

pollux's Dairy

FUPK源码阅读

pollux's Dairy

FUPK源码阅读

字数统计: 804阅读时长: 5 min

 2019/12/15   Share

• 
• 
• 
• 
• 

1、获得完整的DEX

在frameworks/base/core/java/android/app/ActivityThread.java的handleBindApplication处插桩

try {
    UpkConfig config = new UpkConfig();
    if (config.load() && config.mTargetPackage.equals(data.info.getPackageName())) {
        Fupk upk = new Fupk(config.mTargetPackage);
        upk.unpackAfter(10000);
    }
} catch (Throwable t) {
}

创建Fupk的实例，创建实例过程加载so文件，然后调用其unpackAfter函数，其中调用unpackNow初始化其类变量appLoader，最后调用native函数core_Fupk::unpackAll

public final static String hookSo = "/data/local/tmp/libFupk3.so";

static {
  System.load(Global.hookSo);
}

该so文件存在JNI_OnLoad函数，在app/src/main/cpp/main.cpp中，主要做了两部分内容：1、动态注册native函数core_Fupk::unpackAll；2、通过dlopen、dlsym函数获得libdvm.so中的接口（函数指针）

core_Fupk::registerNativeMethod(env)

回到core_Fupk::unpackAll，该函数首先将dump方法的函数绑定到app/src/main/cpp/DexHelper/DexDumper.cpp中的fupk_ExportMethod中

然后调用了app/src/main/cpp/DexHelper/Fupk.cpp中的对象的unpackAll方法

void ::core_Fupk::unpackAll(JNIEnv *env, jobject obj, jstring folder) {
    interface->ExportMethod = fupk_ExportMethod;
    Fupk upk(env, sFolder, obj);
    upk.unpackAll();

在实例化Fupk对象时，通过自定义接口dlsym(libdvm, "dvmGetUserDexFiles");获得gDvm.userDexFiles返回的HashTable，从中提取DvmDex信息

auto dvmDex = mCookie.getCookieAt(i, name, mIgnoreCase);

struct DvmDex {
    /* pointer to the DexFile we're associated with */
    DexFile*            pDexFile;

    /* clone of pDexFile->pHeader (it's used frequently enough) */
    const DexHeader*    pHeader;

    /* interned strings; parallel to "stringIds" */
    struct StringObject** pResStrings;

    /* resolved classes; parallel to "typeIds" */
    struct ClassObject** pResClasses;

    /* resolved methods; parallel to "methodIds" */
    struct Method**     pResMethods;

    /* resolved instance fields; parallel to "fieldIds" */
    /* (this holds both InstField and StaticField) */
    struct Field**      pResFields;

    /* interface method lookup cache */
    struct AtomicCache* pInterfaceCache;

    /* shared memory region with file contents */
    bool                isMappedReadOnly;
    MemMapping          memMap;

    jobject dex_object;

    /* lock ensuring mutual exclusion during updates */
    pthread_mutex_t     modLock; // TODO import
};

这样就获得了内存中完整的Dex，下面开始主动调用方法

DexDumper dumper(mEnv, dvmDex, mUpkObj);
dumper.rebuild();//dump方法体@cs

这个mUpkObj是内核中Fupk的实例，创建DexDumper实例后，开始主动调用其方法

//app/src/main/cpp/DexHelper/DexDumper.cpp
bool DexDumper::rebuild() {
  jclass upkClazz = mEnv->GetObjectClass(mUpkObj);
  auto loaderObject = JniInfo::GetObjectField(mEnv, mUpkObj, "appLoader", "Ljava/lang/ClassLoader;");
  auto tryLoadClass_method = mEnv->GetMethodID(upkClazz, "tryLoadClass", "(Ljava/lang/String;)Ljava/lang/Class;");

2、类的主动加载

1. 获得内核Fupk实例的Class
2. 获得ClassLoader实例systemClassLoader
3. 获得tryLoadClass方法id

auto jClazz = mEnv->CallObjectMethod(mUpkObj, tryLoadClass_method, jDotDescriptor);//通过tryLoadClass获取类对象

参数jDotDescriptor即为获得的类签名

// I will load the class from java(the loader may has been replaced)
public Class tryLoadClass(String className) {
    try {
        return FRefInvoke.getClass(appLoader, className);
    } catch (Exception e) {
        e.printStackTrace();
    }
    return null;
}

public static Class getClass(ClassLoader loader, String class_name) throws Exception{
    if (loader != null) {
        try {
            return loader.loadClass(class_name);//主动加载@cs
        } catch (Exception e){
            // class not found from loader, used Class.forName instead
        }
    }
    return Class.forName(class_name);
}

通过tryLoadClass函数，使用systemClassLoader去主动加载这个类

3、主动调用方法，dump方法体

回到native层

后面通过DexDumper::fixMethodByDvm主动调用方法

bool DexDumper::fixMethodByDvm(DexSharedData &shared, DexMethod *dexMethod,
                               ClassDefBuilder* builder, u4 &lastIndex) {
    lastIndex = lastIndex + dexMethod->methodIdx;
    auto m = builder->getMethodMap(lastIndex);

    assert(m != nullptr && "Unable to fix MethodBy Dvm, this should happened");

    shared.mCurMethod = dexMethod;
    FupkImpl::fupkInvokeMethod(m);//调用方法@cs
    shared.mCurMethod = nullptr;
    return true;
}

