nProtect APPGuard安卓反外挂分析
工具与环境:
IDA7.0
JEB2.2.5
Nexus 5
Android 4.4
目录:
一:app简单分析与java层反编译
二: compatible.so反调试与反反调试
三: compatible.so注册jni函数分析
四: stub.so反调试与反反调试
五: stub.so注册jni函数分析
六: Assembly-CSharp.dll解密分析
七: libengine模块分析
八:总结
一:app简单分析与java层反编译
整体图:
1.最近在学习手游保护方面的技术,本文是学习过程中分析某反外挂的一点记录,高手莫要见笑,有不对的地方还请指教,首先简单通过资源目录中文件名做基本了解,
在lib目录中有libmono.so、libunity.so,资源目录中存在(assets\bin\Data\Managed\Assembly-CSharp.dll),应该是unity 3D编写,通过反编译发现该文件己被加密,在资源目录下armeabi文件夹中还存放着libengine.sox与libstub.sox文件,看名字猜测很可能这两个文件就是反外挂其中的一些模块了,在看看lib目录下只有libcompatible.so模块比较可疑。如下图所示:
当我们用调试器附加游戏程进时会有如下提示:
被发现有调试器附加,下节我们将分析它的反调试机制。
2.通过JEB反编译来看看大致流程,反编译后先找到application类,代码如下图:
主要是加载so模块,so名称字符串被加密了,解密出来后so名称"compatible",将compatible.so放到IDA中反编译发现函数名被混淆了,字符串己加密,如下图:
通过以上简单分析,我们主要关注的重点关注的模块主要有lib目录下的libcompatible.so与资源目录中的libengine.sox与libstub.sox,还有就是发现java层的字符串与函数名都被混淆,so模块中的字符串也函数名也被混淆。
3.拷贝资源,解密libstub.sox并加载 。
在Lcom/inca/security/Core/AppGuardEngine初始函数<init>(Landroid/content/Context;Lcom/inca/security/AppGuard/AppGuardEventListener;Z)V中将判断X86或ARM平台并将对应的\assets\appguard中的libengine.sox、libstub.sox、update.dat拷贝到程序安装目录。JEB未能正常反编译出java代码,看smali代码。
1 :1946 2 00001946 const/4 v9, 3 3 00001948 if-ge v6, v9, :1C16 4 :194C 5 0000194C invoke-static Binder->getABI()I 6 00001952 move-result v6 7 00001954 move-object/from16 v0, p0 8 00001958 move-object/from16 v1, p1 9 0000195C invoke-virtual AppGuardEngine->iiIIIiiiIi(Context, I)Z, v0, v1, v6 # 拷贝资源 10 00001962 move-result v6 11 00001964 if-eqz v6, :1BE0 12 :1968 13 00001968 new-instance v6, qb 14 0000196C invoke-static JNISoxProxy->getContext()Context 15 00001972 move-result-object v9 16 00001974 invoke-direct qb-><init>(Context)V, v6, v9 17 0000197A const-string v9, "fChY~_h\u0004yEr" # libstub.sox 18 0000197E invoke-virtual qb->iiIIIiiiIi([B)V, v6, v8 19 00001984 invoke-static b->iiIIIiiiIi(String)String, v9 20 0000198A move-result-object v9 21 0000198C const-string v10, "j\u000Fd\u0015r\u0013dHu\t" # libstub.so 22 00001990 invoke-static yb->iiIIIiiiIi(String)String, v10 23 00001996 move-result-object v10 24 00001998 const/4 v11, 0 25 0000199A invoke-virtual qb->iiIIIiiiIi(String, String, [B)Z, v6, v9, v10, v11 # 解密libstub.sox((最终传入so层解密private static native byte[] iIiIIIiIiI(byte[] arg0, int arg1))) 26 000019A0 move-result v6 27 000019A2 if-eqz v6, :1BE0 28 :19A6 29 000019A6 new-instance v6, File 30 000019AA new-instance v9, StringBuilder 31 000019AE invoke-direct StringBuilder-><init>()V, v9 32 000019B4 const/4 v10, 0 33 000019B6 invoke-static JNISoxProxy->getContext()Context 34 000019BC move-result-object v11 35 000019BE invoke-virtual Context->getFilesDir()File, v11 36 000019C4 move-result-object v11 37 000019C6 invoke-virtual File->getAbsolutePath()String, v11 38 000019CC move-result-object v11 39 000019CE invoke-virtual StringBuilder->insert(I, String)StringBuilder, v9, v10, v11 40 000019D4 move-result-object v9 41 000019D6 const-string v10, "%FcHy^\u007FH$Ye" # /libstub.so 42 000019DA invoke-static b->iiIIIiiiIi(String)String, v10 43 000019E0 move-result-object v10 44 000019E2 invoke-virtual StringBuilder->append(String)StringBuilder, v9, v10 45 000019E8 move-result-object v9 46 000019EA invoke-virtual StringBuilder->toString()String, v9 47 000019F0 move-result-object v9 48 000019F2 invoke-direct File-><init>(String)V, v6, v9 49 000019F8 invoke-virtual File->exists()Z, v6 50 :19FE 51 000019FE move-result v9 52 00001A00 if-eqz v9, :1BE0 53 :1A04 54 00001A04 invoke-virtual File->getAbsolutePath()String, v6 55 00001A0A move-result-object v9 56 00001A0C invoke-static System->load(String)V, v9 # 加载指定路径的SO 57 00001A12 invoke-direct/range AppGuardEngine->lllIIIlllI(Context)V, p0 .. p1 # 调用Native 58 :1A18 59 00001A18 invoke-virtual File->delete()Z, v6 60 00001A1E new-instance v6, File 61 00001A22 new-instance v9, StringBuilder 62 00001A26 invoke-direct StringBuilder-><init>()V, v9 63 00001A2C const/4 v10, 0 64 00001A2E invoke-static JNISoxProxy->getContext()Context 65 00001A34 move-result-object v11 66 00001A36 invoke-virtual Context->getFilesDir()File, v11 67 00001A3C move-result-object v11 68 00001A3E invoke-virtual File->getAbsolutePath()String, v11 69 00001A44 move-result-object v11 70 00001A46 invoke-virtual StringBuilder->insert(I, String)StringBuilder, v9, v10, v11 71 00001A4C move-result-object v9 72 00001A4E const-string v10, ")\no\u0004u\u0012s\u0004(\u0015i\u001E" # /libstub.sox 73 00001A52 invoke-static yb->iiIIIiiiIi(String)String, v10 74 00001A58 move-result-object v10 75 00001A5A invoke-virtual StringBuilder->append(String)StringBuilder, v9, v10 76 00001A60 move-result-object v9 77 00001A62 invoke-virtual StringBuilder->toString()String, v9 78 00001A68 move-result-object v9 79 00001A6A invoke-direct File-><init>(String)V, v6, v9 80 00001A70 invoke-virtual File->delete()Z, v6
4. 解密libstub.sox模块。
解密函数在类com/inca/security/qb中iiIIIiiiIi函数,代码如下:
1 @SuppressLint(value={"SdCardPath"}) public boolean iiIIIiiiIi(String arg25, String arg26, byte[] arg27) throws IOException, InvalidKeyException { 2 Object v18; 3 Object v5_2; 4 long v16_1; 5 Method v8_3; 6 Class v11_2; 7 Object v7_2; 8 Object v4_7; 9 Method v15; // doFinal 10 Method v14_1; // init java.security.Key 11 Object v13_1; // RSA/ECB/PKCS1Padding 12 int v8_1; 13 int v7; 14 FileInputStream v13; 15 Method v4_6; 16 byte[] v7_1; 17 boolean v4_2; 18 Method v5_1; // read 19 byte[] v12; 20 byte[] v11; 21 Object v10; // / 22 Class v9; // java.io.FileInputStream 23 try { 24 v9 = Class.forName(vb.iiIIIiiiIi("&3:3b;#|\n; 7\u0005<<\'8\u00018 )3!")); // java.io.FileInputStream 25 Constructor v4_1 = v9.getConstructor(String.class); 26 v10 = v4_1.newInstance(arg25.indexOf(yb.iiIIIiiiIi("I")) == 0 ? arg25 : new StringBuilder().insert(0, this.iiIiiiIIIi).append(arg25).toString()); // / 27 v11 = new byte[16]; 28 v12 = new byte[4]; 29 v5_1 = v9.getMethod(vb.iiIIIiiiIi(" )3("), byte[].class, Integer.TYPE, Integer.TYPE); // read 30 v5_1.invoke(v10, v11, Integer.valueOf(0), Integer.valueOf(3)); 31 if(v11[0] == 83 && v11[1] == 79 && v11[2] == 88) { // 判断开头是否为SOX 32 goto label_82; 33 } 34 35 v4_2 = false; 36 return v4_2; 37 } 38 catch(Exception v4) { 39 goto label_78; 40 } 41 42 label_82: 43 int v4_3 = 3; 44 try { 45 v5_1.invoke(v10, v11, Integer.valueOf(0), Integer.valueOf(2)); 46 if((((short)((((short)v11[0])) | (((short)v11[1])) << 8))) != 1) { 47 return false; 48 } 49 50 v5_1.invoke(v10, v11, Integer.valueOf(0), Integer.valueOf(1)); 51 v5_1.invoke(v10, v11, Integer.valueOf(0), Integer.valueOf(2)); 52 v5_1.invoke(v10, v11, Integer.valueOf(0), Integer.valueOf(2)); 53 v5_1.invoke(v10, v11, Integer.valueOf(0), Integer.valueOf(4)); 54 v5_1.invoke(v10, v11, Integer.valueOf(0), Integer.valueOf(4)); 55 v5_1.invoke(v10, v12, Integer.valueOf(0), Integer.valueOf(4)); 56 v5_1.invoke(v10, v11, Integer.valueOf(0), Integer.valueOf(12)); 57 v5_1.invoke(v10, v11, Integer.valueOf(0), Integer.valueOf(16)); 58 v5_1.invoke(v10, v11, Integer.valueOf(0), Integer.valueOf(16)); 59 byte[] v4_5 = null; 60 if(v11[0] == 0 || v11[1] == 0 || v11[14] == 0 || v11[15] == 0) { 61 v7_1 = v4_5; 62 v4_6 = v5_1; 63 goto label_291; 64 label_276: 65 while(v7 < 64) { 66 v13.read(v11); 67 if(v8_1 == v14) { 68 v4_5 = new byte[16]; 69 System.arraycopy(v11, 0, v4_5, 0, 16); 70 } 71 72 v7 = v8_1 + 1; 73 v8_1 = v7; 74 } 75 76 v13.close(); 77 v7_1 = v4_5; 78 v4_6 = v5_1; 79 } 80 else { 81 File v8 = new File(String.format(yb.iiIIIiiiIi("CuI#\u0015(\u0012v\r"), arg25.substring(0, arg25.lastIndexOf(47)), qb.iiIIIiiiIi(v11))); // %s/%s.tpk 82 if(v8.exists()) { 83 v13 = new FileInputStream(v8); 84 v13.read(v11); 85 int v14 = (Math.abs(v11[0] << 24 | v11[4] << 16 | v11[8] << 8 | v11[12]) + 1) % 64; 86 v7 = 1; 87 v8_1 = 1; 88 goto label_276; 89 } 90 else { 91 return false; 92 } 93 } 94 95 label_291: 96 v4_6.invoke(v10, v11, Integer.valueOf(0), Integer.valueOf(4)); 97 v4_5 = new byte[(v11[3] & 255) << 24 | 0 | (v11[2] & 255) << 16 | (v11[1] & 255) << 8 | v11[0] & 255]; 98 v5_1 = v9.getMethod(vb.iiIIIiiiIi(" )3("), byte[].class); // read 99 v5_1.invoke(v10, v4_5); 100 Class v8_2 = Class.forName(yb.iiIIIiiiIi("\fg\u0010g\u001E(\u0005t\u001Fv\u0012iHE\u000Fv\u000Ec\u0014")); // javax.crypto.Cipher 101 Method v11_1 = v8_2.getMethod(vb.iiIIIiiiIi("+78\u001B\"!83\"1)"), String.class); // getInstance 102 v13_1 = v11_1.invoke(null, yb.iiIIIiiiIi("T5GIC%DIV-E576g\u0002b\u000Fh\u0001")); // RSA/ECB/PKCS1Padding 103 v14_1 = v8_2.getMethod(vb.iiIIIiiiIi(";\";8"), Integer.TYPE, Class.forName(yb.iiIIIiiiIi("\fg\u0010gHu\u0003e\u0013t\u000Fr\u001F(-c\u001F"))); // init java.security.Key 104 v14_1.invoke(v13_1, Integer.valueOf(2), this.iIiIIiIiIi); 105 v15 = v8_2.getMethod(vb.iiIIIiiiIi("(=\n;\"3 "), byte[].class); // doFinal 106 v4_7 = v15.invoke(v13_1, v4_5); 107 if(v7_1 != null) { 108 v13_1 = v11_1.invoke(null, yb.iiIIIiiiIi("\'C5")); // AES 109 v14_1.invoke(v13_1, Integer.valueOf(2), Class.forName(vb.iiIIIiiiIi("&3:34|/ 5\"8=b!<7/|\u001F7/ )&\u000775\u0001<7/")).getConstructor(byte[].class, String.class).newInstance(v7_1, yb.iiIIIiiiIi("\'C5"))); // javax.crypto.spec.SecretKeySpec AES 110 v4_7 = v15.invoke(v13_1, v4_7); 111 } 112 113 v7_2 = null; 114 v7_2 = v11_1.invoke(v7_2, vb.iiIIIiiiIi("\r\u0017\u001F")); 115 v14_1.invoke(v7_2, Integer.valueOf(2), Class.forName(yb.iiIIIiiiIi("\fg\u0010g\u001E(\u0005t\u001Fv\u0012iHu\u0016c\u0005(5c\u0005t\u0003r-c\u001FU\u0016c\u0005")).getConstructor(byte[].class, String.class).newInstance(v4_7, vb.iiIIIiiiIi("\r\u0017\u001F"))); 116 v11_2 = Class.forName(yb.iiIIIiiiIi("\fg\u0010gHo\t($\u007F\u0012c\'t\u0014g\u001FI\u0013r\u0016s\u0012U\u0012t\u0003g\u000B")); 117 v13_1 = v11_2.getConstructor(null).newInstance(null); 118 byte[] v14_2 = new byte[1024]; 119 v15 = v8_2.getMethod(vb.iiIIIiiiIi("\'<6-&)"), byte[].class, Integer.TYPE, Integer.TYPE); 120 Method v16 = v11_2.getMethod(yb.iiIIIiiiIi("\u0011t\u000Fr\u0003"), byte[].class); 121 for(v4_6 = v5_1; true; v4_6 = v5_1) { 122 v4_3 = v4_6.invoke(v10, v14_2).intValue(); 123 if(v4_3 == -1) { 124 break; 125 } 126 127 v16.invoke(v13_1, v15.invoke(v7_2, v14_2, Integer.valueOf(0), Integer.valueOf(v4_3))); 128 } 129 130 v16.invoke(v13_1, v8_2.getMethod(vb.iiIIIiiiIi("(=\n;\"3 "), null).invoke(v7_2, null)); 131 v4_7 = v11_2.getMethod(yb.iiIIIiiiIi("\u0012i$\u007F\u0012c\'t\u0014g\u001F"), null).invoke(v13_1, null); 132 if(arg25.indexOf(vb.iiIIIiiiIi("c")) != 0) { 133 arg26 = new StringBuilder().insert(0, this.iiIiiiIIIi).append(arg26).toString(); 134 } 135 136 Class v7_3 = Class.forName(yb.iiIIIiiiIi("l\u0007p\u0007(\u000FiH@\u000Fj\u0003I\u0013r\u0016s\u0012U\u0012t\u0003g\u000B")); 137 v8_3 = v7_3.getMethod(vb.iiIIIiiiIi("; %&)"), byte[].class); 138 v14_1 = v7_3.getMethod(yb.iiIIIiiiIi("\u0005j\tu\u0003"), null); 139 v15 = v7_3.getMethod(vb.iiIIIiiiIi("*>9!