安卓逆向-在空引用处强行写入返回值还是出现空指针问题，怎么办

du1263794094 · 发表于 2024-3-5 00:13

本帖最后由 du1263794094 于 2024-3-5 11:45 编辑

先看Android Studio里用Logcat抓取到的出错日志（app包名及缩写已用*代替）

[Java] 纯文本查看 复制代码

FATAL EXCEPTION: main
                 Process: com.******.********, PID: 32729
                 java.lang.RuntimeException: Unable to start activity ComponentInfo{com.******.********/com.******.********.activity.device.**ChooseDeviceActivity}: java.lang.NullPointerException: Attempt to invoke virtual method 'java.lang.String com.******.********.common.model.wallet.**Wallet.getGuid()' on a null object reference
                         at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:3307)
                         at android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:3446)
                         at android.app.servertransaction.LaunchActivityItem.execute(LaunchActivityItem.java:83)
                         at android.app.servertransaction.TransactionExecutor.executeCallbacks(TransactionExecutor.java:135)
                         at android.app.servertransaction.TransactionExecutor.execute(TransactionExecutor.java:95)
                         at android.app.ActivityThread$H.handleMessage(ActivityThread.java:2043)
                         at android.os.Handler.dispatchMessage(Handler.java:107)
                         at android.os.Looper.loop(Looper.java:227)
                         at android.app.ActivityThread.main(ActivityThread.java:7533)
                         at java.lang.reflect.Method.invoke(Native Method)
                         at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:539)
                         at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:953)
                 Caused by: java.lang.NullPointerException: Attempt to invoke virtual method 'java.lang.String com.******.********.common.model.wallet.**Wallet.getGuid()' on a null object reference
                         at com.******.********.activity.device.**ChooseDeviceActivity.loadData(**ChooseDeviceActivity.java:253)
                         at com.******.********.activity.device.**ChooseDeviceActivity.initUI(**ChooseDeviceActivity.java:130)
                         at com.******.********.activity.device.**ChooseDeviceActivity.onCreate(**ChooseDeviceActivity.java:121)
                         at android.app.Activity.performCreate(Activity.java:7893)
                         at android.app.Activity.performCreate(Activity.java:7880)
                         at android.app.Instrumentation.callActivityOnCreate(Instrumentation.java:1307)
                         at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:3282)
                         at android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:3446) 
                         at android.app.servertransaction.LaunchActivityItem.execute(LaunchActivityItem.java:83) 
                         at android.app.servertransaction.TransactionExecutor.executeCallbacks(TransactionExecutor.java:135) 
                         at android.app.servertransaction.TransactionExecutor.execute(TransactionExecutor.java:95) 
                         at android.app.ActivityThread$H.handleMessage(ActivityThread.java:2043) 
                         at android.os.Handler.dispatchMessage(Handler.java:107) 
                         at android.os.Looper.loop(Looper.java:227) 
                         at android.app.ActivityThread.main(ActivityThread.java:7533) 
                         at java.lang.reflect.Method.invoke(Native Method) 
                         at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:539) 
                         at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:953)

问题出在调取java.lang.String com.******.********.common.model.wallet.**Wallet.getGuid()这个方法时得到了空引用，我在dex文件里找到了对应的方法名

[Java] 纯文本查看 复制代码

.method public getGuid()Ljava/lang/String;   
 .registers 2

    .line 89
    iget-object v0, p0, Lcom/******/********/common/model/wallet/**Wallet;->guid:Ljava/lang/String;


    return-object v0
.end method

我在返回v0的值前写一句乱打的但是位数正确的guid

[Java] 纯文本查看 复制代码

.method public getGuid()Ljava/lang/String;
    .registers 2

    .line 89
    iget-object v0, p0, Lcom/******/********/common/model/wallet/**Wallet;->guid:Ljava/lang/String;

    const-string v0, "{\"guid\":\"a3775fc7bbf409abac4a11153ad27a15\"}"

    return-object v0
.end method

保存好后运行，还是点击相同的功能按钮，结果还是崩了，logcat日志跟最上面的那段一模一样，还是调取那个方法名时得到了空引用，怎么改才避免空引用呢？

尝试写全整段账号信息看能不能运行，还是闪退了，logcat抓取到的出错日志仍然是最上面那段，一模一样

[Java] 纯文本查看 复制代码

.method public getGuid()Ljava/lang/String;
    .registers 2

    .line 89
    iget-object v0, p0, Lcom/******/********/common/model/wallet/**Wallet;->guid:Ljava/lang/String;

