发现位于子进程创建的第一个线程中的三个反调试检测函数，如下所示：
反调试检测1
.text:00022EBC EXPORT p5E315AB697F0ABF2875D5DE24BFDDBCA
.text:00022EBC p5E315AB697F0ABF2875D5DE24BFDDBCA ; CODE XREF: pA0705C005488369A44C92ED630F6CA61+78p
;-----------------------------------------------------------------------
; int p5E315AB697F0ABF2875D5DE24BFDDBCA(void *arg0, const char *name, const char *port_str)
; ABI:   AAPCS (Thumb); stack-protector frame of 0x61C bytes below the 5 pushed regs
; In:    R0 = opaque value, forwarded unchanged as the 1st argument of p12F48844BB00453C751946E463625753
;        R1 = string appended to "cat /proc/net/" (second %s of "%s%s", passed via the stack slot [SP])
;        R2 = decimal port string; atoi(R2) is compared with the hex number after the last ':'
;             of the 2nd field of each row
; Out:   R0 = 1 when some row satisfies both
;               strtol(after ':' in field 2, NULL, 16) == atoi(R2)  and
;               p12F48844BB00453C751946E463625753(R0_in, atoi(field 8)) == 1;
;        0 otherwise, including when popen() fails, the first fgets() hits EOF,
;        or fscanf() stops returning 2 items.
; Clobb: R0-R3, R12, flags (R4-R7 are saved/restored by PUSH/POP)
; Note:  popen() runs the command through a shell and R1 is interpolated
;        unescaped into it, so callers must only pass fixed, trusted names.
;        Row layout (which field is a port / uid) is not visible here — confirm
;        against the /proc/net/<name> format the caller selects.
;-----------------------------------------------------------------------
.text:00022EBC
.text:00022EBC var_630 = -0x630 ; [SP+0x00]: saved R1; doubles as the 5th (stack) argument of snprintf
.text:00022EBC var_628 = -0x628 ; [SP+0x08]: saved R0 (first argument)
.text:00022EBC nptr = -0x624 ; [SP+0x0C]: saved R2 (port string for atoi)
.text:00022EBC var_61C = -0x61C ; 0x80-byte buffer: 2nd field of each row (%127s)
.text:00022EBC var_59C = -0x59C ; 0x80-byte buffer: 8th field of each row (%127s)
.text:00022EBC s = -0x51C ; 0x100-byte command buffer
.text:00022EBC var_41C = -0x41C ; 0x400-byte line buffer: first line is read and discarded
.text:00022EBC
.text:00022EBC F0 B5 PUSH {R4-R7,LR}
.text:00022EBE 30 4D LDR R5, =(__stack_chk_guard_ptr - 0x22EC6)
.text:00022EC0 30 4C LDR R4, =0xFFFFF9E4 ; -0x61C: frame size
.text:00022EC2 7D 44 ADD R5, PC ; __stack_chk_guard_ptr
.text:00022EC4 2D 68 LDR R5, [R5] ; __stack_chk_guard
.text:00022EC6 A5 44 ADD SP, R4 ; SP -= 0x61C
.text:00022EC8 03 92 STR R2, [SP,#0x630+nptr] ; save port string
.text:00022ECA 2F 4A LDR R2, =0x60C
.text:00022ECC 2B 68 LDR R3, [R5] ; canary value
.text:00022ECE 02 90 STR R0, [SP,#0x630+var_628] ; save first argument
.text:00022ED0 02 A8 ADD R0, SP, #0x630+var_628
.text:00022ED2 12 18 ADDS R2, R2, R0 ; R2 = [SP+0x614]: canary slot
.text:00022ED4 13 60 STR R3, [R2] ; store canary
.text:00022ED6 00 91 STR R1, [SP,#0x630+var_630] ; save name; also the stack argument of the snprintf below
.text:00022ED8 80 21 MOVS R1, #0x80
.text:00022EDA 2C 4A LDR R2, =(aSS - 0x22EE8)
.text:00022EDC 2C 4B LDR R3, =(aCatProcNet - 0x22EEA)
.text:00022EDE 45 AC ADD R4, SP, #0x630+s
.text:00022EE0 20 1C MOVS R0, R4 ; s
.text:00022EE2 49 00 LSLS R1, R1, #1 ; R1 = 0x100 = sizeof(s)
.text:00022EE4 7A 44 ADD R2, PC ; "%s%s"
.text:00022EE6 7B 44 ADD R3, PC ; "cat /proc/net/"
.text:00022EE8 E8 F7 CE EC BLX snprintf ; snprintf(s, 0x100, "%s%s", "cat /proc/net/", name)
.text:00022EEC 29 49 LDR R1, =(aR - 0x22EF4)
.text:00022EEE 20 1C MOVS R0, R4 ; command
.text:00022EF0 79 44 ADD R1, PC ; modes
.text:00022EF2 E8 F7 1E ED BLX popen ; popen(s, aR) — runs via the shell
.text:00022EF6 2F 1C MOVS R7, R5 ; R7 = &__stack_chk_guard, kept for the epilogue check
.text:00022EF8 04 1C MOVS R4, R0 ; R4 = stream
.text:00022EFA 05 1E SUBS R5, R0, #0 ; R5 = result so far (0 if popen failed)
.text:00022EFC 32 D0 BEQ loc_22F64 ; popen failed -> return 0 (nothing to pclose)
.text:00022EFE 80 21 MOVS R1, #0x80
.text:00022F00 85 A8 ADD R0, SP, #0x630+var_41C ; s
.text:00022F02 C9 00 LSLS R1, R1, #3 ; R1 = 0x400
.text:00022F04 22 1C MOVS R2, R4 ; stream
.text:00022F06 E8 F7 9A EB BLX fgets ; fgets(var_41C, 0x400, stream): first line consumed, never used
.text:00022F0A 05 1E SUBS R5, R0, #0
.text:00022F0C 27 D0 BEQ loc_22F5E ; EOF on first line -> pclose, return 0
.text:00022F0E
.text:00022F0E loc_22F0E ; CODE XREF: p5E315AB697F0ABF2875D5DE24BFDDBCA+72j
.text:00022F0E ; p5E315AB697F0ABF2875D5DE24BFDDBCA+88j
.text:00022F0E ; p5E315AB697F0ABF2875D5DE24BFDDBCA+9Aj
; per-row loop: runs until fscanf() assigns fewer than 2 items or a match is found
.text:00022F0E 22 49 LDR R1, =(aS127sSSSSS127s - 0x22F1A)
.text:00022F10 05 AE ADD R6, SP, #0x630+var_61C
.text:00022F12 25 AD ADD R5, SP, #0x630+var_59C
.text:00022F14 20 1C MOVS R0, R4 ; stream
.text:00022F16 79 44 ADD R1, PC ; "%*s %127s %*s %*s %*s %*s %*s %127s %*1"...