$"), null); 140 v7_2 = v7_3.getConstructor(String.class).newInstance(arg26); 141 v16_1 = na.iIIIiiiIII(((byte[])v4_7), 5); 142 v5_2 = null; 143 } 144 catch(Exception v4) { 145 goto label_78; 146 } 147 148 try { 149 v18 = Binder.getReserved1(); 150 if(v18 == null) { 151 goto label_761; 152 } 153 } 154 catch(Exception v4) { 155 goto label_760; 156 } 157 158 try { 159 v5_2 = v18.getClass().getMethod(yb.iiIIIiiiIi("o/o/O\u000Fo/o/"), byte[].class, Integer.TYPE).invoke(v18, v4_7, Integer.valueOf(((int)v16_1))); 160 } 161 catch(Exception v4) { 162 try { 163 v4.printStackTrace(); 164 goto label_659; 165 label_761: 166 byte[] v5_3 = AppGuardEngine.iiIIIiiiIi(((byte[])v4_7), ((int)v16_1)); // 传入SO层解密 (该Native函数在compatible.so进行动态注册) 167 label_760: 168 } 169 catch(Exception v4) { 170 goto label_760; 171 } 172 } 173 174 label_659: 175 v4_3 = 3; 176 try { 177 int v12_1 = v12[0] & 255 | ((v12[v4_3] & 255) << 24 | 0 | (v12[2] & 255) << 16 | (v12[1] & 255) << 8); 178 Class v16_2 = Class.forName(vb.iiIIIiiiIi("&3:3b\'8; |6;<|\r6 7>a~")); 179 Object v17 = v16_2.getConstructor(null).newInstance(null); 180 v16_2.getMethod(yb.iiIIIiiiIi("s\u0016b\u0007r\u0003"), byte[].class, Integer.TYPE, Integer.TYPE).invoke(v17, v5_2, Integer.valueOf(0), Integer.valueOf(v5_2.length)); 181 v16_1 = v16_2.getMethod(vb.iiIIIiiiIi("5)&\u001A3 \')"), null).invoke(v17, null).longValue(); 182 if(v12_1 != 0 && v12_1 != (((int)v16_1))) { 183 v14_1.invoke(v7_2, null); 184 v4_2 = false; 185 } 186 else { 187 v8_3.invoke(v7_2, v5_2); 188 v15.invoke(v7_2, null); 189 v14_1.invoke(v7_2, null); 190 v9.getMethod(yb.iiIIIiiiIi("\u0005j\tu\u0003"), null).invoke(v10, null); 191 v11_2.getMethod(vb.iiIIIiiiIi("/>#!)"), null).invoke(v13_1, null); 192 v9.getMethod(yb.iiIIIiiiIi("\u0005j\tu\u0003"), null).invoke(v10, null); 193 v4_2 = true; 194 } 195 196 return v4_2; 197 } 198 catch(Exception v4) { 199 label_78: 200 Exception v5_4 = v4; 201 v4_2 = false; 202 v5_4.printStackTrace(); 203 return v4_2; 204 } 205 }
java层AES解密再传入传入so层解密private static native byte[] iIiIIIiIiI(byte[] arg0, int arg1)。
5. 解密libengine.sox模块
在Lcom/inca/security/Core/AppGuardEngine;->iiIIIiiiIi([B)Z生成一个随机数后SHA1后字会串做为解密后的文件名存放在/data/data/包名/files/目录下,解密函数与上一步相同。
生成随机数代码:
1 .method private synthetic iiIIIiiiIi([B)Z 2 .registers 12 3 .annotation build SuppressLint 4 value = { 5 "TrulyRandom" 6 } 7 .end annotation 8 .annotation system Throws 9 value = { 10 AppGuardException 11 } 12 .end annotation 13 00000000 const/4 v9, 2 14 00000002 const/16 v8, -0x007E 15 00000006 const/16 v7, 0x0030 16 0000000A const/4 v2, 0 17 0000000C const/4 v3, 1 18 :E 19 0000000E const-string v1, "U.GW" # SHA1 20 00000012 invoke-static yb->iiIIIiiiIi(String)String, v1 21 00000018 move-result-object v1 22 0000001A invoke-static MessageDigest->getInstance(String)MessageDigest, v1 23 :20 24 00000020 move-result-object v1 25 :22 26 00000022 new-instance v4, SecureRandom 27 00000026 invoke-direct SecureRandom-><init>()V, v4 28 0000002C const/16 v5, 0x0100 29 00000030 new-array v5, v5, [B 30 00000034 const/16 v6, 0x0126 31 00000038 invoke-virtual SecureRandom->nextBytes([B)V, v4, v5 32 0000003E invoke-virtual MessageDigest->update([B)V, v1, v5 33 00000044 invoke-virtual SecureRandom->nextBytes([B)V, v4, v5 34 0000004A invoke-virtual MessageDigest->update([B)V, v1, v5 35 00000050 new-instance v4, BigInteger 36 00000054 invoke-virtual MessageDigest->digest()[B, v1 37 0000005A move-result-object v1 38 0000005C invoke-direct BigInteger-><init>(I, [B)V, v4, v3, v1 39 00000062 const/16 v1, 0x0010 40 00000066 invoke-virtual BigInteger->toString(I)String, v4, v1 # 随机数后SHA1值 41 0000006C move-result-object v1 42 0000006E iput-object v1, p0, AppGuardEngine->IiIIiiiiii_Random_SHA1:String # 解密后文件名 43 //解密并调用 44 00000D7A new-instance v4, qb 45 00000D7E invoke-static JNISoxProxy->getContext()Context 46 00000D84 move-result-object v5 47 00000D86 invoke-direct qb-><init>(Context)V, v4, v5 48 00000D8C const-string v5, "fChOdMcDo\u0004yEr" # libengine.sox 49 00000D90 invoke-virtual qb->iiIIIiiiIi([B)V, v4, v1 50 00000D96 invoke-static b->iiIIIiiiIi(String)String, v5 51 00000D9C move-result-object v1 52 00000D9E iget-object v5, p0, AppGuardEngine->IiIIiiiiii_Random_SHA1:String 53 00000DA2 const/4 v6, 0 54 00000DA4 invoke-virtual qb->iiIIIiiiIi(String, String, [B)Z, v4, v1, v5, v6 # 解密libengine.sox(最终传入so层解密private static native byte[] iIiIIIiIiI(byte[] arg0, int arg1)) 55 :DAA 56 00000DAA move-object v0, p0 57 :DAC 58 00000DAC invoke-static JNISoxProxy->getContext()Context 59 00000DB2 move-result-object v1 60 00000DB4 new-instance v4, StringBuilder 61 00000DB8 invoke-direct StringBuilder-><init>()V, v4 62 00000DBE invoke-static JNISoxProxy->getContext()Context 63 00000DC4 move-result-object v5 64 00000DC6 invoke-virtual Context->getFilesDir()File, v5 65 00000DCC move-result-object v5 66 00000DCE invoke-virtual File->getAbsolutePath()String, v5 67 00000DD4 move-result-object v5 68 00000DD6 invoke-virtual StringBuilder->insert(I, String)StringBuilder, v4, v2, v5 69 00000DDC move-result-object v4 70 00000DDE const-string v5, "%" # / 71 00000DE2 invoke-static b->iiIIIiiiIi(String)String, v5 72 00000DE8 move-result-object v5 73 00000DEA invoke-virtual StringBuilder->append(String)StringBuilder, v4, v5 74 00000DF0 move-result-object v4 75 00000DF2 iget-object v5, p0, AppGuardEngine->IiIIiiiiii_Random_SHA1:String 76 00000DF6 invoke-virtual StringBuilder->append(String)StringBuilder, v4, v5 77 00000DFC move-result-object v4 78 00000DFE invoke-virtual StringBuilder->toString()String, v4 79 00000E04 move-result-object v4 80 00000E06 invoke-direct AppGuardEngine->IIIIIIIlIl(Context, String, [B)I, v0, v1, v4, p1 # 将解密后将libengine文件路径传入该Native函数中调用 81 00000E0C move-result v1 82 00000E0E if-gez v1, :E9A
解密后的so会在Native函数中通过dlopen、dlsym来调用。
二: compatible.so反调试与反反调试
1. 反调试 (文件偏移 13284)
1 /data/app-lib/com.digitalsky.girlsfrontline.cn-1/libcompatible.so 757C8000 0005F000 2 .text:757DB284 loc_757DB284 ; CODE XREF: JNI_OnLoad+254↑j 3 .text:757DB284 00 00 5C E3 CMP R12, #0 4 .text:757DB288 18 00 00 BA BLT loc_757DB2F0 5 .text:757DB28C 00 30 68 E2 RSB R3, R8, #0 6 .text:757DB290 03 00 20 E0 EOR R0, R0, R3 7 .text:757DB294 08 80 80 E0 ADD R8, R0, R8 8 .text:757DB298 0D 00 58 E3 CMP R8, #0xD ; 判断SDK版本 9 .text:757DB29C 9F FF FF DA BLE loc_757DB120 10 .text:757DB2A0 11 .text:757DB2A0 loc_757DB2A0 ; CODE XREF: JNI_OnLoad+2E4↓j 12 .text:757DB2A0 7D 2B 00 EB BL _Z11lIlIlIIIIIIv ; 创建3进程和多线程反调试 13 .text:757DB2A4 00 20 50 E2 SUBS R2, R0, #0 ; char *
如果SDK大于0XD时就创建3进程与多线程反调试:
1 .text:756F84B0 EXPORT _Z11IIIIIIIllllv 2 .text:756F84B0 _Z11IIIIIIIllllv ; CODE XREF: JNI_OnLoad:loc_756EE6E4↑p 3 .text:756F84B0 4 .text:756F84B0 var_2C= -0x2C 5 .text:756F84B0 var_28= -0x28 6 .text:756F84B0 var_24= -0x24 7 .text:756F84B0 var_20= -0x20 8 .text:756F84B0 9 .text:756F84B0 ; __unwind { 10 .text:756F84B0 F0 43 2D E9 STMFD SP!, {R4-R9,LR} 11 .text:756F84B4 C0 43 9F E5 LDR R4, =(_GLOBAL_OFFSET_TABLE_ - 0x756F84C8) 12 .text:756F84B8 C0 23 9F E5 LDR R2, =(__stack_chk_guard_ptr - 0x7572FED0) 13 .text:756F84BC C0 33 9F E5 LDR R3, =(_ZN6Global10lIlIIllIIlE_ptr - 0x7572FED0) 14 .text:756F84C0 04 40 8F E0 ADD R4, PC, R4 ; _GLOBAL_OFFSET_TABLE_ 15 .text:756F84C4 02 70 94 E7 LDR R7, [R4,R2] 16 .text:756F84C8 14 D0 4D E2 SUB SP, SP, #0x14 17 .text:756F84CC 00 20 97 E5 LDR R2, [R7] 18 .text:756F84D0 0C 20 8D E5 STR R2, [SP,#0x30+var_24] 19 .text:756F84D4 03 60 94 E7 LDR R6, [R4,R3] 20 .text:756F84D8 06 00 A0 E1 MOV R0, R6 ; int * 21 .text:756F84DC 72 F2 FF EB BL pipi 22 .text:756F84E0 00 00 50 E3 CMP R0, #0 23 .text:756F84E4 13 00 00 BA BLT loc_756F8538 24 .text:756F84E8 08 00 86 E2 ADD R0, R6, #8 ; int * 25 .text:756F84EC 6E F2 FF EB BL pipi 26 .text:756F84F0 00 00 50 E3 CMP R0, #0 27 .text:756F84F4 0F 00 00 BA BLT loc_756F8538 28 .text:756F84F8 48 00 86 E2 ADD R0, R6, #0x48 ; int * 29 .text:756F84FC 6A F2 FF EB BL pipi 30 .text:756F8500 00 00 50 E3 CMP R0, #0 31 .text:756F8504 0B 00 00 BA BLT loc_756F8538 32 .text:756F8508 30 00 86 E2 ADD R0, R6, #0x30 ; int * 33 .text:756F850C 66 F2 FF EB BL pipi 34 .text:756F8510 00 00 50 E3 CMP R0, #0 35 .text:756F8514 07 00 00 BA BLT loc_756F8538 36 .text:756F8518 38 00 86 E2 ADD R0, R6, #0x38 ; int * 37 .text:756F851C 62 F2 FF EB BL pipi 38 .text:756F8520 00 00 50 E3 CMP R0, #0 39 .text:756F8524 03 00 00 BA BLT loc_756F8538 40 .text:756F8528 40 00 86 E2 ADD R0, R6, #0x40 ; int * 41 .text:756F852C 5E F2 FF EB BL pipi 42 .text:756F8530 00 00 50 E3 CMP R0, #0 43 .text:756F8534 01 00 00 AA BGE loc_756F8540 44 .text:756F8538 45 .text:756F8538 loc_756F8538 ; CODE XREF: IIIIIIIllll(void)+34↑j 46 .text:756F8538 ; IIIIIIIllll(void)+44↑j ... 47 .text:756F8538 00 00 A0 E3 MOV R0, #0 ; int 48 .text:756F853C 4E F2 FF EB BL _Z10llIIlIIIlli ; llIIlIIIll(int) 49 .text:756F8540 50 .text:756F8540 loc_756F8540 ; CODE XREF: IIIIIIIllll(void)+84↑j 51 .text:756F8540 01 10 A0 E3 MOV R1, #1 52 .text:756F8544 04 00 A0 E3 MOV R0, #4 ; option 53 .text:756F8548 AF CB FF EB BL prctl 54 .text:756F854C 72 F2 FF EB BL getpid_0 55 .text:756F8550 30 33 9F E5 LDR R3, =(_ZN6Global10lIllllIllIE_ptr - 0x7572FED0) 56 .text:756F8554 03 50 94 E7 LDR R5, [R4,R3] 57 .text:756F8558 00 00 85 E5 STR R0, [R5] ; Global::lIllllIllI 58 .text:756F855C 60 F2 FF EB BL fork 59 .text:756F8560 01 00 70 E3 CMN R0, #1 60 .text:756F8564 04 00 85 E5 STR R0, [R5,#(dword_757309F4 - 0x757309F0)] 61 .text:756F8568 92 00 00 0A BEQ loc_756F87B8 62 .text:756F856C 63 .text:756F856C loc_756F856C ; CODE XREF: IIIIIIIllll(void)+314↓j 64 .text:756F856C 00 00 50 E3 CMP R0, #0 65 .text:756F8570 34 00 00 DA BLE loc_756F8648 66 .text:756F8574 00 80 A0 E3 MOV R8, #0 67 .text:756F8578 01 90 A0 E3 MOV R9, #1 68 .text:756F857C 08 33 9F E5 LDR R3, =(_ZN6Global10IIlIIlIIlIE_ptr - 0x7572FED0) 69 .text:756F8580 10 10 8D E2 ADD R1, SP, #0x30+var_20 70 .text:756F8584 38 00 96 E5 LDR R0, [R6,#(dword_75730EBC - 0x75730E84)] ; int 71 .text:756F8588 03 30 94 E7 LDR R3, [R4,R3] 72 .text:756F858C 04 20 A0 E3 MOV R2, #4 ; unsigned int 73 .text:756F8590 10 80 21 E5 STR R8, [R1,#-0x10]! 