    const-string v0, "{\"code\":1,\"data\":{\"alias\":\"用户:13166668888\",\"countBorrowingMoney\":0.0000,\"countCredit\":0.0000,\"countMortgageMoney\":0.0000,\"createTime\":\"2020-05-25 10:45:15\",\"creator\":\"管理员\",\"dummyMoney\":0.0000,\"guid\":\"a3775fc7bbf409abac4a11153ad27a15\",\"isSystem\":0,\"modifier\":\"管理员\",\"modifyTime\":\"2020-05-25 10:45:15\",\"money\":666.0000,\"payStatus\":1,\"phone\":\"13166668888\",\"status\":1,\"userGuid\":\"a754ed85adb62a3ecb3a0112bc00b810\",\"version\":\"1.0\",\"yesCertification\":0,\"yesEnterprise\":0},\"message\":\"success\",\"total\":1}"

    return-object v0
.end method

附-正常登陆账号获取到的抓包信息
{"code":1,"data":{"alias":"用户:13166668888","countBorrowingMoney":0.0000,"countCredit":0.0000,"countMortgageMoney":0.0000,"createTime":"2020-05-2510:45:15","creator":"管理员","dummyMoney":0.0000,"guid":"a3775fc7bbf409abac4a11153ad27a15","isSystem":0,"modifier":"管理员","modifyTime":"2020-05-2510:45:15","money":0.0000,"payStatus":1,"phone":"13166668888","status":1,"userGuid":"a754ed85adb62a3ecb3a0112bc00b810","version":"1.0","yesCertification":0,"yesEnterprise":0},"message":"success","total":1}

侃遍天下无二人 · 发表于 2024-3-5 00:13

那就是传入的JSON格式错了，它这里面要求传入数组，你再看看正确的响应是啥样的，要是确定没问题就把字符串用中括号包起来

侃遍天下无二人 · 发表于 2024-3-5 12:06

你理解错了，整个**Wallet都是空的，所以getguid自然没法调用，尝试改成静态方法看看

du1263794094 · 发表于 2024-3-5 12:44

侃遍天下无二人发表于 2024-3-5 12:06
你理解错了，整个**Wallet都是空的，所以getguid自然没法调用，尝试改成静态方法看看

（我小白一个，大佬轻点打）不太懂程序语言和对应的逻辑，改成下面这样还是不行，报错日志跟前面一样，我是不是没改对地方啊？还是语句也没写对？

[Java] 纯文本查看 复制代码

.method public getGuid()Ljava/lang/String;
    .registers 2
 
    .line 89
    sget-object v0, Lcom/******/********/common/model/wallet/**Wallet;->guid:Ljava/lang/String;
 
    const-string v0, "{\"guid\":\"a3775fc7bbf409abac4a11153ad27a15\"}"
 
    return-object v0
.end method

侃遍天下无二人 · 发表于 2024-3-5 16:10

du1263794094 发表于 2024-3-5 12:44
（我小白一个，大佬轻点打）不太懂程序语言和对应的逻辑，改成下面这样还是不行，报错日志跟前面一样，我 ...

肯定没改对地方，具体改哪里需要你往上翻一层，把调用它的代码贴出来看看，不要打码

du1263794094 · 发表于 2024-3-5 16:40

侃遍天下无二人发表于 2024-3-5 12:06
你理解错了，整个**Wallet都是空的，所以getguid自然没法调用，尝试改成静态方法看看

您提醒我**Wallet是空的，我把getGuid这个方法名对应的**Wallet.smali转为Java，注意到以下代码

[Java] 纯文本查看 复制代码

package com.huiyou.xiaoding.common.model.wallet;
import com.huiyou.xiaoding.common.model.base.HYModel;
public class HYWallet extends HYModel (
    private String alias;
    private String avatarUri;
    ......（省略）
    private String guid
    ......（省略）

意思是导入HYModel这个包，然后HYWallet这个类继承了HYModel这个类并扩展，我理解对吗？
如果这样理解是对的，那我应该到HYModel.smali里去写值是吗？
我打开HYModel.smali转Java看到这样的代码，他也是导入别的包作为数据来源的

