安卓逆向入门-Unicorn入门

入门

安装:

1
pip install unicorn capstone

入门:

1
2
3
4
5
6
7
8
9
10
11
12
13
from unicorn import *
from unicorn.x86_const import * #32-bit x86
X86_CODE32=b"\x41\x4a" #INC ecx;DEC dex;
ADDRESS=0x1000000 #模拟运行时地址
mu=Uc(UC_ARCH_X86,UC_MODE_32) #初始化Unicorn实例 硬件架构、硬件模式
mu.mem_map(ADDRESS,2*1024*1024) #再ADDRESS处映射2MB内存空间 所有CPU操作只能访问该内存 默认权限rwx 首地址和内存长度必须为0x1000整数倍 否则抛出UC_ERR_ARG异常
mu.mem_write(ADDRESS,X86_CODE32) #代码装入分配的内存中
mu.reg_write(UC_X86_REG_ECX,0x1234) #设置寄存器值
mu.reg_write(UC_X86_REG_EDX,0x7890)
mu.emu_start(ADDRESS,ADDRESS+len(X86_CODE32)) #开始模拟 代码地址、模拟停止地址、模拟时间、模拟指令数
r_ecx=mu.reg_read(UC_X86_REG_ECX)
r_edx=mu.reg_read(UC_X86_REG_EDX)
print("ECX=0x%x,EDX=0x%x"%(r_ecx,r_edx))

Hook

Unicorn的Hook API:

1
mu.hook_add(UC_HOOK_CODE,hook_code,begin=ADDRESS,end=ADDRESS) #实现Hook函数hook_code 被Hook代码起始地址begin 被Hook代码终止地址end

在上述程序中添加Hook逻辑:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
from unicorn import *
from unicorn.x86_const import *
def hook_code(mu,address,size,user_data):
print("Tracing instruction at 0x%x,instruction size=0x%x"%(address,size))
X86_CODE32=b"\x41\x4a"
ADDRESS=0x1000000
mu=Uc(UC_ARCH_X86,UC_MODE_32)
mu.mem_map(ADDRESS,2*1024*1024)
mu.mem_write(ADDRESS,X86_CODE32)
mu.reg_write(UC_X86_REG_ECX,0x1234)
mu.reg_write(UC_X86_REG_EDX,0x7890)
mu.hook_add(UC_HOOK_CODE,hook_code,begin=ADDRESS,end=ADDRESS+len(X86_CODE32))
mu.emu_start(ADDRESS,ADDRESS+len(X86_CODE32))
r_ecx=mu.reg_read(UC_X86_REG_ECX)
r_edx=mu.reg_read(UC_X86_REG_EDX)
print("ECX=0x%x,EDX=0x%x"%(r_ecx,r_edx))

实战入门

样本:https://eternal.red/assets/files/2017/UE/fibonacci。

这程序越跑越慢,用Unicorn对他进行分析优化。反汇编如下,发现调用递归Fibonacci函数,第一个参数为函数值,第二个参数为0或1,求返回值:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
__int64 __fastcall main(int a1, char **a2, char **a3)
{
char *v3; // rbp
int v4; // ebx
__int64 v5; // r8
char v6; // r9
__int64 v7; // r8
char v8; // cl
_DWORD v10[7]; // [rsp+Ch] [rbp-1Ch] BYREF

v3 = (char *)&unk_4007E1;
v4 = 0;
setbuf(stdout, 0LL);
printf("The flag is: ");
while ( 1 )
{
LODWORD(v5) = 0;
do
{
v10[0] = 0;
sub_400670((unsigned int)(v4 + v5), v10);
v8 = v7;
v5 = v7 + 1;
}
while ( v5 != 8 );
v4 += 8;
if ( (unsigned __int8)(v10[0] << v8) == v6 )
break;
++v3;
_IO_putc(v6 ^ (unsigned __int8)(LOBYTE(v10[0]) << v8), stdout);
}
_IO_putc(10, stdout);
return 0LL;
}
__int64 __fastcall sub_400670(int a1, _DWORD *a2)
{
int v3; // r12d
__int64 result; // rax
unsigned int v5; // esi
unsigned int v6; // esi

