Add the trace part #214

Status: Open. Wants to merge 3 commits into base: master.

74 changes: 74 additions & 0 deletions README.md
Expand Up @@ -56,3 +56,77 @@ Simple tests under src/test directory
- [kaitai_struct](https://github.com/kaitai-io/kaitai_struct)
- [fishhook](https://github.com/facebook/fishhook)
- [runtime_class-dump](https://github.com/Tyilo/runtime_class-dump)

## 在大佬的基础上增加了trace
相关代码在unidbg-api/src/main/java/king.trace中
使用方式如下

~~~java
//添加忽略trace的模块
GlobalData.ignoreModuleList.add("libc.so");
GlobalData.ignoreModuleList.add("libhookzz.so");
//添加内存监控,每个指令执行时,都查询该内存是否值有变化。比较消耗性能。
GlobalData.watch_address.put(0x401db840,"");
//dump ldr的数据。包括ldr赋值给寄存器的如果是指针,也会dump
GlobalData.is_dump_ldr=true;
//dump str的数据
GlobalData.is_dump_str=true;
KingTrace trace=new KingTrace(emulator);
trace.initialize(1,0,null);
emulator.getBackend().hook_add_new(trace,1,0,emulator);
~~~

trace的效果大致如下

~~~
>-----------------------------------------------------------------------------<
[23:25:53 634]watch_address:401db840 onchange, md5=526e01d14f11b9492f77e174187cccf2, hex=46f0c2bbd0b705006cfeffff70feffffb0fdffff2de9304806489c2406497844
size: 32
0000: 46 F0 C2 BB D0 B7 05 00 6C FE FF FF 70 FE FF FF F.......l...p...
0010: B0 FD FF FF 2D E9 30 48 06 48 9C 24 06 49 78 44 ....-.0H.H.$.IxD
^-----------------------------------------------------------------------------^
[ libc++.so] [0x32820] [ 2d e9 30 48 ] 0x401db820: push.w {r4, r5, fp, lr}-----r4=0x0 r5=0x0 //r4=0x700000000

>-----------------------------------------------------------------------------<
[23:25:53 639]ldr_right_address:401db840 dump, md5=ef93abe822600c1f7853f7391442906b, hex=46f0c2bbd0b705006cfeffff70feffffb0fdffff2de9304806489c24064978440d182819fef740e80c3c14f10c0ff8d1
size: 48
0000: 46 F0 C2 BB D0 B7 05 00 6C FE FF FF 70 FE FF FF F.......l...p...
0010: B0 FD FF FF 2D E9 30 48 06 48 9C 24 06 49 78 44 ....-.0H.H.$.IxD
0020: 0D 18 28 19 FE F7 40 E8 0C 3C 14 F1 0C 0F F8 D1 ..(...@..<......
^-----------------------------------------------------------------------------^
[ libc++.so] [0x32824] [ 07 4d ] 0x401db824: ldr r5, [pc, #0x1c]-----r5=0x0 pc=0x401db824 //r5=0x70005b7d0

>-----------------------------------------------------------------------------<
[23:25:53 642]ldr_right_address:401db846 dump, md5=d31277769916b0ea11452a4a5fd365dc, hex=05006cfeffff70feffffb0fdffff2de9304806489c24064978440d182819fef740e80c3c14f10c0ff8d1bde830889ab7
size: 48
0000: 05 00 6C FE FF FF 70 FE FF FF B0 FD FF FF 2D E9 ..l...p.......-.
0010: 30 48 06 48 9C 24 06 49 78 44 0D 18 28 19 FE F7 0H.H.$.IxD..(...
0020: 40 E8 0C 3C 14 F1 0C 0F F8 D1 BD E8 30 88 9A B7 @..<........0...
^-----------------------------------------------------------------------------^
[ libc++.so] [0x32826] [ 08 48 ] 0x401db826: ldr r0, [pc, #0x20]-----r0=0x0 pc=0x401db826 //r0=0x7fffffe6c
[ libc++.so] [0x32828] [ 7d 44 ] 0x401db828: add r5, pc-----r5=0x5b7d0 pc=0x401db828 //r5=0x740236ffc
[ libc++.so] [0x3282c] [ 20 46 ] 0x401db82c: mov r0, r4-----r0=0xfffffe6c r4=0x40239040 //r0=0x740239040
[ libc++.so] [0x3282e] [ fe f7 3e e8 ] 0x401db82e: blx #0x401d98ac
[ libc++.so] [0x308ac] [ 00 c6 8f e2 ] 0x401d98ac: add ip, pc, #0, #12-----ip=0x40082908 pc=0x401d98ac //sp=0x7bffff778
[ libc++.so] [0x308b0] [ 5d ca 8c e2 ] 0x401d98b0: add ip, ip, #0x5d000-----ip=0x401d98b4 //sp=0x1bffff778

>-----------------------------------------------------------------------------<
[23:25:53 660]ldr_right_address:40237584 dump, md5=7334f49b4d7a7548eb1c3356311f48eb, hex=f9fd1f40f5892140598a2140299d1f40d1142140d19f214031962140e5122040814a2040c1a02140d12b2040e18b2140
size: 48
0000: F9 FD 1F 40 F5 89 21 40 59 8A 21 40 29 9D 1F 40 ...@..!@Y.!@)..@
0010: D1 14 21 40 D1 9F 21 40 31 96 21 40 E5 12 20 40 ..!@..!@1.!@.. @
0020: 81 4A 20 40 C1 A0 21 40 D1 2B 20 40 E1 8B 21 40 .J @..!@.+ @..!@
^-----------------------------------------------------------------------------^
[ libc++.so] [0x308b4] [ d0 fc bc e5 ] 0x401d98b4: ldr pc, [ip, #0xcd0]!-----ip=0x402368b4 pc=0x401d98b4 //sp=0xbffff778

>-----------------------------------------------------------------------------<
[23:25:53 663]ldr_left_address:bffff778 dump, md5=f0f77a5db1c6c46c94ec8a0ea7e43f56, hex=0000000000000000000000000000ffff000000000000000000fcffbf0000000000000000000000000000000000000000
size: 48
0000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FF ................
0010: 00 00 00 00 00 00 00 00 00 FC FF BF 00 00 00 00 ................
0020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
^-----------------------------------------------------------------------------^
[ libc++.so] [0x56df8] [ 2d e9 f0 4f ] 0x401ffdf8: push.w {r4, r5, r6, r7, r8, sb, sl, fp, lr}-----r4=0x40239040 r5=0x40236ffc r6=0x0 r7=0x0 r8=0x0 //r4=0x40239040
[ libc++.so] [0x56dfc] [ 81 b0 ] 0x401ffdfc: sub sp, #4-----sp=0xbffff754 //sp=0xbffff750
~~~

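Review bot: The post-execution register values in the sample trace look wrong and should be checked before the README ships them as representative output: after `mov r0, r4` with `r4=0x40239040` the trace prints `//r0=0x740239040`, and after `push.w {r4, r5, fp, lr}` a register that was `0x0` is shown as `//r4=0x700000000`, so the "after" formatting appears to prepend a stray digit. Two smaller points: the path `unidbg-api/src/main/java/king.trace` should read `unidbg-api/src/main/java/king/trace` to match the directory the PR actually adds, and the usage snippet hard-codes the watch address `0x401db840`, which is only meaningful for this one load layout of `libc++.so`; say so, or explain how a reader chooses an address. Since the snippet registers the hook over all modules not in `ignoreModuleList` and the comment itself notes that the per-instruction `watch_address` check is expensive, a sentence on the expected slowdown would help users of this feature.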
Expand Up @@ -22,6 +22,8 @@
import com.github.unidbg.memory.Memory;
import com.github.unidbg.utils.Inspector;
import com.sun.jna.Pointer;
import king.trace.GlobalData;
import king.trace.KingTrace;

import java.io.File;
import java.io.IOException;
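Review bot: The new package `king.trace` lives under `unidbg-api/src/main/java` but outside the project's `com.github.unidbg` namespace, and these imports make the bundled `TTEncrypt` example depend on it; consider moving the tracer to `com.github.unidbg.trace` (or a separate module) so the shipped example does not import a personal-namespace package.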
Expand Down Expand Up @@ -50,6 +52,15 @@ public class TTEncrypt {
module = dm.getModule(); // 加载好的libttEncrypt.so对应为一个模块

TTEncryptUtils = vm.resolveClass("com/bytedance/frameworks/core/encrypt/TTEncryptUtils");

GlobalData.ignoreModuleList.add("libc.so");
GlobalData.ignoreModuleList.add("libhookzz.so");
GlobalData.watch_address.put(0x401db840,"");
GlobalData.is_dump_ldr=true;
GlobalData.is_dump_str=true;
KingTrace trace=new KingTrace(emulator);
trace.initialize(1,0,null);
emulator.getBackend().hook_add_new(trace,1,0,emulator);
}

void destroy() throws IOException {
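Review bot: `GlobalData.watch_address.put(0x401db840,"");` does not type-check against the field as declared in `GlobalData.java` (`public static Map<Integer,Integer> watch_address`): the value `""` is a `String`. Either change the map's value type (a `Set<Integer>` would be clearer if the value carries no meaning) or pass an `Integer`. Beyond that, this block makes the project's example run with tracing always on and with a load-specific address hard-coded; gate it behind a flag, the way `logging` already gates the debugger attach in this same class, so the example keeps working for users whose `libc++.so` is mapped elsewhere.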
Expand Down Expand Up @@ -152,7 +163,7 @@ public HookStatus onCall(Emulator<?> emulator, long originFunction) {
}

if (logging) {
emulator.attach(DebuggerType.ANDROID_SERVER_V7); // 附加IDA android_server,可输入c命令取消附加继续运行
// emulator.attach(DebuggerType.ANDROID_SERVER_V7); // 附加IDA android_server,可输入c命令取消附加继续运行
}
byte[] data = new byte[16];
ByteArray array = TTEncryptUtils.callStaticJniMethodObject(emulator, "ttEncrypt([BI)[B", new ByteArray(vm, data), data.length); // 执行Jni方法
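Review bot: Commenting out `emulator.attach(DebuggerType.ANDROID_SERVER_V7);` changes the existing `logging` behaviour of the example and is unrelated to adding the tracer; either restore the line or delete it rather than leaving commented-out code behind. If the IDA attach and the instruction hook cannot be used together, that constraint belongs in the README or the commit message.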
2 changes: 2 additions & 0 deletions unidbg-android/src/test/java/com/sun/jna/JniDispatch32.java
Expand Up @@ -22,6 +22,8 @@
import com.github.unidbg.memory.MemoryBlock;
import com.github.unidbg.pointer.UnidbgPointer;
import com.github.unidbg.utils.Inspector;
import king.trace.GlobalData;
import king.trace.KingTrace;

import java.io.File;
import java.io.IOException;
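Review bot: The two imports added to `JniDispatch32.java` are unused: the file's change count is 2 additions and 0 deletions, so nothing in this file references `GlobalData` or `KingTrace`. Drop them.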
2 changes: 1 addition & 1 deletion unidbg-api/src/main/java/com/github/unidbg/arm/ARM.java
Expand Up @@ -849,7 +849,7 @@ public static String readCString(Backend backend, long address) {
}
}

static String assembleDetail(Emulator<?> emulator, Capstone.CsInsn ins, long address, boolean thumb) {
public static String assembleDetail(Emulator<?> emulator, Capstone.CsInsn ins, long address, boolean thumb) {
return assembleDetail(emulator, ins, address, thumb, false);
}

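Review bot: Widening `assembleDetail(Emulator<?> emulator, Capstone.CsInsn ins, long address, boolean thumb)` from package-private to `public` makes it part of the public API surface of `ARM`; if the only consumer is the new `king.trace` package, add a short Javadoc stating the intended use (or expose a narrower accessor) so the signature is not frozen by accident.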
193 changes: 193 additions & 0 deletions unidbg-api/src/main/java/king/trace/GlobalData.java
@@ -0,0 +1,193 @@
package king.trace;

import unicorn.Arm64Const;
import unicorn.ArmConst;

import java.util.*;

public class GlobalData {
//上一次汇编指令
public static String pre_codestr;
//上一次汇编的第一个寄存器名称
public static String pre_regname;
//是否有记录上一次的数据
public static boolean has_pre;
//监控的地址
public static Map<Integer,Integer> watch_address=new HashMap<Integer,Integer>();
//监控地址打印的内存数据长度
public static int watch_print_size=0x20;
//计算结果和汇编的分隔符
public static String print_split="-----";
//忽略的module
public static List<String> ignoreModuleList=new ArrayList<>();
//忽略打印计算数据的操作指令
public static List<String> ignoreOpList=new ArrayList<>();
//是否要dump汇编的ldr指令的内存
public static boolean is_dump_ldr=false;
//是否要dump汇编的str指令的内存
public static boolean is_dump_str=false;
//dump汇编的ldr指令内存的大小
public static int dump_ldr_size=0x30;
//dump汇编的str指令内存的大小
public static int dump_str_size=0x30;

//arm64的对应寄存器,需要打印的就追加
public static Map<String, Integer> arm64_reg_names ;
static {
Map<String,Integer > aMap =new HashMap<String, Integer>();
aMap.put("X0", Arm64Const.UC_ARM64_REG_X0);
aMap.put("X1", Arm64Const.UC_ARM64_REG_X1);
aMap.put("X2", Arm64Const.UC_ARM64_REG_X2);
aMap.put("X3", Arm64Const.UC_ARM64_REG_X3);
aMap.put("X4", Arm64Const.UC_ARM64_REG_X4);
aMap.put("X5", Arm64Const.UC_ARM64_REG_X5);
aMap.put("X6", Arm64Const.UC_ARM64_REG_X6);
aMap.put("X7", Arm64Const.UC_ARM64_REG_X7);
aMap.put("X8", Arm64Const.UC_ARM64_REG_X8);
aMap.put("X9", Arm64Const.UC_ARM64_REG_X9);
aMap.put("X10", Arm64Const.UC_ARM64_REG_X10);
aMap.put("X11", Arm64Const.UC_ARM64_REG_X11);
aMap.put("X12", Arm64Const.UC_ARM64_REG_X12);
aMap.put("X13", Arm64Const.UC_ARM64_REG_X13);
aMap.put("X14", Arm64Const.UC_ARM64_REG_X14);
aMap.put("X15", Arm64Const.UC_ARM64_REG_X15);
aMap.put("X16", Arm64Const.UC_ARM64_REG_X16);
aMap.put("X17", Arm64Const.UC_ARM64_REG_X17);
aMap.put("X18", Arm64Const.UC_ARM64_REG_X18);
aMap.put("X19", Arm64Const.UC_ARM64_REG_X19);
aMap.put("X20", Arm64Const.UC_ARM64_REG_X20);
aMap.put("X21", Arm64Const.UC_ARM64_REG_X21);
aMap.put("X22", Arm64Const.UC_ARM64_REG_X22);
aMap.put("X23", Arm64Const.UC_ARM64_REG_X23);
aMap.put("X24", Arm64Const.UC_ARM64_REG_X24);
aMap.put("X25", Arm64Const.UC_ARM64_REG_X25);
aMap.put("X26", Arm64Const.UC_ARM64_REG_X26);
aMap.put("X27", Arm64Const.UC_ARM64_REG_X27);
aMap.put("X28", Arm64Const.UC_ARM64_REG_X28);
aMap.put("X29", Arm64Const.UC_ARM64_REG_X29);
aMap.put("X30", Arm64Const.UC_ARM64_REG_X30);
aMap.put("W0", Arm64Const.UC_ARM64_REG_W0);
aMap.put("W1", Arm64Const.UC_ARM64_REG_W1);
aMap.put("W2", Arm64Const.UC_ARM64_REG_W2);
aMap.put("W3", Arm64Const.UC_ARM64_REG_W3);
aMap.put("W4", Arm64Const.UC_ARM64_REG_W4);
aMap.put("W5", Arm64Const.UC_ARM64_REG_W5);
aMap.put("W6", Arm64Const.UC_ARM64_REG_W6);
aMap.put("W7", Arm64Const.UC_ARM64_REG_W7);
aMap.put("W8", Arm64Const.UC_ARM64_REG_W8);
aMap.put("W9", Arm64Const.UC_ARM64_REG_W9);
aMap.put("W10", Arm64Const.UC_ARM64_REG_W10);
aMap.put("W11", Arm64Const.UC_ARM64_REG_W11);
aMap.put("W12", Arm64Const.UC_ARM64_REG_W12);
aMap.put("W13", Arm64Const.UC_ARM64_REG_W13);
aMap.put("W14", Arm64Const.UC_ARM64_REG_W14);
aMap.put("W15", Arm64Const.UC_ARM64_REG_W15);
aMap.put("W16", Arm64Const.UC_ARM64_REG_W16);
aMap.put("W17", Arm64Const.UC_ARM64_REG_W17);
aMap.put("W18", Arm64Const.UC_ARM64_REG_W18);
aMap.put("W19", Arm64Const.UC_ARM64_REG_W19);
aMap.put("W20", Arm64Const.UC_ARM64_REG_W20);
aMap.put("W21", Arm64Const.UC_ARM64_REG_W21);
aMap.put("W22", Arm64Const.UC_ARM64_REG_W22);
aMap.put("W23", Arm64Const.UC_ARM64_REG_W23);
aMap.put("W24", Arm64Const.UC_ARM64_REG_W24);
aMap.put("W25", Arm64Const.UC_ARM64_REG_W25);
aMap.put("W26", Arm64Const.UC_ARM64_REG_W26);
aMap.put("W27", Arm64Const.UC_ARM64_REG_W27);
aMap.put("W28", Arm64Const.UC_ARM64_REG_W28);
aMap.put("W29", Arm64Const.UC_ARM64_REG_W29);
aMap.put("W30", Arm64Const.UC_ARM64_REG_W30);
aMap.put("SP", Arm64Const.UC_ARM64_REG_SP);
aMap.put("XZR", Arm64Const.UC_ARM64_REG_XZR);
aMap.put("WZR", Arm64Const.UC_ARM64_REG_WZR);
aMap.put("IP", Arm64Const.UC_ARM64_REG_IP0);
aMap.put("PC", Arm64Const.UC_ARM64_REG_PC);
arm64_reg_names = Collections.unmodifiableMap(aMap);
}
//arm的对应寄存器
public static Map<String, Integer> arm_reg_names ;
static {
Map<String,Integer > aMap =new HashMap<String, Integer>();
aMap.put("R0", ArmConst.UC_ARM_REG_R0);
aMap.put("R1", ArmConst.UC_ARM_REG_R1);
aMap.put("R2", ArmConst.UC_ARM_REG_R2);
aMap.put("R3", ArmConst.UC_ARM_REG_R3);
aMap.put("R4", ArmConst.UC_ARM_REG_R4);
aMap.put("R5", ArmConst.UC_ARM_REG_R5);
aMap.put("R6", ArmConst.UC_ARM_REG_R6);
aMap.put("R7", ArmConst.UC_ARM_REG_R7);
aMap.put("R8", ArmConst.UC_ARM_REG_R8);
aMap.put("R9", ArmConst.UC_ARM_REG_R9);
aMap.put("R10", ArmConst.UC_ARM_REG_R10);
aMap.put("R11", ArmConst.UC_ARM_REG_R11);
aMap.put("R12", ArmConst.UC_ARM_REG_R12);
aMap.put("R13", ArmConst.UC_ARM_REG_R13);
aMap.put("R14", ArmConst.UC_ARM_REG_R14);
aMap.put("R15", ArmConst.UC_ARM_REG_R15);
aMap.put("SP", ArmConst.UC_ARM_REG_SP);
aMap.put("IP", ArmConst.UC_ARM_REG_IP);
aMap.put("PC", ArmConst.UC_ARM_REG_PC);
arm_reg_names = Collections.unmodifiableMap(aMap);
}
// {
// "X0": unicorn.arm64_const.UC_ARM64_REG_X0,
// "X1": unicorn.arm64_const.UC_ARM64_REG_X1,
// "X2": unicorn.arm64_const.UC_ARM64_REG_X2,
// "X3": unicorn.arm64_const.UC_ARM64_REG_X3,
// "X4": unicorn.arm64_const.UC_ARM64_REG_X4,
// "X5": unicorn.arm64_const.UC_ARM64_REG_X5,
// "X6": unicorn.arm64_const.UC_ARM64_REG_X6,
// "X7": unicorn.arm64_const.UC_ARM64_REG_X7,
// "X8": unicorn.arm64_const.UC_ARM64_REG_X8,
// "X9": unicorn.arm64_const.UC_ARM64_REG_X9,
// "X10": unicorn.arm64_const.UC_ARM64_REG_X10,
// "X11": unicorn.arm64_const.UC_ARM64_REG_X11,
// "X12": unicorn.arm64_const.UC_ARM64_REG_X12,
// "X13": unicorn.arm64_const.UC_ARM64_REG_X13,
// "X14": unicorn.arm64_const.UC_ARM64_REG_X14,
// "X15": unicorn.arm64_const.UC_ARM64_REG_X15,
// "X16": unicorn.arm64_const.UC_ARM64_REG_X16,
// "X17": unicorn.arm64_const.UC_ARM64_REG_X17,
// "X18": unicorn.arm64_const.UC_ARM64_REG_X18,
// "X19": unicorn.arm64_const.UC_ARM64_REG_X19,
// "X20": unicorn.arm64_const.UC_ARM64_REG_X20,
// "X21": unicorn.arm64_const.UC_ARM64_REG_X21,
// "X22": unicorn.arm64_const.UC_ARM64_REG_X22,
// "X23": unicorn.arm64_const.UC_ARM64_REG_X23,
// "X24": unicorn.arm64_const.UC_ARM64_REG_X24,
// "X25": unicorn.arm64_const.UC_ARM64_REG_X25,
// "X26": unicorn.arm64_const.UC_ARM64_REG_X26,
// "X27": unicorn.arm64_const.UC_ARM64_REG_X27,
// "X28": unicorn.arm64_const.UC_ARM64_REG_X28,
// "W0": unicorn.arm64_const.UC_ARM64_REG_W0,
// "W1": unicorn.arm64_const.UC_ARM64_REG_W1,
// "W2": unicorn.arm64_const.UC_ARM64_REG_W2,
// "W3": unicorn.arm64_const.UC_ARM64_REG_W3,
// "W4": unicorn.arm64_const.UC_ARM64_REG_W4,
// "W5": unicorn.arm64_const.UC_ARM64_REG_W5,
// "W6": unicorn.arm64_const.UC_ARM64_REG_W6,
// "W7": unicorn.arm64_const.UC_ARM64_REG_W7,
// "W8": unicorn.arm64_const.UC_ARM64_REG_W8,
// "W9": unicorn.arm64_const.UC_ARM64_REG_W9,
// "W10": unicorn.arm64_const.UC_ARM64_REG_W10,
// "W11": unicorn.arm64_const.UC_ARM64_REG_W11,
// "W12": unicorn.arm64_const.UC_ARM64_REG_W12,
// "W13": unicorn.arm64_const.UC_ARM64_REG_W13,
// "W14": unicorn.arm64_const.UC_ARM64_REG_W14,
// "W15": unicorn.arm64_const.UC_ARM64_REG_W15,
// "W16": unicorn.arm64_const.UC_ARM64_REG_W16,
// "W17": unicorn.arm64_const.UC_ARM64_REG_W17,
// "W18": unicorn.arm64_const.UC_ARM64_REG_W18,
// "W19": unicorn.arm64_const.UC_ARM64_REG_W19,
// "W20": unicorn.arm64_const.UC_ARM64_REG_W20,
// "W21": unicorn.arm64_const.UC_ARM64_REG_W21,
// "W22": unicorn.arm64_const.UC_ARM64_REG_W22,
// "W23": unicorn.arm64_const.UC_ARM64_REG_W23,
// "W24": unicorn.arm64_const.UC_ARM64_REG_W24,
// "W25": unicorn.arm64_const.UC_ARM64_REG_W25,
// "W26": unicorn.arm64_const.UC_ARM64_REG_W26,
// "W27": unicorn.arm64_const.UC_ARM64_REG_W27,
// "W28": unicorn.arm64_const.UC_ARM64_REG_W28,
// "SP": unicorn.arm64_const.UC_ARM64_REG_SP,
// }
}
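Review bot: The ARM register table (`arm_reg_names`) only knows `R0`..`R15`, `SP`, `IP` and `PC`, but the disassembly the tracer prints uses Capstone's alias names, as the README sample shows (`push.w {r4, r5, fp, lr}`, `push.w {r4, r5, r6, r7, r8, sb, sl, fp, lr}`), so `fp`, `lr`, `sb` and `sl` will never be resolved; add aliases for `SB`, `SL`, `FP` and `LR` (and `FP`/`LR` for the arm64 table, which also stops at `X28` in the commented block but goes to `X30` in the live one). The commented-out Python-style dictionary at the end of the class is dead code that does not even belong to this language and should be removed. `watch_address` is keyed by `Integer`, which cannot represent a 64-bit address even though the class ships an arm64 register table; use `long` keys, and reconcile the `Map<Integer,Integer>` value type with the `String` value that `TTEncrypt.java` and the README pass to `put`. Finally, everything here is mutable `public static` state (`pre_codestr`, `pre_regname`, `has_pre` are per-trace state, the rest is configuration), shared across every emulator in the process and not thread-safe; moving the per-trace fields into `KingTrace` and the settings into a config object passed to its constructor would fix that, and the snake_case public field names do not follow the Java conventions used elsewhere in the repository.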