JEB Study Notes

Posted by API Caller on February 17, 2020

headless

The documentation mentions a headless mode, but there is very little about it online.

Plugin Dev

Java

I always used to hear people say you need Eclipse; I tried it, and IDEA + ant is just as easy.

import java.util.Map;

import com.pnfsoftware.jeb.core.AbstractEnginesPlugin;
import com.pnfsoftware.jeb.core.IEnginesContext;
import com.pnfsoftware.jeb.core.IPluginInformation;
import com.pnfsoftware.jeb.core.PluginInformation;
import com.pnfsoftware.jeb.core.Version;
import com.pnfsoftware.jeb.util.logging.GlobalLog;

public class SamplePlugin extends AbstractEnginesPlugin {
                               // ^ change that for another plugin type

    // Called once when JEB loads the plugin.
    @Override
    public void load(IEnginesContext context) {
        GlobalLog.getLogger().info("Loading sample plugin");
    }

    // Called when the user runs the plugin; params carries the execution options.
    @Override
    public void execute(IEnginesContext context, Map<String, String> params) {
        GlobalLog.getLogger().info("Executing sample plugin");
    }

    // Name, description, author and version that JEB shows in its plugin list.
    @Override
    public IPluginInformation getPluginInformation() {
        return new PluginInformation("SamplePlugin", "A sample plugin", "Author", Version.create(1, 0, 0));
    }
}

Python

Environment

  • Jython-Installer

  • IDEA + Jython

    • Note that virtual environments such as venv are not supported; point IDEA at the jython interpreter path directly.
    • Copy jeb.jar into the project and right-click Add as Library to get auto-completion.
    • The official documentation is poor; instead, find the matching script under scripts/samples, copy it into the project and read it alongside Introducing JEB Extensions. Those samples are commented and target the new API.

Plugins

jeb2-androsig

I tried it on a few samples; the results were not great and it still seems quite unfinished. Noting it down anyway.

JebAndroidSigPlugin Version: v1.1.4
DB Version: androsig_1.1_db_20190515.zip

Android Code Recognition

Source text of the options in the pop-up dialog:

Minimum number of instructions required to analyze a method by signature hashcode
(methods with less than \"method size bar\" will be ignored by hashcode but can still be matched later).
Value range: >= 0 (Default value: 6). The bigger will reduce false positive, the smaller will increase matching results
Method size bar _______

Minimum percentage of instructions to validate a class match
(classes where (total matched instructions / total instructions) < "matched instructions percentage bar" will be ignored by hashcode detection, but can still be matched via context matching)
Value range: 0.0 - 1.0 (Default value: 0.5). The bigger will reduce false positive, the smaller will increase matching results
Matched instructions percentage bar _______

Minimum number of found methods required to analyze a method when only one method matched by hashcode
(this is a security mechanism for easy matching methods - when only one hashcode matches for a method - and the percentage bar is reached - in particular, the is easy when class is small)
Value range: >= 0 (Default value: 10). The bigger will reduce false positive, the smaller will increase matching results
Minimum found methods on one match _______

Minimum number of java or android api parameters (or return value) used in a method signature to consider a method is complex
(this is a security mechanism for easy matching methods: the expectation is to have at least "Minimum number of complex parameters\" to consider that the matching is safe. This is to avoid percentage bar matching when only getter/setter matches for example)
Value range: >= 0 (Default value: 2). The bigger will reduce false positive, the smaller will increase matching results
Minimum number of complex parameters _______
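
The four options above interact, and the dialog text only says "bigger reduces false positives, smaller increases matches". The following is an added example, not the plugin's code: it models the four thresholds as a pure function over hand-constructed method data (instruction counts, hash collisions and API-typed parameters are all made up), applying them in the order the dialog lists them, so the effect of raising or lowering each knob on a large class, a getter/setter class and a small but complex class can be seen. The real plugin's ordering and exact rules are an assumption here and may differ.

```python
"""Simplified model of the four androsig thresholds over constructed data.

Added example: this is NOT the plugin's code. It applies the four knobs as the
dialog text describes them to classes whose methods are constructed by hand.
"""
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class Method:
    name: str
    instructions: int          # Dalvik instructions in the method body
    hash_candidates: Set[str]  # library methods whose signature hash equals this one
    complex_params: int        # java/android API types among parameters and return type


@dataclass
class Thresholds:
    """Defaults are the dialog's default values."""
    method_size_bar: int = 6
    matched_pct_bar: float = 0.5
    min_found_methods: int = 10
    min_complex_params: int = 2


@dataclass
class Result:
    accepted: bool
    ratio: float               # matched instructions / total instructions
    reasons: List[str] = field(default_factory=list)


PCT_BAR = "matched instructions percentage bar"
FOUND_BAR = "minimum found methods on one match"
COMPLEX_BAR = "minimum number of complex parameters"


def hash_matched(m: Method, t: Thresholds) -> bool:
    """Method size bar: methods shorter than the bar are ignored by hashcode matching."""
    return m.instructions >= t.method_size_bar and bool(m.hash_candidates)


def evaluate_class(methods: List[Method], t: Thresholds) -> Result:
    total = sum(m.instructions for m in methods)
    matched = [m for m in methods if hash_matched(m, t)]
    ratio = sum(m.instructions for m in matched) / total if total else 0.0
    reasons = []
    # 1. Percentage bar: enough of the class body must be covered by hash matches.
    if ratio < t.matched_pct_bar:
        reasons.append(PCT_BAR)
    # 2. Easy-match guard: a method with a single hash candidate is only trusted
    #    when the class has enough found methods to back it up.
    if any(len(m.hash_candidates) == 1 for m in matched) and len(matched) < t.min_found_methods:
        reasons.append(FOUND_BAR)
    # 3. Complexity guard: at least one matched method must use enough API types,
    #    so a class of getters/setters cannot pass on the percentage bar alone.
    if not any(m.complex_params >= t.min_complex_params for m in matched):
        reasons.append(COMPLEX_BAR)
    return Result(accepted=not reasons, ratio=ratio, reasons=reasons)


# Constructed sample classes (not real library data).
BIG_CLASS = [Method(f"m{i}", 10, {f"lib.m{i}"}, 2 if i % 2 == 0 else 0) for i in range(12)]
TINY_CLASS = [Method("getX", 3, {"lib.getX"}, 0), Method("setX", 4, {"lib.setX"}, 1)]
SMALL_CLASS = [
    Method("parseFrom", 20, {"lib.parseFrom"}, 3),
    Method("writeTo", 15, {"lib.writeTo"}, 2),
    Method("toString", 8, {"lib.toString", "other.toString"}, 0),
]

if __name__ == "__main__":
    for name, cls in [("big", BIG_CLASS), ("tiny", TINY_CLASS), ("small", SMALL_CLASS)]:
        print(name, evaluate_class(cls, Thresholds()))
    # Lowering the found-methods bar lets the small class through, as the dialog says.
    print("small@3", evaluate_class(SMALL_CLASS, Thresholds(min_found_methods=3)))
```

With the defaults, the 12-method class is accepted, the getter/setter class fails both the percentage bar (nothing reaches the method size bar) and the complexity guard, and the 3-method class fails only the found-methods guard; lowering that guard to 3 accepts it. That is the trade-off the dialog describes: each knob lowered yields more matches and more risk of a wrong library attribution.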

Generating signatures

For example, for protobuf, looking through aosp-mirror/platform_external_protobuf:

# fetch the prebuilt jar
wget https://repo1.maven.org/maven2/com/google/protobuf/protobuf-java/3.6.1/protobuf-java-3.6.1.jar

# jar to dex
dx.bat --dex --output protobuf-java-3.6.1.dex protobuf-java-3.6.1.jar

Then, from reading the source, the path rule for the package is:

Lcom/google/protobuf/.*


Ref