[分享]脱壳纪事——梆梆加固
发表于: 2023-7-31 00:49 9153
分析如下:{
init_proc{
粗略地用JEB看了下xml中的application,可以确定该加固App最先加载的自身lib目录下的so为libSecShell.so,如下图:
使用IDA加载libSecShell.so后发现,除init_proc函数外其他重要函数(如:init_array和jni_onLoad)都无法正常分析,这种情况下便只能调试运行App
位于jhj_copyData函数头部偏移0xC4处的函数中可以很清楚地观察到通过中断方式调用mmap2函数申请映射内存空间(在整个init_proc函数的执行期间该函数总共被调用了两次)
继续分析jhj_Decode函数,位于函数头部偏移0x174c处的函数中通过中断的方式调用mprotect函数(共计调用三次),如下图:
内部有两个解密并修复数据的函数,分别位于偏移0xC10BC处的函数(命名为:jhj_DecryptByteCode)和位于偏移0xC0918处的函数(命名为:jhj_DecryptByteCode2),解密之后dump修复即可,如下:
// offset 0xc10bc 0xFFCDF2B0
// DecryptByteCode(dst, 0x64895, src, &local)//
/*
 * jhj_DecryptByteCode — inflate the packed bytecode blob.
 *
 * As decompiled, every load comes from a1 (`*(unsigned __int8 *)(a1 + v6)`)
 * and every store goes to a3 (`*(_BYTE *)(a3 + v4++)`), so despite the
 * call-site comment above this function (which lists "dst" first) a1 is the
 * SOURCE and a3 the DESTINATION:
 *
 *   a1  compressed input
 *   a2  length of the input in bytes; compared against the read cursor on exit
 *   a3  output buffer
 *   a4  out-parameter: receives the number of bytes written
 *
 * Returns 0 when exactly a2 input bytes were consumed, -201 when the decoder
 * read past a2 (input overrun) and -205 when input bytes were left over.
 *
 * NOTE(review): the shape — 1-bit literal flag, doubling-with-bit length /
 * offset codes terminated by a stop bit, offset = byte | ((code - 3) << 8),
 * 0xFFFFFFFF as end marker, "length += (offset > 0x500)" and the -201 / -205
 * codes — matches UCL's NRV2E decompressor (ucl_nrv2e_decompress_8 with
 * UCL_E_INPUT_OVERRUN / UCL_E_INPUT_NOT_CONSUMED). Confirm against the
 * disassembly before relying on that identification.
 *
 * Defensive caveat: nothing here bounds the output cursor v4, and the
 * back-reference source (a3 + v4 - v5) is never checked to lie inside the
 * output buffer; only the *input* cursor is validated, after the fact. The
 * caller must size a3 for the worst-case expansion and must treat the return
 * code as the only integrity signal — malformed data corrupts memory silently.
 */
int __fastcall jhj_DecryptByteCode(int a1, unsigned int a2, int a3, _DWORD *a4)
{
int v4; // r5
unsigned int v5; // r7
unsigned int v6; // r12
int v7; // r4
bool v8; // zf
char v9; // r6
int i; // r6
bool v11; // zf
int v12; // r4
bool v13; // zf
unsigned int v14; // r8
unsigned int v15; // r4
int v16; // r6
int v17; // r6
bool v18; // zf
int v19; // r6
int v20; // r6
unsigned int v21; // r8
bool v22; // zf
int v23; // r6
unsigned int v24; // r7
bool v25; // zf
int v26; // r6
int v27; // r6
int v28; // r6
bool v29; // zf
int v30; // r4
bool v31; // zf
unsigned int v32; // r8
int v33; // r6
int v34; // r8
_BYTE *v35; // r6
int v36; // r9
_BYTE *v37; // r10
int v38; // r5
char v39; // t1
// Roles of the decompiler temporaries, from how they are used below:
//   v4       output cursor (a3 + v4 is the next byte written)
//   v5       most recent match offset; starts at 1, updated on the new-offset path
//   v6       input cursor (a1 + v6 is the next byte read); checked against a2 at exit
//   v7/v12/v15/v30  bit buffer: the current input byte shifted left once per bit
//            consumed, with bit 0 set as a sentinel when a byte is loaded; the bit
//            being examined is always bit 8 (0x100). When the low seven bits are all
//            zero the sentinel has been shifted out, i.e. the byte is exhausted.
//   v21      snapshot of the input cursor taken just before the offset byte is read
//   v23/v27/v34  match length while it is being built up
v4 = 0;
v5 = 1;
v6 = 0;
v7 = 0;
// Main decode loop: each trip handles a run of literals followed by one
// back-reference. The only way out is the `break` on the new-offset path
// below, which continues at the `v24` computation; the end marker is tested there.
while ( 1 )
{
// Literal run: read one flag bit; while it is 1 copy one raw byte.
while ( 1 )
{
// Bit-reader step. Low seven bits non-zero -> the current byte still has bits,
// just shift. Otherwise load a fresh byte, shift it, and set bit 0 as the
// sentinel (v8 remembers which path ran so the cursor can be advanced).
v8 = (v7 & 0x7F) == 0;
if ( (v7 & 0x7F) != 0 )
v7 *= 2;
else
v7 = *(unsigned __int8 *)(a1 + v6);
if ( v8 )
{
v7 = 2 * v7 + 1;
++v6;
}
// Bit 8 is the bit just exposed: 1 = literal follows, 0 = match follows.
if ( (v7 & 0x100) == 0 )
break;
v9 = *(_BYTE *)(a1 + v6++);
*(_BYTE *)(a3 + v4++) = v9;
}
// Variable-length match-offset code accumulated in i / v17: a data bit is
// folded in as "2 * i + bit" and a stop bit ends the code.
// NOTE(review): the loop step adds 0x7FFFFFFF before doubling, i.e. it
// effectively subtracts 2 each trip; that looks like a decompiler rendering
// of carry arithmetic (ADC-style doubling) rather than real logic — verify
// against the disassembly before trusting this arithmetic verbatim.
for ( i = 1; ; i = v20 + ((unsigned int)(v7 << 23) >> 31) )
{
v11 = (v7 & 0x7F) == 0;
if ( (v7 & 0x7F) != 0 )
v12 = 2 * v7;
else
v12 = *(unsigned __int8 *)(a1 + v6);
if ( v11 )
{
v12 = 2 * v12 + 1;
++v6;
}
// v14 >> 31 isolates bit 8 of v12 (the data bit just exposed).
v13 = (v12 & 0x7F) == 0;
v14 = v12 << 23;
if ( (v12 & 0x7F) != 0 )
v15 = 2 * v12;
else
v15 = *(unsigned __int8 *)(a1 + v6);
if ( v13 )
v15 = 2 * v15 + 1;
v16 = 2 * i;
if ( v13 )
++v6;
v17 = v16 + (v14 >> 31);
// Stop bit set: the code is complete and its value is in v17.
if ( (v15 & 0x100) != 0 )
break;
v18 = (v15 & 0x7F) == 0;
if ( (v15 & 0x7F) == 0 )
v15 = *(unsigned __int8 *)(a1 + v6);
v19 = v17 + 0x7FFFFFFF;
v7 = 2 * v15;
if ( v18 )
++v7;
v20 = 2 * v19;
if ( v18 )
++v6;
}
// Remember where the offset byte will be read from, then leave the loop
// unless the code was 2, which means "reuse the previous offset v5".
v21 = v6;
if ( v17 != 2 )
break;
// Repeat-offset path: one more bit seeds the match length (v23).
v22 = (v15 & 0x7F) == 0;
if ( (v15 & 0x7F) != 0 )
v15 *= 2;
else
v15 = *(unsigned __int8 *)(a1 + v6);
if ( v22 )
v15 = 2 * v15 + 1;
if ( v22 )
++v6;
v23 = (v15 >> 8) & 1;
// Match-length decoding. Reached from the repeat-offset path above and, via
// the goto below, from the new-offset path (where v23 is seeded from the
// inverted low bit of the offset byte).
LABEL_41:
v25 = (v15 & 0x7F) == 0;
if ( (v15 & 0x7F) != 0 )
v7 = 2 * v15;
else
v7 = *(unsigned __int8 *)(a1 + v6);
if ( v25 )
v7 = 2 * v7 + 1;
v26 = 2 * v23;
if ( v25 )
++v6;
// length = 2 * seed + next bit
v27 = v26 + ((unsigned int)(v7 << 23) >> 31);
// A zero so far means a longer length: decode it with the same
// doubling-with-bit / stop-bit scheme starting from 1, then add 2.
if ( !v27 )
{
v28 = 1;
do
{
v29 = (v7 & 0x7F) == 0;
if ( (v7 & 0x7F) != 0 )
v30 = 2 * v7;
else
v30 = *(unsigned __int8 *)(a1 + v6);
if ( v29 )
{
v30 = 2 * v30 + 1;
++v6;
}
v31 = (v30 & 0x7F) == 0;
v32 = v30 << 23;
if ( (v30 & 0x7F) != 0 )
v7 = 2 * v30;
else
v7 = *(unsigned __int8 *)(a1 + v6);
if ( v31 )
v7 = 2 * v7 + 1;
v33 = 2 * v28;
if ( v31 )
++v6;
v28 = v33 + (v32 >> 31);
}
while ( (v7 & 0x100) == 0 );
v27 = v28 + 2;
}
// Offsets beyond 0x500 carry one implicit extra byte of length.
if ( v5 > 0x500 )
v34 = v27 + 1;
else
v34 = v27;
// Copy v34 + 1 bytes from v5 bytes back in the output, one byte at a time
// (a forward copy, so an overlapping source reproduces runs correctly).
// No check that a3 + v4 - v5 >= a3, and no output-size limit.
v35 = (_BYTE *)(a3 + v4 - v5);
*(_BYTE *)(a3 + v4) = *v35;
v36 = v4 + 1;
v37 = &v35[v34];
v38 = a3 + v4;
do
{
v39 = *++v35;
*(_BYTE *)++v38 = v39;
}
while ( v35 != v37 );
v4 = v36 + v34;
}
// New-offset path: offset = input byte | ((v17 - 3) << 8). 16777213 is
// 0xFFFFFD, which once shifted left by 8 is -3 << 8 modulo 2^32.
v24 = *(unsigned __int8 *)(a1 + v6++) + ((v17 + 16777213) << 8);
// An offset of 0xFFFFFFFF is the end-of-stream marker.
if ( v24 != -1 )
{
// Seed the length from the inverted low bit of the offset byte (v21 points
// at that byte), record the new offset as (v24 >> 1) + 1, then decode the length.
v23 = !(*(_BYTE *)(a1 + v21) & 1);
v5 = (v24 >> 1) + 1;
goto LABEL_41;
}
// Report the output size and verify the input cursor landed exactly on a2.
*a4 = v4;
if ( v6 == a2 )
return 0;
if ( v6 >= a2 )
return -201;
return -205;
}
// 参数为soBase 和 偏移D4(D4是头表结束的位置)
/*
 * jhj_DecryptByteCode2 — rewrite a table of in-range values after loading.
 *
 * `result` is the so base address and `a2` the offset of a small header in it
 * (the comment above this function notes 0xD4, the end of the header table).
 * Header layout as read here:
 *   +0   magic, must equal 2146926590 (0x7FF77FFE) for anything to happen
 *   +4   offset, relative to the base, of a table of 8-byte entries
 *   +8   number of entries in that table
 *   +12  low bound of the value range that gets rewritten
 *   +16  and +20: two values whose sum is the new base written into matches
 *   +24  number of 4-byte slots the range covers (high bound = low + 4 * this)
 *
 * Every entry whose first dword lies in [low, high) is replaced, in table
 * order, by (new base + 4 * k) where k counts the matches seen so far; the
 * second dword of each entry is left alone.
 *
 * Returns the address of the table (base + header[+4]) when the magic matched,
 * otherwise the base unchanged. There is no bounds check on the entry count
 * or the table offset — both are trusted from the mapped image.
 */
int __fastcall jhj_DecryptByteCode2(int result, int a2)
{
  int hdr = result + a2;
  int entry_count = *(_DWORD *)(hdr + 8);
  unsigned int range_lo = *(_DWORD *)(hdr + 12);
  int base_a = *(_DWORD *)(hdr + 16);
  int base_b = *(_DWORD *)(hdr + 20);
  int slot_count = *(_DWORD *)(hdr + 24);

  if ( *(_DWORD *)hdr != 2146926590 )
    return result;                     // magic mismatch: nothing patched, base returned as-is

  result += *(_DWORD *)(hdr + 4);      // from here on `result` is the table address
  unsigned int range_hi = range_lo + 4 * slot_count;
  int patched_base = base_b + base_a;
  int patched = 0;

  for ( int idx = 0; idx != entry_count; ++idx )
  {
    unsigned int value = *(_DWORD *)(result + 8 * idx);
    // Unsigned range test, exactly as the original compares its unsigned temporaries.
    if ( value >= range_lo && value < range_hi )
      *(_DWORD *)(result + 8 * idx) = patched_base + 4 * patched++;
  }
  return result;
}
}
init_array:{
让我关注的init_array函数只是动态获取了libc中的api地址,除此之外并未看到做特殊的处理,所以直接跳到jni_onLoad
}
jni_onLoader:{
此处开始才是关键所在,在偏移:0x15194处的函数中格式化了字符串并对其调用access函数进行处理,这也是"assets/classes0.jar" 字符串首次出现在该函数,该函数执行完毕就执行
is_magisk_check_process(_JNIEnv *,_jclass *) 和 is_miuiinstaller_process(_JNIEnv *,_jclass *),根据两个函数的返回值执行不同的分支,如下图:
分支1,两个函数中任何一个返回值为1的情况,在位于偏移:0x16028处注册com/SecShell/SecShell/H的jni函数,注册的函数如下:
Class:com/SecShell/SecShell/H,FunctionName:attach,Signature:(Landroid/app/Application;Landroid/content/Context;)V,offset:0x26FAC
Class:com/SecShell/SecShell/H,FunctionName:b,Signature:(Landroid/content/Context;Landroid/app/Application;)V,offset:0x17334
Class:com/SecShell/SecShell/H,FunctionName:c,Signature:()V,offset:0x18094
Class:com/SecShell/SecShell/H,FunctionName:d,Signature:(Ljava/lang/String;)Ljava/lang/String;,offset:0x1BF5C
Class:com/SecShell/SecShell/H,FunctionName:e,Signature:(Ljava/lang/Object;Ljava/util/List;Ljava/lang/String;)[Ljava/lang/Object;,offset:0x21ED8
Class:com/SecShell/SecShell/H,FunctionName:f,Signature:()[Ljava/lang/String;,offset:0x1A2F0
Class:com/SecShell/SecShell/H,FunctionName:g,Signature:()[Ljava/lang/String;,offset:0x19E98
Class:com/SecShell/SecShell/H,FunctionName:h,Signature:()[Ljava/lang/String;,offset:0x19888
Class:com/SecShell/SecShell/H,FunctionName:n,Signature:()[Ljava/lang/String;,offset:0x1938C
Class:com/SecShell/SecShell/H,FunctionName:j,Signature:()[Ljava/lang/String;,offset:0x19120
Class:com/SecShell/SecShell/H,FunctionName:k,Signature:()Ljava/lang/String;,offset:0x18FC8
Class:com/SecShell/SecShell/H,FunctionName:l,Signature:()Ljava/lang/String;,offset:0x18F68
Class:com/SecShell/SecShell/H,FunctionName:m,Signature:()Ljava/lang/String;,offset:0x18F18
Class:com/SecShell/SecShell/H,FunctionName:bb,Signature:(Landroid/content/Context;Landroid/app/Application;Landroid/app/Application;)V,offset:0x1758C
Class:com/SecShell/SecShell/H,FunctionName:o,Signature:(Landroid/content/Context;)I,offset:0x17D9C,源导出名为:check_root
Class:com/SecShell/SecShell/H,FunctionName:p,Signature:()V,offset:0x12294,源导出名为:root_kill
Class:com/SecShell/SecShell/H,FunctionName:q,Signature:()I,offset:0x159C4,源导出名为:is_magisk_check_process
Class:com/SecShell/SecShell/H,FunctionName:mu,Signature:()I,offset:0x15AC0,源导出名为:is_miuiinstaller_process
该分支中注册完jni函数后便结束了对jni_Onload函数的调用
分支2,两个函数的返回值都为0的情况:
同样也注册了上述的com/SecShell/SecShell/H的jni函数,但在偏移0x4D7DC处的函数内对libc的api进行了hook,其IDA F5伪代码如下:
/*
 * jhj_HookLibcFunction — install the packer's libc and ART hooks.
 *
 * The body is a control-flow-flattened state machine: v6 is the state,
 * `switch (v6)` dispatches it, and every case sets the next state before
 * `continue` / `goto LABEL_2`; state 8 ends the loop. Following the v6
 * assignments gives the real execution order:
 *   0 -> 3 -> 7 -> (4 | 6 -> 2) -> 2 -> 1 -> (5 | 8)
 *
 *   result  (r0) passed to sub_4C1E0 as v5 and to the state-5 call; it is
 *           reused as the return value, so the function returns whatever the
 *           last call it made returned
 *   a2      not referenced anywhere in this function as decompiled
 *   a3      non-zero selects state 5 after the hooks are installed, zero ends
 *
 * Names starting with jhj_ are the analyst's labels; sub_/off_/dword_/p…
 * are IDA auto-names. None are defined here. The fourth argument of each
 * jhj_HookLibcApi call (&off_AC2xx) presumably receives the original entry
 * point for the hook to call through — TODO confirm from the hook bodies.
 * Hooking open/openat/mmap2/read/write/munmap/msync/pread64/ftruncate64
 * covers every libc path by which the runtime would touch the protected
 * payload on disk or in memory; what the replacements do with those calls is
 * not visible in this function.
 */
int __fastcall jhj_HookLibcFunction(int result, int a2, int a3)
{
int v3; // r4
int v5; // r9
int v6; // r5
int v7; // r8
int v8; // r2
int **v9; // r3
int v10; // r0
int v11; // r2
unsigned int v12; // r5
int v13; // r2
_DWORD *v14; // [sp+0h] [bp-E0h]
char v15[4]; // [sp+14h] [bp-CCh] BYREF
int v16; // [sp+18h] [bp-C8h]
char v17[2]; // [sp+1Ch] [bp-C4h] BYREF
char v18[4]; // [sp+1Eh] [bp-C2h] BYREF
char v19[20]; // [sp+24h] [bp-BCh] BYREF
char v20[28]; // [sp+38h] [bp-A8h] BYREF
char v21[32]; // [sp+54h] [bp-8Ch] BYREF
int v22[16]; // [sp+74h] [bp-6Ch] BYREF
int v23; // [sp+B4h] [bp-2Ch]
// v11 and v13 are never assigned in this function: they are register residue
// (r2) left by the decompiler, not real inputs to jhj_GetSystemProperty.
// v3 (the libc handle) is assigned in state 3, which runs before every state
// that uses it.
v5 = result;
// Stack-protector setup: the canary at *off_A2984 is copied into v23 and
// compared again at LABEL_28 before returning.
v14 = off_A2984;
v6 = 0;
v7 = 31101;
v23 = *(_DWORD *)off_A2984;
v8 = 0;
v9 = off_AC224;
// Dispatcher entry. Any state other than 0..8 lands in `default`, which jumps
// straight back here — i.e. an unexpected state spins forever.
