svcNumber=0x103 这个找不到在哪，麻烦看下样本链接 aHR0cHM6Ly93d3cud2FuZG91amlhLmNvbS9hcHBzLzYyMzM3MzkvaGlzdG9yeV92ODQzMTE0MQ==

[sign-cc]

list 0 :-1534962946
[14:48:53 785] DEBUG [com.github.unidbg.linux.android.dvm.BaseVM] (BaseVM:146) - addObject hash=0x76f84423, global=true
[14:48:53 785] DEBUG [com.github.unidbg.linux.android.dvm.BaseVM] (BaseVM:146) - addObject hash=0xffffffff857edf86, global=true
[14:48:53 785] DEBUG [com.github.unidbg.linux.android.dvm.BaseVM] (BaseVM:146) - addObject hash=0x6737fd8f, global=true
JNIEnv->CallStaticObjectMethodV(class com/xingin/tiny/internal/t, b(0xa48252fe, [class android/content/Context, "getSharedPreferencesPath", ["String"]]) => java.lang.reflect.Method@6737fd8f) was called from RX@0x1219c934[libtiny.so]0x19c934
[14:48:53 786] DEBUG [com.github.unidbg.linux.android.dvm.BaseVM] (BaseVM:146) - addObject hash=0x6737fd8f, global=false
[14:48:53 786] DEBUG [com.github.unidbg.linux.android.dvm.DalvikVM64] (DalvikVM64$225:3563) - ExceptionCheck throwable=null
[14:48:53 786] DEBUG [com.github.unidbg.linux.android.dvm.DalvikVM64] (DalvikVM64$234:3901) - GetEnv vm=unidbg@0xfffe0080, env=unidbg@0x799e72a69aeb4952, version=0x10006
[14:48:53 786] DEBUG [com.github.unidbg.linux.android.dvm.DalvikVM64] (DalvikVM64$20:309) - DeleteLocalRef object=unidbg@0x63e2203c
[14:48:53 786] DEBUG [com.github.unidbg.linux.android.dvm.DalvikVM64] (DalvikVM64$234:3901) - GetEnv vm=unidbg@0xfffe0080, env=unidbg@0xfffe1640[libmediandk.so]0x640, version=0x10006
[14:48:53 786] DEBUG [com.github.unidbg.linux.android.dvm.DalvikVM64] (DalvikVM64$20:309) - DeleteLocalRef object=unidbg@0x3b084709
[14:48:53 786] WARN [com.github.unidbg.linux.ARM64SyscallHandler] (ARM64SyscallHandler:410) - handleInterrupt intno=2, NR=-130880, svcNumber=0x103, PC=unidbg@0xfffe00c4, LR=RX@0x12249e28[libtiny.so]0x249e28, syscall=null
java.lang.UnsupportedOperationException
at com.github.unidbg.linux.android.dvm.DalvikVM64$4.handle(DalvikVM64.java:96)
at com.github.unidbg.linux.ARM64SyscallHandler.hook(ARM64SyscallHandler.java:119)
at com.github.unidbg.arm.backend.Unicorn2Backend$11.hook(Unicorn2Backend.java:352)
at com.github.unidbg.arm.backend.unicorn.Unicorn$NewHook.onInterrupt(Unicorn.java:109)
at com.github.unidbg.arm.backend.unicorn.Unicorn.emu_start(Native Method)
at com.github.unidbg.arm.backend.unicorn.Unicorn.emu_start(Unicorn.java:312)
at com.github.unidbg.arm.backend.Unicorn2Backend.emu_start(Unicorn2Backend.java:389)
at com.github.unidbg.AbstractEmulator.emulate(AbstractEmulator.java:378)
at com.github.unidbg.thread.Function64.run(Function64.java:39)
at com.github.unidbg.thread.MainTask.dispatch(MainTask.java:19)
at com.github.unidbg.thread.UniThreadDispatcher.run(UniThreadDispatcher.java:165)
at com.github.unidbg.thread.UniThreadDispatcher.runMainForResult(UniThreadDispatcher.java:97)
at com.github.unidbg.AbstractEmulator.runMainForResult(AbstractEmulator.java:341)
at com.github.unidbg.arm.AbstractARM64Emulator.eFunc(AbstractARM64Emulator.java:262)
at com.github.unidbg.Module.emulateFunction(Module.java:163)
at com.github.unidbg.linux.android.dvm.DvmObject.callJniMethod(DvmObject.java:135)
at com.github.unidbg.linux.android.dvm.DvmClass.callStaticJniMethodObject(DvmClass.java:316)
at com.xhs._8431.Tiny.init1(Tiny.java:1122)
at com.xhs._8431.Tiny.main(Tiny.java:1167)
debugger break at: 0xfffe00c4 @ Runnable|Function64 address=0x120d2544, arguments=[unidbg@0xfffe1640[libmediandk.so]0x640, -1733448322, 1184568860, 36333492]

