某老牌反作弊产品分析-(存在加密漏洞可被中间人攻击)
作者:互联网
本文仅限学习交流,请勿用于非法以及商业用途,由于时间和水平有限,文中错漏之处在所难免,请多多批评指正。
目录: 一、产品基本介绍 二、产品整体框架 三、JAVA与JNI初始化 四、VM虚拟机基本逻辑 五、环境检测与设备信息采集 六、加密流程分析 七、加密漏洞还原与中人间攻击过程 八、总结
一、产品基本介绍
产品应用场景主要用于营销活动反作弊、渠道推广反作弊、交易安全保护、账户安全保护、接口安全保护。渠道买量、应用推广、小程序推广。
产品功能:
虚假行为分析
从设备与账户维度进行聚类关联分析、行为异常分析,甄别虚假作弊用户、IP、设备,锁定源头风险。
终端风险感知
有效识别模拟器、群控、作弊设备、模拟器、农场工具。
大数据关联分析
结合渠道大数据与风险数据,筛选出可疑对象和目标,通过特定业务判断完成风险环形数据的合围,支持算法模型的嵌入。
二、产品整体框架
2.1、产品使用步骤
2.1.1. 前端接入:根据前端类型选择对应 SDK 进行接入,支持 Android App、iOS iApp、小程 序(头条小程序、微信小程序、支付宝小程序)、WEB/WAP/H5。
2.1.2. 接入验证:前后端接入完成后,联合客户端、服务端进行整体联调。
2.1.3. 运行APP成功返回blackbox设备指纹。
2.2、整体对接数据流程时序图
2.3、产品整体架构
接入产品逆向分析还原出基本的产品架构,如图2-3所示
图2-3
三、JAVA与JNI初始化
3.1、在应用启动的时候,比如在应用的首页 Activity 的 onCreate 方法中调用以下方法:
// FMAgent.ENV_SANDBOX 表示沙盒环境 // FMAgent.ENV_PRODUCTION 表示生产环境 FMAgent.initWithCallback(this, FMAgent.ENV_PRODUCTION, new FMCallback() { @Override public void onEvent(String s) { tdBlackbox = s; Log.e(TAG,"blackbox:"+tdBlackbox); runOnUiThread(new Runnable() { @Override public void run() { tv1.setText("blackbox内容是:"+tdBlackbox); } }); } });
3.2、加载SO
JSONObject v6 = null; try { if(Build.VERSION.SDK_INT >= 17) { System.loadLibrary("tdvm"); } System.loadLibrary("tongdun"); goto label_405; } catch(Throwable v6_1) { }
3.3、执行NI_OnLoad注册Native方法
.text:000000709EAE5E4C RegisterNatives_sub_786D163E4C .text:000000709EAE5E4C .text:000000709EAE5E4C var_38= -0x38 .text:000000709EAE5E4C var_2C= -0x2C .text:000000709EAE5E4C var_28= -0x28 .text:000000709EAE5E4C var_20= -0x20 .text:000000709EAE5E4C var_18= -0x18 .text:000000709EAE5E4C var_10= -0x10 .text:000000709EAE5E4C .text:000000709EAE5E4C ; __unwind { // 1000 .text:000000709EAE5E4C FF 03 01 D1 SUB SP, SP, #0x40 .text:000000709EAE5E50 FE 1B 00 F9 STR X30, [SP,#0x40+var_10] .text:000000709EAE5E54 E1 17 00 F9 STR X1, [SP,#0x40+var_18] .text:000000709EAE5E58 E2 13 00 F9 STR X2, [SP,#0x40+var_20] .text:000000709EAE5E5C E3 0F 00 F9 STR X3, [SP,#0x40+var_28] .text:000000709EAE5E60 E4 17 00 B9 STR W4, [SP,#0x40+var_2C] .text:000000709EAE5E64 E1 17 40 F9 LDR X1, [SP,#0x40+var_18] .text:000000709EAE5E68 E2 13 40 F9 LDR X2, [SP,#0x40+var_20] .text:000000709EAE5E6C E3 0F 40 F9 LDR X3, [SP,#0x40+var_28] .text:000000709EAE5E70 E4 17 40 B9 LDR W4, [SP,#0x40+var_2C] .text:000000709EAE5E74 E0 07 00 F9 STR X0, [SP,#0x40+var_38] .text:000000709EAE5E78 E0 03 01 AA MOV X0, X1 .text:000000709EAE5E7C E1 03 02 AA MOV X1, X2 .text:000000709EAE5E80 E2 03 03 AA MOV X2, X3 .text:000000709EAE5E84 E3 03 04 2A MOV W3, W4 .text:000000709EAE5E88 E8 07 40 F9 LDR X8, [SP,#0x40+var_38] .text:000000709EAE5E8C 00 01 3F D6 BLR X8 ; RegisterNatives .text:000000709EAE5E8C .text:000000709EAE5E90 FE 1B 40 F9 LDR X30, [SP,#0x40+var_10] .text:000000709EAE5E94 FF 03 01 91 ADD SP, SP, #0x40 ; '@' .text:000000709EAE5E98 C0 03 5F D6 RET //native方法 getData2, signature: (Ljava/lang/String;)[B tongdun, signature: (Landroid/content/Context;)V tongdun2, signature: (Landroid/content/Context;)V XOnEvent, signature: (Landroid/content/Context;)Ljava/lang/String; onSensorChanged, signature: (Landroid/hardware/SensorManager;Lcn/tongdun/android/shell/common/s;Landroid/hardware/SensorEvent;)V
3.4、整体流程如图3-4所示
图3-4
四、VM虚拟机基本逻辑
4.1、VM逻辑主要在模块libtdvm.so中,该模块导出两个方法:
td_eea7e05642c04e240c51 //解压解密VMBycode td_b13d6928ba611f6a6e37 //解析执行VMBycode
libtongdun.so模块中的大部分方法都会调用上面两个方法,传入vmbycode解析执行。
4.2、VM流程与分析思路
td_eea7e05642c04e240c51方法解压解密后VMBycode后进入VM,代码如下:
.text:000000709EA954F0 EnterVM_sub_709EA954F0 .text:000000709EA954F0 .text:000000709EA954F0 var_AC= -0xAC .text:000000709EA954F0 databass= -0xA8 .text:000000709EA954F0 bycode= -0xA0 .text:000000709EA954F0 var_98= -0x98 .text:000000709EA954F0 var_90= -0x90 .text:000000709EA954F0 var_88= -0x88 .text:000000709EA954F0 var_80= -0x80 .text:000000709EA954F0 databass1= -0x78 .text:000000709EA954F0 var_70= -0x70 .text:000000709EA954F0 var_68= -0x68 .text:000000709EA954F0 var_60= -0x60 .text:000000709EA954F0 var_50= -0x50 .text:000000709EA954F0 var_40= -0x40 .text:000000709EA954F0 var_30= -0x30 .text:000000709EA954F0 var_20= -0x20 .text:000000709EA954F0 var_10= -0x10 .text:000000709EA954F0 var_s0= 0 .text:000000709EA954F0 .text:000000709EA954F0 ; __unwind { .text:000000709EA954F0 FF 03 03 D1 SUB SP, SP, #0xC0 .text:000000709EA954F4 E8 2B 00 FD STR D8, [SP,#0xB0+var_60] .text:000000709EA954F8 FC 6F 06 A9 STP X28, X27, [SP,#0xB0+var_50] .text:000000709EA954FC FA 67 07 A9 STP X26, X25, [SP,#0xB0+var_40] .text:000000709EA95500 F8 5F 08 A9 STP X24, X23, [SP,#0xB0+var_30] .text:000000709EA95504 F6 57 09 A9 STP X22, X21, [SP,#0xB0+var_20] .text:000000709EA95508 F4 4F 0A A9 STP X20, X19, [SP,#0xB0+var_10] .text:000000709EA9550C FD 7B 0B A9 STP X29, X30, [SP,#0xB0+var_s0] .text:000000709EA95510 FD C3 02 91 ADD X29, SP, #0xB0 .text:000000709EA95514 48 D0 3B D5 MRS X8, #3, c13, c0, #2 .text:000000709EA95518 08 15 40 F9 LDR X8, [X8,#0x28] .text:000000709EA9551C F3 03 00 AA MOV X19, X0 .text:000000709EA95520 E8 27 00 F9 STR X8, [SP,#0xB0+var_68] .text:000000709EA95524 68 02 40 F9 LDR X8, [X19] .text:000000709EA95528 69 0A 40 F9 LDR X9, [X19,#0x10] .text:000000709EA9552C 1F 01 09 EB CMP X8, X9 .text:000000709EA95530 6A 1C 01 54 B.GE loc_709EA978BC .text:000000709EA95530 .text:000000709EA95534 7C 16 40 F9 LDR X28, [X19,#0x28] ; 解压后bycode .text:000000709EA95538 77 02 40 F9 LDR X23, [X19] .text:000000709EA9553C 09 02 A0 52 09 21 83 72 MOV W9, #0x101908 .text:000000709EA95544 3A 00 00 D0 ADRP X26, #jpt_709EA958A0@PAGE .text:000000709EA95548 FB 00 00 B0 ADRP X27, #dword_709EAB2008@PAGE .text:000000709EA9554C 5A 43 3B 91 ADD X26, X26, #jpt_709EA958A0@PAGEOFF .text:000000709EA95550 2D 00 09 8B ADD X13, X1, X9 .text:000000709EA95554 FC 37 01 A9 STP X28, X13, [SP,#0xB0+bycode] .text:000000709EA95558 C8 00 00 14 B dsp_loc_786D55A878 ; 取解压后VMbycode
解析VMbycode执行对应的Hnadle:
.text:000000709EA95878 dsp_loc_786D55A878 .text:000000709EA95878 15 69 7C B8 LDR W21, [X8,X28] ; 取解压后VMbycode .text:000000709EA9587C A8 72 19 53 UBFX W8, W21, #0x19, #4 .text:000000709EA95880 08 11 00 51 SUB W8, W8, #4 ; switch 12 cases .text:000000709EA95884 75 3E 00 B9 STR W21, [X19,#0x3C] .text:000000709EA95888 B7 01 00 F9 STR X23, [X13] .text:000000709EA9588C 77 0B 00 B9 STR W23, [X27,#dword_709EAB2008@PAGEOFF] .text:000000709EA95890 1F 2D 00 71 CMP W8, #0xB .text:000000709EA95894 68 00 01 54 B.HI dsp_def_786E9038A0 .text:000000709EA95894 .text:000000709EA95898 48 7B A8 B8 LDRSW X8, [X26,X8,LSL#2] .text:000000709EA9589C 08 01 1A 8B ADD X8, X8, X26 .text:000000709EA958A0 00 01 1F D6 BR X8 ; switch jump
4.3、常见Handle一览
常见的算术运算
.text:000000709EA93DD8 ADD_sub_709EA93DD8 .text:000000709EA93DD8 ; __unwind { .text:000000709EA93DD8 68 00 02 0B ADD W8, W3, W2 .text:000000709EA93DDC 28 00 00 B9 STR W8, [X1] .text:000000709EA93DE0 C0 03 5F D6 RET
.text:000000709EA93E08 SUB_sub_709EA93E08 .text:000000709EA93E08 ; __unwind { .text:000000709EA93E08 48 00 03 4B SUB W8, W2, W3 .text:000000709EA93E0C 28 00 00 B9 STR W8, [X1] .text:000000709EA93E10 C0 03 5F D6 RET
.text:000000709EA93E20 AND_sub_709EA93E20 .text:000000709EA93E20 ; __unwind { .text:000000709EA93E20 68 00 02 0A AND W8, W3, W2 .text:000000709EA93E24 28 00 00 B9 STR W8, [X1] .text:000000709EA93E28 C0 03 5F D6 RET
.text:000000709EA93E44 EOR_sub_786E901E44 .text:000000709EA93E44 ; __unwind { .text:000000709EA93E44 68 00 02 4A EOR W8, W3, W2 .text:000000709EA93E48 28 00 00 B9 STR W8, [X1] .text:000000709EA93E4C C0 03 5F D6 RET
.text:000000709EA93FAC MUL_sub_709EA93FAC .text:000000709EA93FAC ; __unwind { .text:000000709EA93FAC 68 7C 02 1B MUL W8, W3, W2 .text:000000709EA93FB0 28 00 00 B9 STR W8, [X1] .text:000000709EA93FB4 C0 03 5F D6 RET
.text:000000709EA97B60 getdatabas_sub_786E905B60 .text:000000709EA97B60 .text:000000709EA97B60 var_20= -0x20 .text:000000709EA97B60 var_18= -0x18 .text:000000709EA97B60 var_C= -0xC .text:000000709EA97B60 var_8= -8 .text:000000709EA97B60 var_s0= 0 .text:000000709EA97B60 .text:000000709EA97B60 ; __unwind { .text:000000709EA97B60 FF C3 00 D1 SUB SP, SP, #0x30 .text:000000709EA97B64 FD 7B 02 A9 STP X29, X30, [SP,#0x20+var_s0] .text:000000709EA97B68 FD 83 00 91 ADD X29, SP, #0x20 .text:000000709EA97B6C 49 D0 3B D5 MRS X9, #3, c13, c0, #2 .text:000000709EA97B70 29 15 40 F9 LDR X9, [X9,#0x28] .text:000000709EA97B74 E8 03 00 AA MOV X8, X0 .text:000000709EA97B78 E0 03 1F AA MOV X0, XZR .text:000000709EA97B7C A9 83 1F F8 STUR X9, [X29,#var_8] .text:000000709EA97B80 FF 03 00 F9 STR XZR, [SP,#0x20+var_20] .text:000000709EA97B84 3F 7C 00 71 CMP W1, #0x1F .text:000000709EA97B88 E0 02 00 54 B.EQ loc_709EA97BE4 .text:000000709EA97B88 .text:000000709EA97B8C 3F 74 00 71 CMP W1, #0x1D .text:000000709EA97B90 E1 00 00 54 B.NE loc_709EA97BAC .text:000000709EA97B90 .text:000000709EA97B94 00 21 40 F9 LDR X0, [X8,#0x40] .text:000000709EA97B98 E8 03 00 32 MOV W8, #1 .text:000000709EA97B9C A8 43 1F B8 STUR W8, [X29,#var_C] .text:000000709EA97BA0 E8 03 00 91 MOV X8, SP .text:000000709EA97BA4 E8 07 00 F9 STR X8, [SP,#0x20+var_18] .text:000000709EA97BA8 0A 00 00 14 B loc_709EA97BD0 .text:000000709EA97BA8 .text:000000709EA97BAC loc_709EA97BAC .text:000000709EA97BAC 00 21 40 F9 LDR X0, [X8,#0x40] .text:000000709EA97BB0 3F 78 00 71 CMP W1, #0x1E .text:000000709EA97BB4 61 00 00 54 B.NE loc_709EA97BC0 .text:000000709EA97BB4 .text:000000709EA97BB8 E8 03 1F 32 MOV W8, #2 .text:000000709EA97BBC 02 00 00 14 B loc_709EA97BC4 .text:000000709EA97BBC .text:000000709EA97BC0 .text:000000709EA97BC0 loc_709EA97BC0 .text:000000709EA97BC0 28 1C 03 11 ADD W8, W1, #0xC7 .text:000000709EA97BC0 .text:000000709EA97BC4 .text:000000709EA97BC4 loc_709EA97BC4 .text:000000709EA97BC4 E9 03 00 91 MOV X9, SP .text:000000709EA97BC8 A8 43 1F B8 STUR W8, [X29,#var_C] .text:000000709EA97BCC E9 07 00 F9 STR X9, [SP,#0x20+var_18] .text:000000709EA97BCC .text:000000709EA97BD0 .text:000000709EA97BD0 loc_709EA97BD0 .text:000000709EA97BD0 A1 33 00 D1 SUB X1, X29, #-var_C .text:000000709EA97BD4 E2 23 00 91 ADD X2, SP, #0x20+var_18 .text:000000709EA97BD8 E3 03 00 32 MOV W3, #1 .text:000000709EA97BDC 2A EF FF 97 BL getdatabasse_sub_786E901884 .text:000000709EA97BDC .text:000000709EA97BE0 E0 03 40 F9 LDR X0, [SP,#0x20+var_20] .text:000000709EA97BE0 .text:000000709EA97BE4 .text:000000709EA97BE4 loc_709EA97BE4 .text:000000709EA97BE4 48 D0 3B D5 MRS X8, #3, c13, c0, #2 .text:000000709EA97BE8 08 15 40 F9 LDR X8, [X8,#0x28] .text:000000709EA97BEC A9 83 5F F8 LDUR X9, [X29,#var_8] .text:000000709EA97BF0 1F 01 09 EB CMP X8, X9 .text:000000709EA97BF4 81 00 00 54 B.NE loc_709EA97C04 .text:000000709EA97BF4 .text:000000709EA97BF8 FD 7B 42 A9 LDP X29, X30, [SP,#0x20+var_s0] .text:000000709EA97BFC FF C3 00 91 ADD SP, SP, #0x30 ; '0' .text:000000709EA97C00 C0 03 5F D6 RET
以上Handle都是加密时要用到的。
4.4、眺出VM调用其它模块的Handle
.text:000000709EA936C0 call_loc_709EA936C0 .text:000000709EA936C0 FF 03 02 D1 SUB SP, SP, #0x80 .text:000000709EA936C4 20 01 3F D6 BLR X9 ; 调用tongdun.so .text:000000709EA936C4 .text:000000709EA936C8 FF 03 02 91 ADD SP, SP, #0x80 .text:000000709EA936CC E8 E3 40 B9 LDR W8, [SP,#0x2E0+var_200] .text:000000709EA936D0 48 00 00 35 CBNZ W8, loc_709EA936D8 .text:000000709EA936D0 .text:000000709EA936D4 5F 00 00 14 B loc_709EA93850
如果不还原算法的话调试时重点关注这个Handle就能大致分析清楚整体的逻辑。如果要做算法还原就得分析每一个Handle。
五、环境检测与设备信息采集
5.1、随机数AES加密存放本地
如果是第一次运行APP判断本地是否有随机数ID,如果没有就生成用AES加密存放在三个地方做为钉子文件:
SharedPreferences td-client-id-3 /data/user/0/包名/files/.td-3 /storage/emulated/0/.td-3 存不同的地用不同的AES KEY key bs3ggr0ismnzmdwxkacrq88xs9uj3l06 ykj314o0nd8423k2cimo5fvx0k234sc5 phx7ryl7sjppatga3nfl1caircw6ct79
AES加密是反射调用JAVA实现:
.text:000000709EB4EA6C ; R1:原数据,R2:key .text:000000709EB4EA6C AES_sub_786D1CCA6C .text:000000709EB4EA6C var_CC= -0xCC .text:000000709EB4EA6C anonymous_1= -0xC8 .text:000000709EB4EA6C anonymous_2= -0xC0 .text:000000709EB4EA6C anonymous_3= -0xB8 .text:000000709EB4EA6C anonymous_4= -0xB0 .text:000000709EB4EA6C anonymous_5= -0xA8 .text:000000709EB4EA6C anonymous_6= -0xA0 .text:000000709EB4EA6C anonymous_7= -0x98 .text:000000709EB4EA6C anonymous_8= -0x90 .text:000000709EB4EA6C anonymous_9= -0x88 .text:000000709EB4EA6C anonymous_10= -0x80 .text:000000709EB4EA6C anonymous_11= -0x78 .text:000000709EB4EA6C anonymous_12= -0x70 .text:000000709EB4EA6C anonymous_13= -0x68 .text:000000709EB4EA6C anonymous_14= -0x60 .text:000000709EB4EA6C anonymous_15= -0x58 .text:000000709EB4EA6C anonymous_16= -0x50 .text:000000709EB4EA6C anonymous_17= -0x48 .text:000000709EB4EA6C anonymous_18= -0x40 .text:000000709EB4EA6C anonymous_19= -0x38 .text:000000709EB4EA6C anonymous_20= -0x30 .text:000000709EB4EA6C anonymous_21= -0x28 .text:000000709EB4EA6C anonymous_22= -0x20 .text:000000709EB4EA6C anonymous_23= -0x18 .text:000000709EB4EA6C var_10= -0x10 .text:000000709EB4EA6C var_s0= 0 .text:000000709EB4EA6C .text:000000709EB4EA6C ; __unwind { // 1000 .text:000000709EB4EA6C FC 0F 1E F8 STR X28, [SP,#-0x10+var_10]! .text:000000709EB4EA70 FD 7B 01 A9 STP X29, X30, [SP,#0x10+var_s0] .text:000000709EB4EA74 FD 43 00 91 ADD X29, SP, #0x10 .text:000000709EB4EA78 FF 43 08 D1 SUB SP, SP, #0x210 .text:000000709EB4EA7C A8 83 03 D1 SUB X8, X29, #-(var_E5+5) .text:000000709EB4EA80 00 2D 00 F9 STR X0, [X8,#0x58] .text:000000709EB4EA84 01 29 00 F9 STR X1, [X8,#0x50] .text:000000709EB4EA88 02 25 00 F9 STR X2, [X8,#0x48] .text:000000709EB4EA8C 03 21 00 F9 STR X3, [X8,#0x40] .text:000000709EB4EA90 00 29 40 F9 LDR X0, [X8,#0x50] .text:000000709EB4EA94 00 35 00 F9 STR X0, [X8,#0x68] .text:000000709EB4EA98 89 5F 89 52 49 A1+MOV W9, #0xB50A4AFC .text:000000709EB4EA98 B6 72 .text:000000709EB4EAA0 E9 AF 00 B9 STR W9, [SP,#0x220+var_174] .text:000000709EB4EAA4 E8 53 00 F9 STR X8, [SP,#0x220+var_180] .text:000000709EB4EAA8 01 00 00 14 B loc_709EB4EAAC .text:000000709EB4EAA8 .text:000000709EB4EAAC .text:000000709EB4EAAC loc_709EB4EAAC .text:000000709EB4EAAC E8 AF 40 B9 LDR W8, [SP,#0x220+var_174] .text:000000709EB4EAB0 E9 03 08 2A MOV W9, W8 .text:000000709EB4EAB4 4A 7D 9C 52 0A 0F+MOV W10, #0x8878E3EA .text:000000709EB4EAB4 B1 72 .text:000000709EB4EABC 08 01 0A 6B SUBS W8, W8, W10 .text:000000709EB4EAC0 E9 9F 00 B9 STR W9, [SP,#0x220+var_184] .text:000000709EB4EAC4 E8 9B 00 B9 STR W8, [SP,#0x220+var_188] .text:000000709EB4EAC8 00 07 00 54 B.EQ loc_709EB4EBA8 .text:000000709EB4EAC8 .text:000000709EB4EACC 01 00 00 14 B loc_709EB4EAD0 .text:000000709EB4EACC .text:000000709EB4EAD0 .text:000000709EB4EAD0 loc_709EB4EAD0 .text:000000709EB4EAD0 88 5D 86 52 A8 84+MOV W8, #0x9C2532EC .text:000000709EB4EAD0 B3 72 .text:000000709EB4EAD8 E9 9F 40 B9 LDR W9, [SP,#0x220+var_184] .text:000000709EB4EADC 28 01 08 6B SUBS W8, W9, W8 .text:000000709EB4EAE0 E8 97 00 B9 STR W8, [SP,#0x220+var_18C] .text:000000709EB4EAE4 80 3B 00 54 B.EQ loc_709EB4F254 .text:000000709EB4EAE4 .text:000000709EB4EAE8 01 00 00 14 B loc_709EB4EAEC .text:000000709EB4EAE8 .text:000000709EB4EAEC .text:000000709EB4EAEC loc_709EB4EAEC .text:000000709EB4EAEC 88 5F 89 52 48 A1+MOV W8, #0xB50A4AFC .text:000000709EB4EAEC B6 72 .text:000000709EB4EAF4 E9 9F 40 B9 LDR W9, [SP,#0x220+var_184] .text:000000709EB4EAF8 28 01 08 6B SUBS W8, W9, W8 .text:000000709EB4EAFC E8 93 00 B9 STR W8, [SP,#0x220+var_190] .text:000000709EB4EB00 E0 03 00 54 B.EQ loc_709EB4EB7C .text:000000709EB4EB00 .text:000000709EB4EB04 01 00 00 14 B loc_709EB4EB08 .text:000000709EB4EB04 .text:000000709EB4EB08 .text:000000709EB4EB08 loc_709EB4EB08 .text:000000709EB4EB08 A8 61 87 52 48 30+MOV W8, #0xB9823B0D .text:000000709EB4EB08 B7 72 .text:000000709EB4EB10 E9 9F 40 B9 LDR W9, [SP,#0x220+var_184] .text:000000709EB4EB14 28 01 08 6B SUBS W8, W9, W8 .text:000000709EB4EB18 E8 8F 00 B9 STR W8, [SP,#0x220+var_194] .text:000000709EB4EB1C E0 38 00 54 B.EQ loc_709EB4F238 .text:000000709EB4EB1C .text:000000709EB4EB20 01 00 00 14 B loc_709EB4EB24 .text:000000709EB4EB20 .text:000000709EB4EB24 .text:000000709EB4EB24 loc_709EB4EB24 .text:000000709EB4EB24 88 3C 99 52 48 99+MOV W8, #0xCCCAC9E4 .text:000000709EB4EB24 B9 72 .text:000000709EB4EB2C E9 9F 40 B9 LDR W9, [SP,#0x220+var_184] .text:000000709EB4EB30 28 01 08 6B SUBS W8, W9, W8 .text:000000709EB4EB34 E8 8B 00 B9 STR W8, [SP,#0x220+var_198] .text:000000709EB4EB38 E0 04 00 54 B.EQ loc_709EB4EBD4 .text:000000709EB4EB38 .text:000000709EB4EB3C 01 00 00 14 B loc_709EB4EB40 .text:000000709EB4EB3C .text:000000709EB4EB40 .text:000000709EB4EB40 loc_709EB4EB40 .text:000000709EB4EB40 A8 C9 8A 52 E8 1C+MOV W8, #0x48E7564D .text:000000709EB4EB40 A9 72 .text:000000709EB4EB48 E9 9F 40 B9 LDR W9, [SP,#0x220+var_184] .text:000000709EB4EB4C 28 01 08 6B SUBS W8, W9, W8 .text:000000709EB4EB50 E8 87 00 B9 STR W8, [SP,#0x220+var_19C] .text:000000709EB4EB54 E0 40 00 54 B.EQ loc_709EB4F370 .text:000000709EB4EB54 .text:000000709EB4EB58 01 00 00 14 B loc_709EB4EB5C .text:000000709EB4EB58 .text:000000709EB4EB5C .text:000000709EB4EB5C loc_709EB4EB5C .text:000000709EB4EB5C 08 81 97 52 28 4C+MOV W8, #0x5A61BC08 .text:000000709EB4EB5C AB 72 .text:000000709EB4EB64 E9 9F 40 B9 LDR W9, [SP,#0x220+var_184] .text:000000709EB4EB68 28 01 08 6B SUBS W8, W9, W8 .text:000000709EB4EB6C E8 83 00 B9 STR W8, [SP,#0x220+var_1A0] .text:000000709EB4EB70 E0 40 00 54 B.EQ loc_709EB4F38C .text:000000709EB4EB70 .text:000000709EB4EB74 01 00 00 14 B loc_709EB4EB78 .text:000000709EB4EB74 .text:000000709EB4EB78 .text:000000709EB4EB78 loc_709EB4EB78 .text:000000709EB4EB78 0B 02 00 14 B loc_709EB4F3A4 .text:000000709EB4EB78 .text:000000709EB4EB7C .text:000000709EB4EB7C loc_709EB4EB7C .text:000000709EB4EB7C E8 53 40 F9 LDR X8, [SP,#0x220+var_180] .text:000000709EB4EB80 09 35 40 F9 LDR X9, [X8,#0x68] .text:000000709EB4EB84 29 01 00 F1 SUBS X9, X9, #0 .text:000000709EB4EB88 AA C9 8A 52 EA 1C+MOV W10, #0x48E7564D .text:000000709EB4EB88 A9 72 .text:000000709EB4EB90 4B 7D 9C 52 0B 0F+MOV W11, #0x8878E3EA .text:000000709EB4EB90 B1 72 .text:000000709EB4EB98 6A 11 8A 1A CSEL W10, W11, W10, NE .text:000000709EB4EB9C EA AF 00 B9 STR W10, [SP,#0x220+var_174] .text:000000709EB4EBA0 E9 3F 00 F9 STR X9, [SP,#0x220+var_1A8] .text:000000709EB4EBA4 00 02 00 14 B loc_709EB4F3A4 .text:000000709EB4EBA4 .text:000000709EB4EBA8 .text:000000709EB4EBA8 loc_709EB4EBA8 .text:000000709EB4EBA8 E8 53 40 F9 LDR