libsgmainso-6.4.36分析.txt
forked from FightingForWhat/taobao-reverse-documents
/**
 * Author: sp00f
 * Declaration: this project is for learning and exchange only and may not be used for any other purpose; otherwise you bear the consequences.
 * Ownership of this project belongs to me alone; you may download or fork it, but you may not use it for other purposes (publishing articles, books, submissions, etc.), or I will pursue the matter.
 * Feel free to criticise me, but please respect my hard work; if something is wrong, point it out and we can discuss it together.
 * In reverse engineering I am still a beginner with limited skill, so I ask the experts to be lenient.
 * For time reasons I did not go back over the debugging process after finishing the analysis, but it should be described roughly clearly.
 * Please forgive any omissions.
 *
 */
libsgmainso-6.4.36 logic analysis
//////////////////////////////////////////////////////////////
Difficulties:
Dynamic jumps
Dynamically generated parameters, parameter transformation
Function hiding (control reaches a function through a stub-like thunk; function addresses are encrypted)
A block of junk code placed in front of each function
String encryption
Some key code carries LLVM-based obfuscation
Junk code and anti-static-analysis tricks that disturb IDA's analysis
Multiple encryption algorithms
Core functions such as the one that reaches do_command_native are not contiguous; the continuation of a function is recorded in a series of
structures, and obtaining the next block requires re-executing do_command_inner
LOAD:0000B110 JNI_OnLoad
LOAD:0000B110
LOAD:0000B110 var_4 = -4
LOAD:0000B110 07 B5 PUSH {R0-R2,LR}
LOAD:0000B112 07 A1 ADR R1, 0xB130 // B130
LOAD:0000B114 09 00 MOVS R1, R1
LOAD:0000B116 05 39 SUBS R1, #5 // B130 - 0X5 = B12B
LOAD:0000B118 00 00 MOVS R0, R0
LOAD:0000B11A 08 00 MOVS R0, R1 // B12B
LOAD:0000B11C 12 00 MOVS R2, R2
LOAD:0000B11E 10 30 ADDS R0, #0x10 // B12B + 0X10 = B13B
LOAD:0000B120 03 90 STR R0, [SP,#0xC] // SP + 0XC = R0 = B13B
LOAD:0000B122 07 BD POP {R0-R2,PC} // PC = sp + 0xc = B13B; Thumb bit set, so execution continues at 0000B13A
After this code runs, r0, r1, r2 and lr are unchanged; only pc changes, and the CPU immediately executes the instruction at pc.
=================================================================================================
The code segment contains 56 matches for this pattern; find a way to patch this logic.
After patching:
LOAD:0000B110 JNI_OnLoad
LOAD:0000B122 B loc_B13A
===================================================================================================
Because these are Thumb instructions, the target address is odd (bit 0 set).
LOAD:0000B13A ; ---------------------------------------------------------------------------
Pattern:
LOAD:0000B13A CODE16
LOAD:0000B13A PUSH {R0,R1,LR}
LOAD:0000B13C LDR R0, =8
LOAD:0000B13E LDR R1, loc_B140 // meaningless, NOP it out
LOAD:0000B140
LOAD:0000B140 loc_B140
LOAD:0000B140 BLX sub_494C /// dispatcher
LOAD:0000B140 ; ---------------------------------------------------------------------------
LOAD:0000B144 dword_B144 DCD 8
-------------------------------------------------------------------------------------------
Jump table, 40 jumps in total; the values added when computing pc:
LOAD:0000B144
LOAD:0000B144 ; first index = 8
LOAD:0000B144 ; find the offset that 8 maps to; its next index is the next piece of logic
LOAD:0000B148 A8 00 00 00 DCD 0xA8 ; b1ec
LOAD:0000B14C BC 00 00 00 DCD 0xBC ; b200
LOAD:0000B150 CC 00 00 00 DCD 0xCC ; b210
LOAD:0000B154 E0 00 00 00 DCD 0xE0 ; b224
LOAD:0000B158 F0 00 00 00 DCD 0xF0 ; b234
LOAD:0000B15C 00 01 00 00 DCD 0x100 ; b244
LOAD:0000B160 10 01 00 00 DCD 0x110 ; b254
LOAD:0000B164 20 01 00 00 DCD 0x120 ; b264 index 8, table value 0x120; the first jump is lr + off = b144 + 0x120
LOAD:0000B168 34 01 00 00 DCD 0x134 ; b278
LOAD:0000B16C 4C 01 00 00 DCD 0x14C ; b290
LOAD:0000B170 68 01 00 00 DCD 0x168 ; b2ac
LOAD:0000B174 7C 01 00 00 DCD 0x17C ; b2c0
LOAD:0000B178 94 01 00 00 DCD 0x194 ; b2d8
LOAD:0000B17C AC 01 00 00 DCD 0x1AC ; b2f0
LOAD:0000B180 D4 01 00 00 DCD 0x1D4 ; b318
LOAD:0000B184 EC 01 00 00 DCD 0x1EC ; b330
LOAD:0000B188 08 02 00 00 DCD 0x208 ; b34c
LOAD:0000B18C 24 02 00 00 DCD 0x224 ; b368
LOAD:0000B190 40 02 00 00 DCD 0x240 ; b384
LOAD:0000B194 68 02 00 00 DCD 0x268 ; b3ac
LOAD:0000B198 7C 02 00 00 DCD 0x27C ; b3c0
LOAD:0000B19C 90 02 00 00 DCD 0x290 ; b3d4
LOAD:0000B1A0 A4 02 00 00 DCD 0x2A4 ; b3e0
LOAD:0000B1A4 B8 02 00 00 DCD 0x2B8 ; b3fc
LOAD:0000B1A8 CC 02 00 00 DCD 0x2CC ; b410
LOAD:0000B1AC E0 02 00 00 DCD 0x2E0 ; b424
LOAD:0000B1B0 FC 02 00 00 DCD 0x2FC ; b440
LOAD:0000B1B4 10 03 00 00 DCD 0x310 ; b454
LOAD:0000B1B8 24 03 00 00 DCD 0x324 ; b468
LOAD:0000B1BC 3C 03 00 00 DCD 0x33C ; b480
LOAD:0000B1C0 58 03 00 00 DCD 0x358 ; b49c
LOAD:0000B1C4 6C 03 00 00 DCD 0x36C ; b4b0
LOAD:0000B1C8 90 03 00 00 DCD 0x390 ; b4d4
LOAD:0000B1CC AC 03 00 00 DCD 0x3AC ; b4f0
LOAD:0000B1D0 C4 03 00 00 DCD 0x3C4 ; b508
LOAD:0000B1D4 D8 03 00 00 DCD 0x3D8 ; b51c
LOAD:0000B1D8 F0 03 00 00 DCD 0x3F0 ; b534
LOAD:0000B1DC 14 04 00 00 DCD 0x414 ; b558
LOAD:0000B1E0 28 04 00 00 DCD 0x428 ; b56c
LOAD:0000B1E4 40 04 00 00 DCD 0x440 ; b584
LOAD:0000B1E8 5C 04 00 00 DCD 0x45C ; b5a0
-------------------------------------------------------------------------------------------------------------
Taking the first jump as an example:
LOAD:0000494C sub_494C
LOAD:0000494C arg_8 = 8
LOAD:0000494C BIC R1, LR, #1 // LR = B144; clear the lowest bit, R1 is still B144
//LOAD:0000B164 DCD 0x120
LOAD:00004950 00 11 91 E7 LDR R1, [R1,R0,LSL#2] // R1 = [B144 + 0x8 << 2] = [B144 + 0X20] = [B164] = 0x120
LOAD:00004954 ADD R1, R1, LR // R1 = B144 + 0x120 = B264
LOAD:00004958 LDR LR, [SP,#8] // LR = B144
LOAD:0000495C STR R1, [SP,#8] // B264
LOAD:00004960 03 80 BD E8 LDMFD SP!, {R0,R1,PC} // R0 = [SP], R1 = [SP + 4], PC = [SP + 8], jump to B264
A few of the jumps, listed at random:
1 = 0xb264
2 = 0x1511c
3 = 0x24764
4 = 0x5f2ac
5 = 0x71e70
6 = 0x72dbc
7 = 0x9a14
...
---------------------------------------------------------------------------------------------
Other helper-instruction patterns used by the obfuscated jumps:
LOAD:0000494C
LOAD:0000494C ; =============== S U B R O U T I N E =======================================
LOAD:0000494C
LOAD:0000494C
LOAD:0000494C dyna_pc ; CODE XREF: j_dyna_pcj
LOAD:0000494C ; LOAD:loc_4C20p ...
LOAD:0000494C
LOAD:0000494C arg_8 = 8
LOAD:0000494C
LOAD:0000494C 01 10 CE E3 BIC R1, LR, #1
LOAD:00004950 00 11 91 E7 LDR R1, [R1,R0,LSL#2] ; lr (lowest bit cleared) + (r0 << 2)
LOAD:00004954 0E 10 81 E0 ADD R1, R1, LR
LOAD:00004958 08 E0 9D E5 LDR LR, [SP,#8]
LOAD:0000495C 08 10 8D E5 STR R1, [SP,#8]
LOAD:00004960 03 80 BD E8 LDMFD SP!, {R0,R1,PC} ; 1 = 0xb264
LOAD:00004960 ; End of function dyna_pc ; 2 = 0x1511c
LOAD:00004960 ; 3 = 0x24764
LOAD:00004960 ; 4 = 0x5f2ac
LOAD:00004960 ; 5 = 0x71e70
LOAD:00004960 ; 6 = 0x72dbc
LOAD:00004960 ; 7 = 0x9a14
LOAD:00004960 ; ...
LOAD:00004964
LOAD:00004964 ; =============== S U B R O U T I N E =======================================
LOAD:00004964
LOAD:00004964 ; performs pc = pc + 8
LOAD:00004964 ; the register value to be popped is lr + [lr]
LOAD:00004964 ; purpose: dynamically generate a function argument
LOAD:00004964
LOAD:00004964 dyna_mkarg ; CODE XREF: sub_4ADC:loc_4AE0j
LOAD:00004964 ; LOAD:00004D16p ...
LOAD:00004964
LOAD:00004964 anonymous_0 = 0
LOAD:00004964 arg_C = 0xC
LOAD:00004964 arg_10 = 0x10
LOAD:00004964
LOAD:00004964 01 00 CE E3 BIC R0, LR, #1
LOAD:00004968 00 10 90 E5 LDR R1, [R0]
LOAD:0000496C 01 10 90 E7 LDR R1, [R0,R1]
LOAD:00004970 04 E0 8E E2 ADD LR, LR, #4
LOAD:00004974 0C E0 8D E5 STR LR, [SP,#0xC] ; pc = lr + 4, the next instruction
LOAD:00004978 10 10 8D E5 STR R1, [SP,#0x10] ; value popped into the register later
LOAD:0000497C 03 C0 BD E8 LDMFD SP!, {R0,R1,LR,PC} ; pc = pc + 8
LOAD:0000497C
LOAD:00004980
LOAD:00004980 ; =============== S U B R O U T I N E =======================================
LOAD:00004980
LOAD:00004980
LOAD:00004980 sub_4980 ; CODE XREF: sub_4ABC:loc_4AC0j
LOAD:00004980
LOAD:00004980 arg_8 = 8
LOAD:00004980
LOAD:00004980 01 10 CE E3 BIC R1, LR, #1
LOAD:00004984 00 11 91 E7 LDR R1, [R1,R0,LSL#2]
LOAD:00004988 81 00 8E E0 ADD R0, LR, R1,LSL#1
LOAD:0000498C 08 E0 9D E5 LDR LR, [SP,#arg_8]
LOAD:00004990 08 00 8D E5 STR R0, [SP,#arg_8]
LOAD:00004994 03 80 BD E8 LDMFD SP!, {R0,R1,PC}
LOAD:00004994 ; End of function sub_4980
LOAD:00004994
LOAD:00004998
LOAD:00004998 ; =============== S U B R O U T I N E =======================================
LOAD:00004998
LOAD:00004998
LOAD:00004998 sub_4998 ; CODE XREF: sub_4AC4:loc_4AC8j
LOAD:00004998 ; LOAD:000098FCp ...
LOAD:00004998
LOAD:00004998 arg_8 = 8
LOAD:00004998
LOAD:00004998 01 00 CE E3 BIC R0, LR, #1
LOAD:0000499C 00 10 90 E5 LDR R1, [R0]
LOAD:000049A0 0E 10 81 E0 ADD R1, R1, LR
LOAD:000049A4 08 E0 9D E5 LDR LR, [SP,#arg_8]
LOAD:000049A8 08 10 8D E5 STR R1, [SP,#arg_8]
LOAD:000049AC 03 80 BD E8 LDMFD SP!, {R0,R1,PC}
LOAD:000049AC ; End of function sub_4998
LOAD:000049AC
LOAD:000049B0
LOAD:000049B0 ; =============== S U B R O U T I N E =======================================
LOAD:000049B0
LOAD:000049B0
LOAD:000049B0 sub_49B0
LOAD:000049B0
LOAD:000049B0 arg_C = 0xC
LOAD:000049B0 arg_10 = 0x10
LOAD:000049B0
LOAD:000049B0 01 00 CE E3 BIC R0, LR, #1
LOAD:000049B4 00 10 90 E5 LDR R1, [R0]
LOAD:000049B8 00 10 81 E0 ADD R1, R1, R0
LOAD:000049BC 04 E0 8E E2 ADD LR, LR, #4
LOAD:000049C0 0C E0 8D E5 STR LR, [SP,#arg_C]
LOAD:000049C4 10 10 8D E5 STR R1, [SP,#arg_10]
LOAD:000049C8 03 C0 BD E8 LDMFD SP!, {R0,R1,LR,PC}
LOAD:000049C8 ; End of function sub_49B0
LOAD:000049C8
LOAD:000049CC
LOAD:000049CC ; =============== S U B R O U T I N E =======================================
LOAD:000049CC
LOAD:000049CC
LOAD:000049CC sub_49CC
LOAD:000049CC
LOAD:000049CC var_4 = -4
LOAD:000049CC
LOAD:000049CC 03 40 2D E9 STMFD SP!, {R0,R1,LR}
LOAD:000049D0 0E 10 A0 E1 MOV R1, LR
LOAD:000049D4 A1 10 A0 E1 MOV R1, R1,LSR#1
LOAD:000049D8 81 10 A0 E1 MOV R1, R1,LSL#1
LOAD:000049DC 01 00 A0 E1 MOV R0, R1
LOAD:000049E0 00 10 91 E5 LDR R1, [R1]
LOAD:000049E4 00 10 81 E0 ADD R1, R1, R0
LOAD:000049E8 00 10 91 E5 LDR R1, [R1]
LOAD:000049EC 08 10 8D E5 STR R1, [SP,#0xC+var_4]
LOAD:000049F0 04 E0 8E E2 ADD LR, LR, #4
LOAD:000049F4 03 80 BD E8 LDMFD SP!, {R0,R1,PC}
LOAD:000049F4 ; End of function sub_49CC
LOAD:000049F4
LOAD:000049F8
LOAD:000049F8 ; =============== S U B R O U T I N E =======================================
LOAD:000049F8
LOAD:000049F8
LOAD:000049F8 sub_49F8
LOAD:000049F8
LOAD:000049F8 arg_4 = 4
LOAD:000049F8
LOAD:000049F8 04 E0 9D E5 LDR LR, [SP,#arg_4]
LOAD:000049FC 04 00 8D E5 STR R0, [SP,#arg_4]
LOAD:00004A00 01 80 BD E8 LDMFD SP!, {R0,PC}
LOAD:00004A00 ; End of function sub_49F8
LOAD:00004A00
LOAD:00004A04
LOAD:00004A04 ; =============== S U B R O U T I N E =======================================
LOAD:00004A04
LOAD:00004A04
LOAD:00004A04 sub_4A04
LOAD:00004A04
LOAD:00004A04 arg_C = 0xC
LOAD:00004A04 arg_10 = 0x10
LOAD:00004A04 arg_14 = 0x14
LOAD:00004A04
LOAD:00004A04 0E 10 A0 E1 MOV R1, LR
LOAD:00004A08 A1 10 A0 E1 MOV R1, R1,LSR#1
LOAD:00004A0C 81 10 A0 E1 MOV R1, R1,LSL#1
LOAD:00004A10 01 00 A0 E1 MOV R0, R1
LOAD:00004A14 00 10 91 E5 LDR R1, [R1]
LOAD:00004A18 00 10 81 E0 ADD R1, R1, R0
LOAD:00004A1C 00 00 91 E5 LDR R0, [R1]
LOAD:00004A20 04 10 91 E5 LDR R1, [R1,#4]
LOAD:00004A24 10 00 8D E5 STR R0, [SP,#arg_10]
LOAD:00004A28 14 10 8D E5 STR R1, [SP,#arg_14]
LOAD:00004A2C 04 E0 8E E2 ADD LR, LR, #4
LOAD:00004A30 0C E0 8D E5 STR LR, [SP,#arg_C]
LOAD:00004A34 03 40 BD E8 LDMFD SP!, {R0,R1,LR}
LOAD:00004A38 04 F0 9D E4 LDR PC, [SP-0xC+arg_C],#4
LOAD:00004A38 ; End of function sub_4A04
LOAD:00004A38
LOAD:00004A3C
LOAD:00004A3C ; =============== S U B R O U T I N E =======================================
LOAD:00004A3C
LOAD:00004A3C
LOAD:00004A3C sub_4A3C ; CODE XREF: sub_4AE4:loc_4AE8j
LOAD:00004A3C
LOAD:00004A3C var_8 = -8
LOAD:00004A3C var_4 = -4
LOAD:00004A3C arg_8 = 8
LOAD:00004A3C
LOAD:00004A3C 04 70 2D E5 STR R7, [SP,#-4]!
LOAD:00004A40 00 70 0F E1 MRS R7, CPSR
LOAD:00004A44 04 20 2D E5 STR R2, [SP,#-4]!
LOAD:00004A48 01 10 CE E3 BIC R1, LR, #1
LOAD:00004A4C 80 01 B1 E7 LDR R0, [R1,R0,LSL#3]!
LOAD:00004A50 04 10 91 E5 LDR R1, [R1,#4]
LOAD:00004A54 00 00 51 E3 CMP R1, #0
LOAD:00004A58 0E 00 00 0A BEQ loc_4A98
LOAD:00004A5C 01 00 11 E3 TST R1, #1
LOAD:00004A60 7F 20 A0 13 MOVNE R2, #0x7F ; ''
LOAD:00004A64 21 22 02 10 ANDNE R2, R2, R1,LSR#4
LOAD:00004A68 02 00 40 10 SUBNE R0, R0, R2
LOAD:00004A6C 02 00 11 E3 TST R1, #2
LOAD:00004A70 7F 20 A0 13 MOVNE R2, #0x7F ; ''
LOAD:00004A74 A1 25 02 10 ANDNE R2, R2, R1,LSR#11
LOAD:00004A78 02 00 80 10 ADDNE R0, R0, R2
LOAD:00004A7C 04 00 11 E3 TST R1, #4
LOAD:00004A80 FF 20 A0 13 MOVNE R2, #0xFF
LOAD:00004A84 21 29 02 10 ANDNE R2, R2, R1,LSR#18
LOAD:00004A88 02 00 20 10 EORNE R0, R0, R2
LOAD:00004A8C 01 2E A0 E1 MOV R2, R1,LSL#28
LOAD:00004A90 C2 0F 20 E0 EOR R0, R0, R2,ASR#31
LOAD:00004A94 21 0D 80 E0 ADD R0, R0, R1,LSR#26
LOAD:00004A98
LOAD:00004A98 loc_4A98 ; CODE XREF: sub_4A3C+1Cj
LOAD:00004A98 0E 00 80 E0 ADD R0, R0, LR
LOAD:00004A9C 04 20 9D E4 LDR R2, [SP],#4
LOAD:00004AA0 07 F0 29 E1 MSR CPSR_cf, R7
LOAD:00004AA4 04 70 9D E4 LDR R7, [SP],#4
LOAD:00004AA8 08 E0 9D E5 LDR LR, [SP,#8]
LOAD:00004AAC 08 00 8D E5 STR R0, [SP,#8]
LOAD:00004AB0 03 80 BD E8 LDMFD SP!, {R0,R1,PC}
LOAD:00004AB0 ; End of function sub_4A3C
----------------------------------------------------------------------------------------------
Another jump table as an example:
LOAD:00009884 01 48 LDR R0, =5
LOAD:00009888 FB F7 60 E8 BLX dyna_pc
LOAD:0000988C 05 00 00 00 dword_988C DCD 5
LOAD:00009890 1C 00 00 00 DCD 0x1C
LOAD:00009894 40 00 00 00 DCD 0x40
LOAD:00009898 E4 00 00 00 DCD 0xE4
LOAD:0000989C 3C 01 00 00 DCD 0x13C
LOAD:000098A0 88 01 00 00 DCD 0x188
LOAD:000098A4 08 02 00 00 DCD 0x208
As above, the rule is dyna_pc + 4 (i.e. the address of the next instruction) + offset[0 - 5] (the index is the value of r0; the table spans 9890 - 98A4, 5 entries in all),
so 5 jumps in total pass through here, and this is confirmed:
Down j LOAD:000098C4 BL loc_9888
Down j LOAD:00009966 BL loc_9888
Down j LOAD:000099BE BL loc_9888
Down j LOAD:00009A0C BL loc_9888
Down j LOAD:00009A8A BL loc_9888
-------------------------------------------------------------------------------------------
The sub_494C pattern appears only once in the code segment
LOAD:0000B264 ; ---------------------------------------------------------------------------
LOAD:0000B264 PUSH.W {R4-R8,LR}
LOAD:0000B268 ADD R7, SP, #0xC
LOAD:0000B26A PUSH {R0,R1,LR}
LOAD:0000B26C LDR R0, =0x20
LOAD:0000B26E BL loc_B140 // jumps back to LOAD:0000B140 BLX sub_494C
LOAD:0000B26E ; ---------------------------------------------------------------------------
From this you can see (and infer) that the program contains several similar kinds of jump.
Pattern:
PUSH {R0,R1,LR}
LDR R0, =number
NOP
The patch code, adapted from the web, is placed in the file put_unconditional_branch.py.
Running the patch script at B26A gives the following result: the instruction at B26A becomes B loc_B4B0
LOAD:0000B264 ; ---------------------------------------------------------------------------
LOAD:0000B264 2D E9 F0 41 PUSH.W {R4-R8,LR}
LOAD:0000B268 03 AF ADD R7, SP, #0xC
LOAD:0000B26A 21 E1 B loc_B4B0
LOAD:0000B26C 01 48 LDR R0, =0x20
LOAD:0000B26E FF F7 67 FF BL loc_B140
LOAD:0000B26E ; ---------------------------------------------------------------------------
LOAD:0000B4B0 ; ---------------------------------------------------------------------------
LOAD:0000B4B0
LOAD:0000B4B0 loc_B4B0
LOAD:0000B4B0 82 B0 SUB SP, SP, #8
LOAD:0000B4B2 82 B0 SUB SP, SP, #8 // this block contains a blx call which
LOAD:0000B4B4 03 B5 PUSH {R0,R1,LR} // merely jumps to the next instruction
LOAD:0000B4B6 F9 F7 56 EA BLX sub_4964 // and computes the value of a chosen register
LOAD:0000B4BA EA 00 LSLS R2, R5, #3 // all code of this kind can be patched out
LOAD:0000B4BC 00 00 MOVS R0, R0 //
LOAD:0000B4BE 02 BC POP {R1} //
LOAD:0000B4C0 00 28 CMP R0, #0 //
LOAD:0000B4C2 79 44 ADD R1, PC //
LOAD:0000B4C4 09 68 LDR R1, [R1]
LOAD:0000B4C6 03 B5 PUSH {R0,R1,LR}
LOAD:0000B4C8 01 48 LDR R0, =0x27
LOAD:0000B4CA FF F7 39 FE BL loc_B140
LOAD:0000B4CA ; ---------------------------------------------------------------------------
The instructions in sub_4964 only accomplish PC = R1 = B5A4, LR = B4BE (its next instruction); R0, R1 omitted
LOAD:00004964 ; =============== S U B R O U T I N E =======================================
LOAD:00004964
LOAD:00004964
LOAD:00004964 sub_4964
LOAD:00004964
LOAD:00004964
LOAD:00004964 arg_C = 0xC
LOAD:00004964 arg_10 = 0x10
LOAD:00004964
LOAD:00004964 01 00 CE E3 BIC R0, LR, #1 // clear LR's lowest bit; R0 is still B4BA
LOAD:00004968 00 10 90 E5 LDR R1, [R0] // R1 = [B4BA] = 0XEA
LOAD:0000496C 01 10 90 E7 LDR R1, [R0,R1] // R1 = B4BA + 0XEA = B5A4
LOAD:00004970 04 E0 8E E2 ADD LR, LR, #4 // B4BA + 4 = B4BE
LOAD:00004974 0C E0 8D E5 STR LR, [SP,#0xC]
LOAD:00004978 10 10 8D E5 STR R1, [SP,#0x10]
LOAD:0000497C 03 C0 BD E8 LDMFD SP!, {R0,R1,LR,PC} // PC = B4BE (its next instruction)
LOAD:0000497C ; End of function sub_4964
LOAD:0000497C
LOAD:00004980 ; ---------------------------------------------------------------------------
The pattern is as follows:
SUB SP, SP, #8
PUSH {R0,R1,LR}
....
POP xxx
The patch code, adapted from the web, is in patches.py; after patching at B4B2 the code changes as follows:
LOAD:0000B4B0 ; ---------------------------------------------------------------------------
LOAD:0000B4B0
LOAD:0000B4B0 loc_B4B0
LOAD:0000B4B0 82 B0 SUB SP, SP, #8
LOAD:0000B4B2 00 BF NOP
LOAD:0000B4B4 01 49 LDR R1, =0xB5A4 // = 0x7F73A
LOAD:0000B4B6 09 68 LDR R1, [R1]
LOAD:0000B4B8 02 E0 B loc_B4C0
LOAD:0000B4B8 ; ---------------------------------------------------------------------------
LOAD:0000B4BA EA 00 word_B4BA DCW 0xEA
LOAD:0000B4BC A4 B5 00 00 dword_B4BC DCD 0xB5A4
LOAD:0000B4C0 ; ---------------------------------------------------------------------------
LOAD:0000B4C0
LOAD:0000B4C0 loc_B4C0 ; CODE XREF: LOAD:0000B4B8j
LOAD:0000B4C0 00 28 CMP R0, #0
LOAD:0000B4C2 79 44 ADD R1, PC // __stack_chk_guard
LOAD:0000B4C4 09 68 LDR R1, [R1]
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
Another similar block of code; pattern:
LOAD:0007203C 03 B5 PUSH {R0,R1,LR}
LOAD:0007203E 00 BF NOP
LOAD:00072040 92 F7 AA EC BLX sub_4998
LOAD:00072044 0C 00 MOVS R4, R1
-------------------------------------------------------------------------------------------------------------------
LOAD:00004998
LOAD:00004998
LOAD:00004998 sub_4998
LOAD:00004998
LOAD:00004998
LOAD:00004998 arg_8 = 8
LOAD:00004998
LOAD:00004998 01 00 CE E3 BIC R0, LR, #1 // clear the lowest bit of LR = 0x72044; still 72044
LOAD:0000499C 00 10 90 E5 LDR R1, [R0] // R1 = [0x72044] = 0xc
LOAD:000049A0 0E 10 81 E0 ADD R1, R1, LR // LR = 0x72044 + 0xc = 0x72050
LOAD:000049A4 08 E0 9D E5 LDR LR, [SP,#8]
LOAD:000049A8 08 10 8D E5 STR R1, [SP,#8]
LOAD:000049AC 03 80 BD E8 LDMFD SP!, {R0,R1,PC} // PC = 0x72050
LOAD:000049AC ; End of function sub_4998
----------------------------------------------------------------------------------------------------------------
Patched 0x7203C using the script adapted from the web and named put_unconditional_branch1.py.
LOAD:0007203C B loc_72050
LOAD:0007203E NOP
LOAD:00072040 BLX sub_4998
LOAD:00072044 MOVS R4, R1
LOAD:00072046 MOVS R0, R0
---------------------------------------------------------------------------------------------------------------
Another pattern for computing pc:
LOAD:00009A50 FA F7 A2 EF BLX sub_4998
LOAD:00009A50 ; ---------------------------------------------------------------------------
LOAD:00009A54 7A FF FF FF DCD 0xFFFFFF7A
LOAD:00009A58 ; ---------------------------------------------------------------------------
sub_4998
LOAD:00004998 arg_8 = 8
LOAD:00004998
LOAD:00004998 01 00 CE E3 BIC R0, LR, #1 // lr = 9A54
LOAD:0000499C 00 10 90 E5 LDR R1, [R0] // 0xFFFFFF7A
LOAD:000049A0 0E 10 81 E0 ADD R1, R1, LR // 0x9ace = 9A54 + 0x7a
LOAD:000049A4 08 E0 9D E5 LDR LR, [SP,#8]
LOAD:000049A8 08 10 8D E5 STR R1, [SP,#8]
LOAD:000049AC 03 80 BD E8 LDMFD SP!, {R0,R1,PC} // 0x9ace
The above instructions are equivalent to the pseudocode below:
bl (lr + [lr])
---------------------------------------------------------------------------------------------------------------
Another pattern for computing pc:
LOAD:00009BBC 00 F0 0C B8 B.W loc_9BD8
LOAD:00009BC0 ; ---------------------------------------------------------------------------
LOAD:00009BD8 loc_9BD8
LOAD:00009BD8
LOAD:00009BD8 71 46 MOV R1, LR // lr = 9BC0
LOAD:00009BDA 02 A5 ADR R5, 0x9BE4
LOAD:00009BDC 55 F8 21 10 LDR.W R1, [R5,R1,LSL#2] ; 30ae4 = 0xFE6B
LOAD:00009BE0 29 44 ADD R1, R5 ; 19A4F
LOAD:00009BE2 08 47 BX R1 // dynamic jump
LOAD:00009BE2 ; ---------------------------------------------------------------------------
LOAD:00009BE4 DD FF FF FF DCD 0xFFFFFFDD
LOAD:00009BE8 ; ---------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------
Another pattern for computing pc (it also computes a register value dynamically, i.e. a dynamically generated argument):
LOAD:00004D12 82 B0 SUB SP, SP, #8
LOAD:00004D14 03 B5 PUSH {R0,R1,LR}
LOAD:00004D16 FF F7 26 EE BLX sub_4964
LOAD:00004D16 ; ---------------------------------------------------------------------------
LOAD:00004D1A EE 31 00 00 DCD 0x31EE
LOAD:00004D1E ; ---------------------------------------------------------------------------
LOAD:00004D1E 01 BC POP {R0} // pop xxx, dynamically generated argument
sub_4964
LOAD:00004964 01 00 CE E3 BIC R0, LR, #1 // 4D1A
LOAD:00004968 00 10 90 E5 LDR R1, [R0] // 0x31EE
LOAD:0000496C 01 10 90 E7 LDR R1, [R0,R1] // r1 = [4D1A + 0x31EE] = [7f08] = 0x85ECC
LOAD:00004970 04 E0 8E E2 ADD LR, LR, #4 // lr = 4D1E
LOAD:00004974 0C E0 8D E5 STR LR, [SP,#0xC] // lr + 4, the next instruction
LOAD:00004978 10 10 8D E5 STR R1, [SP,#0x10] // register value to be popped: 0x85ECC
LOAD:0000497C 03 C0 BD E8 LDMFD SP!, {R0,R1,LR,PC} // pc = pc + 8
Equivalent to the pseudocode:
arg_addr = [lr + [lr]]
r{0-3} = arg_addr
---------------------------------------------------------------------------------------------------------------
JNI_OnLoad logic of the program:
libsgmainso_6.4.36.so B3F2D000 B3FB6000 R . X D . byte 00 public CODE 32 00 00
sp = BE903640 B1200284 debug038:B1200284
First dynamic pc:
libsgmainso_6.4.36.so:B3F38140 BLX dyna_pc
Dynamic arg:
libsgmainso_6.4.36.so:B3F384B6 BLX dyna_arg
libsgmainso_6.4.36.so:AFE80210 BL loc_AFEF14F4 (renamed goto_create_global_objs)
sub_7C4F4(); // creates the global jboolean, jinteger and jstring
Skip this while debugging, otherwise it may crash
LOAD:0000B584 71 F0 14 F8 BL goto_getenv(7C5B0)
---------------------------------------------------------------------------------------------------------------
#sub_72CCC(), renamed goto_do_httpuitl
Mainly looks up the various methods of com/taobao/wireless/security/adapter/common/HttpUtil,
obtains the corresponding MethodIDs and saves them
sub77dbc(): this code matches the second patch pattern, but this spot should not be patched; a location that is patched
82 B0 SUB SP, SP, #8
03 B5 PUSH {R0,R1,LR}
91 F7 CC ED BLX dyna_arg
32 01 LSLS R2, R6, #4
00 00 MOVS R0, R0
01 BC POP {R0}
must contain two SUB SP, SP, #8 instructions, so running the patch script over the whole code segment
goes wrong: it patches the {R0,R1,LR} instruction into b xxxx and execution fails.
sp = BE903620 AFE80111 libsgmainso_6.4.36.so:AFE80111
BL sub_B3FA0E24 (sub_73e24(), renamed goto_decrypt_entry)
arg: B3FB2FA9, BE9035C3, 0x35 // arg 1 is the encrypted data buffer, arg 2 is the decrypted data buffer
sub_B3FA0E56 (sub_73e56, renamed decrypt_entry), a fairly important function involving creation of the container structure and decryption
BL unk_B3FA7F78 (goto_create_vdata)
BL sub_B3FA7FB6 (create_vdata)
arg: vdata1, "DcO/lcK+h?m3c*q@", 0x10
//vdata1->make_vdata fills in the data
libsgmainso_6.4.36.so:B3FA0E94 98 47 BLX R3(7AA5D)
Copies "DcO/lcK+h?m3c*vaq@" into data1 of vdata1
Second call to make_vdata, arg: vdata2, B3FB2FA9, 52 // arg 2 is the data buffer
This time the following 52 bytes are copied into data2 of vdata2:
0xF9,0xA7,0x21,0x3D,0x8C,0x3E,0xFE,0x77,0x18,0x40,0xDB,0x2A,
0xAD,0x4A,0xC5,0xF9,0xA1,0x56,0x75,0x54,0x23,0xBE,0xC7,0xA6,
0x7A,0x35,0xEC,0x8E,0xB2,5,0x74,0x11,0x93,0x58,0x7F,0x6E,0x3A,
0xE3,0x4F,0x9D,0x54,3,0x7E,0x6B,0xFA,0x1B,0x5B,0xE3,0xF8,0xC1,2,0xF9
dcryptdata: BE903578
memset(BE903578, 0, 20)
arg: BE903578, BE903594, 20, 20
// entering the decrypt function; memory corresponding to the dcryptdata structure
[stack]:BE903578 DCD 0
[stack]:BE90357C DCD 3 ; caseno
[stack]:BE903580 DCD 0
[stack]:BE903584 DCD 0
[stack]:BE903588 DCD 0xACC1C890 ; vdata1
[stack]:BE90358C DCD 0xACC1C8C8 ; vdata2
libsgmainso_6.4.36.so:B3FA0ED8 BL sub_B3F8E15C (renamed goto_dcrypto)
goto_dcrypto(dcryptdata, )
Enters sub_611b4 (renamed decrypto) to decrypt; the result is:
"com/taobao/wireless/security/adapter/common/HttpUtil"
libsgmainso_6.4.36.so AFE75000 AFEFE000 R . X D . byte 00 public CODE 32 00 00
Calls findclass to look up that class and NewGlobalRef to create a ref to it
arg: httputilref,
bl sub_72d60()
// arg 1 is the encrypted data, arg 2 the decryption buffer, arg 3 the length
BL goto_decrypt_entry(encdata, decdata, len);
BL goto_create_vdata
memset (BE9035A0, 0, 0x1d)
Copies the encrypted data into vdata2
memset of the dcryptdata structure at BE903558
BL goto_dcrypto, decrypts the string "sendSyncHttpGetRequestBridge"
Calls env->getStaticMethodID, 75F247D8
sub_72e54()
Decrypts the data "sendSyncHttpPostRequestBridge"
Calls env->getStaticMethodID, 75F24828
Then decrypts "downloadFileBridge"
Calls env->getStaticMethodID, 75F24788
Calls env->DeleteLocalRef to delete httputilref
This ends sub_72CCC()
---------------------------------------------------------------------------------------------------------------
sub_73634(), renamed goto_do_umidAdapter
Mainly looks up the methods of com/taobao/wireless/security/adapter/umid/UmidAdapter
and saves their MethodIDs
sub_7366A()
BL goto_decrypt_entry(,, 54)
Decrypts "com/taobao/wireless/security/adapter/umid/UmidAdapter"
Calls env->findclass to find UmidAdapterClass 00100025, calls env->NewGlobalRef for UmidAdapterRef
Calls env->DeleteLocalRef to delete UmidAdapterClass
BL goto_decrypt_entry(AFEFB113, BE9035B8, 16)
Decrypts "umidInitAdapter"
Calls env->getStaticMethodID(UmidAdapterRef, "umidInitAdapter") 75F248C8
End of sub_73634()
---------------------------------------------------------------------------------------------------------------
sub_73E24() goto_decrypt_entry(AFEF8EA6, BE9035E8, 49)
Decrypts "com/taobao/wireless/security/adapter/JNICLibrary"
libsgmainso_6.4.36.so B3F2D000 B3FB7000 R . X D . byte 00 public CODE 32 00 00
Calls env->findclass to look up JNICLibrary 00200025
bl 9EE4
sub_9ee4(), renamed goto_create_command_vdata; it mainly calls sub_9F1C to create two large structures
sub_9F1C() // make_global_command_ptr
First checks whether the value at off_90804 is NULL (renamed global_command_entryptr;
it holds the pointer to the global_command_entry structure below)
struct global_command_entry { // records the core methods for generating and executing commands
void* goto_make_command_entry; // corresponds to sub_9B3C; core algorithm that generates the command structure
void* goto_do_command1; // corresponds to sub_9d82; command_native_inner
void* goto_do_command2; // corresponds to sub_9e7e; much like sub_9d82
};
ACC11F60 = malloc(12); // unknown structure, tentatively named tmp_vdata
debug014:ACC11F60 DCD 0xB3F36A99 // corresponds to sub_9B3C; core algorithm that generates the command structure
debug014:ACC11F64 DCD 0xB3F36DF5 // corresponds to sub_9d82; command_native_inner
debug014:ACC11F68 DCD 0xB3F36E49 // corresponds to sub_9e7e; much like sub_9d82
sub_7B86C(32,0) // renamed create_command_vdata(int len, int w); // len is the structure size, w unknown
struct command_nest {
void* nf1;
void* nf2;
int len;
};
struct command_vdata {
struct data** datalist; // first layer: $8bitstruct
int data_count;
int data_size;
void* f1;
void* f2;
void* f3;
struct command_nest* nest;
};
ACC3A3D0 = malloc(36);
Creates the command_vdata structure; corresponding memory layout:
debug014:ACC3A3D0 DCD 0xACC49300 ; command_vdata1
debug014:ACC3A3D4 DCD 0
debug014:ACC3A3D8 DCD 0x20
debug014:ACC3A3DC DCD 0xB3FA88F9
debug014:ACC3A3E0 DCD 0xB3FA89B5
debug014:ACC3A3E4 DCD 0xB3FA89F5
debug014:ACC3A3E8 DCD 0xB3FA8A81
debug014:ACC3A3EC DCD 0xB3FA8AF1
debug014:ACC3A3F0 DCD 0
Creates the data structure (chunk)
ACC49300 = malloc(128);
Creates the second command_vdata structure, ACC3A3A8
debug014:ACC3A3A8 DCD 0xACC49280 ; command_vdata2
debug014:ACC3A3AC DCD 0
debug014:ACC3A3B0 DCD 0x20
debug014:ACC3A3B4 DCD 0xB3FA88F9
debug014:ACC3A3B8 DCD 0xB3FA89B5
debug014:ACC3A3BC DCD 0xB3FA89F5
debug014:ACC3A3C0 DCD 0xB3FA8A81
debug014:ACC3A3C4 DCD 0xB3FA8AF1
debug014:ACC3A3C8 DCD 0
Creates the second data structure, ACC49280
Then stores the two of them at the following locations:
off_8CA7C g_search_command_vdata DCD 0xACC3A3D0, used when do_command's fourth argument is 0: search
off_8CA78 gcommand_build_vdata DCD 0xACC3A3A8, used when do_command's fourth argument is 1: build
Saves the global_command_entry pointer at off_90804
---------------------------------------------------------------------------------------------------------------
bl sub_71D68(), renamed goto_do_SPUtility2
Mainly looks up some method IDs of com/taobao/wireless/security/adapter/common/SPUtility2
sub_73DD4() does nothing
sub_71E70 is only used to construct arguments
sub_72080()
Decrypts to "com/taobao/wireless/security/adapter/common/SPUtility2"
Calls env->findclass to find SPUtility2Class 00000029
Calls env->NewGlobalRef to create SPUtility2Ref 001003DA
sub_72134()
Decrypts "readFromSPUnified"
Calls env->getStaticMethodID, 75F26B48
Decrypts "saveToFileUnifiedForNative"
Calls env->getStaticMethodID, 75F26C88
sub_720C8()
Decrypts "removeFromSPUnifiedp"
Calls env->getStaticMethodID, 75F26BE8
sub_71FD0()
Decrypts "readSS"
Decrypts "writeSS", calls env->getStaticMethodID, 75F26D78
sub_71EB0()
Calls env->getStaticMethodID("readSS"), 75F26B98
Decrypts "read", "write"
Calls env->getStaticMethodID("read"), 75F26AF8
Calls env->getStaticMethodID("write"), 75F26D28
---------------------------------------------------------------------------------------------------------------
sub_e7dc()
sub_E890()
Decrypts "(I)Ljava/lang/String;"
Decrypts "com/taobao/wireless/security/adapter/datacollection/DeviceInfoCapturer"
Calls findclass, 0010002D; calls NewGlobalRef to create a ref to the class, 001003DE
Calls DeleteLocalRef to delete the local DeviceInfoCapturer class ref
Decrypts "doCommandForString"
Calls env->getStaticMethodID("doCommandForString"), 75F27048, stored at off_8CA94
Stored at the following locations:
off_8CA94 global_DeviceInfoCapturer_methodId DCD 0x75F27048
off_8CA98 global_DeviceInfoCapturer_ref DCD 0xB6F33E04
#########################################################################################
#sub_9B3C
This is an important function: the data structures every command depends on are generated through it.
It has been obfuscated with LLVM, and analysing it without first removing the LLVM obfuscation is rather laborious.
A command's main parameters are three:
command / 10000 ; // n1
command % 10000 / 100 ; // n2
command % 100 ; // n3
These three parameters form a three-layer structure (from the outside in: n1->n2->n3). The final encrypted address is held
in the n3-layer structure (it is only XOR-encrypted); the decryption key is held in the n2-layer structure (a random number seeded with time,
different on every run and probably different for every app).
The address associated with each command is not the real address of the function (it is a wrapper containing the real address); it is an entry point (stub) for executing the function,
and that entry point needs further processing before it can jump to the real function address.
A function is split into several blocks, determined by the n3-layer structure, for example:
command(1, 17, 1) { // arbitrary assumption
stub2->do_command_parser->real_func_addr
stub1->do_command_parser->real_func_addr
stub3->do_command_parser->real_func_addr
stub4->do_command_parser->real_func_addr
}
In the analysis above we have already seen it generate a global command_entryptr, which records the algorithm that produces the command-related structures
and the algorithm that walks the structures in reverse to find the stub.
It also generates two first-layer (n1) pointer structures, gcommand_vdata1 and gcommand_vdata2 (used for searching and for building respectively).
The main structure is as follows (pseudo-definition):
n1 -> first struct{8 bit: n2_addr, count} -> n2 -> second {24 bit: n3_addr, count} -> n3 ->
third {16 bit: stub_addr, count}
Whether building the command structures forward or searching them backwards by parameters, these three parameters are needed
1. Building command structures forward: the argument passed is 1
2. Searching command structures backwards: the argument passed is 0
#more to be added later as appropriate
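An added Python model (not code from the analysed library) of the decomposition and of the three-layer build/search structure described above: n1 and n2 select nested tables, the n2 layer owns the key, and the n3 layer stores the stub address XOR-masked with that key. The layer classes, the key generator (os.urandom in place of the time-seeded rand() the page describes) and the None result for a missing n3 entry are assumptions made for this example; the error codes 0x26B0 and 0x26B1 and the sample address 0x102B5 are the values quoted on the page.

```python
"""Model of command -> (n1, n2, n3) and the three-layer command table.
Added illustration for this page; not code from the analysed library."""

import os
from dataclasses import dataclass, field


def split_command(command):
    """command / 10000, command % 10000 / 100, command % 100 -> (n1, n2, n3)."""
    return command // 10000, command % 10000 // 100, command % 100


def join_command(n1, n2, n3):
    """Inverse of split_command."""
    return n1 * 10000 + n2 * 100 + n3


@dataclass
class Layer3:
    """Stands in for the page's $16bitstruct: n3 -> XOR-masked stub address."""
    n3: int
    xoraddr: int


@dataclass
class Layer2:
    """Stands in for $24bitstruct: n2 -> per-layer key plus its n3 entries."""
    n2: int
    key: int
    entries: dict = field(default_factory=dict)   # n3 -> Layer3


@dataclass
class Layer1:
    """Stands in for $8bitstruct: n1 -> its n2 entries."""
    n1: int
    entries: dict = field(default_factory=dict)   # n2 -> Layer2


class CommandTable:
    """build() is the w = 1 path (insert a stub address); search() is the w = 0 path."""

    NOT_FOUND_L1 = 0x26B0   # return value quoted in sub_9a14 when the n1 layer is empty
    NOT_FOUND_L2 = 0x26B1   # return value quoted when the n2 layer is empty

    def __init__(self, keygen=None):
        # Assumption: a fresh random key per n2 layer, as the page describes,
        # but drawn from os.urandom rather than a time-seeded rand().
        self.keygen = keygen or (lambda: int.from_bytes(os.urandom(4), "little"))
        self.layers = {}     # n1 -> Layer1

    def build(self, command, stub_addr):
        n1, n2, n3 = split_command(command)
        l1 = self.layers.setdefault(n1, Layer1(n1))
        l2 = l1.entries.get(n2)
        if l2 is None:
            l2 = l1.entries[n2] = Layer2(n2, self.keygen())
        l2.entries[n3] = Layer3(n3, (stub_addr ^ l2.key) & 0xFFFFFFFF)
        return l2.entries[n3]

    def search(self, command):
        """Resolve a command back to its stub address, or an error code / None."""
        n1, n2, n3 = split_command(command)
        l1 = self.layers.get(n1)
        if l1 is None:
            return self.NOT_FOUND_L1
        l2 = l1.entries.get(n2)
        if l2 is None:
            return self.NOT_FOUND_L2
        l3 = l2.entries.get(n3)
        if l3 is None:
            return None          # assumption: the page gives no code for a missing n3
        return (l3.xoraddr ^ l2.key) & 0xFFFFFFFF


if __name__ == "__main__":
    table = CommandTable()
    table.build(join_command(1, 9, 1), 0x102B5)   # build_addr quoted on the page
    print(split_command(10901))                   # (1, 9, 1)
    print(hex(table.search(10901)))               # 0x102b5
    print(hex(table.search(20901)))               # 0x26b0
```

Because the key lives one layer above the masked address, dumping a single n3 entry tells an analyst nothing by itself; the n2 entry must be located first, which is why the page stresses that the search path needs all three indices.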
開始分析:
sub_9B3C() // goto_make_command_entry
以第一次分析爲例(我只記錄關鍵邏輯):
[stack]:BE8915C8 DCD 0xB3E7B2B5 ; sp
[stack]:BE8915CC DCD 0x100025
sub_9B3C(1, 9, 1, 1, build_addr) ->
// goto_build_or_unpack_command
sub_9854(gcommand_build_vdata, 1, 9, 1, 1, ...) ->
sub_9a14(gcommand_build_vdata, 1, 9, 1, 1, build_addr = 0xB3E7B2B5) // build_addr = 0x102B5
struct $8bitstruct { // first-level structure
    int command_arg1; // command arg1
    struct command_vdata* vdata; // points to the second level
};
struct $24bitstruct { // second-level structure
    int command_arg1; // command arg1
    int command_arg2; // command arg2
    long time; // XOR key: rand() after srand(time(NULL))
    int c; // (time >> 31)
    struct command_vdata* vdata; // points to the third level
    int d; // unknown
};
struct $16bitstruct { // third-level structure
    int command_arg1; // command arg1
    int command_arg2; // command arg2
    int command_arg3; // command arg3
    int xoraddr; // build_addr XOR-ed with the second level's time key
};
// w = 0 means lookup, w = 1 means create
// n1, n2, n3 are the command's three-level indices
// build_addr: in the forward (build) case the address being stored; in the reverse case the return address
void* sub_9a14(struct command_vdata* g_build_vdata, int n1, int n2, int n3, int w /* = 1 here */, void* build_addr) {
    int data_count = g_build_vdata->data_count;
    int i = 0;
    if (data_count < 1) {
        if (w == 0) {
            return (void*) 0x26B0;
        }
        struct $8bitstruct* _8bitstruct = (struct $8bitstruct*) malloc(8); // B4E01130
        memset(_8bitstruct, 0, 8);
        _8bitstruct->command_arg1 = n1;
        // -> 7BB98
        // vdata = ACB4A3F8, datalist = ACB32980
        // vdata initialisation omitted; default data_size is 120 bytes
        struct command_vdata* second_command_vdata = (struct command_vdata*) malloc(36);
        _8bitstruct->vdata = second_command_vdata;
        // make_command_vdata, fills in the data
        // here it only does vdata->datalist->d = _8bitstruct;
        // vdata->data_count++;
        g_build_vdata->f2(g_build_vdata, 0, _8bitstruct);
        if (second_command_vdata->data_count < 1) {
            if (w == 0) {
                return (void*) 0x26B1;
            }
            // ACB12478
            struct $24bitstruct* _24bitstr = (struct $24bitstruct*) malloc(24);
            memset(_24bitstr, 0, 24);
            _24bitstr->command_arg1 = n1; // command arg1
            _24bitstr->command_arg2 = n2; // command arg2
            time_t seed;
            seed = time(NULL); // 5E58B699
            srand(seed);
            int random_time = (int) rand(); // 074D4C00
            int c = random_time >> 31; // 0
            _24bitstr->time = random_time;
            _24bitstr->c = c;
            // create the third-level command_vdata structure
            // vdata = ACB4A498; data = ACB32A00
            // vdata initialisation omitted
            struct command_vdata* third_command_vdata = (struct command_vdata*) malloc(36);
            _24bitstr->vdata = third_command_vdata;
            // here it only does vdata->datalist->d = _24bitstr;
            // vdata->data_count++;
            second_command_vdata->f2(second_command_vdata, _24bitstr); // make_command_vdata
            if (third_command_vdata->data_count < 1) {
                if (w == 0) {
                    return (void*) 0x270F;
                }
                // ACB3B540
                struct $16bitstruct* _16bitstr = (struct $16bitstruct*) malloc(16);
                _16bitstr->command_arg1 = n1;
                _16bitstr->command_arg2 = n2;
                _16bitstr->command_arg3 = n3;
                // make_command_vdata, fills in the data
                // here it only does vdata->datalist->d = _16bitstr;
                // vdata->data_count++;
                third_command_vdata->f2(third_command_vdata, _16bitstr); // make_command_vdata
                // store the XOR-encrypted address
                _16bitstr->xoraddr = _24bitstr->time ^ (int) build_addr;
                return 0;
            } else {
                i = 0;
                while (i < third_command_vdata->data_count) {
                    // discussed later
                }
            }
        } else {
            i = 0;
            while (i < second_command_vdata->data_count) {
                // discussed later
            }
        }
    } else {
        struct data** datalist = g_build_vdata->datalist;
        struct $8bitstruct* _8bitstr = NULL;
        for (i = 0; i < g_build_vdata->data_count; i++) {
            _8bitstr = (struct $8bitstruct*) datalist[i];
            if (_8bitstr->command_arg1 == n1) {
                break;
            }
        }
        // fetch the second-level structure
        struct command_vdata* second_command_vdata = _8bitstr->vdata;
        if (second_command_vdata->data_count < 1) {
            return (void*) 0x26B1;
        }
        datalist = second_command_vdata->datalist;
        struct $24bitstruct* _24bitstr = NULL;
        for (int j = 0; j < second_command_vdata->data_count; j++) {
            if (((struct $24bitstruct*) datalist[j])->command_arg2 == n2) {
                _24bitstr = (struct $24bitstruct*) datalist[j];
                break;
            }
        }
        if (w == 0) {
            return ??;
        }
        if (_24bitstr == NULL) {
            _24bitstr = (struct $24bitstruct*) malloc(24);
            // create the $24bitstruct structure
            // create third_command_vdata ACB4A4C0; same as above
            // update second_command_vdata's datalist and data_count++, etc.
            // ACB124C0 24bitstr,
            // called after creation
        }
        // fetch the third level
        struct $16bitstruct* _16bitstr = NULL;
        struct command_vdata* third_command_vdata = _24bitstr->vdata;
        if (third_command_vdata->data_count < 1) {
            // body not recorded
        }
        for (int j = 0; j < third_command_vdata->data_count; j++) {
            if (((struct $16bitstruct*) third_command_vdata->datalist[j])->command_arg3 == n3) {
                _16bitstr = (struct $16bitstruct*) third_command_vdata->datalist[j];
                break;
            }
        }
        if (w == 0) {
            return ??;
        }
        if (_16bitstr == NULL) {
            _16bitstr = (struct $16bitstruct*) malloc(16);
            // ACB11F50
            // create $16bitstruct; same as above
            return 0;
        }
    }
}
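The three-level registry described above (command split into n1/n2/n3, a per-n2 random key, and the stub address stored XOR-ed at n3), as an added, runnable example. This is not code from libsgmain.so or from these notes; it is a reimplementation of the logic the pseudocode recovers. The library's command_vdata lists and their f2() filler are replaced by one growable-array node type, the key is drawn from rand() exactly as the notes record (the library seeds it with time()), and the error codes 0x26B0/0x26B1/0x270F are the ones the notes record for the lookup path. The command numbers and addresses in main() are constructed from the (n1, n2, n3, build_addr) pairs traced in this file.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

/* Added example (not code from libsgmain.so): a minimal reimplementation of the
 * three-level command registry that sub_9a14 builds (w == 1) and walks (w == 0).
 * One node type stands in for the $8bitstruct / $24bitstruct / $16bitstruct
 * records and for the command_vdata lists behind them (an assumption here). */

/* Error codes the notes record on the lookup path when a level is missing. */
enum { ERR_NO_LEVEL1 = 0x26B0, ERR_NO_LEVEL2 = 0x26B1, ERR_NO_LEVEL3 = 0x270F };

struct node {
    int idx;              /* n1, n2 or n3 depending on the level */
    uintptr_t key;        /* only consumed at level 2: the "time" field of $24bitstruct */
    uintptr_t xoraddr;    /* only used at level 3: stub address XOR level-2 key */
    struct node **items;  /* children (the vdata->datalist of the notes) */
    int count;            /* vdata->data_count */
};

/* A command number packs the indices as n1 * 10000 + n2 * 100 + n3. */
static void split_command(int command, int *n1, int *n2, int *n3) {
    *n1 = command / 10000;
    *n2 = command % 10000 / 100;
    *n3 = command % 100;
}

/* Linear search of one level by index; optionally append a new child. */
static struct node *find_child(struct node *parent, int idx, int create) {
    for (int i = 0; i < parent->count; i++)
        if (parent->items[i]->idx == idx) return parent->items[i];
    if (!create) return NULL;
    struct node *n = calloc(1, sizeof *n);
    struct node **grown = realloc(parent->items, (size_t)(parent->count + 1) * sizeof *grown);
    if (n == NULL || grown == NULL) { perror("alloc"); exit(EXIT_FAILURE); }
    n->idx = idx;
    n->key = (uintptr_t)rand();   /* per-node random key; the library seeds rand() with time() */
    parent->items = grown;
    parent->items[parent->count++] = n;
    return n;
}

/* Forward path (w == 1): create the levels as needed and store the stub
 * address XOR-ed with the level-2 key. Returns 0 like sub_9a14 does. */
int cmd_register(struct node *root, int command, uintptr_t stub_addr) {
    int n1, n2, n3;
    split_command(command, &n1, &n2, &n3);
    struct node *l2 = find_child(find_child(root, n1, 1), n2, 1);
    struct node *l3 = find_child(l2, n3, 1);
    l3->xoraddr = l2->key ^ stub_addr;
    return 0;
}

/* Reverse path (w == 0): walk n1 -> n2 -> n3 and undo the XOR with the key held
 * at level 2. Returns the level-specific error code when a level is missing. */
int cmd_lookup(struct node *root, int command, uintptr_t *stub_addr) {
    int n1, n2, n3;
    split_command(command, &n1, &n2, &n3);
    struct node *l1 = find_child(root, n1, 0);
    if (l1 == NULL) return ERR_NO_LEVEL1;
    struct node *l2 = find_child(l1, n2, 0);
    if (l2 == NULL) return ERR_NO_LEVEL2;
    struct node *l3 = find_child(l2, n3, 0);
    if (l3 == NULL) return ERR_NO_LEVEL3;
    *stub_addr = l2->key ^ l3->xoraddr;
    return 0;
}

int main(void) {
    srand((unsigned)time(NULL));
    struct node root = {0};
    /* Constructed inputs: command (1,9,1) with offset 0x102B5 and (1,11,52)
     * with 0x19725, the pairs recorded in the traces of these notes. */
    cmd_register(&root, 10901, 0x102B5);
    cmd_register(&root, 11152, 0x19725);
    uintptr_t addr = 0;
    int rc = cmd_lookup(&root, 11152, &addr);
    printf("lookup(1,11,52): rc=%d stub=0x%lx\n", rc, (unsigned long)addr);
    printf("lookup(1,9,2): rc=0x%x (level 3 missing)\n", cmd_lookup(&root, 10902, &addr));
    return 0;
}
```

Two points worth noting when reading the real structures with this model in mind: the key is stored in the same heap graph as the value it hides, one level above it, so the XOR only defeats a static dump of the n3 records, not a live memory read; and because the key is rand() seeded from time(), two processes started in the same second get the same key sequence, which is why the notes observe that the value "differs every run" rather than being unpredictable.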
#########################################################################################
---------------------------------------------------------------------------------------------------------------
sub_69D68() does nothing
---------------------------------------------------------------------------------------------------------------
sub_197B4() renamed to goto_do_DataReportJniBridgerer
Mainly handles the methods of the class com/taobao/wireless/security/adapter/datareport/DataReportJniBridgerer, same as above
sub_1990C()
Decrypts "com/taobao/wireless/security/adapter/datareport/DataReportJniBridgerer"
Calls findclass, 0000002D
Calls NewGlobalRef to create a ref to this class, 001003E2
sub_19998()
Forgot to set breakpoints below, so some information was lost
Decrypts "sendReportBridge", calls getStaticMethodID, forgot to record the result
Decrypts "accsAvaiableBridge", calls getStaticMethodID, forgot to record the result
Decrypts "()I", calls getStaticMethodID, forgot to record the result
Decrypts "registerAccsListnerBridge"
Decrypts "()I", calls getStaticMethodID, forgot to record the result
They are stored one after another starting at off_8CB80
sub_73D90() reads the value of the global_command_entry pointer
Then calls sub_9b3c(1, 0xb, 0x34, 1, build_addr = B3E84725 = 0x19725); see the detailed analysis above
---------------------------------------------------------------------------------------------------------------
sub_E240()
sub_e280()
Again sub_9B3C(1, 7, 1, 1, build_addr = 0xB3E791D5 = off_E1D5), same as above, not analysed further
---------------------------------------------------------------------------------------------------------------
sub_B8B0()
Then calls sub_9B3C(1, 1, 1, 1, build_addr = 0xB3E76921 = off_B921), same as above, omitted
Then calls sub_9B3C(1, 1, 2, 1, build_addr = 0xB3E76FD9 = off_BFD9), same as above, omitted
---------------------------------------------------------------------------------------------------------------
sub_5F0F4()
sub_5F11E()
sub_9B3C() same as above, omitted
---------------------------------------------------------------------------------------------------------------
sub_5F0F4(env, clazz)
sub_9B3C() same as above, omitted
sub_9B3C() same as above, omitted
---------------------------------------------------------------------------------------------------------------
sub_70640(env, clazz)
sub_9B3C() same as above, omitted
sub_9B3C() same as above, omitted
---------------------------------------------------------------------------------------------------------------
sub_11F3C(env)
sub_14FEE()
sub_1511C(); many findclass and other calls in between are omitted
Decrypts "android/content/Context", calls findclass
sub_151A4()
Decrypts "getPackageManager", "()Landroid/content/pm/PackageManager;"
Calls getStaticMethodID 70FC7458
Decrypts "getContentResolver", "()Landroid/content/ContentResolver;"
Calls getStaticMethodID 70FC7458
Decrypts "getSystemService", "(Ljava/lang/String;)Ljava/lang/Object;"
Calls getStaticMethodID 70FC7BA8
Decrypts "WIFI_SERVICE", "Ljava/lang/String;"
Calls GetStaticFieldID 70FC66E8
Calls NewGlobalRef to create a ref to this class, 001003E6
Calls DeleteLocalRef to delete the local ref to this class
Decrypts "android/content/pm/PackageManager", "getPackageInfo", calls findclass
"(Ljava/lang/String;I)Landroid/content/pm/PackageInfo;"
Calls getStaticMethodID 70FAFA30
Calls DeleteLocalRef to delete the local ref to this class
Decrypts "android/content/pm/PackageInfo"
"applicationInfo", "Landroid/content/pm/ApplicationInfo;"
Calls GetFieldID 71052F08
Decrypts "firstInstallTime1", "J"
Calls GetFieldID 71053100