LABEL_2:
if ( v6 != 8 )
{
while ( 1 )
{
switch ( v6 )
{
// State 0: set up an object via sub_4C1E0 and two mutexes; next state 3.
case 0:
off_AC22C[0] = sub_4C1E0(v15, v5, v8, (int)v9);
jhj_pthread_mutex_init((int)&dword_AC218, 0);
v6 = 3;
result = jhj_pthread_mutex_init((int)&dword_AC220, 0);
continue;
// State 1: hook pread64 / ftruncate64. Then state 5 if a3 is set, else 8 (done).
case 1:
jhj_HookLibcApi(v3, (int)"pread64", (int)jhj_hookpread64, &off_AC244);
result = jhj_HookLibcApi(v3, (int)"ftruncate64", (int)jhj_hookftruncate64, &off_AC234);
if ( a3 )
v6 = 5;
else
v6 = 8;
goto LABEL_2;
// State 2: hook write / read / munmap / msync; next state 1.
case 2:
jhj_HookLibcApi(v3, (int)"write", (int)jhj_hookwrite, &off_AC24C);
jhj_HookLibcApi(v3, (int)"read", (int)jhj_hookread, &off_AC240);
jhj_HookLibcApi(v3, (int)"munmap", (int)jhj_hookmunmap, &off_AC228);
v6 = 1;
result = jhj_HookLibcApi(v3, (int)"msync", (int)jhj_hookmsync, off_AC230);
continue;
// State 3: sub_4BE78(100000, -1) (purpose not visible here), obtain the libc
// handle and hook __open / __openat; next state 7.
case 3:
sub_4BE78(100000, -1);
v3 = jhj_dlopen((int)"libc.so", 0);
jhj_HookLibcApi(v3, (int)"__open", (int)jhj_hook__open, &off_AC23C);
v6 = 7;
result = jhj_HookLibcApi(v3, (int)"__openat", (int)jhj_hook__openat, &off_AC238);
continue;
// State 4: hook one ART function — sub_4BAA4 yields the target, sub_4B664 is
// the replacement; next state 2.
case 4:
v10 = sub_4BAA4();
v6 = 2;
result = jhj_HooArtFunction(v10, (int)sub_4B664, off_AC224);
continue;
// State 5: final call through p…(result), then the epilogue.
case 5:
result = pFB65A3D3038290551DF5BDF56A950A91(result);
goto LABEL_28;
// State 6: install one extra hook whose target name is decrypted into v22 at
// runtime (so it is not visible as a string). The v12 expression is v7 mod 151
// computed by multiply-and-shift; v7 is 13421 on every path into this state
// (set just before `v6 = 6` / `v6 = 4` below), which by my arithmetic makes
// v12 == 133, v9 == 0, the inner loop run exactly once, and the next state
// 135 - 133 == 2. Any other v9 would spin forever — this reads as an opaque
// predicate hiding the constant state; TODO confirm.
case 6:
v12 = v7 - 151 * ((unsigned int)(55554 * v7) >> 23);
v22[0] = -1465444864;
v22[1] = 10598315;
v9 = (int **)(133 - v12);
while ( v9 != (int **)((char *)&dword_0 + 1) )
{
if ( !v9 )
{
v7 = 4361;
jhj_DecrypBytes((int)v22, 5, 210);
result = jhj_HookLibcApi(v3, (int)v22, (int)sub_4B664, off_AC224);
break;
}
}
v6 = 135 - v12;
goto LABEL_2;
// State 7: hook __mmap2, then two environment checks on system properties
// whose names are built byte-by-byte and decrypted with jhj_DecrypBytes (so
// the property names are only known at runtime).
//   1. If the first property's value contains "Pixelbook" -> LABEL_24 (state 4).
//   2. Otherwise compare the second property's value with a third decrypted
//      string (v17/v18): equal -> state 4; different -> consult the global
//      *pEB77…: <= 28 -> state 6 (extra hook), > 28 -> state 4.
// NOTE(review): 28 reads like an Android API level (Pie), which would make
// that global the device SDK version — confirm before relying on it.
case 7:
jhj_HookLibcApi(v3, (int)"__mmap2", (int)jhj_hook__mmap2, &off_AC248);
v16 = 0;
jhj_memset(v19, 0, 19);
v19[2] = -75;
v19[4] = -23;
v19[6] = -75;
v19[5] = -73;
v19[8] = -93;
v19[9] = -78;
v19[12] = -23;
v19[10] = -92;
v19[13] = -86;
v19[11] = -77;
v19[15] = -93;
v19[3] = -88;
v19[7] = -88;
v19[14] = -88;
v19[1] = 40;
v19[16] = -94;
v19[17] = -85;
jhj_DecrypBytes((int)v19, 16, 239);
jhj_GetSystemProperty((int)v19, v21, v11);
result = jhj_strstr(v21, "Pixelbook");
if ( result )
goto LABEL_24;
jhj_memset(v20, 0, 26);
v20[3] = -2;
v20[1] = 124;
v20[5] = -31;
v20[2] = -29;
v20[6] = -29;
v20[7] = -2;
v20[11] = -27;
v20[8] = -11;
v20[15] = -1;
v20[9] = -28;
v20[16] = -28;
v20[17] = -9;
v20[20] = -27;
v20[21] = -28;
v20[22] = -29;
v20[23] = -12;
v20[24] = -29;
v20[10] = -14;
v20[19] = -14;
v20[4] = -65;
v20[12] = -65;
v20[13] = -4;
v20[14] = -16;
v20[18] = -16;
jhj_DecrypBytes((int)v20, 23, 237);
jhj_GetSystemProperty((int)v20, v22, v13);
// memset of 7 bytes over v17[2] spills into the adjacent v18[4]: a
// stack-layout artefact of the decompilation — treat v17..v18 as one buffer.
result = jhj_memset(v17, 0, 7);
v9 = 0;
v17[1] = -26;
qmemcpy(v18, ")*(>", sizeof(v18));
v8 = 62;
// v9 is used as a tiny sub-state here: 0 = compare not done, 1 = values
// differ, 2 = values equal.
while ( 2 )
{
if ( v9 == (int **)((char *)&dword_0 + 1) )
{
v7 = 13421;
v9 = (int **)*pEB77A6F897F9B354B0478926205A1AC5_ptr;
if ( (int)*pEB77A6F897F9B354B0478926205A1AC5_ptr <= 28 )
v6 = 6;
else
v6 = 4;
goto LABEL_2;
}
if ( v9 != (int **)((char *)&dword_0 + 2) )
{
jhj_DecrypBytes((int)v17, 4, 156);
result = jhj_strcmp((int)v22, (int)v17);
if ( result )
v9 = (int **)(&dword_0 + 1);
else
v9 = (int **)(&dword_0 + 2);
continue;
}
break;
}
// Shared exit of state 7: go to state 4 (v7 is reset for state 6's arithmetic).
LABEL_24:
v6 = 4;
v7 = 13421;
break;
default:
goto LABEL_2;
}
}
}
// Epilogue: stack canary check, then return the last call's result.
LABEL_28:
if ( v23 != *v14 )
return jhj__stack_chk_fail(result);
return result;
}
并对art::OatFileManager::OpenDexFilesFromOat和art::ArtDexFileLoader::Open(std::string const&,unsigned int,art::MemMap &&,bool,bool,std::string*)一同进行hook
位于偏移:0x1E21C处反射调用getClassLoader获取了当前壳的ClassLoader并配合之前上述创建的jstring对象反射调用com.SecShell.SecShell.H中的
public static void f(ClassLoader arg6, "/data/user/0/com.fy.qqkp.new.mi/.cache/classes.jar", "/data/user/0/com.fy.qqkp.new.mi/.cache")方法和反射调用ff方法
反调试、注入、hook的处理也位于jni_onLoader中,如下:
偏移:0x59B08处的函数在循环判断当前进程的所有线程中的status文件中的Name是否跟frida相关(标识符:gmain和gum-js-loop)如果所属的线程的Status文件中的Name有gmain和gum-js-loop
且判断当前进程的/proc/pid/fd中是否包含了linjector,两个判断条件只要满足其中一个,就直接跳转到偏移:0x5F518处的函数关闭自身进程,相关代码如下(相关链接:[原创] frida常用检测点及其原理--一把梭方案-Android安全-看雪-安全社区|安全招聘|kanxue.com):
.text&ARM.extab:00059CB0 25 AD ADD R5, SP, #0x300+var_26C
.text&ARM.extab:00059CB2 00 21 MOVS R1, #0
.text&ARM.extab:00059CB4 0E 22 MOVS R2, #0xE
.text&ARM.extab:00059CB6 28 46 MOV R0, R5
.text&ARM.extab:00059CB8 B6 F7 76 EB BLX jhj_memset
.text&ARM.extab:00059CB8
.text&ARM.extab:00059CBC E3 22 MOVS R2, #0xE3
.text&ARM.extab:00059CBE 0B 21 MOVS R1, #0xB
.text&ARM.extab:00059CC0 AA 71 STRB R2, [R5,#6]
.text&ARM.extab:00059CC2 28 46 MOV R0, R5
.text&ARM.extab:00059CC4 FA 22 MOVS R2, #0xFA
.text&ARM.extab:00059CC6 EA 71 STRB R2, [R5,#7]
.text&ARM.extab:00059CC8 EC 22 MOVS R2, #0xEC
.text&ARM.extab:00059CCA 65 23 MOVS R3, #0x65 ; 'e'
.text&ARM.extab:00059CCC 6B 70 STRB R3, [R5,#1]
.text&ARM.extab:00059CCE EE 23 MOVS R3, #0xEE
.text&ARM.extab:00059CD0 AB 70 STRB R3, [R5,#2]
.text&ARM.extab:00059CD2 FC 23 MOVS R3, #0xFC
.text&ARM.extab:00059CD4 EB 70 STRB R3, [R5,#3]
.text&ARM.extab:00059CD6 E4 23 MOVS R3, #0xE4
.text&ARM.extab:00059CD8 2B 71 STRB R3, [R5,#4]
.text&ARM.extab:00059CDA A4 23 MOVS R3, #0xA4
.text&ARM.extab:00059CDC 6B 71 STRB R3, [R5,#5]
.text&ARM.extab:00059CDE 2B 72 STRB R3, [R5,#8]
.text&ARM.extab:00059CE0 E5 23 MOVS R3, #0xE5
.text&ARM.extab:00059CE2 6B 72 STRB R3, [R5,#9]
.text&ARM.extab:00059CE4 E6 23 MOVS R3, #0xE6
.text&ARM.extab:00059CE6 AB 72 STRB R3, [R5,#0xA]
.text&ARM.extab:00059CE8 EB 72 STRB R3, [R5,#0xB]
.text&ARM.extab:00059CEA F9 23 MOVS R3, #0xF9
.text&ARM.extab:00059CEC 2B 73 STRB R3, [R5,#0xC]
.text&ARM.extab:00059CEE FF F7 C7 FD BL jhj_DecryptString4 ; 解密得到字符串"gum-js-loop"
.text&ARM.extab:00059CEE ; gum-js-loop是Frida Gadget中的一个模块,用于在JavaScript代码中创建一个循环。
.text&ARM.extab:00059CEE ; Frida是一款功能强大的动态二进制分析工具,允许你在运行时对应用程序进行操作和监视。
.text&ARM.extab:00059CEE
.text&ARM.extab:00059CF2 23 AB ADD R3, SP, #0x300+var_274
.text&ARM.extab:00059CF4 4F F0 00 0C MOV.W R12, #0
.text&ARM.extab:00059CF8 72 22 MOVS R2, #0x72 ; 'r'
.text&ARM.extab:00059CFA CD F8 8C C0 STR.W R12, [SP,#0x300+var_274]
.text&ARM.extab:00059CFE CD F8 90 C0 STR.W R12, [SP,#0x300+var_270]
.text&ARM.extab:00059D02 18 46 MOV R0, R3
.text&ARM.extab:00059D04 8D F8 8D 20 STRB.W R2, [SP,#0x300+var_274+1]
.text&ARM.extab:00059D08 05 21 MOVS R1, #5
.text&ARM.extab:00059D0A D6 22 MOVS R2, #0xD6
.text&ARM.extab:00059D0C 8D F8 8E 20 STRB.W R2, [SP,#0x300+var_274+2]
.text&ARM.extab:00059D10 DC 22 MOVS R2, #0xDC
.text&ARM.extab:00059D12 8D F8 8F 20 STRB.W R2, [SP,#0x300+var_274+3]
.text&ARM.extab:00059D16 D0 22 MOVS R2, #0xD0
.text&ARM.extab:00059D18 8D F8 90 20 STRB.W R2, [SP,#0x300+var_270]
.text&ARM.extab:00059D1C D8 22 MOVS R2, #0xD8
.text&ARM.extab:00059D1E 8D F8 91 20 STRB.W R2, [SP,#0x300+var_270+1]
.text&ARM.extab:00059D22 DF 22 MOVS R2, #0xDF
.text&ARM.extab:00059D24 8D F8 92 20 STRB.W R2, [SP,#0x300+var_270+2]
.text&ARM.extab:00059D28 C3 22 MOVS R2, #0xC3
.text&ARM.extab:00059D2A CD F8 14 C0 STR.W R12, [SP,#0x300+var_2EC]
.text&ARM.extab:00059D2E 04 93 STR R3, [SP,#0x300+var_2F0]
.text&ARM.extab:00059D30 FF F7 A6 FD BL jhj_DecryptString4 ; 解密得到字符串"gmain"
.text&ARM.extab:00059D30
.text&ARM.extab:00059D34 38 46 MOV R0, R7
.text&ARM.extab:00059D36 29 46 MOV R1, R5
.text&ARM.extab:00059D38 FF F7 FA FB BL jhj_IsFridaThreadAnd_FD_IsHavelinjector ; 该函数的参数1为task的tid->status文件中的Name
.text&ARM.extab:00059D38 ; 参数二为具有frida标识的特征,该处为:gum-js-loop
.text&ARM.extab:00059D38
.text&ARM.extab:00059D3C 04 9B LDR R3, [SP,#0x300+var_2F0]
.text&ARM.extab:00059D3E DD F8 14 C0 LDR.W R12, [SP,#0x300+var_2EC]
.text&ARM.extab:00059D42 78 B9 CBNZ R0, loc_59D64
.text&ARM.extab:00059D42
.text&ARM.extab:00059D44 38 46 MOV R0, R7
.text&ARM.extab:00059D46 19 46 MOV R1, R3
.text&ARM.extab:00059D48 FF F7 F2 FB BL jhj_IsFridaThreadAnd_FD_IsHavelinjector ; 该函数的参数1为task的tid->status文件中的Name
.text&ARM.extab:00059D48 ; 参数二为具有frida标识的特征,该处为:gmain
偏移:0x601AA处调用pthread_create创建新线程1并在线程回调中进行如下反调试:
偏移:0x5F608处的函数在检测/proc/pid/status中的State和TracerPid属性(先检测State后检测TracerPid),两者如果都符合那么该函数直接返回1,否则0
.text&ARM.extab:0005F608 EXPORT jhj_CheckPidStatus
.text&ARM.extab:0005F608 jhj_CheckPidStatus ; CODE XREF: .text&ARM.extab:00060130↓p
.text&ARM.extab:0005F608 ; DATA XREF: LOAD:0000232C↑o
.text&ARM.extab:0005F608
.text&ARM.extab:0005F608 var_9F0= -0x9F0
.text&ARM.extab:0005F608 var_9EC= -0x9EC
.text&ARM.extab:0005F608 var_9E8= -0x9E8
.text&ARM.extab:0005F608 var_9E4= -0x9E4
.text&ARM.extab:0005F608 var_9DC= -0x9DC
.text&ARM.extab:0005F608 var_9D8= -0x9D8
.text&ARM.extab:0005F608 var_9D4= -0x9D4
.text&ARM.extab:0005F608 var_9D0= -0x9D0
.text&ARM.extab:0005F608 var_9CC= -0x9CC
.text&ARM.extab:0005F608 var_9C0= -0x9C0
.text&ARM.extab:0005F608 var_9B4= -0x9B4
.text&ARM.extab:0005F608 var_9A4= -0x9A4
.text&ARM.extab:0005F608 var_994= -0x994
.text&ARM.extab:0005F608 var_980= -0x980
.text&ARM.extab:0005F608 var_96C= -0x96C
.text&ARM.extab:0005F608 var_92C= -0x92C
.text&ARM.extab:0005F608 var_82C= -0x82C
.text&ARM.extab:0005F608 var_42C= -0x42C
.text&ARM.extab:0005F608 var_2C= -0x2C
.text&ARM.extab:0005F608
.text&ARM.extab:0005F608 ; __unwind { // 417B6000
.text&ARM.extab:0005F608 2D E9 F0 4F PUSH.W {R4-R11,LR}
.text&ARM.extab:0005F60C AD F6 CC 1D SUBW SP, SP, #0x9CC
.text&ARM.extab:0005F610 C8 4E LDR R6, =(off_A2984 - 0x5F61C)
.text&ARM.extab:0005F612 17 AC ADD R4, SP, #0x9F0+var_994
.text&ARM.extab:0005F614 80 46 MOV R8, R0
.text&ARM.extab:0005F616 00 21 MOVS R1, #0
.text&ARM.extab:0005F618 7E 44 ADD R6, PC ; off_A2984
.text&ARM.extab:0005F61A 36 68 LDR R6, [R6]
.text&ARM.extab:0005F61C 20 46 MOV R0, R4
.text&ARM.extab:0005F61E 13 22 MOVS R2, #0x13
.text&ARM.extab:0005F620 0D F1 C4 0A ADD.W R10, SP, #0x9F0+var_92C
.text&ARM.extab:0005F624 33 68 LDR R3, [R6]
.text&ARM.extab:0005F626 4F F0 08 0B MOV.W R11, #8
.text&ARM.extab:0005F62A 09 25 MOVS R5, #9
.text&ARM.extab:0005F62C 0E 27 MOVS R7, #0xE
.text&ARM.extab:0005F62E 4F F0 00 09 MOV.W R9, #0
.text&ARM.extab:0005F632 CD F8 C4 39 STR.W R3, [SP,#0x9F0+var_2C]
.text&ARM.extab:0005F636 B0 F7 B8 EE BLX jhj_memset
.text&ARM.extab:0005F636
.text&ARM.extab:0005F63A 0B 22 MOVS R2, #0xB
.text&ARM.extab:0005F63C 20 46 MOV R0, R4
.text&ARM.extab:0005F63E E2 70 STRB R2, [R4,#3]
.text&ARM.extab:0005F640 10 21 MOVS R1, #0x10