x0=0xfffe1640(-125376) x1=0x6737fd8f x2=0x10006 x3=0xe4fff190 x4=0x3b084709 x5=0xffffffff x6=0x1 x7=0xe4fff718 x8=0xfffe00c0 x9=0x0 x10=0xe4fff190 x11=0x0 x12=0xe4fff200 x13=0x2 x14=0x3
x15=0xab x16=0xac x17=0x124c6000 x18=0x12602020 x19=0xefcdea78 x20=0xfffe1640 x21=0x12619260 x22=0x6737fd8f x23=0x3a1cfd55 x24=0xe4fff718 x25=0x1208d2e5 x26=0x9dface6f x27=0x57c67984 x28=0xfacd8979 fp=0xe4fff2a0
q0=0xe4fff19000000000e4fff200(1.8981897767E-314, 1.8981897213E-314) q1=0xffffff80ffffffd800000000e4fff160(1.8981896976E-314, NaN) q2=0x761db22743897aecb1f12cd8(2.29505005888314112E17, 9.790689612E-315) q3=0x799e72a69aeb49527118101522e3eb18(6.120729363268888E236, 6.746720486162527E277) q4=0x10000000000000001(4.9E-324, 4.9E-324) q5=0x40000000000000004(2.0E-323, 2.0E-323) q6=0x20000000000000002(1.0E-323, 1.0E-323) q7=0x510000000000000051(4.0E-322, 4.0E-322) q8=0x0(0.0) q9=0x0(0.0) q10=0x0(0.0) q11=0x0(0.0) q12=0x0(0.0) q13=0x0(0.0) q14=0x0(0.0) q15=0x0(0.0)
q16=0x30510000000000002051(4.0874E-320, 6.111E-320) q17=0x0(0.0) q18=0x30510000000000002051(4.0874E-320, 6.111E-320) q19=0x0(0.0) q20=0x0(0.0) q21=0x0(0.0) q22=0x0(0.0) q23=0x0(0.0) q24=0x0(0.0) q25=0x0(0.0) q26=0x0(0.0) q27=0x0(0.0) q28=0x0(0.0) q29=0x0(0.0) q30=0x0(0.0) q31=0x0(0.0)
LR=RX@0x12249e28[libtiny.so]0x249e28
SP=0xe4fff270
PC=unidbg@0xfffe00c4
nzcv: N=0, Z=1, C=1, V=0, EL0, use SP_EL0

[sign-cc]

从ida中查看 BLR x8 指向了错误地址导致的

[sign-cc]

frida hook返回值是一个反射对象

[sign-cc]

看起来像是Systemcall报错了，handleInterrupt intno=2, NR=-130880, svcNumber=0x103, 但是查系统调用表查不到对应的值

[sign-cc]

@zhkl0228

[sign-cc]

但是看报错异常仿佛是反射方法pointer 找不到

[createnewdemo]

哥们 解决了吗？我也遇到了；

[sign-cc]

@createnewdemo 没，要不要一起研究研究，我问了下其它人说都不行

[createnewdemo]

q320783214 一起研究一下

[sign-cc]

但是从trace 的情况来看 返回的是一个MethodId

[sign-cc]

@createnewdemo 加了

[airqj]

这问题解决了吗

[sign-cc]

@airqj 暂无方法

[2382323268]

你们的xhs是什么版本，为啥我没遇到这样的问题

[sign-cc]

