDalvikVM();
        // resolve Java classes and objects reflectively from the host JVM
        vm.setDvmClassFactory(new ProxyClassFactory());
        vm.setVerbose(true);
        DalvikModule dm = vm.loadLibrary(new File("/Users/ddd/Desktop/libJniHelper.so"), false);
        cSignUtil = vm.resolveClass("com/vip/sdk/base/jni/JniHelper");
        dm.callJNI_OnLoad(emulator);
    }

    public void destroy() throws IOException {
        emulator.close();
    }

    public String getSign0(String p1, String p2, Map<String, String> map, String p3, int i) {
        // a placeholder Context object with no backing value
        DvmObject contexts = vm.resolveClass("android/content/Context").newObject(null);
        String methodSign = "getSignHash(Landroid/content/Context;Ljava/util/Map;Ljava/lang/String;)Ljava/lang/String;";
        StringObject obj = cSignUtil.callStaticJniMethodObject(emulator, methodSign, contexts, ProxyDvmObject.createObject(vm, map), "2");

        /* String methodSign = "get3DesKey()Ljava/lang/String;";
        StringObject obj = cSignUtil.callStaticJniMethodObject(emulator, methodSign); */
        return obj.getValue();
    }

    private synchronized String sign(String p1, String p2, Map<String, String> paramMap, String p3, int i) {
        Map<String, String> map = new HashMap<>();
        for (String key : paramMap.keySet()) {
            map.put(key, paramMap.get(key));
        }
        return getSign0(p1, p2, map, p3, i);
    }

    public static void main(String[] args) throws Exception {
        Map<String, String> paramMap = new HashMap<String, String>() {{
            put("a", "b");
            put("b", "b");
        }};
        String p1 = "aa";
        String p2 = "bb";
        String p3 = "cc";
        int i = 10;

        SignUtil signUtil = new SignUtil();
        String sign = signUtil.sign(p1, p2, paramMap, p3, i);
        System.out.println("sign=" + sign);
        signUtil.destroy();
    }

}
```

    I hope you can help me find out what the problem is. Thanks!

    opened by dddNevermore 8
  • unicorn.UnicornException: Invalid memory read (UC_ERR_READ_UNMAPPED), bytedance Dongchedi

    unicorn.UnicornException: Invalid memory read (UC_ERR_READ_UNMAPPED), bytedance Dongchedi

    Calling the method tfccDecrypt(int i, String str, String str2) in Dongchedi's libtfcc.so with parameter i: 1, parameter str: 14zRM+40n2UGVx0DlI7hqDFjsxGR6eJsnnxUME5ZDT8=, parameter str2: BQADAggAxzHqH07gvkuZptzo1OjSi/6LI9LXorqXAICkO0f2ILbt//z0V/CGpy6k4m6JlehN5PA1AtqHz6QSJhN3mRXb9ip5QySI61kGDuYhXqBxxcpfcW+Va9l4DgkMLdczm5bBb3HTdchxgmlzmfZ0xtE2mhgug5V87hWZZHZyhd/qs9pc1zeBl51elaei9IHES5JEBtof0QsJp8TGDM7f6PXumwD7a8pDVrDQQovnDEhCMwQx503TE33z1YjUguq4w3HsraEgsrylbZfnFCW2vlu0a1wESE2HgY2DSIdc77v8XbUhe/XdTZM9wD+P2+tGtJU+m/1sL/n63EwPTE7g1qUH6uc7rwI6kINYbPh44QcbUgXBRa9E4Pfa7JSWVVC8eqHvFLka1uD/5DGGpMeQURT78OUkrodChAlFC2JziHhvGGQmE5Lo/XLSJ3OwGISEXWKRd2elyvUuG4v0ALRzmOaFRjGQV5v5Qr7hPeO8wNf9/6fDYvWpb0sVaGG86b/gsGSPfPZF2NzA+wADHwH405R8LeVAVmyNdlJQ5PvxxtV79HG88n0ZBIVzsPlaqyozyS5/nuYtundmTkM2Rr+0sMMd3x8qUHXIdIR5fzyJmEVPcSkrrb9KR1xeapcyGW4ueM54tL/d/QBoQOOgI0U14Zf1Ph350mI=

    The call fails as follows, and the program stays stuck in callStaticJniMethodObject:

```
14:40:20.020 [main] WARN com.github.unidbg.arm.AbstractARMEmulator - memory failed: address=0x27c, size=1, value=0x0, PC=unidbg@0x27c, LR=RX@0x4000903f[libtfcc.so]0x903f
debugger break at: 0x27c

r0=0xfffe0a50(-128432) r1=0x3399da6d r2=0xf4f3cce3 r3=0xfffffffd r4=0xbffff768 r5=0xfffffffd r6=0x40211008 r7=0xbffff788 r8=0x3399da6d sb=0xfffe0a50 sl=0x0 fp=0x0 ip=0x27c SP=0xbffff760 LR=RX@0x4000903f[libtfcc.so]0x903f PC=unidbg@0x27c
cpsr: N=0, Z=1, C=1, V=0, T=0, mode=0b10000
com.github.unidbg.arm.backend.BackendException: unicorn.UnicornException: Invalid memory fetch (UC_ERR_FETCH_UNMAPPED)
	at com.github.unidbg.arm.backend.UnicornBackend.emu_start(UnicornBackend.java:298)
	at com.github.unidbg.AbstractEmulator.emulate(AbstractEmulator.java:382)
	at com.github.unidbg.AbstractEmulator.eFunc(AbstractEmulator.java:471)
	at com.github.unidbg.arm.AbstractARMEmulator.eFunc(AbstractARMEmulator.java:215)
	at com.github.unidbg.Module.emulateFunction(Module.java:154)
	at com.github.unidbg.linux.android.dvm.DvmObject.callJniMethod(DvmObject.java:128)
	at com.github.unidbg.linux.android.dvm.DvmClass.callStaticJniMethodObject(DvmClass.java:291)
	at cn.atgco.webmagic.util.JniDispatch32.test(JniDispatch32.java:64)
	at cn.atgco.webmagic.util.JniDispatch32.main(JniDispatch32.java:56)
Caused by: unicorn.UnicornException: Invalid memory fetch (UC_ERR_FETCH_UNMAPPED)
	at unicorn.Unicorn.emu_start(Native Method)
	at com.github.unidbg.arm.backend.UnicornBackend.emu_start(UnicornBackend.java:296)
	... 8 more
com.github.unidbg.arm.backend.BackendException: unicorn.UnicornException: Invalid memory read (UC_ERR_READ_UNMAPPED)
	at com.github.unidbg.arm.backend.UnicornBackend.mem_read(UnicornBackend.java:101)
	at com.github.unidbg.arm.CodeHistory.disassemble(CodeHistory.java:20)
	at com.github.unidbg.arm.AbstractARMDebugger.disassemble(AbstractARMDebugger.java:610)
	at com.github.unidbg.arm.SimpleARMDebugger.loop(SimpleARMDebugger.java:37)
	at com.github.unidbg.arm.AbstractARMDebugger.debug(AbstractARMDebugger.java:187)
	at com.github.unidbg.AbstractEmulator.emulate(AbstractEmulator.java:399)
	at com.github.unidbg.AbstractEmulator.eFunc(AbstractEmulator.java:471)
	at com.github.unidbg.arm.AbstractARMEmulator.eFunc(AbstractARMEmulator.java:215)
	at com.github.unidbg.Module.emulateFunction(Module.java:154)
	at com.github.unidbg.linux.android.dvm.DvmObject.callJniMethod(DvmObject.java:128)
	at com.github.unidbg.linux.android.dvm.DvmClass.callStaticJniMethodObject(DvmClass.java:291)
	at cn.atgco.webmagic.util.JniDispatch32.test(JniDispatch32.java:64)
	at cn.atgco.webmagic.util.JniDispatch32.main(JniDispatch32.java:56)
Caused by: unicorn.UnicornException: Invalid memory read (UC_ERR_READ_UNMAPPED)
	at unicorn.Unicorn.mem_read(Native Method)
	at com.github.unidbg.arm.backend.UnicornBackend.mem_read(UnicornBackend.java:99)
	... 12 more
```

    Program code:

```java
import com.github.unidbg.AndroidEmulator;
import com.github.unidbg.LibraryResolver;
import com.github.unidbg.Module;
import com.github.unidbg.linux.android.AndroidARMEmulator;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.linux.android.dvm.DalvikModule;
import com.github.unidbg.linux.android.dvm.DvmClass;
import com.github.unidbg.linux.android.dvm.VM;
import com.github.unidbg.linux.android.dvm.jni.ProxyClassFactory;
import com.github.unidbg.memory.Memory;

import java.io.File;
import java.io.IOException;

public class JniDispatch32 {

    private static LibraryResolver createLibraryResolver() {
        return new AndroidResolver(23);
    }

    private static AndroidEmulator createARMEmulator() {
        return new AndroidARMEmulator("com.sun.jna");
    }

    private final AndroidEmulator emulator;
    private final Module module;

    private final DvmClass cNative;

    private JniDispatch32() {
        emulator = createARMEmulator();
        final Memory memory = emulator.getMemory();
        memory.setLibraryResolver(createLibraryResolver());

        VM vm = emulator.createDalvikVM(null);
        vm.setDvmClassFactory(new ProxyClassFactory());
        vm.setVerbose(true);
        DalvikModule dm = vm.loadLibrary(new File("D:\\atg_project\\atg_webmagic\\src\\main\\resources\\dongchedi\\libtfcc.so"), false);
        dm.callJNI_OnLoad(emulator);
        module = dm.getModule();

        cNative = vm.resolveClass("com/ss/android/tfcc/Tfcc");
    }

    private void destroy() throws IOException {
        emulator.close();
        System.out.println("destroy");
    }

    public static void main(String[] args) throws Exception {
        JniDispatch32 test = new JniDispatch32();
        test.test();
        test.destroy();
    }

    private void test() {
        String str = "BQADAggAxzHqH07gvkuZptzo1OjSi/6LI9LXorqXAICkO0f2ILbt//z0V/CGpy6k4m6JlehN5PA1AtqHz6QSJhN3mRXb9ip5QySI61kGDuYhXqBxxcpfcW+Va9l4DgkMLdczm5bBb3HTdchxgmlzmfZ0xtE2mhgug5V87hWZZHZyhd/qs9pc1zeBl51elaei9IHES5JEBtof0QsJp8TGDM7f6PXumwD7a8pDVrDQQovnDEhCMwQx503TE33z1YjUguq4w3HsraEgsrylbZfnFCW2vlu0a1wESE2HgY2DSIdc77v8XbUhe/XdTZM9wD+P2+tGtJU+m/1sL/n63EwPTE7g1qUH6uc7rwI6kINYbPh44QcbUgXBRa9E4Pfa7JSWVVC8eqHvFLka1uD/5DGGpMeQURT78OUkrodChAlFC2JziHhvGGQmE5Lo/XLSJ3OwGISEXWKRd2elyvUuG4v0ALRzmOaFRjGQV5v5Qr7hPeO8wNf9/6fDYvWpb0sVaGG86b/gsGSPfPZF2NzA+wADHwH405R8LeVAVmyNdlJQ5PvxxtV79HG88n0ZBIVzsPlaqyozyS5/nuYtundmTkM2Rr+0sMMd3x8qUHXIdIR5fzyJmEVPcSkrrb9KR1xeapcyGW4ueM54tL/d/QBoQOOgI0U14Zf1Ph350mI=";
        String key = "14zRM+40n2UGVx0DlI7hqDFjsxGR6eJsnnxUME5ZDT8=";

        // JNI method descriptor: the object return type must be terminated with ';'
        Object version = cNative.callStaticJniMethodObject(emulator, "tfccDecrypt(ILjava/lang/String;Ljava/lang/String;)Ljava/lang/String;", 1, key, str);
    }

}
```

    opened by tanchichong 8
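The descriptor string in the post above ends in `Ljava/lang/String` rather than `Ljava/lang/String;`, which is the kind of slip that is hard to spot in a long `name(args)ret` literal. The Python below is an added example, not part of the issue or of unidbg: it validates such a string the way unidbg's `callStaticJniMethod*` helpers consume it, and derives the `Java_...` export name that a statically registered native would have (the mangling rules are those of the JNI specification; the `TreUtil.sign` argument types used for illustration are assumed, since the earlier post on this page does not give them).

```python
import re

# Primitive descriptors from the JVM specification; V (void) is legal only as a return type.
_PRIMITIVES = set("ZBCSIJFDV")


def _parse_field(desc: str, pos: int, allow_void: bool) -> int:
    """Consume one field descriptor starting at desc[pos] and return the index just past it."""
    if pos >= len(desc):
        raise ValueError(f"unexpected end of descriptor at offset {pos}")
    c = desc[pos]
    if c == "[":                                   # array: one more dimension, then the element type
        return _parse_field(desc, pos + 1, allow_void=False)
    if c == "L":                                   # object: L<internal class name>;
        end = desc.find(";", pos)
        if end < 0:
            raise ValueError(f"object type at offset {pos} is missing its terminating ';'")
        name = desc[pos + 1:end]
        if not re.fullmatch(r"[^;.\[/]+(/[^;.\[/]+)*", name):
            raise ValueError(f"malformed class name {name!r} at offset {pos}")
        return end + 1
    if c in _PRIMITIVES and (c != "V" or allow_void):
        return pos + 1
    raise ValueError(f"unexpected character {c!r} at offset {pos}")


def parse_jni_method(signature: str):
    """Split 'name(args)ret' into (name, [arg descriptors], ret); raise ValueError if malformed."""
    m = re.fullmatch(r"([A-Za-z_$][\w$]*)\((.*)\)(.+)", signature, re.S)
    if not m:
        raise ValueError("expected the form name(args)ret")
    name, args, ret = m.groups()
    parsed, pos = [], 0
    while pos < len(args):
        nxt = _parse_field(args, pos, allow_void=False)
        parsed.append(args[pos:nxt])
        pos = nxt
    if _parse_field(ret, 0, allow_void=True) != len(ret):
        raise ValueError(f"trailing characters after return type: {ret!r}")
    return name, parsed, ret


def _mangle(s: str) -> str:
    """JNI name mangling: '/'->'_', '_'->'_1', ';'->'_2', '['->'_3', other non-ASCII-alnum->'_0xxxx'."""
    out = []
    for ch in s:
        if ch == "/":
            out.append("_")
        elif ch == "_":
            out.append("_1")
        elif ch == ";":
            out.append("_2")
        elif ch == "[":
            out.append("_3")
        elif ch.isascii() and ch.isalnum():
            out.append(ch)
        else:
            out.append("_0%04x" % ord(ch))
    return "".join(out)


def jni_symbol_name(cls: str, signature: str, overloaded: bool = False) -> str:
    """Export name a statically registered native of class `cls` (internal form, '/'-separated) must have."""
    name, args, _ = parse_jni_method(signature)
    sym = "Java_" + _mangle(cls) + "_" + _mangle(name)
    if overloaded:                                 # long form: disambiguates overloads by argument types
        sym += "__" + _mangle("".join(args))
    return sym


def check(signature: str) -> str:
    """Return 'ok' or the validation error, convenient when sweeping a list of descriptors."""
    try:
        parse_jni_method(signature)
        return "ok"
    except ValueError as e:
        return f"invalid: {e}"


if __name__ == "__main__":
    # first two descriptors are taken from the post above, the third from the libsgmain.so post
    for sig in ("tfccDecrypt(ILjava/lang/String;Ljava/lang/String;)Ljava/lang/String",
                "tfccDecrypt(ILjava/lang/String;Ljava/lang/String;)Ljava/lang/String;",
                "doCommandNative(I[Ljava/lang/Object;)Ljava/lang/Object;"):
        print(sig, "->", check(sig))
    # argument types for TreUtil.sign are assumed; only the class and method name come from the page
    print(jni_symbol_name("com/maihan/tredian/util/TreUtil", "sign(Ljava/lang/String;)Ljava/lang/String;"))
```

Run it before handing a descriptor to the emulator: a descriptor that fails here cannot match any method the library registered, so unidbg will either fail to resolve the method or, if the name part alone resolves a static export, call it with an argument layout the native side does not expect.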
  • Startup error: Invalid instruction (UC_ERR_INSN_INVALID)

    Startup error: Invalid instruction (UC_ERR_INSN_INVALID)

    The code is as follows:

```java
import com.github.unidbg.AndroidEmulator;
import com.github.unidbg.Module;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidModule;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.linux.android.dvm.AbstractJni;
import com.github.unidbg.linux.android.dvm.DalvikModule;
import com.github.unidbg.linux.android.dvm.VM;
import com.github.unidbg.linux.android.dvm.jni.ProxyClassFactory;
import com.github.unidbg.memory.Memory;

import java.io.File;

public class VZCore extends AbstractJni {

    private final AndroidEmulator emulator;
    private final VM vm;
    private final Module module;

    public VZCore() {
        emulator = AndroidEmulatorBuilder.for32Bit().build(); // create the emulator instance; 32-bit or 64-bit is chosen here
        final Memory memory = emulator.getMemory(); // the emulator's memory interface
        memory.setLibraryResolver(new AndroidResolver(23)); // set the system library resolver
        vm = emulator.createDalvikVM();
        new AndroidModule(emulator, vm).register(memory);
        // forceCallInit=true: the library's init functions run during loadLibrary, before setJni below
        DalvikModule dm = vm.loadLibrary(new File("D:/app/libNatciml.so"), true);

        vm.setJni(this);
        vm.setVerbose(true);

        vm.setDvmClassFactory(new ProxyClassFactory());
        dm.callJNI_OnLoad(emulator);
        module = dm.getModule();
    }

    public static void main(String[] args) {
        VZCore test = new VZCore();
    }

}
```

    The log is as follows:

```
[libc.so]CallInitFunction: RX@0x402157bd[libc.so]0x167bd, offset=34ms
[libc++.so]CallInitFunction: RX@0x4019c821[libc++.so]0x32821, offset=18ms
com.github.unidbg.arm.backend.BackendException: unicorn.UnicornException: Invalid instruction (UC_ERR_INSN_INVALID)
	at com.github.unidbg.arm.backend.UnicornBackend.emu_start(UnicornBackend.java:378)
	at com.github.unidbg.AbstractEmulator.emulate(AbstractEmulator.java:380)
	at com.github.unidbg.thread.Function32.run(Function32.java:39)
	at com.github.unidbg.thread.MainTask.dispatch(MainTask.java:19)
	at com.github.unidbg.thread.UniThreadDispatcher.run(UniThreadDispatcher.java:175)
	at com.github.unidbg.thread.UniThreadDispatcher.runMainForResult(UniThreadDispatcher.java:99)
	at com.github.unidbg.AbstractEmulator.runMainForResult(AbstractEmulator.java:340)
	at com.github.unidbg.arm.AbstractARMEmulator.eFunc(AbstractARMEmulator.java:229)
	at com.github.unidbg.linux.AbsoluteInitFunction.call(AbsoluteInitFunction.java:55)
	at com.github.unidbg.linux.LinuxModule.callInitFunction(LinuxModule.java:143)
	at com.github.unidbg.linux.AndroidElfLoader.loadInternal(AndroidElfLoader.java:180)
	at com.github.unidbg.linux.AndroidElfLoader.loadInternal(AndroidElfLoader.java:1)
	at com.github.unidbg.spi.AbstractLoader.load(AbstractLoader.java:237)
	at com.github.unidbg.linux.android.dvm.BaseVM.loadLibrary(BaseVM.java:315)
	at com.ctrip.test.VZCore.<init>(VZCore.java:46)
	at com.ctrip.test.VZCore.main(VZCore.java:59)
Caused by: unicorn.UnicornException: Invalid instruction (UC_ERR_INSN_INVALID)
	at unicorn.Unicorn.emu_start(Native Method)
	at com.github.unidbg.arm.backend.UnicornBackend.emu_start(UnicornBackend.java:376)
	... 15 more
debugger break at: 0x4006a82c @ Runnable|Function32 address=0x4006a470, arguments=[]

r0=0x0 r1=0x0 r2=0xbffff6c0 r3=0x1 r4=0xbffff700 r5=0x0 r6=0x0 r7=0x0 r8=0x0 sb=0x0 sl=0x0 fp=0xbffff728 ip=0x4015b948 SP=0xbffff6f8 LR=RX@0x4006a6a0[libNatciml.so]0x6a6a0 PC=RX@0x4006a82c[libNatciml.so]0x6a82c
cpsr: N=0, Z=1, C=1, V=0, T=0, mode=0b10000
d0=0x0(0.0) d1=0x3220302034203720(3.002229861217884E-67) d2=0x3436333832203236(3.5366761868402984E-57) d3=0x3120323938343135(4.583358096989596E-72) d4=0x2030203020302030(1.2027122125173386E-153) d5=0x2030203020302030(1.2027122125173386E-153) d6=0x2030203020302030(1.2027122125173386E-153) d7=0x2030203020302030(1.2027122125173386E-153) d8=0x0(0.0) d9=0x0(0.0) d10=0x0(0.0) d11=0x0(0.0) d12=0x0(0.0) d13=0x0(0.0) d14=0x0(0.0) d15=0x0(0.0)
_armv7_tick + 0x4
[libNatciml.so 0x06a828] [1e0f51ec] 0x4006a828: "mrrc p15, #1, r0, r1, c14"
=> [libNatciml.so 0x06a82c] [1eff2fe1] 0x4006a82c: "bx lr"
```

    opened by lengong 0
  • com.github.unidbg.arm.backend.BackendException: dvmObject=dalvik.system.PathClassLoader@6d86b085, dvmClass=class dalvik/system/PathClassLoader, jmethodID=unidbg@0xc48b82e2

    com.github.unidbg.arm.backend.BackendException: dvmObject=dalvik.system.PathClassLoader@6d86b085, dvmClass=class dalvik/system/PathClassLoader, jmethodID=unidbg@0xc48b82e2

    case "com/meituan/android/common/mtguard/NBridge->getClassLoader()Ljava/lang/ClassLoader;": return vm.resolveClass("dalvik/system/PathClassLoader").newObject(this.getClass().getClassLoader());

    The error:
    Error: [03:20:02 448] WARN [com.github.unidbg.linux.ARM32SyscallHandler] (ARM32SyscallHandler:533) - handleInterrupt intno=2, NR=-1073744532, svcNumber=0x11f, PC=unidbg@0xfffe0284, LR=RX@0x400107fd[libmtguard.so]0x107fd, syscall=null
    com.github.unidbg.arm.backend.BackendException: dvmObject=dalvik.system.PathClassLoader@6d86b085, dvmClass=class dalvik/system/PathClassLoader, jmethodID=unidbg@0xc48b82e2
        at com.github.unidbg.linux.android.dvm.DalvikVM$32.handle(DalvikVM.java:544)
        at com.github.unidbg.linux.ARM32SyscallHandler.hook(ARM32SyscallHandler.java:132)
        at com.github.unidbg.arm.backend.UnicornBackend$11.hook(UnicornBackend.java:345)
        at unicorn.Unicorn$NewHook.onInterrupt(Unicorn.java:128)
        at unicorn.Unicorn.emu_start(Native Method)
        at com.github.unidbg.arm.backend.UnicornBackend.emu_start(UnicornBackend.java:376)
        at com.github.unidbg.AbstractEmulator.emulate(AbstractEmulator.java:380)
        at com.github.unidbg.thread.Function32.run(Function32.java:39)
        at com.github.unidbg.thread.MainTask.dispatch(MainTask.java:19)
        at com.github.unidbg.thread.UniThreadDispatcher.run(UniThreadDispatcher.java:172)
        at com.github.unidbg.thread.UniThreadDispatcher.runMainForResult(UniThreadDispatcher.java:96)
        at com.github.unidbg.AbstractEmulator.runMainForResult(AbstractEmulator.java:340)
        at com.github.unidbg.arm.AbstractARMEmulator.eFunc(AbstractARMEmulator.java:229)
        at com.github.unidbg.Module.emulateFunction(Module.java:163)
        at com.github.unidbg.linux.android.dvm.DvmObject.callJniMethod(DvmObject.java:135)
        at com.github.unidbg.linux.android.dvm.DvmClass.callStaticJniMethodObject(DvmClass.java:316)
        at com.meituan.android.common.mtguard.NBridge.<init>(NBridge.java:81)
        at com.meituan.android.common.mtguard.NBridge.main(NBridge.java:95)
    [03:20:02 451] WARN [com.github.unidbg.AbstractEmulator] (AbstractEmulator:420) - emulate RX@0x40005275[libmtguard.so]0x5275 exception sp=unidbg@0xbffff558, msg=dvmObject=dalvik.system.PathClassLoader@6d86b085, dvmClass=class dalvik/system/PathClassLoader, jmethodID=unidbg@0xc48b82e2, offset=11ms

    Looking for a solution.

    opened by BRUCE897 0
  • [MachO] why not save internal symbol?

    [MachO] why not save internal symbol?

    https://github.com/zhkl0228/unidbg/blob/3512f1d33c417c2f835430916b58612b0f7d599c/unidbg-ios/src/main/java/com/github/unidbg/ios/MachOModule.java#L206

    Internal symbols that are not among the export symbols will be skipped here.

    opened by profiles 0
  • Improvement suggestion: support setJni and setDvmClassFactory at the same time

    Improvement suggestion: support setJni and setDvmClassFactory at the same time

    There is a JNI method like this:

    public native String nativeEncrypt(HashMap<String, String> param);

    Its parameter is a HashMap. Because HashMap ships with the JDK, the argument can be constructed like this:

    vm.setDvmClassFactory(new ProxyClassFactory());
    DvmObject proxyMap = ProxyDvmObject.createObject(vm, map);
    clzOfMainActivity.callStaticJniMethodObject(emulator, "nativeEncrypt(Ljava/util/HashMap;)Ljava/lang/String;", proxyMap);

    This makes it convenient to handle the interaction with the map inside the native code. But the native code of nativeEncrypt calls JNI methods of other classes. These classes are not part of the JDK; they are the app's own business classes. At that point setJni is needed to "patch the environment". However, it seems that once setDvmClassFactory has been called, setJni no longer works: setting it has no effect, and the overridden environment-patching code does not seem to run.

    Could setJni and setDvmClassFactory be supported at the same time?

    opened by ndl1302732 2
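    A harness that wires together the two mechanisms described in the report above, added here as an illustration; it is not code from the issue or from the unidbg project. It builds a HashMap argument through ProxyDvmObject (the proxy factory handles JDK classes) and, in the same VM, registers an AbstractJni subclass whose callStaticObjectMethod override patches in a return value for one of the app's own classes. The process name, library path, activity class and the DeviceInfo->getDeviceId callback are hypothetical placeholders; whether unidbg dispatches to the Jni override once a ProxyClassFactory is installed is exactly what the issue asks, so running this against a real library is the way to reproduce the report rather than a resolution of it.

    ```java
    import com.github.unidbg.AndroidEmulator;
    import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
    import com.github.unidbg.linux.android.AndroidResolver;
    import com.github.unidbg.linux.android.dvm.AbstractJni;
    import com.github.unidbg.linux.android.dvm.BaseVM;
    import com.github.unidbg.linux.android.dvm.DalvikModule;
    import com.github.unidbg.linux.android.dvm.DvmClass;
    import com.github.unidbg.linux.android.dvm.DvmObject;
    import com.github.unidbg.linux.android.dvm.StringObject;
    import com.github.unidbg.linux.android.dvm.VM;
    import com.github.unidbg.linux.android.dvm.VarArg;
    import com.github.unidbg.linux.android.dvm.jni.ProxyClassFactory;
    import com.github.unidbg.linux.android.dvm.jni.ProxyDvmObject;
    import com.github.unidbg.memory.Memory;

    import java.io.File;
    import java.util.HashMap;
    import java.util.Map;

    // Added example harness (not unidbg project code); all app-specific names are hypothetical.
    public class NativeEncryptHarness extends AbstractJni {
        private final AndroidEmulator emulator;
        private final VM vm;
        private final DvmClass mainActivity;

        NativeEncryptHarness() {
            emulator = AndroidEmulatorBuilder.for32Bit()
                    .setProcessName("com.example.app")   // hypothetical process name
                    .build();
            Memory memory = emulator.getMemory();
            memory.setLibraryResolver(new AndroidResolver(23));

            vm = emulator.createDalvikVM();
            vm.setVerbose(true);
            // Mechanism 1 from the report: proxy factory so JDK classes (HashMap) are backed by real objects.
            vm.setDvmClassFactory(new ProxyClassFactory());
            // Mechanism 2 from the report: Jni callbacks that "patch the environment" for app classes.
            vm.setJni(this);

            // Hypothetical library path; the report does not name the library.
            DalvikModule dm = vm.loadLibrary(new File("libs/armeabi-v7a/libnative.so"), false);
            dm.callJNI_OnLoad(emulator);
            mainActivity = vm.resolveClass("com/example/app/MainActivity"); // hypothetical class
        }

        // Calls nativeEncrypt(HashMap) with a proxied HashMap, as in the report.
        String encrypt(Map<String, String> params) {
            HashMap<String, String> map = new HashMap<>(params);
            DvmObject<?> proxyMap = ProxyDvmObject.createObject(vm, map);
            DvmObject<?> result = mainActivity.callStaticJniMethodObject(emulator,
                    "nativeEncrypt(Ljava/util/HashMap;)Ljava/lang/String;", proxyMap);
            return result == null ? null : (String) result.getValue();
        }

        // Environment patching for a hypothetical app class the native code calls back into.
        // If this override is never reached while the proxy factory is set, the report is reproduced.
        @Override
        public DvmObject<?> callStaticObjectMethod(BaseVM baseVM, DvmClass dvmClass, String signature, VarArg varArg) {
            if ("com/example/app/DeviceInfo->getDeviceId()Ljava/lang/String;".equals(signature)) {
                return new StringObject(baseVM, "constructed-device-id"); // constructed value
            }
            return super.callStaticObjectMethod(baseVM, dvmClass, signature, varArg);
        }

        public static void main(String[] args) {
            NativeEncryptHarness harness = new NativeEncryptHarness();
            Map<String, String> params = new HashMap<>();
            params.put("ts", "1700000000"); // constructed sample input
            System.out.println(harness.encrypt(params));
        }
    }
    ```

    With setVerbose(true) the VM logs every JNI call the native code makes, so the first thing to check is whether a call to the app class appears in that log and whether it reaches the override or falls through to the default AbstractJni behaviour.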
Releases(v0.9.7)
Owner
Banny