.text&ARM.extab:0005F642 14 22 MOVS R2, #0x14
.text&ARM.extab:0005F644 62 71 STRB R2, [R4,#5]
.text&ARM.extab:0005F646 18 22 MOVS R2, #0x18
.text&ARM.extab:0005F648 A2 71 STRB R2, [R4,#6]
.text&ARM.extab:0005F64A 5E 22 MOVS R2, #0x5E ; '^'
.text&ARM.extab:0005F64C 22 72 STRB R2, [R4,#8]
.text&ARM.extab:0005F64E 17 22 MOVS R2, #0x17
.text&ARM.extab:0005F650 62 72 STRB R2, [R4,#9]
.text&ARM.extab:0005F652 1F 22 MOVS R2, #0x1F
.text&ARM.extab:0005F654 A2 72 STRB R2, [R4,#0xA]
.text&ARM.extab:0005F656 1A 22 MOVS R2, #0x1A
.text&ARM.extab:0005F658 A2 73 STRB R2, [R4,#0xE]
.text&ARM.extab:0005F65A E1 22 MOVS R2, #0xE1
.text&ARM.extab:0005F65C 9A 23 MOVS R3, #0x9A
.text&ARM.extab:0005F65E 25 71 STRB R5, [R4,#4]
.text&ARM.extab:0005F660 63 70 STRB R3, [R4,#1]
.text&ARM.extab:0005F662 54 23 MOVS R3, #0x54 ; 'T'
.text&ARM.extab:0005F664 84 F8 0C B0 STRB.W R11, [R4,#0xC]
.text&ARM.extab:0005F668 A3 70 STRB R3, [R4,#2]
.text&ARM.extab:0005F66A E3 71 STRB R3, [R4,#7]
.text&ARM.extab:0005F66C E3 72 STRB R3, [R4,#0xB]
.text&ARM.extab:0005F66E 0F 23 MOVS R3, #0xF
.text&ARM.extab:0005F670 27 74 STRB R7, [R4,#0x10]
.text&ARM.extab:0005F672 63 73 STRB R3, [R4,#0xD]
.text&ARM.extab:0005F674 E3 73 STRB R3, [R4,#0xF]
.text&ARM.extab:0005F676 84 F8 11 B0 STRB.W R11, [R4,#0x11]
.text&ARM.extab:0005F67A FF F7 5D FF BL jhj_DecryptString5 ; 解密得到字符串"/proc/%ld/status"
.text&ARM.extab:0005F67A
.text&ARM.extab:0005F67E 22 46 MOV R2, R4
.text&ARM.extab:0005F680 06 AC ADD R4, SP, #0x9F0+var_9D8
.text&ARM.extab:0005F682 43 46 MOV R3, R8
.text&ARM.extab:0005F684 50 46 MOV R0, R10
.text&ARM.extab:0005F686 4F F4 80 71 MOV.W R1, #0x100
.text&ARM.extab:0005F68A DF F8 AC 82 LDR.W R8, =(g_func_map_ptr - 0x5F6B0)
.text&ARM.extab:0005F68E 39 F0 23 FC BL jhj_format1 ; 格式化字符串"/proc/pid/status"
.text&ARM.extab:0005F68E
.text&ARM.extab:0005F692 01 21 MOVS R1, #1
.text&ARM.extab:0005F694 D6 22 MOVS R2, #0xD6
.text&ARM.extab:0005F696 20 46 MOV R0, R4
.text&ARM.extab:0005F698 CD F8 18 90 STR.W R9, [SP,#0x9F0+var_9D8]
.text&ARM.extab:0005F69C 5A 23 MOVS R3, #0x5A ; 'Z'
.text&ARM.extab:0005F69E 8D F8 19 30 STRB.W R3, [SP,#0x9F0+var_9D8+1]
.text&ARM.extab:0005F6A2 FE 23 MOVS R3, #0xFE
.text&ARM.extab:0005F6A4 8D F8 1A 30 STRB.W R3, [SP,#0x9F0+var_9D8+2]
.text&ARM.extab:0005F6A8 FF F7 46 FF BL jhj_DecryptString5 ; 解密得到字符串"r"
.text&ARM.extab:0005F6A8
.text&ARM.extab:0005F6AC F8 44 ADD R8, PC ; g_func_map_ptr
.text&ARM.extab:0005F6AE D8 F8 00 80 LDR.W R8, [R8] ; g_func_map
.text&ARM.extab:0005F6B2 50 46 MOV R0, R10
.text&ARM.extab:0005F6B4 21 46 MOV R1, R4
.text&ARM.extab:0005F6B6 D8 F8 00 30 LDR.W R3, [R8]
.text&ARM.extab:0005F6BA 98 47 BLX R3 ; dword_0 ; fopen("/proc/pid/status", "r")
.text&ARM.extab:0005F6BA
.text&ARM.extab:0005F6BC 01 96 STR R6, [SP,#0x9F0+var_9EC]
.text&ARM.extab:0005F6BE 82 46 MOV R10, R0
.text&ARM.extab:0005F6C0 00 28 CMP R0, #0
.text&ARM.extab:0005F6C2 00 F0 28 81 BEQ.W loc_5F916
.text&ARM.extab:0005F6C2
.text&ARM.extab:0005F6C6 0F AC ADD R4, SP, #0x9F0+var_9B4
.text&ARM.extab:0005F6C8 05 AB ADD R3, SP, #0x9F0+var_9DC
.text&ARM.extab:0005F6CA 09 AE ADD R6, SP, #0x9F0+var_9CC
.text&ARM.extab:0005F6CC 49 46 MOV R1, R9
.text&ARM.extab:0005F6CE 0D 22 MOVS R2, #0xD
.text&ARM.extab:0005F6D0 20 46 MOV R0, R4
.text&ARM.extab:0005F6D2 C3 F8 00 90 STR.W R9, [R3]
.text&ARM.extab:0005F6D6 00 93 STR R3, [SP,#0x9F0+var_9F0]
.text&ARM.extab:0005F6D8 B0 F7 66 EE BLX jhj_memset
.text&ARM.extab:0005F6D8
.text&ARM.extab:0005F6DC C8 22 MOVS R2, #0xC8
.text&ARM.extab:0005F6DE 0A 21 MOVS R1, #0xA
.text&ARM.extab:0005F6E0 22 71 STRB R2, [R4,#4]
.text&ARM.extab:0005F6E2 20 46 MOV R0, R4
.text&ARM.extab:0005F6E4 CA 22 MOVS R2, #0xCA
.text&ARM.extab:0005F6E6 62 71 STRB R2, [R4,#5]
.text&ARM.extab:0005F6E8 CC 22 MOVS R2, #0xCC
.text&ARM.extab:0005F6EA A2 71 STRB R2, [R4,#6]
.text&ARM.extab:0005F6EC DC 22 MOVS R2, #0xDC
.text&ARM.extab:0005F6EE 75 23 MOVS R3, #0x75 ; 'u'
.text&ARM.extab:0005F6F0 63 70 STRB R3, [R4,#1]
.text&ARM.extab:0005F6F2 FD 23 MOVS R3, #0xFD
.text&ARM.extab:0005F6F4 A3 70 STRB R3, [R4,#2]
.text&ARM.extab:0005F6F6 DB 23 MOVS R3, #0xDB
.text&ARM.extab:0005F6F8 E3 70 STRB R3, [R4,#3]
.text&ARM.extab:0005F6FA E3 71 STRB R3, [R4,#7]
.text&ARM.extab:0005F6FC F9 23 MOVS R3, #0xF9
.text&ARM.extab:0005F6FE 23 72 STRB R3, [R4,#8]
.text&ARM.extab:0005F700 C0 23 MOVS R3, #0xC0
.text&ARM.extab:0005F702 63 72 STRB R3, [R4,#9]
.text&ARM.extab:0005F704 CD 23 MOVS R3, #0xCD
.text&ARM.extab:0005F706 A3 72 STRB R3, [R4,#0xA]
.text&ARM.extab:0005F708 93 23 MOVS R3, #0x93
.text&ARM.extab:0005F70A E3 72 STRB R3, [R4,#0xB]
.text&ARM.extab:0005F70C FF F7 14 FF BL jhj_DecryptString5 ; 解密得到字符串"TracerPid"
.text&ARM.extab:0005F70C
.text&ARM.extab:0005F710 2A 46 MOV R2, R5
.text&ARM.extab:0005F712 49 46 MOV R1, R9
.text&ARM.extab:0005F714 13 AD ADD R5, SP, #0x9F0+var_9A4
.text&ARM.extab:0005F716 30 46 MOV R0, R6
.text&ARM.extab:0005F718 B0 F7 46 EE BLX jhj_memset
.text&ARM.extab:0005F718
.text&ARM.extab:0005F71C 0C 22 MOVS R2, #0xC
.text&ARM.extab:0005F71E 06 21 MOVS R1, #6
.text&ARM.extab:0005F720 32 71 STRB R2, [R6,#4]
.text&ARM.extab:0005F722 30 46 MOV R0, R6
.text&ARM.extab:0005F724 57 22 MOVS R2, #0x57 ; 'W'
.text&ARM.extab:0005F726 F2 71 STRB R2, [R6,#7]
.text&ARM.extab:0005F728 BB 22 MOVS R2, #0xBB
.text&ARM.extab:0005F72A 86 F8 06 B0 STRB.W R11, [R6,#6]
.text&ARM.extab:0005F72E D6 23 MOVS R3, #0xD6
.text&ARM.extab:0005F730 73 70 STRB R3, [R6,#1]
.text&ARM.extab:0005F732 3E 23 MOVS R3, #0x3E ; '>'
.text&ARM.extab:0005F734 B3 70 STRB R3, [R6,#2]
.text&ARM.extab:0005F736 19 23 MOVS R3, #0x19
.text&ARM.extab:0005F738 F3 70 STRB R3, [R6,#3]
.text&ARM.extab:0005F73A 73 71 STRB R3, [R6,#5]
.text&ARM.extab:0005F73C 02 93 STR R3, [SP,#0x9F0+var_9E8]
.text&ARM.extab:0005F73E FF F7 FB FE BL jhj_DecryptString5 ; 解密得到字符串"State:"
.text&ARM.extab:0005F73E
.text&ARM.extab:0005F742 3A 46 MOV R2, R7
.text&ARM.extab:0005F744 49 46 MOV R1, R9
.text&ARM.extab:0005F746 28 46 MOV R0, R5
.text&ARM.extab:0005F748 0C AF ADD R7, SP, #0x9F0+var_9C0
.text&ARM.extab:0005F74A B0 F7 2E EE BLX jhj_memset
.text&ARM.extab:0005F74A
.text&ARM.extab:0005F74E 5E 23 MOVS R3, #0x5E ; '^'
.text&ARM.extab:0005F750 2B 71 STRB R3, [R5,#4]
.text&ARM.extab:0005F752 A2 22 MOVS R2, #0xA2
.text&ARM.extab:0005F754 02 9B LDR R3, [SP,#0x9F0+var_9E8]
.text&ARM.extab:0005F756 0B 21 MOVS R1, #0xB
.text&ARM.extab:0005F758 6A 70 STRB R2, [R5,#1]
.text&ARM.extab:0005F75A 28 46 MOV R0, R5
.text&ARM.extab:0005F75C 22 22 MOVS R2, #0x22 ; '"'
.text&ARM.extab:0005F75E AA 70 STRB R2, [R5,#2]
.text&ARM.extab:0005F760 56 22 MOVS R2, #0x56 ; 'V'
.text&ARM.extab:0005F762 EA 70 STRB R2, [R5,#3]
.text&ARM.extab:0005F764 05 22 MOVS R2, #5
.text&ARM.extab:0005F766 6A 71 STRB R2, [R5,#5]
.text&ARM.extab:0005F768 12 22 MOVS R2, #0x12
.text&ARM.extab:0005F76A EA 72 STRB R2, [R5,#0xB]
.text&ARM.extab:0005F76C 5F 22 MOVS R2, #0x5F ; '_'
.text&ARM.extab:0005F76E 2A 73 STRB R2, [R5,#0xC]
.text&ARM.extab:0005F770 D4 22 MOVS R2, #0xD4
.text&ARM.extab:0005F772 4F F0 02 0C MOV.W R12, #2
.text&ARM.extab:0005F776 EB 71 STRB R3, [R5,#7]
.text&ARM.extab:0005F778 06 23 MOVS R3, #6
.text&ARM.extab:0005F77A 85 F8 06 C0 STRB.W R12, [R5,#6]
.text&ARM.extab:0005F77E CD F8 0C C0 STR.W R12, [SP,#0x9F0+var_9E4]
.text&ARM.extab:0005F782 2B 72 STRB R3, [R5,#8]
.text&ARM.extab:0005F784 6B 72 STRB R3, [R5,#9]
.text&ARM.extab:0005F786 02 93 STR R3, [SP,#0x9F0+var_9E8]
.text&ARM.extab:0005F788 13 23 MOVS R3, #0x13
.text&ARM.extab:0005F78A AB 72 STRB R3, [R5,#0xA]
.text&ARM.extab:0005F78C FF F7 D4 FE BL jhj_DecryptString5 ; 解密得到字符串"T (stopped)"
.text&ARM.extab:0005F78C
.text&ARM.extab:0005F790 49 46 MOV R1, R9
.text&ARM.extab:0005F792 0B 22 MOVS R2, #0xB
.text&ARM.extab:0005F794 38 46 MOV R0, R7
.text&ARM.extab:0005F796 B0 F7 08 EE BLX jhj_memset
.text&ARM.extab:0005F796
.text&ARM.extab:0005F79A DD F8 0C C0 LDR.W R12, [SP,#0x9F0+var_9E4]
.text&ARM.extab:0005F79E 0D 23 MOVS R3, #0xD
.text&ARM.extab:0005F7A0 BB 71 STRB R3, [R7,#6]
.text&ARM.extab:0005F7A2 02 9B LDR R3, [SP,#0x9F0+var_9E8]
.text&ARM.extab:0005F7A4 59 46 MOV R1, R11
.text&ARM.extab:0005F7A6 0D F1 70 0B ADD.W R11, SP, #0x9F0+var_980
.text&ARM.extab:0005F7AA B0 22 MOVS R2, #0xB0
.text&ARM.extab:0005F7AC 38 46 MOV R0, R7
.text&ARM.extab:0005F7AE 7A 70 STRB R2, [R7,#1]
.text&ARM.extab:0005F7B0 47 22 MOVS R2, #0x47 ; 'G'
.text&ARM.extab:0005F7B2 BA 70 STRB R2, [R7,#2]
.text&ARM.extab:0005F7B4 15 22 MOVS R2, #0x15
.text&ARM.extab:0005F7B6 FA 70 STRB R2, [R7,#3]
.text&ARM.extab:0005F7B8 DF 22 MOVS R2, #0xDF
.text&ARM.extab:0005F7BA 87 F8 05 C0 STRB.W R12, [R7,#5]
.text&ARM.extab:0005F7BE FB 71 STRB R3, [R7,#7]
.text&ARM.extab:0005F7C0 0A 23 MOVS R3, #0xA
.text&ARM.extab:0005F7C2 3B 72 STRB R3, [R7,#8]
.text&ARM.extab:0005F7C4 46 23 MOVS R3, #0x46 ; 'F'
.text&ARM.extab:0005F7C6 7B 72 STRB R3, [R7,#9]
.text&ARM.extab:0005F7C8 FF F7 B6 FE BL jhj_DecryptString5 ; 解密得到字符串"(zombie)"
.text&ARM.extab:0005F7C8
.text&ARM.extab:0005F7CC 49 46 MOV R1, R9
.text&ARM.extab:0005F7CE 13 22 MOVS R2, #0x13
.text&ARM.extab:0005F7D0 58 46 MOV R0, R11
.text&ARM.extab:0005F7D2 0D F5 E2 79 ADD.W R9, SP, #0x9F0+var_82C
.text&ARM.extab:0005F7D6 B0 F7 E8 ED BLX jhj_memset
.text&ARM.extab:0005F7D6
.text&ARM.extab:0005F7DA 80 22 MOVS R2, #0x80
.text&ARM.extab:0005F7DC 88 21 MOVS R1, #0x88
.text&ARM.extab:0005F7DE 8B F8 03 20 STRB.W R2, [R11,#3]
.text&ARM.extab:0005F7E2 8B F8 04 10 STRB.W R1, [R11,#4]
.text&ARM.extab:0005F7E6 58 46 MOV R0, R11
.text&ARM.extab:0005F7E8 D2 21 MOVS R1, #0xD2
.text&ARM.extab:0005F7EA 8B F8 0C 20 STRB.W R2, [R11,#0xC]
.text&ARM.extab:0005F7EE 8B F8 06 10 STRB.W R1, [R11,#6]
.text&ARM.extab:0005F7F2 D3 22 MOVS R2, #0xD3
.text&ARM.extab:0005F7F4 C1 21 MOVS R1, #0xC1
.text&ARM.extab:0005F7F6 8B F8 07 10 STRB.W R1, [R11,#7]
.text&ARM.extab:0005F7FA C3 21 MOVS R1, #0xC3
.text&ARM.extab:0005F7FC 8B F8 08 10 STRB.W R1, [R11,#8]
.text&ARM.extab:0005F800 C9 21 MOVS R1, #0xC9
.text&ARM.extab:0005F802 8B F8 09 10 STRB.W R1, [R11,#9]
.text&ARM.extab:0005F806 CE 21 MOVS R1, #0xCE
.text&ARM.extab:0005F808 8B F8 0A 10 STRB.W R1, [R11,#0xA]
.text&ARM.extab:0005F80C C7 21 MOVS R1, #0xC7
.text&ARM.extab:0005F80E 8B F8 0B 10 STRB.W R1, [R11,#0xB]
.text&ARM.extab:0005F812 10 21 MOVS R1, #0x10
.text&ARM.extab:0005F814 73 23 MOVS R3, #0x73 ; 's'
.text&ARM.extab:0005F816 8B F8 0D 20 STRB.W R2, [R11,#0xD]
.text&ARM.extab:0005F81A 8B F8 01 30 STRB.W R3, [R11,#1]
.text&ARM.extab:0005F81E D4 23 MOVS R3, #0xD4
.text&ARM.extab:0005F820 8B F8 02 30 STRB.W R3, [R11,#2]
.text&ARM.extab:0005F824 8B F8 05 30 STRB.W R3, [R11,#5]
.text&ARM.extab:0005F828 8B F8 0E 30 STRB.W R3, [R11,#0xE]
.text&ARM.extab:0005F82C CF 23 MOVS R3, #0xCF
.text&ARM.extab:0005F82E 8B F8 0F 30 STRB.W R3, [R11,#0xF]
.text&ARM.extab:0005F832 D0 23 MOVS R3, #0xD0
.text&ARM.extab:0005F834 8B F8 10 30 STRB.W R3, [R11,#0x10]
.text&ARM.extab:0005F838 89 23 MOVS R3, #0x89
.text&ARM.extab:0005F83A 8B F8 11 30 STRB.W R3, [R11,#0x11]
.text&ARM.extab:0005F83E FF F7 7B FE BL jhj_DecryptString5 ; 解密得到字符串"t (tracing stop)"
.text&ARM.extab:0005F83E
.text&ARM.extab:0005F842
.text&ARM.extab:0005F842 loc_5F842 ; CODE XREF: jhj_CheckPidStatus+25E↓j
.text&ARM.extab:0005F842 ; jhj_CheckPidStatus+288↓j
.text&ARM.extab:0005F842 D8 F8 08 30 LDR.W R3, [R8,#(off_AB7EC - 0xAB7E4)]
.text&ARM.extab:0005F846 48 46 MOV R0, R9
.text&ARM.extab:0005F848 4F F4 80 61 MOV.W R1, #0x400
.text&ARM.extab:0005F84C 52 46 MOV R2, R10
.text&ARM.extab:0005F84E 98 47 BLX R3 ; dword_0 ; fgets
.text&ARM.extab:0005F84E
.text&ARM.extab:0005F850 00 28 CMP R0, #0
.text&ARM.extab:0005F852 54 D0 BEQ loc_5F8FE
.text&ARM.extab:0005F852
.text&ARM.extab:0005F854 30 46 MOV R0, R6
.text&ARM.extab:0005F856 B0 F7 84 ED BLX jhj_strlen
.text&ARM.extab:0005F856
.text&ARM.extab:0005F85A 31 46 MOV R1, R6
.text&ARM.extab:0005F85C 02 46 MOV R2, R0
.text&ARM.extab:0005F85E 48 46 MOV R0, R9
.text&ARM.extab:0005F860 B0 F7 78 ED BLX jhj_strncmp
.text&ARM.extab:0005F860
.text&ARM.extab:0005F864 00 28 CMP R0, #0
.text&ARM.extab:0005F866 EC D1 BNE loc_5F842
.text&ARM.extab:0005F866
.text&ARM.extab:0005F868 48 46 MOV R0, R9