X8, [SP,#0x220+var_180] .text:000000709EB4EBAC 09 25 40 F9 LDR X9, [X8,#0x48] .text:000000709EB4EBB0 29 01 00 F1 SUBS X9, X9, #0 .text:000000709EB4EBB4 AA C9 8A 52 EA 1C+MOV W10, #0x48E7564D .text:000000709EB4EBB4 A9 72 .text:000000709EB4EBBC 8B 3C 99 52 4B 99+MOV W11, #0xCCCAC9E4 .text:000000709EB4EBBC B9 72 .text:000000709EB4EBC4 6A 11 8A 1A CSEL W10, W11, W10, NE .text:000000709EB4EBC8 EA AF 00 B9 STR W10, [SP,#0x220+var_174] .text:000000709EB4EBCC E9 3B 00 F9 STR X9, [SP,#0x220+var_1B0] .text:000000709EB4EBD0 F5 01 00 14 B loc_709EB4F3A4 .text:000000709EB4EBD0 .text:000000709EB4EBD4 .text:000000709EB4EBD4 loc_709EB4EBD4 .text:000000709EB4EBD4 88 03 00 D0 08 81+ADRL X8, td_8162780960521470701 ; "AES" .text:000000709EB4EBD4 39 91 .text:000000709EB4EBDC E9 53 40 F9 LDR X9, [SP,#0x220+var_180] .text:000000709EB4EBE0 28 1D 00 F9 STR X8, [X9,#0x38] .text:000000709EB4EBE4 88 03 00 D0 08 91+ADRL X8, td_18178131887862966684 ; "AES/ECB/PKCS5Padding" .text:000000709EB4EBE4 39 91 .text:000000709EB4EBEC 28 19 00 F9 STR X8, [X9,#0x30] .text:000000709EB4EBF0 20 2D 40 F9 LDR X0, [X9,#0x58] .text:000000709EB4EBF4 21 1D 40 F9 LDR X1, [X9,#0x38] .text:000000709EB4EBF8 BB 68 00 94 BL NewStringUTF_sub_786D1E6EE4 .text:000000709EB4EBF8 .text:000000709EB4EBFC E8 53 40 F9 LDR X8, [SP,#0x220+var_180] .text:000000709EB4EC00 00 15 00 F9 STR X0, [X8,#0x28] .text:000000709EB4EC04 00 2D 40 F9 LDR X0, [X8,#0x58] .text:000000709EB4EC08 01 19 40 F9 LDR X1, [X8,#0x30] .text:000000709EB4EC0C B6 68 00 94 BL NewStringUTF_sub_786D1E6EE4 .text:000000709EB4EC0C .text:000000709EB4EC10 E8 53 40 F9 LDR X8, [SP,#0x220+var_180] .text:000000709EB4EC14 00 11 00 F9 STR X0, [X8,#0x20] .text:000000709EB4EC18 00 2D 40 F9 LDR X0, [X8,#0x58] .text:000000709EB4EC1C EA 03 1B 32 MOV W10, #0x20 ; ' ' .text:000000709EB4EC20 E1 03 0A 2A MOV W1, W10 .text:000000709EB4EC24 EA 6F 00 B9 STR W10, [SP,#0x220+var_1B4] .text:000000709EB4EC28 98 69 00 94 BL NewByteArray_sub_786D1E7288 .text:000000709EB4EC28 .text:000000709EB4EC2C E8 53 40 F9 LDR X8, [SP,#0x220+var_180] .text:000000709EB4EC30 00 0D 00 F9 STR X0, [X8,#0x18] .text:000000709EB4EC34 00 2D 40 F9 LDR X0, [X8,#0x58] .text:000000709EB4EC38 01 0D 40 F9 LDR X1, [X8,#0x18] .text:000000709EB4EC3C 04 25 40 F9 LDR X4, [X8,#0x48] .text:000000709EB4EC40 EA 03 1F 2A MOV W10, WZR .text:000000709EB4EC44 E2 03 0A 2A MOV W2, W10 .text:000000709EB4EC48 E3 6F 40 B9 LDR W3, [SP,#0x220+var_1B4] .text:000000709EB4EC4C EA 6B 00 B9 STR W10, [SP,#0x220+var_1B8] .text:000000709EB4EC50 BC 69 00 94 BL SetByteArrayRegion_sub_786D1E7340 .text:000000709EB4EC50 .text:000000709EB4EC54 E8 53 40 F9 LDR X8, [SP,#0x220+var_180] .text:000000709EB4EC58 00 29 40 F9 LDR X0, [X8,#0x50] ; s .text:000000709EB4EC5C DD 45 FE 97 BL .strlen .text:000000709EB4EC5C .text:000000709EB4EC60 EA 03 00 2A MOV W10, W0 .text:000000709EB4EC64 AA 43 13 B8 STUR W10, [X29,#var_CC] .text:000000709EB4EC68 E8 53 40 F9 LDR X8, [SP,#0x220+var_180] .text:000000709EB4EC6C 00 2D 40 F9 LDR X0, [X8,#0x58] .text:000000709EB4EC70 A1 43 53 B8 LDUR W1, [X29,#var_CC] .text:000000709EB4EC74 85 69 00 94 BL NewByteArray_sub_786D1E7288 .text:000000709EB4EC74 .text:000000709EB4EC78 E8 53 40 F9 LDR X8, [SP,#0x220+var_180] .text:000000709EB4EC7C 00 05 00 F9 STR X0, [X8,#8] .text:000000709EB4EC80 00 2D 40 F9 LDR X0, [X8,#0x58] .text:000000709EB4EC84 01 05 40 F9 LDR X1, [X8,#8] .text:000000709EB4EC88 A3 43 53 B8 LDUR W3, [X29,#var_CC] .text:000000709EB4EC8C 04 29 40 F9 LDR X4, [X8,#0x50] .text:000000709EB4EC90 E2 6B 40 B9 LDR W2, [SP,#0x220+var_1B8] .text:000000709EB4EC94 AB 69 00 94 BL SetByteArrayRegion_sub_786D1E7340 .text:000000709EB4EC94 .text:000000709EB4EC98 E8 53 40 F9 LDR X8, [SP,#0x220+var_180] .text:000000709EB4EC9C 09 2D 40 F9 LDR X9, [X8,#0x58] .text:000000709EB4ECA0 CA 14 80 52 MOV W10, #0xA6 .text:000000709EB4ECA4 AA 03 10 38 STURB W10, [X29,#var_100] .text:000000709EB4ECA8 CA 02 80 52 MOV W10, #0x16 .text:000000709EB4ECAC AA 13 10 38 STURB W10, [X29,#var_FF] .text:000000709EB4ECB0 E2 0C 80 52 MOV W2, #0x67 ; 'g' .text:000000709EB4ECB4 A2 23 10 38 STURB W2, [X29,#var_FE] .text:000000709EB4ECB8 AA 33 10 38 STURB W10, [X29,#var_FD] .text:000000709EB4ECBC EA 10 80 52 MOV W10, #0x87 .text:000000709EB4ECC0 AA 43 10 38 STURB W10, [X29,#var_FC] .text:000000709EB4ECC4 4A 1E 80 52 MOV W10, #0xF2 .text:000000709EB4ECC8 AA 53 10 38 STURB W10, [X29,#var_FB] .text:000000709EB4ECCC C2 06 80 52 MOV W2, #0x36 ; '6' .text:000000709EB4ECD0 A2 63 10 38 STURB W2, [X29,#var_FA] .text:000000709EB4ECD4 E3 04 80 52 MOV W3, #0x27 ; ''' .text:000000709EB4ECD8 A3 73 10 38 STURB W3, [X29,#var_F9] .text:000000709EB4ECDC EB 12 80 52 MOV W11, #0x97 .text:000000709EB4ECE0 AB 83 10 38 STURB W11, [X29,#var_F8] .text:000000709EB4ECE4 EC 0B 00 32 MOV W12, #7 .text:000000709EB4ECE8 AC 93 10 38 STURB W12, [X29,#var_F7] .text:000000709EB4ECEC ED 08 80 52 MOV W13, #0x47 ; 'G' .text:000000709EB4ECF0 AD A3 10 38 STURB W13, [X29,#var_F6] .text:000000709EB4ECF4 CE 1E 80 52 MOV W14, #0xF6 .text:000000709EB4ECF8 AE B3 10 38 STURB W14, [X29,#var_F5] .text:000000709EB4ECFC AA C3 10 38 STURB W10, [X29,#var_F4] .text:000000709EB4ED00 EE 06 80 52 MOV W14, #0x37 ; '7' .text:000000709EB4ED04 AE D3 10 38 STURB W14, [X29,#var_F3] .text:000000709EB4ED08 AC E3 10 38 STURB W12, [X29,#var_F2] .text:000000709EB4ED0C CE 0A 80 52 MOV W14, #0x56 ; 'V' .text:000000709EB4ED10 AE F3 10 38 STURB W14, [X29,#var_F1] .text:000000709EB4ED14 A2 03 11 38 STURB W2, [X29,#var_F0] .text:000000709EB4ED18 AA 13 11 38 STURB W10, [X29,#var_EF] .text:000000709EB4ED1C AA 06 80 52 MOV W10, #0x35 ; '5' .text:000000709EB4ED20 AA 23 11 38 STURB W10, [X29,#var_EE] .text:000000709EB4ED24 AE 33 11 38 STURB W14, [X29,#var_ED] .text:000000709EB4ED28 A2 43 11 38 STURB W2, [X29,#var_EC] .text:000000709EB4ED2C A3 53 11 38 STURB W3, [X29,#var_EB] .text:000000709EB4ED30 AE 63 11 38 STURB W14, [X29,#var_EA] .text:000000709EB4ED34 AD 73 11 38 STURB W13, [X29,#var_E9] .text:000000709EB4ED38 8D 16 80 52 MOV W13, #0xB4 .text:000000709EB4ED3C AD 83 11 38 STURB W13, [X29,#var_E8] .text:000000709EB4ED40 AE 93 11 38 STURB W14, [X29,#var_E7] .text:000000709EB4ED44 AB A3 11 38 STURB W11, [X29,#var_E6] .text:000000709EB4ED48 AA B3 11 38 STURB W10, [X29,#var_E5] .text:000000709EB4ED4C AC C3 11 38 STURB W12, [X29,#var_E5+1] .text:000000709EB4ED50 AE D3 11 38 STURB W14, [X29,#var_E5+2] .text:000000709EB4ED54 A2 E3 11 38 STURB W2, [X29,#var_E5+3] .text:000000709EB4ED58 EA 6B 40 B9 LDR W10, [SP,#0x220+var_1B8] .text:000000709EB4ED5C AA F3 11 38 STURB W10, [X29,#var_E5+4] .text:000000709EB4ED60 A0 03 04 D1 SUB X0, X29, #-var_100 .text:000000709EB4ED64 00 3D 00 F9 STR X0, [X8,#0x78] .text:000000709EB4ED68 00 3D 40 F9 LDR X0, [X8,#0x78] .text:000000709EB4ED6C 00 39 00 F9 STR X0, [X8,#0x70] .text:000000709EB4ED70 E9 33 00 F9 STR X9, [SP,#0x220+var_1C0] .text:000000709EB4ED74 01 00 00 14 B loc_709EB4ED78 .text:000000709EB4ED74 .text:000000709EB4ED78 .text:000000709EB4ED78 loc_709EB4ED78 .text:000000709EB4ED78 E8 53 40 F9 LDR X8, [SP,#0x220+var_180] .text:000000709EB4ED7C 09 3D 40 F9 LDR X9, [X8,#0x78] .text:000000709EB4ED80 2A 01 40 39 LDRB W10, [X9] .text:000000709EB4ED84 8A 01 00 34 CBZ W10, loc_709EB4EDB4 .text:000000709EB4ED84 .text:000000709EB4ED88 01 00 00 14 B loc_709EB4ED8C .text:000000709EB4ED8C .text:000000709EB4ED8C loc_709EB4ED8C .text:000000709EB4ED8C E8 53 40 F9 LDR X8, [SP,#0x220+var_180] .text:000000709EB4ED90 09 3D 40 F9 LDR X9, [X8,#0x78] .text:000000709EB4ED94 2A 01 40 39 LDRB W10, [X9] .text:000000709EB4ED98 4B 7D 04 53 LSR W11, W10, #4 .text:000000709EB4ED9C 4B 1D 1C 33 BFI W11, W10, #4, #8 .text:000000709EB4EDA0 2B 01 00 39 STRB W11, [X9] .text:000000709EB4EDA4 09 3D 40 F9 LDR X9, [X8,#0x78] .text:000000709EB4EDA8 29 05 00 91 ADD X9, X9, #1 .text:000000709EB4EDAC 09 3D 00 F9 STR X9, [X8,#0x78] .text:000000709EB4EDB0 F2 FF FF 17 B loc_709EB4ED78 .text:000000709EB4EDB0 .text:000000709EB4EDB4 .text:000000709EB4EDB4 loc_709EB4EDB4 .text:000000709EB4EDB4 E8 53 40 F9 LDR X8, [SP,#0x220+var_180] .text:000000709EB4EDB8 01 39 40 F9 LDR X1, [X8,#0x70] .text:000000709EB4EDBC E0 33 40 F9 LDR X0, [SP,#0x220+var_1C0] .text:000000709EB4EDC0 8E 69 00 94 BL FindClass_sub_786D1E73F8 .text:000000709EB4EDC0 .text:000000709EB4EDC4 E8 53 40 F9 LDR X8, [SP,#0x220+var_180] .text:000000709EB4EDC8 00 01 00 F9 STR X0, [X8] .text:000000709EB4EDCC 00 2D 40 F9 LDR X0, [X8,#0x58] .text:000000709EB4EDD0 01 01 40 F9 LDR X1, [X8] .text:000000709EB4EDD4 04 0D 40 F9 LDR X4, [X8,#0x18] .text:000000709EB4EDD8 05 15 40 F9 LDR X5, [X8,#0x28] .text:000000709EB4EDDC 42 01 00 D0 42 98+ADRL X2, td_9741829121851609613 ; "<init>" .text:000000709EB4EDDC 32 91 .text:000000709EB4EDE4 43 01 00 D0 63 B4+ADRL X3, td_1727475097158774760 ; "([BLjava/lang/String;)V" .text:000000709EB4EDE4 32 91 .text:000000709EB4EDEC B3 01 00 94 BL CallVoidMethod_sub_786D1CD4B8 .text:000000709EB4EDEC .text:000000709EB4EDF0 E0 8F 00 F9 STR X0, [SP,#0x220+var_108] .text:000000709EB4EDF4 E8 53 40 F9 LDR X8, [SP,#0x220+var_180] .text:000000709EB4EDF8 00 2D 40 F9 LDR X0, [X8,#0x58] .text:000000709EB4EDFC C9 14 80 52 MOV W9, #0xA6 .text:000000709EB4EE00 E9 F3 03 39 STRB W9, [SP,#0xFC] .text:000000709EB4EE04 C9 02 80 52 MOV W9, #0x16 .text:000000709EB4EE08 E9 F7 03 39 STRB W9, [SP,#0xFD] .text:000000709EB4EE0C EA 0C 80 52 MOV W10, #0x67 ; 'g' .text:000000709EB4EE10 EA FB 03 39 STRB W10, [SP,#0xFE] .text:000000709EB4EE14 E9 FF 03 39 STRB W9, [SP,#0x220+var_121] .text:000000709EB4EE18 E9 10 80 52 MOV W9, #0x87 .text:000000709EB4EE1C E9 03 04 39 STRB W9, [SP,#0x220+var_120] .text:000000709EB4EE20 49 1E 80 52 MOV W9, #0xF2 .text:000000709EB4EE24 E9 07 04 39 STRB W9, [SP,#0x220+var_11F] .text:000000709EB4EE28 CA 06 80 52 MOV W10, #0x36 ; '6' .text:000000709EB4EE2C EA 0B 04 39 STRB W10, [SP,#0x220+var_11E] .text:000000709EB4EE30 EA 04 80 52 MOV W10, #0x27 ; ''' .text:000000709EB4EE34 EA 0F 04 39 STRB W10, [SP,#0x220+var_11D] .text:000000709EB4EE38 EB 12 80 52 MOV W11, #0x97 .text:000000709EB4EE3C EB 13 04 39 STRB W11, [SP,#0x220+var_11C] .text:000000709EB4EE40 EB 0B 00 32 MOV W11, #7 .text:000000709EB4EE44 EB 17 04 39 STRB W11, [SP,#0x220+var_11B] .text:000000709EB4EE48 EC 08 80 52 MOV W12, #0x47 ; 'G' .text:000000709EB4EE4C EC 1B 04 39 STRB W12, [SP,#0x220+var_11A] .text:000000709EB4EE50 CC 1E 80 52 MOV W12, #0xF6 .text:000000709EB4EE54 EC 1F 04 39 STRB W12, [SP,#0x220+var_119] .text:000000709EB4EE58 E9 23 04 39 STRB W9, [SP,#0x220+var_118] .text:000000709EB4EE5C 89 06 80 52 MOV W9, #0x34 ; '4' .text:000000709EB4EE60 E9 27 04 39 STRB W9, [SP,#0x220+var_117] .text:000000709EB4EE64 C9 12 80 52 MOV W9, #0x96 .text:000000709EB4EE68 E9 2B 04 39 STRB W9, [SP,#0x220+var_116] .text:000000709EB4EE6C EB 2F 04 39 STRB W11, [SP,#0x220+var_115] .text:000000709EB4EE70 C9 10 80 52 MOV W9, #0x86 .text:000000709EB4EE74 E9 33 04 39 STRB W9, [SP,#0x220+var_114] .text:000000709EB4EE78 C9 0A 80 52 MOV W9, #0x56 ; 'V' .text:000000709EB4EE7C E9 37 04 39 STRB W9, [SP,#0x220+var_113] .text:000000709EB4EE80 EA 3B 04 39 STRB W10, [SP,#0x220+var_113+1] .text:000000709EB4EE84 E9 03 1F 2A MOV W9, WZR .text:000000709EB4EE88 E9 3F 04 39 STRB W9, [SP,#0x220+var_113+2] .text:000000709EB4EE8C E1 F3 03 91 ADD X1, SP, #0xFC .text:000000709EB4EE90 01 65 00 F9 STR X1, [X8,#0xC8] .text:000000709EB4EE94 01 65 40 F9 LDR X1, [X8,#0xC8] .text:000000709EB4EE98 01 61 00 F9 STR X1, [X8,#0xC0] .text:000000709EB4EE9C E0 2F 00 F9 STR X0, [SP,#0x220+var_1C8] .text:000000709EB4EEA0 01 00 00 14 B loc_709EB4EEA4 .text:000000709EB4EEA0 .text:000000709EB4EEA4 .text:000000709EB4EEA4 loc_709EB4EEA4 .text:000000709EB4EEA4 E8 53 40 F9 LDR X8, [SP,#0x220+var_180] .text:000000709EB4EEA8 09 65 40 F9 LDR X9, [X8,#0xC8] .text:000000709EB4EEAC 2A 01 40 39 LDRB W10, [X9] .text:000000709EB4EEB0 8A 01 00 34 CBZ W10, loc_709EB4EEE0 .text:000000709EB4EEB0 .text:000000709EB4EEB4 01 00 00 14 B loc_709EB4EEB8 .text:000000709EB4EEB4 .text:000000709EB4EEB8 .text:000000709EB4EEB8 loc_709EB4EEB8 .text:000000709EB4EEB8 E8 53 40 F9 LDR X8, [SP,#0x220+var_180] .text:000000709EB4EEBC 09 65 40 F9 LDR X9, [X8,#0xC8] .text:000000709EB4EEC0 2A 01 40 39 LDRB W10, [X9] .text:000000709EB4EEC4 4B 7D 04 53 LSR W11, W10, #4 .text:000000709EB4EEC8 4B 1D 1C 33 BFI W11, W10, #4, #8 .text:000000709EB4EECC 2B 01 00 39 STRB W11, [X9] .text:000000709EB4EED0 09 65 40 F9 LDR X9, [X8,#0xC8] .text:000000709EB4EED4 29 05 00 91 ADD X9, X9, #1 .text:000000709EB4EED8 09 65 00 F9 STR X9, [X8,#0xC8] .text:000000709EB4EEDC F2 FF FF 17 B loc_709EB4EEA4 .text:000000709EB4EEE0 .text:000000709EB4EEE0 loc_709EB4EEE0 .text:000000709EB4EEE0 E8 53 40 F9 LDR X8, [SP,#0x220+var_180] .text:000000709EB4EEE4 01 61 40 F9 LDR X1, [X8,#0xC0] .text:000000709EB4EEE8 04 11 40 F9 LDR X4, [X8,#0x20] .text:000000709EB4EEEC 02 03 00 B0 42 D0+ADRL X2, td_4822081916216048550 ; "getInstance" .text:000000709EB4EEEC 11 91 .text:000000709EB4EEF4 03 03 00 B0 63 BC+ADRL X3, td_12347290237301947307 ; "(Ljava/lang/String;)Ljavax/crypto/Ciphe"... .text:000000709EB4EEF4 12 91 .text:000000709EB4EEFC E0 2F 40 F9 LDR X0, [SP,#0x220+var_1C8] .text:000000709EB4EF00 80 01 00 94 BL CallVoidMethod_sub_786D1CD500 .text:000000709EB4EF00 .text:000000709EB4EF04 E0 8B 00 F9 STR X0, [SP,#0x220+var_113+3] .text:000000709EB4EF08 E8 53 40 F9 LDR X8, [SP,#0x220+var_180] .text:000000709EB4EF0C 00 2D 40 F9 LDR X0, [X8,#0x58] .text:000000709EB4EF10 E1 8B 40 F9 LDR X1, [SP,#0x220+var_113+3] .text:000000709EB4EF14 C9 12 80 52 MOV W9, #0x96 .text:000000709EB4EF18 E9 D3 03 39 STRB W9, [SP,#0x220+var_12E+2] .text:000000709EB4EF1C CA 1C 80 52 MOV W10, #0xE6 .text:000000709EB4EF20 EA D7 03 39 STRB W10, [SP,#0x220+var_12E+3] .text:000000709EB4EF24 E9 DB 03 39 STRB W9, [SP,#0x220+var_12E+4] .text:000000709EB4EF28 E9 08 80 52 MOV W9, #0x47 ; 'G' .text:000000709EB4EF2C E9 DF 03 39 STRB W9, [SP,#0x220+var_12E+5] .text:000000709EB4EF30 E9 03 1F 2A MOV W9, WZR .text:000000709EB4EF34 E9 E3 03 39 STRB W9, [SP,#0x220+var_12E+6] .text:000000709EB4EF38 E2 D3 03 91 ADD X2, SP, #0x220+var_12E+2 .text:000000709EB4EF3C 02 5D 00 F9 STR X2, [X8,#0xB8] .text:000000709EB4EF40 02 5D 40 F9 LDR X2, [X8,#0xB8] .text:000000709EB4EF44 02 59 00 F9 STR X2, [X8,#0xB0] .text:000000709EB4EF48 E0 2B 00 F9 STR X0, [SP,#0x220+var_1D0] .text:000000709EB4EF4C E1 27 00 F9 STR X1, [SP,#0x220+var_1D8] .text:000000709EB4EF50 01 00 00 14 B loc_709EB4EF54 .text:000000709EB4EF50 .text:000000709EB4EF54 .text:000000709EB4EF54 loc_709EB4EF54 .text:000000709EB4EF54 E8 53 40 F9 LDR X8, [SP,#0x220+var_180] .text:000000709EB4EF58 09 5D 40 F9 LDR X9, [X8,#0xB8] .text:000000709EB4EF5C 2A 01 40 39 LDRB W10, [X9] .text:000000709EB4EF60 8A 01 00 34 CBZ W10, loc_709EB4EF90 .text:000000709EB4EF60 .text:000000709EB4EF64 01 00 00 14 B loc_709EB4EF68 .text:000000709EB4EF64 .text:000000709EB4EF68 .text:000000709EB4EF68 loc_709EB4EF68 .text:000000709EB4EF68 E8 53 40 F9 LDR X8, [SP,#0x220+var_180] .text:000000709EB4EF6C 09 5D 40 F9 LDR X9, [X8,#0xB8] .text:000000709EB4EF70 2A 01 40 39 LDRB W10, [X9] .text:000000709EB4EF74 4B 7D 04 53 LSR W11, W10, #4 .text:000000709EB4EF78 4B 1D 1C 33 BFI W11, W10, #4, #8 .text:000000709EB4EF7C 2B 01 00 39 STRB W11, [X9] .text:000000709EB4EF80 09 5D 40 F9 LDR X9, [X8,#0xB8] .text:000000709EB4EF84 29 05 00 91 ADD X9, X9, #1 .text:000000709EB4EF88 09 5D 00 F9 STR X9, [X8,#0xB8] .text:000000709EB4EF8C F2 FF FF 17 B loc_709EB4EF54 .text:000000709EB4EF8C .text:000000709EB4EF90 .text:000000709EB4EF90 loc_709EB4EF90 .text:000000709EB4EF90 E8 53 40 F9 LDR X8, [SP,#0x220+var_180] .text:000000709EB4EF94 09 59 40 F9 LDR X9, [X8,#0xB0] .text:000000709EB4EF98 4A 10 80 52 MOV W10, #0x82 .text:000000709EB4EF9C EA 73 03 39 STRB W10, [SP,#0x220+var_144] .text:000000709EB4EFA0 8A 12 80 52 MOV W10, #0x94 .text:000000709EB4EFA4 EA 77 03 39 STRB W10, [SP,#0x220+var_143] .text:000000709EB4EFA8 8A 18 80 52 MOV W10, #0xC4 .text:000000709EB4EFAC EA 7B 03 39 STRB W10, [SP,#0x220+var_142] .text:000000709EB4EFB0 CA 14 80 52 MOV W10, #0xA6 .text:000000709EB4EFB4 EA 7F 03 39 STRB W10, [SP,#0x220+var_141] .text:000000709EB4EFB8 CA 02 80 52 MOV W10, #0x16 .text:000000709EB4EFBC EA 83 03 39 STRB W10, [SP,#0x220+var_140] .text:000000709EB4EFC0 EB 0C 80 52 MOV W11, #0x67 ; 'g' .text:000000709EB4EFC4 EB 87 03 39 STRB W11, [SP,#0x220+var_13F] .text:000000709EB4EFC8 EA 8B 03 39 STRB W10, [SP,#0x220+var_13E] .text:000000709EB4EFCC 4A 1E 80 52 MOV W10, #0xF2 .text:000000709EB4EFD0 EA 8F 03 39 STRB W10, [SP,#0x220+var_13D] .text:000000709EB4EFD4 EB 06 80 52 MOV W11, #0x37 ; '7' .text:000000709EB4EFD8 EB 93 03 39 STRB W11, [SP,#0x220+var_13C] .text:000000709EB4EFDC CB 0A 80 52 MOV W11, #0x56 ; 'V' .text:000000709EB4EFE0 EB 97 03 39 STRB W11, [SP,#0x220+var_13B] .text:000000709EB4EFE4 CC 06 80 52 MOV W12, #0x36 ; '6' .text:000000709EB4EFE8 EC 9B 03 39 STRB W12, [SP,#0x220+var_13A] .text:000000709EB4EFEC EC 0A 80 52 MOV W12, #0x57 ; 'W' .text:000000709EB4EFF0 EC 9F 03 39 STRB W12, [SP,#0x220+var_139] .text:000000709EB4EFF4 EC 04 80 52 MOV W12, #0x27 ; ''' .text:000000709EB4EFF8 EC A3 03 39 STRB W12, [SP,#0x220+var_138] .text:000000709EB4EFFC CC 12 80 52 MOV W12, #0x96 .text:000000709EB4F000 EC A7 03 39 STRB W12, [SP,#0x220+var_137] .text:000000709EB4F004 EC 08 80 52 MOV W12, #0x47 ; 'G' .text:000000709EB4F008 EC AB 03 39 STRB W12, [SP,#0x220+var_136] .text:000000709EB4F00C EC 12 80 52 MOV W12, #0x97 .text:000000709EB4F010 EC AF 03 39 STRB W12, [SP,#0x220+var_135] .text:000000709EB4F014 EA B3 03 39 STRB W10, [SP,#0x220+var_134] .text:000000709EB4F018 8A 16 80 52 MOV W10, #0xB4 .text:000000709EB4F01C EA B7 03 39 STRB W10, [SP,#0x220+var_133] .text:000000709EB4F020 EB BB 03 39 STRB W11, [SP,#0x220+var_132] .text:000000709EB4F024 EC BF 03 39 STRB W12, [SP,#0x220+var_131] .text:000000709EB4F028 6A 16 80 52 MOV W10, #0xB3 .text:000000709EB4F02C EA C3 03 39 STRB W10, [SP,#0x220+var_130] .text:000000709EB4F030 4A 12 80 52 MOV W10, #0x92 .text:000000709EB4F034 EA C7 03 39 STRB W10, [SP,#0x220+var_12F] .text:000000709EB4F038 AA 0C 80 52 MOV W10, #0x65 ; 'e' .text:000000709EB4F03C EA CB 03 39 STRB W10, [SP,#0x220+var_12E] .text:000000709EB4F040 EA 03 1F 2A MOV W10, WZR .text:000000709EB4F044 EA CF 03 39 STRB W10, [SP,#0x220+var_12E+1] .text:000000709EB4F048 ED 73 03 91 ADD X13, SP, #0x220+var_144 .text:000000709EB4F04C 0D 55 00 F9 STR X13, [X8,#0xA8] .text:000000709EB4F050 0D 55 40 F9 LDR X13, [X8,#0xA8] .text:000000709EB4F054 0D 51 00 F9 STR X13, [X8,#0xA0] .text:000000709EB4F058 E9 23 00 F9 STR X9, [SP,#0x220+var_1E0] .text:000000709EB4F05C 01 00 00 14 B loc_709EB4F060 .text:000000709EB4F060 .text:000000709EB4F060 loc_709EB4F060 .text:000000709EB4F060 E8 53 40 F9 LDR X8, [SP,#0x220+var_180] .text:000000709EB4F064 09 55 40 F9 LDR X9, [X8,#0xA8] .text:000000709EB4F068 2A 01 40 39 LDRB W10, [X9] .text:000000709EB4F06C 8A 01 00 34 CBZ W10, loc_709EB4F09C .text:000000709EB4F06C .text:000000709EB4F070 01 00 00 14 B loc_709EB4F074 .text:000000709EB4F074 .text:000000709EB4F074 loc_709EB4F074 .text:000000709EB4F074 E8 53 40 F9 LDR X8, [SP,#0x220+var_180] .text:000000709EB4F078 09 55 40 F9 LDR X9, [X8,#0xA8] .text:000000709EB4F07C 2A 01 40 39 LDRB W10, [X9] .text:000000709EB4F080 4B 7D 04 53 LSR W11, W10, #4 .text:000000709EB4F084 4B 1D 1C 33 BFI W11, W10, #4, #8 .text:000000709EB4F088 2B 01 00 39 STRB W11, [X9] .text:000000709EB4F08C 09 55 40 F9 LDR X9, [X8,#0xA8] .text:000000709EB4F090 29 05 00 91 ADD X9, X9, #1 .text:000000709EB4F094 09 55 00 F9 STR X9, [X8,#0xA8] .text:000000709EB4F098 F2 FF FF 17 B loc_709EB4F060 .text:000000709EB4F09C .text:000000709EB4F09C loc_709EB4F09C .text:000000709EB4F09C E8 53 40 F9 LDR X8, [SP,#0x220+var_180] .text:000000709EB4F0A0 03 51 40 F9 LDR X3, [X8,#0xA0] .text:000000709EB4F0A4 E5 8F 40 F9 LDR X5, [SP,#0x220+var_108] .text:000000709EB4F0A8 E4 03 00 32 MOV W4, #1 .text:000000709EB4F0AC E0 2B 40 F9 LDR X0, [SP,#0x220+var_1D0] .text:000000709EB4F0B0 E1 27 40 F9 LDR X1, [SP,#0x220+var_1D8] .text:000000709EB4F0B4 E2 23 40 F9 LDR X2, [SP,#0x220+var_1E0] .text:000000709EB4F0B8 22 01 00 94 BL CallVoidMethod_sub_786D1CD540 .text:000000709EB4F0B8 .text:000000709EB4F0BC E8 53 40 F9 LDR X8, [SP,#0x220+var_180] .text:000000709EB4F0C0 01 2D 40 F9 LDR X1, [X8,#0x58] .text:000000709EB4F0C4 E2 8B 40 F9 LDR X2, [SP,#0x220+var_113+3] .text:000000709EB4F0C8 C4 08 80 52 MOV W4, #0x46 ; 'F' .text:000000709EB4F0CC E4 23 03 39 STRB W4, [SP,#0x220+var_15B+3] .text:000000709EB4F0D0 C4 1E 80 52 MOV W4, #0xF6 .text:000000709EB4F0D4 E4 27 03 39 STRB W4, [SP,#0x220+var_15B+4] .text:000000709EB4F0D8 84 0C 80 52 MOV W4, #0x64 ; 'd' .text:000000709EB4F0DC E4 2B 03 39 STRB W4, [SP,#0x220+var_15B+5] .text:000000709EB4F0E0 C4 12 80 52 MOV W4, #0x96 .text:000000709EB4F0E4 E4 2F 03 39 STRB W4, [SP,#0x220+var_15B+6] .text:000000709EB4F0E8 C4 1C 80 52 MOV W4, #0xE6 .text:000000709EB4F0EC E4 33 03 39 STRB W4, [SP,#0x220+var_15B+7] .text:000000709EB4F0F0 C4 02 80 52 MOV W4, #0x16 .text:000000709EB4F0F4 E4 37 03 39 STRB W4, [SP,#0x220+var_153] .text:000000709EB4F0F8 C4 18 80 52 MOV W4, #0xC6 .text:000000709EB4F0FC E4 3B 03 39 STRB W4, [SP,#0x220+var_152] .text:000000709EB4F100 E4 03 1F 2A MOV W4, WZR .text:000000709EB4F104 E4 3F 03 39 STRB W4, [SP,#0x220+var_151] .text:000000709EB4F108 E3 23 03 91 ADD X3, SP, #0x220+var_15B+3 .text:000000709EB4F10C 03 4D 00 F9 STR X3, [X8,#0x98] .text:000000709EB4F110 03 4D 40 F9 LDR X3, [X8,#0x98] .text:000000709EB4F114 03 49 00 F9 STR X3, [X8,#0x90] .text:000000709EB4F118 E0 3F 00 B9 STR W0, [SP,#0x220+var_1E4] .text:000000709EB4F11C E1 1B 00 F9 STR X1, [SP,#0x220+var_1F0] .text:000000709EB4F120 E2 17 00 F9 STR X2, [SP,#0x220+var_1F8] .text:000000709EB4F124 01 00 00 14 B loc_709EB4F128 .text:000000709EB4F124 .text:000000709EB4F128 .text:000000709EB4F128 loc_709EB4F128 .text:000000709EB4F128 ; AES_sub_786D1CCA6C+6F4↓j .text:000000709EB4F128 E8 53 40 F9 LDR X8, [SP,#0x220+var_180] .text:000000709EB4F12C 09 4D 40 F9 LDR X9, [X8,#0x98] .text:000000709EB4F130 2A 01 40 39 LDRB W10, [X9] .text:000000709EB4F134 8A 01 00 34 CBZ W10, loc_709EB4F164 .text:000000709EB4F134 .text:000000709EB4F138 01 00 00 14 B loc_709EB4F13C .text:000000709EB4F138 .text:000000709EB4F13C .text:000000709EB4F13C loc_709EB4F13C .text:000000709EB4F13C E8 53 40 F9 LDR X8, [SP,#0x220+var_180] .text:000000709EB4F140 09 4D 40 F9 LDR X9, [X8,#0x98] .text:000000709EB4F144 2A 01 40 39 LDRB W10, [X9] .text:000000709EB4F148 4B 7D 04 53 LSR W11, W10, #4 .text:000000709EB4F14C 4B 1D 1C 33 BFI W11, W10, #4, #8 .text:000000709EB4F150 2B 01 00 39 STRB W11, [X9] .text:000000709EB4F154 09 4D 40 F9 LDR X9, [X8,#0x98] .text:000000709EB4F158 29 05 00 91 ADD X9, X9, #1 .text:000000709EB4F15C 09 4D 00 F9 STR X9, [X8,#0x98] .text:000000709EB4F160 F2 FF FF 17 B loc_709EB4F128 .text:000000709EB4F160 .text:000000709EB4F164 .text:000000709EB4F164 loc_709EB4F164 .text:000000709EB4F164 E8 53 40 F9 LDR X8, [SP,#0x220+var_180] .text:000000709EB4F168 09 49 40 F9 LDR X9, [X8,#0x90] .text:000000709EB4F16C 4A 10 80 52 MOV W10, #0x82 .text:000000709EB4F170 EA 03 03 39 STRB W10, [SP,#0x220+var_160] .text:000000709EB4F174 AA 16 80 52 MOV W10, #0xB5 .text:000000709EB4F178 EA 07 03 39 STRB W10, [SP,#0x220+var_15F] .text:000000709EB4F17C 8B 04 80 52 MOV W11, #0x24 ; '$' .text:000000709EB4F180 EB 0B 03 39 STRB W11, [SP,#0x220+var_15E] .text:000000709EB4F184 4C 12 80 52 MOV W12, #0x92 .text:000000709EB4F188 EC 0F 03 39 STRB W12, [SP,#0x220+var_15D] .text:000000709EB4F18C EA 13 03 39 STRB W10, [SP,#0x220+var_15C] .text:000000709EB4F190 EB 17 03 39 STRB W11, [SP,#0x220+var_15B] .text:000000709EB4F194 EA 03 1F 2A MOV W10, WZR .text:000000709EB4F198 EA 1B 03 39 STRB W10, [SP,#0x220+var_15B+1] .text:000000709EB4F19C ED 03 03 91 ADD X13, SP, #0x220+var_160 .text:000000709EB4F1A0 0D 45 00 F9 STR X13, [X8,#0x88] .text:000000709EB4F1A4 0D 45 40 F9 LDR X13, [X8,#0x88] .text:000000709EB4F1A8 0D 41 00 F9 STR X13, [X8,#0x80] .text:000000709EB4F1AC E9 13 00 F9 STR X9, [SP,#0x220+var_200] .text:000000709EB4F1B0 01 00 00 14 B loc_709EB4F1B4 .text:000000709EB4F1B0 .text:000000709EB4F1B4 .text:000000709EB4F1B4 loc_709EB4F1B4 .text:000000709EB4F1B4 E8 53 40 F9 LDR X8, [SP,#0x220+var_180] .text:000000709EB4F1B8 09 45 40 F9 LDR X9, [X8,#0x88] .text:000000709EB4F1BC 2A 01 40 39 LDRB W10, [X9] .text:000000709EB4F1C0 8A 01 00 34 CBZ W10, loc_709EB4F1F0 .text:000000709EB4F1C0 .text:000000709EB4F1C4 01 00 00 14 B loc_709EB4F1C8 .text:000000709EB4F1C4 .text:000000709EB4F1C8 .text:000000709EB4F1C8 loc_709EB4F1C8 .text:000000709EB4F1C8 E8 53 40 F9 LDR X8, [SP,#0x220+var_180] .text:000000709EB4F1CC 09 45 40 F9 LDR X9, [X8,#0x88] .text:000000709EB4F1D0 2A 01 40 39 LDRB W10, [X9] .text:000000709EB4F1D4 4B 7D 04 53 LSR W11, W10, #4 .text:000000709EB4F1D8 4B 1D 1C 33 BFI W11, W10, #4, #8 .text:000000709EB4F1DC 2B 01 00 39 STRB W11, [X9] .text:000000709EB4F1E0 09 45 40 F9 LDR X9, [X8,#0x88] .text:000000709EB4F1E4 29 05 00 91 ADD X9, X9, #1 .text:000000709EB4F1E8 09 45 00 F9 STR X9, [X8,#0x88] .text:000000709EB4F1EC F2 FF FF 17 B loc_709EB4F1B4 .text:000000709EB4F1EC .text:000000709EB4F1F0 .text:000000709EB4F1F0 loc_709EB4F1F0 .text:000000709EB4F1F0 E8 53 40 F9 LDR X8, [SP,#0x220+var_180] .text:000000709EB4F1F4 03 41 40 F9 LDR X3, [X8,#0x80] .text:000000709EB4F1F8 04 05 40 F9 LDR X4, [X8,#8] .text:000000709EB4F1FC E0 1B 40 F9 LDR X0, [SP,#0x220+var_1F0] .text:000000709EB4F200 E1 17 40 F9 LDR X1, [SP,#0x220+var_1F8] .text:000000709EB4F204 E2 13 40 F9 LDR X2, [SP,#0x220+var_200] .text:000000709EB4F208 E0 00 00 94 BL CallVoidMethod_sub_786D1CD588 .text:000000709EB4F208 .text:000000709EB4F20C E0 6B 00 F9 STR X0, [SP,#0x220+var_150] .text:000000709EB4F210 E8 6B 40 F9 LDR X8, [SP,#0x220+var_150] .text:000000709EB4F214 08 01 00 F1 SUBS X8, X8, #0 .text:000000709EB4F218 89 5D 86 52 A9 84+MOV W9, #0x9C2532EC .text:000000709EB4F218 B3 72 .text:000000709EB4F220 AA 61 87 52 4A 30+MOV W10, #0xB9823B0D .text:000000709EB4F220 B7 72 .text:000000709EB4F228 49 01 89 1A CSEL W9, W10, W9, EQ .text:000000709EB4F22C E9 AF 00 B9 STR W9, [SP,#0x220+var_174] .text:000000709EB4F230 E8 0F 00 F9 STR X8, [SP,#0x220+var_208] .text:000000709EB4F234 5C 00 00 14 B loc_709EB4F3A4 .text:000000709EB4F234 .text:000000709EB4F238 .text:000000709EB4F238 loc_709EB4F238 .text:000000709EB4F238 E8 03 1F AA MOV X8, XZR .text:000000709EB4F23C E9 53 40 F9 LDR X9, [SP,#0x220+var_180] .text:000000709EB4F240 28 31 00 F9 STR X8, [X9,#0x60] .text:000000709EB4F244 0A 81 97 52 2A 4C+MOV W10, #0x5A61BC08 .text:000000709EB4F244 AB 72 .text:000000709EB4F24C EA AF 00 B9 STR W10, [SP,#0x220+var_174] .text:000000709EB4F250 55 00 00 14 B loc_709EB4F3A4 .text:000000709EB4F250 .text:000000709EB4F254 .text:000000709EB4F254 loc_709EB4F254 .text:000000709EB4F254 E8 53 40 F9 LDR X8, [SP,#0x220+var_180] .text:000000709EB4F258 00 2D 40 F9 LDR X0, [X8,#0x58] .text:000000709EB4F25C E1 6B 40 F9 LDR X1, [SP,#0x220+var_150] .text:000000709EB4F260 A3 67 00 94 BL GetArrayLength_sub_786D1E70EC .text:000000709EB4F260 .text:000000709EB4F264 E0 BF 00 B9 STR W0, [SP,#0x220+var_164] .text:000000709EB4F268 E0 BF 40 B9 LDR W0, [SP,#0x220+var_164] .text:000000709EB4F26C 00 04 00 11 ADD W0, W0, #1 .text:000000709EB4F270 E1 03 00 2A MOV W1, W0 .text:000000709EB4F274 20 7C 40 93 SXTW X0, W1 ; size .text:000000709EB4F278 26 44 FE 97 BL .malloc .text:000000709EB4F278 .text:000000709EB4F27C E0 5B 00 F9 STR X0, [SP,#0x220+var_170] .text:000000709EB4F280 E0 5B 40 F9 LDR X0, [SP,#0x220+var_170] ; void * .text:000000709EB4F284 E9 BF 40 B9 LDR W9, [SP,#0x220+var_164] .text:000000709EB4F288 29 05 00 11 ADD W9, W9, #1 .text:000000709EB4F28C E1 03 09 2A MOV W1, W9 .text:000000709EB4F290 22 7C 40 93 SXTW X2, W1 ; size_t .text:000000709EB4F294 E9 03 1F 2A MOV W9, WZR .text:000000709EB4F298 E1 03 09 2A MOV W1, W9 ; int .text:000000709EB4F29C E9 17 00 B9 STR W9, [SP,#0x220+var_20C] .text:000000709EB4F2A0 B4 44 FE 97 BL .memset .text:000000709EB4F2A0 .text:000000709EB4F2A4 E8 53 40 F9 LDR X8, [SP,#0x220+var_180] .text:000000709EB4F2A8 02 2D 40 F9 LDR X2, [X8,#0x58] .text:000000709EB4F2AC E1 6B 40 F9 LDR X1, [SP,#0x220+var_150] .text:000000709EB4F2B0 E3 BF 40 B9 LDR W3, [SP,#0x220+var_164] .text:000000709EB4F2B4 E4 5B 40 F9 LDR X4, [SP,#0x220+var_170] .text:000000709EB4F2B8 E0 07 00 F9 STR X0, [SP,#0x220+var_218] .text:000000709EB4F2BC E0 03 02 AA MOV X0, X2 .text:000000709EB4F2C0 E2 17 40 B9 LDR W2, [SP,#0x220+var_20C] .text:000000709EB4F2C4 07 68 00 94 BL GetByteArrayRegion_sub_786D1E72E0 .text:000000709EB4F2C4 .text:000000709EB4F2C8 E9 BF 40 B9 LDR W9, [SP,#0x220+var_164] .text:000000709EB4F2CC E8 53 40 F9 LDR X8, [SP,#0x220+var_180] .text:000000709EB4F2D0 00 21 40 F9 LDR X0, [X8,#0x40] .text:000000709EB4F2D4 09 00 00 B9 STR W9, [X0] .text:000000709EB4F2D8 00 2D 40 F9 LDR X0, [X8,#0x58] .text:000000709EB4F2DC 01 15 40 F9 LDR X1, [X8,#0x28] .text:000000709EB4F2E0 AA 64 00 94 BL DeleteLocalRef_sub_786D1E6588 .text:000000709EB4F2E0 .text:000000709EB4F2E4 E8 53 40 F9 LDR X8, [SP,#0x220+var_180] .text:000000709EB4F2E8 00 2D 40 F9 LDR X0, [X8,#0x58] .text:000000709EB4F2EC 01 11 40 F9 LDR X1, [X8,#0x20] .text:000000709EB4F2F0 A6 64 00 94 BL DeleteLocalRef_sub_786D1E6588 .text:000000709EB4F2F0 .text:000000709EB4F2F4 E8 53 40 F9 LDR X8, [SP,#0x220+var_180] .text:000000709EB4F2F8 00 2D 40 F9 LDR X0, [X8,#0x58] .text:000000709EB4F2FC 01 0D 40 F9 LDR X1, [X8,#0x18] .text:000000709EB4F300 A2 64 00 94 BL DeleteLocalRef_sub_786D1E6588 .text:000000709EB4F300 .text:000000709EB4F304 E8 53 40 F9 LDR X8, [SP,#0x220+var_180] .text:000000709EB4F308 00 2D 40 F9 LDR X0, [X8,#0x58] .text:000000709EB4F30C 01 05 40 F9 LDR X1, [X8,#8] .text:000000709EB4F310 9E 64 00 94 BL DeleteLocalRef_sub_786D1E6588 .text:000000709EB4F310 .text:000000709EB4F314 E8 53 40 F9 LDR X8, [SP,#0x220+var_180] .text:000000709EB4F318 00 2D 40 F9 LDR X0, [X8,#0x58] .text:000000709EB4F31C 01 01 40 F9 LDR X1, [X8] .text:000000709EB4F320 9A 64 00 94 BL DeleteLocalRef_sub_786D1E6588 .text:000000709EB4F320 .text:000000709EB4F324 E8 53 40 F9 LDR X8, [SP,#0x220+var_180] .text:000000709EB4F328 00 2D 40 F9 LDR X0, [X8,#0x58] .text:000000709EB4F32C E1 8F 40 F9 LDR X1, [SP,#0x220+var_108] .text:000000709EB4F330 96 64 00 94 BL DeleteLocalRef_sub_786D1E6588 .text:000000709EB4F330 .text:000000709EB4F334 E8 53 40 F9 LDR X8, [SP,#0x220+var_180] .text:000000709EB4F338 00 2D 40 F9 LDR X0, [X8,#0x58] .text:000000709EB4F33C E1 8B 40 F9 LDR X1, [SP,#0x220+var_113+3] .text:000000709EB4F340 92 64 00 94 BL DeleteLocalRef_sub_786D1E6588 .text:000000709EB4F340 .text:000000709EB4F344 E8 53 40 F9 LDR X8, [SP,#0x220+var_180] .text:000000709EB4F348 00 2D 40 F9 LDR X0, [X8,#0x58] .text:000000709EB4F34C E1 6B 40 F9 LDR X1, [SP,#0x220+var_150] .text:000000709EB4F350 8E 64 00 94 BL DeleteLocalRef_sub_786D1E6588 .text:000000709EB4F350 .text:000000709EB4F354 E8 5B 40 F9 LDR X8, [SP,#0x220+var_170] .text:000000709EB4F358 E0 53 40 F9 LDR X0, [SP,#0x220+var_180] .text:000000709EB4F35C 08 30 00 F9 STR X8, [X0,#0x60] .text:000000709EB4F360 09 81 97 52 29 4C+MOV W9, #0x5A61BC08 .text:000000709EB4F360 AB 72 .text:000000709EB4F368 E9 AF 00 B9 STR W9, [SP,#0x220+var_174] .text:000000709EB4F36C 0E 00 00 14 B loc_709EB4F3A4 .text:000000709EB4F370 .text:000000709EB4F370 loc_709EB4F370 .text:000000709EB4F370 E8 03 1F AA MOV X8, XZR .text:000000709EB4F374 E9 53 40 F9 LDR X9, [SP,#0x220+var_180] .text:000000709EB4F378 28 31 00 F9 STR X8, [X9,#0x60] .text:000000709EB4F37C 0A 81 97 52 2A 4C+MOV W10, #0x5A61BC08 .text:000000709EB4F37C AB 72 .text:000000709EB4F384 EA AF 00 B9 STR W10, [SP,#0x220+var_174] .text:000000709EB4F388 07 00 00 14 B loc_709EB4F3A4 .text:000000709EB4F388 .text:000000709EB4F38C loc_709EB4F38C .text:000000709EB4F38C E8 53 40 F9 LDR X8, [SP,#0x220+var_180] .text:000000709EB4F390 00 31 40 F9 LDR X0, [X8,#0x60] .text:000000709EB4F394 FF 43 08 91 ADD SP, SP, #0x210 .text:000000709EB4F398 FD 7B 41 A9 LDP X29, X30, [SP,#0x10+var_s0] .text:000000709EB4F39C FC 07 42 F8 LDR X28, [SP+0x10+var_10],#0x20 .text:000000709EB4F3A0 C0 03 5F D6 RET .text:000000709EB4F3A0
如果本地有存放就读取与设备信息一起上报服务器。
5.2、检测系统环境风险
检测多开:
读取maps查找是否有对应的包名特征
//特征 com.bly.dkplat com.lbe.parallel com.excelliance.dualaid io.va.exposed com.lody.virtual com.qihoo.magic io.virtualapp com.deniu.multi xposed com.android.fcamera com.bly.dkplat com.lbe.parallel com.excelliance.dualaid io.va.exposed com.lody.virtual .text:000000709EB69F20 .text:000000709EB69F20 ; 检测多开 .text:000000709EB69F20 check_dkplat_sub_7363EE8F20 .text:000000709EB69F20 .text:000000709EB69F20 anonymous_0= -0x8C4 .text:000000709EB69F20 anonymous_1= -0x8C0 .text:000000709EB69F20 anonymous_2= -0x8BC .text:000000709EB69F20 anonymous_3= -0x8B8 .text:000000709EB69F20 anonymous_4= -0x8B4 .text:000000709EB69F20 anonymous_5= -0x8B0 .text:000000709EB69F20 anonymous_6= -0x8A4 .text:000000709EB69F20 anonymous_7= -0x8A0 .text:000000709EB69F20 anonymous_8= -0x898 .text:000000709EB69F20 anonymous_9= -0x88C .text:000000709EB69F20 anonymous_10= -0x888 .text:000000709EB69F20 anonymous_11= -0x880 .text:000000709EB69F20 var_87C= -0x87C .text:000000709EB69F20 var_878= -0x878 .text:000000709EB69F20 anonymous_12= -0x870 .text:000000709EB69F20 anonymous_13= -0x868 .text:000000709EB69F20 var_60= -0x60 .text:000000709EB69F20 var_54= -0x54 .text:000000709EB69F20 var_50= -0x50 .text:000000709EB69F20 anonymous_14= -0x42 .text:000000709EB69F20 var_38= -0x38 .text:000000709EB69F20 var_30= -0x30 .text:000000709EB69F20 var_28= -0x28 .text:000000709EB69F20 var_20= -0x20 .text:000000709EB69F20 var_18= -0x18 .text:000000709EB69F20 var_10= -0x10 .text:000000709EB69F20 var_s0= 0 .text:000000709EB69F20 .text:000000709EB69F20 ; __unwind { // 1000 .text:000000709EB69F20 FC 4F BE A9 STP X28, X19, [SP,#-0x10+var_10]! .text:000000709EB69F24 FD 7B 01 A9 STP X29, X30, [SP,#0x10+var_s0] .text:000000709EB69F28 FD 43 00 91 ADD X29, SP, #0x10 .text:000000709EB69F2C FF 03 23 D1 SUB SP, SP, #0x8C0 .text:000000709EB69F30 F3 03 00 91 MOV X19, SP .text:000000709EB69F34 A8 01 80 12 MOV W8, #0xFFFFFFF2 .text:000000709EB69F38 E9 03 40 B2 MOV X9, #1 .text:000000709EB69F3C EA 0B 00 32 MOV W10, #7 .text:000000709EB69F40 EB 04 80 52 MOV W11, #0x27 ; ''' .text:000000709EB69F44 2C 01 80 12 MOV W12, #0xFFFFFFF6 .text:000000709EB69F48 CD 06 80 52 MOV W13, #0x36 ; '6' .text:000000709EB69F4C EE 06 80 52 MOV W14, #0x37 ; '7' .text:000000709EB69F50 CF 0A 80 52 MOV W15, #0x56 ; 'V' .text:000000709EB69F54 30 07 80 12 MOV W16, #0xFFFFFFC6 .text:000000709EB69F58 D1 0C 80 52 MOV W17, #0x66 ; 'f' .text:000000709EB69F5C 32 05 80 12 MOV W18, #0xFFFFFFD6 .text:000000709EB69F60 C3 02 80 52 MOV W3, #0x16 .text:000000709EB69F64 04 00 80 52 MOV W4, #0 .text:000000709EB69F68 05 00 80 D2 MOV X5, #0 .text:000000709EB69F6C E6 03 00 32 MOV W6, #1 .text:000000709EB69F70 A7 43 01 D1 SUB X7, X29, #-var_50 .text:000000709EB69F74 A0 83 1D F8 STUR X0, [X29,#var_28] .text:000000709EB69F78 A1 03 1D F8 STUR X1, [X29,#var_30] .text:000000709EB69F7C A2 83 1C F8 STUR X2, [X29,#var_38] .text:000000709EB69F80 E0 03 07 AA MOV X0, X7 .text:000000709EB69F84 08 00 00 39 STRB W8, [X0] .text:000000709EB69F88 01 00 09 8B ADD X1, X0, X9 .text:000000709EB69F8C 0A 04 00 39 STRB W10, [X0,#1] .text:000000709EB69F90 20 00 09 8B ADD X0, X1, X9 .text:000000709EB69F94 2B 04 00 39 STRB W11, [X1,#1] .text:000000709EB69F98 01 00 09 8B ADD X1, X0, X9 .text:000000709EB69F9C 0C 04 00 39 STRB W12, [X0,#1] .text:000000709EB69FA0 20 00 09 8B ADD X0, X1, X9 .text:000000709EB69FA4 2D 04 00 39 STRB W13, [X1,#1] .text:000000709EB69FA8 01 00 09 8B ADD X1, X0, X9 .text:000000709EB69FAC 08 04 00 39 STRB W8, [X0,#1] .text:000000709EB69FB0 20 00 09 8B ADD X0, X1, X9 .text:000000709EB69FB4 2E 04 00 39 STRB W14, [X1,#1] .text:000000709EB69FB8 01 00 09 8B ADD X1, X0, X9 .text:000000709EB69FBC 0F 04 00 39 STRB W15, [X0,#1] .text:000000709EB69FC0 20 00 09 8B ADD X0, X1, X9 .text:000000709EB69FC4 30 04 00 39 STRB W16, [X1,#1] .text:000000709EB69FC8 01 00 09 8B ADD X1, X0, X9 .text:000000709EB69FCC 11 04 00 39 STRB W17, [X0,#1] .text:000000709EB69FD0 20 00 09 8B ADD X0, X1, X9 .text:000000709EB69FD4 28 04 00 39 STRB W8, [X1,#1] .text:000000709EB69FD8 01 00 09 8B ADD X1, X0, X9 .text:000000709EB69FDC 12 04 00 39 STRB W18, [X0,#1] .text:000000709EB69FE0 20 00 09 8B ADD X0, X1, X9 .text:000000709EB69FE4 23 04 00 39 STRB