.text:00022F18 32 1C MOVS R2, R6
.text:00022F1A 2B 1C MOVS R3, R5
.text:00022F1C E8 F7 2A EC BLX fscanf ; fscanf(stream, fmt, var_61C, var_59C)
.text:00022F20 02 28 CMP R0, #2
.text:00022F22 1B D1 BNE loc_22F5C ; fewer than 2 items -> R5 = 0, done
.text:00022F24 30 1C MOVS R0, R6 ; s
.text:00022F26 3A 21 MOVS R1, #0x3A ; c
.text:00022F28 E8 F7 0E ED BLX strrchr ; strrchr(var_61C, ':')
.text:00022F2C 00 28 CMP R0, #0
.text:00022F2E EE D0 BEQ loc_22F0E ; no ':' -> next row
.text:00022F30 01 30 ADDS R0, #1 ; nptr
.text:00022F32 00 21 MOVS R1, #0 ; endptr
.text:00022F34 10 22 MOVS R2, #0x10 ; base
.text:00022F36 E8 F7 14 ED BLX strtol ; strtol(after ':', NULL, 16)
.text:00022F3A 06 1C MOVS R6, R0 ; R6 = parsed hex value
.text:00022F3C 03 98 LDR R0, [SP,#0x630+nptr] ; nptr
.text:00022F3E E8 F7 00 EB BLX atoi ; atoi(port_str)
.text:00022F42 86 42 CMP R6, R0
.text:00022F44 E3 D1 BNE loc_22F0E ; port mismatch -> next row
.text:00022F46 28 1C MOVS R0, R5 ; nptr
.text:00022F48 E8 F7 FA EA BLX atoi ; atoi(var_59C)
.text:00022F4C 01 1C MOVS R1, R0
.text:00022F4E 02 98 LDR R0, [SP,#0x630+var_628]
.text:00022F50 FF F7 0A FF BL p12F48844BB00453C751946E463625753 ; p12F48...(first_arg, atoi(var_59C))
.text:00022F54 01 28 CMP R0, #1
.text:00022F56 DA D1 BNE loc_22F0E ; != 1 -> next row
.text:00022F58 05 1C MOVS R5, R0 ; R5 = 1: match found
.text:00022F5A 00 E0 B loc_22F5E
.text:00022F5C ; ---------------------------------------------------------------------------
.text:00022F5C
.text:00022F5C loc_22F5C ; CODE XREF: p5E315AB697F0ABF2875D5DE24BFDDBCA+66j
.text:00022F5C 00 25 MOVS R5, #0 ; no match
.text:00022F5E
.text:00022F5E loc_22F5E ; CODE XREF: p5E315AB697F0ABF2875D5DE24BFDDBCA+50j
.text:00022F5E ; p5E315AB697F0ABF2875D5DE24BFDDBCA+9Ej
.text:00022F5E 20 1C MOVS R0, R4 ; stream
.text:00022F60 E8 F7 F8 EC BLX pclose ; pclose(stream)
.text:00022F64
.text:00022F64 loc_22F64 ; CODE XREF: p5E315AB697F0ABF2875D5DE24BFDDBCA+40j
.text:00022F64 08 4B LDR R3, =0x60C
.text:00022F66 02 AA ADD R2, SP, #0x630+var_628
.text:00022F68 28 1C MOVS R0, R5 ; return value = R5
.text:00022F6A 9B 18 ADDS R3, R3, R2 ; canary slot [SP+0x614]
.text:00022F6C 1A 68 LDR R2, [R3] ; stored canary
.text:00022F6E 3B 68 LDR R3, [R7] ; current __stack_chk_guard
.text:00022F70 9A 42 CMP R2, R3
.text:00022F72 01 D0 BEQ loc_22F78
.text:00022F74 E8 F7 D2 EA BLX __stack_chk_fail ; canary mismatch -> abort
.text:00022F78 ; ---------------------------------------------------------------------------
.text:00022F78
.text:00022F78 loc_22F78 ; CODE XREF: p5E315AB697F0ABF2875D5DE24BFDDBCA+B6j
.text:00022F78 08 4B LDR R3, =0x61C
.text:00022F7A 9D 44 ADD SP, R3 ; SP += 0x61C
.text:00022F7C F0 BD POP {R4-R7,PC}
.text:00022F7C ; End of function p5E315AB697F0ABF2875D5DE24BFDDBCA
.text:00022F7C
反调试检测2
.text:00023570 EXPORT pE13F78243E9E95DCD3D597DCD54CCA5C
.text:00023570 pE13F78243E9E95DCD3D597DCD54CCA5C ; CODE XREF: .text:0002395Ap
;-----------------------------------------------------------------------
; int pE13F78243E9E95DCD3D597DCD54CCA5C(int value)
; ABI:   AAPCS (Thumb); stack-protector frame of 0x6A4 bytes below the 5 pushed regs
; In:    R0 = integer; used (a) as the sole format argument of the sprintf()
;        that builds the directory name passed to opendir(), (b) to skip the
;        entry whose name atol()s to this value, and (c) as the 1st format
;        argument of the snprintf() that builds each entry's file name
; Out:   R0 = 1 if, for some entry (other than the two names held in var_69C /
;        var_694 and the entry equal to R0), the file named by the snprintf()
;        has a line that starts with var_68C (strncmp, strlen(var_68C) chars)
;        and contains var_670 or var_64C (strcasestr); 0 otherwise, including
;        when opendir() fails or readdir() runs out of entries
; Clobb: R0-R3, R12, flags (R4-R7 are saved/restored by PUSH/POP)
; Note:  Every string constant is assembled as an encoded byte array on the
;        stack (byte 0 left at 0 by memset) and passed through
;        sub_22BB4(buf, R1, R2) before use; R1 is always one less than the
;        number of bytes stored and R2 varies per string — presumably
;        (length, key) of an in-place decoder, TODO confirm in sub_22BB4.
;        The plaintext strings are therefore not visible in this listing.
