unidbg
基于java开发的开源项目 v0.9.6
1.下载
2.处理类
package com.jd.v1044.sign;
import com.github.unidbg.AndroidEmulator;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.linux.android.dvm.*;
import com.github.unidbg.memory.Memory;
import java.io.File;
/**
 * Runs the {@code getSignFromJni} native method of {@code libjdbitmapkit.so} inside a unidbg
 * 32-bit Android emulator and returns the string it yields.
 *
 * <p>The class is also the JNI bridge for the VM ({@link AbstractJni}): the two overrides at the
 * bottom answer the {@code StringBuffer} / {@code Integer} signatures listed there and hand every
 * other signature to the superclass.
 *
 * <p>NOTE(review): nothing in this class closes the emulator; it lives until the process exits.
 */
public class EncryptUtils extends AbstractJni {
    private final AndroidEmulator emulator;
    private final VM vm;

    /**
     * Builds the emulator, attaches the APK-backed Dalvik VM and loads the native library.
     * The APK and .so are read from paths relative to the working directory.
     */
    EncryptUtils() {
        // 1. Create the emulator. 32-bit is chosen because the app's .so lives under armeabi-v7a.
        emulator = AndroidEmulatorBuilder.for32Bit()
                .setProcessName("com.jingdong.app.mall")
                .build();

        // 2. Select the Android SDK level used to resolve system libraries.
        emulator.getMemory().setLibraryResolver(new AndroidResolver(23));

        // 3. Create the Dalvik VM from the APK and register this object as its JNI handler.
        vm = emulator.createDalvikVM(new File("unidbg-android/jd/v10.4.4.apk"));
        vm.setJni(this);
        vm.setVerbose(false); // switch to true to trace JNI calls while debugging

        // 4. Load the native library. The returned module is not used further:
        //    JNI_OnLoad is not invoked by this class.
        vm.loadLibrary(new File("unidbg-android/jd/libjdbitmapkit.so"), false);
    }

    /**
     * Calls the static native method with the fixed inputs below.
     *
     * @return the string value of the object returned by the native call
     */
    public String sign() {
        // 5. Resolve the Java-side class that declares the native method.
        DvmClass bitmapkitUtils = vm.resolveClass("com/jingdong/common/utils/BitmapkitUtils");

        // NOTE(review): the descriptor carries "()" between the method name and the parameter
        // list, which looks like a stray pair of parentheses; confirm against the real signature.
        String descriptor = "getSignFromJni()(Landroid/content/Context;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;";

        // Fixed inputs; the first three correspond to function_id / body / uid in the Python
        // caller shown on this page. The last two are presumably platform and app version (confirm).
        StringObject functionId = new StringObject(vm, "backupKeywords");
        StringObject body = new StringObject(vm, "{\"keyword\":\"五粮液\"}");
        StringObject uuid = new StringObject(vm, "55c6428967d70488");
        StringObject client = new StringObject(vm, "android");
        StringObject clientVersion = new StringObject(vm, "10.4.4");

        // 6. Invoke the method; the Context parameter from the descriptor is passed as null.
        StringObject signed = bitmapkitUtils.callStaticJniMethodObject(
                emulator, descriptor, null, functionId, body, uuid, client, clientVersion);

        // 7. Unwrap the Java string held by the returned VM object.
        return signed.getValue();
    }

    /**
     * Command-line entry point: prints the result of {@link #sign()} to standard output.
     *
     * @param args not read; {@link #sign()} always uses its built-in inputs
     */
    public static void main(String[] args) {
        System.out.println(new EncryptUtils().sign());
    }

    /**
     * Handles constructor calls arriving over JNI for {@code StringBuffer()} and
     * {@code Integer(int)}; any other signature goes to the superclass.
     */
    @Override
    public DvmObject<?> newObjectV(BaseVM vm, DvmClass dvmClass, String signature, VaList vaList) {
        switch (signature) {
            case "java/lang/StringBuffer-><init>()V":
                return vm.resolveClass("java/lang/StringBuffer").newObject(new StringBuffer());
            case "java/lang/Integer-><init>(I)V":
                // The int argument is boxed and becomes the value of the VM-side Integer object.
                return vm.resolveClass("java/lang/Integer").newObject(vaList.getIntArg(0));
            default:
                return super.newObjectV(vm, dvmClass, signature, vaList);
        }
    }

    /**
     * Handles {@code StringBuffer.append(String)}, {@code StringBuffer.toString()} and
     * {@code Integer.toString()} arriving over JNI; any other signature goes to the superclass.
     */
    @Override
    public DvmObject<?> callObjectMethodV(BaseVM vm, DvmObject<?> dvmObject, String signature, VaList vaList) {
        switch (signature) {
            case "java/lang/StringBuffer->append(Ljava/lang/String;)Ljava/lang/StringBuffer;": {
                StringBuffer buffer = (StringBuffer) dvmObject.getValue();
                StringObject piece = vaList.getObjectArg(0);
                // append() returns the same buffer, which is wrapped in a new VM object.
                return vm.resolveClass("java/lang/StringBuffer").newObject(buffer.append(piece.getValue()));
            }
            case "java/lang/Integer->toString()Ljava/lang/String;": {
                Integer boxed = (Integer) dvmObject.getValue();
                return new StringObject(vm, Integer.toString(boxed));
            }
            case "java/lang/StringBuffer->toString()Ljava/lang/String;": {
                StringBuffer buffer = (StringBuffer) dvmObject.getValue();
                return new StringObject(vm, buffer.toString());
            }
            default:
                return super.callObjectMethodV(vm, dvmObject, signature, vaList);
        }
    }
}
3.so文件与apk文件所在路径
放在与src同路径的目录
4.打成java包
Project Structure -> Artifacts -> Jar -> Main Class选择自己写的类
-> 选择copy to the output directory and link via manifest
-> 选择include tests
-> build artifacts
5.python调用jar包
import uuid
import subprocess
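# Inputs handed to the jar on its command line.
# NOTE(review): the Java main() listed on this page does not read its arguments,
# so with that listing the output does not depend on these values.
function_id = "backupKeywords"
body = '{"keyword":"小米手机"}'
uid = uuid.uuid4().hex  # 32 hex characters, same as str(uuid4()) with the dashes removed

# Pass the arguments as a list and do not go through a shell. Interpolating
# `body` into a shell=True command string lets any quote or shell metacharacter
# in it break the quoting or run as a separate command; with a list, each value
# reaches the JVM as exactly one argument, unchanged.
cmd = ["java", "-jar", "unidbg-parent.jar", function_id, body, uid]
signature = subprocess.check_output(cmd, cwd="unidbg_parent_jar")

# The jar may print other lines first; the last line of stdout is taken as the result.
data_string = signature.strip().decode('utf-8').split("\n")[-1]
print(data_string)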
记录自己的学习历程!