[Java] 纯文本查看 复制代码

package com.huiyou.xiaoding.common.model.base;

import com.huiyou.xiaoding.common.utils.DataVOUtils;
import java.util.HashMap

public class HYModel {
    public String zb_jsonValue(){
        return DataVOUtils.jsonValue(this);
    }

    public HasMap<String, Object> zb_mapValue(){
        return DataVOUtils.mapValue(this);
    }
}

我又该去DataVOUtils写值对吧？DataVOUtils.smali代码全文如下

[Java] 纯文本查看 复制代码

.class public Lcom/huiyou/xiaoding/common/utils/DataVOUtils;
.super Ljava/lang/Object;
.source "DataVOUtils.java"


# direct methods
.method public constructor <init>()V
    .registers 1

    .line 13
    invoke-direct {p0}, Ljava/lang/Object;-><init>()V

    return-void
.end method

.method public static buildObjc(Ljava/lang/Object;Ljava/lang/Class;)Ljava/lang/Object;
    .registers 4
    .annotation system Ldalvik/annotation/Signature;
        value = {
            "<T:",
            "Ljava/lang/Object;",
            ">(",
            "Ljava/lang/Object;",
            "Ljava/lang/Class<",
            "TT;>;)TT;"
        }
    .end annotation

    .line 16
    invoke-static {p0}, Lcom/huiyou/xiaoding/common/utils/StringUtils;->isNullOrEmpty(Ljava/lang/Object;)Z

    move-result v0

    const/4 v1, 0x0

    if-eqz v0, :cond_8

    return-object v1

    .line 20
    :cond_8
    :try_start_8
    invoke-static {p0}, Lcom/huiyou/xiaoding/common/utils/DataVOUtils;->jsonValue(Ljava/lang/Object;)Ljava/lang/String;

    move-result-object p0

    .line 21
    invoke-static {p0, p1}, Lcom/alibaba/fastjson/JSON;->parseObject(Ljava/lang/String;Ljava/lang/Class;)Ljava/lang/Object;

    move-result-object p0
    :try_end_10
    .catch Ljava/lang/Exception; {:try_start_8 .. :try_end_10} :catch_11

    return-object p0

    :catch_11
    move-exception p0

    .line 24
    invoke-virtual {p0}, Ljava/lang/Exception;->toString()Ljava/lang/String;

    move-result-object p0

    const-string p1, "DataVOUtils"

    invoke-static {p1, p0}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I

    return-object v1
.end method

.method public static buildObjc(Ljava/lang/String;Ljava/lang/Class;)Ljava/lang/Object;
    .registers 4
    .annotation system Ldalvik/annotation/Signature;
        value = {
            "<T:",
            "Ljava/lang/Object;",
            ">(",
            "Ljava/lang/String;",
            "Ljava/lang/Class<",
            "TT;>;)TT;"
        }
    .end annotation

    .line 30
    invoke-static {p0}, Lcom/huiyou/xiaoding/common/utils/StringUtils;->isNullOrEmpty(Ljava/lang/Object;)Z

    move-result v0

    const/4 v1, 0x0

    if-eqz v0, :cond_8

    return-object v1

    .line 34
    :cond_8
    :try_start_8
    invoke-static {p0, p1}, Lcom/alibaba/fastjson/JSON;->parseObject(Ljava/lang/String;Ljava/lang/Class;)Ljava/lang/Object;

    move-result-object p0
    :try_end_c
    .catch Ljava/lang/Exception; {:try_start_8 .. :try_end_c} :catch_d

    return-object p0

    :catch_d
    move-exception p0

    .line 37
    invoke-virtual {p0}, Ljava/lang/Exception;->toString()Ljava/lang/String;

    move-result-object p0

    const-string p1, "DataVOUtils"

    invoke-static {p1, p0}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I

    return-object v1
.end method

.method public static buildObjcs(Ljava/lang/String;Ljava/lang/Class;)Ljava/util/List;
    .registers 3
    .annotation system Ldalvik/annotation/Signature;
        value = {
            "<T:",
            "Ljava/lang/Object;",
            ">(",
            "Ljava/lang/String;",
            "Ljava/lang/Class<",
            "TT;>;)",
            "Ljava/util/List<",
            "TT;>;"
        }
    .end annotation