;-----------------------------------------------------------------------
.text:00023570
.text:00023570 var_6B8 = -0x6B8 ; [SP+0x00]: 5th (stack) argument of the snprintf = atol(entry name)
.text:00023570 dirp = -0x6B0 ; [SP+0x08]: DIR* from opendir
.text:00023570 var_6AC = -0x6AC ; [SP+0x0C]: saved R0 (first argument)
.text:00023570 var_6A8 = -0x6A8 ; [SP+0x10]: atol(entry name)
.text:00023570 var_6A4 = -0x6A4 ; [SP+0x14]: &__stack_chk_guard
.text:00023570 var_69C = -0x69C ; encoded 2-byte name skipped by strcmp (sub_22BB4 R1=1)
.text:00023570 var_698 = -0x698 ; encoded 2-byte fopen() mode (sub_22BB4 R1=1)
.text:00023570 var_694 = -0x694 ; encoded 3-byte name skipped by strcmp (sub_22BB4 R1=2)
.text:00023570 var_68C = -0x68C ; encoded 7-byte line prefix for strncmp (sub_22BB4 R1=6)
.text:00023570 var_680 = -0x680 ; encoded 11-byte string; built but never referenced again in this function
.text:00023570 var_670 = -0x670 ; encoded 12-byte needle for strcasestr (sub_22BB4 R1=0xB)
.text:00023570 s = -0x660 ; encoded 16-byte sprintf format for the directory name (sub_22BB4 R1=0xF)
.text:00023570 var_64C = -0x64C ; encoded 17-byte needle for strcasestr (sub_22BB4 R1=0x10)
.text:00023570 var_638 = -0x638 ; encoded 26-byte snprintf format for the per-entry file name (sub_22BB4 R1=0x19)
.text:00023570 var_61C = -0x61C ; 0x100-byte directory name
.text:00023570 var_51C = -0x51C ; 0x100-byte per-entry file name
.text:00023570 var_41C = -0x41C ; 0x400-byte line buffer for fgets
.text:00023570
.text:00023570 F0 B5 PUSH {R4-R7,LR}
.text:00023572 C3 4D LDR R5, =(__stack_chk_guard_ptr - 0x2357C)
.text:00023574 C3 4C LDR R4, =0xFFFFF95C ; -0x6A4: frame size
.text:00023576 C4 4A LDR R2, =0x68C
.text:00023578 7D 44 ADD R5, PC ; __stack_chk_guard_ptr
.text:0002357A 2D 68 LDR R5, [R5] ; __stack_chk_guard
.text:0002357C A5 44 ADD SP, R4 ; SP -= 0x6A4
.text:0002357E 04 A9 ADD R1, SP, #0x6B8+var_6A8
.text:00023580 2B 68 LDR R3, [R5] ; canary value
.text:00023582 16 AC ADD R4, SP, #0x6B8+s
.text:00023584 52 18 ADDS R2, R2, R1 ; R2 = [SP+0x69C]: canary slot
.text:00023586 13 60 STR R3, [R2] ; store canary
.text:00023588 03 90 STR R0, [SP,#0x6B8+var_6AC] ; save first argument
.text:0002358A 00 21 MOVS R1, #0 ; c
.text:0002358C 12 22 MOVS R2, #0x12 ; n
.text:0002358E 20 1C MOVS R0, R4 ; s
.text:00023590 E7 F7 94 EF BLX memset ; memset(s, 0, 0x12)
.text:00023594 C8 22 MOVS R2, #0xC8 ; fill s[1..0x10] with encoded bytes (s[0] stays 0)
.text:00023596 E2 70 STRB R2, [R4,#3]
.text:00023598 CA 22 MOVS R2, #0xCA
.text:0002359A 22 71 STRB R2, [R4,#4]
.text:0002359C D7 22 MOVS R2, #0xD7
.text:0002359E 62 71 STRB R2, [R4,#5]
.text:000235A0 DB 22 MOVS R2, #0xDB
.text:000235A2 A2 71 STRB R2, [R4,#6]
.text:000235A4 9D 22 MOVS R2, #0x9D
.text:000235A6 22 72 STRB R2, [R4,#8]
.text:000235A8 D4 22 MOVS R2, #0xD4
.text:000235AA 62 72 STRB R2, [R4,#9]
.text:000235AC DC 22 MOVS R2, #0xDC
.text:000235AE A2 72 STRB R2, [R4,#0xA]
.text:000235B0 CC 22 MOVS R2, #0xCC
.text:000235B2 22 73 STRB R2, [R4,#0xC]
.text:000235B4 D9 22 MOVS R2, #0xD9
.text:000235B6 62 73 STRB R2, [R4,#0xD]
.text:000235B8 CB 22 MOVS R2, #0xCB
.text:000235BA 5A 23 MOVS R3, #0x5A
.text:000235BC A2 73 STRB R2, [R4,#0xE]
.text:000235BE D3 22 MOVS R2, #0xD3
.text:000235C0 63 70 STRB R3, [R4,#1]
.text:000235C2 97 23 MOVS R3, #0x97
.text:000235C4 E2 73 STRB R2, [R4,#0xF]
.text:000235C6 0F 21 MOVS R1, #0xF ; sub_22BB4 arg: 0xF
.text:000235C8 E2 22 MOVS R2, #0xE2 ; sub_22BB4 arg: 0xE2
.text:000235CA 27 AE ADD R6, SP, #0x6B8+var_61C
.text:000235CC 20 1C MOVS R0, R4
.text:000235CE A3 70 STRB R3, [R4,#2]
.text:000235D0 E3 71 STRB R3, [R4,#7]
.text:000235D2 E3 72 STRB R3, [R4,#0xB]
.text:000235D4 23 74 STRB R3, [R4,#0x10]
.text:000235D6 FF F7 ED FA BL sub_22BB4 ; sub_22BB4(s, 0xF, 0xE2): presumed in-place decode
.text:000235DA 21 1C MOVS R1, R4 ; format
.text:000235DC 03 9A LDR R2, [SP,#0x6B8+var_6AC]
.text:000235DE 30 1C MOVS R0, R6 ; s
.text:000235E0 E7 F7 D2 EF BLX sprintf ; sprintf(var_61C, s, first_arg): directory name (unbounded sprintf, format not visible)
.text:000235E4 30 1C MOVS R0, R6 ; name
.text:000235E6 E7 F7 BE EF BLX opendir ; opendir(var_61C)
.text:000235EA 05 95 STR R5, [SP,#0x6B8+var_6A4] ; stash &__stack_chk_guard for the epilogue
.text:000235EC 02 90 STR R0, [SP,#0x6B8+dirp]
.text:000235EE 00 28 CMP R0, #0
.text:000235F0 00 D1 BNE loc_235F4
.text:000235F2 37 E1 B loc_23864 ; opendir failed -> return R0 (NULL == 0)
.text:000235F4 ; ---------------------------------------------------------------------------
.text:000235F4
.text:000235F4 loc_235F4 ; CODE XREF: pE13F78243E9E95DCD3D597DCD54CCA5C+80j
.text:000235F4 ; pE13F78243E9E95DCD3D597DCD54CCA5C+D0j
.text:000235F4 ; pE13F78243E9E95DCD3D597DCD54CCA5C+DCj