74 .text:756F8594 00 90 C3 E5 STRB R9, [R3] ; Global::IIlIIlIIlI 75 .text:756F8598 7B F2 FF EB BL read 76 .text:756F859C EC 12 9F E5 LDR R1, =(_ZN6Global6ThreadE_ptr - 0x7572FED0) 77 .text:756F85A0 EC 22 9F E5 LDR R2, =(_Z10IlIIlllIIlPv_ptr - 0x7572FED0) 78 .text:756F85A4 04 30 85 E2 ADD R3, R5, #4 ; void * 79 .text:756F85A8 01 60 94 E7 LDR R6, [R4,R1] 80 .text:756F85AC 02 20 94 E7 LDR R2, [R4,R2] ; void *(__cdecl *)(void *) 81 .text:756F85B0 08 10 A0 E1 MOV R1, R8 ; pthread_attr_t * 82 .text:756F85B4 06 00 A0 E1 MOV R0, R6 ; int * 83 .text:756F85B8 6D F1 FF EB BL pthread_create_0 84 .text:756F85BC 08 00 50 E1 CMP R0, R8 85 .text:756F85C0 80 00 00 BA BLT loc_756F87C8 86 .text:756F85C4 87 .text:756F85C4 loc_756F85C4 ; CODE XREF: IIIIIIIllll(void)+334↓j 88 .text:756F85C4 CC 32 9F E5 LDR R3, =(_Z10IIlIlllllIPv_ptr - 0x7572FED0) 89 .text:756F85C8 04 00 86 E2 ADD R0, R6, #4 ; int * 90 .text:756F85CC 00 10 A0 E3 MOV R1, #0 ; pthread_attr_t * 91 .text:756F85D0 03 20 94 E7 LDR R2, [R4,R3] ; void *(__cdecl *)(void *) 92 .text:756F85D4 09 30 A0 E3 MOV R3, #9 ; void * 93 .text:756F85D8 65 F1 FF EB BL pthread_create_0 94 .text:756F85DC 00 00 50 E3 CMP R0, #0 95 .text:756F85E0 6C 00 00 BA BLT loc_756F8798 96 .text:756F85E4 97 .text:756F85E4 loc_756F85E4 ; CODE XREF: IIIIIIIllll(void)+304↓j 98 .text:756F85E4 00 10 A0 E3 MOV R1, #0 ; pthread_attr_t * 99 .text:756F85E8 AC 22 9F E5 LDR R2, =(_Z11IIIlllIIIIIPv_ptr - 0x7572FED0) 100 .text:756F85EC 01 30 A0 E1 MOV R3, R1 ; void * 101 .text:756F85F0 02 20 94 E7 LDR R2, [R4,R2] ; void *(__cdecl *)(void *) 102 .text:756F85F4 10 00 86 E2 ADD R0, R6, #0x10 ; int * 103 .text:756F85F8 5D F1 FF EB BL pthread_create_0 104 .text:756F85FC 00 10 A0 E3 MOV R1, #0 ; pthread_attr_t * 105 .text:756F8600 98 22 9F E5 LDR R2, =(_Z11IIIlIIlIllIPv_ptr - 0x7572FED0) 106 .text:756F8604 01 30 A0 E1 MOV R3, R1 ; void * 107 .text:756F8608 02 20 94 E7 LDR R2, [R4,R2] ; void *(__cdecl *)(void *) 108 .text:756F860C 04 00 8D E2 ADD R0, SP, #0x30+var_2C ; int * 109 .text:756F8610 57 F1 FF EB BL pthread_create_0 110 .text:756F8614 88 32 9F E5 LDR R3, =(_Z10IIllIIlIlIPv_ptr - 0x7572FED0) 111 .text:756F8618 08 00 8D E2 ADD R0, SP, #0x30+var_28 ; int * 112 .text:756F861C 00 10 A0 E3 MOV R1, #0 ; pthread_attr_t * 113 .text:756F8620 03 20 94 E7 LDR R2, [R4,R3] ; void *(__cdecl *)(void *) 114 .text:756F8624 01 30 A0 E3 MOV R3, #1 ; void * 115 .text:756F8628 51 F1 FF EB BL pthread_create_0 116 .text:756F862C 117 .text:756F862C loc_756F862C ; CODE XREF: IIIIIIIllll(void)+250↓j 118 .text:756F862C 0C 20 9D E5 LDR R2, [SP,#0x30+var_24] 119 .text:756F8630 00 30 97 E5 LDR R3, [R7] 120 .text:756F8634 01 00 A0 E3 MOV R0, #1 121 .text:756F8638 03 00 52 E1 CMP R2, R3 122 .text:756F863C 8D 00 00 1A BNE loc_756F8878 123 .text:756F8640 14 D0 8D E2 ADD SP, SP, #0x14 124 .text:756F8644 F0 83 BD E8 LDMFD SP!, {R4-R9,PC} 125 .text:756F8648 ; --------------------------------------------------------------------------- 126 .text:756F8648 127 .text:756F8648 loc_756F8648 ; CODE XREF: IIIIIIIllll(void)+C0↑j 128 .text:756F8648 72 CB FF EB BL getpid 129 .text:756F864C 04 00 85 E5 STR R0, [R5,#(dword_757309F4 - 0x757309F0)] 130 .text:756F8650 23 F2 FF EB BL fork 131 .text:756F8654 04 10 85 E2 ADD R1, R5, #4 ; void * 132 .text:756F8658 08 00 85 E5 STR R0, [R5,#(dword_757309F8 - 0x757309F0)] 133 .text:756F865C 04 20 A0 E3 MOV R2, #4 ; unsigned int 134 .text:756F8660 3C 00 96 E5 LDR R0, [R6,#(dword_75730EC0 - 0x75730E84)] ; int 135 .text:756F8664 56 F2 FF EB BL write_0 136 .text:756F8668 08 30 95 E5 LDR R3, [R5,#(dword_757309F8 - 0x757309F0)] 137 .text:756F866C 01 00 73 E3 CMN R3, #1 138 .text:756F8670 64 00 00 0A BEQ loc_756F8808 139 .text:756F8674 140 .text:756F8674 loc_756F8674 ; CODE XREF: IIIIIIIllll(void)+364↓j 141 .text:756F8674 00 00 53 E3 CMP R3, #0 142 .text:756F8678 01 00 A0 E3 MOV R0, #1 ; option 143 .text:756F867C 09 10 A0 E3 MOV R1, #9 144 .text:756F8680 1F 00 00 DA BLE loc_756F8704 145 .text:756F8684 60 CB FF EB BL prctl 146 .text:756F8688 00 12 9F E5 LDR R1, =(_ZN6Global6ThreadE_ptr - 0x7572FED0) 147 .text:756F868C 00 22 9F E5 LDR R2, =(_Z10IlIIlllIIlPv_ptr - 0x7572FED0) 148 .text:756F8690 08 30 85 E2 ADD R3, R5, #8 ; void * 149 .text:756F8694 01 60 94 E7 LDR R6, [R4,R1] 150 .text:756F8698 02 20 94 E7 LDR R2, [R4,R2] ; void *(__cdecl *)(void *) 151 .text:756F869C 00 10 A0 E3 MOV R1, #0 ; pthread_attr_t * 152 .text:756F86A0 06 00 A0 E1 MOV R0, R6 ; int * 153 .text:756F86A4 32 F1 FF EB BL pthread_create_0 154 .text:756F86A8 00 00 50 E3 CMP R0, #0 155 .text:756F86AC 59 00 00 BA BLT loc_756F8818 156 .text:756F86B0 157 .text:756F86B0 loc_756F86B0 ; CODE XREF: IIIIIIIllll(void)+384↓j 158 .text:756F86B0 E0 31 9F E5 LDR R3, =(_Z10IIlIlllllIPv_ptr - 0x7572FED0) 159 .text:756F86B4 04 00 86 E2 ADD R0, R6, #4 ; int * 160 .text:756F86B8 00 10 A0 E3 MOV R1, #0 ; pthread_attr_t * 161 .text:756F86BC 03 20 94 E7 LDR R2, [R4,R3] ; void *(__cdecl *)(void *) 162 .text:756F86C0 01 30 A0 E3 MOV R3, #1 ; void * 163 .text:756F86C4 2A F1 FF EB BL pthread_create_0 164 .text:756F86C8 00 00 50 E3 CMP R0, #0 165 .text:756F86CC 45 00 00 BA BLT loc_756F87E8 166 .text:756F86D0 167 .text:756F86D0 loc_756F86D0 ; CODE XREF: IIIIIIIllll(void)+354↓j 168 .text:756F86D0 CC 31 9F E5 LDR R3, =(_Z10IIllIIlIlIPv_ptr - 0x7572FED0) 169 .text:756F86D4 00 10 A0 E3 MOV R1, #0 ; pthread_attr_t * 170 .text:756F86D8 03 20 94 E7 LDR R2, [R4,R3] ; void *(__cdecl *)(void *) 171 .text:756F86DC 02 30 A0 E3 MOV R3, #2 ; void * 172 .text:756F86E0 08 00 8D E2 ADD R0, SP, #0x30+var_28 ; int * 173 .text:756F86E4 174 .text:756F86E4 loc_756F86E4 ; CODE XREF: IIIIIIIllll(void)+2E4↓j 175 .text:756F86E4 22 F1 FF EB BL pthread_create_0 176 .text:756F86E8 08 00 9D E5 LDR R0, [SP,#0x30+var_28] ; int 177 .text:756F86EC 00 10 A0 E3 MOV R1, #0 ; void ** 178 .text:756F86F0 A9 F1 FF EB BL pthread_join 179 .text:756F86F4 00 00 96 E5 LDR R0, [R6] ; int 180 .text:756F86F8 00 10 A0 E3 MOV R1, #0 ; void ** 181 .text:756F86FC A6 F1 FF EB BL pthread_join 182 .text:756F8700 C9 FF FF EA B loc_756F862C 183 .text:756F8704 ; --------------------------------------------------------------------------- 184 .text:756F8704 185 .text:756F8704 loc_756F8704 ; CODE XREF: IIIIIIIllll(void)+1D0↑j 186 .text:756F8704 40 CB FF EB BL prctl 187 .text:756F8708 03 F2 FF EB BL getpid_0 188 .text:756F870C 05 10 A0 E1 MOV R1, R5 189 .text:756F8710 04 20 A0 E3 MOV R2, #4 ; unsigned int 190 .text:756F8714 08 00 A1 E5 STR R0, [R1,#(dword_757309F8 - 0x757309F0)]! 191 .text:756F8718 34 00 96 E5 LDR R0, [R6,#(dword_75730EB8 - 0x75730E84)] ; int 192 .text:756F871C 28 F2 FF EB BL write_0 193 .text:756F8720 68 21 9F E5 LDR R2, =(_ZN6Global6ThreadE_ptr - 0x7572FED0) 194 .text:756F8724 68 31 9F E5 LDR R3, =(_Z10IlIIlllIIlPv_ptr - 0x7572FED0) 195 .text:756F8728 00 10 A0 E3 MOV R1, #0 ; pthread_attr_t * 196 .text:756F872C 02 60 94 E7 LDR R6, [R4,R2] 197 .text:756F8730 03 20 94 E7 LDR R2, [R4,R3] ; void *(__cdecl *)(void *) 198 .text:756F8734 05 30 A0 E1 MOV R3, R5 ; void * 199 .text:756F8738 06 00 A0 E1 MOV R0, R6 ; int * 200 .text:756F873C 0C F1 FF EB BL pthread_create_0 201 .text:756F8740 00 00 50 E3 CMP R0, #0 202 .text:756F8744 43 00 00 BA BLT loc_756F8858 203 .text:756F8748 204 .text:756F8748 loc_756F8748 ; CODE XREF: IIIIIIIllll(void)+3C4↓j 205 .text:756F8748 00 10 A0 E3 MOV R1, #0 ; pthread_attr_t * 206 .text:756F874C 44 21 9F E5 LDR R2, =(_Z10IIlIlllllIPv_ptr - 0x7572FED0) 207 .text:756F8750 01 30 A0 E1 MOV R3, R1 ; void * 208 .text:756F8754 02 20 94 E7 LDR R2, [R4,R2] ; void *(__cdecl *)(void *) 209 .text:756F8758 04 00 86 E2 ADD R0, R6, #4 ; int * 210 .text:756F875C 04 F1 FF EB BL pthread_create_0 211 .text:756F8760 00 00 50 E3 CMP R0, #0 212 .text:756F8764 33 00 00 BA BLT loc_756F8838 213 .text:756F8768 214 .text:756F8768 loc_756F8768 ; CODE XREF: IIIIIIIllll(void)+3A4↓j 215 .text:756F8768 00 10 A0 E3 MOV R1, #0 ; pthread_attr_t * 216 .text:756F876C 30 21 9F E5 LDR R2, =(_Z10IIllIIlIlIPv_ptr - 0x7572FED0) 217 .text:756F8770 01 30 A0 E1 MOV R3, R1 ; void * 218 .text:756F8774 02 20 94 E7 LDR R2, [R4,R2] ; void *(__cdecl *)(void *) 219 .text:756F8778 08 00 8D E2 ADD R0, SP, #0x30+var_28 ; int * 220 .text:756F877C FC F0 FF EB BL pthread_create_0 221 .text:756F8780 20 21 9F E5 LDR R2, =(_Z11IlIIllIIlIlPv_ptr - 0x7572FED0) 222 .text:756F8784 05 30 A0 E1 MOV R3, R5 223 .text:756F8788 02 20 94 E7 LDR R2, [R4,R2] 224 .text:756F878C 06 00 A0 E1 MOV R0, R6 225 .text:756F8790 00 10 A0 E3 MOV R1, #0 226 .text:756F8794 D2 FF FF EA B loc_756F86E4 227 .text:756F8798 ; --------------------------------------------------------------------------- 228 .text:756F8798 229 .text:756F8798 loc_756F8798 ; CODE XREF: IIIIIIIllll(void)+130↑j 230 .text:756F8798 01 00 A0 E3 MOV R0, #1 ; int 231 .text:756F879C 0E 10 A0 E3 MOV R1, #0xE ; int 232 .text:756F87A0 00 30 A0 E1 MOV R3, R0 ; int 233 .text:756F87A4 00 20 A0 E3 MOV R2, #0 ; char * 234 .text:756F87A8 DB 12 00 EB BL _Z10IIIIIllIIliiPKci ; IIIIIllIIl(int,int,char const*,int) 235 .text:756F87AC 01 00 A0 E3 MOV R0, #1 ; int 236 .text:756F87B0 B1 F1 FF EB BL _Z10llIIlIIIlli ; llIIlIIIll(int) 237 .text:756F87B4 8A FF FF EA B loc_756F85E4 238 .text:756F87B8 ; --------------------------------------------------------------------------- 239 .text:756F87B8 240 .text:756F87B8 loc_756F87B8 ; CODE XREF: IIIIIIIllll(void)+B8↑j 241 .text:756F87B8 01 00 A0 E3 MOV R0, #1 ; int 242 .text:756F87BC AE F1 FF EB BL _Z10llIIlIIIlli ; llIIlIIIll(int) 243 .text:756F87C0 04 00 95 E5 LDR R0, [R5,#(dword_757309F4 - 0x757309F0)] 244 .text:756F87C4 68 FF FF EA B loc_756F856C 245 .text:756F87C8 ; --------------------------------------------------------------------------- 246 .text:756F87C8 247 .text:756F87C8 loc_756F87C8 ; CODE XREF: IIIIIIIllll(void)+110↑j 248 .text:756F87C8 09 00 A0 E1 MOV R0, R9 ; int 249 .text:756F87CC 08 20 A0 E1 MOV R2, R8 ; char * 250 .text:756F87D0 0D 10 A0 E3 MOV R1, #0xD ; int 251 .text:756F87D4 09 30 A0 E1 MOV R3, R9 ; int 252 .text:756F87D8 CF 12 00 EB BL _Z10IIIIIllIIliiPKci ; IIIIIllIIl(int,int,char const*,int) 253 .text:756F87DC 09 00 A0 E1 MOV R0, R9 ; int 254 .text:756F87E0 A5 F1 FF EB BL _Z10llIIlIIIlli ; llIIlIIIll(int) 255 .text:756F87E4 76 FF FF EA B loc_756F85C4 256 .text:756F87E8 ; --------------------------------------------------------------------------- 257 .text:756F87E8 258 .text:756F87E8 loc_756F87E8 ; CODE XREF: IIIIIIIllll(void)+21C↑j 259 .text:756F87E8 01 00 A0 E3 MOV R0, #1 ; int 260 .text:756F87EC 0E 10 A0 E3 MOV R1, #0xE ; int 261 .text:756F87F0 00 30 A0 E1 MOV R3, R0 ; int 262 .text:756F87F4 00 20 A0 E3 MOV R2, #0 ; char * 263 .text:756F87F8 C7 12 00 EB BL _Z10IIIIIllIIliiPKci ; IIIIIllIIl(int,int,char const*,int) 264 .text:756F87FC 01 00 A0 E3 MOV R0, #1 ; int 265 .text:756F8800 9D F1 FF EB BL _Z10llIIlIIIlli ; llIIlIIIll(int) 266 .text:756F8804 B1 FF FF EA B loc_756F86D0 267 .text:756F8808 ; --------------------------------------------------------------------------- 268 .text:756F8808 269 .text:756F8808 loc_756F8808 ; CODE XREF: IIIIIIIllll(void)+1C0↑j 270 .text:756F8808 01 00 A0 E3 MOV R0, #1 ; int 271 .text:756F880C 9A F1 FF EB BL _Z10llIIlIIIlli ; llIIlIIIll(int) 272 .text:756F8810 08 30 95 E5 LDR R3, [R5,#(dword_757309F8 - 0x757309F0)] 273 .text:756F8814 96 FF FF EA B