    .line 43
    invoke-static {p0}, Lcom/huiyou/xiaoding/common/utils/StringUtils;->isNullOrEmpty(Ljava/lang/Object;)Z

    move-result v0

    if-eqz v0, :cond_8

    const/4 p0, 0x0

    return-object p0

    .line 46
    :cond_8
    invoke-static {p0, p1}, Lcom/alibaba/fastjson/JSON;->parseArray(Ljava/lang/String;Ljava/lang/Class;)Ljava/util/List;

    move-result-object p0

    return-object p0
.end method

.method public static jsonValue(Ljava/lang/Object;)Ljava/lang/String;
    .registers 1

    if-nez p0, :cond_5

    const-string p0, ""

    return-object p0

    .line 54
    :cond_5
    invoke-static {p0}, Lcom/alibaba/fastjson/JSON;->toJSONString(Ljava/lang/Object;)Ljava/lang/String;

    move-result-object p0

    return-object p0
.end method

.method public static mapValue(Ljava/lang/Object;)Ljava/util/HashMap;
    .registers 2
    .annotation system Ldalvik/annotation/Signature;
        value = {
            "(",
            "Ljava/lang/Object;",
            ")",
            "Ljava/util/HashMap<",
            "Ljava/lang/String;",
            "Ljava/lang/Object;",
            ">;"
        }
    .end annotation

    .line 60
    invoke-static {p0}, Lcom/huiyou/xiaoding/common/utils/DataVOUtils;->jsonValue(Ljava/lang/Object;)Ljava/lang/String;

    move-result-object p0

    const-class v0, Ljava/util/Map;

    invoke-static {p0, v0}, Lcom/alibaba/fastjson/JSON;->parseObject(Ljava/lang/String;Ljava/lang/Class;)Ljava/lang/Object;

    move-result-object p0

    check-cast p0, Ljava/util/Map;

    .line 61
    new-instance v0, Ljava/util/HashMap;

    invoke-direct {v0, p0}, Ljava/util/HashMap;-><init>(Ljava/util/Map;)V

    return-object v0
.end method

DataVOUtils.smali转换为Java如下

[Java] 纯文本查看 复制代码

package com.huiyou.xiaoding.common.utils;

import android.util.Log;
import com.alibaba.fastjson.JSON;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class DataVOUtils {
    public static <T> T buildObjc(Object obj, Class<T> cls) {
        if (StringUtils.isNullOrEmpty(obj)) {
            return null;
        }
        try {
            return (T) JSON.parseObject(jsonValue(obj), cls);
        } catch (Exception e) {
            Log.e("DataVOUtils", e.toString());
            return null;
        }
    }

    public static <T> T buildObjc(String str, Class<T> cls) {
        if (StringUtils.isNullOrEmpty(str)) {
            return null;
        }
        try {
            return (T) JSON.parseObject(str, cls);
        } catch (Exception e) {
            Log.e("DataVOUtils", e.toString());
            return null;
        }
    }

    public static <T> List<T> buildObjcs(String str, Class<T> cls) {
        if (StringUtils.isNullOrEmpty(str)) {
            return null;
        }
        return JSON.parseArray(str, cls);
    }

    public static String jsonValue(Object obj) {
        return obj == null ? "" : JSON.toJSONString(obj);
    }

    public static HashMap<String, Object> mapValue(Object obj) {
        return new HashMap<>((Map) JSON.parseObject(jsonValue(obj), Map.class));
    }
}

貌似是涉及到判断，json字串符与对象转换之类的内容了，又是一个新的知识点

，再麻烦大佬看看下一步该怎么做（小声问一句：我对这几个包的立关系理解是——DataVOUtils从服务器获取用户信息并转换格式，Model从DataVOUtils获取成果分门别类区分开用户的各条信息并组装，形成用户模型，其他的包比如Wallet要获取什么信息就从Model里获取，是不是啊？）

du1263794094 · 发表于 2024-3-5 16:50

侃遍天下无二人发表于 2024-3-5 16:10
肯定没改对地方，具体改哪里需要你往上翻一层，把调用它的代码贴出来看看，不要打码

HYModel.smali的全文代码我也贴出来

[Java] 纯文本查看 复制代码

.class public Lcom/huiyou/xiaoding/common/model/base/HYModel;
.super Ljava/lang/Object;
.source "HYModel.java"


