首先是 init，发现只是在安卓的基础上改了一点。
.text:00009D8C ; int __cdecl main(int argc, const char **argv, const char **envp)
.text:00009D8C main ; DATA XREF: .got:00034EE4o
.text:00009D8C
.text:00009D8C var_E0 = -0xE0
.text:00009D8C var_D4 = -0xD4
.text:00009D8C var_D0 = -0xD0
.text:00009D8C var_CC = -0xCC
.text:00009D8C var_C4 = -0xC4
.text:00009D8C var_88 = -0x88
.text:00009D8C var_2C = -0x2C
.text:00009D8C var_28 = -0x28
.text:00009D8C
.text:00009D8C PUSH.W {R4-R11,LR}
.text:00009D90 MOV R5, R0
.text:00009D92 LDR.W R7, =(dword_34FF4 - 0x9DA2)
.text:00009D96 SUB SP, SP, #0xBC
.text:00009D98 MOV R4, R1
.text:00009D9A LDR.W R3, =0xFFFFFEFC
.text:00009D9E ADD R7, PC ; dword_34FF4
.text:00009DA0 LDR R6, [R7,R3]
.text:00009DA2 LDR R0, [R6]
.text:00009DA4 STR R0, [SP,#0xE0+var_2C]
.text:00009DA6 LDR R0, [R1]
.text:00009DA8 BL sub_1687C
.text:00009DAC LDR.W R1, =(aUeventd - 0x9DB4)
.text:00009DB0 ADD R1, PC ; "ueventd"
.text:00009DB2 BLX strcmp ; if (!strcmp(basename(argv[0]), "ueventd"))
.text:00009DB2 ; //根据第一个参数判断是否是创建ueventd进程
.text:00009DB6 CBNZ R0, loc_9DC2
.text:00009DB8 MOV R0, R5
.text:00009DBA MOV R1, R4
.text:00009DBC BL sub_DF84 ; return ueventd_main(argc, argv);
.text:00009DC0 ; ---------------------------------------------------------------------------
.text:00009DC0 B loc_A506
.text:00009DC2 ; ---------------------------------------------------------------------------
.text:00009DC2
.text:00009DC2 loc_9DC2 ; CODE XREF: main+2Aj
.text:00009DC2 LDR R0, [R4]
.text:00009DC4 BL sub_1687C
.text:00009DC8 LDR.W R1, =(aWatchdogd - 0x9DD0)
.text:00009DCC ADD R1, PC ; "watchdogd"
.text:00009DCE BLX strcmp ; if (!strcmp(basename(argv[0]), "watchdogd"))
.text:00009DCE ; //根据第一个参数判断是否是创建watchdogd进程
.text:00009DD2 CBNZ R0, loc_9DDE
.text:00009DD4 MOV R0, R5
.text:00009DD6 MOV R1, R4
.text:00009DD8 BL sub_E1E4 ; return watchdogd_main(argc, argv);
.text:00009DDC B loc_A506
.text:00009DDE ; ---------------------------------------------------------------------------
.text:00009DDE
.text:00009DDE loc_9DDE ; CODE XREF: main+46j
.text:00009DDE LDR.W R4, =(aDev - 0x9DF0)
.text:00009DE2 MOVS R0, #0
.text:00009DE4 LDR.W R6, =(aProc - 0x9DFA)
.text:00009DE8 LDR.W R5, =(aSys - 0x9E02)
.text:00009DEC ADD R4, PC ; "/dev"
.text:00009DEE LDR.W R8, =(aDevPts - 0x9E26)
.text:00009DF2 BLX umask ; umask(0); //置用户创建文件的掩码
.text:00009DF6 ADD R6, PC ; "/proc"
.text:00009DF8 MOV R0, R4
.text:00009DFA MOVW R1, #0x1ED
.text:00009DFE ADD R5, PC ; "/sys"
.text:00009E00 BLX mkdir ; mkdir("/dev", 0755); //创建/dev目录
.text:00009E04 MOVW R1, #0x1ED
.text:00009E08 MOV R0, R6
.text:00009E0A BLX mkdir ; mkdir("/proc", 0755); //创建/proc目录
