Preface
As before, this post only covers usage; the details of the reverse-engineering process are not recorded. For those, follow the 逆向lin狗 WeChat public account.
HookZz
Open the .so in IDA for analysis; there is a method that reads the current time. To make debugging easier, the time has to be pinned to a fixed value so that every run can be compared.
- Hook gettimeofday; the code is as follows:
```java
public void fixedTime() {
    HookZz instance = HookZz.getInstance(emulator);
    instance.wrap(module.findSymbolByName("gettimeofday"), new WrapCallback<HookZzArm32RegisterContext>() {
        UnidbgPointer tv = null; // pointer to the caller's struct timeval

        @Override // before the call
        public void preCall(Emulator<?> emulator, HookZzArm32RegisterContext ctx, HookEntryInfo info) {
            tv = ctx.getPointerArg(0); // save the struct timeval * argument
        }

        @Override // after the call
        public void postCall(Emulator<?> emulator, HookZzArm32RegisterContext ctx, HookEntryInfo info) {
            if (tv == null) {
                return; // gettimeofday(NULL, ...) is legal: nothing to overwrite
            }
            byte[] before = tv.getByteArray(0, 12);
            Inspector.inspect(before, "gettimeofday tv");
            System.out.println("====++++====");
            // fixed time
            long currentTimeMillis = 1668083944037L;
            long tv_sec = currentTimeMillis / 1000;
            long tv_usec = (currentTimeMillis % 1000) * 1000;
            System.out.println("=======");
            System.out.println(currentTimeMillis);
            System.out.println(tv_sec);
            System.out.println(tv_usec);
            // build a TimeVal32 over the pointer and overwrite the struct
            TimeVal32 timeVal = new TimeVal32(tv);
            timeVal.tv_sec = (int) tv_sec;
            timeVal.tv_usec = (int) tv_usec;
            timeVal.pack(); // write the replacement back into emulator memory
        }
    });
}
```
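The hook above pins only gettimeofday. Native code often reads the clock through clock_gettime as well, so a fix that covers a single symbol can leave the signature changing between runs. The class below is an added example, not code from the original post or from unidbg: it wraps both symbols and writes the same fixed instant into the caller's struct with plain Pointer.setInt(), so no struct wrapper is needed. The timestamp is the post's constructed value; the class name, the clock_gettime layout for a 32-bit timespec (tv_sec, tv_nsec as two 32-bit fields) and the null check on the resolved symbol are assumptions of this example.

```java
import com.github.unidbg.Emulator;
import com.github.unidbg.Module;
import com.github.unidbg.Symbol;
import com.github.unidbg.hook.hookzz.HookEntryInfo;
import com.github.unidbg.hook.hookzz.HookZz;
import com.github.unidbg.hook.hookzz.HookZzArm32RegisterContext;
import com.github.unidbg.hook.hookzz.WrapCallback;
import com.github.unidbg.pointer.UnidbgPointer;

/**
 * Added example (hypothetical class, not part of unidbg or the post):
 * pin every wall-clock read made by the native module to one instant.
 *
 * gettimeofday(struct timeval *tv, ...) fills { int tv_sec; int tv_usec; }
 * clock_gettime(clockid_t id, struct timespec *tp) fills { int tv_sec; int tv_nsec; }
 * Both structs are 8 bytes on ARM32, which is the layout assumed here.
 */
public class TimeFreezer {
    /** Constructed sample instant (same value as in the post). */
    private static final long FIXED_MILLIS = 1668083944037L;

    private final Emulator<?> emulator;
    private final Module module;

    public TimeFreezer(Emulator<?> emulator, Module module) {
        this.emulator = emulator;
        this.module = module;
    }

    /** Returns true when the fixed instant has been split correctly into seconds and microseconds. */
    public static boolean splitsCorrectly() {
        return fixedSeconds() == 1668083944 && fixedMicros() == 37000 && fixedNanos() == 37000000;
    }

    static int fixedSeconds() { return (int) (FIXED_MILLIS / 1000); }
    static int fixedMicros()  { return (int) ((FIXED_MILLIS % 1000) * 1000L); }
    static int fixedNanos()   { return (int) ((FIXED_MILLIS % 1000) * 1000000L); }

    public void install() {
        HookZz hookZz = HookZz.getInstance(emulator);

        // gettimeofday: the output pointer is argument 0
        wrapIfPresent(hookZz, "gettimeofday", 0, fixedMicros());
        // clock_gettime: the output pointer is argument 1 (argument 0 is the clock id)
        wrapIfPresent(hookZz, "clock_gettime", 1, fixedNanos());
    }

    /** Wrap one libc symbol and overwrite the struct it filled after the real call returns. */
    private void wrapIfPresent(HookZz hookZz, String name, final int ptrArgIndex, final int subSecond) {
        Symbol symbol = module.findSymbolByName(name); // searches the module and its dependencies
        if (symbol == null) {
            System.out.println("[TimeFreezer] symbol not found, skipping: " + name);
            return;
        }
        hookZz.wrap(symbol, new WrapCallback<HookZzArm32RegisterContext>() {
            private UnidbgPointer out; // struct pointer captured before the call

            @Override
            public void preCall(Emulator<?> emulator, HookZzArm32RegisterContext ctx, HookEntryInfo info) {
                out = ctx.getPointerArg(ptrArgIndex);
            }

            @Override
            public void postCall(Emulator<?> emulator, HookZzArm32RegisterContext ctx, HookEntryInfo info) {
                if (out == null) {
                    return; // a NULL output pointer is legal for both calls
                }
                out.setInt(0, fixedSeconds()); // tv_sec
                out.setInt(4, subSecond);      // tv_usec or tv_nsec, depending on the symbol
                System.out.println("[TimeFreezer] " + name + " pinned to " + FIXED_MILLIS + " ms");
            }
        });
    }
}
```

Install it once after the module is loaded, e.g. `new TimeFreezer(emulator, module).install();`. Because the overwrite happens in postCall, the real libc routine still runs, so the return value and errno behaviour are untouched; only the struct contents are replaced.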
The time is now fixed.
Hook 0x10E18
```java
public void hook_sub_10E18() {
    HookZz instance = HookZz.getInstance(emulator);
    // This .so is 32-bit, so the address needs +1 (Thumb bit); a 64-bit .so does not
    instance.wrap(module.base + 0x10E18 + 1, new WrapCallback<HookZzArm32RegisterContext>() {
        @Override
        public void preCall(Emulator<?> emulator, HookZzArm32RegisterContext ctx, HookEntryInfo info) {
            System.out.println("+++++10E18++++");
            UnidbgPointer arg0 = ctx.getPointerArg(0);
            int arg1 = ctx.getIntArg(1);
            UnidbgPointer arg2 = ctx.getPointerArg(2);
            int arg3 = ctx.getIntArg(3);
            System.out.println("arg0: " + new String(arg0.getByteArray(0, 32)));
            System.out.println("arg1: " + arg1);
            System.out.println("arg2: " + new String(arg2.getByteArray(0, arg3)));
            System.out.println("arg3: " + arg3);
        }

        @Override
        public void postCall(Emulator<?> emulator, HookZzArm32RegisterContext ctx, HookEntryInfo info) {
        }
    });
}
```
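The hook above dumps a fixed 32 bytes from arg0 and arg3 bytes from arg2, which reads past the end of a short C string and throws on a NULL pointer. The class below is an added example, not the post's code: it wraps the same offset, sets the Thumb bit only for a 32-bit emulator, reads arg0 as a NUL-terminated string, hex-dumps arg2 with a length guard, and records the r0 return value in postCall. The offset 0x10E18 comes from the post; the class name, the 4096-byte dump cap and the assumption that arg0 is a C string and arg2 a buffer of arg3 bytes are this example's own.

```java
import com.github.unidbg.Emulator;
import com.github.unidbg.Module;
import com.github.unidbg.hook.hookzz.HookEntryInfo;
import com.github.unidbg.hook.hookzz.HookZz;
import com.github.unidbg.hook.hookzz.HookZzArm32RegisterContext;
import com.github.unidbg.hook.hookzz.WrapCallback;
import com.github.unidbg.pointer.UnidbgPointer;
import com.github.unidbg.utils.Inspector;

/**
 * Added example (hypothetical class, not part of unidbg or the post):
 * wrap sub_10E18, log its arguments defensively and capture its return value.
 */
public class ArgLogger {
    private static final long FUNC_OFFSET = 0x10E18;  // from the post
    private static final int MAX_DUMP = 4096;         // assumption: cap on the arg2 hex dump

    private final Emulator<?> emulator;
    private final Module module;
    private int lastReturn; // r0 after the most recent call

    public ArgLogger(Emulator<?> emulator, Module module) {
        this.emulator = emulator;
        this.module = module;
    }

    /** ARM32 Thumb functions are called with the low address bit set; AArch64 has no such bit. */
    static long callAddress(long base, long offset, boolean is64Bit) {
        long address = base + offset;
        return is64Bit ? address : (address | 1);
    }

    public int lastReturn() {
        return lastReturn;
    }

    public void install() {
        HookZz hookZz = HookZz.getInstance(emulator);
        long target = callAddress(module.base, FUNC_OFFSET, emulator.is64Bit());
        hookZz.wrap(target, new WrapCallback<HookZzArm32RegisterContext>() {
            @Override
            public void preCall(Emulator<?> emulator, HookZzArm32RegisterContext ctx, HookEntryInfo info) {
                UnidbgPointer arg0 = ctx.getPointerArg(0);
                int arg1 = ctx.getIntArg(1);
                UnidbgPointer arg2 = ctx.getPointerArg(2);
                int arg3 = ctx.getIntArg(3);

                // getString stops at the NUL terminator instead of reading a fixed 32 bytes
                System.out.println("arg0: " + (arg0 == null ? "NULL" : arg0.getString(0)));
                System.out.println("arg1: " + arg1);
                if (arg2 == null || arg3 <= 0) {
                    System.out.println("arg2: NULL or empty (arg3=" + arg3 + ")");
                } else {
                    int len = Math.min(arg3, MAX_DUMP); // never trust a length the target supplies
                    Inspector.inspect(arg2.getByteArray(0, len), "arg2 (" + len + " of " + arg3 + " bytes)");
                }
            }

            @Override
            public void postCall(Emulator<?> emulator, HookZzArm32RegisterContext ctx, HookEntryInfo info) {
                lastReturn = ctx.getIntArg(0); // r0 holds the return value after the call
                System.out.println("sub_10E18 returned: " + lastReturn);
            }
        });
    }
}
```

Comparing the hex dump of arg2 against the output of the time-pinning hook is a quick way to confirm that the timestamp really feeds into this function: with the clock fixed, the dump must be identical on every run.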
Debugging
- unidbg's three debug modes
The source makes it clear: CONSOLE, GDB_SERVER and ANDROID_SERVER_V7.
```java
package com.github.unidbg.debugger;

public enum DebuggerType {
    /**
     * console debugger
     */
    CONSOLE,
    /**
     * gdb server
     */
    GDB_SERVER,
    /**
     * ida android server v7.x
     */
    ANDROID_SERVER_V7
}
```
- Enabling debug mode
```java
Debugger attach = emulator.attach(DebuggerType.CONSOLE);
attach.addBreakPoint(module.base + 0x10EA4, new BreakPointCallback() {
    @Override
    public boolean onHit(Emulator<?> emulator, long address) {
        return false; // returning true does not stop; only false breaks into the debugger
    }
});
```
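Since onHit decides whether to stop, the callback doubles as a conditional breakpoint: return true to keep running and false to drop into the console. The class below is an added example, not the post's code: it counts hits on the post's address 0x10EA4, prints a register snapshot on each pass, and only opens the console on the N-th hit, which is how you skip the first calls of a function that runs in a loop. The class name, the hit threshold and the choice of registers to print are assumptions; register values at a mid-function address depend on the target, so the snapshot is for orientation, not a guaranteed argument list.

```java
import com.github.unidbg.Emulator;
import com.github.unidbg.Module;
import com.github.unidbg.arm.context.RegisterContext;
import com.github.unidbg.debugger.BreakPointCallback;
import com.github.unidbg.debugger.Debugger;
import com.github.unidbg.debugger.DebuggerType;

/**
 * Added example (hypothetical class, not part of unidbg or the post):
 * a counting breakpoint that stops in the console only on the N-th hit.
 */
public class ConditionalBreak {
    private static final long BREAK_OFFSET = 0x10EA4; // from the post

    private int hits;                 // how many times the address was reached
    private final int breakOnHit;     // assumption: stop on this hit number (1 = first)

    public ConditionalBreak(int breakOnHit) {
        this.breakOnHit = Math.max(1, breakOnHit);
    }

    public int hits() {
        return hits;
    }

    /** Decide for one hit: true = let the emulator continue, false = open the console. */
    boolean shouldContinue() {
        hits++;
        return hits < breakOnHit;
    }

    public Debugger install(Emulator<?> emulator, Module module) {
        Debugger debugger = emulator.attach(DebuggerType.CONSOLE);
        debugger.addBreakPoint(module.base + BREAK_OFFSET, new BreakPointCallback() {
            @Override
            public boolean onHit(Emulator<?> emulator, long address) {
                RegisterContext ctx = emulator.getContext();
                // getIntArg(0..3) reads r0..r3 on ARM32: a cheap snapshot of the register state
                System.out.printf("hit #%d at 0x%x  r0=0x%x r1=0x%x r2=0x%x r3=0x%x%n",
                        hits + 1, address,
                        ctx.getIntArg(0), ctx.getIntArg(1), ctx.getIntArg(2), ctx.getIntArg(3));
                boolean keepRunning = shouldContinue();
                if (!keepRunning) {
                    System.out.println("stopping in console; 'c' continues, 'n' steps over, 'mr0' dumps r0");
                }
                return keepRunning;
            }
        });
        return debugger;
    }
}
```

Typical use: `new ConditionalBreak(3).install(emulator, module);` before calling the JNI entry point; the first two passes print their snapshot and continue, the third stops at the console prompt described in the next section.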
- How to debug
When the program runs it stops at the breakpoint automatically. In console mode the most important thing is knowing the commands (if you type an unknown command, unidbg prints this help):
```text
c: continue
n: step over
bt: back trace
st hex: search stack
shw hex: search writable heap
shr hex: search readable heap
shx hex: search executable heap
nb: break at next block
s|si: step into
s[decimal]: execute specified amount instruction
s(blx): execute util BLX mnemonic, low performance
m(op) [size]: show memory, default size is 0x70, size may hex or decimal
mr0-mr7, mfp, mip, msp [size]: show memory of specified register
m(address) [size]: show memory of specified address, address must start with 0x
wr0-wr7, wfp, wip, wsp <value>: write specified register
wb(address), ws(address), wi(address) <value>: write (byte, short, integer) memory of specified address, address must start with 0x
wx(address) <hex>: write bytes to memory at specified address, address must start with 0x
b(address): add temporarily breakpoint, address must start with 0x, can be module offset
b: add breakpoint of register PC
r: remove breakpoint of register PC
blr: add temporarily breakpoint of register LR
p (assembly): patch assembly at PC address
where: show java stack trace
trace [begin end]: Set trace instructions
traceRead [begin end]: Set trace memory read
traceWrite [begin end]: Set trace memory write
vm: view loaded modules
vbs: view breakpoints
d|dis: show disassemble
d(0x): show disassemble at specify address
stop: stop emulation
run [arg]: run test
gc: Run System.gc()
threads: show thread list
cc size: convert asm from 0x40010ea4 - 0x40010ea4 + size bytes to c function
```
- Commonly used commands
c - F8 (previous step)
n - F9 (next step)
d - Variables window
d
The m command
- mr0
- msp
- m<address> [length]