[IOT安全][原创]ofo小黄车车锁逆向分析笔记
mailto: wangkai0351@gmail.com
【未经同意禁止转载】
main函数反编译（伪C）结果
/*
 * Decompiler pseudo-C for the firmware's main(), as pasted by the author.
 * Every sub_* / loc_* name is an unresolved code address and every
 * MEMORY[...] access is an absolute load/store; none of them is defined on
 * this page, so the comments below describe only what the listing itself
 * shows and mark everything else as an assumption to be confirmed.
 *
 * NOTE(review): argc/argv/envp are never used; this looks like the
 * decompiler's default main() signature rather than a real ABI (a
 * bare-metal image would not receive them) -- confirm.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
// Register-carried temporaries; the "// rN" tags are the decompiler's
// register assignment.  v11-v13, v15-v17, v19-v21 and v24-v26 are never
// assigned before being passed as arguments: they are leftover r1-r3
// contents the decompiler could not prove unused (an artefact of an
// unresolved callee prototype), not program data.
int v3; // r0
int v8; // r0
int v10; // r0
int v11; // r1
int v12; // r2
int v13; // r3
_BYTE *v14; // r0
unsigned __int8 v15; // r1
int v16; // r2
int v17; // r3
_BYTE *v18; // r0
int v19; // r1
int v20; // r2
int v21; // r3
int v22; // r0
int v23; // r0
int v24; // r1
int v25; // r2
int v26; // r3
// NOTE(review): typed as a single char yet receives a 12-byte literal just
// below; the stack slot at [sp+8h] is presumably a larger buffer whose size
// the decompiler did not recover -- confirm before relying on this type.
char v27; // [sp+8h] [bp-10h]
strcpy(&v27, "Start.....\n");
// Absolute store into the 0x4000xxxx range -- looks like a memory-mapped
// peripheral register write (0x40000000 is the peripheral region on
// Cortex-M parts); confirm against the MCU's datasheet.  Same for
// 0x40007000 further down.
MEMORY[0x40000578] = 1;
sub_1F7F4();
// 536882692 == 0x20002E04, i.e. an address in the same 0x2000xxxx range as
// the MEMORY[] accesses; presumably a pointer argument.  loc_1D600 is
// called here with no arguments and later with (255, 0), (177, 0) and
// (193, 0): the decompiler gave one address several prototypes, so treat
// every argument list for it as unverified.
if ( sub_1D744(0, 7, 536882692, 0) )
((void (*)(void))loc_1D600)();
sub_1EBB0();
sub_1FE30();
// v10 is forwarded together with the unassigned v11-v13 (see above).
v10 = sub_18F94();
sub_1E47C(v10, v11, v12, v13);
sub_1F600();
sub_1F6E8();
sub_1BEB8();
sub_1BA44();
// A fixed SRAM address and a length-like constant (0x2Du == 45) go in, and
// the returned pointer is passed straight on.  Purpose not recoverable
// from this listing.
v14 = sub_181F2((_BYTE *)0x200029FC, 0x2Du);
sub_1F734((int)v14, v15, v16, v17);
sub_21DD8();
sub_1D510();
sub_1F1DC();
if ( sub_1DF04(3) )
((void (*)(void))loc_1D600)();
// Supervisor call left as inline asm by the decompiler; the immediate
// (0x77) selects the handler.  Its meaning is outside this listing.
__asm { SVC 0x77 ; 'w' }
sub_1D2DC();
sub_18CB0();
nullsub_1();
// MEMORY[0x200020C4] is read here, compared with 2 below and tested again
// inside the loop; it behaves like a mode flag.  Its width and the meaning
// of its values are not recoverable from the listing.
if ( MEMORY[0x200020C4] )
sub_1CCF4();
sub_2278C();
// sub_205F4 is called with 10, 500 and 20 throughout, and its return value
// is used exactly once (v3, near the end).  NOTE(review): the call pattern
// is consistent with a delay/tick helper -- unverified.
sub_205F4(10);
sub_1B3AE();
sub_205F4(10);
sub_1B440();
sub_205F4(10);
sub_1FEB8();
sub_1B3AE();
sub_205F4(10);
sub_20FEC(22);
sub_20FEC(21);
sub_19976(MEMORY[0x20002019]);
MEMORY[0x2000209C] = 20;
MEMORY[0x40007000] = 1;
// v18 is forwarded together with the unassigned v19-v21 (see above).