.text&ARM.extab:0005F86A 29 46 MOV R1, R5
.text&ARM.extab:0005F86C B0 F7 EE EF BLX jhj_strcasestr ; 查找字符串且不分大小写
.text&ARM.extab:0005F86C ; 此处查找的字串为"T (stopped)"
.text&ARM.extab:0005F86C
.text&ARM.extab:0005F870 78 B9 CBNZ R0, loc_5F892
.text&ARM.extab:0005F870
.text&ARM.extab:0005F872 48 46 MOV R0, R9
.text&ARM.extab:0005F874 39 46 MOV R1, R7
.text&ARM.extab:0005F876 B0 F7 EA EF BLX jhj_strcasestr ; 此处需要查找的字符串为"(zombie)"
.text&ARM.extab:0005F876
.text&ARM.extab:0005F87A 50 B9 CBNZ R0, loc_5F892
.text&ARM.extab:0005F87A
.text&ARM.extab:0005F87C 48 46 MOV R0, R9
.text&ARM.extab:0005F87E 59 46 MOV R1, R11
.text&ARM.extab:0005F880 B0 F7 E4 EF BLX jhj_strcasestr ; 此处需要查找的字符串为"t (tracing stop)"
.text&ARM.extab:0005F880
.text&ARM.extab:0005F884 28 B9 CBNZ R0, loc_5F892
.text&ARM.extab:0005F884
.text&ARM.extab:0005F886 2D 4B LDR R3, =(p3906CEE43A636FED71D0E81D64568947_ptr - 0x5F88C)
.text&ARM.extab:0005F888 7B 44 ADD R3, PC ; p3906CEE43A636FED71D0E81D64568947_ptr
.text&ARM.extab:0005F88A 1B 68 LDR R3, [R3] ; p3906CEE43A636FED71D0E81D64568947
.text&ARM.extab:0005F88C 1B 68 LDR R3, [R3]
.text&ARM.extab:0005F88E 00 2B CMP R3, #0
.text&ARM.extab:0005F890 D7 D1 BNE loc_5F842
.text&ARM.extab:0005F890
.text&ARM.extab:0005F892
.text&ARM.extab:0005F892 loc_5F892 ; CODE XREF: jhj_CheckPidStatus+268↑j
.text&ARM.extab:0005F892 ; jhj_CheckPidStatus+272↑j
.text&ARM.extab:0005F892 ; jhj_CheckPidStatus+27C↑j
.text&ARM.extab:0005F892 0D F2 C4 55 ADDW R5, SP, #0x9F0+var_42C
.text&ARM.extab:0005F892
.text&ARM.extab:0005F896
.text&ARM.extab:0005F896 loc_5F896 ; CODE XREF: jhj_CheckPidStatus+2B0↓j
.text&ARM.extab:0005F896 D8 F8 08 30 LDR.W R3, [R8,#(off_AB7EC - 0xAB7E4)]
.text&ARM.extab:0005F89A 28 46 MOV R0, R5
.text&ARM.extab:0005F89C 4F F4 80 61 MOV.W R1, #0x400
.text&ARM.extab:0005F8A0 52 46 MOV R2, R10
.text&ARM.extab:0005F8A2 98 47 BLX R3 ; dword_0 ; fgets
.text&ARM.extab:0005F8A2
.text&ARM.extab:0005F8A4 40 B3 CBZ R0, loc_5F8F8
.text&ARM.extab:0005F8A4
.text&ARM.extab:0005F8A6 20 46 MOV R0, R4
.text&ARM.extab:0005F8A8 B0 F7 5A ED BLX jhj_strlen
.text&ARM.extab:0005F8A8
.text&ARM.extab:0005F8AC 21 46 MOV R1, R4
.text&ARM.extab:0005F8AE 02 46 MOV R2, R0
.text&ARM.extab:0005F8B0 28 46 MOV R0, R5
.text&ARM.extab:0005F8B2 B0 F7 50 ED BLX jhj_strncmp
.text&ARM.extab:0005F8B2
.text&ARM.extab:0005F8B6 00 28 CMP R0, #0
.text&ARM.extab:0005F8B8 ED D1 BNE loc_5F896
.text&ARM.extab:0005F8B8
.text&ARM.extab:0005F8BA 07 AC ADD R4, SP, #0x9F0+var_9D4
.text&ARM.extab:0005F8BC 07 90 STR R0, [SP,#0x9F0+var_9D4]
.text&ARM.extab:0005F8BE 08 90 STR R0, [SP,#0x9F0+var_9D0]
.text&ARM.extab:0005F8C0 0D 22 MOVS R2, #0xD
.text&ARM.extab:0005F8C2 05 21 MOVS R1, #5
.text&ARM.extab:0005F8C4 8D F8 1F 20 STRB.W R2, [SP,#0x9F0+var_9D4+3]
.text&ARM.extab:0005F8C8 20 46 MOV R0, R4
.text&ARM.extab:0005F8CA 5E 22 MOVS R2, #0x5E ; '^'
.text&ARM.extab:0005F8CC 8D F8 20 20 STRB.W R2, [SP,#0x9F0+var_9D0]
.text&ARM.extab:0005F8D0 A0 22 MOVS R2, #0xA0
.text&ARM.extab:0005F8D2 DE 23 MOVS R3, #0xDE
.text&ARM.extab:0005F8D4 8D F8 1D 30 STRB.W R3, [SP,#0x9F0+var_9D4+1]
.text&ARM.extab:0005F8D8 5B 23 MOVS R3, #0x5B ; '['
.text&ARM.extab:0005F8DA 8D F8 1E 30 STRB.W R3, [SP,#0x9F0+var_9D4+2]
.text&ARM.extab:0005F8DE 8D F8 21 30 STRB.W R3, [SP,#0x9F0+var_9D0+1]
.text&ARM.extab:0005F8E2 1A 23 MOVS R3, #0x1A
.text&ARM.extab:0005F8E4 8D F8 22 30 STRB.W R3, [SP,#0x9F0+var_9D0+2]
.text&ARM.extab:0005F8E8 FF F7 26 FE BL jhj_DecryptString5 ; 解密得到字符串"%s %d"
.text&ARM.extab:0005F8E8
.text&ARM.extab:0005F8EC 28 46 MOV R0, R5
.text&ARM.extab:0005F8EE 21 46 MOV R1, R4
.text&ARM.extab:0005F8F0 21 AA ADD R2, SP, #0x9F0+var_96C
.text&ARM.extab:0005F8F2 00 9B LDR R3, [SP,#0x9F0+var_9F0]
.text&ARM.extab:0005F8F4 B0 F7 54 EE BLX jhj_sscanf
.text&ARM.extab:0005F8F4
.text&ARM.extab:0005F8F8
.text&ARM.extab:0005F8F8 loc_5F8F8 ; CODE XREF: jhj_CheckPidStatus+29C↑j
.text&ARM.extab:0005F8F8 00 9B LDR R3, [SP,#0x9F0+var_9F0]
.text&ARM.extab:0005F8FA 1C 68 LDR R4, [R3]
.text&ARM.extab:0005F8FC 0C B9 CBNZ R4, loc_5F902
.text&ARM.extab:0005F8FC
.text&ARM.extab:0005F8FE
.text&ARM.extab:0005F8FE loc_5F8FE ; CODE XREF: jhj_CheckPidStatus+24A↑j
.text&ARM.extab:0005F8FE 00 24 MOVS R4, #0
.text&ARM.extab:0005F900 04 E0 B loc_5F90C
.text&ARM.extab:0005F900
.text&ARM.extab:0005F902 ; ---------------------------------------------------------------------------
.text&ARM.extab:0005F902
.text&ARM.extab:0005F902 loc_5F902 ; CODE XREF: jhj_CheckPidStatus+2F4↑j
.text&ARM.extab:0005F902 B0 F7 B8 ED BLX jhj_getpid
.text&ARM.extab:0005F902
.text&ARM.extab:0005F906 24 1A SUBS R4, R4, R0
.text&ARM.extab:0005F908 18 BF IT NE
.text&ARM.extab:0005F90A 01 24 MOVNE R4, #1
.text&ARM.extab:0005F90A
.text&ARM.extab:0005F90C
.text&ARM.extab:0005F90C loc_5F90C ; CODE XREF: jhj_CheckPidStatus+2F8↑j
.text&ARM.extab:0005F90C D8 F8 04 30 LDR.W R3, [R8,#(off_AB7E8 - 0xAB7E4)]
.text&ARM.extab:0005F910 50 46 MOV R0, R10
.text&ARM.extab:0005F912 98 47 BLX R3 ; dword_0 ; fclose
.text&ARM.extab:0005F912
.text&ARM.extab:0005F914 00 E0 B loc_5F918
.text&ARM.extab:0005F914
.text&ARM.extab:0005F916 ; ---------------------------------------------------------------------------
.text&ARM.extab:0005F916
.text&ARM.extab:0005F916 loc_5F916 ; CODE XREF: jhj_CheckPidStatus+BA↑j
.text&ARM.extab:0005F916 04 46 MOV R4, R0
.text&ARM.extab:0005F916
.text&ARM.extab:0005F918
.text&ARM.extab:0005F918 loc_5F918 ; CODE XREF: jhj_CheckPidStatus+30C↑j
.text&ARM.extab:0005F918 01 9B LDR R3, [SP,#0x9F0+var_9EC]
.text&ARM.extab:0005F91A 20 46 MOV R0, R4
.text&ARM.extab:0005F91C DD F8 C4 29 LDR.W R2, [SP,#0x9F0+var_2C]
.text&ARM.extab:0005F920 1B 68 LDR R3, [R3]
.text&ARM.extab:0005F922 9A 42 CMP R2, R3
.text&ARM.extab:0005F924 01 D0 BEQ loc_5F92A
.text&ARM.extab:0005F924
.text&ARM.extab:0005F926 B0 F7 10 ED BLX jhj__stack_chk_fail
.text&ARM.extab:0005F926
.text&ARM.extab:0005F92A
.text&ARM.extab:0005F92A loc_5F92A ; CODE XREF: jhj_CheckPidStatus+31C↑j
.text&ARM.extab:0005F92A 0D F6 CC 1D ADDW SP, SP, #0x9CC
.text&ARM.extab:0005F92E BD E8 F0 8F POP.W {R4-R11,PC}
偏移 0x5FAD4 处的函数会逐个检查该进程每个线程的 status 文件，只要在其中发现调试的踪迹就直接返回 1。
.text&ARM.extab:0005FAD4 jhj_CheckAllTidStatus ; CODE XREF: .text&ARM.extab:00060068↓p
.text&ARM.extab:0005FAD4 ; DATA XREF: LOAD:0000235C↑o
.text&ARM.extab:0005FAD4 ; __unwind { // 417B6000
.text&ARM.extab:0005FAD4 DF F8 44 25 LDR.W R2, =(off_A2984 - 0x5FAE2)
.text&ARM.extab:0005FAD8 00 21 MOVS R1, #0
.text&ARM.extab:0005FADA 2D E9 F0 4F PUSH.W {R4-R11,LR}
.text&ARM.extab:0005FADE 7A 44 ADD R2, PC ; off_A2984
.text&ARM.extab:0005FAE0 12 68 LDR R2, [R2]
.text&ARM.extab:0005FAE2 AD F6 14 3D SUBW SP, SP, #0xB14
.text&ARM.extab:0005FAE6 13 68 LDR R3, [R2]
.text&ARM.extab:0005FAE8 0D F5 43 7A ADD.W R10, SP, #0x30C
.text&ARM.extab:0005FAEC 04 90 STR R0, [SP,#0x10]
.text&ARM.extab:0005FAEE 0C 91 STR R1, [SP,#0x30]
.text&ARM.extab:0005FAF0 CD F8 0C 3B STR.W R3, [SP,#0xB0C]
.text&ARM.extab:0005FAF4 0B 91 STR R1, [SP,#0x2C]
.text&ARM.extab:0005FAF6 0B 9B LDR R3, [SP,#0x2C]
.text&ARM.extab:0005FAF8 07 92 STR R2, [SP,#0x1C]
.text&ARM.extab:0005FAF8
.text&ARM.extab:0005FAFA
.text&ARM.extab:0005FAFA loc_5FAFA ; CODE XREF: .text&ARM.extab:0005FFFE↓j
.text&ARM.extab:0005FAFA 0C AB ADD R3, SP, #0x30 ; '0'
.text&ARM.extab:0005FAFC 19 68 LDR R1, [R3]
.text&ARM.extab:0005FAFC
.text&ARM.extab:0005FAFE
.text&ARM.extab:0005FAFE loc_5FAFE ; CODE XREF: .text&ARM.extab:0005FB06↓j
.text&ARM.extab:0005FAFE 01 29 CMP R1, #1
.text&ARM.extab:0005FB00 00 F0 87 82 BEQ.W loc_60012
.text&ARM.extab:0005FB00
.text&ARM.extab:0005FB04 00 29 CMP R1, #0
.text&ARM.extab:0005FB06 FA D1 BNE loc_5FAFE
.text&ARM.extab:0005FB06
.text&ARM.extab:0005FB08 22 AC ADD R4, SP, #0x88
.text&ARM.extab:0005FB0A 12 22 MOVS R2, #0x12
.text&ARM.extab:0005FB0C 20 46 MOV R0, R4
.text&ARM.extab:0005FB0E B0 F7 4C EC BLX jhj_memset
.text&ARM.extab:0005FB0E
.text&ARM.extab:0005FB12 30 23 MOVS R3, #0x30 ; '0'
.text&ARM.extab:0005FB14 63 70 STRB R3, [R4,#1]
.text&ARM.extab:0005FB16 A5 23 MOVS R3, #0xA5
.text&ARM.extab:0005FB18 A3 70 STRB R3, [R4,#2]
.text&ARM.extab:0005FB1A FA 22 MOVS R2, #0xFA
.text&ARM.extab:0005FB1C E3 71 STRB R3, [R4,#7]
.text&ARM.extab:0005FB1E E3 72 STRB R3, [R4,#0xB]
.text&ARM.extab:0005FB20 23 74 STRB R3, [R4,#0x10]
.text&ARM.extab:0005FB22 03 23 MOVS R3, #3
.text&ARM.extab:0005FB24 E2 70 STRB R2, [R4,#3]
.text&ARM.extab:0005FB26 F8 22 MOVS R2, #0xF8
.text&ARM.extab:0005FB28 22 71 STRB R2, [R4,#4]
.text&ARM.extab:0005FB2A E5 22 MOVS R2, #0xE5
.text&ARM.extab:0005FB2C 62 71 STRB R2, [R4,#5]
.text&ARM.extab:0005FB2E E9 22 MOVS R2, #0xE9
.text&ARM.extab:0005FB30 A2 71 STRB R2, [R4,#6]
.text&ARM.extab:0005FB32 AF 22 MOVS R2, #0xAF
.text&ARM.extab:0005FB34 22 72 STRB R2, [R4,#8]
.text&ARM.extab:0005FB36 E6 22 MOVS R2, #0xE6
.text&ARM.extab:0005FB38 62 72 STRB R2, [R4,#9]
.text&ARM.extab:0005FB3A EE 22 MOVS R2, #0xEE
.text&ARM.extab:0005FB3C A2 72 STRB R2, [R4,#0xA]
.text&ARM.extab:0005FB3E FE 22 MOVS R2, #0xFE
.text&ARM.extab:0005FB40 22 73 STRB R2, [R4,#0xC]
.text&ARM.extab:0005FB42 EB 22 MOVS R2, #0xEB
.text&ARM.extab:0005FB44 62 73 STRB R2, [R4,#0xD]
.text&ARM.extab:0005FB46 F9 22 MOVS R2, #0xF9
.text&ARM.extab:0005FB48 A2 73 STRB R2, [R4,#0xE]
.text&ARM.extab:0005FB4A E1 22 MOVS R2, #0xE1
.text&ARM.extab:0005FB4C E2 73 STRB R2, [R4,#0xF]
.text&ARM.extab:0005FB4C
.text&ARM.extab:0005FB4E
.text&ARM.extab:0005FB4E def_5FB58 ; CODE XREF: .text&ARM.extab:0005FB56↓j
.text&ARM.extab:0005FB4E ; .text&ARM.extab:0005FB7A↓j
.text&ARM.extab:0005FB4E ; .text&ARM.extab:0005FFEC↓j
.text&ARM.extab:0005FB4E 07 2B CMP R3, #7 ; jumptable 0005FB58 default case
.text&ARM.extab:0005FB50 00 F0 53 82 BEQ.W loc_5FFFA
.text&ARM.extab:0005FB50
.text&ARM.extab:0005FB54
.text&ARM.extab:0005FB54 loc_5FB54 ; CODE XREF: .text&ARM.extab:0005FF76↓j
.text&ARM.extab:0005FB54 ; .text&ARM.extab:0005FFF4↓j
.text&ARM.extab:0005FB54 ; .text&ARM.extab:0005FFF8↓j
.text&ARM.extab:0005FB54 06 2B CMP R3, #6 ; switch 7 cases
.text&ARM.extab:0005FB56 FA D8 BHI def_5FB58 ; jumptable 0005FB58 default case
.text&ARM.extab:0005FB56
.text&ARM.extab:0005FB58 DF E8 13 F0 TBH.W [PC,R3,LSL#1] ; switch jump
.text&ARM.extab:0005FB58
.text&ARM.extab:0005FB58 ; ---------------------------------------------------------------------------
.text&ARM.extab:0005FB5C 07 00 jpt_5FB58 DCW 7 ; jump table for switch statement
.text&ARM.extab:0005FB5E 2F 02 DCW 0x22F
.text&ARM.extab:0005FB60 49 02 DCW 0x249
.text&ARM.extab:0005FB62 34 02 DCW 0x234
.text&ARM.extab:0005FB64 0E 02 DCW 0x20E
.text&ARM.extab:0005FB66 52 02 DCW 0x252
.text&ARM.extab:0005FB68 10 00 DCW 0x10
.text&ARM.extab:0005FB6A ; ---------------------------------------------------------------------------
.text&ARM.extab:0005FB6A
.text&ARM.extab:0005FB6A loc_5FB6A ; CODE XREF: .text&ARM.extab:0005FB58↑j
.text&ARM.extab:0005FB6A 02 98 LDR R0, [SP,#8] ; jumptable 0005FB58 case 0
.text&ARM.extab:0005FB6C B0 F7 76 EC BLX jhj_readdir64
.text&ARM.extab:0005FB6C
.text&ARM.extab:0005FB70 05 90 STR R0, [SP,#0x14]
.text&ARM.extab:0005FB72 00 28 CMP R0, #0
.text&ARM.extab:0005FB74 14 BF ITE NE
.text&ARM.extab:0005FB76 06 23 MOVNE R3, #6
.text&ARM.extab:0005FB78 01 23 MOVEQ R3, #1
.text&ARM.extab:0005FB7A E8 E7 B def_5FB58 ; jumptable 0005FB58 default case
.text&ARM.extab:0005FB7A
.text&ARM.extab:0005FB7C ; ---------------------------------------------------------------------------
.text&ARM.extab:0005FB7C
.text&ARM.extab:0005FB7C loc_5FB7C ; CODE XREF: .text&ARM.extab:0005FB58↑j
.text&ARM.extab:0005FB7C 0F A8 ADD R0, SP, #0x3C ; '<' ; jumptable 0005FB58 case 6
.text&ARM.extab:0005FB7E 05 9B LDR R3, [SP,#0x14]
.text&ARM.extab:0005FB80 92 22 MOVS R2, #0x92
.text&ARM.extab:0005FB82 01 21 MOVS R1, #1
.text&ARM.extab:0005FB84 00 24 MOVS R4, #0
.text&ARM.extab:0005FB86 03 F1 13 0B ADD.W R11, R3, #0x13
.text&ARM.extab:0005FB8A 04 60 STR R4, [R0]
.text&ARM.extab:0005FB8C F4 23 MOVS R3, #0xF4
.text&ARM.extab:0005FB8E 43 70 STRB R3, [R0,#1]
.text&ARM.extab:0005FB90 48 23 MOVS R3, #0x48 ; 'H'
.text&ARM.extab:0005FB92 83 70 STRB R3, [R0,#2]
.text&ARM.extab:0005FB94 FF F7 D0 FC BL jhj_DecryptString5 ; 解密得到字符串"."