if ( a1 )
{
if ( a1 == 1 )
{
result = sub_400670(0LL, a2);
}
else
{
v3 = sub_400670((unsigned int)(a1 - 2), a2);
result = v3 + (unsigned int)sub_400670((unsigned int)(a1 - 1), a2);
}
v5 = (((unsigned int)result - (((unsigned int)result >> 1) & 0x55555555)) >> 2) & 0x33333333;
v6 = v5
+ ((result - (((unsigned int)result >> 1) & 0x55555555)) & 0x33333333)
+ ((v5 + (((_DWORD)result - (((unsigned int)result >> 1) & 0x55555555)) & 0x33333333)) >> 4);
*a2 ^= ((BYTE1(v6) & 0xF) + (v6 & 0xF) + (unsigned __int8)((((v6 >> 8) & 0xF0F0F) + (v6 & 0xF0F0F0F)) >> 16)) & 1;
}
else
{
*a2 ^= 1u;
return 1LL;
}
return result;
}

先尝试跑起来:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
from unicorn import *
from unicorn.x86_const import *
import struct
def read(name):
with open(name,"rb") as f:
return f.read()
def u32(data): #4字节小端序字符串转整数
return struct.unpack("I",data)[0]
def p32(num): #整数转4字节小端序字符串
return struct.pack("I",num)
def hook_code(mu,address,size,user_data):
print("Tracing instruction at 0x%x,instruction size=0x%x"%(address,size))
mu=Uc(UC_ARCH_X86,UC_MODE_64) #x86-64
BASE=0x400000
STACK_ADDR=0x0
STACK_SIZE=1024*1024
mu.mem_map(BASE,1024*1024)
mu.mem_map(STACK_ADDR,STACK_SIZE)
mu.mem_write(BASE,read("./fibonacci"))
mu.reg_write(UC_X86_REG_RSP,STACK_ADDR+STACK_SIZE-1)
mu.hook_add(UC_HOOK_CODE,hook_code)
mu.emu_start(0x00000000004004E0,0x0000000000400575)

发现报错,原因是有些调用指令访问不到,没载入虚拟内存。

1
2
3
4
5
6
7
8
9
10
11
12
13
Tracing instruction at 0x4004e0,instruction size=0x1
Tracing instruction at 0x4004e1,instruction size=0x1
Tracing instruction at 0x4004e2,instruction size=0x2
Tracing instruction at 0x4004e4,instruction size=0x5
Tracing instruction at 0x4004e9,instruction size=0x2
Tracing instruction at 0x4004eb,instruction size=0x4
Tracing instruction at 0x4004ef,instruction size=0x7
Traceback (most recent call last):
File "demo.py", line 22, in <module>
mu.emu_start(0x00000000004004E0,0x0000000000400575)
File "D:\Python\lib\site-packages\unicorn\unicorn.py", line 547, in emu_start
raise UcError(status)
unicorn.unicorn.UcError: Invalid memory read (UC_ERR_READ_UNMAPPED)

