[Original] Solutions to Android challenges 1, 2 and 3
2015-10-19 00:29 6077

Question 1:

1. Disassembled it with JEB and found that the check function could not be decompiled into correct Java code.
2. Modified the VM code to print the details of every call made through a reflective invoke:

    // invoke the method through the VM's reflection path
    ret = kniInvokeMethod(selfThread, mentry, obj, args, parameterTypes);

    // log the return type and the invoked method, then unwrap a few boxed return types
    const char* clz = vGetObjName(ret);
    LOGE("zhiyu.zzy method invoke : %s %s->%s()", clz ? clz : "null", mentry->vclass->className, mentry->methodName);
    if (clz) {
        if (strcmp(clz, "Ljava/lang/String;") == 0) {
            LOGE("zhiyu.zzy string: %s", vGetStringUTFChars(ret));
        }
        if (strcmp(clz, "Ljava/lang/Long;") == 0) {
            LOGE("zhiyu.zzy long: %lld", VOBJ_fieldLong(ret, 8));
        }
        if (strcmp(clz, "Ljava/lang/Boolean;") == 0) {
            LOGE("zhiyu.zzy boolean: %d", VOBJ_fieldBoolean(ret, 8));
        }
    }


Printing all the arguments as well is harder.

3. Then noticed that the log contains one call to String.equals, but entering that string as the answer was always wrong.

4. Looked for the return block of the check function; there is only one, but several places jump to it:

000058E8  invoke-virtual          Method->invoke(Object, [Object)Object, v12, v4, v5
000058EE  move-result-object      v4
000058F0  check-cast              v4, Boolean
000058F4  invoke-virtual          Boolean->booleanValue()Z, v4
:58FA
000058FA  move-result             v4
:58FC
000058FC  return                  v4


One of them:

00010E08  const-wide/32           v4, 0x000F4240
00010E0E  rem-long                v4, v8, v4
00010E12  const-wide/32           v6, 0x0001E74E
00010E18  add-long/2addr          v4, v6
00010E1A  cmp-long                v4, v4, v10
00010E1E  if-nez                  v4, :10FC8
:10E22
00010E22  const/4                 v4, 0x1
00010E24  goto/16                 :58FC


This should be the real key point of the check.
In the log, a rather odd number was printed:

E/TVM     (17053): zhiyu.zzy method invoke : Ljava/math/BigDecimal; Ljava/lang/reflect/Method;->invoke()
E/TVM     (17053): zhiyu.zzy method invoke : Ljava/lang/Long; Ljava/math/BigDecimal;->longValue()
E/TVM     (17053): zhiyu.zzy long: 31395926
E/TVM     (17053): zhiyu.zzy method invoke : Ljava/lang/Long; Ljava/lang/reflect/Method;->invoke()
E/TVM     (17053): zhiyu.zzy long: 31395926
E/TVM     (17053): zhiyu.zzy method invoke : Ljava/lang/Long; Ljava/lang/Long;->longValue()
E/TVM     (17053): zhiyu.zzy long: 31395926
E/TVM     (17053): zhiyu.zzy method invoke : Ljava/lang/StringBuilder; Ljava/lang/StringBuilder;->reverse()
E/TVM     (17053): zhiyu.zzy method invoke : Ljava/lang/String; Ljava/lang/Object;->toString()


Substituting this number into the computation: 31395926 % 0x000F4240 = 395926

Question 2:

1. The .so contains some anti-debugging code; NOP out the part that opens "/proc/%d/status".
2. The function calls mprotect in several places, flipping the memory between writable and non-writable. Debugging showed that it modifies memory dynamically and then jumps into it to execute.
3. With gdb, break after the page has been modified and right before the jump into it, dump the memory, and paste it back into the original executable for static analysis.
4. gdb breakpoint positions:
b *(base + 0x2198)
b *(base + 0x2984)
b *(base + 0x18C8)
b *(base + 0x1944)
b *(base + 0x1948)
Each breakpoint must only be set after the previous one has triggered, otherwise an exception occurs.
5. The last check jumps into a region of memory obtained via mmap. Dump that region and load it into IDA separately. It disassembles fine and can be turned directly into a C program to execute. After adjusting some of the disassembly output, the function compiled and ran on a server and produced results; they matched gdb's output, so the algorithm could be reversed further.
6. Starting from the final check's result array, work backwards. The last round is fairly easy to invert.
7. On reaching the loop, the computation gets complicated and does not look invertible. In each round 4 bytes take part in the computation: by table lookup each byte is expanded into a double word, whose high and low halves are arranged as the four parts H, L, L, H^L and combined into a new 4-byte word, which is then XORed with the others.
8. Inverting the algorithm is hard, so instead brute-force 3 bytes and check the 4th:
#!/usr/bin/env python3
# encoding: utf-8
# Work backwards from the final 16-byte check result one round at a time:
# undo the XOR with the round words, then brute-force 3 of the 4 bytes that
# feed each output word and look the 4th byte up in the table.

from itertools import product

# The 16-byte result the check compares against
target = [92, 218, 119, 47, 163, 198, 62, 57, 182, 240, 243, 237, 81, 90, 153, 134]

# Round words dumped from the binary: 4 words per round
matrix = [0x6bcdc67a,0x6b2b7c9d,0x8da459b1,0xab9d0680,
        0x34a20b18,0x5f897785,0xd22d2e34,0x79b028b4,
        0xd19686ae,0x8e1ff12b,0x5c32df1f,0x2582f7ab,
        0xc6fee491,0x48e115ba,0x14d3caa5,0x31513d0e,
        0x1fd94f56,0x57385aec,0x43eb9049,0x72baad47,
        0xfb4cef16,0xac74b5fa,0xef9f25b3,0x9d2588f4,
        0xe4885048,0x48fce5b2,0xa763c001,0x3a4648f5,
        0xfedab6c8,0xb626537a,0x1145937b,0x2b03db8e,
        0x563af39,0xb345fc43,0xa2006f38,0x8903b4b6,
        0x65eee19e,0xd6ab1ddd,0x74ab72e5,0xfda8c653,
        0x915a0cca,0x47f11117,0x335a63f2,0xcef2a5a1]

rnd = 10                                            # start at the last round ('round' is a builtin)
b = [0x5cda772f,0xa3c63e39,0xb6f0f3ed,0x515a9986]   # target packed as 4 big-endian words
a = [matrix[rnd*4+i] for i in range(4)]

# Undo the final XOR with the round words
c = [a[x] ^ b[x] for x in range(4)]

d = ''.join(format(x, '08x') for x in c)
print(d)

e = list(bytes.fromhex(d))
print([hex(x) for x in e])

# Byte expansion table: for value i, f[2*i] is the low byte L and f[2*i+1] the high byte H
f = [
  0x63, 0xc6, 0x7c, 0xf8,
  0x77, 0xee, 0x7b, 0xf6, 0xf2, 0xff, 0x6b, 0xd6, 0x6f, 0xde, 0xc5, 0x91,
  0x30, 0x60, 0x01, 0x02, 0x67, 0xce, 0x2b, 0x56, 0xfe, 0xe7, 0xd7, 0xb5,
  0xab, 0x4d, 0x76, 0xec, 0xca, 0x8f, 0x82, 0x1f, 0xc9, 0x89, 0x7d, 0xfa,
  0xfa, 0xef, 0x59, 0xb2, 0x47, 0x8e, 0xf0, 0xfb, 0xad, 0x41, 0xd4, 0xb3,
  0xa2, 0x5f, 0xaf, 0x45, 0x9c, 0x23, 0xa4, 0x53, 0x72, 0xe4, 0xc0, 0x9b,
  0xb7, 0x75, 0xfd, 0xe1, 0x93, 0x3d, 0x26, 0x4c, 0x36, 0x6c, 0x3f, 0x7e,
  0xf7, 0xf5, 0xcc, 0x83, 0x34, 0x68, 0xa5, 0x51, 0xe5, 0xd1, 0xf1, 0xf9,
  0x71, 0xe2, 0xd8, 0xab, 0x31, 0x62, 0x15, 0x2a, 0x04, 0x08, 0xc7, 0x95,
  0x23, 0x46, 0xc3, 0x9d, 0x18, 0x30, 0x96, 0x37, 0x05, 0x0a, 0x9a, 0x2f,
  0x07, 0x0e, 0x12, 0x24, 0x80, 0x1b, 0xe2, 0xdf, 0xeb, 0xcd, 0x27, 0x4e,
  0xb2, 0x7f, 0x75, 0xea, 0x09, 0x12, 0x83, 0x1d, 0x2c, 0x58, 0x1a, 0x34,
  0x1b, 0x36, 0x6e, 0xdc, 0x5a, 0xb4, 0xa0, 0x5b, 0x52, 0xa4, 0x3b, 0x76,
  0xd6, 0xb7, 0xb3, 0x7d, 0x29, 0x52, 0xe3, 0xdd, 0x2f, 0x5e, 0x84, 0x13,
  0x53, 0xa6, 0xd1, 0xb9, 0x00, 0x00, 0xed, 0xc1, 0x20, 0x40, 0xfc, 0xe3,
  0xb1, 0x79, 0x5b, 0xb6, 0x6a, 0xd4, 0xcb, 0x8d, 0xbe, 0x67, 0x39, 0x72,
  0x4a, 0x94, 0x4c, 0x98, 0x58, 0xb0, 0xcf, 0x85, 0xd0, 0xbb, 0xef, 0xc5,
  0xaa, 0x4f, 0xfb, 0xed, 0x43, 0x86, 0x4d, 0x9a, 0x33, 0x66, 0x85, 0x11,
  0x45, 0x8a, 0xf9, 0xe9, 0x02, 0x04, 0x7f, 0xfe, 0x50, 0xa0, 0x3c, 0x78,
  0x9f, 0x25, 0xa8, 0x4b, 0x51, 0xa2, 0xa3, 0x5d, 0x40, 0x80, 0x8f, 0x05,
  0x92, 0x3f, 0x9d, 0x21, 0x38, 0x70, 0xf5, 0xf1, 0xbc, 0x63, 0xb6, 0x77,
  0xda, 0xaf, 0x21, 0x42, 0x10, 0x20, 0xff, 0xe5, 0xf3, 0xfd, 0xd2, 0xbf,
  0xcd, 0x81, 0x0c, 0x18, 0x13, 0x26, 0xec, 0xc3, 0x5f, 0xbe, 0x97, 0x35,
  0x44, 0x88, 0x17, 0x2e, 0xc4, 0x93, 0xa7, 0x55, 0x7e, 0xfc, 0x3d, 0x7a,
  0x64, 0xc8, 0x5d, 0xba, 0x19, 0x32, 0x73, 0xe6, 0x60, 0xc0, 0x81, 0x19,
  0x4f, 0x9e, 0xdc, 0xa3, 0x22, 0x44, 0x2a, 0x54, 0x90, 0x3b, 0x88, 0x0b,
  0x46, 0x8c, 0xee, 0xc7, 0xb8, 0x6b, 0x14, 0x28, 0xde, 0xa7, 0x5e, 0xbc,
  0x0b, 0x16, 0xdb, 0xad, 0xe0, 0xdb, 0x32, 0x64, 0x3a, 0x74, 0x0a, 0x14,
  0x49, 0x92, 0x06, 0x0c, 0x24, 0x48, 0x5c, 0xb8, 0xc2, 0x9f, 0xd3, 0xbd,
  0xac, 0x43, 0x62, 0xc4, 0x91, 0x39, 0x95, 0x31, 0xe4, 0xd3, 0x79, 0xf2,
  0xe7, 0xd5, 0xc8, 0x8b, 0x37, 0x6e, 0x6d, 0xda, 0x8d, 0x01, 0xd5, 0xb1,
  0x4e, 0x9c, 0xa9, 0x49, 0x6c, 0xd8, 0x56, 0xac, 0xf4, 0xf3, 0xea, 0xcf,
  0x65, 0xca, 0x7a, 0xf4, 0xae, 0x47, 0x08, 0x10, 0xba, 0x6f, 0x78, 0xf0,
  0x25, 0x4a, 0x2e, 0x5c, 0x1c, 0x38, 0xa6, 0x57, 0xb4, 0x73, 0xc6, 0x97,
  0xe8, 0xcb, 0xdd, 0xa1, 0x74, 0xe8, 0x1f, 0x3e, 0x4b, 0x96, 0xbd, 0x61,
  0x8b, 0x0d, 0x8a, 0x0f, 0x70, 0xe0, 0x3e, 0x7c, 0xb5, 0x71, 0x66, 0xcc,
  0x48, 0x90, 0x03, 0x06, 0xf6, 0xf7, 0x0e, 0x1c, 0x61, 0xc2, 0x35, 0x6a,
  0x57, 0xae, 0xb9, 0x69, 0x86, 0x17, 0xc1, 0x99, 0x1d, 0x3a, 0x9e, 0x27,
  0xe1, 0xd9, 0xf8, 0xeb, 0x98, 0x2b, 0x11, 0x22, 0x69, 0xd2, 0xd9, 0xa9,
  0x8e, 0x07, 0x94, 0x33, 0x9b, 0x2d, 0x1e, 0x3c, 0x87, 0x15, 0xe9, 0xc9,
  0xce, 0x87, 0x55, 0xaa, 0x28, 0x50, 0xdf, 0xa5, 0x8c, 0x03, 0xa1, 0x59,
  0x89, 0x09, 0x0d, 0x1a, 0xbf, 0x65, 0xe6, 0xd7, 0x42, 0x84, 0x68, 0xd0,
  0x41, 0x82, 0x99, 0x29, 0x2d, 0x5a, 0x0f, 0x1e, 0xb0, 0x7b, 0x54, 0xa8,
  0xbb, 0x6d, 0x16, 0x2c ]

def getTrans(off1, off2):
    """Expand byte value off1 into the word (H, L, L, H^L), rotated right by off2 bytes."""
    low = f[off1*2]
    high = f[off1*2+1]
    tmp = [high, low, low, (low ^ high)]
    tmp2 = tmp[-off2:] + tmp[:-off2]
    return tmp2[0] << 24 | tmp2[1] << 16 | tmp2[2] << 8 | tmp2[3]

# tr[k][i]: the expansion of byte i as it enters position k of a word
tr = [[getTrans(i, k) for i in range(256)] for k in range(4)]
# Reverse lookup for position 3; the values are unique, so a dict replaces list.index
inv3 = {v: i for i, v in enumerate(tr[3])}

def findpos(x):
    """Inverse of the low-byte column of f."""
    for i in range(len(f)//2):
        if f[i*2] == x:
            return i

g = [findpos(x) for x in e]

def trans(x):
    """Regroup 16 bytes into 4 words following the byte shuffle the check applies."""
    a = [[x[0], x[13], x[10], x[7]],
         [x[4], x[1], x[14], x[11]],
         [x[8], x[5], x[2], x[15]],
         [x[12], x[9], x[6], x[3]]]
    return [int(''.join(format(c, '02x') for c in row), 16) for row in a]

b2 = trans(g)

def trans2(x):
    """Pack 16 bytes into 4 big-endian words in order."""
    return [int(''.join(format(c, '02x') for c in x[i*4:i*4+4]), 16) for i in range(4)]

# Positions in the 16-byte state that feed each output word: (x, y, z, 4th byte)
slots = [(0, 5, 10, 15), (4, 9, 14, 3), (8, 13, 2, 7), (12, 1, 6, 11)]

rnd -= 1
# State after undoing the last round, i.e. the value trans(g) produces above
b2 = [0x570b0a03, 0xa33211fc, 0x5e69eda9, 0x7f423800]
while rnd > 0:
    rnd -= 1
    a2 = [matrix[rnd*4+i] for i in range(4)]
    print([hex(v) for v in b2])
    print([hex(v) for v in a2])

    # Undo this round's XOR with the round words
    c2 = [a2[x] ^ b2[x] for x in range(4)]
    print([hex(v) for v in c2])

    d = [0] * 16
    for x, y, z in product(range(256), range(256), range(256)):
        partial = tr[0][x] ^ tr[1][y] ^ tr[2][z]
        for col in range(4):
            w = inv3.get(partial ^ c2[col])      # 4th byte that completes this word, if any
            if w is not None:
                print(hex(c2[col]), hex(x), hex(y), hex(z), hex(w))
                p0, p1, p2, p3 = slots[col]
                d[p0], d[p1], d[p2], d[p3] = x, y, z, w
    b2 = trans2(d)
    print([hex(v) for v in b2])

9. Brute-forcing all of the roughly 10 rounds takes a few minutes; with the final result in hand, work backwards once more. The earlier computations involve no position changes and are only additions and subtractions, so the correct answer can be computed from the difference between the array generated from a wrong input and the one generated from the correct answer.
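As an added example, not the post's or any contestant's code, the following shows what the lookup table f in the script above actually is: its low bytes are the AES S-box and its high bytes are the S-box value doubled in GF(2^8), so getTrans() builds AES T-table words. The only input assumed is the first eight (low, high) pairs of f, copied from the script; recognising a standard cipher this way lets a round be undone with the cipher's own inverse instead of a 2^24 search per word.

```python
# Rebuild the AES S-box from its definition and compare it with the post's table f.

def xtime(b):
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    b <<= 1
    return (b ^ 0x11b) & 0xff if b & 0x100 else b

def gf_mul(a, b):
    """Multiply two field elements (shift-and-add)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = xtime(a)
        b >>= 1
    return r

def gf_inv(a):
    """Multiplicative inverse in GF(2^8); 0 maps to 0 as in AES."""
    for b in range(1, 256):
        if gf_mul(a, b) == 1:
            return b
    return 0

def aes_sbox():
    """Build the AES S-box: field inverse followed by the affine transform."""
    box = []
    for x in range(256):
        v = gf_inv(x)
        s = v
        for _ in range(4):
            v = ((v << 1) | (v >> 7)) & 0xff   # rotate left by one bit
            s ^= v
        box.append(s ^ 0x63)
    return box

SBOX = aes_sbox()

# First eight (low, high) pairs of the table f in the post, copied from it
F_HEAD = [0x63, 0xc6, 0x7c, 0xf8, 0x77, 0xee, 0x7b, 0xf6,
          0xf2, 0xff, 0x6b, 0xd6, 0x6f, 0xde, 0xc5, 0x91]

def table_matches_aes(pairs):
    """True if pairs[2i] == S[i] (low) and pairs[2i+1] == 2*S[i] (high) for every i."""
    return all(pairs[2*i] == SBOX[i] and pairs[2*i+1] == xtime(SBOX[i])
               for i in range(len(pairs) // 2))

def t_table_word(i, rot):
    """The word getTrans(i, rot) builds: (2S, S, S, 3S) rotated by rot, i.e. the AES
    T-table entry (MixColumns coefficients 2, 1, 1, 3 applied to S[i])."""
    s = SBOX[i]
    w = [xtime(s), s, s, xtime(s) ^ s]
    w = w[-rot:] + w[:-rot]
    return w[0] << 24 | w[1] << 16 | w[2] << 8 | w[3]
```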

Question 3:

1. Modified the VM code to print the address of native method calls:
E/TVM     (13562): zhiyu.zzy native Method 0x7c8f6c39 Lcom/ctf/crackme3/MainActivity;->check()


Here I simply dumped the memory and loaded it into IDA, analysing it as a raw binary, with the segment offsets taken directly from the real device.

2. Following on from the previous question, modified the kernel so that the TracerPid-related output from /proc is not shown. This disables the anti-debugging check.
3. While debugging, setting a breakpoint causes an exception, reason unknown. There is a trick to get past this protection though: set the breakpoint at the required address + 1. When debugging this raises a SIGTRAP, which gdb catches; delete the breakpoint and single-stepping can continue.
4. The main computation is split into a great many small blocks, which are chained together through an array of code blocks.
5. The core computation is here:

The entry point is the code block corresponding to 0x16a; the base address is 0x7C8DD000.

ROM:7C8F6C8C real_check_entry DCD 0x16A              ; DATA XREF: ROM:loc_7C8F6C84r
ROM:7C8F6C90 real_check_code DCD 0x5B4, 0x5C4, 0x5E0, 0x5F0, 0x600, 0x610, 0x638, 0x648
ROM:7C8F6C90                 DCD 0x658, 0x668, 0x678, 0x688, 0x6A4, 0x6C0, 0x6D0, 0x6E0
ROM:7C8F6C90                 DCD 0x6F0, 0x704, 0x714, 0x728, 0x738, 0x760, 0x78C, 0x79C
ROM:7C8F6C90                 DCD 0x7B0, 0x7DC, 0x7F8, 0x808, 0x818, 0x828, 0x850, 0x870
ROM:7C8F6C90                 DCD 0x880, 0x890, 0x8A0, 0x8C8, 0x8D8, 0x8F4, 0x914, 0x928
ROM:7C8F6C90                 DCD 0x938, 0x954, 0x964, 0x984, 0x99C, 0x9B4, 0x9CC, 0x9DC
ROM:7C8F6C90                 DCD 0x9EC, 0xA00, 0xA10, 0xA2C, 0xA58, 0xA68, 0xA80, 0xA9C
ROM:7C8F6C90                 DCD 0xAC8, 0xADC, 0xAF4, 0xB08, 0xB1C, 0xB3C, 0xB5C, 0xB6C
ROM:7C8F6C90                 DCD 0xB7C, 0xB8C, 0xB9C, 0xBB8, 0xBC8, 0xBE4, 0xBF4, 0xC1C
ROM:7C8F6C90                 DCD 0xC2C, 0xC4C, 0xC6C, 0xC88, 0xCB4, 0xCCC, 0xCF8, 0xD0C
ROM:7C8F6C90                 DCD 0xD28, 0xD3C, 0xD4C, 0xD5C, 0xD7C, 0xD98, 0xDB0, 0xDC0
ROM:7C8F6C90                 DCD 0xDD0, 0xDE0, 0xDF0, 0xE18, 0xE28, 0xE44, 0xE60, 0xE70
ROM:7C8F6C90                 DCD 0xE88, 0xEB8, 0xEC8, 0xED8, 0xEE8, 0xEF8, 0xF20, 0xF34
ROM:7C8F6C90                 DCD 0xF44, 0xF58, 0xF78, 0xF88, 0xF98, 0xFCC, 0xFE0, 0xFF8
ROM:7C8F6C90                 DCD 0x1020, 0x1040, 0x1058, 0x1068, 0x107C, 0x109C, 0x10AC
ROM:7C8F6C90                 DCD 0x10D4, 0x10F8, 0x1110, 0x1130, 0x1144, 0x1154, 0x1170
ROM:7C8F6C90                 DCD 0x1180, 0x1194, 0x11B0, 0x11C0, 0x11D4, 0x11E4, 0x11F4
ROM:7C8F6C90                 DCD 0x121C, 0x123C, 0x1250, 0x1260, 0x1280, 0x12AC, 0x12C4
ROM:7C8F6C90                 DCD 0x12EC, 0x1308, 0x1324, 0x1344, 0x135C, 0x1390, 0x13B8
ROM:7C8F6C90                 DCD 0x13D4, 0x13E4, 0x13FC, 0x140C, 0x141C, 0x142C, 0x143C
ROM:7C8F6C90                 DCD 0x1450, 0x1460, 0x1488, 0x14B0, 0x14CC, 0x14FC, 0x1524
ROM:7C8F6C90                 DCD 0x1540, 0x1550, 0x1564, 0x1578, 0x158C, 0x15A0, 0x15B0
ROM:7C8F6C90                 DCD 0x15D8, 0x15F4, 0x1604, 0x162C, 0x1648, 0x1658, 0x1674
ROM:7C8F6C90                 DCD 0x1690, 0x16AC, 0x16BC, 0x16E4, 0x16F4, 0x171C, 0x172C
ROM:7C8F6C90                 DCD 0x1744, 0x175C, 0x1778, 0x1794, 0x17A4, 0x17C4, 0x17D4
ROM:7C8F6C90                 DCD 0x17F0, 0x1808, 0x1818, 0x1828, 0x1848, 0x1858, 0x1868
ROM:7C8F6C90                 DCD 0x1878, 0x1888, 0x18A8, 0x18B8, 0x18D4, 0x18E4, 0x18F4
ROM:7C8F6C90                 DCD 0x1904, 0x1920, 0x1948, 0x1974, 0x1988, 0x1A34, 0x1A44
ROM:7C8F6C90                 DCD 0x1A6C, 0x1A88, 0x1AA4, 0x1AB4, 0x1AC4, 0x1AEC, 0x1B18
ROM:7C8F6C90                 DCD 0x1B28, 0x1B38, 0x1B48, 0x1B64, 0x1B74, 0x1B9C, 0x1BC4
ROM:7C8F6C90                 DCD 0x1BE4, 0x1BF4, 0x1C10, 0x1C24, 0x1C4C, 0x1C64, 0x1C74
ROM:7C8F6C90                 DCD 0x1C88, 0x1CA8, 0x1CC0, 0x1CD0, 0x1CF0, 0x1D00, 0x1D18
ROM:7C8F6C90                 DCD 0x1D38, 0x1D48, 0x1D58, 0x1D84, 0x1DA0, 0x1DB0, 0x1DCC
ROM:7C8F6C90                 DCD 0x1DF4, 0x1E04, 0x1E14, 0x1E3C, 0x1E4C, 0x1E5C, 0x1E70
ROM:7C8F6C90                 DCD 0x1E9C, 0x1EAC, 0x1EBC, 0x1ECC, 0x1EDC, 0x1EEC, 0x1EFC
ROM:7C8F6C90                 DCD 0x1F0C, 0x1F28, 0x1F38, 0x1F48, 0x1F58, 0x1F84, 0x1F98
ROM:7C8F6C90                 DCD 0x1FA8, 0x1FC4, 0x1FE0, 0x1FFC, 0x200C, 0x2028, 0x2040
ROM:7C8F6C90                 DCD 0x2050, 0x2060, 0x2070, 0x2090, 0x20A4, 0x20C4, 0x20E4
ROM:7C8F6C90                 DCD 0x2100, 0x2110, 0x2120, 0x2134, 0x2150, 0x2160, 0x2194
ROM:7C8F6C90                 DCD 0x21C0, 0x21DC, 0x21F0, 0x2208, 0x221C, 0x2238, 0x2250
ROM:7C8F6C90                 DCD 0x2264, 0x2280, 0x2290, 0x22A8, 0x22D4, 0x22F0, 0x2308
ROM:7C8F6C90                 DCD 0x2318, 0x2328, 0x2338, 0x234C, 0x2370, 0x2390, 0x23A0
ROM:7C8F6C90                 DCD 0x23BC, 0x23CC, 0x23DC, 0x23F0, 0x2400, 0x2428, 0x2450
ROM:7C8F6C90                 DCD 0x2460, 0x2470, 0x2480, 0x2498, 0x24B8, 0x24EC, 0x24FC
ROM:7C8F6C90                 DCD 0x250C, 0x251C, 0x252C, 0x2550, 0x2564, 0x2580, 0x259C
ROM:7C8F6C90                 DCD 0x25B4, 0x25CC, 0x25DC, 0x25F8, 0x2610, 0x262C, 0x2640
ROM:7C8F6C90                 DCD 0x2654, 0x2668, 0x2678, 0x268C, 0x26A8, 0x26C4, 0x26E0
ROM:7C8F6C90                 DCD 0x26F4, 0x2704, 0x2720, 0x2740, 0x2750, 0x2764, 0x2778
ROM:7C8F6C90                 DCD 0x278C, 0x279C, 0x27B0, 0x27C0, 0x27D4, 0x2800, 0x2810
ROM:7C8F6C90                 DCD 0x2820, 0x283C, 0x284C, 0x285C, 0x2870, 0x2884, 0x2898
ROM:7C8F7240 ; ---------------------------------------------------------------------------
ROM:7C8F7240                 SUBS            R2, R0, #1
ROM:7C8F7242                 PUSH            {R0,R1,LR}
ROM:7C8F7244                 LDR             R0, =0x168
ROM:7C8F7246                 BL              next2
ROM:7C8F7246 ; ---------------------------------------------------------------------------
ROM:7C8F724A word_7C8F724A   DCW 0x46C0
ROM:7C8F724C dword_7C8F724C  DCD 0x168               ; DATA XREF: ROM:7C8F7244r
ROM:7C8F7250 ; ---------------------------------------------------------------------------
ROM:7C8F7250                 BGE             loc_7C8F725C
ROM:7C8F7252                 PUSH            {R0,R1,LR}
ROM:7C8F7254                 BL              next_word
ROM:7C8F7254 ; ---------------------------------------------------------------------------
ROM:7C8F7258                 DCD 0x22A4
ROM:7C8F725C ; ---------------------------------------------------------------------------
ROM:7C8F725C
ROM:7C8F725C loc_7C8F725C                            ; CODE XREF: ROM:7C8F7250j
ROM:7C8F725C                 MOV             R0, R4
ROM:7C8F725E                 PUSH            {R0,R1,LR}
ROM:7C8F7260                 LDR             R0, =0x169
ROM:7C8F7262                 BL              next2
.........


Before each block returns, the value in R0 is the address of the next block.

6. If there is a key, then going by the gdb trace I estimate it should be somewhere around here:

ROM:7C8F958C                 DCD 0xFAD172AF
ROM:7C8F9590                 DCD 0xB852A6B9
ROM:7C8F9594                 DCD 0xACDBE1A2
ROM:7C8F9598                 DCD 0x6246B6C6
ROM:7C8F959C                 DCD 0x6246B6C7          ; hit
ROM:7C8F95A0                 DCD 0xFAD172AE
ROM:7C8F95A4                 DCD 0xE848824E
ROM:7C8F95A8                 DCD 0x97FCAD1B
ROM:7C8F95AC                 DCD 0xB852A6B8
ROM:7C8F95B0                 DCD 0xA0C6FE76
ROM:7C8F95B4                 DCD 0xA0C6FE77
ROM:7C8F95B8                 DCD 0x7D4C6231
ROM:7C8F95BC                 DCD 0x82B39DCE
ROM:7C8F95C0                 DCD 0xFFFFFF58
ROM:7C8F95C4                 DCD 0x3A7B285E
ROM:7C8F95C8                 DCD 0x584D7A1
ROM:7C8F95CC                 DCD 0xFFFFD8D0
ROM:7C8F95D0                 DCD 0x96C0A04A
ROM:7C8F95D4                 DCD 0x693F5FB5
ROM:7C8F95D8                 DCD 0xC0A04A            ; hit


The ones marked hit are those that definitely appeared during the computation flow.

7. Wrote a Python script to conveniently compute a block's offset from a start address, and the reverse lookup, so that the next block can be identified.

8. Next, combining these blocks would recover the whole computation flow, but it is genuinely tedious and there was no time to finish.
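An added example, not the author's script: a parser for the IDA DCD listing of real_check_code shown above, with the index/offset lookups in both directions and each block's length, which is what carving the blocks out of the dump needs. It assumes the offsets are added to a single base address; the post gives 0x7C8DD000 for the dump but does not say which base the table is relative to, so the base is a parameter, and the listing sample is just the first two rows of the table copied from above.

```python
import re

# Constructed sample: the entry word and the first two rows of the table, as listed in the post
LISTING = """
ROM:7C8F6C8C real_check_entry DCD 0x16A              ; DATA XREF: ROM:loc_7C8F6C84r
ROM:7C8F6C90 real_check_code DCD 0x5B4, 0x5C4, 0x5E0, 0x5F0, 0x600, 0x610, 0x638, 0x648
ROM:7C8F6C90                 DCD 0x658, 0x668, 0x678, 0x688, 0x6A4, 0x6C0, 0x6D0, 0x6E0
"""

# address, optional label, 'DCD', comma-separated values, optional ';' comment
DCD_RE = re.compile(r'^ROM:[0-9A-F]+\s+(?:(\w+)\s+)?DCD\s+(.+?)\s*(?:;.*)?$')

def parse_listing(text):
    """Return (entry_index, [block offsets]) from the DCD lines of an IDA listing."""
    entry, table = None, []
    for line in text.strip().splitlines():
        m = DCD_RE.match(line)
        if not m:
            continue
        values = [int(v, 16) for v in m.group(2).split(',')]
        if m.group(1) == 'real_check_entry':
            entry = values[0]
        else:
            table.extend(values)
    return entry, table

ENTRY, TABLE = parse_listing(LISTING)

def offset_of(table, index):
    """Offset of the block with the given index (the value a block leaves in R0)."""
    return table[index]

def index_of(table, offset):
    """Reverse lookup: block index for an offset, None if it is not a block start."""
    return table.index(offset) if offset in table else None

def block_span(table, index):
    """(offset, length) of a block; the length is the gap to the next higher offset,
    None for the highest block because the table does not give its end."""
    off = table[index]
    higher = [o for o in table if o > off]
    return off, (min(higher) - off if higher else None)

def follow(table, base, trace):
    """Turn the next-block indices observed in R0 into the block addresses visited.
    base is hypothetical: whichever address the offsets are relative to."""
    return [base + offset_of(table, i) for i in trace]
```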


Latest replies (3)
currwin 2015-10-21 22:09

I'm so happy to finally find a kindred spirit who, like me, didn't realise that question 2 was AES encryption and just brute-forced the key directly.
lcweik 2015-10-21 22:30

I didn't realise question 2 was AES either; I reversed the whole thing and then derived the decryption algorithm. 无名诸葛 and fXXl did the same.
无名诸葛 2015-10-21 22:47

.........
Don't expose it like that......

Looking to exchange ideas: QQ group: 456853837

Removing the junk instructions in question 3 is really something I need to learn.