# direct methods
.method public constructor <init>()V
    .registers 1

    .line 12
    invoke-direct {p0}, Ljava/lang/Object;-><init>()V

    return-void
.end method


# virtual methods
.method public zb_jsonValue()Ljava/lang/String;
    .registers 2

    .line 17
    invoke-static {p0}, Lcom/huiyou/xiaoding/common/utils/DataVOUtils;->jsonValue(Ljava/lang/Object;)Ljava/lang/String;

    move-result-object v0

    return-object v0
.end method

.method public zb_mapValue()Ljava/util/HashMap;
    .registers 2
    .annotation system Ldalvik/annotation/Signature;
        value = {
            "()",
            "Ljava/util/HashMap<",
            "Ljava/lang/String;",
            "Ljava/lang/Object;",
            ">;"
        }
    .end annotation

    .line 22
    invoke-static {p0}, Lcom/huiyou/xiaoding/common/utils/DataVOUtils;->mapValue(Ljava/lang/Object;)Ljava/util/HashMap;

    move-result-object v0

    return-object v0
.end method

转为Java如下

[Java] 纯文本查看 复制代码

package com.huiyou.xiaoding.common.model.base;
import com.huiyou.xiaoding.common.utils.DataVOUtils;
import java.util.HashMap;

public class HYModel {
    public String zb_jsonValue() {
        return DataVOUtils.jsonValue(this);
    }

    public HashMap<String, Object> zb_mapValue() {
        return DataVOUtils.mapValue(this);
    }
}

du1263794094 · 发表于 2024-3-5 23:18

侃遍天下无二人发表于 2024-3-5 16:10
肯定没改对地方，具体改哪里需要你往上翻一层，把调用它的代码贴出来看看，不要打码

前面我说DataVOUtils是对Json进行加工的地方，并且HYModel也是通过以下方法从DataVOUtils获取成果的

[Java] 纯文本查看 复制代码

.method public zb_jsonValue()Ljava/lang/String;
    .registers 2

    .line 17
    invoke-static {p0}, Lcom/huiyou/xiaoding/common/utils/DataVOUtils;->jsonValue(Ljava/lang/Object;)Ljava/lang/String;

    move-result-object v0

    return-object v0
.end method

我就跳转到DataVOUtils里看jsonValue方法是怎么返回值的

[Java] 纯文本查看 复制代码

.method public static jsonValue(Ljava/lang/Object;)Ljava/lang/String;
    .registers 1


    if-nez p0, :cond_6

    const-string p0, ""

    return-object p0

    .line 54
    :cond_6
    invoke-static {p0}, Lcom/alibaba/fastjson/JSON;->toJSONString(Ljava/lang/Object;)Ljava/lang/String;

    move-result-object p0


    return-object p0
.end method

他首先要判断p0的值，不等于0则跳cond_6，调取toJSONString这个静态方法和p0参数，然后把前面的方法调取结果赋值给p0
是不是p0就是json字串符了？toJSONString也是对象转为json字串符的意思吗？
我尝试在判断处把p0值改为1，直接跳到调取JSONString静态方法结果这里，并在返回p0引用值之前，写入登录信息，改动如下

[Java] 纯文本查看 复制代码

.method public static jsonValue(Ljava/lang/Object;)Ljava/lang/String;
    .registers 1

    const/4 p0, 0x1

    if-nez p0, :cond_6

    const-string p0, ""

    return-object p0

    .line 54
    :cond_6
    invoke-static {p0}, Lcom/alibaba/fastjson/JSON;->toJSONString(Ljava/lang/Object;)Ljava/lang/String;

    move-result-object p0

    const-string p0, "{\"code\":1,\"data\":{\"alias\":\"学生:13114525896\",\"countBorrowingMoney\":0.0000,\"countCredit\":0.0000,\"countMortgageMoney\":0.0000,\"createTime\":\"2020-05-25 10:45:15\",\"creator\":\"管理员\",\"dummyMoney\":0.0000,\"guid\":\"a3775fc7bbf409abac4a11153ad27a15\",\"isSystem\":0,\"modifier\":\"管理员\",\"modifyTime\":\"2020-05-25 10:45:15\",\"money\":0.0000,\"payStatus\":1,\"phone\":\"13114525896\",\"status\":1,\"userGuid\":\"a754ed85adb62a3ecb3a0112bc00b810\",\"version\":\"1.0\",\"yesCertification\":0,\"yesEnterprise\":0},\"message\":\"success\",\"total\":1}"