loc_756F8674 274 .text:756F8818 ; --------------------------------------------------------------------------- 275 .text:756F8818 276 .text:756F8818 loc_756F8818 ; CODE XREF: IIIIIIIllll(void)+1FC↑j 277 .text:756F8818 01 00 A0 E3 MOV R0, #1 ; int 278 .text:756F881C 0D 10 A0 E3 MOV R1, #0xD ; int 279 .text:756F8820 00 30 A0 E1 MOV R3, R0 ; int 280 .text:756F8824 00 20 A0 E3 MOV R2, #0 ; char * 281 .text:756F8828 BB 12 00 EB BL _Z10IIIIIllIIliiPKci ; IIIIIllIIl(int,int,char const*,int) 282 .text:756F882C 01 00 A0 E3 MOV R0, #1 ; int 283 .text:756F8830 91 F1 FF EB BL _Z10llIIlIIIlli ; llIIlIIIll(int) 284 .text:756F8834 9D FF FF EA B loc_756F86B0 285 .text:756F8838 ; --------------------------------------------------------------------------- 286 .text:756F8838 287 .text:756F8838 loc_756F8838 ; CODE XREF: IIIIIIIllll(void)+2B4↑j 288 .text:756F8838 01 00 A0 E3 MOV R0, #1 ; int 289 .text:756F883C 0E 10 A0 E3 MOV R1, #0xE ; int 290 .text:756F8840 00 30 A0 E1 MOV R3, R0 ; int 291 .text:756F8844 00 20 A0 E3 MOV R2, #0 ; char * 292 .text:756F8848 B3 12 00 EB BL _Z10IIIIIllIIliiPKci ; IIIIIllIIl(int,int,char const*,int) 293 .text:756F884C 01 00 A0 E3 MOV R0, #1 ; int 294 .text:756F8850 89 F1 FF EB BL _Z10llIIlIIIlli ; llIIlIIIll(int) 295 .text:756F8854 C3 FF FF EA B loc_756F8768 296 .text:756F8858 ; --------------------------------------------------------------------------- 297 .text:756F8858 298 .text:756F8858 loc_756F8858 ; CODE XREF: IIIIIIIllll(void)+294↑j 299 .text:756F8858 01 00 A0 E3 MOV R0, #1 ; int 300 .text:756F885C 0D 10 A0 E3 MOV R1, #0xD ; int 301 .text:756F8860 00 30 A0 E1 MOV R3, R0 ; int 302 .text:756F8864 00 20 A0 E3 MOV R2, #0 ; char * 303 .text:756F8868 AB 12 00 EB BL _Z10IIIIIllIIliiPKci ; IIIIIllIIl(int,int,char const*,int) 304 .text:756F886C 01 00 A0 E3 MOV R0, #1 ; int 305 .text:756F8870 81 F1 FF EB BL _Z10llIIlIIIlli ; llIIlIIIll(int) 306 .text:756F8874 B3 FF FF EA B loc_756F8748
2.反反调试
过3进程互相调试我是通过hook ptrace直接让它返回0,多线程循环读取进程状态判断是否有调试器,我是通过hook open 函数过虑掉,还有就是直接让SDK版本小于0XD,或者直接NOP掉函数。
1 int new_ptrace(int request, int pid, int addr, int data){ 2 //LOGD("new_ptrace.."); 3 return 0; 4 } 5 int new_open(char *pathname, int oflag, mode_t mode) 6 { 7 char* anit = "stat"; 8 char* tmp = ""; 9 if (NULL == pathname) 10 { 11 goto exitret; 12 } 13 //LOGD("new_open..%s", pathname); 14 if(strstr(pathname, anit) != NULL) 15 { 16 return -1; 17 } 18 exitret: 19 return old_open(pathname, oflag, mode); 20 21 }
三: compatible.so注册jni函数分析
1.获取动态jni注册函数
通过在dvmUseJNIBridge函数下好断点,来获取注册的jni函数地址,最后注册完后对照表:
注册类名com/inca/security/Core/AppGuardEngine
/data/app-lib/com.digitalsky.girlsfrontline.cn-1/libcompatible.so 757C8000 0005F000
Number 内存地址 函数名 文件偏移 签名
第1个函数 .text:757D9AF8 IiiiIIiIii (文件偏移 11AF8) ()I
第2个函数 .text:757DA058 iIiIIIiIiI (文件偏移 12058) ([BI)[B
第3个函数 .text:757DC268 IiIiiIiIiI (文件偏移 14268) (Landroid/content/Context;)V
第4个函数 .text:757D9914 IIiIiIIIiI (文件偏移 11914) (I)V
第5个函数 .text:757D8A28 IIIIiIIIiI (文件偏移 10A28) (J)V
2. jni函数功能分析
当JNI_OnLoad函数执行完后第一个执行的jni函数是上面注册的第3个函数, 反射获取包名与签名等。
第2个jni函数就是解密libengine.sox与libstub.sox,(assets\appguard\armeabi\)先在上面java层分析时AES解密后数据传入的就是这个函数 (文件偏移 12058)。
1 .text:757DA058 ; __unwind { 2 .text:757DA058 F0 43 2D E9 STMFD SP!, {R4-R9,LR} 3 .text:757DA05C 02 70 A0 E1 MOV R7, R2 4 .text:757DA060 00 20 90 E5 LDR R2, [R0] 5 .text:757DA064 00 40 A0 E1 MOV R4, R0 6 .text:757DA068 0C D0 4D E2 SUB SP, SP, #0xC 7 .text:757DA06C 07 10 A0 E1 MOV R1, R7 8 .text:757DA070 AC 22 92 E5 LDR R2, [R2,#0x2AC] 9 .text:757DA074 03 50 A0 E1 MOV R5, R3 10 .text:757DA078 32 FF 2F E1 BLX R2 11 .text:757DA07C 00 30 94 E5 LDR R3, [R4] 12 .text:757DA080 07 10 A0 E1 MOV R1, R7 13 .text:757DA084 00 90 A0 E1 MOV R9, R0 14 .text:757DA088 E0 32 93 E5 LDR R3, [R3,#0x2E0] 15 .text:757DA08C 00 20 A0 E3 MOV R2, #0 16 .text:757DA090 04 00 A0 E1 MOV R0, R4 17 .text:757DA094 33 FF 2F E1 BLX R3 18 .text:757DA098 00 80 A0 E1 MOV R8, R0 19 .text:757DA09C 05 00 A0 E1 MOV R0, R5 ; unsigned int 20 .text:757DA0A0 27 1E 00 EB BL malloc_0 ; 分配存放空间存放解密后so数据 21 .text:757DA0A4 00 60 A0 E1 MOV R6, R0 22 .text:757DA0A8 09 10 A0 E1 MOV R1, R9 23 .text:757DA0AC 08 00 A0 E1 MOV R0, R8 24 .text:757DA0B0 06 20 A0 E1 MOV R2, R6 25 .text:757DA0B4 05 30 A0 E1 MOV R3, R5 26 .text:757DA0B8 BA FF FF EB BL Dec_sodata ; 解密so 27 .text:757DA0BC 00 30 94 E5 LDR R3, [R4] 28 .text:757DA0C0 08 20 A0 E1 MOV R2, R8 29 .text:757DA0C4 00 C3 93 E5 LDR R12, [R3,#0x300] 30 .text:757DA0C8 07 10 A0 E1 MOV R1, R7 31 .text:757DA0CC 04 00 A0 E1 MOV R0, R4 32 .text:757DA0D0 02 30 A0 E3 MOV R3, #2 33 .text:757DA0D4 3C FF 2F E1 BLX R12 34 .text:757DA0D8 00 30 94 E5 LDR R3, [R4] 35 .text:757DA0DC 05 10 A0 E1 MOV R1, R5 36 .text:757DA0E0 04 00 A0 E1 MOV R0, R4 37 .text:757DA0E4 C0 32 93 E5 LDR R3, [R3,#0x2C0] 38 .text:757DA0E8 33 FF 2F E1 BLX R3 39 .text:757DA0EC 00 70 A0 E1 MOV R7, R0 40 .text:757DA0F0 00 20 94 E5 LDR R2, [R4] 41 .text:757DA0F4 00 60 8D E5 STR R6, [SP,#0x28+var_28] 42 .text:757DA0F8 05 30 A0 E1 MOV R3, R5 43 .text:757DA0FC 40 C3 92 E5 LDR R12, [R2,#0x340] 44 .text:757DA100 04 00 A0 E1 MOV R0, R4 45 .text:757DA104 07 10 A0 E1 MOV R1, R7 46 .text:757DA108 00 20 A0 E3 MOV R2, #0 47 .text:757DA10C 3C FF 2F E1 BLX R12 48 .text:757DA110 06 00 A0 E1 MOV R0, R6 ; ptr 49 .text:757DA114 DD F6 FF EB BL free 50 .text:757DA118 07 00 A0 E1 MOV R0, R7 51 .text:757DA11C 0C D0 8D E2 ADD SP, SP, #0xC 52 .text:757DA120 F0 83 BD E8 LDMFD SP!, {R4-R9,PC} 53 解密完后R5是大小,R6基址,将其dump出来,如下图所示:
1 static main(void) 2 { 3 auto fp, begin, end, dexbyte; 4 fp = fopen("d:\\libstub.so", "wb"); //打开或创建一个文件 5 begin = R6; //so基址 6 end = begin + R5; //so基址 + so文件大小 7 for ( dexbyte = begin; dexbyte < end;dexbyte ++ ) 8 { 9 fputc(Byte(dexbyte), fp); //按字节将其dump到本地文件中 10 } 11 }
libstub.sox解密后将最终的明文写到/data/data/包名/files/libstub.so目录下,后然加载,接下来分析libstub.so。
四: stub.so反调试与反反调试
1.反调试在JNI_onLoad中读取进程状态,前面通过hook open函数己过了反调试。
五: stub.so注册jni函数分析
1.注册jni
通过在dvmUseJNIBridge函数下好断点,来获取注册的jni函数地址,最后注册完后对照表:
注册类名com/inca/security/Core/UnsafeDexLoader
/data/data/com.digitalsky.girlsfrontline.cn/files/libstub.so 75C6E000 00052000
Number 内存地址 函数名 文件偏移 签名
第1个函数 .text:75C80704 IlIIIIIIII (文件偏移 12704) (Ljava/lang/String;Ljava/lang/String;I)I
第2个函数 .text:75C808C4 IIIIIIIIIl (文件偏移 128C4) ([B)I
第3个函数 .text:75C80A7C IIIIIIIIlI (文件偏移 12A7C) (Ljava/lang/String;Ljava/lang/ClassLoader;I)Ljava/lang/Class;
第4个函数 .text:75C80C3C IIIIIIIIll (文件偏移 12C3C) (I)[Ljava/lang/String;
第5个函数 .text:75C80DF4 IIIIIIIlII (文件偏移 12DF4) (I)V
//
注册类名com/inca/security/Core/AppGuardEngine
/data/data/com.digitalsky.girlsfrontline.cn/files/libstub.so 75C6E000 00052000
Number 内存地址 函数名 文件偏移 签名
第1个函数 .text:75C81168 IlIIIIIIII (文件偏移 13168) (Landroid/content/Context;Ljava/lang/String;[B)I
第2个函数 .text:75C814AC IIIIIIIllI (文件偏移 134AC) ()V
第3个函数 .text:75C81618 IIIIIIIlll (文件偏移 13618) (I[B[B)I
第4个函数 .text:75C81724 IIIIIIlIII (文件偏移 13724) (I[B[B)I
第5个函数 .text:75C817CC IIIIIIIlII (文件偏移 137CC) (I[B[B)I
第6个函数 .text:75C8186C IllIIIlIII (文件偏移 1386C) (I)I
第7个函数 .text:75C818AC IIIIIIlIlI (文件偏移 138AC) (I)I
第8个函数 .text:75C81810 llIIIIlIIl (文件偏移 13810) (I[B)I
第9个函数 .text:75C81844 IlIIIIlllI (文件偏移 13844) (Z)V
第10个函数 .text:75C81D10 lllIIIlllI (文件偏移 13D10) (Landroid/content/Context;)V
注册类名com/inca/security/AppGuard/TestCase
/data/data/com.digitalsky.girlsfrontline.cn/files/libstub.so 75C6E000 00052000
第1个函数 .text:75C82608 IIIIIIlIll (文件偏移 14608) (Landroid/content/Context;Z)Z
第2个函数 .text:75C8267C IIIIIIllII (文件偏移 1467C) (Landroid/content/Context;)Z
第3个函数 .text:75C826F0 IIIIIIllIl (文件偏移 146F0) (Landroid/content/Context;)Z
第4个函数 .text:75C82764 IIIIIIlllI (文件偏移 14764) (Landroid/content/Context;)Z
2.在com/inca/security/Core/AppGuardEngine类中第10个函数jni函数中hook mono函数 (文件偏移 18D04)
1 /data/data/com.digitalsky.girlsfrontline.cn/files/libstub.so 75C6E000 00052000 2 3 .text:75C86D04 EXPORT hook_mono_func 4 .text:75C86D04 hook_mono_func ; CODE XREF: Hook_Thread+4↑p 5 .text:75C86D04 6 .text:75C86D04 var_280= -0x280 7 .text:75C86D04 var_27C= -0x27C 8 .text:75C86D04 var_278= -0x278 9 .text:75C86D04 format= -0x274 10 .text:75C86D04 var_26C= -0x26C 11 .text:75C86D04 var_24C= -0x24C 12 .text:75C86D04 s= -0x22C 13 .text:75C86D04 var_12C= -0x12C 14 .text:75C86D04 var_2C= -0x2C 15 .text:75C86D04 16 .text:75C86D04 ; __unwind { // 75C9B220 17 .text:75C86D04 F0 4F 2D E9 STMFD SP!, {R4-R11,LR} 18 .text:75C86D08 08 56 9F E5 LDR R5, =(_GLOBAL_OFFSET_TABLE_ - 0x75C86D1C) 19 .text:75C86D0C 08 36 9F E5 LDR R3, =(__stack_chk_guard_ptr - 0x75CBEEC0) 20 .text:75C86D10 97 DF 4D E2 SUB SP, SP, #0x25C 21 .text:75C86D14 05 50 8F E0 ADD R5, PC, R5 ; _GLOBAL_OFFSET_TABLE_ 22 .text:75C86D18 03 A0 95 E7 LDR R10, [R5,R3] 23 .text:75C86D1C 54 80 8D E2 ADD R8, SP, #0x280+s 24 .text:75C86D20 00 10 A0 E3 MOV R1, #0 ; c 25 .text:75C86D24 00 30 9A E5 LDR R3, [R10] 26 .text:75C86D28 FF 20 A0 E3 MOV R2, #0xFF ; n 27 .text:75C86D2C 08 00 A0 E1 MOV R0, R8 ; s 28 .text:75C86D30 54 32 8D E5 STR R3, [SP,#0x280+var_2C] 29 .text:75C86D34 29 D7 FF EB BL memset 30 .text:75C86D38 E0 15 9F E5 LDR R1, =(unk_75CB8B70 - 0x75C86D4C) 31 .text:75C86D3C 34 40 8D E2 ADD R4, SP, #0x280+var_24C 32 .text:75C86D40 04 00 A0 E1 MOV R0, R4 ; this 33 .text:75C86D44 01 10 8F E0 ADD R1, PC, R1 ; unk_75CB8B70 34 .text:75C86D48 F0 10 81 E2 ADD R1, R1, #0xF0 ; char * 35 .text:75C86D4C 83 F8 FF EB BL DecString 36 .text:75C86D50 04 00 A0 E1 MOV R0, R4 37 .text:75C86D54 67 F7 FF EB BL _ZN10lIIIlIlIIlcvPcEv ; lIIIlIlIIl::operator char *(void) 38 .text:75C86D58 00 10 A0 E3 MOV R1, #0 ; mode 39 .text:75C86D5C 13 D7 FF EB BL dlopen 40 .text:75C86D60 00 60 A0 E1 MOV R6, R0 41 .text:75C86D64 04 00 A0 E1 MOV R0, R4 ; this 42 .text:75C86D68 40 F7 FF EB BL _ZN10lIIIlIlIIlD2Ev ; lIIIlIlIIl::~lIIIlIlIIl() 43 .text:75C86D6C B0 15 9F E5 LDR R1, =(unk_75CB8B70 - 0x75C86D80) 44 .text:75C86D70 00 00 56 E3 CMP R6, #0 45 .text:75C86D74 04 00 A0 E1 MOV R0, R4 ; this 46 .text:75C86D78 01 10 8F E0 ADD R1, PC, R1 ; unk_75CB8B70 47 .text:75C86D7C 05 1D 81 E2 ADD R1, R1, #0x140 ; char * 48 .text:75C86D80 00 60 E0 03 MOVEQ R6, #0xFFFFFFFF 49 .text:75C86D84 75 F8 FF EB BL DecString 50 .text:75C86D88 04 00 A0 E1 MOV R0, R4 51 .text:75C86D8C 59 F7 FF EB BL _ZN10lIIIlIlIIlcvPcEv ; lIIIlIlIIl::operator char *(void) 52 .text:75C86D90 00 10 A0 E1 MOV R1, R0 ; name 53 .text:75C86D94 06 00 A0 E1 MOV R0, R6 ; handle 54 .text:75C86D98 F8 D6 FF EB BL dlsym 55 .text:75C86D9C 00 60 A0 E1 MOV R6, R0 56 .text:75C86DA0 04 00 A0 E1 MOV R0, R4 ; this 57 .text:75C86DA4 31 F7 FF EB BL _ZN10lIIIlIlIIlD2Ev ; lIIIlIlIIl::~lIIIlIlIIl() 58 .text:75C86DA8 00 00 56 E3 CMP R6, #0 59 .text:75C86DAC 01 00 00 0A BEQ loc_75C86DB8 60 .text:75C86DB0 36 FF 2F E1 BLX R6 61 .text:75C86DB4 00 60 A0 E1 MOV R6, R0 62 .text:75C86DB8 63 .text:75C86DB8 loc_75C86DB8 ; CODE