.text&ARM.extab:0005FB94
.text&ARM.extab:0005FB98 01 23 MOVS R3, #1
.text&ARM.extab:0005FB9A 11 94 STR R4, [SP,#0x44]
.text&ARM.extab:0005FB9C B2 22 MOVS R2, #0xB2
.text&ARM.extab:0005FB9E 8D F8 48 40 STRB.W R4, [SP,#0x48]
.text&ARM.extab:0005FBA2 8D F8 45 20 STRB.W R2, [SP,#0x45]
.text&ARM.extab:0005FBA6 4B 22 MOVS R2, #0x4B ; 'K'
.text&ARM.extab:0005FBA8 8D F8 46 20 STRB.W R2, [SP,#0x46]
.text&ARM.extab:0005FBAC 8D F8 47 20 STRB.W R2, [SP,#0x47]
.text&ARM.extab:0005FBAC
.text&ARM.extab:0005FBB0
.text&ARM.extab:0005FBB0 loc_5FBB0 ; CODE XREF: .text&ARM.extab:0005FF26↓j
.text&ARM.extab:0005FBB0 ; .text&ARM.extab:0005FF3A↓j
.text&ARM.extab:0005FBB0 ; .text&ARM.extab:0005FF68↓j
.text&ARM.extab:0005FBB0 ; .text&ARM.extab:0005FF6C↓j
.text&ARM.extab:0005FBB0 ; .text&ARM.extab:0005FF70↓j
.text&ARM.extab:0005FBB0 5A 1E SUBS R2, R3, #1
.text&ARM.extab:0005FBB0
.text&ARM.extab:0005FBB2
.text&ARM.extab:0005FBB2 def_5FBBC ; CODE XREF: .text&ARM.extab:0005FBBA↓j
.text&ARM.extab:0005FBB2 07 2B CMP R3, #7 ; jumptable 0005FBBC default case
.text&ARM.extab:0005FBB4 00 F0 1F 82 BEQ.W loc_5FFF6 ; jumptable 0005FBBC cases 1,5
.text&ARM.extab:0005FBB4
.text&ARM.extab:0005FBB8 05 2A CMP R2, #5 ; switch 6 cases
.text&ARM.extab:0005FBBA FA D8 BHI def_5FBBC ; jumptable 0005FBBC default case
.text&ARM.extab:0005FBBA
.text&ARM.extab:0005FBBC DF E8 12 F0 TBH.W [PC,R2,LSL#1] ; switch jump
.text&ARM.extab:0005FBBC
.text&ARM.extab:0005FBBC ; ---------------------------------------------------------------------------
.text&ARM.extab:0005FBC0 BE 01 jpt_5FBBC DCW 0x1BE ; jump table for switch statement
.text&ARM.extab:0005FBC2 1B 02 DCW 0x21B
.text&ARM.extab:0005FBC4 06 00 DCW 6
.text&ARM.extab:0005FBC6 B4 01 DCW 0x1B4
.text&ARM.extab:0005FBC8 D9 01 DCW 0x1D9
.text&ARM.extab:0005FBCA 1B 02 DCW 0x21B
.text&ARM.extab:0005FBCC ; ---------------------------------------------------------------------------
.text&ARM.extab:0005FBCC
.text&ARM.extab:0005FBCC loc_5FBCC ; CODE XREF: .text&ARM.extab:0005FBBC↑j
.text&ARM.extab:0005FBCC 2C AD ADD R5, SP, #0xB0 ; jumptable 0005FBBC case 2
.text&ARM.extab:0005FBCE 00 21 MOVS R1, #0
.text&ARM.extab:0005FBD0 1C 22 MOVS R2, #0x1C
.text&ARM.extab:0005FBD2 BF 27 MOVS R7, #0xBF
.text&ARM.extab:0005FBD4 28 46 MOV R0, R5
.text&ARM.extab:0005FBD6 F6 26 MOVS R6, #0xF6
.text&ARM.extab:0005FBD8 B0 F7 E6 EB BLX jhj_memset
.text&ARM.extab:0005FBD8
.text&ARM.extab:0005FBDC FE 20 MOVS R0, #0xFE
.text&ARM.extab:0005FBDE FB 21 MOVS R1, #0xFB
.text&ARM.extab:0005FBE0 A8 72 STRB R0, [R5,#0xA]
.text&ARM.extab:0005FBE2 69 73 STRB R1, [R5,#0xD]
.text&ARM.extab:0005FBE4 EA 22 MOVS R2, #0xEA
.text&ARM.extab:0005FBE6 E8 74 STRB R0, [R5,#0x13]
.text&ARM.extab:0005FBE8 28 46 MOV R0, R5
.text&ARM.extab:0005FBEA EA 70 STRB R2, [R5,#3]
.text&ARM.extab:0005FBEC E8 22 MOVS R2, #0xE8
.text&ARM.extab:0005FBEE E9 75 STRB R1, [R5,#0x17]
.text&ARM.extab:0005FBF0 19 21 MOVS R1, #0x19
.text&ARM.extab:0005FBF2 2A 71 STRB R2, [R5,#4]
.text&ARM.extab:0005FBF4 F5 22 MOVS R2, #0xF5
.text&ARM.extab:0005FBF6 6A 71 STRB R2, [R5,#5]
.text&ARM.extab:0005FBF8 F9 22 MOVS R2, #0xF9
.text&ARM.extab:0005FBFA AA 71 STRB R2, [R5,#6]
.text&ARM.extab:0005FBFC EE 22 MOVS R2, #0xEE
.text&ARM.extab:0005FBFE 2A 73 STRB R2, [R5,#0xC]
.text&ARM.extab:0005FC00 4F F0 F1 0E MOV.W LR, #0xF1
.text&ARM.extab:0005FC04 AA 75 STRB R2, [R5,#0x16]
.text&ARM.extab:0005FC06 E9 24 MOVS R4, #0xE9
.text&ARM.extab:0005FC08 2A 76 STRB R2, [R5,#0x18]
.text&ARM.extab:0005FC0A A7 22 MOVS R2, #0xA7
.text&ARM.extab:0005FC0C 85 F8 0F E0 STRB.W LR, [R5,#0xF]
.text&ARM.extab:0005FC10 3D 23 MOVS R3, #0x3D ; '='
.text&ARM.extab:0005FC12 2F 72 STRB R7, [R5,#8]
.text&ARM.extab:0005FC14 0D F5 03 78 ADD.W R8, SP, #0x20C
.text&ARM.extab:0005FC18 6B 70 STRB R3, [R5,#1]
.text&ARM.extab:0005FC1A B5 23 MOVS R3, #0xB5
.text&ARM.extab:0005FC1C 6E 72 STRB R6, [R5,#9]
.text&ARM.extab:0005FC1E AB 70 STRB R3, [R5,#2]
.text&ARM.extab:0005FC20 EB 71 STRB R3, [R5,#7]
.text&ARM.extab:0005FC22 EB 72 STRB R3, [R5,#0xB]
.text&ARM.extab:0005FC24 2B 74 STRB R3, [R5,#0x10]
.text&ARM.extab:0005FC26 6F 74 STRB R7, [R5,#0x11]
.text&ARM.extab:0005FC28 10 AF ADD R7, SP, #0x40 ; '@'
.text&ARM.extab:0005FC2A AE 74 STRB R6, [R5,#0x12]
.text&ARM.extab:0005FC2C 00 26 MOVS R6, #0
.text&ARM.extab:0005FC2E 2B 75 STRB R3, [R5,#0x14]
.text&ARM.extab:0005FC30 EF 23 MOVS R3, #0xEF
.text&ARM.extab:0005FC32 AC 73 STRB R4, [R5,#0xE]
.text&ARM.extab:0005FC34 6B 76 STRB R3, [R5,#0x19]
.text&ARM.extab:0005FC36 6C 75 STRB R4, [R5,#0x15]
.text&ARM.extab:0005FC38 AC 76 STRB R4, [R5,#0x1A]
.text&ARM.extab:0005FC3A FF F7 7D FC BL jhj_DecryptString5 ; 解密得到字符串"/proc/%ld/task/%ld/status"
.text&ARM.extab:0005FC3A
.text&ARM.extab:0005FC3E 06 9B LDR R3, [SP,#0x18]
.text&ARM.extab:0005FC40 2A 46 MOV R2, R5
.text&ARM.extab:0005FC42 4F F4 80 71 MOV.W R1, #0x100
.text&ARM.extab:0005FC46 40 46 MOV R0, R8
.text&ARM.extab:0005FC48 F5 4D LDR R5, =(g_func_map_ptr - 0x5FC6E)
.text&ARM.extab:0005FC4A 00 93 STR R3, [SP]
.text&ARM.extab:0005FC4C 04 9B LDR R3, [SP,#0x10]
.text&ARM.extab:0005FC4E 39 F0 43 F9 BL jhj_format1 ; 格式化字符串"/proc/pid/task/%ld/status"
.text&ARM.extab:0005FC4E
.text&ARM.extab:0005FC52 38 46 MOV R0, R7
.text&ARM.extab:0005FC54 01 21 MOVS R1, #1
.text&ARM.extab:0005FC56 F8 22 MOVS R2, #0xF8
.text&ARM.extab:0005FC58 10 96 STR R6, [SP,#0x40]
.text&ARM.extab:0005FC5A 67 23 MOVS R3, #0x67 ; 'g'
.text&ARM.extab:0005FC5C 8D F8 41 30 STRB.W R3, [SP,#0x41]
.text&ARM.extab:0005FC60 ED 23 MOVS R3, #0xED
.text&ARM.extab:0005FC62 8D F8 42 30 STRB.W R3, [SP,#0x42]
.text&ARM.extab:0005FC66 FF F7 67 FC BL jhj_DecryptString5 ; 解密得到字符串"r"
.text&ARM.extab:0005FC66
.text&ARM.extab:0005FC6A 7D 44 ADD R5, PC ; g_func_map_ptr
.text&ARM.extab:0005FC6C 2D 68 LDR R5, [R5] ; g_func_map
.text&ARM.extab:0005FC6E 39 46 MOV R1, R7
.text&ARM.extab:0005FC70 40 46 MOV R0, R8
.text&ARM.extab:0005FC72 2B 68 LDR R3, [R5]
.text&ARM.extab:0005FC74 98 47 BLX R3 ; dword_0 ; fopen
.text&ARM.extab:0005FC74
.text&ARM.extab:0005FC76 07 46 MOV R7, R0
.text&ARM.extab:0005FC78 00 28 CMP R0, #0
.text&ARM.extab:0005FC7A 00 F0 53 81 BEQ.W loc_5FF24
.text&ARM.extab:0005FC7A
.text&ARM.extab:0005FC7E 0D F1 68 09 ADD.W R9, SP, #0x68 ; 'h'
.text&ARM.extab:0005FC82 4F F0 0D 08 MOV.W R8, #0xD
.text&ARM.extab:0005FC86 31 46 MOV R1, R6
.text&ARM.extab:0005FC88 42 46 MOV R2, R8
.text&ARM.extab:0005FC8A 48 46 MOV R0, R9
.text&ARM.extab:0005FC8C B0 F7 8C EB BLX jhj_memset
.text&ARM.extab:0005FC8C
.text&ARM.extab:0005FC90 15 22 MOVS R2, #0x15
.text&ARM.extab:0005FC92 04 21 MOVS R1, #4
.text&ARM.extab:0005FC94 89 F8 03 20 STRB.W R2, [R9,#3]
.text&ARM.extab:0005FC98 89 F8 05 10 STRB.W R1, [R9,#5]
.text&ARM.extab:0005FC9C 48 46 MOV R0, R9
.text&ARM.extab:0005FC9E 89 F8 07 20 STRB.W R2, [R9,#7]
.text&ARM.extab:0005FCA2 02 21 MOVS R1, #2
.text&ARM.extab:0005FCA4 37 22 MOVS R2, #0x37 ; '7'
.text&ARM.extab:0005FCA6 89 F8 06 10 STRB.W R1, [R9,#6]
.text&ARM.extab:0005FCAA 89 F8 08 20 STRB.W R2, [R9,#8]
.text&ARM.extab:0005FCAE 0A 21 MOVS R1, #0xA
.text&ARM.extab:0005FCB0 03 22 MOVS R2, #3
.text&ARM.extab:0005FCB2 89 F8 0A 20 STRB.W R2, [R9,#0xA]
.text&ARM.extab:0005FCB6 CE 22 MOVS R2, #0xCE
.text&ARM.extab:0005FCB8 A9 23 MOVS R3, #0xA9
.text&ARM.extab:0005FCBA 89 F8 01 30 STRB.W R3, [R9,#1]
.text&ARM.extab:0005FCBE 33 23 MOVS R3, #0x33 ; '3'
.text&ARM.extab:0005FCC0 89 F8 02 30 STRB.W R3, [R9,#2]
.text&ARM.extab:0005FCC4 06 23 MOVS R3, #6
.text&ARM.extab:0005FCC6 89 F8 04 30 STRB.W R3, [R9,#4]
.text&ARM.extab:0005FCCA 09 93 STR R3, [SP,#0x24]
.text&ARM.extab:0005FCCC 0E 23 MOVS R3, #0xE
.text&ARM.extab:0005FCCE 89 F8 09 30 STRB.W R3, [R9,#9]
.text&ARM.extab:0005FCD2 5D 23 MOVS R3, #0x5D ; ']'
.text&ARM.extab:0005FCD4 89 F8 0B 30 STRB.W R3, [R9,#0xB]
.text&ARM.extab:0005FCD8 FF F7 2E FC BL jhj_DecryptString5 ; 解密得到字符串"TracerPid:"
.text&ARM.extab:0005FCD8
.text&ARM.extab:0005FCDC 13 A8 ADD R0, SP, #0x4C ; 'L'
.text&ARM.extab:0005FCDE 6A 22 MOVS R2, #0x6A ; 'j'
.text&ARM.extab:0005FCE0 05 21 MOVS R1, #5
.text&ARM.extab:0005FCE2 4F F0 DD 09 MOV.W R9, #0xDD
.text&ARM.extab:0005FCE6 06 60 STR R6, [R0]
.text&ARM.extab:0005FCE8 46 60 STR R6, [R0,#4]
.text&ARM.extab:0005FCEA 42 70 STRB R2, [R0,#1]
.text&ARM.extab:0005FCEC E4 22 MOVS R2, #0xE4
.text&ARM.extab:0005FCEE 44 71 STRB R4, [R0,#5]
.text&ARM.extab:0005FCF0 17 AC ADD R4, SP, #0x5C ; '\'
.text&ARM.extab:0005FCF2 02 71 STRB R2, [R0,#4]
.text&ARM.extab:0005FCF4 B7 22 MOVS R2, #0xB7
.text&ARM.extab:0005FCF6 82 71 STRB R2, [R0,#6]
.text&ARM.extab:0005FCF8 E7 22 MOVS R2, #0xE7
.text&ARM.extab:0005FCFA 80 F8 02 90 STRB.W R9, [R0,#2]
.text&ARM.extab:0005FCFE 80 F8 03 90 STRB.W R9, [R0,#3]
.text&ARM.extab:0005FD02 FF F7 19 FC BL jhj_DecryptString5 ; 解密得到字符串"PPid:"
.text&ARM.extab:0005FD02
.text&ARM.extab:0005FD06 4F F0 09 0C MOV.W R12, #9
.text&ARM.extab:0005FD0A 20 46 MOV R0, R4
.text&ARM.extab:0005FD0C 62 46 MOV R2, R12
.text&ARM.extab:0005FD0E 31 46 MOV R1, R6
.text&ARM.extab:0005FD10 CD F8 20 C0 STR.W R12, [SP,#0x20]
.text&ARM.extab:0005FD14 B0 F7 48 EB BLX jhj_memset
.text&ARM.extab:0005FD14
.text&ARM.extab:0005FD18 09 9B LDR R3, [SP,#0x24]
.text&ARM.extab:0005FD1A 20 46 MOV R0, R4
.text&ARM.extab:0005FD1C 84 F8 01 80 STRB.W R8, [R4,#1]
.text&ARM.extab:0005FD20 96 22 MOVS R2, #0x96
.text&ARM.extab:0005FD22 A4 21 MOVS R1, #0xA4
.text&ARM.extab:0005FD24 A2 70 STRB R2, [R4,#2]
.text&ARM.extab:0005FD26 21 71 STRB R1, [R4,#4]
.text&ARM.extab:0005FD28 B1 22 MOVS R2, #0xB1
.text&ARM.extab:0005FD2A E2 70 STRB R2, [R4,#3]
.text&ARM.extab:0005FD2C 19 46 MOV R1, R3
.text&ARM.extab:0005FD2E 62 71 STRB R2, [R4,#5]
.text&ARM.extab:0005FD30 A0 22 MOVS R2, #0xA0
.text&ARM.extab:0005FD32 A2 71 STRB R2, [R4,#6]
.text&ARM.extab:0005FD34 FF 22 MOVS R2, #0xFF
.text&ARM.extab:0005FD36 E2 71 STRB R2, [R4,#7]
.text&ARM.extab:0005FD38 1E AC ADD R4, SP, #0x78 ; 'x'
.text&ARM.extab:0005FD3A C8 22 MOVS R2, #0xC8
.text&ARM.extab:0005FD3C FF F7 FC FB BL jhj_DecryptString5 ; 解密得到字符串"State:"
.text&ARM.extab:0005FD3C
.text&ARM.extab:0005FD40 20 46 MOV R0, R4
.text&ARM.extab:0005FD42 31 46 MOV R1, R6
.text&ARM.extab:0005FD44 0E 22 MOVS R2, #0xE
.text&ARM.extab:0005FD46 B0 F7 30 EB BLX jhj_memset
.text&ARM.extab:0005FD46
.text&ARM.extab:0005FD4A DD F8 20 C0 LDR.W R12, [SP,#0x20]
.text&ARM.extab:0005FD4E 84 F8 08 80 STRB.W R8, [R4,#8]
.text&ARM.extab:0005FD52 20 46 MOV R0, R4
.text&ARM.extab:0005FD54 84 F8 09 80 STRB.W R8, [R4,#9]
.text&ARM.extab:0005FD58 9B 23 MOVS R3, #0x9B
.text&ARM.extab:0005FD5A 84 F8 06 C0 STRB.W R12, [R4,#6]
.text&ARM.extab:0005FD5E 0B 21 MOVS R1, #0xB
.text&ARM.extab:0005FD60 63 70 STRB R3, [R4,#1]
.text&ARM.extab:0005FD62 29 23 MOVS R3, #0x29 ; ')'
.text&ARM.extab:0005FD64 A3 70 STRB R3, [R4,#2]
.text&ARM.extab:0005FD66 5D 23 MOVS R3, #0x5D ; ']'
.text&ARM.extab:0005FD68 E3 70 STRB R3, [R4,#3]
.text&ARM.extab:0005FD6A 55 23 MOVS R3, #0x55 ; 'U'
.text&ARM.extab:0005FD6C 23 71 STRB R3, [R4,#4]
.text&ARM.extab:0005FD6E 0E 23 MOVS R3, #0xE
.text&ARM.extab:0005FD70 63 71 STRB R3, [R4,#5]
.text&ARM.extab:0005FD72 12 23 MOVS R3, #0x12
.text&ARM.extab:0005FD74 E3 71 STRB R3, [R4,#7]
.text&ARM.extab:0005FD76 18 23 MOVS R3, #0x18
.text&ARM.extab:0005FD78 A3 72 STRB R3, [R4,#0xA]
.text&ARM.extab:0005FD7A 19 23 MOVS R3, #0x19
.text&ARM.extab:0005FD7C E3 72 STRB R3, [R4,#0xB]
.text&ARM.extab:0005FD7E 54 23 MOVS R3, #0x54 ; 'T'
.text&ARM.extab:0005FD80 23 73 STRB R3, [R4,#0xC]
.text&ARM.extab:0005FD82 27 AC ADD R4, SP, #0x9C
.text&ARM.extab:0005FD84 E6 22 MOVS R2, #0xE6
.text&ARM.extab:0005FD86 FF F7 D7 FB BL jhj_DecryptString5 ; 解密得到字符串"T (stopped)"
.text&ARM.extab:0005FD86
.text&ARM.extab:0005FD8A 31 46 MOV R1, R6
.text&ARM.extab:0005FD8C 13 22 MOVS R2, #0x13
.text&ARM.extab:0005FD8E 20 46 MOV R0, R4
.text&ARM.extab:0005FD90 B0 F7 0A EB BLX jhj_memset
.text&ARM.extab:0005FD90
.text&ARM.extab:0005FD94 9A 22 MOVS R2, #0x9A
.text&ARM.extab:0005FD96 92 21 MOVS R1, #0x92
.text&ARM.extab:0005FD98 E2 70 STRB R2, [R4,#3]
.text&ARM.extab:0005FD9A 21 71 STRB R1, [R4,#4]
.text&ARM.extab:0005FD9C 20 46 MOV R0, R4
.text&ARM.extab:0005FD9E C8 21 MOVS R1, #0xC8
.text&ARM.extab:0005FDA0 22 73 STRB R2, [R4,#0xC]