    return-object p0
.end method

保存运行，结果直接闪退，还不是点了一些按钮之后才闪退，Logcat日志这样写的

[Java] 纯文本查看 复制代码

FATAL EXCEPTION: main
Process: com.huiyou.xiaoding, PID: 4459
java.lang.VerifyError: Verifier rejected class com.huiyou.xiaoding.common.utils.DataVOUtils: java.lang.String com.huiyou.xiaoding.common.utils.DataVOUtils.jsonValue(java.lang.Object) failed to verify: java.lang.String com.huiyou.xiaoding.common.utils.DataVOUtils.jsonValue(java.lang.Object): [0x6] register v0 has type Precise Constant: 1 but expected Reference: java.lang.Object (declaration of 'com.huiyou.xiaoding.common.utils.DataVOUtils' appears in base.apk!classes3.dex)
    at com.huiyou.xiaoding.common.utils.DataVOUtils.buildObjc(DataVOUtils.java:30)
    at com.huiyou.xiaoding.core.HYDataCore.getUserResponse(HYDataCore.java:72)
    at com.huiyou.xiaoding.core.HYCore.<init>(HYCore.java:48)
    at com.huiyou.xiaoding.core.HYCore.sharedCore(HYCore.java:32)
    at com.huiyou.xiaoding.core.HYConfig.serverToken(HYConfig.java:184)
    at com.huiyou.xiaoding.http.HYHttpAction.request(HYHttpAction.java:146)
    at com.huiyou.xiaoding.http.HYCommonAction.contractCode(HYCommonAction.java:65)
    at com.huiyou.xiaoding.core.HYDataCore.getAppIsAgree(HYDataCore.java:253)
    at com.huiyou.xiaoding.activity.main.MainActivity.onCreate(MainActivity.java:106)

我的理解是，出现验证错误，原因验证器拒绝DataVOUtils这个类，拒绝原因是DataVOUtils下jsonValue验证失败，失败原因是jsonValue的v0寄存器有精确常数1，但他希望参考classes3.dex文件里的DataVOUtils的声明。
我想知道我改的地方对不对，改的内容对不对，怎么解决这个报错，请大佬赐教

侃遍天下无二人 · 发表于 2024-3-6 01:33

du1263794094 发表于 2024-3-5 23:18
前面我说DataVOUtils是对Json进行加工的地方，并且HYModel也是通过以下方法从DataVOUtils获取成果的
[mw ...

把这个转Java看下呀

invoke-static {p0}, Lcom/alibaba/fastjson/JSON;->toJSONString(Ljava/lang/Object;)Ljava/lang/String;

这里有明显错误，相当于 JSON.toJSONString(1)，你应该把代码改成这样

.method public static jsonValue(Ljava/lang/Object;)Ljava/lang/String;
.registers 1

const-string p0, "{\"code\":1,\"data\":{\"alias\":\"学生:13114525896\",\"countBorrowingMoney\":0.0000,\"countCredit\":0.0000,\"countMortgageMoney\":0.0000,\"createTime\":\"2020-05-25 10:45:15\",\"creator\":\"管理员\",\"dummyMoney\":0.0000,\"guid\":\"a3775fc7bbf409abac4a11153ad27a15\",\"isSystem\":0,\"modifier\":\"管理员\",\"modifyTime\":\"2020-05-25 10:45:15\",\"money\":0.0000,\"payStatus\":1,\"phone\":\"13114525896\",\"status\":1,\"userGuid\":\"a754ed85adb62a3ecb3a0112bc00b810\",\"version\":\"1.0\",\"yesCertification\":0,\"yesEnterprise\":0},\"message\":\"success\",\"total\":1}"

return-object p0
.end method

du1263794094 · 发表于 2024-3-6 11:42

侃遍天下无二人发表于 2024-3-6 01:33
把这个转Java看下呀这里有明显错误，相当于 JSON.toJSONString(1)，你应该把代码改成这样

您让我把下面这段smali转java

[Java] 纯文本查看 复制代码

invoke-static {p0}, Lcom/alibaba/fastjson/JSON;->toJSONString(Ljava/lang/Object;)Ljava/lang/String;