.text:000235F4 ; pE13F78243E9E95DCD3D597DCD54CCA5C+EAj
.text:000235F4 ; pE13F78243E9E95DCD3D597DCD54CCA5C+18Cj
.text:000235F4 ; pE13F78243E9E95DCD3D597DCD54CCA5C+2E4j
; entry loop: one directory entry per iteration
.text:000235F4 02 98 LDR R0, [SP,#0x6B8+dirp] ; dirp
.text:000235F6 E7 F7 C2 EF BLX readdir ; readdir(dirp)
.text:000235FA 00 25 MOVS R5, #0 ; R5 = 0: reused below as memset fill byte and NUL terminator
.text:000235FC A8 42 CMP R0, R5
.text:000235FE 00 D1 BNE loc_23602
.text:00023600 2B E1 B loc_2385A ; end of directory -> R4 = 0, closedir, return 0
.text:00023602 ; ---------------------------------------------------------------------------
.text:00023602
.text:00023602 loc_23602 ; CODE XREF: pE13F78243E9E95DCD3D597DCD54CCA5C+8Ej
.text:00023602 CA 23 MOVS R3, #0xCA ; var_69C: bytes [1]=0xCA, [2]=0x4B, word at [0] = 0 first
.text:00023604 07 AF ADD R7, SP, #0x6B8+var_69C
.text:00023606 07 95 STR R5, [SP,#0x6B8+var_69C]
.text:00023608 7B 70 STRB R3, [R7,#1]
.text:0002360A 4B 23 MOVS R3, #0x4B
.text:0002360C 13 30 ADDS R0, #0x13 ; R0 = entry + 0x13: name field of the dirent — TODO confirm d_name offset for the target's struct dirent
.text:0002360E 04 1C MOVS R4, R0 ; R4 = entry name
.text:00023610 01 21 MOVS R1, #1
.text:00023612 AF 22 MOVS R2, #0xAF
.text:00023614 38 1C MOVS R0, R7
.text:00023616 BB 70 STRB R3, [R7,#2]
.text:00023618 FF F7 CC FA BL sub_22BB4 ; sub_22BB4(var_69C, 1, 0xAF)
.text:0002361C 5A 23 MOVS R3, #0x5A ; var_694: bytes [1]=0x5A, [2]=0xA1, [3]=0xA1, [4]=0
.text:0002361E 09 AE ADD R6, SP, #0x6B8+var_694
.text:00023620 09 95 STR R5, [SP,#0x6B8+var_694]
.text:00023622 73 70 STRB R3, [R6,#1]
.text:00023624 A1 23 MOVS R3, #0xA1
.text:00023626 02 21 MOVS R1, #2
.text:00023628 30 1C MOVS R0, R6
.text:0002362A D5 22 MOVS R2, #0xD5
.text:0002362C 35 71 STRB R5, [R6,#4]
.text:0002362E B3 70 STRB R3, [R6,#2]
.text:00023630 F3 70 STRB R3, [R6,#3]
.text:00023632 FF F7 BF FA BL sub_22BB4 ; sub_22BB4(var_694, 2, 0xD5)
.text:00023636 20 1C MOVS R0, R4 ; s1
.text:00023638 39 1C MOVS R1, R7 ; s2
.text:0002363A E7 F7 7C EF BLX strcmp ; strcmp(name, var_69C)
.text:0002363E 00 28 CMP R0, #0
.text:00023640 D8 D0 BEQ loc_235F4 ; equal -> skip entry
.text:00023642 20 1C MOVS R0, R4 ; s1
.text:00023644 31 1C MOVS R1, R6 ; s2
.text:00023646 E7 F7 76 EF BLX strcmp ; strcmp(name, var_694)
.text:0002364A 00 28 CMP R0, #0
.text:0002364C D2 D0 BEQ loc_235F4 ; equal -> skip entry
.text:0002364E 20 1C MOVS R0, R4 ; nptr
.text:00023650 E8 F7 8C E9 BLX atol ; atol(name)
.text:00023654 03 9B LDR R3, [SP,#0x6B8+var_6AC]
.text:00023656 04 90 STR R0, [SP,#0x6B8+var_6A8] ; keep atol(name) for the snprintf below
.text:00023658 83 42 CMP R3, R0
.text:0002365A CB D0 BEQ loc_235F4 ; atol(name) == first_arg -> skip entry
.text:0002365C 20 AC ADD R4, SP, #0x6B8+var_638
.text:0002365E 20 1C MOVS R0, R4 ; s
.text:00023660 29 1C MOVS R1, R5 ; c
.text:00023662 1C 22 MOVS R2, #0x1C ; n
.text:00023664 E7 F7 2A EF BLX memset ; memset(var_638, 0, 0x1C)
.text:00023668 CF 22 MOVS R2, #0xCF ; fill var_638[1..0x1A] with encoded bytes
.text:0002366A E2 70 STRB R2, [R4,#3]
.text:0002366C CD 22 MOVS R2, #0xCD
.text:0002366E 22 71 STRB R2, [R4,#4]
.text:00023670 D0 22 MOVS R2, #0xD0
.text:00023672 62 71 STRB R2, [R4,#5]
.text:00023674 DC 22 MOVS R2, #0xDC
.text:00023676 2D 23 MOVS R3, #0x2D
.text:00023678 A2 71 STRB R2, [R4,#6]
.text:0002367A DB 22 MOVS R2, #0xDB
.text:0002367C 63 70 STRB R3, [R4,#1]
.text:0002367E 90 23 MOVS R3, #0x90
.text:00023680 A2 72 STRB R2, [R4,#0xA]
.text:00023682 D4 20 MOVS R0, #0xD4
.text:00023684 DE 22 MOVS R2, #0xDE
.text:00023686 A3 70 STRB R3, [R4,#2]
.text:00023688 E3 71 STRB R3, [R4,#7]
.text:0002368A E3 72 STRB R3, [R4,#0xB]
.text:0002368C 23 74 STRB R3, [R4,#0x10]
.text:0002368E 23 75 STRB R3, [R4,#0x14]
.text:00023690 DE 23 MOVS R3, #0xDE
.text:00023692 CB 21 MOVS R1, #0xCB
.text:00023694 62 73 STRB R2, [R4,#0xD]
.text:00023696 E0 73 STRB R0, [R4,#0xF]
.text:00023698 CC 22 MOVS R2, #0xCC
.text:0002369A DB 20 MOVS R0, #0xDB
.text:0002369C 9A 27 MOVS R7, #0x9A
.text:0002369E D3 26 MOVS R6, #0xD3
.text:000236A0 E3 75 STRB R3, [R4,#0x17]
.text:000236A2 CA 23 MOVS R3, #0xCA
.text:000236A4 21 73 STRB R1, [R4,#0xC]
.text:000236A6 A2 73 STRB R2, [R4,#0xE]
.text:000236A8 E0 74 STRB R0, [R4,#0x13]
.text:000236AA 62 75 STRB R2, [R4,#0x15]
.text:000236AC A1 75 STRB R1, [R4,#0x16]
.text:000236AE 21 76 STRB R1, [R4,#0x18]
.text:000236B0 A2 76 STRB R2, [R4,#0x1A]
.text:000236B2 20 1C MOVS R0, R4
.text:000236B4 19 21 MOVS R1, #0x19
.text:000236B6 92 22 MOVS R2, #0x92
.text:000236B8 27 72 STRB R7, [R4,#8]
.text:000236BA 66 72 STRB R6, [R4,#9]
.text:000236BC 67 74 STRB R7, [R4,#0x11]
.text:000236BE A6 74 STRB R6, [R4,#0x12]
.text:000236C0 63 76 STRB R3, [R4,#0x19]
