unidbg去除间接跳转尝试

2023-07-19

好久没用过unidbg了, 捡起来试试…

0x0 前言

分析过程中发现部分函数无法F5, 读了下指令发现间接跳转, IDA没法解析, 遂搜了一波, 参考了佬的文章解决了

0x1 间接跳转结构

从图中结构来看间接跳转的实现为

第一部分通过一些位移和亦或运算得出2个数组的下标值放在两个寄存器里(这里是w8和w10), 通过一个条件判断使用哪个下标
off_4C30D0是地址数组列表, 并且是固定的, 通过*(baseAryAddr+index)的方式取地址给寄存器, 并通过br reg的方式跳转

0x2 去除间接跳转方案

既然知道间接跳转是通过取数组内容的方式实现的, 那么要做的是

拿到条件跳转的具体条件
拿到数组下标, 通过固定数组地址+下标的方式拿到要跳转的两个地址
覆盖跳转位置, 写一条条件跳转, 写一条绝对跳转, 这样IDA的F5就可以识别了

//            133b04:csel w8, w8, w10, eq
//            133b08:add x21, x21, #0xd0
//            133b0c:ldr x8, [x21, w8, uxtw #3]
//            133b10:stp w9, w11, [sp, #8]
//            133b14:br x8
//            优化至
//            133b04:csel w8, w8, w10, eq
//            133b08:add x21, x21, #0xd0
//            133b0c:ldr x8, [x21, w8, uxtw #3]
//            133b10:beq addrA
//            133b14:b addrB

0x3 Unidbg实现去除

总体实现思路如下

模拟执行中保存每条指令和寄存器环境入栈
遇到br reg指令, 回溯找到LDR reg0, [reg1,reg2,UXTW#3]指令, 取数组首地址
再回溯找到CSEL reg0, reg0, reg1, COND指令, 取跳转条件和两个数组下标值
通过数组首地址+下标的方式取出两个要跳转的地址, 把br reg的位置及上一条修改成要跳转位置

算了

talk is cheap, show the code

package com.mario;


import capstone.Capstone;
import capstone.api.Instruction;
import com.github.unidbg.AndroidEmulator;
import com.github.unidbg.Emulator;
import com.github.unidbg.LibraryResolver;
import com.github.unidbg.Module;
import com.github.unidbg.Symbol;
import com.github.unidbg.arm.HookStatus;
import com.github.unidbg.arm.backend.*;
import com.github.unidbg.arm.context.RegisterContext;
import com.github.unidbg.hook.HookContext;
import com.github.unidbg.hook.ReplaceCallback;
import com.github.unidbg.hook.hookzz.Dobby;
import com.github.unidbg.hook.hookzz.HookEntryInfo;
import com.github.unidbg.hook.hookzz.IHookZz;
import com.github.unidbg.hook.hookzz.InstrumentCallback;
import com.github.unidbg.hook.whale.IWhale;
import com.github.unidbg.hook.whale.Whale;
import com.github.unidbg.hook.xhook.IxHook;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.linux.android.XHookImpl;
import com.github.unidbg.linux.android.dvm.*;
import com.github.unidbg.linux.android.dvm.jni.ProxyClassFactory;
import com.github.unidbg.memory.Memory;
import com.github.unidbg.memory.MemoryBlock;
import com.github.unidbg.memory.MemoryMap;
import com.github.unidbg.pointer.UnidbgPointer;
import com.github.unidbg.utils.Inspector;
import com.sun.jna.Pointer;
import keystone.Keystone;
import keystone.KeystoneArchitecture;
import keystone.KeystoneEncoded;
import keystone.KeystoneMode;
import unicorn.Arm64Const;
import unicorn.Unicorn;
import unicorn.UnicornConst;
import unicorn.UnicornException;

import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.util.*;

public class test {

    private static LibraryResolver createLibraryResolver() {
        return new AndroidResolver(28);
    }

    private static AndroidEmulator createARMEmulator() {
        return AndroidEmulatorBuilder.for64Bit()
                .setProcessName("com.xxxxx")
                .addBackendFactory(new HypervisorFactory(true))
                .build();
    }

    private final AndroidEmulator emulator;
    private final Module module;

    public static  String inName = "unidbg-android/src/test/resources/example_binaries/arm64-v8a/libxxxx.so";
    public static  String outName = "unidbg-android/src/test/resources/example_binaries/arm64-v8a/libxxxx_patch.so";