@2382323268 8+以上都有

[2382323268]

@2382323268 8+以上都有

为什么我是直接返回null，是有哪里没补到吗

[sign-cc]

@2382323268 截图看看

[2382323268]

@2382323268 截图看看

 // 1.创建设备（32位或64位模拟器）， 具体看so文件在哪个目录。 在armeabi-v7a就选择32位
        emulator = AndroidEmulatorBuilder
                .for64Bit()
                .addBackendFactory(new Unicorn2Factory(true))
                .setProcessName(unidbgSoEnum.getPackageName()).build();

        // 2.获取内存对象（可以操作内存）
        memory = emulator.getMemory();

        // 3.设置安卓sdk版本（只支持19、23）
        memory.setLibraryResolver(new AndroidResolver(23));

        // 4.创建虚拟机（运行安卓代码需要虚拟机，就想运行py代码需要python解释器一样）
        vm = emulator.createDalvikVM(new File(path + unidbgSoEnum.getApk()));
        function.apply(emulator, vm, memory);

        vm.setJni(this);
        //是否展示调用过程的细节
        vm.setVerbose(true);
        emulator.getSyscallHandler().addIOResolver(this);


        // 5.加载so文件
        DalvikModule dm = }vm.loadLibrary(unidbgSoEnum.getSo(), true);

        // traceCode()可以查看so文件中的调用过程
        // emulator.traceCode();

        // 6.dm代表so文件，dm.getModule()得到module对象，基于module对象可以访问so中的成员。
        module = dm.getModule();
        dm.callJNI_OnLoad(emulator);



    public Object a() {
        DvmClass cls = vm.resolveClass("com/xxx/tiny/internal/t");
        String method = "a(I[Ljava/lang/Object;)Ljava/lang/Object;";
        ArrayObject arrayObject = new ArrayObject(new StringObject(vm, "POST"), new StringObject(vm, "https://xxx.xxx.com/test"), new ByteArray(vm, "test".getBytes(StandardCharsets.UTF_8)));
        DvmObject<?> dvmObject = cls.callStaticJniMethodObject(emulator, method, 0, arrayObject);
        System.out.println("dvmObject = " + dvmObject);
        return null;
    }

下面是控制台输出

024-12-30 14:20:20.964 CST INFO  [main] com.xy.imitator.so.env.CoreEnv[c.x.i.s.e.CoreEnv:95] - 系统文件 fileName = /dev/__properties__
File opened '/dev/__properties__' with oflags=0x88000 from RX@0x405d2854[libc.so]0x22854
File closed '/dev/__properties__' from RX@0x405cece4[libc.so]0x1ece4
2024-12-30 14:20:20.970 CST INFO  [main] com.xy.imitator.so.env.CoreEnv[c.x.i.s.e.CoreEnv:127] - 系统属性 key = ro.kernel.qemu
2024-12-30 14:20:20.973 CST INFO  [main] com.xy.imitator.so.env.CoreEnv[c.x.i.s.e.CoreEnv:127] - 系统属性 key = libc.debug.malloc
2024-12-30 14:20:20.996 CST INFO  [main] com.xy.imitator.so.env.CoreEnv[c.x.i.s.e.CoreEnv:95] - 系统文件 fileName = /proc/stat
File opened '/proc/stat' with oflags=0x80000 from RX@0x405d2854[libc.so]0x22854
Read 1871 bytes from '/proc/stat'
Read 0 bytes from '/proc/stat'
File closed '/proc/stat' from RX@0x405cece4[libc.so]0x1ece4
JNIEnv->FindClass(com/xingin/tiny/internal/t) was called from RX@0x401c6e70[libtiny.so]0x1c6e70
JNIEnv->RegisterNatives(com/xingin/tiny/internal/t, unidbg@0xbffff6b0, 1) was called from RX@0x401c6ebc[libtiny.so]0x1c6ebc
RegisterNative(com/xingin/tiny/internal/t, a(I[Ljava/lang/Object;)Ljava/lang/Object;, RX@0x401ab2d0[libtiny.so]0x1ab2d0)
Find native function Java_com_xingin_tiny_internal_t_a => RX@0x401ab2d0[libtiny.so]0x1ab2d0
JNIEnv->GetObjectArrayElement(["POST", "https://xxx.xxx/test", [B@74844216], 0) => "POST" was called from RX@0x401c25c0[libtiny.so]0x1c25c0
JNIEnv->GetObjectArrayElement(["POST", "https://xxx.xxx/test", [B@74844216], 1) => "https://xxx.xxx/test" was called from RX@0x401c25c0[libtiny.so]0x1c25c0
JNIEnv->GetObjectArrayElement(["POST", "https://xxx.xxx/test", [B@74844216], 2) => [B@74844216 was called from RX@0x401c25c0[libtiny.so]0x1c25c0
JNIEnv->GetStringUtfChars("POST") was called from RX@0x4038282c[libtiny.so]0x38282c
JNIEnv->ReleaseStringUTFChars("POST") was called from RX@0x403828b8[libtiny.so]0x3828b8
JNIEnv->GetStringUtfChars("https://xxx.xxx/test") was called from RX@0x4038282c[libtiny.so]0x38282c
JNIEnv->ReleaseStringUTFChars("https://xxx.xxx/test") was called from RX@0x403828b8[libtiny.so]0x3828b8
JNIEnv->GetArrayLength([B@74844216 => 250) was called from RX@0x401c47a0[libtiny.so]0x1c47a0
JNIEnv->GetByteArrayRegion([B@74844216, 0, 250, RW@0x4077b000) was called from RX@0x401c63f8[libtiny.so]0x1c63f8
dvmObject = null