.text:000236C2 FF F7 77 FA BL sub_22BB4 ; sub_22BB4(var_638, 0x19, 0x92): snprintf format
.text:000236C6 80 21 MOVS R1, #0x80
.text:000236C8 04 9B LDR R3, [SP,#0x6B8+var_6A8]
.text:000236CA 67 AE ADD R6, SP, #0x6B8+var_51C
.text:000236CC 22 1C MOVS R2, R4 ; format
.text:000236CE 00 93 STR R3, [SP,#0x6B8+var_6B8] ; stack argument = atol(name)
.text:000236D0 49 00 LSLS R1, R1, #1 ; R1 = 0x100 = sizeof(var_51C)
.text:000236D2 03 9B LDR R3, [SP,#0x6B8+var_6AC] ; R3 = first_arg
.text:000236D4 30 1C MOVS R0, R6 ; s
.text:000236D6 E8 F7 D8 E8 BLX snprintf ; snprintf(var_51C, 0x100, var_638, first_arg, atol(name)): per-entry file name
.text:000236DA C0 23 MOVS R3, #0xC0 ; var_698: bytes [1]=0xC0, [2]=0x0E, word at [0] = 0 first
.text:000236DC 08 AC ADD R4, SP, #0x6B8+var_698
.text:000236DE 08 95 STR R5, [SP,#0x6B8+var_698]
.text:000236E0 63 70 STRB R3, [R4,#1]
.text:000236E2 0E 23 MOVS R3, #0xE
.text:000236E4 01 21 MOVS R1, #1
.text:000236E6 BC 22 MOVS R2, #0xBC
.text:000236E8 20 1C MOVS R0, R4
.text:000236EA A3 70 STRB R3, [R4,#2]
.text:000236EC FF F7 62 FA BL sub_22BB4 ; sub_22BB4(var_698, 1, 0xBC): fopen mode
.text:000236F0 30 1C MOVS R0, R6 ; filename
.text:000236F2 21 1C MOVS R1, R4 ; modes
.text:000236F4 E7 F7 60 EF BLX fopen ; fopen(var_51C, var_698)
.text:000236F8 07 1E SUBS R7, R0, #0 ; R7 = FILE*
.text:000236FA 00 D1 BNE loc_236FE
.text:000236FC 7A E7 B loc_235F4 ; fopen failed -> next entry
.text:000236FE ; ---------------------------------------------------------------------------
.text:000236FE
.text:000236FE loc_236FE ; CODE XREF: pE13F78243E9E95DCD3D597DCD54CCA5C+18Aj
.text:000236FE 0E AC ADD R4, SP, #0x6B8+var_680
.text:00023700 20 1C MOVS R0, R4 ; s
.text:00023702 29 1C MOVS R1, R5 ; c
.text:00023704 0D 22 MOVS R2, #0xD ; n
.text:00023706 E7 F7 DA EE BLX memset ; memset(var_680, 0, 0xD)
.text:0002370A 37 23 MOVS R3, #0x37 ; fill var_680[1..0xB] with encoded bytes
.text:0002370C 63 70 STRB R3, [R4,#1]
.text:0002370E 97 23 MOVS R3, #0x97
.text:00023710 A3 70 STRB R3, [R4,#2]
.text:00023712 B1 23 MOVS R3, #0xB1
.text:00023714 E3 70 STRB R3, [R4,#3]
.text:00023716 E3 71 STRB R3, [R4,#7]
.text:00023718 93 23 MOVS R3, #0x93
.text:0002371A A2 22 MOVS R2, #0xA2
.text:0002371C 23 72 STRB R3, [R4,#8]
.text:0002371E AA 23 MOVS R3, #0xAA
.text:00023720 22 71 STRB R2, [R4,#4]
.text:00023722 63 72 STRB R3, [R4,#9]
.text:00023724 A0 22 MOVS R2, #0xA0
.text:00023726 A7 23 MOVS R3, #0xA7
.text:00023728 62 71 STRB R2, [R4,#5]
.text:0002372A A3 72 STRB R3, [R4,#0xA]
.text:0002372C A6 22 MOVS R2, #0xA6
.text:0002372E F9 23 MOVS R3, #0xF9
.text:00023730 A2 71 STRB R2, [R4,#6]
.text:00023732 E3 72 STRB R3, [R4,#0xB]
.text:00023734 20 1C MOVS R0, R4
.text:00023736 0A 21 MOVS R1, #0xA
.text:00023738 0B AC ADD R4, SP, #0x6B8+var_68C
.text:0002373A F4 22 MOVS R2, #0xF4
.text:0002373C FF F7 3A FA BL sub_22BB4 ; sub_22BB4(var_680, 0xA, 0xF4); var_680 is not used again in this function
.text:00023740 20 1C MOVS R0, R4 ; s
.text:00023742 29 1C MOVS R1, R5 ; c
.text:00023744 09 22 MOVS R2, #9 ; n
.text:00023746 E7 F7 BA EE BLX memset ; memset(var_68C, 0, 9)
.text:0002374A 54 23 MOVS R3, #0x54 ; fill var_68C[1..7] with encoded bytes
.text:0002374C 63 70 STRB R3, [R4,#1]
.text:0002374E DB 23 MOVS R3, #0xDB
.text:00023750 A3 70 STRB R3, [R4,#2]
.text:00023752 FC 23 MOVS R3, #0xFC
.text:00023754 ED 26 MOVS R6, #0xED
.text:00023756 E3 70 STRB R3, [R4,#3]
.text:00023758 63 71 STRB R3, [R4,#5]
.text:0002375A E9 22 MOVS R2, #0xE9
.text:0002375C B2 23 MOVS R3, #0xB2
.text:0002375E 22 71 STRB R2, [R4,#4]
.text:00023760 E3 71 STRB R3, [R4,#7]
.text:00023762 A6 71 STRB R6, [R4,#6]
.text:00023764 20 1C MOVS R0, R4
.text:00023766 06 21 MOVS R1, #6
.text:00023768 12 AC ADD R4, SP, #0x6B8+var_670
.text:0002376A DC 22 MOVS R2, #0xDC
.text:0002376C FF F7 22 FA BL sub_22BB4 ; sub_22BB4(var_68C, 6, 0xDC): line prefix for strncmp
.text:00023770 20 1C MOVS R0, R4 ; s
.text:00023772 29 1C MOVS R1, R5 ; c
.text:00023774 0E 22 MOVS R2, #0xE ; n
.text:00023776 E7 F7 A2 EE BLX memset ; memset(var_670, 0, 0xE)
.text:0002377A 4C 23 MOVS R3, #0x4C ; fill var_670[1..0xC] with encoded bytes
.text:0002377C 63 70 STRB R3, [R4,#1]
.text:0002377E C9 23 MOVS R3, #0xC9
.text:00023780 A3 70 STRB R3, [R4,#2]
.text:00023782 BD 23 MOVS R3, #0xBD
.text:00023784 E3 70 STRB R3, [R4,#3]
.text:00023786 B5 23 MOVS R3, #0xB5
.text:00023788 23 71 STRB R3, [R4,#4]
.text:0002378A EE 23 MOVS R3, #0xEE
.text:0002378C 63 71 STRB R3, [R4,#5]
.text:0002378E E9 23 MOVS R3, #0xE9
.text:00023790 A3 71 STRB R3, [R4,#6]
.text:00023792 F2 23 MOVS R3, #0xF2
.text:00023794 E3 71 STRB R3, [R4,#7]
.text:00023796 F9 23 MOVS R3, #0xF9
.text:00023798 26 72 STRB R6, [R4,#8]
.text:0002379A 66 72 STRB R6, [R4,#9]
.text:0002379C E3 72 STRB R3, [R4,#0xB]