.text:00009E0E MOVW R1, #0x1ED
.text:00009E12 MOV R0, R5
.text:00009E14 BLX mkdir ; mkdir("/sys", 0755); //创建/sys目录
.text:00009E18 LDR.W R1, =(aMode0755 - 0x9E2C)
.text:00009E1C MOVS R3, #2
.text:00009E1E LDR.W R0, =(aTmpfs - 0x9E2E)
.text:00009E22 ADD R8, PC ; "/dev/pts"
.text:00009E24 LDR.W R9, =(loc_8FFC+1 - 0x9E4E)
.text:00009E28 ADD R1, PC ; "mode=0755"
.text:00009E2A ADD R0, PC ; "tmpfs"
.text:00009E2C STR R1, [SP,#0xE0+var_E0]
.text:00009E2E MOV R2, R0
.text:00009E30 MOV R1, R4
.text:00009E32 BLX mount ; mount("tmpfs", "/dev", "tmpfs", MS_NOSUID, "mode=0755"); //挂载tmpfs
.text:00009E36 MOVW R1, #0x1ED
.text:00009E3A MOV R0, R8
.text:00009E3C BLX mkdir ; mkdir("/dev/pts", 0755); //创建/dev/pts目录
.text:00009E40 LDR.W R0, =(aDevSocket - 0x9E50)
.text:00009E44 MOVW R1, #0x1ED
.text:00009E48 MOVS R4, #0
.text:00009E4A ADD R9, PC ; loc_8FFC
.text:00009E4C ADD R0, PC ; "/dev/socket"
.text:00009E4E BLX mkdir ; mkdir("/dev/socket", 0755); //创建/dev/socket目录
.text:00009E52 LDR.W R0, =(aDevpts - 0x9E60)
.text:00009E56 MOV R1, R8
.text:00009E58 MOV R3, R4
.text:00009E5A STR R4, [SP,#0xE0+var_E0]
.text:00009E5C ADD R0, PC ; "devpts"
.text:00009E5E MOV R2, R0
.text:00009E60 BLX mount ; mount("devpts", "/dev/pts", "devpts", 0, NULL); //挂载devpts
.text:00009E64 LDR.W R0, =(aProc_0 - 0x9E72)
.text:00009E68 MOV R1, R6
.text:00009E6A MOV R3, R4
.text:00009E6C STR R4, [SP,#0xE0+var_E0]
.text:00009E6E ADD R0, PC ; "proc"
.text:00009E70 MOV R2, R0
.text:00009E72 BLX mount ; mount("proc", "/proc", "proc", 0, NULL); //挂载proc
.text:00009E76 LDR.W R0, =(aSysfs - 0x9E84)
.text:00009E7A MOV R3, R4
.text:00009E7C MOV R1, R5
.text:00009E7E STR R4, [SP,#0xE0+var_E0]
.text:00009E80 ADD R0, PC ; "sysfs"
.text:00009E82 MOV R2, R0
.text:00009E84 BLX mount ; mount("sysfs", "/sys", "sysfs", 0, NULL); //挂载sysfs
.text:00009E88 LDR.W R0, =(aDev_booting - 0x9E94)
.text:00009E8C MOV R2, R4
.text:00009E8E MOVS R1, #0x41
.text:00009E90 ADD R0, PC ; "/dev/.booting"
.text:00009E92 BL open
.text:00009E96 BLX close ; close(open("/dev/.booting", O_WRONLY | O_CREAT, 0000));
.text:00009E96 ; //检测/dev/.booting文件是否可读写和创建
.text:00009E9A BL open_devnull_stdio ; open_devnull_stdio();
.text:00009E9A ; 屏蔽标准的输入输出,即标准的输入输出定向到NULL设备
.text:00009E9E BL klog_init ; klog_init();
.text:00009E9E ; //设置日志输出
.text:00009EA2 BL property_init ; property_init();
.text:00009EA2 ; 初始化系统属性
.text:00009EA6 LDR.W R0, =(unk_368E8 - 0x9EB2)
.text:00009EAA LDR.W R1, =(dword_36908 - 0x9EB4)
.text:00009EAE ADD R0, PC ; unk_368E8
.text:00009EB0 ADD R1, PC ; dword_36908
.text:00009EB2 BL get_hardware_name ; get_hardware_name(hardware, &revision);