这种代码有:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
.text:00000000004004E0                             ; __int64 __fastcall main(int, char **, char **)
.text:00000000004004E0 main proc near ; DATA XREF: start+1D↓o
.text:00000000004004E0
.text:00000000004004E0 var_1C = dword ptr -1Ch
.text:00000000004004E0
.text:00000000004004E0 ; __unwind {
.text:00000000004004E0 000 55 push rbp
.text:00000000004004E1 008 53 push rbx
.text:00000000004004E2 010 31 F6 xor esi, esi ; buf
.text:00000000004004E4 010 BD E1 07 40 00 mov ebp, offset unk_4007E1
.text:00000000004004E9 010 31 DB xor ebx, ebx ; Logical Exclusive OR
.text:00000000004004EB 010 48 83 EC 18 sub rsp, 18h ; Integer Subtraction
.text:00000000004004EF 028 48 8B 3D 42 0B 20 00 mov rdi, cs:stdout ; stream 这里
.text:00000000004004F6 028 E8 B5 FF FF FF call _setbuf ; Call Procedure 这里
.text:00000000004004FB 028 BF D0 07 40 00 mov edi, offset format ; "The flag is: "
.text:0000000000400500 028 31 C0 xor eax, eax ; Logical Exclusive OR
.text:0000000000400502 028 E8 B9 FF FF FF call _printf ; Call Procedure 这里
.text:0000000000400507 028 41 B9 49 00 00 00 mov r9d, 49h ; 'I'
.text:000000000040050D 028 0F 1F 00 nop dword ptr [rax] ; No Operation
.text:0000000000400510
.text:0000000000400510 loc_400510: ; CODE XREF: main+8A↓j
.text:0000000000400510 028 45 31 C0 xor r8d, r8d ; Logical Exclusive OR
.text:0000000000400513 028 EB 06 jmp short loc_40051B ; Jump
.text:0000000000400513 ; ---------------------------------------------------------------------------
.text:0000000000400515 028 0F 1F 00 align 8
.text:0000000000400518
.text:0000000000400518 loc_400518: ; CODE XREF: main+67↓j
.text:0000000000400518 028 41 89 F9 mov r9d, edi
.text:000000000040051B
.text:000000000040051B loc_40051B: ; CODE XREF: main+33↑j
.text:000000000040051B 028 42 8D 3C 03 lea edi, [rbx+r8] ; Load Effective Address
.text:000000000040051F 028 48 8D 74 24 0C lea rsi, [rsp+28h+var_1C] ; Load Effective Address
.text:0000000000400524 028 C7 44 24 0C 00 00 00 00 mov [rsp+28h+var_1C], 0
.text:000000000040052C 028 E8 3F 01 00 00 call sub_400670 ; Call Procedure
.text:0000000000400531 028 8B 7C 24 0C mov edi, [rsp+28h+var_1C]
.text:0000000000400535 028 44 89 C1 mov ecx, r8d
.text:0000000000400538 028 49 83 C0 01 add r8, 1 ; Add
.text:000000000040053C 028 D3 E7 shl edi, cl ; Shift Logical Left
.text:000000000040053E 028 89 F8 mov eax, edi
.text:0000000000400540 028 44 31 CF xor edi, r9d ; Logical Exclusive OR
.text:0000000000400543 028 49 83 F8 08 cmp r8, 8 ; Compare Two Operands
.text:0000000000400547 028 75 CF jnz short loc_400518 ; Jump if Not Zero (ZF=0)
.text:0000000000400549 028 83 C3 08 add ebx, 8 ; Add
.text:000000000040054C 028 44 38 C8 cmp al, r9b ; Compare Two Operands
.text:000000000040054F 028 48 8B 35 E2 0A 20 00 mov rsi, cs:stdout ; fp 这里
.text:0000000000400556 028 74 18 jz short loc_400570 ; Jump if Zero (ZF=1)
.text:0000000000400558 028 40 0F BE FF movsx edi, dil ; c
.text:000000000040055C 028 48 83 C5 01 add rbp, 1 ; Add
.text:0000000000400560 028 E8 6B FF FF FF call __IO_putc ; Call Procedure
.text:0000000000400565 028 44 0F B6 4D FF movzx r9d, byte ptr [rbp-1] ; Move with Zero-Extend
.text:000000000040056A 028 EB A4 jmp short loc_400510 ; Jump
.text:000000000040056A ; ---------------------------------------------------------------------------
.text:000000000040056C 028 0F 1F 40 00 align 10h
.text:0000000000400570
.text:0000000000400570 loc_400570: ; CODE XREF: main+76↑j
.text:0000000000400570 028 BF 0A 00 00 00 mov edi, 0Ah ; c
.text:0000000000400575 028 E8 56 FF FF FF call __IO_putc ; Call Procedure
.text:000000000040057A 028 48 83 C4 18 add rsp, 18h ; Add
.text:000000000040057E 010 31 C0 xor eax, eax ; Logical Exclusive OR
.text:0000000000400580 010 5B pop rbx
.text:0000000000400581 008 5D pop rbp
.text:0000000000400582 000 C3 retn ; Return Near from Procedure
.text:0000000000400582 ; } // starts at 4004E0
.text:0000000000400582 main endp