.text:0002379E F8 26 MOVS R6, #0xF8
.text:000237A0 B4 23 MOVS R3, #0xB4
.text:000237A2 A6 72 STRB R6, [R4,#0xA]
.text:000237A4 23 73 STRB R3, [R4,#0xC]
.text:000237A6 20 1C MOVS R0, R4
.text:000237A8 0B 21 MOVS R1, #0xB
.text:000237AA 1B AC ADD R4, SP, #0x6B8+var_64C
.text:000237AC D1 22 MOVS R2, #0xD1
.text:000237AE FF F7 01 FA BL sub_22BB4 ; sub_22BB4(var_670, 0xB, 0xD1): first strcasestr needle
.text:000237B2 29 1C MOVS R1, R5 ; c
.text:000237B4 13 22 MOVS R2, #0x13 ; n
.text:000237B6 20 1C MOVS R0, R4 ; s
.text:000237B8 E7 F7 80 EE BLX memset ; memset(var_64C, 0, 0x13)
.text:000237BC BE 21 MOVS R1, #0xBE ; fill var_64C[1..0x11] with encoded bytes
.text:000237BE 21 71 STRB R1, [R4,#4]
.text:000237C0 E4 21 MOVS R1, #0xE4
.text:000237C2 6C 23 MOVS R3, #0x6C
.text:000237C4 A1 71 STRB R1, [R4,#6]
.text:000237C6 F7 21 MOVS R1, #0xF7
.text:000237C8 63 70 STRB R3, [R4,#1]
.text:000237CA E2 23 MOVS R3, #0xE2
.text:000237CC E1 71 STRB R1, [R4,#7]
.text:000237CE F5 21 MOVS R1, #0xF5
.text:000237D0 A3 70 STRB R3, [R4,#2]
.text:000237D2 63 71 STRB R3, [R4,#5]
.text:000237D4 A3 73 STRB R3, [R4,#0xE]
.text:000237D6 F9 23 MOVS R3, #0xF9
.text:000237D8 B6 22 MOVS R2, #0xB6
.text:000237DA 21 72 STRB R1, [R4,#8]
.text:000237DC FF 21 MOVS R1, #0xFF
.text:000237DE E3 73 STRB R3, [R4,#0xF]
.text:000237E0 E6 23 MOVS R3, #0xE6
.text:000237E2 E2 70 STRB R2, [R4,#3]
.text:000237E4 61 72 STRB R1, [R4,#9]
.text:000237E6 22 73 STRB R2, [R4,#0xC]
.text:000237E8 F1 21 MOVS R1, #0xF1
.text:000237EA E5 22 MOVS R2, #0xE5
.text:000237EC 23 74 STRB R3, [R4,#0x10]
.text:000237EE BF 23 MOVS R3, #0xBF
.text:000237F0 E1 72 STRB R1, [R4,#0xB]
.text:000237F2 62 73 STRB R2, [R4,#0xD]
.text:000237F4 20 1C MOVS R0, R4
.text:000237F6 10 21 MOVS R1, #0x10
.text:000237F8 FA 22 MOVS R2, #0xFA
.text:000237FA A6 72 STRB R6, [R4,#0xA]
.text:000237FC 63 74 STRB R3, [R4,#0x11]
.text:000237FE FF F7 D9 F9 BL sub_22BB4 ; sub_22BB4(var_64C, 0x10, 0xFA): second strcasestr needle
.text:00023802
.text:00023802 loc_23802 ; CODE XREF: pE13F78243E9E95DCD3D597DCD54CCA5C+2B8j
.text:00023802 ; pE13F78243E9E95DCD3D597DCD54CCA5C+2D4j
; line loop: one fgets() per iteration until EOF or a match
.text:00023802 80 21 MOVS R1, #0x80
.text:00023804 A7 AC ADD R4, SP, #0x6B8+var_41C
.text:00023806 20 1C MOVS R0, R4 ; s
.text:00023808 C9 00 LSLS R1, R1, #3 ; R1 = 0x400
.text:0002380A 3A 1C MOVS R2, R7 ; stream
.text:0002380C E7 F7 16 EF BLX fgets ; fgets(var_41C, 0x400, file)
.text:00023810 00 28 CMP R0, #0
.text:00023812 19 D0 BEQ loc_23848 ; EOF -> R4 = 0, fclose, next entry
.text:00023814 0B AD ADD R5, SP, #0x6B8+var_68C
.text:00023816 28 1C MOVS R0, R5
.text:00023818 EB F7 C6 FE BL strlen ; strlen(var_68C)
.text:0002381C 29 1C MOVS R1, R5 ; s2
.text:0002381E 02 1C MOVS R2, R0 ; n
.text:00023820 20 1C MOVS R0, R4 ; s1
.text:00023822 E7 F7 9A EE BLX strncmp ; strncmp(line, var_68C, strlen(var_68C))
.text:00023826 00 28 CMP R0, #0
.text:00023828 EB D1 BNE loc_23802 ; prefix mismatch -> next line
.text:0002382A 20 1C MOVS R0, R4
.text:0002382C 12 A9 ADD R1, SP, #0x6B8+var_670
.text:0002382E E7 F7 D6 EE BLX strcasestr ; strcasestr(line, var_670)
.text:00023832 00 28 CMP R0, #0
.text:00023834 01 D0 BEQ loc_2383A ; not found -> try the second needle
.text:00023836
.text:00023836 loc_23836 ; CODE XREF: pE13F78243E9E95DCD3D597DCD54CCA5C+2D6j
.text:00023836 01 24 MOVS R4, #1 ; R4 = 1: match found in this file
.text:00023838 07 E0 B loc_2384A
.text:0002383A ; ---------------------------------------------------------------------------
.text:0002383A
.text:0002383A loc_2383A ; CODE XREF: pE13F78243E9E95DCD3D597DCD54CCA5C+2C4j
.text:0002383A 20 1C MOVS R0, R4
.text:0002383C 1B A9 ADD R1, SP, #0x6B8+var_64C
.text:0002383E E7 F7 CE EE BLX strcasestr ; strcasestr(line, var_64C)
.text:00023842 00 28 CMP R0, #0
.text:00023844 DD D0 BEQ loc_23802 ; not found -> next line
.text:00023846 F6 E7 B loc_23836
.text:00023848 ; ---------------------------------------------------------------------------
.text:00023848
.text:00023848 loc_23848 ; CODE XREF: pE13F78243E9E95DCD3D597DCD54CCA5C+2A2j
.text:00023848 04 1C ADDS R4, R0, #0 ; R4 = 0 (R0 is the NULL from fgets)
.text:0002384A
.text:0002384A loc_2384A ; CODE XREF: pE13F78243E9E95DCD3D597DCD54CCA5C+2C8j
.text:0002384A 38 1C MOVS R0, R7 ; stream
.text:0002384C E7 F7 C0 EE BLX fclose ; fclose(file)
.text:00023850 00 2C CMP R4, #0
.text:00023852 00 D1 BNE loc_23856
.text:00023854 CE E6 B loc_235F4 ; no match in this file -> next entry
.text:00023856 ; ---------------------------------------------------------------------------
.text:00023856
.text:00023856 loc_23856 ; CODE XREF: pE13F78243E9E95DCD3D597DCD54CCA5C+2E2j
.text:00023856 01 24 MOVS R4, #1 ; result = 1
.text:00023858 00 E0 B loc_2385C
