Unidbg调试so
在 Android逆向之ARM64静态分析 对ARM64汇编进行了介绍,网传ARMV9要出来了,难道又要重新学习ARMV9? 在Frida高级篇-免ROOT使用Frida(不修改源代码) 中对elf文件进行了介绍,本文使用unidbg模拟执行so来分析native方法。首先来介绍Unicorn。
Unicorn
Unicorn is a lightweight multi-platform, multi-architecture CPU emulator framework.
本文使用无名侠大神使用的Unicorn入门教程来看看Unicorn是怎么模拟CPU的。
from unicorn import *from unicorn.arm_const import *from capstone import *ARM_CODE = b"\x37\x00\xa0\xe3\x03\x10\x42\xe0"# Disassemble ARM32 binarymd = Cs(CS_ARCH_ARM, CS_MODE_ARM)for i in md.disasm(ARM_CODE, 0x1000):print("0x%x:\t%s\t%s" %(i.address, i.mnemonic, i.op_str))# mov r0, #0x37;# sub r1, r2, r3# Test ARM# callback for tracing instructionsdef hook_code(uc, address, size, user_data):print(">>> Tracing instruction at 0x%x, instruction size = 0x%x" % (address, size))def test_arm():print("Emulate ARM code")try:# Initialize emulator in ARM modemu = Uc(UC_ARCH_ARM, UC_MODE_THUMB)# map 2MB memory for this emulationADDRESS = 0x10000mu.mem_map(ADDRESS, 2 * 0x10000)mu.mem_write(ADDRESS, ARM_CODE)mu.reg_write(UC_ARM_REG_R0, 0x1234)mu.reg_write(UC_ARM_REG_R2, 0x6789)mu.reg_write(UC_ARM_REG_R3, 0x3333)mu.hook_add(UC_HOOK_CODE, hook_code, begin=ADDRESS, end=ADDRESS+8)# emulate machine code in infinite timemu.emu_start(ADDRESS, ADDRESS + len(ARM_CODE))r0 = mu.reg_read(UC_ARM_REG_R0)r1 = mu.reg_read(UC_ARM_REG_R1)print(">>> R0 = 0x%x" % r0)print(">>> R1 = 0x%x" % r1)except UcError as e:print("ERROR: %s" % e)test_arm()
运行结果:
添加指令级的Hook
这个有点像单步调试的感觉。
mu.hook_add(UC_HOOK_CODE, hook_code, begin=ADDRESS, end=ADDRESS)
在begin...end范围内的每一条指令被执行前都会调用callback。
让我们来看看hook_code 的实现吧
# callback for tracing instructionsdef hook_code(uc, address, size, user_data):print(">>> Tracing instruction at 0x%x, instruction size = 0x%x" %(address, size))
这段代码仅打印指令执行的地址和长度信息。 实际应用中可配合capstone反汇编引擎玩一些更骚的操作。
UCHOOKCODE的callback中可以修改PC或EIP等寄存器来改变程序运行流程。实际上,Unicorn调试器的单步调试就是以这个为基础实现的。
Unidbg
Allows you to emulate an Android native library, and an experimental iOS emulation.
下载代码: https://github.com/zhkl0228/unidbg/releases/tag/v0.9.3,使用IntelliJ IDEA打开工程即可。
运行代码: com/bytedance/frameworks/core/encrypt/TTEncrypt.java, 出现下面的信息说明运行成功。
代码分析
入口点:
public static void main(String[] args) throws Exception {TTEncrypt test = new TTEncrypt(true);byte[] data = test.ttEncrypt();Inspector.inspect(data, "ttEncrypt");test.destroy();}
第一步: 补环境 跟踪TTEncrypt函数,注释写的很清楚了,不做过多分析。基本套路都是这个样子。
TTEncrypt(boolean logging) {this.logging = logging;emulator = AndroidEmulatorBuilder.for32Bit().setProcessName("com.qidian.dldl.official").build(); // 创建模拟器实例,要模拟32位或者64位,在这里区分final Memory memory = emulator.getMemory(); // 模拟器的内存操作接口memory.setLibraryResolver(new AndroidResolver(23)); // 设置系统类库解析vm = emulator.createDalvikVM(null); // 创建Android虚拟机vm.setVerbose(logging); // 设置是否打印Jni调用细节DalvikModule dm = vm.loadLibrary(new File("unidbg-android/src/test/resources/example_binaries/libttEncrypt.so"), false); // 加载libttEncrypt.so到unicorn虚拟内存,加载成功以后会默认调用init_array等函数dm.callJNI_OnLoad(emulator); // 手动执行JNI_OnLoad函数module = dm.getModule(); // 加载好的libttEncrypt.so对应为一个模块TTEncryptUtils = vm.resolveClass("com/bytedance/frameworks/core/encrypt/TTEncryptUtils");}
第二步: HOOK相关的函数 跟踪ttEncrypt,可知代码hook了ssencrypt和ssencrypted_size两个函数。