转换结果如下

[Java] 纯文本查看 复制代码

public static String jsonValue(Object obj) {
        return obj == null ? "" : JSON.toJSONString(obj);
    }

然后我按您说的改DataVOUtils里jsonValue的代码，删除判断跳转之类的，直接赋p0为一串字符串
jsonValue方法原本代码：

[Java] 纯文本查看 复制代码

.method public static jsonValue(Ljava/lang/Object;)Ljava/lang/String;
    .registers 1

    if-nez p0, :cond_5

    const-string p0, ""

    return-object p0

    .line 54
    :cond_5
    invoke-static {p0}, Lcom/alibaba/fastjson/JSON;->toJSONString(Ljava/lang/Object;)Ljava/lang/String;

    move-result-object p0

    return-object p0
.end method

我的修改：

[Java] 纯文本查看 复制代码

.method public static jsonValue(Ljava/lang/Object;)Ljava/lang/String;
    .registers 1

const-string p0, "{\"code\":1,\"data\":{\"alias\":\"学生:13114525896\",\"countBorrowingMoney\":0.0000,\"countCredit\":0.0000,\"countMortgageMoney\":0.0000,\"createTime\":\"2020-05-25 10:45:15\",\"creator\":\"管理员\",\"dummyMoney\":0.0000,\"guid\":\"a3775fc7bbf409abac4a11153ad27a15\",\"isSystem\":0,\"modifier\":\"管理员\",\"modifyTime\":\"2020-05-25 10:45:15\",\"money\":0.0000,\"payStatus\":1,\"phone\":\"13114525896\",\"status\":1,\"userGuid\":\"a754ed85adb62a3ecb3a0112bc00b810\",\"version\":\"1.0\",\"yesCertification\":0,\"yesEnterprise\":0},\"message\":\"success\",\"total\":1}"


    return-object p0
.end method

保存运行，还是闪退了，logcat日志如下

[Java] 纯文本查看 复制代码

FATAL EXCEPTION: main
Process: com.huiyou.xiaoding, PID: 12610
            com.alibaba.fastjson.JSONException: exepct '[', but {, pos 1, json : {"code":1,"data":{"alias":"学生:13114525896","countBorrowingMoney":0.0000,"countCredit":0.0000,"countMortgageMoney":0.0000,"createTime":"2020-05-25 10:45:15","creator":"管理员","dummyMoney":0.0000,"guid":"a3775fc7bbf409abac4a11153ad27a15","isSystem":0,"modifier":"管理员","modifyTime":"2020-05-25 10:45:15","money":0.0000,"payStatus":1,"phone":"13114525896","status":1,"userGuid":"a754ed85adb62a3ecb3a0112bc00b810","version":"1.0","yesCertification":0,"yesEnterprise":0},"message":"success","total":1}
  at com.alibaba.fastjson.parser.DefaultJSONParser.parseArray(DefaultJSONParser.java:658)
  at com.alibaba.fastjson.parser.DefaultJSONParser.parseArray(DefaultJSONParser.java:646)
  at com.alibaba.fastjson.parser.DefaultJSONParser.parseArray(DefaultJSONParser.java:641)
  at com.alibaba.fastjson.JSON.parseArray(JSON.java:518)
  at com.huiyou.xiaoding.common.utils.DataVOUtils.buildObjcs(DataVOUtils.java:46)
  at com.huiyou.xiaoding.http.HYCommonAction$2.onResponse(HYCommonAction.java:71)
  at com.huiyou.xiaoding.http.HYHttpAction$2.onResponse(HYHttpAction.java:171)
  at com.huiyou.xiaoding.http.HYHttpAction$4$2.run(HYHttpAction.java:331)
  at android.os.Handler.handleCallback(Handler.java:938)
  at android.os.Handler.dispatchMessage(Handler.java:99)
  at android.os.Looper.loop(Looper.java:246)
  at android.app.ActivityThread.main(ActivityThread.java:8512)
  at java.lang.reflect.Method.invoke(Native Method)
  at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:602)
  at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:1130)

帐号		自动登录	找回密码
密码			注册[Register]

[经验求助] 安卓逆向-在空引用处强行写入返回值还是出现空指针问题，怎么办

最佳答案

点评

点评

求M1卡（水卡）校验算法破解

个人中心