XREF: hook_mono_func+A8↑j 64 .text:75C86DB8 06 00 A0 E1 MOV R0, R6 ; unsigned int 65 .text:75C86DBC 58 09 00 EB BL _Z11llllIIlllIlj ; libil2cpp.so没有 66 .text:75C86DC0 60 15 9F E5 LDR R1, =(unk_75CB8B70 - 0x75C86DD4) 67 .text:75C86DC4 14 70 8D E2 ADD R7, SP, #0x280+var_26C 68 .text:75C86DC8 07 00 A0 E1 MOV R0, R7 ; this 69 .text:75C86DCC 01 10 8F E0 ADD R1, PC, R1 ; unk_75CB8B70 70 .text:75C86DD0 19 1E 81 E2 ADD R1, R1, #0x190 ; char * 71 .text:75C86DD4 61 F8 FF EB BL DecString 72 .text:75C86DD8 07 00 A0 E1 MOV R0, R7 73 .text:75C86DDC 45 F7 FF EB BL _ZN10lIIIlIlIIlcvPcEv ; lIIIlIlIIl::operator char *(void) 74 .text:75C86DE0 44 15 9F E5 LDR R1, =(unk_75CB8B70 - 0x75C86DF0) 75 .text:75C86DE4 00 90 A0 E1 MOV R9, R0 76 .text:75C86DE8 01 10 8F E0 ADD R1, PC, R1 ; unk_75CB8B70 77 .text:75C86DEC 04 00 A0 E1 MOV R0, R4 ; this 78 .text:75C86DF0 1E 1E 81 E2 ADD R1, R1, #0x1E0 ; char * 79 .text:75C86DF4 59 F8 FF EB BL DecString 80 .text:75C86DF8 04 00 A0 E1 MOV R0, R4 81 .text:75C86DFC 3D F7 FF EB BL _ZN10lIIIlIlIIlcvPcEv ; lIIIlIlIIl::operator char *(void) 82 .text:75C86E00 28 25 9F E5 LDR R2, =(_ZN6Global10llIllllIlIE_ptr - 0x75CBEEC0) 83 .text:75C86E04 00 30 A0 E1 MOV R3, R0 84 .text:75C86E08 02 20 95 E7 LDR R2, [R5,R2] 85 .text:75C86E0C 09 10 A0 E1 MOV R1, R9 ; format 86 .text:75C86E10 08 00 A0 E1 MOV R0, R8 ; s 87 .text:75C86E14 00 20 8D E5 STR R2, [SP,#0x280+var_280] 88 .text:75C86E18 F9 D6 FF EB BL sprintf 89 .text:75C86E1C 04 00 A0 E1 MOV R0, R4 ; this 90 .text:75C86E20 12 F7 FF EB BL _ZN10lIIIlIlIIlD2Ev ; lIIIlIlIIl::~lIIIlIlIIl() 91 .text:75C86E24 07 00 A0 E1 MOV R0, R7 ; this 92 .text:75C86E28 10 F7 FF EB BL _ZN10lIIIlIlIIlD2Ev ; lIIIlIlIIl::~lIIIlIlIIl() 93 .text:75C86E2C 08 00 A0 E1 MOV R0, R8 ; file 94 .text:75C86E30 00 10 A0 E3 MOV R1, #0 ; mode 95 .text:75C86E34 DD D6 FF EB BL dlopen ; 打开libmono.so 96 .text:75C86E38 00 90 50 E2 SUBS R9, R0, #0 97 .text:75C86E3C 5B 00 00 0A BEQ loc_75C86FB0 98 .text:75C86E40 EC 14 9F E5 LDR R1, =(unk_75CB8B70 - 0x75C86E50) 99 .text:75C86E44 04 00 A0 E1 MOV R0, R4 ; this 100 .text:75C86E48 01 10 8F E0 ADD R1, PC, R1 ; unk_75CB8B70 101 .text:75C86E4C 23 1E 81 E2 ADD R1, R1, #0x230 ; char * 102 .text:75C86E50 42 F8 FF EB BL DecString 103 .text:75C86E54 04 00 A0 E1 MOV R0, R4 104 .text:75C86E58 26 F7 FF EB BL _ZN10lIIIlIlIIlcvPcEv ; lIIIlIlIIl::operator char *(void) 105 .text:75C86E5C 00 10 A0 E1 MOV R1, R0 ; name 106 .text:75C86E60 09 00 A0 E1 MOV R0, R9 ; handle 107 .text:75C86E64 C5 D6 FF EB BL dlsym ; 获取mono_assembly_load_from_full地址 108 .text:75C86E68 C8 34 9F E5 LDR R3, =(IIlIlIIllll_ptr - 0x75CBEEC0) 109 .text:75C86E6C C8 24 9F E5 LDR R2, =(dword_75CC0068 - 0x75C86E7C) 110 .text:75C86E70 03 30 95 E7 LDR R3, [R5,R3] 111 .text:75C86E74 02 20 8F E0 ADD R2, PC, R2 ; dword_75CC0068 112 .text:75C86E78 10 20 82 E2 ADD R2, R2, #0x10 ; void ** 113 .text:75C86E7C 03 10 A0 E1 MOV R1, R3 ; void * 114 .text:75C86E80 08 30 8D E5 STR R3, [SP,#0x280+var_278] 115 .text:75C86E84 75 F8 FF EB BL hook ; hook mono_assembly_load_from_full 116 .text:75C86E88 04 00 A0 E1 MOV R0, R4 ; this 117 .text:75C86E8C F7 F6 FF EB BL _ZN10lIIIlIlIIlD2Ev ; lIIIlIlIIl::~lIIIlIlIIl() 118 .text:75C86E90 A8 14 9F E5 LDR R1, =(unk_75CB8B70 - 0x75C86EA0) 119 .text:75C86E94 04 00 A0 E1 MOV R0, R4 ; this 120 .text:75C86E98 01 10 8F E0 ADD R1, PC, R1 ; unk_75CB8B70 121 .text:75C86E9C 0A 1D 81 E2 ADD R1, R1, #0x280 ; char * 122 .text:75C86EA0 2E F8 FF EB BL DecString 123 .text:75C86EA4 04 00 A0 E1 MOV R0, R4 124 .text:75C86EA8 12 F7 FF EB BL _ZN10lIIIlIlIIlcvPcEv ; lIIIlIlIIl::operator char *(void) 125 .text:75C86EAC 00 10 A0 E1 MOV R1, R0 ; name 126 .text:75C86EB0 09 00 A0 E1 MOV R0, R9 ; handle 127 .text:75C86EB4 B1 D6 FF EB BL dlsym ; 获取mono_image_open_from_data_with_name地址 128 .text:75C86EB8 84 34 9F E5 LDR R3, =(lIlIllIllIl_ptr - 0x75CBEEC0) 129 .text:75C86EBC 84 24 9F E5 LDR R2, =(dword_75CC0068 - 0x75C86ECC) 130 .text:75C86EC0 03 30 95 E7 LDR R3, [R5,R3] 131 .text:75C86EC4 02 20 8F E0 ADD R2, PC, R2 ; dword_75CC0068 132 .text:75C86EC8 08 20 82 E2 ADD R2, R2, #8 ; void ** 133 .text:75C86ECC 03 10 A0 E1 MOV R1, R3 ; void * 134 .text:75C86ED0 04 30 8D E5 STR R3, [SP,#0x280+var_27C] 135 .text:75C86ED4 61 F8 FF EB BL hook ; hook mono_image_open_from_data_with_name 136 .text:75C86ED8 04 00 A0 E1 MOV R0, R4 ; this 137 .text:75C86EDC E3 F6 FF EB BL _ZN10lIIIlIlIIlD2Ev ; lIIIlIlIIl::~lIIIlIlIIl() 138 .text:75C86EE0 64 34 9F E5 LDR R3, =(dword_75CC0068 - 0x75C86EEC) 139 .text:75C86EE4 03 30 8F E0 ADD R3, PC, R3 ; dword_75CC0068 140 .text:75C86EE8 10 20 93 E5 LDR R2, [R3,#(dword_75CC0078 - 0x75CC0068)] 141 .text:75C86EEC 00 00 52 E3 CMP R2, #0 142 .text:75C86EF0 34 00 00 0A BEQ loc_75C86FC8 143 .text:75C86EF4 08 30 93 E5 LDR R3, [R3,#(dword_75CC0070 - 0x75CC0068)] 144 .text:75C86EF8 00 00 53 E3 CMP R3, #0 145 .text:75C86EFC 31 00 00 0A BEQ loc_75C86FC8 146 .text:75C86F00 147 .text:75C86F00 loc_75C86F00 ; CODE XREF: hook_mono_func+364↓j 148 .text:75C86F00 ; hook_mono_func+38C↓j ... 149 .text:75C86F00 17 00 56 E3 CMP R6, #0x17 150 .text:75C86F04 04 00 00 9A BLS loc_75C86F1C 151 .text:75C86F08 40 34 9F E5 LDR R3, =(_ZN6Global10lIlllIIllIE_ptr - 0x75CBEEC0) 152 .text:75C86F0C 03 30 95 E7 LDR R3, [R5,R3] 153 .text:75C86F10 00 30 93 E5 LDR R3, [R3] ; Global::lIlllIIllI 154 .text:75C86F14 17 00 53 E3 CMP R3, #0x17 155 .text:75C86F18 6E 00 00 CA BGT loc_75C870D8 156 .text:75C86F1C 157 .text:75C86F1C loc_75C86F1C ; CODE XREF: hook_mono_func+200↑j 158 .text:75C86F1C 30 14 9F E5 LDR R1, =(unk_75CB8B70 - 0x75C86F2C) 159 .text:75C86F20 04 00 A0 E1 MOV R0, R4 ; this 160 .text:75C86F24 01 10 8F E0 ADD R1, PC, R1 ; unk_75CB8B70 161 .text:75C86F28 32 1E 81 E2 ADD R1, R1, #0x320 ; char * 162 .text:75C86F2C 0B F8 FF EB BL DecString 163 .text:75C86F30 04 00 A0 E1 MOV R0, R4 164 .text:75C86F34 EF F6 FF EB BL _ZN10lIIIlIlIIlcvPcEv ; lIIIlIlIIl::operator char *(void) 165 .text:75C86F38 18 34 9F E5 LDR R3, =(dword_75CC0068 - 0x75C86F4C) 166 .text:75C86F3C 18 24 9F E5 LDR R2, =(lIIIlIIlII_ptr - 0x75CBEEC0) 167 .text:75C86F40 00 10 A0 E1 MOV R1, R0 ; char * 168 .text:75C86F44 03 30 8F E0 ADD R3, PC, R3 ; dword_75CC0068 169 .text:75C86F48 02 20 95 E7 LDR R2, [R5,R2] ; void * 170 .text:75C86F4C 04 30 83 E2 ADD R3, R3, #4 ; void ** 171 .text:75C86F50 09 00 A0 E1 MOV R0, R9 ; void * 172 .text:75C86F54 99 F8 FF EB BL IAT_HOOK ; hook memcpy 173 .text:75C86F58 04 00 A0 E1 MOV R0, R4 ; this 174 .text:75C86F5C C3 F6 FF EB BL _ZN10lIIIlIlIIlD2Ev ; lIIIlIlIIl::~lIIIlIlIIl() 175 .text:75C86F60 F8 13 9F E5 LDR R1, =(unk_75CB8B70 - 0x75C86F70) 176 .text:75C86F64 04 00 A0 E1 MOV R0, R4 ; this 177 .text:75C86F68 01 10 8F E0 ADD R1, PC, R1 ; unk_75CB8B70 178 .text:75C86F6C 37 1E 81 E2 ADD R1, R1, #0x370 ; char * 179 .text:75C86F70 FA F7 FF EB BL DecString 180 .text:75C86F74 04 00 A0 E1 MOV R0, R4 181 .text:75C86F78 DE F6 FF EB BL _ZN10lIIIlIlIIlcvPcEv ; lIIIlIlIIl::operator char *(void) 182 .text:75C86F7C E0 33 9F E5 LDR R3, =(IlIIIlIIlI_ptr - 0x75CBEEC0) 183 .text:75C86F80 00 10 A0 E1 MOV R1, R0 ; char * 184 .text:75C86F84 03 20 95 E7 LDR R2, [R5,R3] ; void * 185 .text:75C86F88 D8 33 9F E5 LDR R3, =(dword_75CC0068 - 0x75C86F98) 186 .text:75C86F8C 09 00 A0 E1 MOV R0, R9 ; void * 187 .text:75C86F90 03 30 8F E0 ADD R3, PC, R3 ; dword_75CC0068 ; void ** 188 .text:75C86F94 89 F8 FF EB BL IAT_HOOK ; hook mmap 189 .text:75C86F98 190 .text:75C86F98 loc_75C86F98 ; CODE XREF: hook_mono_func+4C0↓j 191 .text:75C86F98 04 00 A0 E1 MOV R0, R4 ; this 192 .text:75C86F9C B3 F6 FF EB BL _ZN10lIIIlIlIIlD2Ev ; lIIIlIlIIl::~lIIIlIlIIl() 193 .text:75C86FA0 194 .text:75C86FA0 loc_75C86FA0 ; CODE XREF: hook_mono_func+484↓j 195 .text:75C86FA0 01 20 A0 E3 MOV R2, #1 196 .text:75C86FA4 C0 33 9F E5 LDR R3, =(_ZN6Global10lllllllIIIE_ptr - 0x75CBEEC0) 197 .text:75C86FA8 03 30 95 E7 LDR R3, [R5,R3] 198 .text:75C86FAC 00 20 C3 E5 STRB R2, [R3] ; Global::lllllllIII 199 .text:75C86FB0 200 .text:75C86FB0 loc_75C86FB0 ; CODE XREF: hook_mono_func+138↑j 201 .text:75C86FB0 54 22 9D E5 LDR R2, [SP,#0x280+var_2C] 202 .text:75C86FB4 00 30 9A E5 LDR R3, [R10] 203 .text:75C86FB8 03 00 52 E1 CMP R2, R3 204 .text:75C86FBC A4 00 00 1A BNE loc_75C87254 205 .text:75C86FC0 97 DF 8D E2 ADD SP, SP, #0x25C 206 .text:75C86FC4 F0 8F BD E8 LDMFD SP!, {R4-R11,PC}
六: Assembly-CSharp.dll解密分析
1. 在mono的hook函数中解密Assembly-CSharp.dll,代码如下:
1 .text:75C7A138 EXPORT hook_mono_image_open_from_data_with_name 2 .text:75C7A138 hook_mono_image_open_from_data_with_name 3 .text:75C7A138 ; DATA XREF: .got:lIlIllIllIl_ptr↓o 4 .text:75C7A138 5 .text:75C7A138 var_4F0= -0x4F0 6 .text:75C7A138 var_4EC= -0x4EC 7 .text:75C7A138 var_4E8= -0x4E8 8 .text:75C7A138 var_4E4= -0x4E4 9 .text:75C7A138 var_4DC= -0x4DC 10 .text:75C7A138 var_4D8= -0x4D8 11 .text:75C7A138 var_4D4= -0x4D4 12 .text:75C7A138 var_4D0= -0x4D0 13 .text:75C7A138 var_4CC= -0x4CC 14 .text:75C7A138 var_4C8= -0x4C8 15 .text:75C7A138 var_4C4= -0x4C4 16 .text:75C7A138 var_60= -0x60 17 .text:75C7A138 var_54= -0x54 18 .text:75C7A138 var_50= -0x50 19 .text:75C7A138 var_4C= -0x4C 20 .text:75C7A138 var_48= -0x48 21 .text:75C7A138 var_44= -0x44 22 .text:75C7A138 var_43= -0x43 23 .text:75C7A138 var_42= -0x42 24 .text:75C7A138 var_41= -0x41 25 .text:75C7A138 var_40= -0x40 26 .text:75C7A138 var_3F= -0x3F 27 .text:75C7A138 var_3E= -0x3E 28 .text:75C7A138 var_3D= -0x3D 29 .text:75C7A138 var_2C= -0x2C 30 .text:75C7A138 arg_0= 0 31 .text:75C7A138 arg_4= 4 32 .text:75C7A138 33 .text:75C7A138 ; __unwind { // 75C8F220 34 .text:75C7A138 F0 4F 2D E9 STMFD SP!, {R4-R11,LR} 35 .text:75C7A13C 13 DD 4D E2 SUB SP, SP, #0x4C0 36 .text:75C7A140 0C D0 4D E2 SUB SP, SP, #0xC 37 .text:75C7A144 F4 74 9D E5 LDR R7, [SP,#0x4F0+arg_4] 38 .text:75C7A148 54 84 9F E5 LDR R8, =(_GLOBAL_OFFSET_TABLE_ - 0x75C7A168) 39 .text:75C7A14C 54 C4 9F E5 LDR R12, =(__stack_chk_guard_ptr - 0x75CB2EC0) 40 .text:75C7A150 00 60 97 E2 MOVS R6, R7 41 .text:75C7A154 01 60 A0 13 MOVNE R6, #1 42 .text:75C7A158 00 00 57 E3 CMP R7, #0 43 .text:75C7A15C FF 00 51 13 CMPNE R1, #0xFF 44 .text:75C7A160 08 80 8F E0 ADD R8, PC, R8 ; _GLOBAL_OFFSET_TABLE_ 45 .text:75C7A164 0C C0 98 E7 LDR R12, [R8,R12] 46 .text:75C7A168 01 50 A0 E1 MOV R5, R1 47 .text:75C7A16C 08 C0 8D E5 STR R12, [SP,#0x4F0+var_4E8] 48 .text:75C7A170 00 C0 9C E5 LDR R12, [R12] 49 .text:75C7A174 00 40 A0 E1 MOV R4, R0 50 .text:75C7A178 0C 20 8D E5 STR R2, [SP,#0x4F0+var_4E4] 51 .text:75C7A17C C4 C4 8D E5 STR R12, [SP,#0x4F0+var_2C] 52 .text:75C7A180 DE 00 00 9A BLS loc_75C7A500 53 .text:75C7A184 20 14 9F E5 LDR R1, =(unk_75CACB70 - 0x75C7A198) 54 .text:75C7A188 2C 60 8D E2 ADD R6, SP, #0x4F0+var_4C4 55 .text:75C7A18C 06 00 A0 E1 MOV R0, R6 ; this 56 .text:75C7A190 01 10 8F E0 ADD R1, PC, R1 ; unk_75CACB70 ; char * 57 .text:75C7A194 03 90 A0 E1 MOV R9, R3 58 .text:75C7A198 70 FB FF EB BL DecString 59 .text:75C7A19C 06 00 A0 E1 MOV R0, R6 60 .text:75C7A1A0 54 FA FF EB BL _ZN10lIIIlIlIIlcvPcEv ; lIIIlIlIIl::operator char *(void) 61 .text:75C7A1A4 00 10 A0 E1 MOV R1, R0 ; needle 62 .text:75C7A1A8 07 00 A0 E1 MOV R0, R7 ; haystack 63 .text:75C7A1AC 29 DA FF EB BL strstr ; 判断是否加载Assembly-CSharp.dll 64 .text:75C7A1B0 00 A0 A0 E1 MOV R10, R0 65 .text:75C7A1B4 06 00 A0 E1 MOV R0, R6 ; this 66 .text:75C7A1B8 2C FA FF EB BL _ZN10lIIIlIlIIlD2Ev ; lIIIlIlIIl::~lIIIlIlIIl() 67 .text:75C7A1BC 00 00 5A E3 CMP R10, #0 68 .text:75C7A1C0 A5 00 00 0A BEQ loc_75C7A45C 69 .text:75C7A1C4 E4 A3 9F E5 LDR R10, =unk_49F54EEB ; 准备解密 70 .text:75C7A1C8 E4 E3 9F E5 LDR LR, =0x8B3BE89F 71 .text:75C7A1CC E4 C3 9F E5 LDR R12, =0xC6EF3720 72 .text:75C7A1D0 0A 30 A0 E1 MOV R3, R10 73 .text:75C7A1D4 74 .text:75C7A1D4 loc_75C7A1D4 ; CODE XREF: hook_mono_image_open_from_data_with_name+104↓j 75 .text:75C7A1D4 E0 13 9F E5 LDR R1, =0x815AA0CD 76 .text:75C7A1D8 E0 23 9F E5 LDR R2, =0xA1C489F7 77 .text:75C7A1DC 03 B2 A0 E1 MOV R11, R3,LSL#4 78 .text:75C7A1E0 A3 02 A0 E1 MOV R0, R3,LSR#5 79 .text:75C7A1E4 01 10 8B E0 ADD R1, R11, R1 80 .text:75C7A1E8 02 20 80 E0 ADD R2, R0, R2 81 .text:75C7A1EC 03 30 8C E0 ADD R3, R12, R3 82 .text:75C7A1F0 01 20 22 E0 EOR R2, R2, R1 83 .text:75C7A1F4 03 20 22 E0 EOR R2, R2, R3 84 .text:75C7A1F8 C4 13 9F E5 LDR R1, =0x95A8882C 85 .text:75C7A1FC C4 33 9F E5 LDR R3, =0x9D2CC113 86 .text:75C7A200 0E E0 62 E0 RSB LR, R2, LR 87 .text:75C7A204 0C 20 8E E0 ADD R2, LR, R12 88 .text:75C7A208 0E B2 A0 E1 MOV R11, LR,LSL#4 89 .text:75C7A20C AE 02 A0 E1 MOV R0, LR,LSR#5 90 .text:75C7A210 61 C4 8C E2 ADD R12, R12, #0x61000000 91 .text:75C7A214 01 10 8B E0 ADD R1, R11, R1 92 .text:75C7A218 03 30 80 E0 ADD R3, R0, R3 93 .text:75C7A21C 32 C7 8C E2 ADD R12, R12, #0xC80000 94 .text:75C7A220 01 30 23 E0 EOR R3, R3, R1 95 .text:75C7A224 86 CC 8C E2 ADD R12, R12, #0x8600 96 .text:75C7A228 02 30 23 E0 EOR R3, R3, R2 97 .text:75C7A22C 47 C0 8C E2 ADD R12, R12, #0x47 98 .text:75C7A230 0A 30 63 E0 RSB R3, R3, R10 99 .text:75C7A234 00 00 5C E3 CMP R12, #0 100 .text:75C7A238 03 A0 A0 E1 MOV R10, R3 101 .text:75C7A23C E4 FF FF 1A BNE loc_75C7A1D4 102 .text:75C7A240 00 10 D4 E5 LDRB R1, [R4] 103 .text:75C7A244 FF 20 03 E2 AND R2, R3, #0xFF 104 .text:75C7A248 28 E0 8D E5 STR LR, [SP,#0x4F0+var_4C8] 105 .text:75C7A24C 02 00 51 E1 CMP R1, R2 106 .text:75C7A250 24 30 8D E5 STR R3, [SP,#0x4F0+var_4CC] 107 .text:75C7A254 80 00 00 1A BNE loc_75C7A45C 108 .text:75C7A258 01 20 D4 E5 LDRB R2, [R4,#1] 109 .text:75C7A25C 25 30 DD E5 LDRB R3, [SP,#0x4F0+var_4CC+1] 110 .text:75C7A260 03 00 52 E1 CMP R2, R3 111 .text:75C7A264 7C 00 00 1A BNE loc_75C7A45C 112 .text:75C7A268 02 20 D4 E5 LDRB R2, [R4,#2] 113 .text:75C7A26C 26 30 DD E5 LDRB R3, [SP,#0x4F0+var_4CC+2] 114 .text:75C7A270 03 00 52 E1 CMP R2, R3 115 .text:75C7A274 78 00 00 1A BNE loc_75C7A45C 116 .text:75C7A278 03 20 D4 E5 LDRB R2, [R4,#3] 117 .text:75C7A27C 27 30 DD E5 LDRB R3, [SP,#0x4F0+var_4CC+3] 118 .text:75C7A280 03 00 52 E1 CMP R2, R3 119 .text:75C7A284 74 00 00 1A BNE loc_75C7A45C 120 .text:75C7A288 04 20 D4 E5 LDRB R2, [R4,#4] 121 .text:75C7A28C 28 30 DD E5 LDRB R3, [SP,#0x4F0+var_4C8] 122 .text:75C7A290 03 00 52 E1 CMP R2, R3 123 .text:75C7A294 70 00 00 1A BNE loc_75C7A45C 124 .text:75C7A298 2C 33 9F E5 LDR R3, =(_ZN6Global10IIlllllllIE_ptr - 0x75CB2EC0) 125 .text:75C7A29C 9C C4 8D E5 STR R12, [SP,#0x4F0+var_54] 126 .text:75C7A2A0 A0 C4 8D E5 STR R12, [SP,#0x4F0+var_50] 127 .text:75C7A2A4 03 30 98 E7 LDR R3, [R8,R3] 128 .text:75C7A2A8 00 30 D3 E5 LDRB R3, [R3] ; Global::IIlllllllI 129 .text:75C7A2AC 00 00 53 E3 CMP R3, #0 130 .text:75C7A2B0 A7 00 00 0A BEQ loc_75C7A554 131 .text:75C7A2B4 14 33 9F E5 LDR R3, =(_ZN6Global10IllIlIIllIE_ptr - 0x75CB2EC0) 132 .text:75C7A2B8 03 30 98 E7 LDR R3, [R8,R3] 133 .text:75C7A2BC 00 30 93 E5 LDR R3, [R3] ; Global::IllIlIIllI 134 .text:75C7A2C0 00 A0 D3 E5 LDRB R10, [R3] 135 .text:75C7A2C4 01 80 D3 E5 LDRB R8, [R3,#1] 136 .text:75C7A2C8 02 E0 D3 E5 LDRB LR, [R3,#2] 137 .text:75C7A2CC 03 C0 D3 E5 LDRB R12, [R3,#3] 138 .text:75C7A2D0 04 00 D3 E5 LDRB R0, [R3,#4] 139 .text:75C7A2D4 05 10 D3 E5 LDRB R1, [R3,#5] 140 .text:75C7A2D8 06 20 D3 E5 LDRB R2, [R3,#6] 141 .text:75C7A2DC 07 30 D3 E5 LDRB R3, [R3,#7] 142 .text:75C7A2E0 9C A4 CD E5 STRB R10, [SP,#0x4F0+var_54] 143 .text:75C7A2E4 9D 84 CD E5 STRB R8, [SP,#0x4F0+var_54+1] 144 .text:75C7A2E8 9E E4 CD E5 STRB LR, [SP,#0x4F0+var_54+2] 145 .text:75C7A2EC 9F C4 CD E5 STRB R12, [SP,#0x4F0+var_54+3] 146 .text:75C7A2F0 A0 04 CD E5 STRB R0, [SP,#0x4F0+var_50] 147 .text:75C7A2F4 A1 14 CD E5 STRB R1, [SP,#0x4F0+var_50+1] 148 .text:75C7A2F8 A2 24 CD E5 STRB R2, [SP,#0x4F0+var_50+2] 149 .text:75C7A2FC A3 34 CD E5 STRB R3, [SP,#0x4F0+var_50+3] 150 .text:75C7A300 151 .text:75C7A300 loc_75C7A300 ; CODE XREF: hook_mono_image_open_from_data_with_name+440↓j 152 .text:75C7A300 06 00 A0 E1 MOV R0, R6 ; this 153 .text:75C7A304 2E F1 FF EB BL _ZN10llIlIlIlllC2Ev ; llIlIlIlll::llIlIlIlll(void) 154 .text:75C7A308 10 30 A0 E3 MOV R3, #0x10 ; int 155 .text:75C7A30C 05 C0 D4 E5 LDRB R12, [R4,#5] 156 .text:75C7A310 9C E4 9D E5 LDR LR, [SP,#0x4F0+var_54] 157 .text:75C7A314 08 10 D4 E5 LDRB R1, [R4,#8] 158 .text:75C7A318 09 20 D4 E5 LDRB R2, [R4,#9] 159 .text:75C7A31C 07 00 D4 E5 LDRB R0, [R4,#7] 160 .text:75C7A320 06 A0 D4 E5 LDRB R10, [R4,#6] 161 .text:75C7A324 00 30 8D E5 STR R3, [SP,#0x4F0+var_4F0] ; int 162 .text:75C7A328 A0 B4 9D E5 LDR R11, [SP,#0x4F0+var_50] 163 .text:75C7A32C A4 E4 8D E5 STR LR, [SP,#0x4F0+var_4C] 164 .text:75C7A330 0A 80 D4 E5 LDRB R8, [R4,#0xA] 165 .text:75C7A334 0B E0 D4 E5 LDRB LR, [R4,#0xB] 166 .text:75C7A338 AC C4 CD E5 STRB R12, [SP,#0x4F0+var_44] 167 .text:75C7A33C 0C C0 D4 E5 LDRB R12, [R4,#0xC] 168 .text:75C7A340 AF 14 CD E5 STRB R1, [SP,#0x4F0+var_41] 169 .text:75C7A344 B0 24 CD E5 STRB R2, [SP,#0x4F0+var_40] 170 .text:75C7A348 4A 1E 8D E2 ADD R1, SP, #0x4F0+var_50 171 .text:75C7A34C 4B 2E 8D E2 ADD R2, SP, #0x4F0+var_40 172 .text:75C7A350 AE 04 CD E5 STRB R0, [SP,#0x4F0+var_42] 173 .text:75C7A354 04 10 81 E2 ADD R1, R1, #4 ; char * 174 .text:75C7A358 06 00 A0 E1 MOV R0, R6 ; this 175 .text:75C7A35C 04 20 82 E2 ADD R2, R2, #4 ; char * 176 .text:75C7A360 A8 B4 8D E5 STR R11, [SP,#0x4F0+var_48] 177 .text:75C7A364 AD A4 CD E5 STRB R10, [SP,#0x4F0+var_43] 178 .text:75C7A368 B1 84 CD E5 STRB R8, [SP,#0x4F0+var_3F] 179 .text:75C7A36C B2 E4 CD E5 STRB LR, [SP,#0x4F0+var_3E] 180 .text:75C7A370 B3 C4 CD E5 STRB R12, [SP,#0x4F0+var_3D] 181 .text:75C7A374 16 F1 FF EB BL _ZN10llIlIlIlll10lIIIIlIlIIEPKcS1_ii ; llIlIlIlll::lIIIIlIlII(char const*,char const*,int,int) 182 .text:75C7A378 0F 20 D4 E5 LDRB R2, [R4,#0xF] 183 .text:75C7A37C 10 30 D4 E5 LDRB R3, [R4,#0x10] 184 .text:75C7A380 0D 00 D4 E5 LDRB R0, [R4,#0xD] 185 .text:75C7A384 0E 10 D4 E5 LDRB R1, [R4,#0xE] 186 .text:75C7A388 16 20 CD E5 STRB R2, [SP,#0x4F0+var_4DC+2] 187 .text:75C7A38C 17 30 CD E5 STRB R3, [SP,#0x4F0+var_4DC+3] 188 .text:75C7A390 11 20 D4 E5 LDRB R2, [R4,#0x11] 189 .text:75C7A394 12 30 D4 E5 LDRB R3, [R4,#0x12] 190 .text:75C7A398 14 00 CD E5 STRB R0, [SP,#0x4F0+var_4DC] 191 .text:75C7A39C 15 10 CD E5 STRB R1, [SP,#0x4F0+var_4DC+1] 192 .text:75C7A3A0 14 A0 9D E5 LDR R10, [SP,#0x4F0+var_4DC] 193 .text:75C7A3A4 13 80 D4 E5 LDRB R8, [R4,#0x13] 194 .text:75C7A3A8 14 E0 D4 E5 LDRB LR, [R4,#0x14] 195 .text:75C7A3AC 15 C0 D4 E5 LDRB R12, [R4,#0x15] 196 .text:75C7A3B0 16 10 D4 E5 LDRB R1, [R4,#0x16] 197 .text:75C7A3B4 18 20 CD E5 STRB R2, [SP,#0x4F0+var_4D8] 198 .text:75C7A3B8 19 30 CD E5 STRB R3, [SP,#0x4F0+var_4D8+1] 199 .text:75C7A3BC 17 20 D4 E5 LDRB R2, [R4,#0x17] 200 .text:75C7A3C0 18 30 D4 E5 LDRB R3, [R4,#0x18] 201 .text:75C7A3C4 0A 00 A0 E1 MOV R0, R10 ; unsigned int 202 .text:75C7A3C8 1A 80 CD E5 STRB R8, [SP,#0x4F0+var_4D8+2] 203 .text:75C7A3CC 1B E0 CD E5 STRB LR, [SP,#0x4F0+var_4D8+3] 204 .text:75C7A3D0 1C C0 CD E5 STRB R12, [SP,#0x4F0+var_4D4] 205 .text:75C7A3D4 1D 10 CD E5 STRB R1, [SP,#0x4F0+var_4D4+1] 206 .text:75C7A3D8 1E 20 CD E5 STRB R2, [SP,#0x4F0+var_4D4+2] 207 .text:75C7A3DC 1F 30 CD E5 STRB R3, [SP,#0x4F0+var_4D4+3] 208 .text:75C7A3E0 9C E0 FF EB BL malloc_0 209 .text:75C7A3E4 00 10 A0 E3 MOV R1, #0 210 .text:75C7A3E8 00 80 A0 E1 MOV R8, R0 211 .text:75C7A3EC 00 20 A0 E1 MOV R2, R0 ; char * 212 .text:75C7A3F0 00 10 8D E5 STR R1, [SP,#0x4F0+var_4F0] ; int 213 .text:75C7A3F4 0A 30 A0 E1 MOV R3, R10 ; unsigned int 214 .text:75C7A3F8 06 00 A0 E1 MOV R0, R6 ; this 215 .text:75C7A3FC 19 10 84 E2 ADD R1, R4, #0x19 ; char * 216 .text:75C7A400 12 F9 FF EB BL _ZN10llIlIlIlll10lllIIIllIIEPKcPcji ; llIlIlIlll::lllIIIllII(char const*,char *,uint,int) 217 .text:75C7A404 1C B0 9D E5 LDR R11, [SP,#0x4F0+var_4D4] 218 .text:75C7A408 0B 00 A0 E1 MOV R0, R11 ; unsigned int 219 .text:75C7A40C 91 E0 FF EB BL malloc_0 ; 分配内存放解密后数据 220 .text:75C7A410 00 C0 A0 E3 MOV R12, #0 221 .text:75C7A414 20 30 8D E2 ADD R3, SP, #0x4F0+var_4D0 222 .text:75C7A418 00 A0 A0 E1 MOV R10, R0 223 .text:75C7A41C 04 30 8D E5 STR R3, [SP,#0x4F0+var_4EC] 224 .text:75C7A420 18 20 9D E5 LDR R2, [SP,#0x4F0+var_4D8] 225 .text:75C7A424 00 30 A0 E1 MOV R3, R0 226 .text:75C7A428 00 B0 8D E5 STR R11, [SP,#0x4F0+var_4F0] 227 .text:75C7A42C 01 00 A0 E3 MOV R0, #1 228 .text:75C7A430 08 10 A0 E1 MOV R1, R8 229 .text:75C7A434 20 C0 8D E5 STR R12, [SP,#0x4F0+var_4D0] 230 .text:75C7A438 21 1E 00 EB BL _Z10IlllIIIIll10IIlIlIlllIPKhjPhjPj ; 解密出明文dll 231 .text:75C7A43C 00 00 50 E3 CMP R0, #0 232 .text:75C7A440 3A 00 00 0A BEQ loc_75C7A530 233 .text:75C7A444 234 .text:75C7A444 loc_75C7A444 ; CODE XREF: hook_mono_image_open_from_data_with_name+418↓j 235 .text:75C7A444 0A 00 A0 E1 MOV R0, R10 ; void * 236 .text:75C7A448 90 E0 FF EB BL _Z10IIIIIllIIlPv ; IIIIIllIIl(void *) 237 .text:75C7A44C 08 00 A0 E1 MOV R0, R8 ; void * 238 .text:75C7A450 8E E0 FF EB BL _Z10IIIIIllIIlPv ; IIIIIllIIl(void *) 239 .text:75C7A454 06 00 A0 E1 MOV R0, R6 ; this 240 .text:75C7A458 DC F0 FF EB BL _ZN10llIlIlIlllD2Ev ; llIlIlIlll::~llIlIlIlll() 241 .text:75C7A45C 242 .text:75C7A45C loc_75C7A45C ; CODE XREF: hook_mono_image_open_from_data_with_name+88↑j 243 .text:75C7A45C ; hook_mono_image_open_from_data_with_name+11C↑j ... 