unidbg-fork及管道读写

fork子进程直接执行子进程函数；
管道读写采用了输入输出形式；
实战(六)

package com.dta.lesson31;import com.GitHub.unidbg.AndroidEmulator;import com.github.unidbg.Module;import com.github.unidbg.linux.AndroidElfLoader;import com.github.unidbg.linux.android.AndroidEmulatorBuilder;import com.github.unidbg.linux.android.AndroidResolver;import com.github.unidbg.linux.android.dvm.*;import com.github.unidbg.memory.Memory;import com.github.unidbg.memory.MemoryBlock;import com.github.unidbg.pointer.UnidbgPointer;import org.apache.log4j.Level;import org.apache.log4j.Logger;import java.io.File;import java.NIO.charset.StandardCharsets;import java.util.ArrayList;import java.util.List;public class MainActivity2 extends AbstractJni {    private final AndroidEmulator emulator;    private final VM vm;    private final Memory memory;    private final Module module;    public MainActivity2(){        emulator = AndroidEmulatorBuilder                .for32Bit()                //.setRootDir(new File("target/rootfs/default"))                //.addBackendFactory(new DynarmicFactory(true))                .build();        memory = emulator.getMemory();        memory.setLibraryResolver(new AndroidResolver(23));        vm = emulator.createDalvikVM();        vm.setVerbose(true);        vm.setJni(this);        DalvikModule dalvikModule = vm.loadLibrary(new File("unidbg-android/src/test/java/com/dta/lesson31/libcheck.so"), false);        module = dalvikModule.getModule();        vm.callJNI_OnLoad(emulator,module);    }    static {        Logger.getLogger(AndroidElfLoader.class).setLevel(Level.INFO);    }    public static void main(String[] args) {        long start = System.currentTimeMillis();        MainActivity2 mainActivity = new MainActivity2();        System.out.println("load the vm "+( System.currentTimeMillis() - start )+ "ms");        mainActivity.sub_85E0();    }    private void sub_85E0() {        //emulator.traceCode();        List<Object> args = new ArrayList<>();        UnidbgPointer ptr_arg0 = UnidbgPointer.pointer(emulator, module.base + 0xF1B0);        args.add(ptr_arg0.toIntPeer());        args.add(622);        MemoryBlock malloc = memory.malloc(32, true);        UnidbgPointer ptr_md5 = malloc.getPointer();        String md5 = "f8c49056e4ccf9a11e090eaf471f418d";        ptr_md5.write(md5.getBytes(StandardCharsets.UTF_8));        args.add(ptr_md5.toIntPeer());        Number[] numbers = module.callFunction(emulator, 0x85E1, args.toArray());        System.out.println("result => " + numbers[0].longValue());        sub_shellCode(numbers[0].longValue());    }    private void sub_shellCode(long addr) {        List<Object> args = new ArrayList<>();        String input = "qqqqqqq";        MemoryBlock malloc = memory.malloc(input.length(), true);        UnidbgPointer ptr_input = malloc.getPointer();        UnidbgPointer ptr_v9 = memory.allocateStack(8);        ptr_v9.setPointer(0,ptr_input);        UnidbgPointer ptr_pipe = memory.allocateStack(8);        ptr_pipe.setInt(0,0);        ptr_pipe.setInt(4,1);        ptr_v9.setPointer(4,ptr_pipe);        args.add(ptr_v9.toIntPeer());        Number[] numbers = module.callFunction(emulator, addr - module.base + 1, args.toArray());        System.out.println("shellcode result => " + numbers[0].longValue());    }    @Override    public DvmObject<?> callStaticObjectMethod(BaseVM vm, DvmClass dvmClass, String signature, VarArg varArg) {        if(signature.equals("com/a/sample/loopcrypto/Decode->a([BI)Ljava/lang/String;")){            byte[] bytes = (byte[]) varArg.getObjectArg(0).getValue();            int i = varArg.getIntArg(1);            String a = Encrypt.a(bytes, i);            return new StrinGobject(vm, a);        }        return super.callStaticObjectMethod(vm, dvmClass, signature, varArg);    }}

来源地址：https://blog.csdn.net/weixin_38927522/article/details/127891479