main函数是由你IDA截图里的linc_init函数所调用，LDR R2, [R12, R3] 只是在给libc_init函数传递参数，然后由libc_init调用main

[QUOTE=Lnju;1384789]main函数是由你IDA截图里的linc_init函数所调用，LDR R2, [R12, R3] 只是在给libc_init函数传递参数，然后由libc_init调用main[/QUOTE]
谢谢，懂了，函数地址作为参数传递
__noreturn void __libc_init(uintptr_t *elfdata,
                       void (*onexit)(void),
                       int (*slingshot)(int, char**, char**),
                       structors_array_t const * const structors)
{
    int  argc;
    char **argv, **envp;

    /* Initialize the C runtime environment */
    __libc_init_common(elfdata);

    /* Several Linux ABIs don't pass the onexit pointer, and the ones that
     * do never use it.  Therefore, we ignore it.
     */

    /* pre-init array. */
    call_array(structors->preinit_array);

    /* .ctors section initializers, for non-arm-eabi ABIs */
    call_array(structors->ctors_array);

    // call static constructors
    call_array(structors->init_array);

    argc = (int) *elfdata;
    argv = (char**)(elfdata + 1);
    envp = argv + argc + 1;

    /* The executable may have its own destructors listed in its .fini_array
     * so we need to ensure that these are called when the program exits
     * normally.
     */
    if (structors->fini_array)
        __cxa_atexit(__libc_fini,structors->fini_array,NULL);

    exit(slingshot(argc, argv, envp));
}

我想问下你这个arm汇编是怎么生成的 具体环境怎么配置的 有相关的教程不 谢谢

Makefile文件内容：
ANDROID_NDK_ROOT=$(ANDROID_NDK_HOME)

PREFIX=$(ANDROID_NDK_ROOT)/toolchains/arm-linux-androideabi-4.6/prebuilt/windows-x86_64/bin/arm-linux-androideabi-

SYSROOT=--sysroot=$(ANDROID_NDK_ROOT)/platforms/android-9/arch-arm

CFLAGS := -g -Wall -c

LDFLAGS := -g -Wall

CC := $(PREFIX)gcc $(SYSROOT)

###################################
INJECTSO :=        inject

INJECT_DIR := Injectso

INJECT_SOURCES := $(wildcard $(INJECT_DIR)/*.c)

INJECT_OBJECTS := $(patsubst %.c,%.o,$(INJECT_SOURCES))

####################################
LIBHOOK := libhook.so

LIBTEST_DIR := HookLibrary

LIBTEST_SOURCES := $(wildcard $(LIBTEST_DIR)/*.cpp)

LIBTEST_OBJECTS := $(patsubst %.cpp,%.o,$(LIBTEST_SOURCES))

####################################
LIBHELLO := libhello.so

LIBHELLO_DIR := ./

####################################

all:$(INJECTSO) $(LIBHOOK) $(LIBHELLO)

$(INJECTSO):$(INJECT_OBJECTS)
$(CC) $(LDFLAGS) $(INJECT_OBJECTS) -L$(SYSROOT)/usr/lib -llog -o $@

$(INJECT_OBJECTS):%.o:%.c
$(CC) $(CFLAGS) $< -I$(INJECT_DIR) -o $@

$(LIBHOOK):$(LIBTEST_OBJECTS)
$(CC) $(LDFLAGS) -shared -fPIC $(LIBTEST_OBJECTS) -L$(LIBTEST_DIR) -llog -ldl -landroid_runtime -lTKHooklib -ldvm -o $@

$(LIBTEST_OBJECTS):%.o:%.cpp
$(CC) $(CFLAGS) $< -I$(LIBTEST_DIR) -o $@

$(LIBHELLO):hello.o
$(CC) $(LDFLAGS) -shared $^ -o $@

hello.o:hello.c
$(CC) $(CFLAGS) $<

.PHONY:clean pushobj

clean:
rm -f $(INJECT_DIR)/*.o
rm -f $(LIBTEST_DIR)/*.o
rm -f *.o
rm -f $(LIBHOOK)
rm -f $(INJECTSO)
rm -f $(LIBHELLO)

pushobj:
adb push $(INJECTSO) data/local/tmp/
adb push $(LIBHOOK) data/local/tmp/
adb push $(LIBHELLO) data/local/tmp/
adb shell chmod 777 data/local/tmp/$(INJECTSO)
adb shell chmod 777 data/local/tmp/$(LIBHOOK)
adb shell chmod 777 data/local/tmp/$(LIBHELLO)

非虫的那本书上有http://pan.baidu.com/s/1mgGLDJa只是将ndk编译so文件的Android.mk的BUILD_SHARED_LIBRARY改成BUILD_EXECUTABLE，再加一个LOCAL_ARM_MODE := arm，具体看第七章