.text:00009EB2 ; 获取硬件参数
.text:00009EB6 LDR.W R0, =(aProcCmdline - 0x9EC2) ; process_kernel_cmdline
.text:00009EBA MOV.W R1, #0x120
.text:00009EBE ADD R0, PC ; "/proc/cmdline"
.text:00009EC0 BLX chmod ; chmod("/proc/cmdline", 0440);
.text:00009EC4 MOV R0, R4
.text:00009EC6 MOV R1, R9
.text:00009EC8 BL import_kernel_cmdline
.text:00009ECC LDR.W R2, =(byte_369D0 - 0x9ED4)
.text:00009ED0 ADD R2, PC ; byte_369D0
.text:00009ED2 LDRB R3, [R2]
.text:00009ED4 CBZ R3, loc_9EDE ; if (qemu[0])
.text:00009ED6 MOVS R0, #1
.text:00009ED8 MOV R1, R9
.text:00009EDA BL import_kernel_cmdline ; import_kernel_cmdline(1, import_kernel_nv);
.text:00009EDE
.text:00009EDE loc_9EDE ; CODE XREF: main+148j
.text:00009EDE LDR.W R11, =(off_35000 - 0x9EEE) ;
省略。。。
然后是 init.rc，对比安卓多了下面几段（均用 #YUNOS BEGIN / #YUNOS END 标出）。
#YUNOS BEGIN
##modules(WebRT)
##date:2013-06-06 ##author:xishuang.chenxs@aliyun-inc.com
# 0771: owner and group (system) get rwx; other uids may traverse but not list.
mkdir /data/tgl 0771 system system
mkdir /data/tgl/app 0771 system system
#YUNOS END
#YUNOS BEGIN
#modules(AliTheme)
#date:2014-07-03 ##author:zhaosheng.zs@alibaba-inc.com
#init auitheme workspace
# Boot-profiling marker; paired with the "init end" write in the auitheme.fonts=2 trigger below.
write /proc/bootprof "INIT:auitheme init start"
mkdir /data/system 0775 system system
mkdir /data/system/auitheme 0755 system system
mkdir /data/system/auitheme/fonts 0755 system system
# Setting this property fires the "on property:auitheme.fonts=1" trigger below,
# which starts the copyFontFile service.
setprop auitheme.fonts 1
#YUNOS END
#YUNOS BEGIN
# osupdate Permissions
# Root-owned, world-executable updater binary; 0755 carries no setuid/setgid bit.
chown root root /system/bin/ou
chmod 0755 /system/bin/ou
#YUNOS END
#YUNOS BEGIN
#YUNOS BEGIN #add for yunos uuid
# One-shot service that runs as root (explicit "user root").
service aliyun_uuid /system/bin/uuid -initsetuuid
class main
user root
oneshot
#YUNOS END
#YUNOS BEGIN
##modules(WebRT)
##date:2014-02-15 ##author:vaney.liw
# No "user"/"group" line: under Android init's defaults this service runs as root —
# confirm that is intended. The argument is a placeholder the process is said (by its
# own wording) to ignore.
service nvwa /system/bin/nvwa --this-parameter-is-only-placeholder-the-process-is-not-use-it
class main
# /dev/socket/nvwa: stream socket, mode 0660, owner root, group system —
# only root and system-group processes can connect to it.
socket nvwa stream 0660 root system
#YUNOS END
#YUNOS BEGIN
#modules(AliTheme)