    //保存指令和寄存器环境类：
    class InsAndCtx
    {
        long addr;
        Instruction ins;
        List<Number> regs;

        public long getAddr() {
            return addr;
        }

        public void setAddr(long addr) {
            this.addr = addr;
        }

        public void setIns(Instruction ins) {
            this.ins = ins;
        }

        public Instruction getIns() {
            return ins;
        }

        public void setRegs(List<Number> regs) {
            this.regs = regs;
        }

        public List<Number> getRegs() {
            return regs;
        }
    }

    //patch类
    class PatchIns{
        long addr;//patch 地址
        String ins;//patch的指令

        public long getAddr() {
            return addr;
        }

        public void setAddr(long addr) {
            this.addr = addr;
        }

        public String getIns() {
            return ins;
        }

        public void setIns(String ins) {
            this.ins = ins;
        }
    }

    public Number getRegValue(String reg,List<Number> regsaved)
    {
        if(reg.equals("xzr"))
        {
            return 0;
        }
        return regsaved.get(Integer.parseInt(reg.substring(1)));
    }


    public int readInt32(Backend bk, long addr)
    {
        byte[] bytes = bk.mem_read(addr, 4);
        int n = bytes[0] << 24;
        n |= (bytes[1] & 0xff) << 16;
        n |= (bytes[2] & 0xff) << 8;
        n |= (bytes[3] & 0xff);
        return n;
    }

    public long readInt64(Backend bk, long addr) { // 01, 02, 03, 04, 05, 06, 07, 08 -> 0x0807060504030201
        // endian-safe read 64-bit integer
        byte[] bytes = bk.mem_read(addr, 8);
        long value = 0;
        for (int i = 7; i >= 0; i--) {
            value = (value << 8) | (bytes[i] & 0xFF);
        }
        return value;
    }

    public long StringToLong(String bt)
    {
        return Long.parseLong(bt,16);
    }


    // 指令栈
    public static Stack<InsAndCtx> instructions;

    //所有需要patch的指令
    public static  List<PatchIns> patchs;

    //保存指令寄存器环境
    public List<Number> saveRegs(Backend bk)
    {
        List<Number> nb = new ArrayList<>();
        for(int i=0;i<29;i++)
        {
            nb.add(bk.reg_read(i+ Arm64Const.UC_ARM64_REG_X0));
        }
        nb.add(bk.reg_read(Arm64Const.UC_ARM64_REG_FP));
        nb.add(bk.reg_read(Arm64Const.UC_ARM64_REG_LR));
        return nb;
    }


    //指令hook，每条指令执行前保存环境
    public void processBr(int start, int end)
    {
        emulator.getBackend().hook_add_new(new CodeHook() {
            @Override
            public void hook(Backend backend, long address, int size, Object user) {
                Capstone capstone = new Capstone(Capstone.CS_ARCH_ARM64,Capstone.CS_MODE_ARM);
                byte[] bytes = emulator.getBackend().mem_read(address, 4);
                Instruction[] disasm = capstone.disasm(bytes, 0);
                System.out.printf("%x:%s %s\n",address-module.base ,disasm[0].getMnemonic(),disasm[0].getOpStr());

                //记录指令
                InsAndCtx iac = new InsAndCtx();
                iac.setIns(disasm[0]);
                iac.setRegs(saveRegs(backend));
                iac.setAddr(address);
                instructions.push(iac);


                //跳过 函数调用 跳转 内存访问
                Instruction ins = instructions.peek().getIns();
                String root = ins.getMnemonic();
                if(root.charAt(0) == 'b' || ins.getMnemonic().contains("ld") || ins.getMnemonic().contains("st"))
                {
                    long nextAddr = instructions.peek().getAddr() + 4;
                    backend.reg_write(Arm64Const.UC_ARM64_REG_PC, nextAddr);
                }

                //处理间接跳转
                do_processbr(backend);
            }

            @Override
            public void onAttach(UnHook unHook) {
                System.out.println("attach");
            }

            @Override
            public void detach() {
                System.out.println("detach");
            }



        },module.base+start, module.base+end,null);
    }

    //指令栈回溯，根据处理结果，生成patchIns，供最后统一patch
    public void do_processbr(Backend backend)
    {
        Instruction ins = instructions.peek().getIns();
        if(ins.getMnemonic().equals("br") && ins.getOpStr().contains("x"))
        {
            String cond = "";
            long brInsAddr = instructions.peek().getAddr() - module.base;
            String stpInsStr = "";
            long funcAryAddr = -1; //函数数组地址
            long condOffset1 = -1; //条件偏移1
            long condOffset2 = -1; //条件偏移2

            try {
                while (!instructions.empty())
                {
                    instructions.pop();
                    ins = instructions.peek().getIns();


                    // 判断是否为取地址数组指令
                    if(ins.getMnemonic().toLowerCase(Locale.ROOT).equals("ldr"))
                    {
                        String[] sp = ins.getOpStr().toLowerCase().split(",");
                        if(sp.length == 4)
                        {
                            if(sp[0].trim().toLowerCase(Locale.ROOT).contains("x") && sp[3].trim().toLowerCase(Locale.ROOT).contains("xtw #3]"))
                            {
                                String reg = sp[1].toLowerCase(Locale.ROOT).trim().substring(1);
                                funcAryAddr = getRegValue(reg,instructions.peek().getRegs()).longValue()-module.base; //取地址数组偏移
                                if( !(funcAryAddr+module.base>module.base && funcAryAddr+module.base < module.base+module.size) )
                                {
                                    break;
                                }
      