[2382323268]

@sign-cc 要不要留个q或者v交流一下，我这啥错都不报

[sign-cc]

@2382323268 你没有跑初始化

[2382323268]

@2382323268 你没有跑初始化

啥意思，我看源码只有一个native方法呀

[sign-cc]

你调用的这个方法前面还有几步初始化操作

[sign-cc]

@2382323268

[2382323268]

@2382323268
怎么初始化啊，请教一下，我不知道是我unidbg没初始化，还是xhs有其他初始化步骤我漏了，

[sign-cc]

@2382323268 frida hook 下面的函数
DvmClass cls = vm.resolveClass("com/xxx/tiny/internal/t");
String method = "a(I[Ljava/lang/Object;)Ljava/lang/Object;";
清除缓存，

你这个int参数 0也不对啊

[2382323268]

@2382323268 frida hook 下面的函数 DvmClass cls = vm.resolveClass("com/xxx/tiny/internal/t"); String method = "a(I[Ljava/lang/Object;)Ljava/lang/Object;"; 清除缓存， 你这个int参数 0也不对啊

这个参数是828356434，但是还是不行

[sign-cc]

@2382323268 你根据函数偏移地址来hook so方法，打印int参数你就知道了 在 828356434 还有俩初始化

[2382323268]

@2382323268 你根据函数偏移地址来hook so方法，打印int参数你就知道了 在 828356434 还有俩初始化

偏移地址hook还没学，我直接hook方法发现被调用了好多次，是少了154082137和816426162吗

[sign-cc]

@2382323268 不是，你先学学吧

[2382323268]

@2382323268 不是，你先学学吧

找到函数地址了 hook不了， 可能是我用模拟器的原因，，，

[2382323268]

我补到这一步了，你知道xhs frida 如何过检测吗，我hook其他代码没问题，hook我要补的哪个方法 frida 就自动关闭了 app版本是8.47

[sign-cc]

@2382323268 libmasao的过检测方式，你去搜搜

[wucaizi]

public abstract java.io.File android.content.Context.getSharedPreferencesPath(java.lang.String)。 这个问题解决了吗。应该怎么构造呢

[2382323268]

但是从trace 的情况来看 返回的是一个MethodId

我在卡在这里了，补环境的时候 返回methodid就行吗

[sign-cc]

@2382323268 你图片上传失败了

[sign-cc]

@wucaizi 暂无解决方法

[2382323268]

@2382323268 你图片上传失败了

你哪个反射的可以解决，你有开多线程吗 我卡在哪里了

[sign-cc]

@2382323268 反射你怎么解决掉的

[2382323268]