.text&ARM.extab:0005FDA2 A1 71 STRB R1, [R4,#6]
.text&ARM.extab:0005FDA4 C9 22 MOVS R2, #0xC9
.text&ARM.extab:0005FDA6 DB 21 MOVS R1, #0xDB
.text&ARM.extab:0005FDA8 62 73 STRB R2, [R4,#0xD]
.text&ARM.extab:0005FDAA E1 71 STRB R1, [R4,#7]
.text&ARM.extab:0005FDAC B0 22 MOVS R2, #0xB0
.text&ARM.extab:0005FDAE D9 21 MOVS R1, #0xD9
.text&ARM.extab:0005FDB0 21 72 STRB R1, [R4,#8]
.text&ARM.extab:0005FDB2 D3 21 MOVS R1, #0xD3
.text&ARM.extab:0005FDB4 61 72 STRB R1, [R4,#9]
.text&ARM.extab:0005FDB6 D4 21 MOVS R1, #0xD4
.text&ARM.extab:0005FDB8 A1 72 STRB R1, [R4,#0xA]
.text&ARM.extab:0005FDBA 10 21 MOVS R1, #0x10
.text&ARM.extab:0005FDBC 0A 23 MOVS R3, #0xA
.text&ARM.extab:0005FDBE 84 F8 0B 90 STRB.W R9, [R4,#0xB]
.text&ARM.extab:0005FDC2 63 70 STRB R3, [R4,#1]
.text&ARM.extab:0005FDC4 CE 23 MOVS R3, #0xCE
.text&ARM.extab:0005FDC6 A3 70 STRB R3, [R4,#2]
.text&ARM.extab:0005FDC8 63 71 STRB R3, [R4,#5]
.text&ARM.extab:0005FDCA A3 73 STRB R3, [R4,#0xE]
.text&ARM.extab:0005FDCC D5 23 MOVS R3, #0xD5
.text&ARM.extab:0005FDCE E3 73 STRB R3, [R4,#0xF]
.text&ARM.extab:0005FDD0 CA 23 MOVS R3, #0xCA
.text&ARM.extab:0005FDD2 23 74 STRB R3, [R4,#0x10]
.text&ARM.extab:0005FDD4 93 23 MOVS R3, #0x93
.text&ARM.extab:0005FDD6 63 74 STRB R3, [R4,#0x11]
.text&ARM.extab:0005FDD8 FF F7 AE FB BL jhj_DecryptString5 ; 解密得到字符串"t (tracing stop)"
.text&ARM.extab:0005FDD8
.text&ARM.extab:0005FDDC
.text&ARM.extab:0005FDDC loc_5FDDC ; CODE XREF: .text&ARM.extab:0005FE32↓j
.text&ARM.extab:0005FDDC 17 AC ADD R4, SP, #0x5C ; '\'
.text&ARM.extab:0005FDDC
.text&ARM.extab:0005FDDE
.text&ARM.extab:0005FDDE loc_5FDDE ; CODE XREF: .text&ARM.extab:0005FE02↓j
.text&ARM.extab:0005FDDE AB 68 LDR R3, [R5,#(off_AB7EC - 0xAB7E4)]
.text&ARM.extab:0005FDE0 50 46 MOV R0, R10
.text&ARM.extab:0005FDE2 4F F4 80 61 MOV.W R1, #0x400
.text&ARM.extab:0005FDE6 3A 46 MOV R2, R7
.text&ARM.extab:0005FDE8 98 47 BLX R3 ; dword_0 ; fgets
.text&ARM.extab:0005FDE8
.text&ARM.extab:0005FDEA 00 28 CMP R0, #0
.text&ARM.extab:0005FDEC 00 F0 95 80 BEQ.W loc_5FF1A
.text&ARM.extab:0005FDEC
.text&ARM.extab:0005FDF0 20 46 MOV R0, R4
.text&ARM.extab:0005FDF2 B0 F7 B6 EA BLX jhj_strlen
.text&ARM.extab:0005FDF2
.text&ARM.extab:0005FDF6 21 46 MOV R1, R4
.text&ARM.extab:0005FDF8 02 46 MOV R2, R0
.text&ARM.extab:0005FDFA 50 46 MOV R0, R10
.text&ARM.extab:0005FDFC B0 F7 AA EA BLX jhj_strncmp
.text&ARM.extab:0005FDFC
.text&ARM.extab:0005FE00 00 28 CMP R0, #0
.text&ARM.extab:0005FE02 EC D1 BNE loc_5FDDE
.text&ARM.extab:0005FE02
.text&ARM.extab:0005FE04 50 46 MOV R0, R10
.text&ARM.extab:0005FE06 1E A9 ADD R1, SP, #0x78 ; 'x'
.text&ARM.extab:0005FE08 B0 F7 20 ED BLX jhj_strcasestr
.text&ARM.extab:0005FE08
.text&ARM.extab:0005FE0C 30 B1 CBZ R0, loc_5FE1C
.text&ARM.extab:0005FE0C
.text&ARM.extab:0005FE0E
.text&ARM.extab:0005FE0E loc_5FE0E ; CODE XREF: .text&ARM.extab:0005FE26↓j
.text&ARM.extab:0005FE0E ; .text&ARM.extab:0005FE34↓j
.text&ARM.extab:0005FE0E 00 23 MOVS R3, #0
.text&ARM.extab:0005FE10 0D F2 0C 74 ADDW R4, SP, #0x70C
.text&ARM.extab:0005FE14 0D 93 STR R3, [SP,#0x34]
.text&ARM.extab:0005FE16 13 AE ADD R6, SP, #0x4C ; 'L'
.text&ARM.extab:0005FE18 0E 93 STR R3, [SP,#0x38]
.text&ARM.extab:0005FE1A 0C E0 B loc_5FE36
.text&ARM.extab:0005FE1A
.text&ARM.extab:0005FE1C ; ---------------------------------------------------------------------------
.text&ARM.extab:0005FE1C
.text&ARM.extab:0005FE1C loc_5FE1C ; CODE XREF: .text&ARM.extab:0005FE0C↑j
.text&ARM.extab:0005FE1C 50 46 MOV R0, R10
.text&ARM.extab:0005FE1E 27 A9 ADD R1, SP, #0x9C
.text&ARM.extab:0005FE20 B0 F7 14 ED BLX jhj_strcasestr
.text&ARM.extab:0005FE20
.text&ARM.extab:0005FE24 00 28 CMP R0, #0
.text&ARM.extab:0005FE26 F2 D1 BNE loc_5FE0E
.text&ARM.extab:0005FE26
.text&ARM.extab:0005FE28 7E 4B LDR R3, =(p3906CEE43A636FED71D0E81D64568947_ptr - 0x5FE2E)
.text&ARM.extab:0005FE2A 7B 44 ADD R3, PC ; p3906CEE43A636FED71D0E81D64568947_ptr
.text&ARM.extab:0005FE2C 1B 68 LDR R3, [R3] ; p3906CEE43A636FED71D0E81D64568947
.text&ARM.extab:0005FE2E 1B 68 LDR R3, [R3]
.text&ARM.extab:0005FE30 00 2B CMP R3, #0
.text&ARM.extab:0005FE32 D3 D1 BNE loc_5FDDC
.text&ARM.extab:0005FE32
.text&ARM.extab:0005FE34 EB E7 B loc_5FE0E
.text&ARM.extab:0005FE34
.text&ARM.extab:0005FE36 ; ---------------------------------------------------------------------------
.text&ARM.extab:0005FE36
.text&ARM.extab:0005FE36 loc_5FE36 ; CODE XREF: .text&ARM.extab:0005FE1A↑j
.text&ARM.extab:0005FE36 ; .text&ARM.extab:0005FE56↓j
.text&ARM.extab:0005FE36 AB 68 LDR R3, [R5,#(off_AB7EC - 0xAB7E4)]
.text&ARM.extab:0005FE38 20 46 MOV R0, R4
.text&ARM.extab:0005FE3A 4F F4 80 61 MOV.W R1, #0x400
.text&ARM.extab:0005FE3E 3A 46 MOV R2, R7
.text&ARM.extab:0005FE40 98 47 BLX R3 ; dword_0
.text&ARM.extab:0005FE40
.text&ARM.extab:0005FE42 40 B3 CBZ R0, loc_5FE96
.text&ARM.extab:0005FE42
.text&ARM.extab:0005FE44 30 46 MOV R0, R6
.text&ARM.extab:0005FE46 B0 F7 8C EA BLX jhj_strlen
.text&ARM.extab:0005FE46
.text&ARM.extab:0005FE4A 31 46 MOV R1, R6
.text&ARM.extab:0005FE4C 02 46 MOV R2, R0
.text&ARM.extab:0005FE4E 20 46 MOV R0, R4
.text&ARM.extab:0005FE50 B0 F7 80 EA BLX jhj_strncmp
.text&ARM.extab:0005FE50
.text&ARM.extab:0005FE54 00 28 CMP R0, #0
.text&ARM.extab:0005FE56 EE D1 BNE loc_5FE36
.text&ARM.extab:0005FE56
.text&ARM.extab:0005FE58 15 AE ADD R6, SP, #0x54 ; 'T'
.text&ARM.extab:0005FE5A 15 90 STR R0, [SP,#0x54]
.text&ARM.extab:0005FE5C 16 90 STR R0, [SP,#0x58]
.text&ARM.extab:0005FE5E 09 22 MOVS R2, #9
.text&ARM.extab:0005FE60 05 21 MOVS R1, #5
.text&ARM.extab:0005FE62 8D F8 57 20 STRB.W R2, [SP,#0x57]
.text&ARM.extab:0005FE66 30 46 MOV R0, R6
.text&ARM.extab:0005FE68 5A 22 MOVS R2, #0x5A ; 'Z'
.text&ARM.extab:0005FE6A 8D F8 58 20 STRB.W R2, [SP,#0x58]
.text&ARM.extab:0005FE6E F1 22 MOVS R2, #0xF1
.text&ARM.extab:0005FE70 8B 23 MOVS R3, #0x8B
.text&ARM.extab:0005FE72 8D F8 55 30 STRB.W R3, [SP,#0x55]
.text&ARM.extab:0005FE76 5F 23 MOVS R3, #0x5F ; '_'
.text&ARM.extab:0005FE78 8D F8 56 30 STRB.W R3, [SP,#0x56]
.text&ARM.extab:0005FE7C 8D F8 59 30 STRB.W R3, [SP,#0x59]
.text&ARM.extab:0005FE80 1E 23 MOVS R3, #0x1E
.text&ARM.extab:0005FE82 8D F8 5A 30 STRB.W R3, [SP,#0x5A]
.text&ARM.extab:0005FE86 FF F7 57 FB BL jhj_DecryptString5 ; 解密得到字符串"%s %d"
.text&ARM.extab:0005FE86
.text&ARM.extab:0005FE8A 20 46 MOV R0, R4
.text&ARM.extab:0005FE8C 31 46 MOV R1, R6
.text&ARM.extab:0005FE8E 33 AA ADD R2, SP, #0xCC
.text&ARM.extab:0005FE90 0E AB ADD R3, SP, #0x38 ; '8'
.text&ARM.extab:0005FE92 B0 F7 86 EB BLX jhj_sscanf
.text&ARM.extab:0005FE92
.text&ARM.extab:0005FE96
.text&ARM.extab:0005FE96 loc_5FE96 ; CODE XREF: .text&ARM.extab:0005FE42↑j
.text&ARM.extab:0005FE96 0D F2 0C 74 ADDW R4, SP, #0x70C
.text&ARM.extab:0005FE9A 1A AE ADD R6, SP, #0x68 ; 'h'
.text&ARM.extab:0005FE9A
.text&ARM.extab:0005FE9C
.text&ARM.extab:0005FE9C loc_5FE9C ; CODE XREF: .text&ARM.extab:0005FEBC↓j
.text&ARM.extab:0005FE9C AB 68 LDR R3, [R5,#(off_AB7EC - 0xAB7E4)]
.text&ARM.extab:0005FE9E 20 46 MOV R0, R4
.text&ARM.extab:0005FEA0 4F F4 80 61 MOV.W R1, #0x400
.text&ARM.extab:0005FEA4 3A 46 MOV R2, R7
.text&ARM.extab:0005FEA6 98 47 BLX R3 ; dword_0
.text&ARM.extab:0005FEA6
.text&ARM.extab:0005FEA8 40 B3 CBZ R0, loc_5FEFC
.text&ARM.extab:0005FEA8
.text&ARM.extab:0005FEAA 30 46 MOV R0, R6
.text&ARM.extab:0005FEAC B0 F7 58 EA BLX jhj_strlen
.text&ARM.extab:0005FEAC
.text&ARM.extab:0005FEB0 31 46 MOV R1, R6
.text&ARM.extab:0005FEB2 02 46 MOV R2, R0
.text&ARM.extab:0005FEB4 20 46 MOV R0, R4
.text&ARM.extab:0005FEB6 B0 F7 4E EA BLX jhj_strncmp
.text&ARM.extab:0005FEB6
.text&ARM.extab:0005FEBA 00 28 CMP R0, #0
.text&ARM.extab:0005FEBC EE D1 BNE loc_5FE9C
.text&ARM.extab:0005FEBC
.text&ARM.extab:0005FEBE 15 AE ADD R6, SP, #0x54 ; 'T'
.text&ARM.extab:0005FEC0 15 90 STR R0, [SP,#0x54]
.text&ARM.extab:0005FEC2 16 90 STR R0, [SP,#0x58]
.text&ARM.extab:0005FEC4 C3 22 MOVS R2, #0xC3
.text&ARM.extab:0005FEC6 05 21 MOVS R1, #5
.text&ARM.extab:0005FEC8 8D F8 57 20 STRB.W R2, [SP,#0x57]
.text&ARM.extab:0005FECC 30 46 MOV R0, R6
.text&ARM.extab:0005FECE 90 22 MOVS R2, #0x90
.text&ARM.extab:0005FED0 8D F8 58 20 STRB.W R2, [SP,#0x58]
.text&ARM.extab:0005FED4 E8 22 MOVS R2, #0xE8
.text&ARM.extab:0005FED6 58 23 MOVS R3, #0x58 ; 'X'
.text&ARM.extab:0005FED8 8D F8 55 30 STRB.W R3, [SP,#0x55]
.text&ARM.extab:0005FEDC 95 23 MOVS R3, #0x95
.text&ARM.extab:0005FEDE 8D F8 56 30 STRB.W R3, [SP,#0x56]
.text&ARM.extab:0005FEE2 8D F8 59 30 STRB.W R3, [SP,#0x59]
.text&ARM.extab:0005FEE6 D4 23 MOVS R3, #0xD4
.text&ARM.extab:0005FEE8 8D F8 5A 30 STRB.W R3, [SP,#0x5A]
.text&ARM.extab:0005FEEC FF F7 24 FB BL jhj_DecryptString5 ; 解密得到字符串"%s %d"
.text&ARM.extab:0005FEEC
.text&ARM.extab:0005FEF0 20 46 MOV R0, R4
.text&ARM.extab:0005FEF2 31 46 MOV R1, R6
.text&ARM.extab:0005FEF4 33 AA ADD R2, SP, #0xCC
.text&ARM.extab:0005FEF6 0D AB ADD R3, SP, #0x34 ; '4'
.text&ARM.extab:0005FEF8 B0 F7 52 EB BLX jhj_sscanf
.text&ARM.extab:0005FEF8
.text&ARM.extab:0005FEFC
.text&ARM.extab:0005FEFC loc_5FEFC ; CODE XREF: .text&ARM.extab:0005FEA8↑j
.text&ARM.extab:0005FEFC 0D AC ADD R4, SP, #0x34 ; '4'
.text&ARM.extab:0005FEFE 26 68 LDR R6, [R4]
.text&ARM.extab:0005FF00 0E B9 CBNZ R6, loc_5FF06
.text&ARM.extab:0005FF00
.text&ARM.extab:0005FF02
.text&ARM.extab:0005FF02 loc_5FF02 ; CODE XREF: .text&ARM.extab:0005FF0C↓j
.text&ARM.extab:0005FF02 00 26 MOVS R6, #0
.text&ARM.extab:0005FF04 0A E0 B loc_5FF1C
.text&ARM.extab:0005FF04
.text&ARM.extab:0005FF06 ; ---------------------------------------------------------------------------
.text&ARM.extab:0005FF06
.text&ARM.extab:0005FF06 loc_5FF06 ; CODE XREF: .text&ARM.extab:0005FF00↑j
.text&ARM.extab:0005FF06 B0 F7 B6 EA BLX jhj_getpid
.text&ARM.extab:0005FF06
.text&ARM.extab:0005FF0A 86 42 CMP R6, R0
.text&ARM.extab:0005FF0C F9 D0 BEQ loc_5FF02
.text&ARM.extab:0005FF0C
.text&ARM.extab:0005FF0E 23 68 LDR R3, [R4]
.text&ARM.extab:0005FF10 0E 9E LDR R6, [SP,#0x38]
.text&ARM.extab:0005FF12 9E 1B SUBS R6, R3, R6
.text&ARM.extab:0005FF14 18 BF IT NE
.text&ARM.extab:0005FF16 01 26 MOVNE R6, #1
.text&ARM.extab:0005FF18 00 E0 B loc_5FF1C
.text&ARM.extab:0005FF18
.text&ARM.extab:0005FF1A ; ---------------------------------------------------------------------------
.text&ARM.extab:0005FF1A
.text&ARM.extab:0005FF1A loc_5FF1A ; CODE XREF: .text&ARM.extab:0005FDEC↑j
.text&ARM.extab:0005FF1A 06 46 MOV R6, R0
.text&ARM.extab:0005FF1A
.text&ARM.extab:0005FF1C
.text&ARM.extab:0005FF1C loc_5FF1C ; CODE XREF: .text&ARM.extab:0005FF04↑j
.text&ARM.extab:0005FF1C ; .text&ARM.extab:0005FF18↑j
.text&ARM.extab:0005FF1C 6B 68 LDR R3, [R5,#(off_AB7E8 - 0xAB7E4)]
.text&ARM.extab:0005FF1E 38 46 MOV R0, R7
.text&ARM.extab:0005FF20 98 47 BLX R3 ; dword_0
.text&ARM.extab:0005FF20
.text&ARM.extab:0005FF22 16 BB CBNZ R6, loc_5FF6A
.text&ARM.extab:0005FF22
.text&ARM.extab:0005FF24
.text&ARM.extab:0005FF24 loc_5FF24 ; CODE XREF: .text&ARM.extab:0005FC7A↑j
.text&ARM.extab:0005FF24 07 23 MOVS R3, #7
.text&ARM.extab:0005FF26 43 E6 B loc_5FBB0
.text&ARM.extab:0005FF26
.text&ARM.extab:0005FF28 ; ---------------------------------------------------------------------------
.text&ARM.extab:0005FF28
.text&ARM.extab:0005FF28 loc_5FF28 ; CODE XREF: .text&ARM.extab:0005FBBC↑j
.text&ARM.extab:0005FF28 58 46 MOV R0, R11 ; jumptable 0005FBBC case 3
.text&ARM.extab:0005FF2A B0 F7 AE EC BLX jhj_atol
.text&ARM.extab:0005FF2A
.text&ARM.extab:0005FF2E 04 9B LDR R3, [SP,#0x10]
.text&ARM.extab:0005FF30 06 90 STR R0, [SP,#0x18]
.text&ARM.extab:0005FF32 83 42 CMP R3, R0
.text&ARM.extab:0005FF34 0C BF ITE EQ
.text&ARM.extab:0005FF36 02 23 MOVEQ R3, #2
.text&ARM.extab:0005FF38 03 23 MOVNE R3, #3
.text&ARM.extab:0005FF3A 39 E6 B loc_5FBB0
.text&ARM.extab:0005FF3A
.text&ARM.extab:0005FF3C ; ---------------------------------------------------------------------------
.text&ARM.extab:0005FF3C
.text&ARM.extab:0005FF3C loc_5FF3C ; CODE XREF: .text&ARM.extab:0005FBBC↑j
.text&ARM.extab:0005FF3C 11 AC ADD R4, SP, #0x44 ; 'D' ; jumptable 0005FBBC case 0
.text&ARM.extab:0005FF3E 02 21 MOVS R1, #2
.text&ARM.extab:0005FF40 D7 22 MOVS R2, #0xD7
.text&ARM.extab:0005FF42 20 46 MOV R0, R4
.text&ARM.extab:0005FF44 FF F7 F8 FA BL jhj_DecryptString5 ; 解密得到字符串".."