.text:0000000000400670 ; __int64 __fastcall sub_400670(int, _DWORD *)
.text:0000000000400670 sub_400670 proc near ; CODE XREF: main+4C↑p
.text:0000000000400670 ; sub_400670+19↓p ...
.text:0000000000400670 ; __unwind {
.text:0000000000400670 000 85 FF test edi, edi ; Logical Compare
.text:0000000000400672 000 41 54 push r12
.text:0000000000400674 008 55 push rbp
.text:0000000000400675 010 48 89 F5 mov rbp, rsi
.text:0000000000400678 010 53 push rbx
.text:0000000000400679 018 74 7D jz short loc_4006F8 ; Jump if Zero (ZF=1)
.text:000000000040067B 018 83 FF 01 cmp edi, 1 ; Compare Two Operands
.text:000000000040067E 018 89 FB mov ebx, edi
.text:0000000000400680 018 0F 84 8A 00 00 00 jz loc_400710 ; Jump if Zero (ZF=1)
.text:0000000000400686 018 8D 7F FE lea edi, [rdi-2] ; Load Effective Address
.text:0000000000400689 018 E8 E2 FF FF FF call sub_400670 ; Call Procedure
.text:000000000040068E 018 8D 7B FF lea edi, [rbx-1] ; Load Effective Address
.text:0000000000400691 018 41 89 C4 mov r12d, eax
.text:0000000000400694 018 48 89 EE mov rsi, rbp
.text:0000000000400697 018 E8 D4 FF FF FF call sub_400670 ; Call Procedure
.text:000000000040069C 018 44 01 E0 add eax, r12d ; Add
.text:000000000040069F 018 89 C2 mov edx, eax
.text:00000000004006A1 018 89 C3 mov ebx, eax
.text:00000000004006A3 018 D1 EA shr edx, 1 ; Shift Logical Right
.text:00000000004006A5 018 81 E2 55 55 55 55 and edx, 55555555h ; Logical AND
.text:00000000004006AB 018 29 D3 sub ebx, edx ; Integer Subtraction
.text:00000000004006AD 018 89 D9 mov ecx, ebx
.text:00000000004006AF 018 89 DA mov edx, ebx
.text:00000000004006B1 018 C1 E9 02 shr ecx, 2 ; Shift Logical Right
.text:00000000004006B4 018 81 E1 33 33 33 33 and ecx, 33333333h ; Logical AND
.text:00000000004006BA 018 89 CE mov esi, ecx
.text:00000000004006BC
.text:00000000004006BC loc_4006BC: ; CODE XREF: sub_400670+C2↓j
.text:00000000004006BC 018 81 E2 33 33 33 33 and edx, 33333333h ; Logical AND
.text:00000000004006C2 018 8D 0C 16 lea ecx, [rsi+rdx] ; Load Effective Address
.text:00000000004006C5 018 89 CA mov edx, ecx
.text:00000000004006C7 018 C1 EA 04 shr edx, 4 ; Shift Logical Right
.text:00000000004006CA 018 01 CA add edx, ecx ; Add
.text:00000000004006CC 018 89 D6 mov esi, edx
.text:00000000004006CE 018 81 E2 0F 0F 0F 0F and edx, 0F0F0F0Fh ; Logical AND
.text:00000000004006D4 018 C1 EE 08 shr esi, 8 ; Shift Logical Right
.text:00000000004006D7 018 81 E6 0F 0F 0F 00 and esi, 0F0F0Fh ; Logical AND
.text:00000000004006DD 018 8D 0C 16 lea ecx, [rsi+rdx] ; Load Effective Address
.text:00000000004006E0 018 89 CA mov edx, ecx
.text:00000000004006E2 018 C1 EA 10 shr edx, 10h ; Shift Logical Right
.text:00000000004006E5 018 01 CA add edx, ecx ; Add
.text:00000000004006E7 018 83 E2 01 and edx, 1 ; Logical AND
.text:00000000004006EA 018 31 55 00 xor [rbp+0], edx ; Logical Exclusive OR
.text:00000000004006ED 018 5B pop rbx
.text:00000000004006EE 010 5D pop rbp
.text:00000000004006EF 008 41 5C pop r12
.text:00000000004006F1 000 C3 retn ; Return Near from Procedure
.text:00000000004006F1 ; ---------------------------------------------------------------------------
.text:00000000004006F2 000 66 0F 1F 44 00 00 align 8
.text:00000000004006F8
.text:00000000004006F8 loc_4006F8: ; CODE XREF: sub_400670+9↑j
.text:00000000004006F8 018 BA 01 00 00 00 mov edx, 1
.text:00000000004006FD 018 31 55 00 xor [rbp+0], edx ; Logical Exclusive OR
.text:0000000000400700 018 B8 01 00 00 00 mov eax, 1
.text:0000000000400705 018 5B pop rbx
.text:0000000000400706 010 5D pop rbp
.text:0000000000400707 008 41 5C pop r12
.text:0000000000400709 000 C3 retn ; Return Near from Procedure
.text:0000000000400709 ; ---------------------------------------------------------------------------
.text:000000000040070A 000 66 0F 1F 44 00 00 align 10h
.text:0000000000400710
.text:0000000000400710 loc_400710: ; CODE XREF: sub_400670+10↑j
.text:0000000000400710 018 31 FF xor edi, edi ; Logical Exclusive OR
.text:0000000000400712 018 E8 59 FF FF FF call sub_400670 ; Call Procedure
.text:0000000000400717 018 89 C2 mov edx, eax
.text:0000000000400719 018 89 C7 mov edi, eax
.text:000000000040071B 018 D1 EA shr edx, 1 ; Shift Logical Right
.text:000000000040071D 018 81 E2 55 55 55 55 and edx, 55555555h ; Logical AND
.text:0000000000400723 018 29 D7 sub edi, edx ; Integer Subtraction
.text:0000000000400725 018 89 FE mov esi, edi
.text:0000000000400727 018 89 FA mov edx, edi
.text:0000000000400729 018 C1 EE 02 shr esi, 2 ; Shift Logical Right
.text:000000000040072C 018 81 E6 33 33 33 33 and esi, 33333333h ; Logical AND
.text:0000000000400732 018 EB 88 jmp short loc_4006BC ; Jump
.text:0000000000400732 ; } // starts at 400670
.text:0000000000400732 sub_400670 endp

