Analysis of the ijiami (爱加密) App Hardening Product: Custom Edition
Author: Internet
Contents: I. Background; II. Overall architecture; III. Analysis of the SO protection shell; IV. Analysis of the DEX protection shell; V. Native-layer principles; VI. Summary
I. Background
Recently a friend asked me to do a black-box assessment of their bank's app: test its security, probe for unknown vulnerabilities, and help raise the overall security posture of the business. After installing the APK and capturing traffic I saw that everything on the wire was encrypted, so I decompiled the app with JEB to find the place where request data is assembled, and discovered that it had been protected with a commercial hardening product. Hence this write-up.
II. Overall Architecture
The protection consists mainly of whole-DEX encryption, DEX code splitting with decryption and restoration at run time, and conversion of Java methods to native code. The rough architecture is shown in Figure 2-1:
Figure 2-1
III. Analysis of the SO Protection Shell
3.1 Flow of the SO-layer shell
Shell entry point:
LOAD:C5FD5960 EXPORT .init_proc
LOAD:C5FD5960 .init_proc
LOAD:C5FD5960 var_4= -4
LOAD:C5FD5960 C0 46          NOP
LOAD:C5FD5962 FF B5          PUSH {R0-R7,LR}
LOAD:C5FD5964 00 A1 18 39    ADRL R1, 0xC5FD5950
LOAD:C5FD5968 0D 1C          MOVS R5, R1
LOAD:C5FD596A 0C 68          LDR R4, [R1] ; off_C5FD5950
LOAD:C5FD596C 2D 1B          SUBS R5, R5, R4
LOAD:C5FD596E 4B 68          LDR R3, [R1,#(off_C5FD5954 - 0xC5FD5950)] ; ijiami
LOAD:C5FD5970 5B 19          ADDS R3, R3, R5
LOAD:C5FD5972 08 93          STR R3, [SP,#0x24+var_4]
LOAD:C5FD5974 C8 68          LDR R0, [R1,#(off_C5FD595C - 0xC5FD5950)]
LOAD:C5FD5976 40 19          ADDS R0, R0, R5
LOAD:C5FD5978 loc_C5FD5978 ; CODE XREF: sub_C5FD59DE+C↓j
LOAD:C5FD5978 8B 68          LDR R3, [R1,#(dword_C5FD5958 - 0xC5FD5950)]
LOAD:C5FD597A 5B 19          ADDS R3, R3, R5
LOAD:C5FD597C 18 21          MOVS R1, #0x18
LOAD:C5FD597E 09 18          ADDS R1, R1, R0
LOAD:C5FD5980 08 B4          PUSH {R3}
LOAD:C5FD5982 82 B0          SUB SP, SP, #8
LOAD:C5FD5984 00 B5          PUSH {LR} ; sub_C5FD6104
LOAD:C5FD5986 4C 68          LDR R4, [R1,#(loc_C5F927C4 - 0xC5F927C0)]
LOAD:C5FD5988 0C 31          ADDS R1, #0xC
LOAD:C5FD598A 09 19          ADDS R1, R1, R4
LOAD:C5FD598C 00 F0 A0 F9    BL sub_C5FD5CD0 ; dword_C601B200
LOAD:C5FD5990 03 05          LSLS R3, R0, #0x14
LOAD:C5FD5992 1B 0D          LSRS R3, R3, #0x14 ; x.35
LOAD:C5FD5994 E4 18          ADDS R4, R4, R3
LOAD:C5FD5996 04 34          ADDS R4, #4
LOAD:C5FD5998 10 B4          PUSH {R4}
LOAD:C5FD599A C0 1A          SUBS R0, R0, R3
LOAD:C5FD599C 01 B4          PUSH {R0}
LOAD:C5FD599E E4 1A          SUBS R4, R4, R3
LOAD:C5FD59A0 C0 18          ADDS R0, R0, R3 ; off_C6012420
LOAD:C5FD59A2 9B 08          LSRS R3, R3, #2
LOAD:C5FD59A4 08 B4          PUSH {R3} ; y.36
LOAD:C5FD59A6 00 00          MOVS R0, R0
LOAD:C5FD59A8 00 F0 19 F8    BL sub_C5FD59DE
LOAD:C5FD59AC 1B 06          LSLS R3, R3, #0x18
LOAD:C5FD59AE 89 08          LSRS R1, R1, #2
LOAD:C5FD59B0 1B 0E          LSRS R3, R3, #0x18
LOAD:C5FD59B2 89 00          LSLS R1, R1, #2
LOAD:C5FD59B4 50 2B          CMP R3, #0x50 ; 'P'
LOAD:C5FD59B6 11 D1          BNE locret_C5FD59DC
LOAD:C5FD59B8 0E E0          B loc_C5FD59D8
LOAD:C5FD59BA loc_C5FD59BA ; CODE XREF: .init_proc+7A↓j
LOAD:C5FD59BA 04 39          SUBS R1, #4
LOAD:C5FD59BC 42 58          LDR R2, [R0,R1]
LOAD:C5FD59BE 13 01          LSLS R3, R2, #4
LOAD:C5FD59C0 1B 0F          LSRS R3, R3, #0x1C
LOAD:C5FD59C2 0B 2B          CMP R3, #0xB
LOAD:C5FD59C4 08 D1          BNE loc_C5FD59D8
LOAD:C5FD59C6 89 08          LSRS R1, R1, #2
LOAD:C5FD59C8 53 1A          SUBS R3, R2, R1
LOAD:C5FD59CA 89 00          LSLS R1, R1, #2
LOAD:C5FD59CC 12 0E          LSRS R2, R2, #0x18
LOAD:C5FD59CE 1B 02          LSLS R3, R3, #8
LOAD:C5FD59D0 12 06          LSLS R2, R2, #0x18
LOAD:C5FD59D2 1B 0A          LSRS R3, R3, #8
LOAD:C5FD59D4 1A 43          ORRS R2, R3
LOAD:C5FD59D6 42 50          STR R2, [R0,R1]
LOAD:C5FD59D8 loc_C5FD59D8 ; CODE XREF: .init_proc+58↑j
LOAD:C5FD59D8 ; .init_proc+64↑j
LOAD:C5FD59D8 00 29          CMP R1, #0
LOAD:C5FD59DA EE D1          BNE loc_C5FD59BA
LOAD:C5FD59DC locret_C5FD59DC ; CODE XREF: .init_proc+56↑j
LOAD:C5FD59DC 70 47          BX LR ; sub_C5FD6104
The entry-point signature suggests UPX: the stub is position-independent (ADRL/SUBS compute the load delta), and the loop that walks backwards through the decompressed image, checking each word for the 0xB opcode nibble of an ARM BL after comparing a byte against 0x50 ('P'), is what the unfilter pass of UPX's ARM call-trick filter (filter 0x50) looks like. I tried `upx -d`, which threw an error; patching the signature back to `UPX!` still did not unpack it, so this is a modified UPX, and I decided to unpack it by dynamic debugging in IDA instead.
Dumping the SO
Set a breakpoint in the linker at the point where it calls the shell's entry point (.init_proc above), then start debugging, as shown in Figure 3-1:
Figure 3-1
After the shell has finished running, dump the decompressed code out of memory, as shown in Figure 3-1-2:
Figure 3-1-2
3.2 Unpacking and repairing the SO-layer shell
Repair the Elf32_Off (file offset) fields, the section headers (shdr), the program headers (phdr) and the relocations, as shown in Figure 3-2:
Figure 3-2
After the repair the SO decompiles normally; the code is OLLVM-obfuscated and its strings are encrypted, as shown in Figure 3-2-1:
Figure 3-2-1
IV. Analysis of the DEX Protection Shell
4.1 JNI_OnLoad
JNI_OnLoad mainly registers a handful of native methods dynamically. The `while ( ... != 1 ) ;` loops scattered through it are opaque predicates on the globals x and y inserted by the obfuscator (the product (x-1)*x is always even, so they never actually spin), and the 21 stack slots from funcname to v56 are seven JNINativeMethod {name, signature, fnPtr} triples. The code is as follows:
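The phdr/shdr part of the repair above, as an added example that is not part of the original write-up: a small Python script that takes a memory dump of the unpacked SO and rewrites it so that IDA parses it from program headers alone. It assumes the dump starts at the ELF header and that each segment sits at its p_vaddr within the dump (which is what dumping the loaded image gives you), sets p_offset = p_vaddr and p_filesz = p_memsz for every PT_LOAD segment, and zeroes e_shoff/e_shnum/e_shstrndx. Relocation and dynamic-section repair, which the write-up also performs, are not covered here. The sample ELF32 image in the block is constructed for the demonstration.

```python
import struct

# Elf32 header / program-header layouts (little-endian, as in the ARM32 SO discussed here)
EHDR_FMT = "<16sHHIIIIIHHHHHH"
EHDR_SIZE = struct.calcsize(EHDR_FMT)        # 52
PHDR_FMT = "<IIIIIIII"
PHDR_SIZE = struct.calcsize(PHDR_FMT)        # 32
EHDR_FIELDS = ("e_ident", "e_type", "e_machine", "e_version", "e_entry", "e_phoff",
               "e_shoff", "e_flags", "e_ehsize", "e_phentsize", "e_phnum",
               "e_shentsize", "e_shnum", "e_shstrndx")
PHDR_FIELDS = ("p_type", "p_offset", "p_vaddr", "p_paddr", "p_filesz", "p_memsz",
               "p_flags", "p_align")
PT_LOAD = 1
OFF_E_SHOFF, OFF_E_SHNUM = 32, 48            # e_shnum is followed by e_shstrndx at 50


def parse_ehdr(data):
    ehdr = dict(zip(EHDR_FIELDS, struct.unpack_from(EHDR_FMT, data, 0)))
    if ehdr["e_ident"][:4] != b"\x7fELF" or ehdr["e_ident"][4] != 1:
        raise ValueError("not an ELF32 image")
    return ehdr


def parse_phdrs(data):
    ehdr = parse_ehdr(data)
    phdrs = []
    for i in range(ehdr["e_phnum"]):
        off = ehdr["e_phoff"] + i * ehdr["e_phentsize"]
        phdrs.append(dict(zip(PHDR_FIELDS, struct.unpack_from(PHDR_FMT, data, off))))
    return phdrs


def fix_dumped_elf32(dump):
    """Make a memory dump loadable: file offsets become virtual addresses and the
    section-header table (pointing at garbage after a dump) is dropped."""
    buf = bytearray(dump)
    ehdr = parse_ehdr(buf)
    for i in range(ehdr["e_phnum"]):
        off = ehdr["e_phoff"] + i * ehdr["e_phentsize"]
        p = list(struct.unpack_from(PHDR_FMT, buf, off))
        p[1] = p[2]                     # p_offset = p_vaddr: the dump is laid out by vaddr
        if p[0] == PT_LOAD:
            p[4] = p[5]                 # p_filesz = p_memsz: .bss is present in the dump
        struct.pack_into(PHDR_FMT, buf, off, *p)
    struct.pack_into("<I", buf, OFF_E_SHOFF, 0)
    struct.pack_into("<HH", buf, OFF_E_SHNUM, 0, 0)   # e_shnum, e_shstrndx
    return bytes(buf)


def build_sample_dump():
    """Constructed input: a two-segment ELF32 image whose phdrs still carry on-disk offsets."""
    phdrs = [
        (PT_LOAD, 0x0000, 0x0000, 0x0000, 0x1000, 0x1000, 5, 0x1000),   # R-X text
        (PT_LOAD, 0x1000, 0x2000, 0x2000, 0x0100, 0x0300, 6, 0x1000),   # RW- data + bss
    ]
    e_ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)   # ELFCLASS32, little-endian
    ehdr = struct.pack(EHDR_FMT, e_ident, 3, 40, 1, 0, EHDR_SIZE, 0x5000, 0,
                       EHDR_SIZE, PHDR_SIZE, len(phdrs), 40, 7, 6)
    image = bytearray(0x2300)
    image[:EHDR_SIZE] = ehdr
    for i, p in enumerate(phdrs):
        struct.pack_into(PHDR_FMT, image, EHDR_SIZE + i * PHDR_SIZE, *p)
    return bytes(image)


if __name__ == "__main__":
    for phdr in parse_phdrs(fix_dumped_elf32(build_sample_dump())):
        print(phdr)
```

On a real dump, read the file into `bytes`, pass it through `fix_dumped_elf32`, and write the result out; the relocation pass still has to be done afterwards, because the dynamic section in the dump describes the relocated image, not a file on disk.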
jint JNI_OnLoad(JavaVM *vm, void *reserved)
{
  _BOOL4 v2; // r2
  int v3; // r4
  int v4; // r3
  int v5; // r3
  int v6; // r2

  v3 = 0;
  v4 = 0;
  if ( 2 * *y_21_ptr[0] > 191 )
    v3 = 1;
  if ( *y_21_ptr[0] > 9 )
    v4 = 1;
  v5 = v4 & ((*x_20_ptr[0] - 1) * *x_20_ptr[0]);
  v2 = (*x_20_ptr[0] ^ *y_21_ptr[0]) < 130;
  v6 = (v2 & v3 | v5) ^ 1 | v2 & v3 ^ v5;
  while ( v6 != 1 )
    ;
  return RegisterNatives_sub_5252C((int)vm, reserved);
}

int __fastcall RegisterNatives_sub_5252C(JNIEnv *a1)
{
  jclass v2; // r8
  int v3; // r5
  int v4; // r3
  void ***v5; // r5
  jclass v6; // r6
  int v7; // r0
  int v8; // r5
  int v9; // r6
  int v10; // r1
  int v11; // r3
  int v12; // r1
  int v13; // r1
  _BOOL4 v14; // r2
  _BOOL4 v15; // r6
  int v16; // r5
  int v17; // r1
  int v18; // r3
  int v19; // r2
  jclass v21; // r8
  __int64 v22; // r0
  int v23; // r6
  __int64 v24; // r2
  int v25; // r1
  int v26; // r0
  int v27; // r6
  int v28; // r3
  int v29; // r6
  int v30; // r6
  int v31; // r3
  int v32; // r2
  int v33; // r0
  int v34; // r0
  int v35; // r0
  const char *funcname; // [sp+4h] [bp-74h] BYREF
  int *v37; // [sp+8h] [bp-70h]
  int (__fastcall *v38)(int, int, int, int); // [sp+Ch] [bp-6Ch]
  void *v39; // [sp+10h] [bp-68h]
  int *v40; // [sp+14h] [bp-64h]
  int (__fastcall *v41)(int, int, int, int); // [sp+18h] [bp-60h]
  int v42; // [sp+1Ch] [bp-5Ch]
  int *v43; // [sp+20h] [bp-58h]
  int (*v44)(); // [sp+24h] [bp-54h]
  int *v45; // [sp+28h] [bp-50h]
  int *v46; // [sp+2Ch] [bp-4Ch]
  int (*v47)(); // [sp+30h] [bp-48h]
  const char *funcname_1; // [sp+34h] [bp-44h]
  int *v49; // [sp+38h] [bp-40h]
  bool (*v50)(); // [sp+3Ch] [bp-3Ch]
  int v51; // [sp+40h] [bp-38h]
  int v52; // [sp+44h] [bp-34h]
  int (*v53)(); // [sp+48h] [bp-30h]
  int v54; // [sp+4Ch] [bp-2Ch]
  int v55; // [sp+50h] [bp-28h]
  int (*v56)(int, int, int, int, int); // [sp+54h] [bp-24h]
  int v57; // [sp+58h] [bp-20h]

  v57 = *(_DWORD *)_stack_chk_guard_ptr;
  if ( !(_BYTE)dword_C532E1E0 )
    sub_C52A6FA8(10);
  sub_C52A75BC(a1);
  sub_C52D37F4(a1);
  v2 = (*a1)->FindClass(a1, *((_DWORD *)(*off_C5325018)[93] + 1));
  if ( !v2 )
  {
    v14 = (*y_239_ptr[0] ^ *x_238_ptr[0]) < 234;
    v15 = 8 * *y_239_ptr[0] > 268;
    v16 = v15 ^ v14;
    v17 = 0;
    v18 = 0;
    v19 = !v14 && !v15;
    if ( *y_239_ptr[0] < 10 )
      v17 = 1;
    if ( !((*x_238_ptr[0] * (*x_238_ptr[0] - 1)) << 31) )
      v18 = 1;
    while ( !(v17 | v18 | v19 | v16) )
      ;
    return 255;
  }
  v3 = 0;
  v4 = 0;
  if ( *y_239_ptr[0] < 137 )
    v3 = 1;
  if ( !(((*x_238_ptr[0] - 1) * *x_238_ptr[0]) << 31) )
    v4 = 1;
  while ( (v4 | ((*x_238_ptr[0] ^ *y_239_ptr[0]) > 7) | v3) != 1 )
    ;
  v5 = off_C5325018;
  v6 = (*a1)->FindClass(a1, *(_DWORD *)(*off_C5325018)[93]);
  (*((void (__fastcall **)(JNIEnv *))(*v5)[4] + 25))(a1);
  if ( v6 )
  {
    funcname = "l";
    v38 = l_sub_3EDA8;
    v39 = &unk_C531D5EA;
    v41 = r_sub_40E14;
    v42 = (int)&dword_C532A248 + 1;
    v37 = &dword_C532A1F0;
    v40 = &dword_C532A1F0;
    v43 = &dword_C532A1F0;
    v44 = ra_sub_41368;
    v45 = &dword_C532A24C;
    v46 = &dword_C532A250;
    v47 = b2b_sub_416B4;
    funcname_1 = "m";
    v49 = &dword_C532A258;
    v50 = m_sub_41700;
    v51 = (int)&dword_C532A26C + 3;
    v52 = (int)&dword_C532A270 + 2;
    v53 = sa_nullsub_1;
    v54 = (int)&dword_C532A298 + 2;
    v55 = (int)&dword_C532A29C + 1;
    v56 = al_sub_41750;
    v7 = (*a1)->RegisterNatives(a1, v2, (const JNINativeMethod *)&funcname, 7);
    v8 = 0;
    v9 = 0;
    v10 = *x_238_ptr[0];
    if ( *y_239_ptr[0] < 21 )
      v8 = 1;
    v11 = (*x_238_ptr[0] - 1) * v10;
    v12 = ((v10 ^ *y_239_ptr[0]) > 80) | v8;
    if ( !(v11 << 31) )
      v9 = 1;
    v13 = v12 | v9;
    while ( v13 != 1 )
      ;
    if ( v7 <= -1 )
      return 255;
  }
  else
  {
    funcname = "l";
    v38 = l_sub_3EDA8;
    v39 = &unk_C531D5EA;
    v41 = r_sub_40E14;
    v42 = (int)&dword_C532A248 + 1;
    v37 = &dword_C532A1F0;
    v40 = &dword_C532A1F0;
    v43 = &dword_C532A1F0;
    v44 = ra_sub_41368;
    v45 = &dword_C532A24C;
    v46 = &dword_C532A250;
    v47 = b2b_sub_416B4;
    funcname_1 = "m";
    v49 = &dword_C532A258;
    v50 = m_sub_41700;
    v51 = (int)&dword_C532A26C + 3;
    v52 = (int)&dword_C532A270 + 2;
    v53 = sa_nullsub_1;
    if ( (*a1)->RegisterNatives(a1, v2, (const JNINativeMethod *)&funcname, 6) < 0 )
      return 255;
    while ( (*x_238_ptr[0] ^ *y_239_ptr[0]) <= 31
         && 2 * *y_239_ptr[0] >= 286
         && *y_239_ptr[0] >= 10
         && ((*x_238_ptr[0] - 1) * *x_238_ptr[0]) << 31 != 0 )
      ;
  }
  v21 = (*a1)->FindClass(a1, (char *)&aRr9Pm + 2);
  HIDWORD(v22) = *y_239_ptr[0];
  LODWORD(v22) = 0;
  v23 = (int)*off_C5325018;
  if ( *y_239_ptr[0] > 9 )
    LODWORD(v22) = 1;
  if ( 16 * HIDWORD(v22) > 354 && (HIDWORD(v22) ^ *x_238_ptr[0]) <= 19 )
  {
    HIDWORD(v22) = (((unsigned __int8)*x_238_ptr[0] - 1) * (unsigned __int8)*x_238_ptr[0]) & 1;
    if ( (unsigned int)v22 == HIDWORD(v22) )
    {
      if ( v22 )
        goto LABEL_39;
    }
  }
  while ( 1 )
  {
    (*(void (__fastcall **)(JNIEnv *))(*(_DWORD *)(v23 + 0x10) + 100))(a1);
    LODWORD(v24) = 0;
    v25 = *y_239_ptr[0];
    v26 = *x_238_ptr[0];
    if ( *y_239_ptr[0] > 9 )
      LODWORD(v24) = 1;
    if ( 16 * v25 < 121 )
      break;
    if ( (v25 ^ v26) > 195 )
      break;
    HIDWORD(v24) = (((_BYTE)v26 - 1) * (_BYTE)v26) & 1;
    if ( (unsigned int)v24 != HIDWORD(v24) || !v24 )
      break;
LABEL_39:
    (*(void (__fastcall **)(JNIEnv *))(*(_DWORD *)(v23 + 0x10) + 100))(a1);
  }
  if ( !v21 )
    goto LABEL_47;
  funcname = (char *)&dword_C532A21C + 3;
  v37 = (int *)((char *)&dword_C532A220 + 2);
  v38 = (int (__fastcall *)(int, int, int, int))off_C5325374;
  if ( (*a1)->RegisterNatives(a1, v21, (const JNINativeMethod *)&funcname, 1) < 0 )
    return 255;
  v27 = 0;
  v28 = 0;
  v26 = *x_238_ptr[0];
  v25 = *y_239_ptr[0];
  if ( *y_239_ptr[0] < 366 )
    v27 = 1;
  v29 = v27 | ((*y_239_ptr[0] ^ *x_238_ptr[0]) > 185);
  if ( !((*x_238_ptr[0] * (*x_238_ptr[0] - 1)) << 31) )
    v28 = 1;
  while ( (v28 | v29) != 1 )
    ;
LABEL_47:
  v30 = 0;
  v31 = 0;
  v32 = v26 * (v26 - 1);
  v33 = v26 ^ v25;
  if ( v25 <= 294 )
    v30 = 1;
  v34 = (v33 > 137) | v30;
  if ( !(v32 << 31) )
    v31 = 1;
  v35 = v34 | v31;
  while ( !v35 )
    ;
  return 1;
}
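The `while ( v6 != 1 ) ;` loops in the listing above, and the two-instruction `CMP R6, #1 / BNE loc_C52C4608` self-loops in the emulator-check assembly later on, are opaque predicates built from the globals x and y. Because (x-1)*x is the product of two consecutive integers it is always even, so `((x-1)*x) << 31` is always zero and `v4 & ((x-1)*x)` always has bit 0 clear; the remaining terms are arranged so that the whole expression is 1 whatever y holds. As an added check that is not part of the original write-up, the Python below mirrors the predicate from JNI_OnLoad and the one from RegisterNatives_sub_5252C with C int semantics (32-bit wraparound, signed comparisons) and evaluates them exhaustively over byte-sized x and y plus a few 32-bit extremes. Once a predicate is confirmed constant, the loop can be patched out before decompiling, or a generic checker like this one can be run on each predicate expression as it is pulled out of the decompiler.

```python
MASK32 = 0xFFFFFFFF


def to_s32(v):
    """Reinterpret a value as a signed 32-bit C int (arithmetic wraps like the ARM code)."""
    v &= MASK32
    return v - (1 << 32) if v & 0x80000000 else v


def onload_predicate(x, y):
    """Mirror of the expression whose value gates `while ( v6 != 1 ) ;` in JNI_OnLoad."""
    v3 = 1 if to_s32(2 * y) > 191 else 0
    v4 = 1 if y > 9 else 0
    v5 = v4 & (((x - 1) * x) & MASK32)          # bit 0 of an even product is 0, so v5 == 0
    v2 = 1 if to_s32(x ^ y) < 130 else 0
    a = v2 & v3
    return ((a | v5) ^ 1) | (a ^ v5)            # (a ^ 1) | a == 1 for a in {0, 1}


def registernatives_predicate(x, y):
    """Mirror of `while ( (v4 | ((x ^ y) > 7) | v3) != 1 ) ;` in RegisterNatives_sub_5252C."""
    v3 = 1 if y < 137 else 0
    v4 = 1 if (((x - 1) * x) << 31) & MASK32 == 0 else 0   # always 1: the product is even
    return v4 | (1 if to_s32(x ^ y) > 7 else 0) | v3


def is_constant_true(pred, width=8):
    """Exhaustive check over width-bit x/y plus the 32-bit corner cases the byte range misses."""
    limit = 1 << width
    corners = (0, 1, -1, 0x7FFFFFFF, -0x80000000, 0x80000000, 0x55555555, 0xAAAAAAAA)
    samples = [(x, y) for x in range(limit) for y in range(limit)]
    samples += [(x, y) for x in corners for y in corners]
    return all(pred(x, y) == 1 for x, y in samples)


if __name__ == "__main__":
    for name, pred in (("JNI_OnLoad", onload_predicate),
                       ("RegisterNatives_sub_5252C", registernatives_predicate)):
        print(name, "predicate is constant-true:", is_constant_true(pred))
```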
The registered native methods:
l(Landroid/app/Application;Ljava/lang/String;)Z
r(Landroid/app/Application;Ljava/lang/String;)Z
ra(Landroid/app/Application;Ljava/lang/String;)Z
b2b([BI)[B
m(Ljava/lang/String;I)V
sa(Ljava/lang/String;Ljava/lang/String;)V
al(Ljava/lang/ClassLoader;Landroid/content/pm/ApplicationInfo;Ljava/lang/String;Ljava/lang/String;)Ljava/lang/ClassLoader;
4.2 From the Java layer to the native layer
In the shell's Java layer, several key methods of android.app.AppComponentFactory are overridden. instantiateClassLoader is the central one: on API 29 and later the framework calls it before the application's ClassLoader exists, and the override eventually reaches the native method al, which returns the ClassLoader that actually loads the restored DEX code.
@Override // android.app.AppComponentFactory
@TargetApi(29)
public ClassLoader instantiateClassLoader(ClassLoader arg4, ApplicationInfo arg5) {
    if(!this.supportInstantiateClassLoader) {
        File v1 = new File(arg5.dataDir, "files");
        if(!v1.exists()) {
            v1.mkdirs();
        }
        S.p_solutePath = v1.getAbsolutePath();
        S.f_PackageCodePath = arg5.sourceDir;
        S.l(null);
        arg4 = N.al(arg4, arg5, this.package, this.orignAppName); // calls the native method al
        arg5.className = this.orignAppName;
        this.supportInstantiateClassLoader = true;
    }
    if(S.l) {
        this.acf = this.getACF(arg4);
        return this.acf == null ? super.instantiateClassLoader(arg4, arg5) : this.acf.instantiateClassLoader(arg4, arg5);
    }
    return super.instantiateClassLoader(arg4, arg5);
}
4.3 Anti-debugging
Calling isDebuggerConnected reflectively: the class name (IDA's aAndroidOsDebug) and the method name (aIsdebuggerconn) are stored encrypted and the call goes through the JNI CallStaticBooleanMethodV slot.
.text&ARM.extab:C52C8060 isDebuggerConnected_sub_C608A060
.text&ARM.extab:C52C8060 ; CODE XREF: l_sub_3EDA8+33C↓p
.text&ARM.extab:C52C8060 ; al_sub_41750+324↓p
.text&ARM.extab:C52C8060 ; DATA XREF: l_sub_3EDA8+33A↓o
.text&ARM.extab:C52C8060 ; al_sub_41750+322↓o
.text&ARM.extab:C52C8060 ; .data:C5328140↓o
.text&ARM.extab:C52C8060 var_18= -0x18
.text&ARM.extab:C52C8060 var_C= -0xC
.text&ARM.extab:C52C8060 ; __unwind {
.text&ARM.extab:C52C8060 80 B5          PUSH {R7,LR}
.text&ARM.extab:C52C8062 6F 46          MOV R7, SP
.text&ARM.extab:C52C8064 84 B0          SUB SP, SP, #0x10
.text&ARM.extab:C52C8066 28 48          LDR R0, =(__stack_chk_guard_ptr - 0xC52C806E)
.text&ARM.extab:C52C8068 28 49          LDR R1, =(off_C5325018 - 0xC52C8072)
.text&ARM.extab:C52C806A 78 44          ADD R0, PC ; __stack_chk_guard_ptr
.text&ARM.extab:C52C806C 28 4A          LDR R2, =(aAndroidOsDebug - 0xC52C8078) ; "+\x1C\x10I\x1A1\fx3 o\x1B(&/(J"
.text&ARM.extab:C52C806E 79 44          ADD R1, PC ; off_C5325018
.text&ARM.extab:C52C8070 28 4B          LDR R3, =(byte_C5328846 - 0xC52C807C)
.text&ARM.extab:C52C8072 00 68          LDR R0, [R0]
.text&ARM.extab:C52C8074 7A 44          ADD R2, PC ; "+\x1C\x10I\x1A1\fx3 o\x1B(&/(J"
.text&ARM.extab:C52C8076 09 68          LDR R1, [R1] ; off_C5326004
.text&ARM.extab:C52C8078 7B 44          ADD R3, PC ; byte_C5328846
.text&ARM.extab:C52C807A 00 68          LDR R0, [R0]
.text&ARM.extab:C52C807C 03 90          STR R0, [SP,#0x18+var_C]
.text&ARM.extab:C52C807E 09 68          LDR R1, [R1] ; off_C532DDC0
.text&ARM.extab:C52C8080 88 68          LDR R0, [R1,#(off_C532DDC8 - 0xC532DDC0)]
.text&ARM.extab:C52C8082 09 69          LDR R1, [R1,#(off_C532DDD0 - 0xC532DDC0)] ; off_C53266C4
.text&ARM.extab:C52C8084 D1 F8 38 C0    LDR.W R12, [R1,#0x38] ; CallStaticBooleanMethodV_isDebuggerConnected_sub_C609F484
.text&ARM.extab:C52C8088 23 49          LDR R1, =(aIsdebuggerconn - 0xC52C808E) ; "#\x010^\x17-\x0F09!\x030#*?,>\x17\x10;"
.text&ARM.extab:C52C808A 79 44          ADD R1, PC ; "#\x010^\x17-\x0F09!\x030#*?,>\x17\x10;"
.text&ARM.extab:C52C808C 00 91          STR R1, [SP,#0x18+var_18]
.text&ARM.extab:C52C808E 79 1F          SUBS R1, R7, #5 ; isDebuggerConnected
.text&ARM.extab:C52C8090 E0 47          BLX R12 ; CallStaticBooleanMethodV
.text&ARM.extab:C52C8092 20 B1          CBZ R0, loc_C52C809E
.text&ARM.extab:C52C8094 17 F8 05 0C    LDRB.W R0, [R7,#-5]
.text&ARM.extab:C52C8098 08 B1          CBZ R0, loc_C52C809E
.text&ARM.extab:C52C809A 01 20          MOVS R0, #1
.text&ARM.extab:C52C809C 28 E0          B loc_C52C80F0
Emulator detection (access() on qemu device nodes, a scan of /proc/tty/drivers, then a property check):
.text&ARM.extab:C52C45A0 check_qemu_anitdbg_sub_C60B05A0
.text&ARM.extab:C52C45A0 var_40= -0x40
.text&ARM.extab:C52C45A0 var_38= -0x38
.text&ARM.extab:C52C45A0 var_2C= -0x2C
.text&ARM.extab:C52C45A0 var_28= -0x28
.text&ARM.extab:C52C45A0 anonymous_0= -0x24
.text&ARM.extab:C52C45A0 var_20= -0x20
.text&ARM.extab:C52C45A0 ; __unwind {
.text&ARM.extab:C52C45A0 F0 B5          PUSH {R4-R7,LR}
.text&ARM.extab:C52C45A2 03 AF          ADD R7, SP, #0xC
.text&ARM.extab:C52C45A4 2D E9 00 0F    PUSH.W {R8-R11}
.text&ARM.extab:C52C45A8 89 B0          SUB SP, SP, #0x24
.text&ARM.extab:C52C45AA 80 46          MOV R8, R0
.text&ARM.extab:C52C45AC DF F8 E8 07    LDR.W R0, =(x.196_ptr - 0xC52C45BA)
.text&ARM.extab:C52C45B0 DF F8 E8 17    LDR.W R1, =(y.197_ptr - 0xC52C45C4)
.text&ARM.extab:C52C45B4 00 24          MOVS R4, #0
.text&ARM.extab:C52C45B6 78 44          ADD R0, PC ; x.196_ptr
.text&ARM.extab:C52C45B8 DF F8 E4 27    LDR.W R2, =(__stack_chk_guard_ptr - 0xC52C45C8)
.text&ARM.extab:C52C45BC DF F8 E4 37    LDR.W R3, =(off_C5325018 - 0xC52C45CA)
.text&ARM.extab:C52C45C0 79 44          ADD R1, PC ; y.197_ptr
.text&ARM.extab:C52C45C2 00 68          LDR R0, [R0] ; x.196
.text&ARM.extab:C52C45C4 7A 44          ADD R2, PC ; __stack_chk_guard_ptr
.text&ARM.extab:C52C45C6 7B 44          ADD R3, PC ; off_C5325018
.text&ARM.extab:C52C45C8 09 68          LDR R1, [R1] ; y.197
.text&ARM.extab:C52C45CA 12 68          LDR R2, [R2]
.text&ARM.extab:C52C45CC 00 25          MOVS R5, #0
.text&ARM.extab:C52C45CE 06 68          LDR R6, [R0]
.text&ARM.extab:C52C45D0 18 68          LDR R0, [R3] ; off_C5326004
.text&ARM.extab:C52C45D2 73 1E          SUBS R3, R6, #1
.text&ARM.extab:C52C45D4 09 68          LDR R1, [R1]
.text&ARM.extab:C52C45D6 73 43          MULS R3, R6
.text&ARM.extab:C52C45D8 00 68          LDR R0, [R0] ; off_C532DDC0
.text&ARM.extab:C52C45DA 12 68          LDR R2, [R2]
.text&ARM.extab:C52C45DC 08 92          STR R2, [SP,#0x40+var_20]
.text&ARM.extab:C52C45DE 61 29          CMP R1, #0x61 ; 'a'
.text&ARM.extab:C52C45E0 81 EA 06 02    EOR.W R2, R1, R6
.text&ARM.extab:C52C45E4 C8 BF          IT GT
.text&ARM.extab:C52C45E6 01 24          MOVGT R4, #1
.text&ARM.extab:C52C45E8 62 2A          CMP R2, #0x62 ; 'b'
.text&ARM.extab:C52C45EA 4F F0 00 06    MOV.W R6, #0
.text&ARM.extab:C52C45EE B8 BF          IT LT
.text&ARM.extab:C52C45F0 01 26          MOVLT R6, #1
.text&ARM.extab:C52C45F2 09 29          CMP R1, #9
.text&ARM.extab:C52C45F4 C8 BF          IT GT
.text&ARM.extab:C52C45F6 01 25          MOVGT R5, #1
.text&ARM.extab:C52C45F8 26 40          ANDS R6, R4
.text&ARM.extab:C52C45FA 2B 40          ANDS R3, R5
.text&ARM.extab:C52C45FC 86 EA 03 05    EOR.W R5, R6, R3
.text&ARM.extab:C52C4600 1E 43          ORRS R6, R3
.text&ARM.extab:C52C4602 86 F0 01 06    EOR.W R6, R6, #1
.text&ARM.extab:C52C4606 2E 43          ORRS R6, R5
.text&ARM.extab:C52C4608 01 2E          CMP R6, #1
.text&ARM.extab:C52C460A FD D1          BNE loc_C52C4608
.text&ARM.extab:C52C460C 90 F8 7C 60    LDRB.W R6, [R0,#(dword_C532DE3C - 0xC532DDC0)]
.text&ARM.extab:C52C4610 00 2E          CMP R6, #0
.text&ARM.extab:C52C4612 00 F0 BD 80    BEQ.W loc_C52C4790
.text&ARM.extab:C52C4616 88 00          LSLS R0, R1, #2
.text&ARM.extab:C52C4618 16 28          CMP R0, #0x16
.text&ARM.extab:C52C461A 4F F0 00 00    MOV.W R0, #0
.text&ARM.extab:C52C461E 4F F0 00 01    MOV.W R1, #0
.text&ARM.extab:C52C4622 C8 BF          IT GT
.text&ARM.extab:C52C4624 01 20          MOVGT R0, #1
.text&ARM.extab:C52C4626 EA 2A          CMP R2, #0xEA
.text&ARM.extab:C52C4628 B8 BF          IT LT
.text&ARM.extab:C52C462A 01 21          MOVLT R1, #1
.text&ARM.extab:C52C462C 08 40          ANDS R0, R1
.text&ARM.extab:C52C462E 98 42          CMP R0, R3
.text&ARM.extab:C52C4630 02 D1          BNE loc_C52C4638
.text&ARM.extab:C52C4632 18 43          ORRS R0, R3
.text&ARM.extab:C52C4634 40 F0 E0 80    BNE.W loc_C52C47F8
.text&ARM.extab:C52C4638 loc_C52C4638
.text&ARM.extab:C52C4638 DF F8 6C 17    LDR.W R1, =(aDevQemuPipe - 0xC52C4646) ; "e\x16\x11MZ)\r:)\f06=!Z"
.text&ARM.extab:C52C463C 00 24          MOVS R4, #0
.text&ARM.extab:C52C463E DF F8 6C 07    LDR.W R0, =(aDevSocketQemud - 0xC52C4648) ; "e\x16\x11MZ+\a4764p<!7:.r"
.text&ARM.extab:C52C4642 79 44          ADD R1, PC ; "e\x16\x11MZ)\r:)\f06=!Z"
.text&ARM.extab:C52C4644 78 44          ADD R0, PC ; "e\x16\x11MZ+\a4764p<!7:.r" ; name
.text&ARM.extab:C52C4646 CD E9 06 01    STRD.W R0, R1, [SP,#0x40+var_28]
.text&ARM.extab:C52C464A 00 21          MOVS R1, #0 ; type
.text&ARM.extab:C52C464C E1 F7 3A E9    BLX access ; /dev/socket/qemud
.text&ARM.extab:C52C4650 01 30          ADDS R0, #1
.text&ARM.extab:C52C4652 00 F0 E6 80    BEQ.W loc_C52C4822
.text&ARM.extab:C52C4656 loc_C52C4656
.text&ARM.extab:C52C4656 4F F0 01 0C    MOV.W R12, #1
.text&ARM.extab:C52C465A loc_C52C465A
.text&ARM.extab:C52C465A DF F8 54 07    LDR.W R0, =(x.196_ptr - 0xC52C4668)
.text&ARM.extab:C52C465E 00 25          MOVS R5, #0
.text&ARM.extab:C52C4660 DF F8 50 17    LDR.W R1, =(y.197_ptr - 0xC52C466A)
.text&ARM.extab:C52C4664 78 44          ADD R0, PC ; x.196_ptr
.text&ARM.extab:C52C4666 79 44          ADD R1, PC ; y.197_ptr
.text&ARM.extab:C52C4668 00 68          LDR R0, [R0] ; x.196
.text&ARM.extab:C52C466A 09 68          LDR R1, [R1] ; y.197
.text&ARM.extab:C52C466C 00 68          LDR R0, [R0]
.text&ARM.extab:C52C466E 09 68          LDR R1, [R1]
.text&ARM.extab:C52C4670 42 1E          SUBS R2, R0, #1
.text&ARM.extab:C52C4672 81 EA 00 03    EOR.W R3, R1, R0
.text&ARM.extab:C52C4676 42 43          MULS R2, R0
.text&ARM.extab:C52C4678 13 2B          CMP R3, #0x13
.text&ARM.extab:C52C467A 4F F0 00 00    MOV.W R0, #0
.text&ARM.extab:C52C467E 4F EA 01 16    MOV.W R6, R1,LSL#4
.text&ARM.extab:C52C4682 C8 BF          IT GT
.text&ARM.extab:C52C4684 01 20          MOVGT R0, #1
.text&ARM.extab:C52C4686 B6 F5 B2 7F    CMP.W R6, #0x164
.text&ARM.extab:C52C468A 4F F0 00 06    MOV.W R6, #0
.text&ARM.extab:C52C468E D8 BF          IT LE
.text&ARM.extab:C52C4690 01 26          MOVLE R6, #1
.text&ARM.extab:C52C4692 0A 29          CMP R1, #0xA
.text&ARM.extab:C52C4694 46 EA 00 06    ORR.W R6, R6, R0
.text&ARM.extab:C52C4698 B8 BF          IT LT
.text&ARM.extab:C52C469A 01 25          MOVLT R5, #1
.text&ARM.extab:C52C469C 12 F0 01 02    ANDS.W R2, R2, #1
.text&ARM.extab:C52C46A0 4F F0 00 00    MOV.W R0, #0
.text&ARM.extab:C52C46A4 08 BF          IT EQ
.text&ARM.extab:C52C46A6 01 20          MOVEQ R0, #1
.text&ARM.extab:C52C46A8 09 29          CMP R1, #9
.text&ARM.extab:C52C46AA C8 BF          IT GT
.text&ARM.extab:C52C46AC 01 24          MOVGT R4, #1
.text&ARM.extab:C52C46AE 14 40          ANDS R4, R2
.text&ARM.extab:C52C46B0 94 EA 06 0F    TEQ.W R4, R6
.text&ARM.extab:C52C46B4 1E BF          ITTT NE
.text&ARM.extab:C52C46B6 28 43          ORRNE R0, R5
.text&ARM.extab:C52C46B8 30 40          ANDNE R0, R6
.text&ARM.extab:C52C46BA 01 28          CMPNE R0, #1
.text&ARM.extab:C52C46BC 40 F0 9C 80    BNE.W loc_C52C47F8
.text&ARM.extab:C52C46C0 E4 2B          CMP R3, #0xE4
.text&ARM.extab:C52C46C2 4F F0 00 03    MOV.W R3, #0
.text&ARM.extab:C52C46C6 4F EA 41 06    MOV.W R6, R1,LSL#1
.text&ARM.extab:C52C46CA C8 BF          IT GT
.text&ARM.extab:C52C46CC 01 23          MOVGT R3, #1
.text&ARM.extab:C52C46CE 86 2E          CMP R6, #0x86
.text&ARM.extab:C52C46D0 4F F0 00 06    MOV.W R6, #0
.text&ARM.extab:C52C46D4 B8 BF          IT LT
.text&ARM.extab:C52C46D6 01 26          MOVLT R6, #1
.text&ARM.extab:C52C46D8 00 20          MOVS R0, #0
.text&ARM.extab:C52C46DA 09 29          CMP R1, #9
.text&ARM.extab:C52C46DC C8 BF          IT GT
.text&ARM.extab:C52C46DE 01 20          MOVGT R0, #1
.text&ARM.extab:C52C46E0 00 2A          CMP R2, #0
.text&ARM.extab:C52C46E2 18 BF          IT NE
.text&ARM.extab:C52C46E4 01 22          MOVNE R2, #1
.text&ARM.extab:C52C46E6 80 EA 02 01    EOR.W R1, R0, R2
.text&ARM.extab:C52C46EA 10 43          ORRS R0, R2
.text&ARM.extab:C52C46EC 80 F0 01 00    EOR.W R0, R0, #1
.text&ARM.extab:C52C46F0 33 43          ORRS R3, R6
.text&ARM.extab:C52C46F2 08 43          ORRS R0, R1
.text&ARM.extab:C52C46F4 18 43          ORRS R0, R3
.text&ARM.extab:C52C46F6 loc_C52C46F6
.text&ARM.extab:C52C46F6 01 28          CMP R0, #1
.text&ARM.extab:C52C46F8 FD D1          BNE loc_C52C46F6
.text&ARM.extab:C52C46FA BC F1 00 0F    CMP.W R12, #0
.text&ARM.extab:C52C46FE 79 D1          BNE loc_C52C47F4
.text&ARM.extab:C52C4700 DF F8 C0 06    LDR.W R0, =(aProcTtyDrivers - 0xC52C470C) ; "e\x02\x06T\x16w\x1C#%|$-$2?=9r"
.text&ARM.extab:C52C4704 DF F8 C0 16    LDR.W R1, =(aR - 0xC52C4712) ; "r"
.text&ARM.extab:C52C4708 78 44          ADD R0, PC ; "e\x02\x06T\x16w\x1C#%|$-$2?=9r" ; filename
.text&ARM.extab:C52C470A CD F8 14 80    STR.W R8, [SP,#0x40+var_2C]
.text&ARM.extab:C52C470E 79 44          ADD R1, PC ; "r" ; modes
.text&ARM.extab:C52C4710 E1 F7 BA E8    BLX fopen ; /proc/tty/drivers
.text&ARM.extab:C52C4714 83 46          MOV R11, R0
.text&ARM.extab:C52C4716 BB F1 00 0F    CMP.W R11, #0
.text&ARM.extab:C52C471A 2F D0          BEQ loc_C52C477C
.text&ARM.extab:C52C471C 42 F2 94 00    MOVW R0, #0x2094 ; size
.text&ARM.extab:C52C4720 E1 F7 8E E8    BLX malloc
.text&ARM.extab:C52C4724 06 46          MOV R6, R0
.text&ARM.extab:C52C4726 42 F2 14 00    MOVW R0, #0x2014
.text&ARM.extab:C52C472A 06 EB 00 08    ADD.W R8, R6, R0
.text&ARM.extab:C52C472E 42 F2 04 00    MOVW R0, #0x2004
.text&ARM.extab:C52C4732 06 EB 00 09    ADD.W R9, R6, R0
.text&ARM.extab:C52C4736 06 F5 80 54    ADD.W R4, R6, #0x1000
.text&ARM.extab:C52C473A 06 F5 00 5A    ADD.W R10, R6, #0x2000
.text&ARM.extab:C52C473E loc_C52C473E ; CODE XREF: check_qemu_anitdbg_sub_C60B05A0+1CE↓j
.text&ARM.extab:C52C473E DF F8 24 17    LDR.W R1, =(byte_C532821D - 0xC52C474C)
.text&ARM.extab:C52C4742 58 46          MOV R0, R11 ; stream
.text&ARM.extab:C52C4744 32 46          MOV R2, R6
.text&ARM.extab:C52C4746 23 46          MOV R3, R4
.text&ARM.extab:C52C4748 79 44          ADD R1, PC ; byte_C532821D ; format
.text&ARM.extab:C52C474A CD E9 00 A9    STRD.W R10, R9, [SP,#0x40+var_40]
.text&ARM.extab:C52C474E CD F8 08 80    STR.W R8, [SP,#0x40+var_38]
.text&ARM.extab:C52C4752 E1 F7 20 EA    BLX fscanf
.text&ARM.extab:C52C4756 DF F8 10 17    LDR.W R1, =(dword_C532822C - 0xC52C4766)
.text&ARM.extab:C52C475A 05 46          MOV R5, R0
.text&ARM.extab:C52C475C 30 46          MOV R0, R6 ; s1
.text&ARM.extab:C52C475E 4F F4 80 52    MOV.W R2, #0x1000 ; n
.text&ARM.extab:C52C4762 79 44          ADD R1, PC ; dword_C532822C ; s2
.text&ARM.extab:C52C4764 E1 F7 78 E8    BLX strncmp
.text&ARM.extab:C52C4768 00 28          CMP R0, #0
.text&ARM.extab:C52C476A 43 D0          BEQ loc_C52C47F4
.text&ARM.extab:C52C476C 68 1C          ADDS R0, R5, #1
.text&ARM.extab:C52C476E E6 D1          BNE loc_C52C473E
.text&ARM.extab:C52C4770 30 46          MOV R0, R6 ; ptr
.text&ARM.extab:C52C4772 E1 F7 42 E8    BLX free
.text&ARM.extab:C52C4776 58 46          MOV R0, R11 ; stream
.text&ARM.extab:C52C4778 E1 F7 9E E8    BLX fclose
.text&ARM.extab:C52C477C loc_C52C477C
.text&ARM.extab:C52C477C 01 F0 18 FB    BL check_qemu_sub_C60B1DB0
.text&ARM.extab:C52C4780 C0 BB          CBNZ R0, loc_C52C47F4
.text&ARM.extab:C52C4782 DF F8 48 06    LDR.W R0, =(off_C5325018 - 0xC52C478E)
.text&ARM.extab:C52C4786 DD F8 14 80    LDR.W R8, [SP,#0x40+var_2C]
.text&ARM.extab:C52C478A 78 44          ADD R0, PC ; off_C5325018
.text&ARM.extab:C52C478C 00 68          LDR R0, [R0] ; off_C5326004
.text&ARM.extab:C52C478E 00 68          LDR R0, [R0] ; off_C532DDC0
.text&ARM.extab:C52C4790 loc_C52C4790
.text&ARM.extab:C52C4790 90 F8 FC 10    LDRB.W R1, [R0,#(dword_C532DEBC - 0xC532DDC0)]
.text&ARM.extab:C52C4794 00 29          CMP R1, #0
.text&ARM.extab:C52C4796 00 F0 90 82    BEQ.W loc_C52C4CBA
.text&ARM.extab:C52C479A DF F8 34 16    LDR.W R1, =(x.196_ptr - 0xC52C47A8)
.text&ARM.extab:C52C479E 00 26          MOVS R6, #0
.text&ARM.extab:C52C47A0 DF F8 30 26    LDR.W R2, =(y.197_ptr - 0xC52C47AA)
.text&ARM.extab:C52C47A4 79 44          ADD R1, PC ; x.196_ptr
.text&ARM.extab:C52C47A6 7A 44          ADD R2, PC ; y.197_ptr
.text&ARM.extab:C52C47A8 09 68          LDR R1, [R1] ; x.196
.text&ARM.extab:C52C47AA 12 68          LDR R2, [R2] ; y.197
.text&ARM.extab:C52C47AC 09 68          LDR R1, [R1]
.text&ARM.extab:C52C47AE 12 68          LDR R2, [R2]
.text&ARM.extab:C52C47B0 4B 1E          SUBS R3, R1, #1
.text&ARM.extab:C52C47B2 4B 43          MULS R3, R1
.text&ARM.extab:C52C47B4 51 40          EORS R1, R2
.text&ARM.extab:C52C47B6 92 29          CMP R1, #0x92
.text&ARM.extab:C52C47B8 4F F0 00 01    MOV.W R1, #0
.text&ARM.extab:C52C47BC 4F EA C2 05    MOV.W R5, R2,LSL#3
.text&ARM.extab:C52C47C0 C8 BF          IT GT
.text&ARM.extab:C52C47C2 01 21          MOVGT R1, #1
.text&ARM.extab:C52C47C4 B5 F5 E4 7F    CMP.W R5, #0x1C8
.text&ARM.extab:C52C47C8 4F F0 00 05    MOV.W R5, #0
.text&ARM.extab:C52C47CC B8 BF          IT LT
.text&ARM.extab:C52C47CE 01 25          MOVLT R5, #1
.text&ARM.extab:C52C47D0 0A 2A          CMP R2, #0xA
.text&ARM.extab:C52C47D2 4F F0 00 02    MOV.W R2, #0
.text&ARM.extab:C52C47D6 41 EA 05 01    ORR.W R1, R1, R5
.text&ARM.extab:C52C47DA B8 BF          IT LT
.text&ARM.extab:C52C47DC 01 22          MOVLT R2, #1
.text&ARM.extab:C52C47DE DB 07          LSLS R3, R3, #0x1F
.text&ARM.extab:C52C47E0 08 BF          IT EQ
.text&ARM.extab:C52C47E2 01 26          MOVEQ R6, #1
.text&ARM.extab:C52C47E4 32 43          ORRS R2, R6
.text&ARM.extab:C52C47E6 11 43          ORRS R1, R2
.text&ARM.extab:C52C47E8 loc_C52C47E8
.text&ARM.extab:C52C47E8 01 29          CMP R1, #1
.text&ARM.extab:C52C47EA FD D1          BNE loc_C52C47E8
.text&ARM.extab:C52C47EC 80 6B          LDR R0, [R0,#(off_C532DDF8 - 0xC532DDC0)] ; off_C532812C
.text&ARM.extab:C52C47EE 40 6A          LDR R0, [R0,#0x24] ; sub_C52C9AF8
.text&ARM.extab:C52C47F0 80 47          BLX R0
.text&ARM.extab:C52C47F2 30 B3          CBZ R0, loc_C52C4842
.text&ARM.extab:C52C47F4 loc_C52C47F4
.text&ARM.extab:C52C47F4 01 20          MOVS R0, #1
.text&ARM.extab:C52C47F6 C1 E2          B loc_C52C4D7C
.text&ARM.extab:C52C47F8 loc_C52C47F8
.text&ARM.extab:C52C47F8 DF F8 BC 15    LDR.W R1, =(aDevQemuPipe - 0xC52C4804) ; "e\x16\x11MZ)\r:)\f06=!Z"
.text&ARM.extab:C52C47FC DF F8 BC 05    LDR.W R0, =(aDevSocketQemud - 0xC52C4806) ; "e\x16\x11MZ+\a4764p<!7:.r"
.text&ARM.extab:C52C4800 79 44          ADD R1, PC ; "e\x16\x11MZ)\r:)\f06=!Z"
.text&ARM.extab:C52C4802 78 44          ADD R0, PC ; "e\x16\x11MZ+\a4764p<!7:.r" ; name
.text&ARM.extab:C52C4804 CD E9 06 01    STRD.W R0, R1, [SP,#0x40+var_28]
.text&ARM.extab:C52C4808 00 21          MOVS R1, #0 ; type
.text&ARM.extab:C52C480A E1 F7 5C E8    BLX access
.text&ARM.extab:C52C480E 01 30          ADDS R0, #1
.text&ARM.extab:C52C4810 7F F4 12 AF    BNE.W loc_C52C4638
.text&ARM.extab:C52C4814 DF F8 A8 05    LDR.W R0, =(aDevQemuPipe - 0xC52C481E) ; "e\x16\x11MZ)\r:)\f06=!Z"
.text&ARM.extab:C52C4818 00 21          MOVS R1, #0 ; type
.text&ARM.extab:C52C481A 78 44          ADD R0, PC ; "e\x16\x11MZ)\r:)\f06=!Z" ; name
.text&ARM.extab:C52C481C E1 F7 52 E8    BLX access
.text&ARM.extab:C52C4820 0A E7          B loc_C52C4638
.text&ARM.extab:C52C4822 loc_C52C4822
.text&ARM.extab:C52C4822 06 AE          ADD R6, SP, #0x40+var_28
.text&ARM.extab:C52C4824 01 25          MOVS R5, #1
.text&ARM.extab:C52C4826 loc_C52C4826
.text&ARM.extab:C52C4826 01 2D          CMP R5, #1
.text&ARM.extab:C52C4828 08 D8          BHI loc_C52C483C
.text&ARM.extab:C52C482A 56 F8 25 00    LDR.W R0, [R6,R5,LSL#2] ; name
.text&ARM.extab:C52C482E 00 21          MOVS R1, #0 ; type
.text&ARM.extab:C52C4830 E1 F7 48 E8    BLX access ; /dev/qemu_pipe
.text&ARM.extab:C52C4834 01 35          ADDS R5, #1
.text&ARM.extab:C52C4836 01 30          ADDS R0, #1
.text&ARM.extab:C52C4838 F5 D0          BEQ loc_C52C4826
Indicators checked (system properties):
init.svc.qemud
init.svc.qemu-props
qemu.hw.mainkeys
qemu.sf.fake_camera
qemu.sf.lcd_density
ro.bootloader
ro.bootmode
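The checks in the listing above, assembled into one routine as an added example that is not part of the original write-up: access() on the two /dev nodes named in the listing's comments, a scan of /proc/tty/drivers that compares the first field of every line (the listing reads five fields with fscanf and strncmp's the first one against an encrypted string, which I assume to be "goldfish", the emulator's tty driver name), and a check of the system properties listed above. Which values of ro.bootloader/ro.bootmode count as an emulator indicator is my assumption too (the write-up only names the properties). Everything takes its inputs as parameters so it runs on a workstation with constructed data; on a device you would feed it the output of getprop.

```python
import os

# paths and property names as they appear in the listing and the indicator list above
QEMU_DEVICE_PATHS = ("/dev/socket/qemud", "/dev/qemu_pipe")
QEMU_PROPERTIES = ("init.svc.qemud", "init.svc.qemu-props", "qemu.hw.mainkeys",
                   "qemu.sf.fake_camera", "qemu.sf.lcd_density")
BOOT_PROPERTIES = ("ro.bootloader", "ro.bootmode")
EMULATOR_BOOT_VALUES = ("unknown",)   # assumption: the stock emulator reports "unknown" here
TTY_DRIVER_NAME = "goldfish"          # assumption: the encrypted strncmp target in the listing


def qemu_device_present(paths=QEMU_DEVICE_PATHS, exists=os.path.exists):
    """access(path, F_OK) on the qemu pipe/socket nodes; `exists` is injectable for testing."""
    return any(exists(p) for p in paths)


def tty_drivers_has(text, driver_name=TTY_DRIVER_NAME):
    """Mirror of the fscanf/strncmp loop: /proc/tty/drivers has one driver per line,
    `<name> <node> <major> <minor range> <type>`, and only the first field is compared."""
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0] == driver_name:
            return True
    return False


def emulator_properties(props):
    """props: dict of property name -> value, e.g. parsed from `getprop` output."""
    hits = [name for name in QEMU_PROPERTIES if props.get(name)]
    hits += [name for name in BOOT_PROPERTIES
             if props.get(name, "").lower() in EMULATOR_BOOT_VALUES]
    return hits


def emulator_indicators(props, tty_drivers_text, exists=os.path.exists):
    """Return the list of indicators that fired, in the order the listing checks them."""
    hits = []
    if qemu_device_present(exists=exists):
        hits.append("qemu_device_node")
    if tty_drivers_has(tty_drivers_text):
        hits.append("tty_driver_" + TTY_DRIVER_NAME)
    hits += emulator_properties(props)
    return hits


def read_tty_drivers(path="/proc/tty/drivers"):
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return ""


if __name__ == "__main__":
    # constructed sample, not captured from a device
    sample_props = {"init.svc.qemud": "running", "qemu.sf.lcd_density": "420",
                    "ro.bootloader": "unknown"}
    print(emulator_indicators(sample_props, read_tty_drivers()))
```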
Detection of unpackers (Youpk and similar) and Frida
.text&ARM.extab:C52C60B8 check_frida_Youpk_sub_C60B20B8
.text&ARM.extab:C52C60B8 var_9C= -0x9C
.text&ARM.extab:C52C60B8 var_98= -0x98
.text&ARM.extab:C52C60B8 var_14= -0x14
.text&ARM.extab:C52C60B8 ; __unwind {
.text&ARM.extab:C52C60B8 F0 B5          PUSH {R4-R7,LR}
.text&ARM.extab:C52C60BA 03 AF          ADD R7, SP, #0xC
.text&ARM.extab:C52C60BC 4D F8 04 BD    PUSH.W {R11}
.text&ARM.extab:C52C60C0 A4 B0          SUB SP, SP, #0x90
.text&ARM.extab:C52C60C2 98 48          LDR R0, =(__stack_chk_guard_ptr - 0xC52C60CE)
.text&ARM.extab:C52C60C4 00 22          MOVS R2, #0
.text&ARM.extab:C52C60C6 98 49          LDR R1, =(aDataDexname - 0xC52C60D0) ; "e\x16\x15O\x14w\f2$=!2(D"
.text&ARM.extab:C52C60C8 00 23          MOVS R3, #0
.text&ARM.extab:C52C60CA 78 44          ADD R0, PC ; __stack_chk_guard_ptr
.text&ARM.extab:C52C60CC 79 44          ADD R1, PC ; "e\x16\x15O\x14w\f2$=!2(D"
.text&ARM.extab:C52C60CE 00 68          LDR R0, [R0]
.text&ARM.extab:C52C60D0 00 68          LDR R0, [R0]
.text&ARM.extab:C52C60D2 23 90          STR R0, [SP,#0xA0+var_14]
.text&ARM.extab:C52C60D4 6F F0 63 00    MOV R0, #0xFFFFFF9C
.text&ARM.extab:C52C60D8 80 B4          PUSH {R7}
.text&ARM.extab:C52C60DA 40 F2 4E 17    MOVW R7, #0x14E ; __NR_faccessat
.text&ARM.extab:C52C60DE 00 DF          SVC 0
.text&ARM.extab:C52C60E0 80 BC          POP {R7}
.text&ARM.extab:C52C60E2 10 F5 80 5F    CMN.W R0, #0x1000
.text&ARM.extab:C52C60E6 15 D9          BLS loc_C52C6114
.text&ARM.extab:C52C60E8 90 49          LDR R1, =(off_C5325018 - 0xC52C60F0)
.text&ARM.extab:C52C60EA 45 42          NEGS R5, R0
.text&ARM.extab:C52C60EC 79 44          ADD R1, PC ; off_C5325018
.text&ARM.extab:C52C60EE 0E 68          LDR R6, [R1] ; off_C5326004
.text&ARM.extab:C52C60F0 DF F7 1E EC    BLX __errno
.text&ARM.extab:C52C60F4 04 46          MOV R4, R0
.text&ARM.extab:C52C60F6 8E 49          LDR R1, =(aCnYoulorUnpack - 0xC52C6100) ; ")\x1C[B\x1A-\x048.|\x151=%9$/\x00t"
.text&ARM.extab:C52C60F8 25 60          STR R5, [R4]
.text&ARM.extab:C52C60FA 30 68          LDR R0, [R6] ; off_C532DDC0
.text&ARM.extab:C52C60FC 79 44          ADD R1, PC ; ")\x1C[B\x1A-\x048.|\x151=%9$/\x00t"
.text&ARM.extab:C52C60FE 80 68          LDR R0, [R0,#(off_C532DDC8 - 0xC532DDC0)]
.text&ARM.extab:C52C6100 02 68          LDR R2, [R0]
.text&ARM.extab:C52C6102 92 69          LDR R2, [R2,#0x18]
.text&ARM.extab:C52C6104 90 47          BLX R2
.text&ARM.extab:C52C6106 31 68          LDR R1, [R6] ; off_C532DDC0
.text&ARM.extab:C52C6108 05 46          MOV R5, R0
.text&ARM.extab:C52C610A 88 68          LDR R0, [R1,#(off_C532DDC8 - 0xC532DDC0)]
.text&ARM.extab:C52C610C 09 69          LDR R1, [R1,#(off_C532DDD0 - 0xC532DDC0)] ; off_C53266C4
.text&ARM.extab:C52C610E 49 6E          LDR R1, [R1,#0x64] ; ExceptionClear_sub_C609E948
.text&ARM.extab:C52C6110 88 47          BLX R1 ; off_C5323DD0
.text&ARM.extab:C52C6112 75 B1          CBZ R5, loc_C52C6132
.text&ARM.extab:C52C6114 01 25          MOVS R5, #1
.text&ARM.extab:C52C6116 loc_C52C6116 ; CODE XREF: check_frida_Youpk_sub_C60B20B8+9C↓j
.text&ARM.extab:C52C6116 ; check_frida_Youpk_sub_C60B20B8+BA↓j
.text&ARM.extab:C52C6116 ; check_frida_Youpk_sub_C60B20B8+26A↓j
.text&ARM.extab:C52C6116 A1 48          LDR R0, =(__stack_chk_guard_ptr - 0xC52C611E)
.text&ARM.extab:C52C6118 23 99          LDR R1, [SP,#0xA0+var_14]
.text&ARM.extab:C52C611A 78 44          ADD R0, PC ; __stack_chk_guard_ptr
.text&ARM.extab:C52C611C 00 68          LDR R0, [R0]
.text&ARM.extab:C52C611E 00 68          LDR R0, [R0]
.text&ARM.extab:C52C6120 40 1A          SUBS R0, R0, R1
.text&ARM.extab:C52C6122 01 BF          ITTTT EQ
.text&ARM.extab:C52C6124 28 46          MOVEQ R0, R5
.text&ARM.extab:C52C6126 24 B0          ADDEQ SP, SP, #0x90
.text&ARM.extab:C52C6128 5D F8 04 BB    POPEQ.W {R11}
.text&ARM.extab:C52C612C F0 BD          POPEQ {R4-R7,PC}
.text&ARM.extab:C52C612E DF F7 6A EB    BLX __stack_chk_fail
.text&ARM.extab:C52C6132 loc_C52C6132 ; CODE XREF: check_frida_Youpk_sub_C60B20B8+5A↑j
.text&ARM.extab:C52C6132 80 48          LDR R0, =(off_C5325018 - 0xC52C6138)
.text&ARM.extab:C52C6134 78 44          ADD R0, PC ; off_C5325018
.text&ARM.extab:C52C6136 00 68          LDR R0, [R0] ; off_C5326004
.text&ARM.extab:C52C6138 00 68          LDR R0, [R0] ; off_C532DDC0
.text&ARM.extab:C52C613A 41 6F          LDR R1, [R0,#(dword_C532DE34 - 0xC532DDC0)]
.text&ARM.extab:C52C613C 18 29          CMP R1, #0x18
.text&ARM.extab:C52C613E 19 DB          BLT loc_C52C6174
.text&ARM.extab:C52C6140 00 68          LDR R0, [R0] ; off_C5326504
.text&ARM.extab:C52C6142 01 22          MOVS R2, #1
.text&ARM.extab:C52C6144 7D 49          LDR R1, =(_ZN3art8Unpacker12dumpAllDexesEv - 0xC52C614E) ; "\x15(:\b\x14*\x1Co\t=0>./?={@\x10N\x18("...
.text&ARM.extab:C52C6146 01 25          MOVS R5, #1
.text&ARM.extab:C52C6148 C3 68          LDR R3, [R0,#0xC] ; Find_Func_sub_C60985B8
.text&ARM.extab:C52C614A 79 44          ADD R1, PC ; "\x15(:\b\x14*\x1Co\t=0>./?={@\x10N\x18("...
.text&ARM.extab:C52C614C 7A 48          LDR R0, =(byte_C5328177 - 0xC52C6152)
.text&ARM.extab:C52C614E 78 44          ADD R0, PC ; byte_C5328177
.text&ARM.extab:C52C6150 98 47          BLX R3 ; Find_Func_sub_C60985B8
.text&ARM.extab:C52C6152 00 28          CMP R0, #0
.text&ARM.extab:C52C6154 DF D1          BNE loc_C52C6116
.text&ARM.extab:C52C6156 7A 48          LDR R0, =(off_C5325018 - 0xC52C6162)
.text&ARM.extab:C52C6158 01 22          MOVS R2, #1
.text&ARM.extab:C52C615A 7B 49          LDR R1, =(aZn3art4aupk13a - 0xC52C6164) ; "\x15(:\b\x14*\x1Cc\x1D&04|w;::\x195I"...
.text&ARM.extab:C52C615C 01 25          MOVS R5, #1
.text&ARM.extab:C52C615E 78 44          ADD R0, PC ; off_C5325018
.text&ARM.extab:C52C6160 79 44          ADD R1, PC ; "\x15(:\b\x14*\x1Cc\x1D&04|w;::\x195I"...
.text&ARM.extab:C52C6162 00 68          LDR R0, [R0] ; off_C5326004
.text&ARM.extab:C52C6164 00 68          LDR R0, [R0] ; off_C532DDC0
.text&ARM.extab:C52C6166 00 68          LDR R0, [R0] ; off_C5326504
.text&ARM.extab:C52C6168 C3 68          LDR R3, [R0,#0xC] ; Find_Func_sub_C60985B8
.text&ARM.extab:C52C616A 76 48          LDR R0, =(byte_C5328177 - 0xC52C6170)
.text&ARM.extab:C52C616C 78 44          ADD R0, PC ; byte_C5328177
.text&ARM.extab:C52C616E 98 47          BLX R3 ; Find_Func_sub_C60985B8
.text&ARM.extab:C52C6170 00 28          CMP R0, #0
.text&ARM.extab:C52C6172 D0 D1          BNE loc_C52C6116
.text&ARM.extab:C52C6174 loc_C52C6174
.text&ARM.extab:C52C6174 75 49          LDR R1, =(aDataLocalTmpUn - 0xC52C6182) ; "e\x16\x15O\x14w\x048?2,p9)*`?\x1C\x04Z"...
.text&ARM.extab:C52C6176 6F F0 63 00    MOV R0, #0xFFFFFF9C
.text&ARM.extab:C52C617A 00 22          MOVS R2, #0
.text&ARM.extab:C52C617C 00 23          MOVS R3, #0
.text&ARM.extab:C52C617E 79 44          ADD R1, PC ; "e\x16\x15O\x14w\x048?2,p9)*`?\x1C\x04Z"...
.text&ARM.extab:C52C6180 4F F2 00 05 CF F6 FF 75    MOV R5, #0xFFFFF000
.text&ARM.extab:C52C6188 80 B4          PUSH {R7}
.text&ARM.extab:C52C618A 40 F2 4E 17    MOVW R7, #0x14E ; __NR_faccessat
.text&ARM.extab:C52C618E 00 DF          SVC 0 ; /data/local/tmp/unpacker.config
.text&ARM.extab:C52C6190 80 BC          POP {R7}
.text&ARM.extab:C52C6192 A8 42          CMP R0, R5
.text&ARM.extab:C52C6194 BE D9          BLS loc_C52C6114
.text&ARM.extab:C52C6196 6E 49          LDR R1, =(aDataLocalTmpAu - 0xC52C61A4) ; "e\x16\x15O\x14w\x048?2,p9)*`+\a\x04P[;"...
.text&ARM.extab:C52C6198 40 42          NEGS R0, R0
.text&ARM.extab:C52C619A 20 60          STR R0, [R4]
.text&ARM.extab:C52C619C 6F F0 63 00    MOV R0, #0xFFFFFF9C
.text&ARM.extab:C52C61A0 79 44          ADD R1, PC ; "e\x16\x15O\x14w\x048?2,p9)*`+\a\x04P[;"...
.text&ARM.extab:C52C61A2 00 22 MOVS R2, #0 .text&ARM.extab:C52C61A4 00 23 MOVS R3, #0 .text&ARM.extab:C52C61A6 80 B4 PUSH {R7} .text&ARM.extab:C52C61A8 40 F2 4E 17 MOVW R7, #0x14E ; __NR_faccessat .text&ARM.extab:C52C61AC 00 DF SVC 0 ; /data/local/tmp/aupk.config .text&ARM.extab:C52C61AE 80 BC POP {R7} .text&ARM.extab:C52C61B0 A8 42 CMP R0, R5 .text&ARM.extab:C52C61B2 AF D9 BLS loc_C52C6114 .text&ARM.extab:C52C61B2 .text&ARM.extab:C52C61B4 67 49 LDR R1, =(aDataFart - 0xC52C61C2) ; "e\x16\x15O\x14w\x0E6.'@" .text&ARM.extab:C52C61B6 40 42 NEGS R0, R0 .text&ARM.extab:C52C61B8 20 60 STR R0, [R4] .text&ARM.extab:C52C61BA 6F F0 63 00 MOV R0, #0xFFFFFF9C .text&ARM.extab:C52C61BE 79 44 ADD R1, PC ; "e\x16\x15O\x14w\x0E6.'@" .text&ARM.extab:C52C61C0 00 22 MOVS R2, #0 .text&ARM.extab:C52C61C2 00 23 MOVS R3, #0 .text&ARM.extab:C52C61C4 80 B4 PUSH {R7} .text&ARM.extab:C52C61C6 40 F2 4E 17 MOVW R7, #0x14E ; __NR_faccessat .text&ARM.extab:C52C61CA 00 DF SVC 0 ; /data/fart .text&ARM.extab:C52C61CC 80 BC POP {R7} .text&ARM.extab:C52C61CE A8 42 CMP R0, R5 .text&ARM.extab:C52C61D0 A0 D9 BLS loc_C52C6114 .text&ARM.extab:C52C61D0 .text&ARM.extab:C52C61D2 61 4A LDR R2, =(aDataLocalTmpRe - 0xC52C61DC) ; "e\x16\x15O\x14w\x048?2,p9)*`8\x17Z]\a1"... .text&ARM.extab:C52C61D4 40 42 NEGS R0, R0 .text&ARM.extab:C52C61D6 61 49 LDR R1, =(aReFridaServer - 0xC52C61E0) ; "8\x17Z]\a1\f6r %-;!(O" .text&ARM.extab:C52C61D8 7A 44 ADD R2, PC ; "e\x16\x15O\x14w\x048?2,p9)*`8\x17Z]\a1"... 
.text&ARM.extab:C52C61DA 20 60 STR R0, [R4] .text&ARM.extab:C52C61DC 79 44 ADD R1, PC ; "8\x17Z]\a1\f6r %-;!(O" ; needle .text&ARM.extab:C52C61DE 10 46 MOV R0, R2 ; haystack .text&ARM.extab:C52C61E0 DF F7 5E EB BLX strstr .text&ARM.extab:C52C61E0 .text&ARM.extab:C52C61E4 00 28 CMP R0, #0 .text&ARM.extab:C52C61E6 95 D0 BEQ loc_C52C6114 .text&ARM.extab:C52C61E6 .text&ARM.extab:C52C61E8 5D 48 LDR R0, =(off_C5325018 - 0xC52C61EE) .text&ARM.extab:C52C61EA 78 44 ADD R0, PC ; off_C5325018 .text&ARM.extab:C52C61EC 00 68 LDR R0, [R0] ; off_C5326004 .text&ARM.extab:C52C61EE 00 68 LDR R0, [R0] ; off_C532DDC0 .text&ARM.extab:C52C61F0 41 6F LDR R1, [R0,#(dword_C532DE34 - 0xC532DDC0)] .text&ARM.extab:C52C61F2 18 29 CMP R1, #0x18 .text&ARM.extab:C52C61F4 08 DB BLT loc_C52C6208 .text&ARM.extab:C52C61F4 .text&ARM.extab:C52C61F6 00 68 LDR R0, [R0] ; off_C5326504 .text&ARM.extab:C52C61F8 00 22 MOVS R2, #0 .text&ARM.extab:C52C61FA 5D 49 LDR R1, =(myfartInvoke - 0xC52C6202) ; "'\v\x12Z\a,!9*<+:M" .text&ARM.extab:C52C61FC C3 68 LDR R3, [R0,#0xC] ; Find_Func_sub_C60985B8 .text&ARM.extab:C52C61FE 79 44 ADD R1, PC ; "'\v\x12Z\a,!9*<+:M" .text&ARM.extab:C52C6200 5A 48 LDR R0, =(byte_C5328177 - 0xC52C6206) .text&ARM.extab:C52C6202 78 44 ADD R0, PC ; byte_C5328177 .text&ARM.extab:C52C6204 98 47 BLX R3 ; Find_Func_sub_C60985B8 .text&ARM.extab:C52C6204 .text&ARM.extab:C52C6206 09 E0 B loc_C52C621C .text&ARM.extab:C52C6206 .text&ARM.extab:C52C6208 .text&ARM.extab:C52C6208 .text&ARM.extab:C52C6208 loc_C52C6208 .text&ARM.extab:C52C6208 56 48 LDR R0, =(byte_C5328177 - 0xC52C6210) .text&ARM.extab:C52C620A 00 21 MOVS R1, #0 ; mode .text&ARM.extab:C52C620C 78 44 ADD R0, PC ; byte_C5328177 ; file .text&ARM.extab:C52C620E DF F7 0C EB BLX dlopen .text&ARM.extab:C52C620E .text&ARM.extab:C52C6212 30 B1 CBZ R0, loc_C52C6222 .text&ARM.extab:C52C6212 .text&ARM.extab:C52C6214 54 49 LDR R1, =(myfartInvoke - 0xC52C621A) ; "'\v\x12Z\a,!9*<+:M" .text&ARM.extab:C52C6216 79 44 ADD R1, PC ; "'\v\x12Z\a,!9*<+:M" ; 
name .text&ARM.extab:C52C6218 DF F7 0C EB BLX dlsym .text&ARM.extab:C52C6218 .text&ARM.extab:C52C621C .text&ARM.extab:C52C621C loc_C52C621C .text&ARM.extab:C52C621C 00 28 CMP R0, #0 .text&ARM.extab:C52C621E 7F F4 79 AF BNE.W loc_C52C6114 .text&ARM.extab:C52C621E .text&ARM.extab:C52C6222 .text&ARM.extab:C52C6222 loc_C52C6222 .text&ARM.extab:C52C6222 54 48 LDR R0, =(off_C5325018 - 0xC52C6228) .text&ARM.extab:C52C6224 78 44 ADD R0, PC ; off_C5325018 .text&ARM.extab:C52C6226 00 68 LDR R0, [R0] ; off_C5326004 .text&ARM.extab:C52C6228 00 68 LDR R0, [R0] ; off_C532DDC0 .text&ARM.extab:C52C622A 90 F8 FA 10 LDRB.W R1, [R0,#(dword_C532DEB8+2 - 0xC532DDC0)] .text&ARM.extab:C52C622E 00 29 CMP R1, #0 .text&ARM.extab:C52C6230 6D D0 BEQ loc_C52C630E .text&ARM.extab:C52C6230 .text&ARM.extab:C52C6232 02 A8 ADD R0, SP, #0xA0+var_98 .text&ARM.extab:C52C6234 80 21 MOVS R1, #0x80 .text&ARM.extab:C52C6236 DF F7 CE EA BLX __aeabi_memclr8 .text&ARM.extab:C52C6236 .text&ARM.extab:C52C623A 4F 48 LDR R0, =(x.216_ptr - 0xC52C6246) .text&ARM.extab:C52C623C 00 26 MOVS R6, #0 .text&ARM.extab:C52C623E 4F 49 LDR R1, =(y.217_ptr - 0xC52C6248) .text&ARM.extab:C52C6240 00 23 MOVS R3, #0 .text&ARM.extab:C52C6242 78 44 ADD R0, PC ; x.216_ptr .text&ARM.extab:C52C6244 79 44 ADD R1, PC ; y.217_ptr .text&ARM.extab:C52C6246 00 68 LDR R0, [R0] ; x.216 .text&ARM.extab:C52C6248 09 68 LDR R1, [R1] ; y.217 .text&ARM.extab:C52C624A 00 68 LDR R0, [R0] .text&ARM.extab:C52C624C 09 68 LDR R1, [R1] .text&ARM.extab:C52C624E 42 1E SUBS R2, R0, #1 .text&ARM.extab:C52C6250 09 29 CMP R1, #9 .text&ARM.extab:C52C6252 C8 BF IT GT .text&ARM.extab:C52C6254 01 26 MOVGT R6, #1 .text&ARM.extab:C52C6256 42 43 MULS R2, R0 .text&ARM.extab:C52C6258 48 40 EORS R0, R1 .text&ARM.extab:C52C625A 67 28 CMP R0, #0x67 ; 'g' .text&ARM.extab:C52C625C 4F F0 00 00 MOV.W R0, #0 .text&ARM.extab:C52C6260 4F EA 01 11 MOV.W R1, R1,LSL#4 .text&ARM.extab:C52C6264 C8 BF IT GT .text&ARM.extab:C52C6266 01 20 MOVGT R0, #1 .text&ARM.extab:C52C6268 B1 F5 AF 
7F CMP.W R1, #0x15E .text&ARM.extab:C52C626C D8 BF IT LE .text&ARM.extab:C52C626E 01 23 MOVLE R3, #1 .text&ARM.extab:C52C6270 02 F0 01 02 AND.W R2, R2, #1 .text&ARM.extab:C52C6274 18 43 ORRS R0, R3 .text&ARM.extab:C52C6276 86 EA 02 05 EOR.W R5, R6, R2 .text&ARM.extab:C52C627A 32 43 ORRS R2, R6 .text&ARM.extab:C52C627C 82 F0 01 02 EOR.W R2, R2, #1 .text&ARM.extab:C52C6280 2A 43 ORRS R2, R5 .text&ARM.extab:C52C6282 10 43 ORRS R0, R2 .text&ARM.extab:C52C6282 .text&ARM.extab:C52C6284 .text&ARM.extab:C52C6284 loc_C52C6284 .text&ARM.extab:C52C6284 01 28 CMP R0, #1 .text&ARM.extab:C52C6286 FD D1 BNE loc_C52C6284 .text&ARM.extab:C52C6286 .text&ARM.extab:C52C6288 3D 48 LDR R0, =(unk_C53284EF - 0xC52C6290) .text&ARM.extab:C52C628A 02 A9 ADD R1, SP, #0xA0+var_98 .text&ARM.extab:C52C628C 78 44 ADD R0, PC ; unk_C53284EF .text&ARM.extab:C52C628E FF F7 51 FE BL system_property_get_sub_C60B1F34 .text&ARM.extab:C52C628E .text&ARM.extab:C52C6292 3C 49 LDR R1, =(x.216_ptr - 0xC52C629C) .text&ARM.extab:C52C6294 00 26 MOVS R6, #0 .text&ARM.extab:C52C6296 3C 4A LDR R2, =(y.217_ptr - 0xC52C629E) .text&ARM.extab:C52C6298 79 44 ADD R1, PC ; x.216_ptr .text&ARM.extab:C52C629A 7A 44 ADD R2, PC ; y.217_ptr .text&ARM.extab:C52C629C 09 68 LDR R1, [R1] ; x.216 .text&ARM.extab:C52C629E 12 68 LDR R2, [R2] ; y.217 .text&ARM.extab:C52C62A0 09 68 LDR R1, [R1] .text&ARM.extab:C52C62A2 12 68 LDR R2, [R2] .text&ARM.extab:C52C62A4 4B 1E SUBS R3, R1, #1 .text&ARM.extab:C52C62A6 4B 43 MULS R3, R1 .text&ARM.extab:C52C62A8 51 40 EORS R1, R2 .text&ARM.extab:C52C62AA 0A 29 CMP R1, #0xA .text&ARM.extab:C52C62AC 4F F0 00 01 MOV.W R1, #0 .text&ARM.extab:C52C62B0 4F EA 42 05 MOV.W R5, R2,LSL#1 .text&ARM.extab:C52C62B4 C8 BF IT GT .text&ARM.extab:C52C62B6 01 21 MOVGT R1, #1 .text&ARM.extab:C52C62B8 E7 2D CMP R5, #0xE7 .text&ARM.extab:C52C62BA 4F F0 00 05 MOV.W R5, #0 .text&ARM.extab:C52C62BE B8 BF IT LT .text&ARM.extab:C52C62C0 01 25 MOVLT R5, #1 .text&ARM.extab:C52C62C2 0A 2A CMP R2, #0xA .text&ARM.extab:C52C62C4 
4F F0 00 02 MOV.W R2, #0 .text&ARM.extab:C52C62C8 41 EA 05 01 ORR.W R1, R1, R5 .text&ARM.extab:C52C62CC B8 BF IT LT .text&ARM.extab:C52C62CE 01 22 MOVLT R2, #1 .text&ARM.extab:C52C62D0 DB 07 LSLS R3, R3, #0x1F .text&ARM.extab:C52C62D2 08 BF IT EQ .text&ARM.extab:C52C62D4 01 26 MOVEQ R6, #1 .text&ARM.extab:C52C62D6 32 43 ORRS R2, R6 .text&ARM.extab:C52C62D8 11 43 ORRS R1, R2 .text&ARM.extab:C52C62D8 .text&ARM.extab:C52C62DA .text&ARM.extab:C52C62DA loc_C52C62DA .text&ARM.extab:C52C62DA 01 29 CMP R1, #1 .text&ARM.extab:C52C62DC FD D1 BNE loc_C52C62DA .text&ARM.extab:C52C62DC .text&ARM.extab:C52C62DE 01 28 CMP R0, #1 .text&ARM.extab:C52C62E0 07 DB BLT loc_C52C62F2 .text&ARM.extab:C52C62E0 .text&ARM.extab:C52C62E2 2A 49 LDR R1, =(dword_C5328508+2 - 0xC52C62EA) .text&ARM.extab:C52C62E4 02 A8 ADD R0, SP, #0xA0+var_98 .text&ARM.extab:C52C62E6 79 44 ADD R1, PC ; dword_C5328508 .text&ARM.extab:C52C62E8 1A F0 B3 FC BL strstr_sub_C60AAC52 .text&ARM.extab:C52C62E8 .text&ARM.extab:C52C62EC 00 28 CMP R0, #0 .text&ARM.extab:C52C62EE 7F F4 11 AF BNE.W loc_C52C6114 .text&ARM.extab:C52C62EE .text&ARM.extab:C52C62F2 .text&ARM.extab:C52C62F2 loc_C52C62F2 .text&ARM.extab:C52C62F2 27 48 LDR R0, =(off_C5325018 - 0xC52C62FE) .text&ARM.extab:C52C62F4 00 21 MOVS R1, #0 .text&ARM.extab:C52C62F6 27 4A LDR R2, =(sub_C52C63A0+1 - 0xC52C6300) .text&ARM.extab:C52C62F8 00 23 MOVS R3, #0 .text&ARM.extab:C52C62FA 78 44 ADD R0, PC ; off_C5325018 .text&ARM.extab:C52C62FC 7A 44 ADD R2, PC ; sub_C52C63A0 .text&ARM.extab:C52C62FE 04 68 LDR R4, [R0] ; off_C5326004 .text&ARM.extab:C52C6300 20 68 LDR R0, [R4] ; off_C532DDC0 .text&ARM.extab:C52C6302 D0 F8 98 01 LDR.W R0, [R0,#(off_C532DF58 - 0xC532DDC0)] .text&ARM.extab:C52C6306 06 68 LDR R6, [R0] .text&ARM.extab:C52C6308 01 A8 ADD R0, SP, #0xA0+var_9C .text&ARM.extab:C52C630A B0 47 BLX R6 .text&ARM.extab:C52C630A .text&ARM.extab:C52C630C 20 68 LDR R0, [R4] ; off_C532DDC0 .text&ARM.extab:C52C630C .text&ARM.extab:C52C630E .text&ARM.extab:C52C630E loc_C52C630E 
; CODE XREF: check_frida_Youpk_sub_C60B20B8+178↑j .text&ARM.extab:C52C630E D0 F8 98 01 LDR.W R0, [R0,#(off_C532DF58 - 0xC532DDC0)] .text&ARM.extab:C52C6312 00 21 MOVS R1, #0 .text&ARM.extab:C52C6314 20 4A LDR R2, =(T2_Check_frida_sub_C6087910+1 - 0xC52C6320) ; POP {R4-R7,PC} .text&ARM.extab:C52C6316 00 23 MOVS R3, #0 .text&ARM.extab:C52C6318 00 25 MOVS R5, #0 .text&ARM.extab:C52C631A 06 68 LDR R6, [R0] .text&ARM.extab:C52C631C 7A 44 ADD R2, PC ; T2_Check_frida_sub_C6087910 ; POP {R4-R7,PC} .text&ARM.extab:C52C631E 01 A8 ADD R0, SP, #0xA0+var_9C .text&ARM.extab:C52C6320 B0 47 BLX R6 ; pthread_create .text&ARM.extab:C52C6320 .text&ARM.extab:C52C6322 F8 E6 B loc_C52C6116
Detection signatures (the paths, ART symbols and strings the routine above probes; the string constants are stored encrypted and decrypted at run time, so only the labels and the annotated SVC lines reveal them):
_ZN3art8Unpacker12dumpAllDexesEv
_ZN3art4Aupk13aupkArtMethodE
myfartInvoke
re.frida.server
/data/local/tmp/re.frida.server
/data/local/tmp/unpacker.config
/data/local/tmp/aupk.config
/data/fart
Note that the path probes are raw syscalls (SVC 0 with R7 = 0x14E, __NR_faccessat), not libc calls, so a Frida hook on libc access()/faccessat() never sees them; the self-referencing CMP R0,#1 / BNE loops that follow the x.216/y.217 arithmetic are opaque predicates that always evaluate to 1 and only spin if the computation has been tampered with.
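To make the decision logic of check_frida_Youpk concrete, the following is an added C reimplementation of its probes, written for this page and not code from the packer or the author. The device is replaced by a constructed environment (which paths exist, which symbols resolve, the SDK level) so the logic can be exercised offline. The first faccessat target (label aDataDexname), the JNI class looked up on the errno path (label aCnYoulorUnpack), the system property checked at the end and the two watcher threads are not readable from the listing and are not modelled; the library name byte_C5328177 is assumed to be libart.so from the art:: symbols it is searched for.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the device: which probed paths exist and which
 * symbols resolve in the library named by byte_C5328177 (encrypted in the
 * listing; presumably libart.so given the art:: symbols, an inference).
 * In the packer the path probe is a raw faccessat syscall (SVC 0, R7 = 0x14E)
 * and the symbol probe is Find_Func_sub_C60985B8, or dlopen/dlsym below SDK 24. */
typedef struct {
    const char *const *present_paths;   size_t n_paths;
    const char *const *present_symbols; size_t n_symbols;
    int sdk_int;
} env_t;

/* Paths the routine probes, in listing order. The re.frida.server path appears
 * in the listing only as the haystack of strstr(path, "re.frida.server");
 * treating it as a path probe here is an assumption. */
static const char *const k_probe_paths[] = {
    "/data/local/tmp/unpacker.config",   /* Youpk */
    "/data/local/tmp/aupk.config",       /* aupk */
    "/data/fart",                        /* FART */
    "/data/local/tmp/re.frida.server",   /* frida-server default location */
};
/* Looked up only when the SDK level at dword_C532DE34 is >= 0x18 (24). */
static const char *const k_art_symbols_sdk24[] = {
    "_ZN3art8Unpacker12dumpAllDexesEv",  /* Youpk's art::Unpacker::dumpAllDexes */
    "_ZN3art4Aupk13aupkArtMethodE",      /* aupk, as listed on the page */
};
/* Looked up on every SDK: Find_Func from 24 up, dlopen+dlsym below. */
static const char k_fart_symbol[] = "myfartInvoke";

static bool in_list(const char *const *list, size_t n, const char *s) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(list[i], s) == 0) return true;
    return false;
}

/* Name of the first artifact that trips the check, in the listing's order,
 * or NULL when every probe comes back clean. */
const char *first_hit(const env_t *env) {
    if (env->sdk_int >= 24)
        for (size_t i = 0; i < sizeof k_art_symbols_sdk24 / sizeof *k_art_symbols_sdk24; i++)
            if (in_list(env->present_symbols, env->n_symbols, k_art_symbols_sdk24[i]))
                return k_art_symbols_sdk24[i];
    for (size_t i = 0; i < sizeof k_probe_paths / sizeof *k_probe_paths; i++)
        if (in_list(env->present_paths, env->n_paths, k_probe_paths[i]))
            return k_probe_paths[i];
    if (in_list(env->present_symbols, env->n_symbols, k_fart_symbol))
        return k_fart_symbol;
    return NULL;
}

/* 1 = detected (the routine jumps to loc_C52C6114, MOVS R5,#1),
 * 0 = clean (MOVS R5,#0 before the final pthread_create). */
int check_frida_youpk(const env_t *env) {
    return first_hit(env) != NULL;
}

int main(void) {
    const char *const paths[] = { "/data/fart" };      /* constructed device state */
    env_t dev = { paths, 1, NULL, 0, 28 };
    const char *hit = first_hit(&dev);
    printf("detected=%d hit=%s\n", check_frida_youpk(&dev), hit ? hit : "(none)");
    return 0;
}
```

first_hit is the useful part when cleaning up a test device: it names the artifact that has to go (or be hidden) before the packer's own routine will return 0. To wire it to a real device, replace the two in_list lookups with faccessat(AT_FDCWD, path, F_OK, 0) and dlsym(dlopen("libart.so", RTLD_NOW), sym).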
Detecting the debugger's process state and the debug port
.text&ARM.extab:C52C42EC anitdbg1_sub_2F2EC
.text&ARM.extab:C52C42EC var_120= -0x120
.text&ARM.extab:C52C42EC s= -0xA0
.text&ARM.extab:C52C42EC var_20= -0x20
.text&ARM.extab:C52C42EC ; __unwind {
.text&ARM.extab:C52C42EC F0 B5 PUSH {R4-R7,LR}
.text&ARM.extab:C52C42EE 03 AF ADD R7, SP, #0xC
.text&ARM.extab:C52C42F0 2D E9 00 0F PUSH.W {R8-R11}
.text&ARM.extab:C52C42F4 E1 B0 SUB SP, SP, #0x184
.text&ARM.extab:C52C42F6 7B 48 LDR R0, =(__stack_chk_guard_ptr - 0xC52C42FE)
.text&ARM.extab:C52C42F8 80 21 MOVS R1, #0x80
.text&ARM.extab:C52C42FA 78 44 ADD R0, PC ; __stack_chk_guard_ptr
.text&ARM.extab:C52C42FC 00 68 LDR R0, [R0]
.text&ARM.extab:C52C42FE 00 68 LDR R0, [R0]
.text&ARM.extab:C52C4300 60 90 STR R0, [SP,#0x1A0+var_20]
.text&ARM.extab:C52C4302 40 A8 ADD R0, SP, #0x1A0+s
.text&ARM.extab:C52C4304 E1 F7 66 EA BLX __aeabi_memclr8
.text&ARM.extab:C52C4308 20 A8 ADD R0, SP, #0x1A0+var_120
.text&ARM.extab:C52C430A 80 21 MOVS R1, #0x80
.text&ARM.extab:C52C430C E1 F7 62 EA BLX __aeabi_memclr8
.text&ARM.extab:C52C4310 68 46 MOV R0, SP
.text&ARM.extab:C52C4312 80 21 MOVS R1, #0x80
.text&ARM.extab:C52C4314 E1 F7 5E EA BLX __aeabi_memclr8
.text&ARM.extab:C52C4318 73 48 LDR R0, =(aProcSelfStatus - 0xC52C4326) ; "e\x02\x06T\x16w\x1B205o,9%.:9r"
.text&ARM.extab:C52C431A 00 21 MOVS R1, #0
.text&ARM.extab:C52C431C 4F F4 80 72 MOV.W R2, #0x100
.text&ARM.extab:C52C4320 00 23 MOVS R3, #0
.text&ARM.extab:C52C4322 78 44 ADD R0, PC ; "e\x02\x06T\x16w\x1B205o,9%.:9r"
.text&ARM.extab:C52C4324 80 B4 PUSH {R7}
.text&ARM.extab:C52C4326 4F F0 05 07 MOV.W R7, #5 ; __NR_open
.text&ARM.extab:C52C432A 00 DF SVC 0
.text&ARM.extab:C52C432C 80 BC POP {R7}
.text&ARM.extab:C52C432E 04 46 MOV R4, R0
.text&ARM.extab:C52C4330 14 F5 80 5F CMN.W R4, #0x1000
.text&ARM.extab:C52C4334 31 D9 BLS loc_C52C439A
.text&ARM.extab:C52C4336 74 48 LDR R0, =(x.174_ptr - 0xC52C433E)
.text&ARM.extab:C52C4338 74 49 LDR R1, =(y.175_ptr - 0xC52C4340)
.text&ARM.extab:C52C433A 78 44 ADD R0, PC ; x.174_ptr
.text&ARM.extab:C52C433C 79 44 ADD R1, PC ; y.175_ptr
.text&ARM.extab:C52C433E 00 68 LDR R0, [R0] ; x.174
.text&ARM.extab:C52C4340 09 68 LDR R1, [R1] ; y.175
.text&ARM.extab:C52C4342 00 68 LDR R0, [R0]
.text&ARM.extab:C52C4344 09 68 LDR R1, [R1]
.text&ARM.extab:C52C4346 46 1E SUBS R6, R0, #1
.text&ARM.extab:C52C4348 81 EA 00 02 EOR.W R2, R1, R0
.text&ARM.extab:C52C434C 70 43 MULS R0, R6
.text&ARM.extab:C52C434E A3 2A CMP R2, #0xA3
.text&ARM.extab:C52C4350 4F F0 00 02 MOV.W R2, #0
.text&ARM.extab:C52C4354 4F EA 41 06 MOV.W R6, R1,LSL#1
.text&ARM.extab:C52C4358 B8 BF IT LT
.text&ARM.extab:C52C435A 01 22 MOVLT R2, #1
.text&ARM.extab:C52C435C B6 F5 A7 7F CMP.W R6, #0x14E
.text&ARM.extab:C52C4360 4F F0 00 06 MOV.W R6, #0
.text&ARM.extab:C52C4364 C8 BF IT GT
.text&ARM.extab:C52C4366 01 26 MOVGT R6, #1
.text&ARM.extab:C52C4368 09 29 CMP R1, #9
.text&ARM.extab:C52C436A C8 BF IT GT
.text&ARM.extab:C52C436C 01 23 MOVGT R3, #1
.text&ARM.extab:C52C436E 00 F0 01 00 AND.W R0, R0, #1
.text&ARM.extab:C52C4372 86 EA 02 05 EOR.W R5, R6, R2
.text&ARM.extab:C52C4376 32 43 ORRS R2, R6
.text&ARM.extab:C52C4378 83 EA 00 01 EOR.W R1, R3, R0
.text&ARM.extab:C52C437C 18 43 ORRS R0, R3
.text&ARM.extab:C52C437E 82 F0 01 02 EOR.W R2, R2, #1
.text&ARM.extab:C52C4382 80 F0 01 00 EOR.W R0, R0, #1
.text&ARM.extab:C52C4386 2A 43 ORRS R2, R5
.text&ARM.extab:C52C4388 08 43 ORRS R0, R1
.text&ARM.extab:C52C438A 10 43 ORRS R0, R2
.text&ARM.extab:C52C438C loc_C52C438C ; CODE XREF: anitdbg1_sub_2F2EC+A2↓j
.text&ARM.extab:C52C438C 01 28 CMP R0, #1
.text&ARM.extab:C52C438E FD D1 BNE loc_C52C438C
.text&ARM.extab:C52C4390 64 42 NEGS R4, R4
.text&ARM.extab:C52C4392 E1 F7 CE EA BLX __errno
.text&ARM.extab:C52C4396 04 60 STR R4, [R0]
.text&ARM.extab:C52C4398 81 E0 B loc_C52C449E
.text&ARM.extab:C52C439A loc_C52C439A ; CODE XREF: anitdbg1_sub_2F2EC+48↑j
.text&ARM.extab:C52C439A 00 2C CMP R4, #0
.text&ARM.extab:C52C439C C0 F2 7F 80 BLT.W loc_C52C449E
.text&ARM.extab:C52C43A0 40 A9 ADD R1, SP, #0x1A0+s
.text&ARM.extab:C52C43A2 20 46 MOV R0, R4
.text&ARM.extab:C52C43A4 80 22 MOVS R2, #0x80
.text&ARM.extab:C52C43A6 FF F7 A1 FA BL read_sub_C60848EC
.text&ARM.extab:C52C43AA 01 28 CMP R0, #1
.text&ARM.extab:C52C43AC 39 DB BLT loc_C52C4422
.text&ARM.extab:C52C43AE DF F8 3C 81 LDR.W R8, =(aPoqn1h - 0xC52C43C2) ; ":.POQN1h"
.text&ARM.extab:C52C43B2 40 AE ADD R6, SP, #0x1A0+s
.text&ARM.extab:C52C43B4 DF F8 38 91 LDR.W R9, =(byte_C532816A - 0xC52C43C8)
.text&ARM.extab:C52C43B8 20 AD ADD R5, SP, #0x1A0+var_120
.text&ARM.extab:C52C43BA DF F8 38 A1 LDR.W R10, =(aPoqn1h - 0xC52C43CA) ; ":.POQN1h"
.text&ARM.extab:C52C43BE F8 44 ADD R8, PC ; ":.POQN1h"
.text&ARM.extab:C52C43C0 DF F8 34 B1 LDR.W R11, =(dword_C532816C+1 - 0xC52C43CC)
.text&ARM.extab:C52C43C4 F9 44 ADD R9, PC ; byte_C532816A
.text&ARM.extab:C52C43C6 FA 44 ADD R10, PC ; ":.POQN1h"
.text&ARM.extab:C52C43C8 FB 44 ADD R11, PC ; dword_C532816C
.text&ARM.extab:C52C43CA loc_C52C43CA ; CODE XREF: anitdbg1_sub_2F2EC+134↓j
.text&ARM.extab:C52C43CA 30 46 MOV R0, R6 ; s
.text&ARM.extab:C52C43CC 41 46 MOV R1, R8 ; delim
.text&ARM.extab:C52C43CE E1 F7 28 EB BLX strtok
.text&ARM.extab:C52C43D2 02 46 MOV R2, R0
.text&ARM.extab:C52C43D4 00 2A CMP R2, #0
.text&ARM.extab:C52C43D6 15 D0 BEQ loc_C52C4404
.text&ARM.extab:C52C43D8 28 46 MOV R0, R5 ; s
.text&ARM.extab:C52C43DA 49 46 MOV R1, R9 ; format
.text&ARM.extab:C52C43DC E1 F7 00 EA BLX sprintf
.text&ARM.extab:C52C43E0 00 20 MOVS R0, #0 ; s
.text&ARM.extab:C52C43E2 51 46 MOV R1, R10 ; delim
.text&ARM.extab:C52C43E4 E1 F7 1C EB BLX strtok
.text&ARM.extab:C52C43E8 02 46 MOV R2, R0
.text&ARM.extab:C52C43EA 5A B1 CBZ R2, loc_C52C4404
.text&ARM.extab:C52C43EC 49 49 LDR R1, =(byte_C532816A - 0xC52C43F4)
.text&ARM.extab:C52C43EE 68 46 MOV R0, SP ; s
.text&ARM.extab:C52C43F0 79 44 ADD R1, PC ; byte_C532816A ; format
.text&ARM.extab:C52C43F2 E1 F7 F6 E9 BLX sprintf
.text&ARM.extab:C52C43F6 28 46 MOV R0, R5
.text&ARM.extab:C52C43F8 59 46 MOV R1, R11
.text&ARM.extab:C52C43FA 80 22 MOVS R2, #0x80
.text&ARM.extab:C52C43FC 1C F0 60 FC BL sub_C52E0CC0
.text&ARM.extab:C52C4400 00 28 CMP R0, #0
.text&ARM.extab:C52C4402 5A D0 BEQ loc_C52C44BA
.text&ARM.extab:C52C4404 loc_C52C4404 ; CODE XREF: anitdbg1_sub_2F2EC+EA↑j
.text&ARM.extab:C52C4404 ; anitdbg1_sub_2F2EC+FE↑j
.text&ARM.extab:C52C4404 30 46 MOV R0, R6
.text&ARM.extab:C52C4406 80 21 MOVS R1, #0x80
.text&ARM.extab:C52C4408 E1 F7 E4 E9 BLX __aeabi_memclr8
.text&ARM.extab:C52C440C 28 46 MOV R0, R5
.text&ARM.extab:C52C440E 80 21 MOVS R1, #0x80
.text&ARM.extab:C52C4410 E1 F7 E0 E9 BLX __aeabi_memclr8
.text&ARM.extab:C52C4414 20 46 MOV R0, R4
.text&ARM.extab:C52C4416 31 46 MOV R1, R6
.text&ARM.extab:C52C4418 80 22 MOVS R2, #0x80
.text&ARM.extab:C52C441A FF F7 67 FA BL read_sub_C60848EC
.text&ARM.extab:C52C441E 00 28 CMP R0, #0
.text&ARM.extab:C52C4420 D3 DC BGT loc_C52C43CA
.text&ARM.extab:C52C4422 loc_C52C4422 ; CODE XREF: anitdbg1_sub_2F2EC+C0↑j
.text&ARM.extab:C52C4422 00 25 MOVS R5, #0
.text&ARM.extab:C52C4424 loc_C52C4424 ; CODE XREF: anitdbg1_sub_2F2EC+1D6↓j
.text&ARM.extab:C52C4424 01 2C CMP R4, #1
.text&ARM.extab:C52C4426 A4 BF ITT GE
.text&ARM.extab:C52C4428 20 46 MOVGE R0, R4
.text&ARM.extab:C52C442A FF F7 23 FB BLGE close_sub_C6084A74
.text&ARM.extab:C52C442E 01 2D CMP R5, #1
.text&ARM.extab:C52C4430 52 DB BLT loc_C52C44D8
.text&ARM.extab:C52C4432 32 48 LDR R0, =(off_C5325018 - 0xC52C4438)
.text&ARM.extab:C52C4434 78 44 ADD R0, PC ; off_C5325018
.text&ARM.extab:C52C4436 00 68 LDR R0, [R0] ; off_C5326004
.text&ARM.extab:C52C4438 00 68 LDR R0, [R0] ; off_C532DDC0
.text&ARM.extab:C52C443A D0 F8 94 01 LDR.W R0, [R0,#(dword_C532DF54 - 0xC532DDC0)]
.text&ARM.extab:C52C443E A8 42 CMP R0, R5
.text&ARM.extab:C52C4440 48 D0 BEQ loc_C52C44D4
.text&ARM.extab:C52C4442 80 B4 PUSH {R7}
.text&ARM.extab:C52C4444 4F F0 14 07 MOV.W R7, #0x14
.text&ARM.extab:C52C4448 00 DF SVC 0
.text&ARM.extab:C52C444A 80 BC POP {R7}
.text&ARM.extab:C52C444C 4F F2 00 08 CF F6 FF 78 MOV R8, #0xFFFFF000
.text&ARM.extab:C52C4454 04 46 MOV R4, R0
.text&ARM.extab:C52C4456 44 45 CMP R4, R8
.text&ARM.extab:C52C4458 05 D9 BLS loc_C52C4466
The routine opens /proc/self/status through a raw open syscall (SVC 0 with R7 = 5), reads it in 0x80-byte chunks, splits each line with strtok, copies key and value into two buffers with sprintf and compares the key with sub_C52E0CC0 (the key and delimiter strings are encrypted, like the rest). The way past these anti-debug checks is simply to patch the routine so that it returns immediately.
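The two halves of that paragraph, as an added C example written for this page (not the packer's or the author's code): a parser that pulls TracerPid out of a /proc/self/status buffer, which is the usual shape of the loop above, and the bypass the text describes, expressed as a byte patch on an in-memory copy of the library. Because the key and delimiter strings are encrypted in the binary, "TracerPid" is an assumption about what the loop compares; the status text and the image bytes used in main are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return the TracerPid value from a /proc/self/status buffer (0 = no tracer
 * attached), or -1 if the key is absent. The packer's loop does the same over
 * 0x80-byte reads: strtok on a delimiter set, sprintf key and value into two
 * buffers, compare the key with sub_C52E0CC0. Key and delimiter are encrypted
 * in the binary, so "TracerPid" with a line/colon split is assumed here. */
long tracer_pid_from_status(const char *status_text) {
    const char *line = status_text;
    while (line && *line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (len > 10 && memcmp(line, "TracerPid:", 10) == 0)
            return strtol(line + 10, NULL, 10);   /* strtol skips the tab */
        line = eol ? eol + 1 : NULL;
    }
    return -1;
}

/* Thumb encoding of "MOVS R0,#0 ; BX LR" (halfwords 0x2000, 0x4770, stored
 * little-endian). Placed over the first four bytes of a Thumb function it
 * returns 0 before the prologue runs, so nothing is pushed that would need
 * popping and the __stack_chk_guard epilogue is never reached. */
static const uint8_t k_ret0_stub[4] = { 0x00, 0x20, 0x70, 0x47 };

/* Patch an in-memory copy of the .so at file offset func_off. Refuses unless
 * the bytes there are the PUSH {R4-R7,LR} prologue (F0 B5) that both routines
 * above start with, so a wrong offset is not blindly overwritten. Bit 0 of a
 * Thumb symbol address is the mode bit and is cleared first.
 * Returns 0 on success, -1 if out of range, -2 if the prologue does not match. */
int patch_return_zero(uint8_t *image, size_t image_len, size_t func_off) {
    func_off &= ~(size_t)1;
    if (func_off > image_len || image_len - func_off < sizeof k_ret0_stub) return -1;
    if (image[func_off] != 0xF0 || image[func_off + 1] != 0xB5) return -2;
    memcpy(image + func_off, k_ret0_stub, sizeof k_ret0_stub);
    return 0;
}

int main(void) {
    /* Constructed status text, not captured from a device. */
    const char *status = "Name:\tapp\nPid:\t1234\nPPid:\t1\nTracerPid:\t4242\nUid:\t10123\n";
    printf("TracerPid=%ld\n", tracer_pid_from_status(status));
    /* First bytes of anitdbg1_sub_2F2EC as listed: PUSH {R4-R7,LR}; ADD R7,SP,#0xC */
    uint8_t image[] = { 0xF0, 0xB5, 0x03, 0xAF, 0x2D, 0xE9, 0x00, 0x0F };
    int rc = patch_return_zero(image, sizeof image, 0x1);   /* Thumb bit set */
    printf("patch rc=%d bytes=%02X %02X %02X %02X\n", rc, image[0], image[1], image[2], image[3]);
    return 0;
}
```

Two caveats before applying the patch to a real library. The stub returns 0, which is the clean value for check_frida_Youpk (MOVS R5,#0 just before its final pthread_create); the anitdbg1 listing ends before its return, so confirm with its caller what that routine's clean value is. And the function takes a file offset: a virtual address such as 0xC52C42EC maps to a file offset only through the program headers of the loaded .so, not by subtracting the load base from an IDA address.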
4.4、Decrypting the instruction resource
Reading ijiami.ajm
.text&ARM.extab:C52B9E3C Read_ijiami.ajm_sub_C2167E3C
.text&ARM.extab:C52B9E3C var_128= -0x128
.text&ARM.extab:C52B9E3C var_120= -0x120
.text&ARM.extab:C52B9E3C var_1C= -0x1C
.text&ARM.extab:C52B9E3C ; __unwind {
.text&ARM.extab:C52B9E3C F0 B5 PUSH {R4-R7,LR}
.text&ARM.extab:C52B9E3E 03 AF ADD R7, SP, #0xC
.text&ARM.extab:C52B9E40 2D E9 00 0B PUSH.W {R8,R9,R11}
.text&ARM.extab:C52B9E44 C4 B0 SUB SP, SP, #0x110
.text&ARM.extab:C52B9E46 81 46 MOV R9, R0
.text&ARM.extab:C52B9E48 1D 48 LDR R0, =(__stack_chk_guard_ptr - 0xC52B9E52)
.text&ARM.extab:C52B9E4A 02 AC ADD R4, SP, #0x128+var_120
.text&ARM.extab:C52B9E4C 0E 46 MOV R6, R1
.text&ARM.extab:C52B9E4E 78 44 ADD R0, PC ; __stack_chk_guard_ptr
.text&ARM.extab:C52B9E50 4F F4 80 71 MOV.W R1, #0x100
.text&ARM.extab:C52B9E54 90 46 MOV R8, R2
.text&ARM.extab:C52B9E56 00 68 LDR R0, [R0]
.text&ARM.extab:C52B9E58 00 68 LDR R0, [R0]
.text&ARM.extab:C52B9E5A 43 90 STR R0, [SP,#0x128+var_1C]
.text&ARM.extab:C52B9E5C 20 46 MOV R0, R4
.text&ARM.extab:C52B9E5E EB F7 BA EC BLX __aeabi_memclr8
.text&ARM.extab:C52B9E62 18 48 LDR R0, =(off_C5325018 - 0xC52B9E6A)
.text&ARM.extab:C52B9E64 18 49 LDR R1, =(dword_C5326A88 - 0xC52B9E6C)
.text&ARM.extab:C52B9E66 78 44 ADD R0, PC ; off_C5325018
.text&ARM.extab:C52B9E68 79 44 ADD R1, PC ; dword_C5326A88 ; format
.text&ARM.extab:C52B9E6A 05 68 LDR R5, [R0] ; off_C5326004
.text&ARM.extab:C52B9E6C 28 68 LDR R0, [R5] ; off_C532DDC0
.text&ARM.extab:C52B9E6E D0 F8 74 01 LDR.W R0, [R0,#(off_C532DF34 - 0xC532DDC0)]
.text&ARM.extab:C52B9E72 82 69 LDR R2, [R0,#0x18]
.text&ARM.extab:C52B9E74 20 46 MOV R0, R4 ; s
.text&ARM.extab:C52B9E76 EB F7 B4 EC BLX sprintf
.text&ARM.extab:C52B9E7A 2A 68 LDR R2, [R5] ; off_C532DDC0
.text&ARM.extab:C52B9E7C 92 F8 FE 00 LDRB.W R0, [R2,#(dword_C532DEBC+2 - 0xC532DDC0)]
.text&ARM.extab:C52B9E80 30 B1 CBZ R0, loc_C52B9E90
.text&ARM.extab:C52B9E82 02 A9 ADD R1, SP, #0x128+var_120
.text&ARM.extab:C52B9E84 48 46 MOV R0, R9
.text&ARM.extab:C52B9E86 32 46 MOV R2, R6
.text&ARM.extab:C52B9E88 43 46 MOV R3, R8
.text&ARM.extab:C52B9E8A 00 F0 21 F8 BL read_apk_sub_C6083ED0
.text&ARM.extab:C52B9E8E 0A E0 B loc_C52B9EA6
.text&ARM.extab:C52B9E90 loc_C52B9E90
.text&ARM.extab:C52B9E90 90 68 LDR R0, [R2,#(off_C532DDC8 - 0xC532DDC0)]
.text&ARM.extab:C52B9E92 D2 F8 94 10 LDR.W R1, [R2,#(dword_C532DE54 - 0xC532DDC0)]
.text&ARM.extab:C52B9E96 D2 F8 74 21 LDR.W R2, [R2,#(off_C532DF34 - 0xC532DDC0)]
.text&ARM.extab:C52B9E9A 93 69 LDR R3, [R2,#0x18]
.text&ARM.extab:C52B9E9C 4A 46 MOV R2, R9
.text&ARM.extab:C52B9E9E CD E9 00 68 STRD.W R6, R8, [SP,#0x128+var_128]
.text&ARM.extab:C52B9EA2 00 F0 89 F9 BL AAssetManager_read_sub_C52BA1B8
.text&ARM.extab:C52B9EA6 loc_C52B9EA6
.text&ARM.extab:C52B9EA6 09 49 LDR R1, =(__stack_chk_guard_ptr - 0xC52B9EAE)
.text&ARM.extab:C52B9EA8 43 9A LDR R2, [SP,#0x128+var_1C]
.text&ARM.extab:C52B9EAA 79 44 ADD R1, PC ; __stack_chk_guard_ptr
.text&ARM.extab:C52B9EAC 09 68 LDR R1, [R1]
.text&ARM.extab:C52B9EAE 09 68 LDR R1, [R1]
.text&ARM.extab:C52B9EB0 89 1A SUBS R1, R1, R2
.text&ARM.extab:C52B9EB2 02 BF ITTT EQ
.text&ARM.extab:C52B9EB4 44 B0 ADDEQ SP, SP, #0x110
.text&ARM.extab:C52B9EB6 BD E8 00 0B POPEQ.W {R8,R9,R11}
.text&ARM.extab:C52B9EBA F0 BD POPEQ {R4-R7,PC}
Decrypting and parsing the instructions
.text&ARM.extab:C52E924E 09 9D LDR R5, [SP,#0x48+ptr] .text&ARM.extab:C52E9250 4F F4 80 62 MOV.W R2, #0x400 .text&ARM.extab:C52E9254 05 F1 18 09 ADD.W R9, R5, #0x18 .text&ARM.extab:C52E9258 D5 E9 04 16 LDRD.W R1, R6, [R5,#0x10] .text&ARM.extab:C52E925C 48 46 MOV R0, R9 .text&ARM.extab:C52E925E 00 F0 E5 F8 BL Dec_ijiami.ajm_sub_C219742C ;解密数据 .text&ARM.extab:C52E925E .text&ARM.extab:C52E9262 06 F1 18 00 ADD.W R0, R6, #0x18 .text&ARM.extab:C52E9266 4F F4 80 51 MOV.W R1, #0x1000 .text&ARM.extab:C52E926A F7 F7 C9 FD BL getsize_sub_C218EE00 .text&ARM.extab:C52E926A .text&ARM.extab:C52E926E 01 46 MOV R1, R0 ; len .text&ARM.extab:C52E9270 00 20 MOVS R0, #0 .text&ARM.extab:C52E9272 CD E9 00 40 STRD.W R4, R0, [SP,#0x48+fd] ; fd .text&ARM.extab:C52E9276 00 20 MOVS R0, #0 ; addr .text&ARM.extab:C52E9278 03 22 MOVS R2, #3 ; prot .text&ARM.extab:C52E927A 21 23 MOVS R3, #0x21 ; '!' ; flags .text&ARM.extab:C52E927C BC F7 9A EB BLX mmap .text&ARM.extab:C52E927C .text&ARM.extab:C52E9280 07 96 STR R6, [SP,#0x48+var_2C] .text&ARM.extab:C52E9282 80 46 MOV R8, R0 .text&ARM.extab:C52E9284 2B 69 LDR R3, [R5,#0x10] .text&ARM.extab:C52E9286 08 F1 18 00 ADD.W R0, R8, #0x18 .text&ARM.extab:C52E928A 07 A9 ADD R1, SP, #0x48+var_2C .text&ARM.extab:C52E928C 4A 46 MOV R2, R9 .text&ARM.extab:C52E928E 05 F0 7C EF BLX Dec_Parse_sub_C219D188 ; 解析解密后的指令格式,R0:返回地址,R2:解密后的数据,R3:解密后数据大小 .text&ARM.extab:C52E928E .text&ARM.extab:C52E9292 00 28 CMP R0, #0 .text&ARM.extab:C52E9294 40 F0 A2 80 BNE.W loc_C52E93DC .text&ARM.extab:C52E9294 .text&ARM.extab:C52E9298 09 9C LDR R4, [SP,#0x48+ptr] .text&ARM.extab:C52E929A 40 46 MOV R0, R8 .text&ARM.extab:C52E929C 18 22 MOVS R2, #0x18 .text&ARM.extab:C52E929E 21 46 MOV R1, R4 .text&ARM.extab:C52E92A0 BC F7 94 EB BLX __aeabi_memcpy .text&ARM.extab:C52E92A0 .text&ARM.extab:C52E92A4 24 B1 CBZ R4, loc_C52E92B0 .text&ARM.extab:C52E92A4 .text&ARM.extab:C52E92A6 20 46 MOV R0, R4 ; ptr .text&ARM.extab:C52E92A8 BC F7 A6 EA BLX free .text&ARM.extab:C52E92A8 
.text&ARM.extab:C52E92AC 00 20 MOVS R0, #0
.text&ARM.extab:C52E92AE 09 90 STR R0, [SP,#0x48+ptr]
.text&ARM.extab:C52E92B0 loc_C52E92B0
.text&ARM.extab:C52E92B0 D8 F8 0C 00 LDR.W R0, [R8,#0xC]
.text&ARM.extab:C52E92B4 00 24 MOVS R4, #0
.text&ARM.extab:C52E92B6 00 28 CMP R0, #0
.text&ARM.extab:C52E92B8 00 F0 90 80 BEQ.W loc_C52E93DC
.text&ARM.extab:C52E92BC 51 48 LDR R0, =(x.49_ptr - 0xC52E92C6)
.text&ARM.extab:C52E92BE D8 F8 08 A0 LDR.W R10, [R8,#8]
.text&ARM.extab:C52E92C2 78 44 ADD R0, PC ; x.49_ptr
.text&ARM.extab:C52E92C4 00 68 LDR R0, [R0] ; x.49
.text&ARM.extab:C52E92C6 06 90 STR R0, [SP,#0x48+var_30]
.text&ARM.extab:C52E92C8 4F 48 LDR R0, =(y.50_ptr - 0xC52E92CE)
.text&ARM.extab:C52E92CA 78 44 ADD R0, PC ; y.50_ptr
.text&ARM.extab:C52E92CC 00 68 LDR R0, [R0] ; y.50
.text&ARM.extab:C52E92CE 05 90 STR R0, [SP,#0x48+var_34]
.text&ARM.extab:C52E92D0 4E 48 LDR R0, =(off_C5325018 - 0xC52E92D6)
.text&ARM.extab:C52E92D2 78 44 ADD R0, PC ; off_C5325018
.text&ARM.extab:C52E92D4 00 68 LDR R0, [R0] ; off_C5326004
.text&ARM.extab:C52E92D6 04 90 STR R0, [SP,#0x48+var_38]
.text&ARM.extab:C52E92D8 4D 48 LDR R0, =(off_C5325018 - 0xC52E92DE)
.text&ARM.extab:C52E92DA 78 44 ADD R0, PC ; off_C5325018
.text&ARM.extab:C52E92DC D0 F8 00 B0 LDR.W R11, [R0] ; off_C5326004
.text&ARM.extab:C52E92E0 4C 48 LDR R0, =(off_C5325018 - 0xC52E92E6)
.text&ARM.extab:C52E92E2 78 44 ADD R0, PC ; off_C5325018
.text&ARM.extab:C52E92E4 00 68 LDR R0, [R0] ; off_C5326004
.text&ARM.extab:C52E92E6 03 90 STR R0, [SP,#0x48+var_3C]
.text&ARM.extab:C52E92E8 loc_C52E92E8
.text&ARM.extab:C52E92E8 06 98 LDR R0, [SP,#0x48+var_30]
.text&ARM.extab:C52E92EA 00 26 MOVS R6, #0
.text&ARM.extab:C52E92EC 00 68 LDR R0, [R0]
.text&ARM.extab:C52E92EE 41 1E SUBS R1, R0, #1
.text&ARM.extab:C52E92F0 01 FB 00 F2 MUL.W R2, R1, R0
.text&ARM.extab:C52E92F4 05 99 LDR R1, [SP,#0x48+var_34]
.text&ARM.extab:C52E92F6 09 68 LDR R1, [R1]
.text&ARM.extab:C52E92F8 09 29 CMP R1, #9
.text&ARM.extab:C52E92FA 02 F0 01 03 AND.W R3, R2, #1
.text&ARM.extab:C52E92FE C8 BF IT GT
.text&ARM.extab:C52E9300 01 26 MOVGT R6, #1
.text&ARM.extab:C52E9302 8D 00 LSLS R5, R1, #2
.text&ARM.extab:C52E9304 86 EA 03 02 EOR.W R2, R6, R3
.text&ARM.extab:C52E9308 1E 43 ORRS R6, R3
.text&ARM.extab:C52E930A 86 F0 01 06 EOR.W R6, R6, #1
.text&ARM.extab:C52E930E 16 43 ORRS R6, R2
.text&ARM.extab:C52E9310 81 EA 00 02 EOR.W R2, R1, R0
.text&ARM.extab:C52E9314 8A 2A CMP R2, #0x8A
.text&ARM.extab:C52E9316 4F F0 00 00 MOV.W R0, #0
.text&ARM.extab:C52E931A C8 BF IT GT
.text&ARM.extab:C52E931C 01 20 MOVGT R0, #1
.text&ARM.extab:C52E931E B5 F5 F8 7F CMP.W R5, #0x1F0
.text&ARM.extab:C52E9322 4F F0 00 05 MOV.W R5, #0
.text&ARM.extab:C52E9326 B8 BF IT LT
.text&ARM.extab:C52E9328 01 25 MOVLT R5, #1
.text&ARM.extab:C52E932A 5A F8 08 90 LDR.W R9, [R10,R8]
.text&ARM.extab:C52E932E 28 43 ORRS R0, R5
.text&ARM.extab:C52E9330 30 43 ORRS R0, R6
.text&ARM.extab:C52E9332 0A EB 08 06 ADD.W R6, R10, R8
.text&ARM.extab:C52E9336 loc_C52E9336 ; CODE XREF: Read_ijiami.ajm_sub_C2197218+120↓j
.text&ARM.extab:C52E9336 01 28 CMP R0, #1
.text&ARM.extab:C52E9338 FD D1 BNE loc_C52E9336
.text&ARM.extab:C52E933A 38 48 LDR R0, =(dword_C532E200 - 0xC52E9340)
.text&ARM.extab:C52E933C 78 44 ADD R0, PC ; dword_C532E200
.text&ARM.extab:C52E933E 00 68 LDR R0, [R0]
.text&ARM.extab:C52E9340 38 BB CBNZ R0, loc_C52E9392
.text&ARM.extab:C52E9342 00 2B CMP R3, #0
.text&ARM.extab:C52E9344 4F F0 00 00 MOV.W R0, #0
.text&ARM.extab:C52E9348 08 BF IT EQ
.text&ARM.extab:C52E934A 01 20 MOVEQ R0, #1
.text&ARM.extab:C52E934C 0A 29 CMP R1, #0xA
.text&ARM.extab:C52E934E 4F F0 00 03 MOV.W R3, #0
.text&ARM.extab:C52E9352 4F EA C1 01 MOV.W R1, R1,LSL#3
.text&ARM.extab:C52E9356 B8 BF IT LT
.text&ARM.extab:C52E9358 01 23 MOVLT R3, #1
.text&ARM.extab:C52E935A 10 2A CMP R2, #0x10
.text&ARM.extab:C52E935C 4F F0 00 02 MOV.W R2, #0
.text&ARM.extab:C52E9360 40 EA 03 00 ORR.W R0, R0, R3
.text&ARM.extab:C52E9364 C8 BF IT GT
.text&ARM.extab:C52E9366 01 22 MOVGT R2, #1
.text&ARM.extab:C52E9368 70 29 CMP R1, #0x70 ; 'p'
.text&ARM.extab:C52E936A 4F F0 00 01 MOV.W R1, #0
.text&ARM.extab:C52E936E B8 BF IT LT
.text&ARM.extab:C52E9370 01 21 MOVLT R1, #1
.text&ARM.extab:C52E9372 11 43 ORRS R1, R2
.text&ARM.extab:C52E9374 08 43 ORRS R0, R1
.text&ARM.extab:C52E9376 loc_C52E9376 ; CODE XREF: Read_ijiami.ajm_sub_C2197218+160↓j
.text&ARM.extab:C52E9376 01 28 CMP R0, #1
.text&ARM.extab:C52E9378 FD D1 BNE loc_C52E9376
.text&ARM.extab:C52E937A 04 98 LDR R0, [SP,#0x48+var_38]
.text&ARM.extab:C52E937C 00 21 MOVS R1, #0 ; char **
.text&ARM.extab:C52E937E 10 22 MOVS R2, #0x10 ; int
.text&ARM.extab:C52E9380 00 68 LDR R0, [R0]
.text&ARM.extab:C52E9382 D0 F8 B4 00 LDR.W R0, [R0,#0xB4]
.text&ARM.extab:C52E9386 1C 30 ADDS R0, #0x1C ; char *
.text&ARM.extab:C52E9388 BC F7 CA EC BLX strtol
.text&ARM.extab:C52E938C 24 49 LDR R1, =(dword_C532E200 - 0xC52E9392)
.text&ARM.extab:C52E938E 79 44 ADD R1, PC ; dword_C532E200
.text&ARM.extab:C52E9390 08 60 STR R0, [R1]
.text&ARM.extab:C52E9392 loc_C52E9392 ; CODE XREF: Read_ijiami.ajm_sub_C2197218+128↑j
.text&ARM.extab:C52E9392 A9 EB 00 01 SUB.W R1, R9, R0
.text&ARM.extab:C52E9396 31 60 STR R1, [R6]
.text&ARM.extab:C52E9398 DB F8 00 00 LDR.W R0, [R11] ; off_C532DDC0
.text&ARM.extab:C52E939C C2 6B LDR R2, [R0,#(off_C532DDFC - 0xC532DDC0)] ; off_C5326420
.text&ARM.extab:C52E939E 21 48 LDR R0, =(dword_C532E200 - 0xC52E93A4)
.text&ARM.extab:C52E93A0 78 44 ADD R0, PC ; dword_C532E200
.text&ARM.extab:C52E93A2 12 69 LDR R2, [R2,#0x10] ; getDecCode_sub_C20E39D2 ; R0: pointer to the parsed decrypted-instruction table, R1: Debug info
.text&ARM.extab:C52E93A4 C0 68 LDR R0, [R0,#(dword_C532E20C - 0xC532E200)]
.text&ARM.extab:C52E93A6 90 47 BLX R2 ; getDecCode_sub_C20E39D2 ; R0: pointer to the parsed decrypted-instruction table, R1: Debug info
.text&ARM.extab:C52E93A8 68 B9 CBNZ R0, loc_C52E93C6
.text&ARM.extab:C52E93AA 03 98 LDR R0, [SP,#0x48+var_3C]
.text&ARM.extab:C52E93AC 31 68 LDR R1, [R6]
.text&ARM.extab:C52E93AE 00 68 LDR R0, [R0]
.text&ARM.extab:C52E93B0 C2 6B LDR R2, [R0,#0x3C]
.text&ARM.extab:C52E93B2 1D 48 LDR R0, =(dword_C532E200 - 0xC52E93B8)
.text&ARM.extab:C52E93B4 78 44 ADD R0, PC ; dword_C532E200
.text&ARM.extab:C52E93B6 D3 68 LDR R3, [R2,#0xC]
.text&ARM.extab:C52E93B8 32 46 MOV R2, R6
.text&ARM.extab:C52E93BA C0 68 LDR R0, [R0,#(dword_C532E20C - 0xC532E200)]
.text&ARM.extab:C52E93BC 98 47 BLX R3
.text&ARM.extab:C52E93BE B0 68 LDR R0, [R6,#8]
.text&ARM.extab:C52E93C0 50 44 ADD R0, R10
.text&ARM.extab:C52E93C2 00 F1 0C 0A ADD.W R10, R0, #0xC
.text&ARM.extab:C52E93C6 loc_C52E93C6
.text&ARM.extab:C52E93C6 D8 F8 0C 00 LDR.W R0, [R8,#0xC]
.text&ARM.extab:C52E93CA 01 34 ADDS R4, #1
.text&ARM.extab:C52E93CC 84 42 CMP R4, R0
.text&ARM.extab:C52E93CE 8B D3 BCC loc_C52E92E8
.text&ARM.extab:C52E93D0 09 98 LDR R0, [SP,#0x48+ptr] ; ptr
.text&ARM.extab:C52E93D2 00 28 CMP R0, #0
.text&ARM.extab:C52E93D4 18 BF IT NE
.text&ARM.extab:C52E93D6 BC F7 10 EA BLXNE free
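The `CMP R0, #1 / BNE loc_C52E9336` pair above (and the identical pairs at C52E9376 and throughout the other routines in this section) is the failure branch of an opaque predicate: the shell derives a value from two globals (x.49 and y.50 here) using terms such as `((x-1)*x) & 1`, which is always 0 because one of any two consecutive integers is even, and spins forever if the combination does not come out as 1. On a normal run the CMP always succeeds, so the pair can be replaced with NOPs without changing behaviour, which also removes a lot of junk from the decompiler output. The Python below is an added example written for this article, not code from the shell or from the original author; it matches the 16-bit Thumb encodings visible in the listing (`01 2x` = CMP Rx, #1 for R0..R7, `FD D1` = BNE back onto the preceding halfword) over a constructed byte sample and patches each hit to `00 BF` (NOP):

```python
# Thumb-16 encodings as they appear in the listing (little-endian byte pairs):
#   01 28 .. 01 2F   CMP R0..R7, #1
#   FD D1            BNE .-2  (branch target is the CMP itself: an infinite loop)
#   00 BF            NOP
CMP_IMM1_HIGH = range(0x28, 0x30)   # high byte of "CMP Rn, #1" for n = 0..7
BNE_SELF = b"\xfd\xd1"
NOP = b"\x00\xbf"


def find_spin_traps(code):
    """Offsets of every 'CMP Rn,#1 ; BNE self' pair in a Thumb code blob.

    Thumb instructions are 2-byte aligned, so the scan steps by halfwords.
    It does not disassemble: a hit straddling a 32-bit instruction is possible
    in theory, so review the offsets against the listing before patching.
    """
    hits = []
    for off in range(0, len(code) - 3, 2):
        if (code[off] == 0x01 and code[off + 1] in CMP_IMM1_HIGH
                and code[off + 2:off + 4] == BNE_SELF):
            hits.append(off)
    return hits


def patch_spin_traps(code):
    """Replace each trap with two NOPs; returns (patched_bytes, offsets).

    Safe on the normal path: the shell only reaches the BNE with Rn == 1 when
    its predicate is satisfied, and that case falls through anyway.
    """
    patched = bytearray(code)
    offsets = find_spin_traps(code)
    for off in offsets:
        patched[off:off + 4] = NOP + NOP
    return bytes(patched), offsets


def product_parity(x):
    """The ((x-1)*x) & 1 term used by the predicates, on 32-bit values.

    (x-1)*x is the product of two consecutive integers, so it is always even
    and this returns 0 for every x; the shell's checks built on it are constant.
    """
    return (((x - 1) * x) & 0xFFFFFFFF) & 1


# Constructed sample, not real shell code:
#   MOVS R0,#0 ; CMP R0,#1 ; BNE self ; LDR R0,=... ; CMP R5,#1 ; BNE self ;
#   CMP R0,#1 ; BNE +0 (a forward branch, must not be touched)
SAMPLE = bytes.fromhex("0020" "0128fdd1" "3848" "012dfdd1" "012800d1")

if __name__ == "__main__":
    patched, hits = patch_spin_traps(SAMPLE)
    print("traps at", [hex(h) for h in hits])
    print(patched.hex())
```

Run it over the `.text` bytes dumped from memory once the shell has unpacked itself, write the patched bytes back, and reload the file in the decompiler: the predicate arithmetic is then shown as dead code and the real control flow becomes readable.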
4.5 Hooking key methods
Hooking the class-loading method
The shell's init routine, shown below, first tries dlopen("dexlibaoc.so") and, depending on the result and on a field compared against 0x16, either hooks the class-loading path through Hook_Func_LoadMethod_sub_C60AF454 or makes three calls to hook_func_sub_C609ABB8. Each of those calls has the shape of a hook(library, symbol, replacement, &original) call: R0 is the data at dword_C5327B64, R1 an (obfuscated) string, R2 a routine with the Thumb bit set (sub_C52BE944, sub_C52BE9A4, sub_C52BE9C0) and R3 a pointer slot (off_C532DFEC, off_C532DFF0, off_C532DFF4). The two ART symbols the article identifies as targets are:
art::ClassLinker::LoadMethod
art::DexFileVerifier::Verify
.text&ARM.extab:C52BE1A8 loc_C52BE1A8
.text&ARM.extab:C52BE1A8 01 28 CMP R0, #1
.text&ARM.extab:C52BE1AA FD D1 BNE loc_C52BE1A8
.text&ARM.extab:C52BE1AC 2A 48 LDR R0, =(off_C5325018 - 0xC52BE1B2)
.text&ARM.extab:C52BE1AE 78 44 ADD R0, PC ; off_C5325018
.text&ARM.extab:C52BE1B0 00 68 LDR R0, [R0] ; off_C5326004
.text&ARM.extab:C52BE1B2 00 68 LDR R0, [R0] ; off_C532DDC0
.text&ARM.extab:C52BE1B4 90 F8 70 10 LDRB.W R1, [R0,#(dword_C532DE30 - 0xC532DDC0)]
.text&ARM.extab:C52BE1B8 A1 B1 CBZ R1, loc_C52BE1E4
.text&ARM.extab:C52BE1BA 28 48 LDR R0, =(aDexlibaocSo+3 - 0xC52BE1C2) ; "\x1D1:2*0v\x1E\x1A2"
.text&ARM.extab:C52BE1BC 00 21 MOVS R1, #0 ; mode
.text&ARM.extab:C52BE1BE 78 44 ADD R0, PC ; "\x1D1:2*0v\x1E\x1A2" ; file
.text&ARM.extab:C52BE1C0 E7 F7 32 EB BLX dlopen ; dexlibaoc.so
.text&ARM.extab:C52BE1C4 58 B1 CBZ R0, Hook_Func_LoadMethod_loc_C60B21DE
.text&ARM.extab:C52BE1C6 E7 F7 DA EC BLX dlclose
.text&ARM.extab:C52BE1CA 25 48 LDR R0, =(off_C5325018 - 0xC52BE1D0)
.text&ARM.extab:C52BE1CC 78 44 ADD R0, PC ; off_C5325018
.text&ARM.extab:C52BE1CE 00 68 LDR R0, [R0] ; off_C5326004
.text&ARM.extab:C52BE1D0 00 68 LDR R0, [R0] ; off_C532DDC0
.text&ARM.extab:C52BE1D2 40 6F LDR R0, [R0,#(dword_C532DE34 - 0xC532DDC0)]
.text&ARM.extab:C52BE1D4 16 28 CMP R0, #0x16
.text&ARM.extab:C52BE1D6 02 DC BGT Hook_Func_LoadMethod_loc_C60B21DE
.text&ARM.extab:C52BE1D8 01 F0 5E F9 BL sub_C52BF498
.text&ARM.extab:C52BE1DC 2E E0 B loc_C52BE23C
.text&ARM.extab:C52BE1DE Hook_Func_LoadMethod_loc_C60B21DE
.text&ARM.extab:C52BE1DE FD F7 39 F9 BL Hook_Func_LoadMethod_sub_C60AF454 ; hook the class-loading method
.text&ARM.extab:C52BE1E2 2B E0 B loc_C52BE23C
.text&ARM.extab:C52BE1E4 loc_C52BE1E4
.text&ARM.extab:C52BE1E4 80 6F LDR R0, [R0,#(off_C532DE38 - 0xC532DDC0)] ; sub_C52A9400
.text&ARM.extab:C52BE1E6 80 47 BLX R0 ; dword_C5295000
.text&ARM.extab:C52BE1E8 30 B3 CBZ R0, loc_C52BE238
.text&ARM.extab:C52BE1EA 1E 48 LDR R0, =(off_C5325018 - 0xC52BE1F2)
.text&ARM.extab:C52BE1EC 1E 4E LDR R6, =(dword_C5327B64 - 0xC52BE1F8)
.text&ARM.extab:C52BE1EE 78 44 ADD R0, PC ; off_C5325018
.text&ARM.extab:C52BE1F0 1E 49 LDR R1, =(dword_C5327B74+2 - 0xC52BE1FC)
.text&ARM.extab:C52BE1F2 1F 4A LDR R2, =(sub_C52BE944+1 - 0xC52BE200)
.text&ARM.extab:C52BE1F4 7E 44 ADD R6, PC ; dword_C5327B64
.text&ARM.extab:C52BE1F6 05 68 LDR R5, [R0] ; off_C5326004
.text&ARM.extab:C52BE1F8 79 44 ADD R1, PC ; dword_C5327B74
.text&ARM.extab:C52BE1FA 1E 4B LDR R3, =(off_C532DFEC - 0xC52BE204)
.text&ARM.extab:C52BE1FC 7A 44 ADD R2, PC ; sub_C52BE944
.text&ARM.extab:C52BE1FE 28 68 LDR R0, [R5] ; off_C532DDC0
.text&ARM.extab:C52BE200 7B 44 ADD R3, PC ; off_C532DFEC
.text&ARM.extab:C52BE202 00 68 LDR R0, [R0] ; off_C5326504
.text&ARM.extab:C52BE204 04 68 LDR R4, [R0] ; hook_func_sub_C609ABB8
.text&ARM.extab:C52BE206 30 46 MOV R0, R6
.text&ARM.extab:C52BE208 A0 47 BLX R4 ; hook_func_sub_C609ABB8
.text&ARM.extab:C52BE20A 28 68 LDR R0, [R5] ; off_C532DDC0
.text&ARM.extab:C52BE20C 1A 49 LDR R1, =(dword_C5327B98 - 0xC52BE216)
.text&ARM.extab:C52BE20E 1B 4A LDR R2, =(sub_C52BE9A4+1 - 0xC52BE21A)
.text&ARM.extab:C52BE210 00 68 LDR R0, [R0] ; off_C5326504
.text&ARM.extab:C52BE212 79 44 ADD R1, PC ; dword_C5327B98
.text&ARM.extab:C52BE214 1A 4B LDR R3, =(off_C532DFF0 - 0xC52BE21E)
.text&ARM.extab:C52BE216 7A 44 ADD R2, PC ; sub_C52BE9A4
.text&ARM.extab:C52BE218 04 68 LDR R4, [R0] ; hook_func_sub_C609ABB8
.text&ARM.extab:C52BE21A 7B 44 ADD R3, PC ; off_C532DFF0
.text&ARM.extab:C52BE21C 30 46 MOV R0, R6
.text&ARM.extab:C52BE21E A0 47 BLX R4 ; hook_func_sub_C609ABB8
.text&ARM.extab:C52BE220 28 68 LDR R0, [R5] ; off_C532DDC0
.text&ARM.extab:C52BE222 18 49 LDR R1, =(dword_C5327BA4+3 - 0xC52BE22C)
.text&ARM.extab:C52BE224 18 4A LDR R2, =(sub_C52BE9C0+1 - 0xC52BE230)
.text&ARM.extab:C52BE226 00 68 LDR R0, [R0] ; off_C5326504
.text&ARM.extab:C52BE228 79 44 ADD R1, PC ; dword_C5327BA4
.text&ARM.extab:C52BE22A 18 4B LDR R3, =(off_C532DFF4 - 0xC52BE234)
.text&ARM.extab:C52BE22C 7A 44 ADD R2, PC ; sub_C52BE9C0
.text&ARM.extab:C52BE22E 05 68 LDR R5, [R0] ; hook_func_sub_C609ABB8
.text&ARM.extab:C52BE230 7B 44 ADD R3, PC ; off_C532DFF4
.text&ARM.extab:C52BE232 30 46 MOV R0, R6
.text&ARM.extab:C52BE234 A8 47 BLX R5 ; hook_func_sub_C609ABB8
.text&ARM.extab:C52BE236 01 E0 B loc_C52BE23C
.text&ARM.extab:C52BE238 loc_C52BE238
.text&ARM.extab:C52BE238 FC F7 5E FE BL sub_C52BAEF8
.text&ARM.extab:C52BE23C loc_C52BE23C ; CODE XREF: init_proc_sub_C608813C+10↑j
.text&ARM.extab:C52BE23C ; init_proc_sub_C608813C+A0↑j
.text&ARM.extab:C52BE23C ; init_proc_sub_C608813C+A6↑j
.text&ARM.extab:C52BE23C ; init_proc_sub_C608813C+FA↑j
.text&ARM.extab:C52BE23C 00 20 MOVS R0, #0
.text&ARM.extab:C52BE23E 5D F8 04 BB POP.W {R11}
.text&ARM.extab:C52BE242 F0 BD POP {R4-R7,PC}
4.6 Reading the DEX resource file, decrypting it and loading the DEX
Read ijiami.dat and decrypt the dex from it
The routine below builds the file path with sprintf, reads the file through read_ijiami.dat_sub_C60CE740, and, depending on a type word at the start of the returned buffer, calls DecDex_sub_C60CE9B0 to recover the plaintext dex. It then skips a 0x28-byte header, reads the number of embedded dex images (R6, also saved to dword_C532DE94, with fewer than one treated as failure) and allocates a 0x60-byte descriptor for each of them.
.text&ARM.extab:C52DA440 read_ijiami.dat_sub_C60CE440
.text&ARM.extab:C52DA440 ; __unwind {
.text&ARM.extab:C52DA440 F0 B5 PUSH {R4-R7,LR}
.text&ARM.extab:C52DA442 03 AF ADD R7, SP, #0xC
.text&ARM.extab:C52DA444 2D E9 00 0F PUSH.W {R8-R11}
.text&ARM.extab:C52DA448 AD F5 0B 7D SUB.W SP, SP, #0x22C
.text&ARM.extab:C52DA44C B0 48 LDR R0, =(__stack_chk_guard_ptr - 0xC52DA458)
.text&ARM.extab:C52DA44E 0A AC ADD R4, SP, #0x248+var_220
.text&ARM.extab:C52DA450 4F F4 00 71 MOV.W R1, #0x200
.text&ARM.extab:C52DA454 78 44 ADD R0, PC ; __stack_chk_guard_ptr
.text&ARM.extab:C52DA456 00 68 LDR R0, [R0]
.text&ARM.extab:C52DA458 00 68 LDR R0, [R0]
.text&ARM.extab:C52DA45A 8A 90 STR R0, [SP,#0x248+var_20]
.text&ARM.extab:C52DA45C 00 20 MOVS R0, #0
.text&ARM.extab:C52DA45E 07 90 STR R0, [SP,#0x248+var_22C]
.text&ARM.extab:C52DA460 20 46 MOV R0, R4
.text&ARM.extab:C52DA462 CB F7 B8 E9 BLX __aeabi_memclr8
.text&ARM.extab:C52DA466 AB 48 LDR R0, =(off_C5325018 - 0xC52DA46E)
.text&ARM.extab:C52DA468 AB 49 LDR R1, =(dword_C532B01C+2 - 0xC52DA470)
.text&ARM.extab:C52DA46A 78 44 ADD R0, PC ; off_C5325018
.text&ARM.extab:C52DA46C 79 44 ADD R1, PC ; dword_C532B01C ; format
.text&ARM.extab:C52DA46E 00 68 LDR R0, [R0] ; off_C5326004
.text&ARM.extab:C52DA470 00 68 LDR R0, [R0] ; off_C532DDC0
.text&ARM.extab:C52DA472 D0 F8 80 20 LDR.W R2, [R0,#(dword_C532DE40 - 0xC532DDC0)]
.text&ARM.extab:C52DA476 D0 F8 B4 00 LDR.W R0, [R0,#(off_C532DE74 - 0xC532DDC0)]
.text&ARM.extab:C52DA47A 00 F1 10 03 ADD.W R3, R0, #0x10
.text&ARM.extab:C52DA47E 20 46 MOV R0, R4 ; s
.text&ARM.extab:C52DA480 CB F7 AE E9 BLX sprintf
.text&ARM.extab:C52DA484 08 A9 ADD R1, SP, #0x248+var_228
.text&ARM.extab:C52DA486 09 AA ADD R2, SP, #0x248+var_224
.text&ARM.extab:C52DA488 07 AB ADD R3, SP, #0x248+var_22C
.text&ARM.extab:C52DA48A 20 46 MOV R0, R4
.text&ARM.extab:C52DA48C 00 F0 58 F9 BL read_ijiami.dat_sub_C60CE740
.text&ARM.extab:C52DA490 00 28 CMP R0, #0
.text&ARM.extab:C52DA492 00 F0 08 81 BEQ.W loc_C52DA6A6
.text&ARM.extab:C52DA496 DD F8 24 80 LDR.W R8, [SP,#0x248+var_224]
.text&ARM.extab:C52DA49A DD E9 07 10 LDRD.W R1, R0, [SP,#0x248+var_22C]
.text&ARM.extab:C52DA49E 00 F1 28 05 ADD.W R5, R0, #0x28 ; '('
.text&ARM.extab:C52DA4A2 00 20 MOVS R0, #0
.text&ARM.extab:C52DA4A4 A8 F1 28 04 SUB.W R4, R8, #0x28 ; '('
.text&ARM.extab:C52DA4A8 03 29 CMP R1, #3
.text&ARM.extab:C52DA4AA 08 95 STR R5, [SP,#0x248+var_228]
.text&ARM.extab:C52DA4AC 09 94 STR R4, [SP,#0x248+var_224]
.text&ARM.extab:C52DA4AE 08 BF IT EQ
.text&ARM.extab:C52DA4B0 01 20 MOVEQ R0, #1
.text&ARM.extab:C52DA4B2 02 29 CMP R1, #2
.text&ARM.extab:C52DA4B4 4F F0 00 01 MOV.W R1, #0
.text&ARM.extab:C52DA4B8 08 BF IT EQ
.text&ARM.extab:C52DA4BA 01 21 MOVEQ R1, #1
.text&ARM.extab:C52DA4BC 91 EA 00 0F TEQ.W R1, R0
.text&ARM.extab:C52DA4C0 04 D1 BNE loc_C52DA4CC
.text&ARM.extab:C52DA4C2 08 A8 ADD R0, SP, #0x248+var_228
.text&ARM.extab:C52DA4C4 21 46 MOV R1, R4
.text&ARM.extab:C52DA4C6 01 22 MOVS R2, #1
.text&ARM.extab:C52DA4C8 00 F0 72 FA BL DecDex_sub_C60CE9B0 ; decrypt the plaintext dex
.text&ARM.extab:C52DA4CC loc_C52DA4CC
.text&ARM.extab:C52DA4CC 93 48 LDR R0, =(x.304_ptr - 0xC52DA4D8)
.text&ARM.extab:C52DA4CE 00 26 MOVS R6, #0
.text&ARM.extab:C52DA4D0 93 49 LDR R1, =(y.305_ptr - 0xC52DA4DA)
.text&ARM.extab:C52DA4D2 00 23 MOVS R3, #0
.text&ARM.extab:C52DA4D4 78 44 ADD R0, PC ; x.304_ptr
.text&ARM.extab:C52DA4D6 79 44 ADD R1, PC ; y.305_ptr
.text&ARM.extab:C52DA4D8 00 68 LDR R0, [R0] ; x.304
.text&ARM.extab:C52DA4DA 09 68 LDR R1, [R1] ; y.305
.text&ARM.extab:C52DA4DC 00 68 LDR R0, [R0]
.text&ARM.extab:C52DA4DE 09 68 LDR R1, [R1]
.text&ARM.extab:C52DA4E0 42 1E SUBS R2, R0, #1
.text&ARM.extab:C52DA4E2 B1 F5 95 7F CMP.W R1, #0x12A
.text&ARM.extab:C52DA4E6 B8 BF IT LT
.text&ARM.extab:C52DA4E8 01 26 MOVLT R6, #1
.text&ARM.extab:C52DA4EA 42 43 MULS R2, R0
.text&ARM.extab:C52DA4EC 48 40 EORS R0, R1
.text&ARM.extab:C52DA4EE 3B 28 CMP R0, #0x3B ; ';'
.text&ARM.extab:C52DA4F0 4F F0 00 00 MOV.W R0, #0
.text&ARM.extab:C52DA4F4 C8 BF IT GT
.text&ARM.extab:C52DA4F6 01 20 MOVGT R0, #1
.text&ARM.extab:C52DA4F8 30 43 ORRS R0, R6
.text&ARM.extab:C52DA4FA D1 07 LSLS R1, R2, #0x1F
.text&ARM.extab:C52DA4FC 08 BF IT EQ
.text&ARM.extab:C52DA4FE 01 23 MOVEQ R3, #1
.text&ARM.extab:C52DA500 18 43 ORRS R0, R3
.text&ARM.extab:C52DA502 loc_C52DA502
.text&ARM.extab:C52DA502 01 28 CMP R0, #1
.text&ARM.extab:C52DA504 FD D1 BNE loc_C52DA502
.text&ARM.extab:C52DA506 87 48 LDR R0, =(off_C5325018 - 0xC52DA50C)
.text&ARM.extab:C52DA508 78 44 ADD R0, PC ; off_C5325018
.text&ARM.extab:C52DA50A 00 68 LDR R0, [R0] ; off_C5326004
.text&ARM.extab:C52DA50C D0 F8 00 A0 LDR.W R10, [R0] ; off_C532DDC0
.text&ARM.extab:C52DA510 08 EB 05 00 ADD.W R0, R8, R5
.text&ARM.extab:C52DA514 50 F8 2C 6C LDR.W R6, [R0,#-0x2C]
.text&ARM.extab:C52DA518 CA F8 D4 60 STR.W R6, [R10,#(dword_C532DE94 - 0xC532DDC0)]
.text&ARM.extab:C52DA51C 01 2E CMP R6, #1
.text&ARM.extab:C52DA51E C0 F2 C2 80 BLT.W loc_C52DA6A6
.text&ARM.extab:C52DA522 81 48 LDR R0, =(x.306_ptr - 0xC52DA52C)
.text&ARM.extab:C52DA524 A4 EB C6 02 SUB.W R2, R4, R6,LSL#3
.text&ARM.extab:C52DA528 78 44 ADD R0, PC ; x.306_ptr
.text&ARM.extab:C52DA52A 00 68 LDR R0, [R0] ; x.306
.text&ARM.extab:C52DA52C 01 90 STR R0, [SP,#0x248+var_244]
.text&ARM.extab:C52DA52E 7F 48 LDR R0, =(y.307_ptr - 0xC52DA534)
.text&ARM.extab:C52DA530 78 44 ADD R0, PC ; y.307_ptr
.text&ARM.extab:C52DA532 00 68 LDR R0, [R0] ; y.307
.text&ARM.extab:C52DA534 00 90 STR R0, [SP,#0x248+var_248]
.text&ARM.extab:C52DA536 7E 48 LDR R0, =(off_C5325018 - 0xC52DA53C)
.text&ARM.extab:C52DA538 78 44 ADD R0, PC ; off_C5325018
.text&ARM.extab:C52DA53A 00 68 LDR R0, [R0] ; off_C5326004
.text&ARM.extab:C52DA53C 03 90 STR R0, [SP,#0x248+var_23C]
.text&ARM.extab:C52DA53E loc_C52DA53E
.text&ARM.extab:C52DA53E 51 59 LDR R1, [R2,R5]
.text&ARM.extab:C52DA540 DA F8 98 00 LDR.W R0, [R10,#0x98]
.text&ARM.extab:C52DA544 06 92 STR R2, [SP,#0x248+var_230]
.text&ARM.extab:C52DA546 01 EB 05 0B ADD.W R11, R1, R5
.text&ARM.extab:C52DA54A 08 B1 CBZ R0, loc_C52DA550
.text&ARM.extab:C52DA54C 84 6D LDR R4, [R0,#0x58]
.text&ARM.extab:C52DA54E 12 E0 B loc_C52DA576
.text&ARM.extab:C52DA550 loc_C52DA550
.text&ARM.extab:C52DA550 01 98 LDR R0, [SP,#0x248+var_244]
.text&ARM.extab:C52DA552 00 9A LDR R2, [SP,#0x248+var_248]
.text&ARM.extab:C52DA554 02 96 STR R6, [SP,#0x248+var_240]
.text&ARM.extab:C52DA556 00 68 LDR R0, [R0]
.text&ARM.extab:C52DA558 D2 F8 00 90 LDR.W R9, [R2]
.text&ARM.extab:C52DA55C 41 1E SUBS R1, R0, #1
.text&ARM.extab:C52DA55E 89 EA 00 04 EOR.W R4, R9, R0
.text&ARM.extab:C52DA562 41 43 MULS R1, R0
.text&ARM.extab:C52DA564 11 F0 01 08 ANDS.W R8, R1, #1
.text&ARM.extab:C52DA568 1C D0 BEQ loc_C52DA5A4
.text&ARM.extab:C52DA56A B9 F1 1D 0F CMP.W R9, #0x1D
.text&ARM.extab:C52DA56E 19 DB BLT loc_C52DA5A4
.text&ARM.extab:C52DA570 99 2C CMP R4, #0x99
.text&ARM.extab:C52DA572 29 DB BLT loc_C52DA5C8
.text&ARM.extab:C52DA574 16 E0 B loc_C52DA5A4
.text&ARM.extab:C52DA576 loc_C52DA576
.text&ARM.extab:C52DA576 85 6C LDR R5, [R0,#0x48]
.text&ARM.extab:C52DA578 69 1C ADDS R1, R5, #1
.text&ARM.extab:C52DA57A 81 64 STR R1, [R0,#0x48]
.text&ARM.extab:C52DA57C 60 20 MOVS R0, #0x60 ; '`' ; size
.text&ARM.extab:C52DA57E CB F7 60 E9 BLX malloc
.text&ARM.extab:C52DA582 02 2E CMP R6, #2
.text&ARM.extab:C52DA584 4F F0 00 01 MOV.W R1, #0
.text&ARM.extab:C52DA588 44 F8 25 00 STR.W R0, [R4,R5,LSL#2]
.text&ARM.extab:C52DA58C C0 E9 0A B1 STRD.W R11, R1, [R0,#0x28]
.text&ARM.extab:C52DA590 C0 F2 89 80 BLT.W loc_C52DA6A6
.text&ARM.extab:C52DA594 03 98 LDR R0, [SP,#0x248+var_23C]
.text&ARM.extab:C52DA596 01 3E SUBS R6, #1
.text&ARM.extab:C52DA598 06 9A LDR R2, [SP,#0x248+var_230]
.text&ARM.extab:C52DA59A 08 9D LDR R5, [SP,#0x248+var_228]
.text&ARM.extab:C52DA59C 08 32 ADDS R2, #8
.text&ARM.extab:C52DA59E D0 F8 00 A0 LDR.W R10, [R0]
.text&ARM.extab:C52DA5A2 CC E7 B loc_C52DA53E
.text&ARM.extab:C52DA5A4 loc_C52DA5A4
.text&ARM.extab:C52DA5A4 60 20 MOVS R0, #0x60 ; '`' ; size
.text&ARM.extab:C52DA5A6 CB F7 4C E9 BLX malloc
.text&ARM.extab:C52DA5AA 4F EA 89 01 MOV.W R1, R9,LSL#2
.text&ARM.extab:C52DA5AE B1 F5 F5 7F CMP.W R1, #0x1EA
.text&ARM.extab:C52DA5B2 CA F8 98 00 STR.W R0, [R10,#0x98]
.text&ARM.extab:C52DA5B6 0D DB BLT loc_C52DA5D4
.text&ARM.extab:C52DA5B8 E0 2C CMP R4, #0xE0
.text&ARM.extab:C52DA5BA 0B DC BGT loc_C52DA5D4
.text&ARM.extab:C52DA5BC B9 F1 0A 0F CMP.W R9, #0xA
.text&ARM.extab:C52DA5C0 08 DB BLT loc_C52DA5D4
.text&ARM.extab:C52DA5C2 B8 F1 00 0F CMP.W R8, #0
.text&ARM.extab:C52DA5C6 05 D0 BEQ loc_C52DA5D4
.text&ARM.extab:C52DA5C8 loc_C52DA5C8 ; CODE XREF: read_ijiami.dat_sub_C60CE440+132↑j
.text&ARM.extab:C52DA5C8 60 20 MOVS R0, #0x60 ; '`' ; size
.text&ARM.extab:C52DA5CA CB F7 3A E9 BLX malloc
.text&ARM.extab:C52DA5CE CA F8 98 00 STR.W R0, [R10,#0x98]
.text&ARM.extab:C52DA5D2 E7 E7 B loc_C52DA5A4
If the dex is dumped from memory at this point, most method bodies have had their instructions extracted and some methods have been turned into native methods, as shown in Figure 4-6-1:
Figure 4-6-1
Loading the dex in memory
The decompiled routine below does the loading through JNI. a1 is the JNIEnv*: the call through offset 24 of its function table is FindClass and the one through offset 92 is DeleteLocalRef. It allocates an object array with NewObjectArray_sub_C60E4734, fills it with one NewDirectByteBuffer_sub_C60E46A8 per decrypted dex image via SetObjectArrayElement_sub_C60E57B4, hands the array to makeInMemoryDexElements, and finally merges the result into the class loader's dexElements through dexElements_sub_C84EA7C0. The reads of x_155_ptr/y_156_ptr, the `((x-1)*x) & 1` terms and the empty `while (v != 1);` loops are the same opaque-predicate traps seen in the disassembly and carry no logic of their own.
int __fastcall sub_C60E5120(int a1, int a2)
{
  v4 = *y_156_ptr[0];
  v5 = *x_155_ptr[0];
  v91 = *_stack_chk_guard_ptr[0];
  v6 = (v4 ^ v5) < 177;
  v7 = 4 * v4 > 198;
  if ( v4 >= 10 && (((_BYTE)v5 * ((_BYTE)v5 - 1)) & 1) != 0 && v7 == v6 && v6 | v7 )
    goto LABEL_8;
  while ( 1 )
  {
    v85 = 0;
    v8 = (*(int (__fastcall **)(int, char *))(*(_DWORD *)a1 + 24))(a1, (char *)&MEMORY[0xC532C1A8] + 3);
    ((void (__fastcall *)(void **))(*off_C5325018)[4][25])((*off_C5325018)[2]);
    v9 = *y_156_ptr[0];
    v10 = *y_156_ptr[0] ^ *x_155_ptr[0];
    v11 = ((*x_155_ptr[0] - 1) * *x_155_ptr[0]) & 1;
    if ( !v11 || v9 < 130 || v10 >= 172 )
      break;
LABEL_8:
    (*(void (__fastcall **)(int, char *))(*(_DWORD *)a1 + 24))(a1, (char *)&MEMORY[0xC532C1A8] + 3);
    ((void (__fastcall *)(void **))(*off_C5325018)[4][25])((*off_C5325018)[2]);
  }
  if ( !v8 )
  {
    v16 = v10 > 149;
    v17 = v9 < 141;
    v18 = 0;
    v19 = 0;
    if ( v17 )
      v18 = 1;
    v20 = v18 | v16;
    if ( !v11 )
      v19 = 1;
    while ( !(v19 | v20) )
      ;
    return 0;
  }
  v12 = off_C5325018;
  v13 = NewObjectArray_sub_C60E4734(a1, (*off_C5325018)[53], v8, 0);
  v14 = (void (__fastcall *)(char *))(*v12)[4][24];
  v90 = v13;
  v14((char *)&MEMORY[0xC532C1BC] + 3);
  v15 = *y_156_ptr[0];
  if ( 2 * *y_156_ptr[0] >= 211
    && (v15 ^ *x_155_ptr[0]) <= 89
    && v15 >= 10
    && ((((unsigned __int8)*x_155_ptr[0] - 1) * (unsigned __int8)*x_155_ptr[0]) & 1) != 0 )
  {
    goto LABEL_27;
  }
  while ( 1 )
  {
    v22 = ((int (__fastcall *)(int))(*off_C5325018)[4][21])(a1);
    v23 = 0;
    v24 = *y_156_ptr[0];
    v25 = *x_155_ptr[0] ^ *y_156_ptr[0];
    if ( *y_156_ptr[0] > 9 )
      v23 = 1;
    v26 = ((*x_155_ptr[0] - 1) * *x_155_ptr[0]) & 1;
    if ( 2 * v24 <= 444 || v25 > 204 || v23 != v26 || !(v23 | v26) )
      break;
LABEL_27:
    ((void (__fastcall *)(int))(*off_C5325018)[4][21])(a1);
  }
  v27 = 0;
  v28 = 0;
  if ( !v26 )
    v27 = 1;
  if ( v24 < 10 )
    v28 = 1;
  v29 = v27 | v28;
  v30 = v25 > 65;
  v31 = 0;
  v32 = 0;
  if ( 8 * v24 < 23 )
    v31 = 1;
  if ( v24 > 9 )
    v32 = 1;
  v33 = (v26 != 0) & (unsigned __int8)v32 ^ (v30 | v31) ^ 1 | v29 & (v30 | v31);
  while ( v33 != 1 )
    ;
  if ( !v22 )
    return 0;
  ((void (__fastcall *)(void **))(*off_C5325018)[4][25])((*off_C5325018)[2]);
  if ( !v90 )
  {
    v48 = 0;
    v49 = 0;
    v50 = *x_155_ptr[0];
    v51 = *y_156_ptr[0];
    if ( *y_156_ptr[0] > 9 )
      v48 = 1;
    v52 = (*x_155_ptr[0] - 1) * v50;
    v17 = (v50 ^ v51) <= 196;
    v53 = 0;
    v54 = 16 * v51;
    if ( !v17 )
      v53 = 1;
    if ( v54 <= 260 )
      v49 = 1;
    v55 = v53 | v49 | (v52 & 1 | v48) ^ 1 | v48 ^ v52 & 1;
    while ( !v55 )
      ;
    return 0;
  }
  v34 = 0;
  v86 = &v85;
  v87 = v22;
  v88 = a2;
  v89 = v8;
  v35 = x_155_ptr[0];
  v36 = y_156_ptr[0];
  v37 = off_C5325018;
  while ( 1 )
  {
    v39 = *v35;
    v40 = 0;
    v41 = *v36;
    if ( *v36 <= 410 )
      v40 = 1;
    v42 = v41 ^ v39;
    v43 = v40 | ((v41 ^ v39) > 88);
    v44 = ((*v35 - 1) * v39) & 1;
    while ( ((v44 == 0) | v43) != 1 )
      ;
    v45 = *v37;
    if ( v34 >= (int)(*v37)[53] )
      break;
    v38 = NewDirectByteBuffer_sub_C60E46A8(a1);
    SetObjectArrayElement_sub_C60E57B4(a1, v90, v34, v38);
    (*(void (__fastcall **)(int, int))(*(_DWORD *)a1 + 92))(a1, v38);
    ++v34;
  }
  v46 = v41 > 9;
  v47 = v44 != 0;
  if ( 8 * v41 >= 360 && v42 <= 84 && v46 == v47 && v47 | v46 )
    goto LABEL_80;
  while ( 1 )
  {
    ((void (__fastcall *)(char *))v45[4][24])((char *)&MEMORY[0xC532C1BC] + 3);
    v56 = (*x_155_ptr[0] ^ *y_156_ptr[0]) > 149 || *y_156_ptr[0] <= 486;
    v57 = ((*(_BYTE *)x_155_ptr[0] - 1) * *(_BYTE *)x_155_ptr[0]) & 1;
    v58 = (*y_156_ptr[0] > 9) & v57;
    v59 = v58 == v56;
    if ( v58 != v56 )
      v59 = ((unsigned __int8)v56 & (*y_156_ptr[0] < 10 || v57 == 0)) == 1;
    if ( v59 )
      break;
LABEL_80:
    ((void (__fastcall *)(char *))v45[4][24])((char *)&MEMORY[0xC532C1BC] + 3);
  }
  v60 = v86;
  v61 = v87;
  v62 = ((int (__fastcall *)(int, int *, char *, char *, int *))(*off_C5325018)[4][16])(
          a1,
          v86,
          (char *)&MEMORY[0xC532C1E0] + 1,
          (char *)&MEMORY[0xC532C1F8] + 3,
          &makeInMemoryDexElements);
  v63 = v89;
  if ( v62 == 1 && *v60 && dexElements_sub_C84EA7C0(a1, v88) != 1 )
    return 0;
  v64 = 0;
  v65 = 0;
  v66 = 0;
  v67 = *x_155_ptr[0];
  v68 = *y_156_ptr[0];
  if ( *y_156_ptr[0] >= 496 )
    v64 = 1;
  v69 = (*x_155_ptr[0] - 1) * v67;
  v70 = v67 ^ v68;
  if ( v70 < 60 )
    v65 = 1;
  v71 = v64 ^ v65 | (v64 | v65) ^ 1;
  if ( (v69 & 1) == 0 )
    v66 = 1;
  v72 = v66 | (v68 < 10) | v71;
  while ( v72 != 1 )
    ;
  v73 = (*off_C5325018)[2];
  if ( (v69 & 1) != 0 && v68 >= 73 && v70 < 195 )
    goto LABEL_92;
  while ( 1 )
  {
    (*((void (__fastcall **)(void **, int))*v73 + 23))(v73, v63);
    v74 = 0;
    v75 = (*x_155_ptr[0] ^ *y_156_ptr[0]) > 176 || 16 * *y_156_ptr[0] < 51;
    v76 = ((*(_BYTE *)x_155_ptr[0] - 1) * *(_BYTE *)x_155_ptr[0]) & 1;
    v77 = (*y_156_ptr[0] > 9) & v76;
    v78 = v77 == v75;
    if ( v77 != v75 )
      v78 = ((unsigned __int8)v75 & (*y_156_ptr[0] < 10 || v76 == 0)) == 1;
    if ( v78 )
      break;
LABEL_92:
    (*((void (__fastcall **)(void **, int))*v73 + 23))(v73, v63);
  }
  v79 = off_C5325018;
  (*((void (__fastcall **)(void **, int))*(*off_C5325018)[2] + 23))((*off_C5325018)[2], v90);
  (*((void (__fastcall **)(void **, int))*(*v79)[2] + 23))((*v79)[2], v61);
  v80 = 0;
  v81 = *y_156_ptr[0];
  v83 = ((*x_155_ptr[0] - 1) * *x_155_ptr[0]) & 1;
  if ( !v83 )
    v80 = 1;
  if ( v81 > 9 )
    v74 = 1;
  v82 = (*x_155_ptr[0] ^ *y_156_ptr[0]) > 57 || 16 * *y_156_ptr[0] < 386;
  v84 = v82 ^ v74 & v83 ^ 1 | ((v81 < 10) | v80) & v82;
  while ( v84 != 1 )
    ;
  return 1;
}
4.7 Restoring method instructions
Deciding whether a method needs repair
hook_ClassLinker_LoadMethod first calls GetMothedAddress_sub_C84B7B6C to obtain what appears to be the method's code_item, then reads the word at offset 8. In the DEX format that is the code_item's debug_info_off field (the "Debug info" of the comments), which the shell repurposes as the method's lookup key. Only values between 0x3000000 and 0x4100000 are treated as extracted methods: the two IT blocks set R0 for "above the range" and R6 for "below the range", and the TEQ/BNE pair leaves the routine as soon as either flag is set.
.text&ARM.extab:C52BDA04 hook_ClassLinker_LoadMethod_sub_C52BDA04
.text&ARM.extab:C52BDA04 var_28= -0x28
.text&ARM.extab:C52BDA04 var_24= -0x24
.text&ARM.extab:C52BDA04 var_20= -0x20
.text&ARM.extab:C52BDA04 ; __unwind {
.text&ARM.extab:C52BDA04 F0 B5 PUSH {R4-R7,LR}
.text&ARM.extab:C52BDA06 03 AF ADD R7, SP, #0xC
.text&ARM.extab:C52BDA08 2D E9 00 0F PUSH.W {R8-R11}
.text&ARM.extab:C52BDA0C 83 B0 SUB SP, SP, #0xC
.text&ARM.extab:C52BDA0E 83 46 MOV R11, R0
.text&ARM.extab:C52BDA10 4E 48 LDR R0, =(__stack_chk_guard_ptr - 0xC52BDA1A)
.text&ARM.extab:C52BDA12 01 AA ADD R2, SP, #0x28+var_24
.text&ARM.extab:C52BDA14 00 26 MOVS R6, #0
.text&ARM.extab:C52BDA16 78 44 ADD R0, PC ; __stack_chk_guard_ptr
.text&ARM.extab:C52BDA18 00 68 LDR R0, [R0]
.text&ARM.extab:C52BDA1A 00 68 LDR R0, [R0]
.text&ARM.extab:C52BDA1C 02 90 STR R0, [SP,#0x28+var_20]
.text&ARM.extab:C52BDA1E 58 46 MOV R0, R11
.text&ARM.extab:C52BDA20 01 96 STR R6, [SP,#0x28+var_24]
.text&ARM.extab:C52BDA22 00 F0 A3 F8 BL GetMothedAddress_sub_C84B7B6C
.text&ARM.extab:C52BDA26 04 46 MOV R4, R0
.text&ARM.extab:C52BDA28 00 2C CMP R4, #0
.text&ARM.extab:C52BDA2A 00 F0 82 80 BEQ.W loc_C52BDB32
.text&ARM.extab:C52BDA2E A0 46 MOV R8, R4
.text&ARM.extab:C52BDA30 00 20 MOVS R0, #0
.text&ARM.extab:C52BDA32 58 F8 08 5F LDR.W R5, [R8,#8]! ; Debug info
.text&ARM.extab:C52BDA36 B5 F1 82 6F CMP.W R5, #0x4100000
.text&ARM.extab:C52BDA3A C8 BF IT GT
.text&ARM.extab:C52BDA3C 01 20 MOVGT R0, #1
.text&ARM.extab:C52BDA3E B5 F1 40 7F CMP.W R5, #0x3000000
.text&ARM.extab:C52BDA42 B8 BF IT LT
.text&ARM.extab:C52BDA44 01 26 MOVLT R6, #1
.text&ARM.extab:C52BDA46 96 EA 00 0F TEQ.W R6, R0
.text&ARM.extab:C52BDA4A 72 D1 BNE loc_C52BDB32
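A quick way to measure what section 4.6 describes (how many methods of the dumped dex were extracted or nativized) and to apply the range check from the listing above is to walk the dex's class_data and look at every method's code_item. The script below is an added example for this article, not the author's or ijiami's code. It parses the DEX structures as documented by the Dalvik format (header, class_def_item, class_data_item, encoded_method, code_item) and labels a method "extracted" when its debug_info_off falls in the 0x3000000..0x4100000 range that hook_ClassLinker_LoadMethod accepts, "native" when ACC_NATIVE is set and there is no code, and "hollow" when the body is empty or all zeros; that last rule is a heuristic I assume for zeroed bodies, not something the listing shows. The sample dex it scans is constructed in code so the script runs offline:

```python
import struct

ACC_NATIVE = 0x0100
# Range checked by hook_ClassLinker_LoadMethod on the code_item's debug_info_off.
KEY_MIN, KEY_MAX = 0x3000000, 0x4100000


def read_uleb128(buf, off):
    """Decode a DEX uleb128 at buf[off]; return (value, offset_after)."""
    value, shift = 0, 0
    while True:
        b = buf[off]
        off += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, off
        shift += 7


def classify_code_item(dex, code_off, access_flags):
    """Label one method by what its code_item looks like in a memory dump."""
    if code_off == 0:
        return "native" if access_flags & ACC_NATIVE else "abstract"
    # code_item: registers_size u2, ins_size u2, outs_size u2, tries_size u2,
    #            debug_info_off u4, insns_size u4 (16-bit units), insns[]
    debug_info_off, insns_size = struct.unpack_from("<II", dex, code_off + 8)
    if KEY_MIN <= debug_info_off <= KEY_MAX:
        return "extracted"          # key in the shell's range (from the listing)
    insns = dex[code_off + 16: code_off + 16 + 2 * insns_size]
    if insns_size == 0 or not any(insns):
        return "hollow"             # assumption: zeroed body without a key
    return "code"


def scan_methods(dex):
    """Walk class_def -> class_data -> encoded_method and classify every method."""
    class_defs_size, class_defs_off = struct.unpack_from("<II", dex, 96)
    results = []
    for i in range(class_defs_size):
        class_data_off = struct.unpack_from("<I", dex, class_defs_off + 32 * i + 24)[0]
        if class_data_off == 0:
            continue
        off, sizes = class_data_off, []
        for _ in range(4):   # static_fields, instance_fields, direct_methods, virtual_methods
            n, off = read_uleb128(dex, off)
            sizes.append(n)
        for _ in range(sizes[0] + sizes[1]):      # encoded_field: idx_diff, access_flags
            _, off = read_uleb128(dex, off)
            _, off = read_uleb128(dex, off)
        for count in sizes[2:]:                   # direct methods, then virtual methods
            method_idx = 0
            for _ in range(count):
                diff, off = read_uleb128(dex, off)
                flags, off = read_uleb128(dex, off)
                code_off, off = read_uleb128(dex, off)
                method_idx += diff
                results.append((method_idx, classify_code_item(dex, code_off, flags)))
    return results


def summarize(results):
    counts = {}
    for _, label in results:
        counts[label] = counts.get(label, 0) + 1
    return counts


def uleb128(value):
    out = bytearray()
    while True:
        b, value = value & 0x7F, value >> 7
        out.append(b | 0x80 if value else b)
        if not value:
            return bytes(out)


def build_sample_dex():
    """Constructed minimal DEX (not an ijiami dump): one class, four direct methods."""
    def code_item(debug_info_off, insns):
        body = struct.pack("<HHHHII", 1, 0, 0, 0, debug_info_off, len(insns) // 2) + insns
        return body + b"\x00" * (-len(body) % 4)
    code_a = code_item(0, bytes([0x0E, 0x00]))          # return-void: real code
    code_b = code_item(0x3000042, bytes([0x0E, 0x00]))  # key in range: extracted
    code_c = code_item(0, bytes(4))                     # zeroed body: hollow
    off_a = 0x70 + 32
    off_b, off_c = off_a + len(code_a), off_a + len(code_a) + len(code_b)
    class_data_off = off_c + len(code_c)
    methods = [(0, 0x1, off_a), (1, 0x1, off_b), (1, 0x1, off_c), (1, 0x1 | ACC_NATIVE, 0)]
    class_data = uleb128(0) + uleb128(0) + uleb128(len(methods)) + uleb128(0)
    for diff, flags, code_off in methods:
        class_data += uleb128(diff) + uleb128(flags) + uleb128(code_off)
    class_def = struct.pack("<8I", 0, 1, 1, 0, 0xFFFFFFFF, 0, class_data_off, 0)
    header = bytearray(0x70)
    header[0:8] = b"dex\n035\x00"
    struct.pack_into("<I", header, 36, 0x70)          # header_size
    struct.pack_into("<I", header, 40, 0x12345678)    # endian_tag
    struct.pack_into("<II", header, 96, 1, 0x70)      # class_defs_size, class_defs_off
    dex = bytes(header) + class_def + code_a + code_b + code_c + class_data
    return dex[:32] + struct.pack("<I", len(dex)) + dex[36:]   # file_size


if __name__ == "__main__":
    results = scan_methods(build_sample_dex())
    for idx, label in results:
        print(f"method_idx {idx}: {label}")
    print(summarize(results))
```

Point `scan_methods` at a dex dumped from memory (`open(path, "rb").read()`); the counts from `summarize` show how much of the app's logic is still missing from the dump and therefore has to be recovered through the instruction-restoration path described in the rest of this section.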
Repairing the instructions
Locate the decrypted instructions by the Debug info key and fetch them
.text&ARM.extab:C52AA9D2 getDecCode_sub_C20E39D2
.text&ARM.extab:C52AA9D2 ; __unwind {
.text&ARM.extab:C52AA9D2 F0 B5 PUSH {R4-R7,LR}
.text&ARM.extab:C52AA9D4 03 AF ADD R7, SP, #0xC
.text&ARM.extab:C52AA9D6 4D F8 04 8D PUSH.W {R8}
.text&ARM.extab:C52AA9DA 80 46 MOV R8, R0
.text&ARM.extab:C52AA9DC 0C 46 MOV R4, R1
.text&ARM.extab:C52AA9DE D8 F8 08 10 LDR.W R1, [R8,#8]
.text&ARM.extab:C52AA9E2 20 46 MOV R0, R4
.text&ARM.extab:C52AA9E4 88 47 BLX R1
.text&ARM.extab:C52AA9E6 6F EA 40 23 MVN.W R3, R0,LSL#9 ; Debug info
.text&ARM.extab:C52AA9EA 18 44 ADD R0, R3 ; Debuginfo + ~(Debuginfo<<9)
.text&ARM.extab:C52AA9EC D8 E9 00 12 LDRD.W R1, R2, [R8]
.text&ARM.extab:C52AA9F0 80 EA 90 30 EOR.W R0, R0, R0,LSR#14
.text&ARM.extab:C52AA9F4 00 EB 00 10 ADD.W R0, R0, R0,LSL#4
.text&ARM.extab:C52AA9F8 80 EA 90 26 EOR.W R6, R0, R0,LSR#10
.text&ARM.extab:C52AA9FC 50 1E SUBS R0, R2, #1
.text&ARM.extab:C52AA9FE 30 40 ANDS R0, R6
.text&ARM.extab:C52AAA00 51 F8 20 50 LDR.W R5, [R1,R0,LSL#2]
.text&ARM.extab:C52AAA04 0C E0 B loc_C52AAA20
.text&ARM.extab:C52AAA06 loc_C52AAA06 ; CODE XREF: getDecCode_sub_C20E39D2+50↓j
.text&ARM.extab:C52AAA06 28 68 LDR R0, [R5] ; fetch the Debug info stored in the decrypted-instruction entry
.text&ARM.extab:C52AAA08 A0 42 CMP R0, R4 ; compare it with the Debug info of the extracted method
.text&ARM.extab:C52AAA0A 0D D0 BEQ loc_C52AAA28 ; match: fetch the address of the decrypted instructions
.text&ARM.extab:C52AAA0C 69 68 LDR R1, [R5,#4]
.text&ARM.extab:C52AAA0E B1 42 CMP R1, R6
.text&ARM.extab:C52AAA10 05 D1 BNE loc_C52AAA1E
.text&ARM.extab:C52AAA12 D8 F8 0C 20 LDR.W R2, [R8,#0xC]
.text&ARM.extab:C52AAA16 21 46 MOV R1, R4
.text&ARM.extab:C52AAA18 90 47 BLX R2
.text&ARM.extab:C52AAA1A 01 28 CMP R0, #1
.text&ARM.extab:C52AAA1C 04 D0 BEQ loc_C52AAA28 ; fetch the address of the decrypted instructions
.text&ARM.extab:C52AAA1E loc_C52AAA1E
.text&ARM.extab:C52AAA1E ED 68 LDR R5, [R5,#0xC]
.text&ARM.extab:C52AAA20 loc_C52AAA20
.text&ARM.extab:C52AAA20 00 2D CMP R5, #0
.text&ARM.extab:C52AAA22 F0 D1 BNE loc_C52AAA06 ; next entry in the chain
.text&ARM.extab:C52AAA24 00 20 MOVS R0, #0
.text&ARM.extab:C52AAA26 00 E0 B loc_C52AAA2A
.text&ARM.extab:C52AAA28 loc_C52AAA28 ; getDecCode_sub_C20E39D2+4A↑j
.text&ARM.extab:C52AAA28 A8 68 LDR R0, [R5,#8] ; fetch the address of the decrypted instructions
.text&ARM.extab:C52AAA2A loc_C52AAA2A
.text&ARM.extab:C52AAA2A 5D F8 04 8B POP.W {R8}
.text&ARM.extab:C52AAA2E F0 BD POP {R4-R7,PC}
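Read_ijiami.ajm (the first listing in this section) and getDecCode together form a lookup table for the extracted instruction bodies. Read_ijiami.ajm walks variable-length entries laid out as a 12-byte header {key, unknown, insns_len} followed by the instruction bytes (the same +8 length and +0xC instruction offsets that Fix_Method reads), adjusts each key by a value obtained with strtol, and inserts the entries getDecCode cannot yet find. getDecCode hashes the key through the callback at [ctx+8], mixes the result with the shifts visible above, selects a bucket with `& (size-1)`, and walks a chain of [key, hash, insns_ptr, next] nodes, accepting a node either on key equality or on hash equality confirmed by the callback at [ctx+0xC]. The Python below is an added example reconstructing that flow for this article, not the shell's own code. The mixing steps are exactly those of the listing (`h += ~(h<<9); h ^= h>>14; h += h<<4; h ^= h>>10`); the two callbacks are assumed to be identity and plain equality, the key adjustment defaults to 0, and the sample blob is constructed:

```python
import struct

M32 = 0xFFFFFFFF


def mix32(h):
    """Integer mixing as in getDecCode_sub_C20E39D2 after its hash callback (mod 2**32)."""
    h = (h + (~(h << 9) & M32)) & M32   # MVN R3, R0, LSL#9 ; ADD R0, R3
    h ^= h >> 14                         # EOR R0, R0, R0, LSR#14
    h = (h + (h << 4)) & M32             # ADD R0, R0, R0, LSL#4
    h ^= h >> 10                         # EOR R6, R0, R0, LSR#10
    return h


def parse_ajm_entries(blob, key_delta=0):
    """Split a decrypted ijiami.ajm body into entries.

    Layout inferred from Read_ijiami.ajm and Fix_Method: {u32 key, u32 unknown,
    u32 insns_len} followed by insns_len bytes, next entry at +0xC+insns_len.
    key_delta models the strtol-derived value Read_ijiami.ajm subtracts from the
    key (assumption: 0 when that string is not known).
    """
    entries, off = [], 0
    while off + 12 <= len(blob):
        raw_key, unknown, length = struct.unpack_from("<III", blob, off)
        body = blob[off + 12: off + 12 + length]
        if len(body) != length:
            raise ValueError(f"truncated entry at {off:#x}")
        entries.append({"key": (raw_key - key_delta) & M32, "unknown": unknown, "insns": body})
        off += 12 + length
    return entries


class DecCodeTable:
    """Chained hash table with the node layout seen in getDecCode: [key, hash, insns, next]."""

    def __init__(self, size=0x100, hash_cb=lambda k: k, eq_cb=lambda a, b: a == b):
        assert size & (size - 1) == 0, "size-1 is used as the bucket mask"
        self.buckets = [None] * size
        self.hash_cb = hash_cb   # the [ctx+8] callback; identity is an assumption
        self.eq_cb = eq_cb       # the [ctx+0xC] callback; plain equality is an assumption

    def _slot(self, key):
        h = mix32(self.hash_cb(key) & M32)
        return h, h & (len(self.buckets) - 1)

    def insert(self, key, insns):
        h, idx = self._slot(key)
        self.buckets[idx] = {"key": key, "hash": h, "insns": insns, "next": self.buckets[idx]}

    def lookup(self, key):
        """getDecCode: returns the instruction bytes for key, or None when absent."""
        h, idx = self._slot(key)
        node = self.buckets[idx]
        while node is not None:
            if node["key"] == key:                                   # CMP R0, R4
                return node["insns"]
            if node["hash"] == h and self.eq_cb(node["key"], key):   # CMP R1, R6 ; BLX [ctx+0xC]
                return node["insns"]
            node = node["next"]                                      # LDR R5, [R5,#0xC]
        return None


def build_table(blob, size=0x100, key_delta=0):
    table = DecCodeTable(size)
    for e in parse_ajm_entries(blob, key_delta):
        table.insert(e["key"], e["insns"])
    return table


def sample_blob():
    """Constructed sample (not real ijiami data): keys in the range the LoadMethod hook accepts."""
    def entry(key, insns):
        return struct.pack("<III", key, 0, len(insns)) + insns
    return (entry(0x3000010, bytes.fromhex("0e00"))           # return-void
            + entry(0x3000011, bytes.fromhex("1200" "0f00"))  # const/4 v0,#0 ; return v0
            + entry(0x3000012, b""))                           # empty body, length 0


if __name__ == "__main__":
    table = build_table(sample_blob(), size=8)
    print(table.lookup(0x3000011).hex(), table.lookup(0x4000000))
```

With a real ajm body, dump the decrypted buffer that Read_ijiami.ajm walks and feed it to `build_table`; a lookup by the debug_info_off key of an extracted method then yields the bytes Fix_Method writes back, which is what a static unpacker needs to patch the dumped dex.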
Repairing the instructions
.text&ARM.extab:C52E7F34 ; R0: decrypted method instructions, R1: method address
.text&ARM.extab:C52E7F34 Fix_Method_sub_C2195F34
.text&ARM.extab:C52E7F34 var_20= -0x20
.text&ARM.extab:C52E7F34 ; __unwind {
.text&ARM.extab:C52E7F34 F0 B5 PUSH {R4-R7,LR}
.text&ARM.extab:C52E7F36 03 AF ADD R7, SP, #0xC
.text&ARM.extab:C52E7F38 2D E9 00 0F PUSH.W {R8-R11}
.text&ARM.extab:C52E7F3C 81 B0 SUB SP, SP, #4
.text&ARM.extab:C52E7F3E 8F 4A LDR R2, =(x.27_ptr - 0xC52E7F4A)
.text&ARM.extab:C52E7F40 00 25 MOVS R5, #0
.text&ARM.extab:C52E7F42 8F 4B LDR R3, =(y.28_ptr - 0xC52E7F4C)
.text&ARM.extab:C52E7F44 00 24 MOVS R4, #0
.text&ARM.extab:C52E7F46 7A 44 ADD R2, PC ; x.27_ptr
.text&ARM.extab:C52E7F48 7B 44 ADD R3, PC ; y.28_ptr
.text&ARM.extab:C52E7F4A 12 68 LDR R2, [R2] ; x.27
.text&ARM.extab:C52E7F4C 1B 68 LDR R3, [R3] ; y.28
.text&ARM.extab:C52E7F4E 16 68 LDR R6, [R2]
.text&ARM.extab:C52E7F50 1A 68 LDR R2, [R3]
.text&ARM.extab:C52E7F52 73 1E SUBS R3, R6, #1
.text&ARM.extab:C52E7F54 82 EA 06 0E EOR.W LR, R2, R6
.text&ARM.extab:C52E7F58 03 FB 06 FC MUL.W R12, R3, R6
.text&ARM.extab:C52E7F5C 13 01 LSLS R3, R2, #4
.text&ARM.extab:C52E7F5E A1 2B CMP R3, #0xA1
.text&ARM.extab:C52E7F60 C8 BF IT GT
.text&ARM.extab:C52E7F62 01 25 MOVGT R5, #1
.text&ARM.extab:C52E7F64 BE F1 6E 0F CMP.W LR, #0x6E ; 'n'
.text&ARM.extab:C52E7F68 4F F0 00 06 MOV.W R6, #0
.text&ARM.extab:C52E7F6C B8 BF IT LT
.text&ARM.extab:C52E7F6E 01 26 MOVLT R6, #1
.text&ARM.extab:C52E7F70 09 2A CMP R2, #9
.text&ARM.extab:C52E7F72 06 EA 05 06 AND.W R6, R6, R5
.text&ARM.extab:C52E7F76 4F F0 00 05 MOV.W R5, #0
.text&ARM.extab:C52E7F7A C8 BF IT GT
.text&ARM.extab:C52E7F7C 01 25 MOVGT R5, #1
.text&ARM.extab:C52E7F7E 0C F0 01 03 AND.W R3, R12, #1
.text&ARM.extab:C52E7F82 1D 40 ANDS R5, R3
.text&ARM.extab:C52E7F84 0A 2A CMP R2, #0xA
.text&ARM.extab:C52E7F86 86 EA 05 0C EOR.W R12, R6, R5
.text&ARM.extab:C52E7F8A 45 EA 06 05 ORR.W R5, R5, R6
.text&ARM.extab:C52E7F8E 4F F0 00 06 MOV.W R6, #0
.text&ARM.extab:C52E7F92 85 F0 01 05 EOR.W R5, R5, #1
.text&ARM.extab:C52E7F96 B8 BF IT LT
.text&ARM.extab:C52E7F98 01 26 MOVLT R6, #1
.text&ARM.extab:C52E7F9A 00 2B CMP R3, #0
.text&ARM.extab:C52E7F9C 08 BF IT EQ
.text&ARM.extab:C52E7F9E 01 24 MOVEQ R4, #1
.text&ARM.extab:C52E7FA0 45 EA 0C 05 ORR.W R5, R5, R12
.text&ARM.extab:C52E7FA4 26 43 ORRS R6, R4
.text&ARM.extab:C52E7FA6 loc_C52E7FA6
.text&ARM.extab:C52E7FA6 01 2D CMP R5, #1
.text&ARM.extab:C52E7FA8 FD D1 BNE loc_C52E7FA6
.text&ARM.extab:C52E7FAA BE F1 B9 0F CMP.W LR, #0xB9
.text&ARM.extab:C52E7FAE 4F F0 00 05 MOV.W R5, #0
.text&ARM.extab:C52E7FB2 4F F0 00 03 MOV.W R3, #0
.text&ARM.extab:C52E7FB6 C8 BF IT GT
.text&ARM.extab:C52E7FB8 01 25 MOVGT R5, #1
.text&ARM.extab:C52E7FBA D2 00 LSLS R2, R2, #3
.text&ARM.extab:C52E7FBC E4 2A CMP R2, #0xE4
.text&ARM.extab:C52E7FBE B8 BF IT LT
.text&ARM.extab:C52E7FC0 01 23 MOVLT R3, #1
.text&ARM.extab:C52E7FC2 43 EA 05 02 ORR.W R2, R3, R5
.text&ARM.extab:C52E7FC6 32 43 ORRS R2, R6
.text&ARM.extab:C52E7FC8 loc_C52E7FC8
.text&ARM.extab:C52E7FC8 01 2A CMP R2, #1
.text&ARM.extab:C52E7FCA FD D1 BNE loc_C52E7FC8
.text&ARM.extab:C52E7FCC 82 68 LDR R2, [R0,#8] ; length of the decrypted method instructions
.text&ARM.extab:C52E7FCE 00 2A CMP R2, #0
.text&ARM.extab:C52E7FD0 00 F0 CE 80 BEQ.W loc_C52E8170
.text&ARM.extab:C52E7FD4 6B 4B LDR R3, =(x.27_ptr - 0xC52E7FDC)
.text&ARM.extab:C52E7FD6 00 22 MOVS R2, #0
.text&ARM.extab:C52E7FD8 7B 44 ADD R3, PC ; x.27_ptr
.text&ARM.extab:C52E7FDA 1B 68 LDR R3, [R3] ; x.27
.text&ARM.extab:C52E7FDC 00 93 STR R3, [SP,#0x20+var_20]
.text&ARM.extab:C52E7FDE 6A 4B LDR R3, =(y.28_ptr - 0xC52E7FE4)
.text&ARM.extab:C52E7FE0 7B 44 ADD R3, PC ; y.28_ptr
.text&ARM.extab:C52E7FE2 D3 F8 00 E0 LDR.W LR, [R3] ; y.28
.text&ARM.extab:C52E7FE6 loc_C52E7FE6
.text&ARM.extab:C52E7FE6 83 18 ADDS R3, R0, R2 ; base++
.text&ARM.extab:C52E7FE8 93 F8 0C A0 LDRB.W R10, [R3,#0xC] ; fetch one instruction byte
.text&ARM.extab:C52E7FEC BA F1 00 0F CMP.W R10, #0
.text&ARM.extab:C52E7FF0 67 D0 BEQ loc_C52E80C2
.text&ARM.extab:C52E7FF2 00 9B LDR R3, [SP,#0x20+var_20]
.text&ARM.extab:C52E7FF4 00 26 MOVS R6, #0
.text&ARM.extab:C52E7FF6 DE F8 00 50 LDR.W R5, [LR]
.text&ARM.extab:C52E7FFA 1B 68 LDR R3, [R3]
.text&ARM.extab:C52E7FFC 09 2D CMP R5, #9
.text&ARM.extab:C52E7FFE C8 BF IT GT
.text&ARM.extab:C52E8000 01 26 MOVGT R6, #1
.text&ARM.extab:C52E8002 AA 2D CMP R5, #0xAA
.text&ARM.extab:C52E8004 A3 F1 01 04 SUB.W R4, R3, #1
.text&ARM.extab:C52E8008 85 EA 03 0C EOR.W R12, R5, R3
.text&ARM.extab:C52E800C 4F EA C5 08 MOV.W R8, R5,LSL#3
.text&ARM.extab:C52E8010 03 FB 04 F4 MUL.W R4, R3, R4
.text&ARM.extab:C52E8014 4F F0 00 03 MOV.W R3, #0
.text&ARM.extab:C52E8018 04 F0 01 0B AND.W R11, R4, #1
.text&ARM.extab:C52E801C 86 EA 0B 04 EOR.W R4, R6, R11
.text&ARM.extab:C52E8020 46 EA 0B 06 ORR.W R6, R6, R11
.text&ARM.extab:C52E8024 86 F0 01 06 EOR.W R6, R6, #1
.text&ARM.extab:C52E8028 44 EA 06 04 ORR.W R4, R4, R6
.text&ARM.extab:C52E802C 4F F0 00 06 MOV.W R6, #0
.text&ARM.extab:C52E8030 B8 BF IT LT
.text&ARM.extab:C52E8032 01 26 MOVLT R6, #1
.text&ARM.extab:C52E8034 BC F1 E6 0F CMP.W R12, #0xE6
.text&ARM.extab:C52E8038 C8 BF IT GT
.text&ARM.extab:C52E803A 01 23 MOVGT R3, #1
.text&ARM.extab:C52E803C 0A 2D CMP R5, #0xA
.text&ARM.extab:C52E803E 43 EA 06 03 ORR.W R3, R3, R6
.text&ARM.extab:C52E8042 4F F0 00 06 MOV.W R6, #0
.text&ARM.extab:C52E8046 43 EA 04 03 ORR.W R3, R3, R4
.text&ARM.extab:C52E804A 4F F0 00 04 MOV.W R4, #0
.text&ARM.extab:C52E804E B8 BF IT LT
.text&ARM.extab:C52E8050 01 24 MOVLT R4, #1
.text&ARM.extab:C52E8052 BB F1 00 0F CMP.W R11, #0
.text&ARM.extab:C52E8056 08 BF IT EQ
.text&ARM.extab:C52E8058 01 26 MOVEQ R6, #1
.text&ARM.extab:C52E805A 44 EA 06 09 ORR.W R9, R4, R6
.text&ARM.extab:C52E805E loc_C52E805E
.text&ARM.extab:C52E805E 01 2B CMP R3, #1
.text&ARM.extab:C52E8060 FD D1 BNE loc_C52E805E
.text&ARM.extab:C52E8062 BA F1 FF 0F CMP.W R10, #0xFF ; is the instruction byte 0xFF?
.text&ARM.extab:C52E8066 2E D0 BEQ loc_C52E80C6
.text&ARM.extab:C52E8068 BC F1 BF 0F CMP.W R12, #0xBF
.text&ARM.extab:C52E806C 4F F0 00 04 MOV.W R4, #0
.text&ARM.extab:C52E8070 C8 BF IT GT
.text&ARM.extab:C52E8072 01 24 MOVGT R4, #1
.text&ARM.extab:C52E8074 6B 00 LSLS R3, R5, #1
.text&ARM.extab:C52E8076 B3 F5 B2 7F CMP.W R3, #0x164
.text&ARM.extab:C52E807A 4F F0 00 06 MOV.W R6, #0
.text&ARM.extab:C52E807E B8 BF IT LT
.text&ARM.extab:C52E8080 01 26 MOVLT R6, #1
.text&ARM.extab:C52E8082 34 43 ORRS R4, R6
.text&ARM.extab:C52E8084 44 EA 09 04 ORR.W R4, R4, R9
.text&ARM.extab:C52E8088 loc_C52E8088
.text&ARM.extab:C52E8088 01 2C CMP R4, #1
.text&ARM.extab:C52E808A FD D1 BNE loc_C52E8088
.text&ARM.extab:C52E808C BC F1 A6 0F CMP.W R12, #0xA6
.text&ARM.extab:C52E8090 4F F0 00 04 MOV.W R4, #0
.text&ARM.extab:C52E8094 B8 BF IT LT
.text&ARM.extab:C52E8096 01 24 MOVLT R4, #1
.text&ARM.extab:C52E8098 B3 F5 F8 7F CMP.W R3, #0x1F0
.text&ARM.extab:C52E809C 4F F0 00 03 MOV.W R3, #0
.text&ARM.extab:C52E80A0 C8 BF IT GT
.text&ARM.extab:C52E80A2 01 23 MOVGT R3, #1
.text&ARM.extab:C52E80A4 83 EA 04 06 EOR.W R6, R3, R4
.text&ARM.extab:C52E80A8 23 43 ORRS R3, R4
.text&ARM.extab:C52E80AA 83 F0 01 03 EOR.W R3, R3, #1
.text&ARM.extab:C52E80AE 33 43 ORRS R3, R6
.text&ARM.extab:C52E80B0 43 EA 09 03 ORR.W R3, R3, R9
.text&ARM.extab:C52E80B4 loc_C52E80B4
.text&ARM.extab:C52E80B4 01 2B CMP R3, #1
.text&ARM.extab:C52E80B6 FD D1 BNE loc_C52E80B4
.text&ARM.extab:C52E80B8 BA F1 23 0F CMP.W R10, #0x23 ; '#' ; is the instruction byte 0x23?
.text&ARM.extab:C52E80BC 05 D1 BNE loc_C52E80CA
.text&ARM.extab:C52E80BE 23 23 MOVS R3, #0x23 ; '#'
.text&ARM.extab:C52E80C0 50 E0 B loc_C52E8164 ; 写指令 .text&ARM.extab:C52E80C0 .text&ARM.extab:C52E80C2 .text&ARM.extab:C52E80C2 loc_C52E80C2 .text&ARM.extab:C52E80C2 00 23 MOVS R3, #0 .text&ARM.extab:C52E80C4 4E E0 B loc_C52E8164 ; 写指令 .text&ARM.extab:C52E80C4 .text&ARM.extab:C52E80C6 .text&ARM.extab:C52E80C6 loc_C52E80C6 .text&ARM.extab:C52E80C6 FF 23 MOVS R3, #0xFF .text&ARM.extab:C52E80C8 4C E0 B loc_C52E8164 ; 写指令 .text&ARM.extab:C52E80C8 .text&ARM.extab:C52E80CA .text&ARM.extab:C52E80CA loc_C52E80CA .text&ARM.extab:C52E80CA BC F1 46 0F CMP.W R12, #0x46 ; 'F' .text&ARM.extab:C52E80CE 4F F0 00 03 MOV.W R3, #0 .text&ARM.extab:C52E80D2 C8 BF IT GT .text&ARM.extab:C52E80D4 01 23 MOVGT R3, #1 .text&ARM.extab:C52E80D6 B8 F5 FA 7F CMP.W R8, #0x1F4 .text&ARM.extab:C52E80DA 4F F0 00 04 MOV.W R4, #0 .text&ARM.extab:C52E80DE B8 BF IT LT .text&ARM.extab:C52E80E0 01 24 MOVLT R4, #1 .text&ARM.extab:C52E80E2 23 43 ORRS R3, R4 .text&ARM.extab:C52E80E4 43 EA 09 03 ORR.W R3, R3, R9 .text&ARM.extab:C52E80E4 .text&ARM.extab:C52E80E8 .text&ARM.extab:C52E80E8 loc_C52E80E8 .text&ARM.extab:C52E80E8 01 2B CMP R3, #1 .text&ARM.extab:C52E80EA FD D1 BNE loc_C52E80E8 .text&ARM.extab:C52E80EA .text&ARM.extab:C52E80EC BC F1 13 0F CMP.W R12, #0x13 .text&ARM.extab:C52E80F0 4F F0 00 03 MOV.W R3, #0 .text&ARM.extab:C52E80F4 4F EA 05 14 MOV.W R4, R5,LSL#4 .text&ARM.extab:C52E80F8 C8 BF IT GT .text&ARM.extab:C52E80FA 01 23 MOVGT R3, #1 .text&ARM.extab:C52E80FC B4 F5 95 7F CMP.W R4, #0x12A .text&ARM.extab:C52E8100 4F F0 00 04 MOV.W R4, #0 .text&ARM.extab:C52E8104 B8 BF IT LT .text&ARM.extab:C52E8106 01 24 MOVLT R4, #1 .text&ARM.extab:C52E8108 23 43 ORRS R3, R4 .text&ARM.extab:C52E810A 43 EA 09 03 ORR.W R3, R3, R9 .text&ARM.extab:C52E810A .text&ARM.extab:C52E810E .text&ARM.extab:C52E810E loc_C52E810E .text&ARM.extab:C52E810E 01 2B CMP R3, #1 .text&ARM.extab:C52E8110 FD D1 BNE loc_C52E810E .text&ARM.extab:C52E8110 .text&ARM.extab:C52E8112 BA F1 DC 0F CMP.W R10, #0xDC ; 判断指令是否为0xDC 
.text&ARM.extab:C52E8116 01 D1 BNE loc_C52E811C .text&ARM.extab:C52E8116 .text&ARM.extab:C52E8118 DC 23 MOVS R3, #0xDC .text&ARM.extab:C52E811A 23 E0 B loc_C52E8164 ; 写指令 .text&ARM.extab:C52E811A .text&ARM.extab:C52E811C .text&ARM.extab:C52E811C loc_C52E811C .text&ARM.extab:C52E811C B8 F1 71 0F CMP.W R8, #0x71 ; 'q' .text&ARM.extab:C52E8120 4F F0 00 03 MOV.W R3, #0 .text&ARM.extab:C52E8124 C8 BF IT GT .text&ARM.extab:C52E8126 01 23 MOVGT R3, #1 .text&ARM.extab:C52E8128 BC F1 D8 0F CMP.W R12, #0xD8 .text&ARM.extab:C52E812C 4F F0 00 06 MOV.W R6, #0 .text&ARM.extab:C52E8130 B8 BF IT LT .text&ARM.extab:C52E8132 01 26 MOVLT R6, #1 .text&ARM.extab:C52E8134 09 2D CMP R5, #9 .text&ARM.extab:C52E8136 03 EA 06 03 AND.W R3, R3, R6 .text&ARM.extab:C52E813A 4F F0 00 06 MOV.W R6, #0 .text&ARM.extab:C52E813E C8 BF IT GT .text&ARM.extab:C52E8140 01 26 MOVGT R6, #1 .text&ARM.extab:C52E8142 BB F1 00 0F CMP.W R11, #0 .text&ARM.extab:C52E8146 18 BF IT NE .text&ARM.extab:C52E8148 4F F0 01 0B MOVNE.W R11, #1 .text&ARM.extab:C52E814C 06 EA 0B 06 AND.W R6, R6, R11 .text&ARM.extab:C52E8150 83 EA 06 05 EOR.W R5, R3, R6 .text&ARM.extab:C52E8154 33 43 ORRS R3, R6 .text&ARM.extab:C52E8156 83 F0 01 03 EOR.W R3, R3, #1 .text&ARM.extab:C52E815A 2B 43 ORRS R3, R5 .text&ARM.extab:C52E815A .text&ARM.extab:C52E815C .text&ARM.extab:C52E815C loc_C52E815C .text&ARM.extab:C52E815C 01 2B CMP R3, #1 .text&ARM.extab:C52E815E FD D1 BNE loc_C52E815C .text&ARM.extab:C52E815E .text&ARM.extab:C52E8160 6F EA 0A 03 MVN.W R3, R10 ; 解密指令 R10按位取反 .text&ARM.extab:C52E8160 .text&ARM.extab:C52E8164 .text&ARM.extab:C52E8164 loc_C52E8164 .text&ARM.extab:C52E8164 8B 54 STRB R3, [R1,R2] ; 写指令 .text&ARM.extab:C52E8166 01 32 ADDS R2, #1 .text&ARM.extab:C52E8168 83 68 LDR R3, [R0,#8] ; 取指令长度 .text&ARM.extab:C52E816A 9A 42 CMP R2, R3 ; 判断是否结束 .text&ARM.extab:C52E816C FF F4 3B AF BCC.W loc_C52E7FE6 ; base++ .text&ARM.extab:C52E816C .text&ARM.extab:C52E8170 .text&ARM.extab:C52E8170 loc_C52E8170 .text&ARM.extab:C52E8170 01 20 MOVS 
R0, #1 .text&ARM.extab:C52E8172 01 B0 ADD SP, SP, #4 .text&ARM.extab:C52E8174 BD E8 00 0F POP.W {R8-R11} .text&ARM.extab:C52E8178 F0 BD POP {R4-R7,PC}
Storage format of an extracted method's instructions (offsets 8 and 0xC match the LDR R2,[R0,#8] and LDRB R10,[R3,#0xC] in the listing above):

Offset  Bytes                      Field
0x00    6C C6 FF 03 37 1E 38 00    Debug info
0x08    08 00 00 00                Instruction length (32-bit little-endian, counted in bytes)
0x0C    xx xx xx ...               Encoded instructions
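The restore loop and the record format above, reimplemented so an extracted method can be decoded and written back offline, for example into a dumped DEX before handing it to a decompiler. This is an added example, not the packer's or the author's code; the record layout (8-byte debug info, 4-byte byte count, encoded bytes at 0xC) and the four pass-through values are taken from the listing, while the sample record, the `build_record` helper and the `patch_code_item` write-back are constructed for illustration. Because the decode mapping is its own inverse, `build_record` produces the encoded form by applying the same mapping to plaintext.

```python
import struct

# Byte values the restore loop in Fix_Method writes through unchanged
# (the CMP R10,#0 / #0xFF / #0x23 / #0xDC branches); every other byte is
# bitwise-inverted (MVN.W R3, R10). 0x00<->0xFF and 0x23<->0xDC are exactly
# the pairs NOT would swap, so the mapping is an involution.
PASSTHROUGH = frozenset((0x00, 0xFF, 0x23, 0xDC))

DEBUG_INFO_LEN = 8    # bytes 0x00..0x07 of a record ("Debug info" in the table above)
LEN_OFFSET = 8        # LDR R2, [R0,#8]      : byte count of the encoded instructions
INSNS_OFFSET = 0x0C   # LDRB R10, [R3,#0xC]  : first encoded instruction byte


def restore_byte(b: int) -> int:
    """One loop iteration: the value STRB R3,[R1,R2] stores for input byte b."""
    return b if b in PASSTHROUGH else (~b) & 0xFF


def parse_record(blob: bytes) -> tuple:
    """Split one extracted-method record into (debug_info, encoded_insns).

    The length is read exactly as the native loop reads it (32-bit little-endian
    at offset 8, in bytes); a record shorter than it claims is rejected here
    instead of being read past its end.
    """
    if len(blob) < INSNS_OFFSET:
        raise ValueError("record shorter than its 12-byte header")
    (length,) = struct.unpack_from("<I", blob, LEN_OFFSET)
    end = INSNS_OFFSET + length
    if end > len(blob):
        raise ValueError(f"record claims {length} instruction bytes, "
                         f"only {len(blob) - INSNS_OFFSET} present")
    return blob[:DEBUG_INFO_LEN], blob[INSNS_OFFSET:end]


def restore_insns(blob: bytes) -> bytes:
    """Equivalent of Fix_Method: the bytes it would write at R1 for this record.
    A zero length yields b"" (the BEQ.W loc_C52E8170 early exit)."""
    _, enc = parse_record(blob)
    return bytes(restore_byte(b) for b in enc)


def build_record(debug_info: bytes, insns: bytes) -> bytes:
    """Hypothetical helper: build a record that restore_insns() maps back to `insns`.
    Since restore_byte is an involution, applying it to plaintext is the encoding."""
    if len(debug_info) != DEBUG_INFO_LEN:
        raise ValueError("debug info must be exactly 8 bytes")
    enc = bytes(restore_byte(b) for b in insns)
    return debug_info + struct.pack("<I", len(enc)) + enc


def patch_code_item(dex: bytearray, insns_off: int, blob: bytes) -> int:
    """Hypothetical write-back: put the restored bytes into a DEX image at the
    method's insns offset (the STRB side of the loop, R1 = insns_off).
    Returns the number of bytes written."""
    restored = restore_insns(blob)
    if insns_off < 0 or insns_off + len(restored) > len(dex):
        raise ValueError("restored instructions would run past the end of the DEX")
    dex[insns_off:insns_off + len(restored)] = restored
    return len(restored)


# Constructed sample (not a real capture). Debug-info bytes reuse the example
# header shown on the page; the instructions are three Dalvik opcodes:
#   12 00        const/4 v0, #0
#   23 10 01 00  new-array v0, v1, type@1   (0x23 is a pass-through byte)
#   0F 00        return v0
SAMPLE_INSNS = bytes.fromhex("1200" "23100100" "0f00")
SAMPLE_RECORD = build_record(bytes.fromhex("6cc6ff03371e3800"), SAMPLE_INSNS)


if __name__ == "__main__":
    print("record :", SAMPLE_RECORD.hex())
    print("restore:", restore_insns(SAMPLE_RECORD).hex())
```

Running the block prints the encoded record `6cc6ff03371e3800 08000000 ed0023effe00f000` (0x12 becomes 0xED, 0x0F becomes 0xF0, while 0x00 and 0x23 survive unchanged) and the original `1200231001000f00` after restoration. When applying this to a real dump, take `insns_off` from the method's code_item in the DEX, and treat a record whose claimed length exceeds what was dumped as a sign the dump was taken before the packer finished filling the record rather than as data to patch in.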
5. Analysis of the native conversion
The packer parses the smali of the selected methods and rewrites each one as semantically equivalent C code that performs the same operations through reflection-style JNI calls. At run time the generated native code resolves and invokes the original Java members through FindClass, GetStaticMethodID, GetMethodID and Call<Type>Method, so the Java logic never appears as Dalvik bytecode in the DEX.
I analysed this with JNItrace, as shown in Figure 5-1:
Figure 5-1
6. Summary
The packer as a whole combines instruction extraction with native conversion of methods. Once all extracted instructions are restored and the DEX is dumped, roughly 80% of the code can be analysed statically; the remaining native-converted methods are analysed with JNItrace. The client-side code protection this hardening scheme provides is therefore only moderate, and the APP penetration analysis can proceed from here.
Source: https://www.cnblogs.com/2014asm/p/16120746.html