byte[] ttEncrypt() {if (logging) {Symbol sbox0 = module.findSymbolByName("sbox0"); // 在libttEncrypt.so模块中查找sbox0导出符号Symbol sbox1 = module.findSymbolByName("sbox1");Inspector.inspect(sbox0.createPointer(emulator).getByteArray(0, 256), "sbox0"); // 打印sbox0导出符号在unicorn中的内存数据Inspector.inspect(sbox1.createPointer(emulator).getByteArray(0, 256), "sbox1");IHookZz hookZz = HookZz.getInstance(emulator); // 加载HookZz,支持inline hook,文档看https://github.com/jmpews/HookZzhookZz.enable_arm_arm64_b_branch(); // 测试enable_arm_arm64_b_branch,可有可无hookZz.wrap(module.findSymbolByName("ss_encrypt"), new WrapCallback<RegisterContext>() { // inline wrap导出函数@Overridepublic void preCall(Emulator<?> emulator, RegisterContext ctx, HookEntryInfo info) {Pointer pointer = ctx.getPointerArg(2);int length = ctx.getIntArg(3);byte[] key = pointer.getByteArray(0, length);Inspector.inspect(key, "ss_encrypt key");}@Overridepublic void postCall(Emulator<?> emulator, RegisterContext ctx, HookEntryInfo info) {System.out.println("ss_encrypt.postCall R0=" + ctx.getLongArg(0));}});hookZz.disable_arm_arm64_b_branch();hookZz.instrument(module.base + 0x00000F5C + 1, new InstrumentCallback<Arm32RegisterContext>() {@Overridepublic void dbiCall(Emulator<?> emulator, Arm32RegisterContext ctx, HookEntryInfo info) { // 通过base+offset inline wrap内部函数,在IDA看到为sub_xxx那些System.out.println("R3=" + ctx.getLongArg(3) + ", R10=0x" + Long.toHexString(ctx.getR10Long()));}});Dobby dobby = Dobby.getInstance(emulator);dobby.replace(module.findSymbolByName("ss_encrypted_size"), new ReplaceCallback() { // 使用Dobby inline hook导出函数@Overridepublic HookStatus onCall(Emulator<?> emulator, HookContext context, long originFunction) {System.out.println("ss_encrypted_size.onCall arg0=" + context.getIntArg(0) + ", originFunction=0x" + Long.toHexString(originFunction));return HookStatus.RET(emulator, originFunction);}@Overridepublic void postCall(Emulator<?> emulator, HookContext context) {System.out.println("ss_encrypted_size.postCall ret=" + context.getIntArg(0));}}, true);IxHook xHook = XHookImpl.getInstance(emulator); // 加载xHook,支持Import hook,文档看https://github.com/iqiyi/xHookxHook.register("libttEncrypt.so", "strlen", new ReplaceCallback() { // hook libttEncrypt.so的导入函数strlen@Overridepublic HookStatus onCall(Emulator<?> emulator, HookContext context, long originFunction) {Pointer pointer = context.getPointerArg(0);String str = pointer.getString(0);System.out.println("strlen=" + str);context.push(str);return HookStatus.RET(emulator, originFunction);}@Overridepublic void postCall(Emulator<?> emulator, HookContext context) {System.out.println("strlen=" + context.pop() + ", ret=" + context.getIntArg(0));}}, true);xHook.register("libttEncrypt.so", "memmove", new ReplaceCallback() {@Overridepublic HookStatus onCall(Emulator<?> emulator, long originFunction) {RegisterContext context = emulator.getContext();Pointer dest = context.getPointerArg(0);Pointer src = context.getPointerArg(1);int length = context.getIntArg(2);Inspector.inspect(src.getByteArray(0, length), "memmove dest=" + dest);return HookStatus.RET(emulator, originFunction);}});xHook.register("libttEncrypt.so", "memcpy", new ReplaceCallback() {@Overridepublic HookStatus onCall(Emulator<?> emulator, long originFunction) {RegisterContext context = emulator.getContext();Pointer dest = context.getPointerArg(0);Pointer src = context.getPointerArg(1);int length = context.getIntArg(2);Inspector.inspect(src.getByteArray(0, length), "memcpy dest=" + dest);return HookStatus.RET(emulator, originFunction);}});xHook.refresh(); // 使Import hook生效}
第三步: 添加调试及主动调用
if (logging) {Debugger debugger = emulator.attach(DebuggerType.ANDROID_SERVER_V7); // 附加IDA android_server,可输入c命令取消附加继续运行}byte[] data = new byte[16];ByteArray array = TTEncryptUtils.callStaticJniMethodObject(emulator, "ttEncrypt([BI)[B", new ByteArray(vm, data), data.length); // 执行Jni方法return array.getValue();}
第四步: 销毁环境
跟踪destroy
void destroy() throws IOException {emulator.close();if (logging) {System.out.println("destroy");}}
运行结果
这个时候按c,继续,可以看到hook的结果以及JNI调用细节。
单步调试
ida_server的Debug方式相对简单,对于unidbg的强大之一在于它的单步调试-- Console Debugger
写在最后
作者的例子是以抖音作为例子的,还是很不错的。注释都写的比较清楚了。unidbg单步调试做的很棒,这个弥补了frida调试能力比较弱的缺点。
公众号
更多内容,欢迎关注我的微信公众号: 无情剑客。
