ExceptionRaised[dynarmic.cpp->ExceptionRaised:231]

[hackdoors]

unidbg使用自带hookzz出现异常，这是怎么回事啊

[hackdoors]

package com.hack.lesson5;

import com.alibaba.fastjson.support.hsf.HSFJSONUtils;
import com.github.unidbg.AndroidEmulator;
import com.github.unidbg.Emulator;
import com.github.unidbg.Module;
import com.github.unidbg.arm.HookStatus;
import com.github.unidbg.arm.backend.DynarmicFactory;
import com.github.unidbg.hook.HookContext;
import com.github.unidbg.hook.IHook;
import com.github.unidbg.hook.ReplaceCallback;
import com.github.unidbg.hook.hookzz.HookZz;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.linux.android.dvm.DalvikModule;
import com.github.unidbg.linux.android.dvm.DvmObject;
import com.github.unidbg.linux.android.dvm.StringObject;
import com.github.unidbg.linux.android.dvm.VM;
import com.github.unidbg.linux.android.dvm.jni.ProxyDvmObject;
import com.github.unidbg.memory.Memory;
import com.sun.jna.Pointer;
import unicorn.Unicorn;

import java.io.File;
import java.util.ArrayList;
import java.util.List;

public class MainActivity {
private final AndroidEmulator emulator;
private final VM vm;
private final Memory memory;
private final Module module;

public MainActivity(){
    emulator= AndroidEmulatorBuilder.for32Bit().addBackendFactory(new DynarmicFactory(true)).build();
    memory=emulator.getMemory();
    memory.setLibraryResolver(new AndroidResolver(23));

    vm=emulator.createDalvikVM();
    DalvikModule dalvikModule=vm.loadLibrary(new File("unidbg-android/src/test/java/com/hack/lesson5/libnative-lib.so"),true);
    module=dalvikModule.getModule();

    vm.callJNI_OnLoad(emulator,module);
}

public void callAdd(){
    DvmObject object= ProxyDvmObject.createObject(vm,this);
    final int result = object.callJniMethodInt(emulator, "add(II)I", 3,2);
    System.out.println("call the so add function result is ==>"+result);

}

public void hook(){
    //unidbg集成了HookZz框架
    HookZz hook = HookZz.getInstance(emulator);
    //直接hook add函数的地址，比通过符号hook更具有“普适性”
    hook.replace(module.base + 0x3DC + 1, new ReplaceCallback() {
        @Override
        public HookStatus onCall(Emulator<?> emulator, HookContext context, long originFunction) {
            //R2和R3才是参数，R0是env，R1是object
            System.out.println(String.format("R2: %d, R3: %d",context.getIntArg(2),context.getIntArg(3)));
            //把第二个参数R3改成5
            emulator.getBackend().reg_write(Unicorn.UC_ARM_REG_R3,5);
            return super.onCall(emulator, context, originFunction);
        }
        @Override
        public void postCall(Emulator<?> emulator, HookContext context) {
            emulator.getBackend().reg_write(Unicorn.UC_ARM_REG_R0,10);
            //返回值放R0，这里直接修改返回值
            super.postCall(emulator, context);
        }
    }, true);
}
//psvm快速输入
public static void main(String[] args) {
    long start = System.currentTimeMillis();
    MainActivity mainActivity=new MainActivity();
    System.out.println("load the vm "+(System.currentTimeMillis()-start)+"ms");
    mainActivity.hook();
    mainActivity.callAdd();


}

}

[hackdoors]

nativelib代码如下

[hackdoors]

#include <jni.h>
#include
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

extern "C"
JNIEXPORT jint JNICALL
Java_com_hack_lesson5_MainActivity_add(JNIEnv *env, jobject thiz, jint a,jint b) {
if(a<0){
a=-a;
}
if(b<0){
b=-b;
}
return a+b;
}