Unidbg安卓SO层方法执行教学文档<\/h1>

一、Unidbg简介<\/h2>
Unidbg是一个基于Java的开源项目，主要用于模拟安卓或iOS设备环境，能够直接执行SO文件中的算法而无需逆向分析内部实现。主要功能包括：<\/p>
模拟执行ARM\/MIPS\/x86架构代码<\/li>
内存访问与操作<\/li>
指令级跟踪<\/li>
函数调用跟踪<\/li>
JNI环境模拟<\/li> <\/ul>
支持多种后端：<\/p>
Unicorn（功能全面但速度较慢）<\/li>
Dynarmic（速度快但不支持所有特性）<\/li>
QEMU（稳定性高）<\/li> <\/ul>
二、环境配置<\/h2>

1. 开发环境要求<\/h3>
JDK 8+<\/li>
IntelliJ IDEA<\/li>
Maven构建工具<\/li> <\/ul>
2. 项目导入步骤<\/h3>
克隆或下载unidbg项目<\/li>
使用IDEA打开项目<\/li>
等待Maven依赖自动下载完成<\/li>
运行
com<\/code>包下的测试用例验证环境<\/li>
<\/ol>
三、核心API详解<\/h2>
1. 模拟器创建与初始化<\/h3>
\/\/ 创建32位模拟器实例
<\/span><\/span><\/span><\/span>emulator =<\/span> AndroidEmulatorBuilder
<\/span><\/span>    .<\/span>for32Bit<\/span>()<\/span>  \/\/ 指定32位CPU
<\/span><\/span><\/span><\/span>    .<\/span>addBackendFactory<\/span>(<\/span>new<\/span> DynarmicFactory(<\/span>true<\/span>))<\/span>  \/\/ 使用Dynarmic后端
<\/span><\/span><\/span><\/span>    .<\/span>setProcessName<\/span>(<\/span>"com.example.target"<\/span>)<\/span>  \/\/ 设置进程名
<\/span><\/span><\/span><\/span>    .<\/span>build<\/span>();<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 内存操作接口
<\/span><\/span><\/span><\/span>Memory memory =<\/span> emulator.<\/span>getMemory<\/span>();<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 设置Android SDK版本(23对应Android 6.0)
<\/span><\/span><\/span><\/span>LibraryResolver resolver =<\/span> new<\/span> AndroidResolver(<\/span>23<\/span>);<\/span>
<\/span><\/span>memory.<\/span>setLibraryResolver<\/span>(<\/span>resolver);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 创建Dalvik虚拟机
<\/span><\/span><\/span><\/span>vm =<\/span> emulator.<\/span>createDalvikVM<\/span>(<\/span>new<\/span> File(<\/span>"target.apk"<\/span>));<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 加载SO文件
<\/span><\/span><\/span><\/span>DalvikModule dm =<\/span> vm.<\/span>loadLibrary<\/span>(<\/span>new<\/span> File(<\/span>"libtarget.so"<\/span>),<\/span> false<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 获取模块句柄
<\/span><\/span><\/span><\/span>module =<\/span> dm.<\/span>getModule<\/span>();<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 调用JNI_OnLoad
<\/span><\/span><\/span><\/span>dm.<\/span>callJNI_OnLoad<\/span>(<\/span>emulator);<\/span>
<\/span><\/span><\/code><\/pre>2. 常用模拟器操作<\/h3>
\/\/ 获取内存接口
<\/span><\/span><\/span><\/span>Memory memory =<\/span> emulator.<\/span>getMemory<\/span>();<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 获取进程ID
<\/span><\/span><\/span><\/span>int<\/span> pid =<\/span> emulator.<\/span>getPid<\/span>();<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 寄存器操作
<\/span><\/span><\/span><\/span>emulator.<\/span>showRegs<\/span>();<\/span>  \/\/ 显示寄存器状态
<\/span><\/span><\/span><\/span>RegisterContext context =<\/span> emulator.<\/span>getContext<\/span>();<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 跟踪调试
<\/span><\/span><\/span><\/span>emulator.<\/span>traceRead<\/span>(<\/span>1<\/span>,<\/span> 0<\/span>);<\/span>  \/\/ 跟踪内存读取
<\/span><\/span><\/span><\/span>emulator.<\/span>traceWrite<\/span>(<\/span>1<\/span>,<\/span> 0<\/span>);<\/span> \/\/ 跟踪内存写入
<\/span><\/span><\/span><\/span>emulator.<\/span>traceCode<\/span>(<\/span>1<\/span>,<\/span> 0<\/span>);<\/span>  \/\/ 跟踪代码执行
<\/span><\/span><\/span><\/span>