#regist service
# Also has no "user" line (root by default); disabled at boot and started only by the
# auitheme.fonts=1 property trigger below.
service copyFontFile /system/bin/copyFontFile
class main
# NOTE(review): unlike the nvwa socket line above, the socket type (stream/dgram/seqpacket)
# is missing here, so "0660" sits in the type position — verify that init accepts this line.
socket copyFontFile 0660 root system
disabled
oneshot
on property:auitheme.fonts=1
start copyFontFile
on property:auitheme.fonts=2
# The font file is left world-readable and executable (755); a data file does not need
# the execute bits. Note the mode is written without the leading 0 used elsewhere.
chown system system /data/system/auitheme/fonts/auitheme_font.ttf
chmod 755 /data/system/auitheme/fonts/auitheme_font.ttf
write /proc/bootprof "INIT:auitheme init end"
#YUNOS END
然后是 app_process，发现也只是在安卓的基础上改了一点。
.text:00000E88 ; int __cdecl main(int argc, const char **argv, const char **envp)
.text:00000E88 main ; DATA XREF: .got:00002F50o
.text:00000E88
.text:00000E88 var_E0 = -0xE0
.text:00000E88 var_DC = -0xDC
.text:00000E88 var_D8 = -0xD8
.text:00000E88 var_D4 = -0xD4
.text:00000E88 var_D0 = -0xD0
.text:00000E88 s2 = -0xCC
.text:00000E88 var_C8 = -0xC8
.text:00000E88 var_C4 = -0xC4
.text:00000E88 var_C0 = -0xC0
.text:00000E88 var_BC = -0xBC
.text:00000E88 var_B8 = -0xB8
.text:00000E88 var_9C = -0x9C
.text:00000E88 var_98 = -0x98
.text:00000E88 var_94 = -0x94
.text:00000E88 var_90 = -0x90
.text:00000E88 var_8C = -0x8C
.text:00000E88 s1 = -0x88
.text:00000E88 var_2C = -0x2C
.text:00000E88
.text:00000E88 PUSH.W {R4-R11,LR}
.text:00000E8C MOV R6, R0
.text:00000E8E LDR R5, =(_GLOBAL_OFFSET_TABLE_ - 0xE9C)
.text:00000E90 SUB SP, SP, #0xBC
.text:00000E92 MOV R9, R1
.text:00000E94 ADD R1, SP, #0xE0+s1
.text:00000E96 LDR R3, =(__stack_chk_guard_ptr - 0x2F70)
.text:00000E98 ADD R5, PC ; _GLOBAL_OFFSET_TABLE_
.text:00000E9A LDR R2, =(unk_131B - 0xEA8)
.text:00000E9C LDR R4, =(a1 - 0xEAA)
.text:00000E9E LDR.W R8, [R5,R3] ; __stack_chk_guard
.text:00000EA2 LDR R7, =(aNo_addr_compat - 0xEB0)
.text:00000EA4 ADD R2, PC
.text:00000EA6 ADD R4, PC ; a1 ; "1"
.text:00000EA8 LDR.W R0, [R8]
.text:00000EAC ADD R7, PC ; "NO_ADDR_COMPAT_LAYOUT_FIXUP"
.text:00000EAE STR R0, [SP,#0xE0+var_2C]
.text:00000EB0 LDR R0, =(aRo_kernel_qemu - 0xEB6)
.text:00000EB2 ADD R0, PC ; "ro.kernel.qemu"
.text:00000EB4 BLX property_get ; property_get("ro.kernel.qemu", value, "");
.text:00000EB8 MOV R1, R4 ; s2
.text:00000EBA ADD R0, SP, #0xE0+s1 ; s1
.text:00000EBC BLX strcmp ; bool is_qemu = (strcmp(value, "1") == 0);
.text:00000EC0 MOV R10, R0
.text:00000EC2 MOV R0, R7 ; name
.text:00000EC4 BLX getenv ; if ((getenv("NO_ADDR_COMPAT_LAYOUT_FIXUP") == NULL) && !is_qemu)
.text:00000EC8 STR.W R8, [SP,#0xE0+var_D0]
.text:00000ECC CBNZ R0, loc_EFA
.text:00000ECE CMP.W R10, #0
.text:00000ED2 BNE.W loc_1094
.text:00000ED6 B loc_EFA
.text:00000ED8 ; ---------------------------------------------------------------------------
.text:00000ED8
.text:00000ED8 loc_ED8 ; CODE XREF: main+21Aj
.text:00000ED8 ORR.W R0, R0, #0x200000 ; persona
.text:00000EDC BLX personality ; int current = personality(0xFFFFFFFF);
.text:00000EE0 MOV R1, R4 ; value
.text:00000EE2 MOVS R2, #1 ; replace
.text:00000EE4 MOV R0, R7 ; name
.text:00000EE6 BLX setenv ; setenv("NO_ADDR_COMPAT_LAYOUT_FIXUP", "1", 1);
.text:00000EEA LDR R0, =(aSystemBinApp_p - 0xEF2)
.text:00000EEC MOV R1, R9 ; argv
.text:00000EEE ADD R0, PC ; "/system/bin/app_process"
.text:00000EF0 BLX execv ; execv("/system/bin/app_process", argv);
.text:00000EF4 MOV.W R0, #0xFFFFFFFF
.text:00000EF8 B loc_1088
.text:00000EFA ; ---------------------------------------------------------------------------
.text:00000EFA
.text:00000EFA loc_EFA ; CODE XREF: main+44j
.text:00000EFA ; main+4Ej ...