W3, [X1,#1] .text:000000709EB69FE8 01 00 09 8B ADD X1, X0, X9 .text:000000709EB69FEC 0A 04 00 39 STRB W10, [X0,#1] .text:000000709EB69FF0 29 00 09 8B ADD X9, X1, X9 .text:000000709EB69FF4 2E 04 00 39 STRB W14, [X1,#1] .text:000000709EB69FF8 24 05 00 39 STRB W4, [X9,#1] .text:000000709EB69FFC A7 83 1E F8 STUR X7, [X29,#var_18] .text:000000709EB6A000 A9 83 5E F8 LDUR X9, [X29,#var_18] .text:000000709EB6A004 A9 03 1E F8 STUR X9, [X29,#var_20] .text:000000709EB6A008 65 2E 00 F9 STR X5, [X19,#0x8D0+var_878] .text:000000709EB6A00C 66 56 00 B9 STR W6, [X19,#0x8D0+var_87C] .text:000000709EB6A00C .text:000000709EB6A010 .text:000000709EB6A010 loc_709EB6A010 .text:000000709EB6A010 08 00 80 52 MOV W8, #0 .text:000000709EB6A014 A9 83 5E F8 LDUR X9, [X29,#var_18] .text:000000709EB6A018 2A 01 40 39 LDRB W10, [X9] .text:000000709EB6A01C 4A 1D 00 53 UXTB W10, W10 .text:000000709EB6A020 EB 1F 00 32 MOV W11, #0xFF .text:000000709EB6A024 08 01 0B 0A AND W8, W8, W11 .text:000000709EB6A028 5F 01 08 6B CMP W10, W8 .text:000000709EB6A02C E8 07 9F 1A CSET W8, NE .text:000000709EB6A030 48 00 00 37 TBNZ W8, #0, loc_709EB6A038 .text:000000709EB6A030 .text:000000709EB6A034 16 00 00 14 B loc_709EB6A08C .text:000000709EB6A034 .text:000000709EB6A038 .text:000000709EB6A038 loc_709EB6A038 .text:000000709EB6A038 E8 0F 1C 32 MOV W8, #0xF0 .text:000000709EB6A03C E9 0F 00 32 MOV W9, #0xF .text:000000709EB6A040 EA 03 1E 32 MOV W10, #4 .text:000000709EB6A044 EB 03 40 B2 MOV X11, #1 .text:000000709EB6A048 AC 83 5E F8 LDUR X12, [X29,#var_18] .text:000000709EB6A04C 8D 01 40 39 LDRB W13, [X12] .text:000000709EB6A050 AD 1D 00 53 UXTB W13, W13 .text:000000709EB6A054 AD 29 CA 1A ASR W13, W13, W10 .text:000000709EB6A058 A9 01 09 0A AND W9, W13, W9 .text:000000709EB6A05C AC 83 5E F8 LDUR X12, [X29,#var_18] .text:000000709EB6A060 8D 01 40 39 LDRB W13, [X12] .text:000000709EB6A064 AD 1D 00 53 UXTB W13, W13 .text:000000709EB6A068 AA 21 CA 1A LSL W10, W13, W10 .text:000000709EB6A06C 48 01 08 0A AND W8, W10, W8 .text:000000709EB6A070 28 01 08 2A ORR W8, W9, W8 .text:000000709EB6A074 AC 83 5E F8 LDUR X12, [X29,#var_18] .text:000000709EB6A078 88 01 00 39 STRB W8, [X12] .text:000000709EB6A07C AC 83 5E F8 LDUR X12, [X29,#var_18] .text:000000709EB6A080 8B 01 0B 8B ADD X11, X12, X11 .text:000000709EB6A084 AB 83 1E F8 STUR X11, [X29,#var_18] .text:000000709EB6A088 E2 FF FF 17 B loc_709EB6A010 .text:000000709EB6A088 .text:000000709EB6A08C loc_709EB6A08C .text:000000709EB6A08C 48 19 97 52 A8 CA+MOV W8, #0x9E55B8CA .text:000000709EB6A08C B3 72 .text:000000709EB6A094 E9 F7 7E B2 MOV X9, #0xFFFFFFFFFFFFFFFC .text:000000709EB6A098 EA 03 00 32 MOV W10, #1 .text:000000709EB6A09C EB 03 75 B2 MOV X11, #0x800 .text:000000709EB6A0A0 01 00 80 52 MOV W1, #0 .text:000000709EB6A0A4 AC 03 5E F8 LDUR X12, [X29,#var_20] .text:000000709EB6A0A8 AC 03 1C F8 STUR X12, [X29,#anonymous_14+2] .text:000000709EB6A0AC A0 03 5C F8 LDUR X0, [X29,#anonymous_14+2] .text:000000709EB6A0B0 68 52 00 B9 STR W8, [X19,#0x50] .text:000000709EB6A0B4 69 26 00 F9 STR X9, [X19,#0x48] .text:000000709EB6A0B8 6A 46 00 B9 STR W10, [X19,#0x44] .text:000000709EB6A0BC 6B 1E 00 F9 STR X11, [X19,#0x38] .text:000000709EB6A0C0 11 01 00 94 BL open_sub_786D1E8504 ; maps .text:000000709EB6A0C0 .text:000000709EB6A0C4 A0 C3 1A B8 STUR W0, [X29,#var_54] .text:000000709EB6A0C8 69 1E 40 F9 LDR X9, [X19,#0x38] .text:000000709EB6A0CC A9 03 1A F8 STUR X9, [X29,#var_60] .text:000000709EB6A0D0 7F 36 00 F9 STR XZR, [X19,#0x68] .text:000000709EB6A0D4 68 46 40 B9 LDR W8, [X19,#0x44] .text:000000709EB6A0D8 EB 03 08 2A MOV W11, W8 .text:000000709EB6A0DC 6B 7D 40 D3 UBFX X11, X11, #0, #0x20 ; ' ' .text:000000709EB6A0E0 6C 26 40 F9 LDR X12, [X19,#0x48] .text:000000709EB6A0E4 6B 7D 0C 9B MUL X11, X11, X12 .text:000000709EB6A0E8 ED 03 00 91 MOV X13, SP .text:000000709EB6A0EC AB 01 0B 8B ADD X11, X13, X11 .text:000000709EB6A0F0 6B ED 7C 92 AND X11, X11, #0xFFFFFFFFFFFFFFF0 .text:000000709EB6A0F4 7F 01 00 91 MOV SP, X11 .text:000000709EB6A0F8 6A 52 40 B9 LDR W10, [X19,#0x50] .text:000000709EB6A0FC 6A 01 00 B9 STR W10, [X11] .text:000000709EB6A100 6B 1A 00 F9 STR X11, [X19,#0x30] .text:000000709EB6A100 .text:000000709EB6A104 .text:000000709EB6A104 loc_709EB6A104 .text:000000709EB6A104 48 19 97 52 A8 CA+MOV W8, #0x9E55B8CA .text:000000709EB6A104 B3 72 .text:000000709EB6A10C 69 1A 40 F9 LDR X9, [X19,#0x30] .text:000000709EB6A110 2A 01 40 B9 LDR W10, [X9] .text:000000709EB6A114 1F 01 0A 6B CMP W8, W10 .text:000000709EB6A118 E8 17 9F 1A CSET W8, EQ .text:000000709EB6A11C 6A 2E 00 B9 STR W10, [X19,#0x2C] .text:000000709EB6A120 48 09 00 37 TBNZ W8, #0, loc_709EB6A248 .text:000000709EB6A120 .text:000000709EB6A124 01 00 00 14 B loc_709EB6A128 .text:000000709EB6A124 .text:000000709EB6A128 .text:000000709EB6A128 loc_709EB6A128 .text:000000709EB6A128 E8 03 97 52 C8 4D+MOV W8, #0x4A6EB81F .text:000000709EB6A128 A9 72 .text:000000709EB6A130 69 2E 40 B9 LDR W9, [X19,#0x2C] .text:000000709EB6A134 1F 01 09 6B CMP W8, W9 .text:000000709EB6A138 E8 17 9F 1A CSET W8, EQ .text:000000709EB6A13C 48 0B 00 37 TBNZ W8, #0, loc_709EB6A2A4 .text:000000709EB6A13C .text:000000709EB6A140 01 00 00 14 B loc_709EB6A144 .text:000000709EB6A140 .text:000000709EB6A144 .text:000000709EB6A144 loc_709EB6A144 .text:000000709EB6A144 A8 7E 85 52 28 6F+MOV W8, #0x63792BF5 .text:000000709EB6A144 AC 72 .text:000000709EB6A14C 69 2E 40 B9 LDR W9, [X19,#0x2C] .text:000000709EB6A150 1F 01 09 6B CMP W8, W9 .text:000000709EB6A154 E8 17 9F 1A CSET W8, EQ .text:000000709EB6A158 28 0B 00 37 TBNZ W8, #0, loc_709EB6A2BC .text:000000709EB6A158 .text:000000709EB6A15C 01 00 00 14 B loc_709EB6A160 .text:000000709EB6A15C .text:000000709EB6A160 .text:000000709EB6A160 loc_709EB6A160 .text:000000709EB6A160 C8 FB 95 52 E8 2D+MOV W8, #0xD16FAFDE .text:000000709EB6A160 BA 72 .text:000000709EB6A168 69 2E 40 B9 LDR W9, [X19,#0x2C] .text:000000709EB6A16C 1F 01 09 6B CMP W8, W9 .text:000000709EB6A170 E8 17 9F 1A CSET W8, EQ .text:000000709EB6A174 E8 0B 00 37 TBNZ W8, #0, loc_709EB6A2F0 .text:000000709EB6A174 .text:000000709EB6A178 01 00 00 14 B loc_709EB6A17C .text:000000709EB6A178 .text:000000709EB6A17C .text:000000709EB6A17C loc_709EB6A17C .text:000000709EB6A17C A8 4A 90 52 68 F1+MOV W8, #0xE78B8255 .text:000000709EB6A17C BC 72 .text:000000709EB6A184 69 2E 40 B9 LDR W9, [X19,#0x2C] .text:000000709EB6A188 1F 01 09 6B CMP W8, W9 .text:000000709EB6A18C E8 17 9F 1A CSET W8, EQ .text:000000709EB6A190 28 0D 00 37 TBNZ W8, #0, loc_709EB6A334 .text:000000709EB6A190 .text:000000709EB6A194 01 00 00 14 B loc_709EB6A198 .text:000000709EB6A194 .text:000000709EB6A198 .text:000000709EB6A198 loc_709EB6A198 .text:000000709EB6A198 C8 CB 8B 52 C8 2E+MOV W8, #0xD9765E5E .text:000000709EB6A198 BB 72 .text:000000709EB6A1A0 69 2E 40 B9 LDR W9, [X19,#0x2C] .text:000000709EB6A1A4 1F 01 09 6B CMP W8, W9 .text:000000709EB6A1A8 E8 17 9F 1A CSET W8, EQ .text:000000709EB6A1AC E8 0C 00 37 TBNZ W8, #0, loc_709EB6A348 .text:000000709EB6A1AC .text:000000709EB6A1B0 01 00 00 14 B loc_709EB6A1B4 .text:000000709EB6A1B0 .text:000000709EB6A1B4 .text:000000709EB6A1B4 loc_709EB6A1B4 .text:000000709EB6A1B4 A8 AB 9E 52 88 EC+MOV W8, #0xF64F55D .text:000000709EB6A1B4 A1 72 .text:000000709EB6A1BC 69 2E 40 B9 LDR W9, [X19,#0x2C] .text:000000709EB6A1C0 1F 01 09 6B CMP W8, W9 .text:000000709EB6A1C4 E8 17 9F 1A CSET W8, EQ .text:000000709EB6A1C8 28 0F 00 37 TBNZ W8, #0, loc_709EB6A3AC .text:000000709EB6A1C8 .text:000000709EB6A1CC 01 00 00 14 B loc_709EB6A1D0 .text:000000709EB6A1CC .text:000000709EB6A1D0 .text:000000709EB6A1D0 loc_709EB6A1D0 .text:000000709EB6A1D0 88 2D 9E 52 C8 CE+MOV W8, #0x6676F16C .text:000000709EB6A1D0 AC 72 .text:000000709EB6A1D8 69 2E 40 B9 LDR W9, [X19,#0x2C] .text:000000709EB6A1DC 1F 01 09 6B CMP W8, W9 .text:000000709EB6A1E0 E8 17 9F 1A CSET W8, EQ .text:000000709EB6A1E4 E8 0F 00 37 TBNZ W8, #0, loc_709EB6A3E0 .text:000000709EB6A1E4 .text:000000709EB6A1E8 01 00 00 14 B loc_709EB6A1EC .text:000000709EB6A1E8 .text:000000709EB6A1EC .text:000000709EB6A1EC loc_709EB6A1EC .text:000000709EB6A1EC C8 C4 81 52 88 04+MOV W8, #0x90240E26 .text:000000709EB6A1EC B2 72 .text:000000709EB6A1F4 69 2E 40 B9 LDR W9, [X19,#0x2C] .text:000000709EB6A1F8 1F 01 09 6B CMP W8, W9 .text:000000709EB6A1FC E8 17 9F 1A CSET W8, EQ .text:000000709EB6A200 A8 0F 00 37 TBNZ W8, #0, loc_709EB6A3F4 .text:000000709EB6A200 .text:000000709EB6A204 01 00 00 14 B loc_709EB6A208 .text:000000709EB6A204 .text:000000709EB6A208 .text:000000709EB6A208 loc_709EB6A208 .text:000000709EB6A208 48 1F 91 52 48 A8+MOV W8, #0x8D4288FA .text:000000709EB6A208 B1 72 .text:000000709EB6A210 69 2E 40 B9 LDR W9, [X19,#0x2C] .text:000000709EB6A214 1F 01 09 6B CMP W8, W9 .text:000000709EB6A218 E8 17 9F 1A CSET W8, EQ .text:000000709EB6A21C C8 0F 00 37 TBNZ W8, #0, loc_709EB6A414 .text:000000709EB6A21C .text:000000709EB6A220 01 00 00 14 B loc_709EB6A224 .text:000000709EB6A220 .text:000000709EB6A224 .text:000000709EB6A224 loc_709EB6A224 .text:000000709EB6A224 A8 ED 81 52 A8 CD+MOV W8, #0x1E6D0F6D .text:000000709EB6A224 A3 72 .text:000000709EB6A22C 69 2E 40 B9 LDR W9, [X19,#0x2C] .text:000000709EB6A230 1F 01 09 6B CMP W8, W9 .text:000000709EB6A234 E8 17 9F 1A CSET W8, EQ .text:000000709EB6A238 88 10 00 37 TBNZ W8, #0, loc_709EB6A448 .text:000000709EB6A238 .text:000000709EB6A23C 01 00 00 14 B loc_709EB6A240 .text:000000709EB6A23C .text:000000709EB6A240 .text:000000709EB6A240 loc_709EB6A240 .text:000000709EB6A240 01 00 00 14 B loc_709EB6A244 .text:000000709EB6A240 .text:000000709EB6A244 .text:000000709EB6A244 loc_709EB6A244 .text:000000709EB6A244 89 00 00 14 B loc_709EB6A468 .text:000000709EB6A244 .text:000000709EB6A248 .text:000000709EB6A248 loc_709EB6A248 .text:000000709EB6A248 68 C2 01 91 ADD X8, X19, #0x70 ; 'p' .text:000000709EB6A24C E2 2B 40 B2 MOV X2, #0x7FF ; nbytes .text:000000709EB6A250 A9 ED 81 52 A9 CD+MOV W9, #0x1E6D0F6D .text:000000709EB6A250 A3 72 .text:000000709EB6A258 EA 03 97 52 CA 4D+MOV W10, #0x4A6EB81F .text:000000709EB6A258 A9 72 .text:000000709EB6A260 0B 00 80 D2 MOV X11, #0 .text:000000709EB6A264 A0 C3 5A B8 LDUR W0, [X29,#var_54] ; fd .text:000000709EB6A268 E1 03 08 AA MOV X1, X8 ; buf .text:000000709EB6A26C 6B 12 00 F9 STR X11, [X19,#0x20] .text:000000709EB6A270 6A 1E 00 B9 STR W10, [X19,#0x1C] .text:000000709EB6A274 69 1A 00 B9 STR W9, [X19,#0x18] .text:000000709EB6A278 42 D8 FD 97 BL .read ; 读maps .text:000000709EB6A278 .text:000000709EB6A27C 68 12 40 F9 LDR X8, [X19,#0x20] .text:000000709EB6A280 1F 00 08 EB CMP X0, X8 .text:000000709EB6A284 E9 07 9F 1A CSET W9, NE .text:000000709EB6A288 3F 01 00 72 TST W9, #1 .text:000000709EB6A28C 69 1E 40 B9 LDR W9, [X19,#0x1C] .text:000000709EB6A290 6A 1A 40 B9 LDR W10, [X19,#0x18] .text:000000709EB6A294 2C 11 8A 1A CSEL W12, W9, W10, NE .text:000000709EB6A298 6B 1A 40 F9 LDR X11, [X19,#0x30] .text:000000709EB6A29C 6C 01 00 B9 STR W12, [X11] .text:000000709EB6A2A0 72 00 00 14 B loc_709EB6A468 .text:000000709EB6A2A0 .text:000000709EB6A2A4 .text:000000709EB6A2A4 loc_709EB6A2A4 .text:000000709EB6A2A4 A8 7E 85 52 28 6F+MOV W8, #0x63792BF5 .text:000000709EB6A2A4 AC 72 .text:000000709EB6A2AC 7F 32 00 F9 STR XZR, [X19,#0x60] .text:000000709EB6A2B0 69 1A 40 F9 LDR X9, [X19,#0x30] .text:000000709EB6A2B4 28 01 00 B9 STR W8, [X9] .text:000000709EB6A2B8 6C 00 00 14 B loc_709EB6A468 .text:000000709EB6A2B8 .text:000000709EB6A2BC .text:000000709EB6A2BC loc_709EB6A2BC .text:000000709EB6A2BC 48 1F 91 52 48 A8+MOV W8, #0x8D4288FA .text:000000709EB6A2BC B1 72 .text:000000709EB6A2C4 C9 FB 95 52 E9 2D+MOV W9, #0xD16FAFDE .text:000000709EB6A2C4 BA 72 .text:000000709EB6A2CC 6A 32 40 F9 LDR X10, [X19,#0x60] .text:000000709EB6A2D0 AB 03 5D F8 LDUR X11, [X29,#var_30] .text:000000709EB6A2D4 5F 01 0B EB CMP X10, X11 .text:000000709EB6A2D8 EC 27 9F 1A CSET W12, CC .text:000000709EB6A2DC 9F 01 00 72 TST W12, #1 .text:000000709EB6A2E0 28 11 88 1A CSEL W8, W9, W8, NE .text:000000709EB6A2E4 6A 1A 40 F9 LDR X10, [X19,#0x30] .text:000000709EB6A2E8 48 01 00 B9 STR W8, [X10] .text:000000709EB6A2EC 5F 00 00 14 B loc_709EB6A468 .text:000000709EB6A2EC .text:000000709EB6A2F0 .text:000000709EB6A2F0 loc_709EB6A2F0 .text:000000709EB6A2F0 C8 CB 8B 52 C8 2E+MOV W8, #0xD9765E5E .text:000000709EB6A2F0 BB 72 .text:000000709EB6A2F8 A9 4A 90 52 69 F1+MOV W9, #0xE78B8255 .text:000000709EB6A2F8 BC 72 .text:000000709EB6A300 EA 03 00 32 MOV W10, #1 .text:000000709EB6A304 AB 83 5C F8 LDUR X11, [X29,#var_38] .text:000000709EB6A308 6C 32 40 F9 LDR X12, [X19,#0x60] .text:000000709EB6A30C 6B 01 0C 8B ADD X11, X11, X12 .text:000000709EB6A310 6D 01 40 39 LDRB W13, [X11] .text:000000709EB6A314 AD 1D 00 53 UXTB W13, W13 .text:000000709EB6A318 BF 01 0A 6B CMP W13, W10 .text:000000709EB6A31C EA 17 9F 1A CSET W10, EQ .text:000000709EB6A320 5F 01 00 72 TST W10, #1 .text:000000709EB6A324 28 11 88 1A CSEL W8, W9, W8, NE .text:000000709EB6A328 6B 1A 40 F9 LDR X11, [X19,#0x30] .text:000000709EB6A32C 68 01 00 B9 STR W8, [X11] ; 字符串解密 .text:000000709EB6A330 4E 00 00 14 B loc_709EB6A468 .text:000000709EB6A330 .text:000000709EB6A334 .text:000000709EB6A334 loc_709EB6A334 .text:000000709EB6A334 C8 C4 81 52 88 04+MOV W8, #0x90240E26 .text:000000709EB6A334 B2 72 .text:000000709EB6A33C 69 1A 40 F9 LDR X9, [X19,#0x30] .text:000000709EB6A340 28 01 00 B9 STR W8, [X9] .text:000000709EB6A344 49 00 00 14 B loc_709EB6A468 .text:000000709EB6A344 .text:000000709EB6A348 .text:000000709EB6A348 loc_709EB6A348 .text:000000709EB6A348 68 C2 01 91 ADD X8, X19, #0x70 ; 'p' .text:000000709EB6A34C E9 03 7D B2 MOV X9, #8 .text:000000709EB6A350 8A 2D 9E 52 CA CE+MOV W10, #0x6676F16C .text:000000709EB6A350 AC 72 .text:000000709EB6A358 AB AB 9E 52 8B EC+MOV W11, #0xF64F55D .text:000000709EB6A358 A1 72 .text:000000709EB6A360 AC 83 5D F8 LDUR X12, [X29,#var_28] .text:000000709EB6A364 6D 32 40 F9 LDR X13, [X19,#0x60] .text:000000709EB6A368 29 7D 0D 9B MUL X9, X9, X13 .text:000000709EB6A36C 89 01 09 8B ADD X9, X12, X9 .text:000000709EB6A370 21 01 40 F9 LDR X1, [X9] ; needle .text:000000709EB6A374 E0 03 08 AA MOV X0, X8 ; haystack .text:000000709EB6A378 6B 16 00 B9 STR W11, [X19,#0x14] .text:000000709EB6A37C 6A 12 00 B9 STR W10, [X19,#0x10] .text:000000709EB6A380 1C D8 FD 97 BL .strstr ; 查找多开特征 .text:000000709EB6A380 .text:000000709EB6A384 68 2E 40 F9 LDR X8, [X19,#0x58] .text:000000709EB6A388 1F 00 08 EB CMP X0, X8 .text:000000709EB6A38C EA 07 9F 1A CSET W10, NE .text:000000709EB6A390 5F 01 00 72 TST W10, #1 .text:000000709EB6A394 6A 16 40 B9 LDR W10, [X19,#0x14] .text:000000709EB6A398 6B 12 40 B9 LDR W11, [X19,#0x10] .text:000000709EB6A39C 4E 11 8B 1A CSEL W14, W10, W11, NE .text:000000709EB6A3A0 69 1A 40 F9 LDR X9, [X19,#0x30] .text:000000709EB6A3A4 2E 01 00 B9 STR W14, [X9] .text:000000709EB6A3A8 30 00 00 14 B loc_709EB6A468 .text:000000709EB6A3A8 .text:000000709EB6A3AC .text:000000709EB6A3AC loc_709EB6A3AC .text:000000709EB6A3AC 88 2D 9E 52 C8 CE+MOV W8, #0x6676F16C .text:000000709EB6A3AC AC 72 .text:000000709EB6A3B4 A9 83 5C F8 LDUR X9, [X29,#var_38] .text:000000709EB6A3B8 6A 32 40 F9 LDR X10, [X19,#0x60] .text:000000709EB6A3BC 29 01 0A 8B ADD X9, X9, X10 .text:000000709EB6A3C0 6B 56 40 B9 LDR W11, [X19,#0x54] .text:000000709EB6A3C4 2B 01 00 39 STRB W11, [X9] .text:000000709EB6A3C8 69 36 40 F9 LDR X9, [X19,#0x68] .text:000000709EB6A3CC 29 05 00 91 ADD X9, X9, #1 .text:000000709EB6A3D0 69 36 00 F9 STR X9, [X19,#0x68] .text:000000709EB6A3D4 69 1A 40 F9 LDR X9, [X19,#0x30] .text:000000709EB6A3D8 28 01 00 B9 STR W8, [X9] .text:000000709EB6A3DC 23 00 00 14 B loc_709EB6A468 .text:000000709EB6A3DC .text:000000709EB6A3E0 .text:000000709EB6A3E0 loc_709EB6A3E0 .text:000000709EB6A3E0 C8 C4 81 52 88 04+MOV W8, #0x90240E26 .text:000000709EB6A3E0 B2 72 .text:000000709EB6A3E8 69 1A 40 F9 LDR X9, [X19,#0x30] .text:000000709EB6A3EC 28 01 00 B9 STR W8, [X9] .text:000000709EB6A3F0 1E 00 00 14 B loc_709EB6A468 .text:000000709EB6A3F0 .text:000000709EB6A3F4 .text:000000709EB6A3F4 loc_709EB6A3F4 .text:000000709EB6A3F4 A8 7E 85 52 28 6F+MOV W8, #0x63792BF5 .text:000000709EB6A3F4 AC 72 .text:000000709EB6A3FC 69 32 40 F9 LDR X9, [X19,#0x60] .text:000000709EB6A400 29 05 00 91 ADD X9, X9, #1 .text:000000709EB6A404 69 32 00 F9 STR X9, [X19,#0x60] .text:000000709EB6A408 69 1A 40 F9 LDR X9, [X19,#0x30] .text:000000709EB6A40C 28 01 00 B9 STR W8, [X9] .text:000000709EB6A410 16 00 00 14 B loc_709EB6A468 .text:000000709EB6A410 .text:000000709EB6A414 .text:000000709EB6A414 loc_709EB6A414 .text:000000709EB6A414 68 C2 01 91 ADD X8, X19, #0x70 ; 'p' .text:000000709EB6A418 49 19 97 52 A9 CA+MOV W9, #0x9E55B8CA .text:000000709EB6A418 B3 72 .text:000000709EB6A420 E2 03 75 B2 MOV X2, #0x800 ; size_t .text:000000709EB6A424 0A 00 80 52 MOV W10, #0 .text:000000709EB6A428 E0 03 08 AA MOV X0, X8 ; void * .text:000000709EB6A42C E1 03 0A 2A MOV W1, W10 ; int .text:000000709EB6A430 69 0E 00 B9 STR W9, [X19,#0xC] .text:000000709EB6A434 4F D8 FD 97 BL .memset .text:000000709EB6A434 .text:000000709EB6A438 69 0E 40 B9 LDR W9, [X19,#0xC] .text:000000709EB6A43C 68 1A 40 F9 LDR X8, [X19,#0x30] .text:000000709EB6A440 09 01 00 B9 STR W9, [X8] .text:000000709EB6A444 09 00 00 14 B loc_709EB6A468 .text:000000709EB6A444 .text:000000709EB6A448 .text:000000709EB6A448 loc_709EB6A448 .text:000000709EB6A448 A0 C3 5A B8 LDUR W0, [X29,#var_54] ; fd .text:000000709EB6A44C 81 D7 FD 97 BL .close .text:000000709EB6A44C .text:000000709EB6A450 68 36 40 F9 LDR X8, [X19,#0x68] .text:000000709EB6A454 E0 03 08 AA MOV X0, X8 .text:000000709EB6A458 BF 43 00 D1 SUB SP, X29, #0x10 .text:000000709EB6A45C FD 7B 41 A9 LDP X29, X30, [SP,#0x10+var_s0] .text:000000709EB6A460 FC 4F C2 A8 LDP X28, X19, [SP+0x10+var_10],#0x20 .text:000000709EB6A464 C0 03 5F D6 RET
5.3、检测xposed
反射loadclass检测是否有xposed