244 .text:75C7A45C F0 34 9D E5 LDR R3, [SP,#0x4F0+arg_0] 245 .text:75C7A460 6C 11 9F E5 LDR R1, =(dword_75CB4068 - 0x75C7A474) 246 .text:75C7A464 04 70 8D E5 STR R7, [SP,#0x4F0+var_4EC] 247 .text:75C7A468 00 30 8D E5 STR R3, [SP,#0x4F0+var_4F0] 248 .text:75C7A46C 01 10 8F E0 ADD R1, PC, R1 ; dword_75CB4068 249 .text:75C7A470 08 C0 91 E5 LDR R12, [R1,#(dword_75CB4070 - 0x75CB4068)] 250 .text:75C7A474 0C 20 9D E5 LDR R2, [SP,#0x4F0+var_4E4] 251 .text:75C7A478 09 30 A0 E1 MOV R3, R9 252 .text:75C7A47C 04 00 A0 E1 MOV R0, R4 253 .text:75C7A480 05 10 A0 E1 MOV R1, R5 254 .text:75C7A484 3C FF 2F E1 BLX R12 255 .text:75C7A488 00 80 A0 E1 MOV R8, R0 256 .text:75C7A48C 257 .text:75C7A48C loc_75C7A48C ; CODE XREF: hook_mono_image_open_from_data_with_name+3F4↓j 258 .text:75C7A48C 44 11 9F E5 LDR R1, =(unk_75CACB70 - 0x75C7A49C) 259 .text:75C7A490 06 00 A0 E1 MOV R0, R6 ; this 260 .text:75C7A494 01 10 8F E0 ADD R1, PC, R1 ; unk_75CACB70 ; char * 261 .text:75C7A498 B0 FA FF EB BL DecString 262 .text:75C7A49C 06 00 A0 E1 MOV R0, R6 263 .text:75C7A4A0 94 F9 FF EB BL _ZN10lIIIlIlIIlcvPcEv ; lIIIlIlIIl::operator char *(void) 264 .text:75C7A4A4 00 10 A0 E1 MOV R1, R0 ; needle 265 .text:75C7A4A8 07 00 A0 E1 MOV R0, R7 ; haystack 266 .text:75C7A4AC 69 D9 FF EB BL strstr 267 .text:75C7A4B0 00 70 A0 E1 MOV R7, R0 268 .text:75C7A4B4 06 00 A0 E1 MOV R0, R6 ; this 269 .text:75C7A4B8 6C F9 FF EB BL _ZN10lIIIlIlIIlD2Ev ; lIIIlIlIIl::~lIIIlIlIIl() 270 .text:75C7A4BC 00 00 57 E3 CMP R7, #0 271 .text:75C7A4C0 00 00 55 13 CMPNE R5, #0 272 .text:75C7A4C4 04 00 00 0A BEQ loc_75C7A4DC 273 .text:75C7A4C8 00 30 A0 E3 MOV R3, #0 274 .text:75C7A4CC 05 50 84 E0 ADD R5, R4, R5 275 .text:75C7A4D0 276 .text:75C7A4D0 loc_75C7A4D0 ; CODE XREF: hook_mono_image_open_from_data_with_name+3A0↓j 277 .text:75C7A4D0 01 30 C4 E4 STRB R3, [R4],#1 278 .text:75C7A4D4 05 00 54 E1 CMP R4, R5 279 .text:75C7A4D8 FC FF FF 1A BNE loc_75C7A4D0 280 .text:75C7A4DC 281 .text:75C7A4DC loc_75C7A4DC ; CODE XREF: hook_mono_image_open_from_data_with_name+38C↑j 282 .text:75C7A4DC ; hook_mono_image_open_from_data_with_name+3EC↓j 283 .text:75C7A4DC 08 30 9D E5 LDR R3, [SP,#0x4F0+var_4E8] 284 .text:75C7A4E0 C4 24 9D E5 LDR R2, [SP,#0x4F0+var_2C] 285 .text:75C7A4E4 08 00 A0 E1 MOV R0, R8 286 .text:75C7A4E8 00 30 93 E5 LDR R3, [R3] 287 .text:75C7A4EC 03 00 52 E1 CMP R2, R3 288 .text:75C7A4F0 24 00 00 1A BNE loc_75C7A588 289 .text:75C7A4F4 13 DD 8D E2 ADD SP, SP, #0x4C0 290 .text:75C7A4F8 0C D0 8D E2 ADD SP, SP, #0xC 291 .text:75C7A4FC F0 8F BD E8 LDMFD SP!, {R4-R11,PC}
解密后 dump dll R10是基址,R11是大小,如下图:
1 static main(void) 2 { 3 auto fp, begin, end, dexbyte; 4 fp = fopen("d:\\dump.dll", "wb"); //打开或创建一个文件 5 begin = R10; //dll基址 6 end = begin + R11; //dll基址 + dll文件大小 7 for ( dexbyte = begin; dexbyte < end;dexbyte ++ ) 8 { 9 fputc(Byte(dexbyte), fp); //按字节将其dump到本地文件中 10 } 11 }
将dump出来的dll反编后如下图:
3.在hook_mono_assembly_load_from_full主要是计算将解密dll的PE头清楚后的计算crc值。
七: libengine模块分析
1. 在com/inca/security/Core/AppGuardEngine类中注册的第一个Native函数中通过dlopen、dlsym调用libengine.sox解密的so
JNI比函数 .text:75C81168 IlIIIIIIII (文件偏移 13168) (Landroid/content/Context;Ljava/lang/String;[B)I
2.通过dlopen、dlsym获取下面3个函数。
以下这几个函数被调用
Initialize (文件偏移27144)
CreateObject (文件偏移2A2F4)
Clazz::IlIllllIIl (文件偏移2B1B0)
3. Initialize函数
1 //反调试 2 /data/data/com.digitalsky.girlsfrontline.cn/files/95c72528dc4c1ef12d2bf750585fed56eca973a8 7CE87000 00102000 3 .text:7CEAE17A loc_7CEAE17A ; CODE XREF: Initialize+32↑j 4 .text:7CEAE17A CC 4B LDR R3, =(_ZN10lllllIIIll11IIlIlIIIlllE_ptr - 0x7CF87D44) 5 .text:7CEAE17C EB 58 LDR R3, [R5,R3] 6 .text:7CEAE17E 1E 60 STR R6, [R3] ; lllllIIIll::IIlIlIIIlll 7 .text:7CEAE180 19 F0 B6 FD BL Anit_Dbg ; 反调试(读进程状态) 8 .text:7CEAE184 B8 42 CMP R0, R7 9 .text:7CEAE186 00 D0 BEQ loc_7CEAE18A 10 .text:7CEAE188 D4 E1 B loc_7CEAE534 11 12 //动态获取函数 13 .text:7CEAE33A loc_7CEAE33A ; CODE XREF: Initialize+1F2↑j 14 .text:7CEAE33A 1A 60 STR R2, [R3] ; Global::llIlIllllI 15 .text:7CEAE33C 1E F0 DA FC BL GetlibcFunc 16 .text:7CEAE340 1F F0 76 FD BL GetlibdvmFunc 17 .text:7CEAE344 00 28 CMP R0, #0 18 .text:7CEAE346 04 D0 BEQ loc_7CEAE352 19 .text:7CEAE348 67 4B LDR R3, =(_ZN6Global11llllIIlIlIIE_ptr - 0x7CF87D44) 20 .text:7CEAE34A EB 58 LDR R3, [R5,R3] 21 .text:7CEAE34C 04 93 STR R3, [SP,#0x1A8+var_198] 22 .text:7CEAE34E 01 23 MOVS R3, #1 23 .text:7CEAE350 1E E0 B loc_7CEAE390
4. CreateObject函数
计算libengine.sox解密后的函数crc (文件偏移 2A1F6)
1 /data/data/com.digitalsky.girlsfrontline.cn/files/95c72528dc4c1ef12d2bf750585fed56eca973a8 7CF7A000 00102000 2 3 .text:7CFA41F6 loc_7CFA41F6 ; CODE XREF: IlllIIIlll::IlllIIIlll(_JNIEnv *,void *)+324↓j 4 .text:7CFA41F6 39 4B LDR R3, =(_ZN6Global11lIIIIIIIIIIE_ptr - 0x7D07AD44) 5 .text:7CFA41F8 07 9A LDR R2, [SP,#0xF8+var_DC] 6 .text:7CFA41FA F3 58 LDR R3, [R6,R3] 7 .text:7CFA41FC 10 1C MOVS R0, R2 ; void * 8 .text:7CFA41FE 1A 60 STR R2, [R3] ; Global::lIIIIIIIIII 9 .text:7CFA4200 34 F0 26 F8 BL GetCrc32 ; 计算libengine.sox解密后的函数crc 10 .text:7CFA4204 36 4B LDR R3, =(_ZN6Global11lIIlIlIIIlIE_ptr - 0x7D07AD44) 11 计算CRC函数代码如下: 12 .text:7CFD8250 EXPORT GetCrc32 13 .text:7CFD8250 GetCrc32 ; CODE XREF: IlllIIIlll::IlllIIIlll(_JNIEnv *,void *)+2E4↑p 14 .text:7CFD8250 ; IlllIllIll::lIIIllIlIll(lIIIllIlllII *,int,IIlIllIlllll *,bool *,char *,bool)+88↑p ... 15 .text:7CFD8250 ; __unwind { 16 .text:7CFD8250 F8 B5 PUSH {R3-R7,LR} 17 .text:7CFD8252 22 4B LDR R3, =(_ZN6Global10lIIllIllIlE_ptr - 0x7CFD825A) 18 .text:7CFD8254 00 25 MOVS R5, #0 19 .text:7CFD8256 7B 44 ADD R3, PC ; _ZN6Global10lIIllIllIlE_ptr 20 .text:7CFD8258 1B 68 LDR R3, [R3] ; Global::lIIllIllIl 21 .text:7CFD825A 1B 68 LDR R3, [R3] ; Global::lIIllIllIl 22 .text:7CFD825C 17 2B CMP R3, #0x17 23 .text:7CFD825E 3B DC BGT loc_7CFD82D8 24 .text:7CFD8260 04 1C MOVS R4, R0 25 .text:7CFD8262 17 2B CMP R3, #0x17 26 .text:7CFD8264 08 D1 BNE loc_7CFD8278 27 .text:7CFD8266 1E 48 LDR R0, =(_ZN6Global11IlIIIIlllllE_ptr - 0x7CFD826E) 28 .text:7CFD8268 1E 49 LDR R1, =(aN - 0x7CFD8272) 29 .text:7CFD826A 78 44 ADD R0, PC ; _ZN6Global11IlIIIIlllllE_ptr 30 .text:7CFD826C 00 68 LDR R0, [R0] ; Global::IlIIIIlllll 31 .text:7CFD826E 79 44 ADD R1, PC ; "N" 32 .text:7CFD8270 48 F0 BE FB BL j_strcmp 33 .text:7CFD8274 A8 42 CMP R0, R5 34 .text:7CFD8276 2F D0 BEQ loc_7CFD82D8 35 .text:7CFD8278 36 .text:7CFD8278 loc_7CFD8278 ; CODE XREF: GetCrc32+14↑j 37 .text:7CFD8278 00 26 MOVS R6, #0 38 .text:7CFD827A 23 1C MOVS R3, R4 39 .text:7CFD827C 30 1C MOVS R0, R6 ; this 40 .text:7CFD827E B0 33 ADDS R3, #0xB0 41 .text:7CFD8280 1F 68 LDR R7, [R3] 42 .text:7CFD8282 43 .text:7CFD8282 loc_7CFD8282 ; CODE XREF: GetCrc32+84↓j 44 .text:7CFD8282 23 1C MOVS R3, R4 45 .text:7CFD8284 B4 33 ADDS R3, #0xB4 46 .text:7CFD8286 1B 68 LDR R3, [R3] 47 .text:7CFD8288 9E 42 CMP R6, R3 ; 判断是否结束 48 .text:7CFD828A 24 D2 BCS loc_7CFD82D6 49 .text:7CFD828C 23 1C MOVS R3, R4 50 .text:7CFD828E BC 33 ADDS R3, #0xBC 51 .text:7CFD8290 1B 68 LDR R3, [R3] 52 .text:7CFD8292 B2 00 LSLS R2, R6, #2 53 .text:7CFD8294 D5 58 LDR R5, [R2,R3] 54 .text:7CFD8296 55 .text:7CFD8296 loc_7CFD8296 ; CODE XREF: GetCrc32+80↓j 56 .text:7CFD8296 00 2D CMP R5, #0 57 .text:7CFD8298 1B D0 BEQ loc_7CFD82D2 58 .text:7CFD829A 2B 01 LSLS R3, R5, #4 59 .text:7CFD829C FB 18 ADDS R3, R7, R3 ; unsigned int 60 .text:7CFD829E 19 7B LDRB R1, [R3,#0xC] 61 .text:7CFD82A0 0A 11 ASRS R2, R1, #4 62 .text:7CFD82A2 01 3A SUBS R2, #1 63 .text:7CFD82A4 01 2A CMP R2, #1 64 .text:7CFD82A6 0E D8 BHI loc_7CFD82C6 65 .text:7CFD82A8 DA 89 LDRH R2, [R3,#0xE] 66 .text:7CFD82AA 00 2A CMP R2, #0 67 .text:7CFD82AC 0B D0 BEQ loc_7CFD82C6 68 .text:7CFD82AE 0F 22 MOVS R2, #0xF 69 .text:7CFD82B0 0A 40 ANDS R2, R1 70 .text:7CFD82B2 02 2A CMP R2, #2 71 .text:7CFD82B4 07 D1 BNE loc_7CFD82C6 72 .text:7CFD82B6 22 1C MOVS R2, R4 73 .text:7CFD82B8 8C 32 ADDS R2, #0x8C 74 .text:7CFD82BA 11 68 LDR R1, [R2] 75 .text:7CFD82BC 5A 68 LDR R2, [R3,#4] 76 .text:7CFD82BE 51 18 ADDS R1, R2, R1 ; unsigned int 77 .text:7CFD82C0 9A 68 LDR R2, [R3,#8] ; unsigned __int8 * 78 .text:7CFD82C2 E5 F7 F1 FF BL adler_adler32 ; R1函数首地址,R2函数大小 79 .text:7CFD82C6 80 .text:7CFD82C6 loc_7CFD82C6 ; CODE XREF: GetCrc32+56↑j 81 .text:7CFD82C6 ; GetCrc32+5C↑j ... 82 .text:7CFD82C6 23 1C MOVS R3, R4 83 .text:7CFD82C8 C0 33 ADDS R3, #0xC0 84 .text:7CFD82CA 1B 68 LDR R3, [R3] 85 .text:7CFD82CC AD 00 LSLS R5, R5, #2 86 .text:7CFD82CE 5D 59 LDR R5, [R3,R5] 87 .text:7CFD82D0 E1 E7 B loc_7CFD8296 88 .text:7CFD82D2 ; --------------------------------------------------------------------------- 89 .text:7CFD82D2 90 .text:7CFD82D2 loc_7CFD82D2 ; CODE XREF: GetCrc32+48↑j 91 .text:7CFD82D2 01 36 ADDS R6, #1 92 .text:7CFD82D4 D5 E7 B loc_7CFD8282 93 .text:7CFD82D6 ; --------------------------------------------------------------------------- 94 .text:7CFD82D6 95 .text:7CFD82D6 loc_7CFD82D6 ; CODE XREF: GetCrc32+3A↑j 96 .text:7CFD82D6 05 1C ADDS R5, R0, #0 97 .text:7CFD82D8 98 .text:7CFD82D8 loc_7CFD82D8 ; CODE XREF: GetCrc32+E↑j 99 .text:7CFD82D8 ; GetCrc32+26↑j 100 .text:7CFD82D8 28 1C MOVS R0, R5 101 .text:7CFD82DA F8 BD POP {R3-R7,PC}
5. IlIllllIIl 函数
计算libc.so代码节的crc值 与.text节的CRC(文件偏移398AE)
1 /data/data/com.digitalsky.girlsfrontline.cn/files/95c72528dc4c1ef12d2bf750585fed56eca973a8 77763000 00102000 2 .text:7779C8AE 59 68 LDR R1, [R3,#4] 3 .text:7779C8B0 33 69 LDR R3, [R6,#0x10] ; unsigned int 4 .text:7779C8B2 C9 18 ADDS R1, R1, R3 ; unsigned int 5 .text:7779C8B4 0A F0 F8 FC BL _ZN5adler7adler32EmPKhj ; 计算libc.so代码节的crc值 AA4AC826
6.计算libcompatible.so函数的Crc与.text节的CRC
1 .text:7C88BAB2 2 .text:7C88BAB2 ; IlllIIIIlIl(IlIIlIIIll *) 3 .text:7C88BAB2 EXPORT _Z11IlllIIIIlIlP10IlIIlIIIll 4 .text:7C88BAB2 _Z11IlllIIIIlIlP10IlIIlIIIll ; CODE XREF: IlllIllIll::IlIllIllll(lIIIllIlllII *,int,IIlIllIlllll *,bool *,char *,bool)+196↑p 5 .text:7C88BAB2 ; IlllIllIll::IlllIllIll(_jobject *,int,long long,long long,uint,char **,char **,char **,char **,char **)+80C↑p 6 .text:7C88BAB2 ; __unwind { 7 .text:7C88BAB2 F8 B5 PUSH {R3-R7,LR} 8 .text:7C88BAB4 00 26 MOVS R6, #0 9 .text:7C88BAB6 FC 30 ADDS R0, #0xFC 10 .text:7C88BAB8 04 1C MOVS R4, R0 11 .text:7C88BABA 87 6C LDR R7, [R0,#0x48] 12 .text:7C88BABC 30 1C ADDS R0, R6, #0 ; this 13 .text:7C88BABE 14 .text:7C88BABE loc_7C88BABE ; CODE XREF: IlllIIIIlIl(IlIIlIIIll *)+4E↓j 15 .text:7C88BABE A3 6A LDR R3, [R4,#0x28] 16 .text:7C88BAC0 9E 42 CMP R6, R3 ; 判断函数个数是否结束 17 .text:7C88BAC2 1E D2 BCS locret_7C88BB02 18 .text:7C88BAC4 22 6B LDR R2, [R4,#0x30] 19 .text:7C88BAC6 B3 00 LSLS R3, R6, #2 20 .text:7C88BAC8 9D 58 LDR R5, [R3,R2] 21 .text:7C88BACA 22 .text:7C88BACA loc_7C88BACA ; CODE XREF: IlllIIIIlIl(IlIIlIIIll *)+4A↓j 23 .text:7C88BACA 00 2D CMP R5, #0 24 .text:7C88BACC 17 D0 BEQ loc_7C88BAFE ; i++ 25 .text:7C88BACE 2B 01 LSLS R3, R5, #4 26 .text:7C88BAD0 FB 18 ADDS R3, R7, R3 ; unsigned int 27 .text:7C88BAD2 19 7B LDRB R1, [R3,#0xC] 28 .text:7C88BAD4 0A 11 ASRS R2, R1, #4 29 .text:7C88BAD6 01 3A SUBS R2, #1 30 .text:7C88BAD8 01 2A CMP R2, #1 31 .text:7C88BADA 0C D8 BHI loc_7C88BAF6 32 .text:7C88BADC DA 89 LDRH R2, [R3,#0xE] 33 .text:7C88BADE 00 2A CMP R2, #0 34 .text:7C88BAE0 09 D0 BEQ loc_7C88BAF6 35 .text:7C88BAE2 0F 22 MOVS R2, #0xF 36 .text:7C88BAE4 0A 40 ANDS R2, R1 37 .text:7C88BAE6 02 2A CMP R2, #2 38 .text:7C88BAE8 05 D1 BNE loc_7C88BAF6 39 .text:7C88BAEA 5A 68 LDR R2, [R3,#4] 40 .text:7C88BAEC 21 6A LDR R1, [R4,#0x20] 41 .text:7C88BAEE 51 18 ADDS R1, R2, R1 ; unsigned int 42 .text:7C88BAF0 9A 68 LDR R2, [R3,#8] ; unsigned __int8 * 43 .text:7C88BAF2 E5 F7 D9 FB BL adler_adler32 ; 计算crc32 44 .text:7C88BAF6 45 .text:7C88BAF6 loc_7C88BAF6 ; CODE XREF: IlllIIIIlIl(IlIIlIIIll *)+28↑j 46 .text:7C88BAF6 ; IlllIIIIlIl(IlIIlIIIll *)+2E↑j ... 