.text:00000EFA LDR R0, =(aNo_addr_compat - 0xF06)
.text:00000EFC LDR R4, =(_ZN7android5mArgVE_ptr - 0x2F70)
.text:00000EFE LDR.W R8, =(_ZN7android7mArgLenE_ptr - 0x2F70)
.text:00000F02 ADD R0, PC ; "NO_ADDR_COMPAT_LAYOUT_FIXUP"
.text:00000F04 BLX unsetenv ; unsetenv("NO_ADDR_COMPAT_LAYOUT_FIXUP");
.text:00000F08 LDR R1, =(_ZN7android5mArgCE_ptr - 0x2F70)
.text:00000F0A LDR R2, [R5,R1] ; _ZN7android5mArgCE_ptr ; android::mArgC
.text:00000F0C STR R6, [R2] ; mArgC = argc;
.text:00000F0E LDR R7, [R5,R4] ; _ZN7android5mArgVE_ptr ; android::mArgV
.text:00000F10 STR.W R9, [R7] ; mArgV = argv;
.text:00000F14 MOVS R7, #0
.text:00000F16 LDR.W R4, [R5,R8] ; _ZN7android7mArgLenE_ptr ; android::mArgLen
.text:00000F1A STR R7, [R4] ; mArgLen = 0;
.text:00000F1C B loc_F30
.text:00000F1E ; ---------------------------------------------------------------------------
.text:00000F1E
.text:00000F1E loc_F1E ; CODE XREF: main+AAj
.text:00000F1E LDR.W R0, [R9,R7,LSL#2] ; for (int i=0; i<argc; i++)
.text:00000F22 ADDS R7, #1
.text:00000F24 BLX strlen ; mArgLen += strlen(argv[i]) + 1;
.text:00000F28 LDR R2, [R4]
.text:00000F2A ADDS R3, R2, #1
.text:00000F2C ADDS R0, R3, R0
.text:00000F2E STR R0, [R4]
.text:00000F30
.text:00000F30 loc_F30 ; CODE XREF: main+94j
.text:00000F30 CMP R7, R6
.text:00000F32 BLT loc_F1E ; for (int i=0; i<argc; i++)
.text:00000F34 LDR R3, [R4]
.text:00000F36 MOV R7, R9
.text:00000F38 ADD.W R8, R6, #0xFFFFFFFF
.text:00000F3C SUBS R0, R3, #1
.text:00000F3E STR R0, [R4]
.text:00000F40 ADD R0, SP, #0xE0+var_B8 ; this
.text:00000F42 BLX _ZN7android14AndroidRuntimeC2Ev ; android::AndroidRuntime::AndroidRuntime(void)
.text:00000F46 LDR R1, =(off_2F54 - 0x2F70) ; AppRuntime runtime;
.text:00000F48 MOVS R4, #0
.text:00000F4A LDR.W R11, [R7],#4
.text:00000F4E ADD R0, SP, #0xE0+var_B8 ; this
.text:00000F50 LDR R2, [R5,R1] ; unk_2E00
.text:00000F52 MOV R1, R8 ; int
.text:00000F54 STR R4, [SP,#0xE0+var_9C]
.text:00000F56 STR R4, [SP,#0xE0+var_98]
.text:00000F58 ADDS R2, #8
.text:00000F5A STR R4, [SP,#0xE0+var_94]
.text:00000F5C STR R2, [SP,#0xE0+var_B8]
.text:00000F5E MOV R2, R7 ; char **
.text:00000F60 STR R4, [SP,#0xE0+var_90]
.text:00000F62 STR R4, [SP,#0xE0+var_8C]
.text:00000F64 BLX _ZN7android14AndroidRuntime14addVmArgumentsEiPKPKc ; android::AndroidRuntime::addVmArguments(int,char const* const*)
.text:00000F68 ADD.W R3, R9, R0,LSL#2 ; int i = runtime.addVmArguments(argc, argv);
.text:00000F6C MOV R6, R0
.text:00000F6E LDR R0, =(aZygote - 0xF7A)
.text:00000F70 MOV R9, R4
.text:00000F72 STR R3, [SP,#0xE0+var_D4]
.text:00000F74 LDR R1, =(aZygote_0 - 0xF82)
.text:00000F76 ADD R0, PC ; "--zygote"
.text:00000F78 LDR R2, =(aStartSystemSer - 0xF86)
