- 模拟调用busybox里的wget方法
package com.github.unidbg.android;
import java.io.File;
import java.io.IOException;
public class BusyBoxTest {
public static void main(String[] args) throws IOException {
RunExecutable.run(new File("unidbg-android/src/test/resources/example_binaries/busybox"), null, "wget", "http://pv.sohu.com/cityjson?ie=utf-8", "-O", "-");
}
}
package com.github.unidbg.android;
import com.github.unidbg.Emulator;
import com.github.unidbg.Module;
import com.github.unidbg.ModuleListener;
import com.github.unidbg.linux.LinuxModule;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.memory.Memory;
import com.github.unidbg.pointer.UnidbgPointer;
import com.github.unidbg.unix.UnixEmulator;
import com.sun.jna.Pointer;
import net.fornwall.jelf.ElfSymbol;
import org.apache.commons.io.IOUtils;
import java.io.File;
import java.io.IOException;
class RunExecutable {
static void run(File executable, ModuleListener listener, String[] preloads, String...args) throws IOException {
try (Emulator emulator = AndroidEmulatorBuilder.for32Bit()
.setProcessName(executable.getName())
.setRootDir(new File("target/rootfs"))
.build()) {
long start = System.currentTimeMillis();
Memory memory = emulator.getMemory();
memory.setLibraryResolver(new AndroidResolver(23));
if (listener != null) {
memory.addModuleListener(listener);
}
if (preloads != null) {
for (String preload : preloads) {
if (preload != null) {
//todo 这个地方是什么作用
Module preloaded = memory.dlopen(preload);
System.out.println("preloaded=" + preloaded);
}
}
}
// 加载可执行的模块
LinuxModule module = (LinuxModule) emulator.loadLibrary(executable);
// 获取依赖模块
LinuxModule libc = (LinuxModule) module.getDependencyModule("libc");
// environ是一个全局的外部变量
ElfSymbol environ = libc.getELFSymbolByName("environ");
if (environ != null) {
Pointer pointer = UnidbgPointer.pointer(emulator, libc.base + environ.value);
assert pointer != null;
// 打印环境变量名称
System.err.println("environ=" + pointer + ", value=" + pointer.getPointer(0));
}
// 因为long&int最终会将int类型隐式转换成long类型,而0xffffffff的值为-1(java是使用补码存储数值的),在隐式类型转换过程中扩展为long类型-1(0xffffffffffffffff),并不是0x00000000ffffffff。
// 所以需要将0xffffffff写为0xffffffffL(long类型),这样才能避免隐式转换带来错误的结果。
Number __errno = libc.callFunction(emulator, "__errno")[0];
Pointer pointer = UnidbgPointer.pointer(emulator, __errno.intValue() & 0xffffffffL);
assert pointer != null;
emulator.getMemory().setErrno(UnixEmulator.EACCES);
int value = pointer.getInt(0);
assert value == UnixEmulator.EACCES;
//监控code
// emulator.traceCode();
Pointer strerror = UnidbgPointer.pointer(emulator, libc.callFunction(emulator, "strerror", UnixEmulator.ECONNREFUSED)[0].intValue() & 0xffffffffL);
assert strerror != null;
System.out.println(strerror.getString(0));
//监控code
// emulator.traceCode();
//打印断点
// emulator.attach().addBreakPoint(libc.base + 0x00038F20);
// 调用函数并打印调用函数的返回结果
System.out.println("exit code: " + module.callEntry(emulator, args) + ", offset=" + (System.currentTimeMillis() - start) + "ms");
}
}
static void run(File executable, ModuleListener listener, String...args) throws IOException {
run(executable, listener, null, args);
}
}
备注:
1 在线arm汇编指令与HEX转换网站:https://armconverter.com/
其他学会应用就可以,原理后期再研究。
再阅读下网站:https://blog.csdn.net/Qiled/article/details/122149949
