[Original] Solutions to Android problems 1, 2, 3
Posted on: 2015-10-19 00:29 6478

Problem 1:

1. Disassembled the app with JEB and found that the check function could not be correctly decompiled into Java code.
2. Modified the VM code to print information about every call made through reflective invoke:

    //invoke method
    ret = kniInvokeMethod(selfThread, mentry, obj, args, parameterTypes);

    // log every reflective call: return type, declaring class and method name
    const char* clz = vGetObjName(ret);
    LOGE("zhiyu.zzy method invoke : %s %s->%s()", clz, mentry->vclass->className, mentry->methodName);
    if (clz) {
        // also dump the return value for the common boxed types
        if (strcmp(clz, "Ljava/lang/String;") == 0) {
            LOGE("zhiyu.zzy string: %s", vGetStringUTFChars(ret));
        }
        if (strcmp(clz, "Ljava/lang/Long;") == 0) {
            LOGE("zhiyu.zzy long: %lld", VOBJ_fieldLong(ret, 8));
        }
        if (strcmp(clz, "Ljava/lang/Boolean;") == 0) {
            LOGE("zhiyu.zzy boolean: %d", VOBJ_fieldBoolean(ret, 8));
        }
    }


Printing all of the arguments turned out to be rather difficult.

3. I then noticed that the log contained a single call to String.equals, but entering that value as the answer was always wrong.

4. Looking for the return block of the check function, I found only one, but it is reached from several places:

000058E8  invoke-virtual          Method->invoke(Object, [Object)Object, v12, v4, v5
000058EE  move-result-object      v4
000058F0  check-cast              v4, Boolean
000058F4  invoke-virtual          Boolean->booleanValue()Z, v4
:58FA
000058FA  move-result             v4
:58FC
000058FC  return                  v4


One of them is:

00010E08  const-wide/32           v4, 0x000F4240
00010E0E  rem-long                v4, v8, v4
00010E12  const-wide/32           v6, 0x0001E74E
00010E18  add-long/2addr          v4, v6
00010E1A  cmp-long                v4, v4, v10
00010E1E  if-nez                  v4, :10FC8
:10E22
00010E22  const/4                 v4, 0x1
00010E24  goto/16                 :58FC


This should be the real key point of the check.
The log printed a rather odd number:

E/TVM     (17053): zhiyu.zzy method invoke : Ljava/math/BigDecimal; Ljava/lang/reflect/Method;->invoke()
E/TVM     (17053): zhiyu.zzy method invoke : Ljava/lang/Long; Ljava/math/BigDecimal;->longValue()
E/TVM     (17053): zhiyu.zzy long: 31395926
E/TVM     (17053): zhiyu.zzy method invoke : Ljava/lang/Long; Ljava/lang/reflect/Method;->invoke()
E/TVM     (17053): zhiyu.zzy long: 31395926
E/TVM     (17053): zhiyu.zzy method invoke : Ljava/lang/Long; Ljava/lang/Long;->longValue()
E/TVM     (17053): zhiyu.zzy long: 31395926
E/TVM     (17053): zhiyu.zzy method invoke : Ljava/lang/StringBuilder; Ljava/lang/StringBuilder;->reverse()
E/TVM     (17053): zhiyu.zzy method invoke : Ljava/lang/String; Ljava/lang/Object;->toString()


Plugging this number into the computation: 31395926 % 0x000F4240 = 395926

Problem 2:

1. The .so contains some anti-debugging code; NOP out the part that opens "/proc/%d/status".
2. The function calls mprotect in several places, flipping the memory between writable and non-writable. Debugging showed that it modifies memory dynamically and then jumps into it to execute.
3. Using gdb, break once the page has been modified and just before the jump into it, then dump that memory and paste it back into the original executable for static analysis.
4. gdb breakpoint locations:
b *(base + 0x2198)
b *(base + 0x2984)
b *(base + 0x18C8)
b *(base + 0x1944)
b *(base + 0x1948)
Each breakpoint must be set only after the previous one has triggered, otherwise an exception occurs.
5. The final check jumps into a region of mmap'ed memory and executes there. I dumped that region and analysed it separately in IDA. It could be disassembled, so I turned it straight into a C program and ran it. After adjusting some of the disassembly output, the function compiled and ran on the server and produced a result. Compared with gdb's output it was identical, so I could move on to reversing the algorithm.
6. Starting from the final result array, I computed backwards from the end. The last round was relatively easy to invert.
7. When I reached the loop, the computation turned out to be rather complex, and the algorithm did not look invertible. Each round involves 4 bytes: each byte is expanded via a table lookup into a double word; the high and low halves of that double word form the four parts H, L, L, H^L, which are assembled into a new 4-byte word and then XORed with several of the others.
8. Reversing the algorithm was difficult, so I chose to brute-force 3 bytes and check the fourth:
#!/usr/bin/env python3
# encoding: utf-8
# Inverts the check round by round: strip the round constants, then for every
# output word brute-force three of the four input bytes and look the fourth one up.

from itertools import product

# the 16-byte result the check compares against
target = [92, 218, 119, 47, 163, 198, 62, 57, 182, 240, 243, 237, 81, 90, 153, 134]

# per-round constants XORed into the state, 4 words per round
matrix = [0x6bcdc67a,0x6b2b7c9d,0x8da459b1,0xab9d0680,
        0x34a20b18,0x5f897785,0xd22d2e34,0x79b028b4,
        0xd19686ae,0x8e1ff12b,0x5c32df1f,0x2582f7ab,
        0xc6fee491,0x48e115ba,0x14d3caa5,0x31513d0e,
        0x1fd94f56,0x57385aec,0x43eb9049,0x72baad47,
        0xfb4cef16,0xac74b5fa,0xef9f25b3,0x9d2588f4,
        0xe4885048,0x48fce5b2,0xa763c001,0x3a4648f5,
        0xfedab6c8,0xb626537a,0x1145937b,0x2b03db8e,
        0x563af39,0xb345fc43,0xa2006f38,0x8903b4b6,
        0x65eee19e,0xd6ab1ddd,0x74ab72e5,0xfda8c653,
        0x915a0cca,0x47f11117,0x335a63f2,0xcef2a5a1]

round_no = 10
b = [0x5cda772f,0xa3c63e39,0xb6f0f3ed,0x515a9986]   # target packed as 4 big-endian words
a = [matrix[round_no*4+i] for i in range(4)]        # constants of the last round

c = [a[x] ^ b[x] for x in range(len(a))]            # strip the last round's constants

d = ''.join(format(x, '08x') for x in c)
print(d)

e = list(bytes.fromhex(d))                          # the 16 state bytes
print(list(map(hex, e)))

# lookup table from the dumped code: 256 (low, high) pairs; f[2*i] is the
# substitution of byte i and f[2*i+1] its "doubled" companion
f = [
  0x63, 0xc6, 0x7c, 0xf8,
  0x77, 0xee, 0x7b, 0xf6, 0xf2, 0xff, 0x6b, 0xd6, 0x6f, 0xde, 0xc5, 0x91,
  0x30, 0x60, 0x01, 0x02, 0x67, 0xce, 0x2b, 0x56, 0xfe, 0xe7, 0xd7, 0xb5,
  0xab, 0x4d, 0x76, 0xec, 0xca, 0x8f, 0x82, 0x1f, 0xc9, 0x89, 0x7d, 0xfa,
  0xfa, 0xef, 0x59, 0xb2, 0x47, 0x8e, 0xf0, 0xfb, 0xad, 0x41, 0xd4, 0xb3,
  0xa2, 0x5f, 0xaf, 0x45, 0x9c, 0x23, 0xa4, 0x53, 0x72, 0xe4, 0xc0, 0x9b,
  0xb7, 0x75, 0xfd, 0xe1, 0x93, 0x3d, 0x26, 0x4c, 0x36, 0x6c, 0x3f, 0x7e,
  0xf7, 0xf5, 0xcc, 0x83, 0x34, 0x68, 0xa5, 0x51, 0xe5, 0xd1, 0xf1, 0xf9,
  0x71, 0xe2, 0xd8, 0xab, 0x31, 0x62, 0x15, 0x2a, 0x04, 0x08, 0xc7, 0x95,
  0x23, 0x46, 0xc3, 0x9d, 0x18, 0x30, 0x96, 0x37, 0x05, 0x0a, 0x9a, 0x2f,
  0x07, 0x0e, 0x12, 0x24, 0x80, 0x1b, 0xe2, 0xdf, 0xeb, 0xcd, 0x27, 0x4e,
  0xb2, 0x7f, 0x75, 0xea, 0x09, 0x12, 0x83, 0x1d, 0x2c, 0x58, 0x1a, 0x34,
  0x1b, 0x36, 0x6e, 0xdc, 0x5a, 0xb4, 0xa0, 0x5b, 0x52, 0xa4, 0x3b, 0x76,
  0xd6, 0xb7, 0xb3, 0x7d, 0x29, 0x52, 0xe3, 0xdd, 0x2f, 0x5e, 0x84, 0x13,
  0x53, 0xa6, 0xd1, 0xb9, 0x00, 0x00, 0xed, 0xc1, 0x20, 0x40, 0xfc, 0xe3,
  0xb1, 0x79, 0x5b, 0xb6, 0x6a, 0xd4, 0xcb, 0x8d, 0xbe, 0x67, 0x39, 0x72,
  0x4a, 0x94, 0x4c, 0x98, 0x58, 0xb0, 0xcf, 0x85, 0xd0, 0xbb, 0xef, 0xc5,
  0xaa, 0x4f, 0xfb, 0xed, 0x43, 0x86, 0x4d, 0x9a, 0x33, 0x66, 0x85, 0x11,
  0x45, 0x8a, 0xf9, 0xe9, 0x02, 0x04, 0x7f, 0xfe, 0x50, 0xa0, 0x3c, 0x78,
  0x9f, 0x25, 0xa8, 0x4b, 0x51, 0xa2, 0xa3, 0x5d, 0x40, 0x80, 0x8f, 0x05,
  0x92, 0x3f, 0x9d, 0x21, 0x38, 0x70, 0xf5, 0xf1, 0xbc, 0x63, 0xb6, 0x77,
  0xda, 0xaf, 0x21, 0x42, 0x10, 0x20, 0xff, 0xe5, 0xf3, 0xfd, 0xd2, 0xbf,
  0xcd, 0x81, 0x0c, 0x18, 0x13, 0x26, 0xec, 0xc3, 0x5f, 0xbe, 0x97, 0x35,
  0x44, 0x88, 0x17, 0x2e, 0xc4, 0x93, 0xa7, 0x55, 0x7e, 0xfc, 0x3d, 0x7a,
  0x64, 0xc8, 0x5d, 0xba, 0x19, 0x32, 0x73, 0xe6, 0x60, 0xc0, 0x81, 0x19,
  0x4f, 0x9e, 0xdc, 0xa3, 0x22, 0x44, 0x2a, 0x54, 0x90, 0x3b, 0x88, 0x0b,
  0x46, 0x8c, 0xee, 0xc7, 0xb8, 0x6b, 0x14, 0x28, 0xde, 0xa7, 0x5e, 0xbc,
  0x0b, 0x16, 0xdb, 0xad, 0xe0, 0xdb, 0x32, 0x64, 0x3a, 0x74, 0x0a, 0x14,
  0x49, 0x92, 0x06, 0x0c, 0x24, 0x48, 0x5c, 0xb8, 0xc2, 0x9f, 0xd3, 0xbd,
  0xac, 0x43, 0x62, 0xc4, 0x91, 0x39, 0x95, 0x31, 0xe4, 0xd3, 0x79, 0xf2,
  0xe7, 0xd5, 0xc8, 0x8b, 0x37, 0x6e, 0x6d, 0xda, 0x8d, 0x01, 0xd5, 0xb1,
  0x4e, 0x9c, 0xa9, 0x49, 0x6c, 0xd8, 0x56, 0xac, 0xf4, 0xf3, 0xea, 0xcf,
  0x65, 0xca, 0x7a, 0xf4, 0xae, 0x47, 0x08, 0x10, 0xba, 0x6f, 0x78, 0xf0,
  0x25, 0x4a, 0x2e, 0x5c, 0x1c, 0x38, 0xa6, 0x57, 0xb4, 0x73, 0xc6, 0x97,
  0xe8, 0xcb, 0xdd, 0xa1, 0x74, 0xe8, 0x1f, 0x3e, 0x4b, 0x96, 0xbd, 0x61,
  0x8b, 0x0d, 0x8a, 0x0f, 0x70, 0xe0, 0x3e, 0x7c, 0xb5, 0x71, 0x66, 0xcc,
  0x48, 0x90, 0x03, 0x06, 0xf6, 0xf7, 0x0e, 0x1c, 0x61, 0xc2, 0x35, 0x6a,
  0x57, 0xae, 0xb9, 0x69, 0x86, 0x17, 0xc1, 0x99, 0x1d, 0x3a, 0x9e, 0x27,
  0xe1, 0xd9, 0xf8, 0xeb, 0x98, 0x2b, 0x11, 0x22, 0x69, 0xd2, 0xd9, 0xa9,
  0x8e, 0x07, 0x94, 0x33, 0x9b, 0x2d, 0x1e, 0x3c, 0x87, 0x15, 0xe9, 0xc9,
  0xce, 0x87, 0x55, 0xaa, 0x28, 0x50, 0xdf, 0xa5, 0x8c, 0x03, 0xa1, 0x59,
  0x89, 0x09, 0x0d, 0x1a, 0xbf, 0x65, 0xe6, 0xd7, 0x42, 0x84, 0x68, 0xd0,
  0x41, 0x82, 0x99, 0x29, 0x2d, 0x5a, 0x0f, 0x1e, 0xb0, 0x7b, 0x54, 0xa8,
  0xbb, 0x6d, 0x16, 0x2c ];

def getTrans(off1,off2):
    """Expand byte off1 into the word (high, low, low, low^high), rotated right by off2."""
    low = f[off1*2]
    high = f[off1*2+1]
    tmp = [high,low,low,(low^high)]
    tmp2 = tmp[-off2:] + tmp[:-off2]      # off2 == 0 leaves tmp unchanged
    return tmp2[0]<<24|tmp2[1]<<16|tmp2[2]<<8|tmp2[3]

# one table per rotation; output word k of a round is tr[0][.]^tr[1][.]^tr[2][.]^tr[3][.]
tr = [[getTrans(i, k) for i in range(256)] for k in range(4)]

def findpos(x):
    """Inverse of the byte substitution: the i with f[2*i] == x."""
    for i in range(len(f)//2):
        if f[i*2] == x:
            return i

g = [findpos(x) for x in e]

def trans(x):
    """Undo the byte shuffle of the last round and pack into 4 words."""
    a = [[x[0],x[13],x[10],x[7]],
            [x[4],x[1],x[14],x[11]],
            [x[8],x[5],x[2],x[15]],
            [x[12],x[9],x[6],x[3]]]
    return [int(''.join(format(c, '02x') for c in a[i]), 16) for i in range(4)]

b2 = trans(g)

def trans2(x):
    """Pack 16 bytes into 4 big-endian words, in order."""
    a = [[x[0],x[1],x[2],x[3]],
            [x[4],x[5],x[6],x[7]],
            [x[8],x[9],x[10],x[11]],
            [x[12],x[13],x[14],x[15]]]
    return [int(''.join(format(c, '02x') for c in a[i]), 16) for i in range(4)]

round_no -= 1
# resume from an intermediate state hard-coded from an earlier run (overrides trans(g) above)
b2 = [0x570b0a03, 0xa33211fc, 0x5e69eda9, 0x7f423800]
tr3_index = {v: i for i, v in enumerate(tr[3])}    # O(1) replacement for "in tr[3]" / tr[3].index()
# which input bytes feed each output word
slots = [(0, 5, 10, 15), (4, 9, 14, 3), (8, 13, 2, 7), (12, 1, 6, 11)]
while round_no > 0:
    round_no -= 1
    a2 = [matrix[round_no*4+i] for i in range(4)]
    print(list(map(hex, b2)))
    print(list(map(hex, a2)))

    c2 = [a2[x]^b2[x] for x in range(len(a2))]      # strip this round's constants
    print(list(map(hex, c2)))

    d = [0] * 16
    for x, y, z in product(range(256), range(256), range(256)):
        partial = tr[0][x]^tr[1][y]^tr[2][z]
        for k in range(4):
            w = tr3_index.get(partial ^ c2[k])      # fourth byte, if one exists
            if w is not None:
                print(hex(c2[k]), hex(x), hex(y), hex(z), hex(w))
                d[slots[k][0]], d[slots[k][1]], d[slots[k][2]], d[slots[k][3]] = x, y, z, w
    b2 = trans2(d)
    print(list(map(hex, b2)))

9. Brute-forcing all roughly 10 rounds takes a few minutes and yields the final result, from which I worked backwards again. Because the earlier computation involves no position changes and consists only of additions and subtractions, the correct answer can be computed from the difference between the array generated from the wrong input and the one for the correct answer.
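The round described in steps 7 and 8 is the AES T-table round: the even entries of the script's table f are the AES S-box and the odd entries are their doubles in GF(2^8), which is what the replies mean by "it was AES". The following is an added example, not code from the original post: it regenerates that S-box, builds the same four tables as getTrans(), and inverts one round directly (inverse S-box plus InvMixColumns) instead of searching 256^3 byte triples per output word. The 16-byte state and the round key used when exercising it are constructed test values.

```python
SHIFT = [(0, 5, 10, 15), (4, 9, 14, 3), (8, 13, 2, 7), (12, 1, 6, 11)]  # same byte slots as the script's d[...]
def xtime(a):
    return (a << 1) ^ (0x11b if a & 0x80 else 0)     # times 2 in GF(2^8), AES polynomial

def gf_mul(a, b):
    r = 0
    while b:                                         # shift-and-add multiply in GF(2^8)
        r ^= a if b & 1 else 0
        a, b = xtime(a), b >> 1
    return r

def make_sbox():
    # AES S-box: inverse in GF(2^8) via exp/log tables (generator 3), then the affine map
    exp, log, v = [0] * 255, [0] * 256, 1
    for i in range(255):
        exp[i], log[v] = v, i
        v ^= xtime(v)                                # v *= 3
    sbox = []
    for x in range(256):
        inv = exp[(255 - log[x]) % 255] if x else 0
        s = inv ^ 0x63
        for k in range(1, 5):                        # s ^= rotl(inv, 1..4)
            s ^= ((inv << k) | (inv >> (8 - k))) & 0xff
        sbox.append(s)
    return sbox

def te_tables(sbox):
    # the script's getTrans(): (2S, S, S, 3S) rotated right by 0..3 byte positions
    tabs = []
    for rot in range(4):
        ws = [[xtime(s), s, s, xtime(s) ^ s] for s in sbox]
        tabs.append([int.from_bytes(bytes(w[4 - rot:] + w[:4 - rot]), 'big') for w in ws])
    return tabs

def round_forward(state, rk, te):
    # one round as the script models it: out = T(state) ^ round key, as 4 words
    return [te[0][state[a]] ^ te[1][state[b]] ^ te[2][state[c]] ^ te[3][state[d]] ^ rk[i]
            for i, (a, b, c, d) in enumerate(SHIFT)]

INV_MIX = [(14, 11, 13, 9), (9, 14, 11, 13), (13, 9, 14, 11), (11, 13, 9, 14)]

def round_inverse(out, rk, sbox):
    # direct inverse: strip the key, InvMixColumns, inverse S-box, undo the byte shuffle
    inv_sbox = {s: x for x, s in enumerate(sbox)}
    state = [0] * 16
    for i, slots in enumerate(SHIFT):
        col = list((out[i] ^ rk[i]).to_bytes(4, 'big'))
        for r, idx in enumerate(slots):
            m = 0
            for j in range(4):
                m ^= gf_mul(col[j], INV_MIX[r][j])
            state[idx] = inv_sbox[m]
    return state
SBOX = make_sbox()
TE = te_tables(SBOX)
```

With SBOX and TE built, `round_inverse(out, rk, SBOX)` recovers the 16 input bytes of a round in microseconds, where the script above spends a 2^24 search per word.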

Problem 3:

1. Modified the VM code to print the address of native method calls:
E/TVM     (13562): zhiyu.zzy native Method 0x7c8f6c39 Lcom/ctf/crackme3/MainActivity;->check()


Here I simply dumped a copy of the memory and threw it into IDA, analysed as a raw binary, using the segment offsets straight from the real device.

2. Following on from the previous problem, I modified the kernel so that the TracerPid-related output in /proc is not shown. This disables the anti-debugging feature.
3. While debugging, setting breakpoints caused exceptions, for reasons unknown. There is, however, a trick to get around this protection: set the breakpoint at the needed address + 1. A SIGTRAP exception is then raised during debugging and caught by gdb; delete that breakpoint and single-stepping can continue.
4. The main computation is broken into a very large number of small blocks, which are chained together through an array of code blocks.
5. The core computation is here:

The entry point is the code block corresponding to 0x16a; the base address is 0x7C8DD000

ROM:7C8F6C8C real_check_entry DCD 0x16A              ; DATA XREF: ROM:loc_7C8F6C84r
ROM:7C8F6C90 real_check_code DCD 0x5B4, 0x5C4, 0x5E0, 0x5F0, 0x600, 0x610, 0x638, 0x648
ROM:7C8F6C90                 DCD 0x658, 0x668, 0x678, 0x688, 0x6A4, 0x6C0, 0x6D0, 0x6E0
ROM:7C8F6C90                 DCD 0x6F0, 0x704, 0x714, 0x728, 0x738, 0x760, 0x78C, 0x79C
ROM:7C8F6C90                 DCD 0x7B0, 0x7DC, 0x7F8, 0x808, 0x818, 0x828, 0x850, 0x870
ROM:7C8F6C90                 DCD 0x880, 0x890, 0x8A0, 0x8C8, 0x8D8, 0x8F4, 0x914, 0x928
ROM:7C8F6C90                 DCD 0x938, 0x954, 0x964, 0x984, 0x99C, 0x9B4, 0x9CC, 0x9DC
ROM:7C8F6C90                 DCD 0x9EC, 0xA00, 0xA10, 0xA2C, 0xA58, 0xA68, 0xA80, 0xA9C
ROM:7C8F6C90                 DCD 0xAC8, 0xADC, 0xAF4, 0xB08, 0xB1C, 0xB3C, 0xB5C, 0xB6C
ROM:7C8F6C90                 DCD 0xB7C, 0xB8C, 0xB9C, 0xBB8, 0xBC8, 0xBE4, 0xBF4, 0xC1C
ROM:7C8F6C90                 DCD 0xC2C, 0xC4C, 0xC6C, 0xC88, 0xCB4, 0xCCC, 0xCF8, 0xD0C
ROM:7C8F6C90                 DCD 0xD28, 0xD3C, 0xD4C, 0xD5C, 0xD7C, 0xD98, 0xDB0, 0xDC0
ROM:7C8F6C90                 DCD 0xDD0, 0xDE0, 0xDF0, 0xE18, 0xE28, 0xE44, 0xE60, 0xE70
ROM:7C8F6C90                 DCD 0xE88, 0xEB8, 0xEC8, 0xED8, 0xEE8, 0xEF8, 0xF20, 0xF34
ROM:7C8F6C90                 DCD 0xF44, 0xF58, 0xF78, 0xF88, 0xF98, 0xFCC, 0xFE0, 0xFF8
ROM:7C8F6C90                 DCD 0x1020, 0x1040, 0x1058, 0x1068, 0x107C, 0x109C, 0x10AC
ROM:7C8F6C90                 DCD 0x10D4, 0x10F8, 0x1110, 0x1130, 0x1144, 0x1154, 0x1170
ROM:7C8F6C90                 DCD 0x1180, 0x1194, 0x11B0, 0x11C0, 0x11D4, 0x11E4, 0x11F4
ROM:7C8F6C90                 DCD 0x121C, 0x123C, 0x1250, 0x1260, 0x1280, 0x12AC, 0x12C4
ROM:7C8F6C90                 DCD 0x12EC, 0x1308, 0x1324, 0x1344, 0x135C, 0x1390, 0x13B8
ROM:7C8F6C90                 DCD 0x13D4, 0x13E4, 0x13FC, 0x140C, 0x141C, 0x142C, 0x143C
ROM:7C8F6C90                 DCD 0x1450, 0x1460, 0x1488, 0x14B0, 0x14CC, 0x14FC, 0x1524
ROM:7C8F6C90                 DCD 0x1540, 0x1550, 0x1564, 0x1578, 0x158C, 0x15A0, 0x15B0
ROM:7C8F6C90                 DCD 0x15D8, 0x15F4, 0x1604, 0x162C, 0x1648, 0x1658, 0x1674
ROM:7C8F6C90                 DCD 0x1690, 0x16AC, 0x16BC, 0x16E4, 0x16F4, 0x171C, 0x172C
ROM:7C8F6C90                 DCD 0x1744, 0x175C, 0x1778, 0x1794, 0x17A4, 0x17C4, 0x17D4
ROM:7C8F6C90                 DCD 0x17F0, 0x1808, 0x1818, 0x1828, 0x1848, 0x1858, 0x1868
ROM:7C8F6C90                 DCD 0x1878, 0x1888, 0x18A8, 0x18B8, 0x18D4, 0x18E4, 0x18F4
ROM:7C8F6C90                 DCD 0x1904, 0x1920, 0x1948, 0x1974, 0x1988, 0x1A34, 0x1A44
ROM:7C8F6C90                 DCD 0x1A6C, 0x1A88, 0x1AA4, 0x1AB4, 0x1AC4, 0x1AEC, 0x1B18
ROM:7C8F6C90                 DCD 0x1B28, 0x1B38, 0x1B48, 0x1B64, 0x1B74, 0x1B9C, 0x1BC4
ROM:7C8F6C90                 DCD 0x1BE4, 0x1BF4, 0x1C10, 0x1C24, 0x1C4C, 0x1C64, 0x1C74
ROM:7C8F6C90                 DCD 0x1C88, 0x1CA8, 0x1CC0, 0x1CD0, 0x1CF0, 0x1D00, 0x1D18
ROM:7C8F6C90                 DCD 0x1D38, 0x1D48, 0x1D58, 0x1D84, 0x1DA0, 0x1DB0, 0x1DCC
ROM:7C8F6C90                 DCD 0x1DF4, 0x1E04, 0x1E14, 0x1E3C, 0x1E4C, 0x1E5C, 0x1E70
ROM:7C8F6C90                 DCD 0x1E9C, 0x1EAC, 0x1EBC, 0x1ECC, 0x1EDC, 0x1EEC, 0x1EFC
ROM:7C8F6C90                 DCD 0x1F0C, 0x1F28, 0x1F38, 0x1F48, 0x1F58, 0x1F84, 0x1F98
ROM:7C8F6C90                 DCD 0x1FA8, 0x1FC4, 0x1FE0, 0x1FFC, 0x200C, 0x2028, 0x2040
ROM:7C8F6C90                 DCD 0x2050, 0x2060, 0x2070, 0x2090, 0x20A4, 0x20C4, 0x20E4
ROM:7C8F6C90                 DCD 0x2100, 0x2110, 0x2120, 0x2134, 0x2150, 0x2160, 0x2194
ROM:7C8F6C90                 DCD 0x21C0, 0x21DC, 0x21F0, 0x2208, 0x221C, 0x2238, 0x2250
ROM:7C8F6C90                 DCD 0x2264, 0x2280, 0x2290, 0x22A8, 0x22D4, 0x22F0, 0x2308
ROM:7C8F6C90                 DCD 0x2318, 0x2328, 0x2338, 0x234C, 0x2370, 0x2390, 0x23A0
ROM:7C8F6C90                 DCD 0x23BC, 0x23CC, 0x23DC, 0x23F0, 0x2400, 0x2428, 0x2450
ROM:7C8F6C90                 DCD 0x2460, 0x2470, 0x2480, 0x2498, 0x24B8, 0x24EC, 0x24FC
ROM:7C8F6C90                 DCD 0x250C, 0x251C, 0x252C, 0x2550, 0x2564, 0x2580, 0x259C
ROM:7C8F6C90                 DCD 0x25B4, 0x25CC, 0x25DC, 0x25F8, 0x2610, 0x262C, 0x2640
ROM:7C8F6C90                 DCD 0x2654, 0x2668, 0x2678, 0x268C, 0x26A8, 0x26C4, 0x26E0
ROM:7C8F6C90                 DCD 0x26F4, 0x2704, 0x2720, 0x2740, 0x2750, 0x2764, 0x2778
ROM:7C8F6C90                 DCD 0x278C, 0x279C, 0x27B0, 0x27C0, 0x27D4, 0x2800, 0x2810
ROM:7C8F6C90                 DCD 0x2820, 0x283C, 0x284C, 0x285C, 0x2870, 0x2884, 0x2898
ROM:7C8F7240 ; ---------------------------------------------------------------------------
ROM:7C8F7240                 SUBS            R2, R0, #1
ROM:7C8F7242                 PUSH            {R0,R1,LR}
ROM:7C8F7244                 LDR             R0, =0x168
ROM:7C8F7246                 BL              next2
ROM:7C8F7246 ; ---------------------------------------------------------------------------
ROM:7C8F724A word_7C8F724A   DCW 0x46C0
ROM:7C8F724C dword_7C8F724C  DCD 0x168               ; DATA XREF: ROM:7C8F7244r
ROM:7C8F7250 ; ---------------------------------------------------------------------------
ROM:7C8F7250                 BGE             loc_7C8F725C
ROM:7C8F7252                 PUSH            {R0,R1,LR}
ROM:7C8F7254                 BL              next_word
ROM:7C8F7254 ; ---------------------------------------------------------------------------
ROM:7C8F7258                 DCD 0x22A4
ROM:7C8F725C ; ---------------------------------------------------------------------------
ROM:7C8F725C
ROM:7C8F725C loc_7C8F725C                            ; CODE XREF: ROM:7C8F7250j
ROM:7C8F725C                 MOV             R0, R4
ROM:7C8F725E                 PUSH            {R0,R1,LR}
ROM:7C8F7260                 LDR             R0, =0x169
ROM:7C8F7262                 BL              next2
.........


Before each block returns, the value in R0 is the address of the next block.

6. If there is a key, then judging by the gdb trace I estimate it should be somewhere around here:

ROM:7C8F958C                 DCD 0xFAD172AF
ROM:7C8F9590                 DCD 0xB852A6B9
ROM:7C8F9594                 DCD 0xACDBE1A2
ROM:7C8F9598                 DCD 0x6246B6C6
ROM:7C8F959C                 DCD 0x6246B6C7          ; hit
ROM:7C8F95A0                 DCD 0xFAD172AE
ROM:7C8F95A4                 DCD 0xE848824E
ROM:7C8F95A8                 DCD 0x97FCAD1B
ROM:7C8F95AC                 DCD 0xB852A6B8
ROM:7C8F95B0                 DCD 0xA0C6FE76
ROM:7C8F95B4                 DCD 0xA0C6FE77
ROM:7C8F95B8                 DCD 0x7D4C6231
ROM:7C8F95BC                 DCD 0x82B39DCE
ROM:7C8F95C0                 DCD 0xFFFFFF58
ROM:7C8F95C4                 DCD 0x3A7B285E
ROM:7C8F95C8                 DCD 0x584D7A1
ROM:7C8F95CC                 DCD 0xFFFFD8D0
ROM:7C8F95D0                 DCD 0x96C0A04A
ROM:7C8F95D4                 DCD 0x693F5FB5
ROM:7C8F95D8                 DCD 0xC0A04A            ; hit


The entries marked hit are the ones that were definitely seen during the computation.

7. I wrote a Python script to make it easy to find a block's offset from its start address, and to do the reverse lookup. That way you can tell which block comes next.

8. Next, combining these blocks would allow the whole computation flow to be reconstructed, but it really is quite tedious and I ran out of time.

Latest replies (3)
I'm so happy to have finally found a kindred spirit who, like me, didn't realise problem 2 was AES encryption and just brute-forced the key directly
2015-10-21 22:09
I also didn't know problem 2 was AES; I reversed the whole thing and then derived the decryption algorithm. 无名诸葛 and fXXl did the same
2015-10-21 22:30
.........
Don't expose it like that, come on....

Looking to exchange ideas: QQ group: 456853837

The junk-instruction removal in problem 3 is really something I need to learn
2015-10-21 22:47