.text:00000F7A STR R0, [SP,#0xE0+s2]
.text:00000F7C LDR R3, =(aApplication - 0xF8A)
.text:00000F7E ADD R1, PC ; "zygote"
.text:00000F80 LDR R0, =(aNiceName - 0xF8E)
.text:00000F82 ADD R2, PC ; "--start-system-server"
.text:00000F84 STR R4, [SP,#0xE0+var_D8]
.text:00000F86 ADD R3, PC ; "--application"
.text:00000F88 STR R4, [SP,#0xE0+var_DC]
.text:00000F8A ADD R0, PC ; "--nice-name="
.text:00000F8C STR R4, [SP,#0xE0+var_E0]
.text:00000F8E STR R1, [SP,#0xE0+var_C8]
.text:00000F90 STR R2, [SP,#0xE0+var_C4]
.text:00000F92 STR R3, [SP,#0xE0+var_C0]
.text:00000F94 STR R0, [SP,#0xE0+var_BC]
然后是 libandroid_runtime.so，还是安卓的代码改了一点。
.text:00052A9C ; _DWORD __fastcall android::AndroidRuntime::start(android::AndroidRuntime *__hidden this, const char *, const char *)
.text:00052A9C EXPORT _ZN7android14AndroidRuntime5startEPKcS2_
.text:00052A9C _ZN7android14AndroidRuntime5startEPKcS2_
.text:00052A9C
.text:00052A9C var_88 = -0x88
.text:00052A9C var_80 = -0x80
.text:00052A9C var_70 = -0x70
.text:00052A9C var_18 = -0x18
.text:00052A9C
.text:00052A9C PUSH.W {R4-R8,LR}
.text:00052AA0 MOV R6, R0
.text:00052AA2 SUB SP, SP, #0x70
.text:00052AA4 MOV R7, R2
.text:00052AA6 MOV R4, R1
.text:00052AA8 CBNZ R1, loc_52AB0
.text:00052AAA LDR R3, =(aUnknown - 0x52AB0)
.text:00052AAC ADD R3, PC ; "(unknown)"
.text:00052AAE B loc_52AB2
.text:00052AB0 ; ---------------------------------------------------------------------------
.text:00052AB0
.text:00052AB0 loc_52AB0 ; CODE XREF: android::AndroidRuntime::start(char const*,char const*)+Cj
.text:00052AB0 MOV R3, R1
.text:00052AB2
.text:00052AB2 loc_52AB2 ; CODE XREF: android::AndroidRuntime::start(char const*,char const*)+12j
.text:00052AB2 LDR R1, =(aAndroidruntime - 0x52ABC)
.text:00052AB4 MOVS R0, #3
.text:00052AB6 LDR R2, =(aAndroidrunti_0 - 0x52ABE)
.text:00052AB8 ADD R1, PC ; "AndroidRuntime"
.text:00052ABA ADD R2, PC ; "\n>>>>>> AndroidRuntime START %s <<<<<<"...
.text:00052ABC BLX __android_log_print ; ALOGD("\n>>>>>> AndroidRuntime START %s <<<<<<\n",
.text:00052ABC ; 808 className != NULL ? className : "(unknown)");
.text:00052AC0 LDR R1, =(aStartSystemSer - 0x52AC8)
.text:00052AC2 MOV R0, R7 ; s1
.text:00052AC4 ADD R1, PC ; "start-system-server"
.text:00052AC6 BLX strcmp ; if (strcmp(options, "start-system-server") == 0)
.text:00052ACA CBNZ R0, loc_52AEE
.text:00052ACC MOVS R0, #1
.text:00052ACE BLX systemTime ; LOG_EVENT_LONG(LOG_BOOT_PROGRESS_START,
.text:00052ACE ; 818 ns2ms(systemTime(SYSTEM_TIME_MONOTONIC)));
.text:00052AD2 LDR R2, =0xF4240
.text:00052AD4 MOVS R3, #0
.text:00052AD6 BLX __aeabi_ldivmod
.text:00052ADA ADD R2, SP, #0x88+var_18
.text:00052ADC MOVS R3, #8
.text:00052ADE STRD.W R0, R1, [R2,#-0x70]!