对这些指令Hook以下,直接修改RIP,执行后面的指令。而且打印字符时调用的glibc库也没加载入虚拟内存,也需要Hook:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
from unicorn import *
from unicorn.x86_const import *
import struct
def read(name):
with open(name,"rb") as f:
return f.read()
def u32(data): #4字节小端序字符串转整数
return struct.unpack("I",data)[0]
def p32(num): #整数转4字节小端序字符串
return struct.pack("I",num)
instructions_skip_list=[0x00000000004004EF,0x00000000004004F6,0x0000000000400502,0x000000000040054F]
FIBONACCI_ENTRY=0x0000000000400670
FIBONACCI_END=[0x00000000004006F1,0x0000000000400709]
stack=[]
d={}
def hook_code(mu,address,size,user_data):
print("Tracing instruction at 0x%x,instruction size=0x%x"%(address,size))
if address in instructions_skip_list:
mu.reg_write(UC_X86_REG_RIP,address+size)
elif address==0x0000000000400560:
c=mu.reg_read(UC_X86_REG_RDI)
print(chr(c))
mu.reg_write(UC_X86_REG_RIP,address+size)
elif address==FIBONACCI_ENTRY:
arg0=mu.reg_read(UC_X86_REG_RDI)
r_rsi=m.reg_read(UC_X86_REG_RSI)
arg1=u32(mu.mem_read(r_rsi,4))
if (arg0,arg1) in d:
(ret_rax,ret_ref)=d[(arg0,arg1)]
mu.reg_write(UC_X86_REG_RAX,ret_rax)
mu.mem_write(r_rsi,p32(ret_ref))
mu.reg_write(UC_X86_REG_RIP,0x0000000000400582)
else:
stack.append((arg0,arg1,r_rsi))
elif address in FIBONACCI_END:
(arg0,arg1,r_rsi)=stack.pop()
ret_rax=mu.reg_read(UC_X86_REG_RAX)
ret_ref=u32(mu.mem_read(r_rsi,4))
d[(arg0,arg1)]=(ret_rax,ret_ref)
mu=Uc(UC_ARCH_X86,UC_MODE_64) #x86-64
BASE=0x400000
STACK_ADDR=0x0
STACK_SIZE=1024*1024
mu.mem_map(BASE,1024*1024)
mu.mem_map(STACK_ADDR,STACK_SIZE)
mu.mem_write(BASE,read("./fibonacci"))
mu.reg_write(UC_X86_REG_RSP,STACK_ADDR+STACK_SIZE-1)
mu.hook_add(UC_HOOK_CODE,hook_code)
mu.emu_start(0x00000000004004E0,0x0000000000400575)