FupkImpl::fupkInvokeMethod(m)即为

app/src/main/cpp/DexHelper/DexDumper.cpp中的fupk_ExportMethod方法

该方法插桩到了内核中的invoke函数中

在fupk_ExportMethod中，将方法指针保存在了shared变量中

shared->extra.append((char*)item, code_item_len);//保存方法体@cs

原文作者：Po1lux

原文链接：http://yoursite.com/2019/12/15/FUPK源码阅读/

发表日期：December 15th 2019, 10:28:04 pm

更新日期：March 27th 2020, 6:46:45 pm

版权声明：本文采用知识共享署名-非商业性使用 4.0 国际许可协议进行许可

• Next Post
  ubuntu16.04 处理wifi问题小记
• Previous Post
  Android-6.0.0_r1源码分析-Java层加载Dex和类的过程

Powered by Hexotheme Archer

PV: :)

CATALOG

1. 1. 1、获得完整的DEX
2. 2. 2、类的主动加载
3. 3. 3、主动调用方法，dump方法体



• Archive
• Tag
• Cate

Total : 56

2020

• 04/11de5811cdab48a0f5e656384bd3feff88
• 03/30C++虚表杂记
• 03/2651ff4f42e4a8218a6d27ec8cd9874f37
• 03/25android-6.0.0源码分析-zygote启动过程
• 02/23mineucore-内核线程管理学习笔记
• 02/21mineucore-x86-32下的中断处理
• 02/20mineucore-x86-32系统启动流程
• 02/19inlineHookS安卓内联hook框架
• 01/31内存壳学习
• 01/04汇编分析一个so文件中的变形RC4和变形base64算法

2019

• 12/17ubuntu-16.04 源码编译 Android-6.0.0_r1 与调试
• 12/17ubuntu16.04 处理wifi问题小记
• 12/15FUPK源码阅读
• 12/14Android-6.0.0_r1源码分析-Java层加载Dex和类的过程
• 12/09NDK开发学习记录
• 12/02初试反调试
• 12/01手机和AS中debug环境配置问题小记
• 11/27nexus5环境配置
• 11/23通过在native层动态修改内存中的Dalvik指令来学习Dex文件格式
• 11/20IDA notebook
• 11/08使用frida Hook动态加载Dex
• 11/06frida-notebook
• 11/04Linux Kernel ROP
• 10/06mineucore-虚拟内存管理学习笔记
• 10/03mineucore-物理内存管理学习笔记
• 09/22seccomp沙箱机制 & 2019ByteCTF VIP
• 06/252019-SCTF-easy_heap[fastbin attack]
• 06/252019-SCTF-one_heap[tcache的counts中存在的数据类型判断漏洞]
• 06/102019-TCTF(final)-babyheap2.29
• 05/272018-0CTF-heapstorm2
• 05/052019-sixstarsCTF-babyshell[shellcode]
• 05/042019-sixstarsCTF-heap_master
• 05/032018-hitcon-baby_tcache
• 05/032018-Hitcon-children_tcache
• 05/022019-sixstarsCTF-girlfriend[libc2.29,tcache]
• 05/012019-sixstarsCTF-quicksort
• 04/172018-网顶杯CTF-blind
• 04/132019-西湖论剑CTF-Strom_note-[off by one, largebin attack]
• 04/102019-西湖论剑CTF-noinfoleak
• 04/092019-西湖论剑CTF-story
• 04/042018-SUCTF-lock2-[fmt,栈溢出,Canary]
• 04/012018-SUCTF-note
• 03/29House_of_Orange在2.24glibc下的利用
• 03/272016-Hitcon-House_of_Orange
• 03/242018-SUCTF-Heap-[off by one,unlink]
• 03/202016-BCTF-bcloud-[Heap of Force]
• 03/10libc源码分析-chunk的释放
• 03/082014-hack.lu CTF-OREO-[House of spirit]
• 03/022016-HCTF-fheap-[fastbin UAF,PIE,DynELF use fmt]

2018

• 10/202016 ZCTF note2
• 10/172014 HITCON stkof
• 10/11QiangwangCup-2015-shellman
• 09/30X-CTF Quals 2016 - b0verfl0w
• 09/16格式化字符串漏洞总结
• 09/15FengyunCup-2016-safedoor
• 09/13pwnable.kr-brain fuck

unlink fastbin attack House of spirit House of Force UAF DynELF PIE format string off by one x64 64bit 格式化字符串漏洞 栈溢出 Canary tcache libc-2.29 chunk overlapping chunk extend shellcode，系统调用 libc2.29 stack overflow fmt rop 2016，CTFs，fsb CTF stack pivoting OS pwnable fsb



缺失模块。
1、请确保node版本大于6.2
2、在博客根目录（注意不是archer根目录）执行以下命令：
npm i hexo-generator-json-content --save
3、在根目录_config.yml里添加配置：

jsonContent:
  meta: false
  pages: false
  posts:
    title: true
    date: true
    path: true
    text: false
    raw: false
    content: false
    slug: false
    updated: false
    comments: false
    link: false
    permalink: false
    excerpt: false
    categories: true
    tags: true

heap stack android-reverse learning-note android-system Operating-System pwnable conclusion