47 .text:7C88BAF6 63 6B LDR R3, [R4,#0x34] 48 .text:7C88BAF8 AD 00 LSLS R5, R5, #2 49 .text:7C88BAFA 5D 59 LDR R5, [R3,R5] 50 .text:7C88BAFC E5 E7 B loc_7C88BACA 51 .text:7C88BAFE ; --------------------------------------------------------------------------- 52 .text:7C88BAFE 53 .text:7C88BAFE loc_7C88BAFE ; CODE XREF: IlllIIIIlIl(IlIIlIIIll *)+1A↑j 54 .text:7C88BAFE 01 36 ADDS R6, #1 ; i++ 55 .text:7C88BB00 DD E7 B loc_7C88BABE 56 .text:7C88BB02 ; --------------------------------------------------------------------------- 57 .text:7C88BB02 58 .text:7C88BB02 locret_7C88BB02 ; CODE XREF: IlllIIIIlIl(IlIIlIIIll *)+10↑j 59 .text:7C88BB02 F8 BD POP {R3-R7,PC} 60 计算so的.text节代码的crc值 (文件偏移 39860) 61 ,text:7C866860 ; IlllIllIll::IlllIllIll(_jobject *,int,long long,long long,uint,char **,char **,char **,char **,char **)+8E2↑j 62 .text:7C866860 00 23 MOVS R3, #0 63 .text:7C866862 06 93 STR R3, [SP,#0xB20+var_B08] 64 .text:7C866864 03 9B LDR R3, [SP,#0xB20+var_B14] 65 .text:7C866866 00 2B CMP R3, #0 66 .text:7C866868 2C D0 BEQ loc_7C8668C4 ; 结束 67 .text:7C86686A 68 .text:7C86686A loc_7C86686A ; CODE XREF: IlllIllIll::IlllIllIll(_jobject *,int,long long,long long,uint,char **,char **,char **,char **,char **)+94A↓j 69 .text:7C86686A 06 9B LDR R3, [SP,#0xB20+var_B08] 70 .text:7C86686C 09 9A LDR R2, [SP,#0xB20+var_AFC] 71 .text:7C86686E 93 42 CMP R3, R2 ; 判断是否结束 72 .text:7C866870 28 D0 BEQ loc_7C8668C4 ; 结束 73 .text:7C866872 28 1C MOVS R0, R5 ; this 74 .text:7C866874 06 99 LDR R1, [SP,#0xB20+var_B08] ; unsigned int 75 .text:7C866876 1C F0 46 FE BL _ZN10lIIIIllIII10lIlIIlIIll10IlIIlIlIllEj ; lIIIIllIII::lIlIIlIIll::IlIIlIlIll(uint) 76 .text:7C86687A 03 9B LDR R3, [SP,#0xB20+var_B14] 77 .text:7C86687C 02 68 LDR R2, [R0] 78 .text:7C86687E 06 1C MOVS R6, R0 79 .text:7C866880 98 18 ADDS R0, R3, R2 80 .text:7C866882 2B 68 LDR R3, [R5] 81 .text:7C866884 5A 68 LDR R2, [R3,#4] 82 .text:7C866886 9B 68 LDR R3, [R3,#8] 83 .text:7C866888 D3 18 ADDS R3, R2, R3 84 .text:7C86688A 98 42 CMP R0, R3 85 .text:7C86688C 1C D8 BHI loc_7C8668C8 86 .text:7C86688E 53 49 LDR R1, =(aText - 0x7C866896) 87 .text:7C866890 05 22 MOVS R2, #5 88 .text:7C866892 79 44 ADD R1, PC ; ".text" 89 .text:7C866894 6C F0 74 FE BL j_strncmp ; 判断是否为.text 90 .text:7C866898 00 28 CMP R0, #0 91 .text:7C86689A 0F D1 BNE loc_7C8668BC 92 .text:7C86689C D7 23 MOVS R3, #0xD7 93 .text:7C86689E 72 69 LDR R2, [R6,#0x14] ; unsigned __int8 * 94 .text:7C8668A0 9B 00 LSLS R3, R3, #2 95 .text:7C8668A2 FA 50 STR R2, [R7,R3] 96 .text:7C8668A4 D8 23 MOVS R3, #0xD8 97 .text:7C8668A6 31 69 LDR R1, [R6,#0x10] 98 .text:7C8668A8 9B 00 LSLS R3, R3, #2 99 .text:7C8668AA F9 50 STR R1, [R7,R3] 100 .text:7C8668AC 2B 68 LDR R3, [R5] 101 .text:7C8668AE 59 68 LDR R1, [R3,#4] 102 .text:7C8668B0 33 69 LDR R3, [R6,#0x10] ; unsigned int 103 .text:7C8668B2 C9 18 ADDS R1, R1, R3 ; unsigned int 104 .text:7C8668B4 0A F0 F8 FC BL adler_adler32 ; 计算libc.so代码节的crc值 105 .text:7C8668B8 0A 9B LDR R3, [SP,#0xB20+var_AF8] 106 .text:7C8668BA F8 50 STR R0, [R7,R3] 107 .text:7C8668BC 108 .text:7C8668BC loc_7C8668BC ; CODE XREF: IlllIllIll::IlllIllIll(_jobject *,int,long long,long long,uint,char **,char **,char **,char **,char **)+922↑j 109 .text:7C8668BC 06 9B LDR R3, [SP,#0xB20+var_B08] 110 .text:7C8668BE 01 33 ADDS R3, #1
7.判断是否有种破解工具与是否在模拟器中运行,创建线程检测比较CRC值。
检测是否有的非法工具部分字符串如下:
1 LuckyPatcher v4.1.9(幸运破解器) 2 LuckyPatcher v5.8.9 3 gamehacker (烧饼游戏修改器) 4 com.cih.game_cih:*(金手指) 5 (com.huluxia.gametools)葫芦侠 6 Cheat Engine修改器 7 tcpdump 8 GenyMotion(模拟器) 9 Windroy 10 BlueStacks 11 org.sbtools.gamespeed燒餅修改器 12 org.game.master 游戏修改大师 13 在线程中比较CRC值。 14 .text:7D34674C Cmp_Crc32 ; CODE XREF: IlllIllIll::IIIlllIlllII(lIIIllIlllII *,IIlIllIlllll *)+40A↓p 15 .text:7D34674C ; IlllIllIll::lIllllllIlII(lIIIllIlllII *,IIlIllIlllll *)+4EA↓p ... 16 .text:7D34674C 17 .text:7D34674C var_20 = -0x20 18 .text:7D34674C var_1C = -0x1C 19 .text:7D34674C arg_0 = 0 20 .text:7D34674C arg_8 = 8 21 .text:7D34674C 22 .text:7D34674C ; __unwind { 23 .text:7D34674C F7 B5 PUSH {R0-R2,R4-R7,LR} 24 .text:7D34674E 0A AC ADD R4, SP, #0x20+arg_8 25 .text:7D346750 24 78 LDRB R4, [R4] 26 .text:7D346752 00 94 STR R4, [SP,#0x20+var_20] 27 .text:7D346754 00 29 CMP R1, #0 28 .text:7D346756 05 D0 BEQ loc_7D346764 29 .text:7D346758 09 25 MOVS R5, #9 30 .text:7D34675A D4 00 LSLS R4, R2, #3 31 .text:7D34675C 0C 19 ADDS R4, R1, R4 32 .text:7D34675E 65 60 STR R5, [R4,#4] 33 .text:7D346760 00 25 MOVS R5, #0 34 .text:7D346762 A5 60 STR R5, [R4,#8] 35 .text:7D346764 36 .text:7D346764 loc_7D346764 ; CODE XREF: Cmp_Crc32+A↑j 37 .text:7D346764 00 9C LDR R4, [SP,#0x20+var_20] 38 .text:7D346766 00 2C CMP R4, #0 39 .text:7D346768 07 D1 BNE loc_7D34677A 40 .text:7D34676A 8C 24 E4 00 MOVS R4, #0x460 41 .text:7D34676E 04 19 ADDS R4, R0, R4 42 .text:7D346770 24 68 LDR R4, [R4] 43 .text:7D346772 A4 05 LSLS R4, R4, #0x16 44 .text:7D346774 01 D5 BPL loc_7D34677A 45 .text:7D346776 46 .text:7D346776 loc_7D346776 ; CODE XREF: Cmp_Crc32+38↓j 47 .text:7D346776 ; Cmp_Crc32+58↓j 48 .text:7D346776 00 20 MOVS R0, #0 49 .text:7D346778 46 E0 B locret_7D346808 50 .text:7D34677A ; --------------------------------------------------------------------------- 51 .text:7D34677A 52 .text:7D34677A loc_7D34677A ; CODE XREF: Cmp_Crc32+1C↑j 53 .text:7D34677A ; Cmp_Crc32+28↑j 54 .text:7D34677A 24 4C LDR R4, =(_ZN6Global10llIIIlIlIIE_ptr - 0x7D346780) 55 .text:7D34677C 7C 44 ADD R4, PC ; _ZN6Global10llIIIlIlIIE_ptr 56 .text:7D34677E 24 68 LDR R4, [R4] ; Global::llIIIlIlII 57 .text:7D346780 26 78 LDRB R6, [R4] ; Global::llIIIlIlII 58 .text:7D346782 00 2E CMP R6, #0 59 .text:7D346784 F7 D1 BNE loc_7D346776 60 .text:7D346786 1D 1C MOVS R5, R3 61 .text:7D346788 21 4B LDR R3, =(_ZN6Global11lIIIIIIIIIIE_ptr - 0x7D346790) 62 .text:7D34678A 04 1C MOVS R4, R0 63 .text:7D34678C 7B 44 ADD R3, PC ; _ZN6Global11lIIIIIIIIIIE_ptr 64 .text:7D34678E 1B 68 LDR R3, [R3] ; Global::lIIIIIIIIII 65 .text:7D346790 01 92 STR R2, [SP,#0x20+var_1C] 66 .text:7D346792 0F 1C MOVS R7, R1 67 .text:7D346794 18 68 LDR R0, [R3] ; void * 68 .text:7D346796 29 F0 5B FD BL GetCrc32 69 .text:7D34679A 1E 4B LDR R3, =(_ZN6Global11lIIlIlIIIlIE_ptr - 0x7D3467A0) 70 .text:7D34679C 7B 44 ADD R3, PC ; _ZN6Global11lIIlIlIIIlIE_ptr 71 .text:7D34679E 1B 68 LDR R3, [R3] ; Crc32Dword_E13E1FA9 72 .text:7D3467A0 1B 68 LDR R3, [R3] 73 .text:7D3467A2 98 42 CMP R0, R3 ; 比较crc32值 74 .text:7D3467A4 E7 D0 BEQ loc_7D346776 75 .text:7D3467A6 1C 4A LDR R2, =(_ZN10IlllIllIll11llllIllIIIlE - 0x7D3467AC) 76 .text:7D3467A8 7A 44 ADD R2, PC ; IlllIllIll::llllIllIIIl 77 .text:7D3467AA 13 68 LDR R3, [R2] ; IlllIllIll::llllIllIIIl 78 .text:7D3467AC 01 33 ADDS R3, #1 79 .text:7D3467AE 13 60 STR R3, [R2] ; IlllIllIll::llllIllIIIl 80 .text:7D3467B0 00 2D CMP R5, #0 81 .text:7D3467B2 1D D0 BEQ loc_7D3467F0 82 .text:7D3467B4 02 21 MOVS R1, #2 83 .text:7D3467B6 2A 68 LDR R2, [R5] 84 .text:7D3467B8 13 01 LSLS R3, R2, #4 85 .text:7D3467BA EB 18 ADDS R3, R5, R3 86 .text:7D3467BC 59 60 STR R1, [R3,#4] 87 .text:7D3467BE 0A 21 MOVS R1, #0xA 88 .text:7D3467C0 DE 60 STR R6, [R3,#0xC] 89 .text:7D3467C2 99 60 STR R1, [R3,#8] 90 .text:7D3467C4 1E 61 STR R6, [R3,#0x10] 91 .text:7D3467C6 08 9B LDR R3, [SP,#0x20+arg_0] 92 .text:7D3467C8 01 32 ADDS R2, #1 93 .text:7D3467CA 2A 60 STR R2, [R5] 94 .text:7D3467CC 00 2B CMP R3, #0 95 .text:7D3467CE 02 D0 BEQ loc_7D3467D6 96 .text:7D3467D0 01 23 MOVS R3, #1 97 .text:7D3467D2 08 9A LDR R2, [SP,#0x20+arg_0] 98 .text:7D3467D4 13 70 STRB R3, [R2] 99 .text:7D3467D6 100 .text:7D3467D6 loc_7D3467D6 ; CODE XREF: Cmp_Crc32+82↑j 101 .text:7D3467D6 00 9B LDR R3, [SP,#0x20+var_20] 102 .text:7D3467D8 00 2B CMP R3, #0 103 .text:7D3467DA 09 D1 BNE loc_7D3467F0 104 .text:7D3467DC 8D 23 DB 00 MOVS R3, #0x468 105 .text:7D3467E0 E3 18 ADDS R3, R4, R3 106 .text:7D3467E2 1B 68 LDR R3, [R3] 107 .text:7D3467E4 9B 05 LSLS R3, R3, #0x16 108 .text:7D3467E6 03 D4 BMI loc_7D3467F0 109 .text:7D3467E8 0C 4A LDR R2, =0x49C 110 .text:7D3467EA A3 58 LDR R3, [R4,R2] 111 .text:7D3467EC 01 33 ADDS R3, #1 112 .text:7D3467EE A3 50 STR R3, [R4,R2] 113 .text:7D3467F0 114 .text:7D3467F0 loc_7D3467F0 ; CODE XREF: Cmp_Crc32+66↑j 115 .text:7D3467F0 ; Cmp_Crc32+8E↑j ... 116 .text:7D3467F0 00 2F CMP R7, #0 117 .text:7D3467F2 04 D0 BEQ loc_7D3467FE 118 .text:7D3467F4 01 9B LDR R3, [SP,#0x20+var_1C] 119 .text:7D3467F6 DA 00 LSLS R2, R3, #3 120 .text:7D3467F8 AA 23 MOVS R3, #0xAA 121 .text:7D3467FA BA 18 ADDS R2, R7, R2 122 .text:7D3467FC 93 60 STR R3, [R2,#8] 123 .text:7D3467FE 124 .text:7D3467FE loc_7D3467FE ; CODE XREF: Cmp_Crc32+A6↑j 125 .text:7D3467FE 01 20 MOVS R0, #1 126 .text:7D346800 07 4B LDR R3, =(_ZN6Global10lIlIIllIIlE_ptr - 0x7D346806) 127 .text:7D346802 7B 44 ADD R3, PC ; _ZN6Global10lIlIIllIIlE_ptr 128 .text:7D346804 1B 68 LDR R3, [R3] ; Global::lIlIIllIIl 129 .text:7D346806 58 72 STRB R0, [R3,#(byte_7D413581 - 0x7D413578)] 130 .text:7D346808 131 .text:7D346808 locret_7D346808 ; CODE XREF: Cmp_Crc32+2C↑j 132 .text:7D346808 FE BD POP {R1-R7,PC}
截图监控
1 .text:7D34B944 2A 49 LDR R1, =(unk_7D3E51F8 - 0x7D34B94E) 2 .text:7D34B946 3D 59 LDR R5, [R7,R4] 3 .text:7D34B948 7F AC ADD R4, SP, #0xB20+var_924 4 .text:7D34B94A 79 44 ADD R1, PC ; unk_7D3E51F8 5 .text:7D34B94C 20 1C MOVS R0, R4 ; this 6 .text:7D34B94E 4C 31 ADDS R1, #0x4C ; 'L' ; char * 7 .text:7D34B950 0A F0 62 F8 BL DecString 8 .text:7D34B954 20 1C MOVS R0, R4 9 .text:7D34B956 09 F0 77 FF BL _ZN10IIllIIlIIIcvPcEv ; IIllIIlIII::operator char *(void) 10 .text:7D34B95A 01 1C MOVS R1, R0 11 .text:7D34B95C 04 22 MOVS R2, #4 12 .text:7D34B95E 28 1C MOVS R0, R5 13 .text:7D34B960 6D F0 9E F8 BL j_inotify_add_watch ; 截图监控 14 .text:7D34B964 E0 25 AD 00 MOVS R5, #0x380 15 .text:7D34B968 78 51 STR R0, [R7,R5] 16 .text:7D34B96A 20 1C MOVS R0, R4 ; this 17 .text:7D34B96C 09 F0 42 FF BL _ZN10IIllIIlIIID2Ev ; IIllIIlIII::~IIllIIlIII() 18 .text:7D34B970 7B 59 LDR R3, [R7,R5] 19 .text:7D34B972 00 2B CMP R3, #0 20 .text:7D34B974 10 DA BGE loc_7D34B998 21 .text:7D34B976 00 23 MOVS R3, #0 22 .text:7D34B978 1E 4A LDR R2, =(a5eddcc418cda8d - 0x7D34B988)
八:总结
1.该反外挂系统主要有字符串加密保护,客户端完整性检查(CRC+签
名),函数及变量、反调试保护,系统so文件校验, 自身so文件校验,U3D防护,画面截屏保护,内存防修改保护,但是so本身只做了函数名混淆与字符串加密,代码没有做保护处理,逆向起来还是比较容易。
样本:链接: https://pan.baidu.com/s/1dFPbyLj 密码: 7h2r
欢迎关注公众号:
当把学习当成一种习惯!