getSystemClassLoader loadClass de/robv/android/xposed/XposedBridge .text:000000709EAFB72C laodclass_sub_73683BA72C .text:000000709EAFB72C .text:000000709EAFB72C var_38= -0x38 .text:000000709EAFB72C var_30= -0x30 .text:000000709EAFB72C var_28= -0x28 .text:000000709EAFB72C var_20= -0x20 .text:000000709EAFB72C var_18= -0x18 .text:000000709EAFB72C var_10= -0x10 .text:000000709EAFB72C .text:000000709EAFB72C ; __unwind { // 1000 .text:000000709EAFB72C FF 03 01 D1 SUB SP, SP, #0x40 .text:000000709EAFB730 FE 1B 00 F9 STR X30, [SP,#0x40+var_10] .text:000000709EAFB734 E0 17 00 F9 STR X0, [SP,#0x40+var_18] .text:000000709EAFB738 E1 13 00 F9 STR X1, [SP,#0x40+var_20] .text:000000709EAFB73C E2 0F 00 F9 STR X2, [SP,#0x40+var_28] .text:000000709EAFB740 E3 0B 00 F9 STR X3, [SP,#0x40+var_30] .text:000000709EAFB744 E4 07 00 F9 STR X4, [SP,#0x40+var_38] .text:000000709EAFB748 E0 17 40 F9 LDR X0, [SP,#0x40+var_18] .text:000000709EAFB74C E1 13 40 F9 LDR X1, [SP,#0x40+var_20] .text:000000709EAFB750 E2 0F 40 F9 LDR X2, [SP,#0x40+var_28] .text:000000709EAFB754 E3 0B 40 F9 LDR X3, [SP,#0x40+var_30] .text:000000709EAFB758 E4 07 40 F9 LDR X4, [SP,#0x40+var_38] .text:000000709EAFB75C 50 59 01 94 BL calljavamethond_sub_786D1CFC9C .text:000000709EAFB75C .text:000000709EAFB760 FE 1B 40 F9 LDR X30, [SP,#0x40+var_10] .text:000000709EAFB764 FF 03 01 91 ADD SP, SP, #0x40 ; '@' .text:000000709EAFB768 C0 03 5F D6 RET
查找进程中是否有包含关键字
xposedbridge libxposed_art.so com.saurik.substrate
5.4、检测magisk
特征 df | grep /sbin/.magisk mount | grep /sbin/.magisk ps | grep magisk strstr /sbin/.magisk /sbin/.magisk .text:000000709EAF75B4 check_magisk_sub_786D1755B4 .text:000000709EAF75B4 .text:000000709EAF75B4 var_FC= -0xFC .text:000000709EAF75B4 var_8= -8 .text:000000709EAF75B4 var_s0= 0 .text:000000709EAF75B4 .text:000000709EAF75B4 ; __unwind { // 1000 .text:000000709EAF75B4 FC 0F 1E F8 STR X28, [SP,#-0x10+var_10]! .text:000000709EAF75B8 FD 7B 01 A9 STP X29, X30, [SP,#0x10+var_s0] .text:000000709EAF75BC FD 43 00 91 ADD X29, SP, #0x10 .text:000000709EAF75C0 FF C3 05 D1 SUB SP, SP, #0x170 .text:000000709EAF75C4 A8 03 03 D1 SUB X8, X29, #-var_C0 .text:000000709EAF75C8 00 45 00 F9 STR X0, [X8,#0x88] .text:000000709EAF75CC 09 00 80 12 MOV W9, #0xFFFFFFFF .text:000000709EAF75D0 A9 43 1C B8 STUR W9, [X29,#var_3C] .text:000000709EAF75D4 E0 03 1F AA MOV X0, XZR .text:000000709EAF75D8 00 3D 00 F9 STR X0, [X8,#0x78] .text:000000709EAF75DC 00 39 00 F9 STR X0, [X8,#0x70] .text:000000709EAF75E0 00 35 00 F9 STR X0, [X8,#0x68] .text:000000709EAF75E4 00 31 00 F9 STR X0, [X8,#0x60] .text:000000709EAF75E8 00 2D 00 F9 STR X0, [X8,#0x58] .text:000000709EAF75EC 00 29 00 F9 STR X0, [X8,#0x50] .text:000000709EAF75F0 00 25 00 F9 STR X0, [X8,#0x48] .text:000000709EAF75F4 A0 03 18 F8 STUR X0, [X29,#var_80] .text:000000709EAF75F8 A0 83 17 F8 STUR X0, [X29,#var_88] .text:000000709EAF75FC A0 03 17 F8 STUR X0, [X29,#var_90] .text:000000709EAF7600 A0 83 16 F8 STUR X0, [X29,#var_98] .text:000000709EAF7604 A0 03 16 F8 STUR X0, [X29,#var_A0] .text:000000709EAF7608 A0 83 15 F8 STUR X0, [X29,#var_A8] .text:000000709EAF760C A0 03 15 F8 STUR X0, [X29,#var_B0] .text:000000709EAF7610 A0 83 14 F8 STUR X0, [X29,#var_B8] .text:000000709EAF7614 A0 03 14 F8 STUR X0, [X29,#var_C0] .text:000000709EAF7618 02 45 40 F9 LDR X2, [X8,#0x88] .text:000000709EAF761C 81 04 00 D0 21 D4+ADRL X1, td_17041652666579103358 ; " %s | grep /sbin/.magisk" .text:000000709EAF761C 2D 91 .text:000000709EAF7624 A0 03 03 D1 SUB X0, X29, #-var_C0 .text:000000709EAF7628 A9 23 00 D1 SUB X9, X29, #-var_8 .text:000000709EAF762C 20 01 10 F8 STUR X0, [X9,#-0x100] .text:000000709EAF7630 A9 43 00 D1 SUB X9, X29, #-var_10 .text:000000709EAF7634 28 01 10 F8 STUR X8, [X9,#-0x100] .text:000000709EAF7638 81 11 00 94 BL sprintf_sub_786D179C3C .text:000000709EAF7638 .text:000000709EAF763C E9 03 16 32 MOV W9, #0x400 .text:000000709EAF7640 A9 C3 13 B8 STUR W9, [X29,#var_C4] .text:000000709EAF7644 A9 C3 53 B8 LDUR W9, [X29,#var_C4] .text:000000709EAF7648 E8 03 09 2A MOV W8, W9 .text:000000709EAF764C E1 03 00 91 MOV X1, SP .text:000000709EAF7650 A1 03 13 F8 STUR X1, [X29,#var_D0] .text:000000709EAF7654 08 3D 00 91 ADD X8, X8, #0xF .text:000000709EAF7658 08 71 7C 92 AND X8, X8, #0x1FFFFFFF0 .text:000000709EAF765C E1 03 00 91 MOV X1, SP .text:000000709EAF7660 28 00 08 EB SUBS X8, X1, X8 .text:000000709EAF7664 1F 01 00 91 MOV SP, X8 .text:000000709EAF7668 E1 03 08 AA MOV X1, X8 .text:000000709EAF766C A2 C3 93 B8 LDURSW X2, [X29,#var_C4] ; size_t .text:000000709EAF7670 E9 03 1F 2A MOV W9, WZR .text:000000709EAF7674 AA 53 00 D1 SUB X10, X29, #-var_14 .text:000000709EAF7678 40 01 10 B8 STUR W0, [X10,#-0x100] .text:000000709EAF767C E0 03 08 AA MOV X0, X8 ; void * .text:000000709EAF7680 A8 83 00 D1 SUB X8, X29, #-var_20 .text:000000709EAF7684 01 01 10 F8 STUR X1, [X8,#-0x100] .text:000000709EAF7688 E1 03 09 2A MOV W1, W9 ; int .text:000000709EAF768C B9 A3 FF 97 BL .memset .text:000000709EAF768C .text:000000709EAF7690 C1 04 00 90 21 78+ADRL X1, td_9163600524673654173 ; modes .text:000000709EAF7690 27 91 .text:000000709EAF7698 A8 23 00 D1 SUB X8, X29, #-var_8 .text:000000709EAF769C 08 01 50 F8 LDUR X8, [X8,#-0x100] .text:000000709EAF76A0 A9 A3 00 D1 SUB X9, X29, #-var_28 .text:000000709EAF76A4 20 01 10 F8 STUR X0, [X9,#-0x100] .text:000000709EAF76A8 E0 03 08 AA MOV X0, X8 ; command .text:000000709EAF76AC 89 A3 FF 97 BL .popen ; 执行命令 .text:000000709EAF76AC .text:000000709EAF76B0 A8 43 00 D1 SUB X8, X29, #-var_10 .text:000000709EAF76B4 08 01 50 F8 LDUR X8, [X8,#-0x100] .text:000000709EAF76B8 00 4D 00 F9 STR X0, [X8,#0x98] .text:000000709EAF76BC 00 4D 40 F9 LDR X0, [X8,#0x98] .text:000000709EAF76C0 A0 83 12 F8 STUR X0, [X29,#var_D8] .text:000000709EAF76C4 89 2C 97 52 69 B0+MOV W9, #0xED83B964 .text:000000709EAF76C4 BD 72 .text:000000709EAF76CC A9 43 10 B8 STUR W9, [X29,#var_FC] .text:000000709EAF76D0 01 00 00 14 B loc_709EAF76D4 .text:000000709EAF76D0 .text:000000709EAF76D4 .text:000000709EAF76D4 loc_709EAF76D4 .text:000000709EAF76D4 A8 43 50 B8 LDUR W8, [X29,#var_FC] .text:000000709EAF76D8 E9 03 08 2A MOV W9, W8 .text:000000709EAF76DC AA 73 83 52 2A E7+MOV W10, #0x87391B9D .text:000000709EAF76DC B0 72 .text:000000709EAF76E4 08 01 0A 6B SUBS W8, W8, W10 .text:000000709EAF76E8 AA B3 00 D1 SUB X10, X29, #-var_2C .text:000000709EAF76EC 49 01 10 B8 STUR W9, [X10,#-0x100] .text:000000709EAF76F0 A9 C3 00 D1 SUB X9, X29, #-var_30 .text:000000709EAF76F4 28 01 10 B8 STUR W8, [X9,#-0x100] .text:000000709EAF76F8 80 15 00 54 B.EQ loc_709EAF79A8 .text:000000709EAF76F8 .text:000000709EAF76FC 01 00 00 14 B loc_709EAF7700 .text:000000709EAF76FC .text:000000709EAF7700 .text:000000709EAF7700 loc_709EAF7700 .text:000000709EAF7700 48 87 82 52 88 E3+MOV W8, #0xC71C143A .text:000000709EAF7700 B8 72 .text:000000709EAF7708 A9 B3 00 D1 SUB X9, X29, #-var_2C .text:000000709EAF770C 29 01 50 B8 LDUR W9, [X9,#-0x100] .text:000000709EAF7710 28 01 08 6B SUBS W8, W9, W8 .text:000000709EAF7714 A9 D3 00 D1 SUB X9, X29, #-var_34 .text:000000709EAF7718 28 01 10 B8 STUR W8, [X9,#-0x100] .text:000000709EAF771C 00 18 00 54 B.EQ loc_709EAF7A1C .text:000000709EAF771C .text:000000709EAF7720 01 00 00 14 B loc_709EAF7724 .text:000000709EAF7720 .text:000000709EAF7724 .text:000000709EAF7724 loc_709EAF7724 .text:000000709EAF7724 08 01 9D 52 68 89+MOV W8, #0xD44BE808 .text:000000709EAF7724 BA 72 .text:000000709EAF772C A9 B3 00 D1 SUB X9, X29, #-var_2C .text:000000709EAF7730 29 01 50 B8 LDUR W9, [X9,#-0x100] .text:000000709EAF7734 28 01 08 6B SUBS W8, W9, W8 .text:000000709EAF7738 A9 E3 00 D1 SUB X9, X29, #-var_38 .text:000000709EAF773C 28 01 10 B8 STUR W8, [X9,#-0x100] .text:000000709EAF7740 20 1A 00 54 B.EQ loc_709EAF7A84 .text:000000709EAF7740 .text:000000709EAF7744 01 00 00 14 B loc_709EAF7748 .text:000000709EAF7744 .text:000000709EAF7748 .text:000000709EAF7748 loc_709EAF7748 .text:000000709EAF7748 88 2C 97 52 68 B0+MOV W8, #0xED83B964 .text:000000709EAF7748 BD 72 .text:000000709EAF7750 A9 B3 00 D1 SUB X9, X29, #-var_2C .text:000000709EAF7754 29 01 50 B8 LDUR W9, [X9,#-0x100] .text:000000709EAF7758 28 01 08 6B SUBS W8, W9, W8 .text:000000709EAF775C A9 F3 00 D1 SUB X9, X29, #-var_3C .text:000000709EAF7760 28 01 10 B8 STUR W8, [X9,#-0x100] .text:000000709EAF7764 40 08 00 54 B.EQ loc_709EAF786C .text:000000709EAF7764 .text:000000709EAF7768 01 00 00 14 B loc_709EAF776C .text:000000709EAF7768 .text:000000709EAF776C .text:000000709EAF776C loc_709EAF776C .text:000000709EAF776C 48 0E 8C 52 88 A1+MOV W8, #0xFD0C6072 .text:000000709EAF776C BF 72 .text:000000709EAF7774 A9 B3 00 D1 SUB X9, X29, #-var_2C .text:000000709EAF7778 29 01 50 B8 LDUR W9, [X9,#-0x100] .text:000000709EAF777C 28 01 08 6B SUBS W8, W9, W8 .text:000000709EAF7780 A9 03 01 D1 SUB X9, X29, #-var_40 .text:000000709EAF7784 28 01 10 B8 STUR W8, [X9,#-0x100] .text:000000709EAF7788 C0 18 00 54 B.EQ loc_709EAF7AA0 .text:000000709EAF7788 .text:000000709EAF778C 01 00 00 14 B loc_709EAF7790 .text:000000709EAF778C .text:000000709EAF7790 .text:000000709EAF7790 loc_709EAF7790 .text:000000709EAF7790 A8 23 87 52 68 B4+MOV W8, #0xFDA3391D .text:000000709EAF7790 BF 72 .text:000000709EAF7798 A9 B3 00 D1 SUB X9, X29, #-var_2C .text:000000709EAF779C 29 01 50 B8 LDUR W9, [X9,#-0x100] .text:000000709EAF77A0 28 01 08 6B SUBS W8, W9, W8 .text:000000709EAF77A4 A9 13 01 D1 SUB X9, X29, #-var_44 .text:000000709EAF77A8 28 01 10 B8 STUR W8, [X9,#-0x100] .text:000000709EAF77AC E0 14 00 54 B.EQ loc_709EAF7A48 .text:000000709EAF77AC .text:000000709EAF77B0 01 00 00 14 B loc_709EAF77B4 .text:000000709EAF77B0 .text:000000709EAF77B4 .text:000000709EAF77B4 loc_709EAF77B4 .text:000000709EAF77B4 E8 15 90 52 A8 8E+MOV W8, #0x147580AF .text:000000709EAF77B4 A2 72 .text:000000709EAF77BC A9 B3 00 D1 SUB X9, X29, #-var_2C .text:000000709EAF77C0 29 01 50 B8 LDUR W9, [X9,#-0x100] .text:000000709EAF77C4 28 01 08 6B SUBS W8, W9, W8 .text:000000709EAF77C8 A9 23 01 D1 SUB X9, X29, #-var_48 .text:000000709EAF77CC 28 01 10 B8 STUR W8, [X9,#-0x100] .text:000000709EAF77D0 80 07 00 54 B.EQ loc_709EAF78C0 .text:000000709EAF77D0 .text:000000709EAF77D4 01 00 00 14 B loc_709EAF77D8 .text:000000709EAF77D4 .text:000000709EAF77D8 .text:000000709EAF77D8 loc_709EAF77D8 .text:000000709EAF77D8 28 D8 87 52 88 44+MOV W8, #0x62243EC1 .text:000000709EAF77D8 AC 72 .text:000000709EAF77E0 A9 B3 00 D1 SUB X9, X29, #-var_2C .text:000000709EAF77E4 29 01 50 B8 LDUR W9, [X9,#-0x100] .text:000000709EAF77E8 28 01 08 6B SUBS W8, W9, W8 .text:000000709EAF77EC A9 33 01 D1 SUB X9, X29, #-var_4C .text:000000709EAF77F0 28 01 10 B8 STUR W8, [X9,#-0x100] .text:000000709EAF77F4 80 0F 00 54 B.EQ loc_709EAF79E4 .text:000000709EAF77F4 .text:000000709EAF77F8 01 00 00 14 B loc_709EAF77FC .text:000000709EAF77F8 .text:000000709EAF77FC .text:000000709EAF77FC loc_709EAF77FC .text:000000709EAF77FC 48 8D 8B 52 28 E2+MOV W8, #0x67115C6A .text:000000709EAF77FC AC 72 .text:000000709EAF7804 A9 B3 00 D1 SUB X9, X29, #-var_2C .text:000000709EAF7808 29 01 50 B8 LDUR W9, [X9,#-0x100] .text:000000709EAF780C 28 01 08 6B SUBS W8, W9, W8 .text:000000709EAF7810 A9 43 01 D1 SUB X9, X29, #-var_50 .text:000000709EAF7814 28 01 10 B8 STUR W8, [X9,#-0x100] .text:000000709EAF7818 00 11 00 54 B.EQ loc_709EAF7A38 .text:000000709EAF7818 .text:000000709EAF781C 01 00 00 14 B loc_709EAF7820 .text:000000709EAF781C .text:000000709EAF7820 .text:000000709EAF7820 loc_709EAF7820 .text:000000709EAF7820 68 82 99 52 88 24+MOV W8, #0x7924CC13 .text:000000709EAF7820 AF 72 .text:000000709EAF7828 A9 B3 00 D1 SUB X9, X29, #-var_2C .text:000000709EAF782C 29 01 50 B8 LDUR W9, [X9,#-0x100] .text:000000709EAF7830 28 01 08 6B SUBS W8, W9, W8 .text:000000709EAF7834 A9 53 01 D1 SUB X9, X29, #-var_54 .text:000000709EAF7838 28 01 10 B8 STUR W8, [X9,#-0x100] .text:000000709EAF783C 20 03 00 54 B.EQ loc_709EAF78A0 .text:000000709EAF783C .text:000000709EAF7840 01 00 00 14 B loc_709EAF7844 .text:000000709EAF7840 .text:000000709EAF7844 .text:000000709EAF7844 loc_709EAF7844 .text:000000709EAF7844 A8 9D 8F 52 A8 94+MOV W8, #0x7CA57CED .text:000000709EAF7844 AF 72 .text:000000709EAF784C A9 B3 00 D1 SUB X9, X29, #-var_2C .text:000000709EAF7850 29 01 50 B8 LDUR W9, [X9,#-0x100] .text:000000709EAF7854 28 01 08 6B SUBS W8, W9, W8 .text:000000709EAF7858 A9 63 01 D1 SUB X9, X29, #-var_58 .text:000000709EAF785C 28 01 10 B8 STUR W8, [X9,#-0x100] .text:000000709EAF7860 00 13 00 54 B.EQ loc_709EAF7AC0 .text:000000709EAF7860 .text:000000709EAF7864 01 00 00 14 B loc_709EAF7868 .text:000000709EAF7864 .text:000000709EAF7868 .text:000000709EAF7868 loc_709EAF7868 .text:000000709EAF7868 9D 00 00 14 B loc_709EAF7ADC .text:000000709EAF7868 .text:000000709EAF786C .text:000000709EAF786C loc_709EAF786C .text:000000709EAF786C A8 43 00 D1 SUB X8, X29, #-var_10 .text:000000709EAF7870 08 01 50 F8 LDUR X8, [X8,#-0x100] .text:000000709EAF7874 09 4D 40 F9 LDR X9, [X8,#0x98] .text:000000709EAF7878 29 01 00 F1 SUBS X9, X9, #0 .text:000000709EAF787C EA 15 90 52 AA 8E+MOV W10, #0x147580AF .text:000000709EAF787C A2 72 .text:000000709EAF7884 6B 82 99 52 8B 24+MOV W11, #0x7924CC13 .text:000000709EAF7884 AF 72 .text:000000709EAF788C 6A 01 8A 1A CSEL W10, W11, W10, EQ .text:000000709EAF7890 AA 43 10 B8 STUR W10, [X29,#var_FC] .text:000000709EAF7894 A8 83 01 D1 SUB X8, X29, #-var_60 .text:000000709EAF7898 09 01 10 F8 STUR X9, [X8,#-0x100] .text:000000709EAF789C 90 00 00 14 B loc_709EAF7ADC .text:000000709EAF789C .text:000000709EAF78A0 .text:000000709EAF78A0 loc_709EAF78A0 .text:000000709EAF78A0 E8 03 1F 2A MOV W8, WZR .text:000000709EAF78A4 A8 43 1D B8 STUR W8, [X29,#var_2C] .text:000000709EAF78A8 E8 03 00 32 MOV W8, #1 .text:000000709EAF78AC A8 43 12 B8 STUR W8, [X29,#var_DC] .text:000000709EAF78B0 A8 9D 8F 52 A8 94+MOV W8, #0x7CA57CED .text:000000709EAF78B0 AF 72 .text:000000709EAF78B8 A8 43 10 B8 STUR W8, [X29,#var_FC] .text:000000709EAF78BC 88 00 00 14 B loc_709EAF7ADC .text:000000709EAF78BC .text:000000709EAF78C0 .text:000000709EAF78C0 loc_709EAF78C0 .text:000000709EAF78C0 E8 03 1F 2A MOV W8, WZR .text:000000709EAF78C4 A8 03 12 B8 STUR W8, [X29,#var_E0] .text:000000709EAF78C8 49 1E 80 52 MOV W9, #0xF2 .text:000000709EAF78CC A9 83 10 38 STURB W9, [X29,#var_F8] .text:000000709EAF78D0 EA 06 80 52 MOV W10, #0x37 ; '7' .text:000000709EAF78D4 AA 93 10 38 STURB W10, [X29,#var_F7] .text:000000709EAF78D8 CB 04 80 52 MOV W11, #0x26 ; '&' .text:000000709EAF78DC AB A3 10 38 STURB W11, [X29,#var_F6] .text:000000709EAF78E0 CB 12 80 52 MOV W11, #0x96 .text:000000709EAF78E4 AB B3 10 38 STURB W11, [X29,#var_F5] .text:000000709EAF78E8 CC 1C 80 52 MOV W12, #0xE6 .text:000000709EAF78EC AC C3 10 38 STURB W12, [X29,#var_F4] .text:000000709EAF78F0 A9 D3 10 38 STURB W9, [X29,#var_F3] .text:000000709EAF78F4 49 1C 80 52 MOV W9, #0xE2 .text:000000709EAF78F8 A9 E3 10 38 STURB W9, [X29,#var_F2] .text:000000709EAF78FC C9 1A 80 52 MOV W9, #0xD6 .text:000000709EAF7900 A9 F3 10 38 STURB W9, [X29,#var_F1] .text:000000709EAF7904 C9 02 80 52 MOV W9, #0x16 .text:000000709EAF7908 A9 03 11 38 STURB W9, [X29,#var_F0] .text:000000709EAF790C C9 0E 80 52 MOV W9, #0x76 ; 'v' .text:000000709EAF7910 A9 13 11 38 STURB W9, [X29,#var_EF] .text:000000709EAF7914 AB 23 11 38 STURB W11, [X29,#var_EE] .text:000000709EAF7918 AA 33 11 38 STURB W10, [X29,#var_ED] .text:000000709EAF791C C9 16 80 52 MOV W9, #0xB6 .text:000000709EAF7920 A9 43 11 38 STURB W9, [X29,#var_EC] .text:000000709EAF7924 A8 53 11 38 STURB W8, [X29,#var_EB] .text:000000709EAF7928 AD E3 03 D1 SUB X13, X29, #-var_F8 .text:000000709EAF792C A8 43 00 D1 SUB X8, X29, #-var_10 .text:000000709EAF7930 0E 01 50 F8 LDUR X14, [X8,#-0x100] .text:000000709EAF7934 CD 55 00 F9 STR X13, [X14,#0xA8] .text:000000709EAF7938 CD 55 40 F9 LDR X13, [X14,#0xA8] .text:000000709EAF793C CD 51 00 F9 STR X13, [X14,#0xA0] .text:000000709EAF7940 01 00 00 14 B loc_709EAF7944 .text:000000709EAF7940 .text:000000709EAF7944 .text:000000709EAF7944 loc_709EAF7944 .text:000000709EAF7944 A8 43 00 D1 SUB X8, X29, #-var_10 .text:000000709EAF7948 08 01 50 F8 LDUR X8, [X8,#-0x100] .text:000000709EAF794C 09 55 40 F9 LDR X9, [X8,#0xA8] .text:000000709EAF7950 2A 01 40 39 LDRB W10, [X9] .text:000000709EAF7954 AA 01 00 34 CBZ W10, loc_709EAF7988 .text:000000709EAF7954 .text:000000709EAF7958 01 00 00 14 B loc_709EAF795C .text:000000709EAF7958 .text:000000709EAF795C .text:000000709EAF795C loc_709EAF795C .text:000000709EAF795C A8 43 00 D1 SUB X8, X29, #-var_10 .text:000000709EAF7960 08 01 50 F8 LDUR X8, [X8,#-0x100] .text:000000709EAF7964 09 55 40 F9 LDR X9, [X8,#0xA8] .text:000000709EAF7968 2A 01 40 39 LDRB W10, [X9] .text:000000709EAF796C 4B 7D 04 53 LSR W11, W10, #4 .text:000000709EAF7970 4B 1D 1C 33 BFI W11, W10, #4, #8 .text:000000709EAF7974 2B 01 00 39 STRB W11, [X9] .text:000000709EAF7978 09 55 40 F9 LDR X9, [X8,#0xA8] .text:000000709EAF797C 29 05 00 91 ADD X9, X9, #1 .text:000000709EAF7980 09 55 00 F9 STR X9, [X8,#0xA8] .text:000000709EAF7984 F0 FF FF 17 B loc_709EAF7944 .text:000000709EAF7984 .text:000000709EAF7988 .text:000000709EAF7988 loc_709EAF7988 .text:000000709EAF7988 A8 43 00 D1 SUB X8, X29, #-var_10 .text:000000709EAF798C 08 01 50 F8 LDUR X8, [X8,#-0x100] .text:000000709EAF7990 09 51 40 F9 LDR X9, [X8,#0xA0] .text:000000709EAF7994 A9 83 11 F8 STUR X9, [X29,#var_E8] .text:000000709EAF7998 AA 73 83 52 2A E7+MOV W10, #0x87391B9D .text:000000709EAF7998 B0 72 .text:000000709EAF79A0 AA 43 10 B8 STUR W10, [X29,#var_FC] .text:000000709EAF79A4 4E 00 00 14 B loc_709EAF7ADC .text:000000709EAF79A4 .text:000000709EAF79A8 .text:000000709EAF79A8 loc_709EAF79A8 .text:000000709EAF79A8 A1 C3 53 B8 LDUR W1, [X29,#var_C4] ; n .text:000000709EAF79AC A2 83 52 F8 LDUR X2, [X29,#var_D8] ; stream .text:000000709EAF79B0 A8 83 00 D1 SUB X8, X29, #-var_20 .text:000000709EAF79B4 00 01 50 F8 LDUR X0, [X8,#-0x100] ; s .text:000000709EAF79B8 82 A3 FF 97 BL .fgets .text:000000709EAF79B8 .text:000000709EAF79BC 00 00 00 F1 SUBS X0, X0, #0 .text:000000709EAF79C0 A1 23 87 52 61 B4+MOV W1, #0xFDA3391D .text:000000709EAF79C0 BF 72 .text:000000709EAF79C8 28 D8 87 52 88 44+MOV W8, #0x62243EC1 .text:000000709EAF79C8 AC 72 .text:000000709EAF79D0 08 11 81 1A CSEL W8, W8, W1, NE .text:000000709EAF79D4 A8 43 10 B8 STUR W8, [X29,#var_FC] .text:000000709EAF79D8 A8 A3 01 D1 SUB X8, X29, #-var_68 .text:000000709EAF79DC 00 01 10 F8 STUR X0, [X8,#-0x100] .text:000000709EAF79E0 3F 00 00 14 B loc_709EAF7ADC .text:000000709EAF79E0 .text:000000709EAF79E4 .text:000000709EAF79E4 loc_709EAF79E4 .text:000000709EAF79E4 A1 83 51 F8 LDUR X1, [X29,#var_E8] ; needle .text:000000709EAF79E8 A8 83 00 D1 SUB X8, X29, #-var_20 .text:000000709EAF79EC 00 01 50 F8 LDUR X0, [X8,#-0x100] ; haystack .text:000000709EAF79F0 80 A2 FF 97 BL .strstr ; 查找特征 .text:000000709EAF79F0 .text:000000709EAF79F4 00 00 00 F1 SUBS X0, X0, #0 .text:000000709EAF79F8 48 8D 8B 52 28 E2+MOV W8, #0x67115C6A .text:000000709EAF79F8 AC 72 .text:000000709EAF7A00 49 87 82 52 89 E3+MOV W9, #0xC71C143A .text:000000709EAF7A00 B8 72 .text:000000709EAF7A08 28 11 88 1A CSEL W8, W9, W8, NE .text:000000709EAF7A0C A8 43 10 B8 STUR W8, [X29,#var_FC] .text:000000709EAF7A10 A8 C3 01 D1 SUB X8, X29, #-var_70 .text:000000709EAF7A14 00 01 10 F8 STUR X0, [X8,#-0x100] .text:000000709EAF7A18 31 00 00 14 B loc_709EAF7ADC .text:000000709EAF7A18 .text:000000709EAF7A1C .text:000000709EAF7A1C loc_709EAF7A1C .text:000000709EAF7A1C A8 03 52 B8 LDUR W8, [X29,#var_E0] .text:000000709EAF7A20 08 05 00 11 ADD W8, W8, #1 .text:000000709EAF7A24 A8 03 12 B8 STUR W8, [X29,#var_E0] .text:000000709EAF7A28 A8 23 87 52 68 B4+MOV W8, #0xFDA3391D .text:000000709EAF7A28 BF 72 .text:000000709EAF7A30 A8 43 10 B8 STUR W8, [X29,#var_FC] .text:000000709EAF7A34 2A 00 00 14 B loc_709EAF7ADC .text:000000709EAF7A34 .text:000000709EAF7A38 .text:000000709EAF7A38 loc_709EAF7A38 .text:000000709EAF7A38 A8 73 83 52 28 E7+MOV W8, #0x87391B9D .text:000000709EAF7A38 B0 72 .text:000000709EAF7A40 A8 43 10 B8 STUR W8, [X29,#var_FC] .text:000000709EAF7A44 26 00 00 14 B loc_709EAF7ADC .text:000000709EAF7A44 .text:000000709EAF7A48 .text:000000709EAF7A48 loc_709EAF7A48 .text:000000709EAF7A48 A0 83 52 F8 LDUR X0, [X29,#var_D8] ; stream .text:000000709EAF7A4C F9 A1 FF 97 BL .pclose .text:000000709EAF7A4C .text:000000709EAF7A50 A8 03 52 B8 LDUR W8, [X29,#var_E0] .text:000000709EAF7A54 08 01 00 71 SUBS W8, W8, #0 .text:000000709EAF7A58 49 0E 8C 52 89 A1+MOV W9, #0xFD0C6072 .text:000000709EAF7A58 BF 72 .text:000000709EAF7A60 0A 01 9D 52 6A 89+MOV W10, #0xD44BE808 .text:000000709EAF7A60 BA 72 .text:000000709EAF7A68 49 11 89 1A CSEL W9, W10, W9, NE .text:000000709EAF7A6C A9 43 10 B8 STUR W9, [X29,#var_FC] .text:000000709EAF7A70 A9 D3 01 D1 SUB X9, X29, #-var_74 .text:000000709EAF7A74 20 01 10 B8 STUR W0, [X9,#-0x100] .text:000000709EAF7A78 A9 E3 01 D1 SUB X9, X29, #-var_78 .text:000000709EAF7A7C 28 01 10 B8 STUR W8, [X9,#-0x100] .text:000000709EAF7A80 17 00 00 14 B loc_709EAF7ADC .text:000000709EAF7A80 .text:000000709EAF7A84 .text:000000709EAF7A84 loc_709EAF7A84 .text:000000709EAF7A84 E8 03 00 32 MOV W8, #1 .text:000000709EAF7A88 A8 43 1D B8 STUR W8, [X29,#var_2C] .text:000000709EAF7A8C A8 43 12 B8 STUR W8, [X29,#var_DC] .text:000000709EAF7A90 A8 9D 8F 52 A8 94+MOV W8, #0x7CA57CED .text:000000709EAF7A90 AF 72 .text:000000709EAF7A98 A8 43 10 B8 STUR W8, [X29,#var_FC] .text:000000709EAF7A9C 10 00 00 14 B loc_709EAF7ADC .text:000000709EAF7A9C .text:000000709EAF7AA0 .text:000000709EAF7AA0 loc_709EAF7AA0 .text:000000709EAF7AA0 E8 03 1F 2A MOV W8, WZR .text:000000709EAF7AA4 A8 43 1D B8 STUR W8, [X29,#var_2C] .text:000000709EAF7AA8 E8 03 00 32 MOV W8, #1 .text:000000709EAF7AAC A8 43 12 B8 STUR W8, [X29,#var_DC] .text:000000709EAF7AB0 A8 9D 8F 52 A8 94+MOV W8, #0x7CA57CED .text:000000709EAF7AB0 AF 72 .text:000000709EAF7AB8 A8 43 10 B8 STUR W8, [X29,#var_FC] .text:000000709EAF7ABC 08 00 00 14 B loc_709EAF7ADC .text:000000709EAF7ABC .text:000000709EAF7AC0 .text:000000709EAF7AC0 loc_709EAF7AC0 .text:000000709EAF7AC0 A8 03 53 F8 LDUR X8, [X29,#var_D0] .text:000000709EAF7AC4 1F 01 00 91 MOV SP, X8 .text:000000709EAF7AC8 A0 43 5D B8 LDUR W0, [X29,#var_2C] .text:000000709EAF7ACC BF 43 00 D1 SUB SP, X29, #0x10 .text:000000709EAF7AD0 FD 7B 41 A9 LDP X29, X30, [SP,#0x10+var_s0] .text:000000709EAF7AD4 FC 07 42 F8 LDR X28, [SP+0x10+var_10],#0x20 .text:000000709EAF7AD8 C0 03 5F D6 RET
5.5、检测自动点击
access /data/data/net.aisence.Touchelper /data/data/com.cyjh.mobileanjian /data/data/com.touchsprite.android cn.testin.itestin com.tencent.wetest com.alibaba.mtl.mdp.kguard com.tencent.wetest.softkeyboard com.baidu.crowdtest.mobileinfo
5.6、检测模拟器
access /system/lib/libc_malloc_debug_qemu.so /sys/qemu_trace /system/bin/qemu-props /dev/socket/qemud /dev/qemu_pipe /dev/socket/genyd /dev/socket/baseband_genyd /sys/devices/system/cpu/cpu0/cpufreq/scaling_cur_freq /system/bin/androVM-prop /system/bin/microvirt-prop /system/lib/libdroid4x.so /system/bin/windroyed /system/bin/microvirtd /system/bin/nox-props /system/bin/ttVM-prop /system/bin/droid4x-prop /data/.bluestacks.prop /data/local/tmp/tc/mobileagent /sdcard/.f22 /sdcard/.f22/PhoneInfo.f22 /sdcard/.f22/wxpic /dev/vboxuser /dev/vboxguest /system/bin/genybaseband //查找包名 com.ami.duosupdater.ui com.bluestacks.home com.bluestacks.windowsfilemanager com.bluestacks.settings com.bluestacks.bluestackslocationprovider com.ami.launchmetro com.ami.syncduosservices com.bluestacks.appsettings com.bluestacks.bstfolder com.bluestacks.BstCommandProcessor com.bluestacks.s2p com.kaopu001.tiantianserver __system_property_get init.svc.vbox86-setup init.svc.droid4x init.svc.su_kpbs_daemon init.svc.noxd init.svc.ttVM_x86-setup init.svc.xxkmsg init.svc.microvirtd ro.kernel.android.qemud androVM.vbox_dpi androVM.vbox_graph_mode ro.product.manufacturer persist.phone.id persist.hide_10070 persist.hide_xxxx qemu.sf.fake_camera qemu.sf.lcd_density ro.bootloader init.svc.qemu-props
5.7、检测云手机
access getPackageInfo //比较包名 com.haimawan.cloudappstore com.picoo.launcher com.svox.pico com.baidu.mtc.ysera com.baidu.mtc.new_monkey.test com.baidu.crowdtest.mobileinfo cn.testin.itestin
5.8、采集设备信息
初始化获取设备信息的类名与对应的方法名
000000709EDF9090 00 00 00 00 00 00 00 00 05 00 00 00 61 6E 64 72 ............andr 000000709EDF90A0 6F 69 64 2E 74 65 6C 65 70 68 6F 6E 79 2E 54 65 oid.telephony.Te 000000709EDF90B0 6C 65 70 68 6F 6E 79 4D 61 6E 61 67 65 72 00 00 lephonyManager.. 000000709EDF90C0 00 00 00 00 00 00 00 00 00 00 00 00 67 65 74 44 ............getD 000000709EDF90D0 65 76 69 63 65 49 64 00 00 00 00 00 00 00 00 00 eviceId......... 000000709EDF90E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF90F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF9100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF9110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF9120 00 00 00 00 00 00 00 00 06 00 00 00 61 6E 64 72 ............andr 000000709EDF9130 6F 69 64 2E 74 65 6C 65 70 68 6F 6E 79 2E 54 65 oid.telephony.Te 000000709EDF9140 6C 65 70 68 6F 6E 79 4D 61 6E 61 67 65 72 00 00 lephonyManager.. 000000709EDF9150 00 00 00 00 00 00 00 00 00 00 00 00 67 65 74 56 ............getV 000000709EDF9160 6F 69 63 65 4D 61 69 6C 4E 75 6D 62 65 72 00 00 oiceMailNumber.. 000000709EDF9170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF9180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF9190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF91A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF91B0 00 00 00 00 00 00 00 00 07 00 00 00 61 6E 64 72 ............andr 000000709EDF91C0 6F 69 64 2E 74 65 6C 65 70 68 6F 6E 79 2E 54 65 oid.telephony.Te 000000709EDF91D0 6C 65 70 68 6F 6E 79 4D 61 6E 61 67 65 72 00 00 lephonyManager.. 000000709EDF91E0 00 00 00 00 00 00 00 00 00 00 00 00 67 65 74 53 ............getS 000000709EDF91F0 69 6D 53 65 72 69 61 6C 4E 75 6D 62 65 72 00 00 imSerialNumber.. 000000709EDF9200 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF9210 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF9220 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF9230 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF9240 00 00 00 00 00 00 00 00 08 00 00 00 61 6E 64 72 ............andr 000000709EDF9250 6F 69 64 2E 74 65 6C 65 70 68 6F 6E 79 2E 54 65 oid.telephony.Te 000000709EDF9260 6C 65 70 68 6F 6E 79 4D 61 6E 61 67 65 72 00 00 lephonyManager.. 000000709EDF9270 00 00 00 00 00 00 00 00 00 00 00 00 67 65 74 4E ............getN 000000709EDF9280 65 74 77 6F 72 6B 43 6F 75 6E 74 72 79 49 73 6F etworkCountryIso 000000709EDF9290 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF92A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF92B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF92C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF92D0 00 00 00 00 00 00 00 00 09 00 00 00 61 6E 64 72 ............andr 000000709EDF92E0 6F 69 64 2E 74 65 6C 65 70 68 6F 6E 79 2E 54 65 oid.telephony.Te 000000709EDF92F0 6C 65 70 68 6F 6E 79 4D 61 6E 61 67 65 72 00 00 lephonyManager.. 000000709EDF9300 00 00 00 00 00 00 00 00 00 00 00 00 67 65 74 4E ............getN 000000709EDF9310 65 74 77 6F 72 6B 4F 70 65 72 61 74 6F 72 4E 61 etworkOperatorNa 000000709EDF9320 6D 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 me.............. 000000709EDF9330 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF9340 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF9350 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF9360 00 00 00 00 00 00 00 00 0A 00 00 00 61 6E 64 72 ............andr 000000709EDF9370 6F 69 64 2E 74 65 6C 65 70 68 6F 6E 79 2E 54 65 oid.telephony.Te 000000709EDF9380 6C 65 70 68 6F 6E 79 4D 61 6E 61 67 65 72 00 00 lephonyManager.. 000000709EDF9390 00 00 00 00 00 00 00 00 00 00 00 00 67 65 74 53 ............getS 000000709EDF93A0 69 6D 4F 70 65 72 61 74 6F 72 4E 61 6D 65 00 00 imOperatorName.. 000000709EDF93B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF93C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF93D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF93E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF93F0 00 00 00 00 00 00 00 00 0B 00 00 00 61 6E 64 72 ............andr 000000709EDF9400 6F 69 64 2E 74 65 6C 65 70 68 6F 6E 79 2E 54 65 oid.telephony.Te 000000709EDF9410 6C 65 70 68 6F 6E 79 4D 61 6E 61 67 65 72 00 00 lephonyManager.. 000000709EDF9420 00 00 00 00 00 00 00 00 00 00 00 00 67 65 74 50 ............getP 000000709EDF9430 68 6F 6E 65 54 79 70 65 00 00 00 00 00 00 00 00 honeType........ 000000709EDF9440 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF9450 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF9460 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF9470 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF9480 00 00 00 00 00 00 00 00 0C 00 00 00 61 6E 64 72 ............andr 000000709EDF9490 6F 69 64 2E 74 65 6C 65 70 68 6F 6E 79 2E 54 65 oid.telephony.Te 000000709EDF94A0 6C 65 70 68 6F 6E 79 4D 61 6E 61 67 65 72 00 00 lephonyManager.. 000000709EDF94B0 00 00 00 00 00 00 00 00 00 00 00 00 67 65 74 4E ............getN 000000709EDF94C0 65 74 77 6F 72 6B 54 79 70 65 00 00 00 00 00 00 etworkType...... 000000709EDF94D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF94E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF94F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF9500 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF9510 00 00 00 00 00 00 00 00 0D 00 00 00 61 6E 64 72 ............andr 000000709EDF9520 6F 69 64 2E 74 65 6C 65 70 68 6F 6E 79 2E 54 65 oid.telephony.Te 000000709EDF9530 6C 65 70 68 6F 6E 79 4D 61 6E 61 67 65 72 00 00 lephonyManager.. 000000709EDF9540 00 00 00 00 00 00 00 00 00 00 00 00 67 65 74 43 ............getC 000000709EDF9550 65 6C 6C 4C 6F 63 61 74 69 6F 6E 00 00 00 00 00 ellLocation..... 000000709EDF9560 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF9570 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF9580 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF9590 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF95A0 00 00 00 00 00 00 00 00 0E 00 00 00 61 6E 64 72 ............andr 000000709EDF95B0 6F 69 64 2E 74 65 6C 65 70 68 6F 6E 79 2E 54 65 oid.telephony.Te 000000709EDF95C0 6C 65 70 68 6F 6E 79 4D 61 6E 61 67 65 72 00 00 lephonyManager.. 000000709EDF95D0 00 00 00 00 00 00 00 00 00 00 00 00 67 65 74 44 ............getD 000000709EDF95E0 65 76 69 63 65 53 6F 66 74 77 61 72 65 56 65 72 eviceSoftwareVer 000000709EDF95F0 73 69 6F 6E 00 00 00 00 00 00 00 00 00 00 00 00 sion............ 000000709EDF9600 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF9610 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF9620 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF9630 00 00 00 00 00 00 00 00 0F 00 00 00 61 6E 64 72 ............andr 000000709EDF9640 6F 69 64 2E 6E 65 74 2E 77 69 66 69 2E 57 69 66 oid.net.wifi.Wif 000000709EDF9650 69 49 6E 66 6F 00 00 00 00 00 00 00 00 00 00 00 iInfo........... 000000709EDF9660 00 00 00 00 00 00 00 00 00 00 00 00 67 65 74 4D ............getM 000000709EDF9670 61 63 41 64 64 72 65 73 73 00 00 00 00 00 00 00 acAddress....... 000000709EDF9680 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF9690 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF96A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF96B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF96C0 00 00 00 00 00 00 00 00 10 00 00 00 61 6E 64 72 ............andr 000000709EDF96D0 6F 69 64 2E 6E 65 74 2E 77 69 66 69 2E 57 69 66 oid.net.wifi.Wif 000000709EDF96E0 69 49 6E 66 6F 00 00 00 00 00 00 00 00 00 00 00 iInfo........... 000000709EDF96F0 00 00 00 00 00 00 00 00 00 00 00 00 67 65 74 49 ............getI 000000709EDF9700 70 41 64 64 72 65 73 73 00 00 00 00 00 00 00 00 pAddress........ 000000709EDF9710 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF9720 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF9730 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF9740 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF9750 00 00 00 00 00 00 00 00 11 00 00 00 61 6E 64 72 ............andr 000000709EDF9760 6F 69 64 2E 6E 65 74 2E 77 69 66 69 2E 57 69 66 oid.net.wifi.Wif 000000709EDF9770 69 49 6E 66 6F 00 00 00 00 00 00 00 00 00 00 00 iInfo........... 000000709EDF9780 00 00 00 00 00 00 00 00 00 00 00 00 67 65 74 53 ............getS 000000709EDF9790 53 49 44 00 00 00 00 00 00 00 00 00 00 00 00 00 SID............. 000000709EDF97A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF97B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF97C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF97D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF97E0 00 00 00 00 00 00 00 00 12 00 00 00 61 6E 64 72 ............andr 000000709EDF97F0 6F 69 64 2E 6E 65 74 2E 77 69 66 69 2E 57 69 66 oid.net.wifi.Wif 000000709EDF9800 69 49 6E 66 6F 00 00 00 00 00 00 00 00 00 00 00 iInfo........... 000000709EDF9810 00 00 00 00 00 00 00 00 00 00 00 00 67 65 74 42 ............getB 000000709EDF9820 53 53 49 44 00 00 00 00 00 00 00 00 00 00 00 00 SSID............ 000000709EDF9830 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF9840 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF9850 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF9860 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF9870 00 00 00 00 00 00 00 00 13 00 00 00 61 6E 64 72 ............andr 000000709EDF9880 6F 69 64 2E 6E 65 74 2E 77 69 66 69 2E 57 69 66 oid.net.wifi.Wif 000000709EDF9890 69 4D 61 6E 61 67 65 72 00 00 00 00 00 00 00 00 iManager........ 000000709EDF98A0 00 00 00 00 00 00 00 00 00 00 00 00 67 65 74 43 ............getC 000000709EDF98B0 6F 6E 6E 65 63 74 69 6F 6E 49 6E 66 6F 00 00 00 onnectionInfo... 000000709EDF98C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF98D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF98E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF98F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF9900 00 00 00 00 00 00 00 00 14 00 00 00 61 6E 64 72 ............andr 000000709EDF9910 6F 69 64 2E 6E 65 74 2E 77 69 66 69 2E 57 69 66 oid.net.wifi.Wif 000000709EDF9920 69 4D 61 6E 61 67 65 72 00 00 00 00 00 00 00 00 iManager........ 000000709EDF9930 00 00 00 00 00 00 00 00 00 00 00 00 67 65 74 44 ............getD 000000709EDF9940 68 63 70 49 6E 66 6F 00 00 00 00 00 00 00 00 00 hcpInfo......... 000000709EDF9950 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF9960 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF9970 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF9980 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF9990 00 00 00 00 00 00 00 00 15 00 00 00 61 6E 64 72 ............andr 000000709EDF99A0 6F 69 64 2E 6E 65 74 2E 77 69 66 69 2E 57 69 66 oid.net.wifi.Wif 000000709EDF99B0 69 4D 61 6E 61 67 65 72 00 00 00 00 00 00 00 00 iManager........ 000000709EDF99C0 00 00 00 00 00 00 00 00 00 00 00 00 67 65 74 53 ............getS 000000709EDF99D0 63 61 6E 52 65 73 75 6C 74 73 00 00 00 00 00 00 canResults...... 000000709EDF99E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF99F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF9A00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF9A10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF9A20 00 00 00 00 00 00 00 00 16 00 00 00 6A 61 76 61 ............java 000000709EDF9A30 2E 6E 65 74 2E 4E 65 74 77 6F 72 6B 49 6E 74 65 .net.NetworkInte 000000709EDF9A40 72 66 61 63 65 00 00 00 00 00 00 00 00 00 00 00 rface........... 000000709EDF9A50 00 00 00 00 00 00 00 00 00 00 00 00 67 65 74 4E ............getN 000000709EDF9A60 65 74 77 6F 72 6B 49 6E 74 65 72 66 61 63 65 73 etworkInterfaces 000000709EDF9A70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF9A80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF9A90 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF9AA0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF9AB0 00 00 00 00 00 00 00 00 17 00 00 00 61 6E 64 72 ............andr 000000709EDF9AC0 6F 69 64 2E 6E 65 74 2E 50 72 6F 78 79 00 00 00 oid.net.Proxy... 000000709EDF9AD0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF9AE0 00 00 00 00 00 00 00 00 00 00 00 00 67 65 74 48 ............getH 000000709EDF9AF0 6F 73 74 00 00 00 00 00 00 00 00 00 00 00 00 00 ost............. 000000709EDF9B00 00 00 00 00 00 00 00 00 00 00 00 00 61 6E 64 72 ............andr 000000709EDF9B10 6F 69 64 2E 63 6F 6E 74 65 6E 74 2E 43 6F 6E 74 oid.content.Cont 000000709EDF9B20 65 78 74 00 00 00 00 00 00 00 00 00 00 00 00 00 ext............. 000000709EDF9B30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000709EDF9B40 00 00 00 00 00 00 00 00 18 00 00 00 61 6E 64 72 ............andr 000000709EDF9B50 6F 69 64 2E 6E 65 74 2E 50 72 6F 78 79 00 00 00 oid.net.Proxy...