                            }
                        }
                    }

                  
          //取下标和条件
          if(ins.getMnemonic().trim().toLowerCase(Locale.ROOT).equals("csel"))
                    {
                        String[] sp = ins.getOpStr().toLowerCase(Locale.ROOT).split(",");
                        if(sp.length == 4)
                        {
                            cond = sp[3].trim();
                            if(sp[0].trim().contains("w"))
                            {
                                String reg1 = sp[1].trim();
                                String reg2 = sp[2].trim();
                                condOffset1 = getRegValue(reg1,instructions.peek().getRegs()).longValue() * 8;
                                condOffset2 = getRegValue(reg2,instructions.peek().getRegs()).longValue() * 8;

                                if(funcAryAddr == -1 || condOffset1 == -1 || condOffset2 == -1 || cond.equals(""))
                                {
                                    break;
                                }
                                else
                                {
                                    long offset1 = readInt64(emulator.getBackend(), module.base+funcAryAddr+condOffset1) - module.base;
                                    long offset2 = readInt64(emulator.getBackend(),module.base+funcAryAddr+condOffset2) - module.base;

                                    String condBr = "b"+cond.toLowerCase(Locale.ROOT) + " 0x"+ Integer.toHexString((int) (offset1 - (brInsAddr-4)));
                                    String br = "b 0x" + Integer.toHexString((int)(offset2 - brInsAddr));
                                    PatchIns pi1 = new PatchIns();
                                    pi1.setAddr(brInsAddr-4);
                                    pi1.setIns(condBr);
                                    patchs.add(pi1);
                                    PatchIns pi2 = new PatchIns();
                                    pi2.setAddr(brInsAddr);
                                    pi2.setIns(br);
                                    patchs.add(pi2);

                                    break;
                                }
                            }
                        }
                    }

                }
            }catch (Exception e)
            {
                e.printStackTrace();
            }
        }
    }

    //遍历patch表，执行patch，生成新的so，使用Ketstone将汇编转为机器码。
    public void patch()
    {
        try {
            File f = new File(inName);
            FileInputStream fis = new FileInputStream(f);
            byte[] data = new byte[(int) f.length()];
            fis.read(data);
            fis.close();
            for(PatchIns pi:patchs)
            {
                System.out.println("procrss addr:"+Integer.toHexString((int) pi.addr)+",code:"+pi.getIns());
                Keystone ks = new Keystone(KeystoneArchitecture.Arm64, KeystoneMode.LittleEndian);
                KeystoneEncoded assemble = ks.assemble(pi.getIns());
                for(int i=0;i<assemble.getMachineCode().length;i++)
                {
                    data[(int) pi.addr+i] = assemble.getMachineCode()[i];
                }
            }
            File fo = new File(outName);
            FileOutputStream fos = new FileOutputStream(fo);
            fos.write(data);
            fos.flush();
            fos.close();
            System.out.println("finish");
        }
        catch (Exception e)
        {
            e.printStackTrace();
        }
    }


    private test() {
        emulator = createARMEmulator();
        final Memory memory = emulator.getMemory();
        memory.setLibraryResolver(createLibraryResolver());

        VM vm = emulator.createDalvikVM();
        vm.setDvmClassFactory(new ProxyClassFactory());
        vm.setVerbose(true);

        DalvikModule dm = vm.loadLibrary(new File("unidbg-android/src/test/resources/example_binaries/arm64-v8a/libxxxx.so"), false);
        vm.loadLibrary(new File("unidbg-android/target/classes/android/sdk23/lib64/libc.so"), false);
        vm.loadLibrary(new File("unidbg-android/src/test/resources/example_binaries/lib64/libm.so"), false);
        vm.loadLibrary(new File("unidbg-android/src/test/resources/example_binaries/lib64/libstdc++.so"), false);
        vm.loadLibrary(new File("unidbg-android/src/test/resources/example_binaries/lib64/ld-android.so"), false);


        this.module = dm.getModule();

        //保存的指令栈
        instructions = new Stack<>();
        //保存的patch列表
        patchs = new ArrayList<>();


        //patch检测区域
        processBr(0x307D30, 0x307FF4);

        //调用函数
        Number number = module.callFunction(emulator, 0x307D30);

        //开始patch
        patch();
    }

    private void destroy() throws IOException {
        emulator.close();
        System.out.println("destroy");
    }

    public static void main(String[] args) throws Exception {
        com.mario.test test = new com.mario.test();

        test.destroy();
    }

}

0x4 处理完的效果

处理前
处理后

参考

感谢大佬文章, 去除思路及代码基本借鉴该文章.
直达连接