unidbg application example: a failed experiment
Experiment goal
The scenario for this example: I wrote a small C++ program myself, analyzed it statically with IDA, and then tried to analyze it dynamically with unidbg.
Experiment steps
1: Prepare the C++ source and the compiled binary.
I will upload them as an attachment so you can download them yourself. The source is as follows.
```cpp
#include <cstdio>    // printf (added; the original relied on <iostream> pulling it in)
#include <iostream>

// Sum the first `count` elements of `array`.
int arraySum(int array[], int count) {
    int i;
    int sum = 0;
    for (i = 0; i < count; i++)
        sum += array[i];
    return sum;
}

int main() {
    int nums[10];
    int i;
    // Put 1~10 into the array
    for (i = 0; i < 10; i++) {
        nums[i] = (i + 1);
    }
    int length = sizeof(nums) / sizeof(nums[0]);
    int sum = arraySum(nums, length);
    printf("sum = %d ", sum);
    return 0;
}
```
The source is simple: a sum function that is called from main. It can also be obtained from here.
2: Analyze the main.exe file dynamically in IDA
(Download from here; it is the same address as the link above.)
3: Use unidbg to dynamically hook the function sub_100401080
```java
package com.github.unidbg.mytest;

import com.github.unidbg.Emulator;
import com.github.unidbg.LibraryResolver;
import com.github.unidbg.Module;
import com.github.unidbg.arm.backend.Unicorn2Factory;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.memory.Memory;

import java.io.File;
import java.io.IOException;

public class HelloUnidbg {

    public static void main(String[] args) throws IOException {
        new HelloUnidbg().crack();
    }

    private final Emulator<?> emulator;
    private final Module module;
    private final File executable;

    public HelloUnidbg() {
        executable = new File("unidbg-android/src/test/resources/example_binaries/main.exe");
        emulator = AndroidEmulatorBuilder.for64Bit()
                .setProcessName(executable.getName())
                .setRootDir(new File("target/rootfs"))
                // .addBackendFactory(new DynarmicFactory(true))
                .addBackendFactory(new Unicorn2Factory(true))
                .build();
        Memory memory = emulator.getMemory();
        LibraryResolver resolver = new AndroidResolver(19);
        memory.setLibraryResolver(resolver);
        module = emulator.loadLibrary(executable);
    }

    private boolean canStop;

    private void crack() {
        while (!canStop) {
            long start = System.currentTimeMillis();
            System.err.println("exit code: " + module.callEntry(emulator)
                    + ", offset=" + (System.currentTimeMillis() - start) + "ms");
            canStop = true;
        }
    }
}
```
4: Conclusion
I originally planned to follow the CrackMe sample to implement this, but running it throws an error. unidbg presumably does not support loading .exe files. The stack trace bears this out: loadLibrary hands the file to AndroidElfLoader, whose ELF parser rejects the header with "Bad magic number", since a PE file starts with "MZ" rather than the ELF magic bytes.
```
Exception in thread "main" net.fornwall.jelf.ElfException: Bad magic number for file
	at net.fornwall.jelf.ElfFile.<init>(ElfFile.java:271)
	at net.fornwall.jelf.ElfFile.fromBytes(ElfFile.java:259)
	at com.github.unidbg.linux.AndroidElfLoader.loadInternal(AndroidElfLoader.java:338)
	at com.github.unidbg.linux.AndroidElfLoader.loadInternal(AndroidElfLoader.java:197)
	at com.github.unidbg.linux.AndroidElfLoader.loadInternal(AndroidElfLoader.java:63)
	at com.github.unidbg.spi.AbstractLoader.load(AbstractLoader.java:212)
	at com.github.unidbg.spi.AbstractLoader.load(AbstractLoader.java:202)
	at com.github.unidbg.arm.AbstractARM64Emulator.loadLibrary(AbstractARM64Emulator.java:144)
	at com.github.unidbg.mytest.HelloUnidbg.<init>(HelloUnidbg.java:45)
	at com.github.unidbg.mytest.HelloUnidbg.main(HelloUnidbg.java:26)
Class transformation time: 0.058103707s for 713 classes or 8.149187517531557E-5s per class
```
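An added example (not from this post or the unidbg project) that makes the failure above explicit before any emulator is built: it reads the file's magic bytes and machine field the way jelf's ElfFile did implicitly, so a PE image such as main.exe is flagged as unsupported by unidbg's Android ELF loader up front. It goes slightly beyond the post by also recognising Mach-O; the sample headers are constructed inline, not real files, and the "unidbg_android_ok" rule (ELF with ARM or AArch64 e_machine) is my assumption about what the Android loader accepts.

```python
import struct

ELF_MAGIC = b"\x7fELF"
# e_machine values from the ELF specification
ELF_MACHINES = {0x03: "x86", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}
# IMAGE_FILE_MACHINE values from the PE/COFF specification
PE_MACHINES = {0x014C: "x86", 0x01C4: "ARM", 0x8664: "x86-64", 0xAA64: "ARM64"}
MACHO_MAGICS = {0xFEEDFACE: "Mach-O32", 0xFEEDFACF: "Mach-O64", 0xCAFEBABE: "Mach-O fat"}

def identify(data: bytes) -> dict:
    """Classify a raw binary image by its header and report whether unidbg's
    Android (ELF) loader would accept it: ELF only, ARM or AArch64 machine (assumed)."""
    if data[:4] == ELF_MAGIC and len(data) >= 20:
        bits = 64 if data[4] == 2 else 32                       # EI_CLASS
        endian = "<" if data[5] == 1 else ">"                   # EI_DATA
        (machine,) = struct.unpack_from(endian + "H", data, 18)  # e_machine
        return {"format": f"ELF{bits}",
                "arch": ELF_MACHINES.get(machine, f"unknown(0x{machine:x})"),
                "unidbg_android_ok": machine in (0x28, 0xB7)}
    if data[:2] == b"MZ" and len(data) >= 0x40:
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)      # offset of "PE\0\0"
        if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
            return {"format": "PE",
                    "arch": PE_MACHINES.get(machine, f"unknown(0x{machine:x})"),
                    "unidbg_android_ok": False}                  # what main.exe hits
    if len(data) >= 4:
        for fmt in ("<I", ">I"):                                 # Mach-O: either byte order
            (magic,) = struct.unpack_from(fmt, data, 0)
            if magic in MACHO_MAGICS:
                return {"format": MACHO_MAGICS[magic], "arch": "?",
                        "unidbg_android_ok": False}
    return {"format": "unknown", "arch": "?", "unidbg_android_ok": False}

# Constructed sample headers (not real files): a minimal AArch64 ELF64 header
# and a minimal x86-64 PE image, just enough for the checks above.
def sample_elf64_aarch64() -> bytes:
    hdr = bytearray(64)
    hdr[0:4], hdr[4], hdr[5], hdr[6] = ELF_MAGIC, 2, 1, 1        # magic, 64-bit, LE, version
    struct.pack_into("<HH", hdr, 16, 2, 0xB7)                    # ET_EXEC, EM_AARCH64
    return bytes(hdr)

def sample_pe_x64() -> bytes:
    img = bytearray(0x80)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                      # e_lfanew -> PE header
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", img, 0x44, 0x8664)                    # IMAGE_FILE_MACHINE_AMD64
    return bytes(img)
```

Running `identify(open("main.exe", "rb").read())` on the real binary would report format "PE" and `unidbg_android_ok: False`, which is the same verdict the stack trace gives, just before the emulator is constructed.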
5: Summary
Going forward, I suggest directing this research toward Android JNI or iOS reverse engineering instead.