<\/span><\/span>\/\/ 获取后端CPU
<\/span><\/span><\/span><\/span>Backend backend =<\/span> emulator.<\/span>getBackend<\/span>();<\/span>
<\/span><\/span><\/code><\/pre>四、SO函数调用方法<\/h2>
1. 符号调用（推荐简单场景）<\/h3>
public<\/span> void<\/span> callBySymbol<\/span>()<\/span> {<\/span>
<\/span><\/span>    \/\/ 创建代理对象（包名必须与目标一致）
<\/span><\/span><\/span><\/span>    DvmObject<?><\/span> obj =<\/span> ProxyDvmObject.<\/span>createObject<\/span>(<\/span>vm,<\/span> this<\/span>);<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 调用JNI方法
<\/span><\/span><\/span><\/span>    \/\/ 格式: methodName(参数类型签名)返回值类型签名
<\/span><\/span><\/span><\/span>    DvmObject<?><\/span> result =<\/span> obj.<\/span>callJniMethodObject<\/span>(<\/span>
<\/span><\/span>        emulator,<\/span> 
<\/span><\/span>        "md5(Ljava\/lang\/String;)Ljava\/lang\/String;"<\/span>,<\/span> 
<\/span><\/span>        "inputData"<\/span>);<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 获取结果
<\/span><\/span><\/span><\/span>    String value =<\/span> (<\/span>String)<\/span> result.<\/span>getValue<\/span>();<\/span>
<\/span><\/span>    System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"Result: "<\/span> +<\/span> value);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2. 地址调用（复杂但灵活）<\/h3>
private<\/span> void<\/span> callByAddress<\/span>()<\/span> {<\/span>
<\/span><\/span>    \/\/ 获取JNI环境指针
<\/span><\/span><\/span><\/span>    Pointer jniEnv =<\/span> vm.<\/span>getJNIEnv<\/span>();<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 创建参数列表
<\/span><\/span><\/span><\/span>    List<<\/span>Object><\/span> args =<\/span> new<\/span> ArrayList<>();<\/span>
<\/span><\/span>    args.<\/span>add<\/span>(<\/span>jniEnv);<\/span>  \/\/ 第一个参数总是JNIEnv*
<\/span><\/span><\/span><\/span>    args.<\/span>add<\/span>(<\/span>vm.<\/span>addLocalObject<\/span>(<\/span>ProxyDvmObject.<\/span>createObject<\/span>(<\/span>vm,<\/span> this<\/span>)));<\/span> \/\/ this
<\/span><\/span><\/span><\/span>    
<\/span><\/span>    \/\/ 添加字符串参数
<\/span><\/span><\/span><\/span>    StringObject data =<\/span> new<\/span> StringObject(<\/span>vm,<\/span> "inputData"<\/span>);<\/span>
<\/span><\/span>    args.<\/span>add<\/span>(<\/span>vm.<\/span>addLocalObject<\/span>(<\/span>data));<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 调用函数(地址偏移需要+1)
<\/span><\/span><\/span><\/span>    Number result =<\/span> module.<\/span>callFunction<\/span>(<\/span>emulator,<\/span> 0x849<\/span> +<\/span> 1<\/span>,<\/span> args.<\/span>toArray<\/span>());<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 处理返回值
<\/span><\/span><\/span><\/span>    DvmObject<?><\/span> object =<\/span> vm.<\/span>getObject<\/span>(<\/span>result.<\/span>intValue<\/span>());<\/span>
<\/span><\/span>    String value =<\/span> (<\/span>String)<\/span> object.<\/span>getValue<\/span>();<\/span>
<\/span><\/span>    System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"Result: "<\/span> +<\/span> value);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>五、调试技巧<\/h2>
1. 控制台调试<\/h3>
\/\/ 附加调试器
<\/span><\/span><\/span><\/span>Debugger debugger =<\/span> emulator.<\/span>attach<\/span>(<\/span>DebuggerType.<\/span>CONSOLE<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 设置断点
