/*
 * sub_11450 -- Hex-Rays pseudocode of what looks like a driver dispatch
 * routine; the poster elided parts of it with "...".
 *
 * The raw offsets match the documented x64 IRP / IO_STACK_LOCATION layout.
 * a1 is presumably the DEVICE_OBJECT and a2 the IRP -- confirm against the
 * binary's symbols or type information:
 *   a2 + 24  : Irp->AssociatedIrp.SystemBuffer
 *   a2 + 48  : Irp->IoStatus.Status
 *   a2 + 56  : Irp->IoStatus.Information
 *   a2 + 184 : current IO_STACK_LOCATION
 *   v3 + 0   : MajorFunction (14 == IRP_MJ_DEVICE_CONTROL)
 *   v3 + 16  : Parameters.DeviceIoControl.InputBufferLength
 *   v3 + 24  : Parameters.DeviceIoControl.IoControlCode
 */
__int64 __fastcall sub_11450(__int64 a1, __int64 a2)
{
  ...
  v2 = a2;
  *(_DWORD *)(a2 + 48) = 0;        // zero the status field before dispatching
  *(_QWORD *)(a2 + 56) = 0i64;     // zero the information (byte count) field
  v3 = *(_QWORD *)(a2 + 184);
  // Original poster's note: "(a2 + 24) = this is where the user-submitted
  // driver code is fetched".
  // NOTE(review): per the layout above, a2 + 24 is the buffered-I/O system
  // buffer pointer, not the control code; the code is read from v3 + 24 in
  // the switch expression below -- confirm.
  v4 = *(_QWORD *)(a2 + 24);
  v5 = *(_DWORD *)(v3 + 16);       // caller-supplied input length, compared with 48 below
  if ( *(_BYTE *)v3 == 14 )
  {
    // Original poster's note: "switch(qword_11A20 + user-submitted driver
    // code + 2147475456) -- what on earth is this?"
    //
    // 2147475456 == 0x7FFFE000. In 32-bit unsigned arithmetic, adding it is
    // the same as subtracting 0x80002000, so the index is
    // (IoControlCode - 0x80002000). qword_11A20 is read through a _BYTE
    // pointer, i.e. as a byte array: one byte per control-code offset, each
    // holding the case number. This is the usual compiler-generated
    // two-level switch (index table, then jump table) that the decompiler
    // did not fold back into "switch (IoControlCode)".
    // Decoding the table little-endian gives offset 0x48 -> case 0xE and
    // offset 0x4C -> case 0xF, i.e. control codes 0x80002048 and 0x8000204C.
    //
    // NOTE(review): such a lookup is normally guarded by an unsigned bound
    // check on the index (here it would be "<= 0x54"); none is visible in
    // this excerpt, so confirm it in the disassembly before trusting the
    // table read.
    switch ( *((_BYTE *)qword_11A20 + (unsigned int)(*(_DWORD *)(v3 + 24) + 2147475456)) )
    {
      case 0xE:
        // The only validation visible here is an exact input-length match
        // (48 bytes). Whether the output length or the buffer contents are
        // also checked is inside the elided body.
        if ( v5 == 48 )
        {
          ......
        }
        break;
      case 0xF:
        if ( v5 == 48 )            // same exact-length gate as case 0xE
        {
          ....
        }
        break;
      .....
    }
  }
  ...
}
/*
 * qword_11A20 -- typed by the decompiler as 12 qwords, but sub_11450 reads
 * it through a _BYTE pointer, so it is really a byte table. Index =
 * (IoControlCode - 0x80002000); value = case number of the switch.
 *
 * Decoded little-endian (assumes an x64 little-endian image -- confirm):
 *   - 0x12 fills every slot with no handler (presumably the default case);
 *   - case numbers 0x00..0x11 sit at 4-byte strides, because consecutive
 *     control codes differ by 4;
 *   - the trailing 0xCC bytes look like padding after the table, which
 *     would make the real table 0x55 bytes long (offsets 0x00..0x54).
 * The array length of 12 is therefore an artefact of the decompiler's
 * typing, not the table's true size.
 */
__int64 qword_11A20[12] =
{
  1302123038070936064i64,   // 0x1212120112121200: offset 0x00 -> case 0x00, 0x04 -> case 0x01
  1302123046660870658i64,   // 0x1212120312121202: offset 0x08 -> case 0x02, 0x0C -> case 0x03
  1302123055250805252i64,   // 0x1212120512121204: offset 0x10 -> case 0x04, 0x14 -> case 0x05
  1302123063840739846i64,   // 0x1212120712121206: offset 0x18 -> case 0x06, 0x1C -> case 0x07
  1302123111085380114i64,   // 0x1212121212121212: offsets 0x20..0x27 all 0x12 (no handler)
  1302123072430674440i64,   // 0x1212120912121208: offset 0x28 -> case 0x08, 0x2C -> case 0x09
  1302123081020609034i64,   // 0x1212120B1212120A: offset 0x30 -> case 0x0A, 0x34 -> case 0x0B
  1302123111085380114i64,   // 0x1212121212121212: offsets 0x38..0x3F all 0x12 (no handler)
  1302123089610543628i64,   // 0x1212120D1212120C: offset 0x40 -> case 0x0C, 0x44 -> case 0x0D
  1302123098200478222i64,   // 0x1212120F1212120E: offset 0x48 -> case 0x0E, 0x4C -> case 0x0F
  -3689349621033594352i64,  // 0xCCCCCC1112121210: offset 0x50 -> case 0x10, 0x54 -> case 0x11, then 0xCC fill
  -3689348814741910324i64   // 0xCCCCCCCCCCCCCCCC: all 0xCC, not part of the lookup table
}; // weak (decompiler annotation kept from the original listing)
pureman:(unsigned int)(*(_DWORD *)(v3 + 24) + 2147475456) —— 这应该是 qword_11A20[12] 数组内的偏移吧(按字节计,因为外层是 _BYTE * 解引用),假设为 i,*((_BYTE * ...