一定要在Linux下尝试运行,Windows下在修改RIP后会出错。

ARM

下载交叉编译器:https://developer.arm.com/downloads/-/arm-gnu-toolchain-downloads

编译HelloWorld:

1
2
3
4
5
#include <stdio.h>
int main(void){
printf("Hello world");
return 0;
};

编译:

1
2
arm-none-linux-gnueabihf-gcc ./helloworld.c -fPIC -marm -shared -o ./libhello.so
readelf -h ./libhello.so

生成为:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
.text:000003C0                             ; int __fastcall main(int argc, const char **argv, const char **envp)
.text:000003C0 EXPORT main
.text:000003C0 main ; DATA XREF: LOAD:000001AC↑o
.text:000003C0 000 00 48 2D E9 PUSH {R11,LR} ; Push registers
.text:000003C4 008 04 B0 8D E2 ADD R11, SP, #4 ; Rd = Op1 + Op2
.text:000003C8 008 14 30 9F E5 LDR R3, =(aHelloWorld - 0x3D4) ; Load from Memory
.text:000003CC 008 03 30 8F E0 ADD R3, PC, R3 ; Rd = Op1 + Op2
.text:000003D0 008 03 00 A0 E1 MOV R0, R3 ; format
.text:000003D4 008 C1 FF FF EB BL printf ; Branch with Link
.text:000003D8 008 00 30 A0 E3 MOV R3, #0 ; Rd = Op2
.text:000003DC 008 03 00 A0 E1 MOV R0, R3 ; Rd = Op2
.text:000003E0 008 00 88 BD E8 POP {R11,PC} ; Pop registers
.text:000003E0 ; End of function main
.text:000003E0
.text:000003E0 ; ---------------------------------------------------------------------------
.text:000003E4 AC 00 00 00 off_3E4 DCD aHelloWorld - 0x3D4 ; DATA XREF: main+8↑r
.text:000003E4 ; .text ends ; "Hello world"

用Unicorn调试.so文件:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
from unicorn import *
from unicorn.arm_const import *
from capstone import *
from capstone.arm import *
def hook_code(mu,address,size,user_data):
inst_code=mu.mem_read(address,size)
for inst in cs.disasm(inst_code,size):
print("0x%x:\t%s\t%s"%(address,inst.mnemonic,inst.op_str))
if address==0x000003D4:
result=mu.mem_read(mu.reg_read(UC_ARM_REG_R3),16)
print("result:",result.decode(encoding="utf-8"))
mu.reg_write(UC_ARM_REG_PC,0x000003E0)
uc=Uc(UC_ARCH_ARM,UC_MODE_ARM) #此处ARM32 还有UC_ARCH_ARM64 ARM32有UC_MODE_ARM和UC_MODE_THUMB两种模式
base=0x00000000
code_size=8*0x1000*0x1000
uc.mem_map(base,code_size)
stack_addr=base+code_size
stack_size=0x1000
stack_top=stack_addr+stack_size-0x8
uc.mem_map(stack_addr,stack_size)
fd=open("./libhello2.so","rb")
SO_DATA=fd.read()
uc.mem_write(base,SO_DATA)
start_base=base+0x000003C0
end_addr=base+0x000003E0
uc.reg_write(UC_ARM_REG_SP,stack_top)
cs=Cs(CS_ARCH_ARM,CS_MODE_ARM)
uc.hook_add(UC_HOOK_CODE,hook_code,begin=start_base,end=end_addr)
uc.emu_start(start_base,end_addr)

OLLVM脱壳

先搁着,官方OLLVM基于LLVM4,早就过时了。Github上有基于LLVM17的移植版,自己手动该代码移植还怪麻烦的,而且也没有预编译版。