.text:0002385A ; ---------------------------------------------------------------------------
.text:0002385A
.text:0002385A loc_2385A ; CODE XREF: pE13F78243E9E95DCD3D597DCD54CCA5C+90j
.text:0002385A 04 1C ADDS R4, R0, #0 ; R4 = 0 (R0 is the NULL from readdir)
.text:0002385C
.text:0002385C loc_2385C ; CODE XREF: pE13F78243E9E95DCD3D597DCD54CCA5C+2E8j
.text:0002385C 02 98 LDR R0, [SP,#0x6B8+dirp] ; dirp
.text:0002385E E7 F7 88 EE BLX closedir ; closedir(dirp)
.text:00023862 20 1C ADDS R0, R4, #0 ; return value = R4
.text:00023864
.text:00023864 loc_23864 ; CODE XREF: pE13F78243E9E95DCD3D597DCD54CCA5C+82j
.text:00023864 08 4B LDR R3, =0x68C
.text:00023866 04 AA ADD R2, SP, #0x6B8+var_6A8
.text:00023868 9B 18 ADDS R3, R3, R2 ; canary slot [SP+0x69C]
.text:0002386A 1A 68 LDR R2, [R3] ; stored canary
.text:0002386C 05 9B LDR R3, [SP,#0x6B8+var_6A4]
.text:0002386E 1B 68 LDR R3, [R3] ; current __stack_chk_guard
.text:00023870 9A 42 CMP R2, R3
.text:00023872 01 D0 BEQ loc_23878
.text:00023874 E7 F7 52 EE BLX __stack_chk_fail ; canary mismatch -> abort
.text:00023878 ; ---------------------------------------------------------------------------
.text:00023878
.text:00023878 loc_23878 ; CODE XREF: pE13F78243E9E95DCD3D597DCD54CCA5C+302j
.text:00023878 04 4B LDR R3, =0x6A4
.text:0002387A 9D 44 ADD SP, R3 ; SP += 0x6A4
.text:0002387C F0 BD POP {R4-R7,PC}
.text:0002387C ; End of function pE13F78243E9E95DCD3D597DCD54CCA5C
反调试检测3
.text:00022BFC EXPORT p1CC6A51FD1217D64FB70BE7C7FC20DFC
.text:00022BFC p1CC6A51FD1217D64FB70BE7C7FC20DFC ; CODE XREF: .text:00023934p
;-----------------------------------------------------------------------
; int p1CC6A51FD1217D64FB70BE7C7FC20DFC(void)
; ABI:   AAPCS (Thumb); stack-protector frame of 0x514 bytes below the 5 pushed regs
; In:    none (R0-R3 are all overwritten before being read)
; Out:   R0 = 1 if, in the output of `netstat -apn` after its first line, some
;        row has field 6 starting with "LISTEN" (strncasecmp, 6 chars) and the
;        text after the last ':' of field 4 strcmp-equal to one of the 4
;        strings in the pointer table at off_412A8; 0 otherwise (also 0 when
;        popen() fails or the first fgets() hits EOF)
; Clobb: R0-R3, R12, flags (R4-R7 are saved/restored by PUSH/POP)
; Note:  The table strings are not in this listing; from the context they are
;        presumably port numbers — confirm at off_412A8. Once set, the result
;        stays 1 while the remaining rows are still consumed.
;-----------------------------------------------------------------------
.text:00022BFC
.text:00022BFC s2 = -0x528 ; [SP+0x00]: pointer just past the last ':' of field 4
.text:00022BFC var_524 = -0x524 ; [SP+0x04]: &__stack_chk_guard
.text:00022BFC var_520 = -0x520 ; [SP+0x08]: base of the canary slot (var_520 + 0x504 = [SP+0x50C])
.text:00022BFC var_51C = -0x51C ; 0x80-byte buffer: field 4 of each row (%127s)
.text:00022BFC var_49C = -0x49C ; 0x80-byte buffer: field 6 of each row (%127s)
.text:00022BFC s = -0x41C ; 0x400-byte line buffer: first line is read and discarded
.text:00022BFC
.text:00022BFC F0 B5 PUSH {R4-R7,LR}
.text:00022BFE 2B 4C LDR R4, =0xFFFFFAEC ; -0x514: frame size
.text:00022C00 2B 4A LDR R2, =0x504
.text:00022C02 2C 48 LDR R0, =(aNetstatApn - 0x22C16)
.text:00022C04 A5 44 ADD SP, R4 ; SP -= 0x514
.text:00022C06 2C 4C LDR R4, =(__stack_chk_guard_ptr - 0x22C10)
.text:00022C08 02 A9 ADD R1, SP, #0x528+var_520
.text:00022C0A 52 18 ADDS R2, R2, R1 ; R2 = [SP+0x50C]: canary slot
.text:00022C0C 7C 44 ADD R4, PC ; __stack_chk_guard_ptr
.text:00022C0E 24 68 LDR R4, [R4] ; __stack_chk_guard
.text:00022C10 2A 49 LDR R1, =(aR - 0x22C1A)
.text:00022C12 78 44 ADD R0, PC ; "netstat -apn"
.text:00022C14 23 68 LDR R3, [R4] ; canary value
.text:00022C16 79 44 ADD R1, PC ; modes
.text:00022C18 13 60 STR R3, [R2] ; store canary
.text:00022C1A E8 F7 8A EE BLX popen ; popen("netstat -apn", aR) — runs via the shell
.text:00022C1E 01 94 STR R4, [SP,#0x528+var_524] ; stash &__stack_chk_guard for the epilogue
.text:00022C20 05 1C MOVS R5, R0 ; R5 = stream
.text:00022C22 06 1E SUBS R6, R0, #0
.text:00022C24 34 D0 BEQ loc_22C90 ; popen failed -> return 0 (nothing to pclose)
.text:00022C26 80 21 MOVS R1, #0x80
.text:00022C28 43 A8 ADD R0, SP, #0x528+s ; s
.text:00022C2A C9 00 LSLS R1, R1, #3 ; R1 = 0x400
.text:00022C2C 2A 1C MOVS R2, R5 ; stream
.text:00022C2E E8 F7 06 ED BLX fgets ; fgets(s, 0x400, stream): first line consumed, never used
.text:00022C32 00 26 MOVS R6, #0 ; R6 = result, initially 0
.text:00022C34 B0 42 CMP R0, R6
.text:00022C36 28 D0 BEQ loc_22C8A ; EOF on first line -> pclose, return 0
.text:00022C38
.text:00022C38 loc_22C38 ; CODE XREF: p1CC6A51FD1217D64FB70BE7C7FC20DFC+60j
.text:00022C38 ; p1CC6A51FD1217D64FB70BE7C7FC20DFC+6Cj
