Unidbg is a Unicorn-based reverse-engineering tool that can call into Android and iOS SO files directly on a PC.

1. Unidbg download address: https://github.com/zhkl0228/u…

The Unidbg project is written in Java, and the download above is a standard Maven project. Make sure your computer has a JDK and Maven installed.

2. Import the project into IDEA

First unzip the zip file. I did not know how to import the project with IDEA 2021, so IDEA 2018 is used here.

Next, when the project is imported for the first time, some JARs are downloaded automatically. How long this takes depends on the network speed and the Maven server, so be patient.

3. Unidbg test

There is a TTEncrypt test case under the project path unidbg-android\src\test\java\com\bytedance\frameworks\core\encrypt. Run its main method directly.

If the console prints the invocation messages, the project was imported successfully.

4. Run your own SO file

The following is a simple modification of that test case. Most of it is commented and can be used as a reference.

```java
package com.DU_APP; // Package path of the current file

import com.github.unidbg.AndroidEmulator;
import com.github.unidbg.Module;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.linux.android.dvm.DalvikModule;
import com.github.unidbg.linux.android.dvm.DvmClass;
import com.github.unidbg.linux.android.dvm.StringObject;
import com.github.unidbg.linux.android.dvm.VM;
import com.github.unidbg.linux.android.dvm.array.ByteArray;
import com.github.unidbg.memory.Memory;

import java.io.File;
import java.io.IOException;

public class DU_sign {
    private final AndroidEmulator emulator;
    private final VM vm;
    private final Module module;
    private final DvmClass TTEncryptUtils;
    private final boolean logging;

    public DU_sign(boolean logging) {
        this.logging = logging;
        // Create a 32-bit emulator instance with the target app's process name
        emulator = AndroidEmulatorBuilder.for32Bit().setProcessName("com.shizhuang.duapp").build();
        final Memory memory = emulator.getMemory(); // Memory operation interface of the emulator
        memory.setLibraryResolver(new AndroidResolver(23)); // Set the system library resolver
        vm = emulator.createDalvikVM(); // Create an Android VM
        vm.setVerbose(logging); // Whether to print detailed logs
        String so_path = ""; // Path to your own SO file (left empty here)
        // Load the SO file into Unicorn's virtual memory; init_array is called by default
        DalvikModule dm = vm.loadLibrary(new File(so_path), false);
        dm.callJNI_OnLoad(emulator); // Manually call the JNI_OnLoad function
        module = dm.getModule(); // The module corresponding to the loaded SO file
        TTEncryptUtils = vm.resolveClass("com/duapp/aesjni/AESEncrypt"); // Class that declares the native method
    }

    void destroy() throws IOException {
        emulator.close();
        if (logging) {
            System.out.println("destroy");
        }
    }

    public static void main(String[] args) throws Exception {
        DU_sign test = new DU_sign(false); // Instantiate the current class
        // The first string that needs to be encrypted
        String str1 = "abTest[{\"name\":\"search_equlheight_spu_strategy\",\"value\":\"0\"}]catId0hideAddProduct0limit20loginTokenoriginSearchfalsepage0platformandroidproductDetailVersionFlag1showHot1sortMode0sortType0timestamp1625715089920title watch typeId0uuidd812da2917d75f8ev4.71.0";
        System.out.println(test.encodeByte(str1));
        test.destroy();
    }

    public String encodeByte(String str1) {
        // The second string that needs to be encrypted
        String byteString = "01011010001000101001001000001100011100101110101010100010111011101001101010110110101000100010110001011010001000101001101"
                + "0110011001111001011100010101000100100110010110010100010101011110010111100";
        // The JNI signature defines the method name, the argument types and the return type.
        // Pass the emulator first, then one argument per parameter in the signature.
        Object ret = TTEncryptUtils.callStaticJniMethodObject(emulator,
                "encodeByte([BLjava/lang/String;)Ljava/lang/String;",
                // Two arguments are needed here: a byte array and a string
                new ByteArray(vm, str1.getBytes()),
                vm.addLocalObject(new StringObject(vm, byteString)));
        return ret.toString();
    }
}
```
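The second argument of callStaticJniMethodObject is a JNI method signature, and a single wrong character in it makes the lookup in the SO fail. As an added example (not code from the original post or from the unidbg project), the hypothetical JniSignature class below decodes such a signature into Java type names so it can be checked before it is passed to the emulator; the malformed input in main is constructed.

```java
import java.util.ArrayList;
import java.util.List;

// Added example, not unidbg code: decodes a JNI method signature into Java types.
public class JniSignature {
    private static final String[] PRIMS = "boolean byte char short int long float double".split(" ");
    public final String name, returnType;
    public final List<String> params = new ArrayList<>();
    private final String sig;
    private int pos;

    public JniSignature(String sig) {
        this.sig = sig;
        int open = sig.indexOf('('), close = sig.indexOf(')');
        if (open < 1 || close < open) throw bad("expected name(params)return");
        name = sig.substring(0, open);
        pos = open + 1;
        while (pos < close) params.add(readType(false)); // one descriptor per parameter
        if (pos != close) throw bad("parameter type runs past ')'");
        pos = close + 1;
        returnType = readType(true); // only the return type may be void
        if (pos != sig.length()) throw bad("trailing characters");
    }
    private IllegalArgumentException bad(String why) {
        return new IllegalArgumentException(why + ": " + sig);
    }
    // Reads one type descriptor at pos and advances pos past it.
    private String readType(boolean allowVoid) {
        if (pos >= sig.length()) throw bad("truncated signature");
        char c = sig.charAt(pos++);
        int prim = "ZBCSIJFD".indexOf(c); // same order as PRIMS
        if (prim >= 0) return PRIMS[prim];
        if (c == 'V' && allowVoid) return "void";
        if (c == '[') return readType(false) + "[]"; // array of the following type
        int end = sig.indexOf(';', pos);
        if (c != 'L' || end < 0) throw bad("bad type '" + c + "'");
        String cls = sig.substring(pos, end).replace('/', '.');
        pos = end + 1;
        return cls;
    }
    public static void main(String[] args) {
        JniSignature s = new JniSignature("encodeByte([BLjava/lang/String;)Ljava/lang/String;");
        System.out.println(s.returnType + " " + s.name + s.params);
        try { // constructed malformed input: ']' typed instead of ')'
            new JniSignature("encodeByte([BLjava/lang/String;]Ljava/lang/String;");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The decoded parameter list should match, in order and type, the arguments passed after the signature string: here a byte[] followed by a java.lang.String.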