v18 = sub_22628();
sub_1F814((int)v18, v19, v20, v21);
sub_20C0C();
sub_21460();
if ( MEMORY[0x200020C4] == 2 )
MEMORY[0x2000208C] -= 60;
// Main loop.  The inner do/while spins until MEMORY[0x20002003] becomes
// non-zero; that value then selects the exit path:
//   1                       -> break into the first exit sequence;
//   2 and sub_199AC() != 1  -> goto LABEL_2 (second exit sequence);
//   anything else           -> re-enter the outer loop (the inner loop
//                              then runs exactly once per outer iteration,
//                              because its condition is already false).
// Nothing in the visible code writes MEMORY[0x20002003].
while ( 1 )
{
do
{
// Nothing here writes 1 or 2 to 0x20002007, so it is raised by code
// outside this listing; it triggers a one-shot action and is cleared.
// 4393 and 500 are opaque constants.
if ( MEMORY[0x20002007] == 1 || MEMORY[0x20002007] == 2 )
{
MEMORY[0x20002007] = 0;
sub_1BB38(4393);
sub_205F4(500);
sub_1B8D0();
MEMORY[0x20002D5C] = 0;
}
// sub_21440 receives sub_1BF60's result when that is zero, otherwise the
// result of sub_1AC84 (v22 is overwritten inside the branch).
v22 = sub_1BF60();
if ( v22 )
{
sub_1B48C();
sub_1A448();
// Countdown at 0x20002111: decremented while non-zero, calling sub_1BA44
// (also called once during start-up above) on each tick.
if ( MEMORY[0x20002111] )
{
--MEMORY[0x20002111];
sub_1BA44();
}
// Mode flag again; loc_19CAC vs sub_1C7FC is the only point inside the
// loop where the two modes diverge.
if ( MEMORY[0x200020C4] )
((void (*)(void))loc_19CAC)();
else
sub_1C7FC();
// v24-v26 are unassigned register leftovers (see above).
v23 = sub_1ABB8();
v22 = sub_1AC84(v23, v24, v25, v26);
}
sub_21440(v22);
}
while ( !MEMORY[0x20002003] );
if ( MEMORY[0x20002003] == 1 )
break;
if ( MEMORY[0x20002003] == 2 && sub_199AC() != 1 )
goto LABEL_2;
}
// First exit sequence (reached via break).  SVC 0x45 / SVC 0x44 bracket
// the loc_1D600(255, 0) call here and again below.  NOTE(review): that
// pairing looks like an enter/leave pair around a privileged operation --
// unverified.  After loc_1B858 control falls through into LABEL_2, so this
// path executes both sequences (loc_1D600 with 177, then with 193).
__asm { SVC 0x45 ; 'E' }
((void (__fastcall *)(signed int, _DWORD))loc_1D600)(255, 0);
__asm { SVC 0x44 ; 'D' }
((void (__fastcall *)(signed int, _DWORD))loc_1D600)(177, 0);
sub_21A18();
v3 = sub_205F4(20);
((void (__fastcall *)(int))loc_1B858)(v3);
// Second exit sequence (reached via goto from the loop, or by fall-through
// from above).  Same shape as the first, except loc_1D600 gets 193 instead
// of 177 and its return value is what loc_1B858 receives.
LABEL_2:
__asm { SVC 0x45 ; 'E' }
((void (__fastcall *)(signed int, _DWORD))loc_1D600)(255, 0);
__asm { SVC 0x44 ; 'D' }
v8 = ((int (__fastcall *)(signed int, _DWORD))loc_1D600)(193, 0);
((void (__fastcall *)(int))loc_1B858)(v8);
// The return value is whatever sub_1CC78 yields; what happens after main()
// returns is outside this listing.
return sub_1CC78();
}
在把函数分隔好之后，接下来的工作是函数名称和全局变量名称的补全。这部分极其枯燥，因为最常见的方式（编译SDK例程后用BinDiff比较）经尝试后走不通，所以只能靠肉眼识别函数功能。
剩余内容稍后奉上。