多层反射获取设备信息
双重反射获取设备信息 forName getDeclaredMethod getModifiers .text:000000709EB03C70 62 9E 43 F9 LDR X2, [X19,#0x738] .text:000000709EB03C74 64 3A 43 F9 LDR X4, [X19,#0x670] .text:000000709EB03C78 60 6A 41 F9 LDR X0, [X19,#0x2D0] .text:000000709EB03C7C 61 66 41 F9 LDR X1, [X19,#0x2C8] .text:000000709EB03C80 63 EA 41 F9 LDR X3, [X19,#0x3D0] .text:000000709EB03C84 68 62 01 F9 STR X8, [X19,#0x2C0] .text:000000709EB03C88 69 5E 01 F9 STR X9, [X19,#0x2B8] .text:000000709EB03C8C 6A 5A 01 F9 STR X10, [X19,#0x2B0] .text:000000709EB03C90 6B AE 02 B9 STR W11, [X19,#0x2AC] .text:000000709EB03C94 6C AA 02 B9 STR W12, [X19,#0x2A8] .text:000000709EB03C98 6D A6 02 B9 STR W13, [X19,#0x2A4] .text:000000709EB03C9C D2 0D 00 94 BL GetStaticMethodID_sub_786D1853E4 ; forName .text:000000709EB0682C 0C 00 80 52 MOV W12, #0 .text:000000709EB06830 60 86 43 F9 LDR X0, [X19,#0x708] .text:000000709EB06834 6D E6 46 B9 LDR W13, [X19,#0x6E4] .text:000000709EB06838 EE 03 0D 2A MOV W14, W13 .text:000000709EB0683C CE 7D 40 93 SXTW X14, W14 .text:000000709EB06840 29 7D 0E 9B MUL X9, X9, X14 .text:000000709EB06844 6E B2 41 F9 LDR X14, [X19,#0x360] .text:000000709EB06848 C9 01 09 8B ADD X9, X14, X9 .text:000000709EB0684C 28 01 08 8B ADD X8, X9, X8 .text:000000709EB06850 E1 03 08 AA MOV X1, X8 .text:000000709EB06854 6C 72 00 B9 STR W12, [X19,#0x70] .text:000000709EB06858 6A 6E 00 B9 STR W10, [X19,#0x6C] .text:000000709EB0685C 6B 6A 00 B9 STR W11, [X19,#0x68] .text:000000709EB06860 A1 89 01 94 BL NewStringUTF_sub_786D1E6EE4 ; 方法名 .text:000000709EB06860 .text:000000709EB06864 60 3A 02 F9 STR X0, [X19,#0x470] .text:000000709EB06868 68 86 43 F9 LDR X8, [X19,#0x708] .text:000000709EB0686C 08 01 40 F9 LDR X8, [X8] .text:000000709EB06870 00 85 40 F9 LDR X0, [X8,#0x108] .text:000000709EB06874 61 86 43 F9 LDR X1, [X19,#0x708] .text:000000709EB06878 62 7E 43 F9 LDR X2, [X19,#0x6F8] .text:000000709EB0687C 63 AE 41 F9 LDR X3, [X19,#0x358] .text:000000709EB06880 64 AA 41 F9 LDR X4, [X19,#0x350] .text:000000709EB06884 00 04 00 94 BL GetMethodID_sub_709EB06884 ; getDeclaredMethod .text:000000709EB06884 .text:000000709EB06888 60 36 02 F9 STR X0, [X19,#0x468] .text:000000709EB0688C 68 86 43 F9 LDR X8, [X19,#0x708] .text:000000709EB06890 08 01 40 F9 LDR X8, [X8] .text:000000709EB06894 00 91 43 F9 LDR X0, [X8,#0x720] .text:000000709EB06898 61 86 43 F9 LDR X1, [X19,#0x708] .text:000000709EB0689C 0E 04 00 94 BL ExceptionCheck_sub_709EB068D4 .text:000000709EB06954 0A 00 80 52 MOV W10, #0 .text:000000709EB06958 6B 86 43 F9 LDR X11, [X19,#0x708] .text:000000709EB0695C 6B 01 40 F9 LDR X11, [X11] .text:000000709EB06960 60 89 40 F9 LDR X0, [X11,#0x110] .text:000000709EB06964 61 86 43 F9 LDR X1, [X19,#0x708] .text:000000709EB06968 62 36 43 F9 LDR X2, [X19,#0x668] .text:000000709EB0696C 63 36 42 F9 LDR X3, [X19,#0x468] .text:000000709EB06970 64 3A 42 F9 LDR X4, [X19,#0x470] .text:000000709EB06974 65 22 43 F9 LDR X5, [X19,#0x640] .text:000000709EB06978 68 62 00 B9 STR W8, [X19,#0x60] .text:000000709EB0697C 69 5E 00 B9 STR W9, [X19,#0x5C] .text:000000709EB06980 6A 5A 00 B9 STR W10, [X19,#0x58] .text:000000709EB06984 E6 03 00 94 BL CallObjectMethod_sub_709EB0691C ; 获取设备信息
其它设备信息:
在跳出VM的Hadnle处下断点即可分析出获取其它的设备信息。
5.9、VM加密设备信息
每获取一次设备信息加密一次,在VM中执行对应Handle加密。
.text000000709EA93920 A8 02 40 B9 LDR W8, [X21] .text:000000709EA93924 98 02 40 F9 LDR X24, [X20] .text:000000709EA93928 09 91 03 51 SUB W9, W8, #0xE4 .text:000000709EA9392C 0A F1 01 51 SUB W10, W8, #0x7C ; '|' .text:000000709EA93930 3F 81 00 71 CMP W9, #0x20 ; ' ' .text:000000709EA93934 48 31 88 1A CSEL W8, W10, W8, CC .text:000000709EA93938 09 1D 03 51 SUB W9, W8, #0xC7 .text:000000709EA9393C 3F 71 00 71 CMP W9, #0x1C .text:000000709EA93940 A8 00 00 54 B.HI loc_709EA93954 .text:000000709EA93940 .text:000000709EA93944 C8 4E 29 8B ADD X8, X22, W9,UXTW#3 .text:000000709EA93948 08 21 40 F9 LDR X8, [X8,#0x40] ; 值的基址,取值 .text:000000709EA9394C 08 03 00 F9 STR X8, [X24] ; 存值 .text:000000709EA93950 37 00 00 14 B loc_709EA93A2C .text:000000709EA941E4 ; __unwind { .text:000000709EA941E4 68 00 02 8B ADD X8, X3, X2 .text:000000709EA941E8 28 00 00 F9 STR X8, [X1] .text:000000709EA941EC C0 03 5F D6 RET .text:000000709EA941EC ; } // starts at 709EA941E4 .text:000000709EA941EC .text:000000709EA941EC .text:000000709EA941F0 .text:000000709EA941F0 .text:000000709EA941F0 .text:000000709EA941F0 sub_709EA941F0 .text:000000709EA941F0 ; __unwind { .text:000000709EA941F0 48 00 03 CB SUB X8, X2, X3 .text:000000709EA941F4 28 00 00 F9 STR X8, [X1] .text:000000709EA941F8 C0 03 5F D6 RET .text:000000709EA941F8 ; } // starts at 709EA941F0 .text:000000709EA941F8 .text:000000709EA941F8 ; End of function sub_709EA941F0 .text:000000709EA941F8 .text:000000709EA941FC .text:000000709EA941FC .text:000000709EA941FC .text:000000709EA941FC SUB_sub_709EA941FC .text:000000709EA941FC ; __unwind { .text:000000709EA941FC 48 00 03 CB SUB X8, X2, X3 .text:000000709EA94200 28 00 00 F9 STR X8, [X1] .text:000000709EA94204 C0 03 5F D6 RET .text:000000709EA94204 ; } // starts at 709EA941FC .text:000000709EA94204 .text:000000709EA94204 ; End of function SUB_sub_709EA941FC .text:000000709EA94204 .text:000000709EA94208 ; __unwind { .text:000000709EA94208 E8 03 01 2A MOV W8, W1 .text:000000709EA9420C 3F 34 00 71 CMP W1, #0xD ; switch 14 cases .text:000000709EA94210 E8 04 00 54 B.HI def_709EA94224 ; .text:000000709EA94210 .text:000000709EA94214 29 00 00 F0 29 C1 38 91 ADRL X9, jpt_709EA94224 .text:000000709EA9421C 28 79 A8 B8 LDRSW X8, [X9,X8,LSL#2] .text:000000709EA94220 08 01 09 8B ADD X8, X8, X9 .text:000000709EA94224 00 01 1F D6 BR X8 ; switch jump
六、加密流程分析
6.1、压缩设备数据
计算设备信息CRC与设备数据组合
.text:000000709EB765F8 EncData_sub_70576365F8 .text:000000709EB765F8 ; __unwind { // 1000 .text:000000709EB765F8 28 7A AB 52 A8 32+MOV W8, #0x5BD1E995 .text:000000709EB765F8 9D 72 .text:000000709EB76600 49 00 01 4A EOR W9, W2, W1 .text:000000709EB76604 2A 10 00 71 SUBS W10, W1, #4 .text:000000709EB76608 E3 01 00 54 B.CC loc_709EB76644 .text:000000709EB76608 .text:000000709EB7660C 4B 75 1E 12 AND W11, W10, #0xFFFFFFFC .text:000000709EB76610 6C 11 00 91 ADD X12, X11, #4 .text:000000709EB76614 ED 03 00 AA MOV X13, X0 .text:000000709EB76614 .text:000000709EB76618 .text:000000709EB76618 loc_709EB76618 .text:000000709EB76618 AE 45 40 B8 LDR W14, [X13],#4 .text:000000709EB7661C 29 7D 08 1B MUL W9, W9, W8 .text:000000709EB76620 21 10 00 51 SUB W1, W1, #4 .text:000000709EB76624 CE 7D 08 1B MUL W14, W14, W8 .text:000000709EB76628 CE 61 4E 4A EOR W14, W14, W14,LSR#24 .text:000000709EB7662C CE 7D 08 1B MUL W14, W14, W8 .text:000000709EB76630 C9 01 09 4A EOR W9, W14, W9 .text:000000709EB76634 3F 0C 00 71 CMP W1, #3 .text:000000709EB76638 08 FF FF 54 B.HI loc_709EB76618 .text:000000709EB76638 .text:000000709EB7663C 41 01 0B 4B SUB W1, W10, W11 .text:000000709EB76640 00 00 0C 8B ADD X0, X0, X12 .text:000000709EB76640 .text:000000709EB76644 .text:000000709EB76644 loc_709EB76644 .text:000000709EB76644 3F 04 00 71 CMP W1, #1 .text:000000709EB76648 20 01 00 54 B.EQ loc_709EB7666C .text:000000709EB76648 .text:000000709EB7664C 3F 08 00 71 CMP W1, #2 .text:000000709EB76650 A0 00 00 54 B.EQ loc_709EB76664 .text:000000709EB76650 .text:000000709EB76654 3F 0C 00 71 CMP W1, #3 .text:000000709EB76658 01 01 00 54 B.NE loc_709EB76678 .text:000000709EB76658 .text:000000709EB7665C 0A 08 40 39 LDRB W10, [X0,#2] .text:000000709EB76660 29 41 0A 4A EOR W9, W9, W10,LSL#16 .text:000000709EB76660 .text:000000709EB76664 .text:000000709EB76664 loc_709EB76664 .text:000000709EB76664 0A 04 40 39 LDRB W10, [X0,#1] .text:000000709EB76668 29 21 0A 4A EOR W9, W9, W10,LSL#8 .text:000000709EB76668 .text:000000709EB7666C .text:000000709EB7666C loc_709EB7666C .text:000000709EB7666C 0A 00 40 39 LDRB W10, [X0] .text:000000709EB76670 49 01 09 4A EOR W9, W10, W9 .text:000000709EB76674 29 7D 08 1B MUL W9, W9, W8 .text:000000709EB76674 .text:000000709EB76678 .text:000000709EB76678 loc_709EB76678 .text:000000709EB76678 29 35 49 4A EOR W9, W9, W9,LSR#13 .text:000000709EB7667C 28 7D 08 1B MUL W8, W9, W8 .text:000000709EB76680 00 3D 48 4A EOR W0, W8, W8,LSR#15 .text:000000709EB76684 C0 03 5F D6 RET
压缩组合后设备数据
__int64 __fastcall sub_705762D9DC(__int64 a1, _QWORD *a2, __int64 a3, __int64 a4, unsigned int a5) { int v5; // w8 int v6; // w0 int v7; // w0 int v8; // w11 unsigned int v10; // [xsp+54h] [xbp-CCh] int i; // [xsp+58h] [xbp-C8h] unsigned int v12; // [xsp+5Ch] [xbp-C4h] __int64 v13; // [xsp+60h] [xbp-C0h] BYREF int v14; // [xsp+68h] [xbp-B8h] __int64 v15; // [xsp+78h] [xbp-A8h] unsigned int v16; // [xsp+80h] [xbp-A0h] __int64 v17; // [xsp+88h] [xbp-98h] __int64 v18; // [xsp+A0h] [xbp-80h] __int64 v19; // [xsp+A8h] [xbp-78h] __int64 v20; // [xsp+B0h] [xbp-70h] unsigned int v21; // [xsp+D4h] [xbp-4Ch] __int64 v22; // [xsp+D8h] [xbp-48h] __int64 v23; // [xsp+E0h] [xbp-40h] _QWORD *v24; // [xsp+E8h] [xbp-38h] __int64 v25; // [xsp+F0h] [xbp-30h] unsigned int v26; // [xsp+FCh] [xbp-24h] __int64 v27; // [xsp+100h] [xbp-20h] __int64 v28; // [xsp+108h] [xbp-18h] v25 = a1; v24 = a2; v23 = a3; v22 = a4; v21 = a5; v13 = a3; v14 = a4; v15 = a1; v16 = *a2; v27 = v16; v28 = *a2; for ( i = 1425515106; ; i = 2121135395 ) { while ( 1 ) { while ( 1 ) { while ( 1 ) { while ( 1 ) { while ( 1 ) { while ( 1 ) { while ( 1 ) { while ( 1 ) { while ( i == 1425515106 ) { if ( v27 == v28 ) v5 = 1946294605; else v5 = 711699392; i = v5; } if ( i != 711699392 ) break; v26 = -5; i = 2121135395; } if ( i != 1946294605 ) break; v18 = 0LL; v19 = 0LL; v20 = 0LL; v12 = sub_709EB6DFD8(&v13, v21, "2.3.3", 112LL); if ( v12 ) v6 = 1708398168; else v6 = -1398807773; i = v6; } if ( i != 1708398168 ) break; v26 = v12; i = 2121135395; } if ( i != -1398807773 ) break; v12 = sub_709EB6ECDC(&v13, 4LL); if ( v12 == 1 ) v7 = 1641238281; else v7 = -1560729400; i = v7; } if ( i != -1560729400 ) break; sub_709EB6E244(&v13); if ( v12 ) v8 = -1477061934; else v8 = -1711647064; i = v8; } if ( i != -1711647064 ) break; i = 584363032; v10 = -5; } if ( i != -1477061934 ) break; i = 584363032; v10 = v12; } if ( i != 584363032 ) break; v26 = v10; i = 2121135395; } if ( i != 1641238281 ) break; *v24 = v17; v12 = sub_709EB6E244(&v13); v26 = v12; } return v26; }
6.2、生成AES KEY IV
随机数组合生成AES KEY IV
gettimeofday srand .text:000000709EB328A0 sprintf_sub_70575F28A0 .text:000000709EB328A0 .text:000000709EB328A0 var_24= -0x24 .text:000000709EB328A0 format= -0x20 .text:000000709EB328A0 s= -0x18 .text:000000709EB328A0 var_10= -0x10 .text:000000709EB328A0 .text:000000709EB328A0 ; __unwind { // 1000 .text:000000709EB328A0 FF C3 00 D1 SUB SP, SP, #0x30 .text:000000709EB328A4 FE 13 00 F9 STR X30, [SP,#0x30+var_10] .text:000000709EB328A8 E0 0F 00 F9 STR X0, [SP,#0x30+s] .text:000000709EB328AC E1 0B 00 F9 STR X1, [SP,#0x30+format] .text:000000709EB328B0 E2 0F 00 B9 STR W2, [SP,#0x30+var_24] .text:000000709EB328B4 E0 0F 40 F9 LDR X0, [SP,#0x30+s] ; s .text:000000709EB328B8 E1 0B 40 F9 LDR X1, [SP,#0x30+format] ; format .text:000000709EB328BC E2 0F 40 B9 LDR W2, [SP,#0x30+var_24] .text:000000709EB328C0 98 B6 FE 97 BL .sprintf .text:000000709EB328C0 .text:000000709EB328C4 FE 13 40 F9 LDR X30, [SP,#0x30+var_10] .text:000000709EB328C8 FF C3 00 91 ADD SP, SP, #0x30 ; '0' .text:000000709EB328CC C0 03 5F D6 RET //生成随机数AES KEY IV fda958f6-07e5-47 KEY e4ae2f7b-96b5-4a IV
6.3、RSA加密AES KEY IV
将随机数AES KEY IV组合成一个字符串fda958f6-07e5-47e4ae2f7b-96b5-4a,RSA私钥加密该字符串。
RSA私钥:(隐去部分)
MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBALE2OfQ8BYg9Lq4nKGTamXyia6raCc1adzCOsFrnk/VN0s2W8yQJfYdq+QUNRHv0zANW0Uafh7nHCWeBn/GOC26xTsUku3/ElECGthT5ED0MOO8EQ6dhci4So/Y/fNuAczqDFk5RKRbmo1gz7xuCdUTQYmD+h1cjl95HGrY6TMinAgMBAAECgYBCHYwjvh0GRmVbHkrozdID+QkYdj6/+eeMG0BauhmupLlocNAH+u51joiXxOpvINbYzBRKOAzIWCT/FBKbabaDl5IhuUwV+CJ90SBLAbs/Wd+QjnUhXbyKb+Tm3+Uz2y26xWc7XdhGNe3Wjyz2+fN8CbfdC2SlUnibADOEQXJFIQJBAOUgSH/+uyIJKo6DOHJSfrhDlYX875H4Yq8ifuS1R7hQcK5T8sYV/OIzTRSvFaYL+FG8nA9vr8rulojcDPYzqrcCQQDF/yuUtb1wliR+zH7iE/5pv0dGfuwhSec777TYuLEP6VnX68zI/Kyq2JdIYYO7MidjH4bFd50NnRacHi3AtKGRAkEAiU+Gg0Y6CVSq70sOSdzMWksOUYTaYYUURtaKay+Ecp2qWZ6vkCxfJ4QM/odKlv73aqx4bfvFwvymtBADqIwgEwJBAIHtZq3ZbQz6mcxTaVf2Atdl2+HY3B8kHgdoz2YAHMDyQjC83c9ub+hU5UFsLEOlL8+OGqRuT7NlSDb+Xsu8POECQQDPcNOysMNbrLh1mGe6ydUsojSbheAIOZPQ/lhUbhzPXAXTYaPkTq7uty6SYZOMtWLxIFZ1eA9HHm3tJOCgC888
反射调用JAVA加密:
.text:000000709EB328D0 decode_sub_70575F28D0 .text:000000709EB328D0 .text:000000709EB328D0 var_3C= -0x3C .text:000000709EB328D0 var_38= -0x38 .text:000000709EB328D0 var_30= -0x30 .text:000000709EB328D0 var_28= -0x28 .text:000000709EB328D0 var_20= -0x20 .text:000000709EB328D0 var_18= -0x18 .text:000000709EB328D0 var_10= -0x10 .text:000000709EB328D0 .text:000000709EB328D0 ; __unwind { // 1000 .text:000000709EB328D0 FF 03 01 D1 SUB SP, SP, #0x40 .text:000000709EB328D4 FE 1B 00 F9 STR X30, [SP,#0x40+var_10] .text:000000709EB328D8 E0 17 00 F9 STR X0, [SP,#0x40+var_18] .text:000000709EB328DC E1 13 00 F9 STR X1, [SP,#0x40+var_20] .text:000000709EB328E0 E2 0F 00 F9 STR X2, [SP,#0x40+var_28] .text:000000709EB328E4 E3 0B 00 F9 STR X3, [SP,#0x40+var_30] .text:000000709EB328E8 E4 07 00 F9 STR X4, [SP,#0x40+var_38] .text:000000709EB328EC E5 07 00 B9 STR W5, [SP,#0x40+var_3C] .text:000000709EB328F0 E0 17 40 F9 LDR X0, [SP,#0x40+var_18] .text:000000709EB328F4 E1 13 40 F9 LDR X1, [SP,#0x40+var_20] .text:000000709EB328F8 E2 0F 40 F9 LDR X2, [SP,#0x40+var_28] .text:000000709EB328FC E3 0B 40 F9 LDR X3, [SP,#0x40+var_30] .text:000000709EB32900 E4 07 40 F9 LDR X4, [SP,#0x40+var_38] .text:000000709EB32904 E5 07 40 B9 LDR W5, [SP,#0x40+var_3C] .text:000000709EB32908 2B 83 00 94 BL CallObjectMethod_sub_786D1D15B4 .text:000000709EB32908 .text:000000709EB3290C FE 1B 40 F9 LDR X30, [SP,#0x40+var_10] .text:000000709EB32910 FF 03 01 91 ADD SP, SP, #0x40 ; '@' .text:000000709EB32914 C0 03 5F D6 RET .text:000000709EB32958 getInstance_sub_70575F2958 .text:000000709EB32958 .text:000000709EB32958 var_38= -0x38 .text:000000709EB32958 var_30= -0x30 .text:000000709EB32958 var_28= -0x28 .text:000000709EB32958 var_20= -0x20 .text:000000709EB32958 var_18= -0x18 .text:000000709EB32958 var_10= -0x10 .text:000000709EB32958 .text:000000709EB32958 ; __unwind { // 1000 .text:000000709EB32958 FF 03 01 D1 SUB SP, SP, #0x40 .text:000000709EB3295C FE 1B 00 F9 STR X30, [SP,#0x40+var_10] .text:000000709EB32960 E0 17 00 F9 STR X0, [SP,#0x40+var_18] .text:000000709EB32964 E1 13 00 F9 STR X1, [SP,#0x40+var_20] .text:000000709EB32968 E2 0F 00 F9 STR X2, [SP,#0x40+var_28] .text:000000709EB3296C E3 0B 00 F9 STR X3, [SP,#0x40+var_30] .text:000000709EB32970 E4 07 00 F9 STR X4, [SP,#0x40+var_38] .text:000000709EB32974 E0 17 40 F9 LDR X0, [SP,#0x40+var_18] .text:000000709EB32978 E1 13 40 F9 LDR X1, [SP,#0x40+var_20] .text:000000709EB3297C E2 0F 40 F9 LDR X2, [SP,#0x40+var_28] .text:000000709EB32980 E3 0B 40 F9 LDR X3, [SP,#0x40+var_30] .text:000000709EB32984 E4 07 40 F9 LDR X4, [SP,#0x40+var_38] .text:000000709EB32988 0B 83 00 94 BL CallObjectMethod_sub_786D1D15B4 .text:000000709EB32988 .text:000000709EB3298C FE 1B 40 F9 LDR X30, [SP,#0x40+var_10] .text:000000709EB32990 FF 03 01 91 ADD SP, SP, #0x40 ; '@' .text:000000709EB32994 C0 03 5F D6 RET .text:000000709EB32998 generatePrivate_sub_70575F2998 .text:000000709EB32998 .text:000000709EB32998 var_38= -0x38 .text:000000709EB32998 var_30= -0x30 .text:000000709EB32998 var_28= -0x28 .text:000000709EB32998 var_20= -0x20 .text:000000709EB32998 var_18= -0x18 .text:000000709EB32998 var_10= -0x10 .text:000000709EB32998 .text:000000709EB32998 ; __unwind { // 1000 .text:000000709EB32998 FF 03 01 D1 SUB SP, SP, #0x40 .text:000000709EB3299C FE 1B 00 F9 STR X30, [SP,#0x40+var_10] .text:000000709EB329A0 E0 17 00 F9 STR X0, [SP,#0x40+var_18] .text:000000709EB329A4 E1 13 00 F9 STR X1, [SP,#0x40+var_20] .text:000000709EB329A8 E2 0F 00 F9 STR X2, [SP,#0x40+var_28] .text:000000709EB329AC E3 0B 00 F9 STR X3, [SP,#0x40+var_30] .text:000000709EB329B0 E4 07 00 F9 STR X4, [SP,#0x40+var_38] .text:000000709EB329B4 E0 17 40 F9 LDR X0, [SP,#0x40+var_18] .text:000000709EB329B8 E1 13 40 F9 LDR X1, [SP,#0x40+var_20] .text:000000709EB329BC E2 0F 40 F9 LDR X2, [SP,#0x40+var_28] .text:000000709EB329C0 E3 0B 40 F9 LDR X3, [SP,#0x40+var_30] .text:000000709EB329C4 E4 07 40 F9 LDR X4, [SP,#0x40+var_38] .text:000000709EB329C8 B5 7C 00 94 BL calljavamethond_sub_786D1CFC9C .text:000000709EB329C8 .text:000000709EB329CC FE 1B 40 F9 LDR X30, [SP,#0x40+var_10] .text:000000709EB329D0 FF 03 01 91 ADD SP, SP, #0x40 ; '@' .text:000000709EB329D4 C0 03 5F D6 RET .text:000000709EB32A60 doFinal_sub_70575F2A60 .text:000000709EB32A60 .text:000000709EB32A60 var_38= -0x38 .text:000000709EB32A60 var_30= -0x30 .text:000000709EB32A60 var_28= -0x28 .text:000000709EB32A60 var_20= -0x20 .text:000000709EB32A60 var_18= -0x18 .text:000000709EB32A60 var_10= -0x10 .text:000000709EB32A60 .text:000000709EB32A60 ; __unwind { // 1000 .text:000000709EB32A60 FF 03 01 D1 SUB SP, SP, #0x40 .text:000000709EB32A64 FE 1B 00 F9 STR X30, [SP,#0x40+var_10] .text:000000709EB32A68 E0 17 00 F9 STR X0, [SP,#0x40+var_18] .text:000000709EB32A6C E1 13 00 F9 STR X1, [SP,#0x40+var_20] .text:000000709EB32A70 E2 0F 00 F9 STR X2, [SP,#0x40+var_28] .text:000000709EB32A74 E3 0B 00 F9 STR X3, [SP,#0x40+var_30] .text:000000709EB32A78 E4 07 00 F9 STR X4, [SP,#0x40+var_38] .text:000000709EB32A7C E0 17 40 F9 LDR X0, [SP,#0x40+var_18] .text:000000709EB32A80 E1 13 40 F9 LDR X1, [SP,#0x40+var_20] .text:000000709EB32A84 E2 0F 40 F9 LDR X2, [SP,#0x40+var_28] .text:000000709EB32A88 E3 0B 40 F9 LDR X3, [SP,#0x40+var_30] .text:000000709EB32A8C E4 07 40 F9 LDR X4, [SP,#0x40+var_38] .text:000000709EB32A90 83 7C 00 94 BL calljavamethond_sub_786D1CFC9C .text:000000709EB32A90 .text:000000709EB32A94 FE 1B 40 F9 LDR X30, [SP,#0x40+var_10] .text:000000709EB32A98 FF 03 01 91 ADD SP, SP, #0x40 ; '@' .text:000000709EB32A9C C0 03 5F D6 RET