<\/span><\/span><\/span><\/span>debugger.<\/span>addBreakPoint<\/span>(<\/span>module.<\/span>base<\/span> +<\/span> 0xC65<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 常用调试命令:
<\/span><\/span><\/span>\/\/ c - 继续执行
<\/span><\/span><\/span>\/\/ s - 单步步入
<\/span><\/span><\/span>\/\/ n - 单步步过
<\/span><\/span><\/span>\/\/ reg - 查看寄存器
<\/span><\/span><\/span>\/\/ mem - 查看内存
<\/span><\/span><\/span>\/\/ bt - 查看调用栈
<\/span><\/span><\/span><\/code><\/pre>2. 日志输出配置<\/h3>
\/\/ 启用详细JNI调用日志
<\/span><\/span><\/span><\/span>vm.<\/span>setVerbose<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 重定向输出到文件
<\/span><\/span><\/span><\/span>PrintStream out =<\/span> new<\/span> PrintStream(<\/span>new<\/span> FileOutputStream(<\/span>"unidbg.log"<\/span>));<\/span>
<\/span><\/span>emulator.<\/span>getBackend<\/span>().<\/span>setStdout<\/span>(<\/span>out);<\/span>
<\/span><\/span><\/code><\/pre>六、实战案例：PlzDebugMe分析<\/h2>
1. Java层分析<\/h3>
目标APK关键逻辑：<\/p>
public<\/span> void<\/span> onClick<\/span>(<\/span>View view)<\/span> {<\/span>
<\/span><\/span>    String input =<\/span> text.<\/span>getText<\/span>().<\/span>toString<\/span>();<\/span>
<\/span><\/span>    String key =<\/span> g4tk4y();<\/span>  \/\/ 来自SO层
<\/span><\/span><\/span><\/span>    String encrypted =<\/span> new<\/span> FishEnc(<\/span>key).<\/span>doEnc<\/span>(<\/span>input);<\/span>  \/\/ Blowfish加密
<\/span><\/span><\/span><\/span>    boolean<\/span> result =<\/span> check(<\/span>encrypted);<\/span>  \/\/ SO层验证
<\/span><\/span><\/span><\/span>    \/\/ 显示结果...
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2. SO层函数调用<\/h3>
g4tk4y函数实现<\/h4>
JNIEXPORT jstring JNICALL Java_work_pangbai_debugme_MainActivity_g4tk4y<\/span>
<\/span><\/span>    (JNIEnv *<\/span>env, jobject obj) {
<\/span><\/span>    \/\/ 初始化检查
<\/span><\/span><\/span><\/span>    if<\/span> (check()) exit(0<\/span>);
<\/span><\/span>    
<\/span><\/span>    \/\/ 魔改Base64编码
<\/span><\/span><\/span><\/span>    char<\/span> table[] =<\/span> "4KBbSzwWClkZ2gsr1qA+Qu0FtxOm6\/iVcJHPY9GNp7EaRoDf8UvIjnL5MydTX3eh"<\/span>;
<\/span><\/span>    char<\/span> input[] =<\/span> "7h4K4y"<\/span>;
<\/span><\/span>    char<\/span> output[8<\/span>];
<\/span><\/span>    
<\/span><\/span>    \/\/ 特殊编码过程
<\/span><\/span><\/span><\/span>    output[0<\/span>] =<\/span> table[input[0<\/span>] &<\/span> 0x3F<\/span>];
<\/span><\/span>    output[1<\/span>] =<\/span> table[((input[0<\/span>] >><\/span> 6<\/span>) &<\/span> 0x3<\/span>) |<\/span> (4<\/span> *<\/span> (input[1<\/span>] &<\/span> 0xF<\/span>))];
<\/span><\/span>    \/\/ ...其他位处理
<\/span><\/span><\/span><\/span>    
<\/span><\/span>    return<\/span> (*<\/span>env)-><\/span>NewStringUTF(env, output);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>check函数实现<\/h4>
JNIEXPORT jboolean JNICALL Java_work_pangbai_debugme_MainActivity_check<\/span>
<\/span><\/span>    (JNIEnv *<\/span>env, jobject obj, jstring input) {
<\/span><\/span>    
<\/span><\/span>    \/\/ 获取输入字符串
<\/span><\/span><\/span><\/span>    const<\/span> char<\/span> *<\/span>str =<\/span> (*<\/span>env)-><\/span>GetStringUTFChars(env, input, 0<\/span>);
<\/span><\/span>    
<\/span><\/span>    \/\/ 加密算法核心