.text:00022C38 ; p1CC6A51FD1217D64FB70BE7C7FC20DFC+88j
.text:00022C38 ; p1CC6A51FD1217D64FB70BE7C7FC20DFC+8Cj
; per-row loop: runs until fscanf() assigns fewer than 2 items
.text:00022C38 21 49 LDR R1, =(aSSS127sS127s - 0x22C44)
.text:00022C3A 03 AF ADD R7, SP, #0x528+var_51C
.text:00022C3C 23 AC ADD R4, SP, #0x528+var_49C
.text:00022C3E 28 1C MOVS R0, R5 ; stream
.text:00022C40 79 44 ADD R1, PC ; "%*s %*s %*s %127s %*s %127s[^\n]"
.text:00022C42 3A 1C MOVS R2, R7
.text:00022C44 23 1C MOVS R3, R4
.text:00022C46 E8 F7 96 ED BLX fscanf ; fscanf(stream, fmt, var_51C, var_49C)
.text:00022C4A 02 28 CMP R0, #2
.text:00022C4C 1D D1 BNE loc_22C8A ; fewer than 2 items -> pclose, return R6
.text:00022C4E 1D 49 LDR R1, =(aListen - 0x22C56)
.text:00022C50 20 1C MOVS R0, R4 ; s1
.text:00022C52 79 44 ADD R1, PC ; "LISTEN"
.text:00022C54 06 22 MOVS R2, #6 ; n
.text:00022C56 E8 F7 72 EE BLX strncasecmp ; strncasecmp(var_49C, "LISTEN", 6)
.text:00022C5A 04 1E SUBS R4, R0, #0 ; R4 = 0 when equal; reused below as the table index
.text:00022C5C EC D1 BNE loc_22C38 ; not LISTEN -> next row
.text:00022C5E 38 1C MOVS R0, R7 ; s
.text:00022C60 3A 21 MOVS R1, #0x3A ; c
.text:00022C62 E8 F7 72 EE BLX strrchr ; strrchr(var_51C, ':')
.text:00022C66 00 28 CMP R0, #0
.text:00022C68 E6 D0 BEQ loc_22C38 ; no ':' -> next row
.text:00022C6A 17 4F LDR R7, =(off_412A8 - 0x22C74)
.text:00022C6C 43 1C ADDS R3, R0, #1
.text:00022C6E 00 93 STR R3, [SP,#0x528+s2] ; s2 = text after the last ':'
.text:00022C70 7F 44 ADD R7, PC ; off_412A8
; table loop: R4 = 0, 4, 8, 0xC — four pointers at off_412A8
.text:00022C72
.text:00022C72 loc_22C72 ; CODE XREF: p1CC6A51FD1217D64FB70BE7C7FC20DFC+86j
.text:00022C72 E0 59 LDR R0, [R4,R7] ; s1
.text:00022C74 00 99 LDR R1, [SP,#0x528+s2] ; s2
.text:00022C76 E8 F7 5E EC BLX strcmp ; strcmp(table[R4/4], s2)
.text:00022C7A 04 34 ADDS R4, #4
.text:00022C7C 00 28 CMP R0, #0
.text:00022C7E 02 D0 BEQ loc_22C86 ; equal -> flag the result
.text:00022C80 10 2C CMP R4, #0x10
.text:00022C82 F6 D1 BNE loc_22C72 ; more table entries
.text:00022C84 D8 E7 B loc_22C38 ; no entry matched -> next row
.text:00022C86 ; ---------------------------------------------------------------------------
.text:00022C86
.text:00022C86 loc_22C86 ; CODE XREF: p1CC6A51FD1217D64FB70BE7C7FC20DFC+82j
.text:00022C86 01 26 MOVS R6, #1 ; result = 1; remaining rows are still read
.text:00022C88 D6 E7 B loc_22C38
.text:00022C8A ; ---------------------------------------------------------------------------
.text:00022C8A
.text:00022C8A loc_22C8A ; CODE XREF: p1CC6A51FD1217D64FB70BE7C7FC20DFC+3Aj
.text:00022C8A ; p1CC6A51FD1217D64FB70BE7C7FC20DFC+50j
.text:00022C8A 28 1C MOVS R0, R5 ; stream
.text:00022C8C E8 F7 62 EE BLX pclose ; pclose(stream)
.text:00022C90
.text:00022C90 loc_22C90 ; CODE XREF: p1CC6A51FD1217D64FB70BE7C7FC20DFC+28j
.text:00022C90 07 4B LDR R3, =0x504
.text:00022C92 02 AA ADD R2, SP, #0x528+var_520
.text:00022C94 30 1C MOVS R0, R6 ; return value = R6
.text:00022C96 9B 18 ADDS R3, R3, R2 ; canary slot [SP+0x50C]
.text:00022C98 1A 68 LDR R2, [R3] ; stored canary
.text:00022C9A 01 9B LDR R3, [SP,#0x528+var_524]
.text:00022C9C 1B 68 LDR R3, [R3] ; current __stack_chk_guard
.text:00022C9E 9A 42 CMP R2, R3
.text:00022CA0 01 D0 BEQ loc_22CA6
.text:00022CA2 E8 F7 3C EC BLX __stack_chk_fail ; canary mismatch -> abort
.text:00022CA6 ; ---------------------------------------------------------------------------
.text:00022CA6
.text:00022CA6 loc_22CA6 ; CODE XREF: p1CC6A51FD1217D64FB70BE7C7FC20DFC+A4j
.text:00022CA6 09 4B LDR R3, =0x514
.text:00022CA8 9D 44 ADD SP, R3 ; SP += 0x514
.text:00022CAA F0 BD POP {R4-R7,PC}
.text:00022CAA ; End of function p1CC6A51FD1217D64FB70BE7C7FC20DFC
.text:00022CAA
# bangbang 杀死自己的代码
; libc-style system-call stub (ARM mode, EABI): R7 = 0x25 = 37 = __NR_kill,
; i.e. kill(R0 = pid, R1 = sig). The caller (not shown) supplies pid and sig.
; Return: the kernel's result in R0; a value in [-4095, -1] is -errno and is
; negated before tail-jumping to sub_760106F4 (presumably the errno setter — confirm).
libDexHelper.so:75FF6B94 F0 50 2D E9 STMFD SP!, {R4-R7,R12,LR} ; preserve R7 (clobbered by the syscall number) and friends
libDexHelper.so:75FF6B98 25 70 A0 E3 MOV R7, #0x25 ; R7 = syscall number (37 = kill)
libDexHelper.so:75FF6B9C 00 00 00 EF SVC 0 ; enter the kernel
libDexHelper.so:75FF6BA0 F0 50 BD E8 LDMFD SP!, {R4-R7,R12,LR}
libDexHelper.so:75FF6BA4 01 0A 70 E3 CMN R0, #0x1000 ; flags from R0 + 0x1000: carry set iff R0 >= 0xFFFFF000 (i.e. -errno)
libDexHelper.so:75FF6BA8 1E FF 2F 91 BXLS LR ; not an error -> return R0 unchanged
libDexHelper.so:75FF6BAC 00 00 60 E2 RSB R0, R0, #0 ; R0 = -R0 = errno
libDexHelper.so:75FF6BB0 CF 66 00 EA B sub_760106F4 ; tail-call the error handler