RSA私钥加密后的AES KEY IV:
00000000 98 93 1B 85 66 82 76 26 88 2B 09 13 AA 22 4E 76 00000020 9B 3F 47 93 8B A7 CD D7 A6 48 3D C9 70 55 29 6A 00000040 57 B7 65 AE F4 3E 2C CB 5C E1 CD 6B 57 B5 86 2F 00000060 1D 81 FC A3 56 27 64 13 27 42 A0 84 C3 23 CD 0D 00000080 05 D1 0D B0 22 36 FE 36 B5 17 61 6F 19 14 1D B1 00000100 67 A0 1F F4 F2 09 83 CA C1 9A C4 64 14 F4 54 7D 00000120 DA
6.4、AES加密压缩后设备数据
用随机数生成的KEY加密压缩后的设备数据:
// X0:key,x1:长度,X2:返回值 __int64 __fastcall AES_initkey_sub_70576377C8(unsigned int *a1, int a2, unsigned int *a3) { unsigned int v3; // w8 unsigned int v29; // w17 v3 = -1; if ( a1 && a3 ) { if ( a2 != 128 && a2 != 256 && a2 != 192 ) return 4294967294LL; if ( a2 == 128 ) { v4 = 10; } else if ( a2 == 192 ) { v4 = 12; } else { v4 = 14; } a3[60] = v4; v6 = _byteswap_ulong(*a1); *a3 = v6; a3[1] = _byteswap_ulong(a1[1]); a3[2] = _byteswap_ulong(a1[2]); a3[3] = _byteswap_ulong(a1[3]); if ( a2 == 128 ) { v7 = 0LL; v8 = a3 + 4; do { v9 = *(v8 - 1); v6 ^= dword_709EBD4F74[BYTE2(v9)] & 0xFF000000 ^ dword_709EBD5374[BYTE1(v9)] & 0xFF0000 ^ dword_709EBD5774[(unsigned __int8)v9] & 0xFF00 ^ byte_709EBD5B74[4 * HIBYTE(v9)] ^ *(_DWORD *)((char *)&unk_709EBD5F74 + v7); v10 = *(v8 - 2); v7 += 4LL; v11 = *(v8 - 3) ^ v6; *v8 = v6; v8[1] = v11; v12 = v10 ^ v11; v8[2] = v12; v8[3] = v9 ^ v12; v8 += 4; } while ( v7 != 40 ); } else { a3[4] = _byteswap_ulong(a1[4]); a3[5] = _byteswap_ulong(a1[5]); if ( a2 == 192 ) { v13 = 0LL; for ( i = a3 + 6; ; i += 6 ) { v16 = *(i - 1); v6 ^= dword_709EBD4F74[BYTE2(v16)] & 0xFF000000 ^ dword_709EBD5374[BYTE1(v16)] & 0xFF0000 ^ dword_709EBD5774[(unsigned __int8)v16] & 0xFF00 ^ byte_709EBD5B74[4 * HIBYTE(v16)] ^ *(_DWORD *)((char *)&unk_709EBD5F74 + v13); v17 = *(i - 3); v18 = *(i - 5) ^ v6; v19 = *(i - 4) ^ v18; *i = v6; i[1] = v18; i[2] = v19; i[3] = v17 ^ v19; if ( v13 == 28 ) break; v13 += 4LL; v15 = *(i - 2) ^ v17 ^ v19; i[4] = v15; i[5] = v16 ^ v15; } } else { a3[6] = _byteswap_ulong(a1[6]); a3[7] = _byteswap_ulong(a1[7]); v20 = 0LL; for ( j = a3 + 8; ; j += 8 ) { v25 = *(j - 1); v6 ^= dword_709EBD4F74[BYTE2(v25)] & 0xFF000000 ^ dword_709EBD5374[BYTE1(v25)] & 0xFF0000 ^ dword_709EBD5774[(unsigned __int8)v25] & 0xFF00 ^ byte_709EBD5B74[4 * HIBYTE(v25)] ^ *(_DWORD *)((char *)&unk_709EBD5F74 + v20); v26 = *(j - 5); v27 = *(j - 7) ^ v6; v28 = *(j - 6) ^ v27; *j = v6; j[1] = v27; j[2] = v28; j[3] = v26 ^ v28; if ( v20 == 24 ) break; v29 = v26 ^ v28; v22 = dword_709EBD4F74[HIBYTE(v29)] & 0xFF000000 ^ *(j - 4) ^ dword_709EBD5374[BYTE2(v29)] & 0xFF0000 ^ dword_709EBD5774[BYTE1(v29)] & 0xFF00 ^ byte_709EBD5B74[4 * (unsigned __int8)v29]; v23 = *(j - 2); v24 = *(j - 3) ^ v22; j[4] = v22; j[5] = v24; v20 += 4LL; j[6] = v23 ^ v24; j[7] = v25 ^ v23 ^ v24; } } } return 0; } return v3; } // X0:原数据,X1:返回,x2:大小,x3:初始化后key,x4:IV long double __fastcall AES_enc_data_sub_705760C380( _QWORD *a1, long double *a2, unsigned __int64 a3, __int64 a4, long double *a5, void (__fastcall *a6)(long double *, long double *, __int64)) { unsigned __int64 v6; // x24 unsigned __int64 v10; // x8 unsigned __int64 v11; // x22 unsigned __int64 v12; // x27 long double *v13; // x26 unsigned __int64 v14; // x19 long double *v15; // x8 _QWORD *v16; // x28 long double *v17; // x25 long double *v18; // x8 __int64 v19; // x24 unsigned __int64 v20; // x25 _QWORD *v21; // x22 long double *v22; // x10 unsigned __int64 v23; // x27 unsigned __int64 v24; // x10 unsigned __int64 v25; // x13 __int128 v26; // q0 __int128 v27; // q1 _OWORD *v28; // x14 unsigned __int64 v29; // x9 __int64 v30; // x14 long double *v31; // x23 __int64 v32; // x13 __int64 v33; // x15 unsigned __int64 v34; // x10 __int64 v35; // x11 long double *v36; // x17 unsigned __int64 v37; // x14 unsigned __int64 v38; // x13 int8x16_t v39; // q0 int8x16_t v40; // q1 int8x16_t v41; // q2 int8x16_t v42; // q3 int8x16_t *v43; // x15 unsigned __int64 v44; // x11 unsigned __int64 v45; // x12 long double result; // q0 _QWORD *v48; // [xsp+8h] [xbp-58h] _QWORD *v49; // [xsp+8h] [xbp-58h] v6 = a3; v10 = a3 - 16; if ( a3 < 0x10 ) { v18 = a5; v13 = a2; v14 = a3; } else { v11 = v10 & 0xFFFFFFFFFFFFFFF0LL; v12 = (v10 & 0xFFFFFFFFFFFFFFF0LL) + 16; v13 = (long double *)((char *)a2 + v12); v14 = v10 - (v10 & 0xFFFFFFFFFFFFFFF0LL); v15 = a5; v16 = a1; v17 = a2; v48 = a1; do { *(_QWORD *)v17 = *(_QWORD *)v15 ^ *v16; *((_QWORD *)v17 + 1) = *((_QWORD *)v15 + 1) ^ v16[1]; a6(v17, v17, a4); v6 -= 16LL; v15 = v17++; v16 += 2; } while ( v6 > 0xF ); v18 = (long double *)((char *)a2 + v11); a1 = (_QWORD *)((char *)v48 + v12); } if ( v14 ) { v19 = 0LL; v20 = -(__int64)v14; v21 = a1; v22 = v13; v23 = v14; v49 = a1; while ( 1 ) { v30 = 2 * v19; v29 = 0LL; v31 = v22; if ( v20 <= 0xFFFFFFFFFFFFFFF0LL ) v32 = -16LL; else v32 = v20; if ( 16 * v19 - v14 <= 0xFFFFFFFFFFFFFFF0LL ) v33 = -16LL; else v33 = 16 * v19 - v14; v34 = (unsigned __int64)&v13[(unsigned __int64)v30 / 2]; v35 = -v33; if ( (unsigned __int64)-v33 <= 0x1F ) goto LABEL_26; v29 = 0LL; if ( (v35 & 0xFFFFFFFFFFFFFFE0LL) == 0 ) goto LABEL_26; v36 = (long double *)((char *)&v13[(unsigned __int64)v30 / 2 - 1] - v33 + 15); if ( v34 <= (unsigned __int64)&v49[v30 - 1] - v33 + 7 && &v49[v30] <= (_QWORD *)v36 ) goto LABEL_26; if ( v34 <= (unsigned __int64)v18 - v33 - 1 && v18 <= v36 ) goto LABEL_26; v37 = 0LL; v38 = -v32 & 0xFFFFFFFFFFFFFFE0LL; v29 = v35 & 0xFFFFFFFFFFFFFFE0LL; do { v39 = *(int8x16_t *)&v21[v37 / 8]; v40 = *(int8x16_t *)&v21[v37 / 8 + 2]; v41 = *(int8x16_t *)&v18[v37 / 0x10]; v42 = *(int8x16_t *)&v18[v37 / 0x10 + 1]; v43 = (int8x16_t *)&v31[v37 / 0x10]; v37 += 32LL; *v43 = veorq_s8(v41, v39); v43[1] = veorq_s8(v42, v40); } while ( v38 != v37 ); if ( (v35 & 0xFFFFFFFFFFFFFFE0LL) != v35 ) { LABEL_26: do { *((_BYTE *)v31 + v29) = *((_BYTE *)v18 + v29) ^ *((_BYTE *)v21 + v29); ++v29; } while ( v29 <= 0xF && v29 < v23 ); } if ( v29 > 0xF ) goto LABEL_34; v44 = 16 - v29; if ( 16 - v29 > 0x1F && (v45 = v44 & 0xFFFFFFFFFFFFFFE0LL, (v44 & 0xFFFFFFFFFFFFFFE0LL) != 0) && (v34 + v29 > (unsigned __int64)v18 + 15 || (char *)v18 + v29 > (char *)v13 + ((16 * v19) | 0xF)) ) { v24 = v29 + v45; v25 = v44 & 0xFFFFFFFFFFFFFFE0LL; do { v26 = *(_OWORD *)((char *)v18 + v29); v27 = *(_OWORD *)((char *)v18 + v29 + 16); v28 = (_OWORD *)((char *)v31 + v29); v29 += 32LL; v25 -= 32LL; *v28 = v26; v28[1] = v27; } while ( v25 ); if ( v44 == v45 ) goto LABEL_34; } else { v24 = v29; } do { *((_BYTE *)v31 + v24) = *((_BYTE *)v18 + v24); ++v24; } while ( v24 != 16 ); LABEL_34: a6(v31, v31, a4); if ( v23 >= 0x11 ) { v23 -= 16LL; v21 += 2; v22 = v31 + 1; ++v19; v20 += 16LL; v18 = v31; if ( v23 ) continue; } goto LABEL_38; } } v31 = v18; LABEL_38: result = *v31; *a5 = *v31; return result; }
6.5、组合数据发送服务器
RSA加密后的AES KEY IV与AES加密的设备数据组合发送给服务器,组合格式图6-5所示:
图6-5
url https://fp.fraudmetrix.cn/android3_5/profile.json?partner=missfreshaq&version=3.6.7&clientSeqId=1654331726915998700 反射调用如下类发送网络 cn/tongdun/android/shell/common/HttpHelper private static String connect(URL arg9, byte[] body, String url, int arg12) throws Exception { int v4; int v1; HttpsURLConnection v9; if(arg9.getProtocol().toLowerCase().equals("https")) { v9 = (HttpsURLConnection)arg9.openConnection(Proxy.NO_PROXY); if(arg12 == 1) { HttpHelper.trustSSL(v9); } else if(arg12 == 2) { v9.setHostnameVerifier(HttpHelper.NAME_VERIFY); } } else { v9 = (HttpURLConnection)arg9.openConnection(Proxy.NO_PROXY); } HttpHelper.setHttpParams(v9); v9.setRequestMethod("POST"); OutputStream v11 = v9.getOutputStream(); v11.write(body); v11.flush(); int v10 = v9.getResponseCode(); if(v10 != 200) { String v9_1 = "Connect failed, response code " + v10; xxo000000xxxoo00_Log.xxo0o0ox0oxxoo(v9_1); return v9_1; } try { Map v10_2 = v9.getHeaderFields(); if(v10_2 != null) { List v10_3 = (List)v10_2.get("Set-Cookie"); if(v10_3 != null && v10_3.size() > 0) { int v12 = v10_3.size(); v1 = 0; while(true) { label_60: if(v1 >= v12) { break; } String v2 = (String)v10_3.get(v1); if(v2.contains("XXID=")) { String[] v2_1 = v2.split(";"); v4 = 0; while(true) { label_76: if(v4 >= v2_1.length) { break; } String v5 = v2_1[v4]; if(!v5.startsWith("XXID")) { ++v4; goto label_76; } String v5_1 = v5.substring(5, v5.length()); if(TextUtils.isEmpty(v5_1)) { ++v4; goto label_76; } FMAgent.xxid = v5_1; break; } } ++v1; } } } } catch(Exception v10_1) { v10_1.printStackTrace(); } goto label_99; ++v4; goto label_76; ++v1; goto label_60; label_99: InputStream v9_2 = v9.getInputStream(); BufferedReader v10_4 = new BufferedReader(new InputStreamReader(v9_2, "utf-8")); StringBuilder v12_1 = new StringBuilder(); while(true) { String v0 = v10_4.readLine(); if(v0 == null) { break; } v12_1.append(v0); } v9_2.close(); v11.close(); return v12_1.toString(); }
成功后服务器返回blackbox:
{"code":"000","desc":"k9OCtUBncUi1/r3N84z30FFW3AwxnmZnJfuKa2bhCcS/s9mKZAuBFnJ6BYRDDpUkz+fxJhWvD+bbun3eUbCyiw=="}
这个值是根据硬件ID,OAID、文件ID生成。
七、加密漏洞还原与中人间攻击过程
7.1、通过私钥解析出公钥
理论上我们很难从私钥(只有d,n)中推导公钥的,也无法通过公钥推导出私钥,但是该SDK使用了私钥为PKCS编码格式,该私钥数据可以按如下结构进行解析:
RSAPrivateKey ::= SEQUENCE { versionVersion, modulusINTEGER, -- n publicExponentINTEGER, -- e privateExponentINTEGER, -- d prime1INTEGER, -- p prime2INTEGER, -- q exponent1INTEGER, -- d mod (p-1) exponent2INTEGER, -- d mod (q-1) coefficientINTEGER, -- (inverse of q) mod p otherPrimeInfosOtherPrimeInfos OPTIONAL }
从结构中可以看出私钥其实是含有生成密钥对的p和q以及公私钥对(e,n)。通过私钥格式分析可以分析出公钥数据,用代码实现如下:
加载私钥:
/** * 从字符串中获取私钥 * @param privateKeyStr * @return * @throws Exception */ public static RSAPrivateKey loadPrivateKeyByStr(String privateKeyStr) throws Exception { try { byte[] buffer = java.util.Base64.getDecoder().decode(privateKeyStr); PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(buffer); KeyFactory keyFactory = KeyFactory.getInstance("RSA"); return (RSAPrivateKey) keyFactory.generatePrivate(keySpec); } catch (NoSuchAlgorithmException e) { throw new Exception("无此算法"); } catch (InvalidKeySpecException e) { throw new Exception("私钥非法"); } catch (NullPointerException e) { throw new Exception("私钥数据为空"); } } public static String gethexPublicKey(String modulus, String exponent) { try { BigInteger b1 = new BigInteger(modulus,16); //此处为进制数 BigInteger b2 = new BigInteger(exponent,16); KeyFactory keyFactory = KeyFactory.getInstance("RSA"); RSAPublicKeySpec keySpec = new RSAPublicKeySpec(b1, b2); RSAPublicKey publicKey = (RSAPublicKey) keyFactory.generatePublic(keySpec); String publicKeyString = Base64.encode(publicKey.getEncoded()); return publicKeyString; } catch (Exception e) { e.printStackTrace(); return null; } }
解析出公钥:
//从SDK中的私钥解析出公钥(隐去部分) String strprivatekey = "MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBALE2OfQ8BYg9Lq4nKGTamXyia6raCc1adzCOsFrnk/VN0s2W8yQJfYdq+QUNRHv0zANW0Uafh7nHCWeBn/GOC26xTsUku3/ElECGthT5ED0MOO8EQ6dhci4So/Y/fNuAczqDFk5RKRbmo1gz7xuCdUTQYmD+h1cjl95HGrY6TMinAgMBAAECgYBCHYwjvh0GRmVbHkrozdID+QkYdj6/+eeMG0BauhmupLlocNAH+u51joiXxOpvINbYzBRKOAzIWCT/FBKbabaDl5IhuUwV+CJ90SBLAbs/Wd+QjnUhXbyKb+Tm3+Uz2y26xWc7XdhGNe3Wjyz2+fN8CbfdC2SlUnibADOEQXJFIQJBAOUgSH/+uyIJKo6DOHJSfrhDlYX875H4Yq8ifuS1R7hQcK5T8sYV/OIzTRSvFaYL+FG8nA9vr8rulojcDPYzqrcCQQDF/yuUtb1wliR+zH7iE/5pv0dGfuwhSec777TYuLEP6VnX68zI/Kyq2JdIYYO7MidjH4bFd50NnRacHi3AtKGRAkEAiU+Gg0Y6CVSq70sOSdzMWksOUYTaYYUURtaKay+Ecp2qWZ6vkCxfJ4QM/odKlv73aqx4bfvFwvymtBADqIwgEwJBAIHtZq3ZbQz6mcxTaVf2Atdl2+HY3B8kHgdoz2YAHMDyQjC83c9ub+hU5UFsLEOlL8+OGqRuT7NlSDb+Xsu8POECQQDPcNOysMNbrLh1mGe6ydUsojSbheAIOZPQ/lhUbhzPXAXTYaPkTq7uty6SYZOMtWLxIFZ1eA9HHm3tJOCgC888"; RSAPrivateKey privateKey = RSAUtils.loadPrivateKeyByStr(strprivatekey); // 得到公钥 BigInteger modulus = privateKey.getModulus(); byte[] bmodulus = modulus.toByteArray(); String modulusString = StringToHex.bytesToHex(bmodulus); System.out.println("modulusString:"+modulusString); String publicKeyString = RSAEncrypt.gethexPublicKey(modulusString, "010001"); System.out.println("publicKeyString:"+publicKeyString);
7.2、公钥解密出AES KEY IV
得到公钥后做解密测试,只要能把上报到服务器端的请求体中加密的AES KEY IV解密出来就能解出AES加密的设备数据。
//私钥加密的AES KEY IV byte[] keydata = { (byte)0x98, (byte)0x93, 0x1B, (byte)0x85, 0x66, (byte)0x82, 0x76, 0x26, (byte)0x88, 0x2B, 0x09, 0x13, (byte)0xAA, 0x22, 0x4E, 0x76, (byte)0x9B, 0x3F, 0x47, (byte)0x93, (byte)0x8B, (byte)0xA7, (byte)0xCD, (byte)0xD7, (byte)0xA6, 0x48, 0x3D, (byte)0xC9, 0x70, 0x55, 0x29, 0x6A, 0x57, (byte)0xB7, 0x65, (byte)0xAE, (byte)0xF4, 0x3E, 0x2C, (byte)0xCB, 0x5C, (byte)0xE1, (byte)0xCD, 0x6B, 0x57, (byte)0xB5, (byte)0x86, 0x2F, 0x1D, (byte)0x81, (byte)0xFC, (byte)0xA3, 0x56, 0x27, 0x64, 0x13, 0x27, 0x42, (byte)0xA0, (byte)0x84, (byte)0xC3, 0x23, (byte)0xCD, 0x0D, 0x05, (byte)0xD1, 0x0D, (byte)0xB0, 0x22, 0x36, (byte)0xFE, 0x36, (byte)0xB5, 0x17, 0x61, 0x6F, 0x19, 0x14, 0x1D, (byte)0xB1, 0x67, (byte)0xA0, 0x1F, (byte)0xF4, (byte)0xF2, 0x09, (byte)0x83, (byte)0xCA, (byte)0xC1, (byte)0x9A, (byte)0xC4, 0x64, 0x14, (byte)0xF4, 0x54, 0x7D, (byte)0xDA, 0x3A, 0x40, 0x75, 0x28, 0x6B, (byte)0x9C, 0x2D, 0x34, 0x02, 0x3A, 0x7C, 0x74, 0x58, (byte)0xD0, 0x68, 0x4C, 0x1D, (byte)0xD3, (byte)0x80, (byte)0xD0, (byte)0xF8, 0x49, 0x17, (byte)0x99, (byte)0xE3, (byte)0xB9, 0x25, (byte)0x8C, 0x44, (byte)0xFA, (byte)0xC4 }; String publicKey = publicKeyString; //公钥解出出AEK KEY IV String aeskey = new String(RSAUtils.publicKeyDecrypt(publicKey, keydata)); //前16字节是AES key, 后16字节是IV System.out.println("aeskey:"+aeskey); //解密后的值 fda958f6-07e5-47e4ae2f7b-96b5-4a
7.3、AES解密出压缩后设备数据
/** * * @param FilePath 待解密的 deump 压缩后的设备数据 * @return 解密后的压缩数据 */ public static byte[] aesDecrypt(String FilePath, String key, String iv) { try { if (FilePath.isEmpty() || key.isEmpty()){ return null; } // 将字符串转为byte,返回解码后的byte[] byte[] encryptBytes = {}; encryptBytes = FileUtils.getContent(FilePath); // 创建密码器 KeyGenerator kgen = KeyGenerator.getInstance(EncryptAesUtil.AES); kgen.init(128); // 初始化为解密模式的密码器 Cipher cipher = Cipher.getInstance(ALGORITHMS); cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key.getBytes(), EncryptAesUtil.AES), new IvParameterSpec(iv.getBytes(StandardCharsets.UTF_8))); byte[] decryptBytes = cipher.doFinal(encryptBytes); String decstr = bytesToHex(decryptBytes); System.out.println("decryptBytes:"+decstr); return decryptBytes; } catch (Exception e) { System.out.println(e.getMessage() + e); } return null; } //前16字节是AES key, 后16字节是IV String key = "fda958f6-07e5-47"; String iv = "e4ae2f7b-96b5-4a"; //AES 解密压缩后设备数据 EncryptAesUtil.aesDecrypt("dump_deviceinfo_AES.data",key, iv);
还有一层解密是VM中的,要还原大部分Handle,VM代码没有强混淆,分析起来还是比较容易的,这里就留一个坑吧,给有意愿深入搞搞的同学入坑。
八、总结
业务:
该产品也是多年的老品牌,最近几年从营销与渠道反作弊转向金融安全领域,可能在营销与渠道反作弊发力点偏弱,产品从体验、移定、易用、安全方面都有很多的不足点。
代码:
产品包休过大,架构不够精简,模块过多,代码冗余,对抗逆向方面将部分算法进行VM还是比较有效的。很多空数据加密时未做判断,导致空数据时也要执行VM引擎影响性能。
安全:
安全能力还是可以的,代码中字符串加密,代码逻辑通过AB两个模块拆分逻辑,A模块中大多数方法逻辑通过B模块中的VM引擎来实现,增加逆向度,不足点就是使用了不安全的密钥加密方式。
样本获取方式,关注公众号,公众号输入框回复“td” 获取下载链接。
标签:中间人,00,加密,text,SP,40,var,F9,反作弊 来源: https://www.cnblogs.com/2014asm/p/16387590.html