@2382323268 反射你怎么解决掉的

留个微信交流呗，我卡住了 看看能不能一起解决

[2382323268]

我这边b方法他少调用了 一步，导致我卡在这里了，少了448838572这步

[2382323268]

@2382323268 反射你怎么解决掉的

看见直接加我v吧 wxw991203

[sign-cc]

@2382323268 加了

[Wan9xy]

call JNIOnLoad
JNIEnv->FindClass(com/xingin/tiny/internal/t) was called from RX@0x4018da1c[libtiny.so]0x18da1c
JNIEnv->RegisterNatives(com/xingin/tiny/internal/t, unidbg@0xbffff688, 1) was called from RX@0x4018d934[libtiny.so]0x18d934
RegisterNative(com/xingin/tiny/internal/t, a(I[Ljava/lang/Object;)Ljava/lang/Object;, RX@0x4016d62c[libtiny.so]0x16d62c)
Called a(int, [Object)
JNIEnv->GetArrayLength([java.lang.Integer@2dc54ad4, [B@d9345cd, [B@2d710f1a] => 3) was called from RX@0x40172514[libtiny.so]0x172514
JNIEnv->GetObjectArrayElement([java.lang.Integer@2dc54ad4, [B@d9345cd, [B@2d710f1a], 0) => java.lang.Integer@2dc54ad4 was called from RX@0x4016e354[libtiny.so]0x16e354
[09:31:41 038] WARN [com.github.unidbg.linux.ARM64SyscallHandler] (ARM64SyscallHandler:399) - handleInterrupt intno=2, NR=-130144, svcNumber=0x131, PC=unidbg@0xfffe03a4, LR=RX@0x404b605c[libtiny.so]0x4b605c, syscall=null
java.lang.NullPointerException: Cannot invoke "com.github.unidbg.pointer.UnidbgPointer.toIntPeer()" because "jmethodID" is null
at com.github.unidbg.linux.android.dvm.DalvikVM64$50.handle(DalvikVM64.java:857)
at com.github.unidbg.linux.ARM64SyscallHandler.hook(ARM64SyscallHandler.java:118)
at com.github.unidbg.arm.backend.Unicorn2Backend$11.hook(Unicorn2Backend.java:347)
at com.github.unidbg.arm.backend.unicorn.Unicorn$NewHook.onInterrupt(Unicorn.java:109)
at com.github.unidbg.arm.backend.unicorn.Unicorn.emu_start(Native Method)
at com.github.unidbg.arm.backend.unicorn.Unicorn.emu_start(Unicorn.java:312)
at com.github.unidbg.arm.backend.Unicorn2Backend.emu_start(Unicorn2Backend.java:384)
at com.github.unidbg.AbstractEmulator.emulate(AbstractEmulator.java:380)
at com.github.unidbg.thread.Function64.run(Function64.java:39)
at com.github.unidbg.thread.MainTask.dispatch(MainTask.java:19)
at com.github.unidbg.thread.UniThreadDispatcher.run(UniThreadDispatcher.java:175)
at com.github.unidbg.thread.UniThreadDispatcher.runMainForResult(UniThreadDispatcher.java:99)
at com.github.unidbg.AbstractEmulator.runMainForResult(AbstractEmulator.java:340)
at com.github.unidbg.arm.AbstractARM64Emulator.eFunc(AbstractARM64Emulator.java:262)
at com.github.unidbg.Module.emulateFunction(Module.java:163)
at com.github.unidbg.linux.LinuxModule.callFunction(LinuxModule.java:262)
at com.libtiny.tiny.a(tiny.java:78)
at com.libtiny.tiny.main(tiny.java:117)
[09:31:41 040] WARN [com.github.unidbg.AbstractEmulator] (AbstractEmulator:420) - emulate RX@0x4016d62c[libtiny.so]0x16d62c exception sp=unidbg@0xbfffb950, msg=Cannot invoke "com.github.unidbg.pointer.UnidbgPointer.toIntPeer()" because "jmethodID" is null, offset=5ms
Called a(int, [Object)

@sign-cc 哥能不能一块研究一下，Wan9xyo我的v
@2382323268 我加过你了好兄弟，你通过一下