.text:00052AE2 MOVW R0, #0xBB8
.text:00052AE6 MOVS R1, #1
.text:00052AE8 MOV R2, SP
.text:00052AEA BLX __android_log_btwrite
.text:00052AEE
.text:00052AEE loc_52AEE ; CODE XREF: android::AndroidRuntime::start(char const*,char const*)+2Ej
.text:00052AEE LDR R5, =(aAndroid_root - 0x52AF4)
.text:00052AF0 ADD R5, PC ; "ANDROID_ROOT"
.text:00052AF2 MOV R0, R5 ; name
.text:00052AF4 BLX getenv ; const char* rootDir = getenv("ANDROID_ROOT");
.text:00052AF8 CBNZ R0, loc_52B26 ; if (rootDir == NULL)
.text:00052AFA LDR.W R8, =(aSystem - 0x52B04)
.text:00052AFE ADD R1, SP, #0x88+var_80 ; buf
.text:00052B00 ADD R8, PC ; rootDir = "/system";
.text:00052B02 MOV R0, R8 ; file
.text:00052B04 BLX stat ; if (!hasDir("/system"))
.text:00052B08 CMP R0, #0
.text:00052B0A BNE.W loc_52C54
.text:00052B0E LDR R3, [SP,#0x88+var_70]
.text:00052B10 AND.W R0, R3, #0xF000
.text:00052B14 CMP.W R0, #0x4000
.text:00052B18 BNE.W loc_52C54
.text:00052B1C MOV R0, R5 ; name
.text:00052B1E MOV R1, R8 ; value
.text:00052B20 MOVS R2, #1 ; replace
.text:00052B22 BLX setenv ; setenv("ANDROID_ROOT", rootDir, 1);
.text:00052B26
.text:00052B26 loc_52B26 ; CODE XREF: android::AndroidRuntime::start(char const*,char const*)+5Cj
.text:00052B26 ADD R0, SP, #0x88+var_80 ; JniInvocation jni_invocation
.text:00052B28 BLX _ZN13JniInvocationC1Ev ; JniInvocation::JniInvocation(void)
.text:00052B2C MOVS R1, #0 ; char *
.text:00052B2E ADD R0, SP, #0x88+var_80 ; this
.text:00052B30 BLX _ZN13JniInvocation4InitEPKc ; jni_invocation.Init(NULL);
.text:00052B34 LDR R1, =(_ZN7android14AndroidRuntime7mJavaVME - 0x52B3E)
.text:00052B36 MOV R0, R6
.text:00052B38 MOV R2, SP ; JNIEnv* env;
.text:00052B3A ADD R1, PC ; android::AndroidRuntime::mJavaVM
.text:00052B3C BL _ZN7android14AndroidRuntime7startVmEPP7_JavaVMPP7_JNIEnv ; android::AndroidRuntime::startVm(_JavaVM **,_JNIEnv **)
.text:00052B40 MOV R5, R0
.text:00052B42 CMP R0, #0 ; if (startVm(&mJavaVM, &env) != 0)
.text:00052B44 BNE.W loc_52C4E
.text:00052B48 LDR R1, [R6]
.text:00052B4A MOV R0, R6
.text:00052B4C LDR R2, [R1,#8]
.text:00052B4E LDR R1, [SP,#0x88+var_88]
.text:00052B50 BLX R2
.text:00052B52 LDR R0, [SP,#0x88+var_88]
.text:00052B54 BL _ZN7android14AndroidRuntime8startRegEP7_JNIEnv ; android::AndroidRuntime::startReg(_JNIEnv *)
.text:00052B58 CMP R0, #0 ; onVmCreated(env);
.text:00052B5A BGE loc_52B68
.text:00052B5C LDR R1, =(aAndroidruntime - 0x52B66)
.text:00052B5E MOVS R0, #6
.text:00052B60 LDR R2, =(aUnableToRegist - 0x52B68)
.text:00052B62 ADD R1, PC ; "AndroidRuntime"
.text:00052B64 ADD R2, PC ; "Unable to register all android natives\"...