<\/span><\/span><\/span><\/span>    for<\/span> (int<\/span> i =<\/span> 0<\/span>; i <<\/span> len; i++<\/span>) {
<\/span><\/span>        int<\/span> tmp =<\/span> input[i+<\/span>1<\/span>] ^<\/span> input[i];
<\/span><\/span>        if<\/span> (v6) {
<\/span><\/span>            tmp =<\/span> (tmp <<<\/span> (31<\/span>-<\/span>i)) |<\/span> (tmp >><\/span> (i+<\/span>1<\/span>));
<\/span><\/span>        } else<\/span> {
<\/span><\/span>            tmp =<\/span> (tmp >><\/span> (31<\/span>-<\/span>i)) |<\/span> (tmp <<<\/span> (i+<\/span>1<\/span>));
<\/span><\/span>        }
<\/span><\/span>        input[i+<\/span>1<\/span>] =<\/span> tmp ^<\/span> input[i];
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    \/\/ 与硬编码值比较
<\/span><\/span><\/span><\/span>    return<\/span> memcmp(result, expected, len) ==<\/span> 0<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>3. Unidbg解决方案<\/h3>
获取g4tk4y返回值<\/h4>
public<\/span> void<\/span> getKey<\/span>()<\/span> {<\/span>
<\/span><\/span>    DvmObject<?><\/span> obj =<\/span> ProxyDvmObject.<\/span>createObject<\/span>(<\/span>vm,<\/span> this<\/span>);<\/span>
<\/span><\/span>    DvmObject<?><\/span> result =<\/span> obj.<\/span>callJniMethodObject<\/span>(<\/span>
<\/span><\/span>        emulator,<\/span> 
<\/span><\/span>        "g4tk4y()Ljava\/lang\/String;"<\/span>);<\/span>
<\/span><\/span>    String key =<\/span> (<\/span>String)<\/span> result.<\/span>getValue<\/span>();<\/span>
<\/span><\/span>    System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"Key: "<\/span> +<\/span> key);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>逆向加密算法<\/h4>
def<\/span> decrypt<\/span>(encrypted):
<\/span><\/span>    # 逆向check函数中的加密算法<\/span>
<\/span><\/span>    for<\/span> i in<\/span> range(len(enc)-<\/span>1<\/span>, -<\/span>1<\/span>, -<\/span>1<\/span>):
<\/span><\/span>        tmp =<\/span> enc[(i+<\/span>1<\/span>)%<\/span>12<\/span>] ^<\/span> enc[i]
<\/span><\/span>        if<\/span> v6:  # 根据实际情况确定<\/span>
<\/span><\/span>            tmp =<\/span> ((tmp <<<\/span> (i+<\/span>1<\/span>)) |<\/span> (tmp >><\/span> (32<\/span>-<\/span>(i+<\/span>1<\/span>)))) &<\/span> 0xFFFFFFFF<\/span>
<\/span><\/span>        else<\/span>:
<\/span><\/span>            tmp =<\/span> ((tmp >><\/span> (i+<\/span>1<\/span>)) |<\/span> (tmp <<<\/span> (32<\/span>-<\/span>(i+<\/span>1<\/span>)))) &<\/span> 0xFFFFFFFF<\/span>
<\/span><\/span>        enc[(i+<\/span>1<\/span>)%<\/span>12<\/span>] =<\/span> tmp ^<\/span> enc[i]
<\/span><\/span>    
<\/span><\/span>    # 转换为字符串<\/span>
<\/span><\/span>    return<\/span> ''<\/span>.<\/span>join(pack('<I'<\/span>, x).<\/span>decode() for<\/span> x in<\/span> enc)
<\/span><\/span><\/code><\/pre>七、最佳实践建议<\/h2>


环境配置<\/strong><\/p>

优先使用Dynarmic后端提升速度<\/li>
设置正确的SDK版本匹配目标环境<\/li>
保持包名与目标一致以避免JNI问题<\/li>
<\/ul>
<\/li>

函数调用<\/strong><\/p>

简单调用使用符号调用方式<\/li>
复杂场景使用地址调用<\/li>
注意ARM模式下地址需要+1<\/li>
<\/ul>
<\/li>

调试技巧<\/strong><\/p>

关键函数设置断点<\/li>
结合IDA等工具交叉分析<\/li>
记录完整执行日志<\/li>
<\/ul>
<\/li>

性能优化<\/strong><\/p>

避免不必要的内存操作<\/li>
复用模拟器实例<\/li>
适当减少日志输出<\/li>
<\/ul>
<\/li>

常见问题解决<\/strong><\/p>

JNIEnv错误检查JNI调用约定<\/li>
内存访问错误验证指针有效性<\/li>
无输出检查SO加载是否正确<\/li>
<\/ul>
<\/li>
<\/ol>
通过本教学文档，您应该能够掌握使用Unidbg执行安卓SO层方法的核心技术，包括环境搭建、API使用、函数调用和逆向分析等关键技能。<\/p>