.text&ARM.extab:0005FF44
.text&ARM.extab:0005FF48 BB F1 00 0F CMP.W R11, #0
.text&ARM.extab:0005FF4C 0F D0 BEQ loc_5FF6E
.text&ARM.extab:0005FF4C
.text&ARM.extab:0005FF4E 58 46 MOV R0, R11
.text&ARM.extab:0005FF50 0F A9 ADD R1, SP, #0x3C ; '<'
.text&ARM.extab:0005FF52 B0 F7 54 EA BLX jhj_strcmp
.text&ARM.extab:0005FF52
.text&ARM.extab:0005FF56 50 B1 CBZ R0, loc_5FF6E
.text&ARM.extab:0005FF56
.text&ARM.extab:0005FF58 58 46 MOV R0, R11
.text&ARM.extab:0005FF5A 21 46 MOV R1, R4
.text&ARM.extab:0005FF5C B0 F7 4E EA BLX jhj_strcmp
.text&ARM.extab:0005FF5C
.text&ARM.extab:0005FF60 00 28 CMP R0, #0
.text&ARM.extab:0005FF62 0C BF ITE EQ
.text&ARM.extab:0005FF64 06 23 MOVEQ R3, #6
.text&ARM.extab:0005FF66 04 23 MOVNE R3, #4
.text&ARM.extab:0005FF68 22 E6 B loc_5FBB0
.text&ARM.extab:0005FF68
.text&ARM.extab:0005FF6A ; ---------------------------------------------------------------------------
.text&ARM.extab:0005FF6A
.text&ARM.extab:0005FF6A loc_5FF6A ; CODE XREF: .text&ARM.extab:0005FF22↑j
.text&ARM.extab:0005FF6A 05 23 MOVS R3, #5
.text&ARM.extab:0005FF6C 20 E6 B loc_5FBB0
.text&ARM.extab:0005FF6C
.text&ARM.extab:0005FF6E ; ---------------------------------------------------------------------------
.text&ARM.extab:0005FF6E
.text&ARM.extab:0005FF6E loc_5FF6E ; CODE XREF: .text&ARM.extab:0005FF4C↑j
.text&ARM.extab:0005FF6E ; .text&ARM.extab:0005FF56↑j
.text&ARM.extab:0005FF6E 06 23 MOVS R3, #6
.text&ARM.extab:0005FF70 1E E6 B loc_5FBB0
.text&ARM.extab:0005FF70
.text&ARM.extab:0005FF72 ; ---------------------------------------------------------------------------
.text&ARM.extab:0005FF72
.text&ARM.extab:0005FF72 loc_5FF72 ; CODE XREF: .text&ARM.extab:0005FBBC↑j
.text&ARM.extab:0005FF72 01 23 MOVS R3, #1 ; jumptable 0005FBBC case 4
.text&ARM.extab:0005FF74 03 93 STR R3, [SP,#0xC]
.text&ARM.extab:0005FF76 ED E5 B loc_5FB54
.text&ARM.extab:0005FF76
.text&ARM.extab:0005FF78 ; ---------------------------------------------------------------------------
.text&ARM.extab:0005FF78
.text&ARM.extab:0005FF78 loc_5FF78 ; CODE XREF: .text&ARM.extab:0005FB58↑j
.text&ARM.extab:0005FF78 0C 9B LDR R3, [SP,#0x30] ; jumptable 0005FB58 case 4
.text&ARM.extab:0005FF7A 00 2B CMP R3, #0
.text&ARM.extab:0005FF7C 3B DA BGE loc_5FFF6 ; jumptable 0005FBBC cases 1,5
.text&ARM.extab:0005FF7C
.text&ARM.extab:0005FF7E 00 BF NOP
.text&ARM.extab:0005FF80 7E 73 STRB R6, [R7,#0xD]
.text&ARM.extab:0005FF82 05 43 ORRS R5, R0
.text&ARM.extab:0005FF84 F7 A5 ADR R5, byte_60364
.text&ARM.extab:0005FF86 B0 75 STRB R0, [R6,#0x16]
.text&ARM.extab:0005FF88 7D B3 CBZ R5, loc_5FFEA
.text&ARM.extab:0005FF88
.text&ARM.extab:0005FF8A C9 0A LSRS R1, R1, #0xB
.text&ARM.extab:0005FF8C 59 AC ADD R4, SP, #0x164
.text&ARM.extab:0005FF8E 4B 78 LDRB R3, [R1,#1]
.text&ARM.extab:0005FF90 89 34 ADDS R4, #0x89
.text&ARM.extab:0005FF92 BD C2 STM R2, {R0,R2-R5,R7}
.text&ARM.extab:0005FF94 EB 40 LSRS R3, R5
.text&ARM.extab:0005FF96 80 2C CMP R4, #0x80
.text&ARM.extab:0005FF98 A1 7B LDRB R1, [R4,#0xE]
.text&ARM.extab:0005FF9A 24 3B SUBS R3, #0x24 ; '$'
.text&ARM.extab:0005FF9C 71 D6 BVS loc_60082
.text&ARM.extab:0005FF9C
.text&ARM.extab:0005FF9E 50 55 STRB R0, [R2,R5]
.text&ARM.extab:0005FF9E
.text&ARM.extab:0005FF9E ; ---------------------------------------------------------------------------
.text&ARM.extab:0005FFA0 68 B6 AA 39 76 4A 1B CD 2A 52+DCD 0x39AAB668, 0xCD1B4A76, 0x2986522A, 0x299C1ABC, 0x6B5921DE, 0x6DF3BB26
.text&ARM.extab:0005FFB8 ; ---------------------------------------------------------------------------
.text&ARM.extab:0005FFB8 1D E0 B loc_5FFF6 ; jumptable 0005FBBC cases 1,5
.text&ARM.extab:0005FFB8
.text&ARM.extab:0005FFBA ; ---------------------------------------------------------------------------
.text&ARM.extab:0005FFBA
.text&ARM.extab:0005FFBA loc_5FFBA ; CODE XREF: .text&ARM.extab:0005FB58↑j
.text&ARM.extab:0005FFBA 02 98 LDR R0, [SP,#8] ; jumptable 0005FB58 case 1
.text&ARM.extab:0005FFBC B0 F7 48 EA BLX jhj_closedir
.text&ARM.extab:0005FFBC
.text&ARM.extab:0005FFC0 03 98 LDR R0, [SP,#0xC]
.text&ARM.extab:0005FFC2 1E E0 B loc_60002
.text&ARM.extab:0005FFC2
.text&ARM.extab:0005FFC4 ; ---------------------------------------------------------------------------
.text&ARM.extab:0005FFC4
.text&ARM.extab:0005FFC4 loc_5FFC4 ; CODE XREF: .text&ARM.extab:0005FB58↑j
.text&ARM.extab:0005FFC4 22 AD ADD R5, SP, #0x88 ; jumptable 0005FB58 case 3
.text&ARM.extab:0005FFC6 43 AC ADD R4, SP, #0x10C
.text&ARM.extab:0005FFC8 0F 21 MOVS R1, #0xF
.text&ARM.extab:0005FFCA BA 22 MOVS R2, #0xBA
.text&ARM.extab:0005FFCC 28 46 MOV R0, R5
.text&ARM.extab:0005FFCE FF F7 B3 FA BL jhj_DecryptString5 ; 解密得到字符串"/proc/%ld/task/"
.text&ARM.extab:0005FFCE
.text&ARM.extab:0005FFD2 29 46 MOV R1, R5
.text&ARM.extab:0005FFD4 04 9A LDR R2, [SP,#0x10]
.text&ARM.extab:0005FFD6 20 46 MOV R0, R4
.text&ARM.extab:0005FFD8 38 F0 A2 FF BL jhj_format ; 得到格式化字符串"/proc/pid/task/"
.text&ARM.extab:0005FFD8
.text&ARM.extab:0005FFDC 20 46 MOV R0, R4
.text&ARM.extab:0005FFDE B0 F7 2C EA BLX jhj_opendir
.text&ARM.extab:0005FFDE
.text&ARM.extab:0005FFE2 02 90 STR R0, [SP,#8]
.text&ARM.extab:0005FFE4 00 28 CMP R0, #0
.text&ARM.extab:0005FFE6 0C BF ITE EQ
.text&ARM.extab:0005FFE8 05 23 MOVEQ R3, #5
.text&ARM.extab:0005FFE8
.text&ARM.extab:0005FFEA
.text&ARM.extab:0005FFEA loc_5FFEA ; CODE XREF: .text&ARM.extab:0005FF88↑j
.text&ARM.extab:0005FFEA 02 23 MOVNE R3, #2
.text&ARM.extab:0005FFEC AF E5 B def_5FB58 ; jumptable 0005FB58 default case
.text&ARM.extab:0005FFEC
.text&ARM.extab:0005FFEE ; ---------------------------------------------------------------------------
.text&ARM.extab:0005FFEE
.text&ARM.extab:0005FFEE loc_5FFEE ; CODE XREF: .text&ARM.extab:0005FB58↑j
.text&ARM.extab:0005FFEE 00 23 MOVS R3, #0 ; jumptable 0005FB58 case 2
.text&ARM.extab:0005FFF0 03 93 STR R3, [SP,#0xC]
.text&ARM.extab:0005FFF2 04 23 MOVS R3, #4
.text&ARM.extab:0005FFF4 AE E5 B loc_5FB54
.text&ARM.extab:0005FFF4
.text&ARM.extab:0005FFF6 ; ---------------------------------------------------------------------------
.text&ARM.extab:0005FFF6
.text&ARM.extab:0005FFF6 loc_5FFF6 ; CODE XREF: .text&ARM.extab:0005FBB4↑j
.text&ARM.extab:0005FFF6 ; .text&ARM.extab:0005FBBC↑j
.text&ARM.extab:0005FFF6 ; .text&ARM.extab:0005FF7C↑j
.text&ARM.extab:0005FFF6 ; .text&ARM.extab:0005FFB8↑j
.text&ARM.extab:0005FFF6 00 23 MOVS R3, #0 ; jumptable 0005FBBC cases 1,5
.text&ARM.extab:0005FFF8 AC E5 B loc_5FB54
.text&ARM.extab:0005FFF8
.text&ARM.extab:0005FFFA ; ---------------------------------------------------------------------------
.text&ARM.extab:0005FFFA
.text&ARM.extab:0005FFFA loc_5FFFA ; CODE XREF: .text&ARM.extab:0005FB50↑j
.text&ARM.extab:0005FFFA 01 22 MOVS R2, #1
.text&ARM.extab:0005FFFC 0C 92 STR R2, [SP,#0x30]
.text&ARM.extab:0005FFFE 7C E5 B loc_5FAFA
.text&ARM.extab:0005FFFE
.text&ARM.extab:00060000 ; ---------------------------------------------------------------------------
.text&ARM.extab:00060000
.text&ARM.extab:00060000 loc_60000 ; CODE XREF: .text&ARM.extab:0005FB58↑j
.text&ARM.extab:00060000 00 20 MOVS R0, #0 ; jumptable 0005FB58 case 5
.text&ARM.extab:00060000
.text&ARM.extab:00060002
.text&ARM.extab:00060002 loc_60002 ; CODE XREF: .text&ARM.extab:0005FFC2↑j
.text&ARM.extab:00060002 07 9B LDR R3, [SP,#0x1C]
.text&ARM.extab:00060004 DD F8 0C 2B LDR.W R2, [SP,#0xB0C]
.text&ARM.extab:00060008 1B 68 LDR R3, [R3]
.text&ARM.extab:0006000A 9A 42 CMP R2, R3
.text&ARM.extab:0006000C 02 D0 BEQ loc_60014
.text&ARM.extab:0006000C
.text&ARM.extab:0006000E B0 F7 9C E9 BLX jhj__stack_chk_fail
.text&ARM.extab:0006000E
.text&ARM.extab:00060012
.text&ARM.extab:00060012 loc_60012 ; CODE XREF: .text&ARM.extab:0005FB00↑j
.text&ARM.extab:00060012 FF DE UND #0xFF
.text&ARM.extab:00060012
.text&ARM.extab:00060014 ; ---------------------------------------------------------------------------
.text&ARM.extab:00060014
.text&ARM.extab:00060014 loc_60014 ; CODE XREF: .text&ARM.extab:0006000C↑j
.text&ARM.extab:00060014 0D F6 14 3D ADDW SP, SP, #0xB14
.text&ARM.extab:00060018 BD E8 F0 8F POP.W {R4-R11,PC}
偏移0x59500处调用pthread_create创建新线程2,并在线程回调中进行如下反调试:
该线程2的回调函数中调用inotify系列api对虚拟文件进行监控
此外还创建了新的子线程,其线程回调位于偏移0x58E19处的函数,并在子线程中调用sigaction,大胆猜测应该是线程2和其子线程互发信号相互确认
备注:调用sigaction函数的子线程代码只在调试时可见(其偏移为:0x2D94B3DC)
偏移:0x7C04C处创建新的线程3,其线程回调函数的偏移:0x7BF09,此处调试线程回调会导致进程崩溃,先修改为nop(00 BF)再修改r0为0,暂时先跳过,怀疑是其他的反调试手段在运行
(后续:将该线程Pass后,直至jni_onLoader结束并未发现其他的反调试,暂时没有好的解决方法,不知道有没有好心人告诉我如何解决)
}
获得dex:{
源dex都打包在assets目录下的classes0.jar中(处于加密状态,在测试机中的位置为/data/user/0/com.fy.qqkp.newmi/.cache/classs.jar),
其解密流程位于jni_onLoader中通过反射调用的com.SecShell.SecShell.H类的public static void f(ClassLoader arg6, "/data/user/0/com.fy.qqkp.new.mi/.cache/classes.jar", "/data/user/0/com.fy.qqkp.new.mi/.cache")方法中
其实也就是解密之后通过反射调用InMemoryDexClassLoader动态加载内存中的dex文件罢了
其解密函数位于被hook的libc read函数的替换函数rep_read中,且在该函数上设置断点调试时会报内存访问错误,怀疑是有新线程在循环检测该函数所在的内存区域
.text&ARM.extab:0004D210 ; int __fastcall jhj_hookread(int, int, int)
.text&ARM.extab:0004D210 ; Hooked read(fd, buf, count): R5 = fd, R4 = buf, R7 = count.
.text&ARM.extab:0004D210 ; Calls through the function pointer saved at off_AC240 (presumably
.text&ARM.extab:0004D210 ; the original libc read) and, when sub_4B3C0 returns a record for this
.text&ARM.extab:0004D210 ; fd, transforms the bytes just read in place (jhj_DecryptBytes, or
.text&ARM.extab:0004D210 ; sub_4C9FC for record type 3) before returning the byte count.
.text&ARM.extab:0004D210 ; Without a record it tail-calls the underlying read untouched.
.text&ARM.extab:0004D210 jhj_hookread ; DATA XREF: jhj_HookLibcFunction+190↓o
.text&ARM.extab:0004D210 ; jhj_HookLibcFunction+19A↓o
.text&ARM.extab:0004D210 ; .text&ARM.extab:off_4DBCC↓o
.text&ARM.extab:0004D210 ; __unwind { // 417B6000
.text&ARM.extab:0004D210 2D E9 F0 41 PUSH.W {R4-R8,LR}
.text&ARM.extab:0004D214 05 46 MOV R5, R0 ; fd
.text&ARM.extab:0004D216 0C 46 MOV R4, R1 ; buf
.text&ARM.extab:0004D218 17 46 MOV R7, R2 ; count
.text&ARM.extab:0004D21A FE F7 D1 F8 BL sub_4B3C0 ; lookup keyed on fd; NULL result = fd not tracked (inferred from the branch below)
.text&ARM.extab:0004D21A
.text&ARM.extab:0004D21E 80 46 MOV R8, R0
.text&ARM.extab:0004D220 E8 B1 CBZ R0, loc_4D25E ; no record: pass straight through to the underlying read
.text&ARM.extab:0004D220
.text&ARM.extab:0004D222 28 46 MOV R0, R5
.text&ARM.extab:0004D224 00 21 MOVS R1, #0
.text&ARM.extab:0004D226 01 22 MOVS R2, #1 ; whence = 1 (SEEK_CUR)
.text&ARM.extab:0004D228 C3 F7 32 EA BLX jhj_lseek ; current file offset, i.e. where buf[0] lands in the file
.text&ARM.extab:0004D228
.text&ARM.extab:0004D22C 12 4B LDR R3, =(off_AC214 - 0x4D236)
.text&ARM.extab:0004D22E 21 46 MOV R1, R4
.text&ARM.extab:0004D230 3A 46 MOV R2, R7
.text&ARM.extab:0004D232 7B 44 ADD R3, PC ; off_AC214
.text&ARM.extab:0004D234 DB 6A LDR R3, [R3,#(off_AC240 - 0xAC214)] ; saved function pointer (presumably the original read)
.text&ARM.extab:0004D236 06 46 MOV R6, R0 ; R6 = file offset before the read
.text&ARM.extab:0004D238 28 46 MOV R0, R5
.text&ARM.extab:0004D23A 98 47 BLX R3 ; dword_0 ; branch target offset: EEFC7000 - BE99A000 = 0x3062D000
.text&ARM.extab:0004D23A ; function resolved at run time
.text&ARM.extab:0004D23A ; it simply reads the file data into buf
.text&ARM.extab:0004D23A
.text&ARM.extab:0004D23C 05 1E SUBS R5, R0, #0 ; R5 = bytes actually read
.text&ARM.extab:0004D23E 17 DD BLE loc_4D270 ; 0 or error: return it unchanged
.text&ARM.extab:0004D23E
.text&ARM.extab:0004D240 D8 F8 04 30 LDR.W R3, [R8,#4] ; record field selecting the transform routine
.text&ARM.extab:0004D244 30 46 MOV R0, R6 ; arg 1: file offset of buf[0]
.text&ARM.extab:0004D246 21 46 MOV R1, R4 ; arg 2: buf
.text&ARM.extab:0004D248 2A 46 MOV R2, R5 ; arg 3: bytes read
.text&ARM.extab:0004D24A 01 2B CMP R3, #1
.text&ARM.extab:0004D24C 04 D0 BEQ loc_4D258
.text&ARM.extab:0004D24C
.text&ARM.extab:0004D24E 03 2B CMP R3, #3
.text&ARM.extab:0004D250 02 D1 BNE loc_4D258 ; every value except 3 goes to jhj_DecryptBytes
.text&ARM.extab:0004D250
.text&ARM.extab:0004D252 FF F7 D3 FB BL sub_4C9FC ; type 3: alternate in-place transform (not shown in this listing)
.text&ARM.extab:0004D252
.text&ARM.extab:0004D256 0B E0 B loc_4D270
.text&ARM.extab:0004D256
.text&ARM.extab:0004D258 ; ---------------------------------------------------------------------------
.text&ARM.extab:0004D258
.text&ARM.extab:0004D258 loc_4D258 ; CODE XREF: jhj_hookread+3C↑j
.text&ARM.extab:0004D258 ; jhj_hookread+40↑j
.text&ARM.extab:0004D258 FF F7 40 FF BL jhj_DecryptBytes ; arg 1: file offset
.text&ARM.extab:0004D258 ; arg 2: srcBuffer
.text&ARM.extab:0004D258 ; arg 3: srcBufferSize
.text&ARM.extab:0004D258
.text&ARM.extab:0004D25C 08 E0 B loc_4D270 ; break here: three dex files in total, actual jar size 6e1c1b
.text&ARM.extab:0004D25C
.text&ARM.extab:0004D25E ; ---------------------------------------------------------------------------
.text&ARM.extab:0004D25E
.text&ARM.extab:0004D25E loc_4D25E ; CODE XREF: jhj_hookread+10↑j
.text&ARM.extab:0004D25E 07 4B LDR R3, =(off_AC214 - 0x4D26A)
.text&ARM.extab:0004D260 28 46 MOV R0, R5
.text&ARM.extab:0004D262 21 46 MOV R1, R4
.text&ARM.extab:0004D264 3A 46 MOV R2, R7
.text&ARM.extab:0004D266 7B 44 ADD R3, PC ; off_AC214
.text&ARM.extab:0004D268 BD E8 F0 41 POP.W {R4-R8,LR} ; restore callee-saved regs, then tail-call
.text&ARM.extab:0004D26C DB 6A LDR R3, [R3,#(off_AC240 - 0xAC214)]
.text&ARM.extab:0004D26E 18 47 BX R3 ; dword_0 ; pass-through: (presumably original) read(fd, buf, count)
.text&ARM.extab:0004D26E
.text&ARM.extab:0004D270 ; ---------------------------------------------------------------------------
.text&ARM.extab:0004D270
.text&ARM.extab:0004D270 loc_4D270 ; CODE XREF: jhj_hookread+2E↑j
.text&ARM.extab:0004D270 ; jhj_hookread+46↑j
.text&ARM.extab:0004D270 ; jhj_hookread+4C↑j
.text&ARM.extab:0004D270 28 46 MOV R0, R5 ; return the byte count of the underlying read
.text&ARM.extab:0004D272 BD E8 F0 81 POP.W {R4-R8,PC}
其解密的函数为jhj_DecryptBytes,如下:
text&ARM.extab:0004D0DC ; arg 1: file offset (position in the file of srcBuffer[0])
.text&ARM.extab:0004D0DC ; arg 2: srcBuffer
.text&ARM.extab:0004D0DC ; arg 3: srcBufferSize
.text&ARM.extab:0004D0DC
.text&ARM.extab:0004D0DC ; unsigned int __fastcall jhj_DecryptBytes(unsigned int, char *, signed int)
.text&ARM.extab:0004D0DC ; In-place decryption of one read() worth of the protected jar.