.text:00052B66 B loc_52C4A
最后在 libnativehelper.so 里找到了虚拟机启动被改动的地方：JniInvocation::Init 先用 property_get 读取 persist.sys.dalvik.vm.lib（回退默认值 "libdvm.so"），若得到的库名前 9 个字节等于 "libdvm.so"，就把随后 dlopen 的库换成 "libvmkid_lemur.so"。
text:00002ECC ; _DWORD __fastcall JniInvocation::Init(JniInvocation *__hidden this, const char *)
.text:00002ECC EXPORT _ZN13JniInvocation4InitEPKc
.text:00002ECC _ZN13JniInvocation4InitEPKc
.text:00002ECC
.text:00002ECC var_88 = -0x88
.text:00002ECC var_84 = -0x84
.text:00002ECC default_library = -0x80
.text:00002ECC var_24 = -0x24
.text:00002ECC
.text:00002ECC LDR R3, =(_GLOBAL_OFFSET_TABLE_ - 0x2EDA)
.text:00002ECE LDR R2, =(__stack_chk_guard_ptr - 0x4F84)
.text:00002ED0 PUSH.W {R4-R9,LR}
.text:00002ED4 MOV R5, R0
.text:00002ED6 ADD R3, PC ; _GLOBAL_OFFSET_TABLE_
.text:00002ED8 LDR R7, =(aLibdvm_so - 0x2EEA)
.text:00002EDA SUB SP, SP, #0x6C
.text:00002EDC MOV R4, R1 ; library
.text:00002EDE LDR R6, [R3,R2] ; __stack_chk_guard
.text:00002EE0 ADD.W R8, SP, #0x88+default_library
.text:00002EE4 LDR R0, =(aPersist_sys_da - 0x2EF8)
.text:00002EE6 ADD R7, PC ; "libdvm.so"
.text:00002EE8 MOV R1, R8 ; default_library
.text:00002EEA MOV R2, R7 ; kLibraryFallback = "libdvm.so";
.text:00002EEC LDR R3, [R6]
.text:00002EEE CMP R4, #0 ; if (library == NULL)
.text:00002EF0 IT EQ
.text:00002EF2 MOVEQ R4, R8 ; library = default_library
.text:00002EF4 ADD R0, PC ; kLibrarySystemProperty = "persist.sys.dalvik.vm.lib";
.text:00002EF6 MOV R9, R6
.text:00002EF8 STR R3, [SP,#0x88+var_24]
.text:00002EFA BLX property_get ; property_get(kLibrarySystemProperty, default_library, kLibraryFallback);
.text:00002EFE MOV R0, R4 ; str1 library
.text:00002F00 MOV R1, R7 ; str2 kLibraryFallback "libdvm.so"
.text:00002F02 MOVS R2, #9 ; n 9
.text:00002F04 BLX strncmp ; if (strncmp(library, "libdvm.so", 9) == 0)
.text:00002F08 CBNZ R0, loc_2F0E
.text:00002F0A LDR R4, =(aLibvmkid_lemur - 0x2F10)
.text:00002F0C ADD R4, PC ; library = "libvmkid_lemur.so"
.text:00002F0E
.text:00002F0E loc_2F0E ; CODE XREF: JniInvocation::Init(char const*)+3Cj
.text:00002F0E MOV R0, R4 ; file
.text:00002F10 MOVS R1, #0 ; mode
.text:00002F12 BLX dlopen ; dlopen(library, RTLD_NOW);
.text:00002F16 MOV R7, R0
.text:00002F18 STR R0, [R5]
.text:00002F1A CMP R0, #0 ; if (handle_ == NULL)
.text:00002F1C BNE loc_2F82
.text:00002F1E LDR R6, =(aLibdvm_so - 0x2F26)
.text:00002F20 MOV R0, R4 ; s1
.text:00002F22 ADD R6, PC ; "libdvm.so"
.text:00002F24 MOV R1, R6 ; s2
.text:00002F26 BLX strcmp ; if (strcmp(library, kLibraryFallback) == 0)
.text:00002F2A MOV R8, R0
.text:00002F2C CBNZ R0, loc_2F42
.text:00002F2E BLX dlerror ; dlerror()
.text:00002F32 LDR R1, =(aJniinvocation - 0x2F40)
.text:00002F34 MOV R3, R4
.text:00002F36 LDR R2, =(aFailedToDlopen - 0x2F42)
.text:00002F38 STR R0, [SP,#0x88+var_88]
.text:00002F3A MOVS R0, #6
.text:00002F3C ADD R1, PC ; "JniInvocation"
.text:00002F3E ADD R2, PC ; "Failed to dlopen %s: %s"
.text:00002F40 B loc_2F7C ; ALOGE("Failed to dlopen %s: %s", library, dlerror());
这都能叫自主啊!!!