.text&ARM.extab:0004D0DC ; sub_4C56E(offset, size, &var_12C, &var_128) first splits the request:
.text&ARM.extab:0004D0DC ; the first var_12C bytes go through an RC4-style keystream (256-byte
.text&ARM.extab:0004D0DC ; S-box on the stack at var_124, 16-byte key read via off_AC22C, the
.text&ARM.extab:0004D0DC ; generator advanced `offset` times first so each read lines up with the
.text&ARM.extab:0004D0DC ; file), and the var_128 bytes after them are XORed with 0xAC when two
.text&ARM.extab:0004D0DC ; globals permit it. How sub_4C56E computes the split and what the two
.text&ARM.extab:0004D0DC ; globals mean is not recoverable from this listing.
.text&ARM.extab:0004D0DC ; Return value is whatever is left in R0 (var_12C, or the address just
.text&ARM.extab:0004D0DC ; past the RC4 region on the 0xAC path); jhj_hookread ignores it.
.text&ARM.extab:0004D0DC EXPORT jhj_DecryptBytes
.text&ARM.extab:0004D0DC jhj_DecryptBytes ; CODE XREF: .text&ARM.extab:0002623C↑p
.text&ARM.extab:0004D0DC ; .text&ARM.extab:0002686C↑p
.text&ARM.extab:0004D0DC ; jhj_hookread:loc_4D258↓p
.text&ARM.extab:0004D0DC ; jhj_hookpread64:loc_4D2B8↓p
.text&ARM.extab:0004D0DC ; jhj_hook__mmap2+C0↓p
.text&ARM.extab:0004D0DC ; pFD099753FE3C34335A32B92C8F00766D+2E↓p
.text&ARM.extab:0004D0DC ; DATA XREF: LOAD:stru_AFC↑o
.text&ARM.extab:0004D0DC
.text&ARM.extab:0004D0DC var_12C= -0x12C ; out-param of sub_4C56E: byte count for the RC4 pass
.text&ARM.extab:0004D0DC var_128= -0x128 ; out-param of sub_4C56E: byte count for the 0xAC pass
.text&ARM.extab:0004D0DC var_124= -0x124 ; 256-byte RC4 state S[0..255]
.text&ARM.extab:0004D0DC var_24= -0x24 ; saved stack canary
.text&ARM.extab:0004D0DC
.text&ARM.extab:0004D0DC ; __unwind { // 417B6000
.text&ARM.extab:0004D0DC 2D E9 F0 43 PUSH.W {R4-R9,LR}
.text&ARM.extab:0004D0E0 C5 B0 SUB SP, SP, #0x114
.text&ARM.extab:0004D0E2 DF F8 1C 91 LDR.W R9, =(off_A2984 - 0x4D0F2) ; stack guard pointer
.text&ARM.extab:0004D0E6 0D F1 04 08 ADD.W R8, SP, #0x130+var_12C ; &var_12C
.text&ARM.extab:0004D0EA 02 AE ADD R6, SP, #0x130+var_128 ; &var_128
.text&ARM.extab:0004D0EC 0D 46 MOV R5, R1 ; R5 = srcBuffer
.text&ARM.extab:0004D0EE F9 44 ADD R9, PC ; off_A2984
.text&ARM.extab:0004D0F0 D9 F8 00 90 LDR.W R9, [R9]
.text&ARM.extab:0004D0F4 11 46 MOV R1, R2 ; arg 2 for sub_4C56E = srcBufferSize
.text&ARM.extab:0004D0F6 42 46 MOV R2, R8 ; arg 3 = &var_12C
.text&ARM.extab:0004D0F8 00 24 MOVS R4, #0
.text&ARM.extab:0004D0FA D9 F8 00 30 LDR.W R3, [R9] ; canary value
.text&ARM.extab:0004D0FE 07 46 MOV R7, R0 ; R7 = file offset
.text&ARM.extab:0004D100 01 94 STR R4, [SP,#0x130+var_12C] ; zero both out-params before the call
.text&ARM.extab:0004D102 34 60 STR R4, [R6]
.text&ARM.extab:0004D104 43 93 STR R3, [SP,#0x130+var_24] ; stash canary
.text&ARM.extab:0004D106 33 46 MOV R3, R6 ; arg 4 = &var_128
.text&ARM.extab:0004D108 FF F7 31 FA BL sub_4C56E ; (offset, size, &rc4_len, &xor_len); body not shown in this listing
.text&ARM.extab:0004D108
.text&ARM.extab:0004D10C D8 F8 00 00 LDR.W R0, [R8] ; R0 = var_12C = length of the RC4 region in this buffer
.text&ARM.extab:0004D110 CE 46 MOV LR, R9 ; guard pointer parked in LR (LR itself is already on the stack)
.text&ARM.extab:0004D112 A0 42 CMP R0, R4
.text&ARM.extab:0004D114 50 DD BLE loc_4D1B8 ; nothing for RC4 in this read
.text&ARM.extab:0004D114
.text&ARM.extab:0004D116 3B 4B LDR R3, =(off_AC214 - 0x4D11E)
.text&ARM.extab:0004D118 22 46 MOV R2, R4 ; i = 0
.text&ARM.extab:0004D11A 7B 44 ADD R3, PC ; off_AC214
.text&ARM.extab:0004D11C D3 F8 18 80 LDR.W R8, [R3,#(off_AC22C - 0xAC214)] ; R8 = key pointer
.text&ARM.extab:0004D120 03 AB ADD R3, SP, #0x130+var_124 ; R3 = S
.text&ARM.extab:0004D120
.text&ARM.extab:0004D122
.text&ARM.extab:0004D122 loc_4D122 ; CODE XREF: jhj_DecryptBytes+4E↓j
.text&ARM.extab:0004D122 D2 54 STRB R2, [R2,R3] ; identity fill: S[i] = i
.text&ARM.extab:0004D124 01 32 ADDS R2, #1
.text&ARM.extab:0004D126 B2 F5 80 7F CMP.W R2, #0x100
.text&ARM.extab:0004D12A FA D1 BNE loc_4D122
.text&ARM.extab:0004D12A
.text&ARM.extab:0004D12C 00 22 MOVS R2, #0 ; k = key index
.text&ARM.extab:0004D12E 14 46 MOV R4, R2 ; j
.text&ARM.extab:0004D130 11 46 MOV R1, R2 ; i
.text&ARM.extab:0004D130
.text&ARM.extab:0004D132
.text&ARM.extab:0004D132 loc_4D132 ; CODE XREF: jhj_DecryptBytes+7E↓j
.text&ARM.extab:0004D132 13 F8 01 90 LDRB.W R9, [R3,R1] ; key schedule: R9 = S[i]
.text&ARM.extab:0004D136 18 F8 02 C0 LDRB.W R12, [R8,R2] ; key[k]
.text&ARM.extab:0004D13A 01 32 ADDS R2, #1
.text&ARM.extab:0004D13C 0F 2A CMP R2, #0xF
.text&ARM.extab:0004D13E CC 44 ADD R12, R9
.text&ARM.extab:0004D140 64 44 ADD R4, R12 ; j += S[i] + key[k]
.text&ARM.extab:0004D142 C8 BF IT GT
.text&ARM.extab:0004D144 00 22 MOVGT R2, #0 ; k wraps after 16 bytes: 16-byte key
.text&ARM.extab:0004D146 E4 B2 UXTB R4, R4 ; j &= 0xFF
.text&ARM.extab:0004D148 13 F8 04 C0 LDRB.W R12, [R3,R4] ; swap S[i] <-> S[j]
.text&ARM.extab:0004D14C 03 F8 01 C0 STRB.W R12, [R3,R1]
.text&ARM.extab:0004D150 01 31 ADDS R1, #1
.text&ARM.extab:0004D152 B1 F5 80 7F CMP.W R1, #0x100
.text&ARM.extab:0004D156 03 F8 04 90 STRB.W R9, [R3,R4]
.text&ARM.extab:0004D15A EA D1 BNE loc_4D132
.text&ARM.extab:0004D15A
.text&ARM.extab:0004D15C 00 24 MOVS R4, #0 ; positions consumed so far
.text&ARM.extab:0004D15E 21 46 MOV R1, R4 ; j
.text&ARM.extab:0004D160 22 46 MOV R2, R4 ; i
.text&ARM.extab:0004D160
.text&ARM.extab:0004D162
.text&ARM.extab:0004D162 loc_4D162 ; CODE XREF: jhj_DecryptBytes+A4↓j
.text&ARM.extab:0004D162 BC 42 CMP R4, R7 ; run the generator `offset` times without output so the
.text&ARM.extab:0004D164 0D D0 BEQ loc_4D182 ; keystream position matches this read's file offset
.text&ARM.extab:0004D164
.text&ARM.extab:0004D166 01 32 ADDS R2, #1
.text&ARM.extab:0004D168 01 34 ADDS R4, #1
.text&ARM.extab:0004D16A D2 B2 UXTB R2, R2 ; i = (i + 1) & 0xFF
.text&ARM.extab:0004D16C 13 F8 02 C0 LDRB.W R12, [R3,R2]
.text&ARM.extab:0004D170 61 44 ADD R1, R12
.text&ARM.extab:0004D172 C9 B2 UXTB R1, R1 ; j = (j + S[i]) & 0xFF
.text&ARM.extab:0004D174 13 F8 01 80 LDRB.W R8, [R3,R1] ; swap S[i] <-> S[j]
.text&ARM.extab:0004D178 03 F8 02 80 STRB.W R8, [R3,R2]
.text&ARM.extab:0004D17C 03 F8 01 C0 STRB.W R12, [R3,R1]
.text&ARM.extab:0004D180 EF E7 B loc_4D162
.text&ARM.extab:0004D180
.text&ARM.extab:0004D182 ; ---------------------------------------------------------------------------
.text&ARM.extab:0004D182
.text&ARM.extab:0004D182 loc_4D182 ; CODE XREF: jhj_DecryptBytes+88↑j
.text&ARM.extab:0004D182 05 EB 00 0C ADD.W R12, R5, R0 ; end = srcBuffer + var_12C
.text&ARM.extab:0004D186 2F 46 MOV R7, R5 ; cursor = srcBuffer
.text&ARM.extab:0004D186
.text&ARM.extab:0004D188
.text&ARM.extab:0004D188 loc_4D188 ; CODE XREF: jhj_DecryptBytes+DA↓j
.text&ARM.extab:0004D188 01 32 ADDS R2, #1
.text&ARM.extab:0004D18A D2 B2 UXTB R2, R2 ; i = (i + 1) & 0xFF
.text&ARM.extab:0004D18C 9C 5C LDRB R4, [R3,R2] ; R4 = S[i]
.text&ARM.extab:0004D18E 21 44 ADD R1, R4
.text&ARM.extab:0004D190 C9 B2 UXTB R1, R1 ; j = (j + S[i]) & 0xFF
.text&ARM.extab:0004D192 13 F8 01 80 LDRB.W R8, [R3,R1] ; swap S[i] <-> S[j]
.text&ARM.extab:0004D196 03 F8 02 80 STRB.W R8, [R3,R2]
.text&ARM.extab:0004D19A 5C 54 STRB R4, [R3,R1]
.text&ARM.extab:0004D19C 13 F8 02 80 LDRB.W R8, [R3,R2] ; new S[i]
.text&ARM.extab:0004D1A0 44 44 ADD R4, R8 ; S[i] + S[j]
.text&ARM.extab:0004D1A2 E4 B2 UXTB R4, R4
.text&ARM.extab:0004D1A4 13 F8 04 80 LDRB.W R8, [R3,R4] ; keystream byte K = S[(S[i] + S[j]) & 0xFF]
.text&ARM.extab:0004D1A8 17 F8 01 4B LDRB.W R4, [R7],#1 ; load ciphertext byte, advance cursor
.text&ARM.extab:0004D1AC 67 45 CMP R7, R12
.text&ARM.extab:0004D1AE 88 EA 04 04 EOR.W R4, R8, R4 ; byte ^= K
.text&ARM.extab:0004D1B2 07 F8 01 4C STRB.W R4, [R7,#-1] ; write back in place
.text&ARM.extab:0004D1B6 E7 D1 BNE loc_4D188 ; until cursor == end
.text&ARM.extab:0004D1B6
.text&ARM.extab:0004D1B8
.text&ARM.extab:0004D1B8 loc_4D1B8 ; CODE XREF: jhj_DecryptBytes+38↑j
.text&ARM.extab:0004D1B8 13 4B LDR R3, =(p6185EAA3C139AC76EEFDBB2353E688AA_ptr - 0x4D1BE)
.text&ARM.extab:0004D1BA 7B 44 ADD R3, PC ; p6185EAA3C139AC76EEFDBB2353E688AA_ptr
.text&ARM.extab:0004D1BC 1B 68 LDR R3, [R3] ; p6185EAA3C139AC76EEFDBB2353E688AA
.text&ARM.extab:0004D1BE 1B 68 LDR R3, [R3] ; first gate flag (meaning not visible here)
.text&ARM.extab:0004D1C0 33 B9 CBNZ R3, loc_4D1D0 ; nonzero: go straight to the 0xAC pass
.text&ARM.extab:0004D1C0
.text&ARM.extab:0004D1C2 12 4B LDR R3, =(p9D140C911F03767A451AB14CBC5BBAD7_ptr - 0x4D1C8)
.text&ARM.extab:0004D1C4 7B 44 ADD R3, PC ; p9D140C911F03767A451AB14CBC5BBAD7_ptr
.text&ARM.extab:0004D1C6 1B 68 LDR R3, [R3] ; p9D140C911F03767A451AB14CBC5BBAD7
.text&ARM.extab:0004D1C8 1B 68 LDR R3, [R3]
.text&ARM.extab:0004D1CA 93 F8 48 30 LDRB.W R3, [R3,#dword_48] ; second gate: byte at +0x48 of that object
.text&ARM.extab:0004D1CE 63 B9 CBNZ R3, loc_4D1EA ; nonzero: skip the 0xAC pass
.text&ARM.extab:0004D1CE
.text&ARM.extab:0004D1D0
.text&ARM.extab:0004D1D0 loc_4D1D0 ; CODE XREF: jhj_DecryptBytes+E4↑j
.text&ARM.extab:0004D1D0 31 68 LDR R1, [R6] ; R1 = var_128 = length of the 0xAC region
.text&ARM.extab:0004D1D2 00 29 CMP R1, #0
.text&ARM.extab:0004D1D4 09 DD BLE loc_4D1EA ; nothing to do
.text&ARM.extab:0004D1D4
.text&ARM.extab:0004D1D6 2B 18 ADDS R3, R5, R0 ; R3 = srcBuffer + var_12C: 0xAC region starts right after the RC4 one
.text&ARM.extab:0004D1D8 18 46 MOV R0, R3 ; keep the start to measure progress (this is also what gets returned)
.text&ARM.extab:0004D1D8
.text&ARM.extab:0004D1DA
.text&ARM.extab:0004D1DA loc_4D1DA ; CODE XREF: jhj_DecryptBytes+10C↓j
.text&ARM.extab:0004D1DA 1A 78 LDRB R2, [R3]
.text&ARM.extab:0004D1DC 82 F0 AC 02 EOR.W R2, R2, #0xAC ; byte ^= 0xAC
.text&ARM.extab:0004D1E0 03 F8 01 2B STRB.W R2, [R3],#1
.text&ARM.extab:0004D1E4 1A 1A SUBS R2, R3, R0
.text&ARM.extab:0004D1E6 8A 42 CMP R2, R1
.text&ARM.extab:0004D1E8 F7 DB BLT loc_4D1DA ; for var_128 bytes
.text&ARM.extab:0004D1E8
.text&ARM.extab:0004D1EA
.text&ARM.extab:0004D1EA loc_4D1EA ; CODE XREF: jhj_DecryptBytes+F2↑j
.text&ARM.extab:0004D1EA ; jhj_DecryptBytes+F8↑j
.text&ARM.extab:0004D1EA 43 9A LDR R2, [SP,#0x130+var_24] ; stack canary check
.text&ARM.extab:0004D1EC DE F8 00 30 LDR.W R3, [LR]
.text&ARM.extab:0004D1F0 9A 42 CMP R2, R3
.text&ARM.extab:0004D1F2 01 D0 BEQ loc_4D1F8
.text&ARM.extab:0004D1F2
.text&ARM.extab:0004D1F4 C3 F7 A8 E8 BLX jhj__stack_chk_fail
.text&ARM.extab:0004D1F4
.text&ARM.extab:0004D1F8
.text&ARM.extab:0004D1F8 loc_4D1F8 ; CODE XREF: jhj_DecryptBytes+116↑j
.text&ARM.extab:0004D1F8 45 B0 ADD SP, SP, #0x114
.text&ARM.extab:0004D1FA BD E8 F0 83 POP.W {R4-R9,PC}
}
最后:
重新组装后的apk本身带有root检测和签名校验,因测试机是自己编译的AOSP所以root检测已经通过,只需要再处理签名校验即可
}